@cubis/foundry 0.3.75 → 0.3.77

package/dist/cli/core.js

@@ -137,17 +137,20 @@ const WORKFLOW_PROFILES = {
             workflowDirs: [".claude/workflows"],
             agentDirs: [".claude/agents"],
             skillDirs: [".claude/skills"],
+            hookDirs: [".claude/hooks"],
             ruleFilesByPriority: ["CLAUDE.md"],
         },
         global: {
             workflowDirs: ["~/.claude/workflows"],
             agentDirs: ["~/.claude/agents"],
             skillDirs: ["~/.claude/skills"],
+            hookDirs: ["~/.claude/hooks"],
             ruleFilesByPriority: ["~/.claude/CLAUDE.md"],
         },
         detectorPaths: [
             "CLAUDE.md",
             ".claude",
+            ".claude/hooks",
             ".claude/rules",
             ".claude/settings.json",
         ],
@@ -2379,6 +2382,7 @@ async function recordBundleInstallState({ scope, platform, bundleId, artifacts,
         skills: artifacts.skills.map(toPosixPath),
         commands: (artifacts.commands || []).map(toPosixPath),
         prompts: (artifacts.prompts || []).map(toPosixPath),
+        hooks: (artifacts.hooks || []).map(toPosixPath),
     };
     await writeState(scope, state, cwd);
 }
@@ -2404,6 +2408,7 @@ async function resolveProfilePaths(profileId, scope, cwd = process.cwd()) {
     const skillDirs = Array.isArray(cfg.skillDirs) ? cfg.skillDirs : [];
     const commandDirs = Array.isArray(cfg.commandDirs) ? cfg.commandDirs : [];
     const promptDirs = Array.isArray(cfg.promptDirs) ? cfg.promptDirs : [];
+    const hookDirs = Array.isArray(cfg.hookDirs) ? cfg.hookDirs : [];
     const resolvePreferredDir = async (dirs) => {
         if (dirs.length === 0)
             return null;
@@ -2420,6 +2425,7 @@ async function resolveProfilePaths(profileId, scope, cwd = process.cwd()) {
         skillsDir: await resolvePreferredDir(skillDirs),
         commandsDir: commandDirs[0] ? expandPath(commandDirs[0], cwd) : null,
         promptsDir: promptDirs[0] ? expandPath(promptDirs[0], cwd) : null,
+        hooksDir: hookDirs[0] ? expandPath(hookDirs[0], cwd) : null,
         ruleFilesByPriority: cfg.ruleFilesByPriority.map((filePath) => expandPath(filePath, cwd)),
     };
 }
@@ -2450,6 +2456,7 @@ function resolveProfilePathCandidates(profileId, scope, cwd = process.cwd()) {
         skillsDirs: expandUniquePaths(cfg.skillDirs, cwd),
         commandsDirs: expandUniquePaths(cfg.commandDirs, cwd),
         promptsDirs: expandUniquePaths(cfg.promptDirs, cwd),
+        hooksDirs: expandUniquePaths(cfg.hookDirs, cwd),
         ruleFilesByPriority: expandUniquePaths(cfg.ruleFilesByPriority, cwd),
     };
 }
@@ -2474,6 +2481,7 @@ async function resolveArtifactProfilePaths(profileId, scope, cwd = process.cwd()
         agentsDir: workspacePaths.agentsDir,
         commandsDir: workspacePaths.commandsDir ?? scopedPaths.commandsDir,
         promptsDir: workspacePaths.promptsDir ?? scopedPaths.promptsDir,
+        hooksDir: scopedPaths.hooksDir,
     };
 }
 async function listBundleIds() {
@@ -3783,8 +3791,8 @@ async function persistManagedCredentialsEnv({ envVarNames, dryRun = false }) {
 function resolvePostmanMcpDefinitionPath({ platform, scope, cwd = process.cwd(), }) {
     return path.join(resolveMcpRootPath({ scope, cwd }), platform, `${POSTMAN_SKILL_ID}.json`);
 }
-function resolveStitchMcpDefinitionPath({ scope, cwd = process.cwd() }) {
-    return path.join(resolveMcpRootPath({ scope, cwd }), "antigravity", "stitch.json");
+function resolveStitchMcpDefinitionPath({ platform, scope, cwd = process.cwd(), }) {
+    return path.join(resolveMcpRootPath({ scope, cwd }), platform, "stitch.json");
 }
 function buildPostmanAuthHeader({ apiKeyEnvVar = POSTMAN_API_KEY_ENV_VAR, apiKey = null, }) {
     const normalizedApiKey = normalizePostmanApiKey(apiKey);
@@ -4347,13 +4355,16 @@ async function removeGeneratedArtifactIfExists({ targetPath, dryRun = false }) {
         path: targetPath,
     };
 }
-async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mcpUrl, includePostmanMcp = true, stitchApiKeyEnvVar, stitchMcpUrl, includeStitchMcp = false, includeFoundryMcp = true, includePlaywrightMcp = false, foundryRuntime = "local", dryRun = false, cwd = process.cwd(), }) {
+async function applyPostmanMcpForPlatform({ platform, mcpScope, includePostmanMcp = false, includeStitchMcp = false, includeFoundryMcp = true, includePlaywrightMcp = false, foundryRuntime = "local", dryRun = false, cwd = process.cwd(), }) {
     const workspaceRoot = findWorkspaceRoot(cwd);
     const warnings = [];
     const foundryScope = mcpScope === "global" ? "global" : "project";
     const normalizedFoundryRuntime = normalizeMcpRuntime(foundryRuntime, "local");
-    const resolvedPostmanApiKey = normalizePostmanApiKey(process.env[apiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR]);
-    const resolvedStitchApiKey = normalizePostmanApiKey(process.env[stitchApiKeyEnvVar || STITCH_API_KEY_ENV_VAR]);
+    const cleanupLegacyServers = (servers) => {
+        delete servers[POSTMAN_SKILL_ID];
+        delete servers[STITCH_MCP_SERVER_ID];
+        return servers;
+    };
     let foundryDockerPort = DEFAULT_MCP_DOCKER_HOST_PORT;
     if (includeFoundryMcp && normalizedFoundryRuntime === "docker") {
         const runningPort = await resolveDockerContainerHostPort({
@@ -4381,13 +4392,7 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
                     !Array.isArray(next.mcpServers)
                     ? { ...next.mcpServers }
                     : {};
-                if (includePostmanMcp) {
-                    mcpServers[POSTMAN_SKILL_ID] = buildGeminiPostmanServer({
-                        apiKeyEnvVar,
-                        apiKey: resolvedPostmanApiKey,
-                        mcpUrl,
-                    });
-                }
+                cleanupLegacyServers(mcpServers);
                 if (includeFoundryMcp) {
                     mcpServers[FOUNDRY_MCP_SERVER_ID] = buildGeminiFoundryServer({
                         scope: foundryScope,
@@ -4398,13 +4403,6 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
                 else {
                     delete mcpServers[FOUNDRY_MCP_SERVER_ID];
                 }
-                if (includeStitchMcp) {
