@bleedingdev/modern-js-create 3.2.0-ultramodern.57 → 3.2.0-ultramodern.59

package/dist/types/locale/en.d.ts

@@ -35,7 +35,7 @@ export declare const EN_LOCALE: {
         optionUltramodernPackageSource: string;
         optionUltramodernPackageScope: string;
         optionUltramodernPackageNamePrefix: string;
-        optionMicroVertical: string;
+        optionVertical: string;
         optionSub: string;
         examples: string;
         example1: string;

package/dist/types/locale/zh.d.ts

@@ -35,7 +35,7 @@ export declare const ZH_LOCALE: {
         optionUltramodernPackageSource: string;
         optionUltramodernPackageScope: string;
         optionUltramodernPackageNamePrefix: string;
-        optionMicroVertical: string;
+        optionVertical: string;
         optionSub: string;
         examples: string;
         example1: string;

package/dist/types/ultramodern-workspace.d.ts

@@ -1,4 +1,3 @@
-export type MicroVerticalKind = 'remote' | 'horizontal-remote' | 'service' | 'shared';
 type UltramodernPackageSourceStrategy = 'workspace' | 'install';
 export type UltramodernWorkspaceOptions = {
     targetDir: string;
@@ -13,16 +12,15 @@ export type UltramodernWorkspaceOptions = {
         aliasPackageNamePrefix?: string;
     };
 };
-export type AddUltramodernMicroVerticalOptions = {
+export type AddUltramodernVerticalOptions = {
     workspaceRoot: string;
     name: string;
-    kind: MicroVerticalKind;
     modernVersion: string;
     enableTailwind?: boolean;
     packageSource?: UltramodernWorkspaceOptions['packageSource'];
 };
 export declare const ULTRAMODERN_WORKSPACE_FLAG = "--ultramodern-workspace";
-export declare function addUltramodernMicroVertical(options: AddUltramodernMicroVerticalOptions): void;
+export declare function addUltramodernVertical(options: AddUltramodernVerticalOptions): void;
 export declare function generateUltramodernWorkspace(options: UltramodernWorkspaceOptions): void;
 export declare const ultramodernWorkspaceVersions: {
     tanstackRouter: string;

package/package.json

@@ -21,7 +21,7 @@
   "engines": {
     "node": ">=20"
   },
-  "version": "3.2.0-ultramodern.57",
+  "version": "3.2.0-ultramodern.59",
   "types": "./dist/types/index.d.ts",
   "main": "./dist/index.js",
   "bin": {
@@ -41,7 +41,7 @@
     "@types/node": "^25.9.1",
     "@typescript/native-preview": "7.0.0-dev.20260527.2",
     "tsx": "^4.22.3",
-    "@modern-js/i18n-utils": "npm:@bleedingdev/modern-js-i18n-utils@3.2.0-ultramodern.57"
+    "@modern-js/i18n-utils": "npm:@bleedingdev/modern-js-i18n-utils@3.2.0-ultramodern.58"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",
@@ -54,6 +54,6 @@
     "start": "node ./dist/index.js"
   },
   "ultramodern": {
-    "frameworkVersion": "3.2.0-ultramodern.57"
+    "frameworkVersion": "3.2.0-ultramodern.58"
   }
 }

package/template/.codex/hooks.json

@@ -0,0 +1,16 @@
+{
+  "Stop": [
+    {
+      "command": "pnpm format && pnpm lint:fix && pnpm ultramodern:check",
+      "timeout": 600000,
+      "statusMessage": "Running UltraModern quality gates"
+    }
+  ],
+  "SubagentStop": [
+    {
+      "command": "pnpm format && pnpm lint:fix && pnpm ultramodern:check",
+      "timeout": 600000,
+      "statusMessage": "Running UltraModern quality gates"
+    }
+  ]
+}

