@rafter-security/cli 0.7.0 → 0.7.2

package/dist/commands/agent/disable.js

@@ -0,0 +1,47 @@
+import { Command } from "commander";
+import { resolveComponent, recordComponentState, getComponentRegistry } from "./components.js";
+import { fmt } from "../../utils/formatter.js";
+/**
+ * `rafter agent disable <component-id>...` — uninstall one or more specific components.
+ * For hook/MCP entries, removes rafter's entries from the shared config file. For skills
+ * and our own instruction files, deletes them. Other (non-rafter) entries are preserved.
+ *
+ * Exit codes: 0 success · 1 invalid id or uninstall failure.
+ */
+export function createDisableCommand() {
+    return new Command("disable")
+        .description("Uninstall a specific agent component (e.g. claude-code.mcp, cursor.hooks)")
+        .argument("<components...>", "Component IDs to uninstall")
+        .action((components) => {
+        let exitCode = 0;
+        const seenIds = new Set();
+        for (const raw of components) {
+            if (seenIds.has(raw))
+                continue;
+            seenIds.add(raw);
+            const spec = resolveComponent(raw);
+            if (!spec) {
+                console.error(fmt.error(`Unknown component: ${raw}`));
+                console.error(fmt.info(`Run 'rafter agent list' to see available components. Known IDs: ${getComponentRegistry().map((c) => c.id).join(", ")}`));
+                exitCode = 1;
+                continue;
+            }
+            try {
+                const wasInstalled = spec.isInstalled();
+                spec.uninstall();
+                recordComponentState(spec.id, false);
+                if (wasInstalled) {
+                    console.log(fmt.success(`Disabled ${spec.id} (removed from ${spec.path})`));
+                }
+                else {
+                    console.log(fmt.info(`${spec.id} was not installed — no changes`));
+                }
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to disable ${spec.id}: ${e}`));
+                exitCode = 1;
+            }
+        }
+        process.exit(exitCode);
+    });
+}

package/dist/commands/agent/enable.js

@@ -0,0 +1,50 @@
+import { Command } from "commander";
+import fs from "fs";
+import { resolveComponent, recordComponentState, getComponentRegistry } from "./components.js";
+import { fmt } from "../../utils/formatter.js";
+/**
+ * `rafter agent enable <component-id>...` — install one or more specific components.
+ * This is the fine-grained complement to `rafter agent init --with-<platform>`; it
+ * targets a single (platform, kind) pair rather than a whole platform.
+ *
+ * Exit codes: 0 success · 1 invalid id or install failure · 2 platform not detected
+ *             (unless --force is passed).
+ */
+export function createEnableCommand() {
+    return new Command("enable")
+        .description("Install a specific agent component (e.g. claude-code.mcp, cursor.hooks)")
+        .argument("<components...>", "Component IDs to install")
+        .option("--force", "Install even if platform is not detected on this machine")
+        .action((components, opts) => {
+        let exitCode = 0;
+        const seenIds = new Set();
+        for (const raw of components) {
+            if (seenIds.has(raw))
+                continue;
+            seenIds.add(raw);
+            const spec = resolveComponent(raw);
+            if (!spec) {
+                console.error(fmt.error(`Unknown component: ${raw}`));
+                console.error(fmt.info(`Run 'rafter agent list' to see available components. Known IDs: ${getComponentRegistry().map((c) => c.id).join(", ")}`));
+                exitCode = 1;
+                continue;
+            }
+            const detected = fs.existsSync(spec.detectDir);
+            if (!detected && !opts.force) {
+                console.error(fmt.warning(`${spec.id}: platform not detected (${spec.detectDir}). Re-run with --force to install anyway.`));
+                exitCode = exitCode || 2;
+                continue;
+            }
+            try {
+                spec.install();
+                recordComponentState(spec.id, true);
+                console.log(fmt.success(`Enabled ${spec.id} → ${spec.path}`));
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to enable ${spec.id}: ${e}`));
+                exitCode = 1;
+            }
+        }
+        process.exit(exitCode);
+    });
+}

package/dist/commands/agent/index.js

@@ -11,6 +11,9 @@ import { createVerifyCommand } from "./verify.js";
 import { createStatusCommand } from "./status.js";
 import { createUpdateGitleaksCommand } from "./update-gitleaks.js";
 import { createBaselineCommand } from "./baseline.js";
+import { createListCommand } from "./list.js";
+import { createEnableCommand } from "./enable.js";
+import { createDisableCommand } from "./disable.js";
 export function createAgentCommand() {
     const agent = new Command("agent")
         .description("Agent security features");
@@ -27,5 +30,8 @@ export function createAgentCommand() {
     agent.addCommand(createStatusCommand());
     agent.addCommand(createUpdateGitleaksCommand());
     agent.addCommand(createBaselineCommand());
+    agent.addCommand(createListCommand());
+    agent.addCommand(createEnableCommand());
+    agent.addCommand(createDisableCommand());
     return agent;
 }

package/dist/commands/agent/init.js

@@ -13,21 +13,33 @@ import { fmt } from "../../utils/formatter.js";
 import { injectInstructionFile } from "./instruction-block.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
+/**
+ * Skills installed by `rafter agent init` for Claude Code / Codex.
