npm - claude-code-starter - Versions diffs - 0.14.0 → 0.15.0 - Mend

claude-code-starter 0.14.0 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.js +482 -245
package/package.json +1 -1

package/dist/cli.js CHANGED Viewed

@@ -2,8 +2,8 @@
 // src/cli.ts
 import { execSync, spawn } from "child_process";
-import fs3 from "fs";
-import path3 from "path";
+import fs5 from "fs";
+import path5 from "path";
 import { fileURLToPath } from "url";
 import ora from "ora";
 import pc from "picocolors";
@@ -511,38 +511,12 @@ function countSourceFiles(rootDir, _languages) {
   countFiles(rootDir);
   return count;
 }
-function summarizeTechStack(stack) {
-  const parts = [];
-  if (stack.primaryLanguage) {
-    parts.push(`Language: ${stack.primaryLanguage}`);
-  }
-  if (stack.primaryFramework) {
-    parts.push(`Framework: ${stack.primaryFramework}`);
-  }
-  if (stack.packageManager) {
-    parts.push(`Package Manager: ${stack.packageManager}`);
-  }
-  if (stack.testingFramework) {
-    parts.push(`Testing: ${stack.testingFramework}`);
-  }
-  if (stack.isMonorepo) {
-    parts.push("Monorepo: yes");
-  }
-  return parts.join(" | ");
-}
 // src/generator.ts
 import fs2 from "fs";
 import path2 from "path";
 function ensureDirectories(rootDir) {
-  const dirs = [
-    ".claude",
-    ".claude/skills",
-    ".claude/agents",
-    ".claude/rules",
-    ".claude/commands",
-    ".claude/state"
-  ];
+  const dirs = [".claude", ".claude/skills", ".claude/agents", ".claude/rules", ".claude/commands"];
   for (const dir of dirs) {
     fs2.mkdirSync(path2.join(rootDir, dir), { recursive: true });
   }
@@ -625,6 +599,239 @@ function writeSettings(rootDir, stack) {
   fs2.writeFileSync(fullPath, content);
 }
+// src/hooks.ts
+import fs3 from "fs";
+import path3 from "path";
+var HOOK_SCRIPT = String.raw`#!/usr/bin/env node
+/**
+ * Block Dangerous Commands - PreToolUse Hook for Bash
+ * Blocks dangerous patterns before execution.
+ *
+ * SAFETY_LEVEL: 'critical' | 'high' | 'strict'
+ *   critical - Only catastrophic: rm -rf ~, dd to disk, fork bombs
+ *   high     - + risky: force push main, secrets exposure, git reset --hard
+ *   strict   - + cautionary: any force push, sudo rm, docker prune
+ */
+const fs = require('fs');
+const path = require('path');
+const SAFETY_LEVEL = 'high';
+const PATTERNS = [
+  // CRITICAL — Catastrophic, unrecoverable
+  // Filesystem destruction
+  { level: 'critical', id: 'rm-home',          regex: /\brm\s+(-.+\s+)*["']?~\/?["']?(\s|$|[;&|])/,                        reason: 'rm targeting home directory' },
+  { level: 'critical', id: 'rm-home-var',      regex: /\brm\s+(-.+\s+)*["']?\$HOME["']?(\s|$|[;&|])/,                      reason: 'rm targeting $HOME' },
+  { level: 'critical', id: 'rm-home-trailing', regex: /\brm\s+.+\s+["']?(~\/?|\$HOME)["']?(\s*$|[;&|])/,                   reason: 'rm with trailing ~/ or $HOME' },
+  { level: 'critical', id: 'rm-root',          regex: /\brm\s+(-.+\s+)*\/(\*|\s|$|[;&|])/,                                 reason: 'rm targeting root filesystem' },
+  { level: 'critical', id: 'rm-system',        regex: /\brm\s+(-.+\s+)*\/(etc|usr|var|bin|sbin|lib|boot|dev|proc|sys)(\/|\s|$)/, reason: 'rm targeting system directory' },
+  { level: 'critical', id: 'rm-cwd',           regex: /\brm\s+(-.+\s+)*(\.\/?|\*|\.\/\*)(\s|$|[;&|])/,                     reason: 'rm deleting current directory contents' },
+  // Disk operations
+  { level: 'critical', id: 'dd-disk',          regex: /\bdd\b.+of=\/dev\/(sd[a-z]|nvme|hd[a-z]|vd[a-z]|xvd[a-z])/,         reason: 'dd writing to disk device' },
+  { level: 'critical', id: 'mkfs',             regex: /\bmkfs(\.\w+)?\s+\/dev\/(sd[a-z]|nvme|hd[a-z]|vd[a-z])/,            reason: 'mkfs formatting disk' },
+  { level: 'critical', id: 'fdisk',            regex: /\b(fdisk|wipefs|parted)\s+\/dev\//,                                   reason: 'disk partitioning/wiping operation' },
+  // Shell exploits
+  { level: 'critical', id: 'fork-bomb',        regex: /:\(\)\s*\{.*:\s*\|\s*:.*&/,                                         reason: 'fork bomb detected' },
+  // Git — history destruction
+  { level: 'critical', id: 'git-filter',       regex: /\bgit\s+(filter-branch|filter-repo)\b/,                              reason: 'git history rewriting blocked' },
+  { level: 'critical', id: 'git-reflog-exp',   regex: /\bgit\s+(reflog\s+expire|gc\s+--prune|prune)\b/,                     reason: 'removes git recovery safety net' },
+  // HIGH — Significant risk, data loss, security exposure
+  // Remote code execution
+  { level: 'high', id: 'curl-pipe-sh',         regex: /\b(curl|wget)\b.+\|\s*(ba)?sh\b/,                                   reason: 'piping URL to shell (RCE risk)' },
+  // Git — destructive operations
+  { level: 'high', id: 'git-force-main',       regex: /\bgit\s+push\b(?!.+--force-with-lease).+(--force|-f)\b.+\b(main|master)\b/, reason: 'force push to main/master' },
+  { level: 'high', id: 'git-reset-hard',       regex: /\bgit\s+reset\s+--hard/,                                            reason: 'git reset --hard loses uncommitted work' },
+  { level: 'high', id: 'git-clean-f',          regex: /\bgit\s+clean\s+(-\w*f|-f)/,                                        reason: 'git clean -f deletes untracked files' },
+  { level: 'high', id: 'git-no-verify',        regex: /\bgit\b.+--no-verify/,                                              reason: '--no-verify skips safety hooks' },
+  { level: 'high', id: 'git-stash-destruct',   regex: /\bgit\s+stash\s+(drop|clear|pop)\b/,                                reason: 'destructive git stash operation' },
+  { level: 'high', id: 'git-branch-D',         regex: /\bgit\s+branch\s+(-D|--delete\s+--force)\b/,                        reason: 'git branch -D force-deletes branch' },
+  { level: 'high', id: 'git-checkout-force',   regex: /\bgit\s+checkout\s+(-f|--\s+\.)/,                                   reason: 'git checkout -f/-- . discards changes' },
+  { level: 'high', id: 'git-restore-destruct', regex: /\bgit\s+restore\s+(--staged\s+--worktree|\.)/,                      reason: 'git restore discards changes' },
+  { level: 'high', id: 'git-update-ref',       regex: /\bgit\s+(update-ref|symbolic-ref|replace)\b/,                       reason: 'git ref manipulation blocked' },