package/template/AGENTS.md

@@ -8,7 +8,9 @@ This project is generated for Codex-first UltraModern.js work.
 - `pnpm format` runs oxfmt.
 - `pnpm typecheck` runs effect-tsgo as the TypeScript checker.
 - `pnpm i18n:check` rejects hardcoded user-visible JSX text.
-- `mise exec -- pnpm ultramodern:check` verifies the generated contract.
+- `pnpm ultramodern:check` verifies the generated contract.
+- Generated Codex stop hooks and subagent-stop hooks run `pnpm format && pnpm lint:fix && pnpm ultramodern:check`.
+- `postinstall` installs `lefthook` when the app is inside a Git worktree. Generated `lefthook.yml` runs `pnpm format`, `pnpm lint:fix`, and `pnpm ultramodern:check` on pre-commit; pre-push runs `pnpm ultramodern:check`.
 
 ## Internationalization
 
@@ -18,10 +20,4 @@ Routes are locale-prefixed by default through `localePathRedirect: true`. Keep l
 
 ## Private Skills
 
-Private orchestration skills are not vendored into this template. If you are authorized for `TechsioCZ/skills`, run:
-
-```bash
-pnpm skills:install
-```
-
-The installer clones that private repository and copies only the allowlisted skills from `.agents/skills-lock.json`.
+Private orchestration skills are installed automatically during `pnpm install` when the current developer is authorized for `TechsioCZ/skills`. The installer clones that private repository and copies only the allowlisted skills from `.agents/skills-lock.json`; unauthorized developers get a warning and can continue with the public contract.

package/template/README.md

@@ -1,14 +1,14 @@
 # UltraModern.js 3.0 Starter
 
 This generated workspace is the Tractor reference SuperApp. It is built around
-one shell and three full-stack Micro Verticals:
+one shell and three full-stack Verticals:
 
 | Package | Boundary |
 | --- | --- |
 | `apps/shell-super-app` | Module Federation host, route assembly, topology selection, shell fallback policy |
-| `apps/remotes/remote-explore` | Explore routes, MF exposes, locale JSON, CSS layer, and `/explore-api/effect/explore/*` |
-| `apps/remotes/remote-decide` | Decide routes, MF exposes, locale JSON, CSS layer, and `/decide-api/effect/decide/*` |
-| `apps/remotes/remote-checkout` | Checkout routes, MF exposes, locale JSON, CSS layer, and `/checkout-api/effect/checkout/*` |
+| `verticals/explore` | Explore routes, MF exposes, locale JSON, CSS layer, and `/explore-api/effect/explore/*` |
+| `verticals/decide` | Decide routes, MF exposes, locale JSON, CSS layer, and `/decide-api/effect/decide/*` |
+| `verticals/checkout` | Checkout routes, MF exposes, locale JSON, CSS layer, and `/checkout-api/effect/checkout/*` |
 
 Each vertical is a one-package ownership boundary. Its UI, Effect BFF contract,
 generated client, `localisedUrls`, dynamic locale JSON, CSS, MF manifest, and
@@ -20,7 +20,7 @@ Install the dependencies:
 
 ```bash
 mise install
-mise exec -- pnpm install
+pnpm install
 ```
 
 ## Get Started
@@ -28,27 +28,27 @@ mise exec -- pnpm install
 Start the dev server:
 
 ```bash
-mise exec -- pnpm dev
+pnpm dev
 ```
 
 Build the app for production:
 
 ```bash
-mise exec -- pnpm build
+pnpm build
 ```
 
 Validate the generated Ultramodern preset contract locally:
 
 ```bash
-mise exec -- pnpm run ultramodern:check
+pnpm run ultramodern:check
 ```
 
 Run the normal local gates before treating the scaffold as adoption-ready:
 
 ```bash
-mise exec -- pnpm run check
-mise exec -- pnpm run build
-mise exec -- pnpm run cloudflare:build
+pnpm run check
+pnpm run build
+pnpm run cloudflare:build
 ```
 
