@musashishao/folderforge 1.2.0

package/docs/roadmap.md

@@ -0,0 +1,172 @@
+# Roadmap
+
+Status of FolderForge toward a stable 1.0.
+
+## Done (0.1)
+
+- Core config loader with YAML merge and path normalization.
+- Dependency container and workspace activation.
+- Policy engine: path, command, and secret policies + risk model.
+- Approval queue (once/session scopes).
+- Append-only JSONL audit log + ring buffer.
+- Full native tool catalog (files, search, terminal, processes, git, build,
+  code, memory, security, db).
+- Native structural code search (`search_ast`) - regex-backed declaration finder,
+  no language server required.
+- Task-preset routing exposed as a tool (`workspace_route`): switch the visible
+  tool set to `explore` / `run_ui` / `fix_tests`, or reset to all.
+- MCP server with `tools/list` / `tools/call` handlers.
+- stdio and Streamable HTTP transports.
+- Local dashboard (`/status`, `/audit`, `/processes`, `/approvals`).
+- New `main.ts` entrypoint with arg parsing.
+
+## Done (0.2)
+
+- Child-MCP adapters wired end-to-end (Serena, Playwright, Desktop Commander) with tool namespacing (`serena__<tool>`).
+- Persisted approvals across restarts (stored under `.folderforge/approvals.jsonl`).
+- Dashboard auth token for non-loopback binds.
+- Integration tests against the sample fixtures (registry pipeline, policy
+  enforcement, and child-MCP adapter discovery via a fake stdio MCP server).
+
+## Done (0.3)
+
+- Policy "explain" tool (`policy_explain`): dry-run a call and return the
+  decision + reasoning.
+- Streaming tool results for long-running commands: `process_tail` long-polls a
+  process session, blocking until new output or exit (backed by
+  `ProcessManager.readUntil`).
+- Per-tool rate limits and quotas: sliding-window + rolling daily quota
+  (`RateLimiter`), enforced in the tool pipeline and surfaced via
+  `policy_ratelimits`; denied/approval-gated calls don't consume quota.
+- Multi-project sessions: activate more than one workspace at once, switch the
+  current one (`workspace_list`, `workspace_switch`, `workspace_deactivate`),
+  with isolated memory stores per project.
+- Pluggable secret scanners: Shannon-entropy detection flags bespoke
+  high-entropy tokens that no regex rule matches (configurable via
+  `secretScan`).
+
+## Done (1.0 hardening)
+
+- Documented config surface with validation errors (`validateConfig` throws a
+  single aggregated, human-readable error).
+- Hardened HTTP transport: bearer-token auth (constant-time), CORS allowlist +
+  preflight, and idle session expiry (`sessionTtlMs`).
+
+## Done (1.0)
+
+- Frozen tool schema: the public native tool surface (names + `mutates`/`risk`
+  contract) is locked in `src/tools/schema-lock.ts`. A guard test
+  (`tests/unit/schema-lock.test.ts`) fails CI if the live registry diverges, so
+  accidental renames, removals, or risk reclassifications are caught before
+  release. Renaming/removing a tool is now an explicit, major-version change.
+- Full policy-pipeline coverage: `tests/unit/policy-pipeline.test.ts` exercises
+  the end-to-end `registry.call()` path through all four modes (readonly / safe
+  / dev / danger) - risk classification, mode gating, approval creation,
+  once-vs-session scope, the no-quota-on-denied/gated-calls guarantee, and audit
+  event recording - composed with the existing per-policy unit suites.
+
+## 1.0 criteria
+
+- [x] Documented config surface with validation errors.
+- [x] Hardened HTTP transport (auth, CORS, session expiry).
+- [x] Stable tool schema (no breaking renames) - frozen in
+  `src/tools/schema-lock.ts` and CI-guarded.
+- [x] Full unit + integration coverage for the policy pipeline - per-policy unit
+  suites (rate limiter, entropy scanner, config validation, HTTP hardening,
+  command/path/secret policy) plus an end-to-end pipeline suite and multi-project
+  flows.
+
+**1.0 is complete: all four release criteria are met.**
+
+## Done (1.2 - MCP protocol features)
+
+These extend the server's MCP conformance beyond `tools/list` + `tools/call`.
+They are wired through a single per-call `ToolCallControl` object
+(`src/core/types.ts`) injected by the `tools/call` request handler
+(`src/server/mcp-server.ts`) and threaded into every tool via `ToolContext.control`.
+This adds **zero** new entries to the frozen tool surface, so the schema-lock is
+untouched.
+
+- **P4 - progress notifications.** When the client sends a `progressToken` in
+  the request `_meta`, `control.reportProgress(progress, total?, message?)`