+  { level: 'high', id: 'git-config-global',    regex: /\bgit\s+config\s+--(global|system)\b/,                              reason: 'git global/system config blocked' },
+  { level: 'high', id: 'git-tag-delete',       regex: /\bgit\s+tag\s+(-d|--delete)\b/,                                    reason: 'git tag deletion blocked' },
+  // Git — write operations (user handles manually)
+  { level: 'high', id: 'git-push',             regex: /\bgit\s+push\b/,                                                    reason: 'git push blocked — user handles manually' },
+  { level: 'high', id: 'git-pull',             regex: /\bgit\s+pull\b/,                                                    reason: 'git pull blocked — user handles manually' },
+  { level: 'high', id: 'git-fetch',            regex: /\bgit\s+fetch\b/,                                                   reason: 'git fetch blocked — user handles manually' },
+  { level: 'high', id: 'git-clone',            regex: /\bgit\s+clone\b/,                                                   reason: 'git clone blocked — user handles manually' },
+  { level: 'high', id: 'git-add',              regex: /\bgit\s+(add|stage)\b/,                                             reason: 'git add/stage blocked — user handles manually' },
+  { level: 'high', id: 'git-commit',           regex: /\bgit\s+commit\b/,                                                  reason: 'git commit blocked — user handles manually' },
+  { level: 'high', id: 'git-merge',            regex: /\bgit\s+merge\b/,                                                   reason: 'git merge blocked — user handles manually' },
+  { level: 'high', id: 'git-rebase',           regex: /\bgit\s+rebase\b/,                                                  reason: 'git rebase blocked — user handles manually' },
+  { level: 'high', id: 'git-reset',            regex: /\bgit\s+reset\b/,                                                   reason: 'git reset blocked — user handles manually' },
+  { level: 'high', id: 'git-remote-mod',       regex: /\bgit\s+remote\s+(add|set-url|remove)\b/,                           reason: 'git remote modification blocked' },
+  { level: 'high', id: 'git-submodule',        regex: /\bgit\s+submodule\s+(add|update)\b/,                                reason: 'git submodule operation blocked' },
+  // Credentials & secrets
+  { level: 'high', id: 'chmod-777',            regex: /\bchmod\b.+\b777\b/,                                                reason: 'chmod 777 is a security risk' },
+  { level: 'high', id: 'cat-env',              regex: /\b(cat|less|head|tail|more)\s+\.env\b/,                             reason: 'reading .env file exposes secrets' },
+  { level: 'high', id: 'cat-secrets',          regex: /\b(cat|less|head|tail|more)\b.+(credentials|secrets?|\.pem|\.key|id_rsa|id_ed25519)/i, reason: 'reading secrets file' },
+  { level: 'high', id: 'env-dump',             regex: /\b(printenv|^env)\s*([;&|]|$)/,                                     reason: 'env dump may expose secrets' },
+  { level: 'high', id: 'echo-secret',          regex: /\becho\b.+\$\w*(SECRET|KEY|TOKEN|PASSWORD|API_|PRIVATE)/i,          reason: 'echoing secret variable' },
+  { level: 'high', id: 'rm-ssh',               regex: /\brm\b.+\.ssh\/(id_|authorized_keys|known_hosts)/,                  reason: 'deleting SSH keys' },
+  { level: 'high', id: 'security-keychain',    regex: /\bsecurity\s+find-generic-password\b/,                              reason: 'keychain access blocked' },
+  { level: 'high', id: 'gpg-export-secret',    regex: /\bgpg\s+--export-secret-keys\b/,                                   reason: 'GPG secret key export blocked' },
+  { level: 'high', id: 'history-cmd',          regex: /\bhistory\b/,                                                       reason: 'history may expose secrets' },
+  // Destructive system commands
+  { level: 'high', id: 'elevated-priv',        regex: /\b(sudo|doas|pkexec)\b/,                                            reason: 'elevated privilege command blocked' },
+  { level: 'high', id: 'su-cmd',               regex: /\bsu\b/,                                                            reason: 'su (switch user) blocked' },
+  { level: 'high', id: 'chmod-R',              regex: /\bchmod\s+(-\w*R|-R)/,                                              reason: 'recursive chmod blocked' },
+  { level: 'high', id: 'chown-R',              regex: /\bchown\s+(-\w*R|-R)/,                                              reason: 'recursive chown blocked' },
+  { level: 'high', id: 'kill-all',             regex: /\bkill\s+-9\s+-1\b/,                                                reason: 'kill all processes blocked' },
+  { level: 'high', id: 'killall',              regex: /\b(killall|pkill\s+-9)\b/,                                          reason: 'mass process killing blocked' },
+  { level: 'high', id: 'truncate-zero',        regex: /\btruncate\s+-s\s*0\b/,                                             reason: 'truncating file to zero blocked' },
+  { level: 'high', id: 'empty-file',           regex: /\bcat\s+\/dev\/null\s*>/,                                           reason: 'emptying file via /dev/null blocked' },
+  { level: 'high', id: 'crontab-r',            regex: /\bcrontab\s+-r/,                                                    reason: 'removes all cron jobs' },
+  // Docker
+  { level: 'high', id: 'docker-vol-rm',        regex: /\bdocker\s+volume\s+(rm|prune)/,                                    reason: 'docker volume deletion loses data' },
+  { level: 'high', id: 'docker-push',          regex: /\bdocker\s+push\b/,                                                 reason: 'docker push blocked' },
+  { level: 'high', id: 'docker-rm-all',        regex: /\bdocker\s+rm\s+-f\b.+\$\(docker\s+ps/,                             reason: 'docker rm all containers blocked' },
+  { level: 'high', id: 'docker-sys-prune-a',   regex: /\bdocker\s+system\s+prune\s+-a/,                                    reason: 'docker system prune -a blocked' },
+  { level: 'high', id: 'docker-compose-destr', regex: /\bdocker[\s-]compose\s+down\s+(-v|--rmi)/,                           reason: 'docker-compose destructive down blocked' },
+  // Publishing & deployment
