@freshworks/shiftleft-tools 1.1.8

package/src/commands/link.js

@@ -0,0 +1,172 @@
+import {
+    existsSync,
+    lstatSync,
+    rmSync,
+    symlinkSync,
+    statSync,
+    readdirSync,
+    mkdirSync,
+} from 'fs';
+import { dirname, join } from 'path';
+import { ensureGitignoreEntries } from '../utils/gitignore.js';
+import ora from 'ora';
+import { TEMPLATES_DIR, copyTemplate } from '../utils/template.js';
+import { copyTemplateTree } from '../utils/copy-tree.js';
+import { detectStack } from '../utils/stack.js';
+import {
+    loadManifest,
+    createManifest,
+    saveManifest,
+    recordFile,
+    manifestKey,
+} from '../utils/manifest.js';
+import { logger } from '../utils/logger.js';
+
+const GITIGNORE_HEADER = '# shiftleft managed symlinks (not committed)';
+
+/**
+ * Cursor rule files to expose for a stack, mapped template -> dest filename.
+ * Mirrors the stack selection init-rules used when it copied rules.
+ */
+function cursorRuleLinks(stack) {
+    if (stack === 'node') {
+        return [{ template: 'rules/testing-node.mdc', dest: 'testing.mdc' }];
+    }
+    if (stack === 'java') {
+        return [
+            { template: 'rules/testing.mdc', dest: 'testing.mdc' },
+            { template: 'rules/local-test-setup.mdc', dest: 'local-test-setup.mdc' },
+        ];
+    }
+    // Unknown stack: expose every rule template as-is.
+    return readdirSync(join(TEMPLATES_DIR, 'rules')).map((f) => ({ template: `rules/${f}`, dest: f }));
+}
+
+function removeExisting(p) {
+    try {
+        lstatSync(p); // throws if absent
+        rmSync(p, { recursive: true, force: true });
+    } catch {
+        /* nothing there */
+    }
+}
+
+function ensureParent(p) {
+    const dir = dirname(p);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+}
+
+/** Create a symlink, replacing whatever is at linkPath. Returns true on success. */
+function trySymlink(target, linkPath) {
+    try {
+        ensureParent(linkPath);
+        removeExisting(linkPath);
+        const type = statSync(target).isDirectory() ? 'dir' : 'file';
+        symlinkSync(target, linkPath, type);
+        return true;
+    } catch {
+        return false;
+    }
+}
+
+function addToList(list, value) {
+    if (!list.includes(value)) list.push(value);
+}
+
+/**
+ * Point a repo's Cursor assets at the installed package's templates via
+ * symlinks, so `npm i -g shiftleft-tools@latest` updates every repo at
+ * once. Claude Code skills come from the plugin, not from here.
+ *
+ * In locked-down environments (no symlink permission, or `--copy`), falls back
+ * to copying the content and recording it as managed files instead.
+ *
+ * Pass `manifest` to operate on a caller-owned manifest (caller saves);
+ * otherwise this loads and saves `.shiftleft.json` itself.
+ *
+ * @returns {{ linked: string[], copied: string[], symlinkMode: boolean }}
+ */
+export function linkAssets(cwd, opts = {}) {
+    const { skills = true, rules = true, copy = false } = opts;
+    const ownManifest = !opts.manifest;
+    const stack = opts.stack || opts.manifest?.stack || detectStack(cwd);
+    const manifest = opts.manifest || loadManifest(cwd) || createManifest(stack);
+    manifest.symlinks = manifest.symlinks || [];
+
+    const linked = [];
+    const copied = [];
+    let symlinkMode = true;
+
+    const targets = [];
+    if (skills) {
+        targets.push({
+            rel: '.cursor/skills',
+            target: join(TEMPLATES_DIR, 'skills'),
+            fallback: () => copyTemplateTree('skills', join(cwd, '.cursor/skills'), {}, {
+                force: true, manifest, cwd,
+            }),
+        });
+    }
+    if (rules) {
+        for (const { template, dest } of cursorRuleLinks(stack)) {
+            const rel = `.cursor/rules/${dest}`;
+            targets.push({
+                rel,
+                target: join(TEMPLATES_DIR, template),
+                fallback: () => {
+                    const res = copyTemplate(template, join(cwd, rel), {}, { force: true });
+                    recordFile(manifest, cwd, rel, res.content, { template });
+                },
+            });
+        }
+    }
+
+    for (const t of targets) {
+        const linkPath = join(cwd, t.rel);
+        const key = manifestKey(cwd, t.rel);
+
+        if (!copy && trySymlink(t.target, linkPath)) {
+            addToList(manifest.symlinks, t.rel);
+            delete manifest.managed[key]; // no longer a content-managed file
+            linked.push(t.rel);
+        } else {
+            symlinkMode = false;
+            removeExisting(linkPath); // drop a stale symlink before copying
+            t.fallback();
+            manifest.symlinks = manifest.symlinks.filter((s) => s !== t.rel);
+            copied.push(t.rel);
+        }
+    }
+
+    // Phase C drops the per-repo Claude skills copy (plugin replaces it). Prune
+    // any leftover .claude/skills entries from earlier (copy-based) versions.
