@massu/core 1.7.0 → 1.9.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@massu/core",
-  "version": "1.7.0",
+  "version": "1.9.0",
   "type": "module",
   "description": "AI Engineering Governance MCP Server - Session memory, knowledge system, feature registry, code intelligence, rule enforcement, tiered tooling (12 free / 72 total), 55+ workflow commands, 11 agents, 20+ patterns",
   "main": "src/server.ts",

package/src/changelog-generator.ts

@@ -0,0 +1,178 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * Release-boundary CHANGELOG entry generator. Reads `git log <last-tag>..HEAD`
+ * commit subjects, groups by `(plan-<token>)` paren-notation prefix, looks up
+ * the matching `docs/plans/*.md` files for their `## Changelog Summary` section,
+ * and emits a Keep-a-Changelog 1.1.0-compliant entry.
+ *
+ * Plan-token regex mirrors `scripts/lib/plan-token-regex.sh` (SSOT). See
+ * plan-1.9.0-plan-token-aware-changelog-batcher Phase B.
+ *
+ * Pure functions only — caller threads in commit subjects + plan directory.
+ * No git invocations inside this module (those live in commands/changelog.ts).
+ */
+
+import { existsSync, readFileSync, readdirSync } from 'fs';
+import { resolve } from 'path';
+
+/**
+ * Plan-token regex (TS shim of scripts/lib/plan-token-regex.sh PLAN_TOKEN_REGEX).
+ * Matches subject prefix `<type>(plan-<token>):` where <type> ∈ {feat, fix, chore, docs}.
+ * Captures: group 1 = type, group 2 = full plan-<token>.
+ */
+const PLAN_TOKEN_RE = /^(feat|fix|chore|docs)\((plan-[a-z0-9._-]+)\)/;
+
+export class MissingPlanFileError extends Error {
+  constructor(token: string) {
+    super(`No plan file found in plans directory matching Plan Token: ${token}`);
+    this.name = 'MissingPlanFileError';
+  }
+}
+
+export class MissingChangelogSummaryError extends Error {
+  constructor(token: string, planFile: string) {
+    super(`Plan file ${planFile} for token ${token} has no '## Changelog Summary' section`);
+    this.name = 'MissingChangelogSummaryError';
+  }
+}
+
+export interface PlanSummary {
+  title: string;
+  summary: string;
+}
+
+export interface ParseResult {
+  tokens: Set<string>;
+  maintenance: string[];
+}
+
+/**
+ * Parse commit subject lines into:
+ *   - `tokens`: Set of unique `plan-<token>` strings (with `plan-` prefix)
+ *   - `maintenance`: subjects that DID NOT match the paren-notation pattern
+ */
+export function parseCommitsForPlanTokens(subjects: readonly string[]): ParseResult {
+  const tokens = new Set<string>();
+  const maintenance: string[] = [];
+  for (const subject of subjects) {
+    const m = subject.match(PLAN_TOKEN_RE);
+    if (m && m[2]) {
+      tokens.add(m[2]);
+    } else {
+      maintenance.push(subject);
+    }
+  }
+  return { tokens, maintenance };
+}
+
+/**
+ * For each plan-token, find the corresponding `docs/plans/*.md` file and
+ * extract its title (first `# Plan: ...` heading) and `## Changelog Summary`
+ * section body. Throws on missing file or missing section.
+ */
+export function loadPlanSummaries(
+  tokens: ReadonlySet<string>,
+  planDir: string,
+): Map<string, PlanSummary> {
+  const result = new Map<string, PlanSummary>();
+  if (tokens.size === 0) return result;
+
+  if (!existsSync(planDir)) {
+    throw new Error(`Plan directory does not exist: ${planDir}`);
+  }
+  const files = readdirSync(planDir).filter((f) => f.endsWith('.md'));
+
+  for (const token of tokens) {
+    let matchedFile: string | null = null;
+    let content = '';
+    for (const file of files) {
+      const path = resolve(planDir, file);
+      const text = readFileSync(path, 'utf-8');
+      // Match `**Plan Token**: `plan-<token>`` allowing optional surrounding text.
+      const tokenRe = new RegExp(
+        `^\\*\\*Plan Token\\*\\*:\\s*\`?${token.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\$&')}\`?(\\s|$)`,
+        'm',
+      );
+      if (tokenRe.test(text)) {
+        matchedFile = file;
+        content = text;
+        break;
+      }
+    }
+    if (!matchedFile) {
+      throw new MissingPlanFileError(token);
+    }
+
+    // Extract title: first line starting with `# ` (after the metadata block).
+    const titleMatch = content.match(/^# (.+)$/m);
+    const title = titleMatch ? titleMatch[1].trim() : token;
+
+    // Extract `## Changelog Summary` section body.
+    const sectionRe = /^## Changelog Summary\s*\n([\s\S]*?)(?=\n## |\n---|\n# |$)/m;
+    const sectionMatch = content.match(sectionRe);
+    if (!sectionMatch || !sectionMatch[1].trim()) {
+      throw new MissingChangelogSummaryError(token, matchedFile);
+    }
+    const summary = sectionMatch[1].trim();
+    result.set(token, { title, summary });
+  }
+
+  return result;
+}
+
+export interface GenerateOptions {
+  version: string;
+  date: string;
+  planSummaries: ReadonlyMap<string, PlanSummary>;
+  maintenance: readonly string[];
+}
+
+/**
+ * Emit a CHANGELOG.md entry in Keep-a-Changelog 1.1.0 format. Each plan-token
+ * becomes one paragraph (or `### Added` subsection if the plan summary itself
+ * uses Keep-a-Changelog subsections). Maintenance commits go under a
+ * `### Maintenance` subsection at the end.
+ */
+export function generateChangelogEntry(opts: GenerateOptions): string {
+  const parts: string[] = [];
+  parts.push(`## [${opts.version}] - ${opts.date}\n`);
+  parts.push('');
+
+  // Plan summaries, in iteration order
+  for (const [, planSum] of opts.planSummaries) {
+    parts.push(planSum.summary);
+    parts.push('');
+  }
+
+  // Maintenance fallback
+  if (opts.maintenance.length > 0) {
+    parts.push('### Maintenance');
+    parts.push('');
+    for (const subject of opts.maintenance) {
+      parts.push(`- ${subject}`);
+    }
+    parts.push('');
+  }
+
+  return parts.join('\n') + '\n';
+}
+
+/**
+ * Given a CHANGELOG.md entry body and a set of plan-tokens that should be
+ * referenced, return the subset of tokens NOT mentioned in the body.
+ * Used by `permissions check-drift` verification + pre-tag gate.
+ */
+export function findCoverageGaps(
+  entryText: string,
+  tokens: ReadonlySet<string>,
+): string[] {
+  const gaps: string[] = [];
+  for (const token of tokens) {
+    if (!entryText.includes(token)) {
+      gaps.push(token);
+    }
+  }
+  return gaps;
+}