+  { level: 'high', id: 'npm-publish',          regex: /\bnpm\s+(publish|unpublish|deprecate)\b/,                            reason: 'npm publishing blocked' },
+  { level: 'high', id: 'npm-audit-force',      regex: /\bnpm\s+audit\s+fix\s+--force\b/,                                   reason: 'npm audit fix --force can break deps' },
+  { level: 'high', id: 'cargo-publish',        regex: /\bcargo\s+publish\b/,                                               reason: 'cargo publish blocked' },
+  { level: 'high', id: 'pip-twine-upload',     regex: /\b(pip|twine)\s+upload\b/,                                          reason: 'Python package upload blocked' },
+  { level: 'high', id: 'gem-push',             regex: /\bgem\s+push\b/,                                                    reason: 'gem push blocked' },
+  { level: 'high', id: 'pod-push',             regex: /\bpod\s+trunk\s+push\b/,                                            reason: 'pod trunk push blocked' },
+  { level: 'high', id: 'vercel-prod',          regex: /\bvercel\b.+--prod/,                                                reason: 'vercel production deploy blocked' },
+  { level: 'high', id: 'netlify-prod',         regex: /\bnetlify\s+deploy\b.+--prod/,                                      reason: 'netlify production deploy blocked' },
+  { level: 'high', id: 'fly-deploy',           regex: /\bfly\s+deploy\b/,                                                  reason: 'fly deploy blocked' },
+  { level: 'high', id: 'firebase-deploy',      regex: /\bfirebase\s+deploy\b/,                                             reason: 'firebase deploy blocked' },
+  { level: 'high', id: 'terraform',            regex: /\bterraform\s+(apply|destroy)\b/,                                   reason: 'terraform apply/destroy blocked' },
+  { level: 'high', id: 'pulumi-cdktf',         regex: /\b(pulumi|cdktf)\s+destroy\b/,                                      reason: 'infrastructure destroy blocked' },
+  { level: 'high', id: 'kubectl-mutate',       regex: /\bkubectl\s+(apply|delete|drain)\b/,                                reason: 'kubectl mutating operation blocked' },
+  { level: 'high', id: 'kubectl-scale-zero',   regex: /\bkubectl\s+scale\b.+--replicas=0/,                                 reason: 'kubectl scale to zero blocked' },
+  { level: 'high', id: 'helm-ops',             regex: /\bhelm\s+(install|uninstall|upgrade)\b/,                             reason: 'helm operation blocked' },
+  { level: 'high', id: 'heroku',               regex: /\bheroku\b/,                                                        reason: 'heroku command blocked' },
+  { level: 'high', id: 'eb-terminate',         regex: /\beb\s+terminate\b/,                                                reason: 'eb terminate blocked' },
+  { level: 'high', id: 'serverless-remove',    regex: /\bserverless\s+remove\b/,                                           reason: 'serverless remove blocked' },
+  { level: 'high', id: 'cap-prod-deploy',      regex: /\bcap\s+production\s+deploy\b/,                                     reason: 'production deploy blocked' },
+  { level: 'high', id: 'cloud-delete',         regex: /\b(aws\s+cloudformation\s+delete-stack|gcloud\s+projects\s+delete|az\s+group\s+delete)\b/, reason: 'cloud resource deletion blocked' },
+  // Network & infrastructure
+  { level: 'high', id: 'curl-mutating',        regex: /\bcurl\b.+-X\s*(POST|PUT|DELETE|PATCH)\b/,                          reason: 'mutating HTTP request blocked' },
+  { level: 'high', id: 'ssh-remote',           regex: /\bssh\s/,                                                           reason: 'SSH remote connection blocked' },
+  { level: 'high', id: 'scp-remote',           regex: /\bscp\s/,                                                           reason: 'SCP remote copy blocked' },
+  { level: 'high', id: 'rsync-delete',         regex: /\brsync\b.+--delete/,                                               reason: 'rsync --delete blocked' },
+  { level: 'high', id: 'firewall',             regex: /\b(iptables\s+-F|ufw\s+disable)\b/,                                 reason: 'firewall manipulation blocked' },
+  { level: 'high', id: 'network-kill',         regex: /\bifconfig\s+\w+\s+down\b/,                                         reason: 'network interface down blocked' },
+  { level: 'high', id: 'route-delete',         regex: /\broute\s+del\s+default\b/,                                         reason: 'default route deletion blocked' },
+  // Database
+  { level: 'high', id: 'sql-drop',             regex: /\b(DROP\s+(DATABASE|TABLE)|TRUNCATE\s+TABLE)\b/i,                   reason: 'SQL drop/truncate blocked' },
+  { level: 'high', id: 'sql-mass-delete',      regex: /\bDELETE\s+FROM\b.+\bWHERE\s+1\s*=\s*1/i,                          reason: 'SQL mass delete blocked' },
+  { level: 'high', id: 'redis-flush',          regex: /\bredis-cli\s+(FLUSHALL|FLUSHDB)\b/,                                reason: 'redis flush blocked' },
+  { level: 'high', id: 'orm-reset',            regex: /\b(prisma\s+migrate\s+reset|rails\s+db:(drop|reset)|django\s+flush)\b/, reason: 'ORM database reset blocked' },
+  { level: 'high', id: 'alembic-downgrade',    regex: /\balembic\s+downgrade\s+base\b/,                                    reason: 'alembic downgrade base blocked' },
+  { level: 'high', id: 'mongo-drop',           regex: /\bmongosh\b.+dropDatabase/,                                         reason: 'MongoDB drop database blocked' },
+  // STRICT — Cautionary, context-dependent
+  { level: 'strict', id: 'git-checkout-dot',    regex: /\bgit\s+checkout\s+\./,                                             reason: 'git checkout . discards changes' },
+  { level: 'strict', id: 'docker-prune',        regex: /\bdocker\s+(system|image)\s+prune/,                                 reason: 'docker prune removes images' },
+];
+const LEVELS = { critical: 1, high: 2, strict: 3 };
+const EMOJIS = { critical: '\u{1F6A8}', high: '\u26D4', strict: '\u26A0\uFE0F' };
+const LOG_DIR = path.join(process.env.HOME || '/tmp', '.claude', 'hooks-logs');
+function log(data) {
+  try {
+    if (!fs.existsSync(LOG_DIR)) fs.mkdirSync(LOG_DIR, { recursive: true });
+    const file = path.join(LOG_DIR, new Date().toISOString().slice(0, 10) + '.jsonl');