+    for (const k of Object.keys(manifest.managed)) {
+        if (k.startsWith('.claude/skills/')) delete manifest.managed[k];
+    }
+
+    if (linked.length) ensureGitignoreEntries(join(cwd, '.gitignore'), linked, GITIGNORE_HEADER);
+    if (ownManifest) saveManifest(cwd, manifest);
+
+    return { linked, copied, symlinkMode };
+}
+
+/**
+ * CLI: shiftleft link
+ */
+export function link(options = {}) {
+    const cwd = process.cwd();
+    const spinner = ora(options.copy ? 'Copying Cursor assets...' : 'Linking Cursor assets...').start();
+
+    const { linked, copied, symlinkMode } = linkAssets(cwd, {
+        stack: options.stack,
+        copy: options.copy,
+    });
+
+    if (symlinkMode) {
+        spinner.succeed(`Linked ${linked.length} Cursor asset(s) to the installed shiftleft-tools package`);
+        logger.info('These are symlinks (gitignored). Run "shiftleft link" after a fresh clone or "npm i -g shiftleft-tools".');
+    } else {
+        spinner.succeed(`Copied ${copied.length} Cursor asset(s) (symlinks unavailable — using copies)`);
+    }
+    logger.info('Claude Code skills are provided by the shiftleft-tools plugin — install it once, not per repo.');
+}

package/src/commands/protect.js

@@ -0,0 +1,61 @@
+import { existsSync } from 'fs';
+import { join } from 'path';
+import { loadManifest, saveManifest, getProtectedPaths, normalizeScriptPath } from '../utils/manifest.js';
+import { logger } from '../utils/logger.js';
+
+/**
+ * CLI: shiftleft protect [paths...] [--remove] [--list]
+ *
+ * Marks library scripts (relative to postman/scripts/) as repo-owned so
+ * `shiftleft test` / `stage-scripts` won't overwrite them from the package.
+ * Use for a customized library script, e.g.
+ *   shiftleft protect runners/run-tests-local.sh runners/run-tests-staging.sh
+ */
+export function protect(paths = [], options = {}) {
+    const cwd = process.cwd();
+    const manifest = loadManifest(cwd);
+
+    if (!manifest) {
+        logger.error('This project is not managed by shiftleft-tools (no .shiftleft.json). Run "shiftleft init-postman" first.');
+        process.exit(1);
+    }
+
+    const current = getProtectedPaths(manifest);
+
+    if (options.list || (paths.length === 0 && !options.remove)) {
+        if (current.length === 0) {
+            logger.info('No protected paths. Add one with: shiftleft protect runners/run-tests-local.sh');
+        } else {
+            logger.info('Protected library scripts (not overwritten by staging):');
+            for (const p of current) console.log(`  ${p}`);
+        }
+        return;
+    }
+
+    const normalized = paths.map(normalizeScriptPath).filter(Boolean);
+
+    if (options.remove) {
+        const set = new Set(current);
+        const removed = normalized.filter((p) => set.has(p));
+        manifest.protected = current.filter((p) => !normalized.includes(p));
+        if (manifest.protected.length === 0) delete manifest.protected;
+        saveManifest(cwd, manifest);
+        logger.success(removed.length ? `Unprotected: ${removed.join(', ')}` : 'Nothing to unprotect (paths were not in the list).');
+        return;
+    }
+
+    // Add. Warn (don't block) if the path isn't present under postman/scripts.
