claudenv 1.0.1 → 1.1.0

package/scaffold/global/.claude/skills/claudenv/scaffold/.claude/commands/validate-docs.md

@@ -0,0 +1,40 @@
+---
+description: Validate project documentation for completeness and correctness
+allowed-tools: Read, Glob, Grep, Bash(bash:*)
+disable-model-invocation: true
+---
+
+# Validate Project Documentation
+
+Run validation checks on the project's Claude Code documentation.
+
+## Step 1: Run Bash Validation
+
+Execute the validation script:
+!`bash .claude/skills/doc-generator/scripts/validate.sh 2>&1 || true`
+
+## Step 2: Deep Validation
+
+Perform additional checks that require reading file contents:
+
+1. **Read CLAUDE.md** and verify:
+   - All `@import` references resolve to existing files
+   - Commands in the ## Commands section match actual scripts in package.json / pyproject.toml / Makefile
+   - Directories in ## Architecture section actually exist
+
+2. **Read .claude/rules/*.md** files and verify:
+   - YAML frontmatter `paths` globs match files that exist in the project
+   - Referenced tools (linters, formatters, test frameworks) are actually installed
+
+3. **Read .claude/settings.json** and verify:
+   - Valid JSON structure
+   - Referenced hook scripts exist at the specified paths
+
+## Step 3: Report
+
+Present a clear summary:
+- List all **errors** (things that must be fixed)
+- List all **warnings** (things that should be reviewed)
+- Provide a **pass/fail** verdict
+
+If there are errors, suggest specific fixes for each one.

package/scaffold/global/.claude/skills/claudenv/scaffold/.claude/skills/doc-generator/SKILL.md

@@ -0,0 +1,59 @@
+---
+name: doc-generator
+description: Generates and updates project documentation including CLAUDE.md, rules, and hooks. Use when the user asks about documentation, project setup, CLAUDE.md, or when detecting that documentation is missing or outdated.
+allowed-tools: Read, Write, Glob, Grep, Bash(find:*), Bash(cat:*), Bash(node:*)
+---
+
+# Documentation Generator Skill
+
+## When to use
+- User mentions documentation, CLAUDE.md, or project setup
+- User asks to configure Claude Code for their project
+- New files detected that change the tech stack (new framework, test runner, etc.)
+- After major refactoring that changes directory structure
+- When CLAUDE.md references files or directories that no longer exist
+- When `.mcp.json` is missing and the project has significant external dependencies
+
+## Process
+
+### 1. Detect Tech Stack
+Scan the project root for manifest files, framework configs, and tooling:
+
+@.claude/skills/doc-generator/templates/detection-patterns.md
+
+### 2. Cross-Reference Existing Documentation
+If CLAUDE.md already exists, read it and identify:
+- Outdated commands or directory references
+- Missing entries for new tools/dependencies
+- Stale @imports pointing to removed files
+
+### 3. Generate or Update
+- For new documentation: generate CLAUDE.md, _state.md, .claude/rules/code-style.md, .claude/rules/testing.md, .claude/rules/workflow.md
+- For MCP configuration: suggest running `/setup-mcp` to search the MCP Registry and generate `.mcp.json`
+- For updates: propose specific changes and wait for user approval
+- Always present generated content for review before writing
+- NEVER create .md files beyond the ones listed above unless the user explicitly asks
+
+### 4. Validate
+After writing, run the validation script:
+```
+bash .claude/skills/doc-generator/scripts/validate.sh
+```
+
+Fix any errors before completing.
+
+## Output Format
+Generated CLAUDE.md should follow this structure:
+- `# CLAUDE.md` heading
+- `## Project overview` — one-sentence description with stack
+- `## Commands` — all dev/build/test/lint commands
+- `## Architecture` — key directories with descriptions
+- `## Conventions` — @imports to code-style.md and testing.md
+- `## Workflow` — @import to workflow.md (Claude Code best practices)
+- `## Memory` — reference to _state.md for session persistence
+- `## Rules` — project-specific rules as bullet points
+
+Additionally generate:
+- `_state.md` — project state tracking (decisions, focus, known issues)
+- `.claude/rules/workflow.md` — Claude Code workflow best practices
+- `.mcp.json` — MCP server configuration (via `/setup-mcp`)

