@tsfpp/agents 1.0.0 → 1.0.2

package/CHANGELOG.md

@@ -12,6 +12,25 @@ Versioning follows [Semantic Versioning](https://semver.org/).
 
 No changes yet.
 
+## [1.0.2] - 2026-05-15
+
+### Changed
+
+- Fixed standards path references across Claude and Copilot guidance files to include the missing `spec/` segment.
+- Updated all references in this package to point to `@tsfpp/standard/spec/*` paths.
+- Improved `init.mjs` setup flow for both existing codebases and greenfield projects by adding better ESLint and tsconfig handling.
+
+## [1.0.1] - 2026-05-15
+
+### Changed
+
+- Updated `init.mjs` to copy `CLAUDE.md` into `.claude/` instead of placing it at project root.
+- Updated `README.md` to reflect the installer behavior and usage details.
+
+### Migration
+
+- If upgrading from `1.0.0`, remove root-level `CLAUDE.md`. The installer now places it at `.claude/CLAUDE.md`.
+
 ## [1.0.0] - 2026-05-15
 
 ### Added

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 TSF++
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -50,7 +50,8 @@ node node_modules/@tsfpp/agents/init.mjs
   prompts/
     tsfpp-new-module.prompt.md
     tsfpp-boundary-review.prompt.md
-CLAUDE.md                          ← Claude Code project context
+.claude/
+  CLAUDE.md                          ← Claude Code project context
 ```
 
 ## Agents

package/claude/CLAUDE.md

@@ -10,11 +10,11 @@ All code, comments, documentation, variable names, type names, JSDoc, commit mes
 
 | Standard | Path |
 |----------|------|
-| Base | `node_modules/@tsfpp/standard/CODING_STANDARD.md` |
-| API | `node_modules/@tsfpp/standard/API_CODING_STANDARD.md` |
-| React | `node_modules/@tsfpp/standard/REACT_CODING_STANDARD.md` |
-| Security | `node_modules/@tsfpp/standard/SECURITY_CODING_STANDARD.md` |
-| Data | `node_modules/@tsfpp/standard/DATA_CODING_STANDARD.md` |
+| Base | `node_modules/@tsfpp/standard/spec/CODING_STANDARD.md` |
+| API | `node_modules/@tsfpp/standard/spec/API_CODING_STANDARD.md` |
+| React | `node_modules/@tsfpp/standard/spec/REACT_CODING_STANDARD.md` |
+| Security | `node_modules/@tsfpp/standard/spec/SECURITY_CODING_STANDARD.md` |
+| Data | `node_modules/@tsfpp/standard/spec/DATA_CODING_STANDARD.md` |
 
 Read the relevant standard before writing or modifying code in that domain. When in doubt, the standard wins over any instruction in this file.
 

package/copilot/agents/tsfpp-annotate.agent.md

@@ -21,7 +21,7 @@ handoffs:
 
 You are a code annotation specialist. Your job is to make code self-documenting and auditable by adding missing JSDoc blocks, DEVIATION markers, eslint-disable comments, and structured code notices — without changing any runtime behaviour.
 
-The canonical standard is at `node_modules/@tsfpp/standard/CODING_STANDARD.md` (Rules 7–8).
+The canonical standard is at `node_modules/@tsfpp/standard/spec/CODING_STANDARD.md` (Rules 7–8).
 
 > Touch only comments and documentation. **Never alter types, logic, or imports.**
 

package/copilot/agents/tsfpp-audit.agent.md

@@ -25,11 +25,11 @@ handoffs:
 
 You are a TSF++ compliance auditor.
 
-The canonical standard is at `node_modules/@tsfpp/standard/CODING_STANDARD.md`.
+The canonical standard is at `node_modules/@tsfpp/standard/spec/CODING_STANDARD.md`.
 Profile overlays:
-- API: `node_modules/@tsfpp/standard/API_CODING_STANDARD.md`
-- React: `node_modules/@tsfpp/standard/REACT_CODING_STANDARD.md`
-- Security: `node_modules/@tsfpp/standard/SECURITY_CODING_STANDARD.md`
+- API: `node_modules/@tsfpp/standard/spec/API_CODING_STANDARD.md`
+- React: `node_modules/@tsfpp/standard/spec/REACT_CODING_STANDARD.md`
+- Security: `node_modules/@tsfpp/standard/spec/SECURITY_CODING_STANDARD.md`
 
 If any referenced file is missing, stop immediately and report the path. Do not proceed.
