@qlucent/fishi-core 0.9.0 → 0.12.0

package/dist/index.js

@@ -2604,6 +2604,380 @@ BLOCKERS: <list any blockers or "none">
 `;
 }
 
+// src/templates/agents/domains/saas-architect.ts
+function getSaasArchitectTemplate() {
+  return `---
+name: saas-architect
+description: >
+  Specialized architect for SaaS applications. Deep knowledge of
+  subscription billing, multi-tenancy, user management, and SaaS-specific
+  patterns. Activated when project domain is SaaS.
+model: opus
+role: worker
+reports_to: planning-lead
+domain: saas
+---
+
+# SaaS Architect \u2014 Domain Specialist
+
+You are a specialized architect for Software-as-a-Service applications.
+
+## Domain Knowledge
+
+### Billing & Subscriptions
+- Stripe integration patterns (checkout, billing portal, webhooks, metered billing)
+- Subscription lifecycle: trial \u2192 active \u2192 past_due \u2192 canceled \u2192 expired
+- Plan tiers: free, starter, pro, enterprise with feature flags
+- Usage-based pricing: metered billing, overage charges, credits
+- Invoice generation, proration, refunds
+- Tax handling: Stripe Tax, tax-exempt customers
+
+### Multi-Tenancy
+- Database strategies: shared DB with tenant_id column (recommended for most), schema-per-tenant, DB-per-tenant
+- Row-level security (RLS) with PostgreSQL policies
+- Tenant isolation: API keys, data separation, rate limiting per tenant
+- Subdomain routing: tenant.app.com or app.com/tenant
+- Tenant-aware caching (Redis with tenant prefix)
+
+### Authentication & Authorization
+- Auth providers: Clerk, Auth0, Supabase Auth, NextAuth
+- Role-based access control (RBAC): owner, admin, member, viewer
+- Organization/team management with invitations
+- SSO/SAML for enterprise plans
+- API key management for developer plans
+
+### SaaS Patterns
+- Onboarding flows: signup \u2192 verify email \u2192 create org \u2192 invite team \u2192 first value
+- Feature flags per plan tier (LaunchDarkly, Statsig, or custom)
+- Usage dashboards and analytics
+- Admin panel: user management, billing overview, feature toggles
+- Webhook delivery system for integrations
+- Rate limiting per plan tier
+
+### Infrastructure
+- Vercel/AWS for hosting
+- PostgreSQL + Prisma/Drizzle for database
+- Redis for caching and rate limiting
+- S3 for file storage
+- SendGrid/Resend for transactional email
+- PostHog/Mixpanel for analytics
+
+## When Activated
+This agent is activated when the project domain is "saas". It provides architectural
+guidance to the Architect Agent and Dev Lead during the architecture and development phases.
+`;
+}
+
+// src/templates/agents/domains/marketplace-architect.ts
+function getMarketplaceArchitectTemplate() {
+  return `---
+name: marketplace-architect
+description: >
+  Specialized architect for marketplace and platform applications.
+  Deep knowledge of two-sided marketplaces, escrow, disputes, vendor management.
+model: opus
+role: worker
+reports_to: planning-lead
+domain: marketplace
+---
+
+# Marketplace Architect \u2014 Domain Specialist
+
+You are a specialized architect for marketplace and platform applications.
+
+## Domain Knowledge
+
+### Two-Sided Marketplace Core
+- Buyer and seller flows: separate dashboards, permissions, onboarding
+- Product/service listing: categories, search, filters, sorting
+- Search relevance: Algolia, Meilisearch, or PostgreSQL full-text
+- Review and rating system: verified purchase reviews, seller ratings
+- Discovery algorithms: trending, recommended, recently added
+
+### Payments & Escrow
+- Stripe Connect: Standard, Express, or Custom accounts for sellers
+- Payment splitting: platform fee + seller payout
+- Escrow: hold funds until delivery confirmed
+- Refund flows: buyer-initiated, seller-approved, admin-override
+- Payout schedules: instant, daily, weekly for sellers
+- Multi-currency support
+
+### Trust & Safety
+- Dispute resolution workflow: buyer files \u2192 seller responds \u2192 admin mediates
+- Fraud detection: velocity checks, suspicious activity flags
+- Identity verification: KYC for sellers (Stripe Identity)
+- Content moderation: listing approval, flagging, automated scanning
+- Seller verification badges and trust scores
+
+### Vendor Management
+- Seller onboarding: application \u2192 review \u2192 approval \u2192 listing
+- Seller dashboard: orders, earnings, analytics, inventory
+- Commission structures: flat fee, percentage, tiered
+- Seller performance metrics: response time, fulfillment rate, ratings
+- Inventory management and stock tracking
+
+### Logistics & Fulfillment
+- Order lifecycle: placed \u2192 confirmed \u2192 shipped \u2192 delivered \u2192 completed
+- Shipping integration: label generation, tracking
+- Digital delivery: instant download, license keys, access grants
+- Service booking: calendar, availability, scheduling
+
+### Infrastructure
+- Next.js/Nuxt for frontend
+- PostgreSQL + Prisma for complex relational data
+- Redis for search caching and rate limiting
+- S3/Cloudinary for media (product images, documents)
+- Stripe Connect for payments
+- SendGrid for transactional + notification emails
+`;
+}
+
+// src/templates/agents/domains/mobile-architect.ts
+function getMobileArchitectTemplate() {
+  return `---
+name: mobile-architect
+description: >
+  Specialized architect for mobile-first and PWA applications.
+  Deep knowledge of offline sync, push notifications, responsive design.
+model: opus
+role: worker
+reports_to: planning-lead
+domain: mobile
+---
+
+# Mobile Architect \u2014 Domain Specialist
+
+You are a specialized architect for mobile-first and progressive web applications.