-                    mcpServers[STITCH_MCP_SERVER_ID] = buildGeminiStitchServer({
-                        apiKeyEnvVar: stitchApiKeyEnvVar,
-                        apiKey: resolvedStitchApiKey,
-                        mcpUrl: stitchMcpUrl,
-                    });
-                }
                 if (includePlaywrightMcp) {
                     mcpServers[PLAYWRIGHT_MCP_SERVER_ID] = buildGeminiPlaywrightServer();
                 }
@@ -4435,13 +4433,7 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
                         !Array.isArray(next.mcpServers)
                         ? { ...next.mcpServers }
                         : {};
-                    if (includePostmanMcp) {
-                        mcpServers[POSTMAN_SKILL_ID] = buildCopilotCliPostmanServer({
-                            apiKeyEnvVar,
-                            apiKey: resolvedPostmanApiKey,
-                            mcpUrl,
-                        });
-                    }
+                    cleanupLegacyServers(mcpServers);
                     if (includeFoundryMcp) {
                         mcpServers[FOUNDRY_MCP_SERVER_ID] = buildCopilotCliFoundryServer({
                             scope: foundryScope,
@@ -4464,13 +4456,7 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
                     !Array.isArray(next.servers)
                     ? { ...next.servers }
                     : {};
-                if (includePostmanMcp) {
-                    servers[POSTMAN_SKILL_ID] = buildVsCodePostmanServer({
-                        apiKeyEnvVar,
-                        apiKey: resolvedPostmanApiKey,
-                        mcpUrl,
-                    });
-                }
+                cleanupLegacyServers(servers);
                 if (includeFoundryMcp) {
                     servers[FOUNDRY_MCP_SERVER_ID] = buildVsCodeFoundryServer({
                         scope: foundryScope,
@@ -4517,13 +4503,7 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
                         !Array.isArray(next.servers)
                         ? { ...next.servers }
                         : {};
-                    if (includePostmanMcp) {
-                        servers[POSTMAN_SKILL_ID] = buildVsCodePostmanServer({
-                            apiKeyEnvVar,
-                            apiKey: resolvedPostmanApiKey,
-                            mcpUrl,
-                        });
-                    }
+                    cleanupLegacyServers(servers);
                     if (includeFoundryMcp) {
                         servers[FOUNDRY_MCP_SERVER_ID] = buildVsCodeFoundryServer({
                             scope: foundryScope,
@@ -4566,6 +4546,12 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
         catch {
             // Best effort. Add will still run and becomes source of truth.
         }
+        try {
+            await execFile("codex", ["mcp", "remove", STITCH_MCP_SERVER_ID], { cwd });
+        }
+        catch {
+            // Best effort. Add will still run and becomes source of truth.
+        }
         try {
             await execFile("codex", ["mcp", "remove", FOUNDRY_MCP_SERVER_ID], {
                 cwd,
@@ -4574,41 +4560,13 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
         catch {
             // Best effort. Add will still run and becomes source of truth.
         }
-        if (includePostmanMcp) {
-            try {
-                await execFile("codex", [
-                    "mcp",
-                    "add",
-                    POSTMAN_SKILL_ID,
-                    "--url",
-                    mcpUrl,
-                    "--bearer-token-env-var",
-                    apiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR,
-                ], { cwd });
-                const postmanToken = normalizePostmanApiKey(process.env[apiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR]);
-                const postmanPatch = await patchCodexPostmanHttpHeaders({
-                    configPath: codexConfigPath,
-                    mcpUrl,
-                    bearerToken: postmanToken,
-                    dryRun: false,
-                });
-                if (postmanPatch.action === "patched") {
-                    warnings.push("Codex Postman MCP config patched to static Authorization header for startup reliability.");
-                }
-                if (postmanPatch.warnings?.length) {
-                    warnings.push(...postmanPatch.warnings);
-                }
-            }
-            catch (error) {
-                warnings.push(`Failed to register Postman MCP via Codex CLI. Ensure 'codex' is installed and rerun. (${error.message})`);
-                return {
-                    kind: "codex-cli",
-                    scope: mcpScope,
-                    path: codexConfigPath,
-                    action: "failed",
-                    warnings,
-                };
-            }
+        try {
+            await execFile("codex", ["mcp", "remove", PLAYWRIGHT_MCP_SERVER_ID], {
+                cwd,
+            });
+        }
+        catch {
+            // Best effort. Add will still run and becomes source of truth.
         }
         if (includeFoundryMcp) {
             try {
@@ -4636,6 +4594,14 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
                 warnings.push(`Failed to register ${FOUNDRY_MCP_SERVER_ID} MCP via Codex CLI. Ensure 'cbx' and 'codex' are installed and rerun. (${error.message})`);
             }
         }
+        if (includePlaywrightMcp) {
+            try {
+                await execFile("codex", ["mcp", "add", PLAYWRIGHT_MCP_SERVER_ID, "--url", PLAYWRIGHT_MCP_URL], { cwd });
+            }
+            catch (error) {
+                warnings.push(`Failed to register ${PLAYWRIGHT_MCP_SERVER_ID} MCP via Codex CLI. Ensure 'codex' is installed and rerun. (${error.message})`);
+            }
+        }
         return {
             kind: "codex-cli",
             scope: mcpScope,
@@ -4657,6 +4623,7 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
                     !Array.isArray(next.mcpServers)
                     ? { ...next.mcpServers }
                     : {};
+                cleanupLegacyServers(mcpServers);
                 if (includeFoundryMcp) {
