@polymorphism-tech/morph-spec 4.8.19 → 4.10.0

package/framework/skills/level-0-meta/{code-review-nextjs → morph-code-review-nextjs}/SKILL.md

@@ -1,163 +1,163 @@
----
-name: code-review-nextjs
-description: Next.js code review checklist covering naming conventions, component architecture (Server vs Client), data fetching patterns, form implementation, state management, TypeScript/Zod discipline, feature boundaries, and testing. Use after implementing Next.js code, before creating PRs, or when reviewing TSX/TS code for compliance with MORPH-SPEC Next.js standards.
-user-invocable: true
-allowed-tools: Read, Write, Edit, Bash, Glob, Grep
----
-
-# Next.js Code Review Checklist
-
-> Comprehensive checklist for Next.js code review: naming, component architecture, data fetching, forms, state, TypeScript, structure, and testing.
-> **Ref:** `framework/standards/frontend/nextjs/naming-conventions.md`
-> **Ref:** `framework/standards/frontend/nextjs/app-router.md`
-> **Ref:** `framework/standards/frontend/nextjs/components.md`
-> **Ref:** `framework/standards/frontend/nextjs/data-fetching.md`
-> **Ref:** `framework/standards/frontend/nextjs/forms.md`
-> **Ref:** `framework/standards/frontend/nextjs/state-management.md`
-> **Ref:** `framework/standards/frontend/nextjs/testing.md`
-> **Example:** `references/review-example-nextjs.md` — filled-in review showing expected finding format.
-> **Script:** `scripts/scan-nextjs.mjs` — automated scan for CRITICAL/HIGH violations before manual review.
-> **Ref:** `.claude/skills/code-review/references/review-guidelines.md` — false-positive rubric, confidence scoring, evidence format.
-
----
-
-## Step 0 — Eligibility Check
-
-```bash
-git diff --name-only main...HEAD -- "*.tsx" "*.ts" | wc -l
-```
-
-**Pular revisão se:**
-- 0 arquivos `.tsx`/`.ts` alterados → sem código frontend para revisar
-- Apenas mudanças em `*.json`, `*.md`, arquivos de config → escopo de infra
-- Já existe `.morph/features/$ARGUMENTS/4-implement/code-review-nextjs.md` criado hoje → já revisado
-
-Se skip: output `"Skipping code-review-nextjs: [motivo]"` e parar.
-
----
-
-## Step 1 — Run automated scan first
-
-```bash
-node scripts/scan-nextjs.mjs src/
-```
-
-Review and address CRITICAL findings before proceeding with the manual checklist below. Warnings can be addressed during review.
-
----
-
-## Naming & Style (ref: naming-conventions.md)
-
-- [ ] `[CRITICAL]` File names use kebab-case (`user-card.tsx`, NOT `UserCard.tsx`)
-- [ ] `[HIGH]` Components exported as named exports (`export function UserCard`, NOT `export default function UserCard`)
-- [ ] `[HIGH]` Hook files named `use-{action}.ts` and export `use{Action}()`
-- [ ] `[HIGH]` Schema files named `{feature}.schemas.ts` with Zod exports
-- [ ] `[HIGH]` Type files named `{feature}.types.ts` with `z.infer<>` derived types
-- [ ] `[MEDIUM]` No abbreviations in public API names (`repository` not `repo`)
-- [ ] `[MEDIUM]` Feature folder uses kebab-case (`features/user-management/`, NOT `features/userManagement/`)
-
----
-
-## Component Architecture (ref: app-router.md, components.md)
-
-### Server vs Client Discipline
-- [ ] `[CRITICAL]` `'use client'` only on components that use hooks or event handlers
-- [ ] `[CRITICAL]` No `useEffect(() => { fetch(...) }, [])` for data fetching — use Server Components or TanStack Query
-- [ ] `[HIGH]` Server Components used for initial page data (no `'use client'` on page files)
-- [ ] `[HIGH]` `loading.tsx`, `error.tsx` co-located with every `page.tsx`