package/src/cli.ts

@@ -47,6 +47,18 @@ async function main(): Promise<void> {
       await runInstallCommands();
       break;
     }
+    case 'permissions': {
+      const { handlePermissionsSubcommand } = await import('./commands/permissions.ts');
+      const result = await handlePermissionsSubcommand(args.slice(1));
+      process.exit(result.exitCode);
+      return;
+    }
+    case 'changelog': {
+      const { handleChangelogSubcommand } = await import('./commands/changelog.ts');
+      const result = await handleChangelogSubcommand(args.slice(1));
+      process.exit(result.exitCode);
+      return;
+    }
     case 'show-template': {
       const { runShowTemplate } = await import('./commands/show-template.ts');
       await runShowTemplate(args.slice(1));
@@ -162,12 +174,14 @@ Commands:
   init              Set up Massu AI in your project (one command, full setup)
   doctor            Check installation health
   install-hooks     Install/update Claude Code hooks
-  install-commands  Install/update slash commands
+  install-commands  Install/update slash commands (use --skip-permissions to opt out of MCP allowlist seeding)
   show-template     Print the resolved variant of a bundled template (e.g. for diffs)
   watch             Run the file-watcher daemon (auto-refresh on stack changes)
   refresh-log [N]   Show the last N watcher auto-refresh events
   validate-config   Validate massu.config.yaml (alias: config validate)
   config <sub>      Config lifecycle: refresh | validate | upgrade | doctor | check-drift
+  permissions <sub> MCP permission lifecycle: install | verify | check-drift
+  changelog <sub>   CHANGELOG generation / verification: generate | verify
   adapters <sub>    Third-party adapter registry: list | refresh | search | add-local | remove-local | install | resign
 
