@bensandee/tooling 0.22.0 → 0.24.0

package/dist/bin.mjs

@@ -7,9 +7,9 @@ import { existsSync, mkdirSync, readFileSync, readdirSync, rmSync, unlinkSync, w
 import JSON5 from "json5";
 import { parse } from "jsonc-parser";
 import { z } from "zod";
+import { FatalError, TransientError, UnexpectedError } from "@bensandee/common";
 import { isMap, isScalar, isSeq, parse as parse$1, parseDocument, stringify } from "yaml";
 import { execSync } from "node:child_process";
-import { FatalError, TransientError, UnexpectedError } from "@bensandee/common";
 import { tmpdir } from "node:os";
 //#region src/types.ts
 const LEGACY_TOOLS = [
@@ -201,7 +201,7 @@ function computeDefaults(targetDir) {
 		setupVitest: !isMonorepo && !detected.hasVitestConfig,
 		ci: detectCiPlatform(targetDir),
 		setupRenovate: true,
-		releaseStrategy: isMonorepo ? "changesets" : "simple",
+		releaseStrategy: "none",
 		projectType: isMonorepo ? "default" : detectProjectType(targetDir),
 		detectPackageTypes: true
 	};
@@ -493,7 +493,8 @@ const DockerCheckConfigSchema = z.object({
 	timeoutMs: z.number().int().positive().optional(),
 	pollIntervalMs: z.number().int().positive().optional()
 });
-const ToolingConfigSchema = z.object({
+const ToolingConfigSchema = z.strictObject({
+	$schema: z.string().optional(),
 	structure: z.enum(["single", "monorepo"]).optional(),
 	useEslintPlugin: z.boolean().optional(),
 	formatter: z.enum(["oxfmt", "prettier"]).optional(),
@@ -524,17 +525,14 @@ const ToolingConfigSchema = z.object({
 	})).optional(),
 	dockerCheck: z.union([z.literal(false), DockerCheckConfigSchema]).optional()
 });
-/** Load saved tooling config from the target directory. Returns undefined if missing or invalid. */
+/** Load saved tooling config from the target directory. Returns undefined if missing, throws on invalid. */
 function loadToolingConfig(targetDir) {
 	const fullPath = path.join(targetDir, CONFIG_FILE);
 	if (!existsSync(fullPath)) return void 0;
-	try {
-		const raw = readFileSync(fullPath, "utf-8");
-		const result = ToolingConfigSchema.safeParse(JSON.parse(raw));
-		return result.success ? result.data : void 0;
-	} catch {
-		return;
-	}
+	const raw = readFileSync(fullPath, "utf-8");
+	const result = ToolingConfigSchema.safeParse(JSON.parse(raw));
+	if (!result.success) throw new FatalError(`Invalid .tooling.json:\n${result.error.issues.map((i) => `  ${i.path.join(".")}: ${i.message}`).join("\n")}`);
+	return result.data;
 }
 /** Config fields that can be overridden in .tooling.json. */
 const OVERRIDE_KEYS = [
@@ -558,7 +556,7 @@ const MONOREPO_IGNORED_KEYS = new Set(["setupVitest", "projectType"]);
 function saveToolingConfig(ctx, config) {
 	const defaults = computeDefaults(config.targetDir);
 	const isMonorepo = config.structure === "monorepo";
-	const overrides = {};
+	const overrides = { $schema: "node_modules/@bensandee/tooling/tooling.schema.json" };
 	for (const key of OVERRIDE_KEYS) {
 		if (isMonorepo && MONOREPO_IGNORED_KEYS.has(key)) continue;
 		if (config[key] !== defaults[key]) overrides[key] = config[key];
@@ -983,7 +981,7 @@ function getAddedDevDepNames(config) {
 	const deps = { ...ROOT_DEV_DEPS };
 	if (config.structure !== "monorepo") Object.assign(deps, PER_PACKAGE_DEV_DEPS);
 	deps["@bensandee/config"] = "0.8.2";
-	deps["@bensandee/tooling"] = "0.22.0";
+	deps["@bensandee/tooling"] = "0.24.0";
 	if (config.formatter === "oxfmt") deps["oxfmt"] = "0.35.0";
 	if (config.formatter === "prettier") deps["prettier"] = "3.8.1";
 	addReleaseDeps(deps, config);
@@ -1008,7 +1006,7 @@ async function generatePackageJson(ctx) {
 	const devDeps = { ...ROOT_DEV_DEPS };
 	if (!isMonorepo) Object.assign(devDeps, PER_PACKAGE_DEV_DEPS);
 	devDeps["@bensandee/config"] = isWorkspacePackage(ctx, "@bensandee/config") ? "workspace:*" : "0.8.2";
-	devDeps["@bensandee/tooling"] = isWorkspacePackage(ctx, "@bensandee/tooling") ? "workspace:*" : "0.22.0";
+	devDeps["@bensandee/tooling"] = isWorkspacePackage(ctx, "@bensandee/tooling") ? "workspace:*" : "0.24.0";
 	if (ctx.config.useEslintPlugin) devDeps["@bensandee/eslint-plugin"] = isWorkspacePackage(ctx, "@bensandee/eslint-plugin") ? "workspace:*" : "0.9.2";
 	if (ctx.config.formatter === "oxfmt") devDeps["oxfmt"] = "0.35.0";
 	if (ctx.config.formatter === "prettier") devDeps["prettier"] = "3.8.1";
@@ -1494,25 +1492,26 @@ function actionsExpr$1(expr) {
 }
 const CI_CONCURRENCY = {
 	group: `ci-${actionsExpr$1("github.ref")}`,
-	"cancel-in-progress": true
+	"cancel-in-progress": actionsExpr$1("github.ref != 'refs/heads/main'")
 };
 function hasEnginesNode$1(ctx) {
 	const raw = ctx.read("package.json");
 	if (!raw) return false;
 	return typeof parsePackageJson(raw)?.engines?.["node"] === "string";
 }
-function ciWorkflow(nodeVersionYaml, isForgejo) {
+function ciWorkflow(nodeVersionYaml, isForgejo, isChangesets) {
 	const emailNotifications = isForgejo ? "\nenable-email-notifications: true\n" : "";
+	const concurrencyBlock = isChangesets ? `
+concurrency:
+  group: ci-${actionsExpr$1("github.ref")}
+  cancel-in-progress: ${actionsExpr$1("github.ref != 'refs/heads/main'")}
+` : "";
 	return `${workflowSchemaComment(isForgejo ? "forgejo" : "github")}name: CI
 ${emailNotifications}on:
   push:
     branches: [main]
   pull_request:
-
-concurrency:
-  group: ci-${actionsExpr$1("github.ref")}
-  cancel-in-progress: true
-
+${concurrencyBlock}
 jobs:
   check:
     runs-on: ubuntu-latest
@@ -1561,6 +1560,10 @@ function requiredCheckSteps(nodeVersionYaml) {
 		}
 	];
 }
+/** Resolve the CI workflow filename based on release strategy. */
+function ciWorkflowPath(ci, releaseStrategy) {
+	return `${ci === "github" ? ".github/workflows" : ".forgejo/workflows"}/${releaseStrategy === "changesets" ? "ci.yml" : "check.yml"}`;
+}
 async function generateCi(ctx) {
 	if (ctx.config.ci === "none") return {
 		filePath: "ci",
@@ -1568,16 +1571,23 @@ async function generateCi(ctx) {
 		description: "CI workflow not requested"
 	};
 	const isGitHub = ctx.config.ci === "github";
+	const isChangesets = ctx.config.releaseStrategy === "changesets";
 	const nodeVersionYaml = hasEnginesNode$1(ctx) ? "node-version-file: package.json" : "node-version: \"24\"";
-	const filePath = isGitHub ? ".github/workflows/ci.yml" : ".forgejo/workflows/ci.yml";
-	const content = ciWorkflow(nodeVersionYaml, !isGitHub);
+	const filePath = ciWorkflowPath(ctx.config.ci, ctx.config.releaseStrategy);
+	const content = ciWorkflow(nodeVersionYaml, !isGitHub, isChangesets);
 	if (ctx.exists(filePath)) {
 		const existing = ctx.read(filePath);
 		if (existing) {
-			const merged = mergeWorkflowSteps(existing, "check", requiredCheckSteps(nodeVersionYaml));
-			const withConcurrency = ensureWorkflowConcurrency(merged.content, CI_CONCURRENCY);
-			const withComment = ensureSchemaComment(withConcurrency.content, isGitHub ? "github" : "forgejo");
-			if (merged.changed || withConcurrency.changed || withComment !== withConcurrency.content) {
+			let result = mergeWorkflowSteps(existing, "check", requiredCheckSteps(nodeVersionYaml));
+			if (isChangesets) {
+				const withConcurrency = ensureWorkflowConcurrency(result.content, CI_CONCURRENCY);
+				result = {
+					content: withConcurrency.content,
+					changed: result.changed || withConcurrency.changed
+				};
+			}
+			const withComment = ensureSchemaComment(result.content, isGitHub ? "github" : "forgejo");
+			if (result.changed || withComment !== result.content) {
 				ctx.write(filePath, withComment);
 				return {
 					filePath,
@@ -2215,7 +2225,7 @@ function buildWorkflow(strategy, ci, nodeVersionYaml, publishesNpm) {
 	}
 }
 function generateChangesetsReleaseCi(ctx, publishesNpm) {
-	const ciPath = ctx.config.ci === "github" ? ".github/workflows/ci.yml" : ".forgejo/workflows/ci.yml";
+	const ciPath = ciWorkflowPath(ctx.config.ci, ctx.config.releaseStrategy);
 	const existing = ctx.read(ciPath);
 	if (!existing) return {
 		filePath: ciPath,
@@ -2589,1638 +2599,1658 @@ async function runGenerators(ctx) {
 	return results;
 }
 //#endregion
-//#region src/generators/migrate-prompt.ts
-/**
-* Generate a context-aware AI migration prompt based on what the CLI did.
-* This prompt can be pasted into Claude Code (or similar) to finish the migration.
-*/
-function generateMigratePrompt(results, config, detected) {
-	const sections = [];
-	sections.push("# Migration Prompt");
-	sections.push("");
-	sections.push("The following prompt was generated by `@bensandee/tooling repo:sync`. Paste it into Claude Code or another AI assistant to finish migrating this repository.");
-	sections.push("");
-	sections.push("> **Tip:** Before starting, run `/init` in Claude Code to generate a `CLAUDE.md` that gives the AI a complete picture of your repository's structure, conventions, and build commands.");
-	sections.push("");
-	sections.push("## What was changed");
-	sections.push("");
-	const created = results.filter((r) => r.action === "created");
-	const updated = results.filter((r) => r.action === "updated");
-	const skipped = results.filter((r) => r.action === "skipped");
-	const archived = results.filter((r) => r.action === "archived");
-	if (created.length > 0) {
-		sections.push("**Created:**");
-		for (const r of created) sections.push(`- \`${r.filePath}\` — ${r.description}`);
-		sections.push("");
-	}
-	if (updated.length > 0) {
-		sections.push("**Updated:**");
-		for (const r of updated) sections.push(`- \`${r.filePath}\` — ${r.description}`);
-		sections.push("");
-	}
-	if (archived.length > 0) {
-		sections.push("**Archived:**");
-		for (const r of archived) sections.push(`- \`${r.filePath}\` — ${r.description}`);
-		sections.push("");
-	}
-	if (skipped.length > 0) {
-		sections.push("**Skipped (review these):**");
-		for (const r of skipped) sections.push(`- \`${r.filePath}\` — ${r.description}`);
-		sections.push("");
-	}
-	sections.push("## Migration tasks");
-	sections.push("");
-	const legacyToRemove = detected.legacyConfigs.filter((legacy) => !(legacy.tool === "prettier" && config.formatter === "prettier"));
-	if (legacyToRemove.length > 0) {
-		sections.push("### Remove legacy tooling");
-		sections.push("");
-		for (const legacy of legacyToRemove) {
-			const replacement = {
-				eslint: "oxlint",
-				prettier: "oxfmt",
-				jest: "vitest",
-				webpack: "tsdown",
-				rollup: "tsdown"
-			}[legacy.tool];
-			sections.push(`- Remove ${legacy.tool} config files (${legacy.files.map((f) => `\`${f}\``).join(", ")}). This project now uses **${replacement}**.`);
-			sections.push(`  - Uninstall ${legacy.tool}-related packages from devDependencies`);
-			if (legacy.tool === "eslint") sections.push("  - Migrate any custom ESLint rules that don't have oxlint equivalents");
-			if (legacy.tool === "jest") sections.push("  - Migrate any jest-specific test utilities (jest.mock, jest.fn) to vitest equivalents (vi.mock, vi.fn)");
-		}
-		sections.push("");
-	}
-	if (archived.length > 0) {
-		sections.push("### Review archived files");
-		sections.push("");
-		sections.push("The following files were modified or replaced. The originals have been saved to `.tooling-archived/`:");
-		sections.push("");
-		for (const r of archived) sections.push(`- \`${r.filePath}\` → \`.tooling-archived/${r.filePath}\``);
-		sections.push("");
-		sections.push("For each archived file, **diff the old version against the new one** and look for features, categories, or modules that were enabled in the original but are missing from the replacement. Focus on broad capability gaps rather than individual rule strictness (in general, being stricter is fine). Examples of what to look for:");
-		sections.push("");
-		sections.push("- **Lint configs**: enabled plugin categories (e.g. `jsx-a11y`, `import`, `react`, `nextjs`), custom `plugins` or `overrides`, file-scoped rule blocks");
-		sections.push("- **TypeScript configs**: compiler features like `jsx`, `paths`, `baseUrl`, or `references` that affect build behavior");
-		sections.push("- **Other configs**: feature flags, custom presets, or integrations that go beyond the default template");
-		sections.push("");
-		sections.push("If the old config had capabilities the new one lacks, port them into the new file. Then:");
-		sections.push("");
-		sections.push("1. If the project previously used `husky` and `lint-staged`, remove them from `devDependencies`");
-		sections.push("2. Delete the `.tooling-archived/` directory when migration is complete");
-		sections.push("");
-	}
-	const oxlintWasSkipped = results.find((r) => r.filePath === "oxlint.config.ts")?.action === "skipped";
-	if (detected.hasLegacyOxlintJson) {
-		sections.push("### Migrate .oxlintrc.json to oxlint.config.ts");
-		sections.push("");
-		sections.push("A new `oxlint.config.ts` has been generated using `defineConfig` from the `oxlint` package. The existing `.oxlintrc.json` needs to be migrated:");
-		sections.push("");
-		sections.push("1. Read `.oxlintrc.json` and compare its `rules` against the rules provided by `@bensandee/config/oxlint/recommended` (check `node_modules/@bensandee/config`). Most standard rules are already included in the recommended config.");
-		sections.push("2. If there are any custom rules, overrides, settings, or `jsPlugins` not covered by the recommended config, add them to `oxlint.config.ts` alongside the `extends`.");
-		sections.push("3. Delete `.oxlintrc.json`.");
-		sections.push("4. Run `pnpm lint` to verify the new config works correctly.");
-		sections.push("");
-	} else if (oxlintWasSkipped && detected.hasOxlintConfig) {
-		sections.push("### Verify oxlint.config.ts includes recommended rules");
-		sections.push("");
-		sections.push("The existing `oxlint.config.ts` was kept as-is. Verify that it extends the recommended config from `@bensandee/config/oxlint`:");
-		sections.push("");
-		sections.push("1. Open `oxlint.config.ts` and check that it imports and extends `@bensandee/config/oxlint/recommended`.");
-		sections.push("2. The expected pattern is:");
-		sections.push("   ```ts");
-		sections.push("   import recommended from \"@bensandee/config/oxlint/recommended\";");
-		sections.push("   import { defineConfig } from \"oxlint\";");
-		sections.push("");
-		sections.push("   export default defineConfig({ extends: [recommended] });");
-		sections.push("   ```");
-		sections.push("3. If it uses a different pattern, update it to extend the recommended config while preserving any project-specific customizations.");
-		sections.push("4. Run `pnpm lint` to verify the config works correctly.");
-		sections.push("");
-	}
-	if (config.structure === "monorepo" && !detected.hasPnpmWorkspace) {
-		sections.push("### Migrate to monorepo structure");
-		sections.push("");
-		sections.push("This project was converted from a single repo to a monorepo. Complete the migration:");
-		sections.push("");
-		sections.push("1. Move existing source into `packages/<name>/` (using the existing package name)");
-		sections.push("2. Split the root `package.json` into a root workspace manifest + package-level `package.json`");
-		sections.push("3. Move the existing `tsconfig.json` into the package and update the root tsconfig with project references");
-		sections.push("4. Create a package-level `tsdown.config.ts` in the new package");
-		sections.push("5. Update any import paths or build scripts affected by the move");
-		sections.push("");
-	}
-	const skippedConfigs = skipped.filter((r) => r.filePath !== "ci" && r.description !== "Not a monorepo");
-	if (skippedConfigs.length > 0) {
-		sections.push("### Review skipped files");
-		sections.push("");
-		sections.push("The following files were left unchanged. Review them for compatibility:");
-		sections.push("");
-		for (const r of skippedConfigs) sections.push(`- \`${r.filePath}\` — ${r.description}`);
-		sections.push("");
+//#region src/release/docker.ts
+const ToolingDockerMapSchema = z.record(z.string(), z.object({
+	dockerfile: z.string(),
+	context: z.string().default(".")
