npm - @cubis/foundry - Versions diffs - 0.3.75 → 0.3.77 - Mend

@cubis/foundry 0.3.75 → 0.3.77

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (263) hide show

package/src/cli/core.ts CHANGED Viewed

@@ -174,17 +174,20 @@ const WORKFLOW_PROFILES = {
       workflowDirs: [".claude/workflows"],
       agentDirs: [".claude/agents"],
       skillDirs: [".claude/skills"],
+      hookDirs: [".claude/hooks"],
       ruleFilesByPriority: ["CLAUDE.md"],
     },
     global: {
       workflowDirs: ["~/.claude/workflows"],
       agentDirs: ["~/.claude/agents"],
       skillDirs: ["~/.claude/skills"],
+      hookDirs: ["~/.claude/hooks"],
       ruleFilesByPriority: ["~/.claude/CLAUDE.md"],
     },
     detectorPaths: [
       "CLAUDE.md",
       ".claude",
+      ".claude/hooks",
       ".claude/rules",
       ".claude/settings.json",
     ],
@@ -2783,6 +2786,7 @@ async function recordBundleInstallState({
     skills: artifacts.skills.map(toPosixPath),
     commands: (artifacts.commands || []).map(toPosixPath),
     prompts: (artifacts.prompts || []).map(toPosixPath),
+    hooks: (artifacts.hooks || []).map(toPosixPath),
   };
   await writeState(scope, state, cwd);
@@ -2815,6 +2819,7 @@ async function resolveProfilePaths(profileId, scope, cwd = process.cwd()) {
   const skillDirs = Array.isArray(cfg.skillDirs) ? cfg.skillDirs : [];
   const commandDirs = Array.isArray(cfg.commandDirs) ? cfg.commandDirs : [];
   const promptDirs = Array.isArray(cfg.promptDirs) ? cfg.promptDirs : [];
+  const hookDirs = Array.isArray(cfg.hookDirs) ? cfg.hookDirs : [];
   const resolvePreferredDir = async (dirs) => {
     if (dirs.length === 0) return null;
@@ -2831,6 +2836,7 @@ async function resolveProfilePaths(profileId, scope, cwd = process.cwd()) {
     skillsDir: await resolvePreferredDir(skillDirs),
     commandsDir: commandDirs[0] ? expandPath(commandDirs[0], cwd) : null,
     promptsDir: promptDirs[0] ? expandPath(promptDirs[0], cwd) : null,
+    hooksDir: hookDirs[0] ? expandPath(hookDirs[0], cwd) : null,
     ruleFilesByPriority: cfg.ruleFilesByPriority.map((filePath) =>
       expandPath(filePath, cwd),
     ),
@@ -2862,6 +2868,7 @@ function resolveProfilePathCandidates(profileId, scope, cwd = process.cwd()) {
     skillsDirs: expandUniquePaths(cfg.skillDirs, cwd),
     commandsDirs: expandUniquePaths(cfg.commandDirs, cwd),
     promptsDirs: expandUniquePaths(cfg.promptDirs, cwd),
+    hooksDirs: expandUniquePaths(cfg.hookDirs, cwd),
     ruleFilesByPriority: expandUniquePaths(cfg.ruleFilesByPriority, cwd),
   };
 }
@@ -2895,6 +2902,7 @@ async function resolveArtifactProfilePaths(
     agentsDir: workspacePaths.agentsDir,
     commandsDir: workspacePaths.commandsDir ?? scopedPaths.commandsDir,
     promptsDir: workspacePaths.promptsDir ?? scopedPaths.promptsDir,
+    hooksDir: scopedPaths.hooksDir,
   };
 }
@@ -4561,10 +4569,14 @@ function resolvePostmanMcpDefinitionPath({
   );
 }
-function resolveStitchMcpDefinitionPath({ scope, cwd = process.cwd() }) {
+function resolveStitchMcpDefinitionPath({
+  platform,
+  scope,
+  cwd = process.cwd(),
+}) {
   return path.join(
     resolveMcpRootPath({ scope, cwd }),
-    "antigravity",
+    platform,
     "stitch.json",
   );
 }
@@ -5271,11 +5283,7 @@ async function removeGeneratedArtifactIfExists({ targetPath, dryRun = false }) {
 async function applyPostmanMcpForPlatform({
   platform,
   mcpScope,
-  apiKeyEnvVar,
-  mcpUrl,
-  includePostmanMcp = true,
-  stitchApiKeyEnvVar,
-  stitchMcpUrl,
+  includePostmanMcp = false,
   includeStitchMcp = false,
   includeFoundryMcp = true,
   includePlaywrightMcp = false,
@@ -5287,12 +5295,11 @@ async function applyPostmanMcpForPlatform({
   const warnings = [];
   const foundryScope = mcpScope === "global" ? "global" : "project";
   const normalizedFoundryRuntime = normalizeMcpRuntime(foundryRuntime, "local");
-  const resolvedPostmanApiKey = normalizePostmanApiKey(
-    process.env[apiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR],
-  );
-  const resolvedStitchApiKey = normalizePostmanApiKey(
-    process.env[stitchApiKeyEnvVar || STITCH_API_KEY_ENV_VAR],
-  );
+  const cleanupLegacyServers = (servers) => {
+    delete servers[POSTMAN_SKILL_ID];
+    delete servers[STITCH_MCP_SERVER_ID];
+    return servers;
+  };
   let foundryDockerPort = DEFAULT_MCP_DOCKER_HOST_PORT;
   if (includeFoundryMcp && normalizedFoundryRuntime === "docker") {
     const runningPort = await resolveDockerContainerHostPort({
@@ -5324,13 +5331,7 @@ async function applyPostmanMcpForPlatform({
           !Array.isArray(next.mcpServers)
             ? { ...next.mcpServers }
             : {};
-        if (includePostmanMcp) {
-          mcpServers[POSTMAN_SKILL_ID] = buildGeminiPostmanServer({
-            apiKeyEnvVar,
-            apiKey: resolvedPostmanApiKey,
-            mcpUrl,
-          });
-        }
+        cleanupLegacyServers(mcpServers);
         if (includeFoundryMcp) {
           mcpServers[FOUNDRY_MCP_SERVER_ID] = buildGeminiFoundryServer({
             scope: foundryScope,
@@ -5340,13 +5341,6 @@ async function applyPostmanMcpForPlatform({
         } else {
           delete mcpServers[FOUNDRY_MCP_SERVER_ID];
         }
-        if (includeStitchMcp) {
-          mcpServers[STITCH_MCP_SERVER_ID] = buildGeminiStitchServer({
-            apiKeyEnvVar: stitchApiKeyEnvVar,
-            apiKey: resolvedStitchApiKey,
-            mcpUrl: stitchMcpUrl,
-          });
-        }
         if (includePlaywrightMcp) {
           mcpServers[PLAYWRIGHT_MCP_SERVER_ID] = buildGeminiPlaywrightServer();
         }
@@ -5380,13 +5374,7 @@ async function applyPostmanMcpForPlatform({
