@avesta-hq/prevention 0.4.1 → 0.6.0-pre.3

package/.claude/agents/avesta-acceptance-stage.md

@@ -2,8 +2,8 @@
 name: avesta-acceptance-stage
 description: Set up acceptance stage workflow with version-based test execution
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 30
+initialPrompt: "FIRST: Call avesta_get_prompt(\"acceptance-stage\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-acceptance-stage

package/.claude/agents/avesta-acceptance-writer.md

@@ -2,8 +2,9 @@
 name: avesta-acceptance-writer
 description: Write Executable Specifications in problem-domain language
 model: inherit
-tools: Read, Write, Edit, Glob, Grep
+disallowedTools: Bash
 maxTurns: 25
+initialPrompt: "FIRST: Call avesta_get_prompt(\"acceptance-writer\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-acceptance-writer

package/.claude/agents/avesta-bug-fixer.md

@@ -2,8 +2,8 @@
 name: avesta-bug-fixer
 description: Bug fix workflow - reproduce, failing test, fix, verify
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 30
+initialPrompt: "FIRST: Call avesta_get_prompt(\"bug-fixer\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-bug-fixer

package/.claude/agents/avesta-commit-stage.md

@@ -2,8 +2,8 @@
 name: avesta-commit-stage
 description: Set up commit stage CI/CD pipeline with test pyramid enforcement
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 30
+initialPrompt: "FIRST: Call avesta_get_prompt(\"commit-stage\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-commit-stage

package/.claude/agents/avesta-dependency-reviewer.md

@@ -2,8 +2,9 @@
 name: avesta-dependency-reviewer
 description: Review dependencies and generate gradual update plan
 model: inherit
-tools: Read, Bash, Glob, Grep
+disallowedTools: Write, Edit
 maxTurns: 20
+initialPrompt: "FIRST: Call avesta_get_prompt(\"dependency-reviewer\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-dependency-reviewer

package/.claude/agents/avesta-driver-builder.md

@@ -2,8 +2,8 @@
 name: avesta-driver-builder
 description: Implement Protocol Driver for acceptance tests
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 30
+initialPrompt: "FIRST: Call avesta_get_prompt(\"driver-builder\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-driver-builder

package/.claude/agents/avesta-dsl-builder.md

@@ -2,8 +2,9 @@
 name: avesta-dsl-builder
 description: Implement Domain Specific Language for acceptance tests
 model: inherit
-tools: Read, Write, Edit, Glob, Grep
+disallowedTools: Bash
 maxTurns: 25
+initialPrompt: "FIRST: Call avesta_get_prompt(\"dsl-builder\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-dsl-builder

package/.claude/agents/avesta-enhancer.md

@@ -2,8 +2,8 @@
 name: avesta-enhancer
 description: Enhancement workflow - plan, ATDD, TDD, driver, review
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 30
+initialPrompt: "FIRST: Call avesta_get_prompt(\"enhancer\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-enhancer

package/.claude/agents/avesta-green.md

@@ -2,8 +2,8 @@
 name: avesta-green
 description: TDD Green Phase - Write MINIMAL code to pass the failing test
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 25
+initialPrompt: "FIRST: Call avesta_get_prompt(\"green\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-green

package/.claude/agents/avesta-layer-worker.md

@@ -2,8 +2,8 @@
 name: avesta-layer-worker
 description: Implement a single Clean Architecture layer with TDD (all tests first, then all code)
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 30
+initialPrompt: "FIRST: Call avesta_get_prompt(\"layer-worker\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-layer-worker

package/.claude/agents/avesta-layer.md

@@ -2,8 +2,8 @@
 name: avesta-layer
 description: Implement a full layer - all tests first, then all production code
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 50
+initialPrompt: "FIRST: Call avesta_get_prompt(\"layer\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-layer

package/.claude/agents/avesta-mutation-tester.md

@@ -2,8 +2,9 @@
 name: avesta-mutation-tester
 description: Analyze test effectiveness with mutation testing patterns
 model: inherit
-tools: Read, Bash, Glob, Grep
+disallowedTools: Write, Edit
 maxTurns: 25
+initialPrompt: "FIRST: Call avesta_get_prompt(\"mutation-tester\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-mutation-tester

package/.claude/agents/avesta-planner.md

@@ -2,8 +2,9 @@
 name: avesta-planner
 description: Create implementation plans using Example Mapping and behavioral analysis
 model: inherit
-tools: Read, Write, Edit, Glob, Grep
+disallowedTools: Bash
 maxTurns: 30
+initialPrompt: "FIRST: Call avesta_get_prompt(\"planner\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-planner

