@kiwidata/grimoire 0.1.3 → 0.1.5

package/AGENTS.md

@@ -24,6 +24,43 @@ These principles govern all grimoire work — drafting, planning, reviewing, and
 
 **Verify before using.** Before importing a module, calling a function, or adding a dependency — confirm it exists. Check `.grimoire/docs/<area>.md` for reusable code with exact paths. Check `.grimoire/docs/data/schema.yml` for real model fields and API endpoints. If you haven't read the file you're importing from, read it (or its area doc) first. Never guess at package names, function signatures, or API paths.
 
+## Anti-Loop Protocol
+
+Applies everywhere: writing code, running tests, fixing checks, editing files. These rules exist because loops are expensive — each iteration burns context and time, and the later iterations are usually worse than just stopping.
+
+### Attempt budget: 3
+
+Count attempts per discrete problem (one failing test, one failing check, one broken script). After 3 failed attempts:
+
+1. **Stop.** Do not attempt #4.
+2. **Diagnose.** State the pattern: what you tried each time, what failed each time, what's different and what's the same.
+3. **Escalate.** Present the diagnosis to the user and ask how to proceed. Don't silently switch to a different approach without saying so.
+
+A "different attempt" means a fundamentally different approach — not the same fix with minor tweaks. If attempt 2 makes the same type of change as attempt 1, it counts as the same attempt.
+
+### Change approach after 2 failures of the same type
+
+If the second failure looks like the first failure (same error class, same location, same check), the approach is wrong — not the implementation. Don't attempt a third narrow fix. Step back and ask: is the whole approach wrong? Is there a simpler path?
+
+Examples:
+- Two shell scripts with portability bugs → stop writing scripts, use prose or build into the tool
+- Two attempts to fix the same failing test → reread the test and the code together, don't just tweak values
+- Two check failures on the same file → run the check manually and read the full output before editing
+
+### Pre-validate before acting
+
+Don't use side-effect actions (commits, test runs, check runs) as the primary validator. Validate first, then act.
+
+- Shell scripts: run against the actual codebase before embedding in any file
+- Commits: run `grimoire check <step>` manually, fix all issues, then commit once
+- Code: read the function you're calling before calling it — don't rely on the compiler or test runner to catch typos in function names
+
+### Diagnose before fixing
+
+After any failure, state what you observe before proposing a fix. One sentence: what failed, where, and why. If you can't state the why, you're not ready to fix it.
+
+This applies especially to test failures. "The test failed" is not a diagnosis. "The test expected `302` but got `200` because the redirect middleware isn't registered in the test client" is.
+
 ## When to Use Grimoire
 
 Use grimoire when the user's request involves:
@@ -94,10 +131,9 @@ User has a request
 │
 ├─ "Setting up grimoire on an existing project"
 │  1. `grimoire init` → creates .grimoire/ directory and config
-│  2. `grimoire map` → scans codebase structure into .snapshot.json
-│  3. `/grimoire:discover` → generates area docs, data schema, project context
-│  4. `/grimoire:audit` → discovers undocumented features and decisions
-│  5. Start working: `/grimoire:draft` for new changes, `/grimoire:bug` for fixes
+│  2. `/grimoire:discover` → generates conventions files, data schema, project context (requires codebase-memory-mcp)
+│  3. `/grimoire:audit` → discovers undocumented features and decisions
+│  4. Start working: `/grimoire:draft` for new changes, `/grimoire:bug` for fixes
 │
 └─ "Setting up grimoire on a new/greenfield project"
    1. `grimoire init` → creates .grimoire/ directory and config
@@ -215,3 +251,19 @@ This is what makes `grimoire trace` and `grimoire log` work. Without it, the com
 
 ### Step Definitions
 Organize by **domain concept**, NOT by feature file. Check the project's existing test setup and match its BDD framework conventions. See the active skill's testing reference for ecosystem-specific patterns.
+
+
+<!-- GRIMOIRE:START -->
+## Caveman Mode
+
+Respond terse like smart caveman at **lite** intensity. All technical substance stay. Only fluff die.
+
+Rules: No filler/hedging. Keep articles + full sentences. Professional but tight.
+
+Auto-clarity exception: revert to normal for security warnings, irreversible action confirmations, and multi-step sequences where fragments risk misread.
+
+Boundaries: code, commits, PRs written normally. Stop with "stop caveman" or "normal mode".
+
+<!-- caveman:lite — based on github.com/JuliusBrussee/caveman -->
+
+<!-- GRIMOIRE:END -->

package/README.md

@@ -15,10 +15,10 @@ The software industry spent decades learning hard lessons about building reliabl
 
 Grimoire adds the missing discipline:
 
-- **Specs before code** — every behavior is a Gherkin `.feature` file that doubles as an executable acceptance test
+- **One home per fact** — actor-observable behavior is a Gherkin `.feature`; security/NFR/observability invariants are a constraints register; trade-offs are MADR decisions; data is a schema; code structure is the live graph. No fact lives in two places.
 - **Plans before implementation** — concrete task lists with exact file paths, not "implement the feature"
-- **Tests that actually test** — mandatory red-green BDD cycle with assertion quality checks
-- **Codebase knowledge without exploration** — area docs, data schemas, and symbol maps so the AI doesn't waste context reading files
+- **Tests that actually test** — test-first discipline at the right level (red-green BDD for behavior, unit tests for invariants) with assertion quality checks
+- **Codebase knowledge without exploration** — intent-focused area docs + data schemas, with live structure (symbols, call graphs, reusable code) from codebase-memory-mcp so the AI doesn't waste context reading files
 - **Full audit trail** — every commit traces back to a requirement via git trailers
 - **Architecture decisions on record** — MADR decision records so the AI doesn't re-litigate choices
 