-- [ ] `[HIGH]` No business logic in `app/` route files — import from `features/`
-
-### Three-Tier Hierarchy
-- [ ] `[CRITICAL]` No edits to `components/ui/` files — shadcn primitives are never modified
-- [ ] `[HIGH]` `components/` (Tier 2) has no imports from `features/` — no domain knowledge
-- [ ] `[HIGH]` Feature components (`features/*/components/`) do not import from other features
-- [ ] `[MEDIUM]` Feature cross-dependencies extracted to `components/` or `lib/`
-
----
-
-## Data Fetching (ref: data-fetching.md)
-
-- [ ] `[CRITICAL]` No `useEffect` + `useState` pattern for API data — use `useQuery`
-- [ ] `[HIGH]` TanStack Query v5 syntax: `useQuery({ queryKey: [...], queryFn: async () => {} })`
-- [ ] `[HIGH]` Query key factory pattern used (`userKeys.lists()`, NOT hardcoded `['users']`)
-- [ ] `[HIGH]` `useMutation` used for POST/PUT/DELETE — not inline `fetch` in handlers
-- [ ] `[HIGH]` API responses validated with Zod before use
-- [ ] `[MEDIUM]` `onSuccess` in `useMutation` invalidates relevant query keys
-- [ ] `[MEDIUM]` `QueryClientProvider` wraps app in `app/layout.tsx`, not per-component
-
----
-
-## Forms (ref: forms.md)
-
-- [ ] `[CRITICAL]` Zod schema defined BEFORE TypeScript type — type derived with `z.infer<>`
-- [ ] `[HIGH]` `useForm` uses `zodResolver(schema)` — NOT manual validation
-- [ ] `[HIGH]` shadcn `<Form>`, `<FormField>`, `<FormItem>`, `<FormLabel>`, `<FormControl>`, `<FormMessage>` used
-- [ ] `[HIGH]` Form submission uses `useMutation` — NOT direct `fetch` in `onSubmit`
-- [ ] `[MEDIUM]` `isPending` used for loading state — NOT `isLoading` (v5 renamed)
-- [ ] `[MEDIUM]` Root-level errors displayed: `form.formState.errors.root`
-- [ ] `[MEDIUM]` No `useState` for individual form fields — react-hook-form handles this
-
----
-
-## State Management (ref: state-management.md)
-
-- [ ] `[HIGH]` No Zustand/Redux installed without documented justification
-- [ ] `[HIGH]` No React Context used for server state (API data) — use TanStack Query
-- [ ] `[MEDIUM]` Local UI state (open/closed, selected) in `useState` — not global store
-- [ ] `[MEDIUM]` Context only for truly global UI: theme, auth user, locale
-- [ ] `[LOW]` No prop drilling beyond 3 levels — consider Context or co-location
-
----
-
-## TypeScript Discipline
-
-- [ ] `[CRITICAL]` No `any` type — use `unknown` and narrow, or fix the actual type
-- [ ] `[HIGH]` Types derived from Zod schemas (`type User = z.infer<typeof userSchema>`)
-- [ ] `[HIGH]` No duplicate type definitions — if the server returns it, define it once with Zod
-- [ ] `[MEDIUM]` API response types come from the shared schema, not manually written
-- [ ] `[MEDIUM]` `noUncheckedIndexedAccess` respected — array accesses use optional chaining
-- [ ] `[LOW]` No type assertions (`as User`) without validation
-
----
-
-## Feature Structure (ref: project-structure.md)
-
-- [ ] `[HIGH]` Feature exposes public API via `features/{name}/index.ts` — no deep path imports
-- [ ] `[HIGH]` Consumers import from index: `from '@/features/users'` NOT `from '@/features/users/components/user-list'`
-- [ ] `[MEDIUM]` New features create: `components/`, `hooks/`, `types/` subdirectories
-- [ ] `[MEDIUM]` TanStack Query hooks in `features/{name}/hooks/` — NOT co-located with components
-- [ ] `[MEDIUM]` Zod schemas in `features/{name}/types/{name}.schemas.ts`
-- [ ] `[LOW]` Feature index only exports what external consumers actually need (no over-exposure)
-
----
-
-## Testing (ref: testing.md)
-
