@iamsaroj/replicax 0.0.3 → 0.0.5

package/dist/index.js

@@ -60,21 +60,24 @@ var logger = {
 };
 
 // src/commands/init.ts
-import path6 from "path";
-import fs5 from "fs-extra";
+import path7 from "path";
+import fs6 from "fs-extra";
 import ora from "ora";
 import { confirm } from "@inquirer/prompts";
 
 // src/constants.ts
 var REPLICAX_DIR = ".replicax";
 var IGNORE_FILE = ".replicaxignore";
-var REPLICAX_VERSION = "2.0.0";
+var INCLUDE_FILE = ".replicaxinclude";
+var ROOT_SKILL_FILE = "SKILL.md";
+var REPLICAX_VERSION = "2.2.0";
 var PROFILE_FILES = {
   profile: "profile.json",
   tooling: "tooling.json",
   structure: "structure.json",
   metadata: "metadata.json",
-  checksum: "checksum.json"
+  checksum: "checksum.json",
+  manifest: "manifest.json"
 };
 var SCAN_PRUNE_GLOBS = [
   "**/node_modules/**",
@@ -99,6 +102,7 @@ var SCAN_PRUNE_GLOBS = [
   "**/.fleet/**",
   "**/.zed/**"
 ];
+var INCLUDE_PRUNE_GLOBS = ["**/node_modules/**", "**/.git/**", `**/${REPLICAX_DIR}/**`];
 var DEFAULT_IGNORE_PATTERNS = [
   "node_modules/",
   ".git/",
@@ -181,9 +185,9 @@ yarn-error.log*
 `;
 
 // src/core/scanner.ts
-import path4 from "path";
-import fs3 from "fs-extra";
-import fg from "fast-glob";
+import path5 from "path";
+import fs4 from "fs-extra";
+import fg2 from "fast-glob";
 
 // src/config/supported-files.ts
 var CONFIG_CATEGORIES = [
@@ -288,6 +292,38 @@ var CONFIG_CATEGORIES = [
     label: "Git Hooks",
     patterns: [".husky/*"]
   },
+  {
+    id: "jvm-build",
+    label: "JVM Build",
+    // The captured surface is language-agnostic: Maven/Gradle build files are
+    // setup, not application code. Globbed with `**/` so monorepos (a Spring
+    // backend beside a JS frontend) are captured too. The gradle wrapper JAR is
+    // binary and deliberately excluded — only its text `.properties` is kept.
+    patterns: [
+      "**/pom.xml",
+      "**/build.gradle",
+      "**/build.gradle.kts",
+      "**/settings.gradle",
+      "**/settings.gradle.kts",
+      "gradle.properties",
+      "mvnw",
+      "mvnw.cmd",
+      "gradlew",
+      "gradlew.bat",
+      "**/gradle/wrapper/gradle-wrapper.properties"
+    ]
+  },
+  {
+    id: "jvm-config",
+    label: "JVM Config",
+    // Spring-style externalized config. Scoped to `src/main/resources/` so we
+    // capture application config without sweeping up unrelated `.properties`.
+    patterns: [
+      "**/src/main/resources/application*.yml",
+      "**/src/main/resources/application*.yaml",
+      "**/src/main/resources/application*.properties"
+    ]
+  },
   {
     id: "misc",
     label: "Miscellaneous Tooling",
@@ -308,6 +344,13 @@ var CONFIG_CATEGORIES = [
 ];
 var ALL_CONFIG_PATTERNS = CONFIG_CATEGORIES.flatMap((c) => c.patterns);
 var CATEGORY_BY_ID = new Map(CONFIG_CATEGORIES.map((c) => [c.id, c]));
+var EXTRA_CATEGORY_LABELS = {
+  // Files pulled in explicitly via `.replicaxinclude`.
+  included: "Included files"
+};
+function categoryLabel(id) {
+  return CATEGORY_BY_ID.get(id)?.label ?? EXTRA_CATEGORY_LABELS[id] ?? id;
+}
 
 // src/utils/paths.ts
 import path from "path";
@@ -353,6 +396,7 @@ import fs from "fs-extra";
 import ignore from "ignore";
 var IgnoreEngine = class _IgnoreEngine {
   ig;
+  userIg;
   secrets;
   userPatterns;
   constructor(userPatterns = []) {
@@ -361,6 +405,7 @@ var IgnoreEngine = class _IgnoreEngine {
       return t.length > 0 && !t.startsWith("#");
     });
     this.ig = ignore().add(DEFAULT_IGNORE_PATTERNS).add(this.userPatterns);
+    this.userIg = ignore().add(this.userPatterns);
     this.secrets = ignore().add(SECRET_GUARD_GLOBS);
   }
   /** Build an engine from a project's `.replicaxignore`, if present. */
@@ -377,6 +422,15 @@ var IgnoreEngine = class _IgnoreEngine {
     if (!relPosixPath || relPosixPath === ".") return false;
     return this.ig.ignores(relPosixPath);
   }
+  /**
+   * Whether a path is excluded by the user's `.replicaxignore` *only* (ignoring
+   * the built-in defaults). Used to apply `.replicaxignore`'s precedence over an
+   * explicit `.replicaxinclude` without the defaults vetoing the include.
+   */
+  isUserIgnored(relPosixPath) {
+    if (!relPosixPath || relPosixPath === ".") return false;
+    return this.userIg.ignores(relPosixPath);
+  }
   /** Whether a path is a protected secret that must never be captured. */
   isSecret(relPosixPath) {
     if (!relPosixPath || relPosixPath === ".") return false;
@@ -439,6 +493,11 @@ async function detectLanguage(root, pkg) {
       return file === "jsconfig.json" ? "javascript" : "typescript";
     }
   }
+  if (!pkg) {
+    for (const file of ["pom.xml", "build.gradle", "build.gradle.kts", "settings.gradle"]) {
+      if (await fs2.pathExists(path3.join(root, file))) return "java";
+    }
+  }
   return "javascript";
 }
 function detectFramework(pkg) {
@@ -554,6 +613,464 @@ function renderPackageJson(template, projectName) {
   return JSON.stringify(ordered, null, 2) + "\n";
 }
 
