@phren/cli 0.0.17 → 0.0.19

package/mcp/dist/capabilities/cli.js

@@ -1,6 +1,6 @@
 export const cliManifest = {
     surface: "cli",
-    version: "0.0.17",
+    version: "0.0.19",
     actions: {
         // Finding management
         "finding.add": { implemented: true, handler: "cli-actions.ts:handleAddFinding" },

package/mcp/dist/capabilities/mcp.js

@@ -1,6 +1,6 @@
 export const mcpManifest = {
     surface: "mcp",
-    version: "0.0.17",
+    version: "0.0.19",
     actions: {
         // Finding management
         "finding.add": { implemented: true, handler: "index.ts:add_finding" },

package/mcp/dist/capabilities/vscode.js

@@ -1,6 +1,6 @@
 export const vscodeManifest = {
     surface: "vscode",
-    version: "0.0.17",
+    version: "0.0.19",
     actions: {
         // Finding management
         "finding.add": { implemented: true, handler: "extension.ts:phren.addFinding" },

package/mcp/dist/capabilities/web-ui.js

@@ -1,6 +1,6 @@
 export const webUiManifest = {
     surface: "web-ui",
-    version: "0.0.17",
+    version: "0.0.19",
     actions: {
         // Finding management
         "finding.add": { implemented: false, reason: "Web UI is read-only for findings (review queue only)" },

package/mcp/dist/cli-hooks-session.js

@@ -329,7 +329,7 @@ function scheduleBackgroundMaintenance(phrenPathLocal, project) {
         }
         if (project)
             spawnArgs.push(project);
-        const logDir = path.join(phrenPathLocal, ".governance");
+        const logDir = path.join(phrenPathLocal, ".config");
         fs.mkdirSync(logDir, { recursive: true });
         const logPath = path.join(logDir, "background-maintenance.log");
         const logFd = fs.openSync(logPath, "a");
@@ -394,7 +394,7 @@ function scheduleBackgroundMaintenance(phrenPathLocal, project) {
     catch (err) {
         const errMsg = errorMessage(err);
         try {
-            const logDir = path.join(phrenPathLocal, ".governance");
+            const logDir = path.join(phrenPathLocal, ".config");
             fs.mkdirSync(logDir, { recursive: true });
             fs.appendFileSync(path.join(logDir, "background-maintenance.log"), `[${new Date().toISOString()}] spawn failed: ${errMsg}\n`);
         }
@@ -888,7 +888,7 @@ export async function handleHookStop() {
                         continue;
                     const proj = m[1].trim();
                     if (proj.startsWith("."))
-                        continue; // skip .governance, .runtime, etc.
+                        continue; // skip .config, .runtime, etc.
                     const file = m[2].trim();
                     if (!changes.has(proj))
                         changes.set(proj, new Set());

package/mcp/dist/cli-namespaces.js

@@ -1440,7 +1440,7 @@ export async function handleFindingNamespace(args) {
     if (subcommand === "contradictions") {
         const project = args[1];
         const phrenPath = getPhrenPath();
-        const RESERVED_DIRS = new Set(["global", ".runtime", ".sessions", ".governance"]);
+        const RESERVED_DIRS = new Set(["global", ".runtime", ".sessions", ".config"]);
         const { readFindings } = await import("./data-access.js");
         const projects = project
             ? [project]

package/mcp/dist/data-tasks.js

@@ -330,7 +330,7 @@ function writeTaskDoc(doc) {
     fs.renameSync(tmpPath, doc.path);
 }
 function taskArchivePath(phrenPath, project) {
-    return path.join(phrenPath, ".governance", "task-archive", `${project}.md`);
+    return path.join(phrenPath, ".config", "task-archive", `${project}.md`);
 }
 export function readTasks(phrenPath, project) {
     const ensured = ensureProject(phrenPath, project);