+    for (const p of normalized) {
+        if (!existsSync(join(cwd, 'postman/scripts', p))) {
+            logger.warn(`${p} does not exist under postman/scripts/ yet — protect it once it's committed, or it will be missing on a fresh clone.`);
+        }
+    }
+
+    const merged = Array.from(new Set([...current, ...normalized])).sort();
+    manifest.protected = merged;
+    saveManifest(cwd, manifest);
+
+    logger.success(`Protected ${normalized.length} path(s). Staging will no longer overwrite:`);
+    for (const p of merged) console.log(`  ${p}`);
+    logger.info('Keep these files committed (or gitignore-excepted) so they survive a fresh clone.');
+}

package/src/commands/run-tests.js

@@ -0,0 +1,182 @@
+import { existsSync, readdirSync, statSync, chmodSync } from 'fs';
+import { join, dirname, parse } from 'path';
+import { spawnSync } from 'child_process';
+import { copyTemplate } from '../utils/template.js';
+import { copyTemplateTree } from '../utils/copy-tree.js';
+import { detectStack, inferServiceName, buildContext, NODE_BASE_SCRIPT_EXCLUDES } from '../utils/stack.js';
+import { loadManifest, getProtectedPaths } from '../utils/manifest.js';
+import { logger } from '../utils/logger.js';
+
+/**
+ * Entries (relative to postman/.gitignore) covering the staged script cache.
+ * Kept in sync with what stageScripts materializes.
+ */
+export const STAGED_GITIGNORE_ENTRIES = [
+    'scripts/.run-all-impl.sh',
+    'scripts/auth/',
+    'scripts/database/',
+    'scripts/infra/',
+    'scripts/lib/',
+    'scripts/report-generators/',
+    'scripts/runners/',
+];
+
+export const STAGED_GITIGNORE_HEADER =
+    '# shiftleft staged scripts (machine-local cache; refreshed by `shiftleft test`)';
+
+/**
+ * Walk up from `start` to the repo root: the first directory containing a
+ * postman/ dir alongside a pom.xml or package.json. Lets `shiftleft test`
+ * work both from the repo root and from inside postman/scripts (where
+ * Jenkins and humans traditionally invoke run-all.sh).
+ */
+export function findRepoRoot(start) {
+    let dir = start;
+    const { root } = parse(start);
+    while (true) {
+        if (
+            existsSync(join(dir, 'postman')) &&
+            (existsSync(join(dir, 'pom.xml')) || existsSync(join(dir, 'package.json')))
+        ) {
+            return dir;
+        }
+        if (dir === root) return null;
+        dir = dirname(dir);
+    }
+}
+
+function chmodShellScripts(dir) {
+    for (const entry of readdirSync(dir)) {
+        const p = join(dir, entry);
+        if (statSync(p).isDirectory()) chmodShellScripts(p);
+        else if (entry.endsWith('.sh')) chmodSync(p, 0o755);
+    }
+}
+
+/**
+ * Materialize the packaged library scripts into <repo>/postman/scripts.
+ *
+ * The scripts derive POSTMAN_DIR / PROJECT_ROOT from their own location
+ * (BASH_SOURCE), so they must physically live at postman/scripts — they are
+ * staged there as a gitignored, machine-local cache rather than vendored.
+ * The orchestrator stages as `.run-all-impl.sh` so the committed run-all.sh
+ * shim keeps its name. Repo-owned files (setup-mocks.js, wiremock/) are
+ * never touched, and any library scripts listed under `protected` in
+ * .shiftleft.json (paths relative to postman/scripts/, e.g. a customized
+ * runners/run-tests-local.sh) are left in place rather than overwritten.
+ *
+ * @returns {{ staged: number, stack: string, protected: string[] }}
+ */
+export function stageScripts(cwd, opts = {}) {
+    const stack = opts.stack || detectStack(cwd);
+    if (!stack) {
+        throw new Error('Could not detect project stack (no pom.xml or package.json).');
+    }
+    const context = buildContext(inferServiceName(cwd), stack);
+    const scriptsDir = join(cwd, 'postman/scripts');
+
+    // Repo-owned library scripts the package must not clobber on stage.