 Options:

package/src/commands/changelog.ts

@@ -0,0 +1,165 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * `massu changelog <subcommand>` — CHANGELOG generation + verification CLI.
+ *
+ * Subcommands:
+ *   generate   Emit a draft CHANGELOG.md entry to stdout for commits since the
+ *              last tag. Operator pipes/copies into CHANGELOG.md.
+ *   verify     Read current CHANGELOG.md latest entry; verify every plan-token
+ *              in `git log <last-tag>..HEAD` subjects is referenced. Exit 0 if
+ *              clean, exit 1 with one `gap: <token>` per missing.
+ *
+ * Plan ref: plan-1.9.0-plan-token-aware-changelog-batcher Phase C.
+ * Mirrors the `permissions <sub>` cluster precedent shipped in 1.8.0.
+ */
+
+import { execSync } from 'child_process';
+import { existsSync, readFileSync } from 'fs';
+import { resolve } from 'path';
+import {
+  parseCommitsForPlanTokens,
+  loadPlanSummaries,
+  generateChangelogEntry,
+  findCoverageGaps,
+  MissingPlanFileError,
+  MissingChangelogSummaryError,
+} from '../changelog-generator.ts';
+
+function resolveRepoRoot(): string {
+  try {
+    return execSync('git rev-parse --show-toplevel', { encoding: 'utf-8' }).trim();
+  } catch {
+    return process.cwd();
+  }
+}
+
+function getLastTag(): string | null {
+  try {
+    return execSync('git describe --tags --abbrev=0', { encoding: 'utf-8' }).trim();
+  } catch {
+    return null;
+  }
+}
+
+function getCommitSubjects(range: string): string[] {
+  try {
+    const out = execSync(`git log ${range} --pretty=format:%s`, { encoding: 'utf-8' });
+    return out.split('\n').filter((s) => s.length > 0);
+  } catch {
+    return [];
+  }
+}
+
+function getCurrentVersion(repoRoot: string): string {
+  const pkgPath = resolve(repoRoot, 'packages/core/package.json');
+  if (!existsSync(pkgPath)) return '0.0.0';
+  const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+  return pkg.version || '0.0.0';
+}
+
+function todayDate(): string {
+  return new Date().toISOString().slice(0, 10);
+}
+
+function getLatestChangelogEntryBody(repoRoot: string): string {
+  const path = resolve(repoRoot, 'CHANGELOG.md');
+  if (!existsSync(path)) return '';
+  const content = readFileSync(path, 'utf-8');
+  // Find first `## [...]` heading and capture until next or EOF
+  const m = content.match(/^## \[[\d.]+\][^\n]*\n([\s\S]*?)(?=\n## \[|$)/m);
+  return m ? m[1] : '';
+}
+
+export async function handleChangelogSubcommand(
+  args: string[],
+): Promise<{ exitCode: number }> {
+  const sub = args[0];
+  const repoRoot = resolveRepoRoot();
+  const planDir = resolve(repoRoot, 'docs/plans');
+
+  switch (sub) {
+    case 'generate': {
+      const lastTag = getLastTag();
+      const range = lastTag ? `${lastTag}..HEAD` : 'HEAD';
+      const subjects = getCommitSubjects(range);
+      const { tokens, maintenance } = parseCommitsForPlanTokens(subjects);
+
+      let planSummaries;
+      try {
+        planSummaries = loadPlanSummaries(tokens, planDir);
+      } catch (err) {
+        if (err instanceof MissingPlanFileError || err instanceof MissingChangelogSummaryError) {
+          process.stderr.write(`changelog generate: ${err.message}\n`);
+          return { exitCode: 2 };
+        }
+        throw err;
+      }
+
+      const entry = generateChangelogEntry({
+        version: getCurrentVersion(repoRoot),
+        date: todayDate(),
+        planSummaries,
+        maintenance,
+      });
+      process.stdout.write(entry);
+      return { exitCode: 0 };
+    }
+
+    case 'verify': {
+      const lastTag = getLastTag();
+      const range = lastTag ? `${lastTag}..HEAD` : 'HEAD';
+      const subjects = getCommitSubjects(range);
+      const { tokens } = parseCommitsForPlanTokens(subjects);
+
+      const entryBody = getLatestChangelogEntryBody(repoRoot);
+      const gaps = findCoverageGaps(entryBody, tokens);
+
+      if (gaps.length === 0) {
+        process.stdout.write('All plan-tokens referenced.\n');
+        return { exitCode: 0 };
+      }
+      for (const t of gaps) {
+        process.stderr.write(`gap: ${t}\n`);
+      }
+      return { exitCode: 1 };
+    }
+
+    case '--help':
+    case '-h':
+    case undefined: {
+      printChangelogHelp();
+      return { exitCode: 0 };
+    }
+
+    default: {
+      process.stderr.write(`massu: unknown changelog subcommand: ${sub}\n`);
+      printChangelogHelp();
+      return { exitCode: 1 };
+    }
+  }
+}
+
+export function printChangelogHelp(): void {
+  process.stdout.write(`
+massu changelog <subcommand>
+
+Subcommands:
+  generate    Emit a draft CHANGELOG.md entry to stdout. Reads commit subjects
+              since the last git tag, groups by (plan-<token>) paren-notation,
+              looks up each plan file's ## Changelog Summary section, and emits
+              a Keep-a-Changelog 1.1.0 entry. Operator pipes/copies into
+              CHANGELOG.md (no forced overwrite).
+
+  verify      Read-only check that the latest CHANGELOG.md entry references
+              every plan-token in commits since the last tag. Exit 0 if clean,
+              exit 1 with one 'gap: <token>' per missing.
+
+Examples:
+  npx massu changelog generate > /tmp/draft-entry.md
+  npx massu changelog verify
+
+Documentation: https://massu.ai/docs/reference/cli-reference#massu-changelog
+`);
+}

