@cubis/foundry 0.3.12 → 0.3.14

package/Ai Agent Workflow/powers/postman/POWER.md

@@ -12,7 +12,7 @@ Before proceeding, validate that the user has completed the following steps befo
 
 ## Step 1
 
-Prompt the user to configure their own Postman API key for authentication. They can either set it as an environment variable named POSTMAN_API_KEY on their system, or hardcode it directly into the user level MCP configuration file (usually at ~/.kiro/settings/mcp.json) in the power section. To obtain an API key, they log into their Postman account, navigate to Settings → API Keys, and generate a new key with appropriate permissions for workspace, collection, and environment management. The key will be automatically used by the MCP server to authenticate all API requests to Postman's services.
+Generate and maintain `postman_setting.json` as the primary Postman configuration. Use env-first authentication by default: keep `apiKey` as `null`, set `apiKeyEnvVar` to `POSTMAN_API_KEY`, and read the key from environment variables. Only store `apiKey` inline when the user explicitly requests file-based key storage. Keep `defaultWorkspaceId` nullable (`null` when unknown) so workflows can run without a preselected workspace.
 
 ## Step 2
 
@@ -68,7 +68,7 @@ Create a hook that runs anytime the source code or configuration file has been c
 
 Automate API testing and collection management with Postman. Create workspaces, collections, environments, and run tests programmatically.
 
-**Authentication**: Requires Postman API key (Settings → API Keys at postman.com)
+**Authentication**: Env-first via `postman_setting.json` + `POSTMAN_API_KEY`; inline `apiKey` is optional.
 
 ## Available MCP Servers
 

package/Ai Agent Workflow/powers/postman/SKILL.md

@@ -10,7 +10,7 @@ Before proceeding, validate that the user has completed the following steps befo
 
 ## Step 1
 
-Prompt the user to configure their own Postman API key for authentication. They can either set it as an environment variable named POSTMAN_API_KEY on their system, or hardcode it directly into the user level MCP configuration file (usually at ~/.kiro/settings/mcp.json) in the power section. To obtain an API key, they log into their Postman account, navigate to Settings → API Keys, and generate a new key with appropriate permissions for workspace, collection, and environment management. The key will be automatically used by the MCP server to authenticate all API requests to Postman's services.
+Generate and maintain `postman_setting.json` as the primary Postman configuration. Use env-first authentication by default: keep `apiKey` as `null`, set `apiKeyEnvVar` to `POSTMAN_API_KEY`, and read the key from environment variables. Only store `apiKey` inline when the user explicitly requests file-based key storage. Keep `defaultWorkspaceId` nullable (`null` when unknown) so workflows can run without a preselected workspace.
 
 ## Step 2
 
@@ -66,7 +66,7 @@ Create a hook that runs anytime the source code or configuration file has been c
 
 Automate API testing and collection management with Postman. Create workspaces, collections, environments, and run tests programmatically.
 
-**Authentication**: Requires Postman API key (Settings → API Keys at postman.com)
+**Authentication**: Env-first via `postman_setting.json` + `POSTMAN_API_KEY`; inline `apiKey` is optional.
 
 ## Available MCP Servers
 

package/Ai Agent Workflow/skills/postman/POWER.md

@@ -12,7 +12,7 @@ Before proceeding, validate that the user has completed the following steps befo
 
 ## Step 1
 
-Prompt the user to configure their own Postman API key for authentication. They can either set it as an environment variable named POSTMAN_API_KEY on their system, or hardcode it directly into the user level MCP configuration file (usually at ~/.kiro/settings/mcp.json) in the power section. To obtain an API key, they log into their Postman account, navigate to Settings → API Keys, and generate a new key with appropriate permissions for workspace, collection, and environment management. The key will be automatically used by the MCP server to authenticate all API requests to Postman's services.
+Generate and maintain `postman_setting.json` as the primary Postman configuration. Use env-first authentication by default: keep `apiKey` as `null`, set `apiKeyEnvVar` to `POSTMAN_API_KEY`, and read the key from environment variables. Only store `apiKey` inline when the user explicitly requests file-based key storage. Keep `defaultWorkspaceId` nullable (`null` when unknown) so workflows can run without a preselected workspace.
 
 ## Step 2
 
@@ -68,7 +68,7 @@ Create a hook that runs anytime the source code or configuration file has been c
 
 Automate API testing and collection management with Postman. Create workspaces, collections, environments, and run tests programmatically.
 
-**Authentication**: Requires Postman API key (Settings → API Keys at postman.com)
+**Authentication**: Env-first via `postman_setting.json` + `POSTMAN_API_KEY`; inline `apiKey` is optional.
 
 ## Available MCP Servers
 
@@ -239,4 +239,4 @@ for (const collection of collections) {
 
 **Full mode (112 tools):** Change URL to `https://mcp.postman.com/full`
 
-**API Key Permissions:** Workspace management, collection read/write, environment read/write, collection runs
+**API Key Permissions:** Workspace management, collection read/write, environment read/write, collection runs

package/Ai Agent Workflow/skills/postman/SKILL.md

@@ -10,7 +10,7 @@ Before proceeding, validate that the user has completed the following steps befo
 
 ## Step 1
 
-Prompt the user to configure their own Postman API key for authentication. They can either set it as an environment variable named POSTMAN_API_KEY on their system, or hardcode it directly into the user level MCP configuration file (usually at ~/.kiro/settings/mcp.json) in the power section. To obtain an API key, they log into their Postman account, navigate to Settings → API Keys, and generate a new key with appropriate permissions for workspace, collection, and environment management. The key will be automatically used by the MCP server to authenticate all API requests to Postman's services.
+Generate and maintain `postman_setting.json` as the primary Postman configuration. Use env-first authentication by default: keep `apiKey` as `null`, set `apiKeyEnvVar` to `POSTMAN_API_KEY`, and read the key from environment variables. Only store `apiKey` inline when the user explicitly requests file-based key storage. Keep `defaultWorkspaceId` nullable (`null` when unknown) so workflows can run without a preselected workspace.
 