+    fs.appendFileSync(file, JSON.stringify({ ts: new Date().toISOString(), ...data }) + '\n');
+  } catch {}
+}
+function checkCommand(cmd, safetyLevel) {
+  safetyLevel = safetyLevel || SAFETY_LEVEL;
+  const threshold = LEVELS[safetyLevel] || 2;
+  for (const p of PATTERNS) {
+    if (LEVELS[p.level] <= threshold && p.regex.test(cmd)) {
+      return { blocked: true, pattern: p };
+    }
+  }
+  return { blocked: false, pattern: null };
+}
+async function main() {
+  let input = '';
+  for await (const chunk of process.stdin) input += chunk;
+  try {
+    const data = JSON.parse(input);
+    const { tool_name, tool_input, session_id, cwd, permission_mode } = data;
+    if (tool_name !== 'Bash') return console.log('{}');
+    const cmd = tool_input?.command || '';
+    const result = checkCommand(cmd);
+    if (result.blocked) {
+      const p = result.pattern;
+      log({ level: 'BLOCKED', id: p.id, priority: p.level, cmd, session_id, cwd, permission_mode });
+      return console.log(JSON.stringify({
+        hookSpecificOutput: {
+          hookEventName: 'PreToolUse',
+          permissionDecision: 'deny',
+          permissionDecisionReason: EMOJIS[p.level] + ' [' + p.id + '] ' + p.reason
+        }
+      }));
+    }
+    console.log('{}');
+  } catch (e) {
+    log({ level: 'ERROR', error: e.message });
+    console.log('{}');
+  }
+}
+if (require.main === module) {
+  main();
+} else {
+  module.exports = { PATTERNS, LEVELS, SAFETY_LEVEL, checkCommand };
+}
+`;
+function installHook(rootDir) {
+  const hooksDir = path3.join(rootDir, ".claude", "hooks");
+  const hookPath = path3.join(hooksDir, "block-dangerous-commands.js");
+  const settingsPath = path3.join(rootDir, ".claude", "settings.json");
+  fs3.mkdirSync(hooksDir, { recursive: true });
+  fs3.writeFileSync(hookPath, HOOK_SCRIPT);
+  fs3.chmodSync(hookPath, 493);
+  try {
+    const existing = fs3.existsSync(settingsPath) ? JSON.parse(fs3.readFileSync(settingsPath, "utf-8")) : {};
+    existing.hooks = {
+      ...existing.hooks,
+      PreToolUse: [
+        {
+          matcher: "Bash",
+          hooks: [
+            {
+              type: "command",
+              command: "node .claude/hooks/block-dangerous-commands.js"
+            }
+          ]
+        }
+      ]
+    };
+    fs3.writeFileSync(settingsPath, JSON.stringify(existing, null, 2));
+  } catch {
+  }
+}
 // src/prompt.ts
 function getAnalysisPrompt(projectInfo) {
   const context = buildContextSection(projectInfo);
@@ -658,14 +865,14 @@ ${templateVars}
 1. Read this entire prompt to understand all phases
 2. Execute Phase 1 completely - read files, analyze code, gather all data
-3. Execute Phase 2 - generate the CLAUDE.md using only discovered information
+3. Execute Phase 2 - generate the CLAUDE.md (max 120 lines) using only discovered information
 4. Execute Phase 3 - verify quality before writing
 5. Use the Write tool to create \`.claude/CLAUDE.md\` with the final content
-6. Execute Phase 4 - generate ALL skill files
+6. Execute Phase 4 - generate ALL skill files (4 core + framework-specific if detected)
 7. Execute Phase 5 - generate agent files
 8. Execute Phase 6 - generate rule files
-9. Execute Phase 7 - generate command files
-10. Run the Anti-Redundancy Checklist one final time across ALL generated files \u2014 if any convention is restated or any rule lacks a \`paths:\` filter, fix it before proceeding
+9. Execute Phase 7 - generate command files (2 commands: analyze, code-review)
+10. Run the Anti-Redundancy Enforcement checks one final time across ALL generated files \u2014 if any convention is restated, any command is duplicated, or any rule lacks a \`paths:\` filter, fix it before proceeding
 11. Output a brief summary of what was generated and any gaps found
 Do NOT output file contents to stdout. Write all files to disk using the Write tool.
@@ -830,14 +1037,26 @@ frequencies, so place information where it costs the least while remaining acces
 5. **Agents have zero main-context cost.** Put detailed checklists and review criteria in agent files \u2014 they run in subprocesses and don't consume the user's context window.
 6. **Each piece of information must live in exactly ONE place.** If it's in CLAUDE.md, don't repeat it in rules, skills, or commands.
-### Anti-Redundancy Checklist
+### Anti-Redundancy Enforcement
-Before writing EACH artifact, verify:
-- [ ] No convention from CLAUDE.md is restated (commit format, naming, import order, etc.)
-- [ ] No content from another artifact is duplicated
-- [ ] Cross-references are used instead of copies (e.g., "Follow conventions in CLAUDE.md")
-- [ ] All rules have a \`paths:\` filter
-- [ ] Information is placed at the lowest-cost tier that still makes it accessible
+Before writing EACH artifact, apply these hard constraints:
+- **REJECT** any artifact that restates a convention from CLAUDE.md. If a convention appears in CLAUDE.md, it MUST NOT appear in any other file. Not paraphrased, not summarized, not restated in different words.
+- **Test commands, lint commands, and build commands** MUST appear in exactly ONE place: CLAUDE.md's Common Commands section. Skills and agents MUST write "See Common Commands in CLAUDE.md" instead.
+- **All rules MUST have a \`paths:\` filter** \u2014 no unfiltered rules.
+- **Cross-references replace copies** \u2014 write "Follow conventions in CLAUDE.md" instead of restating any convention.
+#### Forbidden Duplication List
+The following MUST NOT appear in skills, agents, rules, or commands \u2014 they belong exclusively in CLAUDE.md:
+- Test commands (the literal test runner invocation)
+- Lint commands (the literal linter invocation)
+- Build commands (the literal build invocation)
+- Import convention descriptions (absolute vs relative, ordering, type imports)
+- Naming convention descriptions (camelCase, PascalCase, file naming)
+- Commit format descriptions (conventional commits, message format)
+- Anti-patterns list (things to avoid)
+- Testing framework syntax examples (describe/it/expect \u2014 belongs in test-writer agent only)
 ---
@@ -936,9 +1155,13 @@ Read at least 3-5 source files and document the ACTUAL patterns used:
 Using ONLY information discovered in Phase 1, generate the \`.claude/CLAUDE.md\` file.