+  emits `notifications/progress`. Consumers: `process_tail` reports a tick each
+  long-poll cycle (cursor as progress, status as message), and `git_push`
+  brackets the network call with a start/complete tick. Handlers without a token
+  see `reportProgress === undefined` and no-op.
+- **P6 - cancellation.** `control.signal` mirrors the SDK's per-request
+  `AbortSignal` (aborted on `notifications/cancelled`). `registry.call()`
+  refuses pre-cancelled calls early; `ProcessManager.readUntil(signal)` wakes
+  immediately on abort instead of blocking out the full `timeoutMs`, so a
+  cancelled tail returns at once with `cancelled: true`.
+- **P8 - elicitation.** `control.elicitInput(params)` is present only when the
+  client advertised the `elicitation` capability (checked via
+  `server.getClientCapabilities()`); otherwise it is `undefined` and handlers
+  fall back to non-interactive defaults. Two destructive native tools now elicit
+  an interactive confirmation before acting: `git_reset` (unstaging),
+  `git_push` (publishing commits to a shared remote), and `git_pull` (integrating
+  remote changes into the working tree). Clients without the
+  capability proceed non-interactively, still gated by policy/approval upstream.
+
+Verification status: typechecked logic reviewed manually; unit tests cover
+control propagation + early-cancel + progress emit
+(`tests/unit/tool-control.test.ts`) and signal-driven wakeup
+(`tests/unit/process-stream.test.ts`); integration tests cover the `git_reset`
+and `git_push` elicitation accept/decline/no-capability paths end-to-end against
+throwaway repos (`tests/integration/git-ops.test.ts`). Run
+`npm run typecheck && npm test` in the repo (with `node_modules` installed)
+before tagging 1.2.
+
+## Housekeeping
+
+- Removed stale pre-rename artifacts from the working tree (legacy "vibemcp"
+  naming). The leftover approval log was renamed
+  `.trash/vibemcp-approvals.jsonl.removed` -> `.trash/legacy-approvals.removed`.
+  Both `.trash/` and `**/.vibemcp/` are already gitignored (never committed).
+- Still pending a manual delete (the empty fixture dir cannot be removed via the
+  filesystem tooling): run
+  `rm -rf .trash tests/fixtures/sample-ts-project/.vibemcp`.
+
+## Next (post-1.0 ideas)
+
+- Distributed/shared rate limiting for multi-instance deployments.
+- Streaming over the MCP transport itself (incremental tool results) once the
+  protocol stabilizes that path.
+- Expanded file/git/db integration tests (Q8) - broaden coverage beyond the
+  current unit suites to full `registry.call()` flows against the sample
+  fixtures.
+- Wire P8 elicitation into a real consumer (interactive confirmation for
+  destructive db/git operations). **Done in 1.2** for `git_reset` and
+  `git_push`; db tools remain read-only so there is no destructive db consumer
+  to wire.
+
+## Done (1.2 - agent ergonomics)
+
+Rounded out the tool surface so an agent can comfortably explore, edit, run, and
+manage source control without falling back to raw `shell_exec`. All additions are
+backwards-compatible (new tools only) and synchronized across the risk map
+(`src/policy/risk.ts`), the frozen schema lock (`src/tools/schema-lock.ts`), and
+the integration suites.
+
+- **Git convenience tools.**
+  - `git_fetch` (MEDIUM, `openWorldHint`) - update remote-tracking refs only,
+    never touches the working tree; emits progress.
+  - `git_pull` (HIGH, `openWorldHint`) - merge or `--rebase` remote changes into
+    the current branch, with an elicitation confirmation (warns on a dirty tree)
+    and progress reporting.
+  - `git_stash` (MEDIUM) - `op`: `push` (default) | `pop` | `apply` | `list` |
+    `drop`. Deliberately omits `clear` to avoid irreversible data loss.
+- **File convenience tools.**
+  - `file_move` (MEDIUM) - rename/relocate a file or directory; both endpoints
+    boundary-checked, refuses to clobber unless `overwrite=true`.
+  - `file_copy` (MEDIUM) - copy a file or directory (recursive); same overwrite
+    guard.
+  - `list_directory` (LOW) - enumerate a directory (optional recursion + entry
+    cap), skipping anything the path policy denies (secrets, `node_modules`,
+    `.git` internals).
+
+Verification: `npm run typecheck && npm test && npm run build` all green
+(26 test files, 215 tests). New behavior is covered in
+`tests/integration/file-ops.test.ts` (list flat/recursive, move + overwrite +
+escape guard, file/dir copy) and `tests/integration/git-ops.test.ts` (stash
+push/list/pop, fetch+pull against a bare remote, pull cancellation on declined
+elicitation).