             !Array.isArray(next.mcpServers)
               ? { ...next.mcpServers }
               : {};
-          if (includePostmanMcp) {
-            mcpServers[POSTMAN_SKILL_ID] = buildCopilotCliPostmanServer({
-              apiKeyEnvVar,
-              apiKey: resolvedPostmanApiKey,
-              mcpUrl,
-            });
-          }
+          cleanupLegacyServers(mcpServers);
           if (includeFoundryMcp) {
             mcpServers[FOUNDRY_MCP_SERVER_ID] = buildCopilotCliFoundryServer({
               scope: foundryScope,
@@ -5410,13 +5398,7 @@ async function applyPostmanMcpForPlatform({
           !Array.isArray(next.servers)
             ? { ...next.servers }
             : {};
-        if (includePostmanMcp) {
-          servers[POSTMAN_SKILL_ID] = buildVsCodePostmanServer({
-            apiKeyEnvVar,
-            apiKey: resolvedPostmanApiKey,
-            mcpUrl,
-          });
-        }
+        cleanupLegacyServers(servers);
         if (includeFoundryMcp) {
           servers[FOUNDRY_MCP_SERVER_ID] = buildVsCodeFoundryServer({
             scope: foundryScope,
@@ -5464,13 +5446,7 @@ async function applyPostmanMcpForPlatform({
             !Array.isArray(next.servers)
               ? { ...next.servers }
               : {};
-          if (includePostmanMcp) {
-            servers[POSTMAN_SKILL_ID] = buildVsCodePostmanServer({
-              apiKeyEnvVar,
-              apiKey: resolvedPostmanApiKey,
-              mcpUrl,
-            });
-          }
+          cleanupLegacyServers(servers);
           if (includeFoundryMcp) {
             servers[FOUNDRY_MCP_SERVER_ID] = buildVsCodeFoundryServer({
               scope: foundryScope,
@@ -5513,6 +5489,11 @@ async function applyPostmanMcpForPlatform({
     } catch {
       // Best effort. Add will still run and becomes source of truth.
     }
+    try {
+      await execFile("codex", ["mcp", "remove", STITCH_MCP_SERVER_ID], { cwd });
+    } catch {
+      // Best effort. Add will still run and becomes source of truth.
+    }
     try {
       await execFile("codex", ["mcp", "remove", FOUNDRY_MCP_SERVER_ID], {
         cwd,
@@ -5520,51 +5501,12 @@ async function applyPostmanMcpForPlatform({
     } catch {
       // Best effort. Add will still run and becomes source of truth.
     }
-    if (includePostmanMcp) {
-      try {
-        await execFile(
-          "codex",
-          [
-            "mcp",
-            "add",
-            POSTMAN_SKILL_ID,
-            "--url",
-            mcpUrl,
-            "--bearer-token-env-var",
-            apiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR,
-          ],
-          { cwd },
-        );
-        const postmanToken = normalizePostmanApiKey(
-          process.env[apiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR],
-        );
-        const postmanPatch = await patchCodexPostmanHttpHeaders({
-          configPath: codexConfigPath,
-          mcpUrl,
-          bearerToken: postmanToken,
-          dryRun: false,
-        });
-        if (postmanPatch.action === "patched") {
-          warnings.push(
-            "Codex Postman MCP config patched to static Authorization header for startup reliability.",
-          );
-        }
-        if (postmanPatch.warnings?.length) {
-          warnings.push(...postmanPatch.warnings);
-        }
-      } catch (error) {
-        warnings.push(
-          `Failed to register Postman MCP via Codex CLI. Ensure 'codex' is installed and rerun. (${error.message})`,
-        );
-        return {
-          kind: "codex-cli",
-          scope: mcpScope,
-          path: codexConfigPath,
-          action: "failed",
-          warnings,
-        };
-      }
+    try {
+      await execFile("codex", ["mcp", "remove", PLAYWRIGHT_MCP_SERVER_ID], {
+        cwd,
+      });
+    } catch {
+      // Best effort. Add will still run and becomes source of truth.
     }
     if (includeFoundryMcp) {
@@ -5601,6 +5543,19 @@ async function applyPostmanMcpForPlatform({
         );
       }
     }
+    if (includePlaywrightMcp) {
+      try {
+        await execFile(
+          "codex",
+          ["mcp", "add", PLAYWRIGHT_MCP_SERVER_ID, "--url", PLAYWRIGHT_MCP_URL],
+          { cwd },
+        );
+      } catch (error) {
+        warnings.push(
+          `Failed to register ${PLAYWRIGHT_MCP_SERVER_ID} MCP via Codex CLI. Ensure 'codex' is installed and rerun. (${error.message})`,
+        );
+      }
+    }
     return {
       kind: "codex-cli",
@@ -5626,6 +5581,7 @@ async function applyPostmanMcpForPlatform({
           !Array.isArray(next.mcpServers)
             ? { ...next.mcpServers }
             : {};
+        cleanupLegacyServers(mcpServers);
         if (includeFoundryMcp) {
           if (normalizedFoundryRuntime === "docker") {
             mcpServers[FOUNDRY_MCP_SERVER_ID] = {
@@ -5668,7 +5624,7 @@ async function applyPostmanMcpForPlatform({
     path: null,
     action: "skipped",
     warnings: [
-      `Unsupported platform '${platform}' for Postman MCP installation.`,
+      `Unsupported platform '${platform}' for Foundry MCP installation.`,
     ],
   };
 }
@@ -5716,13 +5672,28 @@ async function resolvePostmanInstallSelection({
   }
   const stitchRequested = Boolean(options.stitch);
+  const playwrightRequested = Boolean(options.playwright);
   const postmanRequested =
     Boolean(options.postman) ||
     hasWorkspaceOption ||
     options.postmanMode !== undefined;
+  const stitchEnabled = stitchRequested;
+  const gatewayRequested = postmanRequested || stitchEnabled;
+  const foundryMcpRequested = options.foundryMcp === true;