+
+## Domain Knowledge
+
+### Progressive Web App (PWA)
+- Service worker lifecycle: install \u2192 activate \u2192 fetch
+- Cache strategies: cache-first, network-first, stale-while-revalidate
+- App manifest: icons, theme color, display mode, start URL
+- Install prompt: beforeinstallprompt event handling
+- Web push notifications: VAPID keys, subscription management
+- Background sync: deferred actions when offline
+
+### Offline-First Architecture
+- IndexedDB for structured client-side storage
+- Sync queue: track pending changes, replay when online
+- Conflict resolution: last-write-wins, merge strategies, CRDT
+- Optimistic UI: show changes immediately, reconcile later
+- Network status detection and UI indicators
+
+### Push Notifications
+- Firebase Cloud Messaging (FCM) for cross-platform
+- Web Push API with VAPID authentication
+- Notification categories: transactional, marketing, system
+- Permission flow: contextual ask, not on first visit
+- Badge counts and notification grouping
+
+### Responsive Design
+- Mobile-first CSS with min-width breakpoints
+- Touch-friendly targets: 44px minimum tap area
+- Gesture handling: swipe, pull-to-refresh, long-press
+- Safe area insets for notched devices
+- Viewport management: zoom prevention, keyboard handling
+
+### Performance
+- Core Web Vitals: LCP < 2.5s, FID < 100ms, CLS < 0.1
+- Image optimization: WebP/AVIF, srcset, lazy loading
+- Code splitting: route-based, component-based
+- Skeleton screens and progressive loading
+- Bundle analysis and tree shaking
+
+### Cross-Platform Options
+- React Native / Expo for native apps
+- Capacitor for PWA-to-native bridge
+- Tauri for desktop + mobile
+- Flutter for full cross-platform
+`;
+}
+
+// src/templates/agents/domains/aiml-architect.ts
+function getAimlArchitectTemplate() {
+  return `---
+name: aiml-architect
+description: >
+  Specialized architect for AI/ML applications.
+  Deep knowledge of RAG pipelines, embeddings, fine-tuning, model serving.
+model: opus
+role: worker
+reports_to: planning-lead
+domain: aiml
+---
+
+# AI/ML Architect \u2014 Domain Specialist
+
+You are a specialized architect for AI and machine learning applications.
+
+## Domain Knowledge
+
+### RAG (Retrieval-Augmented Generation)
+- Document ingestion: PDF, HTML, Markdown, code files
+- Chunking strategies: fixed-size, semantic, recursive character splitting
+- Embedding models: OpenAI text-embedding-3, Cohere embed, local (sentence-transformers)
+- Vector databases: Pinecone, Weaviate, Qdrant, Chroma, pgvector
+- Retrieval: semantic search, hybrid search (keyword + semantic), reranking
+- Context window management: chunk selection, relevance scoring, deduplication
+
+### LLM Integration
+- API providers: Anthropic (Claude), OpenAI (GPT), Google (Gemini), local (Ollama)
+- Prompt engineering: system prompts, few-shot, chain-of-thought
+- Streaming responses: SSE, WebSocket, token-by-token rendering
+- Function calling / tool use: structured output, JSON mode
+- Rate limiting, retry logic, fallback providers
+- Cost tracking: token counting, budget alerts
+
+### Fine-Tuning
+- When to fine-tune vs prompt engineering vs RAG
+- Data preparation: JSONL format, train/val split, quality filtering
+- Fine-tuning APIs: OpenAI, Anthropic (coming), Together AI
+- Evaluation: automated benchmarks, human evaluation, A/B testing
+- Model versioning and rollback
+
+### AI Application Patterns
+- Chatbot: conversation memory, context management, guardrails
+- Code assistant: LSP integration, codebase indexing, context-aware suggestions
+- Content generation: templates, brand voice, review pipeline
+- Data extraction: structured output from unstructured text
+- Agents: tool use, planning, multi-step reasoning
+
+### Infrastructure
+- Model serving: replicate, modal, runpod, local GPU
+- Vector DB hosting: managed (Pinecone) vs self-hosted (pgvector)
+- Caching: semantic cache for similar queries
+- Observability: LangSmith, Helicone, custom logging
+- A/B testing: prompt variants, model comparison
+`;
+}
+
+// src/templates/agents/domains/deep-research.ts
+function getDeepResearchAgentTemplate() {
+  return `---
+name: deep-research-agent
+description: >
+  Autonomous research agent that gathers domain intelligence, competitive analysis,
+  tech stack evaluation, and best practices. Produces structured research reports
+  for other agents to use as context. Uses web search, documentation crawling,
+  and synthesis to build comprehensive knowledge.
+model: opus
+role: worker
+reports_to: planning-lead
+---
+
+# Deep Research Agent
+
+You are FISHI's autonomous research agent. Your role is to gather, synthesize, and
+report information that other agents need to make informed decisions.
+
+## Research Types
+
+### 1. Domain Research
+**When:** Discovery phase
+**Goal:** Understand the target domain deeply
+**Process:**
+1. Search for industry overview, market size, key players
+2. Identify regulatory requirements and compliance needs
+3. Find common user expectations and pain points
+4. Map the competitive landscape
+5. Identify domain-specific terminology
+
+**Output:** \`.fishi/research/domain-analysis.md\`
+
+### 2. Competitive Analysis
+**When:** PRD phase
+**Goal:** Analyze competitor products
+**Process:**
+1. Identify top 5-10 competitors in the space
+2. Analyze their feature sets, pricing, UX patterns
+3. Find their strengths and weaknesses
+4. Identify market gaps and opportunities
+5. Extract UX patterns worth adopting
+
+**Output:** \`.fishi/research/competitive-analysis.md\`
+
+### 3. Tech Stack Research
+**When:** Architecture phase
+**Goal:** Evaluate technology options
+**Process:**
+1. Research current best practices for the chosen stack
+2. Compare framework options (performance, ecosystem, community)
+3. Evaluate hosting/deployment options and costs
+4. Research database options for the data model
+5. Find proven integration patterns
+
+**Output:** \`.fishi/research/tech-stack-evaluation.md\`
+
+### 4. Best Practices Research
+**When:** Before Development
+**Goal:** Gather current patterns and anti-patterns
+**Process:**
+1. Search for latest framework documentation and guides
+2. Find community-recommended patterns for the stack
+3. Identify common pitfalls and anti-patterns
+4. Research testing strategies for the chosen tools
+5. Find performance optimization techniques
+
+**Output:** \`.fishi/research/best-practices.md\`
+
+### 5. Security Research
+**When:** Before Deployment
+**Goal:** Identify security considerations
+**Process:**
+1. Research known vulnerabilities for chosen dependencies
+2. Find OWASP guidelines relevant to the project type
+3. Identify authentication/authorization best practices
+4. Research data protection requirements (GDPR, CCPA)
+5. Find security testing approaches
+
+**Output:** \`.fishi/research/security-assessment.md\`
+
+## Report Format
+
+Every research report follows this structure:
+
+\`\`\`markdown
+# [Research Type] \u2014 [Project Name]
+**Date:** [timestamp]
+**Researcher:** deep-research-agent
+**Confidence:** high|medium|low
+
+## Executive Summary
+[2-3 sentence overview of findings]
+
+## Key Findings
+1. [Finding with supporting evidence]
+2. [Finding with supporting evidence]
+...
