From b741354dd83c1bdf0ca72e1ae8c99f9ccbcfdf1c Mon Sep 17 00:00:00 2001
From: Bryan Ramos <bryan@ramos.codes>
Date: Thu, 2 Apr 2026 07:48:47 -0400
Subject: [PATCH] fix: resolve critical issues in install.sh, settings.json,
 and worker-protocol
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- install.sh: replace unreachable $? check with `if !` pattern (set -e
  exits before the check runs on Windows mklink failure)
- settings.json: remove fragile Bash deny patterns that can't match across
  path separators; broaden .env denies to recursive **/.env with Read/Write/Edit
- worker-protocol: align QA instruction with qa-checklist — qa_check goes in
  frontmatter envelope, not as a prose line
---
 install.sh                      |  6 ++----
 settings.json                   | 12 ++++++------
 skills/worker-protocol/SKILL.md |  2 +-
 3 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/install.sh b/install.sh
index 50fbf87..3e1a41c 100755
--- a/install.sh
+++ b/install.sh
@@ -62,8 +62,7 @@ create_symlink() {
         local win_dst
         win_src="$(cygpath -w "$src")"
         win_dst="$(cygpath -w "$dst")"
-        cmd //c "mklink /D \"$win_dst\" \"$win_src\"" > /dev/null 2>&1
-        if [ $? -ne 0 ]; then
+        if ! cmd //c "mklink /D \"$win_dst\" \"$win_src\"" > /dev/null 2>&1; then
             echo "ERROR: mklink failed for $name."
             echo "On Windows, enable Developer Mode (Settings > Update & Security > For Developers)"
             echo "or run this script as Administrator."
@@ -104,8 +103,7 @@ create_file_symlink() {
         local win_dst
         win_src="$(cygpath -w "$src")"
         win_dst="$(cygpath -w "$dst")"
-        cmd //c "mklink \"$win_dst\" \"$win_src\"" > /dev/null 2>&1
-        if [ $? -ne 0 ]; then
+        if ! cmd //c "mklink \"$win_dst\" \"$win_src\"" > /dev/null 2>&1; then
             echo "ERROR: mklink failed for $name."
             echo "On Windows, enable Developer Mode (Settings > Update & Security > For Developers)"
             echo "or run this script as Administrator."
diff --git a/settings.json b/settings.json
index ce0414e..3e584c6 100644
--- a/settings.json
+++ b/settings.json
@@ -19,18 +19,18 @@
       "Read(~/.ssh/**)",
       "Read(~/.aws/**)",
       "Read(~/.gnupg/**)",
-      "Read(./.env)",
-      "Read(./.env.*)",
+      "Read(**/.env)",
+      "Read(**/.env.*)",
       "Write(~/.ssh/**)",
       "Write(~/.aws/**)",
       "Write(~/.gnupg/**)",
+      "Write(**/.env)",
+      "Write(**/.env.*)",
       "Edit(~/.ssh/**)",
       "Edit(~/.aws/**)",
       "Edit(~/.gnupg/**)",
-      "Bash(*.ssh/*)",
-      "Bash(*.aws/*)",
-      "Bash(*.gnupg/*)",
-      "Bash(*.env*)"
+      "Edit(**/.env)",
+      "Edit(**/.env.*)"
     ],
     "ask": [
       "Bash(rm *)",
diff --git a/skills/worker-protocol/SKILL.md b/skills/worker-protocol/SKILL.md
index 2789162..b2a4581 100644
--- a/skills/worker-protocol/SKILL.md
+++ b/skills/worker-protocol/SKILL.md
@@ -41,7 +41,7 @@ Produce the assigned deliverable. Accurately. Completely. Nothing more.
 
 ## Self-QA
 
-Before returning your output, run the `qa-checklist` skill against your work. Fix any issues you find — don't just note them. Your Self-Assessment must include the `QA self-check: pass/fail` line. If you can't pass your own QA, flag what remains and why.
+Before returning your output, run the `qa-checklist` skill against your work. Fix any issues you find — don't just note them. Set `qa_check: pass` or `qa_check: fail` in your frontmatter envelope. If you can't pass your own QA, flag what remains and why in your Self-Assessment.
 
 ## Cost sensitivity