@bookedsolid/reagent 0.6.0 → 0.7.0

package/dist/pm/discord-notifier.js

@@ -0,0 +1,122 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+import { parse as parseYaml } from 'yaml';
+/**
+ * Load discord_ops config from .reagent/gateway.yaml.
+ * Returns null if not configured or disabled.
+ */
+export function loadDiscordConfig(baseDir) {
+    const gatewayPath = path.join(baseDir, '.reagent', 'gateway.yaml');
+    if (!fs.existsSync(gatewayPath))
+        return null;
+    try {
+        const raw = fs.readFileSync(gatewayPath, 'utf8');
+        const parsed = parseYaml(raw);
+        const discordOps = parsed?.discord_ops;
+        if (!discordOps?.enabled)
+            return null;
+        return discordOps;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Send a message to a Discord channel via the discord-ops CLI.
+ * Fails silently — Discord notification failures must never block workflows.
+ */
+function sendDiscordMessage(config, channelKey, content, title) {
+    const channelId = config.channels[channelKey];
+    if (!channelId || !config.guild_id)
+        return;
+    const token = process.env['DISCORD_BOT_TOKEN'];
+    if (!token)
+        return;
+    try {
+        const args = [
+            '-y',
+            '@bookedsolid/discord-ops@latest',
+            'send_message',
+            '--channel-id',
+            channelId,
+            '--guild-id',
+            config.guild_id,
+            '--content',
+            title ? `**${title}**\n${content}` : content,
+        ];
+        execFileSync('npx', args, {
+            encoding: 'utf8',
+            timeout: 10_000,
+            stdio: 'pipe',
+            env: { ...process.env, DISCORD_BOT_TOKEN: token },
+        });
+    }
+    catch {
+        // Fail silently — Discord notification failure must never block anything
+    }
+}
+/**
+ * Discord notifier — sends structured notifications to configured channels.
+ * All methods fail silently when Discord is not configured or unavailable.
+ */
+export class DiscordNotifier {
+    config;
+    constructor(baseDir) {
+        this.config = loadDiscordConfig(baseDir);
+    }
+    /**
+     * Check whether Discord notifications are enabled.
+     */
+    isEnabled() {
+        return this.config !== null && this.config.enabled;
+    }
+    /**
+     * Notify Discord that a task was created.
+     */
+    async notifyTaskCreated(task) {
+        if (!this.config)
+            return;
+        const content = `Task created: **${task.id}** — ${task.title}` +
+            (task.urgency !== 'normal' ? ` [${task.urgency}]` : '') +
+            (task.assignee ? ` (assigned to ${task.assignee})` : '');
+        sendDiscordMessage(this.config, 'tasks', content, 'Task Created');
+    }
+    /**
+     * Notify Discord that a task was completed.
+     */
+    async notifyTaskCompleted(task) {
+        if (!this.config)
+            return;
+        const content = `Task completed: **${task.id}** — ${task.title}`;
+        sendDiscordMessage(this.config, 'tasks', content, 'Task Completed');
+    }
+    /**
+     * Notify Discord that a hook blocked an action.
+     */
+    async notifyHookBlocked(hookName, tool, reason) {
+        if (!this.config)
+            return;
+        const content = `Hook **${hookName}** blocked tool \`${tool}\`\nReason: ${reason}`;
+        sendDiscordMessage(this.config, 'alerts', content, 'Hook Block');
+    }
+    /**
+     * Notify Discord of a release.
+     */
+    async notifyRelease(version, changelog) {
+        if (!this.config)
+            return;
+        const truncated = changelog.length > 500 ? changelog.slice(0, 497) + '...' : changelog;
+        const content = `Version **${version}** released\n\n${truncated}`;
+        sendDiscordMessage(this.config, 'releases', content, 'Release');
+    }
+    /**
+     * Notify Discord of a security/audit alert.
+     */
+    async notifyAuditAlert(message) {
+        if (!this.config)
+            return;
+        sendDiscordMessage(this.config, 'alerts', message, 'Audit Alert');
+    }
+}
+//# sourceMappingURL=discord-notifier.js.map