package/docs/security.md

@@ -0,0 +1,94 @@
+# Security
+
+FolderForge assumes the agent is capable but not fully trusted. Security is
+enforced server-side; the agent can request anything, but the policy engine
+decides.
+
+## Policy modes
+
+Set via `policy.defaultMode` or the `policy_set_mode` tool.
+
+| Mode | Mutations | HIGH risk | CRITICAL |
+| --- | --- | --- | --- |
+| `readonly` | denied | denied | denied |
+| `safe` | allowed (LOW/MEDIUM) | approval | denied |
+| `dev` | allowed | approval | denied |
+| `danger` | allowed | approval | approval |
+
+The decision logic lives in `PolicyEngine.evaluate` (`src/policy/policy-engine.ts`).
+Use the `policy_explain` tool to dry-run any call and see the decision
+(`allow`/`deny`/`approval`) and contributing factors **without** executing it or
+creating an approval request (backed by `PolicyEngine.explain`).
+
+## Path policy
+
+`src/policy/path-policy.ts` guarantees that every file path:
+
+1. resolves **inside** an allowed directory (`workspace.allowedDirectories`);
+2. is **not** matched by a denied glob (`workspace.deniedGlobs`, e.g. `**/.env`,
+   `**/*.pem`, `**/node_modules/**`);
+3. does **not** escape via symlink (the nearest existing ancestor is
+   `realpath`-resolved and re-checked);
+4. does not touch protected credential folders (`~/.ssh`, `~/.aws`, `~/.gnupg`,
+   `~/.config/gcloud`, `~/.kube`).
+
+Violations throw `PathEscapeError` and surface as a structured tool error.
+
+## Command policy
+
+`src/policy/command-policy.ts` classifies shell commands:
+
+- **CRITICAL** (always blocked): `rm -rf /`, `sudo`, `mkfs`, `dd if=`,
+  `chmod -R 777 /`, `curl ... | bash`, `git reset --hard`, `git push --force`,
+  fork bombs, `docker system prune`, `kubectl delete`, `terraform apply`, ...
+- **HIGH** (approval): `git push`, `git reset`, `docker rm`, `npm publish`,
+  `rm -rf ...`.
+- **MEDIUM** (allowed, audited): package installs, `docker compose up`, builds.
+- **LOW**: everything else.
+
+Config `policy.blockedCommands` adds project-specific substring/wildcard rules
+on top of the built-in regex set.
+
+## Secret policy
+
+`src/policy/secret-policy.ts` detects and redacts common credentials (OpenAI,
+Anthropic, AWS, GitHub, Google, Slack tokens, private-key blocks, generic
+`key=value` secrets). It powers:
+
+- `secret_scan` for explicit scans;
+- terminal env redaction when `terminal.envPolicy: redact`;
+- output redaction before content leaves the server.
+
+## Approvals
+
+HIGH/CRITICAL (and any tool in `policy.requireApproval`) create a pending
+`ApprovalRequest` (`src/policy/approvals.ts`). Resolve them in the dashboard
+(`POST /approvals/:id/approve|deny`) or via approval tools. `session`-scoped
+approvals remember the tool for the rest of the session.
+
+Approvals are **persisted across restarts**: every create/approve/deny is
+appended to `<project>/.vibemcp/approvals.jsonl` (append-only, compacted on
+load). Pending and resolved requests survive a restart so the dashboard history
+stays intact. Session-scoped allowances are **not** re-armed automatically - a
+fresh process starts a fresh session, so a session approval from a previous run
+must be granted again.
+
+## Dashboard auth
+
+The dashboard (`src/dashboard/server.ts`) is unauthenticated when bound to a
+loopback host (`127.0.0.1`, `::1`, `localhost`), since that is same-machine
+only. When bound to any **non-loopback** address it **requires a bearer token**:
+
+- Set it explicitly via `server.dashboard.token`, or
+- leave it unset and FolderForge generates one at startup and logs it once.
+
+Clients authenticate with `Authorization: Bearer <token>` or a `?token=<token>`
+query parameter; the comparison is constant-time. Missing/invalid tokens get a
+`401` with a `WWW-Authenticate: Bearer` header. Binding to a non-loopback host
+with no token available is a startup error.
+
+## Audit
+
+Every call, denial, and approval is appended to
+`<project>/.folderforge/audit/audit.jsonl` and kept in a 500-entry ring buffer
+for `audit_recent` and the dashboard `/audit` endpoint.