+// src/core/detection/context.ts
+import path4 from "path";
+import fs3 from "fs-extra";
+import fg from "fast-glob";
+var EXACT_CANDIDATES = [
+  // package managers / lockfiles
+  "package-lock.json",
+  "npm-shrinkwrap.json",
+  "yarn.lock",
+  "pnpm-lock.yaml",
+  "bun.lockb",
+  "bun.lock",
+  "pnpm-workspace.yaml",
+  // docker
+  "Dockerfile",
+  ".dockerignore",
+  // ci
+  ".gitlab-ci.yml",
+  ".circleci/config.yml",
+  "Jenkinsfile",
+  "azure-pipelines.yml",
+  // monorepo / build
+  "turbo.json",
+  "nx.json",
+  "lerna.json",
+  // git hooks
+  ".husky",
+  // editors / ai assistants
+  ".vscode",
+  ".cursor",
+  ".cursorrules",
+  ".claude",
+  "CLAUDE.md",
+  ".windsurf",
+  ".windsurfrules",
+  ".devcontainer",
+  ".devcontainer.json",
+  // lint / format (exact flavours)
+  ".eslintrc",
+  ".prettierrc",
+  // language
+  "tsconfig.json",
+  "jsconfig.json",
+  // jvm build
+  "pom.xml",
+  "mvnw",
+  "mvnw.cmd",
+  "build.gradle",
+  "build.gradle.kts",
+  "settings.gradle",
+  "settings.gradle.kts",
+  "gradlew",
+  "gradlew.bat"
+];
+var GLOB_CANDIDATES = [
+  ".github/workflows/*.yml",
+  ".github/workflows/*.yaml",
+  "Dockerfile.*",
+  "docker-compose*.yml",
+  "docker-compose*.yaml",
+  "compose.yml",
+  "compose.yaml",
+  "eslint.config.*",
+  ".eslintrc.*",
+  "prettier.config.*",
+  ".prettierrc.*",
+  "commitlint.config.*",
+  ".commitlintrc",
+  ".commitlintrc.*",
+  "lint-staged.config.*",
+  ".lintstagedrc",
+  ".lintstagedrc.*",
+  "vitest.config.*",
+  "jest.config.*",
+  "playwright.config.*",
+  "cypress.config.*",
+  ".husky/*",
+  // JVM build files + Spring resources, globbed with `**/` so a backend nested
+  // inside a monorepo (e.g. fullstack JS + Spring) is still detected.
+  "**/pom.xml",
+  "**/build.gradle",
+  "**/build.gradle.kts",
+  "**/settings.gradle",
+  "**/settings.gradle.kts",
+  "**/src/main/resources/application*.yml",
+  "**/src/main/resources/application*.yaml",
+  "**/src/main/resources/application*.properties"
+];
+async function gatherContext(root, pkg) {
+  const present = /* @__PURE__ */ new Set();
+  await Promise.all(
+    EXACT_CANDIDATES.map(async (rel) => {
+      if (await fs3.pathExists(path4.join(root, rel))) present.add(rel);
+    })
+  );
+  const matches = await fg(GLOB_CANDIDATES, {
+    cwd: root,
+    dot: true,
+    onlyFiles: true,
+    unique: true,
+    suppressErrors: true,
+    followSymbolicLinks: false,
+    ignore: SCAN_PRUNE_GLOBS
+  });
+  for (const m of matches) present.add(toPosix(m));
+  const deps = { ...pkg?.dependencies ?? {}, ...pkg?.devDependencies ?? {} };
+  return {
+    root,
+    pkg,
+    deps,
+    present,
+    has: (rel) => present.has(rel),
+    hasUnder: (prefix) => {
+      const p = prefix.replace(/\/+$/, "");
+      if (present.has(p)) return true;
+      const needle = `${p}/`;
+      for (const x of present) if (x.startsWith(needle)) return true;
+      return false;
+    },
+    hasDep: (name) => name in deps
+  };
+}
+
+// src/core/detection/types.ts
+var Confidence = {
+  /** A canonical, unambiguous artifact is present (e.g. a Dockerfile). */
+  Confirmed: 1,
+  /** Strong signal (e.g. a declared dependency, a pinned field). */
+  Strong: 0.9,
+  /** Secondary/heuristic evidence (e.g. a related config but not the tool itself). */
+  Likely: 0.7,
+  /** Weak hint. */
+  Possible: 0.5
+};
+function defineDetector(meta, fn) {
+  return {
+    ...meta,
+    detect(ctx) {
+      const hit2 = fn(ctx);
+      return hit2 ? { ...meta, confidence: hit2.confidence, evidence: hit2.evidence } : null;
+    }
+  };
+}
+function hit(confidence, ...evidence) {
+  return { confidence, evidence };
+}
+
+// src/core/detection/detectors/languages.ts
+var LANGUAGE_NAMES = {
+  typescript: "TypeScript",
+  javascript: "JavaScript",
+  java: "Java",
+  unknown: null
+};
+var FRAMEWORK_LABELS = {
+  next: "Next.js",
+  nuxt: "Nuxt",
+  remix: "Remix",
+  astro: "Astro",
+  angular: "Angular",
+  sveltekit: "SvelteKit",
+  nestjs: "NestJS",
+  expo: "Expo",
+  "react-native": "React Native",
+  vue: "Vue",
+  svelte: "Svelte",
+  solid: "SolidJS",
+  react: "React",
+  fastify: "Fastify",
+  koa: "Koa",
+  express: "Express"
+};
+var FRAMEWORK_SKIP = /* @__PURE__ */ new Set(["unknown", "node"]);
+function metadataDetections(metadata) {
+  const out = [];
+  const languageName = LANGUAGE_NAMES[metadata.language];
+  if (languageName) {
+    out.push({
+      id: metadata.language,
+      name: languageName,
+      category: "language",
+      confidence: Confidence.Confirmed,
+      evidence: ["metadata.language"]
+    });
+  }
+  if (metadata.framework && !FRAMEWORK_SKIP.has(metadata.framework)) {
+    out.push({
+      id: metadata.framework,
+      name: FRAMEWORK_LABELS[metadata.framework] ?? metadata.framework,
+      category: "framework",
+      confidence: Confidence.Confirmed,
+      evidence: ["package.json"]
+    });
+  }
+  return out;
+}
+
+// src/core/detection/detectors/packageManagers.ts
+function pmField(ctx) {
+  const field = ctx.pkg?.packageManager;
+  if (typeof field !== "string") return null;
+  return field.split("@")[0]?.trim().toLowerCase() ?? null;
+}
+var packageManagerDetectors = [
+  defineDetector({ id: "npm", name: "npm", category: "package-manager" }, (ctx) => {
+    if (ctx.has("package-lock.json")) return hit(Confidence.Confirmed, "package-lock.json");
+    if (ctx.has("npm-shrinkwrap.json")) return hit(Confidence.Confirmed, "npm-shrinkwrap.json");
+    if (pmField(ctx) === "npm") return hit(Confidence.Strong, "package.json#packageManager");
+    return null;
+  }),
+  defineDetector({ id: "pnpm", name: "pnpm", category: "package-manager" }, (ctx) => {
+    if (ctx.has("pnpm-lock.yaml")) return hit(Confidence.Confirmed, "pnpm-lock.yaml");
+    if (ctx.has("pnpm-workspace.yaml")) return hit(Confidence.Strong, "pnpm-workspace.yaml");
+    if (pmField(ctx) === "pnpm") return hit(Confidence.Strong, "package.json#packageManager");
+    return null;
+  }),
+  defineDetector({ id: "yarn", name: "Yarn", category: "package-manager" }, (ctx) => {
+    if (ctx.has("yarn.lock")) return hit(Confidence.Confirmed, "yarn.lock");
+    if (pmField(ctx) === "yarn") return hit(Confidence.Strong, "package.json#packageManager");
+    return null;
+  }),
+  defineDetector({ id: "bun", name: "Bun", category: "package-manager" }, (ctx) => {
+    if (ctx.has("bun.lockb")) return hit(Confidence.Confirmed, "bun.lockb");
+    if (ctx.has("bun.lock")) return hit(Confidence.Confirmed, "bun.lock");
+    if (pmField(ctx) === "bun") return hit(Confidence.Strong, "package.json#packageManager");
+    return null;
+  })
+];
+
+// src/core/detection/detectors/tooling.ts
+function match(ctx, re) {
+  for (const p of ctx.present) if (re.test(p)) return p;
+  return void 0;
+}
+function hasPkgKey(ctx, key) {
+  return Boolean(ctx.pkg && typeof ctx.pkg === "object" && key in ctx.pkg);
+}
+var toolingDetectors = [
+  // --- Containers ----------------------------------------------------------
+  defineDetector({ id: "docker", name: "Docker", category: "container" }, (ctx) => {
+    const dockerfile = ctx.has("Dockerfile") ? "Dockerfile" : match(ctx, /^Dockerfile(\.|$)/);
+    if (dockerfile) return hit(Confidence.Confirmed, dockerfile);
+    if (ctx.has(".dockerignore")) return hit(Confidence.Likely, ".dockerignore");
+    return null;
+  }),
+  defineDetector({ id: "docker-compose", name: "Docker Compose", category: "container" }, (ctx) => {
+    const compose = match(ctx, /^(docker-compose|compose).*\.ya?ml$/);
+    return compose ? hit(Confidence.Confirmed, compose) : null;
+  }),
+  // --- CI/CD ---------------------------------------------------------------
+  defineDetector({ id: "github-actions", name: "GitHub Actions", category: "ci" }, (ctx) => {
+    if (ctx.hasUnder(".github/workflows")) {
+      return hit(
+        Confidence.Confirmed,
+        match(ctx, /^\.github\/workflows\//) ?? ".github/workflows/"
+      );
+    }
+    return null;
+  }),
+  defineDetector(
+    { id: "gitlab-ci", name: "GitLab CI", category: "ci" },
+    (ctx) => ctx.has(".gitlab-ci.yml") ? hit(Confidence.Confirmed, ".gitlab-ci.yml") : null
+  ),
+  defineDetector(
+    { id: "circleci", name: "CircleCI", category: "ci" },
+    (ctx) => ctx.has(".circleci/config.yml") ? hit(Confidence.Confirmed, ".circleci/config.yml") : null
+  ),
+  defineDetector(
+    { id: "jenkins", name: "Jenkins", category: "ci" },
+    (ctx) => ctx.has("Jenkinsfile") ? hit(Confidence.Confirmed, "Jenkinsfile") : null
+  ),
+  defineDetector(
+    { id: "azure-pipelines", name: "Azure Pipelines", category: "ci" },
+    (ctx) => ctx.has("azure-pipelines.yml") ? hit(Confidence.Confirmed, "azure-pipelines.yml") : null
+  ),
+  // --- Monorepo ------------------------------------------------------------
+  defineDetector(
+    { id: "turborepo", name: "Turborepo", category: "monorepo" },
+    (ctx) => ctx.has("turbo.json") ? hit(Confidence.Confirmed, "turbo.json") : null
+  ),
+  defineDetector(
+    { id: "nx", name: "Nx", category: "monorepo" },
+    (ctx) => ctx.has("nx.json") ? hit(Confidence.Confirmed, "nx.json") : null
+  ),
+  // --- Git hooks / commit --------------------------------------------------
+  defineDetector({ id: "husky", name: "Husky", category: "git-hooks" }, (ctx) => {
+    if (ctx.hasUnder(".husky")) return hit(Confidence.Confirmed, ".husky/");
+    if (ctx.hasDep("husky")) return hit(Confidence.Strong, "package.json#husky");
+    return null;
+  }),
+  defineDetector({ id: "lint-staged", name: "lint-staged", category: "commit" }, (ctx) => {
+    const cfg = match(ctx, /^(lint-staged\.config\.|\.lintstagedrc)/);
+    if (cfg) return hit(Confidence.Confirmed, cfg);
+    if (hasPkgKey(ctx, "lint-staged") || hasPkgKey(ctx, "nano-staged")) {
+      return hit(Confidence.Confirmed, "package.json#lint-staged");
+    }
+    if (ctx.hasDep("lint-staged")) return hit(Confidence.Strong, "package.json#lint-staged");
+    return null;
+  }),
+  defineDetector({ id: "commitlint", name: "Commitlint", category: "commit" }, (ctx) => {
+    const cfg = match(ctx, /^(commitlint\.config\.|\.commitlintrc)/);
+    if (cfg) return hit(Confidence.Confirmed, cfg);
+    if (hasPkgKey(ctx, "commitlint")) return hit(Confidence.Confirmed, "package.json#commitlint");
+    if (ctx.hasDep("@commitlint/cli")) return hit(Confidence.Strong, "@commitlint/cli");
+    return null;
+  }),
+  // --- Lint / format -------------------------------------------------------
+  defineDetector({ id: "eslint", name: "ESLint", category: "lint" }, (ctx) => {
+    const cfg = ctx.has(".eslintrc") ? ".eslintrc" : match(ctx, /^(eslint\.config\.|\.eslintrc\.)/);
+    if (cfg) return hit(Confidence.Confirmed, cfg);
+    if (hasPkgKey(ctx, "eslintConfig"))
+      return hit(Confidence.Confirmed, "package.json#eslintConfig");
+    if (ctx.hasDep("eslint")) return hit(Confidence.Strong, "eslint");
+    return null;
+  }),
+  defineDetector({ id: "prettier", name: "Prettier", category: "format" }, (ctx) => {
+    const cfg = ctx.has(".prettierrc") ? ".prettierrc" : match(ctx, /^(prettier\.config\.|\.prettierrc\.)/);
+    if (cfg) return hit(Confidence.Confirmed, cfg);
+    if (hasPkgKey(ctx, "prettier")) return hit(Confidence.Confirmed, "package.json#prettier");
+    if (ctx.hasDep("prettier")) return hit(Confidence.Strong, "prettier");
+    return null;
+  }),
+  // --- Testing -------------------------------------------------------------
+  defineDetector({ id: "vitest", name: "Vitest", category: "test" }, (ctx) => {
+    const cfg = match(ctx, /^vitest\.config\./);
+    if (cfg) return hit(Confidence.Confirmed, cfg);
+    if (ctx.hasDep("vitest")) return hit(Confidence.Strong, "vitest");
+    return null;
+  }),
+  defineDetector({ id: "jest", name: "Jest", category: "test" }, (ctx) => {
+    const cfg = match(ctx, /^jest\.config\./);
+    if (cfg) return hit(Confidence.Confirmed, cfg);
+    if (hasPkgKey(ctx, "jest")) return hit(Confidence.Confirmed, "package.json#jest");
+    if (ctx.hasDep("jest")) return hit(Confidence.Strong, "jest");
+    return null;
+  }),
+  defineDetector({ id: "playwright", name: "Playwright", category: "test" }, (ctx) => {
+    const cfg = match(ctx, /^playwright\.config\./);
+    if (cfg) return hit(Confidence.Confirmed, cfg);
+    if (ctx.hasDep("@playwright/test") || ctx.hasDep("playwright")) {
+      return hit(Confidence.Strong, "playwright");
+    }
+    return null;
+  }),
+  defineDetector({ id: "cypress", name: "Cypress", category: "test" }, (ctx) => {
+    const cfg = match(ctx, /^cypress\.config\./);
+    if (cfg) return hit(Confidence.Confirmed, cfg);
+    if (ctx.hasDep("cypress")) return hit(Confidence.Strong, "cypress");
+    return null;
+  }),
+  // --- Dev containers ------------------------------------------------------
+  defineDetector({ id: "devcontainer", name: "Dev Container", category: "devcontainer" }, (ctx) => {
+    if (ctx.hasUnder(".devcontainer")) return hit(Confidence.Confirmed, ".devcontainer/");
+    if (ctx.has(".devcontainer.json")) return hit(Confidence.Confirmed, ".devcontainer.json");
+    return null;
+  })
+];
+
+// src/core/detection/detectors/editors.ts
+var editorDetectors = [
+  defineDetector(
+    { id: "vscode", name: "VS Code", category: "editor" },
+    (ctx) => ctx.hasUnder(".vscode") ? hit(Confidence.Confirmed, ".vscode/") : null
+  ),
+  defineDetector({ id: "cursor", name: "Cursor", category: "ai" }, (ctx) => {
+    if (ctx.hasUnder(".cursor")) return hit(Confidence.Confirmed, ".cursor/");
+    if (ctx.has(".cursorrules")) return hit(Confidence.Confirmed, ".cursorrules");
+    return null;
+  }),
+  defineDetector({ id: "claude-code", name: "Claude Code", category: "ai" }, (ctx) => {
+    if (ctx.hasUnder(".claude")) return hit(Confidence.Confirmed, ".claude/");
+    if (ctx.has("CLAUDE.md")) return hit(Confidence.Confirmed, "CLAUDE.md");
+    return null;
+  }),
+  defineDetector({ id: "windsurf", name: "Windsurf", category: "ai" }, (ctx) => {
+    if (ctx.hasUnder(".windsurf")) return hit(Confidence.Confirmed, ".windsurf/");
+    if (ctx.has(".windsurfrules")) return hit(Confidence.Confirmed, ".windsurfrules");
+    return null;
+  })
+];
+
+// src/core/detection/detectors/jvm.ts
+function match2(ctx, re) {
+  for (const p of ctx.present) if (re.test(p)) return p;
+  return void 0;
+}
+var POM = /(^|\/)pom\.xml$/;
+var GRADLE = /(^|\/)(build|settings)\.gradle(\.kts)?$/;
+var APP_CONFIG = /(^|\/)src\/main\/resources\/application[^/]*\.(ya?ml|properties)$/;
+var jvmDetectors = [
+  defineDetector({ id: "maven", name: "Maven", category: "jvm" }, (ctx) => {
+    const pom = match2(ctx, POM);
+    if (pom) return hit(Confidence.Confirmed, pom);
+    if (ctx.has("mvnw") || ctx.has("mvnw.cmd")) return hit(Confidence.Strong, "mvnw");
+    return null;
+  }),
+  defineDetector({ id: "gradle", name: "Gradle", category: "jvm" }, (ctx) => {
+    const build = match2(ctx, GRADLE);
+    if (build) return hit(Confidence.Confirmed, build);
+    if (ctx.has("gradlew") || ctx.has("gradlew.bat")) return hit(Confidence.Strong, "gradlew");
+    return null;
+  }),
+  defineDetector({ id: "spring-boot", name: "Spring Boot", category: "framework" }, (ctx) => {
+    const appConfig = match2(ctx, APP_CONFIG);
+    const hasBuild = Boolean(match2(ctx, POM) || match2(ctx, GRADLE));
+    if (appConfig && hasBuild) return hit(Confidence.Strong, appConfig);
+    if (appConfig) return hit(Confidence.Likely, appConfig);
+    return null;
+  })
+];
+
+// src/core/detection/registry.ts
+var DETECTORS = [
+  ...packageManagerDetectors,
+  ...toolingDetectors,
+  ...editorDetectors,
+  ...jvmDetectors
+];
+var CATEGORY_ORDER = [
+  "language",
+  "framework",
+  "jvm",
+  "package-manager",
+  "monorepo",
+  "build",
+  "lint",
+  "format",
+  "test",
+  "container",
+  "ci",
+  "git-hooks",
+  "commit",
+  "devcontainer",
+  "editor",
+  "ai"
+];
+function sortDetections(list) {
+  return [...list].sort((a, b) => {
+    const ca = CATEGORY_ORDER.indexOf(a.category);
+    const cb = CATEGORY_ORDER.indexOf(b.category);
+    if (ca !== cb) return ca - cb;
+    return a.name.localeCompare(b.name);
+  });
+}
+function runDetectors(ctx) {
+  return DETECTORS.map((d) => d.detect(ctx)).filter((d) => d !== null);
+}
+async function detectStack(root, pkg, metadata) {
+  const ctx = await gatherContext(root, pkg);
+  const fromDetectors = runDetectors(ctx);
+  const fromMetadata = metadata ? metadataDetections(metadata) : [];
+  const byId = /* @__PURE__ */ new Map();
+  for (const d of [...fromMetadata, ...fromDetectors]) {
+    if (!byId.has(d.id)) byId.set(d.id, d);
+  }
+  return sortDetections([...byId.values()]);
+}
+
 // src/core/scanner.ts
 var FG_BASE_OPTIONS = {
   dot: true,
@@ -572,10 +1089,16 @@ function sanitizeNpmrc(content) {
   });
   return kept.join("\n");
 }
+async function readIncludePatterns(root) {
+  const file = path5.join(root, INCLUDE_FILE);
+  if (!await fs4.pathExists(file)) return [];
+  const content = await fs4.readFile(file, "utf8");
+  return content.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#")).map((line) => line.endsWith("/") ? `${line}**` : line);
+}
 async function scanToolingFiles(root, ignore2) {
   const categoryOf = /* @__PURE__ */ new Map();
   for (const category of CONFIG_CATEGORIES) {
-    const found = await fg(category.patterns, {
+    const found = await fg2(category.patterns, {
       cwd: root,
       onlyFiles: true,
       unique: true,
@@ -586,43 +1109,67 @@ async function scanToolingFiles(root, ignore2) {
       if (!categoryOf.has(norm)) categoryOf.set(norm, category.id);
     }
   }
+  const includePatterns = await readIncludePatterns(root);
+  const included = /* @__PURE__ */ new Set();
+  if (includePatterns.length > 0) {
+    const found = await fg2(includePatterns, {
+      cwd: root,
+      onlyFiles: true,
+      unique: true,
+      dot: true,
+      followSymbolicLinks: false,
+      suppressErrors: true,
+      ignore: INCLUDE_PRUNE_GLOBS
+    });
+    for (const rel of found) {
+      const norm = toPosix(rel);
+      if (!categoryOf.has(norm)) included.add(norm);
+    }
+  }
+  const candidates = [
+    ...[...categoryOf.entries()].map(
+      ([rel, category]) => ({ rel, source: "catalogue", category })
+    ),
+    ...[...included].map((rel) => ({ rel, source: "include", category: "included" }))
+  ].sort((a, b) => a.rel.localeCompare(b.rel));
   const files = [];
   const skippedSecrets = [];
-  for (const rel of [...categoryOf.keys()].sort()) {
+  for (const { rel, source, category } of candidates) {
     if (rel === "package.json") continue;
     if (ignore2.isSecret(rel)) {
       skippedSecrets.push(rel);
       logger.detail(`skipped (secret guard): ${rel}`);
       continue;
     }
-    if (ignore2.isIgnored(rel)) {
+    const excluded = source === "include" ? ignore2.isUserIgnored(rel) : ignore2.isIgnored(rel);
+    if (excluded) {
       logger.detail(`skipped (.replicaxignore): ${rel}`);
       continue;
     }
-    const abs = path4.join(root, rel);
+    const abs = path5.join(root, rel);
     let stat;
     try {
-      stat = await fs3.stat(abs);
+      stat = await fs4.stat(abs);
     } catch {
       continue;
     }
     if (!stat.isFile()) continue;
-    let content = await fs3.readFile(abs, "utf8");
-    if (path4.basename(rel) === ".npmrc") content = sanitizeNpmrc(content);
+    let content = await fs4.readFile(abs, "utf8");
+    if (path5.basename(rel) === ".npmrc") content = sanitizeNpmrc(content);
     files.push({
       path: rel,
-      category: categoryOf.get(rel) ?? "misc",
+      category,
       variant: detectVariant(rel),
       encoding: "utf8",
       content,
       bytes: Buffer.byteLength(content, "utf8")
     });
-    logger.detail(`captured: ${rel}`);
+    logger.detail(`captured${source === "include" ? " (include)" : ""}: ${rel}`);
   }
   return { files, skippedSecrets };
 }
 async function scanStructure(root, ignore2) {
-  const dirs = await fg("**", {
+  const dirs = await fg2("**", {
     cwd: root,
     onlyDirectories: true,
     unique: true,
@@ -630,13 +1177,13 @@ async function scanStructure(root, ignore2) {
   });
   const directories = dirs.map(toPosix).filter((d) => d.length > 0 && d !== ".").filter((d) => !ignore2.isIgnored(d)).sort();
   return {
-    root: path4.basename(path4.resolve(root)) || "project",
+    root: path5.basename(path5.resolve(root)) || "project",
     directories
   };
 }
 async function scanProject(root) {
-  const resolved = path4.resolve(root);
-  if (!await fs3.pathExists(resolved)) {
+  const resolved = path5.resolve(root);
+  if (!await fs4.pathExists(resolved)) {
     throw new Error(`Directory does not exist: ${resolved}`);
   }
   const ignore2 = await IgnoreEngine.fromProject(resolved);
@@ -646,11 +1193,13 @@ async function scanProject(root) {
     scanStructure(resolved, ignore2),
     detectMetadata(resolved, pkg)
   ]);
+  const detections = await detectStack(resolved, pkg, metadata);
+  metadata.detections = detections;
   const tooling = {
     files,
     packageJson: buildPackageTemplate(pkg)
   };
-  return { tooling, structure, metadata, pkg, skippedSecrets };
+  return { tooling, structure, metadata, pkg, detections, skippedSecrets };
 }
 