+}));
+const ToolingConfigDockerSchema = z.object({ docker: ToolingDockerMapSchema.optional() });
+const PackageInfoSchema = z.object({
+	name: z.string().optional(),
+	version: z.string().optional()
+});
+/** Read the docker map from .tooling.json. Returns empty record if missing or invalid. */
+function loadDockerMap(executor, cwd) {
+	const configPath = path.join(cwd, ".tooling.json");
+	const raw = executor.readFile(configPath);
+	if (!raw) return {};
+	try {
+		const result = ToolingConfigDockerSchema.safeParse(JSON.parse(raw));
+		if (!result.success || !result.data.docker) return {};
+		return result.data.docker;
+	} catch (_error) {
+		return {};
 	}
-	if (results.some((r) => r.filePath === "test/example.test.ts" && r.action === "created")) {
-		sections.push("### Generate tests");
-		sections.push("");
-		sections.push("A starter test was created at `test/example.test.ts`. Now:");
-		sections.push("");
-		sections.push("1. Review the existing source code in `src/`");
-		sections.push("2. Create additional test files following the starter test's patterns (import style, describe/it structure)");
-		sections.push("3. Focus on edge cases and core business logic");
-		sections.push("4. Aim for meaningful coverage of exported functions and key code paths");
-		sections.push("");
+}
+/** Read name and version from a package's package.json. */
+function readPackageInfo(executor, packageJsonPath) {
+	const raw = executor.readFile(packageJsonPath);
+	if (!raw) return {
+		name: void 0,
+		version: void 0
+	};
+	try {
+		const result = PackageInfoSchema.safeParse(JSON.parse(raw));
+		if (!result.success) return {
+			name: void 0,
+			version: void 0
+		};
+		return {
+			name: result.data.name,
+			version: result.data.version
+		};
+	} catch (_error) {
+		return {
+			name: void 0,
+			version: void 0
+		};
 	}
-	sections.push("## Ground rules");
-	sections.push("");
-	sections.push("It is OK to add new packages (e.g. `zod`, `@bensandee/common`) if they are needed to resolve errors.");
-	sections.push("");
-	sections.push("When resolving errors from the checklist below, prefer fixing the root cause over suppressing the issue. For example:");
-	sections.push("");
-	sections.push("- **Lint errors**: fix the code rather than adding disable comments or rule exceptions");
-	sections.push("- **Test failures**: update the test or fix the underlying bug rather than skipping or deleting the test");
-	sections.push("- **Knip findings**: remove genuinely unused code/exports/dependencies rather than adding ignores to `knip.config.ts`");
-	sections.push("- **Type errors**: add proper types rather than using `any` or `@ts-expect-error`");
-	sections.push("");
-	sections.push("Only suppress an issue if there is a clear, documented reason why the fix is not feasible (e.g. a third-party type mismatch). Leave a comment explaining why.");
-	sections.push("");
-	sections.push("## Verification checklist");
-	sections.push("");
-	sections.push("Run each of these commands and fix any errors before moving on:");
-	sections.push("");
-	sections.push("1. `pnpm install`");
-	const updateCmd = `pnpm update --latest ${getAddedDevDepNames(config).join(" ")}`;
-	sections.push(`2. \`${updateCmd}\` — bump added dependencies to their latest versions`);
-	sections.push("3. `pnpm typecheck` — fix any type errors");
-	sections.push("4. `pnpm build` — fix any build errors");
-	sections.push("5. `pnpm test` — fix any test failures");
-	sections.push("6. `pnpm lint` — fix the code to satisfy lint rules");
-	sections.push("7. `pnpm knip` — remove unused exports, dependencies, and dead code");
-	sections.push("8. `pnpm format` — fix any formatting issues");
-	sections.push("");
-	return sections.join("\n");
 }
-//#endregion
-//#region src/commands/repo-init.ts
-/** Log what was detected so the user understands generator decisions. */
-function logDetectionSummary(ctx) {
-	const dockerNames = getDockerPackageNames(ctx);
-	if (dockerNames.length > 0) p.log.info(`Detected Docker packages: ${dockerNames.join(", ")}`);
-	if (ctx.config.releaseStrategy !== "none") {
-		const publishable = getPublishablePackages(ctx.targetDir, ctx.config.structure, ctx.packageJson);
-		if (publishable.length > 0) p.log.info(`Will publish npm packages: ${publishable.map((pkg) => pkg.name).join(", ")}`);
-		else p.log.info("No publishable npm packages — npm registry setup will be skipped");
+/** Convention paths to check for Dockerfiles in a package directory. */
+const CONVENTION_DOCKERFILE_PATHS = ["Dockerfile", "docker/Dockerfile"];
+/**
+* Find a Dockerfile at convention paths for a monorepo package.
+* Checks packages/{dir}/Dockerfile and packages/{dir}/docker/Dockerfile.
+*/
+function findConventionDockerfile(executor, cwd, dir) {
+	for (const rel of CONVENTION_DOCKERFILE_PATHS) {
+		const dockerfilePath = `packages/${dir}/${rel}`;
+		if (executor.readFile(path.join(cwd, dockerfilePath)) !== null) return {
+			dockerfile: dockerfilePath,
+			context: "."
+		};
 	}
 }
-async function runInit(config, options = {}) {
-	const detected = detectProject(config.targetDir);
-	const s = p.spinner();
-	const { ctx, archivedFiles } = createContext(config, options.confirmOverwrite ?? (async (relativePath) => {
-		s.stop("Paused");
-		const result = await p.select({
-			message: `${relativePath} already exists. What do you want to do?`,
-			options: [{
-				value: "overwrite",
-				label: "Overwrite"
-			}, {
-				value: "skip",
-				label: "Skip"
-			}]
-		});
-		s.start("Generating configuration files...");
-		if (p.isCancel(result)) return "skip";
-		return result;
-	}));
-	logDetectionSummary(ctx);
-	s.start("Generating configuration files...");
-	const results = await runGenerators(ctx);
-	const alreadyArchived = new Set(results.filter((r) => r.action === "archived").map((r) => r.filePath));
-	for (const rel of archivedFiles) if (!alreadyArchived.has(rel)) results.push({
-		filePath: rel,
-		action: "archived",
-		description: `Original saved to .tooling-archived/${rel}`
-	});
-	const created = results.filter((r) => r.action === "created");
-	const updated = results.filter((r) => r.action === "updated");
-	if (!(created.length > 0 || updated.length > 0 || archivedFiles.length > 0) && options.noPrompt) {
-		s.stop("Repository is up to date.");
-		return results;
-	}
-	s.stop("Done!");
-	if (results.some((r) => r.action === "archived" && r.filePath.startsWith(".husky/"))) try {
-		execSync("git config --unset core.hooksPath", {
-			cwd: config.targetDir,
-			stdio: "ignore"
-		});
-	} catch (_error) {}
-	const summaryLines = [];
-	if (created.length > 0) summaryLines.push(`Created: ${created.map((r) => r.filePath).join(", ")}`);
-	if (updated.length > 0) summaryLines.push(`Updated: ${updated.map((r) => r.filePath).join(", ")}`);
-	p.note(summaryLines.join("\n"), "Summary");
-	if (!options.noPrompt) {
-		const prompt = generateMigratePrompt(results, config, detected);
-		const promptPath = ".tooling-migrate.md";
-		ctx.write(promptPath, prompt);
-		p.log.info(`Migration prompt written to ${promptPath}`);
-		p.log.info("In Claude Code, run: \"Execute the steps in .tooling-migrate.md\"");
-	}
-	const bensandeeDeps = getAddedDevDepNames(config).filter((name) => name.startsWith("@bensandee/"));
-	const hasLockfile = ctx.exists("pnpm-lock.yaml");
-	if (bensandeeDeps.length > 0 && hasLockfile) {
-		s.start("Updating @bensandee/* packages...");
-		try {
-			execSync(`pnpm update --latest ${bensandeeDeps.join(" ")}`, {
-				cwd: config.targetDir,
-				stdio: "ignore"
-			});
-			s.stop("Updated @bensandee/* packages");
-		} catch (_error) {
-			s.stop("Could not update @bensandee/* packages — run pnpm install first");
-		}
-	}
-	p.note([
-		"1. Run: pnpm install",
-		"2. Run: pnpm typecheck",
-		"3. Run: pnpm build",
-		"4. Run: pnpm test",
-		...options.noPrompt ? [] : ["5. In Claude Code, run: \"Execute the steps in .tooling-migrate.md\""]
-	].join("\n"), "Next steps");
-	return results;
-}
-//#endregion
-//#region src/commands/repo-sync.ts
-const syncCommand = defineCommand({
-	meta: {
-		name: "repo:sync",
-		description: "Detect, generate, and sync project tooling (idempotent)"
-	},
-	args: {
-		dir: {
-			type: "positional",
-			description: "Target directory (default: current directory)",
-			required: false
-		},
-		check: {
-			type: "boolean",
-			description: "Dry-run mode: report drift without writing files"
-		},
-		yes: {
-			type: "boolean",
-			alias: "y",
-			description: "Accept all defaults (non-interactive)"
-		},
-		"eslint-plugin": {
-			type: "boolean",
-			description: "Include @bensandee/eslint-plugin (default: true)"
-		},
-		"no-ci": {
-			type: "boolean",
-			description: "Skip CI workflow generation"
-		},
-		"no-prompt": {
-			type: "boolean",
-			description: "Skip migration prompt generation"
-		}
-	},
-	async run({ args }) {
-		const targetDir = path.resolve(args.dir ?? ".");
-		if (args.check) {
-			const exitCode = await runCheck(targetDir);
-			process.exitCode = exitCode;
-			return;
-		}
-		const saved = loadToolingConfig(targetDir);
-		const isFirstRun = !saved;
-		let config;
-		if (args.yes || !isFirstRun) {
-			const detected = buildDefaultConfig(targetDir, {
-				eslintPlugin: args["eslint-plugin"] === true ? true : void 0,
-				noCi: args["no-ci"] === true ? true : void 0
-			});
-			config = saved ? mergeWithSavedConfig(detected, saved) : detected;
-		} else config = await runInitPrompts(targetDir, saved);
-		await runInit(config, {
-			noPrompt: args["no-prompt"] === true || !isFirstRun,
-			...!isFirstRun && { confirmOverwrite: async () => "overwrite" }
-		});
-	}
-});
-/** Run sync in check mode: dry-run drift detection. */
-async function runCheck(targetDir) {
-	const saved = loadToolingConfig(targetDir);
-	const detected = buildDefaultConfig(targetDir, {});
-	const { ctx, pendingWrites } = createDryRunContext(saved ? mergeWithSavedConfig(detected, saved) : detected);
-	logDetectionSummary(ctx);
-	const actionable = (await runGenerators(ctx)).filter((r) => {
-		if (r.action !== "created" && r.action !== "updated") return false;
-		const newContent = pendingWrites.get(r.filePath);
-		if (newContent && r.action === "updated") {
-			const existingPath = path.join(targetDir, r.filePath);
-			const existing = existsSync(existingPath) ? readFileSync(existingPath, "utf-8") : void 0;
-			if (existing && contentEqual(r.filePath, existing, newContent)) return false;
-		}
-		return true;
-	});
-	if (actionable.length === 0) {
-		p.log.success("Repository is up to date.");
-		return 0;
-	}
-	p.log.warn(`${actionable.length} file(s) would be changed by repo:sync`);
-	for (const r of actionable) {
-		p.log.info(`  ${r.action}: ${r.filePath} — ${r.description}`);
-		const newContent = pendingWrites.get(r.filePath);
-		if (!newContent) continue;
-		const existingPath = path.join(targetDir, r.filePath);
-		const existing = existsSync(existingPath) ? readFileSync(existingPath, "utf-8") : void 0;
-		if (!existing) {
-			const lineCount = newContent.split("\n").length - 1;
-			p.log.info(`    + ${lineCount} new lines`);
-		} else {
-			const diff = lineDiff(existing, newContent);
-			for (const line of diff) p.log.info(`    ${line}`);
-		}
-	}
-	return 1;
-}
-const normalize = (line) => line.trimEnd();
-function lineDiff(oldText, newText) {
-	const oldLines = oldText.split("\n").map(normalize);
-	const newLines = newText.split("\n").map(normalize);
-	const oldSet = new Set(oldLines);
-	const newSet = new Set(newLines);
-	const removed = oldLines.filter((l) => l.trim() !== "" && !newSet.has(l));
-	const added = newLines.filter((l) => l.trim() !== "" && !oldSet.has(l));
-	const lines = [];
-	for (const l of removed) lines.push(`- ${l.trim()}`);
-	for (const l of added) lines.push(`+ ${l.trim()}`);
-	return lines;
-}
-//#endregion
-//#region src/release/executor.ts
-/** Create an executor that runs real commands, fetches, and reads the filesystem. */
-function createRealExecutor() {
-	return {
-		exec(command, options) {
-			try {
-				return {
-					stdout: execSync(command, {
-						cwd: options?.cwd,
-						env: {
-							...process.env,
-							...options?.env
-						},
-						encoding: "utf-8",
-						stdio: [
-							"pipe",
-							"pipe",
-							"pipe"
-						]
-					}),
-					stderr: "",
-					exitCode: 0
-				};
-			} catch (err) {
-				if (isExecSyncError(err)) return {
-					stdout: err.stdout,
-					stderr: err.stderr,
-					exitCode: err.status
-				};
-				return {
-					stdout: "",
-					stderr: "",
-					exitCode: 1
-				};
-			}
-		},
-		fetch: globalThis.fetch,
-		listChangesetFiles(cwd) {
-			const dir = path.join(cwd, ".changeset");
-			try {
-				return readdirSync(dir).filter((f) => f.endsWith(".md") && f !== "README.md");
-			} catch {
-				return [];
-			}
-		},
-		listWorkspacePackages(cwd) {
-			const packagesDir = path.join(cwd, "packages");
-			const packages = [];
-			try {
-				for (const entry of readdirSync(packagesDir)) {
-					const pkgPath = path.join(packagesDir, entry, "package.json");
-					try {
-						const pkg = parsePackageJson(readFileSync(pkgPath, "utf-8"));
-						if (pkg?.name && pkg.version && !pkg.private) packages.push({
-							name: pkg.name,
-							version: pkg.version,
-							dir: entry
-						});
-					} catch (_error) {}
-				}
-			} catch (_error) {}
-			return packages;
-		},
-		listPackageDirs(cwd) {
-			const packagesDir = path.join(cwd, "packages");
-			try {
-				return readdirSync(packagesDir, { withFileTypes: true }).filter((entry) => entry.isDirectory()).map((entry) => entry.name);
-			} catch {
-				return [];
-			}
-		},
-		readFile(filePath) {
-			try {
-				return readFileSync(filePath, "utf-8");
-			} catch {
-				return null;
-			}
-		},
-		writeFile(filePath, content) {
-			mkdirSync(path.dirname(filePath), { recursive: true });
-			writeFileSync(filePath, content);
-		}
-	};
-}
-/** Parse "New tag:" lines from changeset publish output. */
-function parseNewTags(output) {
-	const tags = [];
-	for (const line of output.split("\n")) {
-		const match = /New tag:\s+(\S+)/.exec(line);
-		if (match?.[1]) tags.push(match[1]);
-	}
-	return tags;
-}
-/** Map workspace packages to their expected tag strings (name@version). */
-function computeExpectedTags(packages) {
-	return packages.map((p) => `${p.name}@${p.version}`);
-}
-/** Parse `git ls-remote --tags` output into tag names, filtering out `^{}` dereference entries. */
-function parseRemoteTags(output) {
-	const tags = [];
-	for (const line of output.split("\n")) {
-		const match = /refs\/tags\/(.+)/.exec(line);
-		if (match?.[1] && !match[1].endsWith("^{}")) tags.push(match[1]);
-	}
-	return tags;
-}
 /**
-* Reconcile expected tags with what already exists on the remote.
-* Returns `(expected - remote) ∪ stdoutTags`, deduplicated.
+* Find a Dockerfile at convention paths for a single-package repo.
+* Checks Dockerfile and docker/Dockerfile at the project root.
 */
-function reconcileTags(expectedTags, remoteTags, stdoutTags) {
-	const remoteSet = new Set(remoteTags);
-	const result = /* @__PURE__ */ new Set();
-	for (const tag of expectedTags) if (!remoteSet.has(tag)) result.add(tag);
-	for (const tag of stdoutTags) result.add(tag);
-	return [...result];
+function findRootDockerfile(executor, cwd) {
+	for (const rel of CONVENTION_DOCKERFILE_PATHS) if (executor.readFile(path.join(cwd, rel)) !== null) return {
+		dockerfile: rel,
+		context: "."
+	};
 }
-//#endregion
-//#region src/release/forgejo.ts
-const PullRequestSchema = z.array(z.object({
-	number: z.number(),
-	head: z.object({ ref: z.string() })
-}));
 /**
-* Find an open PR with the given head branch. Returns the PR number or null.
+* Discover Docker packages by convention and merge with .tooling.json overrides.
 *
-* Fetches all open PRs and filters client-side by head.ref rather than relying
-* on Forgejo's query parameter filtering, which behaves inconsistently.
+* Convention: any package with a Dockerfile or docker/Dockerfile is a Docker package.
+* For monorepos, scans packages/{name}/. For single-package repos, scans the root.
+* The docker map in .tooling.json overrides convention-discovered config and can add
+* packages at non-standard locations.
+*
+* Image names are derived from {root-name}-{package-name} using each package's package.json name.
+* Versions are read from each package's own package.json.