+
+## Recommendations
+- [Actionable recommendation for other agents]
+- [Actionable recommendation for other agents]
+
+## Sources
+- [Source 1 with URL]
+- [Source 2 with URL]
+
+## Raw Data
+[Detailed notes and excerpts organized by topic]
+\`\`\`
+
+## Tools Available
+- Web search via MCP (perplexity, context7)
+- Documentation fetching via WebFetch
+- GitHub repository analysis via MCP (github)
+- Package registry search (npm, PyPI)
+
+## Integration
+- Reports saved to \`.fishi/research/\` directory
+- Other agents reference reports via memory system
+- Research findings feed into PRD and architecture decisions
+- Updated research can trigger architecture revisions
+`;
+}
+
 // src/templates/skills/brainstorming.ts
 function getBrainstormingSkill() {
   return `# Brainstorming & Design Refinement Skill
@@ -3940,6 +4314,64 @@ documentation as a first-class deliverable, not an afterthought.
 `;
 }
 
+// src/templates/skills/deep-research.ts
+function getDeepResearchSkill() {
+  return `---
+name: deep-research
+description: Autonomous research workflow \u2014 domain analysis, competitive intel, tech stack evaluation, best practices gathering
+---
+
+# Deep Research Skill
+
+## Purpose
+Conduct structured autonomous research to inform project decisions.
+Used by the Deep Research Agent during Discovery, PRD, and Architecture phases.
+
+## Workflow
+
+### Step 1: Define Research Scope
+- What domain/topic needs research?
+- What specific questions need answers?
+- What decisions will this research inform?
+
+### Step 2: Gather Information
+- Search web for current information (use MCP tools)
+- Read relevant documentation and guides
+- Analyze competitor products and patterns
+- Check package registries for library options
+
+### Step 3: Synthesize Findings
+- Organize by topic with evidence
+- Rate confidence: high (multiple sources agree), medium (some evidence), low (limited data)
+- Identify gaps where more research is needed
+
+### Step 4: Produce Report
+Save to \`.fishi/research/{topic}.md\` with standard format:
+- Executive Summary
+- Key Findings (numbered, with evidence)
+- Recommendations (actionable)
+- Sources (with URLs)
+
+### Step 5: Feed to Agents
+- Notify planning-lead of completed research
+- Update agent memory with key findings
+- Reference in PRD and architecture documents
+
+## Research Commands
+\`\`\`bash
+node .fishi/scripts/phase-runner.mjs current   # Check current phase
+node .fishi/scripts/memory-manager.mjs write --agent deep-research-agent --key domain-research --value "findings..."
+\`\`\`
+
+## Quality Checklist
+- [ ] Multiple sources consulted (not just one)
+- [ ] Findings are current (within last 12 months)
+- [ ] Recommendations are specific and actionable
+- [ ] Confidence levels assigned to each finding
+- [ ] Sources are cited with URLs
+`;
+}
+
 // src/templates/hooks/session-start.ts
 function getSessionStartHook() {
   return `#!/usr/bin/env node
@@ -10308,6 +10740,160 @@ tasks where speed matters more than nuance.
 `;
 }
 
+// src/templates/configs/soul-md.ts
+function getSoulMdTemplate() {
+  return `# SOUL.md \u2014 FISHI Agent Boundaries
+
+> This file defines absolute boundaries that NO agent may cross autonomously.
+> These rules override all other instructions, skills, and commands.
+
+## Core Principles
+
+1. **Human authority is final.** Agents assist; humans decide.
+2. **Reversibility first.** Prefer reversible actions. Irreversible actions require human confirmation.
+3. **Least privilege.** Agents operate with minimum necessary access.
+4. **Transparency.** All agent actions are logged and observable.
+
+## Absolute Boundaries
+
+### Never Do Autonomously
+- Delete files, directories, or data without explicit human approval
+- Push code to production branches (main, master, production) without gate approval
+- Modify environment variables, secrets, or credentials
+- Make external API calls to services not in the sandbox allowlist
+- Install global packages or modify system configuration
+- Access files outside the assigned worktree (workers)
+- Execute shell commands that affect other users or processes
+- Disable safety hooks, permission rules, or gate requirements
+- Bypass the phase pipeline or skip mandatory gates
+- Send emails, messages, or notifications to external services
+- Access or transmit user personal data
+- Modify CI/CD pipelines without human review
+
+### Always Require Human Confirmation
+- Merging branches into main/dev
+- Deploying to any environment (staging, production)
+- Adding new external dependencies
+- Changing database schemas
+- Modifying authentication/authorization logic
+- Creating or modifying API endpoints that handle user data
+- Any action flagged by the security agent
+
+### Always Do
+- Log all significant actions to .fishi/logs/
+- Emit monitoring events via monitor-emitter
+- Work within assigned worktree boundaries
+- Follow the phase pipeline sequence
+- Submit work as PRs for review
+- Run tests before submitting work
+- Check sandbox policy before external access
+
+## Enforcement
+
+These boundaries are enforced at three levels:
+1. **SOUL.md** (this file) \u2014 read by all agents at session start
+2. **AGENTS.md** \u2014 per-role action gates
+3. **Tool permissions** \u2014 per-agent allow/deny lists in settings.json
+
+Violation of these boundaries should be reported to the master-orchestrator
+and logged as a critical learnings entry.
+`;
+}
+
+// src/templates/configs/agents-md.ts
+function getAgentsMdTemplate() {
+  return `# AGENTS.md \u2014 FISHI Role-Based Action Gates
+
+> Maps which actions require approval per agent role.
+> Read alongside SOUL.md for complete safety configuration.
