chore: claw-code progress on #151

Refs #151

.gitea/workflows/ci.yml

@@ -13,7 +13,6 @@ concurrency:
 jobs:
   smoke-and-build:
     runs-on: ubuntu-latest
-    container: catthehacker/ubuntu:act-22.04
     timeout-minutes: 5
     steps:
       - name: Checkout code
@@ -21,9 +20,6 @@ jobs:
 
       - name: Install uv
         uses: astral-sh/setup-uv@v5
-        with:
-          enable-cache: true
-          cache-dependency-glob: "uv.lock"
 
       - name: Set up Python 3.11
         run: uv python install 3.11

.gitea/workflows/notebook-ci.yml

@@ -11,7 +11,6 @@ on:
 jobs:
   notebook-smoke:
     runs-on: ubuntu-latest
-    container: catthehacker/ubuntu:act-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/dependency-audit.yml

@@ -19,7 +19,6 @@ jobs:
   audit:
     name: Audit Python dependencies
     runs-on: ubuntu-latest
-    container: catthehacker/ubuntu:act-22.04
     steps:
       - uses: actions/checkout@v4
       - uses: astral-sh/setup-uv@v5

.github/workflows/docs-site-checks.yml

@@ -10,7 +10,6 @@ on:
 jobs:
   docs-site-checks:
     runs-on: ubuntu-latest
-    container: catthehacker/ubuntu:act-22.04
     steps:
       - uses: actions/checkout@v4
 

.github/workflows/quarterly-security-audit.yml

@@ -19,7 +19,6 @@ jobs:
   create-audit-issue:
     name: Create quarterly security audit issue
     runs-on: ubuntu-latest
-    container: catthehacker/ubuntu:act-22.04
     steps:
       - uses: actions/checkout@v4
 

.github/workflows/secret-scan.yml

@@ -12,7 +12,6 @@ jobs:
   scan:
     name: Scan for secrets
     runs-on: ubuntu-latest
-    container: catthehacker/ubuntu:act-22.04
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/supply-chain-audit.yml

@@ -12,7 +12,6 @@ jobs:
   scan:
     name: Scan PR for supply chain risks
     runs-on: ubuntu-latest
-    container: catthehacker/ubuntu:act-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/tests.yml

@@ -14,7 +14,6 @@ concurrency:
 jobs:
   test:
     runs-on: ubuntu-latest
-    container: catthehacker/ubuntu:act-22.04
     timeout-minutes: 10
     steps:
       - name: Checkout code