package/mcp/dist/entrypoint.js

@@ -255,7 +255,7 @@ export async function runTopLevelCommand(argv) {
         const ownershipArg = getOptionValue(argv.slice(1), "--ownership");
         const phrenPath = defaultPhrenPath();
         const profile = (process.env.PHREN_PROFILE) || undefined;
-        if (!fs.existsSync(phrenPath) || !fs.existsSync(path.join(phrenPath, ".governance"))) {
+        if (!fs.existsSync(phrenPath) || !fs.existsSync(path.join(phrenPath, ".config"))) {
             console.log("phren is not set up yet. Run: npx phren init");
             return finish(1);
         }

package/mcp/dist/governance-policy.js

@@ -5,6 +5,7 @@ import { appendAuditLog, debugLog, getProjectDirs, isRecord, runtimeHealthFile,
 import { withFileLock, isFiniteNumber, hasValidSchemaVersion } from "./shared-governance.js";
 import { errorMessage, isValidProjectName, safeProjectPath } from "./utils.js";
 import { readProjectConfig } from "./project-config.js";
+import { getActiveProfileDefaults } from "./profile-store.js";
 import { runCustomHooks } from "./hooks.js";
 import { METADATA_REGEX, isCitationLine, isArchiveStart as isArchiveStartMeta, isArchiveEnd as isArchiveEndMeta, stripLifecycleMetadata as stripLifecycleMetadataMeta, } from "./content-metadata.js";
 export const MAX_QUEUE_ENTRY_LENGTH = 500;
@@ -39,7 +40,7 @@ const DEFAULT_RUNTIME_HEALTH = {
     schemaVersion: GOVERNANCE_SCHEMA_VERSION,
 };
 function governanceDir(phrenPath) {
-    return path.join(phrenPath, ".governance");
+    return path.join(phrenPath, ".config");
 }
 function govFile(phrenPath, schema) {
     return path.join(governanceDir(phrenPath), GOVERNANCE_REGISTRY[schema].file);
@@ -283,66 +284,109 @@ function readProjectConfigOverrides(phrenPath, projectName) {
 export function getProjectConfigOverrides(phrenPath, projectName) {
     return readProjectConfigOverrides(phrenPath, projectName) ?? null;
 }
-export function mergeConfig(phrenPath, projectName) {
+export function mergeConfig(phrenPath, projectName, profile) {
     const globalRetention = getRetentionPolicyGlobal(phrenPath);
     const globalWorkflow = getWorkflowPolicyGlobal(phrenPath);
     if (projectName && !isValidProjectName(projectName)) {
         debugLog(`mergeConfig: invalid project name "${projectName}", using global defaults`);
         projectName = undefined;
     }
+    // Load profile-level defaults (global → profile → project resolution chain)
+    let profileDefaults;
+    try {
+        profileDefaults = getActiveProfileDefaults(phrenPath, profile);
+    }
+    catch {
+        // profile defaults are best-effort
+    }
+    // Apply profile defaults on top of global to get the profile-level base
+    const profileRetention = profileDefaults?.retentionPolicy
+        ? {
+            schemaVersion: globalRetention.schemaVersion,
+            ttlDays: profileDefaults.retentionPolicy.ttlDays ?? globalRetention.ttlDays,
+            retentionDays: profileDefaults.retentionPolicy.retentionDays ?? globalRetention.retentionDays,
+            autoAcceptThreshold: profileDefaults.retentionPolicy.autoAcceptThreshold ?? globalRetention.autoAcceptThreshold,
+            minInjectConfidence: profileDefaults.retentionPolicy.minInjectConfidence ?? globalRetention.minInjectConfidence,
+            decay: {
+                d30: profileDefaults.retentionPolicy.decay?.d30 ?? globalRetention.decay.d30,
+                d60: profileDefaults.retentionPolicy.decay?.d60 ?? globalRetention.decay.d60,
+                d90: profileDefaults.retentionPolicy.decay?.d90 ?? globalRetention.decay.d90,
+                d120: profileDefaults.retentionPolicy.decay?.d120 ?? globalRetention.decay.d120,
+            },
+        }
+        : globalRetention;
+    const profileWorkflow = profileDefaults
+        ? {
+            schemaVersion: globalWorkflow.schemaVersion,
+            lowConfidenceThreshold: profileDefaults.workflowPolicy?.lowConfidenceThreshold ?? globalWorkflow.lowConfidenceThreshold,
+            riskySections: profileDefaults.workflowPolicy?.riskySections?.length
+                ? profileDefaults.workflowPolicy.riskySections
+                : globalWorkflow.riskySections,
+            taskMode: profileDefaults.taskMode ?? globalWorkflow.taskMode,
+            findingSensitivity: profileDefaults.findingSensitivity ?? globalWorkflow.findingSensitivity,
+        }
+        : globalWorkflow;
     if (!projectName) {
         return {
-            findingSensitivity: globalWorkflow.findingSensitivity,
-            proactivity: {},
-            taskMode: globalWorkflow.taskMode,
-            retentionPolicy: globalRetention,
-            workflowPolicy: globalWorkflow,
+            findingSensitivity: profileWorkflow.findingSensitivity,