-- [ ] `[HIGH]` Test files co-located with source (`user-card.test.tsx` next to `user-card.tsx`)
-- [ ] `[HIGH]` `@testing-library/user-event` used — NOT `fireEvent`
-- [ ] `[HIGH]` API calls mocked with MSW — NOT `jest.mock('fetch')` or `global.fetch = jest.fn()`
-- [ ] `[MEDIUM]` Hook tests use `QueryClientWrapper` helper with `retry: false`
-- [ ] `[MEDIUM]` Tests cover happy path + one error path per component
-- [ ] `[LOW]` No snapshot tests — use `expect(screen.getByText(...))`
-
----
-
-## Quick Pre-Merge Checklist
-
-```
-[ ] node scripts/scan-nextjs.mjs src/ — 0 CRITICAL findings
-[ ] File names are kebab-case (UserCard.tsx → user-card.tsx)
-[ ] 'use client' only on interactive components (hooks or event handlers)
-[ ] No useEffect for data fetching — Server Component or useQuery
-[ ] Zod schema defined first, type derived with z.infer<>
-[ ] zodResolver connected to useForm, useMutation for submit
-[ ] Query key factory used (userKeys.lists() not ['users'])
-[ ] Feature public API via features/{name}/index.ts
-[ ] components/ui/ files untouched (shadcn CLI only)
-[ ] Tests: userEvent not fireEvent, MSW not mock fetch
-```
-
----
-
-*Covers: naming-conventions.md + app-router.md + components.md + data-fetching.md + forms.md + state-management.md + testing.md + project-structure.md*
-*MORPH-SPEC by Polymorphism Tech*
+---
+name: morph:code-review-nextjs
+description: Next.js code review checklist covering naming conventions, component architecture (Server vs Client), data fetching patterns, form implementation, state management, TypeScript/Zod discipline, feature boundaries, and testing. Use after implementing Next.js code, before creating PRs, or when reviewing TSX/TS code for compliance with MORPH-SPEC Next.js standards.
+user-invocable: true
+allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+---
+
+# Next.js Code Review Checklist
+
+> Comprehensive checklist for Next.js code review: naming, component architecture, data fetching, forms, state, TypeScript, structure, and testing.
+> **Ref:** `framework/standards/frontend/nextjs/naming-conventions.md`
+> **Ref:** `framework/standards/frontend/nextjs/app-router.md`
+> **Ref:** `framework/standards/frontend/nextjs/components.md`
+> **Ref:** `framework/standards/frontend/nextjs/data-fetching.md`
+> **Ref:** `framework/standards/frontend/nextjs/forms.md`
+> **Ref:** `framework/standards/frontend/nextjs/state-management.md`
+> **Ref:** `framework/standards/frontend/nextjs/testing.md`
+> **Example:** `references/review-example-nextjs.md` — filled-in review showing expected finding format.
+> **Script:** `scripts/scan-nextjs.mjs` — automated scan for CRITICAL/HIGH violations before manual review.
+> **Ref:** `.claude/skills/morph-code-review/references/review-guidelines.md` — false-positive rubric, confidence scoring, evidence format.
+
+---
+
+## Step 0 — Eligibility Check
+
+```bash
+git diff --name-only main...HEAD -- "*.tsx" "*.ts" | wc -l
+```
+
+**Pular revisão se:**
+- 0 arquivos `.tsx`/`.ts` alterados → sem código frontend para revisar
+- Apenas mudanças em `*.json`, `*.md`, arquivos de config → escopo de infra
+- Já existe `.morph/features/$ARGUMENTS/5-implement/code-review-nextjs.md` criado hoje → já revisado
+
+Se skip: output `"Skipping code-review-nextjs: [motivo]"` e parar.
+
+---
+
+## Step 1 — Run automated scan first
+
+```bash
+node scripts/scan-nextjs.mjs src/
+```
+
+Review and address CRITICAL findings before proceeding with the manual checklist below. Warnings can be addressed during review.