 ## Step 2
 
@@ -66,7 +66,7 @@ Create a hook that runs anytime the source code or configuration file has been c
 
 Automate API testing and collection management with Postman. Create workspaces, collections, environments, and run tests programmatically.
 
-**Authentication**: Requires Postman API key (Settings → API Keys at postman.com)
+**Authentication**: Env-first via `postman_setting.json` + `POSTMAN_API_KEY`; inline `apiKey` is optional.
 
 ## Available MCP Servers
 

package/Ai Agent Workflow/workflows/agent-environment-setup/manifest.json

@@ -123,98 +123,7 @@
         "testing-patterns",
         "vulnerability-scanner",
         "web-design-guidelines",
-        "vercel-automation",
-        "vercel-project-configuration",
-        "vercel-git-deployments",
-        "vercel-environments",
-        "vercel-generated-urls",
-        "vercel-deployment-promotion",
-        "vercel-build-pipeline",
-        "vercel-build-image-upgrades",
-        "vercel-build-output-api",
-        "vercel-monorepos",
-        "vercel-remote-caching",
-        "vercel-microfrontends",
-        "vercel-multi-tenant",
-        "vercel-functions-core",
-        "vercel-fluid-compute",
-        "vercel-functions-nodejs",
-        "vercel-functions-python",
-        "vercel-functions-edge-runtime",
-        "vercel-edge-to-node-migration",
-        "vercel-routing-middleware",
-        "vercel-function-config",
-        "vercel-runtime-cache",
-        "vercel-data-cache-nextjs",
-        "vercel-cron-jobs",
-        "vercel-og-image-generation",
-        "vercel-cdn-cache",
-        "vercel-cache-control-headers",
-        "vercel-isr",
-        "vercel-image-optimization",
-        "vercel-request-collapsing",
-        "vercel-redirects-rewrites",
-        "vercel-cdn-purging",
-        "vercel-blob",
-        "vercel-edge-config",
-        "vercel-edge-config-integrations",
-        "vercel-marketplace-storage-redis",
-        "vercel-storage-migrations",
-        "vercel-ai-sdk-core",
-        "vercel-ai-sdk-ui",
-        "vercel-ai-gateway-core",
-        "vercel-ai-gateway-model-routing",
-        "vercel-ai-gateway-fallbacks",
-        "vercel-ai-gateway-auth-byok",
-        "vercel-ai-gateway-observability",
-        "vercel-ai-gateway-openai-compatible",
-        "vercel-agent-workflows",
-        "vercel-mcp-for-agents",
-        "vercel-flags-platform",
-        "vercel-flags-dashboard",
-        "vercel-flags-sdk",
-        "vercel-flags-openfeature",
-        "vercel-flags-explorer",
-        "vercel-flags-cli-workflows",
-        "vercel-observability-overview",
-        "vercel-runtime-logs",
-        "vercel-tracing-otel",
-        "vercel-session-tracing",
-        "vercel-alerts-monitoring",
-        "vercel-drains-setup",
-        "vercel-log-drain-reference",
-        "vercel-log-trace-correlation",
-        "vercel-speed-insights",
-        "vercel-web-analytics",
-        "vercel-custom-events",
-        "vercel-deployment-protection",
-        "vercel-protection-bypass-automation",
-        "vercel-firewall-core",
-        "vercel-waf-custom-rules",
-        "vercel-waf-rate-limiting",
-        "vercel-bot-management",
-        "vercel-botid",
-        "vercel-secure-compute",
-        "vercel-static-ips",
-        "vercel-oidc-federation",
-        "vercel-rbac-access-groups",
-        "vercel-audit-logs",
-        "vercel-2fa-enforcement",
         "vercel-domains",
-        "vercel-dns-records",
-        "vercel-nameservers",
-        "vercel-ssl-certificates",
-        "vercel-domain-ownership-claims",
-        "vercel-cli-core",
-        "vercel-cli-project-domain-env",
-        "vercel-cli-flags",
-        "vercel-cli-microfrontends",
-        "vercel-cli-mcp",
-        "vercel-rest-api",
-        "vercel-sdk",
-        "vercel-integrations-native",
-        "vercel-marketplace-partner-api",
-        "vercel-webhooks-and-checks",
         "drift-flutter",
         "database-design",
         "database-optimizer"
@@ -353,98 +262,7 @@
         "testing-patterns",
         "vulnerability-scanner",
         "web-design-guidelines",
-        "vercel-automation",
-        "vercel-project-configuration",
-        "vercel-git-deployments",
-        "vercel-environments",
-        "vercel-generated-urls",
-        "vercel-deployment-promotion",
-        "vercel-build-pipeline",
-        "vercel-build-image-upgrades",
-        "vercel-build-output-api",
-        "vercel-monorepos",
-        "vercel-remote-caching",
-        "vercel-microfrontends",
-        "vercel-multi-tenant",
-        "vercel-functions-core",
-        "vercel-fluid-compute",
-        "vercel-functions-nodejs",
-        "vercel-functions-python",
-        "vercel-functions-edge-runtime",
-        "vercel-edge-to-node-migration",
-        "vercel-routing-middleware",
-        "vercel-function-config",
-        "vercel-runtime-cache",
-        "vercel-data-cache-nextjs",
-        "vercel-cron-jobs",
-        "vercel-og-image-generation",
-        "vercel-cdn-cache",
-        "vercel-cache-control-headers",
-        "vercel-isr",
-        "vercel-image-optimization",
-        "vercel-request-collapsing",
-        "vercel-redirects-rewrites",
-        "vercel-cdn-purging",
-        "vercel-blob",
-        "vercel-edge-config",
-        "vercel-edge-config-integrations",
-        "vercel-marketplace-storage-redis",
-        "vercel-storage-migrations",
-        "vercel-ai-sdk-core",
-        "vercel-ai-sdk-ui",
-        "vercel-ai-gateway-core",