 // src/core/checksum.ts
@@ -688,6 +1237,34 @@ function verifyChecksum(tooling, stored) {
   return mismatches;
 }
 
+// src/core/manifest.ts
+function buildManifest(tooling, checksum) {
+  const entries = tooling.files.map((file) => ({
+    path: file.path,
+    category: file.category,
+    variant: file.variant,
+    bytes: file.bytes,
+    sha256: checksum.files[file.path] ?? ""
+  }));
+  if (tooling.packageJson) {
+    entries.push({
+      path: PACKAGE_JSON_KEY,
+      category: "package",
+      variant: "json",
+      // The curated template is a derived artifact, not a captured file on disk,
+      // so byte size is not meaningful — recorded as 0.
+      bytes: 0,
+      sha256: checksum.files[PACKAGE_JSON_KEY] ?? ""
+    });
+  }
+  entries.sort((a, b) => a.path.localeCompare(b.path));
+  return {
+    schemaVersion: REPLICAX_VERSION,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    entries
+  };
+}
+
 // src/core/profile-generator.ts
 function buildBundle(args) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -696,36 +1273,56 @@ function buildBundle(args) {
     name: args.name,
     description: args.description ?? args.existing.description,
     replicaxVersion: REPLICAX_VERSION,
-    updatedAt: now
+    updatedAt: now,
+    // Preserve the original provenance on sync unless explicitly overridden.
+    ...args.source ?? args.existing.source ? { source: args.source ?? args.existing.source } : {}
   } : {
     name: args.name,
     version: "1.0.0",
     createdAt: now,
     replicaxVersion: REPLICAX_VERSION,
-    ...args.description ? { description: args.description } : {}
+    ...args.description ? { description: args.description } : {},
+    ...args.source ? { source: args.source } : {}
   };
+  const checksum = computeChecksum(args.tooling);
   return {
     profile,
     tooling: args.tooling,
     structure: args.structure,
     metadata: args.metadata,
-    checksum: computeChecksum(args.tooling)
+    checksum,
+    manifest: buildManifest(args.tooling, checksum)
   };
 }
 
 // src/core/profile-store.ts
-import path5 from "path";
-import fs4 from "fs-extra";
+import path6 from "path";
+import fs5 from "fs-extra";
 
 // src/schema.ts
 import { z } from "zod";
+var RegistrySchema = z.object({
+  /** Stable identifier within a registry, e.g. "acme/react-enterprise". */
+  id: z.string().optional(),
+  /** Owning namespace/org. */
+  namespace: z.string().optional(),
+  /** Intended visibility once published. */
+  visibility: z.enum(["public", "private"]).optional(),
+  /** Where the profile originated (URL, registry name, …). */
+  source: z.string().optional()
+});
+var ProfileSourceSchema = z.enum(["local", "github", "import"]);
 var ProfileSchema = z.object({
   name: z.string().min(1),
   version: z.string().min(1),
   createdAt: z.string().min(1),
   updatedAt: z.string().optional(),
   replicaxVersion: z.string().min(1),
-  description: z.string().optional()
+  description: z.string().optional(),
+  /** Provenance of the captured setup (added in schema 2.2.0). */
+  source: ProfileSourceSchema.optional(),
+  /** Optional registry metadata (future registry compatibility). */
+  registry: RegistrySchema.optional()
 });
 var FileVariantSchema = z.enum(["ts", "js", "mjs", "cjs", "json", "yaml", "other"]);
 var ToolingFileSchema = z.object({
@@ -759,32 +1356,121 @@ var StructureSchema = z.object({
   root: z.string(),
   directories: z.array(z.string())
 });
+var DetectionCategorySchema = z.enum([
+  "language",
+  "framework",
+  "package-manager",
+  "monorepo",
+  "container",
+  "ci",
+  "git-hooks",
+  "commit",
+  "lint",
+  "format",
+  "test",
+  "build",
+  "editor",
+  "ai",
+  "devcontainer",
+  "jvm"
+]);
+var DetectionSchema = z.object({
+  /** Stable id, e.g. "docker", "github-actions". */
+  id: z.string().min(1),
+  /** Human-friendly label, e.g. "Docker". */
+  name: z.string().min(1),
+  category: DetectionCategorySchema,
+  /** 0..1 — how sure we are this tool is in use. */
+  confidence: z.number().min(0).max(1),
+  /** Paths/fields that justify the detection (e.g. ["Dockerfile"]). */
+  evidence: z.array(z.string()).default([])
+});
 var MetadataSchema = z.object({
   nodeVersion: z.string(),
   packageManager: z.enum(["npm", "yarn", "pnpm", "bun", "unknown"]),
   framework: z.string(),
-  language: z.enum(["typescript", "javascript"]),
-  platform: z.string()
+  language: z.enum(["typescript", "javascript", "java", "unknown"]),
+  platform: z.string(),
+  /** Detected tools/technologies with confidence (added in schema 2.1.0). */
+  detections: z.array(DetectionSchema).optional()
 });
 var ChecksumSchema = z.object({
   algorithm: z.literal("sha256"),
   files: z.record(z.string(), z.string())
 });
+var ManifestEntrySchema = z.object({
+  path: z.string().min(1),
+  category: z.string().min(1),
+  variant: FileVariantSchema,
+  bytes: z.number().int().nonnegative(),
+  sha256: z.string()
+});
+var ManifestSchema = z.object({
+  schemaVersion: z.string().min(1),
+  generatedAt: z.string().min(1),
+  entries: z.array(ManifestEntrySchema)
+});
+
+// src/core/migrations.ts
+var MIGRATIONS = [
+  {
+    from: "2.0.0",
+    to: "2.1.0",
+    apply(raw) {
+      const metadata = raw.metadata;
+      if (metadata && typeof metadata === "object" && !Array.isArray(metadata.detections)) {
+        metadata.detections = [];
+      }
+      return raw;
+    }
+  },
+  {
+    from: "2.1.0",
+    to: "2.2.0",
+    apply(raw) {
+      return raw;
+    }
+  }
+];
+var KNOWN_VERSIONS = /* @__PURE__ */ new Set([
+  REPLICAX_VERSION,
+  ...MIGRATIONS.flatMap((m) => [m.from, m.to])
+]);
+function migrateRawBundle(raw, detectedVersion) {
+  const steps = [];
+  let current = detectedVersion;
+  let data = raw;
+  for (let guard = 0; guard < MIGRATIONS.length + 1; guard += 1) {
+    if (current === REPLICAX_VERSION) break;
+    const next = MIGRATIONS.find((m) => m.from === current);
+    if (!next) break;
+    data = next.apply(data);
+    steps.push(`${next.from} \u2192 ${next.to}`);
+    current = next.to;
+  }
+  return {
+    raw: data,
+    from: detectedVersion,
+    to: current,
+    migrated: steps.length > 0,
+    steps
+  };
+}
 