 */
-async function findOpenPr(executor, conn, head) {
-	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/pulls?state=open`;
-	const res = await executor.fetch(url, { headers: { Authorization: `token ${conn.token}` } });
-	if (!res.ok) throw new TransientError(`Failed to list PRs: ${res.status} ${res.statusText}`);
-	const parsed = PullRequestSchema.safeParse(await res.json());
-	if (!parsed.success) throw new UnexpectedError(`Unexpected PR list response: ${parsed.error.message}`);
-	return parsed.data.find((pr) => pr.head.ref === head)?.number ?? null;
-}
-/** Create a new pull request. */
-async function createPr(executor, conn, options) {
-	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/pulls`;
-	const payload = {
-		title: options.title,
-		head: options.head,
-		base: options.base
-	};
-	if (options.body) payload["body"] = options.body;
-	const res = await executor.fetch(url, {
-		method: "POST",
-		headers: {
-			Authorization: `token ${conn.token}`,
-			"Content-Type": "application/json"
-		},
-		body: JSON.stringify(payload)
-	});
-	if (!res.ok) throw new TransientError(`Failed to create PR: ${res.status} ${res.statusText}`);
-}
-/** Update an existing pull request's title and body. */
-async function updatePr(executor, conn, prNumber, options) {
-	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/pulls/${String(prNumber)}`;
-	const res = await executor.fetch(url, {
-		method: "PATCH",
-		headers: {
-			Authorization: `token ${conn.token}`,
-			"Content-Type": "application/json"
-		},
-		body: JSON.stringify({
-			title: options.title,
-			body: options.body
-		})
-	});
-	if (!res.ok) throw new TransientError(`Failed to update PR #${String(prNumber)}: ${res.status} ${res.statusText}`);
-}
-/** Merge a pull request by number. */
-async function mergePr(executor, conn, prNumber, options) {
-	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/pulls/${String(prNumber)}/merge`;
-	const res = await executor.fetch(url, {
-		method: "POST",
-		headers: {
-			Authorization: `token ${conn.token}`,
-			"Content-Type": "application/json"
-		},
-		body: JSON.stringify({
-			Do: options?.method ?? "merge",
-			delete_branch_after_merge: options?.deleteBranch ?? true
-		})
-	});
-	if (!res.ok) throw new TransientError(`Failed to merge PR #${String(prNumber)}: ${res.status} ${res.statusText}`);
-}
-/** Check whether a Forgejo release already exists for a given tag. */
-async function findRelease(executor, conn, tag) {
-	const encodedTag = encodeURIComponent(tag);
-	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/releases/tags/${encodedTag}`;
-	const res = await executor.fetch(url, { headers: { Authorization: `token ${conn.token}` } });
-	if (res.status === 200) return true;
-	if (res.status === 404) return false;
-	throw new TransientError(`Failed to check release for ${tag}: ${res.status} ${res.statusText}`);
-}
-/** Create a Forgejo release for a given tag. */
-async function createRelease(executor, conn, tag) {
-	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/releases`;
-	const res = await executor.fetch(url, {
-		method: "POST",
-		headers: {
-			Authorization: `token ${conn.token}`,
-			"Content-Type": "application/json"
-		},
-		body: JSON.stringify({
-			tag_name: tag,
-			name: tag,
-			body: `Published ${tag}`
-		})
-	});
-	if (!res.ok) throw new TransientError(`Failed to create release for ${tag}: ${res.status} ${res.statusText}`);
-}
-//#endregion
-//#region src/release/log.ts
-/** Log a debug message when verbose mode is enabled. */
-function debug$1(config, message) {
-	if (config.verbose) p.log.info(`[debug] ${message}`);
-}
-/** Log the result of an exec call when verbose mode is enabled. */
-function debugExec(config, label, result) {
-	if (!config.verbose) return;
-	const lines = [`[debug] ${label} (exit code ${String(result.exitCode)})`];
-	if (result.stdout.trim()) lines.push(`  stdout: ${result.stdout.trim()}`);
-	if (result.stderr.trim()) lines.push(`  stderr: ${result.stderr.trim()}`);
-	p.log.info(lines.join("\n"));
-}
-//#endregion
-//#region src/release/version.ts
-const BRANCH = "changeset-release/main";
-/** Extract the latest changelog entry (content between first and second `## ` heading). */
-function extractLatestEntry(changelog) {
-	const lines = changelog.split("\n");
-	let start = -1;
-	let end = lines.length;
-	for (let i = 0; i < lines.length; i++) if (lines[i]?.startsWith("## ")) if (start === -1) start = i;
-	else {
-		end = i;
-		break;
+function detectDockerPackages(executor, cwd, repoName) {
+	const overrides = loadDockerMap(executor, cwd);
+	const packageDirs = executor.listPackageDirs(cwd);
+	const packages = [];
+	const seen = /* @__PURE__ */ new Set();
+	if (packageDirs.length > 0) {
+		for (const dir of packageDirs) {
+			const convention = findConventionDockerfile(executor, cwd, dir);
+			const docker = overrides[dir] ?? convention;
+			if (docker) {
+				const { name, version } = readPackageInfo(executor, path.join(cwd, "packages", dir, "package.json"));
+				packages.push({
+					dir,
+					imageName: `${repoName}-${name ?? dir}`,
+					version,
+					docker
+				});
+				seen.add(dir);
+			}
+		}
+		for (const [dir, docker] of Object.entries(overrides)) if (!seen.has(dir)) {
+			const { name, version } = readPackageInfo(executor, path.join(cwd, "packages", dir, "package.json"));
+			packages.push({
+				dir,
+				imageName: `${repoName}-${name ?? dir}`,
+				version,
+				docker
+			});
+		}
+	} else {
+		const convention = findRootDockerfile(executor, cwd);
+		const docker = overrides["."] ?? convention;
+		if (docker) {
+			const { name, version } = readPackageInfo(executor, path.join(cwd, "package.json"));
+			packages.push({
+				dir: ".",
+				imageName: name ?? repoName,
+				version,
+				docker
+			});
+		}
 	}
-	if (start === -1) return null;
-	return lines.slice(start, end).join("\n").trim();
+	return packages;
 }
-/** Read the root package.json name and version. */
-function readRootPackage(executor, cwd) {
-	const content = executor.readFile(path.join(cwd, "package.json"));
-	if (!content) return null;
-	const pkg = parsePackageJson(content);
-	if (!pkg?.name || !pkg.version) return null;
-	if (pkg.private) return null;
+/**
+* Read docker config for a single package, checking convention paths first,
+* then .tooling.json overrides. Used by the per-package image:build script.
+*/
+function readSinglePackageDocker(executor, cwd, packageDir, repoName) {
+	const dir = path.basename(path.resolve(cwd, packageDir));
+	const convention = findConventionDockerfile(executor, cwd, dir);
+	const docker = loadDockerMap(executor, cwd)[dir] ?? convention;
+	if (!docker) throw new FatalError(`No Dockerfile found for package "${dir}" (checked convention paths and .tooling.json)`);
+	const { name, version } = readPackageInfo(executor, path.join(cwd, "packages", dir, "package.json"));
 	return {
-		name: pkg.name,
-		version: pkg.version
+		dir,
+		imageName: `${repoName}-${name ?? dir}`,
+		version,
+		docker
 	};
 }
-/** Determine which packages changed and collect their changelog entries. */
-function buildPrContent(executor, cwd, packagesBefore) {
-	const packagesAfter = executor.listWorkspacePackages(cwd);
-	if (!(packagesBefore.length > 0 || packagesAfter.length > 0)) {
-		const rootPkg = readRootPackage(executor, cwd);
-		if (rootPkg) {
-			const changelog = executor.readFile(path.join(cwd, "CHANGELOG.md"));
-			const entry = changelog ? extractLatestEntry(changelog) : null;
-			return {
-				title: `chore: release ${rootPkg.name}@${rootPkg.version}`,
-				body: entry ?? ""
-			};
-		}
-		return {
-			title: "chore: version packages",
-			body: ""
-		};
-	}
-	const beforeMap = new Map(packagesBefore.map((pkg) => [pkg.name, pkg.version]));
-	const changed = packagesAfter.filter((pkg) => beforeMap.get(pkg.name) !== pkg.version);
-	if (changed.length === 0) return {
-		title: "chore: version packages",
-		body: ""
-	};
-	const title = `chore: release ${changed.map((pkg) => `${pkg.name}@${pkg.version}`).join(", ")}`;
-	const entries = [];
-	for (const pkg of changed) {
-		const changelogPath = path.join(cwd, "packages", pkg.dir, "CHANGELOG.md");
-		const changelog = executor.readFile(changelogPath);
-		const entry = changelog ? extractLatestEntry(changelog) : null;
-		if (entry) {
-			const labeled = entry.replace(/^## .+/, `## ${pkg.name}@${pkg.version}`);
-			entries.push(labeled);
-		}
-	}
+/** Parse semver version string into major, minor, patch components. */
+function parseSemver(version) {
+	const clean = version.replace(/^v/, "");
+	const match = /^(\d+)\.(\d+)\.(\d+)/.exec(clean);
+	if (!match?.[1] || !match[2] || !match[3]) throw new FatalError(`Invalid semver version: ${version}`);
 	return {
-		title,
-		body: entries.join("\n\n")
+		major: Number(match[1]),
+		minor: Number(match[2]),
+		patch: Number(match[3])
 	};
 }
-/** Mode 1: version packages and create/update a PR. */
-async function runVersionMode(executor, config) {
-	p.log.info("Changesets detected — versioning packages");
-	const packagesBefore = executor.listWorkspacePackages(config.cwd);
-	debug$1(config, `Packages before versioning: ${packagesBefore.map((pkg) => `${pkg.name}@${pkg.version}`).join(", ") || "(none)"}`);
-	const changesetConfigPath = path.join(config.cwd, ".changeset", "config.json");
-	const originalConfig = executor.readFile(changesetConfigPath);
-	if (originalConfig) {
-		const parsed = parseChangesetConfig(originalConfig);
-		if (parsed?.commit) {
-			const patched = {
-				...parsed,
-				commit: false
-			};
-			executor.writeFile(changesetConfigPath, JSON.stringify(patched, null, 2) + "\n");
-			debug$1(config, "Temporarily disabled changeset commit:true");
-		}
+/** Generate semver tag variants: latest, vX.Y.Z, vX.Y, vX */
+function generateTags(version) {
+	const { major, minor, patch } = parseSemver(version);
+	return [
+		"latest",
+		`v${major}.${minor}.${patch}`,
+		`v${major}.${minor}`,
+		`v${major}`
+	];
+}
+/** Build the full image reference: namespace/imageName:tag */
+function imageRef(namespace, imageName, tag) {
+	return `${namespace}/${imageName}:${tag}`;
+}
+function log$1(message) {
+	console.log(message);
+}
+function debug$1(verbose, message) {
+	if (verbose) console.log(`[debug] ${message}`);
+}
+/** Read the repo name from root package.json. */
+function readRepoName(executor, cwd) {
+	const rootPkgRaw = executor.readFile(path.join(cwd, "package.json"));
+	if (!rootPkgRaw) throw new FatalError("No package.json found in project root");
+	const repoName = parsePackageJson(rootPkgRaw)?.name;
+	if (!repoName) throw new FatalError("Root package.json must have a name field");
+	return repoName;
+}
+/** Build a single docker image from its config. Paths are resolved relative to cwd. */
+function buildImage(executor, pkg, cwd, verbose, extraArgs) {
+	const dockerfilePath = path.resolve(cwd, pkg.docker.dockerfile);
+	const contextPath = path.resolve(cwd, pkg.docker.context);
+	const command = [
+		"docker build",
+		`-f ${dockerfilePath}`,
+		`-t ${pkg.imageName}:latest`,
+		...extraArgs,
+		contextPath
+	].join(" ");
+	debug$1(verbose, `Running: ${command}`);
+	const buildResult = executor.exec(command);
+	debug$1(verbose, `Build stdout: ${buildResult.stdout}`);
+	if (buildResult.exitCode !== 0) throw new FatalError(`docker build failed for ${pkg.dir} (exit ${buildResult.exitCode}): ${buildResult.stderr}`);
+}
+/**
+* Detect packages with docker config in .tooling.json and build each one.
+* Runs `docker build -f <dockerfile> -t <image-name>:latest <context>` for each package.
+* Dockerfile and context paths are resolved relative to the project root.
+*
+* When `packageDir` is set, builds only that single package (for use as an image:build script).
+*/
+function runDockerBuild(executor, config) {
+	const repoName = readRepoName(executor, config.cwd);
+	if (config.packageDir) {
+		const pkg = readSinglePackageDocker(executor, config.cwd, config.packageDir, repoName);
+		log$1(`Building image for ${pkg.dir} (${pkg.imageName}:latest)...`);
+		buildImage(executor, pkg, config.cwd, config.verbose, config.extraArgs);
+		log$1(`Built ${pkg.imageName}:latest`);
+		return { packages: [pkg] };
 	}
-	const versionResult = executor.exec("pnpm changeset version", { cwd: config.cwd });
-	debugExec(config, "pnpm changeset version", versionResult);
-	if (originalConfig) executor.writeFile(changesetConfigPath, originalConfig);
-	if (versionResult.exitCode !== 0) throw new FatalError(`pnpm changeset version failed (exit code ${String(versionResult.exitCode)}):\n${versionResult.stderr}`);
-	debugExec(config, "pnpm install --no-frozen-lockfile", executor.exec("pnpm install --no-frozen-lockfile", { cwd: config.cwd }));
-	const { title, body } = buildPrContent(executor, config.cwd, packagesBefore);
-	debug$1(config, `PR title: ${title}`);
-	executor.exec("git add -A", { cwd: config.cwd });
-	const remainingChangesets = executor.listChangesetFiles(config.cwd);
-	if (remainingChangesets.length > 0) p.log.warn(`Changeset files still present after versioning: ${remainingChangesets.join(", ")}`);
-	debug$1(config, `Changeset files after versioning: ${remainingChangesets.length > 0 ? remainingChangesets.join(", ") : "(none — all consumed)"}`);
-	const commitResult = executor.exec("git commit -m \"chore: version packages\"", { cwd: config.cwd });
-	debugExec(config, "git commit", commitResult);
-	if (commitResult.exitCode !== 0) {
-		p.log.info("Nothing to commit after versioning");
-		return {
-			mode: "version",
-			pr: "none"
-		};
+	const packages = detectDockerPackages(executor, config.cwd, repoName);
+	if (packages.length === 0) {
+		log$1("No packages with docker config found");
+		return { packages: [] };
 	}
-	if (config.dryRun) {
-		p.log.info("[dry-run] Would push and create/update PR");
-		return {
-			mode: "version",
-			pr: "none"
-		};
+	log$1(`Found ${packages.length} Docker package(s): ${packages.map((p) => p.dir).join(", ")}`);
+	for (const pkg of packages) {
+		log$1(`Building image for ${pkg.dir} (${pkg.imageName}:latest)...`);
+		buildImage(executor, pkg, config.cwd, config.verbose, config.extraArgs);
 	}
-	debugExec(config, "git push", executor.exec(`git push origin "HEAD:refs/heads/${BRANCH}" --force`, { cwd: config.cwd }));
-	const conn = {
-		serverUrl: config.serverUrl,
-		repository: config.repository,
-		token: config.token
+	log$1(`Built ${packages.length} image(s)`);
+	return { packages };
+}
+/**
+* Run the full Docker publish pipeline:
+* 1. Build all images via runDockerBuild
+* 2. Login to registry
+* 3. Tag each image with semver variants from its own package.json version
+* 4. Push all tags
+* 5. Logout from registry
+*/
+function runDockerPublish(executor, config) {
+	const { packages } = runDockerBuild(executor, {
+		cwd: config.cwd,
+		packageDir: void 0,
+		verbose: config.verbose,
+		extraArgs: []
+	});
+	if (packages.length === 0) return {
+		packages: [],
+		tags: []
 	};
-	const existingPr = await findOpenPr(executor, conn, BRANCH);
-	debug$1(config, `Existing open PR for ${BRANCH}: ${existingPr === null ? "(none)" : `#${String(existingPr)}`}`);
-	if (existingPr === null) {
-		await createPr(executor, conn, {
-			title,
-			head: BRANCH,
-			base: "main",
-			body
-		});
-		p.log.info("Created version PR");
-		return {
-			mode: "version",
-			pr: "created"
-		};
+	for (const pkg of packages) if (!pkg.version) throw new FatalError(`Package ${pkg.dir} has docker config but no version in package.json`);
+	if (!config.dryRun) {
+		log$1(`Logging in to ${config.registryHost}...`);
+		const loginResult = executor.exec(`echo "${config.password}" | docker login ${config.registryHost} -u ${config.username} --password-stdin`);
+		if (loginResult.exitCode !== 0) throw new FatalError(`Docker login failed: ${loginResult.stderr}`);
+	} else log$1("[dry-run] Skipping docker login");
+	const allTags = [];
+	try {
+		for (const pkg of packages) {
+			const tags = generateTags(pkg.version ?? "");
+			log$1(`${pkg.dir} v${pkg.version} → tags: ${tags.join(", ")}`);
+			for (const tag of tags) {
+				const ref = imageRef(config.registryNamespace, pkg.imageName, tag);
+				allTags.push(ref);
+				log$1(`Tagging ${pkg.imageName} → ${ref}`);
+				const tagResult = executor.exec(`docker tag ${pkg.imageName} ${ref}`);
+				if (tagResult.exitCode !== 0) throw new FatalError(`docker tag failed: ${tagResult.stderr}`);
+				if (!config.dryRun) {
+					log$1(`Pushing ${ref}...`);
+					const pushResult = executor.exec(`docker push ${ref}`);
+					if (pushResult.exitCode !== 0) throw new FatalError(`docker push failed: ${pushResult.stderr}`);
+				} else log$1(`[dry-run] Skipping push for ${ref}`);
+			}
+		}
+	} finally {
+		if (!config.dryRun) {
+			log$1(`Logging out from ${config.registryHost}...`);
+			executor.exec(`docker logout ${config.registryHost}`);
+		}
 	}
-	await updatePr(executor, conn, existingPr, {
-		title,
-		body
-	});
-	p.log.info(`Updated version PR #${String(existingPr)}`);
+	log$1(`Published ${allTags.length} image tag(s)`);
 	return {
-		mode: "version",
-		pr: "updated"
+		packages,
+		tags: allTags
 	};
 }
 //#endregion
-//#region src/release/publish.ts
-const RETRY_ATTEMPTS = 3;
-const RETRY_BASE_DELAY_MS = 1e3;
-async function retryAsync(fn) {
-	let lastError;
-	for (let attempt = 0; attempt <= RETRY_ATTEMPTS; attempt++) try {
-		return await fn();
-	} catch (error) {
-		lastError = error;
-		if (attempt < RETRY_ATTEMPTS) {
-			const delay = RETRY_BASE_DELAY_MS * 2 ** attempt;
-			await new Promise((resolve) => setTimeout(resolve, delay));
-		}
+//#region src/generators/migrate-prompt.ts
+/**
+* Generate a context-aware AI migration prompt based on what the CLI did.
+* This prompt can be pasted into Claude Code (or similar) to finish the migration.