package/dist/pm/discord-notifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discord-notifier.js","sourceRoot":"","sources":["../../src/pm/discord-notifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAkB1C;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IACnE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAuB,CAAC;QAEpD,MAAM,UAAU,GAAG,MAAM,EAAE,WAAW,CAAC;QACvC,IAAI,CAAC,UAAU,EAAE,OAAO;YAAE,OAAO,IAAI,CAAC;QAEtC,OAAO,UAAU,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,MAAwB,EACxB,UAA8C,EAC9C,OAAe,EACf,KAAc;IAEd,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC9C,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,QAAQ;QAAE,OAAO;IAE3C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAC/C,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG;YACX,IAAI;YACJ,iCAAiC;YACjC,cAAc;YACd,cAAc;YACd,SAAS;YACT,YAAY;YACZ,MAAM,CAAC,QAAQ;YACf,WAAW;YACX,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO;SAC7C,CAAC;QAEF,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE;YACxB,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,MAAM;YACf,KAAK,EAAE,MAAM;YACb,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,iBAAiB,EAAE,KAAK,EAAE;SAClD,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;IAC3E,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,eAAe;IACT,MAAM,CAA0B;IAEjD,YAAY,OAAe;QACzB,IAAI,CAAC,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,KAAK,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;IACrD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB,CAAC,IAAc;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO;QACzB,MAAM,OAAO,GACX,mBAAmB,IAAI,CAAC,EAAE,QAAQ,IAAI,CAAC,KAAK,EAAE;YAC9C,CAAC,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACvD,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,iBAAiB,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC3D,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IACpE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,mBAAmB,CAAC,IAAc;QACtC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO;QACzB,MAAM,OAAO,GAAG,qBAAqB,IAAI,CAAC,EAAE,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;QACjE,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC;IACtE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB,CAAC,QAAgB,EAAE,IAAY,EAAE,MAAc;QACpE,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO;QACzB,MAAM,OAAO,GAAG,UAAU,QAAQ,qBAAqB,IAAI,eAAe,MAAM,EAAE,CAAC;QACnF,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;IACnE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,SAAiB;QACpD,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO;QACzB,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QACvF,MAAM,OAAO,GAAG,aAAa,OAAO,kBAAkB,SAAS,EAAE,CAAC;QAClE,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAClE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,OAAe;QACpC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO;QACzB,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;IACpE,CAAC;CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bookedsolid/reagent",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Zero-trust MCP gateway — policy enforcement, secret redaction, and audit logging for AI-assisted projects",
   "license": "MIT",
   "author": "Booked Solid Technology <oss@bookedsolid.tech> (https://bookedsolid.tech)",

package/profiles/astro/README.md

@@ -0,0 +1,44 @@
+# astro profile
+
+Reagent profile for projects built with [Astro](https://astro.build/) (v3+, including v5).
+
+## When to use
+
+Install this profile when your project:
+
+- Is built with Astro (any rendering mode: SSG, SSR, hybrid)
+- Uses Astro components (`.astro` files)
+- Has island-architecture client components (React, Vue, Svelte, Lit, etc.)
+- Uses `astro check` and `astro build` as quality gates
+
+## What this profile installs
+
+### Hooks
+
+- **astro-ssr-guard.sh** — PostToolUse/Write: warns on React hooks used in `.astro` frontmatter without a `client:*` directive, and `document`/`window` access in SSR context (frontmatter runs server-side).
+
+### Quality gates (gates.yaml)
+
+| Gate             | Command            | On failure |
+| ---------------- | ------------------ | ---------- |
+| astro-check      | `npx astro check`  | block      |
+| astro-build      | `npx astro build`  | block      |
+| astro-type-check | `npx tsc --noEmit` | block      |
+
+### Agents
+
+- `astro-specialist` — Astro architecture, islands, content collections
+- `frontend-specialist` — general frontend and component patterns
+- `performance-engineer` — Core Web Vitals, Astro partial hydration strategies
+
+## Recommended additions
+
+- Playwright e2e tests for rendered pages
+- `@astrojs/check` for enhanced type checking
+- Lighthouse CI for CWV regression on static output
+
+## Installation
+
+```bash
+reagent init --profile astro
+```

package/profiles/astro/agents.txt

@@ -0,0 +1,3 @@
+engineering/astro-specialist
+engineering/frontend-specialist
+engineering/performance-engineer

package/profiles/astro/gates.yaml

@@ -0,0 +1,15 @@
+gates:
+  - name: astro-check
+    command: npx astro check
+    description: Astro type checking must pass (catches SSR/component errors)
+    on_failure: block
+
+  - name: astro-build
+    command: npx astro build
+    description: Astro production build must succeed
+    on_failure: block
+
+  - name: astro-type-check
+    command: npx tsc --noEmit
+    description: TypeScript must compile without errors
+    on_failure: block