@@ -31,7 +31,7 @@ npm install -g @kiwidata/grimoire
 ```
 
 <details>
-<summary>Install from source</summary>
+<summary>Install from source (contributors / development only)</summary>
 
 Requires Node.js 20+ and git.
 
@@ -41,7 +41,7 @@ cd grimoire
 npm install
 npm run build
 npm link              # makes `grimoire` available globally
-grimoire --version    # should print 0.1.2
+grimoire --version    # should print the installed version
 ```
 
 To update after pulling new changes:
@@ -64,7 +64,8 @@ To unlink: `npm unlink -g @kiwidata/grimoire`
 ```bash
 cd my-project
 grimoire init          # Auto-detect tools, configure checks, install skills
-grimoire map           # Snapshot codebase structure into .grimoire/docs/
+# Structure comes from codebase-memory-mcp (live). Run /grimoire:discover
+# once to generate intent-focused area docs + data schema.
 ```
 
 Then talk to your AI assistant:
@@ -73,14 +74,15 @@ Then talk to your AI assistant:
 You: "Users should be able to log in with 2FA"
 
 → /grimoire:draft    Creates login.feature with Given/When/Then scenarios
-→ /grimoire:plan     Generates tasks: write step defs, then production code
-→ /grimoire:review   (optional) Product, security, and engineering review
-→ /grimoire:apply    Implements with strict red-green BDD
+→ /grimoire:plan     Generates tasks: write the test, then production code
+→ /grimoire:review   (optional) Product, security, engineering + principles review
+→ /grimoire:apply    Implements test-first (BDD for behavior, unit for invariants)
 → /grimoire:verify   Confirms all scenarios pass, no regressions
-→ grimoire archive    Syncs to baseline, archives manifest
 → grimoire pr         Generates PR description from artifacts
 ```
 
+Artifacts are edited **live on a feature branch** — `git diff` is the staging area. There is no copy-into-change-folder and no promote step.
+
 <details>
 <summary>What <code>grimoire init</code> creates</summary>
 
@@ -88,7 +90,7 @@ Interactive setup that auto-detects your project's tools and asks preferences fo
 
 - `AGENTS.md` — workflow instructions read by AI coding assistants
 - `.grimoire/config.yaml` — tool configuration and check pipeline
-- `.grimoire/` — decisions, docs, change tracking, archive directories
+- `.grimoire/` — decisions, docs (area docs + `constraints.md` register), and change tracking
 - `features/` — where Gherkin specs live
 - `.claude/skills/` — Claude Code skill definitions (ignored by other agents)
 - `.git/hooks/pre-commit` — runs `grimoire check` before commits
@@ -101,43 +103,49 @@ Use `grimoire init --no-detect` to skip interactive tool detection. Most unconfi
 
 ### 1. Draft — Define what you're building
 
-Grimoire routes your request to the right format:
+Grimoire routes your request to its one correct home (an admission test keeps each artifact type clean):
 
-- **"Users should be able to log in with 2FA"** → Gherkin feature
+- **"Users should be able to log in with 2FA"** (external actor, observable) → Gherkin feature
+- **"Logs must never contain PII"** (an invariant, no actor) → `constraints.md` register, **not** a `.feature`
 - **"We should use PostgreSQL instead of MySQL"** → MADR decision record
 - **"The login page is broken"** → `/grimoire:bug` (reproduce first, then fix)
 - **"A tester found a problem"** → `/grimoire:bug-report` → `/grimoire:bug-triage` → routed fix
 
-Produces `.feature` files (with security tags like `@security`, `@auth`, `@pii`, `@pci-dss` when applicable), decision records, `data.yml` for schema changes, and a manifest tracking the change.
+A `.feature` is allowed only if it has an external actor, is observable without reading code/logs, uses domain language, and survives a reimplementation. Security controls, NFRs, and observability guarantees are invariants → they live in the constraints register. Produces `.feature` files (with security tags like `@security`, `@auth`, `@pii`, `@pci-dss` when applicable), constraint entries, decision records, `data.yml` for schema changes, and a manifest tracking the change.
 
 ### 2. Plan — Generate concrete tasks
 
 Every scenario becomes a pair: write the step definition (test), then write the production code. Tasks reference exact file paths, exact assertions, and real patterns from area docs. Data changes (models, migrations) are ordered before feature code.
 
-The plan skill reads `.grimoire/docs/` to find reusable utilities, coding patterns, and where new code should go — so the AI plans with real codebase knowledge, not guesses.
+The plan skill reads area docs for conventions and boundaries, and queries the code graph for reusable utilities and exact symbols — so the AI plans with real codebase knowledge, not guesses. Each task is tagged with its verification level: `scenario` (behavior), `unit-invariant` (a constraint), or `characterization` (internal/refactor).
 
 ### 3. Review — Multi-perspective design review (optional)
 
-Five personas validate the change before any code is written:
+Personas validate the change before any code is written:
 
 - **Product manager** — completeness, missing edge cases, unclear requirements
 - **Senior engineer** — simplicity, code reuse, architecture fit, task quality