 The generated preset defaults are opt-out. Disable specific contracts via env vars:
@@ -61,31 +61,29 @@ MODERN_BASELINE_ENABLE_TELEMETRY_EXPORTERS=false
 
 The generated starter also includes `.github/workflows/ultramodern-gates.yml`
 and `.github/renovate.json`. The workflow runs
-`mise exec -- pnpm run ultramodern:check` and `mise exec -- pnpm run build` on
+`pnpm run ultramodern:check` and `pnpm run build` on
 every push and pull request with read-only permissions, commit-pinned actions,
 frozen installs, and StepSecurity audit-mode runner hardening. Renovate is
 configured for dependency dashboard review, one-day release age, grouped
 updates, action digest pinning, and manual approval for major upgrades.
 
-## Micro Vertical Workspaces
+## Vertical Workspaces
 
-Inside a Micro Vertical workspace, add packages from the workspace root with
-the UltraModern add flow. It derives paths, package names, ports, Module
-Federation names, topology entries, overlays, ownership, and root dev scripts:
+Inside an UltraModern workspace, add a full-stack vertical from the workspace
+root. The add flow derives paths, package names, ports, Module Federation names,
+topology entries, overlays, ownership, Effect BFF contracts, and root dev
+scripts:
 
 ```bash
-mise exec -- pnpm dlx @modern-js/create catalog --microvertical remote
-mise exec -- pnpm dlx @modern-js/create design-system --microvertical horizontal-remote
-mise exec -- pnpm dlx @modern-js/create catalog-api --microvertical service
-mise exec -- pnpm dlx @modern-js/create catalog-contracts --microvertical shared
+pnpm dlx @modern-js/create catalog --vertical
 ```
 
 The canonical topology is documented in
 `docs/super-app-rfc-adr/WORKSPACE-0001-micro-vertical-workspace-scaffolding.md`.
-Shell packages own route assembly and topology selection, remote packages own
-route subtrees and degraded UI, service packages own Effect or explicit Hono
-contracts, and shared packages are limited to tokens, primitives, generated
-clients, or domain-neutral utilities.
+Shell packages own route assembly and topology selection. Verticals own route
+subtrees, degraded UI, Effect BFF contracts, generated clients, and deployment
+evidence. Ordinary workspace packages are limited to tokens, primitives,
+generated clients, or domain-neutral utilities.
 
 Use a new vertical only when the feature needs its own route subtree owner,
 independent rollout, rollback, Cloudflare/Zephyr evidence, or incident routing.
@@ -93,23 +91,22 @@ Keep code inside an existing vertical when it shares the same product owner,
 fallback behavior, release train, and Effect contract. Do not use a shared
 package for feature composites or workflow state.
 
-If the design system needs independent deployment, keep it as a horizontal
-Module Federation remote with the same topology, trust, SSR compatibility, and
-fallback rules as the vertical remotes. Do not add a second preset or a
-design-system-specific framework mode.
+Do not add separate service or shared "vertical types". A vertical is the
+full-stack ownership unit. Supporting packages are implementation details and
+should stay ordinary workspace packages unless a real vertical owns the product
+behavior.
 
 The public opinionated entrypoint is `presetUltramodern(...)`. It is the default
-UltraModern.js SuperApp surface for Effect, TanStack, SSR, BFF, and Micro
-Verticals.
+UltraModern.js SuperApp surface for Effect, TanStack, SSR, BFF, and Verticals.
 
 ## Module Federation And Effect Ownership
 
 The shell consumes vertical UI through MF manifests and consumes vertical data
-through generated Effect clients exported by the remote packages:
+through generated Effect clients exported by the vertical packages:
 
 - Explore exposes header, footer, recommendations, store picker, and route UI.
 - Decide exposes product page and route UI, and may consume Explore or Checkout
-  remotes through declared `remoteRefs`.
+  verticals through declared `verticalRefs`.
 - Checkout exposes cart, checkout, thanks, mini-cart, add-to-cart, and route UI.
 