+*/
+function generateMigratePrompt(results, config, detected) {
+	const sections = [];
+	sections.push("# Migration Prompt");
+	sections.push("");
+	sections.push("The following prompt was generated by `@bensandee/tooling repo:sync`. Paste it into Claude Code or another AI assistant to finish migrating this repository.");
+	sections.push("");
+	sections.push("> **Tip:** Before starting, run `/init` in Claude Code to generate a `CLAUDE.md` that gives the AI a complete picture of your repository's structure, conventions, and build commands.");
+	sections.push("");
+	sections.push("## What was changed");
+	sections.push("");
+	const created = results.filter((r) => r.action === "created");
+	const updated = results.filter((r) => r.action === "updated");
+	const skipped = results.filter((r) => r.action === "skipped");
+	const archived = results.filter((r) => r.action === "archived");
+	if (created.length > 0) {
+		sections.push("**Created:**");
+		for (const r of created) sections.push(`- \`${r.filePath}\` — ${r.description}`);
+		sections.push("");
 	}
-	throw lastError;
-}
-/** Mode 2: publish to npm, push tags, and create Forgejo releases. */
-async function runPublishMode(executor, config) {
-	p.log.info("No changesets — publishing packages");
-	const publishResult = executor.exec("pnpm changeset publish", { cwd: config.cwd });
-	debugExec(config, "pnpm changeset publish", publishResult);
-	if (publishResult.exitCode !== 0) throw new FatalError(`pnpm changeset publish failed (exit code ${String(publishResult.exitCode)}):\n${publishResult.stderr}`);
-	const stdoutTags = parseNewTags(publishResult.stdout + "\n" + publishResult.stderr);
-	debug$1(config, `Tags from publish stdout: ${stdoutTags.length > 0 ? stdoutTags.join(", ") : "(none)"}`);
-	const expectedTags = computeExpectedTags(executor.listWorkspacePackages(config.cwd));
-	debug$1(config, `Expected tags from workspace packages: ${expectedTags.length > 0 ? expectedTags.join(", ") : "(none)"}`);
-	const remoteTags = parseRemoteTags(executor.exec("git ls-remote --tags origin", { cwd: config.cwd }).stdout);
-	debug$1(config, `Remote tags: ${remoteTags.length > 0 ? remoteTags.join(", ") : "(none)"}`);
-	const remoteSet = new Set(remoteTags);
-	const tagsToPush = reconcileTags(expectedTags, remoteTags, stdoutTags);
-	debug$1(config, `Reconciled tags to push: ${tagsToPush.length > 0 ? tagsToPush.join(", ") : "(none)"}`);
-	if (config.dryRun) {
-		if (tagsToPush.length === 0) {
-			p.log.info("No packages were published");
-			return { mode: "none" };
-		}
-		p.log.info(`Tags to process: ${tagsToPush.join(", ")}`);
-		p.log.info("[dry-run] Would push tags and create releases");
-		return {
-			mode: "publish",
-			tags: tagsToPush
-		};
+	if (updated.length > 0) {
+		sections.push("**Updated:**");
+		for (const r of updated) sections.push(`- \`${r.filePath}\` — ${r.description}`);
+		sections.push("");
 	}
-	const conn = {
-		serverUrl: config.serverUrl,
-		repository: config.repository,
-		token: config.token
-	};
-	const remoteExpectedTags = expectedTags.filter((t) => remoteSet.has(t) && !tagsToPush.includes(t));
-	const tagsWithMissingReleases = [];
-	for (const tag of remoteExpectedTags) if (!await findRelease(executor, conn, tag)) tagsWithMissingReleases.push(tag);
-	const allTags = [...tagsToPush, ...tagsWithMissingReleases];
-	if (allTags.length === 0) {
-		p.log.info("No packages were published");
-		return { mode: "none" };
+	if (archived.length > 0) {
+		sections.push("**Archived:**");
+		for (const r of archived) sections.push(`- \`${r.filePath}\` — ${r.description}`);
+		sections.push("");
 	}
-	p.log.info(`Tags to process: ${allTags.join(", ")}`);
-	const errors = [];
-	for (const tag of allTags) try {
-		if (!remoteSet.has(tag)) {
-			if (executor.exec(`git tag -l ${JSON.stringify(tag)}`, { cwd: config.cwd }).stdout.trim() === "") executor.exec(`git tag ${JSON.stringify(tag)}`, { cwd: config.cwd });
-			executor.exec(`git push origin refs/tags/${tag}`, { cwd: config.cwd });
-		}
-		if (await findRelease(executor, conn, tag)) p.log.warn(`Release for ${tag} already exists — skipping`);
-		else {
-			await retryAsync(async () => {
-				try {
-					await createRelease(executor, conn, tag);
-				} catch (error) {
-					if (await findRelease(executor, conn, tag)) return;
-					throw error;
-				}
-			});
-			p.log.info(`Created release for ${tag}`);
+	if (skipped.length > 0) {
+		sections.push("**Skipped (review these):**");
+		for (const r of skipped) sections.push(`- \`${r.filePath}\` — ${r.description}`);
+		sections.push("");
+	}
+	sections.push("## Migration tasks");
+	sections.push("");
+	const legacyToRemove = detected.legacyConfigs.filter((legacy) => !(legacy.tool === "prettier" && config.formatter === "prettier"));
+	if (legacyToRemove.length > 0) {
+		sections.push("### Remove legacy tooling");
+		sections.push("");
+		for (const legacy of legacyToRemove) {
+			const replacement = {
+				eslint: "oxlint",
+				prettier: "oxfmt",
+				jest: "vitest",
+				webpack: "tsdown",
+				rollup: "tsdown"
+			}[legacy.tool];
+			sections.push(`- Remove ${legacy.tool} config files (${legacy.files.map((f) => `\`${f}\``).join(", ")}). This project now uses **${replacement}**.`);
+			sections.push(`  - Uninstall ${legacy.tool}-related packages from devDependencies`);
+			if (legacy.tool === "eslint") sections.push("  - Migrate any custom ESLint rules that don't have oxlint equivalents");
+			if (legacy.tool === "jest") sections.push("  - Migrate any jest-specific test utilities (jest.mock, jest.fn) to vitest equivalents (vi.mock, vi.fn)");
 		}
-	} catch (error) {
-		errors.push({
-			tag,
-			error
-		});
-		p.log.warn(`Failed to process ${tag}: ${error instanceof Error ? error.message : String(error)}`);
+		sections.push("");
 	}
-	if (errors.length > 0) throw new TransientError(`Failed to create releases for: ${errors.map((e) => e.tag).join(", ")}`);
-	return {
-		mode: "publish",
-		tags: allTags
-	};
+	if (archived.length > 0) {
+		sections.push("### Review archived files");
+		sections.push("");
+		sections.push("The following files were modified or replaced. The originals have been saved to `.tooling-archived/`:");
+		sections.push("");
+		for (const r of archived) sections.push(`- \`${r.filePath}\` → \`.tooling-archived/${r.filePath}\``);
+		sections.push("");
+		sections.push("For each archived file, **diff the old version against the new one** and look for features, categories, or modules that were enabled in the original but are missing from the replacement. Focus on broad capability gaps rather than individual rule strictness (in general, being stricter is fine). Examples of what to look for:");
+		sections.push("");
+		sections.push("- **Lint configs**: enabled plugin categories (e.g. `jsx-a11y`, `import`, `react`, `nextjs`), custom `plugins` or `overrides`, file-scoped rule blocks");
+		sections.push("- **TypeScript configs**: compiler features like `jsx`, `paths`, `baseUrl`, or `references` that affect build behavior");
+		sections.push("- **Other configs**: feature flags, custom presets, or integrations that go beyond the default template");
+		sections.push("");
+		sections.push("If the old config had capabilities the new one lacks, port them into the new file. Then:");
+		sections.push("");
+		sections.push("1. If the project previously used `husky` and `lint-staged`, remove them from `devDependencies`");
+		sections.push("2. Delete the `.tooling-archived/` directory when migration is complete");
+		sections.push("");
+	}
+	const oxlintWasSkipped = results.find((r) => r.filePath === "oxlint.config.ts")?.action === "skipped";
+	if (detected.hasLegacyOxlintJson) {
+		sections.push("### Migrate .oxlintrc.json to oxlint.config.ts");
+		sections.push("");
+		sections.push("A new `oxlint.config.ts` has been generated using `defineConfig` from the `oxlint` package. The existing `.oxlintrc.json` needs to be migrated:");
+		sections.push("");
+		sections.push("1. Read `.oxlintrc.json` and compare its `rules` against the rules provided by `@bensandee/config/oxlint/recommended` (check `node_modules/@bensandee/config`). Most standard rules are already included in the recommended config.");
+		sections.push("2. If there are any custom rules, overrides, settings, or `jsPlugins` not covered by the recommended config, add them to `oxlint.config.ts` alongside the `extends`.");
+		sections.push("3. Delete `.oxlintrc.json`.");
+		sections.push("4. Run `pnpm lint` to verify the new config works correctly.");
+		sections.push("");
+	} else if (oxlintWasSkipped && detected.hasOxlintConfig) {
+		sections.push("### Verify oxlint.config.ts includes recommended rules");
+		sections.push("");
+		sections.push("The existing `oxlint.config.ts` was kept as-is. Verify that it extends the recommended config from `@bensandee/config/oxlint`:");
+		sections.push("");
+		sections.push("1. Open `oxlint.config.ts` and check that it imports and extends `@bensandee/config/oxlint/recommended`.");
+		sections.push("2. The expected pattern is:");
+		sections.push("   ```ts");
+		sections.push("   import recommended from \"@bensandee/config/oxlint/recommended\";");
+		sections.push("   import { defineConfig } from \"oxlint\";");
+		sections.push("");
+		sections.push("   export default defineConfig({ extends: [recommended] });");
+		sections.push("   ```");
+		sections.push("3. If it uses a different pattern, update it to extend the recommended config while preserving any project-specific customizations.");
+		sections.push("4. Run `pnpm lint` to verify the config works correctly.");
+		sections.push("");
+	}
+	if (config.structure === "monorepo" && !detected.hasPnpmWorkspace) {
+		sections.push("### Migrate to monorepo structure");
+		sections.push("");
+		sections.push("This project was converted from a single repo to a monorepo. Complete the migration:");
+		sections.push("");
+		sections.push("1. Move existing source into `packages/<name>/` (using the existing package name)");
+		sections.push("2. Split the root `package.json` into a root workspace manifest + package-level `package.json`");
+		sections.push("3. Move the existing `tsconfig.json` into the package and update the root tsconfig with project references");
+		sections.push("4. Create a package-level `tsdown.config.ts` in the new package");
+		sections.push("5. Update any import paths or build scripts affected by the move");
+		sections.push("");
+	}
+	const skippedConfigs = skipped.filter((r) => r.filePath !== "ci" && r.description !== "Not a monorepo");
+	if (skippedConfigs.length > 0) {
+		sections.push("### Review skipped files");
+		sections.push("");
+		sections.push("The following files were left unchanged. Review them for compatibility:");
+		sections.push("");
+		for (const r of skippedConfigs) sections.push(`- \`${r.filePath}\` — ${r.description}`);
+		sections.push("");
+	}
+	if (results.some((r) => r.filePath === "test/example.test.ts" && r.action === "created")) {
+		sections.push("### Generate tests");
+		sections.push("");
+		sections.push("A starter test was created at `test/example.test.ts`. Now:");
+		sections.push("");
+		sections.push("1. Review the existing source code in `src/`");
+		sections.push("2. Create additional test files following the starter test's patterns (import style, describe/it structure)");
+		sections.push("3. Focus on edge cases and core business logic");
+		sections.push("4. Aim for meaningful coverage of exported functions and key code paths");
+		sections.push("");
+	}
+	sections.push("## Ground rules");
+	sections.push("");
+	sections.push("It is OK to add new packages (e.g. `zod`, `@bensandee/common`) if they are needed to resolve errors.");
+	sections.push("");
+	sections.push("When resolving errors from the checklist below, prefer fixing the root cause over suppressing the issue. For example:");
+	sections.push("");
+	sections.push("- **Lint errors**: fix the code rather than adding disable comments or rule exceptions");
+	sections.push("- **Test failures**: update the test or fix the underlying bug rather than skipping or deleting the test");
+	sections.push("- **Knip findings**: remove genuinely unused code/exports/dependencies rather than adding ignores to `knip.config.ts`");
+	sections.push("- **Type errors**: add proper types rather than using `any` or `@ts-expect-error`");
+	sections.push("");
+	sections.push("Only suppress an issue if there is a clear, documented reason why the fix is not feasible (e.g. a third-party type mismatch). Leave a comment explaining why.");
+	sections.push("");
+	sections.push("## Verification checklist");
+	sections.push("");
+	sections.push("Run each of these commands and fix any errors before moving on:");
+	sections.push("");
+	sections.push("1. `pnpm install`");
+	const updateCmd = `pnpm update --latest ${getAddedDevDepNames(config).join(" ")}`;
+	sections.push(`2. \`${updateCmd}\` — bump added dependencies to their latest versions`);
+	sections.push("3. `pnpm typecheck` — fix any type errors");
+	sections.push("4. `pnpm build` — fix any build errors");
+	sections.push("5. `pnpm test` — fix any test failures");
+	sections.push("6. `pnpm lint` — fix the code to satisfy lint rules");
+	sections.push("7. `pnpm knip` — remove unused exports, dependencies, and dead code");
+	sections.push("8. `pnpm format` — fix any formatting issues");
+	sections.push("");
+	return sections.join("\n");
 }
 //#endregion
-//#region src/release/connection.ts
-const RepositorySchema = z.union([z.string(), z.object({ url: z.string() })]);
-/**
-* Resolve the hosting platform and connection details.
-*
-* Priority:
-* 1. Environment variables (FORGEJO_SERVER_URL, FORGEJO_REPOSITORY, FORGEJO_TOKEN)
-* 2. `repository` field in package.json (server URL and owner/repo parsed from the URL)
-*
-* For Forgejo, FORGEJO_TOKEN is always required (either from env or explicitly).
-* If the repository URL hostname is `github.com`, returns `{ type: "github" }`.
-*/
-function resolveConnection(cwd) {
-	const serverUrl = process.env["FORGEJO_SERVER_URL"];
-	const repository = process.env["FORGEJO_REPOSITORY"];
-	const token = process.env["FORGEJO_TOKEN"];
-	if (serverUrl && repository && token) return {
-		type: "forgejo",
-		conn: {
-			serverUrl,
-			repository,
-			token
-		}
-	};
-	const parsed = parseRepositoryUrl(cwd);
-	if (parsed === null) {
-		if (serverUrl) {
-			if (!repository) throw new FatalError("FORGEJO_REPOSITORY environment variable is required");
-			if (!token) throw new FatalError("FORGEJO_TOKEN environment variable is required");
-		}
-		return { type: "github" };
-	}
-	if (parsed.hostname === "github.com") return { type: "github" };
-	const resolvedToken = token;
-	if (!resolvedToken) throw new FatalError("FORGEJO_TOKEN environment variable is required (server URL and repository were resolved from package.json)");
+//#region src/commands/repo-init.ts
+/** Adapt a GeneratorContext to the DockerFileReader interface used by detectDockerPackages. */
+function contextAsDockerReader(ctx) {
 	return {
-		type: "forgejo",
-		conn: {
-			serverUrl: serverUrl ?? `${parsed.protocol}//${parsed.hostname}`,
-			repository: repository ?? parsed.repository,
-			token: resolvedToken
+		listPackageDirs(cwd) {
+			const packagesDir = path.join(cwd, "packages");
+			try {
+				return readdirSync(packagesDir, { withFileTypes: true }).filter((e) => e.isDirectory()).map((e) => e.name);
+			} catch (_error) {
+				return [];
+			}
+		},
+		readFile(filePath) {
+			const rel = path.relative(ctx.targetDir, filePath);
+			return ctx.read(rel) ?? null;
 		}
 	};
 }
-function parseRepositoryUrl(cwd) {
-	const pkgPath = path.join(cwd, "package.json");
-	let raw;
-	try {
-		raw = readFileSync(pkgPath, "utf-8");
-	} catch {
-		return null;
-	}
-	const pkg = z.object({ repository: RepositorySchema.optional() }).safeParse(JSON.parse(raw));
-	if (!pkg.success) return null;
-	const repo = pkg.data.repository;
-	if (!repo) return null;
-	return parseGitUrl(typeof repo === "string" ? repo : repo.url);
+/** Log what was detected so the user understands generator decisions. */
+function logDetectionSummary(ctx) {
+	const dockerPackages = detectDockerPackages(contextAsDockerReader(ctx), ctx.targetDir, ctx.config.name);
+	if (dockerPackages.length > 0) p.log.info(`Docker images: ${dockerPackages.map((pkg) => pkg.imageName).join(", ")}`);
+	const publishable = getPublishablePackages(ctx.targetDir, ctx.config.structure, ctx.packageJson);
+	if (publishable.length > 0) p.log.info(`npm packages: ${publishable.map((pkg) => pkg.name).join(", ")}`);
 }
-function parseGitUrl(urlStr) {
+async function runInit(config, options = {}) {
+	const detected = detectProject(config.targetDir);
+	const s = p.spinner();
+	const { ctx, archivedFiles } = createContext(config, options.confirmOverwrite ?? (async (relativePath) => {
+		s.stop("Paused");
+		const result = await p.select({
+			message: `${relativePath} already exists. What do you want to do?`,
+			options: [{
+				value: "overwrite",
+				label: "Overwrite"
+			}, {
+				value: "skip",
+				label: "Skip"
+			}]
+		});
+		s.start("Generating configuration files...");
+		if (p.isCancel(result)) return "skip";
+		return result;
+	}));
+	logDetectionSummary(ctx);
+	s.start("Generating configuration files...");
+	let results;
 	try {
-		const url = new URL(urlStr);
-		const pathname = url.pathname.replace(/\.git$/, "").replace(/^\//, "");
-		if (!pathname.includes("/")) return null;
-		return {
-			protocol: url.protocol,
-			hostname: url.hostname,
-			repository: pathname
-		};
-	} catch {
-		return null;
+		results = await runGenerators(ctx);
+	} catch (error) {
+		s.stop("Generation failed!");
+		throw error;
+	}
+	const alreadyArchived = new Set(results.filter((r) => r.action === "archived").map((r) => r.filePath));
+	for (const rel of archivedFiles) if (!alreadyArchived.has(rel)) results.push({
+		filePath: rel,
+		action: "archived",
+		description: `Original saved to .tooling-archived/${rel}`
+	});
+	const created = results.filter((r) => r.action === "created");
+	const updated = results.filter((r) => r.action === "updated");
+	if (!(created.length > 0 || updated.length > 0 || archivedFiles.length > 0) && options.noPrompt) {
+		s.stop("Repository is up to date.");
+		return results;
+	}
+	s.stop("Done!");
+	if (results.some((r) => r.action === "archived" && r.filePath.startsWith(".husky/"))) try {
+		execSync("git config --unset core.hooksPath", {
+			cwd: config.targetDir,
+			stdio: "ignore",
+			timeout: 5e3
+		});
+	} catch (_error) {}
+	const summaryLines = [];
+	if (created.length > 0) summaryLines.push(`Created: ${created.map((r) => r.filePath).join(", ")}`);
+	if (updated.length > 0) summaryLines.push(`Updated: ${updated.map((r) => r.filePath).join(", ")}`);