 - **Security engineer** — STRIDE threat analysis, OWASP Top 10 / CWE classification, compliance verification (PCI-DSS, HIPAA, GDPR, SOC2 when configured), input validation, auth boundaries, vulnerable dependencies, secrets
 - **QA engineer** — testability, negative scenarios, edge cases, observability, regression risk
 - **Data engineer** — schema design, migration safety, index coverage (when `data.yml` present)
+- **Principles auditor** — flags duplicate homes (DRY), second ways to do a thing (one right way), reinvented wheels, speculative complexity (KISS), and any `.feature` that is really a constraint
 
 Issues flagged as **blocker** or **suggestion**. Security findings tagged with OWASP category and CWE ID. Skip for small/low-risk changes.
 
-### 4. Apply — Build with strict red-green BDD
+### 4. Apply — Build test-first at the right level
+
+Red-green discipline stays; the test *vehicle* matches the task's `verify:` tag — a Gherkin step definition for `scenario` tasks, a unit/integration test for `unit-invariant` and `characterization` tasks. (No `.feature` is forced onto a constraint or an internal change — that's what filled feature files with slop.)
 
 For each task:
-1. Write the step definition (test)
+1. Write the failing test at the task's level
 2. Run it — **must fail** (red). A test that passes immediately is broken.
 3. Write production code
 4. Run it — **must pass** (green)
 5. Test quality check — verify strong assertions, not `assert True`
 6. Mark done, move to next task
 
+Artifacts are edited **live on the feature branch** the whole time — no promote step. Finalize just flips decision status to `accepted` and removes the ephemeral change folder.
+
 **Session management:** Each task (or group of 2-3) runs in a fresh subagent to avoid context bloat. `tasks.md` is the coordination mechanism — if the session is interrupted, the next agent picks up where you left off.
 
 **Stuck detection:** After 3 failed attempts with different approaches on a single task, the agent stops and asks for help instead of looping.
@@ -151,11 +159,23 @@ For each task:
 - **Security compliance** — verifies plan-stage security patterns were followed (parameterized queries, bcrypt, no hardcoded secrets), checks review blockers were addressed, runs OWASP Top 10 surface scan on the diff, validates security-tagged scenarios (`@security`, `@auth`, `@pii`, `@pci-dss`, etc.)
 - **Dead features** — specs that exist but code no longer implements
 
-### 6. PR & Archive
+### 6. PR
+
+`grimoire pr` generates a PR description from the branch diff, features, decisions, and task progress. Optional `--review` runs an LLM review of the actual diff. `--create` creates via `gh` or `glab`.
+
+There is no archive step. Features, decisions, constraints, and schema were edited live on the branch; the PR diff *is* the change, and git history + the `Change: <id>` commit trailer are the record.
 
-`grimoire pr` generates a PR description from manifests, features, decisions, and task progress. Optional `--review` runs an LLM review of the actual diff. `--create` creates via `gh` or `glab`.
+## For UI/UX designers
 
-`grimoire archive` syncs features to baseline, accepts decisions, updates data schema, and archives the manifest.
+Grimoire treats design as a first-class spec input, not an afterthought.
+
+- **Brand capture at init** — `grimoire init` offers to capture colors, type, spacing, and voice into `.grimoire/brand/` (DTCG tokens). Skip-able; can be added later via `grimoire-design --capture-brand`.
+- **Consult (optional)** — `/grimoire:design-consult` runs a pre-design Q&A. Security and data personas interview the designer about the proposed change *before* any artifacts exist, surfacing assumptions and constraints early. No findings, no blockers — just questions whose answers will shape the design.
+- **Design** — `/grimoire:design` walks: problem statement → user flow & pain points → variants (Figma MCP, static HTML, or ASCII) → required component states (default/loading/empty/error) → proposed Gherkin scenarios for each (component × state).
+- **Handoff** — accepted scenarios feed `/grimoire:draft` (manifest + ADRs), then `/grimoire:plan` (tasks), then `/grimoire:review` — **mandatory at complexity 4** with surface-conditional adversarial personas (keyboard, screen-reader, contrast on web; touch + gesture on mobile; keyboard-only on TUI).
+- **Revision** — `/grimoire:design --revise` re-enters an existing design without restarting. Shows current variants and Gherkin, asks what to change, regenerates only the affected artifacts. Previously-accepted scenarios are not overwritten without confirmation.
+
+Brand-drift lint (`grimoire-design --lint`) cross-references hardcoded colors / px / fonts against `.grimoire/brand/tokens.json` and suggests token replacements. Wired into precommit-review when tokens exist.
 
 ## Walkthrough
 
@@ -298,17 +318,16 @@ The AI runs `/grimoire:verify`:
 ## Suggestions
 - Consider adding a rate-limiting scenario for repeated failed TOTP attempts
 
-Recommendation: Ready to archive.
+Recommendation: Ready to commit and open a PR.
 ```
 