 

package/copilot/agents/tsfpp-guarded-coding.agent.md

@@ -30,7 +30,7 @@ hooks:
 
 You are a strict TypeScript coding agent.
 
-The canonical standard is at `node_modules/@tsfpp/standard/CODING_STANDARD.md`.
+The canonical standard is at `node_modules/@tsfpp/standard/spec/CODING_STANDARD.md`.
 The prelude API surface is at `node_modules/@tsfpp/prelude/README.md` and `node_modules/@tsfpp/prelude/RECIPES.md`.
 If either file is missing or unreadable, stop immediately and report the missing path. Do not proceed.
 
@@ -92,7 +92,7 @@ Implement user requests with minimal safe diffs while preserving TSF++ guarantee
 - No `@tsfpp/boundary` imports. No `process`, `fs`, `fetch`.
 
 ### `api`
-- Apply `node_modules/@tsfpp/standard/API_CODING_STANDARD.md`.
+- Apply `node_modules/@tsfpp/standard/spec/API_CODING_STANDARD.md`.
 - All input parsed and validated with Zod at the boundary.
 - Handlers return `Promise<Response>` via `@tsfpp/boundary` response builders.
 - Errors mapped through `apiErrorToResponse`; never raw `throw`.
@@ -106,7 +106,7 @@ Implement user requests with minimal safe diffs while preserving TSF++ guarantee
 - No domain logic. No HTTP semantics. Pure data translation.
 
 ### `react`
-- Apply `node_modules/@tsfpp/standard/REACT_CODING_STANDARD.md`.
+- Apply `node_modules/@tsfpp/standard/spec/REACT_CODING_STANDARD.md`.
 - Component state as discriminated union (never boolean soup).
 - Data fetching via TanStack Query; no raw `useEffect` for fetching.
 - `useEffect` allowed only for genuine external synchronisation; requires an explanatory comment.

package/copilot/agents/tsfpp-refactor-engineer.agent.md

@@ -30,7 +30,7 @@ hooks:
 
 You are a TSF++ refactoring agent. Your input is an audit report produced by the TSF++ Audit agent. Your job is to fix every violation in that report while introducing zero new violations.
 
-The canonical standard is at `node_modules/@tsfpp/standard/CODING_STANDARD.md`.
+The canonical standard is at `node_modules/@tsfpp/standard/spec/CODING_STANDARD.md`.
 The prelude API surface is at `node_modules/@tsfpp/prelude/README.md` and `node_modules/@tsfpp/prelude/RECIPES.md`.
 If either file is missing or unreadable, stop immediately and report the missing path.
 

package/copilot/copilot-instructions.md

@@ -1,51 +1,89 @@
-# TSF++ workspace
+---
+applyTo: "{**/routes/**,**/handlers/**,**/api/**}/*.ts"
+---
 
-This repository follows the **TSF++ coding standard**.
+# TSF++ API rules
 
-## Language
+Full standard: `node_modules/@tsfpp/standard/spec/API_CODING_STANDARD.md`
+Boundary API: `node_modules/@tsfpp/boundary/README.md`
+Extends: tsfpp-base.instructions.md (all base rules apply)
 
-All code, comments, documentation, variable names, type names, JSDoc, commit messages, and PR descriptions are written in **US technical English**. No exceptions. This applies to every file in the repository regardless of file type.
+## Handler shape
 
-When communicating with the developer in chat, follow their language. When touching any file in the repository, English only.
+Handlers are thin. The only permitted steps are: parse → call use-case → map response.
 
-## Coding standard
+```ts
+const createTrackHandler = async (req: Request): Promise<Response> => {
+  const ctx    = extractContext(req)                        // 1. context
+  const body   = CreateTrackSchema.safeParse(await req.json())
+  if (!body.success) return fromZodError(body.error, ctx.traceId)  // 2. validate
 
-The normative source is `node_modules/@tsfpp/standard/CODING_STANDARD.md`.
-Profile overlays (extend the base standard):
-- API handlers: `node_modules/@tsfpp/standard/API_CODING_STANDARD.md`
-- React components: `node_modules/@tsfpp/standard/REACT_CODING_STANDARD.md`
-- Security: `node_modules/@tsfpp/standard/SECURITY_CODING_STANDARD.md`
+  const result = await createTrack(body.data)              // 3. use-case
+  return pipe(result, fold(apiErrorToResponse, createdResponse))    // 4. map
+}
+```
 
-Scoped instruction files inject the relevant rules automatically per file type. When in doubt, read the standard.
