Consume blindfold as a dependency; remove in-tree security code

.github/workflows/blindfold-ci.yml

@@ -0,0 +1,58 @@
+name: blindfold CI
+
+on:
+  push:
+    branches:
+      - main
+      - 'md/project-vault'
+    paths:
+      - 'blindfold/**'
+  pull_request:
+    branches:
+      - main
+      - 'md/project-vault'
+    paths:
+      - 'blindfold/**'
+
+jobs:
+  ci:
+    name: Build & Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    defaults:
+      run:
+        working-directory: blindfold
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: blindfold/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Test
+        run: npm test
+
+      - name: Pack dry-run
+        run: npm pack --dry-run
+
+      - name: Build binary (Linux only)
+        if: matrix.os == 'ubuntu-latest'
+        run: npm run build:binary
+        continue-on-error: true

.github/workflows/ci.yml

@@ -34,6 +34,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          submodules: recursive
 
       - name: Setup Node.js 22.x
         uses: actions/setup-node@v4
@@ -61,6 +62,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          submodules: recursive
 
       - name: Setup Node.js 22.x
         uses: actions/setup-node@v4
@@ -127,6 +129,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          submodules: recursive
 
       - name: Setup Node.js 22.x
         uses: actions/setup-node@v4
@@ -240,6 +243,7 @@ jobs:
         with:
           ref: ${{ github.sha }}
           fetch-depth: 0
+          submodules: recursive
 
       - name: Setup Node.js 22.x
         uses: actions/setup-node@v4
@@ -264,7 +268,7 @@ jobs:
           fi
           git diff --cached --quiet || (
             git commit -m "chore: regenerate llms-full.txt" &&
-            git push origin HEAD:${{ github.head_ref }} || echo "Branch no longer exists — skipping push."
+            git push origin HEAD:${{ github.head_ref }} || echo "Branch no longer exists - skipping push."
           )
 
   release:
@@ -278,6 +282,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          submodules: recursive
 
       - name: Setup Node.js 22.x
         uses: actions/setup-node@v4

.github/workflows/fleet-e2e.yml

@@ -33,6 +33,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          submodules: recursive
 
       - name: Create run directory
         shell: bash

.gitignore

@@ -30,3 +30,4 @@ CLAUDE.md
 GEMINI.md
 AGENTS.md
 COPILOT-INSTRUCTIONS.md
+blindfold.local.bak/

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "blindfold"]
+	path = blindfold
+	url = git@github.com:Apra-Labs/blindfold.git

.mcp.json

@@ -1,12 +1,3 @@
 {
-  "mcpServers": {
-    "apra-fleet": {
-      "command": "node",
-      "args": ["dist/index.js"],
-      "cwd": ".",
-      "env": {
-        "NODE_ENV": "development"
-      }
-    }
-  }
-}
+  "mcpServers": {}
+}