-### PR & Archive
+### PR
 
 ```bash
 grimoire pr --create        # Creates PR via gh with full description
-grimoire archive add-2fa-login  # Syncs features, accepts decision, archives manifest
 ```
 
-The feature files move to `features/auth/login.feature` (baseline). The decision moves to `.grimoire/decisions/0003-totp-library.md` with status `accepted`. The manifest is archived to `.grimoire/archive/`.
+The feature file was edited live at `features/auth/login.feature` on the branch; the decision is live at `.grimoire/decisions/0003-totp-library.md` with status flipped to `accepted` at finalize; the ephemeral change folder was removed. The PR diff is the change — there's no archive step.
 
 `grimoire trace src/views/auth.py:42` now shows: commit `abc123` → Change: `add-2fa-login` → features: `auth/login.feature` → decision: `0003-totp-library.md`.
 
@@ -384,7 +403,7 @@ Skill also drafts the missing scenario into `features/checkout/place-order.featu
 - [ ] No regression in existing checkout suite
 ```
 
-Commit trailer: `Bug: 0042-place-order-timeout`. Tester runs through the checklist, marks complete, and the bug archives alongside the change.
+Commit trailer: `Bug: 0042-place-order-timeout`. Tester runs through the checklist, marks complete, and the bug closes alongside the change when the PR merges.
 
 </details>
 
@@ -422,13 +441,15 @@ Grimoire owns the **inner loop** — the Dev and Sec portions of DevSecOps. Ops
 | Requirements engineering | Gherkin specs as executable acceptance tests | Draft skill |
 | Architecture decisions | MADR records with cost-of-ownership | Draft skill |
 | Design review | Multi-persona review before code is written | Review skill |
-| Test-driven development | Strict red-green BDD enforcement | Apply skill |
+| Test-driven development | Test-first: red-green BDD for behavior, unit tests for invariants | Apply skill |
 | Test quality | Static analysis for weak/empty/tautological tests | `grimoire test-quality`, verify skill |
 | Regression prevention | All existing tests must pass; regressions block completion | Apply + verify skills |
-| Change management | Manifests, task tracking, session resumption, archive | Full lifecycle |
+| Change management | Manifests, task tracking, session resumption, live-on-branch edits | Full lifecycle |
 | Traceability | Every commit → change → feature → decision | `grimoire trace` |
 | Security review | STRIDE threat modeling, OWASP/CWE tagging at design time | Review + plan + verify skills |
 | Security tooling | SAST, SCA, secrets scanning in pre-commit pipeline | `grimoire check` |
+| Vulnerability triage | CVE noise → VEX verdict + hotfix-now/next-release, scored on KEV/EPSS/reachability vs deployment + recorded controls | Vuln-triage skill |
+| Vulnerability remediation | Triaged findings → bug-tracker tickets, risk-accept register with expiry (feeds back into triage *and* the `dep_audit`/`security` check gate), change stubs for non-trivial fixes | Vuln-remediate skill |
 | Bug discipline | Reproduce-first fixes, structured triage, confidential security handling | Bug workflow skills |
 | Exploratory testing | Gap analysis, coverage mapping, charter-based sessions | Bug-explore + bug-session skills |
 | Tech debt tracking | Structured debt register with severity and formal exceptions | Refactor skill |
@@ -453,35 +474,50 @@ Grimoire's security capabilities are **AI-mediated at design time**, not static
 
 This means security coverage depends on: (1) configuring the right tools in your check pipeline, and (2) the AI following its own instructions. Projects that run `grimoire init` with detection get solid defaults. Projects that skip detection should configure `tools.security`, `tools.dep_audit`, and `tools.secrets` in `.grimoire/config.yaml`.
 
+**Vulnerability triage.** Scanners (`npm audit`, `pip-audit`, `osv-scanner`) rank CVEs by CVSS base score, which knows nothing about your deployment — so they over-escalate. The vuln-triage skill scores each advisory the way it actually matters here: KEV (known-exploited), EPSS (exploit probability), reachability (is the vulnerable code even on our execute path), and exposure/controls read from `context.yml` + MADR decisions — never a new config file. The output is a [VEX](https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf) verdict per CVE (`not_affected` with a justification code suppresses noise auditably) and, for the survivors, the only decision that matters: **drop-everything hotfix vs next release cycle**. A Contrarian calibration pass (the same one from the review engine) steel-mans "we're not affected" against every escalation to kill manufactured emergencies. Full rubric in `skills/references/dependency-vuln-triage.md`. Accepted findings land in `.grimoire/security/accepted-risks.yml` with an expiry; the `dep_audit` and `security` check steps read that register and suppress an advisory only while its entry is unexpired — so the commit gate stops blocking on triaged-away findings (e.g. a dev-only CVE) without silently ignoring new ones.
+
+**Supply chain defense.** For apps and services, the review and verify skills treat any dependency add/upgrade without a committed lockfile (and integrity hashes, where the ecosystem supports them) as a **blocker** — motivated by recent npm / PyPI / RubyGems / Cargo maintainer-account compromises that auto-installed through floating version ranges. Per-ecosystem rules cover `package.json` + lockfile (no `^`/`~`/`*`/`latest` for apps), `uv.lock` / `poetry.lock` / `pip-compile --generate-hashes`, `Gemfile.lock` with `CHECKSUMS` (Bundler 2.5+), `Cargo.lock` for binaries, and `go.mod` + `go.sum`. CI must install from the lockfile (`npm ci`, `pnpm install --frozen-lockfile`, `yarn install --immutable`, `uv sync --frozen`, `pip install --require-hashes`, `bundle install --deployment`, `cargo build --locked`, `go build` with `-mod=readonly`). Libraries published to a registry are out of scope — keep compatible ranges in your published manifest. Full ruleset in `skills/references/security-compliance.md`.
+
 Grimoire does not provide compliance framework enforcement (OWASP ASVS checklists, CWE mapping), SBOM generation, artifact signing, or DAST. These require dedicated security tooling.
 
 ## Features
 
 ### Codebase Intelligence
 
-```bash
-grimoire map                # Structural snapshot (.grimoire/docs/.snapshot.json)
-grimoire map --refresh      # Diff against existing docs, show gaps
-grimoire map --duplicates   # Run jscpd duplicate detection
-grimoire map --depth <n>    # Max directory depth to scan (default 4)
-```
-
-Snapshots the directory layout, language mix, and per-area metrics so area docs and plans don't have to re-explore the tree. No native dependencies.
+Structure is **live, not stored.** Symbols, call graphs, data-flow, dead code, and reusable utilities come from [codebase-memory-mcp](https://github.com/DeusData/codebase-memory-mcp) on demand (`search_graph`, `get_architecture`, `trace_path`) — there is no frozen snapshot to go stale. `grimoire init` offers to install it.
 
-For richer intelligence (call graphs, data flow tracing, dependency analysis), grimoire integrates with [codebase-memory-mcp](https://github.com/DeusData/codebase-memory-mcp). `grimoire init` offers to install it.
+Duplicate detection and convention-drift checks live in `grimoire health` (config-driven). Grimoire stores only what the graph *can't* derive — intent, boundaries, decisions, constraints.
 
 ### Area Docs & Data Schema
 
-`grimoire map` + `/grimoire:discover` generates docs in `.grimoire/docs/`:
+`/grimoire:discover` generates **intent-focused** docs in `.grimoire/docs/`:
 
 - Purpose and boundaries of each module
-- Key files with responsibilities
-- **Reusable code inventory** — exact function names, file paths, line numbers
-- Naming conventions, structural patterns, where new code goes
+- Conventions (naming, structure) with exemplar file references
+- Where new code of each type goes
+
+Area docs deliberately do **not** list key files or a reusable-code inventory — that's structure, and the graph regenerates it live (a frozen copy drifts). Discover runs only when an area's *intent* changes, not on every code change.
 
 `.grimoire/docs/data/schema.yml` captures your data layer — SQL tables, document collections, external API contracts — so the AI reads this instead of model files.
 
-`grimoire docs` generates a browsable `.grimoire/docs/OVERVIEW.md` project summary.
+`grimoire docs` generates a browsable `.grimoire/docs/OVERVIEW.md` — the single human entry point: what the app is, its actors, capabilities (grouped by functional story), constraints, architecture, and decisions, each linking down.
+
+### Rendering into your doc site
+
+`grimoire docs` emits **portable CommonMark** — grimoire owns the spec *storage* (features, constraints, decisions, schema); your existing doc tool owns *rendering*. Grimoire ships no renderer and standardizes on no doc tool. Include the output wherever your project already publishes:
+
+- **Sphinx** (with [myst-parser](https://myst-parser.readthedocs.io)): point grimoire at your docs tree and include the page in a toctree —
+  ```bash
+  grimoire docs -o docs/overview.md
+  ```
+  ````markdown
+  ```{include} overview.md
+  ```
+  ````
+- **MkDocs**: `grimoire docs -o docs/overview.md`, then add `overview.md` to `nav:`.
+- **No doc tool**: read `.grimoire/docs/OVERVIEW.md` directly — it's plain markdown.
+
+The source artifacts stay tool-agnostic, so the AI workflow doesn't depend on any renderer. Regenerate `OVERVIEW.md` whenever artifacts change (`grimoire-apply` does this at finalize).
 
 ### Pre-Commit Pipeline
 
@@ -549,8 +585,8 @@ Developer picks it up → /grimoire:bug-triage → classify root cause
 Every commit includes a `Change:` git trailer linking code → commit → change → feature → decision.
 