 Every section must contain PROJECT-SPECIFIC content. Skip sections that don't apply.
+**The CLAUDE.md MUST NOT exceed 120 lines. Prioritize density over completeness.**
+Do NOT include sections that duplicate information available in package.json, tsconfig.json, or other config files the agent can read directly.
 ### Output Structure
-The CLAUDE.md MUST follow this structure:
+The CLAUDE.md MUST follow this compact structure:
 \`\`\`markdown
 # {Project Name}
@@ -952,17 +1175,9 @@ Written for an AI assistant that needs to understand PURPOSE to make good decisi
 ## Architecture
-{Describe the actual architecture pattern found}
-### Directory Structure
-\\\`\\\`\\\`
-{Actual directory tree, depth 3, with annotations}
-\\\`\\\`\\\`
-### Data Flow
-{How a typical request flows through the system}
+{1-2 sentences describing the actual architecture pattern found, then the Key Files table.
+Do NOT include a Directory Structure ASCII tree or Data Flow subsection \u2014 the agent can
+read the filesystem directly.}
 ### Key Files
@@ -970,42 +1185,18 @@ Written for an AI assistant that needs to understand PURPOSE to make good decisi
 |------|---------|
 | \`path/to/file\` | What it does |
-## Tech Stack
-| Category | Technology | Notes |
-|----------|-----------|-------|
-| Language | X | Config details |
-| Framework | Y | How it's used |
-## Development Setup
-### Prerequisites
-{Exact versions and tools needed}
-### Getting Started
-\\\`\\\`\\\`bash
-{Actual commands to get running}
-\\\`\\\`\\\`
-### Environment Variables
-| Variable | Description | Example |
-|----------|-------------|---------|
-| \`VAR_NAME\` | What it's for | \`example_value\` |
 ## Common Commands
 \\\`\\\`\\\`bash
-{Actual commands from package.json scripts or equivalent}
+{5 critical commands max, from package.json scripts or equivalent.
+Only the commands developers use daily \u2014 not every script.}
 \\\`\\\`\\\`
 ## Code Conventions
 ### Naming
-{ACTUAL naming patterns found}
+{ACTUAL naming patterns found \u2014 be brief}
 ### Patterns to Follow
@@ -1018,45 +1209,16 @@ Written for an AI assistant that needs to understand PURPOSE to make good decisi
 > **This Code Conventions section is the single source of truth.**
 > Rules and skills cross-reference this section \u2014 they do not repeat it.
-## Skills
-{List each generated skill with a one-line description}
-| Skill | Purpose |
-|-------|---------|
-| \`pattern-discovery\` | Discover and document codebase patterns |
-| ... | ... |
-## Agents
-{List each generated agent with a one-line description}
-| Agent | Purpose |
-|-------|---------|
-| \`code-reviewer\` | Reviews code for quality and security |
-| \`test-writer\` | Generates tests for code |
 ## Testing
-### Running Tests
-\\\`\\\`\\\`bash
-{actual test commands}
-\\\`\\\`\\\`
-### Writing Tests
-{Testing patterns, utilities, fixtures available}
+{2-3 lines: test command, test file location, key testing pattern.
+NOT a full guide \u2014 the test-writer agent handles detailed test methodology.}
 ## Domain Knowledge
 ### Core Entities
-{Main domain objects and relationships}
-### Key Workflows
-{3-5 most important workflows}
+{Brief list of main domain objects and relationships}
 ## Gotchas & Important Notes
@@ -1070,12 +1232,22 @@ Written for an AI assistant that needs to understand PURPOSE to make good decisi
 4. {project-specific rules discovered during analysis}
 \`\`\`
+**Sections NOT to include** (the agent can read these from config files directly):
+- Directory Structure ASCII tree (agent uses Glob/Read)
+- Tech Stack table (available in package.json, tsconfig.json, etc.)
+- Development Setup / Getting Started / Prerequisites
+- Environment Variables table (available in .env.example)
+- Skills index table
+- Agents index table
+- Key Workflows (duplicates Data Flow / Architecture)
 ---
 ## Phase 3: Quality Checklist
 Before writing the CLAUDE.md, verify:
+- [ ] The file does NOT exceed 120 lines
 - [ ] Every section contains PROJECT-SPECIFIC information (not generic boilerplate)
 - [ ] File paths referenced actually exist in the project
 - [ ] File references use \`path/to/file.ts (functionName)\` format, not line numbers
@@ -1084,12 +1256,13 @@ Before writing the CLAUDE.md, verify:
 - [ ] The "Gotchas" section contains genuinely useful, non-obvious information
 - [ ] An AI reading this CLAUDE.md could add a new feature following existing patterns
 - [ ] Sections without real content have been omitted entirely
+- [ ] No section duplicates information available in config files the agent can read
 ### Cross-Artifact Deduplication Check
 Before writing ANY artifact (rule, skill, agent, command), verify:
 - [ ] No conventions from CLAUDE.md are restated (naming, commit format, import order, style)
-- [ ] No commit format description is restated outside CLAUDE.md
+- [ ] No item from the Forbidden Duplication List appears outside CLAUDE.md
 - [ ] No content from one artifact is duplicated in another
 - [ ] Cross-references are used instead of copies (e.g., "Follow conventions in CLAUDE.md")
 - [ ] Every rule file has a \`paths:\` filter \u2014 no unfiltered rules
@@ -1117,57 +1290,38 @@ var SKILLS_PROMPT = `---
 Write each skill file to \`.claude/skills/\` using the Write tool. Every skill must have
 YAML frontmatter with \`name\`, \`description\`, and optionally \`globs\` for file matching.
-**Tailor ALL skills to this specific project** \u2014 use the actual test command, lint command,
-file patterns, and conventions discovered during Phase 1.
+**Tailor ALL skills to this specific project** \u2014 use the actual file patterns and
+conventions discovered during Phase 1.
 ### Skill Content Rules
 1. **Cross-reference, don't copy** \u2014 write "Follow conventions in CLAUDE.md" instead of restating naming, style, or commit conventions. Skills focus on methodology (HOW to do something), not conventions (WHAT the conventions are).
 2. **Use stable references** \u2014 reference code as \`path/to/file.ts (functionName)\`, not line numbers which become stale.