 The shell owns orchestration and fallback policy. A vertical owns its route-local
@@ -123,14 +120,14 @@ Route localization is owned by the package that owns the route. Each app emits
 `src/routes/ultramodern-route-metadata` and passes
 `ultramodernLocalisedUrls` to `@modern-js/plugin-i18n`. Dynamic JSON resources
 are served from `/locales/{{lng}}/{{ns}}.json`; shell rewrites must not replace
-remote-owned localized URL maps.
+vertical-owned localized URL maps.
 
 CSS federation is recorded in `.modernjs/ultramodern-generated-contract.json`:
 
 - `packages/shared-design-tokens` owns `ultramodern-shared-tokens` and exports
   `./tokens.css`.
 - The shell owns shell base and overlay CSS under its app root marker.
-- Each remote owns one vertical CSS layer and one remote app root marker.
+- Each vertical owns one vertical CSS layer and one vertical app root marker.
 - Tailwind CSS v4 is app-local through `@tailwindcss/postcss`.
 - Duplicate base styles are forbidden. SSR first paint requires shared tokens
   and Modern/Rspack-emitted app CSS.
@@ -140,28 +137,28 @@ CSS federation is recorded in `.modernjs/ultramodern-generated-contract.json`:
 Build all Cloudflare Worker artifacts:
 
 ```bash
-MODERN_PUBLIC_SITE_URL=https://shell-super-app.example.test mise exec -- pnpm run cloudflare:build
+MODERN_PUBLIC_SITE_URL=https://shell-super-app.example.test pnpm run cloudflare:build
 ```
 
 Validate local or deployed Cloudflare output with the repo harness:
 
 ```bash
 node scripts/ultramodern-cloudflare-ssr-validation/validate-cloudflare-ssr.js \
-  --root-dir apps/remotes/remote-checkout \
+  --root-dir verticals/checkout \
   --bff /checkout-api/effect/checkout/readiness \
-  --expect-en "Checkout Remote" \
+  --expect-en "Checkout Vertical" \
   --match-build-marker \
-  --out .codex/reports/cloudflare-ssr/remote-checkout-local.json
+  --out .codex/reports/cloudflare-ssr/checkout-local.json
 ```
 
 After deploying public Workers, run the generated public URL proof:
 
 ```bash
 ULTRAMODERN_PUBLIC_URL_SHELL_SUPER_APP=https://shell-super-app.example.workers.dev \
-ULTRAMODERN_PUBLIC_URL_REMOTE_EXPLORE=https://remote-explore.example.workers.dev \
-ULTRAMODERN_PUBLIC_URL_REMOTE_DECIDE=https://remote-decide.example.workers.dev \
-ULTRAMODERN_PUBLIC_URL_REMOTE_CHECKOUT=https://remote-checkout.example.workers.dev \
-mise exec -- pnpm run cloudflare:proof -- --require-public-urls
+ULTRAMODERN_PUBLIC_URL_EXPLORE=https://explore.example.workers.dev \
+ULTRAMODERN_PUBLIC_URL_DECIDE=https://decide.example.workers.dev \
+ULTRAMODERN_PUBLIC_URL_CHECKOUT=https://checkout.example.workers.dev \
+pnpm run cloudflare:proof -- --require-public-urls
 ```
 
 Zephyr upload and live switching proof are opt-in evidence workflows. The
@@ -172,7 +169,7 @@ credentials. Without those values, only dry-run Zephyr evidence can be claimed.
 Preview the production build locally:
 
 ```bash
-mise exec -- pnpm serve
+pnpm serve
 ```
 