 ```bash
-grimoire trace src/auth.py:42   # What requirement introduced this line?
-grimoire log --from v1.0        # Release notes from archived changes
+grimoire trace src/auth.py:42        # What requirement introduced this line?
+git log --grep "Change: add-2fa-login"   # Every commit for a change, via its trailer
 ```
 
 ### Project Health
@@ -560,14 +596,15 @@ grimoire health
 
   features          100%  ██████████  12 scenarios in 5 files
   decisions          89%  █████████░  8/9 current
-  area docs          75%  ████████░░  6/8 areas documented
+  area docs         100%  ██████████  6 areas documented
   data schema       100%  ██████████  4 models documented
+  conventions drift 100%  ██████████  no drift — paths match
   test coverage      60%  ██████░░░░  3/5 features have step definitions
   unit coverage      82%  █████████░  82% line coverage
   duplicates           —              2 clones detected
   complexity           —              no high-complexity functions
 
-  Overall            84%  █████████░
+  Overall            87%  █████████░
 ```
 
 ### Contract Testing
@@ -626,22 +663,27 @@ grimoire init --agent copilot                   # .github/copilot-instructions.m
 |-------|---------|
 | `/grimoire:draft` | Draft features and/or decisions collaboratively |
 | `/grimoire:plan` | Generate detailed implementation tasks from specs |
-| `/grimoire:review` | Multi-perspective design review (PM, engineer, security, QA, data) |
-| `/grimoire:apply` | Execute tasks with strict red-green BDD |
+| `/grimoire:review` | Multi-perspective design review (PM, engineer, security, QA, data, principles) |
+| `/grimoire:apply` | Execute tasks test-first at the right level (BDD for behavior, unit for invariants) |
 | `/grimoire:verify` | Post-implementation verification + test quality |
 | `/grimoire:audit` | Discover undocumented features and decisions |
 | `/grimoire:remove` | Tracked feature removal with impact assessment |
-| `/grimoire:discover` | Generate area docs and data schema from codebase |
+| `/grimoire:discover` | Generate intent-focused area docs and data schema |
 | `/grimoire:refactor` | Find, prioritize, and track tech debt |
 | `/grimoire:bug` | Disciplined bug fix with reproduction test first |
 | `/grimoire:bug-report` | Structured bug reporting (accepts test tool output) |
 | `/grimoire:bug-triage` | Classify and route bug reports |
+| `/grimoire:vuln-triage` | Triage vuln scans (npm audit / pip-audit / Trivy / any tool) against deployment + controls — hotfix-now vs next release |
+| `/grimoire:vuln-remediate` | File triaged vulns — tickets in the bug tracker, risk-accept register with expiry, change stubs for big fixes |
 | `/grimoire:bug-explore` | AI-guided exploratory testing and gap analysis |
 | `/grimoire:bug-session` | Charter-based exploratory testing sessions |
 | `/grimoire:branch-guard` | Enforce branch hygiene before starting new feature work (also wired as a hook) |
 | `/grimoire:commit` | Contextual commit messages with change trailers |
 | `/grimoire:pr` | Generate PR description + optional diff review |
 | `/grimoire:pr-review` | Review a teammate's PR with the multi-persona lens |
+| `/grimoire:precommit-review` | Multi-persona review of your own staged/unstaged diff before commit |
+| `/grimoire:design` | Generate UI/UX designs — problem → variants → states → derived Gherkin |
+| `/grimoire:design-consult` | Pre-design Q&A with security and data personas before any artifacts exist |
 