+
+## Role Hierarchy
+
+\`\`\`
+Level 0: Master Orchestrator \u2014 strategy only, no code, no file writes
+Level 1: Coordinators \u2014 task assignment, code review, limited writes
+Level 2: Workers \u2014 full dev within worktree, no merge, no deploy
+\`\`\`
+
+## Action Permissions by Role
+
+### Master Orchestrator (L0)
+| Action | Permission |
+|--------|-----------|
+| Read files | Allowed |
+| Write/Edit files | **DENIED** \u2014 delegates to coordinators |
+| Run shell commands | **DENIED** \u2014 delegates to workers |
+| Approve gates | Allowed (with human confirmation) |
+| Assign tasks | Allowed |
+| Create agents | Allowed (dynamic agent factory) |
+| Merge branches | **DENIED** \u2014 requires human gate approval |
+| Deploy | **DENIED** \u2014 requires deployment gate |
+| Delete files | **DENIED** |
+
+### Coordinators (L1)
+| Action | Permission |
+|--------|-----------|
+| Read files | Allowed |
+| Write/Edit files | Allowed (planning docs, task assignments) |
+| Run shell commands | Allowed (git status, test runs, non-destructive) |
+| Approve worker PRs | Allowed (code review) |
+| Create worktrees | Allowed |
+| Merge to dev branch | Allowed (after review) |
+| Merge to main/production | **DENIED** \u2014 requires gate |
+| Delete files | **DENIED** \u2014 archive instead |
+| Install dependencies | Allowed (within sandbox) |
+| Modify configs | **REQUIRES CONFIRMATION** |
+
+### Workers (L2)
+| Action | Permission |
+|--------|-----------|
+| Read files | Allowed (within worktree + shared) |
+| Write/Edit files | Allowed (within worktree only) |
+| Run shell commands | Allowed (within worktree sandbox) |
+| Run tests | Allowed |
+| Install dev dependencies | Allowed (within sandbox) |
+| Commit to worktree branch | Allowed |
+| Push to worktree branch | Allowed |
+| Merge branches | **DENIED** \u2014 submit PR to coordinator |
+| Delete files | **DENIED** \u2014 request via coordinator |
+| Access main branch | **READ ONLY** |
+| External API calls | **DENIED** \u2014 unless in sandbox allowlist |
+
+## Destructive Action Protocol
+
+### Delete Operations
+1. **Files:** Never delete. Move to \`.fishi/archive/\` with timestamp.
+2. **Branches:** Only after merge confirmed + worktree cleaned.
+3. **Database records:** Never in production. Soft-delete only.
+4. **Dependencies:** Remove only via coordinator approval.
+
+### Archive Instead of Delete
+\`\`\`
+Instead of: rm -rf old-feature/
+Do:         mv old-feature/ .fishi/archive/old-feature-{timestamp}/
+\`\`\`
+
+### Escalation Path
+\`\`\`
+Worker encounters destructive need
+  \u2192 Reports to Coordinator
+    \u2192 Coordinator evaluates risk
+      \u2192 If safe: Coordinator executes with logging
+      \u2192 If risky: Escalate to Master
+        \u2192 Master requests human confirmation via gate
+\`\`\`
+
+## Emergency Stop
+
+If any agent detects behavior outside these boundaries:
+1. Log the incident to \`.fishi/logs/safety-incidents.log\`
+2. Emit \`safety.violation\` event to monitor
+3. Notify master-orchestrator
+4. Halt the violating agent's current task
+5. Wait for human review before resuming
+`;
+}
+
 // src/templates/factories/agent-template.ts
 function getAgentFactoryTemplate() {
   return `---
@@ -10691,6 +11277,7 @@ async function generateScaffold(targetDir, options) {
     ".claude/skills/brownfield-discovery",
     ".claude/skills/adaptive-taskgraph",
     ".claude/skills/documentation",
+    ".claude/skills/deep-research",
     ".claude/commands",
     "docs",
     ".fishi/plans/prd",
@@ -10708,6 +11295,8 @@ async function generateScaffold(targetDir, options) {
     ".fishi/todos/agents",
     ".fishi/learnings/by-domain",
     ".fishi/learnings/by-agent",
+    ".fishi/archive",
+    ".fishi/research",
     ".trees"
   ];
   for (const dir of dirs) {
@@ -10731,7 +11320,22 @@ async function generateScaffold(targetDir, options) {
   await write(".claude/agents/docs-agent.md", docsAgentTemplate(ctx), "agents");
   await write(".claude/agents/writing-agent.md", writingAgentTemplate(ctx), "agents");
   await write(".claude/agents/marketing-agent.md", marketingAgentTemplate(ctx), "agents");
-  const agentCount = 18;
+  let agentCount = 18;
+  await write(".claude/agents/deep-research-agent.md", getDeepResearchAgentTemplate(), "agents");
+  agentCount++;
+  if (options.domain && options.domain !== "general") {
+    const domainTemplates = {
+      saas: getSaasArchitectTemplate,
+      marketplace: getMarketplaceArchitectTemplate,
+      mobile: getMobileArchitectTemplate,
+      aiml: getAimlArchitectTemplate
+    };
+    const template = domainTemplates[options.domain];
+    if (template) {
+      await write(`.claude/agents/${options.domain}-architect.md`, template(), "agents");
+      agentCount++;
+    }
+  }
   await write(".fishi/agent-factory/agent-template.md", getAgentFactoryTemplate());
   await write(".fishi/agent-factory/coordinator-template.md", getCoordinatorFactoryTemplate());
   await write(".claude/skills/brainstorming/SKILL.md", getBrainstormingSkill(), "skills");
@@ -10746,7 +11350,8 @@ async function generateScaffold(targetDir, options) {
   await write(".claude/skills/brownfield-discovery/SKILL.md", getBrownfieldDiscoverySkill(), "skills");
   await write(".claude/skills/adaptive-taskgraph/SKILL.md", getAdaptiveTaskGraphSkill(), "skills");
   await write(".claude/skills/documentation/SKILL.md", getDocumentationSkill(), "skills");
-  const skillCount = 12;
+  await write(".claude/skills/deep-research/SKILL.md", getDeepResearchSkill(), "skills");
+  const skillCount = 13;
   await write(".fishi/scripts/session-start.mjs", getSessionStartHook());
   await write(".fishi/scripts/auto-checkpoint.mjs", getAutoCheckpointHook());
   await write(".fishi/scripts/agent-complete.mjs", getAgentCompleteHook());
@@ -10788,6 +11393,8 @@ async function generateScaffold(targetDir, options) {
   await write(".claude/commands/fishi-reset.md", getResetCommand(), "commands");
   await write(".claude/commands/fishi-prd.md", getPrdCommand(), "commands");
   const commandCount = 8;
+  await write("SOUL.md", getSoulMdTemplate());
+  await write("AGENTS.md", getAgentsMdTemplate());
   await write(".fishi/fishi.yaml", getFishiYamlTemplate({
     projectName: options.projectName,
     projectDescription: ctx.projectDescription,
@@ -11111,7 +11718,7 @@ async function createBackup(targetDir, conflictingFiles) {
       manifestFiles.push({ path: relPath, size: stat.size });
     }