 // src/core/profile-store.ts
 function profileDir(root) {
-  return path5.join(path5.resolve(root), REPLICAX_DIR);
+  return path6.join(path6.resolve(root), REPLICAX_DIR);
 }
 async function profileExists(dir) {
-  return fs4.pathExists(path5.join(dir, PROFILE_FILES.profile));
+  return fs5.pathExists(path6.join(dir, PROFILE_FILES.profile));
 }
 async function resolveProfileDir(input) {
-  const resolved = path5.resolve(input);
-  if (!await fs4.pathExists(resolved)) {
+  const resolved = path6.resolve(input);
+  if (!await fs5.pathExists(resolved)) {
     throw new ReplicaxError(`Profile path not found: ${input}`);
   }
   if (await profileExists(resolved)) return resolved;
-  const nested = path5.join(resolved, REPLICAX_DIR);
+  const nested = path6.join(resolved, REPLICAX_DIR);
   if (await profileExists(nested)) return nested;
   throw new ReplicaxError(`No ReplicaX profile found at: ${input}`, [
     `Looked for ${PROFILE_FILES.profile} in ${resolved} and ${nested}.`,
@@ -792,26 +1478,29 @@ async function resolveProfileDir(input) {
   ]);
 }
 async function saveBundle(dir, bundle) {
-  await fs4.ensureDir(dir);
+  await fs5.ensureDir(dir);
+  const manifest = bundle.manifest ?? buildManifest(bundle.tooling, bundle.checksum);
   await Promise.all([
-    fs4.writeJson(path5.join(dir, PROFILE_FILES.profile), bundle.profile, { spaces: 2 }),
-    fs4.writeJson(path5.join(dir, PROFILE_FILES.tooling), bundle.tooling, { spaces: 2 }),
-    fs4.writeJson(path5.join(dir, PROFILE_FILES.structure), bundle.structure, { spaces: 2 }),
-    fs4.writeJson(path5.join(dir, PROFILE_FILES.metadata), bundle.metadata, { spaces: 2 }),
-    fs4.writeJson(path5.join(dir, PROFILE_FILES.checksum), bundle.checksum, { spaces: 2 })
+    fs5.writeJson(path6.join(dir, PROFILE_FILES.profile), bundle.profile, { spaces: 2 }),
+    fs5.writeJson(path6.join(dir, PROFILE_FILES.tooling), bundle.tooling, { spaces: 2 }),
+    fs5.writeJson(path6.join(dir, PROFILE_FILES.structure), bundle.structure, { spaces: 2 }),
+    fs5.writeJson(path6.join(dir, PROFILE_FILES.metadata), bundle.metadata, { spaces: 2 }),
+    fs5.writeJson(path6.join(dir, PROFILE_FILES.checksum), bundle.checksum, { spaces: 2 }),
+    fs5.writeJson(path6.join(dir, PROFILE_FILES.manifest), manifest, { spaces: 2 })
   ]);
 }
-async function readAndParse(dir, file, schema) {
-  const full = path5.join(dir, file);
-  if (!await fs4.pathExists(full)) {
+async function readRawFile(dir, file) {
+  const full = path6.join(dir, file);
+  if (!await fs5.pathExists(full)) {
     throw new ReplicaxError(`Profile is missing ${file}`, [`Expected at ${full}.`]);
   }
-  let raw;
   try {
-    raw = await fs4.readJson(full);
+    return await fs5.readJson(full);
   } catch {
     throw new ReplicaxError(`Profile file ${file} is not valid JSON`, [`Path: ${full}`]);
   }
+}
+function parseFile(file, schema, raw) {
   const result = schema.safeParse(raw);
   if (!result.success) {
     const issues = result.error.issues.slice(0, 5).map((i) => `  - ${i.path.join(".") || "(root)"}: ${i.message}`);
@@ -825,17 +1514,35 @@ async function loadBundle(dir) {
       "Run `replicax init` to create one."
     ]);
   }
-  const [profile, tooling, structure, metadata, checksum] = await Promise.all([
-    readAndParse(dir, PROFILE_FILES.profile, ProfileSchema),
-    readAndParse(dir, PROFILE_FILES.tooling, ToolingSchema),
-    readAndParse(dir, PROFILE_FILES.structure, StructureSchema),
-    readAndParse(dir, PROFILE_FILES.metadata, MetadataSchema),
-    readAndParse(dir, PROFILE_FILES.checksum, ChecksumSchema)
-  ]);
-  return { profile, tooling, structure, metadata, checksum };
+  const rawFiles = {
+    profile: await readRawFile(dir, PROFILE_FILES.profile),
+    tooling: await readRawFile(dir, PROFILE_FILES.tooling),
+    structure: await readRawFile(dir, PROFILE_FILES.structure),
+    metadata: await readRawFile(dir, PROFILE_FILES.metadata),
+    checksum: await readRawFile(dir, PROFILE_FILES.checksum)
+  };
+  const detectedVersion = typeof rawFiles.profile.replicaxVersion === "string" ? rawFiles.profile.replicaxVersion : "2.0.0";
+  const { raw } = migrateRawBundle(rawFiles, detectedVersion);
+  const profile = parseFile(PROFILE_FILES.profile, ProfileSchema, raw.profile);
+  const tooling = parseFile(PROFILE_FILES.tooling, ToolingSchema, raw.tooling);
+  const structure = parseFile(PROFILE_FILES.structure, StructureSchema, raw.structure);
+  const metadata = parseFile(PROFILE_FILES.metadata, MetadataSchema, raw.metadata);
+  const checksum = parseFile(PROFILE_FILES.checksum, ChecksumSchema, raw.checksum);
+  const manifestPath = path6.join(dir, PROFILE_FILES.manifest);
+  const manifest = await fs5.pathExists(manifestPath) ? parseFile(
+    PROFILE_FILES.manifest,
+    ManifestSchema,
+    await readRawFile(dir, PROFILE_FILES.manifest)
+  ) : buildManifest(tooling, checksum);
+  return { profile, tooling, structure, metadata, checksum, manifest };
 }
 
 // src/commands/report.ts
+function statusLine(ok, label, note) {
+  const mark = ok ? pc.green("\u2713") : pc.red("\u2717");
+  const text = ok ? label : pc.dim(label);
+  return note ? `${mark} ${text} ${pc.dim(note)}` : `${mark} ${text}`;
+}
 function toolingByCategory(tooling) {
   const counts = /* @__PURE__ */ new Map();
   for (const file of tooling.files) {
@@ -844,7 +1551,7 @@ function toolingByCategory(tooling) {
   if (tooling.packageJson) {
     counts.set("package", (counts.get("package") ?? 0) + 1);
   }
-  return [...counts.entries()].map(([id, n]) => [CATEGORY_BY_ID.get(id)?.label ?? id, n]).sort((a, b) => a[0].localeCompare(b[0]));
+  return [...counts.entries()].map(([id, n]) => [categoryLabel(id), n]).sort((a, b) => a[0].localeCompare(b[0]));
 }
 function printScanSummary(bundle) {
   const { metadata, tooling, structure } = bundle;
@@ -854,6 +1561,7 @@ function printScanSummary(bundle) {
   logger.hint(`framework      ${metadata.framework}`);
   logger.hint(`packageManager ${metadata.packageManager}`);
   logger.hint(`nodeVersion    ${metadata.nodeVersion}`);
+  printDetections(metadata.detections ?? []);
   logger.newline();
   logger.info(pc.bold(`Tooling (${tooling.files.length + (tooling.packageJson ? 1 : 0)} files)`));
   for (const [label, count] of toolingByCategory(tooling)) {
@@ -862,6 +1570,15 @@ function printScanSummary(bundle) {
   logger.newline();
   logger.info(pc.bold(`Structure (${structure.directories.length} directories)`));
 }
+function printDetections(detections) {
+  if (detections.length === 0) return;
+  logger.newline();
+  logger.info(pc.bold(`Detected (${detections.length})`));
+  for (const d of detections) {
+    const pct = d.confidence < 1 ? pc.dim(` (${Math.round(d.confidence * 100)}%)`) : "";
+    logger.hint(`${pc.green("\u2713")} ${d.name}${pct}`);
+  }
+}
 function reportSkippedSecrets(skipped) {
   if (skipped.length === 0) return;
   logger.warn(`Excluded ${skipped.length} protected file(s) from the profile:`);
@@ -910,12 +1627,13 @@ async function initCommand(options) {
   spinner.succeed(
     `Scanned ${scan.tooling.files.length} config file(s) and ${scan.structure.directories.length} director(ies)`
   );
-  const name = options.name ?? path6.basename(path6.resolve(root)) ?? "project";
+  const name = options.name ?? path7.basename(path7.resolve(root)) ?? "project";
   const bundle = buildBundle({
     name,
     tooling: scan.tooling,
     structure: scan.structure,
-    metadata: scan.metadata
+    metadata: scan.metadata,
+    source: "local"
   });
   reportSkippedSecrets(scan.skippedSecrets);
   printScanSummary(bundle);
@@ -935,21 +1653,21 @@ async function initCommand(options) {
   logger.hint("Create a project from it with: replicax create <project-name>");
 }
 async function maybeWriteIgnoreFile(root) {
-  const file = path6.join(root, IGNORE_FILE);
-  if (await fs5.pathExists(file)) return;
+  const file = path7.join(root, IGNORE_FILE);
+  if (await fs6.pathExists(file)) return;
   const create = process.stdin.isTTY ? await confirm({
     message: `Create a starter ${IGNORE_FILE} to control what gets exported?`,
     default: true
   }) : false;
   if (create) {
-    await fs5.writeFile(file, DEFAULT_IGNORE_FILE_CONTENTS, "utf8");
+    await fs6.writeFile(file, DEFAULT_IGNORE_FILE_CONTENTS, "utf8");
     logger.success(`Wrote ${IGNORE_FILE}`);
   }
 }
 
 // src/commands/init-skill.ts
-import path7 from "path";
-import fs6 from "fs-extra";
+import path8 from "path";
+import fs7 from "fs-extra";
 import ora2 from "ora";
 
 // src/config/ai-targets.ts
@@ -983,7 +1701,7 @@ function slugify(input, fallback = "project") {
 }
 
 // src/core/skill-generator.ts
-var FRAMEWORK_LABELS = {
+var FRAMEWORK_LABELS2 = {
   next: "Next.js",
   nuxt: "Nuxt",
   remix: "Remix",
@@ -1047,7 +1765,7 @@ function orderedScripts(scripts) {
 function toolingByCategoryLabel(tooling) {
   const groups = /* @__PURE__ */ new Map();
   for (const file of tooling.files) {
-    const label = CATEGORY_BY_ID.get(file.category)?.label ?? file.category;
+    const label = categoryLabel(file.category);
     const list = groups.get(label) ?? [];
     list.push(file.path);
     groups.set(label, list);
@@ -1118,7 +1836,7 @@ function buildSkill(args) {
   const { name, metadata, tooling, structure, pkg } = args;
   const slug = slugify(name);
   const pm = metadata.packageManager;
-  const framework = FRAMEWORK_LABELS[metadata.framework] ?? metadata.framework;
+  const framework = FRAMEWORK_LABELS2[metadata.framework] ?? metadata.framework;
   const language = metadata.language === "typescript" ? "TypeScript" : "JavaScript";
   const scripts = pkg?.scripts ?? {};
   const description = `${name} project: ${framework}/${language} setup, build/test commands, and tooling conventions. Use this skill when working in or scaffolding this codebase.`;
@@ -1186,6 +1904,9 @@ function buildSkill(args) {
 }
 
 // src/core/ai/cli.ts
+import { spawn as spawn2 } from "child_process";
+
+// src/core/process.ts
 import { spawn } from "child_process";
 async function commandExists(bin) {
   const onWindows = process.platform === "win32";
@@ -1202,9 +1923,45 @@ async function commandExists(bin) {
     child.on("close", (code) => resolve(code === 0));
   });
 }
+async function getCommandOutput(bin, args = [], options = {}) {
+  const { timeoutMs = 5e3, shell = false } = options;
+  return new Promise((resolve) => {
+    let settled = false;
+    const finish = (result) => {
+      if (settled) return;
+      settled = true;
+      resolve(result);
+    };
+    let child;
+    try {
+      child = spawn(bin, args, { shell, windowsHide: true });
+    } catch {
+      finish({ ok: false, stdout: "", stderr: "", code: null });
+      return;
+    }
+    let stdout = "";
+    let stderr = "";
+    const timer = setTimeout(() => {
+      child.kill();
+      finish({ ok: false, stdout, stderr, code: null });
+    }, timeoutMs);
+    child.stdout?.on("data", (d) => stdout += d.toString());
+    child.stderr?.on("data", (d) => stderr += d.toString());
+    child.on("error", () => {
+      clearTimeout(timer);
+      finish({ ok: false, stdout, stderr, code: null });
+    });
+    child.on("close", (code) => {
+      clearTimeout(timer);
+      finish({ ok: code === 0, stdout, stderr, code });
+    });
+  });
+}
+
+// src/core/ai/cli.ts
 async function runWithStdin(bin, args, input, timeoutMs = 12e4) {
   return new Promise((resolve, reject) => {
-    const child = spawn(bin, args, { shell: true, windowsHide: true });
+    const child = spawn2(bin, args, { shell: true, windowsHide: true });
     let stdout = "";
     let stderr = "";
     const timer = setTimeout(() => {
@@ -1230,6 +1987,14 @@ async function runWithStdin(bin, args, input, timeoutMs = 12e4) {
 }
 