                     if (normalizedFoundryRuntime === "docker") {
                         mcpServers[FOUNDRY_MCP_SERVER_ID] = {
@@ -4700,7 +4667,7 @@ async function applyPostmanMcpForPlatform({ platform, mcpScope, apiKeyEnvVar, mc
         path: null,
         action: "skipped",
         warnings: [
-            `Unsupported platform '${platform}' for Postman MCP installation.`,
+            `Unsupported platform '${platform}' for Foundry MCP installation.`,
         ],
     };
 }
@@ -4735,11 +4702,24 @@ async function resolvePostmanInstallSelection({ platform, scope, options, cwd =
         throw new Error("Inline API keys are no longer allowed. Use environment variables and --env-var profiles (for example POSTMAN_API_KEY_* and STITCH_API_KEY_*).");
     }
     const stitchRequested = Boolean(options.stitch);
+    const playwrightRequested = Boolean(options.playwright);
     const postmanRequested = Boolean(options.postman) ||
         hasWorkspaceOption ||
         options.postmanMode !== undefined;
-    const foundryOnlyRequested = options.foundryMcp === true && !postmanRequested && !stitchRequested;
-    const enabled = postmanRequested || stitchRequested || foundryOnlyRequested;
+    const stitchEnabled = stitchRequested;
+    const gatewayRequested = postmanRequested || stitchEnabled;
+    const foundryMcpRequested = options.foundryMcp === true;
+    const foundryMcpEnabled = options.foundryMcp === false && !gatewayRequested
+        ? false
+        : foundryMcpRequested || gatewayRequested;
+    const foundryOnlyRequested = foundryMcpRequested &&
+        !postmanRequested &&
+        !stitchRequested &&
+        !playwrightRequested;
+    const enabled = postmanRequested ||
+        stitchRequested ||
+        playwrightRequested ||
+        foundryOnlyRequested;
     if (!enabled)
         return { enabled: false };
     const requestedPostmanMode = postmanRequested
@@ -4758,20 +4738,19 @@ async function resolvePostmanInstallSelection({ platform, scope, options, cwd =
         : null;
     let mcpScope = requestedMcpScope?.scope || "project";
     const warnings = [];
+    if (options.foundryMcp === false && gatewayRequested) {
+        warnings.push("Ignoring --no-foundry-mcp because Postman/Stitch now route through the Cubis Foundry MCP gateway.");
+    }
     if (requestedMcpScope?.warning) {
         warnings.push(requestedMcpScope.warning);
     }
-    const stitchEnabled = stitchRequested ||
-        (platform === "antigravity" &&
-            options.stitchDefaultForAntigravity !== false);
     const envStitchApiKey = normalizePostmanApiKey(process.env[STITCH_API_KEY_ENV_VAR]);
-    const requestedRuntime = normalizeMcpRuntime(options.mcpRuntime, DEFAULT_MCP_RUNTIME);
+    const requestedRuntime = normalizeMcpRuntime(options.mcpRuntime, foundryMcpEnabled ? DEFAULT_MCP_RUNTIME : "local");
     const requestedFallback = normalizeMcpFallback(options.mcpFallback, DEFAULT_MCP_FALLBACK);
     const requestedImage = normalizePostmanApiKey(options.mcpImage) || DEFAULT_MCP_DOCKER_IMAGE;
     const requestedUpdatePolicy = normalizeMcpUpdatePolicy(options.mcpUpdatePolicy, DEFAULT_MCP_UPDATE_POLICY);
     const mcpBuildLocal = Boolean(options.mcpBuildLocal);
-    const mcpToolSync = options.mcpToolSync !== false;
-    const foundryMcpEnabled = options.foundryMcp !== false;
+    const mcpToolSync = options.mcpToolSync !== false && (postmanRequested || stitchEnabled);
     const canPrompt = !options.yes && !options.dryRun && !process.env.CI && process.stdin.isTTY;
     if (postmanRequested && canPrompt && !hasWorkspaceOption) {
         const workspaceSelection = await promptPostmanWorkspaceSelection({
@@ -4782,10 +4761,10 @@ async function resolvePostmanInstallSelection({ platform, scope, options, cwd =
         warnings.push(...workspaceSelection.warnings);
         workspaceSelectionSource = "interactive";
     }
-    let effectiveRuntime = requestedRuntime;
-    let runtimeSkipped = false;
-    let dockerImageAction = "not-requested";
-    if (requestedRuntime === "docker") {
+    let effectiveRuntime = foundryMcpEnabled ? requestedRuntime : null;
+    let runtimeSkipped = !foundryMcpEnabled;
+    let dockerImageAction = foundryMcpEnabled ? "not-requested" : "not-needed";
+    if (foundryMcpEnabled && requestedRuntime === "docker") {
         const dockerAvailable = await checkDockerAvailable({ cwd });
         if (!dockerAvailable) {
             if (requestedFallback === "fail") {
@@ -4852,10 +4831,10 @@ async function resolvePostmanInstallSelection({ platform, scope, options, cwd =
         generatedAt: new Date().toISOString(),
         mcp: {
             scope: mcpScope,
-            server: postmanRequested
-                ? POSTMAN_SKILL_ID
-                : stitchEnabled
-                    ? STITCH_MCP_SERVER_ID
+            server: foundryMcpEnabled || gatewayRequested
+                ? FOUNDRY_MCP_SERVER_ID
+                : playwrightRequested
+                    ? PLAYWRIGHT_MCP_SERVER_ID
                     : FOUNDRY_MCP_SERVER_ID,
             platform,
             runtime: requestedRuntime,
@@ -4896,11 +4875,19 @@ async function resolvePostmanInstallSelection({ platform, scope, options, cwd =
             mcpUrl: STITCH_MCP_URL,
         };
     }
+    if (playwrightRequested) {
+        cbxConfig.playwright = {
+            enabled: true,
+            server: PLAYWRIGHT_MCP_SERVER_ID,
+            mcpUrl: PLAYWRIGHT_MCP_URL,
+        };
+    }
     return {
         enabled: true,
         postmanEnabled: postmanRequested,
         apiKeySource,
         stitchEnabled,
+        playwrightEnabled: playwrightRequested,
         stitchApiKeySource,
         mcpRuntime: requestedRuntime,
         effectiveMcpRuntime: runtimeSkipped ? null : effectiveRuntime,
@@ -4921,7 +4908,7 @@ async function resolvePostmanInstallSelection({ platform, scope, options, cwd =
         cbxConfigPath,
     };
 }
-async function configurePostmanInstallArtifacts({ platform, scope, profilePaths, postmanSelection, overwrite = false, dryRun = false, cwd = process.cwd(), }) {
+async function configurePostmanInstallArtifacts({ platform, scope, profilePaths, postmanSelection, overwrite = false, persistCredentials = true, dryRun = false, cwd = process.cwd(), }) {