 For more information, see the

package/template/lefthook.yml

@@ -0,0 +1,15 @@
+pre-commit:
+  commands:
+    format:
+      run: pnpm format
+      stage_fixed: true
+    lint:
+      run: pnpm lint:fix
+      stage_fixed: true
+    check:
+      run: pnpm ultramodern:check
+
+pre-push:
+  commands:
+    check:
+      run: pnpm ultramodern:check

package/template/package.json.handlebars

@@ -15,13 +15,13 @@
 {{#unless isSubproject}}
     "skills:install": "node ./scripts/bootstrap-agent-skills.mjs",
     "skills:check": "node ./scripts/bootstrap-agent-skills.mjs --check",
+    "postinstall": "node ./scripts/bootstrap-agent-skills.mjs && (git rev-parse --is-inside-work-tree >/dev/null 2>&1 && lefthook install || true)",
 {{/unless}}
     "ultramodern:check": "{{#unless isSubproject}}pnpm format:check && pnpm lint && {{/unless}}pnpm typecheck && pnpm i18n:check && pnpm test{{#unless isSubproject}} && pnpm skills:check{{/unless}} && node ./scripts/validate-ultramodern.mjs"{{#unless isSubproject}},
     "format": "oxfmt .",
     "format:check": "oxfmt --check .",
     "lint": "oxlint .",
-    "lint:fix": "oxlint . --fix",
-    "prepare": "simple-git-hooks"{{/unless}}
+    "lint:fix": "oxlint . --fix"{{/unless}}
   },
   "dependencies": {
     "@modern-js/plugin-i18n": "{{pluginI18nVersion}}",
@@ -51,26 +51,16 @@
     "@typescript/native-preview": "7.0.0-dev.20260527.2",
     "happy-dom": "^20.9.0",
 {{#unless isSubproject}}
-    "lint-staged": "~17.0.5",
+    "lefthook": "^2.1.9",
     "oxfmt": "0.51.0",
     "oxlint": "1.66.0",
 {{/unless}}{{#if enableTailwind}}    "postcss": "^8.5.6",
-{{/if}}    "rimraf": "^6.1.3"{{#unless isSubproject}},
-    "simple-git-hooks": "^2.13.1"{{/unless}}{{#if enableTailwind}},
+{{/if}}    "rimraf": "^6.1.3"{{#if enableTailwind}},
     "tailwindcss": "^{{tailwindVersion}}"{{/if}}{{#unless isSubproject}},
     "ultracite": "7.7.0"{{/unless}}
-  }{{#unless isSubproject}},
-  "simple-git-hooks": {
-    "pre-commit": "npx lint-staged"
   },
-  "lint-staged": {
-    "*.{js,ts,cjs,mjs,d.cts,d.mts,jsx,tsx,json,jsonc}": [
-      "oxfmt --write",
-      "oxlint --fix"
-    ]
-  }{{/unless}},
   "engines": {
     "node": ">=20",
-    "pnpm": ">={{pnpmVersion}} <11.5.0"
+    "pnpm": ">={{pnpmVersion}} <11.6.0"
   }
 }

package/template/pnpm-workspace.yaml

@@ -13,7 +13,7 @@ allowBuilds:
   '@swc/core': true
   core-js: true
   esbuild: true
+  lefthook: true
   msgpackr-extract: true
   sharp: true
-  simple-git-hooks: true
   workerd: true

package/template/scripts/bootstrap-agent-skills.mjs

@@ -55,32 +55,64 @@ if (!fs.existsSync(lockPath)) {
 
 const lock = readJson(lockPath);
 const installDir = path.join(root, lock.installDir ?? '.agents/skills');
-const privateSources = (lock.sources ?? []).filter(
+const sources = lock.sources ?? [];
+const requiredCloneSources = sources.filter((source) => source.install === 'clone');
+const optionalCloneSources = sources.filter(
   (source) => source.install === 'clone-if-authorized',
 );
+const requiredSkills = [
+  ...(lock.baseline ?? []),
+  ...requiredCloneSources.flatMap((source) => source.baseline ?? []),
+].filter(
+  (skill, index, skills) =>
+    skills.findIndex((candidate) => candidate.name === skill.name) === index,
+);
 