+ *
+ * Sourced from `resources/skills/<name>/SKILL.md` in the shipped package.
+ * Keep this list in sync with Python's installer and the skills that actually
+ * ship in both resources/skills/ trees.
+ */
+const AGENT_SKILLS = [
+    { name: "rafter", description: "Rafter Remote" },
+    { name: "rafter-agent-security", description: "Rafter Agent Security" },
+    { name: "rafter-secure-design", description: "Rafter Secure Design" },
+    { name: "rafter-code-review", description: "Rafter Code Review" },
+];
 /**
  * Install global instruction files for platforms that support them.
  *
- * Only Claude Code (~/.claude/CLAUDE.md) and Cursor (~/.cursor/rules/*.mdc)
- * have confirmed global instruction file paths. Other platforms (Codex, Gemini,
- * Windsurf, Continue.dev, Aider) only support project-level instruction files
- * (AGENTS.md, GEMINI.md, .windsurfrules, .continuerules, .aider/conventions.md)
- * which are handled by `rafter agent init-project` (not yet implemented).
+ * User scope: Claude Code (~/.claude/CLAUDE.md), Cursor (~/.cursor/rules/*.mdc).
+ * Project scope: both platforms also honor <cwd>/.claude/CLAUDE.md and
+ * <cwd>/.cursor/rules/*.mdc. Other platforms (Codex, Gemini, Windsurf,
+ * Continue.dev, Aider) have project-only instruction file conventions
+ * (AGENTS.md, GEMINI.md, etc.) handled by `rafter agent init-project`.
  */
-function installGlobalInstructions(platforms) {
-    const homeDir = os.homedir();
-    // Claude Code — ~/.claude/CLAUDE.md (confirmed global instruction file)
+function installGlobalInstructions(platforms, root) {
+    // Claude Code — <root>/.claude/CLAUDE.md
     if (platforms.claudeCode) {
         try {
-            const filePath = path.join(homeDir, ".claude", "CLAUDE.md");
+            const filePath = path.join(root, ".claude", "CLAUDE.md");
             injectInstructionFile(filePath);
             console.log(fmt.success(`Installed Rafter instructions to ${filePath}`));
         }
@@ -35,10 +47,10 @@ function installGlobalInstructions(platforms) {
             console.log(fmt.warning(`Failed to write Claude Code instructions: ${e}`));
         }
     }
-    // Cursor — ~/.cursor/rules/rafter-security.mdc (global rules directory, markdown format)
+    // Cursor — <root>/.cursor/rules/rafter-security.mdc
     if (platforms.cursor) {
         try {
-            const filePath = path.join(homeDir, ".cursor", "rules", "rafter-security.mdc");
+            const filePath = path.join(root, ".cursor", "rules", "rafter-security.mdc");
             injectInstructionFile(filePath);
             console.log(fmt.success(`Installed Rafter instructions to ${filePath}`));
         }
@@ -47,10 +59,9 @@ function installGlobalInstructions(platforms) {
         }
     }
 }
-function installClaudeCodeHooks() {
-    const homeDir = os.homedir();
-    const settingsPath = path.join(homeDir, ".claude", "settings.json");
-    const claudeDir = path.join(homeDir, ".claude");
+function installClaudeCodeHooks(root) {
+    const settingsPath = path.join(root, ".claude", "settings.json");
+    const claudeDir = path.join(root, ".claude");
     if (!fs.existsSync(claudeDir)) {
         fs.mkdirSync(claudeDir, { recursive: true });
     }
@@ -90,9 +101,8 @@ function installClaudeCodeHooks() {
     console.log(fmt.success(`Installed PreToolUse hooks to ${settingsPath}`));
     console.log(fmt.success(`Installed PostToolUse hooks to ${settingsPath}`));