+    const protectedPaths = getProtectedPaths(loadManifest(cwd));
+    const baseExcludes = (stack === 'node' ? NODE_BASE_SCRIPT_EXCLUDES : ['run-all.sh']).concat(protectedPaths);
+
+    let staged = copyTemplateTree('postman/scripts', scriptsDir, context, {
+        force: true,
+        excludeDirs: ['wiremock'],
+        excludePaths: baseExcludes,
+    }).copied;
+
+    if (stack === 'node') {
+        staged += copyTemplateTree('postman-node/scripts', scriptsDir, context, {
+            force: true,
+            excludeFiles: ['run-all.sh', 'setup-mocks.js.ejs'],
+            excludePaths: protectedPaths,
+        }).copied;
+    }
+
+    const implTemplate = stack === 'node' ? 'postman-node/scripts/run-all.sh' : 'postman/scripts/run-all.sh';
+    copyTemplate(implTemplate, join(scriptsDir, '.run-all-impl.sh'), context, { force: true });
+    staged++;
+
+    chmodShellScripts(scriptsDir);
+    chmodSync(join(scriptsDir, '.run-all-impl.sh'), 0o755);
+
+    return { staged, stack, protected: protectedPaths };
+}
+
+/**
+ * CLI: shiftleft stage-scripts
+ */
+export function stageScriptsCommand(options = {}) {
+    const root = findRepoRoot(process.cwd());
+    if (!root) {
+        logger.error('No postman/ directory found here or above. Run "shiftleft init-postman" first.');
+        process.exit(1);
+    }
+    const { staged, stack } = stageScripts(root, { stack: options.stack });
+    logger.success(`Staged ${staged} script files into postman/scripts (${stack}).`);
+}
+
+/**
+ * Find a bash >= 4 on the system and return its absolute path, or null.
+ * The scripts use bash-4 features (associative arrays, `${x^^}`, mapfile);
+ * macOS ships bash 3.2, so we locate a newer one rather than rely on the
+ * `#!/usr/bin/env bash` shebang resolving to the wrong version.
+ */
+export function resolveBash() {
+    // macOS Homebrew paths, then the PATH bash, then common Linux/CI locations.
+    for (const cand of ['/opt/homebrew/bin/bash', '/usr/local/bin/bash', 'bash', '/usr/bin/bash', '/bin/bash']) {
+        try {
+            const r = spawnSync(cand, ['-c', 'echo "${BASH_VERSINFO[0]:-0} ${BASH}"'], { encoding: 'utf8' });
+            if (r.status === 0) {
+                const [major, path] = r.stdout.trim().split(/\s+/);
+                if (parseInt(major, 10) >= 4 && path) return path;
+            }
+        } catch {
+            /* try next candidate */
+        }
+    }
+    return null;
+}
+
+/**
+ * CLI: shiftleft test [run-all flags...]
+ * Stages the latest scripts, then runs the packaged orchestrator with all
+ * arguments passed through.
+ */
+export function runTests(args = []) {
+    const root = findRepoRoot(process.cwd());
+    if (!root) {
+        logger.error('No postman/ directory found here or above. Run "shiftleft init-postman" first.');
+        process.exit(1);
+    }
+
+    const bash = resolveBash();
+    if (!bash) {
+        logger.error('shiftleft test requires bash >= 4, but only an older bash was found.');
+        logger.error('macOS ships bash 3.2; install a newer one:  brew install bash');
+        process.exit(1);
+    }
+
+    let impl;
+    try {
+        stageScripts(root);
+        impl = join(root, 'postman/scripts/.run-all-impl.sh');
+    } catch (error) {
+        logger.error(`Failed to stage scripts: ${error.message}`);
+        process.exit(1);
+    }
+
+    // Run via the resolved bash, and put it first on PATH so the sub-scripts
+    // the orchestrator calls (their own `#!/usr/bin/env bash`) also use it.
+    const result = spawnSync(bash, [impl, ...args], {
+        cwd: join(root, 'postman/scripts'),
+        stdio: 'inherit',
+        env: { ...process.env, PATH: `${dirname(bash)}:${process.env.PATH}` },
+    });
+
+    if (result.error) {
+        logger.error(`Failed to run tests: ${result.error.message}`);
+        process.exit(1);
+    }
+    process.exit(result.status ?? 1);
+}

package/src/commands/setup-pipeline.js

@@ -0,0 +1,209 @@
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import ora from 'ora';
+import inquirer from 'inquirer';
+import { ensureDir, syncTemplate } from '../utils/template.js';
+import { detectStack, inferServiceName, buildContext } from '../utils/stack.js';
+import { loadManifest, createManifest, saveManifest } from '../utils/manifest.js';
+import { ensureGitignoreEntries } from '../utils/gitignore.js';
+import { stageScripts, STAGED_GITIGNORE_ENTRIES, STAGED_GITIGNORE_HEADER } from './run-tests.js';
+import { logger } from '../utils/logger.js';
+
+/**
+ * Audit what pipeline components exist in the current project.