package/.claude/agents/avesta-red.md

@@ -2,8 +2,8 @@
 name: avesta-red
 description: TDD Red Phase - Write ONE failing test
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 25
+initialPrompt: "FIRST: Call avesta_get_prompt(\"red\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-red

package/.claude/agents/avesta-refactorer.md

@@ -2,8 +2,8 @@
 name: avesta-refactorer
 description: TDD Refactor Phase - Improve code structure while keeping tests green
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 25
+initialPrompt: "FIRST: Call avesta_get_prompt(\"refactorer\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-refactorer

package/.claude/agents/avesta-release-stage.md

@@ -2,8 +2,8 @@
 name: avesta-release-stage
 description: Set up release stage CI/CD pipeline with contract verification
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 30
+initialPrompt: "FIRST: Call avesta_get_prompt(\"release-stage\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-release-stage

package/.claude/agents/avesta-reviewer.md

@@ -2,8 +2,9 @@
 name: avesta-reviewer
 description: Review code for XP/CD best practices and Clean Architecture
 model: inherit
-tools: Read, Glob, Grep
+disallowedTools: Write, Edit, Bash
 maxTurns: 20
+initialPrompt: "FIRST: Call avesta_get_prompt(\"reviewer\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-reviewer

package/.claude/agents/avesta-scaffolder.md

@@ -2,8 +2,9 @@
 name: avesta-scaffolder
 description: Scaffold project structure, dependencies, and config files
 model: haiku
-tools: Read, Write, Bash, Glob
+disallowedTools: Edit
 maxTurns: 15
+initialPrompt: "FIRST: Call avesta_get_prompt(\"scaffolder\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-scaffolder

package/.claude/agents/avesta-tech-debt-assessor.md

@@ -2,8 +2,8 @@
 name: avesta-tech-debt-assessor
 description: Tech debt workflow - approval tests, refactor, verify
 model: inherit
-tools: Read, Write, Edit, Bash, Glob, Grep
 maxTurns: 30
+initialPrompt: "FIRST: Call avesta_get_prompt(\"tech-debt-assessor\") to load your instructions — include project_type in context. Then call avesta_get_skill for EVERY skill in skills_to_load with _source=workflow. File writes are BLOCKED by the PreToolUse hook until all skills are loaded."
 ---
 
 # avesta-tech-debt-assessor

package/.claude/commands/avesta-layer.md

@@ -8,13 +8,13 @@ If blocked: Show the `error_message` to the user and stop.
 
 If `gate_check.allowed` is true, orchestrate per-layer workers:
 
-1. **Parse arguments** from `$ARGUMENTS`:
+1. **Parse arguments and dispatch response**:
    - **Layer(s)**: If a specific layer is named (`domain`, `application`, `infrastructure`, `presentation`), implement only that layer. If `all` or no layer specified, implement all four in order: domain, application, infrastructure, presentation.
-   - **Project type**: If `backend` or `frontend` is specified, use it. Default: `backend`.
+   - **Project type**: Use the `project_type` field from the dispatch response. This comes from the workflow state and reflects what the user set during `/avesta-init`. Do NOT default to backend — always use the dispatch response value.
 
 2. **For each layer** (in the determined order), spawn a subagent:
    - Use the `avesta-layer-worker` agent
-   - Pass a structured prompt: `"LAYER: <layer_name>\nPROJECT_TYPE: <project_type>\nFEATURE: $ARGUMENTS"`
+   - Pass a structured prompt: `"LAYER: <layer_name>\nPROJECT_TYPE: <project_type from dispatch>\nFEATURE: $ARGUMENTS"`
    - Wait for the worker to complete before starting the next layer
    - After each worker completes, briefly report which layer finished and how many tests passed
 

package/CLAUDE.md

@@ -68,7 +68,7 @@
 
 ## MCP Server Integration
 
-This project uses Prevention as an MCP server with 15 tools, 26 agents, and 34 skills that provide all methodology knowledge (TDD, Clean Architecture, test pyramid, CI/CD, etc.) on demand.
+This project uses Prevention as two MCP servers: a local server (12 tools for workflow orchestration) and a remote server (3 tools for content delivery — skills, prompts, catalog).
 