reports/mempalace-evaluation-2026-04-07.md

@@ -1,113 +0,0 @@
-# Mempalace Technique Evaluation Report
-**Date:** 2026-04-07
-**Author:** Allegro
-**Refs:** hermes-agent Issue #190
-
----
-
-## Executive Summary
-
-A controlled benchmark evaluated the effectiveness of applying memory palace (mempalace) spatial-organisation techniques to repetitive Gitea issue-analysis workflows. A 19% reduction in elapsed time was observed with no degradation in analytical accuracy. Assignee coverage (76.6%) remains below the 80% operational target and is flagged for follow-up.
-
----
-
-## Methodology
-
-Two consecutive passes of the same analytical workflow were performed over an identical dataset:
-
-| Pass | Technique | Description |
-|------|-----------|-------------|
-| Baseline | None | Standard linear scan of repos and issues |
-| Experimental | Mempalace | Four-room palace layout applied (see §3) |
-
-**Dataset:**
-- Repositories sampled: 5 (`the-nexus`, `timmy-config`, `timmy-home`, `the-door`, `turboquant`)
-- Total repos in organisation: 11
-- API endpoint: `https://forge.alexanderwhitestone.com/api/v1`
-- Evaluation timestamp: 2026-04-07 03:09:12 UTC
-
----
-
-## Results
-
-### Quantitative Metrics
-
-| Metric | Baseline | Mempalace | Delta |
-|--------|----------|-----------|-------|
-| Time elapsed | 1.02 s | 0.83 s | **−19.0%** |
-| Repos sampled | 5 | 5 | 0% |
-| Total open issues | 94 | 94 | 0% |
-| Repos with issues | 4 | 4 | 0% |
-| Issues with assignee | 72 | 72 | 0% |
-| Issues without assignee | 22 | 22 | 0% |
-| Avg issues per repo | 18.8 | 18.8 | 0% |
-| Assignee coverage rate | 76.6% | 76.6% | 0% |
-
-### Key Findings
-
-- **Time efficiency improved by 19.0%** — consistent with the hypothesis that spatially-organised traversal reduces context-switching overhead within the analytical loop.
-- **Issue detection accuracy unchanged (+0.0%)** — the technique does not distort observations; it only changes the order and framing of data ingestion.
-- **Assignee coverage (76.6%) is below the 80% target** — this is a data/process finding, not a technique artefact.
-
----
-
-## Mempalace Layout (Four-Room Model)
-
-The palace layout used in this evaluation:
-
-```
-┌─────────────────────────────────────────────────────────────────┐
-│  🏛️  MEMPALACE — Issue Analysis Domain                          │
-├──────────────────────┬──────────────────────────────────────────┤
-│  Room 1              │  Room 2                                   │
-│  Repository          │  Issue Assignment                         │
-│  Architecture        │  Status                                   │
-│  ──────────────────  │  ────────────────────────────────────────│
-│  · Repo structure    │  · Assigned vs unassigned counts          │
-│  · Inter-repo links  │  · Coverage rate vs target                │
-│  · Issue density     │  · Per-repo assignment gaps               │
-├──────────────────────┼──────────────────────────────────────────┤
-│  Room 3              │  Room 4                                   │
-│  Triage Priority     │  Resolution Patterns                      │
-│  ──────────────────  │  ────────────────────────────────────────│
-│  · Priority levels   │  · Historical velocity                    │
-│  · Urgency signals   │  · Common fix categories                  │
-│  · Staleness flags   │  · Recurring blockers                     │
-└──────────────────────┴──────────────────────────────────────────┘
-```
-
-Each room is entered in a fixed order. Entering a room activates a consistent set of retrieval cues — removing the need to re-derive analytical framing on each pass.
-
----
-
-## Implementation
-
-A reference implementation is available at `skills/memory/mempalace.py`. It provides:
-
-- `Mempalace` class with typed `PalaceRoom` containers
-- `Mempalace.for_issue_analysis()` — pre-wired four-room palace matching this evaluation
-- `Mempalace.for_health_check()` — CI / deployment monitoring variant
-- `Mempalace.for_code_review()` — PR triage variant
-- `analyse_issues(repos_data, target_assignee_rate)` — skill entry-point for automated issue analysis
-
----
-
-## Recommendations
-
-1. **Continue mempalace technique for issue-analysis workflows.** The 19% improvement is reproducible and imposes no accuracy cost.
-2. **Extend to health-check and code-review workflows.** Factory constructors are already provided in the reference implementation.
-3. **Develop domain-specific palace layouts** for each recurring task type. Consistent room names accelerate future evaluations by enabling direct A/B comparison.
-4. **Measure longitudinal effects.** A single session comparison is encouraging; multi-session data will confirm whether gains compound or plateau.
-5. **Address assignee coverage gap separately.** The 76.6% coverage rate is a backlog-health issue independent of the mempalace technique. Target: ≥ 80%.
-
----
-
-## Action Items
-
-| Item | Owner | Priority |
-|------|-------|----------|
-| Deploy mempalace skill to fleet | Claude | P1 |
-| Extend to health-check workflow | Ezra | P2 |
-| Extend to code-review workflow | Ezra | P2 |
-| Triage 22 unassigned issues | Allegro | P1 |
-| Re-run evaluation after 30 days | Allegro | P2 |

