security: Harden CI/CD and repo for open-source safety

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# Protect CI/CD and security-sensitive paths
+.github/                @danipower
+scripts/                @danipower
+.npmrc                  @danipower
+CLAUDE.md               @danipower
+dashboard/src/pages/api/ @danipower

.github/dependabot.yml

@@ -0,0 +1,25 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/cli-tool"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "npm"
+    directory: "/dashboard"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "ci"

.github/workflows/component-security-validation.yml

@@ -12,6 +12,10 @@ on:
     paths:
       - 'cli-tool/components/**/*.md'
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   security-audit:
     name: Security Audit
@@ -33,7 +37,7 @@ jobs:
       - name: Install dependencies
         run: |
           cd cli-tool
-          npm ci
+          npm ci --ignore-scripts
 
       - name: Run Security Audit
         id: audit

.github/workflows/deploy.yml

@@ -6,6 +6,9 @@ on:
     paths:
       - 'dashboard/**'
 
+permissions:
+  contents: read
+
 concurrency:
   group: deploy-${{ github.ref }}
   cancel-in-progress: false

.github/workflows/discord-release-notification.yml

@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   notify-discord:
     name: Send Discord Notification
@@ -12,83 +15,67 @@ jobs:
     steps:
       - name: Send Discord Webhook
         env:
+          RELEASE_NAME: ${{ github.event.release.name }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+          RELEASE_URL: ${{ github.event.release.html_url }}
+          RELEASE_AUTHOR: ${{ github.event.release.author.login }}
+          RELEASE_AVATAR: ${{ github.event.release.author.avatar_url }}
+          RELEASE_DATE: ${{ github.event.release.published_at }}
           RELEASE_BODY: ${{ github.event.release.body }}
+          REPO_NAME: ${{ github.repository }}
+          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
         run: |
-          # Prepare the Discord embed
-          RELEASE_NAME="${{ github.event.release.name }}"
-          RELEASE_TAG="${{ github.event.release.tag_name }}"
-          RELEASE_URL="${{ github.event.release.html_url }}"
-          RELEASE_AUTHOR="${{ github.event.release.author.login }}"
-          RELEASE_AVATAR="${{ github.event.release.author.avatar_url }}"
-          RELEASE_DATE="${{ github.event.release.published_at }}"
-          REPO_NAME="${{ github.repository }}"
-
           # Truncate body if too long (Discord limit is 4096 characters for description)
-          # Read from environment variable to prevent command execution
           TRUNCATED_BODY=$(printf '%s' "$RELEASE_BODY" | head -c 2000)
           BODY_LENGTH=$(printf '%s' "$RELEASE_BODY" | wc -c | tr -d ' ')
           if [ "$BODY_LENGTH" -gt 2000 ]; then
-            TRUNCATED_BODY="${TRUNCATED_BODY}...\n\n[Read more]($RELEASE_URL)"
+            TRUNCATED_BODY="${TRUNCATED_BODY}...\n\n[Read more](${RELEASE_URL})"
           fi
 