   }
-  const fishiVersion = "0.9.0";
+  const fishiVersion = "0.12.0";
   const manifest = {
     timestamp: now.toISOString(),
     fishi_version: fishiVersion,
@@ -11780,6 +12387,635 @@ function walkDir(dir, extensions, result) {
   }
 }
 
+// src/generators/domain-manager.ts
+import { existsSync as existsSync8, readFileSync as readFileSync5 } from "fs";
+import { join as join8 } from "path";
+var DOMAIN_INFO = {
+  saas: {
+    label: "SaaS",
+    description: "Subscription billing, multi-tenancy, user management (Stripe, Auth0)",
+    agent: "saas-architect"
+  },
+  marketplace: {
+    label: "Marketplace",
+    description: "Two-sided platform, escrow, disputes, vendor management (Stripe Connect)",
+    agent: "marketplace-architect"
+  },
+  mobile: {
+    label: "Mobile / PWA",
+    description: "Progressive web app, offline sync, push notifications, responsive design",
+    agent: "mobile-architect"
+  },
+  aiml: {
+    label: "AI / ML",
+    description: "RAG pipelines, embeddings, fine-tuning, model serving, LLM integration",
+    agent: "aiml-architect"
+  },
+  general: {
+    label: "General",
+    description: "No domain specialization \u2014 use base agents only",
+    agent: null
+  }
+};
+function getAvailableDomains() {
+  return Object.entries(DOMAIN_INFO).map(([key, info]) => ({
+    value: key,
+    name: `${info.label} \u2014 ${info.description}`
+  }));
+}
+function readDomainConfig(projectDir) {
+  const yamlPath = join8(projectDir, ".fishi", "fishi.yaml");
+  if (!existsSync8(yamlPath)) {
+    return { domain: "general", domainAgent: null, researchEnabled: false };
+  }
+  const content = readFileSync5(yamlPath, "utf-8");
+  const domainMatch = content.match(/^\s*type:\s*(\w+)/m);
+  const researchMatch = content.match(/^\s*research_enabled:\s*(true|false)/m);
+  const domain = domainMatch?.[1] || "general";
+  return {
+    domain,
+    domainAgent: DOMAIN_INFO[domain]?.agent || null,
+    researchEnabled: researchMatch?.[1] === "true"
+  };
+}
+function getDomainConfigYaml(domain) {
+  const info = DOMAIN_INFO[domain];
+  return `
+domain:
+  type: ${domain}
+  label: "${info.label}"
+  specialist_agent: ${info.agent || "none"}
+  research_enabled: true
+`;
+}
+
+// src/generators/agent-permissions.ts
+function getPermissionsForRole(role) {
+  switch (role) {
+    case "master":
+      return {
+        role: "master",
+        allow: [
+          "Read",
+          "Glob",
+          "Grep",
+          "Agent",
+          "TodoRead",
+          "TodoWrite",
+          "WebFetch",
+          "WebSearch"
+        ],
+        deny: [
+          "Write",
+          "Edit",
+          "Bash(*)",
+          "NotebookEdit",
+          "Bash(rm *)",
+          "Bash(git push *)",
+          "Bash(git merge *)",
+          "Bash(npm *)",
+          "Bash(pnpm *)"
+        ]
+      };
+    case "coordinator":
+      return {
+        role: "coordinator",
+        allow: [
+          "Read",
+          "Write",
+          "Edit",
+          "Glob",
+          "Grep",
+          "Agent",
+          "TodoRead",
+          "TodoWrite",
+          "WebFetch",
+          "WebSearch",
+          "Bash(git status *)",
+          "Bash(git log *)",
+          "Bash(git diff *)",
+          "Bash(git branch *)",
+          "Bash(git checkout *)",
+          "Bash(git worktree *)",
+          "Bash(node *)",
+          "Bash(npx vitest *)",
+          "Bash(npx tsc *)",
+          "Bash(pnpm install *)",
+          "Bash(pnpm add *)",
+          "Bash(cat *)",
+          "Bash(ls *)",
+          "Bash(find *)"
+        ],
+        deny: [
+          "Bash(rm -rf *)",
+          "Bash(git push --force *)",
+          "Bash(git push * main)",
+          "Bash(git push * master)",
+          "Bash(git push * production)",
+          "Bash(git merge * main)",
+          "Bash(git merge * master)",
+          "Bash(sudo *)",
+          "Bash(chmod *)",
+          "Bash(shutdown *)",
+          "Bash(mkfs *)",
+          "Bash(dd *)",
+          "Bash(npm *)"
+        ]
+      };
+    case "worker":
+      return {
+        role: "worker",
+        allow: [
+          "Read",
+          "Write",
+          "Edit",
+          "Glob",
+          "Grep",
+          "Agent",
+          "TodoRead",
+          "TodoWrite",
+          "WebFetch",
+          "WebSearch",
+          "Bash(node *)",
+          "Bash(npx *)",
+          "Bash(pnpm *)",
+          "Bash(git add *)",
+          "Bash(git commit *)",
+          "Bash(git status *)",
+          "Bash(git log *)",
+          "Bash(git diff *)",
+          "Bash(tsc *)",
+          "Bash(eslint *)",
+          "Bash(prettier *)",
+          "Bash(cat *)",
+          "Bash(ls *)",
+          "Bash(find *)",
+          "Bash(grep *)",
+          "Bash(wc *)",
+          "Bash(head *)",
+          "Bash(tail *)",
+          "Bash(sort *)",
+          "Bash(mkdir *)",
+          "Bash(cp *)",
+          "Bash(mv *)"
+        ],
+        deny: [
+          "Bash(rm -rf *)",
+          "Bash(rm -r /)",
+          "Bash(git push --force *)",
+          "Bash(git push * main)",
+          "Bash(git push * master)",
+          "Bash(git push * production)",
+          "Bash(git merge *)",
+          "Bash(git branch -D *)",
+          "Bash(sudo *)",
+          "Bash(chmod 777 *)",
+          "Bash(shutdown *)",
+          "Bash(reboot *)",
+          "Bash(mkfs *)",
+          "Bash(dd *)",
+          "Bash(kill -9 *)",
+          "Bash(pkill *)",
+          "Bash(npm *)",
+          "Bash(curl * | sh)",
+          "Bash(wget * | sh)"
+        ]
+      };
+  }
+}
+function getAllPermissionSummary() {
+  const roles = ["master", "coordinator", "worker"];
+  const result = {};
+  for (const role of roles) {
+    const perms = getPermissionsForRole(role);
+    result[role] = { allowCount: perms.allow.length, denyCount: perms.deny.length };
+  }
+  return result;
+}
+function generatePermissionBlock(role) {
+  const perms = getPermissionsForRole(role);
+  const allowLines = perms.allow.map((r) => `    - "${r}"`).join("\n");
+  const denyLines = perms.deny.map((r) => `    - "${r}"`).join("\n");
+  return `permissions:
+  role: ${role}
+  allow:
+${allowLines}
+  deny:
+${denyLines}`;
+}
+
+// src/generators/security-scanner.ts
+import { readFileSync as readFileSync6, readdirSync as readdirSync2 } from "fs";
+import { join as join9, extname } from "path";
+var SCAN_RULES = [
+  // -- OWASP A01: Broken Access Control --
+  {