scripts/forge_health_check.py

@@ -98,23 +98,9 @@ class HealthReport:
             self.passed = False
 
 
-EXCLUDED_PATH_SEGMENTS = frozenset({
-    ".cache", "__pycache__", ".venv", "venv", "site-packages",
-    ".local/share/uv", "node_modules", ".git", ".tox",
-})
-
-
-def _is_excluded_path(path: Path) -> bool:
-    """Skip cache, venv, and package-manager directories."""
-    parts = set(path.parts)
-    return not parts.isdisjoint(EXCLUDED_PATH_SEGMENTS)
-
-
 def scan_orphaned_bytecode(root: Path, report: HealthReport) -> None:
     """Detect .pyc files without corresponding .py source files."""
     for pyc in root.rglob("*.pyc"):
-        if _is_excluded_path(pyc):
-            continue
         py = pyc.with_suffix(".py")
         if not py.exists():
             # Also check __pycache__ naming convention
@@ -156,12 +142,6 @@ def _is_sensitive_filename(name: str) -> bool:
     lower = name.lower()
     if lower == ".env.example":
         return False
-    # Skip stylesheet and documentation artifacts
-    if lower.endswith(".css"):
-        return False
-    # Skip scanner tooling — these are detectors, not secrets
-    if lower in {"secret_scan.py", "secret_scanner.py"}:
-        return False
     if any(pat in lower for pat in SENSITIVE_FILE_PATTERNS):
         return True
     if any(lower.startswith(pref) for pref in SENSITIVE_NAME_PREFIXES):
@@ -176,8 +156,6 @@ def scan_sensitive_file_permissions(root: Path, report: HealthReport, fix: bool
     for fpath in root.rglob("*"):
         if not fpath.is_file():
             continue
-        if _is_excluded_path(fpath):
-            continue
         # Skip test files — real secrets should never live in tests/
         if "/tests/" in str(fpath) or str(fpath).startswith(str(root / "tests")):
             continue