+            proactivity: {
+                base: profileDefaults?.proactivity,
+                findings: profileDefaults?.proactivityFindings,
+                tasks: profileDefaults?.proactivityTask,
+            },
+            taskMode: profileWorkflow.taskMode,
+            retentionPolicy: profileRetention,
+            workflowPolicy: profileWorkflow,
         };
     }
     const overrides = readProjectConfigOverrides(phrenPath, projectName);
     if (!overrides) {
         return {
-            findingSensitivity: globalWorkflow.findingSensitivity,
-            proactivity: {},
-            taskMode: globalWorkflow.taskMode,
-            retentionPolicy: globalRetention,
-            workflowPolicy: globalWorkflow,
+            findingSensitivity: profileWorkflow.findingSensitivity,
+            proactivity: {
+                base: profileDefaults?.proactivity,
+                findings: profileDefaults?.proactivityFindings,
+                tasks: profileDefaults?.proactivityTask,
+            },
+            taskMode: profileWorkflow.taskMode,
+            retentionPolicy: profileRetention,
+            workflowPolicy: profileWorkflow,
         };
     }
-    // Merge retention policy
+    // Merge retention policy: profile as base, project overrides on top
     const retentionOverride = overrides.retentionPolicy;
     const mergedRetention = retentionOverride
         ? {
-            schemaVersion: globalRetention.schemaVersion,
-            ttlDays: retentionOverride.ttlDays ?? globalRetention.ttlDays,
-            retentionDays: retentionOverride.retentionDays ?? globalRetention.retentionDays,
-            autoAcceptThreshold: retentionOverride.autoAcceptThreshold ?? globalRetention.autoAcceptThreshold,
-            minInjectConfidence: retentionOverride.minInjectConfidence ?? globalRetention.minInjectConfidence,
+            schemaVersion: profileRetention.schemaVersion,
+            ttlDays: retentionOverride.ttlDays ?? profileRetention.ttlDays,
+            retentionDays: retentionOverride.retentionDays ?? profileRetention.retentionDays,
+            autoAcceptThreshold: retentionOverride.autoAcceptThreshold ?? profileRetention.autoAcceptThreshold,
+            minInjectConfidence: retentionOverride.minInjectConfidence ?? profileRetention.minInjectConfidence,
             decay: {
-                d30: retentionOverride.decay?.d30 ?? globalRetention.decay.d30,
-                d60: retentionOverride.decay?.d60 ?? globalRetention.decay.d60,
-                d90: retentionOverride.decay?.d90 ?? globalRetention.decay.d90,
-                d120: retentionOverride.decay?.d120 ?? globalRetention.decay.d120,
+                d30: retentionOverride.decay?.d30 ?? profileRetention.decay.d30,
+                d60: retentionOverride.decay?.d60 ?? profileRetention.decay.d60,
+                d90: retentionOverride.decay?.d90 ?? profileRetention.decay.d90,
+                d120: retentionOverride.decay?.d120 ?? profileRetention.decay.d120,
             },
         }
-        : globalRetention;
-    // Merge workflow policy
+        : profileRetention;
+    // Merge workflow policy: profile as base, project overrides on top
     const workflowOverride = overrides.workflowPolicy;
     const mergedWorkflow = {
-        schemaVersion: globalWorkflow.schemaVersion,
-        lowConfidenceThreshold: workflowOverride?.lowConfidenceThreshold ?? globalWorkflow.lowConfidenceThreshold,
+        schemaVersion: profileWorkflow.schemaVersion,
+        lowConfidenceThreshold: workflowOverride?.lowConfidenceThreshold ?? profileWorkflow.lowConfidenceThreshold,
         riskySections: workflowOverride?.riskySections?.length
             ? workflowOverride.riskySections
-            : globalWorkflow.riskySections,
-        taskMode: overrides.taskMode ?? globalWorkflow.taskMode,
-        findingSensitivity: overrides.findingSensitivity ?? globalWorkflow.findingSensitivity,
+            : profileWorkflow.riskySections,
+        taskMode: overrides.taskMode ?? profileWorkflow.taskMode,
+        findingSensitivity: overrides.findingSensitivity ?? profileWorkflow.findingSensitivity,
     };
     return {
         findingSensitivity: mergedWorkflow.findingSensitivity,
         proactivity: {
-            base: overrides.proactivity,
-            findings: overrides.proactivityFindings,
-            tasks: overrides.proactivityTask,
+            base: overrides.proactivity ?? profileDefaults?.proactivity,
+            findings: overrides.proactivityFindings ?? profileDefaults?.proactivityFindings,
+            tasks: overrides.proactivityTask ?? profileDefaults?.proactivityTask,
         },
         taskMode: mergedWorkflow.taskMode,
         retentionPolicy: mergedRetention,