 // src/core/ai/providers.ts
+var ApiHttpError = class extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "ApiHttpError";
+  }
+  status;
+};
 async function postJson(url, headers, body) {
   const res = await fetch(url, {
     method: "POST",
@@ -1238,10 +2003,33 @@ async function postJson(url, headers, body) {
   });
   if (!res.ok) {
     const text = await res.text().catch(() => "");
-    throw new Error(`HTTP ${res.status}: ${text.slice(0, 300) || res.statusText}`);
+    throw new ApiHttpError(res.status, text.slice(0, 300) || res.statusText);
   }
   return res.json();
 }
+function enrichProviderError(err, def, model) {
+  const status = err instanceof ApiHttpError ? err.status : void 0;
+  const detail = err instanceof Error ? err.message : String(err);
+  const overrideHint = `Override the model with --model <id> or ${def.modelEnvVar}=<id>.`;
+  if (status === 404 || status === 400) {
+    return new ReplicaxError(
+      `${def.label} API rejected model "${model}" (HTTP ${status}). ${overrideHint}`,
+      [`Provider response: ${detail}`]
+    );
+  }
+  if (status === 401 || status === 403) {
+    return new ReplicaxError(`${def.label} API rejected the credentials (HTTP ${status}).`, [
+      `Check ${def.apiEnvVars[0]} holds a valid API key.`,
+      `Provider response: ${detail}`
+    ]);
+  }
+  if (status === 429) {
+    return new ReplicaxError(`${def.label} API rate limit hit (HTTP 429).`, [
+      "Wait a moment and try again."
+    ]);
+  }
+  return new ReplicaxError(`${def.label} API request failed: ${detail}`);
+}
 async function callAnthropic(prompt, apiKey, model) {
   const data = await postJson(
     "https://api.anthropic.com/v1/messages",
@@ -1318,7 +2106,13 @@ function apiInvoker(def, apiKey, modelOverride) {
   return {
     id: def.id,
     via: `${def.label} API (${model})`,
-    run: (prompt) => def.callApi(prompt, apiKey, model)
+    run: async (prompt) => {
+      try {
+        return await def.callApi(prompt, apiKey, model);
+      } catch (err) {
+        throw enrichProviderError(err, def, model);
+      }
+    }
   };
 }
 async function resolveProvider(preference, modelOverride) {
@@ -1348,6 +2142,12 @@ async function resolveProvider(preference, modelOverride) {
 function buildSkillPrompt(args) {
   const scripts = Object.entries(args.scripts).map(([name, cmd]) => `  ${name}: ${cmd}`).join("\n");
   const tooling = args.toolingPaths.map((p) => `  ${p}`).join("\n");
+  const template = args.rootSkill?.trim();
+  const templateRule = template ? "\n- A USER SKILL TEMPLATE (the project's root SKILL.md) is provided below. Use it as the BASE for the entry file: preserve its headings, structure, tone, and any explicit instructions, and refine/fill it in using the PROJECT ANALYSIS. Do not drop content the author put there; do not contradict it." : "";
+  const templateSection = template ? `
+USER SKILL TEMPLATE (project root SKILL.md \u2014 use this as the base; preserve and refine, keep "name: ${args.slug}" in the frontmatter):
+${template}
+` : "";
   return `You are an expert developer-tooling assistant. Generate a high-quality "skill" for an AI coding assistant: a document (plus optional supporting files) that teaches the assistant how to work productively in a specific software project.
 
 STRICT RULES:
@@ -1361,11 +2161,11 @@ REQUIREMENTS:
 - Include exactly one entry file whose path is "${args.entryFile}". It MUST start with YAML frontmatter containing "name: ${args.slug}" and a concise single-line "description", then clear markdown covering: tech stack, setup/install, common commands, tooling, project structure, and conventions.
 - You MAY add a few supporting files under "references/" (e.g. "references/commands.md") when genuinely useful. Keep the bundle small and focused.
 - All paths must be relative, use forward slashes, and must NOT contain ".." or be absolute.
-- This skill targets ${args.target.label} and will be installed at ${args.entryPath}.
+- This skill targets ${args.target.label} and will be installed at ${args.entryPath}.${templateRule}
 
 PROJECT ANALYSIS (ground truth \u2014 refine and expand this, do not contradict it):
 ${args.analysis}
-
+${templateSection}
 CAPTURED CONFIG FILES:
 ${tooling || "  (none)"}
 
@@ -1431,6 +2231,8 @@ async function initSkillCommand(options) {
   spinner.succeed(
     `Scanned ${scan.tooling.files.length} config file(s) and ${scan.structure.directories.length} director(ies)`
   );
+  const rootSkillPath = path8.join(root, ROOT_SKILL_FILE);
+  const rootSkill = await fs7.pathExists(rootSkillPath) ? await fs7.readFile(rootSkillPath, "utf8") : void 0;
   const name = options.name ?? scan.structure.root;
   const seed = buildSkill({
     name,
@@ -1458,6 +2260,7 @@ async function initSkillCommand(options) {
     const provider = await resolveProvider(options.provider, options.model);
     if (provider) {
       logger.info(`Generating with ${provider.via} (sending project setup only)\u2026`);
+      if (rootSkill?.trim()) logger.info(`Using ${ROOT_SKILL_FILE} as the skill template.`);
       const aiSpinner = ora2({ text: "Authoring skill\u2026", isEnabled: !options.verbose }).start();
       try {
         const prompt = buildSkillPrompt({
@@ -1467,7 +2270,8 @@ async function initSkillCommand(options) {
           target,
           analysis: seed.content,
           toolingPaths: scan.tooling.files.map((f) => f.path),
-          scripts: scan.pkg?.scripts ?? {}
+          scripts: scan.pkg?.scripts ?? {},
+          rootSkill
         });
         const raw = await provider.run(prompt);
         const parsed = parseSkillBundle(raw);
@@ -1481,7 +2285,9 @@ async function initSkillCommand(options) {
         }
       } catch (err) {
         aiSpinner.fail("AI generation failed");
-        logger.warn(`${err.message}. Falling back to the built-in template.`);
+        logger.warn(`${err.message}`);
+        if (err instanceof ReplicaxError) for (const hint of err.hints) logger.hint(hint);
+        logger.warn("Falling back to the built-in template.");
       }
     } else {
       logger.info("No configured AI provider found \u2014 using the built-in template.");
@@ -1499,11 +2305,11 @@ async function initSkillCommand(options) {
     if (!safe) {
       throw new ReplicaxError(`Refusing to write unsafe skill path: ${f.path}`);
     }
-    return { rel: safe, abs: path7.join(root, ...safe.split("/")), content: f.content };
+    return { rel: safe, abs: path8.join(root, ...safe.split("/")), content: f.content };
   });
   const conflicts = [];
   for (const file of planned) {
-    if (await fs6.pathExists(file.abs)) conflicts.push(file.rel);
+    if (await fs7.pathExists(file.abs)) conflicts.push(file.rel);
   }
   if (conflicts.length > 0 && !options.force) {
     throw new ReplicaxError(
@@ -1512,27 +2318,193 @@ async function initSkillCommand(options) {
     );
   }
   for (const file of planned) {
-    await fs6.ensureDir(path7.dirname(file.abs));
-    await fs6.writeFile(file.abs, file.content, "utf8");
+    await fs7.ensureDir(path8.dirname(file.abs));
+    await fs7.writeFile(file.abs, file.content, "utf8");
     logger.detail(`wrote: ${file.rel}`);
   }
   logger.newline();
   logger.success(`Skill "${seed.slug}" written (${planned.length} file(s), via ${via})`);
   logger.hint(
-    `Location: ${relPosix(root, path7.join(root, ...(bundleRoot || entryFile).split("/")))}`
+    `Location: ${relPosix(root, path8.join(root, ...(bundleRoot || entryFile).split("/")))}`
   );
   logger.hint(target.note);
 }
 
 // src/commands/extract.ts
-import path9 from "path";
+import path11 from "path";
 import ora3 from "ora";
 
 // src/core/github.ts
+import os2 from "os";
+import path10 from "path";
+import fs9 from "fs-extra";
+
+// src/core/archive.ts
+import { createReadStream } from "fs";
 import os from "os";
-import path8 from "path";
-import fs7 from "fs-extra";
-import { extract as tarExtract } from "tar";
+import path9 from "path";
+import fs8 from "fs-extra";
+import { create as tarCreate, extract as tarExtract, Parser } from "tar";
+async function exportProfile(profileDirectory, outPath) {
+  const resolvedOut = path9.resolve(outPath);
+  await fs8.ensureDir(path9.dirname(resolvedOut));
+  const parent = path9.dirname(profileDirectory);
+  const base = path9.basename(profileDirectory);
+  await tarCreate(
+    {
+      gzip: true,
+      file: resolvedOut,
+      cwd: parent,
+      // tar strips leading "/" and ".." by default, so extraction stays scoped.
+      portable: true
+    },
+    [base]
+  );
+}
+var PROFILE_ARCHIVE_LIMITS = {
+  maxCompressedBytes: 50 * 1024 * 1024,
+  // 50 MB
+  maxTotalBytes: 200 * 1024 * 1024,
+  // 200 MB uncompressed
+  maxEntries: 2e4,
+  maxEntryBytes: 50 * 1024 * 1024,
+  // 50 MB per file
+  allowSymlinks: false
+};
+var REPO_ARCHIVE_LIMITS = {
+  maxCompressedBytes: 250 * 1024 * 1024,
+  // 250 MB
+  maxTotalBytes: 1024 * 1024 * 1024,
+  // 1 GB uncompressed
+  maxEntries: 2e5,
+  maxEntryBytes: 200 * 1024 * 1024,
+  // 200 MB per file
+  allowSymlinks: true
+};
+function inspectEntry(entry, limits) {
+  const type = String(entry.type);
+  const entryPath = entry.path;
+  if (type === "File" || type === "Directory" || type === "GNUDumpDir") {
+    if (safeJoinable(entryPath) === null) {
+      throw new ReplicaxError(`Refusing to extract unsafe path from archive: "${entryPath}".`, [
+        "The archive may be malicious (path traversal)."
+      ]);
+    }
+    if ((entry.size ?? 0) > limits.maxEntryBytes) {
+      throw new ReplicaxError(`Archive entry "${entryPath}" exceeds the per-file size limit.`);
+    }
+    return "extract";
+  }
+  if (type === "SymbolicLink" || type === "Link") {
+    if (!limits.allowSymlinks) {
+      throw new ReplicaxError(`Refusing to extract link entry from archive: "${entryPath}".`, [
+        "Profile archives never contain symlinks; this one may be malicious."
+      ]);
+    }
+    return "skip";
+  }
+  throw new ReplicaxError(`Refusing to extract "${entryPath}" (unsupported tar entry: ${type}).`);
+}
+function validateArchive(resolved, limits) {
+  return new Promise((resolve, reject) => {
+    let entryCount = 0;
+    let totalBytes = 0;
+    let settled = false;
+    const source = createReadStream(resolved);
+    const parser = new Parser({});
+    const fail = (err) => {
+      if (settled) return;
+      settled = true;
+      source.destroy();
+      reject(err);
+    };
+    const finish = () => {
+      if (settled) return;
+      settled = true;
+      resolve();
+    };
+    parser.on("entry", (entry) => {
+      if (settled) {
+        entry.resume();
+        return;
+      }
+      try {
+        if (inspectEntry(entry, limits) === "extract") {
+          entryCount += 1;
+          if (entryCount > limits.maxEntries) {
+            return fail(
+              new ReplicaxError("Archive contains too many entries; refusing to extract.")
+            );
+          }
+          totalBytes += entry.size ?? 0;
+          if (totalBytes > limits.maxTotalBytes) {
+            return fail(
+              new ReplicaxError("Archive is too large when uncompressed; refusing to extract.")
+            );
+          }
+        }
+      } catch (err) {
+        return fail(err);
+      }
+      entry.resume();
+    });
+    parser.on("end", finish);
+    parser.on("error", (err) => fail(err));
+    source.on("error", (err) => fail(err));
+    source.pipe(parser);
+  });
+}
+async function safeExtract(archivePath, destDir, limits) {
+  const resolved = path9.resolve(archivePath);
+  const stat = await fs8.stat(resolved).catch(() => null);
+  if (!stat) {
+    throw new ReplicaxError(`Archive not found: ${archivePath}`);
+  }
+  if (stat.size > limits.maxCompressedBytes) {
+    throw new ReplicaxError("Archive file is too large; refusing to extract.");
+  }
+  await validateArchive(resolved, limits);
+  await fs8.ensureDir(destDir);
+  await tarExtract({
+    file: resolved,
+    cwd: destDir,
+    strip: 0,
+    filter: (_p, entry) => {
+      try {
+        return inspectEntry(entry, limits) === "extract";
+      } catch {
+        return false;
+      }
+    }
+  });
+}
+async function extractToTemp(archivePath) {
+  if (!await fs8.pathExists(path9.resolve(archivePath))) {
+    throw new ReplicaxError(`Archive not found: ${archivePath}`);
+  }
+  const tmp = await fs8.mkdtemp(path9.join(os.tmpdir(), "replicax-import-"));
+  try {
+    await safeExtract(archivePath, tmp, PROFILE_ARCHIVE_LIMITS);
+  } catch (err) {
+    await fs8.remove(tmp).catch(() => void 0);
+    throw err;
+  }
+  return tmp;
+}
+async function findProfileRoot(dir) {
+  const hasProfile = async (d) => fs8.pathExists(path9.join(d, PROFILE_FILES.profile));
+  if (await hasProfile(dir)) return dir;
+  const entries = await fs8.readdir(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    if (entry.isDirectory()) {
+      const candidate = path9.join(dir, entry.name);
+      if (await hasProfile(candidate)) return candidate;
+    }
+  }
+  return null;
+}
+
+// src/core/github.ts
 function parseGitHubRef(input) {
   const raw = input.trim();
   if (!raw) {
@@ -1602,9 +2574,9 @@ function httpError(status, slug, hasToken) {
   return new ReplicaxError(`GitHub returned HTTP ${status} for ${slug}.`);
 }
 async function firstSubdir(dir) {
-  const entries = await fs7.readdir(dir, { withFileTypes: true });
+  const entries = await fs9.readdir(dir, { withFileTypes: true });
   for (const entry of entries) {
-    if (entry.isDirectory()) return path8.join(dir, entry.name);
+    if (entry.isDirectory()) return path10.join(dir, entry.name);
   }
   return null;
 }
@@ -1628,14 +2600,14 @@ async function downloadRepo(ref) {
   if (!res.ok) {
     throw httpError(res.status, slug, Boolean(token));
   }
-  const tmpRoot = await fs7.mkdtemp(path8.join(os.tmpdir(), "replicax-extract-"));
-  const cleanup = () => fs7.remove(tmpRoot);
+  const tmpRoot = await fs9.mkdtemp(path10.join(os2.tmpdir(), "replicax-extract-"));
+  const cleanup = () => fs9.remove(tmpRoot);
   try {
-    const tarPath = path8.join(tmpRoot, "repo.tar.gz");
-    await fs7.writeFile(tarPath, Buffer.from(await res.arrayBuffer()));
-    const extractDir = path8.join(tmpRoot, "src");
-    await fs7.ensureDir(extractDir);
-    await tarExtract({ file: tarPath, cwd: extractDir, strip: 0 });
+    const tarPath = path10.join(tmpRoot, "repo.tar.gz");
+    await fs9.writeFile(tarPath, Buffer.from(await res.arrayBuffer()));
+    const extractDir = path10.join(tmpRoot, "src");
+    await fs9.ensureDir(extractDir);
+    await safeExtract(tarPath, extractDir, REPO_ARCHIVE_LIMITS);
     const repoRoot = await firstSubdir(extractDir);
     if (!repoRoot) {
       throw new ReplicaxError(`The downloaded archive for ${slug} was empty.`);
@@ -1677,7 +2649,9 @@ async function extractCommand(repo, options) {
       name,
       tooling: scan.tooling,
       structure: scan.structure,
-      metadata: scan.metadata
+      metadata: scan.metadata,
+      // Captured from a remote repo we don't control — untrusted for auto-install.
+      source: "github"
     });
     reportSkippedSecrets(scan.skippedSecrets);
     printScanSummary(bundle);
@@ -1687,7 +2661,7 @@ async function extractCommand(repo, options) {
       logger.info("Dry run \u2014 no files were written.");
       return;
     }
-    const outRoot = options.out ? path9.resolve(options.out) : process.cwd();
+    const outRoot = options.out ? path11.resolve(options.out) : process.cwd();
     const dir = profileDir(outRoot);
     if (await profileExists(dir)) {
       logger.warn(
@@ -1704,8 +2678,7 @@ async function extractCommand(repo, options) {
 }
 