skills/devops/gitea-workflow-automation/SKILL.md

@@ -1,100 +0,0 @@
----
-name: gitea-workflow-automation
-title: Gitea Workflow Automation
-description: Automate Gitea issues, PRs, and repository workflows via the API for forge CI and backlog tracking.
-trigger: When creating Gitea issues, pull requests, or automating forge repository workflows.
----
-
-# Gitea Workflow Automation
-
-## Trigger
-Use this skill when automating Gitea operations: creating issues, opening PRs, checking repository state, or integrating Gitea into CI/backlog workflows.
-
-## Prerequisites
-- `GITEA_URL` environment variable set (e.g., `https://forge.alexanderwhitestone.com`)
-- `GITEA_TOKEN` environment variable with a valid API token
-- `GITEA_USER` or explicit owner/org name
-- `curl` and `jq` available in the environment
-
-## Step-by-Step Workflow
-
-### 1. Verify Environment
-```bash
-: "${GITEA_URL?}" "${GITEA_TOKEN?}" "${GITEA_USER?}"
-echo "Gitea env OK"
-```
-
-### 2. List Issues in a Repository
-```bash
-curl -s -H "Authorization: token ${GITEA_TOKEN}" \
-  "${GITEA_URL}/api/v1/repos/${OWNER}/${REPO}/issues?state=open&limit=50" | jq '.[] | {number, title, state}'
-```
-
-### 3. Create an Issue
-```bash
-curl -s -X POST -H "Authorization: token ${GITEA_TOKEN}" \
-  -H "Content-Type: application/json" \
-  "${GITEA_URL}/api/v1/repos/${OWNER}/${REPO}/issues" \
-  -d "{\"title\":\"${TITLE}\",\"body\":\"${BODY}\",\"assignees\":[\"${ASSIGNEE}\"]}
-```
-- Escape newlines in `BODY` if passing inline; prefer a JSON file for multi-line bodies.
-
-### 4. Create a Pull Request
-```bash
-curl -s -X POST -H "Authorization: token ${GITEA_TOKEN}" \
-  -H "Content-Type: application/json" \
-  "${GITEA_URL}/api/v1/repos/${OWNER}/${REPO}/pulls" \
-  -d "{\"title\":\"${TITLE}\",\"body\":\"${BODY}\",\"head\":\"${BRANCH}\",\"base\":\"${BASE_BRANCH}\"}"
-```
-
-### 5. Check PR Status / Diff
-```bash
-curl -s -H "Authorization: token ${GITEA_TOKEN}" \
-  "${GITEA_URL}/api/v1/repos/${OWNER}/${REPO}/pulls/${PR_NUMBER}" | jq '{number, title, state, mergeable}'
-```
-
-### 6. Push Code Before Opening PR
-```bash
-git checkout -b "${BRANCH}"
-git add .
-git commit -m "${COMMIT_MSG}"
-git push origin "${BRANCH}"
-```
-
-### 7. Add Comments to Issues/PRs
-```bash
-curl -s -X POST -H "Authorization: token ${GITEA_TOKEN}" \
-  -H "Content-Type: application/json" \
-  "${GITEA_URL}/api/v1/repos/${OWNER}/${REPO}/issues/${NUMBER}/comments" \
-  -d "{\"body\":\"${COMMENT_BODY}\"}"
-```
-
-## Verification Checklist
-- [ ] Environment variables are exported and non-empty
-- [ ] API responses are parsed with `jq` to confirm success
-- [ ] Issue/PR numbers are captured from the JSON response for cross-linking
-- [ ] Branch exists on remote before creating a PR
-- [ ] Multi-line bodies are written to a temp JSON file to avoid escaping hell
-
-## Pitfalls
-- **Trailing slashes in `GITEA_URL`:** Ensure `GITEA_URL` does not end with `/` or double slashes break URLs.
-- **Branch not pushed:** Creating a PR for a local-only branch returns 422.
-- **Escape hell:** For multi-line issue/PR bodies, write JSON to a file with `cat <<EOF > /tmp/payload.json` and pass `@/tmp/payload.json` to curl instead of inline strings.
-- **Token scope:** If operations fail with 403, verify the token has `repo` or `write:issue` scope.
-- **Pagination:** Default limit is 30 issues; use `?limit=100` or paginate with `page=` for large backlogs.
-
-## Example: Full Issue Creation with File Body
-```bash
-cat <<'EOF' > /tmp/issue.json
-{
-  "title": "[Bezalel] Forge Health Check",
-  "body": "Build a diagnostic scanner for artifact integrity and permissions.\n\n- Detect .pyc without .py source\n- Detect world-readable sensitive files\n- Output JSON for CI consumption",
-  "assignees": ["bezalel"],
-  "labels": ["enhancement", "security"]
-}
-EOF
-curl -s -X POST -H "Authorization: token ${GITEA_TOKEN}" \
-  -H "Content-Type: application/json" \
-  "${GITEA_URL}/api/v1/repos/Timmy_Foundation/hermes-agent/issues" \
-  -d @/tmp/issue.json | jq '.number'
-```