package/mcp/dist/governance-rbac.js

@@ -0,0 +1,152 @@
+/**
+ * RBAC enforcement for mutating MCP tools.
+ *
+ * Access-control.json lives at `<phrenPath>/.config/access-control.json` (global).
+ * Per-project overrides live in `phren.project.yaml` under the `access` key.
+ *
+ * Schema:
+ *   { admins: string[], contributors: string[], readers: string[] }
+ *
+ * Role hierarchy:
+ *   admins       → all actions
+ *   contributors → add/edit/remove findings, complete/add/remove tasks
+ *   readers      → read-only (search, get)
+ *
+ * When no access-control.json exists, all actors are permitted (open mode).
+ *
+ * The actor is read from the PHREN_ACTOR env var (falls back to open if unset).
+ */
+import * as fs from "fs";
+import * as path from "path";
+import { debugLog } from "./shared.js";
+import { errorMessage } from "./utils.js";
+import { readProjectConfig } from "./project-config.js";
+function configDir(phrenPath) {
+    return path.join(phrenPath, ".config");
+}
+function readGlobalAccessControl(phrenPath) {
+    const filePath = path.join(configDir(phrenPath), "access-control.json");
+    if (!fs.existsSync(filePath))
+        return null;
+    try {
+        const raw = fs.readFileSync(filePath, "utf8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return null;
+        return parsed;
+    }
+    catch (err) {
+        debugLog(`readGlobalAccessControl: failed to parse ${filePath}: ${errorMessage(err)}`);
+        return null;
+    }
+}
+function normalizeStringArray(value) {
+    if (!Array.isArray(value))
+        return [];
+    return value.filter((item) => typeof item === "string" && item.trim().length > 0);
+}
+function mergeAccessControl(global, projectAccess) {
+    // If neither global nor project access is configured, open mode
+    if (!global && !projectAccess)
+        return null;
+    const base = global ?? {};
+    if (!projectAccess)
+        return base;
+    // Project-level access adds/replaces role lists; global is the baseline
+    return {
+        admins: [...new Set([...normalizeStringArray(base.admins), ...normalizeStringArray(projectAccess.admins)])],
+        contributors: [...new Set([...normalizeStringArray(base.contributors), ...normalizeStringArray(projectAccess.contributors)])],
+        readers: [...new Set([...normalizeStringArray(base.readers), ...normalizeStringArray(projectAccess.readers)])],
+    };
+}
+function resolvedActorRole(actor, ac) {
+    const admins = normalizeStringArray(ac.admins);
+    const contributors = normalizeStringArray(ac.contributors);
+    const readers = normalizeStringArray(ac.readers);
+    // If all role lists are empty, treat as open
+    if (!admins.length && !contributors.length && !readers.length)
+        return "admin";
+    if (admins.includes(actor))
+        return "admin";
+    if (contributors.includes(actor))
+        return "contributor";
+    if (readers.includes(actor))
+        return "reader";
+    return "denied";
+}
+const CONTRIBUTOR_ACTIONS = new Set([
+    "add_finding",
+    "remove_finding",
+    "edit_finding",
+    "complete_task",
+    "add_task",
+    "remove_task",
+    "update_task",
+]);
+const ADMIN_ONLY_ACTIONS = new Set([
+    "manage_config",
+]);
+function rolePermits(role, action) {
+    if (role === "denied")
+        return false;
+    if (role === "admin")
+        return true;
+    if (ADMIN_ONLY_ACTIONS.has(action))
+        return false;
+    if (role === "contributor")
+        return CONTRIBUTOR_ACTIONS.has(action);
+    // readers: no mutating actions
+    return false;
+}
+/**
+ * Check whether the current actor (from PHREN_ACTOR env var) is permitted to
+ * perform `action`. When `project` is provided, merges global + per-project ACL.
+ *
+ * Returns `{ allowed: true }` when permitted, `{ allowed: false, reason }` when denied.
+ */
+export function checkPermission(phrenPath, action, project) {
+    const actor = (process.env.PHREN_ACTOR ?? "").trim() || null;
+    const globalAc = readGlobalAccessControl(phrenPath);
+    const projectAccess = project
+        ? readProjectConfig(phrenPath, project).access
+        : undefined;
+    const effectiveAc = mergeAccessControl(globalAc, projectAccess);
+    // Open mode: no access control configured at any level
+    if (!effectiveAc) {
+        return { allowed: true, actor, role: "open" };
+    }
+    // No actor env var set — check if we're in open mode still
+    if (!actor) {
+        // If all lists are empty, open
+        const allEmpty = !normalizeStringArray(effectiveAc.admins).length &&
+            !normalizeStringArray(effectiveAc.contributors).length &&
+            !normalizeStringArray(effectiveAc.readers).length;
+        if (allEmpty)
+            return { allowed: true, actor, role: "open" };
+        return {
+            allowed: false,
+            actor,
+            role: "denied",
+            reason: "PHREN_ACTOR is not set and access control is configured. Set PHREN_ACTOR to your username.",
+        };
+    }
+    const role = resolvedActorRole(actor, effectiveAc);
+    const allowed = rolePermits(role, action);
+    if (!allowed) {
+        const reason = role === "denied"
+            ? `Actor "${actor}" is not listed in access-control for ${project ? `project "${project}"` : "global config"}.`
+            : `Actor "${actor}" has role "${role}" which does not permit "${action}".`;
+        return { allowed: false, actor, role, reason };
+    }
+    return { allowed: true, actor, role };
+}
+/**
+ * Convenience wrapper: returns a permission-denied MCP error string,
+ * or null if the action is allowed.
+ */
+export function permissionDeniedError(phrenPath, action, project) {
+    const result = checkPermission(phrenPath, action, project);
+    if (result.allowed)
+        return null;
+    return `Permission denied: ${result.reason ?? `actor "${result.actor}" cannot perform "${action}".`}`;
+}