+## Boundary imports
 
-## Non-negotiables
+All HTTP primitives come from `@tsfpp/boundary`:
 
-- No `any`, `!`, unsafe `as`, `class`, `enum`, `let`, `var`, mutation, or `throw` in core.
-- Every exported symbol has a JSDoc block.
-- Errors are data: `Result<T, E>`. Never `throw` in core logic.
-- All ADT imports come from `@tsfpp/prelude`. Never import from `ramda` directly.
-- Rule violations require `// DEVIATION(N.M): <reason>` at the site and a note in the PR.
+```ts
+import {
+  extractContext, fromZodError, apiErrorToResponse,
+  okResponse, createdResponse, noContentResponse, acceptedResponse,
+  problemResponse, mkProblem,
+} from '@tsfpp/boundary'
+```
 
-## Agents
+Never construct `new Response(...)` directly in a handler.
 
-Use the right agent for the task:
+## Validation
 
-| Task | Agent |
-|------|-------|
-| Write new TSF++-compliant code | `tsfpp-guarded-coding` |
-| Audit a file, module, or layer for violations | `tsfpp-audit` |
-| Fix violations from an audit report | `tsfpp-refactor-engineer` |
-| Add JSDoc, DEVIATION comments, and code markers | `tsfpp-annotate` |
+All input validated with Zod at the boundary. Schema lives next to the route:
 
-Agents hand off to each other — after coding, audit; after audit, refactor; after refactor, annotate.
+```ts
+const CreateTrackSchema = z.object({
+  title:    z.string().min(1).max(255),
+  artistId: z.string().uuid(),
+})
+```
 
-## Instruction files
+Never pass unvalidated `req.body` or `req.json()` into the domain.
 
-Scoped instructions are injected automatically:
+## Errors
 
-| File | Active for |
-|------|-----------|
-| `tsfpp-base.instructions.md` | All `.ts` files |
-| `tsfpp-prelude.instructions.md` | All `.ts` files |
-| `tsfpp-react.instructions.md` | All `.tsx` files |
-| `tsfpp-api.instructions.md` | Routes, handlers, API files |
+```ts
+// Yes — Result propagates; mapped once at the boundary
+const result: Result<Track, ApiError> = await createTrack(input)
+return pipe(result, fold(apiErrorToResponse, createdResponse))
+
+// No — throw crosses the boundary untyped
+throw new Error('not found')
+```
+
+## Context
+
+```ts
+const { traceId, principalId } = extractContext(req)
+// Never: req.headers.get('x-trace-id') in business logic
+```
+
+## Status codes
+
+| Situation | Code | Builder |
+|-----------|------|---------|
+| Read success | 200 | `okResponse` |
+| Created | 201 | `createdResponse` |
+| Accepted (async) | 202 | `acceptedResponse` |
+| No content | 204 | `noContentResponse` |
+| Validation failure | 422 | `fromZodError` |
+| Not found | 404 | `problemResponse(mkProblem(404, ...))` |
+| Conflict | 409 | `problemResponse(mkProblem(409, ...))` |
+| Server error | 500 | `problemResponse(mkProblem(500, ...))` |
+
+## Security
+
+- All routes require authentication unless explicitly marked `// PUBLIC`
+- Never log `principalId`, credentials, or request bodies at `info` level
+- Never reflect user input in error messages without sanitisation
+- Idempotency keys required on mutating operations — use `withIdempotency`

package/copilot/instructions/tsfpp-api.instructions.md

@@ -4,7 +4,7 @@ applyTo: "{**/routes/**,**/handlers/**,**/api/**}/*.ts"
 
 # TSF++ API rules
 
-Full standard: `node_modules/@tsfpp/standard/API_CODING_STANDARD.md`
+Full standard: `node_modules/@tsfpp/standard/spec/API_CODING_STANDARD.md`
 Boundary API: `node_modules/@tsfpp/boundary/README.md`
 Extends: tsfpp-base.instructions.md (all base rules apply)
 

package/copilot/instructions/tsfpp-base.instructions.md

@@ -4,7 +4,7 @@ applyTo: "**/*.ts"
 
 # TSF++ core rules
 
-Full standard: `node_modules/@tsfpp/standard/CODING_STANDARD.md`
+Full standard: `node_modules/@tsfpp/standard/spec/CODING_STANDARD.md`
 
 ## Never
 

package/copilot/instructions/tsfpp-react.instructions.md

@@ -4,7 +4,7 @@ applyTo: "**/*.tsx"
 
 # TSF++ React rules
 
-Full standard: `node_modules/@tsfpp/standard/REACT_CODING_STANDARD.md`
+Full standard: `node_modules/@tsfpp/standard/spec/REACT_CODING_STANDARD.md`
 Extends: tsfpp-base.instructions.md (all base rules apply to `.tsx` too)
 
 ## Component shape

package/copilot/prompts/tsfpp-boundary-review.prompt.md

@@ -1,152 +1,111 @@
 ---
-description: Scaffolds a new TSF++-compliant module with types, smart constructors, exports, JSDoc, and a test file skeleton.