 }
-function installCodexHooks() {
-    const homeDir = os.homedir();
-    const codexDir = path.join(homeDir, ".codex");
+function installCodexHooks(root) {
+    const codexDir = path.join(root, ".codex");
     if (!fs.existsSync(codexDir)) {
         fs.mkdirSync(codexDir, { recursive: true });
     }
@@ -123,9 +133,8 @@ function installCodexHooks() {
     fs.writeFileSync(hooksPath, JSON.stringify(config, null, 2), "utf-8");
     console.log(fmt.success(`Installed hooks to ${hooksPath}`));
 }
-function installCursorHooks() {
-    const homeDir = os.homedir();
-    const cursorDir = path.join(homeDir, ".cursor");
+function installCursorHooks(root) {
+    const cursorDir = path.join(root, ".cursor");
     if (!fs.existsSync(cursorDir)) {
         fs.mkdirSync(cursorDir, { recursive: true });
     }
@@ -155,9 +164,8 @@ function installCursorHooks() {
     fs.writeFileSync(hooksPath, JSON.stringify(config, null, 2), "utf-8");
     console.log(fmt.success(`Installed hooks to ${hooksPath}`));
 }
-function installGeminiHooks() {
-    const homeDir = os.homedir();
-    const geminiDir = path.join(homeDir, ".gemini");
+function installGeminiHooks(root) {
+    const geminiDir = path.join(root, ".gemini");
     if (!fs.existsSync(geminiDir)) {
         fs.mkdirSync(geminiDir, { recursive: true });
     }
@@ -191,9 +199,8 @@ function installGeminiHooks() {
     fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), "utf-8");
     console.log(fmt.success(`Installed hooks to ${settingsPath}`));
 }
-function installWindsurfHooks() {
-    const homeDir = os.homedir();
-    const windsurfDir = path.join(homeDir, ".windsurf");
+function installWindsurfHooks(root) {
+    const windsurfDir = path.join(root, ".windsurf");
     if (!fs.existsSync(windsurfDir)) {
         fs.mkdirSync(windsurfDir, { recursive: true });
     }
@@ -227,9 +234,8 @@ function installWindsurfHooks() {
     fs.writeFileSync(hooksPath, JSON.stringify(config, null, 2), "utf-8");
     console.log(fmt.success(`Installed hooks to ${hooksPath}`));
 }
-function installContinueDevHooks() {
-    const homeDir = os.homedir();
-    const continueDir = path.join(homeDir, ".continue");
+function installContinueDevHooks(root) {
+    const continueDir = path.join(root, ".continue");
     if (!fs.existsSync(continueDir)) {
         fs.mkdirSync(continueDir, { recursive: true });
     }
@@ -267,9 +273,8 @@ const RAFTER_MCP_ENTRY = {
 /**
  * Install MCP server config for Gemini CLI (~/.gemini/settings.json)
  */
-function installGeminiMcp() {
-    const homeDir = os.homedir();
-    const geminiDir = path.join(homeDir, ".gemini");
+function installGeminiMcp(root) {
+    const geminiDir = path.join(root, ".gemini");
     const settingsPath = path.join(geminiDir, "settings.json");
     if (!fs.existsSync(geminiDir)) {
         fs.mkdirSync(geminiDir, { recursive: true });
@@ -293,9 +298,8 @@ function installGeminiMcp() {
 /**
  * Install MCP server config for Cursor (~/.cursor/mcp.json)
  */
-function installCursorMcp() {
-    const homeDir = os.homedir();
-    const cursorDir = path.join(homeDir, ".cursor");
+function installCursorMcp(root) {
+    const cursorDir = path.join(root, ".cursor");
     const mcpPath = path.join(cursorDir, "mcp.json");
     if (!fs.existsSync(cursorDir)) {
         fs.mkdirSync(cursorDir, { recursive: true });
@@ -319,9 +323,8 @@ function installCursorMcp() {