+	p.note(summaryLines.join("\n"), "Summary");
+	if (!options.noPrompt) {
+		const prompt = generateMigratePrompt(results, config, detected);
+		const promptPath = ".tooling-migrate.md";
+		ctx.write(promptPath, prompt);
+		p.log.info(`Migration prompt written to ${promptPath}`);
+		p.log.info("In Claude Code, run: \"Execute the steps in .tooling-migrate.md\"");
+	}
+	const bensandeeDeps = getAddedDevDepNames(config).filter((name) => name.startsWith("@bensandee/"));
+	const hasLockfile = ctx.exists("pnpm-lock.yaml");
+	if (bensandeeDeps.length > 0 && hasLockfile) {
+		s.start("Updating @bensandee/* packages...");
+		try {
+			execSync(`pnpm update --latest ${bensandeeDeps.join(" ")}`, {
+				cwd: config.targetDir,
+				stdio: "ignore",
+				timeout: 6e4
+			});
+			s.stop("Updated @bensandee/* packages");
+		} catch (_error) {
+			s.stop("Could not update @bensandee/* packages — run pnpm install first");
+		}
 	}
+	p.note([
+		"1. Run: pnpm install",
+		"2. Run: pnpm check",
+		...options.noPrompt ? [] : ["3. In Claude Code, run: \"Execute the steps in .tooling-migrate.md\""]
+	].join("\n"), "Next steps");
+	return results;
 }
 //#endregion
-//#region src/commands/release-changesets.ts
-const releaseForgejoCommand = defineCommand({
+//#region src/commands/repo-sync.ts
+const syncCommand = defineCommand({
 	meta: {
-		name: "release:changesets",
-		description: "Changesets version/publish for Forgejo CI"
+		name: "repo:sync",
+		description: "Detect, generate, and sync project tooling (idempotent)"
 	},
 	args: {
-		"dry-run": {
+		dir: {
+			type: "positional",
+			description: "Target directory (default: current directory)",
+			required: false
+		},
+		check: {
 			type: "boolean",
-			description: "Skip push, API calls, and publishing side effects"
+			description: "Dry-run mode: report drift without writing files"
 		},
-		verbose: {
+		yes: {
 			type: "boolean",
-			description: "Enable detailed debug logging (also enabled by RELEASE_DEBUG env var)"
-		}
-	},
-	async run({ args }) {
-		if ((await runRelease(buildReleaseConfig({
-			dryRun: args["dry-run"] === true,
-			verbose: args.verbose === true || process.env["RELEASE_DEBUG"] === "true"
-		}), createRealExecutor())).mode === "none") process.exitCode = 0;
-	}
-});
-/** Build release config from environment / package.json and CLI flags. */
-function buildReleaseConfig(flags) {
-	const resolved = resolveConnection(process.cwd());
-	if (resolved.type !== "forgejo") throw new FatalError("release:changesets requires a Forgejo repository");
-	return {
-		...resolved.conn,
-		cwd: process.cwd(),
-		dryRun: flags.dryRun ?? false,
-		verbose: flags.verbose ?? false
-	};
-}
-/** Resolve the current branch from CI env vars or git. */
-function getCurrentBranch(executor, cwd) {
-	const ref = process.env["GITHUB_REF"];
-	if (ref?.startsWith("refs/heads/")) return ref.slice(11);
-	return executor.exec("git rev-parse --abbrev-ref HEAD", { cwd }).stdout.trim();
-}
-/** Core release logic — testable with a mock executor. */
-async function runRelease(config, executor) {
-	const branch = getCurrentBranch(executor, config.cwd);
-	if (branch !== "main") {
-		debug$1(config, `Skipping release on non-main branch: ${branch}`);
-		return { mode: "none" };
-	}
-	executor.exec("git config user.name \"forgejo-actions[bot]\"", { cwd: config.cwd });
-	executor.exec("git config user.email \"forgejo-actions[bot]@noreply.localhost\"", { cwd: config.cwd });
-	const changesetFiles = executor.listChangesetFiles(config.cwd);
-	debug$1(config, `Changeset files found: ${changesetFiles.length > 0 ? changesetFiles.join(", ") : "(none)"}`);
-	if (changesetFiles.length > 0) {
-		debug$1(config, "Entering version mode");
-		return runVersionMode(executor, config);
-	}
-	debug$1(config, "Entering publish mode");
-	return runPublishMode(executor, config);
-}
-//#endregion
-//#region src/commands/release-trigger.ts
-const releaseTriggerCommand = defineCommand({
-	meta: {
-		name: "release:trigger",
-		description: "Trigger the release CI workflow"
-	},
-	args: { ref: {
-		type: "string",
-		description: "Git ref to trigger on (default: main)",
-		required: false
-	} },
-	async run({ args }) {
-		const ref = args.ref ?? "main";
-		const resolved = resolveConnection(process.cwd());
-		if (resolved.type === "forgejo") await triggerForgejo(resolved.conn, ref);
-		else triggerGitHub(ref);
-	}
-});
-async function triggerForgejo(conn, ref) {
-	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/actions/workflows/release.yml/dispatches`;
-	const res = await fetch(url, {
-		method: "POST",
-		headers: {
-			Authorization: `token ${conn.token}`,
-			"Content-Type": "application/json"
+			alias: "y",
+			description: "Accept all defaults (non-interactive)"
 		},
-		body: JSON.stringify({ ref })
-	});
-	if (!res.ok) throw new FatalError(`Failed to trigger Forgejo workflow: ${res.status} ${res.statusText}`);
-	p.log.info(`Triggered release workflow on Forgejo (ref: ${ref})`);
-}
-function triggerGitHub(ref) {
-	createRealExecutor().exec(`gh workflow run release.yml --ref ${ref}`, { cwd: process.cwd() });
-	p.log.info(`Triggered release workflow on GitHub (ref: ${ref})`);
-}
-//#endregion
-//#region src/commands/forgejo-create-release.ts
-const createForgejoReleaseCommand = defineCommand({
-	meta: {
-		name: "forgejo:create-release",
-		description: "Create a Forgejo release for a given tag"
+		"eslint-plugin": {
+			type: "boolean",
+			description: "Include @bensandee/eslint-plugin (default: true)"
+		},
+		"no-ci": {
+			type: "boolean",
+			description: "Skip CI workflow generation"
+		},
+		"no-prompt": {
+			type: "boolean",
+			description: "Skip migration prompt generation"
+		}
 	},
-	args: { tag: {
-		type: "string",
-		description: "Git tag to create a release for",
-		required: true
-	} },
 	async run({ args }) {
-		const resolved = resolveConnection(process.cwd());
-		if (resolved.type !== "forgejo") throw new FatalError("forgejo:create-release requires a Forgejo repository");
-		const executor = createRealExecutor();
-		const conn = resolved.conn;
-		if (await findRelease(executor, conn, args.tag)) {
-			p.log.info(`Release for ${args.tag} already exists — skipping`);
+		const targetDir = path.resolve(args.dir ?? ".");
+		if (args.check) {
+			const exitCode = await runCheck(targetDir);
+			process.exitCode = exitCode;
 			return;
 		}
-		await createRelease(executor, conn, args.tag);
-		p.log.info(`Created Forgejo release for ${args.tag}`);
+		const saved = loadToolingConfig(targetDir);
+		const isFirstRun = !saved;
+		let config;
+		if (args.yes || !isFirstRun) {
+			const detected = buildDefaultConfig(targetDir, {
+				eslintPlugin: args["eslint-plugin"] === true ? true : void 0,
+				noCi: args["no-ci"] === true ? true : void 0
+			});
+			config = saved ? mergeWithSavedConfig(detected, saved) : detected;
+		} else config = await runInitPrompts(targetDir, saved);
+		await runInit(config, {
+			noPrompt: args["no-prompt"] === true || !isFirstRun,
+			...!isFirstRun && { confirmOverwrite: async () => "overwrite" }
+		});
 	}
 });
-//#endregion
-//#region src/commands/changesets-merge.ts
-const HEAD_BRANCH = "changeset-release/main";
-const releaseMergeCommand = defineCommand({
-	meta: {
-		name: "changesets:merge",
-		description: "Merge the open changesets version PR"
-	},
-	args: { "dry-run": {
-		type: "boolean",
-		description: "Show what would be merged without actually merging"
-	} },
-	async run({ args }) {
-		const dryRun = args["dry-run"] === true;
-		const resolved = resolveConnection(process.cwd());
-		if (resolved.type === "forgejo") await mergeForgejo(resolved.conn, dryRun);
-		else mergeGitHub(dryRun);
+/** Run sync in check mode: dry-run drift detection. */
+async function runCheck(targetDir) {
+	const saved = loadToolingConfig(targetDir);
+	const detected = buildDefaultConfig(targetDir, {});
+	const { ctx, pendingWrites } = createDryRunContext(saved ? mergeWithSavedConfig(detected, saved) : detected);
+	logDetectionSummary(ctx);
+	const actionable = (await runGenerators(ctx)).filter((r) => {
+		if (r.action !== "created" && r.action !== "updated") return false;
+		const newContent = pendingWrites.get(r.filePath);
+		if (newContent && r.action === "updated") {
+			const existingPath = path.join(targetDir, r.filePath);
+			const existing = existsSync(existingPath) ? readFileSync(existingPath, "utf-8") : void 0;
+			if (existing && contentEqual(r.filePath, existing, newContent)) return false;
+		}
+		return true;
+	});
+	if (actionable.length === 0) {
+		p.log.success("Repository is up to date.");
+		return 0;
 	}
-});
-async function mergeForgejo(conn, dryRun) {
-	const executor = createRealExecutor();
-	const prNumber = await findOpenPr(executor, conn, HEAD_BRANCH);
-	if (prNumber === null) throw new FatalError(`No open PR found for branch ${HEAD_BRANCH}`);
-	if (dryRun) {
-		p.log.info(`[dry-run] Would merge PR #${String(prNumber)} and delete branch ${HEAD_BRANCH}`);
-		return;
+	p.log.warn(`${actionable.length} file(s) would be changed by repo:sync`);
+	for (const r of actionable) {
+		p.log.info(`  ${r.action}: ${r.filePath} — ${r.description}`);
+		const newContent = pendingWrites.get(r.filePath);
+		if (!newContent) continue;
+		const existingPath = path.join(targetDir, r.filePath);
+		const existing = existsSync(existingPath) ? readFileSync(existingPath, "utf-8") : void 0;
+		if (!existing) {
+			const lineCount = newContent.split("\n").length - 1;
+			p.log.info(`    + ${lineCount} new lines`);
+		} else {
+			const diff = lineDiff(existing, newContent);
+			for (const line of diff) p.log.info(`    ${line}`);
+		}
 	}
-	await mergePr(executor, conn, prNumber, {
-		method: "merge",
-		deleteBranch: true
-	});
-	p.log.info(`Merged PR #${String(prNumber)} and deleted branch ${HEAD_BRANCH}`);
+	return 1;
 }
-function mergeGitHub(dryRun) {
-	const executor = createRealExecutor();
-	if (dryRun) {
-		const prNum = executor.exec(`gh pr view ${HEAD_BRANCH} --json number --jq .number`, { cwd: process.cwd() }).stdout.trim();
-		if (!prNum) throw new FatalError(`No open PR found for branch ${HEAD_BRANCH}`);
-		p.log.info(`[dry-run] Would merge PR #${prNum} and delete branch ${HEAD_BRANCH}`);
-		return;
-	}
-	executor.exec(`gh pr merge ${HEAD_BRANCH} --merge --delete-branch`, { cwd: process.cwd() });
-	p.log.info(`Merged changesets PR and deleted branch ${HEAD_BRANCH}`);
+const normalize = (line) => line.trimEnd();
+function lineDiff(oldText, newText) {
+	const oldLines = oldText.split("\n").map(normalize);
+	const newLines = newText.split("\n").map(normalize);
+	const oldSet = new Set(oldLines);
+	const newSet = new Set(newLines);
+	const removed = oldLines.filter((l) => l.trim() !== "" && !newSet.has(l));
+	const added = newLines.filter((l) => l.trim() !== "" && !oldSet.has(l));
+	const lines = [];
+	for (const l of removed) lines.push(`- ${l.trim()}`);
+	for (const l of added) lines.push(`+ ${l.trim()}`);
+	return lines;
 }
 //#endregion
-//#region src/release/simple.ts
-/**
-* Compute sliding version tags from a semver version string.
-* For "1.2.3" returns ["v1", "v1.2"]. Strips prerelease suffixes.
-*/
-function computeSlidingTags(version) {
-	const parts = (version.split("-")[0] ?? version).split(".");
-	if (parts.length < 2 || !parts[0] || !parts[1]) throw new FatalError(`Invalid version format "${version}". Expected semver (X.Y.Z)`);
-	return [`v${parts[0]}`, `v${parts[0]}.${parts[1]}`];
-}
-/** Build the commit-and-tag-version command with appropriate flags. */
-function buildCommand(config) {
-	const args = ["pnpm exec commit-and-tag-version"];
-	if (config.dryRun) args.push("--dry-run");
-	if (config.firstRelease) args.push("--first-release");
-	if (config.releaseAs) args.push(`--release-as ${config.releaseAs}`);
-	if (config.prerelease) args.push(`--prerelease ${config.prerelease}`);
-	return args.join(" ");
-}
-/** Read the current version from package.json. */
-function readVersion(executor, cwd) {
-	const raw = executor.readFile(path.join(cwd, "package.json"));
-	if (!raw) throw new FatalError("Could not read package.json");
-	const pkg = parsePackageJson(raw);
-	if (!pkg?.version) throw new FatalError("No version field found in package.json");
-	return pkg.version;
-}
-/** Run the full commit-and-tag-version release flow. */
-async function runSimpleRelease(executor, config) {
-	const command = buildCommand(config);
-	p.log.info(`Running: ${command}`);
-	const versionResult = executor.exec(command, { cwd: config.cwd });
-	debugExec(config, "commit-and-tag-version", versionResult);
-	if (versionResult.exitCode !== 0) throw new FatalError(`commit-and-tag-version failed (exit code ${String(versionResult.exitCode)}):\n${versionResult.stderr || versionResult.stdout}`);
-	const version = readVersion(executor, config.cwd);
-	debug$1(config, `New version: ${version}`);
-	const tagResult = executor.exec("git describe --tags --abbrev=0", { cwd: config.cwd });
-	debugExec(config, "git describe", tagResult);
-	const tag = tagResult.stdout.trim();
-	if (!tag) throw new FatalError("Could not determine the new tag from git describe");
-	p.log.info(`Version ${version} tagged as ${tag}`);
-	if (config.dryRun) {
-		const slidingTags = config.noSlidingTags ? [] : computeSlidingTags(version);
-		p.log.info(`[dry-run] Would push to origin with --follow-tags`);
-		if (slidingTags.length > 0) p.log.info(`[dry-run] Would create sliding tags: ${slidingTags.join(", ")}`);
-		if (!config.noRelease && config.platform) p.log.info(`[dry-run] Would create ${config.platform.type} release for ${tag}`);
-		return {
-			version,
-			tag,
-			slidingTags,
-			pushed: false,
-			releaseCreated: false
-		};
-	}
-	let pushed = false;
-	if (!config.noPush) {
-		const branch = executor.exec("git rev-parse --abbrev-ref HEAD", { cwd: config.cwd }).stdout.trim() || "main";
-		debug$1(config, `Pushing to origin/${branch}`);
-		const pushResult = executor.exec(`git push --follow-tags origin ${branch}`, { cwd: config.cwd });
-		debugExec(config, "git push", pushResult);
-		if (pushResult.exitCode !== 0) throw new FatalError(`git push failed (exit code ${String(pushResult.exitCode)}):\n${pushResult.stderr || pushResult.stdout}`);
-		pushed = true;
-		p.log.info("Pushed to origin");
-	}
-	let slidingTags = [];
-	if (!config.noSlidingTags && pushed) {
-		slidingTags = computeSlidingTags(version);
-		for (const slidingTag of slidingTags) executor.exec(`git tag -f ${slidingTag}`, { cwd: config.cwd });
-		const forcePushResult = executor.exec(`git push origin ${slidingTags.join(" ")} --force`, { cwd: config.cwd });
-		debugExec(config, "force-push sliding tags", forcePushResult);
-		if (forcePushResult.exitCode !== 0) p.log.warn(`Warning: Failed to push sliding tags: ${forcePushResult.stderr || forcePushResult.stdout}`);
-		else p.log.info(`Created sliding tags: ${slidingTags.join(", ")}`);
-	}
-	let releaseCreated = false;
-	if (!config.noRelease && config.platform) releaseCreated = await createPlatformRelease(executor, config, tag);
+//#region src/release/executor.ts
+/** Create an executor that runs real commands, fetches, and reads the filesystem. */
+function createRealExecutor() {
 	return {
-		version,
-		tag,
-		slidingTags,
-		pushed,
-		releaseCreated
+		exec(command, options) {
+			try {
+				return {
+					stdout: execSync(command, {
+						cwd: options?.cwd,
+						env: {
+							...process.env,
+							...options?.env
+						},
+						encoding: "utf-8",
+						stdio: [
+							"pipe",
+							"pipe",
+							"pipe"
+						]
+					}),
+					stderr: "",
+					exitCode: 0
+				};
+			} catch (err) {
+				if (isExecSyncError(err)) return {
+					stdout: err.stdout,
+					stderr: err.stderr,
+					exitCode: err.status
+				};
+				return {
+					stdout: "",
+					stderr: "",
+					exitCode: 1
+				};
+			}
+		},
+		fetch: globalThis.fetch,
+		listChangesetFiles(cwd) {
+			const dir = path.join(cwd, ".changeset");
+			try {
+				return readdirSync(dir).filter((f) => f.endsWith(".md") && f !== "README.md");
+			} catch {
+				return [];
+			}
+		},
+		listWorkspacePackages(cwd) {
+			const packagesDir = path.join(cwd, "packages");
+			const packages = [];
+			try {
+				for (const entry of readdirSync(packagesDir)) {
+					const pkgPath = path.join(packagesDir, entry, "package.json");
+					try {
+						const pkg = parsePackageJson(readFileSync(pkgPath, "utf-8"));
+						if (pkg?.name && pkg.version && !pkg.private) packages.push({
+							name: pkg.name,
+							version: pkg.version,
+							dir: entry
+						});
+					} catch (_error) {}
+				}
+			} catch (_error) {}
+			return packages;
+		},
+		listPackageDirs(cwd) {
+			const packagesDir = path.join(cwd, "packages");
+			try {
+				return readdirSync(packagesDir, { withFileTypes: true }).filter((entry) => entry.isDirectory()).map((entry) => entry.name);
+			} catch {
+				return [];
+			}
+		},
+		readFile(filePath) {
+			try {
+				return readFileSync(filePath, "utf-8");
+			} catch {
+				return null;
+			}
+		},
+		writeFile(filePath, content) {
+			mkdirSync(path.dirname(filePath), { recursive: true });
+			writeFileSync(filePath, content);
+		}
 	};
 }
-async function createPlatformRelease(executor, config, tag) {
-	if (!config.platform) return false;
-	if (config.platform.type === "forgejo") {
-		if (await findRelease(executor, config.platform.conn, tag)) {
-			debug$1(config, `Release for ${tag} already exists, skipping`);
-			return false;
-		}
-		await createRelease(executor, config.platform.conn, tag);
-		p.log.info(`Created Forgejo release for ${tag}`);
-		return true;
+/** Parse "New tag:" lines from changeset publish output. */
+function parseNewTags(output) {
+	const tags = [];
+	for (const line of output.split("\n")) {
+		const match = /New tag:\s+(\S+)/.exec(line);
+		if (match?.[1]) tags.push(match[1]);
 	}
-	const ghResult = executor.exec(`gh release create ${tag} --generate-notes`, { cwd: config.cwd });
-	debugExec(config, "gh release create", ghResult);
-	if (ghResult.exitCode !== 0) {
-		p.log.warn(`Warning: Failed to create GitHub release: ${ghResult.stderr || ghResult.stdout}`);
-		return false;
+	return tags;
+}
+/** Map workspace packages to their expected tag strings (name@version). */
+function computeExpectedTags(packages) {
+	return packages.map((p) => `${p.name}@${p.version}`);
+}
+/** Parse `git ls-remote --tags` output into tag names, filtering out `^{}` dereference entries. */
+function parseRemoteTags(output) {
+	const tags = [];
+	for (const line of output.split("\n")) {
+		const match = /refs\/tags\/(.+)/.exec(line);
+		if (match?.[1] && !match[1].endsWith("^{}")) tags.push(match[1]);
 	}
-	p.log.info(`Created GitHub release for ${tag}`);
-	return true;
+	return tags;
+}
+/**
+* Reconcile expected tags with what already exists on the remote.