 </details>
 
@@ -666,11 +708,6 @@ grimoire init --agent copilot                   # .github/copilot-instructions.m
 | `grimoire status <id>` | Show change status, branch, and task progress |
 | `grimoire validate [id]` | Validate features, decisions, and manifests |
 | `grimoire validate --strict` | Enable strict validation |
-| `grimoire archive <id> [-y]` | Archive a completed change (`-y` skips confirmation) |
-| `grimoire map` | Structural codebase scan |
-| `grimoire map --duplicates` | Run jscpd duplicate detection |
-| `grimoire map --refresh` | Diff against existing docs, show gaps |
-| `grimoire map --depth <n>` | Max directory depth to scan (default 4) |
 | `grimoire check [steps...]` | Run pre-commit pipeline |
 | `grimoire ci` | Run CI pipeline |
 | `grimoire ci --setup` | Generate `.github/workflows/grimoire.yml` template |
@@ -680,7 +717,6 @@ grimoire init --agent copilot                   # .github/copilot-instructions.m
 | `grimoire pr --create` | Create PR via gh/glab |
 | `grimoire pr --review` | Run post-implementation LLM review of diff |
 | `grimoire test-quality [files]` | Analyze test files for quality issues |
-| `grimoire log [--from <ref>] [--to <ref>]` | Generate change log / release notes |
 | `grimoire trace <file[:line]>` | Trace file to originating grimoire change |
 | `grimoire diff <id>` | Compare proposed change specs against the baseline |
 | `grimoire docs [-o <path>]` | Generate human-readable project overview |
@@ -793,6 +829,16 @@ testing_tools:
 
 ## Contributing
 
+Issues and pull requests welcome at [github.com/kiwi-data/grimoire](https://github.com/kiwi-data/grimoire). Grimoire dogfoods itself — `.grimoire/` in this repo is built using grimoire skills, so contributions are expected to go through the same `draft → plan → apply → verify → pr` workflow described above.
+
+**Before opening a PR:**
+
+- `npm run build && npm test && npm run lint` — all green
+- `grimoire check` — pre-commit pipeline green
+- New behavior has a Gherkin scenario in `features/` (or a decision record under `.grimoire/decisions/` if it's an architectural choice)
+- Commit messages include a `Change:` trailer when the work is part of a tracked change
+- For dependency adds/upgrades: lockfile committed, no floating version ranges in `package.json` (see Security model above)
+
 <details>
 <summary>Development setup and project structure</summary>
 
@@ -826,7 +872,7 @@ grimoire/
 ### Adding a New Skill
 
 1. Create `skills/grimoire-<name>/SKILL.md` with trigger, prerequisites, workflow, and important notes
-2. Add `"grimoire-<name>"` to the `skillNames` array in both `src/core/init.ts` and `src/core/update.ts`
+2. Add `"grimoire-<name>"` to the `SKILL_NAMES` array in `src/core/shared-setup.ts` (shared by init and update)
 3. Build and test: `npm run build && node bin/grimoire.js update .`
 
 Skills are pure markdown — instructions for the AI, not executable code.
@@ -847,12 +893,14 @@ Skills are pure markdown — instructions for the AI, not executable code.
 
 ## Philosophy
 
-- **Features are tests.** A `.feature` file is both the requirement and the acceptance test.
-- **Red-green is mandatory.** A test must fail before it passes. If it doesn't fail, it's not a real test.
+- **One home per fact.** Behavior → feature; invariant → constraint; trade-off → decision; data → schema; structure → the live graph. No fact in two places (DRY).
+- **One right way.** Each thing has a single sanctioned approach. Two ways to do the same job is a defect, even if both work.
+- **Don't reinvent the wheel.** Use the tool that exists — git for isolation/staging/history, standard libraries for crypto/auth/parsing — not a bespoke grimoire clone of it.
+- **Features are tests — when they're behavior.** A `.feature` is the requirement and the acceptance test, but only for actor-observable behavior. Invariants are unit-tested constraints, not Gherkin.
+- **Red-green is mandatory.** A test must fail before it passes — at the right level (BDD for behavior, unit for invariants).
 - **Decisions are documented.** Architecture choices that aren't written down get relitigated.
 - **Reproduce before you fix.** Every bug gets a failing test before any code changes.
 - **Simple over clever.** Less code, fewer abstractions, smallest surface area.
-- **Verify before using.** Confirm imports, functions, and packages exist before writing code that depends on them.
 - **Removal is deliberate.** Removing a feature gets the same rigor as adding one.
 - **The fix is upstream.** You don't fix codebase entropy by reviewing harder — you fix it by requiring specs before code.
 