package/profiles/astro/hooks/astro-ssr-guard.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# profiles/astro/hooks/astro-ssr-guard.sh
+# PostToolUse hook for Write — warns on Astro SSR anti-patterns in .astro files.
+# Checks for: React hooks in non-client context, document/window in frontmatter.
+# Advisory only — exits 0 after printing warnings.
+
+set -euo pipefail
+
+HOOK_DIR="$(cd "$(dirname "$0")" && pwd)"
+LIB="$HOOK_DIR/../../../hooks/_lib/common.sh"
+if [[ -f "$LIB" ]]; then
+  source "$LIB"
+  check_halt
+fi
+
+INPUT=$(cat)
+TOOL_NAME=$(printf '%s' "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+FILE_PATH=$(printf '%s' "$INPUT" | grep -o '"path":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+
+if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" ]]; then
+  exit 0
+fi
+
+# Only target .astro files
+case "$FILE_PATH" in
+  *.astro) ;;
+  *) exit 0 ;;
+esac
+
+if [[ ! -f "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+CONTENT=$(cat "$FILE_PATH" 2>/dev/null || echo "")
+WARNINGS=()
+
+# Extract frontmatter (between --- delimiters)
+FRONTMATTER=""
+if printf '%s' "$CONTENT" | grep -q '^---'; then
+  FRONTMATTER=$(printf '%s' "$CONTENT" | awk '/^---/{if(f)exit; f=1; next} f{print}')
+fi
+
+# Check 1: React hooks in .astro files — only valid in client:* components
+if printf '%s' "$CONTENT" | grep -qE '\b(useState|useEffect|useContext|useReducer|useCallback|useMemo|useRef)\s*[(<(]'; then
+  # Check if it's inside a component tag with client: directive
+  if ! printf '%s' "$CONTENT" | grep -qE 'client:(load|idle|visible|media|only)'; then
+    WARNINGS+=("ASTRO SSR: React hook (useState/useEffect/etc.) found but no 'client:*' directive detected in this file. React hooks only run in client-rendered components. Add 'client:load' (or other hydration strategy) to the component tag, or move hooks to a .tsx component used with 'client:load'.")
+  fi
+fi
+
+# Check 2: document or window in frontmatter (SSR context — not available server-side)
+if [[ -n "$FRONTMATTER" ]]; then
+  if printf '%s' "$FRONTMATTER" | grep -qE '\b(document|window)\b'; then
+    WARNINGS+=("ASTRO SSR: 'document' or 'window' accessed in Astro frontmatter (the --- block). Frontmatter runs at build time / server-side where these globals are not available. Move browser API calls into a <script> tag or a client:* component.")
+  fi
+fi
+
+# Check 3: import of useState/useEffect at top of frontmatter without client usage
+if printf '%s' "$FRONTMATTER" | grep -qE "import.*\{.*(useState|useEffect).*\}.*from\s+['\"]react['\"]"; then
+  if ! printf '%s' "$CONTENT" | grep -qE 'client:(load|idle|visible|media|only)'; then
+    WARNINGS+=("ASTRO SSR: React state/effect hooks imported in frontmatter without a 'client:*' component. This import will likely cause an error at runtime in SSR mode.")
+  fi
+fi
+
+if [[ ${#WARNINGS[@]} -gt 0 ]]; then
+  printf '\n[astro-ssr-guard] Astro SSR advisory warnings for %s:\n' "$FILE_PATH" >&2
+  for warning in "${WARNINGS[@]}"; do
+    printf '  WARN: %s\n' "$warning" >&2
+  done
+  printf '\n' >&2
+fi
+
+exit 0