+    id: "no-cors-wildcard",
+    category: "OWASP-A01: Broken Access Control",
+    severity: "high",
+    pattern: /['"]Access-Control-Allow-Origin['"]\s*[,:]\s*['"]\*['"]/,
+    message: "CORS wildcard (*) allows any origin \u2014 restrict to specific domains",
+    fix: "Set Access-Control-Allow-Origin to specific trusted domains",
+    cwe: "CWE-942",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx"]
+  },
+  {
+    id: "no-open-redirect",
+    category: "OWASP-A01: Broken Access Control",
+    severity: "medium",
+    pattern: /redirect\s*\(\s*req\.(query|params|body)\./,
+    message: "Open redirect \u2014 user-controlled redirect target",
+    fix: "Validate redirect URLs against an allowlist of trusted domains",
+    cwe: "CWE-601",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx"]
+  },
+  // -- OWASP A02: Cryptographic Failures --
+  {
+    id: "no-hardcoded-secret",
+    category: "OWASP-A02: Cryptographic Failures",
+    severity: "critical",
+    pattern: /(?:password|secret|api_?key|token|auth|private_?key)\s*[:=]\s*['"][^'"]{8,}['"]/i,
+    message: "Possible hardcoded secret or credential",
+    fix: "Move secrets to environment variables (.env) and never commit them",
+    cwe: "CWE-798",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx", ".py", ".java", ".go", ".rb"],
+    exclude: /example|placeholder|test|mock|fake|dummy|sample|TODO|FIXME|xxx|your[_-]?/i
+  },
+  {
+    id: "no-md5",
+    category: "OWASP-A02: Cryptographic Failures",
+    severity: "high",
+    pattern: /(?:createHash|hashlib\.md5|MD5|md5)\s*\(\s*['"]?md5['"]?\s*\)/,
+    message: "MD5 is cryptographically broken \u2014 use SHA-256 or bcrypt",
+    fix: "Replace MD5 with SHA-256 for hashing or bcrypt/argon2 for passwords",
+    cwe: "CWE-328"
+  },
+  {
+    id: "no-weak-crypto",
+    category: "OWASP-A02: Cryptographic Failures",
+    severity: "medium",
+    pattern: /createHash\s*\(\s*['"]sha1['"]\s*\)/,
+    message: "SHA-1 is deprecated \u2014 use SHA-256 or stronger",
+    fix: 'Replace SHA-1 with SHA-256: createHash("sha256")',
+    cwe: "CWE-328",
+    fileTypes: [".ts", ".js", ".mjs"]
+  },
+  // -- OWASP A03: Injection --
+  {
+    id: "no-sql-injection",
+    category: "OWASP-A03: Injection",
+    severity: "critical",
+    pattern: /(?:query|execute|raw)\s*\(\s*[`'"].*\$\{.*\}.*[`'"]/,
+    message: "Possible SQL injection \u2014 string interpolation in query",
+    fix: 'Use parameterized queries: db.query("SELECT * FROM users WHERE id = $1", [userId])',
+    cwe: "CWE-89",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx"]
+  },
+  {
+    id: "no-command-injection",
+    category: "OWASP-A03: Injection",
+    severity: "critical",
+    pattern: /(?:exec|execSync|spawn|spawnSync)\s*\(\s*[`'"].*\$\{.*\}.*[`'"]/,
+    message: "Possible command injection \u2014 user input in shell command",
+    fix: "Use execFile() with argument array instead of string interpolation in exec()",
+    cwe: "CWE-78",
+    fileTypes: [".ts", ".js", ".mjs"],
+    exclude: /fishi|scripts|hooks/i
+  },
+  {
+    id: "no-eval",
+    category: "OWASP-A03: Injection",
+    severity: "high",
+    pattern: /\beval\s*\(/,
+    message: "eval() executes arbitrary code \u2014 never use with user input",
+    fix: "Replace eval() with JSON.parse() for data or a safe parser for expressions",
+    cwe: "CWE-95",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx"],
+    exclude: /['"]use strict['"]/
+  },
+  {
+    id: "no-dangerouslySetInnerHTML",
+    category: "OWASP-A03: Injection",
+    severity: "high",
+    pattern: /dangerouslySetInnerHTML/,
+    message: "dangerouslySetInnerHTML can lead to XSS if content is not sanitized",
+    fix: "Sanitize HTML with DOMPurify before using dangerouslySetInnerHTML, or use React components instead",
+    cwe: "CWE-79",
+    fileTypes: [".tsx", ".jsx"]
+  },
+  // -- OWASP A04: Insecure Design --
+  {
+    id: "no-console-log-sensitive",
+    category: "OWASP-A04: Insecure Design",
+    severity: "medium",
+    pattern: /console\.(log|info|debug)\s*\(.*(?:password|secret|token|key|credential|auth)/i,
+    message: "Logging sensitive data (password, secret, token)",
+    fix: "Remove sensitive data from log statements or use structured logging with redaction",
+    cwe: "CWE-532",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx"],
+    exclude: /\/\/|test|spec|mock/i
+  },
+  // -- OWASP A05: Security Misconfiguration --
+  {
+    id: "no-debug-mode",
+    category: "OWASP-A05: Security Misconfiguration",
+    severity: "medium",
+    pattern: /(?:DEBUG|debug)\s*[:=]\s*(?:true|1|['"]true['"])/,
+    message: "Debug mode enabled \u2014 disable in production",
+    fix: 'Use environment-based config: DEBUG = process.env.NODE_ENV !== "production"',
+    cwe: "CWE-489",
+    exclude: /test|spec|\.env\.example|\.env\.local/i
+  },
+  {
+    id: "no-http-only-false",
+    category: "OWASP-A05: Security Misconfiguration",
+    severity: "high",
+    pattern: /httpOnly\s*:\s*false/,
+    message: "Cookie httpOnly set to false \u2014 vulnerable to XSS cookie theft",
+    fix: "Set httpOnly: true for authentication cookies",
+    cwe: "CWE-1004",
+    fileTypes: [".ts", ".js", ".mjs"]
+  },
+  {
+    id: "no-secure-false",
+    category: "OWASP-A05: Security Misconfiguration",
+    severity: "medium",
+    pattern: /secure\s*:\s*false/,
+    message: "Cookie secure flag set to false \u2014 cookie sent over HTTP",
+    fix: "Set secure: true for cookies in production (HTTPS only)",
+    cwe: "CWE-614",
+    fileTypes: [".ts", ".js", ".mjs"],
+    exclude: /development|localhost|test/i
+  },
+  // -- OWASP A07: Identification and Authentication Failures --
+  {
+    id: "no-jwt-none-alg",
+    category: "OWASP-A07: Auth Failures",
+    severity: "critical",
+    pattern: /algorithm\s*[:=]\s*['"]none['"]/i,
+    message: 'JWT "none" algorithm \u2014 allows token forgery',
+    fix: 'Always specify a strong algorithm: { algorithm: "HS256" } or RS256',
+    cwe: "CWE-327",
+    fileTypes: [".ts", ".js", ".mjs"]
+  },
+  {
+    id: "no-weak-password-regex",
+    category: "OWASP-A07: Auth Failures",
+    severity: "low",
+    pattern: /password.*\.length\s*[<>=]+\s*[1-5]\b/,
+    message: "Weak password policy \u2014 minimum length too short",
+    fix: "Require minimum 8 characters with complexity requirements",
+    cwe: "CWE-521",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx"]
+  },
+  // -- OWASP A08: Software and Data Integrity --