package/src/commands/doctor.ts

@@ -23,6 +23,7 @@ import { fileURLToPath } from 'url';
 import { parse as parseYaml } from 'yaml';
 import { getConfig, getResolvedPaths } from '../config.ts';
 import { getCurrentTier, getLicenseInfo, daysUntilExpiry } from '../license.ts';
+import { readSettingsAtPath } from '../lib/settings-local.ts';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -103,7 +104,7 @@ function checkHooksConfig(projectRoot: string): CheckResult {
   }
 
   try {
-    const content = JSON.parse(readFileSync(settingsPath, 'utf-8'));
+    const content = readSettingsAtPath(settingsPath);
     if (!content.hooks) {
       return { name: 'Hooks Config', status: 'fail', detail: 'No hooks configured. Run: npx massu install-hooks' };
     }
@@ -238,8 +239,8 @@ function checkShellHooksWired(_projectRoot: string): CheckResult {
   }
 
   try {
-    const content = JSON.parse(readFileSync(settingsPath, 'utf-8'));
-    const hooks = content.hooks ?? {};
+    const content = readSettingsAtPath(settingsPath);
+    const hooks = (content.hooks ?? {}) as Record<string, unknown>;
     const hasSessionStart = Array.isArray(hooks.SessionStart) && hooks.SessionStart.length > 0;
     const hasPreToolUse = Array.isArray(hooks.PreToolUse) && hooks.PreToolUse.length > 0;
     if (!hasSessionStart && !hasPreToolUse) {

package/src/commands/init.ts

@@ -34,6 +34,7 @@ import { stringify as yamlStringify, parse as yamlParse } from 'yaml';
 import { backfillMemoryFiles } from '../memory-file-ingest.ts';
 import { getConfig, resetConfig } from '../config.ts';
 import { installAll } from './install-commands.ts';
+import { readSettingsLocal, writeSettingsLocalAtomic } from '../lib/settings-local.ts';
 import {
   runDetection,
   type DetectionResult,
@@ -1107,20 +1108,12 @@ export function installHooks(projectRoot: string): { installed: boolean; count:
     claudeDirName = '.claude';
   }
   const claudeDir = resolve(projectRoot, claudeDirName);
-  const settingsPath = resolve(claudeDir, 'settings.local.json');
 
   if (!existsSync(claudeDir)) {
     mkdirSync(claudeDir, { recursive: true });
   }
 