package/profiles/drupal/README.md

@@ -0,0 +1,53 @@
+# drupal profile
+
+Reagent profile for Drupal CMS projects (Drupal 9/10/11).
+
+## When to use
+
+Install this profile when your project:
+
+- Is built on Drupal (any modern version)
+- Uses custom modules or themes
+- Has update hooks (`.install` files)
+- Requires Drupal coding standards enforcement
+
+## What this profile installs
+
+### Hooks
+
+- **drupal-coding-standards.sh** — PostToolUse/Write: warns on raw superglobals (`$_GET`, `$_POST`), hardcoded entity IDs, `hook_update_N` without schema management, and `t()` string concatenation.
+- **hook-update-guard.sh** — PostToolUse/Write: guards `.install` files for destructive schema operations and update hook numbering gaps.
+
+### Quality gates (gates.yaml)
+
+| Gate                 | Command                               | On failure |
+| -------------------- | ------------------------------------- | ---------- |
+| phpcs-drupal         | `vendor/bin/phpcs --standard=Drupal`  | block      |
+| drupal-cache-rebuild | `vendor/bin/drush cr`                 | warn       |
+| phpunit-drupal       | `vendor/bin/phpunit --testsuite=unit` | block      |
+
+### Agents
+
+- `drupal-specialist` — Drupal architecture and module development
+- `drupal-integration-specialist` — third-party integrations (APIs, payment, CRM)
+- `backend-engineer-payments` — commerce and payment flows
+- `security-engineer` — Drupal security review
+
+## Recommended additions
+
+- Behat behavioral tests for content workflows
+- Playwright e2e for rendered frontend
+- `phpstan` with Drupal extension for static analysis
+
+## Prerequisites
+
+```bash
+composer require --dev drupal/coder
+./vendor/bin/phpcs --config-set installed_paths vendor/drupal/coder/coder_sniffer
+```
+
+## Installation
+
+```bash
+reagent init --profile drupal
+```

package/profiles/drupal/agents.txt

@@ -0,0 +1,4 @@
+engineering/drupal-specialist
+engineering/drupal-integration-specialist
+engineering/backend-engineer-payments
+engineering/security-engineer

package/profiles/drupal/gates.yaml

@@ -0,0 +1,15 @@
+gates:
+  - name: phpcs-drupal
+    command: vendor/bin/phpcs --standard=Drupal --extensions=php,module,inc,install,theme .
+    description: Drupal coding standards (PHPCS) must pass
+    on_failure: block
+
+  - name: drupal-cache-rebuild
+    command: vendor/bin/drush cr
+    description: Drush cache rebuild must succeed (validates module/theme structure)
+    on_failure: warn
+
+  - name: phpunit-drupal
+    command: vendor/bin/phpunit --testsuite=unit
+    description: Drupal PHPUnit unit tests must pass
+    on_failure: block

package/profiles/drupal/hooks/drupal-coding-standards.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# profiles/drupal/hooks/drupal-coding-standards.sh
+# PostToolUse hook for Write — warns on Drupal anti-patterns in PHP/module/theme files.
+# Checks for: raw superglobals, hardcoded entity IDs, hook_update_N without schema bump.
+# Advisory only — exits 0 after printing warnings.
+
+set -euo pipefail
+
+HOOK_DIR="$(cd "$(dirname "$0")" && pwd)"
+LIB="$HOOK_DIR/../../../hooks/_lib/common.sh"
+if [[ -f "$LIB" ]]; then
+  source "$LIB"
+  check_halt
+fi
+
+INPUT=$(cat)
+TOOL_NAME=$(printf '%s' "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+FILE_PATH=$(printf '%s' "$INPUT" | grep -o '"path":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+
+if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" ]]; then
+  exit 0
+fi
+
+# Only target Drupal PHP files
+if [[ -z "$FILE_PATH" ]]; then
+  exit 0
+fi
+case "$FILE_PATH" in
+  *.php|*.module|*.theme|*.install) ;;
+  *) exit 0 ;;
+esac
+
+if [[ ! -f "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+CONTENT=$(cat "$FILE_PATH" 2>/dev/null || echo "")
+WARNINGS=()
+
+# Check 1: Raw superglobal access — should use \Drupal::request()
+if printf '%s' "$CONTENT" | grep -qE '\$_(GET|POST|REQUEST|SERVER)\['; then
+  WARNINGS+=("DRUPAL: Direct superglobal access (\$_GET, \$_POST, \$_REQUEST, \$_SERVER) detected. Use \\Drupal::request()->query->get() or \\Drupal::request()->request->get() for proper sanitization and testability.")
+fi
+
+# Check 2: Hardcoded numeric node/entity IDs in templates or module files
+if printf '%s' "$CONTENT" | grep -qE "(Node::load|\\\\Drupal::entityTypeManager\(\)->getStorage\('node'\)->load\(|nid\s*=\s*[0-9]+|->load\([0-9]+\))"; then
+  WARNINGS+=("DRUPAL: Hardcoded numeric entity/node ID detected. Use configuration, a content reference field, or \Drupal::config() instead of load(42) — hardcoded IDs break between environments.")
+fi
+
+# Check 3: hook_update_N without schema version bump check
+if printf '%s' "$CONTENT" | grep -qE 'function [a-z_]+_update_[0-9]+'; then
+  if ! printf '%s' "$CONTENT" | grep -qE 'schema_version|hook_update_dependencies|db_change_table|Schema::'; then
+    WARNINGS+=("DRUPAL: hook_update_N() found without apparent schema version management. Ensure \$sandbox['#finished'] logic is correct for batched updates, and verify schema version alignment via hook_update_dependencies() if needed.")
+  fi
+fi
+
+# Check 4: t() with concatenated strings (breaks localization)
+if printf '%s' "$CONTENT" | grep -qE "t\(['\"].*\\\$[a-zA-Z_]|t\(['\"].*'\s*\.\s*\\\$"; then
+  WARNINGS+=("DRUPAL: String concatenation inside t() detected. Use placeholders ('@var', '%var', ':url') instead: t('Hello @name', ['@name' => \$name]). Concatenation breaks translation extraction.")
+fi
+
+if [[ ${#WARNINGS[@]} -gt 0 ]]; then
+  printf '\n[drupal-coding-standards] Advisory warnings for %s:\n' "$FILE_PATH" >&2
+  for warning in "${WARNINGS[@]}"; do
+    printf '  WARN: %s\n' "$warning" >&2
+  done
+  printf '\n' >&2
+fi
+
+exit 0