+  {
+    id: "no-unsafe-deserialization",
+    category: "OWASP-A08: Data Integrity",
+    severity: "high",
+    pattern: /JSON\.parse\s*\(\s*req\.(body|query|params)/,
+    message: "Parsing untrusted input without validation",
+    fix: "Validate and sanitize input with zod, joi, or yup before parsing",
+    cwe: "CWE-502",
+    fileTypes: [".ts", ".js", ".mjs"]
+  },
+  // -- OWASP A09: Security Logging and Monitoring Failures --
+  {
+    id: "no-empty-catch",
+    category: "OWASP-A09: Logging Failures",
+    severity: "low",
+    pattern: /catch\s*\([^)]*\)\s*\{\s*\}/,
+    message: "Empty catch block \u2014 errors silently swallowed",
+    fix: 'Log the error: catch(e) { console.error("Context:", e); }',
+    cwe: "CWE-390",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx"]
+  },
+  // -- OWASP A10: Server-Side Request Forgery (SSRF) --
+  {
+    id: "no-ssrf",
+    category: "OWASP-A10: SSRF",
+    severity: "high",
+    pattern: /(?:fetch|axios|got|request|http\.get)\s*\(\s*(?:req\.|params\.|query\.|body\.)/,
+    message: "Possible SSRF \u2014 user-controlled URL in server-side request",
+    fix: "Validate URLs against an allowlist; block internal IPs (127.0.0.1, 10.x, 192.168.x)",
+    cwe: "CWE-918",
+    fileTypes: [".ts", ".js", ".mjs"]
+  },
+  // -- Additional SAST Rules --
+  {
+    id: "no-innerhtml",
+    category: "SAST: XSS",
+    severity: "high",
+    pattern: /\.innerHTML\s*=/,
+    message: "Direct innerHTML assignment \u2014 XSS vulnerability",
+    fix: "Use textContent for text, or sanitize with DOMPurify before innerHTML",
+    cwe: "CWE-79",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx"]
+  },
+  {
+    id: "no-document-write",
+    category: "SAST: XSS",
+    severity: "high",
+    pattern: /document\.write\s*\(/,
+    message: "document.write() can inject malicious content",
+    fix: "Use DOM manipulation methods (createElement, appendChild) instead",
+    cwe: "CWE-79",
+    fileTypes: [".ts", ".js", ".mjs", ".tsx", ".jsx"]
+  },
+  {
+    id: "no-prototype-pollution",
+    category: "SAST: Prototype Pollution",
+    severity: "medium",
+    pattern: /\[['"]__proto__['"]\]|\[['"]constructor['"]\]\s*\[['"]prototype['"]\]/,
+    message: "Potential prototype pollution via __proto__ or constructor.prototype",
+    fix: "Use Object.create(null) for dictionaries, validate keys against blocklist",
+    cwe: "CWE-1321",
+    fileTypes: [".ts", ".js", ".mjs"]
+  },
+  {
+    id: "no-unvalidated-file-path",
+    category: "SAST: Path Traversal",
+    severity: "high",
+    pattern: /(?:readFile|writeFile|readFileSync|writeFileSync|createReadStream)\s*\(\s*(?:req\.|params\.|query\.|body\.|`.*\$\{)/,
+    message: "User input in file path \u2014 possible path traversal (../../etc/passwd)",
+    fix: "Sanitize paths: use path.resolve() + verify within allowed directory",
+    cwe: "CWE-22",
+    fileTypes: [".ts", ".js", ".mjs"]
+  },
+  {
+    id: "no-env-in-client",
+    category: "SAST: Secret Exposure",
+    severity: "high",
+    pattern: /process\.env\.(?!NEXT_PUBLIC_|VITE_|NUXT_PUBLIC_)[\w]+/,
+    message: "Server-side env var accessed \u2014 ensure this is not in client-side code",
+    fix: "Use framework-specific public prefixes (NEXT_PUBLIC_, VITE_) for client-side env vars",
+    cwe: "CWE-200",
+    fileTypes: [".tsx", ".jsx"],
+    exclude: /server|api|middleware|getServerSideProps|getStaticProps|loader|action/i
+  },
+  {
+    id: "no-crypto-random",
+    category: "SAST: Weak Randomness",
+    severity: "medium",
+    pattern: /Math\.random\s*\(\)/,
+    message: "Math.random() is not cryptographically secure",
+    fix: "Use crypto.randomUUID() or crypto.getRandomValues() for security-sensitive operations",
+    cwe: "CWE-330",
+    fileTypes: [".ts", ".js", ".mjs"],
+    exclude: /test|spec|mock|animation|color|delay|jitter/i
+  }
+];
+function runSecurityScan(projectDir) {
+  const findings = [];
+  let filesScanned = 0;
+  const files = findScanFiles(projectDir);
+  for (const file of files) {
+    try {
+      const content = readFileSync6(file, "utf-8");
+      const lines = content.split("\n");
+      const relPath = file.replace(projectDir, "").replace(/\\/g, "/").replace(/^\//, "");
+      const ext = extname(file);
+      filesScanned++;
+      for (const rule of SCAN_RULES) {
+        if (rule.fileTypes && rule.fileTypes.length > 0 && !rule.fileTypes.includes(ext)) continue;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trimStart().startsWith("//") || line.trimStart().startsWith("*") || line.trimStart().startsWith("#")) continue;
+          if (rule.exclude && rule.exclude.test(line)) continue;
+          if (rule.pattern.test(line)) {
+            findings.push({
+              rule: rule.id,
+              category: rule.category,
+              severity: rule.severity,
+              file: relPath,
+              line: i + 1,
+              code: line.trim().slice(0, 120),
+              message: rule.message,
+              fix: rule.fix,
+              cwe: rule.cwe
+            });
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  const critical = findings.filter((f) => f.severity === "critical").length;
+  const high = findings.filter((f) => f.severity === "high").length;
+  const medium = findings.filter((f) => f.severity === "medium").length;
+  const low = findings.filter((f) => f.severity === "low").length;
+  const info = findings.filter((f) => f.severity === "info").length;
+  return {
+    findings,
+    summary: {
+      critical,
+      high,
+      medium,
+      low,
+      info,
+      total: findings.length,
+      filesScanned,
+      passed: critical === 0 && high === 0
+    },
+    scanDate: (/* @__PURE__ */ new Date()).toISOString(),
+    projectDir
+  };
+}
+function generateSecurityReport(report) {
+  const { findings, summary } = report;
+  let md = `# Security Scan Report
+
+`;
+  md += `**Date:** ${report.scanDate}
+`;
+  md += `**Files Scanned:** ${summary.filesScanned}
+`;
+  md += `**Status:** ${summary.passed ? "PASSED" : "FAILED"}
+
+`;
+  md += `## Summary
+
+`;
+  md += `| Severity | Count |
+|----------|-------|
+`;
+  md += `| Critical | ${summary.critical} |
+`;
+  md += `| High | ${summary.high} |
+`;
+  md += `| Medium | ${summary.medium} |
+`;
+  md += `| Low | ${summary.low} |
+`;
+  md += `| Info | ${summary.info} |
+`;
+  md += `| **Total** | **${summary.total}** |
+
+`;
+  if (findings.length === 0) {
+    md += `No security issues found.
