diff --git a/package.json b/package.json
index a656bfa..f358380 100644
--- a/package.json
+++ b/package.json
@@ -40,10 +40,12 @@
"typecheck": "tsc -p tsconfig.json --noEmit",
"lint": "npm run typecheck",
"lint:public-surface": "node scripts/public-surface-check.mjs",
+ "secret-sweep": "bash scripts/secret-sweep.sh",
+ "check:release": "npm run typecheck && npm test && npm run lint:public-surface && npm run secret-sweep",
"pretest": "npm run build",
"test": "tsx --test",
"start": "node dist/cli.js",
- "prepublishOnly": "npm run lint && npm run lint:public-surface && npm test",
+ "prepublishOnly": "npm run check:release",
"prepare": "npm run build"
},
"dependencies": {
diff --git a/scripts/secret-sweep.sh b/scripts/secret-sweep.sh
new file mode 100755
index 0000000..d993f87
--- /dev/null
+++ b/scripts/secret-sweep.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+root="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)"
+
+capture_hits="$(
+ find "$root" \
+ -type f \
+ \( \
+ -name '*.har' -o \
+ -name '*.har.gz' -o \
+ -name '*.trace' -o \
+ -name '*.trace.json' -o \
+ -name 'storage-state.json' -o \
+ -name 'cookies.txt' -o \
+ -name 'cookies.json' -o \
+ -name '*.session.json' \
+ \) \
+ -not -path '*/.git/*' \
+ -not -path '*/node_modules/*' \
+ -not -path '*/dist/*' \
+ -not -path '*/coverage/*' \
+ -not -path '*/.next/*' \
+ -not -path '*/.firecrawl/*' \
+ -print 2>/dev/null | sort -u
+)"
+
+secret_pattern='(FATHOM_API_KEY=[^[:space:]]{16,}|AQ\.[A-Za-z0-9._-]{20,}|eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-_]{20,}|gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,}|sk_(live|test|proj)_[A-Za-z0-9]{16,}|xox[baporsc]-[A-Za-z0-9-]{10,}|ya29\.[A-Za-z0-9\-_]+)'
+
+secret_hits="$(
+ rg -n \
+ --hidden \
+ --glob '!**/.git/**' \
+ --glob '!**/node_modules/**' \
+ --glob '!**/dist/**' \
+ --glob '!**/coverage/**' \
+ --glob '!**/.next/**' \
+ --glob '!**/.firecrawl/**' \
+ --glob '!**/.env' \
+ --glob '!**/.env.*' \
+ --glob '!**/*.min.*' \
+ --glob '!scripts/secret-sweep.sh' \
+ --glob '!scripts/public-surface-check.mjs' \
+ "$secret_pattern" \
+ "$root" 2>/dev/null || true
+)"
+
+exit_code=0
+
+if [ -n "$capture_hits" ]; then
+ exit_code=1
+ printf 'Suspicious capture files:\n%s\n\n' "$capture_hits"
+fi
+
+if [ -n "$secret_hits" ]; then
+ exit_code=1
+ printf 'Secret-like strings:\n%s\n\n' "$secret_hits"
+fi
+
+if [ "$exit_code" -eq 0 ]; then
+ printf 'No suspicious captures or secret-like strings found in %s\n' "$root"
+fi
+
+exit "$exit_code"
diff --git a/skills/fathom/agents/openai.yaml b/skills/fathom/agents/openai.yaml
index acedbdb..b68c199 100644
--- a/skills/fathom/agents/openai.yaml
+++ b/skills/fathom/agents/openai.yaml
@@ -1,8 +1,10 @@
interface:
display_name: "Fathom"
short_description: "List, search, and export Fathom meetings via the official API."
+ icon_small: "./assets/fathom-small.svg"
+ icon_large: "./assets/fathom.svg"
+ brand_color: "#2563EB"
default_prompt: "Use $fathom to inspect meetings, fetch transcripts and summaries, and export filtered results."
policy:
allow_implicit_invocation: true
-
diff --git a/skills/fathom/assets/fathom-small.svg b/skills/fathom/assets/fathom-small.svg
new file mode 100644
index 0000000..97847d8
--- /dev/null
+++ b/skills/fathom/assets/fathom-small.svg
@@ -0,0 +1,3 @@
+
diff --git a/skills/fathom/assets/fathom.svg b/skills/fathom/assets/fathom.svg
new file mode 100644
index 0000000..8609f24
--- /dev/null
+++ b/skills/fathom/assets/fathom.svg
@@ -0,0 +1,9 @@
+