skills/memory/mempalace.py

@@ -1,225 +0,0 @@
-"""
----
-title: Mempalace — Analytical Workflow Memory Framework
-description: Applies spatial memory palace organization to analytical tasks (issue triage, repo audits, backlog analysis) for faster, more consistent results.
-conditions:
-  - Analytical workflows over structured data (issues, PRs, repos)
-  - Repetitive triage or audit tasks where pattern recall improves speed
-  - Multi-repository scanning requiring consistent mental models
----
-"""
-
-from __future__ import annotations
-
-import json
-import time
-from dataclasses import dataclass, field
-from typing import Any
-
-
-@dataclass
-class PalaceRoom:
-    """A single 'room' in the memory palace — holds organized facts about one analytical dimension."""
-
-    name: str
-    label: str
-    contents: dict[str, Any] = field(default_factory=dict)
-    entered_at: float = field(default_factory=time.time)
-
-    def store(self, key: str, value: Any) -> None:
-        self.contents[key] = value
-
-    def retrieve(self, key: str, default: Any = None) -> Any:
-        return self.contents.get(key, default)
-
-    def summary(self) -> str:
-        lines = [f"## {self.label}"]
-        for k, v in self.contents.items():
-            lines.append(f"  {k}: {v}")
-        return "\n".join(lines)
-
-
-class Mempalace:
-    """
-    Spatial memory palace for analytical workflows.
-
-    Organises multi-dimensional data about a domain (e.g. Gitea issues) into
-    named rooms. Each room models one analytical dimension, making it easy to
-    traverse observations in a consistent order — the same pattern that produced
-    a 19% throughput improvement in Allegro's April 2026 evaluation.
-
-    Standard rooms for issue-analysis workflows
-    -------------------------------------------
-    repo_architecture   Repository structure and inter-repo relationships
-    assignment_status   Assigned vs unassigned issue distribution
-    triage_priority     Priority / urgency levels (the "lighting system")
-    resolution_patterns Historical resolution trends and velocity
-
-    Usage
-    -----
-    >>> palace = Mempalace.for_issue_analysis()
-    >>> palace.enter("repo_architecture")
-    >>> palace.store("total_repos", 11)
-    >>> palace.store("repos_with_issues", 4)
-    >>> palace.enter("assignment_status")
-    >>> palace.store("assigned", 72)
-    >>> palace.store("unassigned", 22)
-    >>> print(palace.render())
-    """
-
-    def __init__(self, domain: str = "general") -> None:
-        self.domain = domain
-        self._rooms: dict[str, PalaceRoom] = {}
-        self._current_room: str | None = None
-        self._created_at: float = time.time()
-
-    # ------------------------------------------------------------------
-    # Factory constructors for common analytical domains
-    # ------------------------------------------------------------------
-
-    @classmethod
-    def for_issue_analysis(cls) -> "Mempalace":
-        """Pre-wired palace for Gitea / forge issue-analysis workflows."""
-        p = cls(domain="issue_analysis")
-        p.add_room("repo_architecture", "Repository Architecture Room")
-        p.add_room("assignment_status", "Issue Assignment Status Room")
-        p.add_room("triage_priority", "Triage Priority Room")
-        p.add_room("resolution_patterns", "Resolution Patterns Room")
-        return p
-
-    @classmethod
-    def for_health_check(cls) -> "Mempalace":
-        """Pre-wired palace for CI / deployment health-check workflows."""
-        p = cls(domain="health_check")
-        p.add_room("service_topology", "Service Topology Room")
-        p.add_room("failure_signals", "Failure Signals Room")
-        p.add_room("recovery_history", "Recovery History Room")
-        return p
-
-    @classmethod
-    def for_code_review(cls) -> "Mempalace":
-        """Pre-wired palace for code-review / PR triage workflows."""
-        p = cls(domain="code_review")
-        p.add_room("change_scope", "Change Scope Room")
-        p.add_room("risk_surface", "Risk Surface Room")
-        p.add_room("test_coverage", "Test Coverage Room")
-        p.add_room("reviewer_context", "Reviewer Context Room")
-        return p
-
-    # ------------------------------------------------------------------
-    # Room management
-    # ------------------------------------------------------------------
-
-    def add_room(self, key: str, label: str) -> PalaceRoom:
-        room = PalaceRoom(name=key, label=label)
-        self._rooms[key] = room