package/scaffold/global/.claude/skills/claudenv/scaffold/.claude/skills/doc-generator/scripts/validate.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+# Documentation validation script for Claude Code hooks.
+# Exit 0 = success, Exit 2 = block action (sends stderr to Claude).
+# POSIX-compatible for macOS and Linux.
+set -euo pipefail
+
+ERRORS=0
+WARNINGS=0
+
+error() {
+  echo "ERROR: $1" >&2
+  ERRORS=$((ERRORS + 1))
+}
+
+warn() {
+  echo "WARN: $1" >&2
+  WARNINGS=$((WARNINGS + 1))
+}
+
+ok() {
+  echo "OK: $1"
+}
+
+# --- Required files ---
+
+if [ -f "CLAUDE.md" ] && [ -s "CLAUDE.md" ]; then
+  ok "CLAUDE.md exists and is non-empty"
+else
+  error "CLAUDE.md is missing or empty"
+fi
+
+# --- Required sections in CLAUDE.md ---
+
+if [ -f "CLAUDE.md" ]; then
+  for section in "## Commands" "## Architecture"; do
+    if grep -q "^${section}" CLAUDE.md 2>/dev/null; then
+      ok "CLAUDE.md has ${section}"
+    else
+      error "CLAUDE.md is missing required section: ${section}"
+    fi
+  done
+
+  # Check that ## Commands has at least one backtick-quoted command
+  # Use awk instead of head -n -1 for macOS compatibility
+  COMMANDS_SECTION=$(sed -n '/^## Commands/,/^## /p' CLAUDE.md | awk 'NR>1{print prev} {prev=$0}')
+  if echo "$COMMANDS_SECTION" | grep -q '`'; then
+    ok "## Commands section contains command examples"
+  else
+    warn "## Commands section has no inline code examples"
+  fi
+
+  # Check @import references
+  while IFS= read -r line; do
+    # Skip lines inside code blocks
+    case "$line" in
+      '```'*) continue ;;
+    esac
+    # Match bare @path lines (not emails, not inline)
+    if echo "$line" | grep -qE '^@[^@[:space:]]+$'; then
+      IMPORT_PATH=$(echo "$line" | sed 's/^@//')
+      # Resolve ~ to HOME
+      case "$IMPORT_PATH" in
+        '~/'*) IMPORT_PATH="${HOME}/${IMPORT_PATH#\~/}" ;;
+      esac
+      if [ -f "$IMPORT_PATH" ]; then
+        ok "@import ${IMPORT_PATH} resolves"
+      else
+        error "@import reference '${IMPORT_PATH}' does not resolve to a file"
+      fi
+    fi
+  done < CLAUDE.md
+fi
+
+# --- Optional structure checks ---
+
+if [ -d ".claude" ]; then
+  ok ".claude/ directory exists"
+else
+  warn ".claude/ directory not found"
+fi
+
+if [ -f ".claude/settings.json" ]; then
+  # Validate JSON syntax (requires python or node)
+  if command -v node >/dev/null 2>&1; then
+    if node -e "JSON.parse(require('fs').readFileSync('.claude/settings.json','utf-8'))" 2>/dev/null; then
+      ok ".claude/settings.json is valid JSON"
+    else
+      error ".claude/settings.json is not valid JSON"
+    fi
+  elif command -v python3 >/dev/null 2>&1; then
+    if python3 -c "import json; json.load(open('.claude/settings.json'))" 2>/dev/null; then
+      ok ".claude/settings.json is valid JSON"
+    else
+      error ".claude/settings.json is not valid JSON"
+    fi
+  fi
+fi
+
+# --- Summary ---
+
+echo ""
+echo "Validation complete: ${ERRORS} error(s), ${WARNINGS} warning(s)"
+
+if [ "$ERRORS" -gt 0 ]; then
+  exit 2
+fi
+
+exit 0

package/scaffold/global/.claude/skills/claudenv/scaffold/.claude/skills/doc-generator/templates/detection-patterns.md