     if (!postmanSelection?.enabled)
         return null;
     const shouldInstallPostman = Boolean(postmanSelection.postmanEnabled);
@@ -5041,42 +5028,26 @@ async function configurePostmanInstallArtifacts({ platform, scope, profilePaths,
         });
         gitIgnoreResults.push(mcpIgnore);
     }
-    let mcpDefinitionPath = null;
-    let mcpDefinitionResult = null;
+    const legacyDefinitionCleanupResults = [];
     if (shouldInstallPostman) {
-        mcpDefinitionPath = resolvePostmanMcpDefinitionPath({
-            platform,
-            scope: postmanSelection.mcpScope,
-            cwd,
-        });
-        const mcpDefinitionContent = `${JSON.stringify(buildPostmanMcpDefinition({
-            apiKeyEnvVar: effectiveApiKeyEnvVar,
-            apiKey: envApiKey,
-            mcpUrl: effectiveMcpUrl,
-        }), null, 2)}\n`;
-        mcpDefinitionResult = await writeGeneratedArtifact({
-            destination: mcpDefinitionPath,
-            content: mcpDefinitionContent,
+        legacyDefinitionCleanupResults.push(await removeGeneratedArtifactIfExists({
+            targetPath: resolvePostmanMcpDefinitionPath({
+                platform,
+                scope: postmanSelection.mcpScope,
+                cwd,
+            }),
             dryRun,
-        });
+        }));
     }
-    let stitchMcpDefinitionPath = null;
-    let stitchMcpDefinitionResult = null;
     if (shouldInstallStitch) {
-        stitchMcpDefinitionPath = resolveStitchMcpDefinitionPath({
-            scope: postmanSelection.mcpScope,
-            cwd,
-        });
-        const stitchMcpDefinitionContent = `${JSON.stringify(buildStitchMcpDefinition({
-            apiKeyEnvVar: effectiveStitchApiKeyEnvVar,
-            apiKey: envStitchApiKey,
-            mcpUrl: effectiveStitchMcpUrl,
-        }), null, 2)}\n`;
-        stitchMcpDefinitionResult = await writeGeneratedArtifact({
-            destination: stitchMcpDefinitionPath,
-            content: stitchMcpDefinitionContent,
+        legacyDefinitionCleanupResults.push(await removeGeneratedArtifactIfExists({
+            targetPath: resolveStitchMcpDefinitionPath({
+                platform,
+                scope: postmanSelection.mcpScope,
+                cwd,
+            }),
             dryRun,
-        });
+        }));
     }
     const mcpRuntimeResult = postmanSelection.runtimeSkipped
         ? {
@@ -5131,6 +5102,21 @@ async function configurePostmanInstallArtifacts({ platform, scope, profilePaths,
             dryRun,
         })
         : null;
+    const credentialEnvVarNames = [];
+    if (persistCredentials && shouldInstallPostman && effectiveApiKeySource === "env") {
+        credentialEnvVarNames.push(effectiveApiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR);
+    }
+    if (persistCredentials &&
+        shouldInstallStitch &&
+        effectiveStitchApiKeySource === "env") {
+        credentialEnvVarNames.push(effectiveStitchApiKeyEnvVar || STITCH_API_KEY_ENV_VAR);
+    }
+    const persistedCredentials = credentialEnvVarNames.length > 0
+        ? await persistManagedCredentialsEnv({
+            envVarNames: [...new Set(credentialEnvVarNames)],
+            dryRun,
+        })
+        : null;
     return {
         enabled: true,
         mcpScope: postmanSelection.mcpScope,
@@ -5144,10 +5130,14 @@ async function configurePostmanInstallArtifacts({ platform, scope, profilePaths,
         mcpToolSync: postmanSelection.mcpToolSync,
         foundryMcpEnabled: postmanSelection.foundryMcpEnabled,
         postmanEnabled: shouldInstallPostman,
+        playwrightEnabled: Boolean(postmanSelection.playwrightEnabled),
         postmanMode: shouldInstallPostman && effectiveMcpUrl
             ? resolvePostmanModeFromUrl(effectiveMcpUrl, DEFAULT_POSTMAN_INSTALL_MODE)
             : null,
         postmanMcpUrl: shouldInstallPostman ? effectiveMcpUrl : null,
+        playwrightMcpUrl: postmanSelection.playwrightEnabled
+            ? PLAYWRIGHT_MCP_URL
+            : null,
         apiKeySource: effectiveApiKeySource,
         stitchApiKeySource: effectiveStitchApiKeySource,
         defaultWorkspaceId: effectiveDefaultWorkspaceId,
@@ -5155,13 +5145,11 @@ async function configurePostmanInstallArtifacts({ platform, scope, profilePaths,
         cbxConfigPath: postmanSelection.cbxConfigPath,
         cbxConfigResult,
         gitIgnoreResults,
-        mcpDefinitionPath,
-        mcpDefinitionResult,
-        stitchMcpDefinitionPath,
-        stitchMcpDefinitionResult,
+        legacyDefinitionCleanupResults,
         mcpRuntimeResult,
         mcpCatalogSyncResults,
         legacySkillMcpCleanup,
+        persistedCredentials,
     };
 }
 function resolveMcpScopeFromConfigDocument(configValue, fallbackScope) {
@@ -5179,50 +5167,50 @@ function resolveMcpScopeFromConfigDocument(configValue, fallbackScope) {
 }
 async function applyPostmanConfigArtifacts({ platform, mcpScope, configValue, dryRun = false, cwd = process.cwd(), }) {
     const warnings = [];
-    const postmanState = ensureCredentialServiceState(configValue, "postman");
+    const storedPostmanState = parseStoredPostmanConfig(configValue);
+    const postmanEnabled = Boolean(storedPostmanState);
+    const postmanState = storedPostmanState ||
+        parseStoredCredentialServiceConfig({ service: "postman", rawService: {} });
     const stitchState = parseStoredStitchConfig(configValue);
-    const postmanApiKeyEnvVar = normalizePostmanApiKey(postmanState.apiKeyEnvVar) ||
-        POSTMAN_API_KEY_ENV_VAR;
-    const postmanMcpUrl = postmanState.mcpUrl || POSTMAN_MCP_URL;
+    const postmanApiKeyEnvVar = postmanEnabled
+        ? normalizePostmanApiKey(postmanState.apiKeyEnvVar) ||
+            POSTMAN_API_KEY_ENV_VAR
+        : POSTMAN_API_KEY_ENV_VAR;
+    const postmanMcpUrl = postmanEnabled
+        ? postmanState.mcpUrl || POSTMAN_MCP_URL
+        : POSTMAN_MCP_URL;
     const stitchEnabled = Boolean(stitchState);
-    const playwrightEnabled = Boolean(configValue?.playwright);
+    const playwrightConfig = configValue?.playwright &&
+        typeof configValue.playwright === "object" &&
+        !Array.isArray(configValue.playwright)
+        ? configValue.playwright
+        : null;