+
+---
+
+## Naming & Style (ref: naming-conventions.md)
+
+- [ ] `[CRITICAL]` File names use kebab-case (`user-card.tsx`, NOT `UserCard.tsx`)
+- [ ] `[HIGH]` Components exported as named exports (`export function UserCard`, NOT `export default function UserCard`)
+- [ ] `[HIGH]` Hook files named `use-{action}.ts` and export `use{Action}()`
+- [ ] `[HIGH]` Schema files named `{feature}.schemas.ts` with Zod exports
+- [ ] `[HIGH]` Type files named `{feature}.types.ts` with `z.infer<>` derived types
+- [ ] `[MEDIUM]` No abbreviations in public API names (`repository` not `repo`)
+- [ ] `[MEDIUM]` Feature folder uses kebab-case (`features/user-management/`, NOT `features/userManagement/`)
+
+---
+
+## Component Architecture (ref: app-router.md, components.md)
+
+### Server vs Client Discipline
+- [ ] `[CRITICAL]` `'use client'` only on components that use hooks or event handlers
+- [ ] `[CRITICAL]` No `useEffect(() => { fetch(...) }, [])` for data fetching — use Server Components or TanStack Query
+- [ ] `[HIGH]` Server Components used for initial page data (no `'use client'` on page files)
+- [ ] `[HIGH]` `loading.tsx`, `error.tsx` co-located with every `page.tsx`
+- [ ] `[HIGH]` No business logic in `app/` route files — import from `features/`
+
+### Three-Tier Hierarchy
+- [ ] `[CRITICAL]` No edits to `components/ui/` files — shadcn primitives are never modified
+- [ ] `[HIGH]` `components/` (Tier 2) has no imports from `features/` — no domain knowledge
+- [ ] `[HIGH]` Feature components (`features/*/components/`) do not import from other features
+- [ ] `[MEDIUM]` Feature cross-dependencies extracted to `components/` or `lib/`
+
+---
+
+## Data Fetching (ref: data-fetching.md)
+
+- [ ] `[CRITICAL]` No `useEffect` + `useState` pattern for API data — use `useQuery`
+- [ ] `[HIGH]` TanStack Query v5 syntax: `useQuery({ queryKey: [...], queryFn: async () => {} })`
+- [ ] `[HIGH]` Query key factory pattern used (`userKeys.lists()`, NOT hardcoded `['users']`)
+- [ ] `[HIGH]` `useMutation` used for POST/PUT/DELETE — not inline `fetch` in handlers
+- [ ] `[HIGH]` API responses validated with Zod before use
+- [ ] `[MEDIUM]` `onSuccess` in `useMutation` invalidates relevant query keys
+- [ ] `[MEDIUM]` `QueryClientProvider` wraps app in `app/layout.tsx`, not per-component
+
+---
+
+## Forms (ref: forms.md)
+
+- [ ] `[CRITICAL]` Zod schema defined BEFORE TypeScript type — type derived with `z.infer<>`
+- [ ] `[HIGH]` `useForm` uses `zodResolver(schema)` — NOT manual validation
+- [ ] `[HIGH]` shadcn `<Form>`, `<FormField>`, `<FormItem>`, `<FormLabel>`, `<FormControl>`, `<FormMessage>` used
+- [ ] `[HIGH]` Form submission uses `useMutation` — NOT direct `fetch` in `onSubmit`
+- [ ] `[MEDIUM]` `isPending` used for loading state — NOT `isLoading` (v5 renamed)
+- [ ] `[MEDIUM]` Root-level errors displayed: `form.formState.errors.root`
+- [ ] `[MEDIUM]` No `useState` for individual form fields — react-hook-form handles this
+
+---
+
+## State Management (ref: state-management.md)
+
+- [ ] `[HIGH]` No Zustand/Redux installed without documented justification
+- [ ] `[HIGH]` No React Context used for server state (API data) — use TanStack Query
+- [ ] `[MEDIUM]` Local UI state (open/closed, selected) in `useState` — not global store
+- [ ] `[MEDIUM]` Context only for truly global UI: theme, auth user, locale
+- [ ] `[LOW]` No prop drilling beyond 3 levels — consider Context or co-location
+
+---
+
+## TypeScript Discipline
+
+- [ ] `[CRITICAL]` No `any` type — use `unknown` and narrow, or fix the actual type
+- [ ] `[HIGH]` Types derived from Zod schemas (`type User = z.infer<typeof userSchema>`)
+- [ ] `[HIGH]` No duplicate type definitions — if the server returns it, define it once with Zod
+- [ ] `[MEDIUM]` API response types come from the shared schema, not manually written
+- [ ] `[MEDIUM]` `noUncheckedIndexedAccess` respected — array accesses use optional chaining
+- [ ] `[LOW]` No type assertions (`as User`) without validation
+
+---
+