 // src/commands/create.ts
-import path11 from "path";
-import fs9 from "fs-extra";
+import path13 from "path";
 
 // src/core/conflict-resolver.ts
 import { select } from "@inquirer/prompts";
@@ -1747,8 +2720,8 @@ var ConflictResolver = class {
 };
 
 // src/core/project-generator.ts
-import path10 from "path";
-import fs8 from "fs-extra";
+import path12 from "path";
+import fs10 from "fs-extra";
 async function generateProject(options) {
   const { bundle, targetDir, projectName, dryRun, conflict } = options;
   const result = {
@@ -1758,16 +2731,16 @@ async function generateProject(options) {
     filesSkipped: 0,
     unsafeSkipped: []
   };
-  if (!dryRun) await fs8.ensureDir(targetDir);
+  if (!dryRun) await fs10.ensureDir(targetDir);
   for (const dir of bundle.structure.directories) {
     const safe = safeJoinable(dir);
     if (!safe) {
       result.unsafeSkipped.push(dir);
       continue;
     }
-    const full = path10.join(targetDir, safe);
-    const existed = await fs8.pathExists(full);
-    if (!dryRun) await fs8.ensureDir(full);
+    const full = path12.join(targetDir, safe);
+    const existed = await fs10.pathExists(full);
+    if (!dryRun) await fs10.ensureDir(full);
     if (!existed) result.dirsCreated += 1;
     result.entries.push({ kind: "dir", path: safe, action: existed ? "skip" : "create" });
   }
@@ -1791,8 +2764,8 @@ async function writeFile(relPath, content, options, result) {
     logger.warn(`Refusing to write unsafe path from profile: ${relPath}`);
     return;
   }
-  const full = path10.join(options.targetDir, safe);
-  const exists = await fs8.pathExists(full);
+  const full = path12.join(options.targetDir, safe);
+  const exists = await fs10.pathExists(full);
   let action2 = exists ? "overwrite" : "create";
   if (exists) {
     const decision = await options.conflict.resolve(safe);
@@ -1805,8 +2778,8 @@ async function writeFile(relPath, content, options, result) {
     action2 = "overwrite";
   }
   if (!options.dryRun) {
-    await fs8.ensureDir(path10.dirname(full));
-    await fs8.writeFile(full, content, "utf8");
+    await fs10.ensureDir(path12.dirname(full));
+    await fs10.writeFile(full, content, "utf8");
   }
   result.filesWritten += 1;
   result.entries.push({ kind: "file", path: safe, action: action2 });
@@ -1814,7 +2787,7 @@ async function writeFile(relPath, content, options, result) {
 }
 
 // src/core/installer.ts
-import { spawn as spawn2 } from "child_process";
+import { spawn as spawn3 } from "child_process";
 var COMMANDS = {
   npm: ["npm", "install"],
   pnpm: ["pnpm", "install"],
@@ -1825,7 +2798,7 @@ function installDependencies(cwd, manager) {
   if (manager === "unknown") return Promise.resolve(false);
   const [command, ...args] = COMMANDS[manager];
   return new Promise((resolve) => {
-    const child = spawn2(command, args, {
+    const child = spawn3(command, args, {
       cwd,
       stdio: "inherit",
       // npm/pnpm/yarn are .cmd shims on Windows; a shell resolves them.
@@ -1855,9 +2828,9 @@ async function createCommand(projectName, options) {
     logger.warn(`Profile integrity check found ${mismatches.length} issue(s); continuing anyway.`);
     logger.hint("Run `replicax validate` for details.");
   }
-  const targetDir = path11.resolve(process.cwd(), projectName);
-  const leafName = path11.basename(targetDir);
-  if (path11.resolve(process.cwd()) === targetDir) {
+  const targetDir = path13.resolve(process.cwd(), projectName);
+  const leafName = path13.basename(targetDir);
+  if (path13.resolve(process.cwd()) === targetDir) {
     throw new ReplicaxError("Refusing to scaffold into the current directory.", [
       "Pass a new project name, e.g. `replicax create my-app`."
     ]);
@@ -1887,63 +2860,95 @@ async function createCommand(projectName, options) {
     return;
   }
   logger.hint(`Location: ${relPosix(process.cwd(), targetDir)}/`);
-  await maybeInstall(
-    bundle.metadata.packageManager,
-    targetDir,
-    options,
-    Boolean(bundle.tooling.packageJson)
-  );
+  await maybeInstall(bundle, targetDir, options);
   logger.newline();
   logger.success(`Project ${pc.bold(leafName)} is ready.`);
 }
-async function maybeInstall(manager, targetDir, options, hasPackageJson) {
-  if (options.skipInstall) {
-    logger.hint("Skipped dependency install (--skip-install).");
-    return;
-  }
-  if (!hasPackageJson) return;
-  if (manager === "unknown") {
-    logger.hint("No package manager detected; run your install command manually.");
-    return;
-  }
-  const pkgPath = path11.join(targetDir, "package.json");
-  const pkg = await fs9.readJson(pkgPath).catch(() => null);
-  if (!pkg?.devDependencies || Object.keys(pkg.devDependencies).length === 0) {
-    logger.hint("No dependencies to install.");
-    return;
+function decideInstall(bundle, options) {
+  if (options.skipInstall) return { kind: "skip-flag" };
+  const devDeps = bundle.tooling.packageJson?.devDependencies ?? {};
+  if (Object.keys(devDeps).length === 0) return { kind: "no-deps" };
+  const manager = bundle.metadata.packageManager;
+  if (manager === "unknown") return { kind: "no-manager" };
+  const source = bundle.profile.source ?? "local";
+  const trusted = source === "local";
+  if (!trusted && !options.install) return { kind: "blocked", source, manager, devDeps };
+  return { kind: "install", trusted, source, manager, devDeps };
+}
+function printDependencySummary(devDeps) {
+  const names = Object.keys(devDeps).sort();
+  for (const name of names.slice(0, 10)) logger.hint(`  ${name}  ${devDeps[name]}`);
+  if (names.length > 10) logger.hint(`  \u2026and ${names.length - 10} more`);
+}
+async function maybeInstall(bundle, targetDir, options) {
+  const decision = decideInstall(bundle, options);
+  switch (decision.kind) {
+    case "skip-flag":
+      logger.hint("Skipped dependency install (--skip-install).");
+      return;
+    case "no-deps":
+      if (bundle.tooling.packageJson) logger.hint("No dependencies to install.");
+      return;
+    case "no-manager":
+      logger.hint("No package manager detected; run your install command manually.");
+      return;
+    case "blocked":
+      logger.newline();
+      logger.warn(
+        `Profile source is "${decision.source}" \u2014 skipping dependency install for safety.`
+      );
+      logger.hint(
+        `Installing runs package lifecycle scripts. ${Object.keys(decision.devDeps).length} devDependencies would be added with ${decision.manager}:`
+      );
+      printDependencySummary(decision.devDeps);
+      logger.hint(
+        `Review them, then run \`${decision.manager} install\`, or re-run create with --install.`
+      );
+      return;
+    case "install": {
+      logger.newline();
+      if (!decision.trusted) {
+        logger.warn(
+          `Installing for an untrusted ("${decision.source}") profile \u2014 package lifecycle scripts can execute code.`
+        );
+      }
+      logger.info(
+        `Installing ${Object.keys(decision.devDeps).length} devDependencies with ${decision.manager}\u2026`
+      );
+      printDependencySummary(decision.devDeps);
+      const ok = await installDependencies(targetDir, decision.manager);
+      if (ok) logger.success("Dependencies installed.");
+      else logger.warn("Dependency install did not complete; run it manually.");
+      return;
+    }
   }
-  logger.newline();
-  logger.info(`Installing dependencies with ${manager}\u2026`);
-  const ok = await installDependencies(targetDir, manager);
-  if (ok) logger.success("Dependencies installed.");
-  else logger.warn("Dependency install did not complete; run it manually.");
 }
 
 // src/commands/sync.ts
 import ora4 from "ora";
 