 /**
  * Install MCP server config for Windsurf (~/.codeium/windsurf/mcp_config.json)
  */
-function installWindsurfMcp() {
-    const homeDir = os.homedir();
-    const windsurfDir = path.join(homeDir, ".codeium", "windsurf");
+function installWindsurfMcp(root) {
+    const windsurfDir = path.join(root, ".codeium", "windsurf");
     const mcpPath = path.join(windsurfDir, "mcp_config.json");
     if (!fs.existsSync(windsurfDir)) {
         fs.mkdirSync(windsurfDir, { recursive: true });
@@ -345,9 +348,8 @@ function installWindsurfMcp() {
 /**
  * Install MCP server config for Continue.dev (~/.continue/config.json)
  */
-function installContinueDevMcp() {
-    const homeDir = os.homedir();
-    const continueDir = path.join(homeDir, ".continue");
+function installContinueDevMcp(root) {
+    const continueDir = path.join(root, ".continue");
     const configPath = path.join(continueDir, "config.json");
     if (!fs.existsSync(continueDir)) {
         fs.mkdirSync(continueDir, { recursive: true });
@@ -384,9 +386,8 @@ function installContinueDevMcp() {
  * Install MCP config for Aider (~/.aider.conf.yml)
  * Aider uses YAML config with mcpServers list
  */
-function installAiderMcp() {
-    const homeDir = os.homedir();
-    const configPath = path.join(homeDir, ".aider.conf.yml");
+function installAiderMcp(root) {
+    const configPath = path.join(root, ".aider.conf.yml");
     // Aider's YAML config is simple — we append the MCP flag if not present
     let content = "";
     if (fs.existsSync(configPath)) {
@@ -403,73 +404,31 @@ function installAiderMcp() {
     console.log(fmt.success(`Installed Rafter MCP server to ${configPath}`));
     return true;
 }
-async function installClaudeCodeSkills() {
-    const homeDir = os.homedir();
-    const claudeSkillsDir = path.join(homeDir, ".claude", "skills");
-    // Ensure .claude/skills directory exists
-    if (!fs.existsSync(claudeSkillsDir)) {
-        fs.mkdirSync(claudeSkillsDir, { recursive: true });
-    }
-    // Install Backend Skill
-    const backendSkillDir = path.join(claudeSkillsDir, "rafter");
-    const backendSkillPath = path.join(backendSkillDir, "SKILL.md");
-    const backendTemplatePath = path.join(__dirname, "..", "..", "..", "resources", "skills", "rafter", "SKILL.md");
-    if (!fs.existsSync(backendSkillDir)) {
-        fs.mkdirSync(backendSkillDir, { recursive: true });
-    }
-    if (fs.existsSync(backendTemplatePath)) {
-        fs.copyFileSync(backendTemplatePath, backendSkillPath);
-        console.log(fmt.success(`Installed Rafter Remote skill to ${backendSkillPath}`));
-    }
-    else {
-        console.log(fmt.warning(`Remote skill template not found at ${backendTemplatePath}`));
-    }
-    // Install Agent Security Skill
-    const agentSkillDir = path.join(claudeSkillsDir, "rafter-agent-security");
-    const agentSkillPath = path.join(agentSkillDir, "SKILL.md");
-    const agentTemplatePath = path.join(__dirname, "..", "..", "..", "resources", "skills", "rafter-agent-security", "SKILL.md");
-    if (!fs.existsSync(agentSkillDir)) {
-        fs.mkdirSync(agentSkillDir, { recursive: true });
+function installSkillsTo(skillsDir) {
+    if (!fs.existsSync(skillsDir)) {
+        fs.mkdirSync(skillsDir, { recursive: true });
     }
-    if (fs.existsSync(agentTemplatePath)) {
-        fs.copyFileSync(agentTemplatePath, agentSkillPath);