package/profiles/drupal/hooks/hook-update-guard.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# profiles/drupal/hooks/hook-update-guard.sh
+# PostToolUse hook for Write — additional guard for hook_update_N patterns.
+# Specifically watches .install files for update hooks that modify critical schema.
+# Advisory only — exits 0 after printing warnings.
+
+set -euo pipefail
+
+HOOK_DIR="$(cd "$(dirname "$0")" && pwd)"
+LIB="$HOOK_DIR/../../../hooks/_lib/common.sh"
+if [[ -f "$LIB" ]]; then
+  source "$LIB"
+  check_halt
+fi
+
+INPUT=$(cat)
+TOOL_NAME=$(printf '%s' "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+FILE_PATH=$(printf '%s' "$INPUT" | grep -o '"path":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+
+if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" ]]; then
+  exit 0
+fi
+
+# Only target .install files
+case "$FILE_PATH" in
+  *.install) ;;
+  *) exit 0 ;;
+esac
+
+if [[ ! -f "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+CONTENT=$(cat "$FILE_PATH" 2>/dev/null || echo "")
+WARNINGS=()
+
+# Check: db_drop_table / db_drop_field without backup advisory
+if printf '%s' "$CONTENT" | grep -qE 'db_drop_(table|field)\s*\('; then
+  WARNINGS+=("DRUPAL SCHEMA: Destructive schema operation (db_drop_table/db_drop_field) detected in update hook. Ensure data migration or backup is handled before dropping. Consider using db_rename_table first if data needs preservation.")
+fi
+
+# Check: Multiple update hooks in single file (numbering gaps)
+UPDATE_HOOKS=$(printf '%s' "$CONTENT" | grep -oE 'function [a-z_]+_update_([0-9]+)' | grep -oE '[0-9]+$' | sort -n || echo "")
+if [[ -n "$UPDATE_HOOKS" ]]; then
+  PREV=""
+  while IFS= read -r num; do
+    if [[ -n "$PREV" ]]; then
+      EXPECTED=$((PREV + 1))
+      if [[ "$num" -gt "$EXPECTED" ]]; then
+        WARNINGS+=("DRUPAL SCHEMA: Gap detected in update hook numbering (after $PREV, next is $num). Verify this is intentional — gaps can confuse module update ordering.")
+      fi
+    fi
+    PREV="$num"
+  done <<< "$UPDATE_HOOKS"
+fi
+
+if [[ ${#WARNINGS[@]} -gt 0 ]]; then
+  printf '\n[hook-update-guard] Advisory warnings for %s:\n' "$FILE_PATH" >&2
+  for warning in "${WARNINGS[@]}"; do
+    printf '  WARN: %s\n' "$warning" >&2
+  done
+  printf '\n' >&2
+fi
+
+exit 0