+  const foundryMcpEnabled =
+    options.foundryMcp === false && !gatewayRequested
+      ? false
+      : foundryMcpRequested || gatewayRequested;
   const foundryOnlyRequested =
-    options.foundryMcp === true && !postmanRequested && !stitchRequested;
-  const enabled = postmanRequested || stitchRequested || foundryOnlyRequested;
+    foundryMcpRequested &&
+    !postmanRequested &&
+    !stitchRequested &&
+    !playwrightRequested;
+  const enabled =
+    postmanRequested ||
+    stitchRequested ||
+    playwrightRequested ||
+    foundryOnlyRequested;
   if (!enabled) return { enabled: false };
   const requestedPostmanMode = postmanRequested
     ? normalizePostmanMode(options.postmanMode, DEFAULT_POSTMAN_INSTALL_MODE)
@@ -5743,19 +5714,20 @@ async function resolvePostmanInstallSelection({
     : null;
   let mcpScope = requestedMcpScope?.scope || "project";
   const warnings = [];
+  if (options.foundryMcp === false && gatewayRequested) {
+    warnings.push(
+      "Ignoring --no-foundry-mcp because Postman/Stitch now route through the Cubis Foundry MCP gateway.",
+    );
+  }
   if (requestedMcpScope?.warning) {
     warnings.push(requestedMcpScope.warning);
   }
-  const stitchEnabled =
-    stitchRequested ||
-    (platform === "antigravity" &&
-      options.stitchDefaultForAntigravity !== false);
   const envStitchApiKey = normalizePostmanApiKey(
     process.env[STITCH_API_KEY_ENV_VAR],
   );
   const requestedRuntime = normalizeMcpRuntime(
     options.mcpRuntime,
-    DEFAULT_MCP_RUNTIME,
+    foundryMcpEnabled ? DEFAULT_MCP_RUNTIME : "local",
   );
   const requestedFallback = normalizeMcpFallback(
     options.mcpFallback,
@@ -5768,8 +5740,8 @@ async function resolvePostmanInstallSelection({
     DEFAULT_MCP_UPDATE_POLICY,
   );
   const mcpBuildLocal = Boolean(options.mcpBuildLocal);
-  const mcpToolSync = options.mcpToolSync !== false;
-  const foundryMcpEnabled = options.foundryMcp !== false;
+  const mcpToolSync =
+    options.mcpToolSync !== false && (postmanRequested || stitchEnabled);
   const canPrompt =
     !options.yes && !options.dryRun && !process.env.CI && process.stdin.isTTY;
@@ -5783,10 +5755,10 @@ async function resolvePostmanInstallSelection({
     workspaceSelectionSource = "interactive";
   }
-  let effectiveRuntime = requestedRuntime;
-  let runtimeSkipped = false;
-  let dockerImageAction = "not-requested";
-  if (requestedRuntime === "docker") {
+  let effectiveRuntime = foundryMcpEnabled ? requestedRuntime : null;
+  let runtimeSkipped = !foundryMcpEnabled;
+  let dockerImageAction = foundryMcpEnabled ? "not-requested" : "not-needed";
+  if (foundryMcpEnabled && requestedRuntime === "docker") {
     const dockerAvailable = await checkDockerAvailable({ cwd });
     if (!dockerAvailable) {
       if (requestedFallback === "fail") {
@@ -5871,11 +5843,12 @@ async function resolvePostmanInstallSelection({
     generatedAt: new Date().toISOString(),
     mcp: {
       scope: mcpScope,
-      server: postmanRequested
-        ? POSTMAN_SKILL_ID
-        : stitchEnabled
-          ? STITCH_MCP_SERVER_ID
-          : FOUNDRY_MCP_SERVER_ID,
+      server:
+        foundryMcpEnabled || gatewayRequested
+          ? FOUNDRY_MCP_SERVER_ID
+          : playwrightRequested
+            ? PLAYWRIGHT_MCP_SERVER_ID
+            : FOUNDRY_MCP_SERVER_ID,
       platform,
       runtime: requestedRuntime,
       fallback: requestedFallback,
@@ -5918,12 +5891,20 @@ async function resolvePostmanInstallSelection({
       mcpUrl: STITCH_MCP_URL,
     };
   }
+  if (playwrightRequested) {
+    cbxConfig.playwright = {
+      enabled: true,
+      server: PLAYWRIGHT_MCP_SERVER_ID,
+      mcpUrl: PLAYWRIGHT_MCP_URL,
+    };
+  }
   return {
     enabled: true,
     postmanEnabled: postmanRequested,
     apiKeySource,
     stitchEnabled,
+    playwrightEnabled: playwrightRequested,
     stitchApiKeySource,
     mcpRuntime: requestedRuntime,
     effectiveMcpRuntime: runtimeSkipped ? null : effectiveRuntime,
@@ -5951,6 +5932,7 @@ async function configurePostmanInstallArtifacts({
   profilePaths,
   postmanSelection,
   overwrite = false,
+  persistCredentials = true,
   dryRun = false,
   cwd = process.cwd(),
 }) {
@@ -6123,50 +6105,30 @@ async function configurePostmanInstallArtifacts({
     gitIgnoreResults.push(mcpIgnore);
   }
-  let mcpDefinitionPath = null;
-  let mcpDefinitionResult = null;
+  const legacyDefinitionCleanupResults = [];
   if (shouldInstallPostman) {
-    mcpDefinitionPath = resolvePostmanMcpDefinitionPath({
-      platform,
-      scope: postmanSelection.mcpScope,
-      cwd,
-    });
-    const mcpDefinitionContent = `${JSON.stringify(
-      buildPostmanMcpDefinition({
-        apiKeyEnvVar: effectiveApiKeyEnvVar,
-        apiKey: envApiKey,
-        mcpUrl: effectiveMcpUrl,
+    legacyDefinitionCleanupResults.push(
+      await removeGeneratedArtifactIfExists({
+        targetPath: resolvePostmanMcpDefinitionPath({
+          platform,
+          scope: postmanSelection.mcpScope,
+          cwd,
+        }),
+        dryRun,
       }),
-      null,
-      2,
-    )}\n`;
-    mcpDefinitionResult = await writeGeneratedArtifact({
-      destination: mcpDefinitionPath,
-      content: mcpDefinitionContent,
-      dryRun,
-    });
+    );
   }
-  let stitchMcpDefinitionPath = null;
-  let stitchMcpDefinitionResult = null;
   if (shouldInstallStitch) {
-    stitchMcpDefinitionPath = resolveStitchMcpDefinitionPath({
-      scope: postmanSelection.mcpScope,
-      cwd,
-    });
-    const stitchMcpDefinitionContent = `${JSON.stringify(
-      buildStitchMcpDefinition({