-        console.log(fmt.success(`Installed Rafter Agent Security skill to ${agentSkillPath}`));
-    }
-    else {
-        console.log(fmt.warning(`Agent Security skill template not found at ${agentTemplatePath}`));
+    for (const skill of AGENT_SKILLS) {
+        const destDir = path.join(skillsDir, skill.name);
+        const destPath = path.join(destDir, "SKILL.md");
+        const srcPath = path.join(__dirname, "..", "..", "..", "resources", "skills", skill.name, "SKILL.md");
+        if (!fs.existsSync(destDir)) {
+            fs.mkdirSync(destDir, { recursive: true });
+        }
+        if (fs.existsSync(srcPath)) {
+            fs.copyFileSync(srcPath, destPath);
+            console.log(fmt.success(`Installed ${skill.description} skill to ${destPath}`));
+        }
+        else {
+            console.log(fmt.warning(`${skill.description} skill template not found at ${srcPath}`));
+        }
     }
 }
-function installCodexSkills() {
-    const homeDir = os.homedir();
-    const agentsSkillsDir = path.join(homeDir, ".agents", "skills");
-    // Install Backend Skill
-    const backendDir = path.join(agentsSkillsDir, "rafter");
-    const backendSkillPath = path.join(backendDir, "SKILL.md");
-    const backendTemplatePath = path.join(__dirname, "..", "..", "..", "resources", "skills", "rafter", "SKILL.md");
-    if (!fs.existsSync(backendDir)) {
-        fs.mkdirSync(backendDir, { recursive: true });
-    }
-    if (fs.existsSync(backendTemplatePath)) {
-        fs.copyFileSync(backendTemplatePath, backendSkillPath);
-        console.log(fmt.success(`Installed Rafter Remote skill to ${backendSkillPath}`));
-    }
-    else {
-        console.log(fmt.warning(`Remote skill template not found at ${backendTemplatePath}`));
-    }
-    // Install Agent Security Skill
-    const agentDir = path.join(agentsSkillsDir, "rafter-agent-security");
-    const agentSkillPath = path.join(agentDir, "SKILL.md");
-    const agentTemplatePath = path.join(__dirname, "..", "..", "..", "resources", "skills", "rafter-agent-security", "SKILL.md");
-    if (!fs.existsSync(agentDir)) {
-        fs.mkdirSync(agentDir, { recursive: true });
-    }
-    if (fs.existsSync(agentTemplatePath)) {
-        fs.copyFileSync(agentTemplatePath, agentSkillPath);
-        console.log(fmt.success(`Installed Rafter Agent Security skill to ${agentSkillPath}`));
-    }
-    else {
-        console.log(fmt.warning(`Agent Security skill template not found at ${agentTemplatePath}`));
-    }
+async function installClaudeCodeSkills(root) {
+    installSkillsTo(path.join(root, ".claude", "skills"));
+}
+function installCodexSkills(root) {
+    installSkillsTo(path.join(root, ".agents", "skills"));
 }
 async function askYesNo(question, defaultYes = true) {
     const rl = createInterface({ input: process.stdin, output: process.stderr });
@@ -501,30 +460,43 @@ export function createInitCommand() {
         .option("--all", "Install all detected integrations and download Gitleaks")
         .option("-i, --interactive", "Guided setup — prompts for each detected integration")
         .option("--update", "Re-download gitleaks and reinstall integrations without resetting config")
+        .option("--local", "Install integration configs project-locally (in CWD) instead of user-globally. " +
+        "Supported for Claude Code, Codex, Gemini, Cursor. Other platforms are skipped in local mode.")