 **When starting work:**
 
@@ -76,10 +76,13 @@ This project uses Prevention as an MCP server with 15 tools, 26 agents, and 34 s
 2. The workflow tracks your phase (vision → plan → atdd → tdd → review → ship)
 3. Gates enforce that prerequisites are met before advancing
 
-**Key tools:**
+**Key tools (local):**
 
 - `avesta_get_status` — Current phase, gates, next action
 - `avesta_dispatch` — Route tasks to the right workflow step
+
+**Key tools (remote — `prevention-content`):**
+
 - `avesta_get_catalog` — All available commands and skills
 - `avesta_get_skill` — Deep knowledge on any practice (testing, architecture, CI/CD)
 

package/bin/cli.js

@@ -16,9 +16,11 @@ Commands:
   init                   First-time setup: commands, agents, MCP server, hooks, CLAUDE.md
   update                 Update everything to latest version (commands, agents, MCP server, hooks)
   serve                  Start the MCP server (used by Claude Code)
+  test-local [dir]       Set up a project to use local source (no npm publish needed)
   session-start          Output session context (used by SessionStart hook)
   hook pre-tool-use      Workflow enforcement hook (blocks unauthorized edits)
   hook prompt-submit     Context injection hook (injects workflow state)
+  hook subagent-start    Skill-loading injection hook (fires when agents spawn)
 
 Examples:
   cd my-project
@@ -44,6 +46,9 @@ switch (command) {
   case 'serve':
     require('./lib/init').serve();
     break;
+  case 'test-local':
+    require('./lib/test-local').testLocal(args[1]);
+    break;
   case 'session-start':
     require('./lib/session-start').sessionStart();
     break;
@@ -55,6 +60,9 @@ switch (command) {
       case 'prompt-submit':
         require('./lib/hooks').hookPromptSubmit();
         break;
+      case 'subagent-start':
+        require('./lib/hooks').hookSubagentStart();
+        break;
       default:
         console.error(`Unknown hook: ${args[1]}`);
         process.exit(1);

package/bin/lib/hooks.js

@@ -109,6 +109,14 @@ function extractBashWriteContent(command) {
 
 // ── PreToolUse Hook ───────────────────────────────────────────────
 
+function readWorkflowState(cwd) {
+  const statePath = path.join(cwd, '.avesta', 'workflow-state.json');
+  if (!fs.existsSync(statePath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(statePath, 'utf-8'));
+  } catch { return null; }
+}
+
 function hookPreToolUse() {
   try {
     const data = JSON.parse(fs.readFileSync(0, 'utf8'));
@@ -187,6 +195,22 @@ function hookPreToolUse() {
         }
       }
 
+      // State-based fallback: block git commit/push when policy is missing
+      // but workflow state exists (e.g., policy file deleted or stale)
+      if (!policy && /\bgit\s+(commit|push)\b/.test(command)) {
+        const state = readWorkflowState(cwd);
+        // Bypass for scaffold, spike, or idle (no feature in progress)
+        const bypass = state?.needs_scaffold || state?.mode === 'spike' || state?.current_phase === 'idle';
+        if (state && !bypass && !state.gates?.review_approved) {
+          const verb = /\bgit\s+commit\b/.test(command) ? 'commit' : 'push';
+          process.stderr.write(
+            `⛔ Prevention: Cannot ${verb} without completing code review.\n` +
+            `Run /avesta-code-review first.\n`
+          );
+          process.exit(2);
+        }
+      }
+
       // Secret scanning for Bash commands that write file content
       const inlineContent = extractBashWriteContent(command);
       if (inlineContent) {
@@ -226,8 +250,13 @@ function hookPromptSubmit() {
       process.exit(0);
     }
 
-    if (policy.prompt_context) {
-      process.stdout.write(JSON.stringify({ additionalContext: policy.prompt_context }));
+    const parts = [];
+    if (policy.prompt_context) parts.push(policy.prompt_context);
+    if (policy.project_type) parts.push(`Project type: ${policy.project_type}`);
+    if (policy.current_agent) parts.push(`Active agent: avesta-${policy.current_agent}`);
+
+    if (parts.length > 0) {
+      process.stdout.write(JSON.stringify({ additionalContext: parts.join(' | ') }));
     }
     process.exit(0);
   } catch {
@@ -235,4 +264,55 @@ function hookPromptSubmit() {
   }
 }
 