-        apiKeyEnvVar: effectiveStitchApiKeyEnvVar,
-        apiKey: envStitchApiKey,
-        mcpUrl: effectiveStitchMcpUrl,
+    legacyDefinitionCleanupResults.push(
+      await removeGeneratedArtifactIfExists({
+        targetPath: resolveStitchMcpDefinitionPath({
+          platform,
+          scope: postmanSelection.mcpScope,
+          cwd,
+        }),
+        dryRun,
       }),
-      null,
-      2,
-    )}\n`;
-    stitchMcpDefinitionResult = await writeGeneratedArtifact({
-      destination: stitchMcpDefinitionPath,
-      content: stitchMcpDefinitionContent,
-      dryRun,
-    });
+    );
   }
   const mcpRuntimeResult = postmanSelection.runtimeSkipped
@@ -6229,6 +6191,28 @@ async function configurePostmanInstallArtifacts({
         dryRun,
       })
     : null;
+  const credentialEnvVarNames = [];
+  if (persistCredentials && shouldInstallPostman && effectiveApiKeySource === "env") {
+    credentialEnvVarNames.push(
+      effectiveApiKeyEnvVar || POSTMAN_API_KEY_ENV_VAR,
+    );
+  }
+  if (
+    persistCredentials &&
+    shouldInstallStitch &&
+    effectiveStitchApiKeySource === "env"
+  ) {
+    credentialEnvVarNames.push(
+      effectiveStitchApiKeyEnvVar || STITCH_API_KEY_ENV_VAR,
+    );
+  }
+  const persistedCredentials =
+    credentialEnvVarNames.length > 0
+      ? await persistManagedCredentialsEnv({
+          envVarNames: [...new Set(credentialEnvVarNames)],
+          dryRun,
+        })
+      : null;
   return {
     enabled: true,
@@ -6243,6 +6227,7 @@ async function configurePostmanInstallArtifacts({
     mcpToolSync: postmanSelection.mcpToolSync,
     foundryMcpEnabled: postmanSelection.foundryMcpEnabled,
     postmanEnabled: shouldInstallPostman,
+    playwrightEnabled: Boolean(postmanSelection.playwrightEnabled),
     postmanMode:
       shouldInstallPostman && effectiveMcpUrl
         ? resolvePostmanModeFromUrl(
@@ -6251,6 +6236,9 @@ async function configurePostmanInstallArtifacts({
           )
         : null,
     postmanMcpUrl: shouldInstallPostman ? effectiveMcpUrl : null,
+    playwrightMcpUrl: postmanSelection.playwrightEnabled
+      ? PLAYWRIGHT_MCP_URL
+      : null,
     apiKeySource: effectiveApiKeySource,
     stitchApiKeySource: effectiveStitchApiKeySource,
     defaultWorkspaceId: effectiveDefaultWorkspaceId,
@@ -6258,13 +6246,11 @@ async function configurePostmanInstallArtifacts({
     cbxConfigPath: postmanSelection.cbxConfigPath,
     cbxConfigResult,
     gitIgnoreResults,
-    mcpDefinitionPath,
-    mcpDefinitionResult,
-    stitchMcpDefinitionPath,
-    stitchMcpDefinitionResult,
+    legacyDefinitionCleanupResults,
     mcpRuntimeResult,
     mcpCatalogSyncResults,
     legacySkillMcpCleanup,
+    persistedCredentials,
   };
 }
@@ -6291,14 +6277,32 @@ async function applyPostmanConfigArtifacts({
   cwd = process.cwd(),
 }) {
   const warnings = [];
-  const postmanState = ensureCredentialServiceState(configValue, "postman");
+  const storedPostmanState = parseStoredPostmanConfig(configValue);
+  const postmanEnabled = Boolean(storedPostmanState);
+  const postmanState =
+    storedPostmanState ||
+    parseStoredCredentialServiceConfig({ service: "postman", rawService: {} });
   const stitchState = parseStoredStitchConfig(configValue);
-  const postmanApiKeyEnvVar =
-    normalizePostmanApiKey(postmanState.apiKeyEnvVar) ||
-    POSTMAN_API_KEY_ENV_VAR;
-  const postmanMcpUrl = postmanState.mcpUrl || POSTMAN_MCP_URL;
+  const postmanApiKeyEnvVar = postmanEnabled
+    ? normalizePostmanApiKey(postmanState.apiKeyEnvVar) ||
+      POSTMAN_API_KEY_ENV_VAR
+    : POSTMAN_API_KEY_ENV_VAR;
+  const postmanMcpUrl = postmanEnabled
+    ? postmanState.mcpUrl || POSTMAN_MCP_URL
+    : POSTMAN_MCP_URL;
   const stitchEnabled = Boolean(stitchState);
-  const playwrightEnabled = Boolean(configValue?.playwright);
+  const playwrightConfig =
+    configValue?.playwright &&
+    typeof configValue.playwright === "object" &&
+    !Array.isArray(configValue.playwright)
+      ? configValue.playwright
+      : null;
+  const playwrightEnabled = Boolean(
+    playwrightConfig?.enabled ?? configValue?.playwright,
+  );
+  const playwrightMcpUrl =
+    String(playwrightConfig?.mcpUrl || PLAYWRIGHT_MCP_URL).trim() ||
+    PLAYWRIGHT_MCP_URL;
   const stitchApiKeyEnvVar =
     normalizePostmanApiKey(stitchState?.apiKeyEnvVar) || STITCH_API_KEY_ENV_VAR;
   const stitchMcpUrl = stitchState?.mcpUrl || STITCH_MCP_URL;
@@ -6306,54 +6310,31 @@ async function applyPostmanConfigArtifacts({
     configValue?.mcp?.effectiveRuntime || configValue?.mcp?.runtime,
     "local",
   );
-  const resolvedPostmanApiKey = normalizePostmanApiKey(
-    process.env[postmanApiKeyEnvVar],
-  );
-  const resolvedStitchApiKey = normalizePostmanApiKey(
-    process.env[stitchApiKeyEnvVar],
-  );
-  const mcpDefinitionPath = resolvePostmanMcpDefinitionPath({
-    platform,
-    scope: mcpScope,
-    cwd,
-  });
-  const mcpDefinitionContent = `${JSON.stringify(
-    buildPostmanMcpDefinition({
-      apiKeyEnvVar: postmanApiKeyEnvVar,
-      apiKey: resolvedPostmanApiKey,
-      mcpUrl: postmanMcpUrl,
-    }),
-    null,
-    2,
-  )}\n`;
-  const mcpDefinitionResult = await writeGeneratedArtifact({
-    destination: mcpDefinitionPath,
-    content: mcpDefinitionContent,
-    dryRun,
-  });
+  const legacyDefinitionCleanupResults = [];
+  if (postmanEnabled && platform) {
+    legacyDefinitionCleanupResults.push(
+      await removeGeneratedArtifactIfExists({
+        targetPath: resolvePostmanMcpDefinitionPath({
+          platform,
+          scope: mcpScope,
+          cwd,
+        }),
+        dryRun,
+      }),
+    );
+  }