 3. **No convention duplication** \u2014 if CLAUDE.md already documents commit format, import order, or naming rules, the skill must not repeat them.
+4. **No command duplication** \u2014 for test, lint, and build commands, write "See Common Commands in CLAUDE.md" instead of repeating the literal command.
-### 4.1 Core Skills (ALWAYS generate all 8)
-**\`.claude/skills/pattern-discovery.md\`**
-- Name: pattern-discovery
-- Description: Analyze codebase to discover and document patterns
-- Content: How to search for patterns in THIS project's structure. Include the actual source directories, key file patterns, and import conventions found.
-**\`.claude/skills/systematic-debugging.md\`**
-- Name: systematic-debugging
-- Description: 4-phase debugging methodology \u2014 Reproduce, Locate, Diagnose, Fix
-- Content: Tailor reproduction steps to the project's actual test runner and dev server commands. Include how to use the project's logging/debugging setup.
-**\`.claude/skills/testing-methodology.md\`**
-- Name: testing-methodology
-- Description: AAA testing pattern with project-specific framework syntax
-- Content: Use the project's actual testing framework syntax. Include real examples of test patterns found in the codebase (describe/it blocks, pytest fixtures, etc.). Reference the actual test command. Include mocking/stubbing patterns specific to the stack.
+### 4.1 Core Skills (ALWAYS generate all 4)
 **\`.claude/skills/iterative-development.md\`**
 - Name: iterative-development
-- Description: TDD workflow with project-specific test and lint commands
-- Content: The TDD loop using the actual test command and lint command. Include the project's verification steps (typecheck, build, etc.).
-**\`.claude/skills/commit-hygiene.md\`**
-- Name: commit-hygiene
-- Description: Atomic commits, conventional format, size thresholds
-- Content: Size thresholds (\xB1300 lines per commit), when-to-commit triggers. For commit format, write "Follow the commit conventions in CLAUDE.md" \u2014 do NOT restate the format here. If the project uses commitlint or similar, reference its config.
+- Description: TDD workflow with debugging methodology and verification chain
+- Content: The TDD loop referencing "See Common Commands in CLAUDE.md" for actual commands. Include the project's verification steps (typecheck, build, etc.). Add a Debugging section with: 4-phase methodology (Reproduce, Locate, Diagnose, Fix), project-specific file-to-module mapping for tracing bugs, how to use the project's logging/debugging setup. Add commit guidance: size thresholds (\xB1300 lines per commit), when-to-commit triggers, "Follow commit conventions in CLAUDE.md" for format.
 **\`.claude/skills/code-deduplication.md\`**
 - Name: code-deduplication
-- Description: Check-before-write principle and search checklist
-- Content: Search existing code before writing new code. Include project-specific glob patterns for source files. Reference the actual directory structure for where to look.
-**\`.claude/skills/simplicity-rules.md\`**
-- Name: simplicity-rules
-- Description: Function and file size limits, decomposition patterns
-- Content: Function length limits (40 lines), file limits (300 lines), cyclomatic complexity. Decomposition patterns appropriate for the project's architecture style.
+- Description: Check-before-write principle, search checklist, and size limits
+- Content: Search existing code before writing new code. Include project-specific glob patterns for source files. Reference the actual directory structure for where to look. Include a "Where to Look" checklist for discovering patterns in THIS project's structure (source directories, key file patterns). Add size limits: function length (40 lines), file length (300 lines), decomposition patterns appropriate for the project's architecture style.
 **\`.claude/skills/security.md\`**
 - Name: security
 - Description: Security patterns and secrets management for this stack
 - Content: .gitignore entries appropriate for the detected stack. Environment variable handling patterns. OWASP checklist items relevant to the detected framework. Include actual secrets patterns to watch for (API keys, database URLs, etc.).
+**\`.claude/skills/testing-methodology.md\`**
+- Name: testing-methodology
+- Description: Test design methodology \u2014 what to test, edge cases, test organization
+- Content: Focus on test DESIGN: what to test, how to identify edge cases, test organization strategy, when to use unit vs integration tests. Include project-specific test file naming and location conventions. Reference "See Common Commands in CLAUDE.md" for the test command. Do NOT include testing framework syntax examples (describe/it/expect, pytest fixtures, etc.) \u2014 those belong in the test-writer agent, not here. The \`testing-methodology\` skill focuses on test DESIGN (what to test, edge cases, test organization). The \`test-writer\` agent focuses on test EXECUTION (writing code, running tests). They must not overlap.
 ### 4.2 Framework-Specific Skills (ONLY if detected)
 Generate the matching skill ONLY if the framework was detected in the tech stack:
@@ -1255,7 +1409,8 @@ Body content \u2014 instructions for the test writer agent:
 - Follow existing test file naming conventions
 - Include edge cases: empty inputs, nulls, errors, boundaries
 - Mock external dependencies following project patterns
-- Run tests after writing to verify they pass`;
+- Run tests after writing to verify they pass
+- Do NOT duplicate the testing-methodology skill content. The skill covers test design (what to test, edge cases, organization); this agent covers writing and running tests (framework syntax, assertions, execution).`;
 var RULES_PROMPT = `---
 ## Phase 6: Generate Rules
@@ -1320,39 +1475,11 @@ var COMMANDS_PROMPT = `---
 ## Phase 7: Generate Commands
-Write 5 command files to \`.claude/commands/\`. Each needs YAML frontmatter with
+Write 2 command files to \`.claude/commands/\`. Each needs YAML frontmatter with
 \`allowed-tools\`, \`description\`, and optionally \`argument-hint\`.
-### \`.claude/commands/task.md\`
-\`\`\`yaml
----
-allowed-tools: ["Read", "Write", "Edit", "Glob"]
-description: "Start or switch to a new task"
-argument-hint: "<task description>"
----
-\`\`\`
-Body: Instructions to read current \`.claude/state/task.md\`, update status to "In Progress",
-record the task description and timestamp. If starting a new task, archive the previous one.
-### \`.claude/commands/status.md\`
-\`\`\`yaml
----
-allowed-tools: ["Read", "Glob", "Grep", "Bash(git status)", "Bash(git diff --stat)"]
-description: "Show current task and session state"
----
-\`\`\`
-Body: Read \`.claude/state/task.md\`, show git status, list recently modified files,
-summarize current state in a concise format.