+## Feature Structure (ref: project-structure.md)
+
+- [ ] `[HIGH]` Feature exposes public API via `features/{name}/index.ts` — no deep path imports
+- [ ] `[HIGH]` Consumers import from index: `from '@/features/users'` NOT `from '@/features/users/components/user-list'`
+- [ ] `[MEDIUM]` New features create: `components/`, `hooks/`, `types/` subdirectories
+- [ ] `[MEDIUM]` TanStack Query hooks in `features/{name}/hooks/` — NOT co-located with components
+- [ ] `[MEDIUM]` Zod schemas in `features/{name}/types/{name}.schemas.ts`
+- [ ] `[LOW]` Feature index only exports what external consumers actually need (no over-exposure)
+
+---
+
+## Testing (ref: testing.md)
+
+- [ ] `[HIGH]` Test files co-located with source (`user-card.test.tsx` next to `user-card.tsx`)
+- [ ] `[HIGH]` `@testing-library/user-event` used — NOT `fireEvent`
+- [ ] `[HIGH]` API calls mocked with MSW — NOT `jest.mock('fetch')` or `global.fetch = jest.fn()`
+- [ ] `[MEDIUM]` Hook tests use `QueryClientWrapper` helper with `retry: false`
+- [ ] `[MEDIUM]` Tests cover happy path + one error path per component
+- [ ] `[LOW]` No snapshot tests — use `expect(screen.getByText(...))`
+
+---
+
+## Quick Pre-Merge Checklist
+
+```
+[ ] node scripts/scan-nextjs.mjs src/ — 0 CRITICAL findings
+[ ] File names are kebab-case (UserCard.tsx → user-card.tsx)
+[ ] 'use client' only on interactive components (hooks or event handlers)
+[ ] No useEffect for data fetching — Server Component or useQuery
+[ ] Zod schema defined first, type derived with z.infer<>
+[ ] zodResolver connected to useForm, useMutation for submit
+[ ] Query key factory used (userKeys.lists() not ['users'])
+[ ] Feature public API via features/{name}/index.ts
+[ ] components/ui/ files untouched (shadcn CLI only)
+[ ] Tests: userEvent not fireEvent, MSW not mock fetch
+```
+
+---
+
+*Covers: naming-conventions.md + app-router.md + components.md + data-fetching.md + forms.md + state-management.md + testing.md + project-structure.md*
+*MORPH-SPEC by Polymorphism Tech*

package/framework/skills/level-0-meta/{frontend-review → morph-frontend-review}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: frontend-review
+name: morph:frontend-review
 description: Auditoria completa do frontend — valida design outputs (design-system, contraste WCAG,
   mockups), scan estático de acessibilidade (TSX + Razor), screenshots responsivos em 3
   breakpoints via Playwright, axe-core a11y em runtime, e SEO (Next.js metadata). Cobre Next.js
@@ -10,7 +10,7 @@ allowed-tools: Read, Write, Edit, Bash, Glob, Grep,
   mcp__playwright__browser_navigate, mcp__playwright__browser_resize,
   mcp__playwright__browser_take_screenshot, mcp__playwright__browser_snapshot,
   mcp__playwright__browser_evaluate, mcp__playwright__browser_console_messages
-cliVersion: "4.8.14"
+cliVersion: "4.8.19"
 ---
 
 # Frontend Review
@@ -28,7 +28,7 @@ cliVersion: "4.8.14"
 ## Step 0 — Detectar Contexto e Stack
 
 ```bash
-node .claude/skills/post-implementation/scripts/detect-stack.mjs
+node .claude/skills/morph-post-implementation/scripts/detect-stack.mjs
 ```
 
 Output JSON: `{ stack: "DOTNET" | "NEXTJS" | "FULLSTACK" | "UNKNOWN", frontendPath, backendPath, startCommand }`
@@ -79,7 +79,7 @@ contraste ≥ 4.5:1. Ferramentas de referência: WebAIM Contrast Checker (crité
 ## Step 2 — Scan Estático de Acessibilidade
 
 ```bash
-node .claude/skills/frontend-review/scripts/scan-accessibility.mjs $frontendPath
+node .claude/skills/morph-frontend-review/scripts/scan-accessibility.mjs $frontendPath
 ```
 
 O script detecta automaticamente a extensão dos arquivos para determinar Next.js (`.tsx`) vs
@@ -108,7 +108,7 @@ Corrija todos os CRITICALs antes de continuar. Para HIGH < 3, registre no resumo
 ### Se NEXTJS ou FULLSTACK:
 
 ```bash
-node .claude/skills/code-review-nextjs/scripts/scan-nextjs.mjs $frontendPath
+node .claude/skills/morph-code-review-nextjs/scripts/scan-nextjs.mjs $frontendPath
 ```
 
 > Pular se já executado pelo `post-implementation` na mesma sessão.