package/profiles/lit-wc/README.md

@@ -0,0 +1,48 @@
+# lit-wc profile
+
+Reagent profile for projects using [Lit](https://lit.dev/) and native Web Components (Custom Elements v1, Shadow DOM).
+
+## When to use
+
+Install this profile when your project:
+
+- Uses `LitElement`, `ReactiveElement`, or plain `HTMLElement` subclasses
+- Registers custom elements via `customElements.define()`
+- Uses Shadow DOM for style encapsulation
+- Uses the Custom Elements Manifest (`cem analyze`) for component documentation
+
+## What this profile installs
+
+### Hooks
+
+- **shadow-dom-guard.sh** — PostToolUse/Write: warns on `document.querySelector` inside web components, missing `:host` CSS scoping, and `customElements.define()` without a guard check.
+- **cem-integrity-gate.sh** — PostToolUse/Write: advisory reminder to regenerate `custom-elements.json` after component source changes.
+
+### Quality gates (gates.yaml)
+
+| Gate            | Command              | On failure |
+| --------------- | -------------------- | ---------- |
+| cem-analyze     | `npx cem analyze`    | block      |
+| web-test-runner | `npx wtr --coverage` | warn       |
+| lit-ts-check    | `npx tsc --noEmit`   | block      |
+
+### Agents
+
+- `lit-specialist` — deep Lit/Web Components expertise
+- `accessibility-engineer` — a11y for custom elements and ARIA
+- `frontend-specialist` — general frontend patterns
+- `design-system-developer` — design token and component API patterns
+
+## Recommended additions
+
+- Visual regression tests (Playwright snapshots or Storybook visual tests)
+- `@axe-core/playwright` for accessibility audits per component
+- `@web/test-runner-playwright` for real browser test execution
+
+## Installation
+
+```bash
+reagent init --profile lit-wc
+```
+
+Or during initial setup when `reagent catalyze` detects Lit/Web Components usage.

package/profiles/lit-wc/agents.txt

@@ -0,0 +1,4 @@
+engineering/lit-specialist
+engineering/accessibility-engineer
+engineering/frontend-specialist
+engineering/design-system-developer

package/profiles/lit-wc/gates.yaml

@@ -0,0 +1,15 @@
+gates:
+  - name: cem-analyze
+    command: npx cem analyze
+    description: Custom Elements Manifest must be valid and up-to-date
+    on_failure: block
+
+  - name: web-test-runner
+    command: npx wtr --coverage
+    description: Web Test Runner component tests must pass
+    on_failure: warn
+
+  - name: lit-ts-check
+    command: npx tsc --noEmit
+    description: TypeScript must compile without errors
+    on_failure: block

package/profiles/lit-wc/hooks/cem-integrity-gate.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# profiles/lit-wc/hooks/cem-integrity-gate.sh
+# PostToolUse hook for Write — verifies custom elements manifest stays parseable.
+# If cem analyze is available and a custom-elements.json exists, validates it.
+# Advisory only — exits 0 after printing warnings.
+
+set -euo pipefail
+
+HOOK_DIR="$(cd "$(dirname "$0")" && pwd)"
+LIB="$HOOK_DIR/../../../hooks/_lib/common.sh"
+if [[ -f "$LIB" ]]; then
+  source "$LIB"
+  check_halt
+fi
+
+INPUT=$(cat)
+TOOL_NAME=$(printf '%s' "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+FILE_PATH=$(printf '%s' "$INPUT" | grep -o '"path":"[^"]*"' | head -1 | cut -d'"' -f4 2>/dev/null || echo "")
+
+if [[ "$TOOL_NAME" != "Write" && "$TOOL_NAME" != "Edit" ]]; then
+  exit 0
+fi
+
+# Only care about .ts/.js files (component source changes)
+case "$FILE_PATH" in
+  *.ts|*.js) ;;
+  *) exit 0 ;;
+esac
+
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+CEM_JSON="$PROJECT_DIR/custom-elements.json"
+
+# Only run if a custom-elements.json exists
+if [[ ! -f "$CEM_JSON" ]]; then
+  exit 0
+fi
+
+# Validate the existing manifest is valid JSON
+if ! python3 -c "import sys,json; json.load(open('$CEM_JSON'))" 2>/dev/null && \
+   ! node -e "require('$CEM_JSON')" 2>/dev/null; then
+  printf '[cem-integrity-gate] WARN: custom-elements.json exists but failed JSON validation. Run: npx cem analyze\n' >&2
+  exit 0
+fi
+
+# Advisory: remind to regenerate after component changes
+printf '[cem-integrity-gate] Advisory: Component source changed. Remember to run "npx cem analyze" to keep custom-elements.json in sync.\n' >&2
+
+exit 0