-        "vercel-ai-gateway-model-routing",
-        "vercel-ai-gateway-fallbacks",
-        "vercel-ai-gateway-auth-byok",
-        "vercel-ai-gateway-observability",
-        "vercel-ai-gateway-openai-compatible",
-        "vercel-agent-workflows",
-        "vercel-mcp-for-agents",
-        "vercel-flags-platform",
-        "vercel-flags-dashboard",
-        "vercel-flags-sdk",
-        "vercel-flags-openfeature",
-        "vercel-flags-explorer",
-        "vercel-flags-cli-workflows",
-        "vercel-observability-overview",
-        "vercel-runtime-logs",
-        "vercel-tracing-otel",
-        "vercel-session-tracing",
-        "vercel-alerts-monitoring",
-        "vercel-drains-setup",
-        "vercel-log-drain-reference",
-        "vercel-log-trace-correlation",
-        "vercel-speed-insights",
-        "vercel-web-analytics",
-        "vercel-custom-events",
-        "vercel-deployment-protection",
-        "vercel-protection-bypass-automation",
-        "vercel-firewall-core",
-        "vercel-waf-custom-rules",
-        "vercel-waf-rate-limiting",
-        "vercel-bot-management",
-        "vercel-botid",
-        "vercel-secure-compute",
-        "vercel-static-ips",
-        "vercel-oidc-federation",
-        "vercel-rbac-access-groups",
-        "vercel-audit-logs",
-        "vercel-2fa-enforcement",
         "vercel-domains",
-        "vercel-dns-records",
-        "vercel-nameservers",
-        "vercel-ssl-certificates",
-        "vercel-domain-ownership-claims",
-        "vercel-cli-core",
-        "vercel-cli-project-domain-env",
-        "vercel-cli-flags",
-        "vercel-cli-microfrontends",
-        "vercel-cli-mcp",
-        "vercel-rest-api",
-        "vercel-sdk",
-        "vercel-integrations-native",
-        "vercel-marketplace-partner-api",
-        "vercel-webhooks-and-checks",
         "drift-flutter",
         "database-design",
         "database-optimizer"
@@ -583,98 +401,7 @@
         "testing-patterns",
         "vulnerability-scanner",
         "web-design-guidelines",
-        "vercel-automation",
-        "vercel-project-configuration",
-        "vercel-git-deployments",
-        "vercel-environments",
-        "vercel-generated-urls",
-        "vercel-deployment-promotion",
-        "vercel-build-pipeline",
-        "vercel-build-image-upgrades",
-        "vercel-build-output-api",
-        "vercel-monorepos",
-        "vercel-remote-caching",
-        "vercel-microfrontends",
-        "vercel-multi-tenant",
-        "vercel-functions-core",
-        "vercel-fluid-compute",
-        "vercel-functions-nodejs",
-        "vercel-functions-python",
-        "vercel-functions-edge-runtime",
-        "vercel-edge-to-node-migration",
-        "vercel-routing-middleware",
-        "vercel-function-config",
-        "vercel-runtime-cache",
-        "vercel-data-cache-nextjs",
-        "vercel-cron-jobs",
-        "vercel-og-image-generation",
-        "vercel-cdn-cache",
-        "vercel-cache-control-headers",
-        "vercel-isr",
-        "vercel-image-optimization",
-        "vercel-request-collapsing",
-        "vercel-redirects-rewrites",
-        "vercel-cdn-purging",
-        "vercel-blob",
-        "vercel-edge-config",
-        "vercel-edge-config-integrations",
-        "vercel-marketplace-storage-redis",
-        "vercel-storage-migrations",
-        "vercel-ai-sdk-core",
-        "vercel-ai-sdk-ui",
-        "vercel-ai-gateway-core",
-        "vercel-ai-gateway-model-routing",
-        "vercel-ai-gateway-fallbacks",
-        "vercel-ai-gateway-auth-byok",
-        "vercel-ai-gateway-observability",
-        "vercel-ai-gateway-openai-compatible",
-        "vercel-agent-workflows",
-        "vercel-mcp-for-agents",
-        "vercel-flags-platform",
-        "vercel-flags-dashboard",
-        "vercel-flags-sdk",
-        "vercel-flags-openfeature",
-        "vercel-flags-explorer",
-        "vercel-flags-cli-workflows",
-        "vercel-observability-overview",
-        "vercel-runtime-logs",
-        "vercel-tracing-otel",
-        "vercel-session-tracing",
-        "vercel-alerts-monitoring",
-        "vercel-drains-setup",
-        "vercel-log-drain-reference",
-        "vercel-log-trace-correlation",
-        "vercel-speed-insights",
-        "vercel-web-analytics",
-        "vercel-custom-events",
-        "vercel-deployment-protection",
-        "vercel-protection-bypass-automation",
-        "vercel-firewall-core",
-        "vercel-waf-custom-rules",
-        "vercel-waf-rate-limiting",
-        "vercel-bot-management",
-        "vercel-botid",
-        "vercel-secure-compute",
-        "vercel-static-ips",
-        "vercel-oidc-federation",
-        "vercel-rbac-access-groups",
-        "vercel-audit-logs",
-        "vercel-2fa-enforcement",
         "vercel-domains",
-        "vercel-dns-records",
-        "vercel-nameservers",
-        "vercel-ssl-certificates",
-        "vercel-domain-ownership-claims",
-        "vercel-cli-core",
-        "vercel-cli-project-domain-env",
-        "vercel-cli-flags",
-        "vercel-cli-microfrontends",
-        "vercel-cli-mcp",
-        "vercel-rest-api",
-        "vercel-sdk",
-        "vercel-integrations-native",
-        "vercel-marketplace-partner-api",
-        "vercel-webhooks-and-checks",
         "drift-flutter",
         "database-design",
         "database-optimizer"

package/Ai Agent Workflow/workflows/agent-environment-setup/platforms/antigravity/agents/backend-specialist.md