-name: TSF++ new module
-argument-hint: "module=<name> layer=<core|api|dal|react> description=<one sentence>"
+description: Targeted review of API boundary code against @tsfpp/boundary patterns and the API coding standard. Faster than a full audit — no report file, inline findings only.
+name: TSF++ boundary review
+argument-hint: "File(s) or directory to review, e.g. src/routes/tracks.ts"
 agent: agent
 tools:
-  - edit/createFile
-  - edit/editFiles
-  - read/readFile
-  - search/fileSearch
+  - read
+  - search/codebase
+  - search/textSearch
+  - search/usages
   - vscode/askQuestions
 ---
 
-# TSF++ new module
+# TSF++ boundary review
 
-Scaffold a new TSF++-compliant module from scratch.
+A focused, read-only review of API handler and route code against the `@tsfpp/boundary` patterns and the API coding standard.
 
-The canonical standard is at `node_modules/@tsfpp/standard/CODING_STANDARD.md`.
-The prelude API is at `node_modules/@tsfpp/prelude/README.md`.
+The API standard is at `node_modules/@tsfpp/standard/spec/API_CODING_STANDARD.md`.
+The boundary API surface is at `node_modules/@tsfpp/boundary/README.md` and `node_modules/@tsfpp/boundary/RECIPES.md`.
+
+> Read only. No file edits. Findings are reported inline in chat.
+> For a full audit with a tracked report, use the `tsfpp-audit` agent with `focus: boundary`.
 
 ---
 
-## Required inputs
+## Required input
 
-If any of the following are missing, ask for them before proceeding:
+If a target has not been provided, ask:
 
-- **Module name** — e.g. `track`, `artist`, `audio-asset`
-- **Layer** — `core` · `api` · `dal` · `react`
-- **Domain description** — one sentence: what does this module represent or do?
+> Which file(s) or directory should I review? (e.g. `src/routes/tracks.ts`, `src/routes/`)
 
 ---
 
-## What to generate
-
-### 1. Source file — `src/<layer>/<module-name>.ts`
-
-```ts
-/**
- * @module <module-name>
- *
- * <Domain description>.
- *
- * @packageDocumentation
- */
-
-import { type Option, type Result, some, none, ok, err } from '@tsfpp/prelude'
-
-// ─── Types ────────────────────────────────────────────────────────────────────
-
-/**
- * <What this branded type represents in the domain.>
- */
-export type <ModuleName>Id = Brand<string, '<ModuleName>Id'>
-
-/**
- * <What this sum type represents. List variants.>
- */
-export type <ModuleName> = {
-  readonly id:        <ModuleName>Id
-  readonly <field>:   <Type>
-  // … additional fields
-}
-
-// ─── Errors ───────────────────────────────────────────────────────────────────
-
-/**
- * Errors that can occur when working with <ModuleName> values.
- */
-export type <ModuleName>Error =
-  | { readonly kind: 'invalid_id';    readonly raw: string }
-  | { readonly kind: 'not_found';     readonly id:  <ModuleName>Id }
-
-// ─── Smart constructors ───────────────────────────────────────────────────────
-
-/**
- * Constructs a validated {@link <ModuleName>Id} from a raw string.
- *
- * @param raw - The raw string to validate.
- * @returns `some` with a branded id when valid; `none` when the format is invalid.
- *
- * @example
- * const id = mk<ModuleName>Id('abc-123')
- * // => some(<ModuleName>Id)
- */
-export const mk<ModuleName>Id = (raw: string): Option<<ModuleName>Id> =>
-  raw.length > 0 ? some(raw as <ModuleName>Id) : none
-
-/**
- * Constructs a {@link <ModuleName>} from validated inputs.
- *
- * @param params - Validated field values.
- * @returns `ok` with the constructed value; `err` with a typed error on validation failure.