 // src/core/diff.ts
-function diffChecksums(prev, next) {
+function diffStringMaps(prev, next, options = {}) {
+  const ignore2 = options.ignoreKeys;
   const added = [];
   const removed = [];
   const changed = [];
-  let packageJsonChanged = false;
-  const keys = /* @__PURE__ */ new Set([...Object.keys(prev.files), ...Object.keys(next.files)]);
+  const keys = /* @__PURE__ */ new Set([...Object.keys(prev), ...Object.keys(next)]);
   for (const key of keys) {
-    const before = prev.files[key];
-    const after = next.files[key];
-    if (key === PACKAGE_JSON_KEY) {
-      if (before !== after) packageJsonChanged = true;
-      continue;
-    }
+    if (ignore2?.has(key)) continue;
+    const before = prev[key];
+    const after = next[key];
     if (before === void 0) added.push(key);
     else if (after === void 0) removed.push(key);
     else if (before !== after) changed.push(key);
   }
-  return {
-    files: { added: added.sort(), removed: removed.sort(), changed: changed.sort() },
-    packageJsonChanged
-  };
+  return { added: added.sort(), removed: removed.sort(), changed: changed.sort() };
+}
+var PACKAGE_JSON_KEYS = /* @__PURE__ */ new Set([PACKAGE_JSON_KEY]);
+function diffChecksums(prev, next) {
+  const files = diffStringMaps(prev.files, next.files, { ignoreKeys: PACKAGE_JSON_KEYS });
+  const packageJsonChanged = prev.files[PACKAGE_JSON_KEY] !== next.files[PACKAGE_JSON_KEY];
+  return { files, packageJsonChanged };
 }
 function diffStructure(prev, next) {
   const before = new Set(prev.directories);
@@ -1999,6 +3004,8 @@ async function syncCommand(options) {
     tooling: scan.tooling,
     structure: scan.structure,
     metadata: scan.metadata,
+    // A sync re-captures the local project, so the result is locally trusted.
+    source: "local",
     existing: existing.profile
   });
   const diff = diffBundles(existing, next);
@@ -2053,7 +3060,7 @@ function formatBytes(bytes) {
 }
 
 // src/commands/inspect.ts
-var SECTIONS = ["profile", "tooling", "structure", "metadata"];
+var SECTIONS = ["profile", "tooling", "structure", "metadata", "detections"];
 async function inspectCommand(options) {
   const dir = options.profile ? await resolveProfileDir(options.profile) : profileDir(process.cwd());
   if (!await profileExists(dir)) {
@@ -2067,15 +3074,38 @@ async function inspectCommand(options) {
   const bundle = await loadBundle(dir);
   const section = options.section;
   if (options.json) {
-    const payload = section ? { [section]: bundle[section] } : bundle;
-    logger.out(JSON.stringify(payload, null, 2));
+    logger.out(JSON.stringify(jsonPayload(bundle, section), null, 2));
     return;
   }
   if (!section || section === "profile") printProfile(bundle);
   if (!section || section === "metadata") printMetadata(bundle);
+  if (!section || section === "detections") printDetectionsSection(bundle);
   if (!section || section === "tooling") printTooling(bundle);
   if (!section || section === "structure") printStructure(bundle);
 }
+function jsonPayload(bundle, section) {
+  if (!section) return bundle;
+  if (section === "detections") return { detections: bundle.metadata.detections ?? [] };
+  return { [section]: bundle[section] };
+}
+function printDetectionsSection(bundle) {
+  const detections = bundle.metadata.detections ?? [];
+  logger.out(pc.bold(`Detections (${detections.length})`));
+  if (detections.length === 0) {
+    logger.out("  (none)");
+    logger.out("");
+    return;
+  }
+  const table = new Table({
+    head: ["Category", "Tool", "Confidence", "Evidence"],
+    style: { head: ["cyan"], border: ["dim"] }
+  });
+  for (const d of detections) {
+    table.push([d.category, d.name, `${Math.round(d.confidence * 100)}%`, d.evidence.join(", ")]);
+  }
+  logger.out(table.toString());
+  logger.out("");
+}
 function printProfile(bundle) {
   const p = bundle.profile;
   logger.out(pc.bold("Profile"));
@@ -2109,12 +3139,7 @@ function printTooling(bundle) {
     table.push(["Package Management & Monorepos", "package.json", "json", "template"]);
   }
   for (const file of [...tooling.files].sort((a, b) => a.path.localeCompare(b.path))) {
-    table.push([
-      CATEGORY_BY_ID.get(file.category)?.label ?? file.category,
-      file.path,
-      file.variant,
-      formatBytes(file.bytes)
-    ]);
+    table.push([categoryLabel(file.category), file.path, file.variant, formatBytes(file.bytes)]);
   }
   logger.out(table.toString());
   logger.out("");
@@ -2162,61 +3187,16 @@ async function validateCommand(options) {
 }
 
 // src/commands/export.ts
-import path13 from "path";
+import path14 from "path";
 import fs11 from "fs-extra";
 import ora5 from "ora";
-
-// src/core/archive.ts
-import os2 from "os";
-import path12 from "path";
-import fs10 from "fs-extra";
-import { create as tarCreate, extract as tarExtract2 } from "tar";
-async function exportProfile(profileDirectory, outPath) {
-  const resolvedOut = path12.resolve(outPath);
-  await fs10.ensureDir(path12.dirname(resolvedOut));
-  const parent = path12.dirname(profileDirectory);
-  const base = path12.basename(profileDirectory);
-  await tarCreate(
-    {
-      gzip: true,
-      file: resolvedOut,
-      cwd: parent,
-      // tar strips leading "/" and ".." by default, so extraction stays scoped.
-      portable: true
-    },
-    [base]
-  );
-}
-async function extractToTemp(archivePath) {
-  const resolved = path12.resolve(archivePath);
-  if (!await fs10.pathExists(resolved)) {
-    throw new Error(`Archive not found: ${archivePath}`);
-  }
-  const tmp = await fs10.mkdtemp(path12.join(os2.tmpdir(), "replicax-import-"));
-  await tarExtract2({ file: resolved, cwd: tmp, strip: 0 });
-  return tmp;
-}
-async function findProfileRoot(dir) {
-  const hasProfile = async (d) => fs10.pathExists(path12.join(d, PROFILE_FILES.profile));
-  if (await hasProfile(dir)) return dir;
-  const entries = await fs10.readdir(dir, { withFileTypes: true });
-  for (const entry of entries) {
-    if (entry.isDirectory()) {
-      const candidate = path12.join(dir, entry.name);
-      if (await hasProfile(candidate)) return candidate;
-    }
-  }
-  return null;
-}
-
-// src/commands/export.ts
 async function exportCommand(options) {
   const dir = options.profile ? await resolveProfileDir(options.profile) : profileDir(process.cwd());
   if (!await profileExists(dir)) {
     throw new ReplicaxError("No ReplicaX profile found to export.", ["Run `replicax init` first."]);
   }
   const bundle = await loadBundle(dir);
-  const outPath = path13.resolve(
+  const outPath = path14.resolve(
     options.out ?? `${slugify(bundle.profile.name, "profile")}.replicax.tar.gz`
   );
   const spinner = ora5({ text: "Packaging profile\u2026" }).start();
@@ -2224,7 +3204,7 @@ async function exportCommand(options) {
   spinner.stop();
   const { size } = await fs11.stat(outPath);
   logger.success(
-    `Exported "${bundle.profile.name}" \u2192 ${path13.relative(process.cwd(), outPath)} (${formatBytes(size)})`
+    `Exported "${bundle.profile.name}" \u2192 ${path14.relative(process.cwd(), outPath)} (${formatBytes(size)})`
   );
   logger.hint("Share it, then `replicax import <file>` elsewhere.");
 }
@@ -2246,6 +3226,7 @@ async function importCommand(archivePath, options) {
       throw new ReplicaxError("The archive does not contain a ReplicaX profile.");
     }
     const bundle = await loadBundle(source);
+    bundle.profile.source = "import";
     spinner.succeed(`Validated profile "${bundle.profile.name}"`);
     const dest = profileDir(process.cwd());
     if (await profileExists(dest)) {
@@ -2271,6 +3252,407 @@ async function importCommand(archivePath, options) {
   }
 }
 