package/docs/tools.md

@@ -0,0 +1,129 @@
+# Tools
+
+Tools are registered by group in `src/tools/index.ts` and executed through
+`ToolRegistry.call`, which classifies risk, consults the `PolicyEngine`, and
+records audit events. Each tool declares a default risk level in
+`src/policy/risk.ts` (`TOOL_RISK`).
+
+## Risk levels
+
+| Level | Meaning | Behavior |
+| --- | --- | --- |
+| `LOW` | Read-only / safe | Always allowed (except readonly blocks mutations) |
+| `MEDIUM` | Local mutation | Allowed in `safe`/`dev`/`danger`, audited |
+| `HIGH` | Sensitive mutation | Requires approval |
+| `CRITICAL` | Destructive | Denied unless `danger` mode + approval |
+
+`shell_exec` is re-classified per command at call time by `CommandPolicy`.
+
+## Schema lock
+
+The public native tool surface is frozen in `src/tools/schema-lock.ts`
+(`FROZEN_TOOLS`), which is the **source of truth** for tool names and their
+`mutates` / `risk` contract at 1.0. Renaming a tool, removing one, or changing
+its mutation/risk classification is a **breaking change**: it requires a
+major-version bump and a deliberate edit to that file. Adding a brand-new tool is
+backwards-compatible - register it, then add an entry to the lock.
+
+The guard test `tests/unit/schema-lock.test.ts` fails in CI if the live registry
+and the lock ever diverge, so accidental renames or removals are caught before
+release. A couple of entries are frozen at their *actual* runtime risk rather
+than a tidier value (e.g. `audit_export` and `approval_request` fall back to the
+`defineTool` default of `MEDIUM` because they are absent from `TOOL_RISK`);
+reclassifying them is a separate, intentional change. Adapter (child-MCP) tools
+are namespaced and discovered dynamically, so they are **not** part of the frozen
+surface.
+
+### `parse_errors` (internal but registered)
+
+`parse_errors` is an **internal helper** used by the build/quality tooling, not a
+tool intended for direct day-to-day use. It nonetheless lives in the native
+registry, so it shows up in `tools/list` and is frozen in the schema lock
+(`mutates: false`, `risk: MEDIUM`). This is intentional: the schema-lock guard is
+deliberately strict and freezes the *entire* live catalog so CI catches any
+accidental drift. Don't be surprised to see `parse_errors` in the tool list -
+it's expected, and removing or hiding it would be a lock change like any other.
+
+## Groups
+
+### Workspace
+`workspace_status`, `workspace_activate`, `workspace_onboard`, `workspace_health`,
+`workspace_route`, `project_detect_commands` - activate and inspect the active
+project. `workspace_route` switches the visible tool set to a task preset
+(`explore`, `run_ui`, `fix_tests`) or resets to all.
+
+### Files
+`file_read`, `file_read_many`, `file_write`, `file_patch`, `file_edit_block`,
+`file_move`, `file_copy`, `list_directory`, `file_delete` - all paths pass
+through `PathPolicy.resolveSafe` (workspace boundary, denied globs, symlink-escape
+checks). Mutations return a diff preview where applicable. `file_move` renames or
+relocates a file/directory and `file_copy` copies one (recursively for
+directories); both are boundary-checked on *both* endpoints and refuse to clobber
+an existing destination unless `overwrite=true`. `list_directory` enumerates a