-  let stitchMcpDefinitionPath = null;
-  let stitchMcpDefinitionResult = null;
   if (stitchEnabled) {
-    stitchMcpDefinitionPath = resolveStitchMcpDefinitionPath({
-      scope: mcpScope,
-      cwd,
-    });
-    const stitchMcpDefinitionContent = `${JSON.stringify(
-      buildStitchMcpDefinition({
-        apiKeyEnvVar: stitchApiKeyEnvVar,
-        apiKey: resolvedStitchApiKey,
-        mcpUrl: stitchMcpUrl,
+    legacyDefinitionCleanupResults.push(
+      await removeGeneratedArtifactIfExists({
+        targetPath: resolveStitchMcpDefinitionPath({
+          platform,
+          scope: mcpScope,
+          cwd,
+        }),
+        dryRun,
       }),
-      null,
-      2,
-    )}\n`;
-    stitchMcpDefinitionResult = await writeGeneratedArtifact({
-      destination: stitchMcpDefinitionPath,
-      content: stitchMcpDefinitionContent,
-      dryRun,
-    });
+    );
   }
   let mcpRuntimeResult = null;
@@ -6367,6 +6348,7 @@ async function applyPostmanConfigArtifacts({
       mcpScope,
       apiKeyEnvVar: postmanApiKeyEnvVar,
       mcpUrl: postmanMcpUrl,
+      includePostmanMcp: postmanEnabled,
       stitchApiKeyEnvVar,
       stitchMcpUrl,
       includeStitchMcp: stitchEnabled,
@@ -6380,10 +6362,10 @@ async function applyPostmanConfigArtifacts({
   }
   return {
-    mcpDefinitionPath,
-    mcpDefinitionResult,
-    stitchMcpDefinitionPath,
-    stitchMcpDefinitionResult,
+    postmanEnabled,
+    playwrightEnabled,
+    playwrightMcpUrl: playwrightEnabled ? playwrightMcpUrl : null,
+    legacyDefinitionCleanupResults,
     mcpRuntimeResult,
     warnings,
   };
@@ -6707,6 +6689,13 @@ async function installBundleArtifacts({
     ) {
       await mkdir(profilePaths.promptsDir, { recursive: true });
     }
+    if (
+      profilePaths.hooksDir &&
+      Array.isArray(platformSpec.hooks) &&
+      platformSpec.hooks.some((entry) => typeof entry?.file === "string")
+    ) {
+      await mkdir(profilePaths.hooksDir, { recursive: true });
+    }
   }
   const bundleRoot = path.join(agentAssetsRoot(), "workflows", bundleId);
@@ -6720,6 +6709,7 @@ async function installBundleArtifacts({
     skills: [],
     commands: [],
     prompts: [],
+    hooks: [],
   };
   // Bind useSymlinks into copyArtifact so every call site inherits it
@@ -6832,6 +6822,40 @@ async function installBundleArtifacts({
       skipped.push(destination);
     else installed.push(destination);
   }
+  const hookFiles = Array.isArray(platformSpec.hooks)
+    ? platformSpec.hooks
+        .map((entry) =>
+          typeof entry === "string"
+            ? entry
+            : typeof entry?.file === "string"
+              ? entry.file
+              : null,
+        )
+        .filter(Boolean)
+    : [];
+  for (const hookFile of hookFiles) {
+    if (!profilePaths.hooksDir) continue;
+    const source = path.join(platformRoot, "hooks", hookFile);
+    const destination = path.join(
+      profilePaths.hooksDir,
+      path.basename(hookFile),
+    );
+    if (!(await pathExists(source))) {
+      throw new Error(`Missing hook source file: ${source}`);
+    }
+    const result = await copyArt({
+      source,
+      destination,
+      overwrite,
+      dryRun,
+    });
+    artifacts.hooks.push(destination);
+    if (result.action === "skipped" || result.action === "would-skip")
+      skipped.push(destination);
+    else installed.push(destination);
+  }
   if (shouldInstallPlatformSkills) {
     const agentSkillDependencies = await resolvePlatformAgentSkillDependencies({
       platformRoot,
@@ -7129,6 +7153,22 @@ async function removeBundleArtifacts({
     if (await safeRemove(destination, dryRun)) removed.push(destination);
   }
+  for (const hookEntry of platformSpec.hooks || []) {
+    if (!profilePaths.hooksDir) continue;
+    const hookFile =
+      typeof hookEntry === "string"
+        ? hookEntry
+        : typeof hookEntry?.file === "string"
+          ? hookEntry.file
+          : null;
+    if (!hookFile) continue;
+    const destination = path.join(
+      profilePaths.hooksDir,
+      path.basename(hookFile),
+    );
+    if (await safeRemove(destination, dryRun)) removed.push(destination);
+  }
   const skillIds = await resolveInstallSkillIds({
     platformSpec,
     extraSkillIds: [],
@@ -7361,11 +7401,16 @@ function printPostmanSetupSummary({ postmanSetup }) {
   console.log("\nMCP setup:");
   console.log(`- MCP scope: ${postmanSetup.mcpScope}`);
+  if (postmanSetup.playwrightEnabled) {
+    console.log(
+      `- Playwright MCP: enabled (${postmanSetup.playwrightMcpUrl || PLAYWRIGHT_MCP_URL})`,
+    );
+  }
   if (postmanSetup.postmanEnabled && postmanSetup.postmanMode) {
     console.log(`- Postman mode: ${postmanSetup.postmanMode}`);
   }
   if (postmanSetup.postmanEnabled && postmanSetup.postmanMcpUrl) {
-    console.log(`- Postman MCP URL: ${postmanSetup.postmanMcpUrl}`);
+    console.log(`- Postman upstream MCP URL: ${postmanSetup.postmanMcpUrl}`);
   }
   console.log(
     `- Config file: ${postmanSetup.cbxConfigResult.action} (${postmanSetup.cbxConfigPath})`,
@@ -7385,7 +7430,7 @@ function printPostmanSetupSummary({ postmanSetup }) {
     `- MCP tool sync: ${postmanSetup.mcpToolSync ? "enabled" : "disabled"}`,
   );
   console.log(
-    `- Foundry MCP side-by-side: ${postmanSetup.foundryMcpEnabled ? (postmanSetup.effectiveMcpRuntime === "docker" ? "enabled (docker endpoint)" : "enabled (cbx mcp serve)") : "disabled"}`,
+    `- Foundry MCP gateway: ${postmanSetup.foundryMcpEnabled ? (postmanSetup.effectiveMcpRuntime === "docker" ? "enabled (docker endpoint)" : "enabled (cbx mcp serve)") : "disabled"}`,
   );