package/mcp/dist/init-preferences.js

@@ -11,7 +11,7 @@ function preferencesFile(phrenPath) {
     return installPreferencesFile(phrenPath);
 }
 export function governanceInstallPreferencesFile(phrenPath) {
-    return path.join(phrenPath, ".governance", "install-preferences.json");
+    return path.join(phrenPath, ".config", "install-preferences.json");
 }
 function readPreferencesFile(file) {
     if (!fs.existsSync(file))

package/mcp/dist/init-setup.js

@@ -399,9 +399,9 @@ export function applyStarterTemplateUpdates(phrenPath) {
 }
 export function ensureGovernanceFiles(phrenPath) {
     const created = [];
-    const govDir = path.join(phrenPath, ".governance");
+    const govDir = path.join(phrenPath, ".config");
     if (!fs.existsSync(govDir))
-        created.push(".governance/");
+        created.push(".config/");
     fs.mkdirSync(govDir, { recursive: true });
     const sv = GOVERNANCE_SCHEMA_VERSION;
     const policy = path.join(govDir, "retention-policy.json");
@@ -417,7 +417,7 @@ export function ensureGovernanceFiles(phrenPath) {
             minInjectConfidence: 0.35,
             decay: { d30: 1.0, d60: 0.85, d90: 0.65, d120: 0.45 },
         }, null, 2) + "\n");
-        created.push(".governance/retention-policy.json");
+        created.push(".config/retention-policy.json");
     }
     if (!fs.existsSync(workflow)) {
         atomicWriteText(workflow, JSON.stringify({
@@ -426,7 +426,7 @@ export function ensureGovernanceFiles(phrenPath) {
             riskySections: ["Stale", "Conflicts"],
             taskMode: "auto",
         }, null, 2) + "\n");
-        created.push(".governance/workflow-policy.json");
+        created.push(".config/workflow-policy.json");
     }
     if (!fs.existsSync(indexPolicy)) {
         atomicWriteText(indexPolicy, JSON.stringify({
@@ -435,7 +435,7 @@ export function ensureGovernanceFiles(phrenPath) {
             excludeGlobs: ["**/.git/**", "**/node_modules/**", "**/dist/**", "**/build/**"],
             includeHidden: false,
         }, null, 2) + "\n");
-        created.push(".governance/index-policy.json");
+        created.push(".config/index-policy.json");
     }
     if (!fs.existsSync(runtimeHealth)) {
         atomicWriteText(runtimeHealth, JSON.stringify({ schemaVersion: sv }, null, 2) + "\n");
@@ -1215,12 +1215,12 @@ export function runPostInitVerify(phrenPath) {
         detail: globalOk ? "global/CLAUDE.md exists" : "global/CLAUDE.md missing",
         fix: globalOk ? undefined : "Run `phren init` to create starter files",
     });
-    const govDir = path.join(phrenPath, ".governance");
+    const govDir = path.join(phrenPath, ".config");
     const govOk = fs.existsSync(govDir);
     checks.push({
         name: "config",
         ok: govOk,
-        detail: govOk ? ".governance/ config directory exists" : ".governance/ config directory missing",
+        detail: govOk ? ".config/ config directory exists" : ".config/ config directory missing",
         fix: govOk ? undefined : "Run `phren init` to create governance config",
     });
     const installedPrefs = readInstallPreferences(phrenPath);