-module.exports = { hookPreToolUse, hookPromptSubmit };
+// ── SubagentStart Hook ───────────────────────────────────────────
+
+function hookSubagentStart() {
+  try {
+    const data = JSON.parse(fs.readFileSync(0, 'utf8'));
+    const { agent_type, cwd = process.cwd() } = data;
+
+    if (!agent_type) {
+      process.exit(0);
+    }
+
+    // Read workflow state to get project_type and current agent's required skills
+    const statePath = path.join(cwd, '.avesta', 'workflow-state.json');
+    if (!fs.existsSync(statePath)) {
+      process.exit(0);
+    }
+
+    let state;
+    try {
+      state = JSON.parse(fs.readFileSync(statePath, 'utf-8'));
+    } catch {
+      process.exit(0);
+    }
+
+    const requiredSkills = state.required_skills_for_agent || [];
+    if (requiredSkills.length === 0) {
+      // Agent has no skills to load (committer, shipper, etc.)
+      process.exit(0);
+    }
+
+    const projectType = state.project?.type || 'backend';
+    const agentName = state.current_agent || agent_type.replace(/^avesta-/, '');
+
+    process.stdout.write(JSON.stringify({
+      hookSpecificOutput: {
+        hookEventName: "SubagentStart",
+        additionalContext:
+          `[Prevention] MANDATORY — Skills must be loaded before writing any files.\n` +
+          `The PreToolUse hook will BLOCK all file writes until skills are loaded.\n` +
+          `1. Call avesta_get_prompt("${agentName}", { context: { project_type: "${projectType}" } })\n` +
+          `2. Call avesta_get_skill for EVERY skill in skills_to_load with _source="workflow"\n` +
+          `Required skills (${requiredSkills.length}): ${requiredSkills.join(', ')}\n` +
+          `Project type: ${projectType}`
+      }
+    }));
+    process.exit(0);
+  } catch {
+    process.exit(0); // Fail-open
+  }
+}
+
+module.exports = { hookPreToolUse, hookPromptSubmit, hookSubagentStart };

package/bin/lib/settings.js

@@ -87,6 +87,7 @@ function configureEnforcementHooks(targetDir) {
 
   const preToolUseCmd = findCliCommand('hook pre-tool-use');
   const promptSubmitCmd = findCliCommand('hook prompt-submit');
+  const subagentStartCmd = findCliCommand('hook subagent-start');
 
   // PreToolUse: remove old prevention hooks, add fresh ones
   const existing = (settings.hooks.PreToolUse || []).filter(entry =>
@@ -108,8 +109,17 @@ function configureEnforcementHooks(targetDir) {
     settings.hooks.UserPromptSubmit = promptHooks;
   }
 
+  // SubagentStart: inject skill-loading context when agents spawn
+  const subagentHooks = (settings.hooks.SubagentStart || []).filter(entry =>
+    !(entry.hooks && entry.hooks.some(h => h.command && h.command.includes('prevention hook')))
+  );
+  subagentHooks.push(
+    { matcher: '', hooks: [{ type: 'command', command: subagentStartCmd }] },
+  );
+  settings.hooks.SubagentStart = subagentHooks;
+
   writeSettings(targetDir, settings);
-  console.log('  ✓ Configured workflow enforcement hooks (PreToolUse, UserPromptSubmit)');
+  console.log('  ✓ Configured workflow enforcement hooks (PreToolUse, UserPromptSubmit, SubagentStart)');
 }
 
 function configureStatusLine(targetDir) {
@@ -121,7 +131,7 @@ function configureStatusLine(targetDir) {
   writeSettings(targetDir, settings);
 }
 
-function configureMcpServer(targetDir, binaryPath) {
+function configureMcpServer(targetDir, binaryPath, options = {}) {
   const mcpJsonPath = path.join(targetDir, '.mcp.json');
   let mcpConfig = {};
   if (fs.existsSync(mcpJsonPath)) {
@@ -130,11 +140,51 @@ function configureMcpServer(targetDir, binaryPath) {
 
   if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {};
 