   if (postmanSetup.postmanEnabled) {
     console.log(`- Postman API key source: ${postmanSetup.apiKeySource}`);
@@ -7403,17 +7448,9 @@ function printPostmanSetupSummary({ postmanSetup }) {
       `- .gitignore (${ignoreResult.filePath}): ${ignoreResult.action}`,
     );
   }
-  if (postmanSetup.mcpDefinitionPath && postmanSetup.mcpDefinitionResult) {
+  for (const cleanupResult of postmanSetup.legacyDefinitionCleanupResults || []) {
     console.log(
-      `- Managed MCP definition (${postmanSetup.mcpDefinitionPath}): ${postmanSetup.mcpDefinitionResult.action}`,
-    );
-  }
-  if (
-    postmanSetup.stitchMcpDefinitionPath &&
-    postmanSetup.stitchMcpDefinitionResult
-  ) {
-    console.log(
-      `- Managed Stitch MCP definition (${postmanSetup.stitchMcpDefinitionPath}): ${postmanSetup.stitchMcpDefinitionResult.action}`,
+      `- Legacy direct MCP cleanup (${cleanupResult.path}): ${cleanupResult.action}`,
     );
   }
   if (postmanSetup.mcpRuntimeResult) {
@@ -7434,6 +7471,19 @@ function printPostmanSetupSummary({ postmanSetup }) {
       }
     }
   }
+  if (postmanSetup.persistedCredentials) {
+    console.log(
+      `- Credential vault (${postmanSetup.persistedCredentials.envPath}): ${postmanSetup.persistedCredentials.action}`,
+    );
+    console.log(
+      `- Credential vars: ${postmanSetup.persistedCredentials.persisted.length > 0 ? postmanSetup.persistedCredentials.persisted.join(", ") : "(none)"}`,
+    );
+    if (postmanSetup.persistedCredentials.missing.length > 0) {
+      console.log(
+        `- Missing credential vars: ${postmanSetup.persistedCredentials.missing.join(", ")}`,
+      );
+    }
+  }
   if (postmanSetup.legacySkillMcpCleanup) {
     console.log(
       `- Legacy skill mcp.json cleanup (${postmanSetup.legacySkillMcpCleanup.path}): ${postmanSetup.legacySkillMcpCleanup.action}`,
@@ -7865,7 +7915,7 @@ function withInstallOptions(command) {
     .option("--overwrite", "overwrite existing files")
     .option(
       "--postman",
-      "optional: install Postman skill and generate cbx_config.json",
+      "optional: configure Postman profiles and gateway-backed Foundry MCP wiring",
     )
     .option(
       "--postman-mode <mode>",
@@ -7873,7 +7923,11 @@ function withInstallOptions(command) {
     )
     .option(
       "--stitch",
-      "optional: include Stitch MCP profile/config alongside Postman",
+      "optional: configure Stitch profiles and gateway-backed Foundry MCP wiring",
+    )
+    .option(
+      "--playwright",
+      "optional: include Playwright MCP server wiring",
     )
     .option(
       "--postman-api-key <key>",
@@ -7922,7 +7976,7 @@ function withInstallOptions(command) {
     .option("--no-mcp-tool-sync", "disable automatic MCP tool catalog sync")
     .option(
       "--no-foundry-mcp",
-      "disable side-by-side cubis-foundry MCP registration during --postman setup",
+      "deprecated: Postman/Stitch always use Cubis Foundry MCP gateway wiring",
     )
     .option(
       "--terminal-integration",
@@ -7934,7 +7988,7 @@ function withInstallOptions(command) {
     )
     .option(
       "--skill-profile <profile>",
-      "skill install profile: core|web-backend|full (default: core)",
+      "skill install profile: core|web-backend|full",
       DEFAULT_SKILL_PROFILE,
     )
     .option("--all-skills", "alias for --skill-profile full")
@@ -8343,6 +8397,7 @@ async function performWorkflowInstall(
     profilePaths: installResult.profilePaths,
     postmanSelection,
     overwrite: Boolean(options.overwrite),
+    persistCredentials: !options.initWizardMode,
     dryRun,
     cwd,
   });
@@ -9263,14 +9318,16 @@ async function runWorkflowRemoveAll(options) {
           dryRun,
           records: removedRecords,
         });
-        if (platform === "antigravity") {
-          await removePathRecord({
-            targetPath: resolveStitchMcpDefinitionPath({ scope, cwd }),
-            category: `${platform}/${scope}/stitch-mcp-definition`,
-            dryRun,
-            records: removedRecords,
-          });
-        }
+        await removePathRecord({
+          targetPath: resolveStitchMcpDefinitionPath({
+            platform,
+            scope,
+            cwd,
+          }),
+          category: `${platform}/${scope}/stitch-mcp-definition`,
+          dryRun,
+          records: removedRecords,
+        });
         const runtimeResults = await removePlatformMcpRuntimeTargets({
           platform,
@@ -9592,7 +9649,7 @@ function prepareConfigDocument(existingValue, { scope, generatedBy }) {
   if (!next.mcp || typeof next.mcp !== "object" || Array.isArray(next.mcp))
     next.mcp = {};
   next.mcp.scope = scope;
-  if (!next.mcp.server) next.mcp.server = POSTMAN_SKILL_ID;
+  if (!next.mcp.server) next.mcp.server = FOUNDRY_MCP_SERVER_ID;
   return next;
 }
@@ -9879,30 +9936,160 @@ function migrateInlineCredentialsInConfig(configValue) {
   };
 }
-async function collectInlineHeaderFindings({ scope, cwd = process.cwd() }) {
-  const findings = [];
-  const stitchDefinitionPath = resolveStitchMcpDefinitionPath({ scope, cwd });
-  const geminiSettingsPath =
+function resolveCredentialLeakScanTargets({ scope, cwd = process.cwd() }) {
+  const workspaceRoot = findWorkspaceRoot(cwd);
+  const targets = new Set([
+    resolveLegacyPostmanConfigPath({ scope, cwd }),
     scope === "global"
       ? path.join(os.homedir(), ".gemini", "settings.json")
-      : path.join(findWorkspaceRoot(cwd), ".gemini", "settings.json");
+      : path.join(workspaceRoot, ".gemini", "settings.json"),
+    scope === "global"
+      ? path.join(os.homedir(), ".claude", "mcp.json")