+// src/config/environment-tools.ts
+var ENVIRONMENT_TOOLS = [
+  { id: "node", name: "Node.js", bin: "node", versionArgs: ["--version"], kind: "runtime" },
+  { id: "git", name: "Git", bin: "git", versionArgs: ["--version"], kind: "vcs" },
+  { id: "npm", name: "npm", bin: "npm", versionArgs: ["--version"], kind: "package-manager" },
+  { id: "pnpm", name: "pnpm", bin: "pnpm", versionArgs: ["--version"], kind: "package-manager" },
+  { id: "yarn", name: "Yarn", bin: "yarn", versionArgs: ["--version"], kind: "package-manager" },
+  { id: "bun", name: "Bun", bin: "bun", versionArgs: ["--version"], kind: "package-manager" },
+  { id: "docker", name: "Docker", bin: "docker", versionArgs: ["--version"], kind: "container" },
+  {
+    id: "vscode",
+    name: "VS Code",
+    bin: "code",
+    versionArgs: ["--version"],
+    kind: "editor",
+    // `code --version` prints version on the first line, then commit + arch.
+    parseVersion: (raw) => raw.split(/\r?\n/)[0]?.trim() || void 0
+  },
+  { id: "cursor", name: "Cursor", bin: "cursor", versionArgs: ["--version"], kind: "editor" },
+  {
+    id: "claude-code",
+    name: "Claude Code",
+    bin: "claude",
+    versionArgs: ["--version"],
+    kind: "editor"
+  },
+  { id: "windsurf", name: "Windsurf", bin: "windsurf", versionArgs: ["--version"], kind: "editor" }
+];
+
+// src/core/environment.ts
+function parseVersionDefault(raw) {
+  const trimmed = raw.trim();
+  const semver = trimmed.match(/\d+\.\d+\.\d+(?:[-+][\w.]+)?/);
+  if (semver) return semver[0];
+  const loose = trimmed.match(/\d+\.\d+/);
+  return loose ? loose[0] : void 0;
+}
+var defaultProbe = async (tool) => {
+  const out = await getCommandOutput(tool.bin, tool.versionArgs, { shell: true });
+  if (out.ok) {
+    const raw = out.stdout.trim() || out.stderr.trim();
+    const parse = tool.parseVersion ?? parseVersionDefault;
+    return { found: true, version: parse(raw) };
+  }
+  return { found: await commandExists(tool.bin) };
+};
+async function runEnvironmentChecks(tools = ENVIRONMENT_TOOLS, probe = defaultProbe) {
+  return Promise.all(
+    tools.map(async (tool) => {
+      const result = await probe(tool);
+      return {
+        id: tool.id,
+        name: tool.name,
+        kind: tool.kind,
+        found: result.found,
+        version: result.version
+      };
+    })
+  );
+}
+
+// src/commands/doctor.ts
+async function doctorCommand(options) {
+  const checks = await runEnvironmentChecks();
+  if (options.json) {
+    logger.out(JSON.stringify({ checks }, null, 2));
+    return;
+  }
+  logger.out(pc.bold("Developer environment"));
+  logger.out("");
+  for (const check of checks) {
+    const note = check.found ? check.version : "not found";
+    logger.out(statusLine(check.found, check.name, note));
+  }
+  const found = checks.filter((c) => c.found).length;
+  logger.out("");
+  logger.out(pc.dim(`${found}/${checks.length} tools found`));
+}
+
+// src/commands/compare.ts
+import path15 from "path";
+import fs13 from "fs-extra";
+
+// src/core/compare.ts
+function detectionsOf(bundle) {
+  return bundle.metadata.detections ?? [];
+}
+var toolingComparator = {
+  id: "tooling",
+  title: "Tooling",
+  compare(a, b) {
+    const aById = new Map(detectionsOf(a).map((d) => [d.id, d]));
+    const bById = new Map(detectionsOf(b).map((d) => [d.id, d]));
+    const added = [];
+    const removed = [];
+    const changed = [];
+    for (const [id, d] of bById) if (!aById.has(id)) added.push(d.name);
+    for (const [id, d] of aById) if (!bById.has(id)) removed.push(d.name);
+    for (const [id, d] of aById) {
+      const other = bById.get(id);
+      if (other && other.confidence !== d.confidence) changed.push(d.name);
+    }
+    return sortSection({ id: this.id, title: this.title, added, removed, changed });
+  }
+};
+var PACKAGE_JSON_KEYS2 = /* @__PURE__ */ new Set([PACKAGE_JSON_KEY]);
+var configFilesComparator = {
+  id: "config-files",
+  title: "Configuration files",
+  compare(a, b) {
+    const diff = diffStringMaps(a.checksum.files, b.checksum.files, {
+      ignoreKeys: PACKAGE_JSON_KEYS2
+    });
+    return { id: this.id, title: this.title, ...diff };
+  }
+};
+var packageJsonComparator = {
+  id: "package-json",
+  title: "package.json",
+  compare(a, b) {
+    const flatten = (bundle) => {
+      const pkg = bundle.tooling.packageJson;
+      const out = {};
+      for (const [name, cmd] of Object.entries(pkg?.scripts ?? {})) out[`script:${name}`] = cmd;
+      for (const [name, ver] of Object.entries(pkg?.devDependencies ?? {})) {
+        out[`devDependency:${name}`] = ver;
+      }
+      return out;
+    };
+    const diff = diffStringMaps(flatten(a), flatten(b));
+    return { id: this.id, title: this.title, ...diff };
+  }
+};
+var structureComparator = {
+  id: "structure",
+  title: "Structure",
+  compare(a, b) {
+    const before = new Set(a.structure.directories);
+    const after = new Set(b.structure.directories);
+    const added = b.structure.directories.filter((d) => !before.has(d));
+    const removed = a.structure.directories.filter((d) => !after.has(d));
+    return sortSection({ id: this.id, title: this.title, added, removed, changed: [] });
+  }
+};
+var metadataComparator = {
+  id: "metadata",
+  title: "Metadata",
+  compare(a, b) {
+    const fields = [
+      "language",
+      "framework",
+      "packageManager",
+      "nodeVersion"
+    ];
+    const changed = [];
+    for (const field of fields) {
+      const from = String(a.metadata[field] ?? "");
+      const to = String(b.metadata[field] ?? "");
+      if (from !== to) changed.push(`${field}: ${from} \u2192 ${to}`);
+    }
+    return { id: this.id, title: this.title, added: [], removed: [], changed };
+  }
+};
+var COMPARATORS = [
+  toolingComparator,
+  configFilesComparator,
+  packageJsonComparator,
+  structureComparator,
+  metadataComparator
+];
+function sortSection(section) {
+  return {
+    ...section,
+    added: [...section.added].sort(),
+    removed: [...section.removed].sort(),
+    changed: [...section.changed].sort()
+  };
+}
+function compareBundles(a, b) {
+  return { sections: COMPARATORS.map((c) => c.compare(a, b)) };
+}
+function sectionHasChanges(section) {
+  return section.added.length > 0 || section.removed.length > 0 || section.changed.length > 0;
+}
+function comparisonHasChanges(comparison) {
+  return comparison.sections.some(sectionHasChanges);
+}
+
+// src/commands/compare.ts
+async function resolveBundle(input) {
+  const resolved = path15.resolve(input);
+  if (!await fs13.pathExists(resolved)) {
+    throw new ReplicaxError(`Path not found: ${input}`);
+  }
+  try {
+    const dir = await resolveProfileDir(input);
+    const bundle2 = await loadBundle(dir);
+    return { bundle: bundle2, label: `${bundle2.profile.name} (profile)` };
+  } catch {
+  }
+  const stat = await fs13.stat(resolved);
+  if (!stat.isDirectory()) {
+    throw new ReplicaxError(`Cannot compare "${input}": not a profile or a project directory.`, [
+      "Pass a project folder or a directory containing a .replicax profile."
+    ]);
+  }
+  const scan = await scanProject(resolved);
+  const bundle = buildBundle({
+    name: path15.basename(resolved) || "project",
+    tooling: scan.tooling,
+    structure: scan.structure,
+    metadata: scan.metadata
+  });
+  return { bundle, label: `${path15.basename(resolved)} (scanned)` };
+}
+async function compareCommand(source, target, options) {
+  const [a, b] = await Promise.all([resolveBundle(source), resolveBundle(target)]);
+  const comparison = compareBundles(a.bundle, b.bundle);
+  if (options.json) {
+    logger.out(JSON.stringify({ source: a.label, target: b.label, ...comparison }, null, 2));
+    return;
+  }
+  logger.out(pc.bold(`Comparing ${a.label} \u2192 ${b.label}`));
+  logger.out("");
+  if (!comparisonHasChanges(comparison)) {
+    logger.out("No differences.");
+    return;
+  }
+  printGroup("Added", collect(comparison, "added"), pc.green("+"));
+  printGroup("Removed", collect(comparison, "removed"), pc.red("-"));
+  printGroup("Changed", collect(comparison, "changed"), pc.yellow("~"));
+}
+function collect(comparison, bucket) {
+  const out = [];
+  for (const section of comparison.sections) {
+    for (const item of section[bucket]) {
+      out.push(`${item} ${pc.dim(`(${section.title})`)}`);
+    }
+  }
+  return out;
+}
+function printGroup(label, items, marker) {
+  if (items.length === 0) return;
+  logger.out(pc.bold(`${label}:`));
+  for (const item of items) logger.out(`  ${marker} ${item}`);
+  logger.out("");
+}
+
+// src/commands/audit.ts
+import path16 from "path";
+
+// src/core/audit/rules.ts
+function detected(ctx, ids) {
+  const present = new Set(ctx.detections.map((d) => d.id));
+  return ids.some((id) => present.has(id));
+}
+var AUDIT_RULES = [
+  {
+    id: "linting",
+    title: "Linting",
+    weight: 15,
+    category: "quality",
+    passes: (c) => detected(c, ["eslint", "biome"]),
+    recommendation: "Add ESLint to catch problems with static analysis."
+  },
+  {
+    id: "formatting",
+    title: "Formatting",
+    weight: 10,
+    category: "quality",
+    passes: (c) => detected(c, ["prettier", "biome"]),
+    recommendation: "Add Prettier to keep formatting consistent."
+  },
+  {
+    id: "testing",
+    title: "Testing",
+    weight: 20,
+    category: "quality",
+    passes: (c) => detected(c, ["vitest", "jest", "playwright", "cypress"]),
+    recommendation: "Add a test runner such as Vitest or Jest."
+  },
+  {
+    id: "git-hooks",
+    title: "Git hooks",
+    weight: 10,
+    category: "quality",
+    passes: (c) => detected(c, ["husky", "lefthook"]),
+    recommendation: "Add Husky to run checks before each commit."
+  },
+  {
+    id: "ci",
+    title: "CI/CD",
+    weight: 20,
+    category: "delivery",
+    passes: (c) => detected(c, ["github-actions", "gitlab-ci", "circleci", "jenkins", "azure-pipelines"]),
+    recommendation: "Add a CI pipeline (e.g. GitHub Actions) to run checks on every push."
+  },
+  {
+    id: "containerization",
+    title: "Containerization",
+    weight: 10,
+    category: "delivery",
+    passes: (c) => detected(c, ["docker", "docker-compose"]),
+    recommendation: "Add a Dockerfile to containerize the application."
+  },
+  {
+    id: "typescript",
+    title: "TypeScript",
+    weight: 10,
+    category: "quality",
+    passes: (c) => detected(c, ["typescript"]),
+    recommendation: "Adopt TypeScript for type safety."
+  },
+  {
+    id: "commit-linting",
+    title: "Commit linting",
+    weight: 3,
+    category: "quality",
+    passes: (c) => detected(c, ["commitlint"]),
+    recommendation: "Add Commitlint to standardize commit messages."
+  },
+  {
+    id: "staged-linting",
+    title: "Staged-file linting",
+    weight: 2,
+    category: "quality",
+    passes: (c) => detected(c, ["lint-staged"]),
+    recommendation: "Add lint-staged to lint only changed files."
+  }
+];
+
+// src/core/audit/engine.ts
+function runAudit(ctx, rules = AUDIT_RULES) {
+  const evaluated = rules.map((rule) => ({
+    id: rule.id,
+    title: rule.title,
+    category: rule.category,
+    weight: rule.weight,
+    passed: rule.passes(ctx),
+    recommendation: rule.recommendation
+  }));
+  const totalWeight = evaluated.reduce((sum, r) => sum + r.weight, 0);
+  const passedWeight = evaluated.filter((r) => r.passed).reduce((sum, r) => sum + r.weight, 0);
+  const score = totalWeight === 0 ? 100 : Math.round(passedWeight / totalWeight * 100);
+  const failed = evaluated.filter((r) => !r.passed);
+  return {
+    score,
+    maxScore: 100,
+    rules: evaluated,
+    missing: failed.map((r) => r.title),
+    recommendations: failed.map((r) => r.recommendation)
+  };
+}
+
+// src/commands/audit.ts
+async function buildContext(options) {
+  if (options.profile) {
+    const dir = await resolveProfileDir(options.profile);
+    const bundle = await loadBundle(dir);
+    return {
+      ctx: {
+        detections: bundle.metadata.detections ?? [],
+        metadata: bundle.metadata,
+        tooling: bundle.tooling
+      },
+      source: `profile "${bundle.profile.name}"`
+    };
+  }
+  const root = path16.resolve(options.path ?? process.cwd());
+  const scan = await scanProject(root);
+  return {
+    ctx: { detections: scan.detections, metadata: scan.metadata, tooling: scan.tooling },
+    source: path16.basename(root) || "project"
+  };
+}
+async function auditCommand(options) {
+  const { ctx, source } = await buildContext(options);
+  const result = runAudit(ctx);
+  if (options.json) {
+    logger.out(JSON.stringify(result, null, 2));
+    return;
+  }
+  logger.out(pc.bold(`Project Score: ${result.score}/${result.maxScore}`));
+  logger.out(pc.dim(`Audited ${source}`));
+  logger.out("");
+  for (const rule of result.rules) {
+    logger.out(statusLine(rule.passed, rule.title));
+  }
+  if (result.missing.length === 0) {
+    logger.out("");
+    logger.out(pc.green("All checks passed."));
+    return;
+  }
+  logger.out("");
+  logger.out(pc.bold("Missing:"));
+  for (const item of result.missing) logger.out(`  - ${item}`);
+  logger.out("");
+  logger.out(pc.bold("Recommendations:"));
+  for (const rec of result.recommendations) logger.out(`  - ${rec}`);
+}
+
 // src/index.ts
 function packageVersion() {
   try {
@@ -2311,12 +3693,15 @@ program.command("init-skill").description(
   "Generate an AI assistant skill from the detected tech stack (uses your configured AI)"
 ).option("--target <ai>", `Target AI assistant: ${SKILL_TARGET_IDS.join("|")}`).option("--name <name>", "Name the skill (defaults to the project folder name)").option("--provider <ai>", "Force the AI provider: claude|openai|gemini (default: auto-detect)").option("--model <id>", "Override the API model id for the chosen provider").option("--no-ai", "Skip the AI provider and use the built-in deterministic template").option("--dry-run", "Preview the skill without writing (no AI call)").option("--force", "Overwrite existing skill files").option("--verbose", "Show every detected file").action(action(initSkillCommand));
 program.command("extract").argument("<repo>", "GitHub repo: owner/repo, a github.com URL, or owner/repo#branch").description("Extract a ReplicaX profile from a remote GitHub repository").option("--ref <ref>", "Branch, tag, or commit to fetch (default: the repo default branch)").option("--name <name>", "Name the profile (defaults to the repo name)").option("--out <dir>", "Directory to write the .replicax profile into (default: current dir)").option("--dry-run", "Preview what would be captured without writing").option("--verbose", "Show every detected file").action(action(extractCommand));
-program.command("create").argument("<project-name>", "Directory/name for the new project").description("Create a new project from a profile").option("--profile <path>", "Use a profile from a custom path").option("--skip-install", "Do not run the package manager install step").option("--dry-run", "Preview the output without writing").option("--force", "Overwrite conflicting files without prompting").option("--verbose", "Show every written file").action(action(createCommand));
+program.command("create").argument("<project-name>", "Directory/name for the new project").description("Create a new project from a profile").option("--profile <path>", "Use a profile from a custom path").option("--skip-install", "Do not run the package manager install step").option("--install", "Install deps even for imported/remote (untrusted) profiles").option("--dry-run", "Preview the output without writing").option("--force", "Overwrite conflicting files without prompting").option("--verbose", "Show every written file").action(action(createCommand));
 program.command("sync").description("Update the profile from the current project state").option("--diff", "Show a detailed list of what changed").option("--force", "Rewrite the profile even if nothing changed").option("--verbose", "Show every detected file").action(action(syncCommand));
 program.command("inspect").description("Display captured configuration and structure").option("--json", "Output as JSON").option("--section <section>", "Inspect one section: profile|tooling|structure|metadata").option("--profile <path>", "Inspect a profile at a custom path").action(action(inspectCommand));
 program.command("validate").description("Check profile schema and integrity").option("--profile <path>", "Validate a profile at a custom path").action(action(validateCommand));
 program.command("export").description("Export the profile as a portable .tar.gz archive").option("--out <file>", "Output archive path").option("--profile <path>", "Export a profile from a custom path").action(action(exportCommand));
 program.command("import").argument("<archive>", "Path to a .tar.gz profile archive").description("Import a portable profile archive into .replicax/").option("--force", "Overwrite an existing profile").action(action(importCommand));
+program.command("doctor").description("Check which developer tools are installed locally").option("--json", "Output as JSON").action(action(doctorCommand));
+program.command("compare").argument("<source>", "A profile path or project directory").argument("<target>", "A profile path or project directory").description("Compare two profiles (or projects): tooling, config, structure, metadata").option("--json", "Output as JSON").action(action(compareCommand));
+program.command("audit").description("Score a project setup against best practices and recommend improvements").option("--path <dir>", "Directory to audit (default: current dir)").option("--profile <path>", "Audit a stored profile instead of scanning").option("--json", "Output as JSON").action(action(auditCommand));
 if (process.argv.slice(2).length === 0) {
   program.outputHelp();
   process.exit(0);