         .action(async (opts) => {
         console.log(fmt.header("Rafter Agent Security Setup"));
         console.log(fmt.divider());
         console.log();
         const manager = new ConfigManager();
-        // Detect environments
-        const hasOpenClaw = fs.existsSync(path.join(os.homedir(), ".openclaw"));
-        const hasClaudeCode = fs.existsSync(path.join(os.homedir(), ".claude"));
-        const hasCodex = fs.existsSync(path.join(os.homedir(), ".codex"));
-        const hasGemini = fs.existsSync(path.join(os.homedir(), ".gemini"));
-        const hasCursor = fs.existsSync(path.join(os.homedir(), ".cursor"));
-        const hasWindsurf = fs.existsSync(path.join(os.homedir(), ".codeium", "windsurf"));
-        const hasContinueDev = fs.existsSync(path.join(os.homedir(), ".continue"));
-        const hasAider = fs.existsSync(path.join(os.homedir(), ".aider.conf.yml"));
-        // Resolve opt-in flags (--all enables all detected, --interactive prompts)
-        let wantOpenClaw = opts.withOpenclaw || opts.all;
+        const root = opts.local ? process.cwd() : os.homedir();
+        const scope = opts.local ? "project" : "user";
+        if (opts.local) {
+            console.log(fmt.info(`Project-local install — writing configs under ${root}`));
+        }
+        // Platforms supported in --local scope: Claude Code, Codex, Gemini, Cursor.
+        // Windsurf, Continue.dev, Aider are skipped in --local because their
+        // project-local config story is not established in their CLIs today.
+        // Detect environments. In local scope, don't probe user-global paths —
+        // the user must opt in explicitly via --with-<platform>.
+        const hasOpenClaw = scope === "user" && fs.existsSync(path.join(os.homedir(), ".openclaw"));
+        const hasClaudeCode = scope === "user" && fs.existsSync(path.join(os.homedir(), ".claude"));
+        const hasCodex = scope === "user" && fs.existsSync(path.join(os.homedir(), ".codex"));
+        const hasGemini = scope === "user" && fs.existsSync(path.join(os.homedir(), ".gemini"));
+        const hasCursor = scope === "user" && fs.existsSync(path.join(os.homedir(), ".cursor"));
+        const hasWindsurf = scope === "user" && fs.existsSync(path.join(os.homedir(), ".codeium", "windsurf"));
+        const hasContinueDev = scope === "user" && fs.existsSync(path.join(os.homedir(), ".continue"));
+        const hasAider = scope === "user" && fs.existsSync(path.join(os.homedir(), ".aider.conf.yml"));
+        // Resolve opt-in flags (--all enables all detected, --interactive prompts).
+        // In --local scope, --all is restricted to platforms that have a project-local
+        // config story (claudeCode, codex, gemini, cursor). The rest require user scope.
+        let wantOpenClaw = opts.withOpenclaw || (opts.all && !opts.local);
         let wantClaudeCode = opts.withClaudeCode || opts.all;
         let wantCodex = opts.withCodex || opts.all;
         let wantGemini = opts.withGemini || opts.all;
         let wantCursor = opts.withCursor || opts.all;
-        let wantWindsurf = opts.withWindsurf || opts.all;
-        let wantContinue = opts.withContinue || opts.all;
-        let wantAider = opts.withAider || opts.all;
-        let wantGitleaks = opts.withGitleaks || opts.all;
+        let wantWindsurf = opts.withWindsurf || (opts.all && !opts.local);
+        let wantContinue = opts.withContinue || (opts.all && !opts.local);
+        let wantAider = opts.withAider || (opts.all && !opts.local);
+        let wantGitleaks = opts.withGitleaks || (opts.all && !opts.local);
         // Interactive mode: prompt for each detected integration
         if (opts.interactive && !opts.all) {
             console.log();
@@ -574,23 +546,26 @@ export function createInitCommand() {
         else {
             console.log(fmt.info("No agent environments detected"));
         }
-        // Warn about requested but undetected environments
-        if (wantOpenClaw && !hasOpenClaw)
-            console.log(fmt.warning("OpenClaw requested but not detected (~/.openclaw not found)"));
-        if (wantClaudeCode && !hasClaudeCode)
-            console.log(fmt.warning("Claude Code requested but not detected (~/.claude not found)"));
-        if (wantCodex && !hasCodex)
-            console.log(fmt.warning("Codex CLI requested but not detected (~/.codex not found)"));
-        if (wantGemini && !hasGemini)
-            console.log(fmt.warning("Gemini CLI requested but not detected (~/.gemini not found)"));
-        if (wantCursor && !hasCursor)
-            console.log(fmt.warning("Cursor requested but not detected (~/.cursor not found)"));
-        if (wantWindsurf && !hasWindsurf)
-            console.log(fmt.warning("Windsurf requested but not detected (~/.codeium/windsurf not found)"));
-        if (wantContinue && !hasContinueDev)
-            console.log(fmt.warning("Continue.dev requested but not detected (~/.continue not found)"));
-        if (wantAider && !hasAider)
-            console.log(fmt.warning("Aider requested but not detected (~/.aider.conf.yml not found)"));
+        // Warn about requested but undetected environments (user scope only —
+        // in --local scope we create the directories in CWD as needed).