+      : path.join(workspaceRoot, ".mcp.json"),
+    scope === "global"
+      ? path.join(os.homedir(), ".copilot", "mcp-config.json")
+      : path.join(workspaceRoot, ".vscode", "mcp.json"),
+  ]);
-  const scanFile = async (filePath) => {
-    if (!(await pathExists(filePath))) return;
-    const raw = await readFile(filePath, "utf8");
-    const unsafeStitchHeader =
-      /X-Goog-Api-Key:(?!\s*\$\{[A-Za-z_][A-Za-z0-9_]*\})\s*[^"\n]+/i;
-    const unsafeBearerHeader = /"Authorization"\s*:\s*"Bearer\s+(?!\$\{)[^"]+/i;
-    if (unsafeStitchHeader.test(raw) || unsafeBearerHeader.test(raw)) {
-      findings.push(filePath);
+  if (scope === "global") {
+    targets.add(path.join(os.homedir(), ".codex", "config.toml"));
+  }
+  for (const platform of Object.keys(WORKFLOW_PROFILES)) {
+    targets.add(resolvePostmanMcpDefinitionPath({ platform, scope, cwd }));
+    targets.add(resolveStitchMcpDefinitionPath({ platform, scope, cwd }));
+  }
+  return [...targets];
+}
+function collectCredentialLeakMatches(raw) {
+  const matches = [];
+  const patterns = [
+    {
+      id: "inline-apiKey-field",
+      pattern: /"apiKey"\s*:\s*"(?!\$\{)[^"]+/i,
+    },
+    {
+      id: "inline-bearer-header-json",
+      pattern: /"Authorization"\s*:\s*"Bearer\s+(?!\$\{)[^"]+/i,
+    },
+    {
+      id: "inline-bearer-header-toml",
+      pattern:
+        /http_headers\s*=\s*\{[^}]*Authorization\s*=\s*"Bearer\s+(?!\$\{)[^"]+/is,
+    },
+    {
+      id: "inline-stitch-header-arg",
+      pattern: /X-Goog-Api-Key:(?!\s*\$\{[A-Za-z_][A-Za-z0-9_]*\})\s*[^"\n]+/i,
+    },
+    {
+      id: "inline-stitch-header-json",
+      pattern: /"X-Goog-Api-Key"\s*:\s*"(?!\$\{)[^"]+/i,
+    },
+  ];
+  for (const { id, pattern } of patterns) {
+    if (pattern.test(raw)) {
+      matches.push(id);
     }
-  };
+  }
+  return matches;
+}
-  await scanFile(stitchDefinitionPath);
-  await scanFile(geminiSettingsPath);
+async function collectCredentialLeakFindings({ scope, cwd = process.cwd() }) {
+  const findings = [];
+  for (const filePath of resolveCredentialLeakScanTargets({ scope, cwd })) {
+    if (!(await pathExists(filePath))) continue;
+    const raw = await readFile(filePath, "utf8");
+    const matches = collectCredentialLeakMatches(raw);
+    if (matches.length > 0) {
+      findings.push({ filePath, matches });
+    }
+  }
   return findings;
 }
+async function cleanupLegacyDirectCredentialArtifacts({
+  scope,
+  dryRun = false,
+  cwd = process.cwd(),
+}) {
+  const workspaceRoot = findWorkspaceRoot(cwd);
+  const cleanupResults = [];
+  const legacyServerIds = [POSTMAN_SKILL_ID, STITCH_MCP_SERVER_ID];
+  cleanupResults.push(
+    await removeMcpRuntimeEntriesJson({
+      filePath:
+        scope === "global"
+          ? path.join(os.homedir(), ".gemini", "settings.json")
+          : path.join(workspaceRoot, ".gemini", "settings.json"),
+      keyName: "mcpServers",
+      serverIds: legacyServerIds,
+      dryRun,
+    }),
+  );
+  cleanupResults.push(
+    await removeMcpRuntimeEntriesJson({
+      filePath:
+        scope === "global"
+          ? path.join(os.homedir(), ".claude", "mcp.json")
+          : path.join(workspaceRoot, ".mcp.json"),
+      keyName: "mcpServers",
+      serverIds: legacyServerIds,
+      dryRun,
+    }),
+  );
+  if (scope === "global") {
+    cleanupResults.push(
+      await removeMcpRuntimeEntriesJson({
+        filePath: path.join(os.homedir(), ".copilot", "mcp-config.json"),
+        keyName: "mcpServers",
+        serverIds: legacyServerIds,
+        dryRun,
+      }),
+    );
+    cleanupResults.push(
+      await removeMcpRuntimeEntriesCodexToml({
+        filePath: path.join(os.homedir(), ".codex", "config.toml"),
+        serverIds: legacyServerIds,
+        dryRun,
+        cwd,
+      }),
+    );
+  } else {
+    cleanupResults.push(
+      await removeMcpRuntimeEntriesJson({
+        filePath: path.join(workspaceRoot, ".vscode", "mcp.json"),
+        keyName: "servers",
+        serverIds: legacyServerIds,
+        dryRun,
+      }),
+    );
+  }
+  for (const platform of Object.keys(WORKFLOW_PROFILES)) {
+    cleanupResults.push(
+      await removeGeneratedArtifactIfExists({
+        targetPath: resolvePostmanMcpDefinitionPath({ platform, scope, cwd }),
+        dryRun,
+      }),
+    );
+    cleanupResults.push(
+      await removeGeneratedArtifactIfExists({
+        targetPath: resolveStitchMcpDefinitionPath({ platform, scope, cwd }),
+        dryRun,
+      }),
+    );
+  }
+  return cleanupResults.filter(
+    (item) => item.action !== "missing" && item.action !== "unchanged",
+  );
+}
 async function runWorkflowConfigKeysList(options) {
   try {
     const opts = resolveActionOptions(options);
@@ -10178,6 +10365,7 @@ async function runWorkflowConfigKeysMigrateInline(options) {
     const scopeArg = readCliOptionFromArgv("--scope");
     const scope = normalizeMcpScope(scopeArg ?? opts.scope, "global");
     const dryRun = hasCliFlag("--dry-run") || Boolean(opts.dryRun);
+    await loadManagedCredentialsEnv();
     const { configPath, existing, existingValue } = await loadConfigForScope({
       scope,
@@ -10194,6 +10382,22 @@ async function runWorkflowConfigKeysMigrateInline(options) {
       existingExists: existing.exists,
       dryRun,
     });
+    const cleanupResults = await cleanupLegacyDirectCredentialArtifacts({
+      scope,
+      dryRun,
+      cwd,
+    });
+    const platform = normalizePlatform(result.next?.mcp?.platform);
+    const secureArtifacts =
+      platform && WORKFLOW_PROFILES[platform]
+        ? await applyPostmanConfigArtifacts({
+            platform,