-### \`.claude/commands/done.md\`
-\`\`\`yaml
----
-allowed-tools: ["Read", "Write", "Edit", "Glob", "Grep", "Bash(git:*)", "Bash({test_command})", "Bash({lint_command})"]
-description: "Mark current task complete"
----
-\`\`\`
-Body: Run tests and lint checks. If they pass, update \`.claude/state/task.md\`
-status to "Done". Show a summary of what was accomplished. Suggest next steps.
+Do NOT generate task management commands (\`task.md\`, \`status.md\`, \`done.md\`) \u2014
+Claude Code has built-in TaskCreate/TaskUpdate/TaskList tools for task management.
 ### \`.claude/commands/analyze.md\`
 \`\`\`yaml
@@ -1378,10 +1505,154 @@ Body: This command delegates to the code-reviewer agent for thorough review.
 3. If the agent is unavailable, perform a lightweight review: run the linter and check for obvious issues
 Do NOT duplicate the code-reviewer agent's checklist here \u2014 the agent has the full review criteria.`;
+// src/validator.ts
+import fs4 from "fs";
+import path4 from "path";
+function extractCommands(claudeMd) {
+  const commands = [];
+  const match = claudeMd.match(/## Common Commands[\s\S]*?```(?:bash)?\n([\s\S]*?)```/);
+  if (!match) return commands;
+  for (const line of match[1].split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const cmd = trimmed.split(/\s+#/)[0].trim();
+    if (cmd.length > 3) commands.push(cmd);
+  }
+  return commands;
+}
+function extractConventionFingerprints(claudeMd) {
+  const fingerprints = [];
+  const startIdx = claudeMd.indexOf("## Code Conventions");
+  if (startIdx === -1) return fingerprints;
+  const rest = claudeMd.slice(startIdx + "## Code Conventions".length);
+  const nextHeading = rest.match(/\n## [A-Z]/);
+  const section = nextHeading ? claudeMd.slice(startIdx, startIdx + "## Code Conventions".length + nextHeading.index) : claudeMd.slice(startIdx);
+  for (const kw of ["camelCase", "PascalCase", "kebab-case", "snake_case"]) {
+    if (section.includes(kw)) fingerprints.push(kw);
+  }
+  if (/\bnamed exports?\b/i.test(section)) fingerprints.push("named export");
+  if (/\bdefault exports?\b/i.test(section)) fingerprints.push("default export");
+  if (section.includes("import type")) fingerprints.push("import type");
+  for (const kw of [".skip()", ".only()", "console.log"]) {
+    if (section.includes(kw)) fingerprints.push(kw);
+  }
+  return fingerprints;
+}
+var RULE_WORDS = /\b(verify|check|ensure|always|never|must|should|avoid)\b/i;
+function isConventionDuplication(line, fingerprints) {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith("#") || trimmed.includes("CLAUDE.md")) return false;
+  if (!/^[-*]\s/.test(trimmed)) return false;
+  const matchCount = fingerprints.filter((fp) => trimmed.includes(fp)).length;
+  if (matchCount >= 2) return true;
+  if (matchCount === 1 && RULE_WORDS.test(trimmed)) return true;
+  return false;
+}
+function findLiteralCommand(line, commands) {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith("#") || trimmed.includes("CLAUDE.md")) return null;
+  for (const cmd of commands) {
+    if (trimmed.includes(cmd)) return cmd;
+  }
+  return null;
+}
+function separateFrontmatter(content) {
+  const match = content.match(/^---\n[\s\S]*?\n---(?:\n|$)/);
+  if (!match) {
+    return { frontmatter: "", body: content };
+  }
+  return {
+    frontmatter: match[0],
+    body: content.slice(match[0].length)
+  };
+}
+function processFile(filePath, commands, fingerprints) {
+  const content = fs4.readFileSync(filePath, "utf-8");
+  const { frontmatter, body } = separateFrontmatter(content);
+  const lines = body.split("\n");
+  const changes = [];
+  const newLines = [];
+  let inCodeBlock = false;
+  for (const line of lines) {
+    if (line.trim().startsWith("```")) {
+      inCodeBlock = !inCodeBlock;
+      newLines.push(line);
+      continue;
+    }
+    if (inCodeBlock) {
+      newLines.push(line);
+      continue;
+    }
+    if (isConventionDuplication(line, fingerprints)) {
+      changes.push({ file: filePath, original: line.trim(), replacement: null });
+      continue;
+    }
+    const cmd = findLiteralCommand(line, commands);
+    if (cmd) {
+      const newLine = line.replace(cmd, "see Common Commands in CLAUDE.md");
+      changes.push({ file: filePath, original: line.trim(), replacement: newLine.trim() });
+      newLines.push(newLine);
+      continue;
+    }
+    newLines.push(line);
+  }
+  if (changes.length > 0) {
+    fs4.writeFileSync(filePath, frontmatter + newLines.join("\n"));
+  }
+  return changes;
+}
+function walkMdFiles(dir) {
+  const files = [];
+  if (!fs4.existsSync(dir)) return files;
+  const entries = fs4.readdirSync(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = path4.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...walkMdFiles(fullPath));
+    } else if (entry.name.endsWith(".md")) {
+      files.push(fullPath);
+    }
+  }
+  return files;
+}
+function validateArtifacts(rootDir) {
+  const result = {
+    filesChecked: 0,
+    filesModified: 0,
+    duplicationsRemoved: 0,
+    changes: []
+  };
+  const claudeMdPath = path4.join(rootDir, ".claude", "CLAUDE.md");
+  if (!fs4.existsSync(claudeMdPath)) return result;
+  try {
+    const claudeMd = fs4.readFileSync(claudeMdPath, "utf-8");
+    const commands = extractCommands(claudeMd);
+    const fingerprints = extractConventionFingerprints(claudeMd);
+    if (commands.length === 0 && fingerprints.length === 0) return result;
+    const claudeDir = path4.join(rootDir, ".claude");
+    const files = walkMdFiles(claudeDir).filter((f) => !f.endsWith("CLAUDE.md"));
+    for (const filePath of files) {
+      result.filesChecked++;
+      const changes = processFile(filePath, commands, fingerprints);
+      if (changes.length > 0) {
+        result.filesModified++;
+        result.duplicationsRemoved += changes.length;
+        for (const change of changes) {
+          change.file = path4.relative(rootDir, filePath);
+        }
+        result.changes.push(...changes);
+      }
+    }
+  } catch {
+    return result;
+  }
+  return result;
+}
 // src/cli.ts
-var __dirname2 = path3.dirname(fileURLToPath(import.meta.url));
+var __dirname2 = path5.dirname(fileURLToPath(import.meta.url));
 var VERSION = JSON.parse(
-  fs3.readFileSync(path3.join(__dirname2, "..", "package.json"), "utf-8")
+  fs5.readFileSync(path5.join(__dirname2, "..", "package.json"), "utf-8")
 ).version;
 function parseArgs(args) {
   return {
@@ -1419,7 +1690,7 @@ ${pc.bold("WHAT IT DOES")}
      - Skills for your frameworks and workflows
      - Agents for code review and testing
      - Rules matching your code style
-     - Commands for task management
+     - Commands for analysis and code review
 ${pc.bold("REQUIREMENTS")}
   Claude CLI must be installed: https://claude.ai/download
@@ -1756,61 +2027,6 @@ function mapFormatter(linter) {
   };
   return mapping[linter] ?? null;
 }
-function createTaskFile(projectInfo, preferences) {
-  const taskPath = path3.join(projectInfo.rootDir, ".claude", "state", "task.md");
-  fs3.mkdirSync(path3.dirname(taskPath), { recursive: true });
-  if (fs3.existsSync(taskPath)) {
-    return;
-  }
-  let content;
-  if (projectInfo.isExisting) {
-    content = `# Current Task
-## Status: Ready
-No active task. Start one with \`/task <description>\`.