@@ -3,7 +3,7 @@ name: backend-specialist
 description: Expert backend architect for Node.js, Python, and modern serverless/edge systems. Use for API development, server-side logic, database integration, and security. Triggers on backend, server, api, endpoint, database, auth.
 tools: Read, Grep, Glob, Bash, Edit, Write
 model: inherit
-skills: clean-code, nodejs-best-practices, python-patterns, api-patterns, database-design, database-optimizer, database-skills, mcp-builder, lint-and-validate, powershell-windows, bash-linux, rust-pro, api-designer, architecture-designer, typescript-pro, nestjs-expert, fastapi-expert, secure-code-guardian, test-master
+skills: clean-code, nodejs-best-practices, python-patterns, api-patterns, openapi-docs, database-design, database-optimizer, database-skills, mcp-builder, lint-and-validate, powershell-windows, bash-linux, rust-pro, api-designer, architecture-designer, typescript-pro, nestjs-expert, fastapi-expert, secure-code-guardian, test-master
 ---
 
 # Backend Development Architect

package/Ai Agent Workflow/workflows/agent-environment-setup/platforms/antigravity/workflows/backend.md

@@ -14,4 +14,14 @@ Use this workflow when backend architecture or implementation is primary.
 1. Ask `@backend-specialist` for solution outline.
 2. Validate API contracts, data model, and failure handling.
 3. Implement backend changes with tests and observability.
-4. Return summary including migration and rollout notes.
+4. Always update API docs: OpenAPI spec, Swagger UI route, and Stoplight Elements route/component.
+5. Return summary including migration and rollout notes.
+
+## Output Contract
+- API/contract changes
+- OpenAPI spec path
+- Swagger UI route
+- Stoplight route/component status
+- Migration impact
+- Reliability/security notes
+- Verification evidence

package/Ai Agent Workflow/workflows/agent-environment-setup/platforms/codex/agents/backend-specialist.md

@@ -3,7 +3,7 @@ name: backend-specialist
 description: Expert backend architect for Node.js, Python, and modern serverless/edge systems. Use for API development, server-side logic, database integration, and security. Triggers on backend, server, api, endpoint, database, auth.
 tools: Read, Grep, Glob, Bash, Edit, Write
 model: inherit
-skills: clean-code, nodejs-best-practices, python-patterns, api-patterns, database-design, database-optimizer, database-skills, mcp-builder, lint-and-validate, powershell-windows, bash-linux, rust-pro, api-designer, architecture-designer, typescript-pro, nestjs-expert, fastapi-expert, secure-code-guardian, test-master
+skills: clean-code, nodejs-best-practices, python-patterns, api-patterns, openapi-docs, database-design, database-optimizer, database-skills, mcp-builder, lint-and-validate, powershell-windows, bash-linux, rust-pro, api-designer, architecture-designer, typescript-pro, nestjs-expert, fastapi-expert, secure-code-guardian, test-master
 ---
 
 # Backend Development Architect

package/Ai Agent Workflow/workflows/agent-environment-setup/platforms/codex/workflows/backend.md

@@ -16,10 +16,14 @@ Use this when backend architecture or service logic is primary.
 1. Ask specialist(s) for design and risk assessment.
 2. Validate contracts, data model, and failure handling.
 3. Implement backend changes with observability.
-4. Run targeted tests and summarize rollout notes.
+4. Always update API docs: OpenAPI spec, Swagger UI route, and Stoplight Elements route/component.
+5. Run targeted tests and summarize rollout notes.
 
 ## Output Contract
 - API/contract changes
+- OpenAPI spec path
+- Swagger UI route
+- Stoplight route/component status
 - Migration impact
 - Reliability/security notes
 - Verification evidence

package/Ai Agent Workflow/workflows/agent-environment-setup/platforms/copilot/agents/backend-specialist.md

@@ -2,7 +2,7 @@
 name: backend-specialist
 description: Expert backend architect for Node.js, Python, and modern serverless/edge systems. Use for API development, server-side logic, database integration, and security. Triggers on backend, server, api, endpoint, database, auth.
 tools: Read, Grep, Glob, Bash, Edit, Write
-skills: clean-code, nodejs-best-practices, python-patterns, api-patterns, database-design, database-optimizer, database-skills, mcp-builder, lint-and-validate, powershell-windows, bash-linux, rust-pro, api-designer, architecture-designer, typescript-pro, nestjs-expert, fastapi-expert, secure-code-guardian, test-master
+skills: clean-code, nodejs-best-practices, python-patterns, api-patterns, openapi-docs, database-design, database-optimizer, database-skills, mcp-builder, lint-and-validate, powershell-windows, bash-linux, rust-pro, api-designer, architecture-designer, typescript-pro, nestjs-expert, fastapi-expert, secure-code-guardian, test-master
 ---
 
 # Backend Development Architect

package/Ai Agent Workflow/workflows/agent-environment-setup/platforms/copilot/workflows/backend.md

@@ -16,10 +16,14 @@ Use this when backend architecture or service logic is primary.
 1. Ask specialist(s) for design and risk assessment.
 2. Validate contracts, data model, and failure handling.
 3. Implement backend changes with observability.
-4. Run targeted tests and summarize rollout notes.
+4. Always update API docs: OpenAPI spec, Swagger UI route, and Stoplight Elements route/component.
+5. Run targeted tests and summarize rollout notes.
 