package/mcp/dist/init.js

@@ -105,7 +105,7 @@ function parseRiskySectionsAnswer(raw, fallback) {
 }
 function hasInstallMarkers(phrenPath) {
     return fs.existsSync(phrenPath) && (fs.existsSync(path.join(phrenPath, "machines.yaml")) ||
-        fs.existsSync(path.join(phrenPath, ".governance")) ||
+        fs.existsSync(path.join(phrenPath, ".config")) ||
         fs.existsSync(path.join(phrenPath, "global")));
 }
 function resolveInitPhrenPath(opts) {
@@ -1374,7 +1374,7 @@ export async function runInit(opts = {}) {
     log(`  ${phrenPath}/global/CLAUDE.md    Global instructions loaded in every session`);
     log(`  ${phrenPath}/global/skills/      Phren slash commands`);
     log(`  ${phrenPath}/profiles/           Machine-to-project mappings`);
-    log(`  ${phrenPath}/.governance/        Memory quality settings and config`);
+    log(`  ${phrenPath}/.config/        Memory quality settings and config`);
     // Ollama status summary (skip if already covered in walkthrough)
     const walkthroughCoveredOllama = Boolean(process.env._PHREN_WALKTHROUGH_OLLAMA_SKIP) || (!hasExistingInstall && !opts.yes);
     if (!walkthroughCoveredOllama) {

package/mcp/dist/link-checksums.js

@@ -9,7 +9,7 @@ function fileChecksum(filePath) {
     return crypto.createHash("sha256").update(content).digest("hex");
 }
 function checksumStorePath(phrenPath) {
-    return path.join(phrenPath, ".governance", "file-checksums.json");
+    return path.join(phrenPath, ".config", "file-checksums.json");
 }
 function loadChecksums(phrenPath) {
     const file = checksumStorePath(phrenPath);

package/mcp/dist/link-doctor.js

@@ -433,7 +433,7 @@ export async function runDoctor(phrenPath, fix = false, checkData = false) {
             { file: "index-policy.json", schema: "index-policy" },
         ];
         for (const item of governanceChecks) {
-            const filePath = path.join(phrenPath, ".governance", item.file);
+            const filePath = path.join(phrenPath, ".config", item.file);
             const exists = fs.existsSync(filePath);
             const valid = exists ? validateGovernanceJson(filePath, item.schema) : false;
             checks.push({