+            mcpScope: resolveMcpScopeFromConfigDocument(result.next, scope),
+            configValue: result.next,
+            dryRun,
+            cwd,
+          })
+        : null;
     console.log(`Config file: ${configPath}`);
     console.log(`Action: ${action}`);
@@ -10209,6 +10413,21 @@ async function runWorkflowConfigKeysMigrateInline(options) {
         console.log(`- ${envVar}`);
       }
     }
+    console.log(`Legacy direct MCP cleanup actions: ${cleanupResults.length}`);
+    for (const cleanup of cleanupResults) {
+      console.log(`- ${cleanup.action} ${cleanup.path}`);
+    }
+    if (secureArtifacts?.mcpRuntimeResult) {
+      console.log(
+        `Secure platform MCP target: ${secureArtifacts.mcpRuntimeResult.action} (${secureArtifacts.mcpRuntimeResult.path || "n/a"})`,
+      );
+    }
+    for (const cleanup of secureArtifacts?.legacyDefinitionCleanupResults || []) {
+      console.log(`- ${cleanup.action} ${cleanup.path}`);
+    }
+    for (const warning of secureArtifacts?.warnings || []) {
+      console.log(`Warning: ${warning}`);
+    }
   } catch (error) {
     if (error?.name === "ExitPromptError") {
       console.error("\nCancelled.");
@@ -10225,6 +10444,7 @@ async function runWorkflowConfigKeysDoctor(options) {
     const cwd = process.cwd();
     const scopeArg = readCliOptionFromArgv("--scope");
     const scope = normalizeMcpScope(scopeArg ?? opts.scope, "global");
+    await loadManagedCredentialsEnv();
     const { configPath, existing, existingValue } = await loadConfigForScope({
       scope,
       cwd,
@@ -10237,7 +10457,7 @@ async function runWorkflowConfigKeysDoctor(options) {
     }
     const configFindings = collectInlineCredentialFindings(existingValue);
-    const artifactFindings = await collectInlineHeaderFindings({ scope, cwd });
+    const artifactFindings = await collectCredentialLeakFindings({ scope, cwd });
     const migrationPreview = migrateInlineCredentialsInConfig(existingValue);
     console.log(`Inline key findings: ${configFindings.length}`);
@@ -10245,9 +10465,9 @@ async function runWorkflowConfigKeysDoctor(options) {
       console.log(`- ${finding.path}`);
     }
-    console.log(`Unsafe header findings: ${artifactFindings.length}`);
-    for (const filePath of artifactFindings) {
-      console.log(`- ${filePath}`);
+    console.log(`Credential leak findings: ${artifactFindings.length}`);
+    for (const finding of artifactFindings) {
+      console.log(`- ${finding.filePath} [${finding.matches.join(", ")}]`);
     }
     if (migrationPreview.requiredEnvVars.length > 0) {
@@ -10263,7 +10483,7 @@ async function runWorkflowConfigKeysDoctor(options) {
       console.log(
         "Doctor result: issues detected. Run `cbx workflows config keys migrate-inline --scope " +
           scope +
-          "` and reinstall with `--overwrite`.",
+          "` to scrub keys and reapply secure Foundry MCP wiring.",
       );
     }
   } catch (error) {
@@ -10501,6 +10721,7 @@ async function runWorkflowConfig(options) {
     if (!next.mcp || typeof next.mcp !== "object" || Array.isArray(next.mcp)) {
       next.mcp = {};
     }
+    next.mcp.server = FOUNDRY_MCP_SERVER_ID;
     if (hasMcpRuntimeOption) {
       next.mcp.runtime = mcpRuntime;
       next.mcp.effectiveRuntime = mcpRuntime;
@@ -10572,15 +10793,10 @@ async function runWorkflowConfig(options) {
       console.log(`postman.mode: ${effectivePostmanMode}`);
       console.log(`postman.mcpUrl: ${effectivePostmanState.mcpUrl}`);
       if (postmanArtifacts) {
-        console.log(
-          `postman.definition: ${postmanArtifacts.mcpDefinitionResult.action} (${postmanArtifacts.mcpDefinitionPath})`,
-        );
-        if (
-          postmanArtifacts.stitchMcpDefinitionPath &&
-          postmanArtifacts.stitchMcpDefinitionResult
-        ) {
+        for (const cleanupResult of postmanArtifacts.legacyDefinitionCleanupResults ||
+          []) {
           console.log(
-            `stitch.definition: ${postmanArtifacts.stitchMcpDefinitionResult.action} (${postmanArtifacts.stitchMcpDefinitionPath})`,
+            `legacy.definition.cleanup: ${cleanupResult.action} (${cleanupResult.path})`,
           );
         }
         if (postmanArtifacts.mcpRuntimeResult) {
@@ -11884,7 +12100,12 @@ function normalizeInitPlatforms(value) {
 }
 function normalizeInitMcpSelections(value) {
-  const allowed = new Set(["cubis-foundry", "postman", "stitch"]);
+  const allowed = new Set([
+    "cubis-foundry",
+    "postman",
+    "stitch",
+    "playwright",
+  ]);
   const items = Array.isArray(value) ? value : parseCsvOption(value);
   const normalized = [];
   for (const item of items) {
@@ -12012,7 +12233,9 @@ async function runInitWizard(options) {
       throw new Error("No platforms selected.");
     }
-    const runtimeSelectableMcp = selections.selectedMcps.length > 0;
+    const runtimeSelectableMcp = selections.selectedMcps.some(
+      (item) => item !== "playwright",
+    );
     if (runtimeSelectableMcp && isInteractive) {
       const runtimeSelection = await promptInitMcpRuntime({
@@ -12185,11 +12408,16 @@ async function runInitWizard(options) {
     }
     if (emitJson) {
+      const sanitizedSelections = {
+        ...selections,
+        postmanApiKey: selections.postmanApiKey ? "***REDACTED***" : null,
+        stitchApiKey: selections.stitchApiKey ? "***REDACTED***" : null,
+      };
       console.log(
         JSON.stringify(
           {
             dryRun,
-            selections,
+            selections: sanitizedSelections,
             results,
             persistedCredentials,
           },