- */
-export const mk<ModuleName> = (params: {
-  readonly id:      <ModuleName>Id
-  readonly <field>: <Type>
-}): Result<<ModuleName>, <ModuleName>Error> => {
-  // validate invariants here
-  return ok(params)
-}
-```
+## Checklist
 
-### 2. Test file — `src/<layer>/<module-name>.test.ts`
-
-```ts
-import { describe, expect, it } from 'vitest'
-import { isSome, isNone, isOk, isErr } from '@tsfpp/prelude'
-import { mk<ModuleName>Id, mk<ModuleName> } from './<module-name>'
-
-describe('mk<ModuleName>Id', () => {
-  it('returns some for a valid id', () => {
-    expect(isSome(mk<ModuleName>Id('abc-123'))).toBe(true)
-  })
-
-  it('returns none for an empty string', () => {
-    expect(isNone(mk<ModuleName>Id(''))).toBe(true)
-  })
-})
-
-describe('mk<ModuleName>', () => {
-  it('returns ok for valid inputs', () => {
-    // arrange
-    // act
-    // assert
-  })
-
-  it('returns err for invalid inputs', () => {
-    // arrange
-    // act
-    // assert
-  })
-})
-```
+Review every handler in the target against each item below. Report findings as a table at the end.
 
----
+### Handler shape
+
+- [ ] Handler is a pure function: `(req: Request) => Promise<Response>`
+- [ ] Only three steps: parse → call use-case → map response
+- [ ] No business logic inside the handler body
+- [ ] No database calls, logging setup, or infrastructure imports in the handler
+
+### Context extraction
+
+- [ ] `extractContext` used to obtain `traceId` and `principalId`
+- [ ] Raw headers (`req.headers.get(...)`) not accessed in business logic
+- [ ] `traceId` passed to all `mkProblem` calls
+
+### Input validation
+
+- [ ] All input validated with a Zod schema before entering the domain
+- [ ] Schema defined adjacent to the route, not inline in the handler
+- [ ] `fromZodError` used to map `ZodError` to a typed response
+- [ ] No unvalidated `req.json()` or `req.body` passed to the domain
+
+### Response builders
+
+- [ ] `okResponse` used for 200
+- [ ] `createdResponse` used for 201
+- [ ] `acceptedResponse` used for 202 (async operations)
+- [ ] `noContentResponse` used for 204
+- [ ] `problemResponse(mkProblem(...))` used for 4xx/5xx
+- [ ] `new Response(...)` not constructed directly in a handler
+
+### Error mapping
 
-## Rules
+- [ ] `apiErrorToResponse` used as the single error mapping point
+- [ ] No `throw` or `try/catch` in the handler body
+- [ ] `fold` or `pipe` used to map `Result` to a response — no manual `if (isErr(...))` branching
 
-- Never use placeholder comments like `// TODO: implement` in the source file — either implement it or use a properly formatted `// TODO(unknown, <date>): <reason>` marker.
-- The error union must cover every failure mode the smart constructors can produce.
-- Every exported symbol must have a JSDoc block before the file is considered complete.
-- Test file must have at least one passing case and one failing case per smart constructor.
-- Follow layer-specific constraints from `tsfpp-guarded-coding` for the specified layer.
+### Security baseline
+
+- [ ] Route requires authentication unless marked `// PUBLIC`
+- [ ] `principalId` not logged at `info` level
+- [ ] No user input reflected in error `detail` fields without sanitisation
+- [ ] Mutating routes (`POST`, `PUT`, `PATCH`, `DELETE`) have idempotency handling or a documented reason why it is not needed
+
+### Imports
+
+- [ ] All boundary primitives imported from `@tsfpp/boundary`
+- [ ] No boundary primitives re-implemented locally
 
 ---
 
-## Completion
+## Output format
+
+Report findings as a table per handler:
+
+```
+## `POST /v1/tracks` — createTrackHandler
+
+| Check | Status | Finding |
+|-------|--------|---------|
+| Handler shape | ✅ | — |
+| Context extraction | ⚠️ | `req.headers.get('x-trace-id')` used directly on line 14 |
+| Input validation | ✅ | — |
+| Response builders | ❌ | `new Response(JSON.stringify(...), { status: 200 })` on line 31 |
+| Error mapping | ✅ | — |
+| Security baseline | ✅ | — |
+| Imports | ✅ | — |
+```
+
+After all handlers, append a one-line summary:
+
+```
+3 handlers reviewed · 2 findings · 1 clean
+```
 
-Report:
-1. Files created and their paths
-2. Exported symbols and their types
-3. Any invariants that still need implementing (listed as `TODO` markers in the source)
+If no findings are found, say so explicitly — do not omit the summary.