+* Returns `(expected - remote) ∪ stdoutTags`, deduplicated.
+*/
+function reconcileTags(expectedTags, remoteTags, stdoutTags) {
+	const remoteSet = new Set(remoteTags);
+	const result = /* @__PURE__ */ new Set();
+	for (const tag of expectedTags) if (!remoteSet.has(tag)) result.add(tag);
+	for (const tag of stdoutTags) result.add(tag);
+	return [...result];
 }
 //#endregion
-//#region src/commands/release-simple.ts
-const releaseSimpleCommand = defineCommand({
-	meta: {
-		name: "release:simple",
-		description: "Run commit-and-tag-version, push, create sliding tags, and create a platform release"
-	},
-	args: {
-		"dry-run": {
-			type: "boolean",
-			description: "Pass --dry-run to commit-and-tag-version and skip all remote operations"
-		},
-		verbose: {
-			type: "boolean",
-			description: "Enable detailed debug logging (also enabled by RELEASE_DEBUG env var)"
-		},
-		"no-push": {
-			type: "boolean",
-			description: "Run commit-and-tag-version but skip push and remote operations"
-		},
-		"no-sliding-tags": {
-			type: "boolean",
-			description: "Skip creating sliding major/minor version tags (vX, vX.Y)"
+//#region src/release/forgejo.ts
+const PullRequestSchema = z.array(z.object({
+	number: z.number(),
+	head: z.object({ ref: z.string() })
+}));
+/**
+* Find an open PR with the given head branch. Returns the PR number or null.
+*
+* Fetches all open PRs and filters client-side by head.ref rather than relying
+* on Forgejo's query parameter filtering, which behaves inconsistently.
+*/
+async function findOpenPr(executor, conn, head) {
+	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/pulls?state=open`;
+	const res = await executor.fetch(url, { headers: { Authorization: `token ${conn.token}` } });
+	if (!res.ok) throw new TransientError(`Failed to list PRs: ${res.status} ${res.statusText}`);
+	const parsed = PullRequestSchema.safeParse(await res.json());
+	if (!parsed.success) throw new UnexpectedError(`Unexpected PR list response: ${parsed.error.message}`);
+	return parsed.data.find((pr) => pr.head.ref === head)?.number ?? null;
+}
+/** Create a new pull request. */
+async function createPr(executor, conn, options) {
+	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/pulls`;
+	const payload = {
+		title: options.title,
+		head: options.head,
+		base: options.base
+	};
+	if (options.body) payload["body"] = options.body;
+	const res = await executor.fetch(url, {
+		method: "POST",
+		headers: {
+			Authorization: `token ${conn.token}`,
+			"Content-Type": "application/json"
 		},
-		"no-release": {
-			type: "boolean",
-			description: "Skip Forgejo/GitHub release creation"
+		body: JSON.stringify(payload)
+	});
+	if (!res.ok) throw new TransientError(`Failed to create PR: ${res.status} ${res.statusText}`);
+}
+/** Update an existing pull request's title and body. */
+async function updatePr(executor, conn, prNumber, options) {
+	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/pulls/${String(prNumber)}`;
+	const res = await executor.fetch(url, {
+		method: "PATCH",
+		headers: {
+			Authorization: `token ${conn.token}`,
+			"Content-Type": "application/json"
 		},
-		"first-release": {
-			type: "boolean",
-			description: "Pass --first-release to commit-and-tag-version (skip version bump)"
+		body: JSON.stringify({
+			title: options.title,
+			body: options.body
+		})
+	});
+	if (!res.ok) throw new TransientError(`Failed to update PR #${String(prNumber)}: ${res.status} ${res.statusText}`);
+}
+/** Merge a pull request by number. */
+async function mergePr(executor, conn, prNumber, options) {
+	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/pulls/${String(prNumber)}/merge`;
+	const res = await executor.fetch(url, {
+		method: "POST",
+		headers: {
+			Authorization: `token ${conn.token}`,
+			"Content-Type": "application/json"
 		},
-		"release-as": {
-			type: "string",
-			description: "Force a specific version (passed to commit-and-tag-version --release-as)"
+		body: JSON.stringify({
+			Do: options?.method ?? "merge",
+			delete_branch_after_merge: options?.deleteBranch ?? true
+		})
+	});
+	if (!res.ok) throw new TransientError(`Failed to merge PR #${String(prNumber)}: ${res.status} ${res.statusText}`);
+}
+/** Check whether a Forgejo release already exists for a given tag. */
+async function findRelease(executor, conn, tag) {
+	const encodedTag = encodeURIComponent(tag);
+	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/releases/tags/${encodedTag}`;
+	const res = await executor.fetch(url, { headers: { Authorization: `token ${conn.token}` } });
+	if (res.status === 200) return true;
+	if (res.status === 404) return false;
+	throw new TransientError(`Failed to check release for ${tag}: ${res.status} ${res.statusText}`);
+}
+/** Create a Forgejo release for a given tag. */
+async function createRelease(executor, conn, tag) {
+	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/releases`;
+	const res = await executor.fetch(url, {
+		method: "POST",
+		headers: {
+			Authorization: `token ${conn.token}`,
+			"Content-Type": "application/json"
 		},
-		prerelease: {
-			type: "string",
-			description: "Create a prerelease with the given tag (e.g., beta, alpha)"
-		}
-	},
-	async run({ args }) {
-		const cwd = process.cwd();
-		const verbose = args.verbose === true || process.env["RELEASE_DEBUG"] === "true";
-		const noRelease = args["no-release"] === true;
-		let platform;
-		if (!noRelease) {
-			const resolved = resolveConnection(cwd);
-			if (resolved.type === "forgejo") platform = {
-				type: "forgejo",
-				conn: resolved.conn
-			};
-			else platform = { type: "github" };
-		}
-		const config = {
-			cwd,
-			dryRun: args["dry-run"] === true,
-			verbose,
-			noPush: args["no-push"] === true,
-			noSlidingTags: args["no-sliding-tags"] === true,
-			noRelease,
-			firstRelease: args["first-release"] === true,
-			releaseAs: args["release-as"],
-			prerelease: args.prerelease,
-			platform
-		};
-		await runSimpleRelease(createRealExecutor(), config);
-	}
-});
+		body: JSON.stringify({
+			tag_name: tag,
+			name: tag,
+			body: `Published ${tag}`
+		})
+	});
+	if (!res.ok) throw new TransientError(`Failed to create release for ${tag}: ${res.status} ${res.statusText}`);
+}
 //#endregion
-//#region src/commands/repo-run-checks.ts
-const CHECKS = [
-	{ name: "build" },
-	{ name: "typecheck" },
-	{ name: "lint" },
-	{ name: "test" },
-	{
-		name: "format",
-		args: "--check"
-	},
-	{ name: "knip" },
-	{ name: "tooling:check" },
-	{ name: "docker:check" }
-];
-function defaultGetScripts(targetDir) {
-	try {
-		const pkg = parsePackageJson(readFileSync(path.join(targetDir, "package.json"), "utf-8"));
-		return new Set(Object.keys(pkg?.scripts ?? {}));
-	} catch {
-		return /* @__PURE__ */ new Set();
-	}
+//#region src/release/log.ts
+/** Log a debug message when verbose mode is enabled. */
+function debug(config, message) {
+	if (config.verbose) p.log.info(`[debug] ${message}`);
 }
-function defaultExecCommand(cmd, cwd) {
-	try {
-		execSync(cmd, {
-			cwd,
-			stdio: "inherit"
-		});
-		return 0;
-	} catch (err) {
-		if (isExecSyncError(err)) return err.status;
-		return 1;
+/** Log the result of an exec call when verbose mode is enabled. */
+function debugExec(config, label, result) {
+	if (!config.verbose) return;
+	const lines = [`[debug] ${label} (exit code ${String(result.exitCode)})`];
+	if (result.stdout.trim()) lines.push(`  stdout: ${result.stdout.trim()}`);
+	if (result.stderr.trim()) lines.push(`  stderr: ${result.stderr.trim()}`);
+	p.log.info(lines.join("\n"));
+}
+//#endregion
+//#region src/release/version.ts
+const BRANCH = "changeset-release/main";
+/** Extract the latest changelog entry (content between first and second `## ` heading). */
+function extractLatestEntry(changelog) {
+	const lines = changelog.split("\n");
+	let start = -1;
+	let end = lines.length;
+	for (let i = 0; i < lines.length; i++) if (lines[i]?.startsWith("## ")) if (start === -1) start = i;
+	else {
+		end = i;
+		break;
 	}
+	if (start === -1) return null;
+	return lines.slice(start, end).join("\n").trim();
 }
-const ciLog = (msg) => console.log(msg);
-function runRunChecks(targetDir, options = {}) {
-	const exec = options.execCommand ?? defaultExecCommand;
-	const getScripts = options.getScripts ?? defaultGetScripts;
-	const skip = options.skip ?? /* @__PURE__ */ new Set();
-	const add = options.add ?? [];
-	const isCI = Boolean(process.env["CI"]);
-	const failFast = options.failFast ?? !isCI;
-	const definedScripts = getScripts(targetDir);
-	const addedNames = new Set(add);
-	const allChecks = [...CHECKS, ...add.map((name) => ({ name }))];
-	const failures = [];
-	const notDefined = [];
-	for (const check of allChecks) {
-		if (skip.has(check.name)) continue;
-		if (!definedScripts.has(check.name)) {
-			if (addedNames.has(check.name)) {
-				p.log.error(`${check.name} not defined in package.json`);
-				failures.push(check.name);
-			} else notDefined.push(check.name);
-			continue;
-		}
-		const cmd = check.args ? `pnpm run ${check.name} ${check.args}` : `pnpm run ${check.name}`;
-		if (isCI) ciLog(`::group::${check.name}`);
-		const exitCode = exec(cmd, targetDir);
-		if (isCI) ciLog("::endgroup::");
-		if (exitCode === 0) p.log.success(check.name);
-		else {
-			if (isCI) ciLog(`::error::${check.name} failed`);
-			p.log.error(`${check.name} failed`);
-			failures.push(check.name);
-			if (failFast) return 1;
+/** Read the root package.json name and version. */
+function readRootPackage(executor, cwd) {
+	const content = executor.readFile(path.join(cwd, "package.json"));
+	if (!content) return null;
+	const pkg = parsePackageJson(content);
+	if (!pkg?.name || !pkg.version) return null;
+	if (pkg.private) return null;
+	return {
+		name: pkg.name,
+		version: pkg.version
+	};
+}
+/** Determine which packages changed and collect their changelog entries. */
+function buildPrContent(executor, cwd, packagesBefore) {
+	const packagesAfter = executor.listWorkspacePackages(cwd);
+	if (!(packagesBefore.length > 0 || packagesAfter.length > 0)) {
+		const rootPkg = readRootPackage(executor, cwd);
+		if (rootPkg) {
+			const changelog = executor.readFile(path.join(cwd, "CHANGELOG.md"));
+			const entry = changelog ? extractLatestEntry(changelog) : null;
+			return {
+				title: `chore: release ${rootPkg.name}@${rootPkg.version}`,
+				body: entry ?? ""
+			};
 		}
+		return {
+			title: "chore: version packages",
+			body: ""
+		};
 	}
-	if (notDefined.length > 0) p.log.info(`Skipped (not defined): ${notDefined.join(", ")}`);
-	if (failures.length > 0) {
-		p.log.error(`Failed checks: ${failures.join(", ")}`);
-		return 1;
+	const beforeMap = new Map(packagesBefore.map((pkg) => [pkg.name, pkg.version]));
+	const changed = packagesAfter.filter((pkg) => beforeMap.get(pkg.name) !== pkg.version);
+	if (changed.length === 0) return {
+		title: "chore: version packages",
+		body: ""
+	};
+	const title = `chore: release ${changed.map((pkg) => `${pkg.name}@${pkg.version}`).join(", ")}`;
+	const entries = [];
+	for (const pkg of changed) {
+		const changelogPath = path.join(cwd, "packages", pkg.dir, "CHANGELOG.md");
+		const changelog = executor.readFile(changelogPath);
+		const entry = changelog ? extractLatestEntry(changelog) : null;
+		if (entry) {
+			const labeled = entry.replace(/^## .+/, `## ${pkg.name}@${pkg.version}`);
+			entries.push(labeled);
+		}
 	}
-	p.log.success("All checks passed");
-	return 0;
+	return {
+		title,
+		body: entries.join("\n\n")
+	};
 }
-const runChecksCommand = defineCommand({
-	meta: {
-		name: "checks:run",
-		description: "Run all standard checks (build, typecheck, lint, test, format, knip, tooling:check, docker:check)"
-	},
-	args: {
-		dir: {
-			type: "positional",
-			description: "Target directory (default: current directory)",
-			required: false
-		},
-		skip: {
-			type: "string",
-			description: "Comma-separated list of checks to skip (build, typecheck, lint, test, format, knip, tooling:check, docker:check)",
-			required: false
-		},
-		add: {
-			type: "string",
-			description: "Comma-separated list of additional check names to run (uses pnpm run <name>)",
-			required: false
-		},
-		"fail-fast": {
-			type: "boolean",
-			description: "Stop on first failure (default: true in dev, false in CI)",
-			required: false
+/** Mode 1: version packages and create/update a PR. */
+async function runVersionMode(executor, config) {
+	p.log.info("Changesets detected — versioning packages");
+	const packagesBefore = executor.listWorkspacePackages(config.cwd);
+	debug(config, `Packages before versioning: ${packagesBefore.map((pkg) => `${pkg.name}@${pkg.version}`).join(", ") || "(none)"}`);
+	const changesetConfigPath = path.join(config.cwd, ".changeset", "config.json");
+	const originalConfig = executor.readFile(changesetConfigPath);
+	if (originalConfig) {
+		const parsed = parseChangesetConfig(originalConfig);
+		if (parsed?.commit) {
+			const patched = {
+				...parsed,
+				commit: false
+			};
+			executor.writeFile(changesetConfigPath, JSON.stringify(patched, null, 2) + "\n");
+			debug(config, "Temporarily disabled changeset commit:true");
 		}
-	},
-	run({ args }) {
-		const exitCode = runRunChecks(path.resolve(args.dir ?? "."), {
-			skip: args.skip ? new Set(args.skip.split(",").map((s) => s.trim())) : void 0,
-			add: args.add ? args.add.split(",").map((s) => s.trim()) : void 0,
-			failFast: args["fail-fast"] === true ? true : args["fail-fast"] === false ? false : void 0
-		});
-		process.exitCode = exitCode;
-	}
-});
-//#endregion
-//#region src/release/docker.ts
-const ToolingDockerMapSchema = z.record(z.string(), z.object({
-	dockerfile: z.string(),
-	context: z.string().default(".")
-}));
-const ToolingConfigDockerSchema = z.object({ docker: ToolingDockerMapSchema.optional() });
-const PackageInfoSchema = z.object({
-	name: z.string().optional(),
-	version: z.string().optional()
-});
-/** Read the docker map from .tooling.json. Returns empty record if missing or invalid. */
-function loadDockerMap(executor, cwd) {
-	const configPath = path.join(cwd, ".tooling.json");
-	const raw = executor.readFile(configPath);
-	if (!raw) return {};
-	try {
-		const result = ToolingConfigDockerSchema.safeParse(JSON.parse(raw));
-		if (!result.success || !result.data.docker) return {};
-		return result.data.docker;
-	} catch (_error) {
-		return {};
 	}
-}
-/** Read name and version from a package's package.json. */
-function readPackageInfo(executor, packageJsonPath) {
-	const raw = executor.readFile(packageJsonPath);
-	if (!raw) return {
-		name: void 0,
-		version: void 0
-	};
-	try {
-		const result = PackageInfoSchema.safeParse(JSON.parse(raw));
-		if (!result.success) return {
-			name: void 0,
-			version: void 0
+	const versionResult = executor.exec("pnpm changeset version", { cwd: config.cwd });
+	debugExec(config, "pnpm changeset version", versionResult);
+	if (originalConfig) executor.writeFile(changesetConfigPath, originalConfig);
+	if (versionResult.exitCode !== 0) throw new FatalError(`pnpm changeset version failed (exit code ${String(versionResult.exitCode)}):\n${versionResult.stderr}`);
+	debugExec(config, "pnpm install --no-frozen-lockfile", executor.exec("pnpm install --no-frozen-lockfile", { cwd: config.cwd }));
+	const { title, body } = buildPrContent(executor, config.cwd, packagesBefore);
+	debug(config, `PR title: ${title}`);
+	executor.exec("git add -A", { cwd: config.cwd });
+	const remainingChangesets = executor.listChangesetFiles(config.cwd);
+	if (remainingChangesets.length > 0) p.log.warn(`Changeset files still present after versioning: ${remainingChangesets.join(", ")}`);
+	debug(config, `Changeset files after versioning: ${remainingChangesets.length > 0 ? remainingChangesets.join(", ") : "(none — all consumed)"}`);
+	const commitResult = executor.exec("git commit -m \"chore: version packages\"", { cwd: config.cwd });
+	debugExec(config, "git commit", commitResult);
+	if (commitResult.exitCode !== 0) {
+		p.log.info("Nothing to commit after versioning");
+		return {
+			mode: "version",
+			pr: "none"
 		};
+	}
+	if (config.dryRun) {
+		p.log.info("[dry-run] Would push and create/update PR");
 		return {
-			name: result.data.name,
-			version: result.data.version
+			mode: "version",
+			pr: "none"
 		};
-	} catch (_error) {
+	}
+	debugExec(config, "git push", executor.exec(`git push origin "HEAD:refs/heads/${BRANCH}" --force`, { cwd: config.cwd }));
+	const conn = {
+		serverUrl: config.serverUrl,
+		repository: config.repository,
+		token: config.token
+	};
+	const existingPr = await findOpenPr(executor, conn, BRANCH);
+	debug(config, `Existing open PR for ${BRANCH}: ${existingPr === null ? "(none)" : `#${String(existingPr)}`}`);
+	if (existingPr === null) {
+		await createPr(executor, conn, {
+			title,
+			head: BRANCH,
+			base: "main",
+			body
+		});
+		p.log.info("Created version PR");
 		return {
-			name: void 0,
-			version: void 0
+			mode: "version",
+			pr: "created"
 		};
 	}
+	await updatePr(executor, conn, existingPr, {
+		title,
+		body
+	});
+	p.log.info(`Updated version PR #${String(existingPr)}`);
+	return {
+		mode: "version",
+		pr: "updated"
+	};
+}
+//#endregion
+//#region src/release/publish.ts
+const RETRY_ATTEMPTS = 3;
+const RETRY_BASE_DELAY_MS = 1e3;
+async function retryAsync(fn) {
+	let lastError;
+	for (let attempt = 0; attempt <= RETRY_ATTEMPTS; attempt++) try {
+		return await fn();
+	} catch (error) {
+		lastError = error;
+		if (attempt < RETRY_ATTEMPTS) {
+			const delay = RETRY_BASE_DELAY_MS * 2 ** attempt;
+			await new Promise((resolve) => setTimeout(resolve, delay));
+		}
+	}
+	throw lastError;
 }
-/** Convention paths to check for Dockerfiles in a package directory. */
-const CONVENTION_DOCKERFILE_PATHS = ["Dockerfile", "docker/Dockerfile"];
-/**
-* Find a Dockerfile at convention paths for a monorepo package.