+ */
+function auditPipeline(cwd) {
+    const stack = detectStack(cwd);
+    const isJava = stack === 'java';
+    const isNode = stack === 'node';
+
+    const audit = {
+        type: stack,
+        unitTests: false,
+        coverage: false,
+        postman: false,
+        postmanScripts: false,
+        runAllModern: false,
+        mutation: false,
+        apiCoverage: false,
+        qualityReport: false,
+        jenkinsfile: false,
+        jenkinsfileMutationStage: false,
+        jenkinsfileQualityReport: false,
+    };
+
+    if (!stack) return audit;
+
+    if (isJava) {
+        audit.unitTests = existsSync(join(cwd, 'src/test/java'));
+        const pomContent = readFileSync(join(cwd, 'pom.xml'), 'utf8');
+        audit.coverage = pomContent.includes('jacoco');
+        audit.mutation = pomContent.includes('pitest-maven');
+    } else {
+        const pkgContent = JSON.parse(readFileSync(join(cwd, 'package.json'), 'utf8'));
+        const scripts = pkgContent.scripts || {};
+        audit.unitTests = !!(scripts.test || scripts['unit-tests']);
+        audit.coverage = !!(scripts['test:coverage'] || pkgContent.nyc);
+        audit.mutation = !!(scripts['mutation-tests'] || scripts['mutation-tests:full']);
+    }
+
+    const postmanDir = join(cwd, 'postman');
+    const scriptsDir = join(postmanDir, 'scripts');
+    audit.postman = existsSync(postmanDir);
+    audit.postmanScripts = existsSync(scriptsDir);
+
+    const runAllPath = join(scriptsDir, 'run-all.sh');
+    if (existsSync(runAllPath)) {
+        const runAllContent = readFileSync(runAllPath, 'utf8');
+        // The shiftleft shim delegates to the packaged orchestrator, which is
+        // always current — treat it as modern alongside legacy full copies.
+        audit.runAllModern =
+            runAllContent.includes('shiftleft test') ||
+            (runAllContent.includes('--skip-report') &&
+                runAllContent.includes('--skip-unit') &&
+                runAllContent.includes('--no-delay'));
+    }
+
+    const coverageScript = isJava
+        ? join(scriptsDir, 'report-generators/java-api-coverage-matrix.sh')
+        : join(scriptsDir, 'report-generators/node-api-coverage-matrix.sh');
+    audit.apiCoverage = existsSync(coverageScript);
+
+    audit.qualityReport =
+        existsSync(join(scriptsDir, 'report-generators/stage-report-artifacts.sh')) &&
+        existsSync(join(scriptsDir, 'lib', 'report_generator.py'));
+
+    const jenkinsfilePath = join(cwd, 'Jenkinsfile');
+    if (existsSync(jenkinsfilePath)) {
+        audit.jenkinsfile = true;
+        const jfContent = readFileSync(jenkinsfilePath, 'utf8');
+        audit.jenkinsfileMutationStage =
+            jfContent.includes('Mutation') || jfContent.includes('mutation');
+        audit.jenkinsfileQualityReport =
+            jfContent.includes('QualityReport') || jfContent.includes('quality-report');
+    }
+
+    return audit;
+}
+
+function printAuditReport(audit) {
+    const status = (ok, label) => {
+        if (ok === 'stale') return `  \x1b[33mSTALE\x1b[0m    ${label}`;
+        return ok
+            ? `  \x1b[32mPRESENT\x1b[0m  ${label}`
+            : `  \x1b[31mMISSING\x1b[0m  ${label}`;
+    };
+
+    console.log('\n\x1b[1mPipeline Audit Results\x1b[0m');
+    console.log('======================');
+    if (!audit.type) {
+        console.log('  Could not detect project type (no pom.xml or package.json found).');
+        return;
+    }
+    console.log(`  Project type: \x1b[1m${audit.type === 'java' ? 'Java / Spring Boot' : 'Node.js / Express'}\x1b[0m\n`);
+    console.log(status(audit.unitTests, 'Unit tests'));
+    console.log(status(audit.coverage, audit.type === 'java' ? 'JaCoCo coverage' : 'nyc/Istanbul coverage'));
+    console.log(status(audit.postman, 'Postman infrastructure (postman/ directory)'));
+    if (audit.postman) {
+        console.log(status(audit.runAllModern ? true : audit.postmanScripts ? 'stale' : false,
+            'run-all.sh (modern — with --skip-*, --env, --no-delay flags)'));
+    }
+    console.log(status(audit.mutation, audit.type === 'java' ? 'PIT mutation testing' : 'Stryker mutation testing'));
+    console.log(status(
+        audit.apiCoverage,
+        audit.type === 'java'
+            ? 'report-generators/java-api-coverage-matrix.sh'
+            : 'report-generators/node-api-coverage-matrix.sh',
+    ));
+    console.log(status(audit.qualityReport, 'Quality report (stage-report-artifacts.sh + report_generator.py)'));
+    console.log(status(audit.jenkinsfile, 'Jenkinsfile'));
+    if (audit.jenkinsfile) {
+        console.log(status(audit.jenkinsfileMutationStage, '  └─ Mutation Tests stage'));
+        console.log(status(audit.jenkinsfileQualityReport, '  └─ Quality report generation'));
+    }
+    console.log('');
+}
+
+/**
+ * Main setup-pipeline command.