 ## Output Contract
 - API/contract changes
+- OpenAPI spec path
+- Swagger UI route
+- Stoplight route/component status
 - Migration impact
 - Reliability/security notes
 - Verification evidence

package/README.md

@@ -34,8 +34,15 @@ cbx workflows doctor codex
 cbx workflows platforms
 cbx workflows install --platform antigravity --dry-run
 cbx workflows install --platform antigravity --terminal-integration --terminal-verifier codex
+cbx workflows install --platform codex --postman
+cbx workflows install --platform codex --postman --postman-workspace-id null
 ```
 
+Install bootstrap behavior:
+- `cbx workflows install` now also bootstraps `ENGINEERING_RULES.md` and `TECH.md` (creates when missing; keeps existing files unless explicitly regenerated).
+- Optional `--postman` bootstrap creates `postman_setting.json` and installs/configures the Postman skill.
+- Use `cbx rules init --platform <platform> --overwrite` to force-regenerate both files.
+
 `rules` manages strict engineering policy and a generated codebase tech map:
 
 ```bash
@@ -108,6 +115,7 @@ Routing behavior:
 - Antigravity/Copilot: workflow + agent markdown can be routed by platform conventions.
 - Codex: use generated callable wrapper skills (`$workflow-*`, `$agent-*`).
 - Example for backend intent in Codex: `$workflow-backend` or `$agent-backend-specialist`.
+- Backend workflow policy: always include OpenAPI updates plus Swagger UI and Stoplight Elements status in output.
 
 ### Codex Runtime Mode
 

package/bin/cubis.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { confirm, select } from "@inquirer/prompts";
+import { confirm, input, select } from "@inquirer/prompts";
 import { Command } from "commander";
 import { existsSync } from "node:fs";
 import {
@@ -122,6 +122,12 @@ const CODEX_WORKFLOW_SKILL_PREFIX = "workflow-";
 const CODEX_AGENT_SKILL_PREFIX = "agent-";
 const TERMINAL_VERIFIER_PROVIDERS = ["codex", "gemini"];
 const DEFAULT_TERMINAL_VERIFIER = "codex";
+const POSTMAN_API_KEY_ENV_VAR = "POSTMAN_API_KEY";
+const POSTMAN_MCP_URL = "https://mcp.postman.com/minimal";
+const POSTMAN_SKILL_ID = "postman";
+const POSTMAN_SETTINGS_FILENAME = "postman_setting.json";
+const POSTMAN_API_KEY_MISSING_WARNING =
+  `Postman API key is not configured. Set ${POSTMAN_API_KEY_ENV_VAR} or update ${POSTMAN_SETTINGS_FILENAME}.`;
 const TECH_SCAN_MAX_FILES = 5000;
 const TECH_SCAN_IGNORED_DIRS = new Set([
   ".git",
@@ -231,6 +237,13 @@ function normalizeTerminalVerifier(value) {
   return TERMINAL_VERIFIER_ALIASES[normalized] || null;
 }
 
+function normalizePostmanWorkspaceId(value) {
+  if (value === undefined || value === null) return null;
+  const normalized = String(value).trim();
+  if (!normalized || normalized.toLowerCase() === "null") return null;
+  return normalized;
+}
+
 function defaultState() {
   return {
     schemaVersion: 1,
@@ -1872,6 +1885,237 @@ async function writeGeneratedArtifact({ destination, content, dryRun = false })
   return { action: exists ? "replaced" : "installed", path: destination };
 }
 