+    const playwrightEnabled = Boolean(playwrightConfig?.enabled ?? configValue?.playwright);
+    const playwrightMcpUrl = String(playwrightConfig?.mcpUrl || PLAYWRIGHT_MCP_URL).trim() ||
+        PLAYWRIGHT_MCP_URL;
     const stitchApiKeyEnvVar = normalizePostmanApiKey(stitchState?.apiKeyEnvVar) || STITCH_API_KEY_ENV_VAR;
     const stitchMcpUrl = stitchState?.mcpUrl || STITCH_MCP_URL;
     const foundryRuntime = normalizeMcpRuntime(configValue?.mcp?.effectiveRuntime || configValue?.mcp?.runtime, "local");
-    const resolvedPostmanApiKey = normalizePostmanApiKey(process.env[postmanApiKeyEnvVar]);
-    const resolvedStitchApiKey = normalizePostmanApiKey(process.env[stitchApiKeyEnvVar]);
-    const mcpDefinitionPath = resolvePostmanMcpDefinitionPath({
-        platform,
-        scope: mcpScope,
-        cwd,
-    });
-    const mcpDefinitionContent = `${JSON.stringify(buildPostmanMcpDefinition({
-        apiKeyEnvVar: postmanApiKeyEnvVar,
-        apiKey: resolvedPostmanApiKey,
-        mcpUrl: postmanMcpUrl,
-    }), null, 2)}\n`;
-    const mcpDefinitionResult = await writeGeneratedArtifact({
-        destination: mcpDefinitionPath,
-        content: mcpDefinitionContent,
-        dryRun,
-    });
-    let stitchMcpDefinitionPath = null;
-    let stitchMcpDefinitionResult = null;
+    const legacyDefinitionCleanupResults = [];
+    if (postmanEnabled && platform) {
+        legacyDefinitionCleanupResults.push(await removeGeneratedArtifactIfExists({
+            targetPath: resolvePostmanMcpDefinitionPath({
+                platform,
+                scope: mcpScope,
+                cwd,
+            }),
+            dryRun,
+        }));
+    }
     if (stitchEnabled) {
-        stitchMcpDefinitionPath = resolveStitchMcpDefinitionPath({
-            scope: mcpScope,
-            cwd,
-        });
-        const stitchMcpDefinitionContent = `${JSON.stringify(buildStitchMcpDefinition({
-            apiKeyEnvVar: stitchApiKeyEnvVar,
-            apiKey: resolvedStitchApiKey,
-            mcpUrl: stitchMcpUrl,
-        }), null, 2)}\n`;
-        stitchMcpDefinitionResult = await writeGeneratedArtifact({
-            destination: stitchMcpDefinitionPath,
-            content: stitchMcpDefinitionContent,
+        legacyDefinitionCleanupResults.push(await removeGeneratedArtifactIfExists({
+            targetPath: resolveStitchMcpDefinitionPath({
+                platform,
+                scope: mcpScope,
+                cwd,
+            }),
             dryRun,
-        });
+        }));
     }
     let mcpRuntimeResult = null;
     if (!platform) {
@@ -5234,6 +5222,7 @@ async function applyPostmanConfigArtifacts({ platform, mcpScope, configValue, dr
             mcpScope,
             apiKeyEnvVar: postmanApiKeyEnvVar,
             mcpUrl: postmanMcpUrl,
+            includePostmanMcp: postmanEnabled,
             stitchApiKeyEnvVar,
             stitchMcpUrl,
             includeStitchMcp: stitchEnabled,
@@ -5246,10 +5235,10 @@ async function applyPostmanConfigArtifacts({ platform, mcpScope, configValue, dr
         warnings.push(...(mcpRuntimeResult.warnings || []));
     }
     return {
-        mcpDefinitionPath,
-        mcpDefinitionResult,
-        stitchMcpDefinitionPath,
-        stitchMcpDefinitionResult,
+        postmanEnabled,
+        playwrightEnabled,
+        playwrightMcpUrl: playwrightEnabled ? playwrightMcpUrl : null,
+        legacyDefinitionCleanupResults,
         mcpRuntimeResult,
         warnings,
     };
@@ -5509,6 +5498,11 @@ async function installBundleArtifacts({ bundleId, manifest, platform, scope, ove
             platformSpec.prompts.length > 0) {
             await mkdir(profilePaths.promptsDir, { recursive: true });
         }
+        if (profilePaths.hooksDir &&
+            Array.isArray(platformSpec.hooks) &&
+            platformSpec.hooks.some((entry) => typeof entry?.file === "string")) {
+            await mkdir(profilePaths.hooksDir, { recursive: true });
+        }
     }
     const bundleRoot = path.join(agentAssetsRoot(), "workflows", bundleId);
     const platformRoot = path.join(bundleRoot, "platforms", platform);
@@ -5520,6 +5514,7 @@ async function installBundleArtifacts({ bundleId, manifest, platform, scope, ove
         skills: [],
         commands: [],
         prompts: [],
+        hooks: [],
     };
     // Bind useSymlinks into copyArtifact so every call site inherits it
     const copyArt = (args) => copyArtifact({ ...args, useSymlinks });
@@ -5613,6 +5608,35 @@ async function installBundleArtifacts({ bundleId, manifest, platform, scope, ove
         else
             installed.push(destination);
     }
+    const hookFiles = Array.isArray(platformSpec.hooks)
+        ? platformSpec.hooks
+            .map((entry) => typeof entry === "string"
+            ? entry
+            : typeof entry?.file === "string"
+                ? entry.file
+                : null)
+            .filter(Boolean)
+        : [];
+    for (const hookFile of hookFiles) {
+        if (!profilePaths.hooksDir)
+            continue;
+        const source = path.join(platformRoot, "hooks", hookFile);
+        const destination = path.join(profilePaths.hooksDir, path.basename(hookFile));
+        if (!(await pathExists(source))) {
+            throw new Error(`Missing hook source file: ${source}`);
+        }
+        const result = await copyArt({
+            source,
+            destination,
+            overwrite,
+            dryRun,
+        });
+        artifacts.hooks.push(destination);
+        if (result.action === "skipped" || result.action === "would-skip")
+            skipped.push(destination);
+        else
+            installed.push(destination);
+    }
     if (shouldInstallPlatformSkills) {
         const agentSkillDependencies = await resolvePlatformAgentSkillDependencies({
             platformRoot,
@@ -5837,6 +5861,20 @@ async function removeBundleArtifacts({ bundleId, manifest, platform, scope, prof
         if (await safeRemove(destination, dryRun))
             removed.push(destination);
     }
+    for (const hookEntry of platformSpec.hooks || []) {
+        if (!profilePaths.hooksDir)
+            continue;
+        const hookFile = typeof hookEntry === "string"
+            ? hookEntry
+            : typeof hookEntry?.file === "string"