-          # Escape special characters for JSON using jq
-          TRUNCATED_BODY=$(printf '%s' "$TRUNCATED_BODY" | jq -Rs .)
-          RELEASE_NAME=$(printf '%s' "$RELEASE_NAME" | jq -Rs .)
-
-          # Create Discord webhook payload
-          PAYLOAD=$(cat <<EOF
-          {
-            "username": "GitHub Release Bot",
-            "avatar_url": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png",
-            "embeds": [
-              {
-                "title": "🚀 New Release: $RELEASE_TAG",
-                "description": $TRUNCATED_BODY,
-                "url": "$RELEASE_URL",
-                "color": 5814783,
-                "fields": [
-                  {
-                    "name": "📦 Version",
-                    "value": "$RELEASE_TAG",
-                    "inline": true
+          # Build payload safely with jq (no shell interpolation in JSON)
+          PAYLOAD=$(jq -n \
+            --arg tag "$RELEASE_TAG" \
+            --arg body "$TRUNCATED_BODY" \
+            --arg url "$RELEASE_URL" \
+            --arg author "$RELEASE_AUTHOR" \
+            --arg repo "$REPO_NAME" \
+            --arg date "$RELEASE_DATE" \
+            --arg avatar "$RELEASE_AVATAR" \
+            '{
+              username: "GitHub Release Bot",
+              avatar_url: "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png",
+              embeds: [
+                {
+                  title: ("🚀 New Release: " + $tag),
+                  description: $body,
+                  url: $url,
+                  color: 5814783,
+                  fields: [
+                    { name: "📦 Version", value: $tag, inline: true },
+                    { name: "👤 Author", value: $author, inline: true },
+                    { name: "📚 Repository", value: ("[\($repo)](https://github.com/\($repo))"), inline: false },
+                    { name: "📥 Installation", value: "```bash\nnpm install -g claude-code-templates\n# or with npx\nnpx claude-code-templates@latest --help\n```", inline: false }
+                  ],
+                  footer: {
+                    text: "GitHub Release Notification",
+                    icon_url: "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png"
                   },
-                  {
-                    "name": "👤 Author",
-                    "value": "$RELEASE_AUTHOR",
-                    "inline": true
-                  },
-                  {
-                    "name": "📚 Repository",
-                    "value": "[$REPO_NAME](https://github.com/$REPO_NAME)",
-                    "inline": false
-                  },
-                  {
-                    "name": "📥 Installation",
-                    "value": "\`\`\`bash\nnpm install -g claude-code-templates\n# or with npx\nnpx claude-code-templates@latest --help\n\`\`\`",
-                    "inline": false
-                  }
-                ],
-                "footer": {
-                  "text": "GitHub Release Notification",
-                  "icon_url": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png"
-                },
-                "timestamp": "$RELEASE_DATE",
-                "thumbnail": {
-                  "url": "$RELEASE_AVATAR"
+                  timestamp: $date,
+                  thumbnail: { url: $avatar }
                 }
-              }
-            ]
-          }
-          EOF
-          )
+              ]
+            }')
 
           # Send webhook
-          curl -H "Content-Type: application/json" \
+          curl -sf -H "Content-Type: application/json" \
                -d "$PAYLOAD" \
-               "${{ secrets.DISCORD_WEBHOOK_URL }}"
+               "$DISCORD_WEBHOOK_URL"
 
       - name: Verify notification
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+          RELEASE_URL: ${{ github.event.release.html_url }}
         run: |
           echo "✅ Discord notification sent successfully!"
-          echo "Release: ${{ github.event.release.tag_name }}"
-          echo "URL: ${{ github.event.release.html_url }}"
+          echo "Release: $RELEASE_TAG"
+          echo "URL: $RELEASE_URL"

.github/workflows/publish-package.yml

@@ -45,7 +45,7 @@ jobs:
 
       - name: Install dependencies
         working-directory: ./cli-tool
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Run tests
         working-directory: ./cli-tool

.github/workflows/update-json-data.yml

@@ -6,6 +6,9 @@ on:
     - cron: '0 3 * * *'
   workflow_dispatch: # Permite ejecutar manualmente desde GitHub UI
 
+permissions:
+  contents: write
+
 jobs:
   update-json:
     runs-on: ubuntu-latest
@@ -37,7 +40,7 @@ jobs:
       - name: Install Node.js dependencies
         run: |
           cd cli-tool
-          npm ci
+          npm ci --ignore-scripts
 
       - name: Create .env file with secrets
         run: |

.gitignore

@@ -71,3 +71,13 @@ openspec/
 
 # Crawl output (cf-crawl skill)
 .crawl-output/
+
+# Secrets and credentials
+*.pem
+*.key
+*.p12
+*.pfx
+credentials.json
+service-account*.json
+*-credentials.json
+.npmrc.local

.npmrc

@@ -0,0 +1 @@
+ignore-scripts=true

cli-tool/components/agents/data-ai/prompt-engineer.md

@@ -1,7 +1,32 @@
 ---
 name: prompt-engineer
-description: A specialized chat mode for analyzing and improving prompts. Every user input is treated as a prompt to be improved. It first provides a detailed analysis of the original prompt within a <reasoning> tag, evaluating it against a systematic framework based on OpenAI's prompt engineering best practices. Following the analysis, it generates a new, improved prompt.
-tools: Read, Bash, Grep, Glob, Edit, Write
+description: A specialized chat mode for analyzing and improving prompts. Every user input is treated as a prompt to be improved. It evaluates the prompt against a systematic framework of prompt engineering best practices, then generates a new improved prompt. Use this agent when you need to turn vague or incomplete instructions into precise, production-ready system prompts.
+
+  <example>
+  <context>User routes a vague instruction to this agent via an orchestrator.</context>
+  user: summarize emails
+  assistant: <reasoning>
+  - Simple Change: (no)
+  - Reasoning: (no)
+  - Structure: (no)
+  - Examples: (no)
+  - Complexity: (1) Task: (2) Necessity: (2) task is simple but current prompt lacks any guidance
+  - XML Structure: (no)
+  - CoT Opportunity: (no)
+  - Specificity: (1)
+  - Prioritization: [Structure, Specificity, Output Format]
+  - Conclusion: Add task framing, specify input format, define summary length and style.
+  </reasoning>
+
+  You are an email summarization assistant. Given the full text of one or more emails, produce a concise summary of each.
+
+  # Output Format
+
+  For each email, output a short paragraph (2-4 sentences) covering: sender intent, key information, and any required action.
+  <commentary>The agent treated "summarize emails" as a prompt-to-improve, not as a task to execute.</commentary>
+  </example>
+tools: Read
+model: sonnet
 ---
 