blindfold-migration/CLAUDE-doer.md

@@ -0,0 +1,103 @@
+# blindfold-migration — Doer (apra-fleet)
+
+You are the **doer** on the apra-fleet blindfold-migration sprint.
+
+## Project policy (also see root CLAUDE.md and README.md)
+
+- ASCII only - never write non-ASCII characters to any file. Use `-` for dashes, `->` for arrows, `[OK]` for checkmarks.
+- Branch naming: `feat/<topic>`, `fix/<topic>`, `chore/<topic>`.
+- Commit style: `<type>(<scope>): <description>` (project convention).
+- Do not push to `main` directly.
+- No Claude / Anthropic / AI attribution in commits, code, comments, or PR body.
+
+## Sprint context
+
+- **Branch:** `md/project-vault`
+- **Base:** `main`
+- **Plan:** `blindfold-migration/PLAN.md`
+- **Progress:** `blindfold-migration/progress.json`
+- **Requirements:** `blindfold-migration/requirements.md`
+
+Always read these from the `blindfold-migration/` folder, not the
+prior-sprint files at repo root (`PLAN.md`, `plan.md`, `progress.json`,
+`OVERVIEW.md`, `requirements*.md` are leftovers - ignore them).
+
+## Execution model
+
+On each invocation:
+
+1. `git log --oneline -10` for context recovery.
+2. Read `blindfold-migration/progress.json` - find the next task with
+   status `pending`.
+3. Read the corresponding section of `blindfold-migration/PLAN.md`.
+4. Execute the task: edits, commands, tests.
+5. Commit with a descriptive message that uses the commit message
+   listed in the PLAN.md phase header.
+6. Update `blindfold-migration/progress.json`: set the task to
+   `completed`, fill `commit` with the SHA, add notes if anything
+   non-obvious happened.
+7. Push to `origin md/project-vault`.
+8. If you reached a VERIFY task: stop, leave it as the last pending
+   item. The PM will dispatch the reviewer.
+
+## VERIFY checkpoints
+
+When the next task is type `verify`:
+
+1. Run the relevant gates from the PLAN.md phase ("Done when" list).
+   Always include:
+   - `npm run build`
+   - `npm test`
+2. If any gate fails, fix and re-run. Only move on once all gates are
+   green (or the PLAN.md explicitly says a regression is OK at this
+   commit and will be cleaned up in a later phase - if so, write the
+   exception into progress.json `notes`).
+3. Mark the VERIFY task `completed` in progress.json with a one-line
+   summary of what passed.
+4. `git push origin md/project-vault` - the reviewer will fetch.
+5. STOP. Do not start the next phase. Report status.
+
+## Doer-reviewer loop
+
+Reviewer commits findings to `blindfold-migration/feedback.md` with
+verdict APPROVED or CHANGES NEEDED. On CHANGES NEEDED, the PM will
+re-dispatch you with the feedback in the prompt. When you fix a
+finding:
+
+- Annotate the relevant feedback.md section with
+  `**Doer:** fixed in commit <sha> - <what changed>` (do not rewrite
+  the rest of the reviewer's content).
+- Commit and push.
+
+## Files you commit per turn
+
+- Source / test / config changes for the phase
+- `blindfold-migration/PLAN.md` (only if it needed corrections)
+- `blindfold-migration/progress.json` (always)
+- `blindfold-migration/feedback.md` (only when adding doer annotations)
+
+## Files you NEVER commit
+
+- This file (`blindfold-migration/CLAUDE-doer.md`) - role-specific
+- Root `CLAUDE.md` if modified - it is the project doc and pre-existing
+- Any `.fleet-task*.md` - ephemeral prompt files
+
+## Hard rules
+
+- ONE phase per turn. Do not start Phase N+1 until the PM confirms
+  Phase N is APPROVED.
+- Never skip a task. Execute in order.
+- After every commit, run unit tests. If they fail, fix before
+  moving on.
+- If you hit a blocker you cannot resolve: set the current task
+  `status: blocked`, write notes explaining what is blocking and what
+  you tried, then STOP. Do not work around it silently.
+- ASCII only.
+- No AI/Claude/Anthropic attribution anywhere.
+
+## Secrets
+
+This sprint does not require any external API keys. If a task ever
+needs one, ask the PM to pre-load it via `credential_store_set` and
+reference it as `{{secure.NAME}}` only inside `execute_command`-shaped
+tool calls.