+                ? hookEntry.file
+                : null;
+        if (!hookFile)
+            continue;
+        const destination = path.join(profilePaths.hooksDir, path.basename(hookFile));
+        if (await safeRemove(destination, dryRun))
+            removed.push(destination);
+    }
     const skillIds = await resolveInstallSkillIds({
         platformSpec,
         extraSkillIds: [],
@@ -5989,11 +6027,14 @@ function printPostmanSetupSummary({ postmanSetup }) {
         return;
     console.log("\nMCP setup:");
     console.log(`- MCP scope: ${postmanSetup.mcpScope}`);
+    if (postmanSetup.playwrightEnabled) {
+        console.log(`- Playwright MCP: enabled (${postmanSetup.playwrightMcpUrl || PLAYWRIGHT_MCP_URL})`);
+    }
     if (postmanSetup.postmanEnabled && postmanSetup.postmanMode) {
         console.log(`- Postman mode: ${postmanSetup.postmanMode}`);
     }
     if (postmanSetup.postmanEnabled && postmanSetup.postmanMcpUrl) {
-        console.log(`- Postman MCP URL: ${postmanSetup.postmanMcpUrl}`);
+        console.log(`- Postman upstream MCP URL: ${postmanSetup.postmanMcpUrl}`);
     }
     console.log(`- Config file: ${postmanSetup.cbxConfigResult.action} (${postmanSetup.cbxConfigPath})`);
     console.log(`- MCP runtime (requested): ${postmanSetup.mcpRuntime}`);
@@ -6004,7 +6045,7 @@ function printPostmanSetupSummary({ postmanSetup }) {
     console.log(`- MCP build local: ${postmanSetup.mcpBuildLocal ? "yes" : "no"}`);
     console.log(`- MCP image prepare: ${postmanSetup.dockerImageAction}`);
     console.log(`- MCP tool sync: ${postmanSetup.mcpToolSync ? "enabled" : "disabled"}`);
-    console.log(`- Foundry MCP side-by-side: ${postmanSetup.foundryMcpEnabled ? (postmanSetup.effectiveMcpRuntime === "docker" ? "enabled (docker endpoint)" : "enabled (cbx mcp serve)") : "disabled"}`);
+    console.log(`- Foundry MCP gateway: ${postmanSetup.foundryMcpEnabled ? (postmanSetup.effectiveMcpRuntime === "docker" ? "enabled (docker endpoint)" : "enabled (cbx mcp serve)") : "disabled"}`);
     if (postmanSetup.postmanEnabled) {
         console.log(`- Postman API key source: ${postmanSetup.apiKeySource}`);
     }
@@ -6017,12 +6058,8 @@ function printPostmanSetupSummary({ postmanSetup }) {
     for (const ignoreResult of postmanSetup.gitIgnoreResults || []) {
         console.log(`- .gitignore (${ignoreResult.filePath}): ${ignoreResult.action}`);
     }
-    if (postmanSetup.mcpDefinitionPath && postmanSetup.mcpDefinitionResult) {
-        console.log(`- Managed MCP definition (${postmanSetup.mcpDefinitionPath}): ${postmanSetup.mcpDefinitionResult.action}`);
-    }
-    if (postmanSetup.stitchMcpDefinitionPath &&
-        postmanSetup.stitchMcpDefinitionResult) {
-        console.log(`- Managed Stitch MCP definition (${postmanSetup.stitchMcpDefinitionPath}): ${postmanSetup.stitchMcpDefinitionResult.action}`);
+    for (const cleanupResult of postmanSetup.legacyDefinitionCleanupResults || []) {
+        console.log(`- Legacy direct MCP cleanup (${cleanupResult.path}): ${cleanupResult.action}`);
     }
     if (postmanSetup.mcpRuntimeResult) {
         console.log(`- Platform MCP target (${postmanSetup.mcpRuntimeResult.path || "n/a"}): ${postmanSetup.mcpRuntimeResult.action}`);
@@ -6037,6 +6074,13 @@ function printPostmanSetupSummary({ postmanSetup }) {
             }
         }
     }
+    if (postmanSetup.persistedCredentials) {
+        console.log(`- Credential vault (${postmanSetup.persistedCredentials.envPath}): ${postmanSetup.persistedCredentials.action}`);
+        console.log(`- Credential vars: ${postmanSetup.persistedCredentials.persisted.length > 0 ? postmanSetup.persistedCredentials.persisted.join(", ") : "(none)"}`);
+        if (postmanSetup.persistedCredentials.missing.length > 0) {
+            console.log(`- Missing credential vars: ${postmanSetup.persistedCredentials.missing.join(", ")}`);
+        }
+    }
     if (postmanSetup.legacySkillMcpCleanup) {
         console.log(`- Legacy skill mcp.json cleanup (${postmanSetup.legacySkillMcpCleanup.path}): ${postmanSetup.legacySkillMcpCleanup.action}`);
     }
@@ -6328,9 +6372,10 @@ function withInstallOptions(command) {
         .option("--scope <scope>", "install scope: project (global is accepted but coerced to project)", "project")
         .option("-b, --bundle <bundle>", "bundle id (default: agent-environment-setup)")
         .option("--overwrite", "overwrite existing files")
-        .option("--postman", "optional: install Postman skill and generate cbx_config.json")
+        .option("--postman", "optional: configure Postman profiles and gateway-backed Foundry MCP wiring")
         .option("--postman-mode <mode>", "Postman MCP mode for --postman: minimal|code|full (default: full)")
-        .option("--stitch", "optional: include Stitch MCP profile/config alongside Postman")
+        .option("--stitch", "optional: configure Stitch profiles and gateway-backed Foundry MCP wiring")
+        .option("--playwright", "optional: include Playwright MCP server wiring")
         .option("--postman-api-key <key>", "deprecated: inline key mode is disabled. Use env vars + profiles.")
         .option("--postman-workspace-id <id|null>", "optional: set default Postman workspace ID (use 'null' for no default)")
         .option("--stitch-api-key <key>", "deprecated: inline key mode is disabled. Use env vars + profiles.")
@@ -6342,10 +6387,10 @@ function withInstallOptions(command) {
         .option("--mcp-build-local", "build MCP Docker image from local package mcp/ directory instead of pulling")
         .option("--mcp-tool-sync", "enable automatic MCP tool catalog sync (default: enabled)")
         .option("--no-mcp-tool-sync", "disable automatic MCP tool catalog sync")
-        .option("--no-foundry-mcp", "disable side-by-side cubis-foundry MCP registration during --postman setup")
+        .option("--no-foundry-mcp", "deprecated: Postman/Stitch always use Cubis Foundry MCP gateway wiring")
         .option("--terminal-integration", "Antigravity only: enable terminal verification integration (prompts for verifier when interactive)")
         .option("--terminal-verifier <provider>", "Antigravity only: verifier provider (codex|gemini). Implies --terminal-integration.")