package/dist/cli/index.js

@@ -1,13 +1,13 @@
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { dirname, join } from "node:path";
 import { Command } from "commander";
 import { initCommand } from "../commands/init.js";
 import { updateCommand } from "../commands/update.js";
 import { validateCommand } from "../commands/validate.js";
 import { listCommand } from "../commands/list.js";
 import { statusCommand } from "../commands/status.js";
-import { archiveCommand } from "../commands/archive.js";
-import { mapCommand } from "../commands/map.js";
 import { checkCommand } from "../commands/check.js";
-import { logCommand } from "../commands/log.js";
 import { traceCommand } from "../commands/trace.js";
 import { docsCommand } from "../commands/docs.js";
 import { healthCommand } from "../commands/health.js";
@@ -16,20 +16,19 @@ import { testQualityCommand } from "../commands/test-quality.js";
 import { diffCommand } from "../commands/diff.js";
 import { ciCommand } from "../commands/ci.js";
 import { branchCheckCommand } from "../commands/branch-check.js";
+import { configureCommand } from "../commands/configure.js";
+const pkg = JSON.parse(readFileSync(join(dirname(fileURLToPath(import.meta.url)), "..", "..", "package.json"), "utf-8"));
 const program = new Command();
 program
     .name("grimoire")
     .description("Gherkin + MADR spec-driven development for AI coding assistants")
-    .version("0.1.2");
+    .version(pkg.version);
 program.addCommand(initCommand);
 program.addCommand(updateCommand);
 program.addCommand(validateCommand);
 program.addCommand(listCommand);
 program.addCommand(statusCommand);
-program.addCommand(archiveCommand);
-program.addCommand(mapCommand);
 program.addCommand(checkCommand);
-program.addCommand(logCommand);
 program.addCommand(traceCommand);
 program.addCommand(docsCommand);
 program.addCommand(healthCommand);
@@ -38,5 +37,6 @@ program.addCommand(testQualityCommand);
 program.addCommand(diffCommand);
 program.addCommand(ciCommand);
 program.addCommand(branchCheckCommand);
+program.addCommand(configureCommand);
 program.parse();
 //# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAEjE,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CACV,iEAAiE,CAClE;KACA,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AAChC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;AAClC,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;AACpC,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AAChC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;AAClC,OAAO,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;AACnC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AAC/B,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;AACjC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AAC/B,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;AACjC,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AAChC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;AAClC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;AAC9B,OAAO,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AACvC,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AAChC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;AAC9B,OAAO,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AAEvC,OAAO,CAAC,KAAK,EAAE,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAE5D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CACpB,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAC1E,CAAC;AAEzB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CACV,iEAAiE,CAClE;KACA,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAExB,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AAChC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;AAClC,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;AACpC,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AAChC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;AAClC,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;AACjC,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;AACjC,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AAChC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;AAClC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;AAC9B,OAAO,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AACvC,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;AAChC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;AAC9B,OAAO,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AACvC,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;AAErC,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/commands/check.js

@@ -15,7 +15,7 @@ export const checkCommand = new Command("check")
         skip: options.skip,
         json: options.json ?? false,
     });
-    if (failed > 0 || errored > 0) {
+    if (failed > 0) {
         process.exit(1);
     }
 });

package/dist/commands/check.js.map

@@ -1 +1 @@
-{"version":3,"file":"check.js","sourceRoot":"","sources":["../../src/commands/check.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,MAAM,CAAC,MAAM,YAAY,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC;KAC7C,WAAW,CAAC,wEAAwE,CAAC;KACrF,QAAQ,CAAC,YAAY,EAAE,iDAAiD,CAAC;KACzE,MAAM,CAAC,aAAa,EAAE,+CAA+C,CAAC;KACtE,MAAM,CAAC,WAAW,EAAE,kDAAkD,CAAC;KACvE,MAAM,CAAC,mBAAmB,EAAE,qBAAqB,CAAC;KAClD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,OAAO,EAAE,EAAE;IACzC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,QAAQ,CAAC;QACzC,KAAK,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QAC3C,cAAc,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC;QAC5C,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,IAAI;QAChC,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,KAAK;KAC5B,CAAC,CAAC;IACH,IAAI,MAAM,GAAG,CAAC,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC"}
+{"version":3,"file":"check.js","sourceRoot":"","sources":["../../src/commands/check.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,MAAM,CAAC,MAAM,YAAY,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC;KAC7C,WAAW,CAAC,wEAAwE,CAAC;KACrF,QAAQ,CAAC,YAAY,EAAE,iDAAiD,CAAC;KACzE,MAAM,CAAC,aAAa,EAAE,+CAA+C,CAAC;KACtE,MAAM,CAAC,WAAW,EAAE,kDAAkD,CAAC;KACvE,MAAM,CAAC,mBAAmB,EAAE,qBAAqB,CAAC;KAClD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,OAAO,EAAE,EAAE;IACzC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,QAAQ,CAAC;QACzC,KAAK,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QAC3C,cAAc,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC;QAC5C,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,IAAI;QAChC,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,KAAK;KAC5B,CAAC,CAAC;IACH,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC"}

package/dist/commands/configure.d.ts

@@ -0,0 +1,3 @@
+import { Command } from "commander";
+export declare const configureCommand: Command;
+//# sourceMappingURL=configure.d.ts.map

package/dist/commands/configure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configure.d.ts","sourceRoot":"","sources":["../../src/commands/configure.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKpC,eAAO,MAAM,gBAAgB,SAwBzB,CAAC"}

package/dist/commands/configure.js

@@ -0,0 +1,19 @@
+import { Command } from "commander";
+import { configureProject, SECTION_LABELS } from "../core/configure.js";
+const VALID_SECTIONS = Object.keys(SECTION_LABELS);
+export const configureCommand = new Command("configure")
+    .description("Configure grimoire options deferred from init: compliance, design tool, LLM models, bug trackers, testing tools")
+    .argument("[section]", `Section to configure: ${VALID_SECTIONS.join(", ")} (omit for interactive menu)`)
+    .argument("[path]", "Project root directory", ".")
+    .action(async (section, path) => {
+    const root = require("node:path").join(process.cwd(), path);
+    const sections = section && VALID_SECTIONS.includes(section)
+        ? [section]
+        : undefined;
+    if (section && !sections) {
+        console.error(`Unknown section "${section}". Valid: ${VALID_SECTIONS.join(", ")}`);
+        process.exit(1);
+    }
+    await configureProject(root, sections);
+});
+//# sourceMappingURL=configure.js.map