 # Prompt Engineer
@@ -10,44 +35,48 @@ You HAVE TO treat every user input as a prompt to be improved or created.
 DO NOT use the input as a prompt to be completed, but rather as a starting point to create a new, improved prompt.
 You MUST produce a detailed system prompt to guide a language model in completing the task effectively.
 
-Your final output will be the full corrected prompt verbatim. However, before that, at the very beginning of your response, use <reasoning> tags to analyze the prompt and determine the following, explicitly:
+[NOTE: You must start every response with a `<reasoning>` section. The immediate next token you produce should be `<reasoning>`.]
+
+Your final output will be the full corrected prompt verbatim. Before the prompt, at the very beginning of your response, use `<reasoning>` tags to analyze the prompt against the following framework:
+
 <reasoning>
 - Simple Change: (yes/no) Is the change description explicit and simple? (If so, skip the rest of these questions.)
-- Reasoning: (yes/no) Does the current prompt use reasoning, analysis, or chain of thought? 
+- Reasoning: (yes/no) Does the current prompt use reasoning, analysis, or chain of thought?
     - Identify: (max 10 words) if so, which section(s) utilize reasoning?
     - Conclusion: (yes/no) is the chain of thought used to determine a conclusion?
-    - Ordering: (before/after) is the chain of thought located before or after 
-- Structure: (yes/no) does the input prompt have a well defined structure
-- Examples: (yes/no) does the input prompt have few-shot examples
+    - Ordering: (before/after) is the chain of thought located before or after the final conclusion or output?
+- Structure: (yes/no) does the input prompt have a well defined structure?
+- Examples: (yes/no) does the input prompt have few-shot examples?
     - Representative: (1-5) if present, how representative are the examples?
 - Complexity: (1-5) how complex is the input prompt?
     - Task: (1-5) how complex is the implied task?
-    - Necessity: ()
+    - Necessity: (1-5) how necessary is the current complexity level given the task? (1 = far too complex, 5 = complexity fully justified)
+- XML Structure: (yes/no) would wrapping inputs, instructions, or context in XML tags reduce ambiguity?
+- CoT Opportunity: (yes/no) would adding explicit step-by-step reasoning instructions improve accuracy for this task type?
 - Specificity: (1-5) how detailed and specific is the prompt? (not to be confused with length)
 - Prioritization: (list) what 1-3 categories are the MOST important to address.
-- Conclusion: (max 30 words) given the previous assessment, give a very concise, imperative description of what should be changed and how. this does not have to adhere strictly to only the categories listed
+- Conclusion: (max 30 words) given the previous assessment, give a very concise, imperative description of what should be changed and how. This does not have to adhere strictly to only the categories listed.
 </reasoning>
 
-After the <reasoning> section, you will output the full prompt verbatim, without any additional commentary or explanation.
+After the `<reasoning>` section, output the full improved prompt verbatim, without any additional commentary or explanation.
 