@@ -138,7 +138,7 @@ Verificar manualmente as categorias principais do checklist para o feature imple
 ### 4a. Detectar Dev Server
 
 ```bash
-node .claude/skills/post-implementation/scripts/detect-dev-server.mjs "$startCommand"
+node .claude/skills/morph-post-implementation/scripts/detect-dev-server.mjs "$startCommand"
 ```
 
 ### 4b. Se dev server disponível (exit 0):
@@ -178,7 +178,7 @@ await mcp__playwright__browser_take_screenshot({
 ```
 
 Screenshots salvos em: `.morph/features/$ARGUMENTS/visual-screenshots/`
-(funciona tanto na fase `2-ui` quanto na `4-implement`)
+(funciona tanto na fase `2-ui` quanto na `5-implement`)
 
 ### 4c. Se dev server NÃO disponível (exit 1):
 
@@ -190,7 +190,7 @@ Solicite confirmação explícita ao usuário antes de pular os screenshots:
 Dev server não detectado. Screenshots responsivos via Playwright não podem ser capturados.
 
 Opções:
-1. Inicie manualmente o servidor e re-execute /frontend-review
+1. Inicie manualmente o servidor e re-execute /morph:frontend-review
 2. Confirme explicitamente que deseja pular os screenshots e por quê
 
 Não é possível prosseguir para axe-core sem dev server.
@@ -297,7 +297,7 @@ Criar arquivo de resumo consolidado:
 mkdir -p ".morph/features/$ARGUMENTS/visual-screenshots"
 ```
 
-Salvar em `.morph/features/$ARGUMENTS/visual-screenshots/frontend-review-summary.md`:
+Salvar em `.morph/features/$ARGUMENTS/visual-screenshots/morph:frontend-review-summary.md`:
 
 ```markdown
 # Frontend Review — {feature}

package/framework/skills/level-0-meta/morph-init/SKILL.md

@@ -1,11 +1,11 @@
 ---
-name: morph-init
+name: morph:init
 description: >
   LLM-powered project initialization. Installs morph-spec infrastructure if
   needed, auto-installs required plugins (superpowers, context7), analyzes any
   project structure intelligently, generates rich context/README.md and
   config.json, and configures MCPs. Use once per project after installing
-  @polymorphism-tech/morph-spec. Re-run with /morph-init refresh to update
+  @polymorphism-tech/morph-spec. Re-run with /morph:init refresh to update
   context as the project evolves.
 argument-hint: "[refresh]"
 user-invocable: true
@@ -15,7 +15,7 @@ allowed-tools: Read, Write, Edit, Bash, Glob, Grep
 # morph-init — LLM-Powered Project Initialization
 
 > Run once after `npm install @polymorphism-tech/morph-spec`.
-> Re-run as `/morph-init refresh` when your project evolves.
+> Re-run as `/morph:init refresh` when your project evolves.
 
 ---
 
@@ -55,7 +55,7 @@ claude plugin install superpowers@claude-plugins-official
 claude plugin install context7@claude-plugins-official
 ```
 
-**If the command succeeds:** `✓ {plugin} installed. Restart Claude Code after /morph-init completes.`
+**If the command succeeds:** `✓ {plugin} installed. Restart Claude Code after /morph:init completes.`
 
 **If the command fails:** Show this and **STOP** — do not continue:
 
@@ -63,7 +63,7 @@ claude plugin install context7@claude-plugins-official
 Plugin {plugin} could not be installed automatically.
 Run manually and restart Claude Code:
   claude plugin install {plugin}
-Then re-run /morph-init.
+Then re-run /morph:init.
 ```
 
 Both `superpowers` and `context7` are required. Do not continue if either is missing.
@@ -236,17 +236,43 @@ Para criar um novo projeto VSA:
 For each detected integration with an available MCP:
 
 **Supabase detected:**
-> *"Configure Supabase MCP now? I'll need `SUPABASE_URL` and `SERVICE_ROLE_KEY`."*
-- YES → collect credentials → add to `.claude/settings.local.json` under `mcpServers`
+> *"Configure Supabase MCP? Uses OAuth — no credentials needed."*
+- YES → write remote config to `.claude/settings.local.json`:
+  ```json
+  "supabase": { "type": "http", "url": "https://mcp.supabase.com/mcp" }
+  ```
 - NO → show snippet + `npx morph-spec mcp setup supabase`
 
 **GitHub:**
-> *"Configure GitHub MCP? I'll need a `GITHUB_PERSONAL_ACCESS_TOKEN`."*
-- YES/NO → same pattern
+> *"Configure GitHub MCP? Requires Docker + a `GITHUB_PERSONAL_ACCESS_TOKEN`."*
+- YES → collect token → write Docker config:
+  ```json
+  "github": {
+    "command": "docker",
+    "args": ["run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", "ghcr.io/github/github-mcp-server"],
+    "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "<token>" }
+  }
+  ```
+- NO → show snippet + `npx morph-spec mcp setup github`
 
-Only offer Figma, Docker, Azure if explicitly detected in `.env.example`.