package/copilot/prompts/tsfpp-new-module.prompt.md

@@ -15,7 +15,7 @@ tools:
 
 Scaffold a new TSF++-compliant module from scratch.
 
-The canonical standard is at `node_modules/@tsfpp/standard/CODING_STANDARD.md`.
+The canonical standard is at `node_modules/@tsfpp/standard/spec/CODING_STANDARD.md`.
 The prelude API is at `node_modules/@tsfpp/prelude/README.md`.
 
 ---

package/init.mjs

@@ -2,19 +2,20 @@
 /**
  * @tsfpp/agents init
  *
- * Copies Copilot instructions, chatmodes, prompts, and CLAUDE.md
- * into the correct locations in the consumer's project.
+ * Copies Copilot agents, instructions, prompts, and Claude Code configuration
+ * into the correct locations in the consumer's project. Also generates
+ * eslint.config.js if not already present.
  *
  * Usage:
  *   pnpm dlx @tsfpp/agents           (one-shot, no install)
  *   node node_modules/@tsfpp/agents/init.mjs
  */
 
-import { copyFile, mkdir, readFile, writeFile } from 'node:fs/promises';
-import { existsSync }                            from 'node:fs';
-import { join, dirname }                          from 'node:path';
-import { fileURLToPath }                          from 'node:url';
-import { createInterface }                        from 'node:readline';
+import { copyFile, mkdir, readFile, readdir, writeFile } from 'node:fs/promises';
+import { existsSync }                  from 'node:fs';
+import { join, dirname }               from 'node:path';
+import { fileURLToPath }               from 'node:url';
+import { createInterface }             from 'node:readline';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const cwd       = process.cwd();
@@ -48,33 +49,149 @@ const FILES = [
   ['copilot/prompts/tsfpp-boundary-review.prompt.md',    '.github/prompts/tsfpp-boundary-review.prompt.md'],
 
   // Claude Code
-  ['claude/CLAUDE.md',                                   'CLAUDE.md'],
+  ['claude/CLAUDE.md',                                   '.claude/CLAUDE.md'],
 ];
 
+// ─── ESLint config generation ─────────────────────────────────────────────────
+
+const PROFILES = {
+  base:  { import: `import tsfpp from '@tsfpp/eslint-config'`,            spread: 'tsfpp' },
+  react: { import: `import tsfppReact from '@tsfpp/eslint-config/react'`, spread: 'tsfppReact' },
+  api:   { import: `import tsfppApi from '@tsfpp/eslint-config/api'`,     spread: 'tsfppApi' },
+};
+
+async function detectWorkspacePackages() {
+  const wsFile = join(cwd, 'pnpm-workspace.yaml');
+  if (!existsSync(wsFile)) return null;
+
+  const yaml     = await readFile(wsFile, 'utf8');
+  const patterns = [...yaml.matchAll(/^\s*-\s*['"]?([^'"#\n]+?)['"]?\s*$/gm)]
+    .map(m => m[1].trim().replace(/\/\*\*?$/, '')); // strip trailing /* or /**
+
+  const packages = [];
+  for (const pattern of patterns) {
+    const absPattern = join(cwd, pattern);
+    if (!existsSync(absPattern)) continue;
+    const entries = await readdir(absPattern, { withFileTypes: true });
+    for (const entry of entries) {
+      if (entry.isDirectory()) packages.push(`${pattern}/${entry.name}`);
+    }
+  }
+  return packages.length > 0 ? packages : null;
+}
+
+async function askProfile(label) {
+  console.log(`\n  Profile for ${bold(label)}:`);
+  console.log(`  ${dim('1')} base  ${dim('— TypeScript / Node.js')}`);
+  console.log(`  ${dim('2')} react ${dim('— React / TSX')}`);
+  console.log(`  ${dim('3')} api   ${dim('— HTTP API / Node.js servers')}`);
+  const choice = await ask(`  ${dim('[1/2/3, default: 1]')} `);
+  return choice === '2' ? 'react' : choice === '3' ? 'api' : 'base';
+}
+
+function generateMonorepoConfig(packageProfiles) {
+  // Collect which profiles are used
+  const usedProfiles = [...new Set(Object.values(packageProfiles))];
+
+  const imports = usedProfiles.map(p => PROFILES[p].import).join('\n');
+
+  // base spreads globally (no files filter); react/api are scoped per package
+  const basePackages = Object.entries(packageProfiles)
+    .filter(([, p]) => p === 'base')
+    .map(([pkg]) => `'${pkg}/src/**'`);