+ */
+export async function setupPipeline(options) {
+    const cwd = process.cwd();
+
+    console.log('\n\x1b[1m\x1b[34mDev-Tools: Test Pipeline Setup\x1b[0m\n');
+
+    const auditSpinner = ora('Auditing pipeline components...').start();
+    const audit = auditPipeline(cwd);
+    auditSpinner.succeed('Audit complete');
+
+    printAuditReport(audit);
+
+    if (!audit.type) {
+        logger.error('Could not detect project type. Run this from your project root (pom.xml or package.json).');
+        process.exit(1);
+    }
+
+    const hasGaps = !audit.unitTests || !audit.coverage || !audit.mutation ||
+        !audit.apiCoverage || !audit.qualityReport || !audit.runAllModern ||
+        !audit.jenkinsfileMutationStage || !audit.jenkinsfileQualityReport;
+
+    if (!hasGaps && !options.force) {
+        logger.success('Pipeline looks complete! Use --force to re-copy scripts anyway.');
+        console.log('\nTo finish setup, invoke: /enhance-test-pipeline\n');
+        return;
+    }
+
+    if (!options.yes) {
+        const { proceed } = await inquirer.prompt([
+            {
+                type: 'confirm',
+                name: 'proceed',
+                message: 'Copy missing/stale scripts from templates? (AI skill still needed for mutation config and Jenkinsfile)',
+                default: true,
+            },
+        ]);
+        if (!proceed) {
+            logger.info('Aborted. No changes made.');
+            return;
+        }
+    }
+
+    ensureDir(join(cwd, 'postman/scripts'));
+
+    const copySpinner = ora('Setting up pipeline scripts...').start();
+    const force = options.force || false;
+    const context = buildContext(inferServiceName(cwd), audit.type);
+
+    const manifest = loadManifest(cwd) || createManifest(audit.type);
+    manifest.stack = audit.type;
+
+    // Committed entrypoint is a thin shim; library scripts are staged from the
+    // package (gitignored cache) rather than vendored.
+    const shim = syncTemplate('postman/run-all-shim.sh', join(cwd, 'postman/scripts/run-all.sh'), context, {
+        manifest, cwd, force, adopt: true,
+    });
+    ensureGitignoreEntries(join(cwd, 'postman/.gitignore'), STAGED_GITIGNORE_ENTRIES, STAGED_GITIGNORE_HEADER);
+    const { staged } = stageScripts(cwd, { stack: audit.type });
+
+    saveManifest(cwd, manifest);
+
+    copySpinner.succeed(
+        `run-all.sh shim ${shim.status === 'conflict' ? 'CONFLICT (see .shiftleft-new)' : 'in place'}, `
+        + `${staged} library scripts staged from package`
+    );
+
+    console.log('\n\x1b[1mNext Steps\x1b[0m');
+    console.log('==========');
+    console.log('\nScripts are copied. Use AI skills for config that requires repo inspection:');
+
+    if (!audit.mutation) {
+        console.log(`\n  1. \x1b[33mMutation testing\x1b[0m → /setup-mutation-tests`);
+    }
+    if (!audit.jenkinsfileMutationStage || !audit.jenkinsfileQualityReport) {
+        console.log(`\n  2. \x1b[33mJenkinsfile wiring\x1b[0m → /enhance-test-pipeline`);
+    }
+    if (audit.type === 'node' && !audit.postman) {
+        console.log(`\n  3. \x1b[33mPostman infrastructure\x1b[0m → shiftleft init-postman --stack node`);
+    }
+    console.log('\n  Full audit: /enhance-test-pipeline\n');
+}