@@ -0,0 +1,76 @@
+# Tech Stack Detection Patterns
+
+Use these patterns to identify the project's tech stack by scanning for files.
+
+## Language / Runtime Detection (check manifest files first)
+
+| File | Language | Runtime |
+|------|----------|---------|
+| `package.json` | JavaScript/TypeScript | Node.js |
+| `pyproject.toml`, `setup.py`, `requirements.txt` | Python | Python |
+| `go.mod` | Go | Go |
+| `Cargo.toml` | Rust | Rust |
+| `Gemfile` | Ruby | Ruby |
+| `composer.json` | PHP | PHP |
+| `pom.xml`, `build.gradle`, `build.gradle.kts` | Java/Kotlin | JVM |
+| `*.csproj`, `*.sln` | C# | .NET |
+
+**TypeScript override**: If `tsconfig.json` exists alongside `package.json`, the language is TypeScript.
+
+## Framework Detection (check config files)
+
+| File | Framework |
+|------|-----------|
+| `next.config.js/mjs/ts` | Next.js |
+| `nuxt.config.ts/js` | Nuxt |
+| `vite.config.js/ts/mts` | Vite |
+| `svelte.config.js` | SvelteKit |
+| `astro.config.mjs/ts` | Astro |
+| `angular.json` | Angular |
+| `manage.py` | Django |
+| `config/routes.rb` | Rails |
+| `artisan` | Laravel |
+| `application.properties/yml` | Spring Boot |
+
+## Package Manager Detection (check lockfiles)
+
+| File | Package Manager |
+|------|----------------|
+| `package-lock.json` | npm |
+| `yarn.lock` | Yarn |
+| `pnpm-lock.yaml` | pnpm |
+| `bun.lockb`, `bun.lock` | Bun |
+| `poetry.lock` | Poetry |
+| `Pipfile.lock` | Pipenv |
+| `uv.lock` | uv |
+
+## Test Framework Detection
+
+| File | Framework |
+|------|-----------|
+| `vitest.config.*` | Vitest |
+| `jest.config.*` | Jest |
+| `playwright.config.*` | Playwright |
+| `cypress.config.*` | Cypress |
+| `pytest.ini`, `conftest.py` | pytest |
+| `.rspec` | RSpec |
+
+Also check dependencies in `package.json` or `pyproject.toml`.
+
+## CI/CD Detection
+
+| Path | System |
+|------|--------|
+| `.github/workflows/*.yml` | GitHub Actions |
+| `.gitlab-ci.yml` | GitLab CI |
+| `Jenkinsfile` | Jenkins |
+| `.circleci/config.yml` | CircleCI |
+
+## Monorepo Detection
+
+| File | Tool |
+|------|------|
+| `turbo.json` | Turborepo |
+| `nx.json` | Nx |
+| `lerna.json` | Lerna |
+| `pnpm-workspace.yaml` | pnpm workspaces |

package/scaffold/global/.claude/skills/claudenv/scaffold/.claude/skills/doc-generator/templates/mcp-servers.md