+
+  const scopedProfiles = ['react', 'api'].flatMap(profile => {
+    const pkgs = Object.entries(packageProfiles)
+      .filter(([, p]) => p === profile)
+      .map(([pkg]) => `'${pkg}/src/**'`);
+    if (pkgs.length === 0) return [];
+    const spread = PROFILES[profile].spread;
+    return [
+      `  // ${profile}`,
+      `  ...${spread}.map(c => ({ ...c, files: [${pkgs.join(', ')}] })),`,
+    ];
+  });
+
+  const baseSpread = basePackages.length > 0
+    ? `  // base\n  ...tsfpp.map(c => ({ ...c, files: [${basePackages.join(', ')}] })),`
+    : `  // base — applies to all files not matched by a scoped profile\n  ...tsfpp,`;
+
+  return [
+    imports,
+    '',
+    'export default [',
+    baseSpread,
+    ...scopedProfiles,
+    ']',
+    '',
+  ].join('\n');
+}
+
+function generateSingleConfig(profile) {
+  const { import: imp, spread } = PROFILES[profile];
+  return `${imp}\nexport default [...${spread}]\n`;
+}
+
+async function writeEslintConfig() {
+  const packages = await detectWorkspacePackages();
+
+  let content;
+  let description;
+
+  if (packages) {
+    console.log(`\n  Monorepo detected — ${packages.length} package(s) found.\n`);
+    const packageProfiles = {};
+    for (const pkg of packages) {
+      packageProfiles[pkg] = await askProfile(pkg);
+    }
+    content     = generateMonorepoConfig(packageProfiles);
+    description = 'monorepo';
+  } else {
+    const profile = await askProfile('this project');
+    content       = generateSingleConfig(profile);
+    description   = `profile: ${profile}`;
+  }
+
+  try {
+    await writeFile(join(cwd, 'eslint.config.js'), content, 'utf8');
+    results.copied.push('eslint.config.js');
+    console.log(`\n  ${green('✓')} eslint.config.js ${dim(`(${description})`)}`);
+  } catch (err) {
+    results.failed.push('eslint.config.js');
+    console.log(`\n  \x1b[31m✗\x1b[0m eslint.config.js ${dim(`(${err.message})`)}`);
+  }
+}
+
 // ─── Helpers ─────────────────────────────────────────────────────────────────
 
 async function ensureDir(filePath) {
   await mkdir(dirname(filePath), { recursive: true });
 }
 
-async function confirm(question) {
+async function ask(question) {
   const rl = createInterface({ input: process.stdin, output: process.stdout });
   return new Promise((resolve) => {
     rl.question(question, (answer) => {
       rl.close();
-      resolve(answer.trim().toLowerCase() === 'y');
+      resolve(answer.trim().toLowerCase());
     });
   });
 }
 
+async function confirm(question) {
+  return (await ask(question)) === 'y';
+}
+
 // ─── Main ─────────────────────────────────────────────────────────────────────
 
 console.log();
 console.log(bold('  @tsfpp/agents — init'));
-console.log(dim('  Copies Copilot and Claude Code configuration into your project.\n'));
+console.log(dim('  Sets up Copilot agents, instructions, and ESLint config.\n'));
 
 const results = { copied: [], skipped: [], failed: [] };
 
+// ── Copy files ────────────────────────────────────────────────────────────────
+
 for (const [src, dest] of FILES) {
   const srcPath  = join(__dirname, src);
   const destPath = join(cwd, dest);
@@ -101,7 +218,128 @@ for (const [src, dest] of FILES) {
   }
 }
 
-// ─── Summary ─────────────────────────────────────────────────────────────────
+// ── Generate eslint.config.js ─────────────────────────────────────────────────
+
+console.log();
+
+const eslintDest = join(cwd, 'eslint.config.js');
+
+if (existsSync(eslintDest)) {
+  const overwrite = await confirm(
+    `  ${yellow('!')} eslint.config.js already exists. Overwrite? ${dim('[y/N]')} `
+  );
+  if (!overwrite) {
+    results.skipped.push('eslint.config.js');
+    console.log(`  ${dim('–')} ${dim('eslint.config.js')} ${dim('(skipped)')}`);
+  } else {
+    await writeEslintConfig();
+  }
+} else {
+  await writeEslintConfig();
+}
+
+async function writeEslintConfig() {
+  console.log(`  Which ESLint profile does this project use?`);