+function resolvePostmanSettingsPath({ scope, cwd = process.cwd() }) {
+  if (scope === "global") {
+    return path.join(os.homedir(), ".cbx", POSTMAN_SETTINGS_FILENAME);
+  }
+  const workspaceRoot = findWorkspaceRoot(cwd);
+  return path.join(workspaceRoot, POSTMAN_SETTINGS_FILENAME);
+}
+
+function buildPostmanMcpConfig({ apiKey = null, mcpUrl = POSTMAN_MCP_URL }) {
+  const authHeader = apiKey
+    ? `Bearer ${apiKey}`
+    : `Bearer \${${POSTMAN_API_KEY_ENV_VAR}}`;
+  return {
+    mcpServers: {
+      postman: {
+        url: mcpUrl,
+        headers: {
+          Authorization: authHeader
+        }
+      }
+    },
+    disabled: false
+  };
+}
+
+function getPostmanApiKeySource({ apiKey, envApiKey }) {
+  if (apiKey) return "inline";
+  if (envApiKey) return "env";
+  return "unset";
+}
+
+function normalizePostmanApiKey(value) {
+  if (value === undefined || value === null) return null;
+  const normalized = String(value).trim();
+  return normalized || null;
+}
+
+async function ensureGitIgnoreEntry({
+  filePath,
+  entry,
+  dryRun = false
+}) {
+  const exists = await pathExists(filePath);
+  const original = exists ? await readFile(filePath, "utf8") : "";
+  const lines = original.split(/\r?\n/).map((line) => line.trim());
+  const alreadyPresent = lines.includes(entry);
+
+  if (alreadyPresent) {
+    return { action: "unchanged", filePath };
+  }
+
+  if (dryRun) {
+    return {
+      action: exists ? "would-patch" : "would-create",
+      filePath
+    };
+  }
+
+  const suffix = original.endsWith("\n") || original.length === 0 ? "" : "\n";
+  const nextContent = `${original}${suffix}${entry}\n`;
+  await mkdir(path.dirname(filePath), { recursive: true });
+  await writeFile(filePath, nextContent, "utf8");
+  return {
+    action: exists ? "patched" : "created",
+    filePath
+  };
+}
+
+async function resolvePostmanInstallSelection({
+  scope,
+  options,
+  cwd = process.cwd()
+}) {
+  const hasApiKeyOption = options.postmanApiKey !== undefined;
+  const hasWorkspaceOption = options.postmanWorkspaceId !== undefined;
+  const enabled = Boolean(options.postman) || hasApiKeyOption || hasWorkspaceOption;
+  if (!enabled) return { enabled: false };
+
+  const explicitApiKey = hasApiKeyOption ? String(options.postmanApiKey || "").trim() : "";
+  let apiKey = explicitApiKey || null;
+  const envApiKey = String(process.env[POSTMAN_API_KEY_ENV_VAR] || "").trim();
+  let defaultWorkspaceId = hasWorkspaceOption
+    ? normalizePostmanWorkspaceId(options.postmanWorkspaceId)
+    : null;
+  const warnings = [];
+
+  const canPrompt = !options.yes && process.stdin.isTTY;
+  if (canPrompt && !hasApiKeyOption && !apiKey && !envApiKey) {
+    const promptedApiKey = String(
+      await input({
+        message: `Postman API key (optional, leave blank to keep ${POSTMAN_API_KEY_ENV_VAR} env mode):`,
+        default: ""
+      })
+    ).trim();
+    if (promptedApiKey) {
+      apiKey = promptedApiKey;
+    }
+  }
+
+  if (canPrompt && !hasWorkspaceOption) {
+    const promptedWorkspaceId = await input({
+      message: "Default Postman workspace ID (optional, leave blank for null):",
+      default: ""
+    });
+    defaultWorkspaceId = normalizePostmanWorkspaceId(promptedWorkspaceId);
+  }
+
+  const apiKeySource = getPostmanApiKeySource({ apiKey, envApiKey });
+  if (apiKeySource === "unset") {
+    warnings.push(POSTMAN_API_KEY_MISSING_WARNING);
+  }
+
+  const settingsPath = resolvePostmanSettingsPath({ scope, cwd });
+  const settings = {
+    apiKey: apiKey || null,
+    apiKeyEnvVar: POSTMAN_API_KEY_ENV_VAR,
+    apiKeySource,
+    defaultWorkspaceId: defaultWorkspaceId ?? null,
+    mcpUrl: POSTMAN_MCP_URL,
+    generatedBy: "cbx workflows install --postman",
+    generatedAt: new Date().toISOString()
+  };
+
+  return {
+    enabled: true,
+    apiKey,
+    apiKeySource,
+    defaultWorkspaceId: defaultWorkspaceId ?? null,
+    warnings,
+    settings,
+    settingsPath
+  };
+}
+
+async function configurePostmanInstallArtifacts({
+  scope,
+  profilePaths,
+  postmanSelection,
+  overwrite = false,
+  dryRun = false,
+  cwd = process.cwd()
+}) {
+  if (!postmanSelection?.enabled) return null;
+
+  let warnings = postmanSelection.warnings.filter((warning) => warning !== POSTMAN_API_KEY_MISSING_WARNING);
+  const settingsContent = `${JSON.stringify(postmanSelection.settings, null, 2)}\n`;
+  const settingsResult = await writeTextFile({
+    targetPath: postmanSelection.settingsPath,
+    content: settingsContent,
+    overwrite,
+    dryRun
+  });
+
+  let effectiveApiKey = normalizePostmanApiKey(postmanSelection.settings.apiKey);
+  let effectiveDefaultWorkspaceId = postmanSelection.defaultWorkspaceId ?? null;
+  let effectiveMcpUrl = postmanSelection.settings.mcpUrl || POSTMAN_MCP_URL;
+
+  if (settingsResult.action === "skipped" || settingsResult.action === "would-skip") {
+    try {
+      const existingSettingsRaw = await readFile(postmanSelection.settingsPath, "utf8");
+      const existingSettings = JSON.parse(existingSettingsRaw);
+      effectiveApiKey = normalizePostmanApiKey(existingSettings?.apiKey);
+      effectiveDefaultWorkspaceId = normalizePostmanWorkspaceId(existingSettings?.defaultWorkspaceId);
+      const existingMcpUrl = String(existingSettings?.mcpUrl || "").trim();
+      if (existingMcpUrl) {
+        effectiveMcpUrl = existingMcpUrl;
+      }
+    } catch {
+      warnings.push(
+        `Existing ${POSTMAN_SETTINGS_FILENAME} could not be parsed. Using install-time Postman values for MCP config.`
+      );
+    }
+  }
+
+  const envApiKey = normalizePostmanApiKey(process.env[POSTMAN_API_KEY_ENV_VAR]);
+  const effectiveApiKeySource = getPostmanApiKeySource({
+    apiKey: effectiveApiKey,
+    envApiKey
+  });
+  if (effectiveApiKeySource === "unset") {
+    warnings.push(POSTMAN_API_KEY_MISSING_WARNING);
+  }
+
+  let gitIgnoreResult = null;
+  if (scope === "project") {
+    const workspaceRoot = findWorkspaceRoot(cwd);
+    const gitIgnorePath = path.join(workspaceRoot, ".gitignore");
+    gitIgnoreResult = await ensureGitIgnoreEntry({
+      filePath: gitIgnorePath,
+      entry: POSTMAN_SETTINGS_FILENAME,
+      dryRun
+    });
+  }
+
+  const postmanSkillDir = path.join(profilePaths.skillsDir, POSTMAN_SKILL_ID);
+  const postmanMcpPath = path.join(postmanSkillDir, "mcp.json");
+  let mcpResult = null;
+  const postmanSkillExists = await pathExists(postmanSkillDir);
+  if (!dryRun && !postmanSkillExists) {
+    mcpResult = {
+      action: "missing-postman-skill",
+      path: postmanMcpPath
+    };
+  } else {
+    const mcpConfigContent = `${JSON.stringify(
+      buildPostmanMcpConfig({
+        apiKey: effectiveApiKey,
+        mcpUrl: effectiveMcpUrl
+      }),
+      null,
+      2
+    )}\n`;
+    mcpResult = await writeGeneratedArtifact({
+      destination: postmanMcpPath,
+      content: mcpConfigContent,
+      dryRun
+    });
+  }
+
+  return {
+    enabled: true,
+    apiKeySource: effectiveApiKeySource,
+    defaultWorkspaceId: effectiveDefaultWorkspaceId,
+    warnings,
+    settingsPath: postmanSelection.settingsPath,
+    settingsResult,
+    gitIgnoreResult,
+    mcpResult
+  };
+}
+
 async function installAntigravityTerminalIntegrationArtifacts({
   profilePaths,
   provider,
@@ -2032,6 +2276,7 @@ async function installBundleArtifacts({
   platform,
   scope,
   overwrite,
+  extraSkillIds = [],
   terminalVerifierSelection = null,
   dryRun = false,
   cwd = process.cwd()
@@ -2092,7 +2337,8 @@ async function installBundleArtifacts({
     else installed.push(destination);
   }
 