@@ -0,0 +1,168 @@
+# MCP Server Reference — Registry Search & Configuration
+
+## 1. How to Search the Registry
+
+The official MCP Registry API provides a searchable catalog of MCP servers. No authentication required.
+
+**Endpoint**: `GET https://registry.modelcontextprotocol.io/v0.1/servers`
+
+**Parameters**:
+- `search=<term>` — case-insensitive substring match on server names and descriptions
+- `version=latest` — return only the latest version of each server
+- `limit=<n>` — max results per page (default ~100)
+
+**Search strategy**:
+1. Analyze the project's tech stack from manifest files, configs, and source code
+2. Extract key technology names (languages, frameworks, databases, cloud services, tools)
+3. Search each technology individually — specific terms yield better results
+
+**Example searches**:
+```bash
+# Database
+curl -s 'https://registry.modelcontextprotocol.io/v0.1/servers?search=postgres&version=latest&limit=10'
+
+# Cloud provider
+curl -s 'https://registry.modelcontextprotocol.io/v0.1/servers?search=aws&version=latest&limit=10'
+
+# Monitoring
+curl -s 'https://registry.modelcontextprotocol.io/v0.1/servers?search=sentry&version=latest&limit=10'
+
+# Version control
+curl -s 'https://registry.modelcontextprotocol.io/v0.1/servers?search=github&version=latest&limit=10'
+```
+
+## 2. How to Evaluate and Trust Results
+
+### Primary trust signal: npm download counts
+
+For each candidate server that has an npm package, check monthly downloads:
+```bash
+curl -s 'https://api.npmjs.org/downloads/point/last-month/<npm-package-name>'
+# Returns: { "downloads": N, "package": "...", ... }
+```
+
+- **Filter out** servers with <100 monthly downloads — likely unmaintained or experimental
+- **Prefer** servers with 10,000+ monthly downloads — well-established and community-trusted
+- **Strong signal** at 100,000+ downloads — widely adopted
+
+### Secondary trust signal: GitHub stars
+
+If the server has a repository URL, check GitHub stars:
+```bash
+curl -s 'https://api.github.com/repos/<owner>/<repo>'
+# Check the "stargazers_count" field
+```
+
+- Prefer repos with 100+ stars
+- Stars indicate community interest but downloads are a stronger usage signal
+
+### Additional evaluation criteria
+
+- **Prefer `packages` (npm/stdio) over `remotes` (hosted)** — stdio runs locally with no external dependency
+- **Prefer well-known namespaces**: `io.modelcontextprotocol/*`, `io.github.modelcontextprotocol/*` are official
+- **Read descriptions carefully** — pick servers that match the project's actual use case
+- **Skip** servers that appear to be forks, test entries, or clearly unmaintained
+- **When multiple servers exist for the same tech**, pick the one with highest npm downloads
+- **Check `environmentVariables`** — servers requiring many complex env vars may be harder to set up
+
+## 3. How to Build .mcp.json
+
+The `.mcp.json` file configures MCP servers for a project. It lives in the project root.
+
+**Root structure**:
+```json
+{
+  "mcpServers": {
+    "server-name": { ... }
+  }
+}
+```
+
+### stdio servers (npm packages)
+
+For servers with a `packages` entry of `registryType: "npm"`:
+```json
+{
+  "mcpServers": {
+    "server-name": {
+      "command": "npx",
+      "args": ["-y", "<package-identifier>@latest"],
+      "env": {
+        "VAR_NAME": "${VAR_NAME}"
+      }
+    }
+  }
+}
+```
+
+- Add any `packageArguments` with `type: "positional"` to the `args` array after the package name
+- Map `environmentVariables` to the `env` object
+- Use `${ENV_VAR}` placeholders for all variables with `isSecret: true`
+- Non-secret env vars can use literal values when the value is project-specific and non-sensitive
+
+### HTTP/SSE servers (remote)
+
+For servers with a `remotes` entry:
+```json
+{
+  "mcpServers": {
+    "server-name": {
+      "type": "streamable-http",
+      "url": "https://example.com/mcp"
+    }
+  }
+}
+```
+
+Use the `type` and `url` from the remote entry directly. Add `headers` if authentication is needed:
+```json
+{
+  "type": "streamable-http",
+  "url": "https://example.com/mcp",
+  "headers": {
+    "Authorization": "Bearer ${API_KEY}"
+  }
+}
+```
+
+## 4. Well-Known Servers
+
+These are hints to help find the best option when search results are noisy. Always verify via the registry API — these names and packages may change.
+
+| Technology | Search term | Known namespace | Notes |
+|---|---|---|---|
+| Library docs | `context7` | `io.github.upstash/context7` | Up-to-date docs for any library; useful for most projects |
+| GitHub | `github` | `io.github.modelcontextprotocol/github` | Repo management, PRs, issues |
+| PostgreSQL | `postgres` | `io.github.modelcontextprotocol/postgres` | Database queries; prefer read-only config |
+| Filesystem | `filesystem` | `io.github.modelcontextprotocol/filesystem` | Scoped file access |
+| Fetch | `fetch` | `io.github.modelcontextprotocol/fetch` | Web content retrieval |
+| Sentry | `sentry` | — | Error tracking integration |
+| Stripe | `stripe` | — | Payment API |
+| Docker | `docker` | — | Container management |
+| AWS | `aws` | — | Cloud services |
+| Redis | `redis` | — | Cache and data store |
+| MongoDB | `mongodb` | — | Document database |
+| Slack | `slack` | — | Team communication |
+| Linear | `linear` | — | Issue tracking |
+
+## 5. Security Rules
+
+### Secrets management
+- **NEVER** put actual secret values in `.mcp.json` — use `${ENV_VAR}` placeholders
+- Secret values go in `~/.claude.json` (user-level config, not committed to version control)
+- Tell the user how to configure each secret:
+  ```
+  claude config set env.VAR_NAME "actual-value"
+  ```
+
+### Safe to commit
+- `.mcp.json` is safe to commit to version control — it contains only placeholders, never real secrets
+- Add `.mcp.json` to the git commit alongside other Claude Code config files
+
+### Database safety
+- Prefer read-only database connection strings
+- If read-write access is needed, document this clearly in the recommendation
+
+### Principle of least privilege
+- Only recommend servers that the project actually needs
+- Prefer servers with narrow, well-defined capabilities over general-purpose ones