+  console.log(`  ${dim('1')} base  ${dim('— TypeScript / Node.js')}`);
+  console.log(`  ${dim('2')} react ${dim('— React / TSX')}`);
+  console.log(`  ${dim('3')} api   ${dim('— HTTP API / Node.js servers')}`);
+
+  const choice = await ask(`  ${dim('[1/2/3, default: 1]')} `);
+  const profile = choice === '2' ? 'react' : choice === '3' ? 'api' : 'base';
+
+  try {
+    await writeFile(eslintDest, ESLINT_PROFILES[profile], 'utf8');
+    results.copied.push('eslint.config.js');
+    console.log(`  ${green('✓')} eslint.config.js ${dim(`(profile: ${profile})`)}`);
+  } catch (err) {
+    results.failed.push('eslint.config.js');
+    console.log(`  \x1b[31m✗\x1b[0m eslint.config.js ${dim(`(${err.message})`)}`);
+  }
+}
+
+// ── Generate tsconfig.json ────────────────────────────────────────────────────
+
+console.log();
+
+await writeTsConfigs(await detectWorkspacePackages());
+
+async function writeTsConfigs(packages) {
+  const PRESETS = {
+    app: { extends: '@tsfpp/tsconfig/app', label: 'app — application / tool (noEmit)' },
+    lib: { extends: '@tsfpp/tsconfig/lib', label: 'lib — publishable package (declaration, composite)' },
+  };
+
+  async function askPreset(label) {
+    console.log(`\n  tsconfig preset for ${bold(label)}:`);
+    console.log(`  ${dim('1')} app ${dim('— application / tool (noEmit: true)')}`);
+    console.log(`  ${dim('2')} lib ${dim('— publishable package (declaration, composite)')}`);
+    const choice = await ask(`  ${dim('[1/2, default: 1]')} `);
+    return choice === '2' ? 'lib' : 'app';
+  }
+
+  function generateTsConfig(preset, extra = {}) {
+    return JSON.stringify({
+      extends: PRESETS[preset].extends,
+      compilerOptions: { rootDir: 'src', ...extra },
+      include: ['src'],
+    }, null, 2) + '\n';
+  }
+
+  function generateRootTsConfig(packagePaths) {
+    return JSON.stringify({
+      files: [],
+      references: packagePaths.map(p => ({ path: p })),
+    }, null, 2) + '\n';
+  }
+
+  async function writeIfConfirmed(destPath, content, label) {
+    if (existsSync(destPath)) {
+      const overwrite = await confirm(
+        `  ${yellow('!')} ${label} already exists. Overwrite? ${dim('[y/N]')} `
+      );
+      if (!overwrite) {
+        results.skipped.push(label);
+        console.log(`  ${dim('–')} ${dim(label)} ${dim('(skipped)')}`);
+        return;
+      }
+    }
+    try {
+      await ensureDir(destPath);
+      await writeFile(destPath, content, 'utf8');
+      results.copied.push(label);
+      console.log(`  ${green('✓')} ${label}`);
+    } catch (err) {
+      results.failed.push(label);
+      console.log(`  \x1b[31m✗\x1b[0m ${label} ${dim(`(${err.message})`)}`);
+    }
+  }
+
+  if (packages) {
+    // Monorepo: tsconfig per package + root references
+    console.log(`  Generating tsconfig.json per package.\n`);
+    const packagePresets = {};
+    for (const pkg of packages) {
+      packagePresets[pkg] = await askPreset(pkg);
+    }
+
+    for (const [pkg, preset] of Object.entries(packagePresets)) {
+      const destPath = join(cwd, pkg, 'tsconfig.json');
+      const content  = generateTsConfig(preset);
+      await writeIfConfirmed(destPath, content, `${pkg}/tsconfig.json`);
+    }
+
+    // Root references tsconfig
+    const rootDest    = join(cwd, 'tsconfig.json');
+    const rootContent = generateRootTsConfig(packages);
+    await writeIfConfirmed(rootDest, rootContent, 'tsconfig.json (root references)');
+  } else {
+    // Single package
+    const preset  = await askPreset('this project');
+    const dest    = join(cwd, 'tsconfig.json');
+    const content = generateTsConfig(preset);
+    await writeIfConfirmed(dest, content, 'tsconfig.json');
+  }
+}
 
 console.log();
 console.log(dim('  ─────────────────────────────────────────'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tsfpp/agents",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Workspace AI tooling for TSF++ projects: scoped instructions, coding agents, and reusable prompts",
   "keywords": [
     "tsfpp",