-  const skillIds = Array.isArray(platformSpec.skills) ? platformSpec.skills : [];
+  const manifestSkillIds = Array.isArray(platformSpec.skills) ? platformSpec.skills : [];
+  const skillIds = unique([...manifestSkillIds, ...extraSkillIds.filter(Boolean)]);
   for (const skillId of skillIds) {
     const source = path.join(agentAssetsRoot(), "skills", skillId);
     const destination = path.join(profilePaths.skillsDir, skillId);
@@ -2389,6 +2635,32 @@ function printInstallSummary({
   }
 }
 
+function printPostmanSetupSummary({ postmanSetup }) {
+  if (!postmanSetup?.enabled) return;
+
+  console.log("\nPostman setup:");
+  console.log(`- Settings file: ${postmanSetup.settingsResult.action} (${postmanSetup.settingsPath})`);
+  console.log(`- API key source: ${postmanSetup.apiKeySource}`);
+  console.log(
+    `- Default workspace ID: ${postmanSetup.defaultWorkspaceId === null ? "null" : postmanSetup.defaultWorkspaceId}`
+  );
+  if (postmanSetup.gitIgnoreResult) {
+    console.log(
+      `- .gitignore (${postmanSetup.gitIgnoreResult.filePath}): ${postmanSetup.gitIgnoreResult.action}`
+    );
+  }
+  if (postmanSetup.mcpResult) {
+    console.log(`- Postman MCP config (${postmanSetup.mcpResult.path}): ${postmanSetup.mcpResult.action}`);
+  }
+
+  if (postmanSetup.warnings.length > 0) {
+    console.log("- Warnings:");
+    for (const warning of postmanSetup.warnings) {
+      console.log(`  - ${warning}`);
+    }
+  }
+}
+
 function printRemoveSummary({
   platform,
   scope,
@@ -2694,6 +2966,18 @@ function withInstallOptions(command) {
   return withWorkflowBaseOptions(command)
     .option("-b, --bundle <bundle>", "bundle id (default: agent-environment-setup)")
     .option("--overwrite", "overwrite existing files")
+    .option(
+      "--postman",
+      "optional: install Postman skill and generate postman_setting.json"
+    )
+    .option(
+      "--postman-api-key <key>",
+      "optional: set Postman API key inline for generated postman_setting.json and installed Postman MCP config"
+    )
+    .option(
+      "--postman-workspace-id <id|null>",
+      "optional: set default Postman workspace ID (use 'null' for no default)"
+    )
     .option(
       "--terminal-integration",
       "Antigravity only: enable terminal verification integration (prompts for verifier when interactive)"
@@ -2854,6 +3138,11 @@ async function runWorkflowInstall(options) {
       platform,
       options
     });
+    const postmanSelection = await resolvePostmanInstallSelection({
+      scope,
+      options,
+      cwd: process.cwd()
+    });
 
     const installResult = await installBundleArtifacts({
       bundleId,
@@ -2861,6 +3150,7 @@ async function runWorkflowInstall(options) {
       platform,
       scope,
       overwrite: Boolean(options.overwrite),
+      extraSkillIds: postmanSelection.enabled ? [POSTMAN_SKILL_ID] : [],
       terminalVerifierSelection,
       dryRun,
       cwd: process.cwd()
@@ -2882,6 +3172,22 @@ async function runWorkflowInstall(options) {
       dryRun,
       cwd: process.cwd()
     });
+    const engineeringArtifactsResult = await upsertEngineeringArtifacts({
+      platform,
+      scope,
+      overwrite: false,
+      dryRun,
+      skipTech: false,
+      cwd: process.cwd()
+    });
+    const postmanSetupResult = await configurePostmanInstallArtifacts({
+      scope,
+      profilePaths: installResult.profilePaths,
+      postmanSelection,
+      overwrite: Boolean(options.overwrite),
+      dryRun,
+      cwd: process.cwd()
+    });
 
     const terminalVerificationRuleResult =
       platform === "antigravity" && installResult.terminalIntegration
@@ -2918,6 +3224,13 @@ async function runWorkflowInstall(options) {
       dryRun
     });
     printRuleSyncResult(syncResult);
+    printInstallEngineeringSummary({
+      engineeringResults: engineeringArtifactsResult.engineeringResults,
+      techResult: engineeringArtifactsResult.techResult
+    });
+    printPostmanSetupSummary({
+      postmanSetup: postmanSetupResult
+    });
     if (dryRun) {
       console.log("\nDry-run complete. Re-run without `--dry-run` to apply changes.");
     } else {
@@ -3128,6 +3441,94 @@ function printRulesInitSummary({
   }
 }
 