-  let settings: Record<string, unknown> = {};
-  if (existsSync(settingsPath)) {
-    try {
-      settings = JSON.parse(readFileSync(settingsPath, 'utf-8'));
-    } catch {
-      settings = {};
-    }
-  }
+  const settings = readSettingsLocal(claudeDir);
 
   const hooksDir = resolveHooksDir();
   const hooksConfig = buildHooksConfig(hooksDir);
@@ -1134,7 +1127,7 @@ export function installHooks(projectRoot: string): { installed: boolean; count:
 
   settings.hooks = hooksConfig;
 
-  writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n', 'utf-8');
+  writeSettingsLocalAtomic(claudeDir, settings);
 
   return { installed: true, count: hookCount };
 }

package/src/commands/install-commands.ts

@@ -20,17 +20,11 @@
  */
 
 import {
-  closeSync,
   existsSync,
-  fsyncSync,
-  openSync,
   readFileSync,
-  rmSync,
-  writeSync,
   mkdirSync,
   readdirSync,
   statSync,
-  renameSync,
 } from 'fs';
 import { resolve, dirname, relative, join } from 'path';
 import { fileURLToPath } from 'url';
@@ -38,6 +32,8 @@ import { createHash } from 'crypto';
 import { getConfig } from '../config.ts';
 import type { Config } from '../config.ts';
 import { renderTemplate, MissingVariableError, TemplateParseError } from './template-engine.ts';
+import { atomicWriteFile } from '../lib/settings-local.ts';
+import { installPermissions } from '../permissions.ts';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -131,47 +127,7 @@ export function loadManifest(claudeDir: string): Manifest {
   }
 }
 
-/**
- * Iter-7 fix: atomic file write — tmp + fsync + rename.
- *
- * Plan 3a §3 Risk #4 ("Watcher writes to .claude/ while editor has it open:
- * editors can lose changes. Mitigation: write to .massu-tmp then atomic rename")
- * AND the watcher spec doc §3 Shutdown Semantics claim ("every file op the
- * refresh issues is already atomic-rename-safe... installAll writes <path>.tmp
- * then renameSync") both demand this. Previously installAll's per-file writes
- * (lines 463/467) and saveManifest were direct `writeFileSync` calls — a
- * SIGINT/power-loss between truncate and complete-write left a partial file.
- * Now both go through this helper so the watcher's iter-6 "we don't await
- * fireRefresh because atomic-rename covers everything" decision is sound.
- *
- * Writes via openSync + writeSync + fsyncSync + closeSync + renameSync so the
- * data hits the platter before the rename. On any error, removes the tmp file.
- * Tmp filename includes process.pid to avoid clashes with concurrent installs
- * from sibling processes (e.g. a manual `npx massu config refresh` racing the
- * watcher daemon — the install-lock should prevent this, but the file-level
- * tmp name disambiguates if it ever happens).
- */
-function atomicWriteFile(targetPath: string, content: string, mode = 0o644): void {
-  const tmpPath = `${targetPath}.${process.pid}.tmp`;
-  try {
-    const fd = openSync(tmpPath, 'w', mode);
-    try {
-      const buf = Buffer.from(content, 'utf-8');
-      writeSync(fd, buf, 0, buf.length, 0);
-      fsyncSync(fd);
-    } finally {
-      closeSync(fd);
-    }
-    renameSync(tmpPath, targetPath);
-  } catch (err) {
-    if (existsSync(tmpPath)) {
-      try { rmSync(tmpPath, { force: true }); } catch { /* ignore */ }
-    }
-    throw err;
-  }
-}
-
-/** Write the manifest atomically: tempfile + fsync + renameSync. */
+/** Write the manifest atomically: tempfile + fsync + renameSync (uses shared lib/settings-local.ts:atomicWriteFile). */
 export function saveManifest(claudeDir: string, manifest: Manifest): void {
   const dir = resolve(claudeDir, '.massu');
   if (!existsSync(dir)) {
@@ -541,7 +497,15 @@ export function buildTemplateVars(): Record<string, unknown> {
   };
 }
 