 if (checkOnly) {
-  const missing = privateSources.flatMap((source) =>
+  const missingRequired = requiredSkills
+    .map((skill) => skill.name)
+    .filter((skillName) => !fs.existsSync(path.join(installDir, skillName, 'SKILL.md')));
+  const missingOptional = optionalCloneSources.flatMap((source) =>
     (source.baseline ?? [])
       .map((skill) => skill.name)
       .filter((skillName) => !fs.existsSync(path.join(installDir, skillName, 'SKILL.md'))),
   );
-  if (missing.length > 0) {
+
+  if (missingRequired.length > 0) {
+    console.error(
+      `Required agent skills not installed: ${missingRequired.join(', ')}. Run pnpm skills:install.`,
+    );
+    process.exit(1);
+  }
+
+  if (missingOptional.length > 0) {
     console.warn(
-      `Private skills not installed: ${missing.join(', ')}. Run pnpm skills:install if you have access.`,
+      `Private skills not installed: ${missingOptional.join(', ')}. Run pnpm skills:install if you have access.`,
     );
   } else {
-    console.log('Agent skills are installed.');
+    console.log('Required and private agent skills are installed.');
+    process.exit(0);
   }
+  console.log('Required agent skills are installed.');
   process.exit(0);
 }
 
 fs.mkdirSync(installDir, { recursive: true });
 
-for (const source of privateSources) {
+for (const source of [...requiredCloneSources, ...optionalCloneSources]) {
   const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'ultramodern-skills-'));
   try {
-    cloneSource(source, tempDir);
+    try {
+      cloneSource(source, tempDir);
+    } catch (error) {
+      if (source.install === 'clone-if-authorized') {
+        console.warn(
+          `Skipping ${source.repository}; current developer may not have access.`,
+        );
+        continue;
+      }
+      throw error;
+    }
     for (const skill of source.baseline ?? []) {
       const sourceSkillDir = resolveSkillDir(tempDir, skill.name);
       if (!sourceSkillDir) {

package/template/scripts/validate-ultramodern.mjs.handlebars

@@ -34,7 +34,7 @@ const activePnpmVersion = execFileSync('pnpm', ['--version'], {
 
 if (activePnpmVersion !== expectedPnpmVersion) {
   console.error(
-    `Generated app requires pnpm ${expectedPnpmVersion}; active pnpm is ${activePnpmVersion}. Run mise install, then rerun through mise exec -- pnpm ...`,
+    `Generated app requires pnpm ${expectedPnpmVersion}; active pnpm is ${activePnpmVersion}. Run mise install, then rerun pnpm from the activated shell`,
   );
   process.exit(1);
 }
@@ -81,7 +81,7 @@ const requiredDeniedPaths = [
 ];
 const requiredPostMaterialization = [
   'ultramodern-contract-check',
-  'dependency-install-with-lifecycle-deny',
+  'agent-skill-postinstall-allowed',
   'github-workflow-security-enforced',
   'package-source-retained',
   'pnpm-11-policy-enforced',
@@ -92,8 +92,10 @@ const requiredPaths = [
 {{#unless isSubproject}}
   'AGENTS.md',
   '.agents/skills-lock.json',
+  '.codex/hooks.json',
   '.github/renovate.json',
   '.github/workflows/ultramodern-gates.yml',
+  'lefthook.yml',
   'oxlint.config.ts',
   'oxfmt.config.ts',
   'scripts/bootstrap-agent-skills.mjs',
@@ -152,9 +154,9 @@ for (const requiredSnippet of [
   'pull_request:',
   'persist-credentials: false',
   'jdx/mise-action',
-  'mise exec -- pnpm install --frozen-lockfile',
-  'mise exec -- pnpm run ultramodern:check',
-  'mise exec -- pnpm run build',
+  'pnpm install --frozen-lockfile',
+  'pnpm run ultramodern:check',
+  'pnpm run build',
   'MODERN_PUBLIC_SITE_URL: http://localhost:8080',
   'timeout-minutes:',
   'egress-policy: audit',
@@ -218,6 +220,12 @@ for (const deniedPath of requiredDeniedPaths) {
 if (templateManifest.lifecyclePolicy?.denyByDefault !== true) {
   manifestErrors.push('lifecyclePolicy.denyByDefault');
 }
+if (
+  JSON.stringify(templateManifest.lifecyclePolicy?.allowedScripts) !==
+  JSON.stringify(['postinstall'])
+) {
+  manifestErrors.push('lifecyclePolicy.allowedScripts');
+}
 