+**Vercel detected** (vercel.json exists OR stack is nextjs):
+> *"Configure Vercel MCP? Uses OAuth — no credentials needed."*
+- YES → write remote config:
+  ```json
+  "vercel": { "type": "http", "url": "https://mcp.vercel.com" }
+  ```
+- NO → show snippet + `npx morph-spec mcp setup vercel`
+
+Only offer Docker, Azure if explicitly detected in `.env.example`.
 
-> **Format rule:** Always write MCP entries with `"command": "cmd"` and `"/c"` as the **first element of `"args"`**:
+> **Format rules for MCP configs:**
+>
+> **Remote MCPs** (Supabase, Vercel) — no credentials, OAuth-based:
+> ```json
+> "mcp-name": { "type": "http", "url": "https://mcp.example.com" }
+> ```
+>
+> **Stdio MCPs** (Context7, Playwright) — local process with `cmd /c` on Windows:
 > ```json
 > "mcp-name": {
 >   "command": "cmd",
@@ -254,11 +280,50 @@ Only offer Figma, Docker, Azure if explicitly detected in `.env.example`.
 >   "env": { "KEY": "VALUE" }
 > }
 > ```
+>
+> **Docker MCPs** (GitHub) — Docker container:
+> ```json
+> "mcp-name": {
+>   "command": "docker",
+>   "args": ["run", "-i", "--rm", "-e", "TOKEN_VAR", "ghcr.io/org/image"],
+>   "env": { "TOKEN_VAR": "<value>" }
+> }
+> ```
+>
 > **Never** use `"command": "cmd /c"` (space-separated string) — that is invalid and will fail.
 > **Never** use `"command": "npx"` directly — it also fails on Windows without `cmd`.
 
 ---
 
+## Step 7.5 — Validate MCP Connections
+
+For each MCP configured in Step 7, run a health check to verify it actually works.
+
+**Read the registry:** `framework/skills/level-0-meta/mcp-registry.json` → for each configured MCP, get its `healthCheck` object.
+
+**For each configured MCP:**
+
+1. **Find available tool:** Search your available tools for one matching `healthCheck.toolPattern` (substring match — e.g., tool name contains "context7")
+2. **If tool found → execute the test call:** Follow `healthCheck.testCall` using `healthCheck.testParams`
+3. **Evaluate result:**
+
+| Result | Action |
+|--------|--------|
+| **Success** (matches `healthCheck.successIndicator`) | Print `✓ {MCP} — connection verified` |
+| **Tool not found** (no tool matching `toolPattern`) | Print `○ {MCP} — needs restart to activate` (MCP configured but tools not yet loaded) |
+| **Error** (tool found but call fails) | → **AskUserQuestion** (see below) |
+
+**On error — ask user with 3 options:**
+
+Use `AskUserQuestion` with header `"{MCP} failed"` and these options:
+- **Reconfigure credentials** — Loop back to Step 7 for this specific MCP. Maximum 2 retries per MCP. After 2 failures, force option 2.
+- **Continue without {MCP}** — Show the `fallback` field from the registry (e.g., "WebSearch + WebFetch for library documentation") and proceed.
+- **Stop init** — Abort initialization. User must fix MCP configuration manually and re-run `/morph:init`.
+
+**Retry tracking:** Keep a counter per MCP. On the 2nd failure for the same MCP, skip the "Reconfigure" option and only offer "Continue without" or "Stop".
+
+---
+
 ## Step 8 — Final Output
 
 Before printing the summary, check `~/.claude/settings.local.json` for `env.CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`. If set to `"1"`, mark Agent Teams as enabled; otherwise show the warning.
@@ -271,7 +336,7 @@ Before printing the summary, check `~/.claude/settings.local.json` for `env.CLAU
 ✓ config.json updated
   Stack: [stack]  |  Architecture: [architecture]
   Integrations:   [list]
-✓ MCPs: [configured list]
+✓ MCPs: [configured list] ([N verified] / [M needs restart] / [K failed])
 
 [If CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS = "1":]
 ✓ Agent Teams: enabled