-export function installCommands(projectRoot: string): InstallCommandsResult {
+export interface InstallCommandsOptions {
+  /** When true, skip seeding `mcp__massu__*` into permissions.allow. */
+  skipPermissions?: boolean;
+}
+
+export function installCommands(
+  projectRoot: string,
+  opts: InstallCommandsOptions = {},
+): InstallCommandsResult {
   const claudeDirName = getConfig().conventions?.claudeDirName ?? '.claude';
   const claudeDir = resolve(projectRoot, claudeDirName);
   const targetDir = resolve(claudeDir, 'commands');
@@ -559,9 +523,21 @@ export function installCommands(projectRoot: string): InstallCommandsResult {
 
   const framework = getConfig().framework;
   const templateVars = buildTemplateVars();
-  const stats = runWithManifest(claudeDir, (manifest) =>
-    syncDirectory(sourceDir, targetDir, framework, manifest, 'commands', true, templateVars),
-  );
+  const stats = runWithManifest(claudeDir, (manifest) => {
+    const syncStats = syncDirectory(
+      sourceDir,
+      targetDir,
+      framework,
+      manifest,
+      'commands',
+      true,
+      templateVars,
+    );
+    if (!opts.skipPermissions) {
+      installPermissions(claudeDir, manifest, { silent: true });
+    }
+    return syncStats;
+  });
   return { ...stats, commandsDir: targetDir };
 }
 
@@ -576,9 +552,19 @@ export interface InstallAllResult {
   totalSkipped: number;
   totalKept: number;
   claudeDir: string;
+  /** Permission-seeding outcome (undefined when --skip-permissions). */
+  permissions?: { installed: number; kept: number; skipped: number };
 }
 
-export function installAll(projectRoot: string): InstallAllResult {
+export interface InstallAllOptions {
+  /** When true, skip seeding `mcp__massu__*` into permissions.allow. */
+  skipPermissions?: boolean;
+}
+
+export function installAll(
+  projectRoot: string,
+  opts: InstallAllOptions = {},
+): InstallAllResult {
   const claudeDirName = getConfig().conventions?.claudeDirName ?? '.claude';
   const claudeDir = resolve(projectRoot, claudeDirName);
 
@@ -587,6 +573,7 @@ export function installAll(projectRoot: string): InstallAllResult {
   let totalUpdated = 0;
   let totalSkipped = 0;
   let totalKept = 0;
+  let permissionsResult: { installed: number; kept: number; skipped: number } | undefined;
 
   const framework = getConfig().framework;
   const templateVars = buildTemplateVars();
@@ -613,6 +600,9 @@ export function installAll(projectRoot: string): InstallAllResult {
       totalSkipped += stats.skipped;
       totalKept += stats.kept;
     }
+    if (!opts.skipPermissions) {
+      permissionsResult = installPermissions(claudeDir, manifest, { silent: true });
+    }
   });
 
   return {
@@ -622,6 +612,7 @@ export function installAll(projectRoot: string): InstallAllResult {
     totalSkipped,
     totalKept,
     claudeDir,
+    permissions: permissionsResult,
   };
 }
 
@@ -631,13 +622,14 @@ export function installAll(projectRoot: string): InstallAllResult {
 
 export async function runInstallCommands(): Promise<void> {
   const projectRoot = process.cwd();
+  const skipPermissions = process.argv.slice(2).includes('--skip-permissions');
 
   console.log('');
   console.log('Massu AI - Install Project Assets');
   console.log('==================================');
   console.log('');
 
-  const result = installAll(projectRoot);
+  const result = installAll(projectRoot, { skipPermissions });
 
   // Report per-asset-type
   for (const assetType of ASSET_TYPES) {
@@ -667,6 +659,23 @@ export async function runInstallCommands(): Promise<void> {
       `  ${result.totalKept} file(s) had local edits and were preserved (see stderr above).`,
     );
   }
+
+  // Permission seeding outcome line
+  if (skipPermissions) {
+    console.log('  Permission seeding skipped (--skip-permissions).');
+  } else if (result.permissions) {
+    if (result.permissions.installed > 0) {
+      console.log(
+        `  Wrote merged permissions block to .claude/settings.local.json (use --skip-permissions to opt out).`,
+      );
+    } else if (result.permissions.kept > 0) {
+      console.log(
+        `  MCP allowlist entry was edited by operator; preserved. Use \`npx massu permissions check-drift\` to inspect.`,
+      );
+    }
+    // skipped:1 → silent (already in sync, no operator-visible change)
+  }
+
   console.log('');
   console.log('  Restart your Claude Code session to use them.');
   console.log('');