-        .option("--skill-profile <profile>", "skill install profile: core|web-backend|full (default: core)", DEFAULT_SKILL_PROFILE)
+        .option("--skill-profile <profile>", "skill install profile: core|web-backend|full", DEFAULT_SKILL_PROFILE)
         .option("--all-skills", "alias for --skill-profile full")
         .option("--target <path>", "install into target project directory instead of cwd")
         .option("--link", "create symlinks instead of copies (edits in source are instantly reflected)")
@@ -6618,6 +6663,7 @@ async function performWorkflowInstall(options, { postmanSelectionOverride = null
         profilePaths: installResult.profilePaths,
         postmanSelection,
         overwrite: Boolean(options.overwrite),
+        persistCredentials: !options.initWizardMode,
         dryRun,
         cwd,
     });
@@ -7370,14 +7416,16 @@ async function runWorkflowRemoveAll(options) {
                     dryRun,
                     records: removedRecords,
                 });
-                if (platform === "antigravity") {
-                    await removePathRecord({
-                        targetPath: resolveStitchMcpDefinitionPath({ scope, cwd }),
-                        category: `${platform}/${scope}/stitch-mcp-definition`,
-                        dryRun,
-                        records: removedRecords,
-                    });
-                }
+                await removePathRecord({
+                    targetPath: resolveStitchMcpDefinitionPath({
+                        platform,
+                        scope,
+                        cwd,
+                    }),
+                    category: `${platform}/${scope}/stitch-mcp-definition`,
+                    dryRun,
+                    records: removedRecords,
+                });
                 const runtimeResults = await removePlatformMcpRuntimeTargets({
                     platform,
                     scope,
@@ -7651,7 +7699,7 @@ function prepareConfigDocument(existingValue, { scope, generatedBy }) {
         next.mcp = {};
     next.mcp.scope = scope;
     if (!next.mcp.server)
-        next.mcp.server = POSTMAN_SKILL_ID;
+        next.mcp.server = FOUNDRY_MCP_SERVER_ID;
     return next;
 }
 function ensureCredentialServiceState(configValue, service) {
@@ -7880,26 +7928,127 @@ function migrateInlineCredentialsInConfig(configValue) {
         changed: JSON.stringify(next) !== JSON.stringify(configValue || {}),
     };
 }
-async function collectInlineHeaderFindings({ scope, cwd = process.cwd() }) {
+function resolveCredentialLeakScanTargets({ scope, cwd = process.cwd() }) {
+    const workspaceRoot = findWorkspaceRoot(cwd);
+    const targets = new Set([
+        resolveLegacyPostmanConfigPath({ scope, cwd }),
+        scope === "global"
+            ? path.join(os.homedir(), ".gemini", "settings.json")
+            : path.join(workspaceRoot, ".gemini", "settings.json"),
+        scope === "global"
+            ? path.join(os.homedir(), ".claude", "mcp.json")
+            : path.join(workspaceRoot, ".mcp.json"),
+        scope === "global"
+            ? path.join(os.homedir(), ".copilot", "mcp-config.json")
+            : path.join(workspaceRoot, ".vscode", "mcp.json"),
+    ]);
+    if (scope === "global") {
+        targets.add(path.join(os.homedir(), ".codex", "config.toml"));
+    }
+    for (const platform of Object.keys(WORKFLOW_PROFILES)) {
+        targets.add(resolvePostmanMcpDefinitionPath({ platform, scope, cwd }));
+        targets.add(resolveStitchMcpDefinitionPath({ platform, scope, cwd }));
+    }
+    return [...targets];
+}
+function collectCredentialLeakMatches(raw) {
+    const matches = [];
+    const patterns = [
+        {
+            id: "inline-apiKey-field",
+            pattern: /"apiKey"\s*:\s*"(?!\$\{)[^"]+/i,
+        },
+        {
+            id: "inline-bearer-header-json",
+            pattern: /"Authorization"\s*:\s*"Bearer\s+(?!\$\{)[^"]+/i,
+        },
+        {
+            id: "inline-bearer-header-toml",
+            pattern: /http_headers\s*=\s*\{[^}]*Authorization\s*=\s*"Bearer\s+(?!\$\{)[^"]+/is,
+        },
+        {
+            id: "inline-stitch-header-arg",
+            pattern: /X-Goog-Api-Key:(?!\s*\$\{[A-Za-z_][A-Za-z0-9_]*\})\s*[^"\n]+/i,
+        },
+        {
+            id: "inline-stitch-header-json",
+            pattern: /"X-Goog-Api-Key"\s*:\s*"(?!\$\{)[^"]+/i,
+        },
+    ];
+    for (const { id, pattern } of patterns) {
+        if (pattern.test(raw)) {
+            matches.push(id);
+        }
+    }
+    return matches;
+}
+async function collectCredentialLeakFindings({ scope, cwd = process.cwd() }) {
     const findings = [];
-    const stitchDefinitionPath = resolveStitchMcpDefinitionPath({ scope, cwd });
-    const geminiSettingsPath = scope === "global"
-        ? path.join(os.homedir(), ".gemini", "settings.json")
-        : path.join(findWorkspaceRoot(cwd), ".gemini", "settings.json");
-    const scanFile = async (filePath) => {
+    for (const filePath of resolveCredentialLeakScanTargets({ scope, cwd })) {
         if (!(await pathExists(filePath)))
-            return;
+            continue;
         const raw = await readFile(filePath, "utf8");
-        const unsafeStitchHeader = /X-Goog-Api-Key:(?!\s*\$\{[A-Za-z_][A-Za-z0-9_]*\})\s*[^"\n]+/i;
-        const unsafeBearerHeader = /"Authorization"\s*:\s*"Bearer\s+(?!\$\{)[^"]+/i;
-        if (unsafeStitchHeader.test(raw) || unsafeBearerHeader.test(raw)) {
-            findings.push(filePath);
+        const matches = collectCredentialLeakMatches(raw);
+        if (matches.length > 0) {
+            findings.push({ filePath, matches });
         }
-    };
-    await scanFile(stitchDefinitionPath);
-    await scanFile(geminiSettingsPath);
+    }
     return findings;
 }
+async function cleanupLegacyDirectCredentialArtifacts({ scope, dryRun = false, cwd = process.cwd(), }) {
+    const workspaceRoot = findWorkspaceRoot(cwd);
+    const cleanupResults = [];
+    const legacyServerIds = [POSTMAN_SKILL_ID, STITCH_MCP_SERVER_ID];
+    cleanupResults.push(await removeMcpRuntimeEntriesJson({
+        filePath: scope === "global"
+            ? path.join(os.homedir(), ".gemini", "settings.json")
+            : path.join(workspaceRoot, ".gemini", "settings.json"),
+        keyName: "mcpServers",
+        serverIds: legacyServerIds,
+        dryRun,
+    }));
+    cleanupResults.push(await removeMcpRuntimeEntriesJson({
+        filePath: scope === "global"
+            ? path.join(os.homedir(), ".claude", "mcp.json")
+            : path.join(workspaceRoot, ".mcp.json"),
+        keyName: "mcpServers",
+        serverIds: legacyServerIds,
+        dryRun,
+    }));
+    if (scope === "global") {
+        cleanupResults.push(await removeMcpRuntimeEntriesJson({
+            filePath: path.join(os.homedir(), ".copilot", "mcp-config.json"),
+            keyName: "mcpServers",
+            serverIds: legacyServerIds,
+            dryRun,
+        }));
+        cleanupResults.push(await removeMcpRuntimeEntriesCodexToml({
+            filePath: path.join(os.homedir(), ".codex", "config.toml"),
+            serverIds: legacyServerIds,
+            dryRun,
+            cwd,
+        }));
+    }
+    else {
+        cleanupResults.push(await removeMcpRuntimeEntriesJson({
+            filePath: path.join(workspaceRoot, ".vscode", "mcp.json"),
+            keyName: "servers",
+            serverIds: legacyServerIds,
+            dryRun,
+        }));
+    }
+    for (const platform of Object.keys(WORKFLOW_PROFILES)) {
+        cleanupResults.push(await removeGeneratedArtifactIfExists({
+            targetPath: resolvePostmanMcpDefinitionPath({ platform, scope, cwd }),
+            dryRun,
+        }));