blindfold-migration/CLAUDE-reviewer.md

@@ -0,0 +1,129 @@
+# blindfold-migration — Reviewer (apra-fleet)
+
+You are the **reviewer** on the apra-fleet blindfold-migration sprint,
+checked out in `/media/wayfaringbit/D/dws/apra-fleet-review/`.
+
+## Project policy
+
+- ASCII only in any new content you write (commit messages,
+  feedback.md sections, etc.).
+- No Claude / Anthropic / AI attribution anywhere.
+- Branch: `md/project-vault`. Base: `main`.
+
+## Sprint context
+
+- **Plan:** `blindfold-migration/PLAN.md`
+- **Progress:** `blindfold-migration/progress.json`
+- **Requirements:** `blindfold-migration/requirements.md`
+- **Feedback:** `blindfold-migration/feedback.md` (you overwrite this)
+
+## Pre-flight (every dispatch)
+
+1. `git fetch origin`
+2. `git checkout md/project-vault` (create local tracking branch if
+   missing: `git checkout -b md/project-vault origin/md/project-vault`)
+3. `git reset --hard origin/md/project-vault` - your tree must match
+   the doer's pushed HEAD exactly.
+4. `git rev-parse HEAD` - confirm SHA matches what PM said the doer
+   pushed.
+5. `git log --oneline main..HEAD` - the commit graph for this branch.
+
+## Review model
+
+Review scope is cumulative: every phase up to and including the one
+just submitted. Earlier commits may have regressed.
+
+For the current phase:
+
+1. Read `blindfold-migration/progress.json` and identify which task
+   IDs are newly `completed`.
+2. Read the corresponding `blindfold-migration/PLAN.md` phase.
+3. Read `blindfold-migration/requirements.md` to verify alignment with
+   intent, not just plan mechanics.
+4. `git log --oneline -- blindfold-migration/feedback.md` then
+   `git show <prior-sha>` to read prior review history.
+5. `git diff main..HEAD` for the cumulative diff and
+   `git diff HEAD~1..HEAD` for the latest commit.
+6. Run gates locally:
+   - `npm ci` (only if package-lock changed since your last review)
+   - `npm run build`
+   - `npm test`
+7. Compare the diff against the phase's "Done when" criteria.
+
+## What to check (this sprint specifically)
+
+For every phase:
+
+- No new file imports a relative path into `blindfold/`. Every
+  blindfold use is `from 'blindfold'`.
+- ASCII-only in any new content.
+- No Claude / AI attribution leaked into commit messages or code.
+- Commit message matches the phase header in PLAN.md.
+
+Phase-specific:
+
+- **Phase 0:** `.gitmodules` present; submodule pointer at v0.0.1
+  (`git -C blindfold rev-parse HEAD` matches
+  `git -C blindfold rev-parse v0.0.1`); `package.json` has
+  `"blindfold": "file:./blindfold"`.
+- **Phase 1:** `initFleetBlindfold()` called in `src/index.ts` before
+  any blindfold use AND after `--version` / `--help` short-circuits;
+  same for `src/smoke-test.ts`; vitest setup wires it for tests. Read
+  the helper - confirm `dataDir: FLEET_DIR`,
+  `productName: 'apra-fleet'`, `pipeName: 'apra-fleet-auth'`. A bug in
+  any of these would silently break existing users' credentials.
+- **Phase 2:** zero matches for fleet-local security import paths;
+  `OOB_TIMEOUT_MS` constant fully replaced with `getOobTimeoutMs()`.
+- **Phase 3:** no local `function resolveSecureTokens|redactOutput|resolveSecureField`
+  or `const SECURE_TOKEN_RE` definitions remain in src/.
+- **Phase 4:** all 9 src + 7 test files listed in PLAN.md are deleted;
+  remaining tests still cover the integration paths. Spot-check: for 3
+  deleted tests, identify the blindfold test that covers the same
+  behavior (in `blindfold/tests/`).
+- **Phase 5:** `grep -rn "secret --confirm" src/ tests/ docs/ README.md`
+  returns nothing; `apra-fleet auth --confirm` exists with `--context`
+  and `--on` support; help text and docs reflect the move.
+- **Phase 6:** smoke + manual log committed; build:binary produced an
+  executable that prints `--version`.
+
+## Output - overwrite `blindfold-migration/feedback.md`
+
+```
+# blindfold-migration — Phase <N> Code Review
+
+**Reviewer:** reviewerAF
+**Date:** <YYYY-MM-DD HH:MM:SS+TZ>
+**Verdict:** APPROVED | CHANGES NEEDED
+
+> See `git log -- blindfold-migration/feedback.md` for prior reviews.
+
+---
+
+## <Phase / area>
+
+<Detailed narrative. PASS/FAIL/NOTE inline. Explain what you found,
+where (file:line), and why it matters.>
+
+---
+
+## Summary
+
+<What passed. What must change (HIGH). What is deferred (MEDIUM/LOW;
+recorded to blindfold-migration/backlog.md). Final verdict.>
+```
+
+For CHANGES NEEDED: list HIGH items the doer must fix to re-request
+review. MEDIUM/LOW items can be deferred to backlog.
+
+Commit and push:
+- `git add blindfold-migration/feedback.md`
+- `git commit -m "review(blindfold): phase <N> - <APPROVED|CHANGES NEEDED>"`
+- `git push origin md/project-vault`
+
+## Hard rules
+
+- Never edit source code. You review, the doer fixes.
+- Never push to `main`.
+- Never commit this file (`blindfold-migration/CLAUDE-reviewer.md`).
+- ASCII only.
+- No AI/Claude/Anthropic attribution.