-* Checks packages/{dir}/Dockerfile and packages/{dir}/docker/Dockerfile.
-*/
-function findConventionDockerfile(executor, cwd, dir) {
-	for (const rel of CONVENTION_DOCKERFILE_PATHS) {
-		const dockerfilePath = `packages/${dir}/${rel}`;
-		if (executor.readFile(path.join(cwd, dockerfilePath)) !== null) return {
-			dockerfile: dockerfilePath,
-			context: "."
+/** Mode 2: publish to npm, push tags, and create Forgejo releases. */
+async function runPublishMode(executor, config) {
+	p.log.info("No changesets — publishing packages");
+	const publishResult = executor.exec("pnpm changeset publish", { cwd: config.cwd });
+	debugExec(config, "pnpm changeset publish", publishResult);
+	if (publishResult.exitCode !== 0) throw new FatalError(`pnpm changeset publish failed (exit code ${String(publishResult.exitCode)}):\n${publishResult.stderr}`);
+	const stdoutTags = parseNewTags(publishResult.stdout + "\n" + publishResult.stderr);
+	debug(config, `Tags from publish stdout: ${stdoutTags.length > 0 ? stdoutTags.join(", ") : "(none)"}`);
+	const expectedTags = computeExpectedTags(executor.listWorkspacePackages(config.cwd));
+	debug(config, `Expected tags from workspace packages: ${expectedTags.length > 0 ? expectedTags.join(", ") : "(none)"}`);
+	const remoteTags = parseRemoteTags(executor.exec("git ls-remote --tags origin", { cwd: config.cwd }).stdout);
+	debug(config, `Remote tags: ${remoteTags.length > 0 ? remoteTags.join(", ") : "(none)"}`);
+	const remoteSet = new Set(remoteTags);
+	const tagsToPush = reconcileTags(expectedTags, remoteTags, stdoutTags);
+	debug(config, `Reconciled tags to push: ${tagsToPush.length > 0 ? tagsToPush.join(", ") : "(none)"}`);
+	if (config.dryRun) {
+		if (tagsToPush.length === 0) {
+			p.log.info("No packages were published");
+			return { mode: "none" };
+		}
+		p.log.info(`Tags to process: ${tagsToPush.join(", ")}`);
+		p.log.info("[dry-run] Would push tags and create releases");
+		return {
+			mode: "publish",
+			tags: tagsToPush
 		};
 	}
-}
-/**
-* Find a Dockerfile at convention paths for a single-package repo.
-* Checks Dockerfile and docker/Dockerfile at the project root.
-*/
-function findRootDockerfile(executor, cwd) {
-	for (const rel of CONVENTION_DOCKERFILE_PATHS) if (executor.readFile(path.join(cwd, rel)) !== null) return {
-		dockerfile: rel,
-		context: "."
+	const conn = {
+		serverUrl: config.serverUrl,
+		repository: config.repository,
+		token: config.token
+	};
+	const remoteExpectedTags = expectedTags.filter((t) => remoteSet.has(t) && !tagsToPush.includes(t));
+	const tagsWithMissingReleases = [];
+	for (const tag of remoteExpectedTags) if (!await findRelease(executor, conn, tag)) tagsWithMissingReleases.push(tag);
+	const allTags = [...tagsToPush, ...tagsWithMissingReleases];
+	if (allTags.length === 0) {
+		p.log.info("No packages were published");
+		return { mode: "none" };
+	}
+	p.log.info(`Tags to process: ${allTags.join(", ")}`);
+	const errors = [];
+	for (const tag of allTags) try {
+		if (!remoteSet.has(tag)) {
+			if (executor.exec(`git tag -l ${JSON.stringify(tag)}`, { cwd: config.cwd }).stdout.trim() === "") executor.exec(`git tag ${JSON.stringify(tag)}`, { cwd: config.cwd });
+			executor.exec(`git push origin refs/tags/${tag}`, { cwd: config.cwd });
+		}
+		if (await findRelease(executor, conn, tag)) p.log.warn(`Release for ${tag} already exists — skipping`);
+		else {
+			await retryAsync(async () => {
+				try {
+					await createRelease(executor, conn, tag);
+				} catch (error) {
+					if (await findRelease(executor, conn, tag)) return;
+					throw error;
+				}
+			});
+			p.log.info(`Created release for ${tag}`);
+		}
+	} catch (error) {
+		errors.push({
+			tag,
+			error
+		});
+		p.log.warn(`Failed to process ${tag}: ${error instanceof Error ? error.message : String(error)}`);
+	}
+	if (errors.length > 0) throw new TransientError(`Failed to create releases for: ${errors.map((e) => e.tag).join(", ")}`);
+	return {
+		mode: "publish",
+		tags: allTags
 	};
 }
+//#endregion
+//#region src/release/connection.ts
+const RepositorySchema = z.union([z.string(), z.object({ url: z.string() })]);
 /**
-* Discover Docker packages by convention and merge with .tooling.json overrides.
+* Resolve the hosting platform and connection details.
 *
-* Convention: any package with a Dockerfile or docker/Dockerfile is a Docker package.
-* For monorepos, scans packages/{name}/. For single-package repos, scans the root.
-* The docker map in .tooling.json overrides convention-discovered config and can add
-* packages at non-standard locations.
+* Priority:
+* 1. Environment variables (FORGEJO_SERVER_URL, FORGEJO_REPOSITORY, FORGEJO_TOKEN)
+* 2. `repository` field in package.json (server URL and owner/repo parsed from the URL)
 *
-* Image names are derived from {root-name}-{package-name} using each package's package.json name.
-* Versions are read from each package's own package.json.
+* For Forgejo, FORGEJO_TOKEN is always required (either from env or explicitly).
+* If the repository URL hostname is `github.com`, returns `{ type: "github" }`.
 */
-function detectDockerPackages(executor, cwd, repoName) {
-	const overrides = loadDockerMap(executor, cwd);
-	const packageDirs = executor.listPackageDirs(cwd);
-	const packages = [];
-	const seen = /* @__PURE__ */ new Set();
-	if (packageDirs.length > 0) {
-		for (const dir of packageDirs) {
-			const convention = findConventionDockerfile(executor, cwd, dir);
-			const docker = overrides[dir] ?? convention;
-			if (docker) {
-				const { name, version } = readPackageInfo(executor, path.join(cwd, "packages", dir, "package.json"));
-				packages.push({
-					dir,
-					imageName: `${repoName}-${name ?? dir}`,
-					version,
-					docker
-				});
-				seen.add(dir);
-			}
-		}
-		for (const [dir, docker] of Object.entries(overrides)) if (!seen.has(dir)) {
-			const { name, version } = readPackageInfo(executor, path.join(cwd, "packages", dir, "package.json"));
-			packages.push({
-				dir,
-				imageName: `${repoName}-${name ?? dir}`,
-				version,
-				docker
-			});
+function resolveConnection(cwd) {
+	const serverUrl = process.env["FORGEJO_SERVER_URL"];
+	const repository = process.env["FORGEJO_REPOSITORY"];
+	const token = process.env["FORGEJO_TOKEN"];
+	if (serverUrl && repository && token) return {
+		type: "forgejo",
+		conn: {
+			serverUrl,
+			repository,
+			token
 		}
-	} else {
-		const convention = findRootDockerfile(executor, cwd);
-		const docker = overrides["."] ?? convention;
-		if (docker) {
-			const { name, version } = readPackageInfo(executor, path.join(cwd, "package.json"));
-			packages.push({
-				dir: ".",
-				imageName: name ?? repoName,
-				version,
-				docker
-			});
+	};
+	const parsed = parseRepositoryUrl(cwd);
+	if (parsed === null) {
+		if (serverUrl) {
+			if (!repository) throw new FatalError("FORGEJO_REPOSITORY environment variable is required");
+			if (!token) throw new FatalError("FORGEJO_TOKEN environment variable is required");
 		}
+		return { type: "github" };
 	}
-	return packages;
-}
-/**
-* Read docker config for a single package, checking convention paths first,
-* then .tooling.json overrides. Used by the per-package image:build script.
-*/
-function readSinglePackageDocker(executor, cwd, packageDir, repoName) {
-	const dir = path.basename(path.resolve(cwd, packageDir));
-	const convention = findConventionDockerfile(executor, cwd, dir);
-	const docker = loadDockerMap(executor, cwd)[dir] ?? convention;
-	if (!docker) throw new FatalError(`No Dockerfile found for package "${dir}" (checked convention paths and .tooling.json)`);
-	const { name, version } = readPackageInfo(executor, path.join(cwd, "packages", dir, "package.json"));
+	if (parsed.hostname === "github.com") return { type: "github" };
+	const resolvedToken = token;
+	if (!resolvedToken) throw new FatalError("FORGEJO_TOKEN environment variable is required (server URL and repository were resolved from package.json)");
 	return {
-		dir,
-		imageName: `${repoName}-${name ?? dir}`,
-		version,
-		docker
+		type: "forgejo",
+		conn: {
+			serverUrl: serverUrl ?? `${parsed.protocol}//${parsed.hostname}`,
+			repository: repository ?? parsed.repository,
+			token: resolvedToken
+		}
 	};
 }
-/** Parse semver version string into major, minor, patch components. */
-function parseSemver(version) {
-	const clean = version.replace(/^v/, "");
-	const match = /^(\d+)\.(\d+)\.(\d+)/.exec(clean);
-	if (!match?.[1] || !match[2] || !match[3]) throw new FatalError(`Invalid semver version: ${version}`);
+function parseRepositoryUrl(cwd) {
+	const pkgPath = path.join(cwd, "package.json");
+	let raw;
+	try {
+		raw = readFileSync(pkgPath, "utf-8");
+	} catch {
+		return null;
+	}
+	const pkg = z.object({ repository: RepositorySchema.optional() }).safeParse(JSON.parse(raw));
+	if (!pkg.success) return null;
+	const repo = pkg.data.repository;
+	if (!repo) return null;
+	return parseGitUrl(typeof repo === "string" ? repo : repo.url);
+}
+function parseGitUrl(urlStr) {
+	try {
+		const url = new URL(urlStr);
+		const pathname = url.pathname.replace(/\.git$/, "").replace(/^\//, "");
+		if (!pathname.includes("/")) return null;
+		return {
+			protocol: url.protocol,
+			hostname: url.hostname,
+			repository: pathname
+		};
+	} catch {
+		return null;
+	}
+}
+//#endregion
+//#region src/commands/release-changesets.ts
+const releaseForgejoCommand = defineCommand({
+	meta: {
+		name: "release:changesets",
+		description: "Changesets version/publish for Forgejo CI"
+	},
+	args: {
+		"dry-run": {
+			type: "boolean",
+			description: "Skip push, API calls, and publishing side effects"
+		},
+		verbose: {
+			type: "boolean",
+			description: "Enable detailed debug logging (also enabled by RELEASE_DEBUG env var)"
+		}
+	},
+	async run({ args }) {
+		if ((await runRelease(buildReleaseConfig({
+			dryRun: args["dry-run"] === true,
+			verbose: args.verbose === true || process.env["RELEASE_DEBUG"] === "true"
+		}), createRealExecutor())).mode === "none") process.exitCode = 0;
+	}
+});
+/** Build release config from environment / package.json and CLI flags. */
+function buildReleaseConfig(flags) {
+	const resolved = resolveConnection(process.cwd());
+	if (resolved.type !== "forgejo") throw new FatalError("release:changesets requires a Forgejo repository");
 	return {
-		major: Number(match[1]),
-		minor: Number(match[2]),
-		patch: Number(match[3])
+		...resolved.conn,
+		cwd: process.cwd(),
+		dryRun: flags.dryRun ?? false,
+		verbose: flags.verbose ?? false
 	};
 }
-/** Generate semver tag variants: latest, vX.Y.Z, vX.Y, vX */
-function generateTags(version) {
-	const { major, minor, patch } = parseSemver(version);
-	return [
-		"latest",
-		`v${major}.${minor}.${patch}`,
-		`v${major}.${minor}`,
-		`v${major}`
-	];
+/** Resolve the current branch from CI env vars or git. */
+function getCurrentBranch(executor, cwd) {
+	const ref = process.env["GITHUB_REF"];
+	if (ref?.startsWith("refs/heads/")) return ref.slice(11);
+	return executor.exec("git rev-parse --abbrev-ref HEAD", { cwd }).stdout.trim();
 }
-/** Build the full image reference: namespace/imageName:tag */
-function imageRef(namespace, imageName, tag) {
-	return `${namespace}/${imageName}:${tag}`;
+/** Core release logic — testable with a mock executor. */
+async function runRelease(config, executor) {
+	const branch = getCurrentBranch(executor, config.cwd);
+	if (branch !== "main") {
+		debug(config, `Skipping release on non-main branch: ${branch}`);
+		return { mode: "none" };
+	}
+	executor.exec("git config user.name \"forgejo-actions[bot]\"", { cwd: config.cwd });
+	executor.exec("git config user.email \"forgejo-actions[bot]@noreply.localhost\"", { cwd: config.cwd });
+	const changesetFiles = executor.listChangesetFiles(config.cwd);
+	debug(config, `Changeset files found: ${changesetFiles.length > 0 ? changesetFiles.join(", ") : "(none)"}`);
+	if (changesetFiles.length > 0) {
+		debug(config, "Entering version mode");
+		return runVersionMode(executor, config);
+	}
+	debug(config, "Entering publish mode");
+	return runPublishMode(executor, config);
 }
-function log$1(message) {
-	console.log(message);
+//#endregion
+//#region src/commands/release-trigger.ts
+const releaseTriggerCommand = defineCommand({
+	meta: {
+		name: "release:trigger",
+		description: "Trigger the release CI workflow"
+	},
+	args: { ref: {
+		type: "string",
+		description: "Git ref to trigger on (default: main)",
+		required: false
+	} },
+	async run({ args }) {
+		const ref = args.ref ?? "main";
+		const resolved = resolveConnection(process.cwd());
+		if (resolved.type === "forgejo") await triggerForgejo(resolved.conn, ref);
+		else triggerGitHub(ref);
+	}
+});
+async function triggerForgejo(conn, ref) {
+	const url = `${conn.serverUrl}/api/v1/repos/${conn.repository}/actions/workflows/release.yml/dispatches`;
+	const res = await fetch(url, {
+		method: "POST",
+		headers: {
+			Authorization: `token ${conn.token}`,
+			"Content-Type": "application/json"
+		},
+		body: JSON.stringify({ ref })
+	});
+	if (!res.ok) throw new FatalError(`Failed to trigger Forgejo workflow: ${res.status} ${res.statusText}`);
+	p.log.info(`Triggered release workflow on Forgejo (ref: ${ref})`);
 }
-function debug(verbose, message) {
-	if (verbose) console.log(`[debug] ${message}`);
+function triggerGitHub(ref) {
+	createRealExecutor().exec(`gh workflow run release.yml --ref ${ref}`, { cwd: process.cwd() });
+	p.log.info(`Triggered release workflow on GitHub (ref: ${ref})`);
 }
-/** Read the repo name from root package.json. */
-function readRepoName(executor, cwd) {
-	const rootPkgRaw = executor.readFile(path.join(cwd, "package.json"));
-	if (!rootPkgRaw) throw new FatalError("No package.json found in project root");
-	const repoName = parsePackageJson(rootPkgRaw)?.name;
-	if (!repoName) throw new FatalError("Root package.json must have a name field");
-	return repoName;
+//#endregion
+//#region src/commands/forgejo-create-release.ts
+const createForgejoReleaseCommand = defineCommand({
+	meta: {
+		name: "forgejo:create-release",
+		description: "Create a Forgejo release for a given tag"
+	},
+	args: { tag: {
+		type: "string",
+		description: "Git tag to create a release for",
+		required: true
+	} },
+	async run({ args }) {
+		const resolved = resolveConnection(process.cwd());
+		if (resolved.type !== "forgejo") throw new FatalError("forgejo:create-release requires a Forgejo repository");
+		const executor = createRealExecutor();
+		const conn = resolved.conn;
+		if (await findRelease(executor, conn, args.tag)) {
+			p.log.info(`Release for ${args.tag} already exists — skipping`);
+			return;
+		}
+		await createRelease(executor, conn, args.tag);
+		p.log.info(`Created Forgejo release for ${args.tag}`);
+	}
+});
+//#endregion
+//#region src/commands/changesets-merge.ts
+const HEAD_BRANCH = "changeset-release/main";
+const releaseMergeCommand = defineCommand({
+	meta: {
+		name: "changesets:merge",
+		description: "Merge the open changesets version PR"
+	},
+	args: { "dry-run": {
+		type: "boolean",
+		description: "Show what would be merged without actually merging"
+	} },
+	async run({ args }) {
+		const dryRun = args["dry-run"] === true;
+		const resolved = resolveConnection(process.cwd());
+		if (resolved.type === "forgejo") await mergeForgejo(resolved.conn, dryRun);
+		else mergeGitHub(dryRun);
+	}
+});
+async function mergeForgejo(conn, dryRun) {
+	const executor = createRealExecutor();
+	const prNumber = await findOpenPr(executor, conn, HEAD_BRANCH);
+	if (prNumber === null) throw new FatalError(`No open PR found for branch ${HEAD_BRANCH}`);
+	if (dryRun) {
+		p.log.info(`[dry-run] Would merge PR #${String(prNumber)} and delete branch ${HEAD_BRANCH}`);
+		return;
+	}
+	await mergePr(executor, conn, prNumber, {
+		method: "merge",
+		deleteBranch: true
+	});
+	p.log.info(`Merged PR #${String(prNumber)} and deleted branch ${HEAD_BRANCH}`);
 }
-/** Build a single docker image from its config. Paths are resolved relative to cwd. */
-function buildImage(executor, pkg, cwd, verbose, extraArgs) {
-	const dockerfilePath = path.resolve(cwd, pkg.docker.dockerfile);
-	const contextPath = path.resolve(cwd, pkg.docker.context);
-	const command = [
-		"docker build",
-		`-f ${dockerfilePath}`,
-		`-t ${pkg.imageName}:latest`,
-		...extraArgs,
-		contextPath
-	].join(" ");
-	debug(verbose, `Running: ${command}`);
-	const buildResult = executor.exec(command);
-	debug(verbose, `Build stdout: ${buildResult.stdout}`);
-	if (buildResult.exitCode !== 0) throw new FatalError(`docker build failed for ${pkg.dir} (exit ${buildResult.exitCode}): ${buildResult.stderr}`);
+function mergeGitHub(dryRun) {
+	const executor = createRealExecutor();
+	if (dryRun) {
+		const prNum = executor.exec(`gh pr view ${HEAD_BRANCH} --json number --jq .number`, { cwd: process.cwd() }).stdout.trim();
+		if (!prNum) throw new FatalError(`No open PR found for branch ${HEAD_BRANCH}`);
+		p.log.info(`[dry-run] Would merge PR #${prNum} and delete branch ${HEAD_BRANCH}`);
+		return;
+	}
+	executor.exec(`gh pr merge ${HEAD_BRANCH} --merge --delete-branch`, { cwd: process.cwd() });
+	p.log.info(`Merged changesets PR and deleted branch ${HEAD_BRANCH}`);
 }
+//#endregion
+//#region src/release/simple.ts
 /**
-* Detect packages with docker config in .tooling.json and build each one.