 for (const token of requiredPostMaterialization) {
   if (!templateManifest.validation?.postMaterializationValidation?.includes(token)) {
@@ -260,6 +268,7 @@ const requiredScripts = {
   'lint:fix': 'oxlint . --fix',
   'skills:check': 'node ./scripts/bootstrap-agent-skills.mjs --check',
   'skills:install': 'node ./scripts/bootstrap-agent-skills.mjs',
+  postinstall: 'node ./scripts/bootstrap-agent-skills.mjs && (git rev-parse --is-inside-work-tree >/dev/null 2>&1 && lefthook install || true)',
 {{/unless}}
 };
 
@@ -299,8 +308,8 @@ if (packageJson.packageManager !== `pnpm@${expectedPnpmVersion}`) {
   process.exit(1);
 }
 
-if (packageJson.engines?.pnpm !== `>=${expectedPnpmVersion} <11.5.0`) {
-  console.error(`Generated app package must require pnpm >=${expectedPnpmVersion} <11.5.0`);
+if (packageJson.engines?.pnpm !== `>=${expectedPnpmVersion} <11.6.0`) {
+  console.error(`Generated app package must require pnpm >=${expectedPnpmVersion} <11.6.0`);
   process.exit(1);
 }
 
@@ -348,9 +357,9 @@ if (
     '@swc/core': true,
     'core-js': true,
     esbuild: true,
+    lefthook: true,
     'msgpackr-extract': true,
     sharp: true,
-    'simple-git-hooks': true,
     workerd: true,
   })
 ) {
@@ -467,6 +476,7 @@ for (const dependency of [
   'tailwindcss',
 {{/if}}
 {{#unless isSubproject}}
+  'lefthook',
   'oxlint',
   'oxfmt',
   'ultracite',

package/template/src/routes/[lang]/page.tsx.handlebars

@@ -127,7 +127,7 @@ const Index = () => {
           <code className="code">modern.config.ts</code>
           {/* i18n-ignore technical token */}
           {t('home.description.afterConfig')}
-          <code className="code">mise exec -- pnpm run ultramodern:check</code>
+          <code className="code">pnpm run ultramodern:check</code>
           {/* i18n-ignore technical token */}
           {t('home.description.end')}
         </p>

package/template-workspace/.codex/hooks.json

@@ -0,0 +1,16 @@
+{
+  "Stop": [
+    {
+      "command": "pnpm format && pnpm lint:fix && pnpm check",
+      "timeout": 600000,
+      "statusMessage": "Running UltraModern quality gates"
+    }
+  ],
+  "SubagentStop": [
+    {
+      "command": "pnpm format && pnpm lint:fix && pnpm check",
+      "timeout": 600000,
+      "statusMessage": "Running UltraModern quality gates"
+    }
+  ]
+}

package/template-workspace/AGENTS.md

@@ -8,6 +8,8 @@ This workspace is generated as an agent-ready UltraModern.js SuperApp. Agents sh
 - `pnpm format` runs oxfmt.
 - `pnpm typecheck` runs effect-tsgo as the TypeScript checker.
 - `pnpm check` runs formatting, linting, effect-tsgo, private-skill availability checks, and the generated workspace contract.
+- Generated Codex stop hooks and subagent-stop hooks run `pnpm format && pnpm lint:fix && pnpm check`.
+- `postinstall` installs `lefthook` when the workspace is inside a Git worktree. Generated `lefthook.yml` runs `pnpm format`, `pnpm lint:fix`, and `pnpm check` on pre-commit; pre-push runs `pnpm check`.
 