+function printInstallEngineeringSummary({ engineeringResults, techResult }) {
+  console.log("\nEngineering artifacts:");
+  for (const item of engineeringResults) {
+    console.log(`- ENGINEERING_RULES.md: ${item.rulesFileResult.action} (${item.rulesFilePath})`);
+    console.log(`- Managed engineering block (${item.ruleFilePath}): ${item.blockResult.action}`);
+    if (item.blockResult.warnings.length > 0) {
+      for (const warning of item.blockResult.warnings) {
+        console.log(`  - warning: ${warning}`);
+      }
+    }
+  }
+
+  if (techResult) {
+    console.log(`- TECH.md: ${techResult.action} (${techResult.filePath})`);
+    console.log(`- TECH scan files: ${techResult.snapshot.scannedFiles}`);
+  }
+}
+
+async function upsertEngineeringArtifacts({
+  platform,
+  scope,
+  overwrite = false,
+  skipTech = false,
+  dryRun = false,
+  cwd = process.cwd()
+}) {
+  const ruleFilePath = await resolveRuleFilePath(platform, scope, cwd);
+  if (!ruleFilePath) throw new Error(`No rule file configured for platform '${platform}'.`);
+
+  const workspaceRoot = findWorkspaceRoot(cwd);
+  const techMdPath = path.join(workspaceRoot, "TECH.md");
+  const targets = [{ ruleFilePath }];
+
+  if (scope === "global") {
+    const workspaceRuleFile = await resolveWorkspaceRuleFileForGlobalScope(platform, cwd);
+    const globalRuleFile = expandPath(WORKFLOW_PROFILES[platform].global.ruleFilesByPriority[0], cwd);
+    if (workspaceRuleFile && path.resolve(workspaceRuleFile) !== path.resolve(globalRuleFile)) {
+      targets.push({ ruleFilePath: workspaceRuleFile });
+    }
+  }
+
+  const template = buildEngineeringRulesTemplate();
+  const engineeringResults = [];
+  for (const target of targets) {
+    const rulesFilePath = path.join(path.dirname(target.ruleFilePath), "ENGINEERING_RULES.md");
+    const rulesFileResult = await writeTextFile({
+      targetPath: rulesFilePath,
+      content: `${template}\n`,
+      overwrite,
+      dryRun
+    });
+    const blockResult = await upsertEngineeringRulesBlock({
+      ruleFilePath: target.ruleFilePath,
+      platform,
+      engineeringRulesFilePath: rulesFilePath,
+      techMdFilePath: techMdPath,
+      dryRun
+    });
+    engineeringResults.push({
+      ruleFilePath: target.ruleFilePath,
+      rulesFilePath,
+      rulesFileResult,
+      blockResult
+    });
+  }
+
+  let techResult = null;
+  if (!skipTech) {
+    const snapshot = await collectTechSnapshot(workspaceRoot);
+    const content = buildTechMd(snapshot);
+    const fileResult = await writeTextFile({
+      targetPath: techMdPath,
+      content: `${content}\n`,
+      overwrite,
+      dryRun
+    });
+    techResult = {
+      ...fileResult,
+      snapshot
+    };
+  }
+
+  return {
+    engineeringResults,
+    techResult
+  };
+}
+
 async function runRulesInit(options) {
   try {
     const scope = normalizeScope(options.scope);
@@ -3135,68 +3536,21 @@ async function runRulesInit(options) {
     const overwrite = Boolean(options.overwrite);
     const cwd = process.cwd();
     const platform = await resolvePlatform(options.platform, scope, cwd);
-    const ruleFilePath = await resolveRuleFilePath(platform, scope, cwd);
-    if (!ruleFilePath) throw new Error(`No rule file configured for platform '${platform}'.`);
-
-    const workspaceRoot = findWorkspaceRoot(cwd);
-    const techMdPath = path.join(workspaceRoot, "TECH.md");
-    const targets = [{ ruleFilePath }];
-
-    if (scope === "global") {
-      const workspaceRuleFile = await resolveWorkspaceRuleFileForGlobalScope(platform, cwd);
-      const globalRuleFile = expandPath(WORKFLOW_PROFILES[platform].global.ruleFilesByPriority[0], cwd);
-      if (workspaceRuleFile && path.resolve(workspaceRuleFile) !== path.resolve(globalRuleFile)) {
-        targets.push({ ruleFilePath: workspaceRuleFile });
-      }
-    }
-
-    const template = buildEngineeringRulesTemplate();
-    const engineeringResults = [];
-    for (const target of targets) {
-      const rulesFilePath = path.join(path.dirname(target.ruleFilePath), "ENGINEERING_RULES.md");
-      const rulesFileResult = await writeTextFile({
-        targetPath: rulesFilePath,
-        content: `${template}\n`,
-        overwrite,
-        dryRun
-      });
-      const blockResult = await upsertEngineeringRulesBlock({
-        ruleFilePath: target.ruleFilePath,
-        platform,
-        engineeringRulesFilePath: rulesFilePath,
-        techMdFilePath: techMdPath,
-        dryRun
-      });
-      engineeringResults.push({
-        ruleFilePath: target.ruleFilePath,
-        rulesFilePath,
-        rulesFileResult,
-        blockResult
-      });
-    }
-
-    let techResult = null;
-    if (!options.skipTech) {
-      const snapshot = await collectTechSnapshot(workspaceRoot);
-      const content = buildTechMd(snapshot);
-      const fileResult = await writeTextFile({
-        targetPath: techMdPath,
-        content: `${content}\n`,
-        overwrite,
-        dryRun
-      });
-      techResult = {
-        ...fileResult,
-        snapshot
-      };
-    }
+    const initResult = await upsertEngineeringArtifacts({
+      platform,
+      scope,
+      overwrite,
+      skipTech: Boolean(options.skipTech),
+      dryRun,
+      cwd
+    });
 
     printRulesInitSummary({
       platform,
       scope,
       dryRun,
-      engineeringResults,
-      techResult
+      engineeringResults: initResult.engineeringResults,
+      techResult: initResult.techResult
     });
 
     if (dryRun) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cubis/foundry",
-  "version": "0.3.12",
+  "version": "0.3.14",
   "description": "Cubis Foundry CLI for workflow-first AI agent environments",
   "type": "module",
   "bin": {