package/mcp/dist/mcp-config.js

@@ -1,3 +1,5 @@
+import * as fs from "fs";
+import * as path from "path";
 import { mcpResponse } from "./mcp-types.js";
 import { z } from "zod";
 import { getRetentionPolicy, updateRetentionPolicy, getWorkflowPolicy, updateWorkflowPolicy, getIndexPolicy, updateIndexPolicy, mergeConfig, VALID_TASK_MODES, VALID_FINDING_SENSITIVITY, } from "./shared-governance.js";
@@ -5,7 +7,8 @@ import { PROACTIVITY_LEVELS, } from "./proactivity.js";
 import { writeGovernanceInstallPreferences, } from "./init-preferences.js";
 import { FINDING_SENSITIVITY_CONFIG, buildProactivitySnapshot, checkProjectInProfile } from "./cli-config.js";
 import { readProjectConfig, updateProjectConfigOverrides, } from "./project-config.js";
-import { isValidProjectName } from "./utils.js";
+import { isValidProjectName, safeProjectPath } from "./utils.js";
+import { readProjectTopics, writeProjectTopics, } from "./project-topics.js";
 // ── Helpers ─────────────────────────────────────────────────────────────────
 function proactivitySnapshot(phrenPath) {
     const snap = buildProactivitySnapshot(phrenPath);
@@ -32,7 +35,7 @@ function getProjectOverrides(phrenPath, project) {
 function hasOwnOverride(overrides, key) {
     return Object.prototype.hasOwnProperty.call(overrides, key);
 }
-const projectParam = z.string().optional().describe("Project name. When provided, writes to that project's phren.project.yaml instead of global .governance/.");
+const projectParam = z.string().optional().describe("Project name. When provided, writes to that project's phren.project.yaml instead of global .config/.");
 // ── Registration ────────────────────────────────────────────────────────────
 export function register(server, ctx) {
     const { phrenPath } = ctx;
@@ -448,4 +451,101 @@ export function register(server, ctx) {
             data: result.data,
         });
     });
+    // ── get_topic_config ──────────────────────────────────────────────────────
+    server.registerTool("get_topic_config", {
+        title: "◆ phren · get topic config",
+        description: "Read the topic-config.json for a project. Returns the list of topics, domain, " +
+            "and pinned topics. When no config exists, returns the built-in default topics for the project.",
+        inputSchema: z.object({
+            project: z.string().describe("Project name to read topic config from."),
+        }),
+    }, async ({ project }) => {
+        const err = validateProject(project);
+        if (err)
+            return mcpResponse({ ok: false, error: err });
+        const projectDir = safeProjectPath(phrenPath, project);
+        if (!projectDir || !fs.existsSync(projectDir)) {
+            return mcpResponse({ ok: false, error: `Project "${project}" not found in phren.` });
+        }
+        const result = readProjectTopics(phrenPath, project);
+        const configPath = path.join(projectDir, "topic-config.json");
+        const raw = fs.existsSync(configPath)
+            ? (() => { try {
+                return JSON.parse(fs.readFileSync(configPath, "utf8"));
+            }
+            catch {
+                return null;
+            } })()
+            : null;
+        return mcpResponse({
+            ok: true,
+            message: `Topic config for "${project}" (source: ${result.source}).`,
+            data: {