-## Project Summary
-${projectInfo.name}${projectInfo.description ? ` - ${projectInfo.description}` : ""}
-**Tech Stack:** ${summarizeTechStack(projectInfo.techStack)}
-## Quick Commands
-- \`/task\` - Start working on something
-- \`/status\` - See current state
-- \`/analyze\` - Deep dive into code
-- \`/done\` - Mark task complete
-`;
-  } else {
-    const description = preferences?.description || "Explore and set up project";
-    content = `# Current Task
-## Status: In Progress
-**Task:** ${description}
-## Context
-New project - setting up from scratch.
-${preferences?.framework ? `**Framework:** ${formatFramework(preferences.framework)}` : ""}
-${preferences?.primaryLanguage ? `**Language:** ${formatLanguage(preferences.primaryLanguage)}` : ""}
-## Next Steps
-1. Define project structure
-2. Set up development environment
-3. Start implementation
-## Decisions
-(None yet - starting fresh)
-`;
-  }
-  fs3.writeFileSync(taskPath, content);
-}
 function formatLanguage(lang) {
   const names = {
     typescript: "TypeScript",
@@ -1950,17 +2166,17 @@ function runClaudeAnalysis(projectDir, projectInfo) {
   });
 }
 function getGeneratedFiles(projectDir) {
-  const claudeDir = path3.join(projectDir, ".claude");
+  const claudeDir = path5.join(projectDir, ".claude");
   const files = [];
   function walk(dir) {
-    if (!fs3.existsSync(dir)) return;
-    const entries = fs3.readdirSync(dir, { withFileTypes: true });
+    if (!fs5.existsSync(dir)) return;
+    const entries = fs5.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const fullPath = path3.join(dir, entry.name);
+      const fullPath = path5.join(dir, entry.name);
       if (entry.isDirectory()) {
         walk(fullPath);
       } else {
-        files.push(path3.relative(projectDir, fullPath));
+        files.push(path5.relative(projectDir, fullPath));
       }
     }
   }
@@ -2017,7 +2233,7 @@ async function main() {
       const { proceed } = await prompts({
         type: "confirm",
         name: "proceed",
-        message: "Update existing configuration? (preserves task state)",
+        message: "Update existing configuration?",
         initial: true
       });
       if (!proceed) {
@@ -2039,12 +2255,19 @@ async function main() {
   console.log(pc.green("Created:"));
   console.log(pc.green("  + .claude/settings.json"));
   console.log();
-  createTaskFile(projectInfo, preferences);
   const success = await runClaudeAnalysis(projectDir, projectInfo);
   if (!success) {
     console.error(pc.red("Claude analysis failed. Please try again."));
     process.exit(1);
   }
+  const validation = validateArtifacts(projectDir);
+  if (validation.duplicationsRemoved > 0) {
+    console.log(
+      pc.gray(
+        `  Deduplication: removed ${validation.duplicationsRemoved} redundancies from ${validation.filesModified} files`
+      )
+    );
+  }
   const generatedFiles = getGeneratedFiles(projectDir);
   console.log();
   console.log(pc.green(`Done! (${generatedFiles.length} files)`));
@@ -2059,12 +2282,12 @@ async function main() {
   }
   if (skills.length > 0) {
     console.log(
-      `  ${skills.length} skills (${skills.map((s) => path3.basename(s, ".md")).join(", ")})`
+      `  ${skills.length} skills (${skills.map((s) => path5.basename(s, ".md")).join(", ")})`
     );
   }
   if (agents.length > 0) {
     console.log(
-      `  ${agents.length} agents (${agents.map((a) => path3.basename(a, ".md")).join(", ")})`
+      `  ${agents.length} agents (${agents.map((a) => path5.basename(a, ".md")).join(", ")})`
     );
   }
   if (rules.length > 0) {
@@ -2074,6 +2297,21 @@ async function main() {
     console.log(`  ${commands.length} commands`);
   }
   console.log();
+  if (args.interactive) {
+    console.log();
+    const { installSafetyHook } = await prompts({
+      type: "confirm",
+      name: "installSafetyHook",
+      message: "Add a safety hook to block dangerous commands? (git push, rm -rf, etc.)",
+      initial: true
+    });
+    if (installSafetyHook) {
+      installHook(projectDir);
+      console.log(pc.green("  + .claude/hooks/block-dangerous-commands.js"));
+      console.log(pc.gray("    Blocks destructive Bash commands before execution"));
+    }
+  }
+  console.log();
   console.log(`${pc.cyan("Next step:")} Run ${pc.bold("claude")} to start working!`);
   console.log();
   console.log(
@@ -2083,7 +2321,7 @@ async function main() {
   );
 }
 try {
-  const isMain = process.argv[1] && fs3.realpathSync(process.argv[1]) === fileURLToPath(import.meta.url);
+  const isMain = process.argv[1] && fs5.realpathSync(process.argv[1]) === fileURLToPath(import.meta.url);
   if (isMain) {
     main().catch((err) => {
       console.error(pc.red("Error:"), err.message);
@@ -2097,7 +2335,6 @@ try {
 }
 export {
   checkClaudeCli,
-  createTaskFile,
   formatFramework,
   formatLanguage,
   getVersion,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "claude-code-starter",
-  "version": "0.14.0",
+  "version": "0.15.0",
   "description": "A lightweight starter kit for AI-assisted development with Claude Code",
   "keywords": [
     "claude",