+        if (scope === "user") {
+            if (wantOpenClaw && !hasOpenClaw)
+                console.log(fmt.warning("OpenClaw requested but not detected (~/.openclaw not found)"));
+            if (wantClaudeCode && !hasClaudeCode)
+                console.log(fmt.warning("Claude Code requested but not detected (~/.claude not found)"));
+            if (wantCodex && !hasCodex)
+                console.log(fmt.warning("Codex CLI requested but not detected (~/.codex not found)"));
+            if (wantGemini && !hasGemini)
+                console.log(fmt.warning("Gemini CLI requested but not detected (~/.gemini not found)"));
+            if (wantCursor && !hasCursor)
+                console.log(fmt.warning("Cursor requested but not detected (~/.cursor not found)"));
+            if (wantWindsurf && !hasWindsurf)
+                console.log(fmt.warning("Windsurf requested but not detected (~/.codeium/windsurf not found)"));
+            if (wantContinue && !hasContinueDev)
+                console.log(fmt.warning("Continue.dev requested but not detected (~/.continue not found)"));
+            if (wantAider && !hasAider)
+                console.log(fmt.warning("Aider requested but not detected (~/.aider.conf.yml not found)"));
+        }
         // Initialize directory structure
         try {
             await manager.initialize();
@@ -697,14 +672,20 @@ export function createInitCommand() {
                 }
             }
         }
+        // Helper: warn that a platform is not supported in --local mode.
+        const localUnsupported = (label) => {
+            console.log(fmt.warning(`${label} is not supported in --local mode yet. Skipping. ` +
+                `Re-run without --local to install for this platform user-globally.`));
+        };
         // Install Claude Code skills + hooks if opted in
-        // When --with-claude-code is explicitly passed, install even if .claude doesn't exist yet
+        // When --with-claude-code is explicitly passed (or --local), install even if <root>/.claude doesn't exist yet
         let claudeCodeOk = false;
-        if ((hasClaudeCode || opts.withClaudeCode) && wantClaudeCode) {
+        if ((hasClaudeCode || opts.withClaudeCode || (opts.local && wantClaudeCode)) && wantClaudeCode) {
             try {
-                await installClaudeCodeSkills();
-                installClaudeCodeHooks();
-                manager.set("agent.environments.claudeCode.enabled", true);
+                await installClaudeCodeSkills(root);
+                installClaudeCodeHooks(root);
+                if (scope === "user")
+                    manager.set("agent.environments.claudeCode.enabled", true);
                 claudeCodeOk = true;
             }
             catch (e) {
@@ -713,11 +694,12 @@ export function createInitCommand() {
         }
         // Install Codex CLI skills + hooks if opted in
         let codexOk = false;
-        if (hasCodex && wantCodex) {
+        if ((hasCodex || (opts.local && wantCodex)) && wantCodex) {
             try {
-                installCodexSkills();
-                installCodexHooks();
-                manager.set("agent.environments.codex.enabled", true);
+                installCodexSkills(root);
+                installCodexHooks(root);
+                if (scope === "user")
+                    manager.set("agent.environments.codex.enabled", true);
                 codexOk = true;
             }
             catch (e) {
@@ -726,11 +708,11 @@ export function createInitCommand() {
         }
         // Install Gemini CLI MCP + hooks if opted in
         let geminiOk = false;
-        if (hasGemini && wantGemini) {
+        if ((hasGemini || (opts.local && wantGemini)) && wantGemini) {
             try {
-                geminiOk = installGeminiMcp();
-                installGeminiHooks();
-                if (geminiOk)
+                geminiOk = installGeminiMcp(root);
+                installGeminiHooks(root);
+                if (geminiOk && scope === "user")
                     manager.set("agent.environments.gemini.enabled", true);