+directory (optionally recursive, with an entry cap) and skips anything the path
+policy denies, so secrets, `node_modules`, and `.git` internals never leak.
+
+### Search
+`search_files`, `search_text`, `search_ast` - glob, content, and structural
+declaration search honoring denied globs and ignore files. `search_ast` finds
+functions/classes/methods/interfaces/types/consts by name via lightweight,
+regex-backed structural matching (no language server required).
+
+### Terminal & processes
+`shell_exec` (one-shot, risk-classified), and the process manager tools
+`process_start`, `process_read`, `process_write`, `process_stop`,
+`process_kill`, `process_list` for long-running dev servers.
+
+### Git
+`git_status`, `git_diff`, `git_log`, `git_show`, `git_blame`, `git_branch`,
+`git_add`, `git_checkout`, `git_commit`, `git_push`, `git_reset`, `git_fetch`,
+`git_pull`, `git_stash`. Commit/push default to approval; `git_reset --hard` is
+CRITICAL. `git_fetch` (MEDIUM) updates remote-tracking refs only and never
+touches the working tree. `git_pull` (HIGH) integrates remote changes into the
+current branch (merge or `--rebase`) and confirms interactively via elicitation
+before running, warning when the working tree is dirty. `git_stash` (MEDIUM)
+shelves and restores work via `op`: `push` (default) | `pop` | `apply` | `list` |
+`drop`; it deliberately omits `clear` to avoid irreversible data loss.
+
+### Build & quality
+`run_build`, `run_test`, `run_lint`, `run_typecheck`, `code_diagnostics` -
+output is run through `src/tools/error-parser.ts` for structured diagnostics.
+
+### Code intelligence
+`code_symbols_overview`, `code_find_symbol`, `code_find_references`,
+`code_find_definition`, `code_find_implementations`, and symbol-level edits
+(`code_replace_symbol_body`, `code_insert_before_symbol`, etc.).
+
+### Memory
+`memory_list`, `memory_read`, `memory_write`, `memory_update` - per-project
+persistent notes stored under `.folderforge/`.
+
+### Security
+`secret_scan` - scans content/diffs for credential patterns
+(`src/policy/secret-policy.ts`).
+
+### Policy & audit
+`policy_get`, `policy_set_mode` - read or change the active policy mode
+(`readonly`/`safe`/`dev`/`danger`). `policy_explain` - dry-run a tool call and
+return the decision (`allow`/`deny`/`approval`) plus the contributing factors,
+without executing the tool or creating an approval request. `audit_recent`,
+`audit_export` - inspect or export the append-only audit trail.
+
+### Approvals
+`approval_status`, `approval_request` - inspect pending approval requests created
+by the engine, or raise one explicitly.
+
+### Browser & DB
+Child-MCP adapter tools are exposed namespaced as `<adapter>__<tool>` (e.g.
+`playwright__browser_navigate`, `serena__find_symbol`) - see `docs/adapters.md`.
+`db_*` tools (`db_connect`, `db_list_connections`, `db_list_tables`,
+`db_describe_table`, `db_query_readonly`, `db_explain`) are native. Read-only
+queries are LOW; writes/migrations are HIGH.
+
+## Task presets
+
+`src/tools/index.ts` exports `TASK_PRESETS` (`explore`, `run_ui`, `fix_tests`).
+The `workspace_route` tool exposes this at runtime: calling it with a preset name
+runs `registry.setActive(TASK_PRESETS[name])` so `tools/list` returns only that
+focused subset; `workspace_route` with `reset: true` (or `preset: "all"`) restores
+the full catalog.