+`;
+    return md;
+  }
+  const byCategory = {};
+  for (const f of findings) {
+    if (!byCategory[f.category]) byCategory[f.category] = [];
+    byCategory[f.category].push(f);
+  }
+  for (const [category, catFindings] of Object.entries(byCategory)) {
+    md += `## ${category}
+
+`;
+    for (const f of catFindings) {
+      const icon = f.severity === "critical" ? "\u{1F534}" : f.severity === "high" ? "\u{1F7E0}" : f.severity === "medium" ? "\u{1F7E1}" : "\u{1F535}";
+      md += `### ${icon} ${f.rule} (${f.severity.toUpperCase()})
+`;
+      md += `**File:** \`${f.file}:${f.line}\`
+`;
+      if (f.cwe) md += `**CWE:** ${f.cwe}
+`;
+      md += `**Issue:** ${f.message}
+`;
+      md += `**Code:** \`${f.code}\`
+`;
+      md += `**Fix:** ${f.fix}
+
+`;
+    }
+  }
+  return md;
+}
+function getScanRules() {
+  return SCAN_RULES.map((r) => ({
+    id: r.id,
+    category: r.category,
+    severity: r.severity,
+    message: r.message,
+    cwe: r.cwe
+  }));
+}
+function findScanFiles(projectDir) {
+  const scanExts = [".ts", ".js", ".mjs", ".tsx", ".jsx", ".py", ".java", ".go", ".rb"];
+  const skipDirs = ["node_modules", ".next", "dist", ".git", ".fishi", ".trees", "coverage", "__pycache__", ".venv"];
+  const files = [];
+  function walk(dir) {
+    try {
+      const entries = readdirSync2(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (entry.isDirectory()) {
+          if (skipDirs.includes(entry.name)) continue;
+          walk(join9(dir, entry.name));
+        } else if (scanExts.some((ext) => entry.name.endsWith(ext))) {
+          files.push(join9(dir, entry.name));
+        }
+      }
+    } catch {
+    }
+  }
+  walk(projectDir);
+  return files.slice(0, 500);
+}
+
 // src/templates/configs/sandbox-policy.ts
 function getSandboxPolicyTemplate() {
   return `# FISHI Sandbox Policy
@@ -12172,6 +13408,7 @@ function getDashboardHtml() {
 </html>`;
 }
 export {
+  DOMAIN_INFO,
   architectAgentTemplate,
   backendAgentTemplate,
   buildSandboxEnv,
@@ -12189,14 +13426,20 @@ export {
   fullstackAgentTemplate,
   generateDefaultTokens,
   generateDesignSystemConfig,
+  generatePermissionBlock,
   generateScaffold,
+  generateSecurityReport,
   getAdaptiveTaskGraphSkill,
   getAgentCompleteHook,
   getAgentFactoryTemplate,
   getAgentRegistryTemplate,
   getAgentSummary,
+  getAgentsMdTemplate,
+  getAimlArchitectTemplate,
+  getAllPermissionSummary,
   getApiDesignSkill,
   getAutoCheckpointHook,
+  getAvailableDomains,
   getBoardCommand,
   getBrainstormingSkill,
   getBrownfieldAnalysisSkill,
@@ -12206,21 +13449,27 @@ export {
   getCoordinatorFactoryTemplate,
   getDashboardHtml,
   getDebuggingSkill,
+  getDeepResearchAgentTemplate,
+  getDeepResearchSkill,
   getDeploymentSkill,
   getDocCheckerScript,
   getDockerfileTemplate,
   getDocumentationSkill,
+  getDomainConfigYaml,
   getFishiYamlTemplate,
   getGateCommand,
   getGateManagerScript,
   getGitignoreAdditions,
   getInitCommand,
   getLearningsManagerScript,
+  getMarketplaceArchitectTemplate,
   getMasterOrchestratorTemplate,
   getMcpJsonTemplate,
   getMemoryManagerScript,
+  getMobileArchitectTemplate,
   getModelRoutingReference,
   getMonitorEmitterScript,
+  getPermissionsForRole,
   getPhaseRunnerScript,
   getPostEditHook,
   getPrdCommand,
@@ -12228,10 +13477,13 @@ export {
   getProjectYamlTemplate,
   getResetCommand,
   getResumeCommand,
+  getSaasArchitectTemplate,
   getSafetyCheckHook,
   getSandboxPolicyTemplate,
+  getScanRules,
   getSessionStartHook,
   getSettingsJsonTemplate,
+  getSoulMdTemplate,
   getSprintCommand,
   getStatusCommand,
   getTaskboardOpsSkill,
@@ -12252,6 +13504,7 @@ export {
   planningAgentTemplate,
   planningLeadTemplate,
   qualityLeadTemplate,
+  readDomainConfig,
   readMonitorState,
   readSandboxConfig,
   readSandboxPolicy,
@@ -12260,6 +13513,7 @@ export {
   runInDockerSandbox,
   runInProcessSandbox,
   runInSandbox,
+  runSecurityScan,
   securityAgentTemplate,
   startDevServer,
   testingAgentTemplate,