-* Runs `docker build -f <dockerfile> -t <image-name>:latest <context>` for each package.
-* Dockerfile and context paths are resolved relative to the project root.
-*
-* When `packageDir` is set, builds only that single package (for use as an image:build script).
+* Compute sliding version tags from a semver version string.
+* For "1.2.3" returns ["v1", "v1.2"]. Strips prerelease suffixes.
 */
-function runDockerBuild(executor, config) {
-	const repoName = readRepoName(executor, config.cwd);
-	if (config.packageDir) {
-		const pkg = readSinglePackageDocker(executor, config.cwd, config.packageDir, repoName);
-		log$1(`Building image for ${pkg.dir} (${pkg.imageName}:latest)...`);
-		buildImage(executor, pkg, config.cwd, config.verbose, config.extraArgs);
-		log$1(`Built ${pkg.imageName}:latest`);
-		return { packages: [pkg] };
+function computeSlidingTags(version) {
+	const parts = (version.split("-")[0] ?? version).split(".");
+	if (parts.length < 2 || !parts[0] || !parts[1]) throw new FatalError(`Invalid version format "${version}". Expected semver (X.Y.Z)`);
+	return [`v${parts[0]}`, `v${parts[0]}.${parts[1]}`];
+}
+/** Build the commit-and-tag-version command with appropriate flags. */
+function buildCommand(config) {
+	const args = ["pnpm exec commit-and-tag-version"];
+	if (config.dryRun) args.push("--dry-run");
+	if (config.firstRelease) args.push("--first-release");
+	if (config.releaseAs) args.push(`--release-as ${config.releaseAs}`);
+	if (config.prerelease) args.push(`--prerelease ${config.prerelease}`);
+	return args.join(" ");
+}
+/** Read the current version from package.json. */
+function readVersion(executor, cwd) {
+	const raw = executor.readFile(path.join(cwd, "package.json"));
+	if (!raw) throw new FatalError("Could not read package.json");
+	const pkg = parsePackageJson(raw);
+	if (!pkg?.version) throw new FatalError("No version field found in package.json");
+	return pkg.version;
+}
+/** Run the full commit-and-tag-version release flow. */
+async function runSimpleRelease(executor, config) {
+	const command = buildCommand(config);
+	p.log.info(`Running: ${command}`);
+	const versionResult = executor.exec(command, { cwd: config.cwd });
+	debugExec(config, "commit-and-tag-version", versionResult);
+	if (versionResult.exitCode !== 0) throw new FatalError(`commit-and-tag-version failed (exit code ${String(versionResult.exitCode)}):\n${versionResult.stderr || versionResult.stdout}`);
+	const version = readVersion(executor, config.cwd);
+	debug(config, `New version: ${version}`);
+	const tagResult = executor.exec("git describe --tags --abbrev=0", { cwd: config.cwd });
+	debugExec(config, "git describe", tagResult);
+	const tag = tagResult.stdout.trim();
+	if (!tag) throw new FatalError("Could not determine the new tag from git describe");
+	p.log.info(`Version ${version} tagged as ${tag}`);
+	if (config.dryRun) {
+		const slidingTags = config.noSlidingTags ? [] : computeSlidingTags(version);
+		p.log.info(`[dry-run] Would push to origin with --follow-tags`);
+		if (slidingTags.length > 0) p.log.info(`[dry-run] Would create sliding tags: ${slidingTags.join(", ")}`);
+		if (!config.noRelease && config.platform) p.log.info(`[dry-run] Would create ${config.platform.type} release for ${tag}`);
+		return {
+			version,
+			tag,
+			slidingTags,
+			pushed: false,
+			releaseCreated: false
+		};
+	}
+	let pushed = false;
+	if (!config.noPush) {
+		const branch = executor.exec("git rev-parse --abbrev-ref HEAD", { cwd: config.cwd }).stdout.trim() || "main";
+		debug(config, `Pushing to origin/${branch}`);
+		const pushResult = executor.exec(`git push --follow-tags origin ${branch}`, { cwd: config.cwd });
+		debugExec(config, "git push", pushResult);
+		if (pushResult.exitCode !== 0) throw new FatalError(`git push failed (exit code ${String(pushResult.exitCode)}):\n${pushResult.stderr || pushResult.stdout}`);
+		pushed = true;
+		p.log.info("Pushed to origin");
+	}
+	let slidingTags = [];
+	if (!config.noSlidingTags && pushed) {
+		slidingTags = computeSlidingTags(version);
+		for (const slidingTag of slidingTags) executor.exec(`git tag -f ${slidingTag}`, { cwd: config.cwd });
+		const forcePushResult = executor.exec(`git push origin ${slidingTags.join(" ")} --force`, { cwd: config.cwd });
+		debugExec(config, "force-push sliding tags", forcePushResult);
+		if (forcePushResult.exitCode !== 0) p.log.warn(`Warning: Failed to push sliding tags: ${forcePushResult.stderr || forcePushResult.stdout}`);
+		else p.log.info(`Created sliding tags: ${slidingTags.join(", ")}`);
+	}
+	let releaseCreated = false;
+	if (!config.noRelease && config.platform) releaseCreated = await createPlatformRelease(executor, config, tag);
+	return {
+		version,
+		tag,
+		slidingTags,
+		pushed,
+		releaseCreated
+	};
+}
+async function createPlatformRelease(executor, config, tag) {
+	if (!config.platform) return false;
+	if (config.platform.type === "forgejo") {
+		if (await findRelease(executor, config.platform.conn, tag)) {
+			debug(config, `Release for ${tag} already exists, skipping`);
+			return false;
+		}
+		await createRelease(executor, config.platform.conn, tag);
+		p.log.info(`Created Forgejo release for ${tag}`);
+		return true;
 	}
-	const packages = detectDockerPackages(executor, config.cwd, repoName);
-	if (packages.length === 0) {
-		log$1("No packages with docker config found");
-		return { packages: [] };
+	const ghResult = executor.exec(`gh release create ${tag} --generate-notes`, { cwd: config.cwd });
+	debugExec(config, "gh release create", ghResult);
+	if (ghResult.exitCode !== 0) {
+		p.log.warn(`Warning: Failed to create GitHub release: ${ghResult.stderr || ghResult.stdout}`);
+		return false;
 	}
-	log$1(`Found ${packages.length} Docker package(s): ${packages.map((p) => p.dir).join(", ")}`);
-	for (const pkg of packages) {
-		log$1(`Building image for ${pkg.dir} (${pkg.imageName}:latest)...`);
-		buildImage(executor, pkg, config.cwd, config.verbose, config.extraArgs);
+	p.log.info(`Created GitHub release for ${tag}`);
+	return true;
+}
+//#endregion
+//#region src/commands/release-simple.ts
+const releaseSimpleCommand = defineCommand({
+	meta: {
+		name: "release:simple",
+		description: "Run commit-and-tag-version, push, create sliding tags, and create a platform release"
+	},
+	args: {
+		"dry-run": {
+			type: "boolean",
+			description: "Pass --dry-run to commit-and-tag-version and skip all remote operations"
+		},
+		verbose: {
+			type: "boolean",
+			description: "Enable detailed debug logging (also enabled by RELEASE_DEBUG env var)"
+		},
+		"no-push": {
+			type: "boolean",
+			description: "Run commit-and-tag-version but skip push and remote operations"
+		},
+		"no-sliding-tags": {
+			type: "boolean",
+			description: "Skip creating sliding major/minor version tags (vX, vX.Y)"
+		},
+		"no-release": {
+			type: "boolean",
+			description: "Skip Forgejo/GitHub release creation"
+		},
+		"first-release": {
+			type: "boolean",
+			description: "Pass --first-release to commit-and-tag-version (skip version bump)"
+		},
+		"release-as": {
+			type: "string",
+			description: "Force a specific version (passed to commit-and-tag-version --release-as)"
+		},
+		prerelease: {
+			type: "string",
+			description: "Create a prerelease with the given tag (e.g., beta, alpha)"
+		}
+	},
+	async run({ args }) {
+		const cwd = process.cwd();
+		const verbose = args.verbose === true || process.env["RELEASE_DEBUG"] === "true";
+		const noRelease = args["no-release"] === true;
+		let platform;
+		if (!noRelease) {
+			const resolved = resolveConnection(cwd);
+			if (resolved.type === "forgejo") platform = {
+				type: "forgejo",
+				conn: resolved.conn
+			};
+			else platform = { type: "github" };
+		}
+		const config = {
+			cwd,
+			dryRun: args["dry-run"] === true,
+			verbose,
+			noPush: args["no-push"] === true,
+			noSlidingTags: args["no-sliding-tags"] === true,
+			noRelease,
+			firstRelease: args["first-release"] === true,
+			releaseAs: args["release-as"],
+			prerelease: args.prerelease,
+			platform
+		};
+		await runSimpleRelease(createRealExecutor(), config);
+	}
+});
+//#endregion
+//#region src/commands/repo-run-checks.ts
+const CHECKS = [
+	{ name: "build" },
+	{ name: "typecheck" },
+	{ name: "lint" },
+	{ name: "test" },
+	{
+		name: "format",
+		args: "--check"
+	},
+	{ name: "knip" },
+	{ name: "tooling:check" },
+	{ name: "docker:check" }
+];
+function defaultGetScripts(targetDir) {
+	try {
+		const pkg = parsePackageJson(readFileSync(path.join(targetDir, "package.json"), "utf-8"));
+		return new Set(Object.keys(pkg?.scripts ?? {}));
+	} catch {
+		return /* @__PURE__ */ new Set();
 	}
-	log$1(`Built ${packages.length} image(s)`);
-	return { packages };
 }
-/**
-* Run the full Docker publish pipeline:
-* 1. Build all images via runDockerBuild
-* 2. Login to registry
-* 3. Tag each image with semver variants from its own package.json version
-* 4. Push all tags
-* 5. Logout from registry
-*/
-function runDockerPublish(executor, config) {
-	const { packages } = runDockerBuild(executor, {
-		cwd: config.cwd,
-		packageDir: void 0,
-		verbose: config.verbose,
-		extraArgs: []
-	});
-	if (packages.length === 0) return {
-		packages: [],
-		tags: []
-	};
-	for (const pkg of packages) if (!pkg.version) throw new FatalError(`Package ${pkg.dir} has docker config but no version in package.json`);
-	if (!config.dryRun) {
-		log$1(`Logging in to ${config.registryHost}...`);
-		const loginResult = executor.exec(`echo "${config.password}" | docker login ${config.registryHost} -u ${config.username} --password-stdin`);
-		if (loginResult.exitCode !== 0) throw new FatalError(`Docker login failed: ${loginResult.stderr}`);
-	} else log$1("[dry-run] Skipping docker login");
-	const allTags = [];
+function defaultExecCommand(cmd, cwd) {
 	try {
-		for (const pkg of packages) {
-			const tags = generateTags(pkg.version ?? "");
-			log$1(`${pkg.dir} v${pkg.version} → tags: ${tags.join(", ")}`);
-			for (const tag of tags) {
-				const ref = imageRef(config.registryNamespace, pkg.imageName, tag);
-				allTags.push(ref);
-				log$1(`Tagging ${pkg.imageName} → ${ref}`);
-				const tagResult = executor.exec(`docker tag ${pkg.imageName} ${ref}`);
-				if (tagResult.exitCode !== 0) throw new FatalError(`docker tag failed: ${tagResult.stderr}`);
-				if (!config.dryRun) {
-					log$1(`Pushing ${ref}...`);
-					const pushResult = executor.exec(`docker push ${ref}`);
-					if (pushResult.exitCode !== 0) throw new FatalError(`docker push failed: ${pushResult.stderr}`);
-				} else log$1(`[dry-run] Skipping push for ${ref}`);
-			}
+		execSync(cmd, {
+			cwd,
+			stdio: "inherit"
+		});
+		return 0;
+	} catch (err) {
+		if (isExecSyncError(err)) return err.status;
+		return 1;
+	}
+}
+const ciLog = (msg) => console.log(msg);
+function runRunChecks(targetDir, options = {}) {
+	const exec = options.execCommand ?? defaultExecCommand;
+	const getScripts = options.getScripts ?? defaultGetScripts;
+	const skip = options.skip ?? /* @__PURE__ */ new Set();
+	const add = options.add ?? [];
+	const isCI = Boolean(process.env["CI"]);
+	const failFast = options.failFast ?? !isCI;
+	const definedScripts = getScripts(targetDir);
+	const addedNames = new Set(add);
+	const allChecks = [...CHECKS, ...add.map((name) => ({ name }))];
+	const failures = [];
+	const notDefined = [];
+	for (const check of allChecks) {
+		if (skip.has(check.name)) continue;
+		if (!definedScripts.has(check.name)) {
+			if (addedNames.has(check.name)) {
+				p.log.error(`${check.name} not defined in package.json`);
+				failures.push(check.name);
+			} else notDefined.push(check.name);
+			continue;
 		}
-	} finally {
-		if (!config.dryRun) {
-			log$1(`Logging out from ${config.registryHost}...`);
-			executor.exec(`docker logout ${config.registryHost}`);
+		const cmd = check.args ? `pnpm run ${check.name} ${check.args}` : `pnpm run ${check.name}`;
+		if (isCI) ciLog(`::group::${check.name}`);
+		const exitCode = exec(cmd, targetDir);
+		if (isCI) ciLog("::endgroup::");
+		if (exitCode === 0) p.log.success(check.name);
+		else {
+			if (isCI) ciLog(`::error::${check.name} failed`);
+			p.log.error(`${check.name} failed`);
+			failures.push(check.name);
+			if (failFast) return 1;
 		}
 	}
-	log$1(`Published ${allTags.length} image tag(s)`);
-	return {
-		packages,
-		tags: allTags
-	};
+	if (notDefined.length > 0) p.log.info(`Skipped (not defined): ${notDefined.join(", ")}`);
+	if (failures.length > 0) {
+		p.log.error(`Failed checks: ${failures.join(", ")}`);
+		return 1;
+	}
+	p.log.success("All checks passed");
+	return 0;
 }
+const runChecksCommand = defineCommand({
+	meta: {
+		name: "checks:run",
+		description: "Run all standard checks (build, typecheck, lint, test, format, knip, tooling:check, docker:check)"
+	},
+	args: {
+		dir: {
+			type: "positional",
+			description: "Target directory (default: current directory)",
+			required: false
+		},
+		skip: {
+			type: "string",
+			description: "Comma-separated list of checks to skip (build, typecheck, lint, test, format, knip, tooling:check, docker:check)",
+			required: false
+		},
+		add: {
+			type: "string",
+			description: "Comma-separated list of additional check names to run (uses pnpm run <name>)",
+			required: false
+		},
+		"fail-fast": {
+			type: "boolean",
+			description: "Stop on first failure (default: true in dev, false in CI)",
+			required: false
+		}
+	},
+	run({ args }) {
+		const exitCode = runRunChecks(path.resolve(args.dir ?? "."), {
+			skip: args.skip ? new Set(args.skip.split(",").map((s) => s.trim())) : void 0,
+			add: args.add ? args.add.split(",").map((s) => s.trim()) : void 0,
+			failFast: args["fail-fast"] === true ? true : args["fail-fast"] === false ? false : void 0
+		});
+		process.exitCode = exitCode;
+	}
+});
 //#endregion
 //#region src/commands/publish-docker.ts
 function requireEnv(name) {
@@ -4577,7 +4607,7 @@ const dockerCheckCommand = defineCommand({
 const main = defineCommand({
 	meta: {
 		name: "tooling",
-		version: "0.22.0",
+		version: "0.24.0",
 		description: "Bootstrap and maintain standardized TypeScript project tooling"
 	},
 	subCommands: {
@@ -4593,7 +4623,11 @@ const main = defineCommand({
 		"docker:check": dockerCheckCommand
 	}
 });
-console.log(`@bensandee/tooling v0.22.0`);
-runMain(main);
+console.log(`@bensandee/tooling v0.24.0`);
+async function run() {
+	await runMain(main);
+	process.exit(process.exitCode ?? 0);
+}
+run();
 //#endregion
 export {};