package/examples/claude-desktop.json

@@ -0,0 +1,18 @@
+{
+  "mcpServers": {
+    "folderforge": {
+      "command": "node",
+      "args": [
+        "/home/devops/FolderForge/dist/main.js",
+        "--stdio",
+        "--project",
+        "/home/devops/FolderForge",
+        "--config",
+        "/home/devops/FolderForge/examples/config.basic.yaml"
+      ],
+      "env": {
+        "FOLDERFORGE_LOG_LEVEL": "info"
+      }
+    }
+  }
+}

package/examples/codex.toml

@@ -0,0 +1,18 @@
+# Codex CLI MCP server configuration for FolderForge.
+#
+# Place this in ~/.codex/config.toml (or merge the [mcp_servers] block).
+# Codex launches the server over stdio.
+
+[mcp_servers.folderforge]
+command = "node"
+args = [
+  "/home/devops/FolderForge/dist/main.js",
+  "--stdio",
+  "--project",
+  "/home/devops/FolderForge",
+  "--config",
+  "/home/devops/FolderForge/examples/config.basic.yaml",
+]
+
+[mcp_servers.folderforge.env]
+FOLDERFORGE_LOG_LEVEL = "info"

package/examples/config.basic.yaml

@@ -0,0 +1,37 @@
+# FolderForge - basic example config
+#
+# Minimal setup: one project, safe mode, stdio transport.
+# Copy to your project root as `folderforge.yaml` (or pass via --config).
+
+server:
+  name: folderforge
+  transport: stdio
+  http:
+    host: 127.0.0.1
+    port: 7331
+  dashboard:
+    host: 127.0.0.1
+    port: 7332
+    # Optional: required when binding dashboard to a non-loopback host.
+    # token: "put-a-long-random-string-here"
+
+workspace:
+  defaultProject: /home/devops/FolderForge
+  allowedDirectories:
+    - /home/devops/FolderForge
+  deniedGlobs:
+    - "**/.env"
+    - "**/.env.*"
+    - "**/*.pem"
+    - "**/*.key"
+    - "**/node_modules/**"
+
+policy:
+  defaultMode: safe
+  requireApproval:
+    - git_commit
+    - git_push
+    - file_delete
+  blockedCommands:
+    - "rm -rf /"
+    - "git push --force"