 ## Localized Routes
 
@@ -26,7 +28,7 @@ Use these skills when the task touches the matching subsystem:
 - `rstest-best-practices`: Rstest configuration, test writing, mocking, snapshots, coverage, and CI test behavior.
 - `mf`: Module Federation docs, Modern.js integration, DTS/type checks, shared dependency checks, runtime errors, and observability troubleshooting.
 
-The public `module-federation/agent-skills` repository is installed during `mise exec -- pnpm install` and `mise exec -- pnpm skills:install`. `mise exec -- pnpm skills:check` fails when the required public `mf` skill is missing.
+The public `module-federation/agent-skills` repository is installed during `pnpm install` and `pnpm skills:install`. `pnpm skills:check` fails when the required public `mf` skill is missing.
 
 ## Private Skills
 
@@ -40,7 +42,7 @@ The installer copies only the pinned private skills from `.agents/skills-lock.js
 
 ## Agent Reference Repositories
 
-The workspace installs read-only source references under `repos/` by default during `mise exec -- pnpm install` using `git subtree add --squash`. These repositories are reference material for coding agents, not application source:
+The workspace installs read-only source references under `repos/` by default during `pnpm install` using `git subtree add --squash`. These repositories are reference material for coding agents, not application source:
 
 - `repos/effect` from `Effect-TS/effect`.
 - `repos/ultramodern.js` from `BleedingDev/ultramodern.js`.

package/template-workspace/README.md.handlebars

@@ -6,34 +6,33 @@ This workspace keeps `presetUltramodern(...)` as the single public
 UltraModern.js 3.0 SuperApp surface and scaffolds the canonical Micro Vertical
 starter topology:
 
-- `apps/shell-super-app` owns shell route assembly and remote manifest wiring.
-- `apps/remotes/remote-commerce` owns the commerce vertical remote, its
+- `apps/shell-super-app` owns shell route assembly and federated manifest wiring.
+- `verticals/commerce` owns the commerce vertical, its
   browser-safe Module Federation exposes, and its Effect BFF/API surface.
-- `apps/remotes/remote-identity` owns the identity vertical remote, its
+- `verticals/identity` owns the identity vertical, its
   browser-safe Module Federation exposes, and its Effect BFF/API surface.
-- `apps/remotes/remote-design-system` owns the horizontal design-system remote.
+- `verticals/design-system` owns the design-system vertical.
 - `packages/shared-*` provide placeholders for cross-workspace contracts.
 
-Default vertical APIs are owned by the vertical package, not by `services/*`.
+Default vertical APIs are owned by the vertical package.
 Each full-stack vertical keeps its `api/effect/index.ts` handlers next to its
 `shared/effect/api.ts` contract and `src/effect/*-client.ts` typed client
 surface. The Module Federation config exposes only browser-safe Route and
 Widget modules; server handlers and Effect client/contract modules stay out of
-browser remotes. `services/*` is reserved for explicit external service
-packages.
+browser verticals.
 
 Run the scaffold validator before adding business code:
 
 ```bash
 mise install
-mise exec -- pnpm ultramodern:check
+pnpm ultramodern:check
 ```
 
-By default, `mise exec -- pnpm install` also prepares read-only agent reference repositories
+By default, `pnpm install` also prepares read-only agent reference repositories
 under `repos/` for Effect and UltraModern.js source lookup using squashed git
 subtrees. Disable this setup with
-`ULTRAMODERN_SKIP_AGENT_REPOS=1 mise exec -- pnpm install`, or rerun it
-explicitly with `mise exec -- pnpm agents:refs:install`.
+`ULTRAMODERN_SKIP_AGENT_REPOS=1 pnpm install`, or rerun it
+explicitly with `pnpm agents:refs:install`.
 
 The topology and ownership metadata are generated under `topology/`. The
 workspace also ships `.github/workflows/ultramodern-workspace-gates.yml` and