             }
             catch (e) {
@@ -739,11 +721,11 @@ export function createInitCommand() {
         }
         // Install Cursor MCP + hooks if opted in
         let cursorOk = false;
-        if (hasCursor && wantCursor) {
+        if ((hasCursor || (opts.local && wantCursor)) && wantCursor) {
             try {
-                cursorOk = installCursorMcp();
-                installCursorHooks();
-                if (cursorOk)
+                cursorOk = installCursorMcp(root);
+                installCursorHooks(root);
+                if (cursorOk && scope === "user")
                     manager.set("agent.environments.cursor.enabled", true);
             }
             catch (e) {
@@ -754,8 +736,8 @@ export function createInitCommand() {
         let windsurfOk = false;
         if (hasWindsurf && wantWindsurf) {
             try {
-                windsurfOk = installWindsurfMcp();
-                installWindsurfHooks();
+                windsurfOk = installWindsurfMcp(root);
+                installWindsurfHooks(root);
                 if (windsurfOk)
                     manager.set("agent.environments.windsurf.enabled", true);
             }
@@ -763,12 +745,15 @@ export function createInitCommand() {
                 console.error(fmt.error(`Failed to install Windsurf integration: ${e}`));
             }
         }
+        else if (opts.local && wantWindsurf) {
+            localUnsupported("Windsurf");
+        }
         // Install Continue.dev MCP + hooks if opted in
         let continueOk = false;
         if (hasContinueDev && wantContinue) {
             try {
-                continueOk = installContinueDevMcp();
-                installContinueDevHooks();
+                continueOk = installContinueDevMcp(root);
+                installContinueDevHooks(root);
                 if (continueOk)
                     manager.set("agent.environments.continueDev.enabled", true);
             }
@@ -776,11 +761,14 @@ export function createInitCommand() {
                 console.error(fmt.error(`Failed to install Continue.dev integration: ${e}`));
             }
         }
+        else if (opts.local && wantContinue) {
+            localUnsupported("Continue.dev");
+        }
         // Install Aider MCP if opted in
         let aiderOk = false;
         if (hasAider && wantAider) {
             try {
-                aiderOk = installAiderMcp();
+                aiderOk = installAiderMcp(root);
                 if (aiderOk)
                     manager.set("agent.environments.aider.enabled", true);
             }
@@ -788,11 +776,14 @@ export function createInitCommand() {
                 console.error(fmt.error(`Failed to install Aider integration: ${e}`));
             }
         }
+        else if (opts.local && wantAider) {
+            localUnsupported("Aider");
+        }
         // Install global instruction files for platforms that support them
         installGlobalInstructions({
             claudeCode: claudeCodeOk,
             cursor: cursorOk,
-        });
+        }, root);
         console.log();
         console.log(fmt.success("Agent security initialized!"));
         console.log();
@@ -816,6 +807,13 @@ export function createInitCommand() {
             if (aiderOk)
                 console.log("  - Restart Aider to load MCP server");
         }
+        else if (scope === "project") {
+            console.log("No integrations were installed. In --local mode, pass one or more opt-in flags:");
+            console.log("  rafter agent init --local --with-claude-code");
+            console.log("  rafter agent init --local --with-codex");
+            console.log("  rafter agent init --local --with-gemini");
+            console.log("  rafter agent init --local --with-cursor");
+        }
         else if (detected.length > 0) {
             console.log("No integrations were installed. To install, re-run with opt-in flags:");
             console.log("  rafter agent init --all                  # Install all detected");