package/examples/config.full.yaml

@@ -0,0 +1,120 @@
+# FolderForge - full example config
+#
+# Exercises every configurable surface: HTTP transport, dev mode, git policy,
+# terminal sandboxing, persisted approvals, and child-MCP adapters (Serena / Playwright / Desktop Commander).
+
+server:
+  name: folderforge
+  transport: http
+  http:
+    host: 127.0.0.1
+    port: 7331
+    # Bearer token for the MCP HTTP endpoint. Required for non-loopback binds
+    # (auto-generated and logged once if omitted). Send as `Authorization: Bearer <token>`.
+    # token: "put-a-long-random-string-here"
+    # CORS allowlist. Use ["*"] to allow any origin; omit/empty to disable CORS.
+    # corsOrigins:
+    #   - https://your-tool.example.com
+    # Idle session lifetime (ms) before the HTTP MCP session is rotated/expired.
+    sessionTtlMs: 1800000
+  dashboard:
+    host: 127.0.0.1
+    port: 7332
+    # Optional: required when binding dashboard to a non-loopback host.
+    # Requests must send `Authorization: Bearer <token>` or add `?token=<token>`.
+    # token: "put-a-long-random-string-here"
+
+workspace:
+  defaultProject: /home/devops/FolderForge
+  allowedDirectories:
+    - /home/devops/FolderForge
+    - /home/devops/FolderForge/tests/fixtures
+  deniedGlobs:
+    - "**/.env"
+    - "**/.env.*"
+    - "**/id_rsa"
+    - "**/id_ed25519"
+    - "**/*.pem"
+    - "**/*.key"
+    - "**/node_modules/**"
+    - "**/.git/objects/**"
+
+policy:
+  # readonly | safe | dev | danger
+  defaultMode: dev
+  requireApproval:
+    - git_push
+    - git_commit
+    - file_delete
+    - db_write
+    - shell_high_risk
+    - docker_prune
+  blockedCommands:
+    - "rm -rf /"
+    - "sudo rm"
+    - "mkfs"
+    - "dd if="
+    - "chmod -R 777 /"
+    - "curl * | bash"
+    - "wget * | sh"
+    - "git reset --hard"
+    - "git push --force"
+    - "docker system prune"
+    - "kubectl delete"
+    - "terraform apply"
+
+terminal:
+  shell: /bin/bash
+  defaultTimeoutMs: 120000
+  maxOutputBytes: 200000
+  # redact | passthrough
+  envPolicy: redact
+
+git:
+  # approval | allow | deny
+  allowCommit: approval
+  allowPush: approval
+  allowResetHard: false
+
+# Per-tool rate limiting and quotas. Sliding window (maxCalls / windowMs) plus an
+# optional rolling 24h dailyQuota. Denied or approval-gated calls don't consume quota.
+rateLimit:
+  enabled: true
+  default:
+    maxCalls: 60
+    windowMs: 10000
+  overrides:
+    shell_exec:
+      maxCalls: 20
+      windowMs: 10000
+      dailyQuota: 1000
+    git_push:
+      maxCalls: 5
+      windowMs: 60000
+      dailyQuota: 50
+
+# Secret scanning. Beyond the built-in regex rules, entropy detection flags
+# bespoke high-entropy tokens (minEntropy is bits/char; minLength is the
+# shortest token considered).
+secretScan:
+  entropyEnabled: true
+  minEntropy: 4.0
+  minLength: 20
+
+adapters:
+  serena:
+    enabled: false
+    command: serena
+    args: []
+  playwright:
+    enabled: true
+    command: npx
+    args:
+      - "-y"
+      - "@playwright/mcp@latest"
+  desktopCommander:
+    enabled: false
+    command: npx
+    args:
+      - "-y"
+      - "@wonderwhy-er/desktop-commander@latest"

package/package.json

@@ -0,0 +1,74 @@
+{
+  "name": "@musashishao/folderforge",
+  "version": "1.2.0",
+  "description": "FolderForge - the all-in-one MCP-native local development control plane for AI coding agents.",
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "ai-agents",
+    "coding-agent",
+    "claude",
+    "cursor",
+    "codex",
+    "developer-tools",
+    "workspace",
+    "filesystem",
+    "stdio",
+    "cli"
+  ],
+  "homepage": "https://github.com/roronoazoroshao369/FolderForge#readme",
+  "bugs": {
+    "url": "https://github.com/roronoazoroshao369/FolderForge/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/roronoazoroshao369/FolderForge.git"
+  },
+  "license": "Apache-2.0",
+  "author": "",
+  "type": "module",
+  "bin": {
+    "folderforge": "./dist/main.js"
+  },
+  "main": "./dist/main.js",
+  "files": [
+    "dist",
+    "examples",
+    "docs",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=22.0.0"
+  },
+  "scripts": {
+    "dev": "tsx src/main.ts",
+    "build": "tsc -p tsconfig.json",
+    "clean": "rm -rf dist",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "start": "node dist/main.js",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "lint": "tsc -p tsconfig.json --noEmit",
+    "prepublishOnly": "npm run clean && npm run build && npm test"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "execa": "^9.0.0",
+    "fast-glob": "^3.3.0",
+    "ignore": "^6.0.0",
+    "pino": "^9.0.0",
+    "simple-git": "^3.25.0",
+    "yaml": "^2.5.0",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.6.0",
+    "vitest": "^2.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}