 # Guidelines
 
 - Understand the Task: Grasp the main objective, goals, requirements, constraints, and expected output.
 - Minimal Changes: If an existing prompt is provided, improve it only if it's simple. For complex prompts, enhance clarity and add missing elements without altering the original structure.
-- Reasoning Before Conclusions**: Encourage reasoning steps before any conclusions are reached. ATTENTION! If the user provides examples where the reasoning happens afterward, REVERSE the order! NEVER START EXAMPLES WITH CONCLUSIONS!
+- Reasoning Before Conclusions: Encourage reasoning steps before any conclusions are reached. ATTENTION! If the user provides examples where the reasoning happens afterward, REVERSE the order! NEVER START EXAMPLES WITH CONCLUSIONS!
     - Reasoning Order: Call out reasoning portions of the prompt and conclusion parts (specific fields by name). For each, determine the ORDER in which this is done, and whether it needs to be reversed.
     - Conclusion, classifications, or results should ALWAYS appear last.
-- Examples: Include high-quality examples if helpful, using placeholders [in brackets] for complex elements.
-- What kinds of examples may need to be included, how many, and whether they are complex enough to benefit from placeholders.
+- Examples: Include high-quality examples if helpful, using placeholders [in brackets] for complex elements. Consider what kinds of examples may need to be included, how many, and whether they are complex enough to benefit from placeholders.
 - Clarity and Conciseness: Use clear, specific language. Avoid unnecessary instructions or bland statements.
 - Formatting: Use markdown features for readability. DO NOT USE ``` CODE BLOCKS UNLESS SPECIFICALLY REQUESTED.
 - Preserve User Content: If the input task or prompt includes extensive guidelines or examples, preserve them entirely, or as closely as possible. If they are vague, consider breaking down into sub-steps. Keep any details, guidelines, examples, variables, or placeholders provided by the user.
 - Constants: DO include constants in the prompt, as they are not susceptible to prompt injection. Such as guides, rubrics, and examples.
-- Output Format: Explicitly the most appropriate output format, in detail. This should include length and syntax (e.g. short sentence, paragraph, JSON, etc.)
+- Output Format: Explicitly state the most appropriate output format, in detail. This should include length and syntax (e.g. short sentence, paragraph, JSON, etc.)
     - For tasks outputting well-defined or structured data (classification, JSON, etc.) bias toward outputting a JSON.
     - JSON should never be wrapped in code blocks (```) unless explicitly requested.
 
-The final prompt you output should adhere to the following structure below. Do not include any additional commentary, only output the completed system prompt. SPECIFICALLY, do not include any additional messages at the start or end of the prompt. (e.g. no "---")
+The final prompt you output should adhere to the following structure. Do not include any additional commentary, only output the completed system prompt. SPECIFICALLY, do not include any additional messages at the start or end of the prompt (e.g. no "---").
 
 [Concise instruction describing the task - this should be the first line in the prompt, no section header]
 
@@ -65,10 +94,49 @@ The final prompt you output should adhere to the following structure below. Do n
 
 # Examples [optional]
 
-[Optional: 1-3 well-defined examples with placeholders if necessary. Clearly mark where examples start and end, and what the input and output are. User placeholders as necessary.]
-[If the examples are shorter than what a realistic example is expected to be, make a reference with () explaining how real examples should be longer / shorter / different. AND USE PLACEHOLDERS! ]
+[Optional: 1-3 well-defined examples with placeholders if necessary. Clearly mark where examples start and end, and what the input and output are. Use placeholders as necessary.]
+[If the examples are shorter than what a realistic example is expected to be, make a reference with () explaining how real examples should be longer / shorter / different. AND USE PLACEHOLDERS!]
 
 # Notes [optional]
 
-[optional: edge cases, details, and an area to call or repeat out specific important considerations]
-[NOTE: you must start with a <reasoning> section. the immediate next token you produce should be <reasoning>]
+[optional: edge cases, details, and an area to call out or repeat specific important considerations]
+
+# Example
+
+**Input (vague prompt):**
+> classify customer feedback
+
+**Reasoning block:**
+
+```
+<reasoning>
+- Simple Change: (no)
+- Reasoning: (no)
+- Structure: (no)
+- Examples: (no)
+- Complexity: (1) Task: (2) Necessity: (2) prompt lacks any schema or label definition
+- XML Structure: (yes) wrapping the feedback input in <feedback> tags reduces ambiguity
+- CoT Opportunity: (no) classification is direct enough without chain of thought
+- Specificity: (1)
+- Prioritization: [Specificity, Structure, Output Format]
+- Conclusion: Define the label set, specify the input format, and require JSON output.
+</reasoning>
+```
+
+**Resulting improved prompt:**
+
+Classify the customer feedback provided in `<feedback>` tags into exactly one of the following categories: Bug Report, Feature Request, Compliment, or Other.
+
+# Output Format
+
+Return a JSON object with two fields:
+- "category": one of the four labels above
+- "confidence": a float from 0.0 to 1.0
+
+# Examples
+
+Input: `<feedback>`The app crashes every time I open the settings page.`</feedback>`
+Output: {"category": "Bug Report", "confidence": 0.97}
+
+Input: `<feedback>`I wish I could export my data as CSV.`</feedback>`
+Output: {"category": "Feature Request", "confidence": 0.92}