package/dist/commands/configure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"configure.js","sourceRoot":"","sources":["../../src/commands/configure.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAoB,MAAM,sBAAsB,CAAC;AAE1F,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAkB,CAAC;AAEpE,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,OAAO,CAAC,WAAW,CAAC;KACrD,WAAW,CACV,iHAAiH,CAClH;KACA,QAAQ,CACP,WAAW,EACX,yBAAyB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,8BAA8B,CACjF;KACA,QAAQ,CAAC,QAAQ,EAAE,wBAAwB,EAAE,GAAG,CAAC;KACjD,MAAM,CAAC,KAAK,EAAE,OAA2B,EAAE,IAAY,EAAE,EAAE;IAC1D,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;IAC5D,MAAM,QAAQ,GACZ,OAAO,IAAK,cAA2B,CAAC,QAAQ,CAAC,OAAO,CAAC;QACvD,CAAC,CAAC,CAAC,OAAsB,CAAC;QAC1B,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CACX,oBAAoB,OAAO,aAAa,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACpE,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,gBAAgB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AACzC,CAAC,CAAC,CAAC"}

package/dist/commands/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC,eAAO,MAAM,WAAW,SAkBpB,CAAC"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC,eAAO,MAAM,WAAW,SAoBpB,CAAC"}

package/dist/commands/init.js

@@ -9,12 +9,14 @@ export const initCommand = new Command("init")
     .option("--agent <type>", "Add an AI agent: claude, opencode, codex, cursor, copilot (can be repeated)", collect, [])
     .option("--install-codebase-memory-mcp", "Mark codebase-memory-mcp as a recommended integration (prints install command at end)")
     .option("--install-caveman-plugin", "Mark caveman skill plugin as a recommended integration (prints install command at end)")
+    .option("--full", "Also run all deferred configure sections (compliance, design, LLM models, bug trackers, testing tools)")
     .action(async (path, options) => {
     await initProject(path, {
         skipAgents: options.skipAgents ?? false,
         skipSkills: options.skipSkills ?? false,
         noDetect: options.detect === false,
         agents: options.agent ?? [],
+        full: options.full ?? false,
         installCodebaseMemoryMcp: options.installCodebaseMemoryMcp,
         installCavemanPlugin: options.installCavemanPlugin,
     });

package/dist/commands/init.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE9C,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC;KAC3C,WAAW,CAAC,kCAAkC,CAAC;KAC/C,QAAQ,CAAC,QAAQ,EAAE,wBAAwB,EAAE,GAAG,CAAC;KACjD,MAAM,CAAC,eAAe,EAAE,wCAAwC,CAAC;KACjE,MAAM,CAAC,eAAe,EAAE,4CAA4C,CAAC;KACrE,MAAM,CAAC,aAAa,EAAE,sCAAsC,CAAC;KAC7D,MAAM,CAAC,gBAAgB,EAAE,6EAA6E,EAAE,OAAO,EAAE,EAAE,CAAC;KACpH,MAAM,CAAC,+BAA+B,EAAE,uFAAuF,CAAC;KAChI,MAAM,CAAC,0BAA0B,EAAE,wFAAwF,CAAC;KAC5H,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,OAAO,EAAE,EAAE;IACtC,MAAM,WAAW,CAAC,IAAI,EAAE;QACtB,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,KAAK;QACvC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,KAAK;QACvC,QAAQ,EAAE,OAAO,CAAC,MAAM,KAAK,KAAK;QAClC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;QAC3B,wBAAwB,EAAE,OAAO,CAAC,wBAAwB;QAC1D,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;KACnD,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEL,SAAS,OAAO,CAAC,KAAa,EAAE,QAAkB;IAChD,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;AAClC,CAAC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE9C,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC;KAC3C,WAAW,CAAC,kCAAkC,CAAC;KAC/C,QAAQ,CAAC,QAAQ,EAAE,wBAAwB,EAAE,GAAG,CAAC;KACjD,MAAM,CAAC,eAAe,EAAE,wCAAwC,CAAC;KACjE,MAAM,CAAC,eAAe,EAAE,4CAA4C,CAAC;KACrE,MAAM,CAAC,aAAa,EAAE,sCAAsC,CAAC;KAC7D,MAAM,CAAC,gBAAgB,EAAE,6EAA6E,EAAE,OAAO,EAAE,EAAE,CAAC;KACpH,MAAM,CAAC,+BAA+B,EAAE,uFAAuF,CAAC;KAChI,MAAM,CAAC,0BAA0B,EAAE,wFAAwF,CAAC;KAC5H,MAAM,CAAC,QAAQ,EAAE,wGAAwG,CAAC;KAC1H,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,OAAO,EAAE,EAAE;IACtC,MAAM,WAAW,CAAC,IAAI,EAAE;QACtB,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,KAAK;QACvC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,KAAK;QACvC,QAAQ,EAAE,OAAO,CAAC,MAAM,KAAK,KAAK;QAClC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;QAC3B,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,KAAK;QAC3B,wBAAwB,EAAE,OAAO,CAAC,wBAAwB;QAC1D,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;KACnD,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEL,SAAS,OAAO,CAAC,KAAa,EAAE,QAAkB;IAChD,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;AAClC,CAAC"}