+                project,
+                source: result.source,
+                domain: result.domain ?? raw?.domain ?? null,
+                topics: result.topics,
+                pinnedTopics: raw?.pinnedTopics ?? [],
+            },
+        });
+    });
+    // ── set_topic_config ──────────────────────────────────────────────────────
+    server.registerTool("set_topic_config", {
+        title: "◆ phren · set topic config",
+        description: "Write the topic-config.json for a project. Accepts a list of topics with slug, label, " +
+            "description, and keywords. Merges with any existing pinnedTopics and domain.",
+        inputSchema: z.object({
+            project: z.string().describe("Project name to write topic config for."),
+            topics: z.array(z.object({
+                slug: z.string().describe("Topic slug (lowercase, hyphens allowed)."),
+                label: z.string().describe("Human-readable label."),
+                description: z.string().optional().describe("Short description of what goes in this topic."),
+                keywords: z.array(z.string()).optional().describe("Keywords used for auto-classification."),
+            })).describe("Topic list to write."),
+            domain: z.string().optional().describe("Optional domain label (e.g. 'software', 'music')."),
+        }),
+    }, async ({ project, topics, domain }) => {
+        const err = validateProject(project);
+        if (err)
+            return mcpResponse({ ok: false, error: err });
+        const projectDir = safeProjectPath(phrenPath, project);
+        if (!projectDir || !fs.existsSync(projectDir)) {
+            return mcpResponse({ ok: false, error: `Project "${project}" not found in phren.` });
+        }
+        const normalized = topics.map((t) => ({
+            slug: t.slug,
+            label: t.label,
+            description: t.description ?? "",
+            keywords: t.keywords ?? [],
+        }));
+        // If a domain is provided, patch it onto the existing file before writing topics
+        if (domain) {
+            const configPath = path.join(projectDir, "topic-config.json");
+            if (fs.existsSync(configPath)) {
+                try {
+                    const existing = JSON.parse(fs.readFileSync(configPath, "utf8"));
+                    if (existing && typeof existing === "object") {
+                        existing.domain = domain;
+                        fs.writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n");
+                    }
+                }
+                catch {
+                    // ignore read errors; writeProjectTopics will still succeed
+                }
+            }
+            else {
+                fs.mkdirSync(projectDir, { recursive: true });
+                fs.writeFileSync(configPath, JSON.stringify({ version: 1, domain, topics: [] }, null, 2) + "\n");
+            }
+        }
+        const result = writeProjectTopics(phrenPath, project, normalized);
+        if (!result.ok) {
+            return mcpResponse({ ok: false, error: result.error });
+        }
+        return mcpResponse({
+            ok: true,
+            message: `Topic config written for "${project}" (${result.topics.length} topics).`,
+            data: { project, topics: result.topics, domain: domain ?? null },
+        });
+    });
 }