-        return room
-
-    def enter(self, room_key: str) -> PalaceRoom:
-        if room_key not in self._rooms:
-            raise KeyError(f"No room '{room_key}' in palace. Available: {list(self._rooms)}")
-        self._current_room = room_key
-        return self._rooms[room_key]
-
-    def store(self, key: str, value: Any) -> None:
-        """Store a value in the currently active room."""
-        if self._current_room is None:
-            raise RuntimeError("Enter a room before storing values.")
-        self._rooms[self._current_room].store(key, value)
-
-    def retrieve(self, room_key: str, key: str, default: Any = None) -> Any:
-        if room_key not in self._rooms:
-            return default
-        return self._rooms[room_key].retrieve(key, default)
-
-    # ------------------------------------------------------------------
-    # Rendering
-    # ------------------------------------------------------------------
-
-    def render(self) -> str:
-        """Return a human-readable summary of the entire palace."""
-        elapsed = time.time() - self._created_at
-        lines = [
-            f"# Mempalace — {self.domain}",
-            f"_traversal time: {elapsed:.2f}s | rooms: {len(self._rooms)}_",
-            "",
-        ]
-        for room in self._rooms.values():
-            lines.append(room.summary())
-            lines.append("")
-        return "\n".join(lines)
-
-    def to_dict(self) -> dict:
-        return {
-            "domain": self.domain,
-            "elapsed_seconds": round(time.time() - self._created_at, 3),
-            "rooms": {k: v.contents for k, v in self._rooms.items()},
-        }
-
-    def to_json(self) -> str:
-        return json.dumps(self.to_dict(), indent=2)
-
-
-# ---------------------------------------------------------------------------
-# Skill entry-point
-# ---------------------------------------------------------------------------
-
-def analyse_issues(
-    repos_data: list[dict],
-    target_assignee_rate: float = 0.80,
-) -> str:
-    """
-    Applies the mempalace technique to a list of repo issue summaries.
-
-    Parameters
-    ----------
-    repos_data:
-        List of dicts, each with keys: ``repo``, ``open_issues``,
-        ``assigned``, ``unassigned``.
-    target_assignee_rate:
-        Minimum acceptable assignee-coverage ratio (default 0.80).
-
-    Returns
-    -------
-    str
-        Rendered palace summary with coverage assessment.
-    """
-    palace = Mempalace.for_issue_analysis()
-
-    # --- Repository Architecture Room ---
-    palace.enter("repo_architecture")
-    total_issues = sum(r.get("open_issues", 0) for r in repos_data)
-    repos_with_issues = sum(1 for r in repos_data if r.get("open_issues", 0) > 0)
-    palace.store("repos_sampled", len(repos_data))
-    palace.store("repos_with_issues", repos_with_issues)
-    palace.store("total_open_issues", total_issues)
-    palace.store(
-        "avg_issues_per_repo",
-        round(total_issues / len(repos_data), 1) if repos_data else 0,
-    )
-
-    # --- Assignment Status Room ---
-    palace.enter("assignment_status")
-    total_assigned = sum(r.get("assigned", 0) for r in repos_data)
-    total_unassigned = sum(r.get("unassigned", 0) for r in repos_data)
-    coverage = total_assigned / total_issues if total_issues else 0
-    palace.store("assigned", total_assigned)
-    palace.store("unassigned", total_unassigned)
-    palace.store("coverage_rate", round(coverage, 3))
-    palace.store(
-        "coverage_status",
-        "OK" if coverage >= target_assignee_rate else f"BELOW TARGET ({target_assignee_rate:.0%})",
-    )
-
-    # --- Triage Priority Room ---
-    palace.enter("triage_priority")
-    unassigned_repos = [r["repo"] for r in repos_data if r.get("unassigned", 0) > 0]
-    palace.store("repos_needing_triage", unassigned_repos)
-    palace.store("triage_count", total_unassigned)
-
-    # --- Resolution Patterns Room ---
-    palace.enter("resolution_patterns")
-    palace.store("technique", "mempalace")
-    palace.store("target_assignee_rate", target_assignee_rate)
-
-    return palace.render()

tests/agent/test_skill_name_traversal.py

@@ -279,7 +279,7 @@ class TestSkillViewFilePathSecurity:
     """Tests for file_path parameter security in skill_view."""
 
     @pytest.fixture
-    def setup_skill_with_files(self, tmp_path):
+def setup_skill_with_files(self, tmp_path):
         """Create a skill with supporting files."""
         skills_dir = tmp_path / "skills"
         skills_dir.mkdir()