-  if (binaryPath) {
-    mcpConfig.mcpServers['prevention'] = { command: path.resolve(binaryPath) };
+  // Local MCP server: workflow orchestration tools
+  // Pass through API/MCP URLs so the server process can reach them
+  const env = {};
+  if (process.env.AVESTA_API_URL) env.AVESTA_API_URL = process.env.AVESTA_API_URL;
+  if (process.env.AVESTA_MCP_URL) env.AVESTA_MCP_URL = process.env.AVESTA_MCP_URL;
+  const hasEnv = Object.keys(env).length > 0;
+
+  if (options.localSource) {
+    // Dev mode: run from source via tsx
+    const entry = { command: 'npx', args: ['tsx', options.localSource] };
+    if (hasEnv) entry.env = env;
+    mcpConfig.mcpServers['prevention'] = entry;
+  } else if (binaryPath) {
+    const entry = { command: path.resolve(binaryPath) };
+    if (hasEnv) entry.env = env;
+    mcpConfig.mcpServers['prevention'] = entry;
   } else {
-    mcpConfig.mcpServers['prevention'] = { command: 'npx', args: ['@avesta-hq/prevention', 'serve'] };
+    const entry = { command: 'npx', args: ['@avesta-hq/prevention', 'serve'] };
+    if (hasEnv) entry.env = env;
+    mcpConfig.mcpServers['prevention'] = entry;
+  }
+
+  // Remote MCP server: content delivery (skills, prompts, catalog)
+  // Pre-populate auth token from existing session if available
+  const remoteUrl = process.env.AVESTA_MCP_URL || 'https://prevention-production.up.railway.app/mcp';
+  const existingRemote = mcpConfig.mcpServers['prevention-content'];
+  const existingToken = existingRemote?.headers?.Authorization;
+  let authToken = existingToken || '';
+  if (!authToken) {
+    try {
+      const sessionPath = path.join(require('os').homedir(), '.avesta', 'session.json');
+      if (fs.existsSync(sessionPath)) {
+        const session = JSON.parse(fs.readFileSync(sessionPath, 'utf8'));
+        if (session.access_token) {
+          authToken = `Bearer ${session.access_token}`;
+        }
+      }
+    } catch {}
   }
+  const headers = authToken ? { Authorization: authToken } : {};
+  mcpConfig.mcpServers['prevention-content'] = {
+    type: 'http',
+    url: remoteUrl,
+    headers,
+  };
 