+        cleanupResults.push(await removeGeneratedArtifactIfExists({
+            targetPath: resolveStitchMcpDefinitionPath({ platform, scope, cwd }),
+            dryRun,
+        }));
+    }
+    return cleanupResults.filter((item) => item.action !== "missing" && item.action !== "unchanged");
+}
 async function runWorkflowConfigKeysList(options) {
     try {
         const opts = resolveActionOptions(options);
@@ -8126,6 +8275,7 @@ async function runWorkflowConfigKeysMigrateInline(options) {
         const scopeArg = readCliOptionFromArgv("--scope");
         const scope = normalizeMcpScope(scopeArg ?? opts.scope, "global");
         const dryRun = hasCliFlag("--dry-run") || Boolean(opts.dryRun);
+        await loadManagedCredentialsEnv();
         const { configPath, existing, existingValue } = await loadConfigForScope({
             scope,
             cwd,
@@ -8140,6 +8290,21 @@ async function runWorkflowConfigKeysMigrateInline(options) {
             existingExists: existing.exists,
             dryRun,
         });
+        const cleanupResults = await cleanupLegacyDirectCredentialArtifacts({
+            scope,
+            dryRun,
+            cwd,
+        });
+        const platform = normalizePlatform(result.next?.mcp?.platform);
+        const secureArtifacts = platform && WORKFLOW_PROFILES[platform]
+            ? await applyPostmanConfigArtifacts({
+                platform,
+                mcpScope: resolveMcpScopeFromConfigDocument(result.next, scope),
+                configValue: result.next,
+                dryRun,
+                cwd,
+            })
+            : null;
         console.log(`Config file: ${configPath}`);
         console.log(`Action: ${action}`);
         console.log(`Inline key fields found: ${result.findings.length}`);
@@ -8154,6 +8319,19 @@ async function runWorkflowConfigKeysMigrateInline(options) {
                 console.log(`- ${envVar}`);
             }
         }
+        console.log(`Legacy direct MCP cleanup actions: ${cleanupResults.length}`);
+        for (const cleanup of cleanupResults) {
+            console.log(`- ${cleanup.action} ${cleanup.path}`);
+        }
+        if (secureArtifacts?.mcpRuntimeResult) {
+            console.log(`Secure platform MCP target: ${secureArtifacts.mcpRuntimeResult.action} (${secureArtifacts.mcpRuntimeResult.path || "n/a"})`);
+        }
+        for (const cleanup of secureArtifacts?.legacyDefinitionCleanupResults || []) {
+            console.log(`- ${cleanup.action} ${cleanup.path}`);
+        }
+        for (const warning of secureArtifacts?.warnings || []) {
+            console.log(`Warning: ${warning}`);
+        }
     }
     catch (error) {
         if (error?.name === "ExitPromptError") {
@@ -8170,6 +8348,7 @@ async function runWorkflowConfigKeysDoctor(options) {
         const cwd = process.cwd();
         const scopeArg = readCliOptionFromArgv("--scope");
         const scope = normalizeMcpScope(scopeArg ?? opts.scope, "global");
+        await loadManagedCredentialsEnv();
         const { configPath, existing, existingValue } = await loadConfigForScope({
             scope,
             cwd,
@@ -8180,15 +8359,15 @@ async function runWorkflowConfigKeysDoctor(options) {
             return;
         }
         const configFindings = collectInlineCredentialFindings(existingValue);
-        const artifactFindings = await collectInlineHeaderFindings({ scope, cwd });
+        const artifactFindings = await collectCredentialLeakFindings({ scope, cwd });
         const migrationPreview = migrateInlineCredentialsInConfig(existingValue);
         console.log(`Inline key findings: ${configFindings.length}`);
         for (const finding of configFindings) {
             console.log(`- ${finding.path}`);
         }
-        console.log(`Unsafe header findings: ${artifactFindings.length}`);
-        for (const filePath of artifactFindings) {
-            console.log(`- ${filePath}`);
+        console.log(`Credential leak findings: ${artifactFindings.length}`);
+        for (const finding of artifactFindings) {
+            console.log(`- ${finding.filePath} [${finding.matches.join(", ")}]`);
         }
         if (migrationPreview.requiredEnvVars.length > 0) {
             console.log("Expected env vars:");
@@ -8202,7 +8381,7 @@ async function runWorkflowConfigKeysDoctor(options) {
         else {
             console.log("Doctor result: issues detected. Run `cbx workflows config keys migrate-inline --scope " +
                 scope +
-                "` and reinstall with `--overwrite`.");
+                "` to scrub keys and reapply secure Foundry MCP wiring.");
         }
     }
     catch (error) {
@@ -8392,6 +8571,7 @@ async function runWorkflowConfig(options) {
         if (!next.mcp || typeof next.mcp !== "object" || Array.isArray(next.mcp)) {
             next.mcp = {};
         }
+        next.mcp.server = FOUNDRY_MCP_SERVER_ID;
         if (hasMcpRuntimeOption) {
             next.mcp.runtime = mcpRuntime;
             next.mcp.effectiveRuntime = mcpRuntime;
@@ -8455,10 +8635,9 @@ async function runWorkflowConfig(options) {
             console.log(`postman.mode: ${effectivePostmanMode}`);
             console.log(`postman.mcpUrl: ${effectivePostmanState.mcpUrl}`);
             if (postmanArtifacts) {
-                console.log(`postman.definition: ${postmanArtifacts.mcpDefinitionResult.action} (${postmanArtifacts.mcpDefinitionPath})`);
-                if (postmanArtifacts.stitchMcpDefinitionPath &&
-                    postmanArtifacts.stitchMcpDefinitionResult) {
-                    console.log(`stitch.definition: ${postmanArtifacts.stitchMcpDefinitionResult.action} (${postmanArtifacts.stitchMcpDefinitionPath})`);
+                for (const cleanupResult of postmanArtifacts.legacyDefinitionCleanupResults ||
+                    []) {
+                    console.log(`legacy.definition.cleanup: ${cleanupResult.action} (${cleanupResult.path})`);
                 }
                 if (postmanArtifacts.mcpRuntimeResult) {
                     console.log(`platform.mcp.target: ${postmanArtifacts.mcpRuntimeResult.action} (${postmanArtifacts.mcpRuntimeResult.path || "n/a"})`);
@@ -9554,7 +9733,12 @@ function normalizeInitPlatforms(value) {
     return normalized;
 }
 function normalizeInitMcpSelections(value) {
-    const allowed = new Set(["cubis-foundry", "postman", "stitch"]);
+    const allowed = new Set([
+        "cubis-foundry",
+        "postman",
+        "stitch",
+        "playwright",
+    ]);
     const items = Array.isArray(value) ? value : parseCsvOption(value);
     const normalized = [];
     for (const item of items) {
@@ -9653,7 +9837,7 @@ async function runInitWizard(options) {
         if (selections.platforms.length === 0) {
             throw new Error("No platforms selected.");
         }
-        const runtimeSelectableMcp = selections.selectedMcps.length > 0;
+        const runtimeSelectableMcp = selections.selectedMcps.some((item) => item !== "playwright");
         if (runtimeSelectableMcp && isInteractive) {
             const runtimeSelection = await promptInitMcpRuntime({
                 defaultRuntime: selections.mcpRuntime,
@@ -9791,9 +9975,14 @@ async function runInitWizard(options) {
             }
         }
         if (emitJson) {
+            const sanitizedSelections = {
+                ...selections,
+                postmanApiKey: selections.postmanApiKey ? "***REDACTED***" : null,
+                stitchApiKey: selections.stitchApiKey ? "***REDACTED***" : null,
+            };
             console.log(JSON.stringify({
                 dryRun,
-                selections,
+                selections: sanitizedSelections,
                 results,
                 persistedCredentials,
             }, null, 2));