   fs.writeFileSync(mcpJsonPath, JSON.stringify(mcpConfig, null, 2) + '\n');
 }

package/bin/lib/test-local.js

@@ -0,0 +1,125 @@
+#!/usr/bin/env node
+/**
+ * Local Testing Setup
+ *
+ * Sets up a target project to use the local Prevention source code
+ * instead of the published npm package. Copies agents, commands,
+ * configures hooks, and points MCP server at local source.
+ *
+ * Usage:
+ *   cd ~/Projects/my-test-project
+ *   node ~/Projects/cd-agent/bin/lib/test-local.js
+ *
+ * Or via CLI:
+ *   node ~/Projects/cd-agent/bin/cli.js test-local [target-dir]
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const { PACKAGE_ROOT, COMMANDS_DIR, AGENTS_DIR, AVESTA_DIR, copyDir, getVersion } = require('./utils');
+const {
+  configureMcpServer,
+  configureSessionStartHook,
+  configureEnforcementHooks,
+  configureStatusLine,
+  ensureClaudeMdSection,
+} = require('./settings');
+
+function testLocal(targetDir) {
+  targetDir = targetDir || process.cwd();
+  const cdAgentRoot = PACKAGE_ROOT;
+
+  console.log(`\n  Setting up local Prevention test environment...`);
+  console.log(`  Source:  ${cdAgentRoot}`);
+  console.log(`  Target:  ${targetDir}\n`);
+
+  // Step 1: Rebuild embedded assets
+  console.log('  [1/6] Rebuilding catalog + embedded assets...');
+  try {
+    execSync('pnpm run prebuild:assets', { cwd: cdAgentRoot, stdio: 'pipe' });
+    console.log('  ✓ Assets rebuilt');
+  } catch (e) {
+    console.error('  ✗ Asset rebuild failed:', e.message);
+    console.error('    Try running manually: cd ' + cdAgentRoot + ' && pnpm run prebuild:assets');
+    process.exit(1);
+  }
+
+  // Step 2: Copy agents + commands
+  console.log('  [2/6] Copying agents and commands...');
+  const claudeDir = path.join(targetDir, '.claude');
+  if (!fs.existsSync(claudeDir)) fs.mkdirSync(claudeDir, { recursive: true });
+
+  if (fs.existsSync(COMMANDS_DIR)) {
+    copyDir(COMMANDS_DIR, path.join(claudeDir, 'commands'));
+  }
+  if (fs.existsSync(AGENTS_DIR)) {
+    copyDir(AGENTS_DIR, path.join(claudeDir, 'agents'));
+  }
+  if (fs.existsSync(AVESTA_DIR)) {
+    copyDir(AVESTA_DIR, path.join(targetDir, '.avesta'));
+  }
+  const commandCount = fs.existsSync(COMMANDS_DIR) ? fs.readdirSync(COMMANDS_DIR).filter(f => f.endsWith('.md')).length : 0;
+  const agentCount = fs.existsSync(AGENTS_DIR) ? fs.readdirSync(AGENTS_DIR).filter(f => f.endsWith('.md')).length : 0;
+  console.log(`  ✓ Copied ${commandCount} commands, ${agentCount} agents`);
+
+  // Step 3: Configure MCP servers (local source + remote content)
+  console.log('  [3/6] Configuring MCP servers (local source + remote content)...');
+  const mcpServerPath = path.join(cdAgentRoot, 'src', 'mcp-server.ts');
+  configureMcpServer(targetDir, null, { localSource: mcpServerPath });
+  console.log(`  ✓ Local MCP server → npx tsx ${mcpServerPath}`);
+  const remoteUrl = process.env.AVESTA_MCP_URL || 'https://prevention-production.up.railway.app/mcp';
+  console.log(`  ✓ Remote MCP server → ${remoteUrl}`);
+
+  // Step 4: Configure hooks (pointing at local CLI)
+  console.log('  [4/6] Configuring hooks...');
+  configureSessionStartHook(targetDir);
+  configureEnforcementHooks(targetDir);
+  configureStatusLine(targetDir);
+  ensureClaudeMdSection(targetDir);
+
+  // Step 5: Write version
+  console.log('  [5/6] Writing version...');
+  const versionFile = path.join(targetDir, '.avesta', 'version.json');
+  const versionDir = path.dirname(versionFile);
+  if (!fs.existsSync(versionDir)) fs.mkdirSync(versionDir, { recursive: true });
+  fs.writeFileSync(versionFile, JSON.stringify({ version: getVersion(), updated_at: new Date().toISOString() }, null, 2));
+  console.log(`  ✓ Version ${getVersion()}`);
+
+  // Step 6: Show result
+  console.log('  [6/6] Verifying setup...');
+  const settings = JSON.parse(fs.readFileSync(path.join(claudeDir, 'settings.json'), 'utf8'));
+  const hookTypes = Object.keys(settings.hooks || {});
+  console.log(`  ✓ Hooks configured: ${hookTypes.join(', ')}`);
+
+  const mcpJsonPath = path.join(targetDir, '.mcp.json');
+  const mcpFinal = JSON.parse(fs.readFileSync(mcpJsonPath, 'utf8'));
+  const mcpCmd = mcpFinal.mcpServers?.prevention?.command || '?';
+  const mcpArgs = (mcpFinal.mcpServers?.prevention?.args || []).join(' ');
+  console.log(`  ✓ Local MCP: ${mcpCmd} ${mcpArgs}`);
+  const remoteEntry = mcpFinal.mcpServers?.['prevention-content'];
+  console.log(`  ✓ Remote MCP: ${remoteEntry?.url || 'not configured'}`);
+
+  console.log(`
+  ✅ Local test environment ready! (v${getVersion()})
+
+  Changes from source at ${cdAgentRoot} are active.
+  No npm publish needed — MCP server runs from source via tsx.
+
+  To test:
+    1. Open Claude Code in ${targetDir}
+    2. Run avesta login to authenticate (connects remote content server)
+    3. Run /avesta-init backend (or frontend)
+    4. Test skill enforcement: /avesta-red should block writes until skills loaded
+    5. Test gate enforcement: git commit should be blocked without review gate
+
+  To revert to published version:
+    node ${path.join(cdAgentRoot, 'bin', 'cli.js')} update
+`);
+}
+
+if (require.main === module) {
+  testLocal(process.argv[2]);
+}
+
+module.exports = { testLocal };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@avesta-hq/prevention",
-  "version": "0.4.1",
+  "version": "0.6.0-pre.3",
   "description": "XP/CD development agent commands for Claude Code - achieve Elite DORA metrics through disciplined TDD and Continuous Delivery practices",
   "keywords": [
     "claude-code",
@@ -16,14 +16,7 @@
   ],
   "author": "Avesta Technologies",
   "license": "UNLICENSED",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/avesta-hq/prevention.git"
-  },
-  "homepage": "https://github.com/avesta-hq/prevention#readme",
-  "bugs": {
-    "url": "https://github.com/avesta-hq/prevention/issues"
-  },
+  "homepage": "https://avestahq.com/prevention",
   "bin": {
     "prevention": "./bin/cli.js"
   },