package/scaffold/global/.claude/skills/claudenv/templates/detection-patterns.md

@@ -0,0 +1,76 @@
+# Tech Stack Detection Patterns
+
+Use these patterns to identify the project's tech stack by scanning for files.
+
+## Language / Runtime Detection (check manifest files first)
+
+| File | Language | Runtime |
+|------|----------|---------|
+| `package.json` | JavaScript/TypeScript | Node.js |
+| `pyproject.toml`, `setup.py`, `requirements.txt` | Python | Python |
+| `go.mod` | Go | Go |
+| `Cargo.toml` | Rust | Rust |
+| `Gemfile` | Ruby | Ruby |
+| `composer.json` | PHP | PHP |
+| `pom.xml`, `build.gradle`, `build.gradle.kts` | Java/Kotlin | JVM |
+| `*.csproj`, `*.sln` | C# | .NET |
+
+**TypeScript override**: If `tsconfig.json` exists alongside `package.json`, the language is TypeScript.
+
+## Framework Detection (check config files)
+
+| File | Framework |
+|------|-----------|
+| `next.config.js/mjs/ts` | Next.js |
+| `nuxt.config.ts/js` | Nuxt |
+| `vite.config.js/ts/mts` | Vite |
+| `svelte.config.js` | SvelteKit |
+| `astro.config.mjs/ts` | Astro |
+| `angular.json` | Angular |
+| `manage.py` | Django |
+| `config/routes.rb` | Rails |
+| `artisan` | Laravel |
+| `application.properties/yml` | Spring Boot |
+
+## Package Manager Detection (check lockfiles)
+
+| File | Package Manager |
+|------|----------------|
+| `package-lock.json` | npm |
+| `yarn.lock` | Yarn |
+| `pnpm-lock.yaml` | pnpm |
+| `bun.lockb`, `bun.lock` | Bun |
+| `poetry.lock` | Poetry |
+| `Pipfile.lock` | Pipenv |
+| `uv.lock` | uv |
+
+## Test Framework Detection
+
+| File | Framework |
+|------|-----------|
+| `vitest.config.*` | Vitest |
+| `jest.config.*` | Jest |
+| `playwright.config.*` | Playwright |
+| `cypress.config.*` | Cypress |
+| `pytest.ini`, `conftest.py` | pytest |
+| `.rspec` | RSpec |
+
+Also check dependencies in `package.json` or `pyproject.toml`.
+
+## CI/CD Detection
+
+| Path | System |
+|------|--------|
+| `.github/workflows/*.yml` | GitHub Actions |
+| `.gitlab-ci.yml` | GitLab CI |
+| `Jenkinsfile` | Jenkins |
+| `.circleci/config.yml` | CircleCI |
+
+## Monorepo Detection
+
+| File | Tool |
+|------|------|
+| `turbo.json` | Turborepo |
+| `nx.json` | Nx |
+| `lerna.json` | Lerna |
+| `pnpm-workspace.yaml` | pnpm workspaces |

package/scaffold/global/.claude/skills/claudenv/templates/mcp-servers.md

@@ -0,0 +1,168 @@
+# MCP Server Reference — Registry Search & Configuration
+
+## 1. How to Search the Registry
+
+The official MCP Registry API provides a searchable catalog of MCP servers. No authentication required.
+
+**Endpoint**: `GET https://registry.modelcontextprotocol.io/v0.1/servers`
+
+**Parameters**:
+- `search=<term>` — case-insensitive substring match on server names and descriptions
+- `version=latest` — return only the latest version of each server
+- `limit=<n>` — max results per page (default ~100)
+
+**Search strategy**:
+1. Analyze the project's tech stack from manifest files, configs, and source code
+2. Extract key technology names (languages, frameworks, databases, cloud services, tools)
+3. Search each technology individually — specific terms yield better results
+
+**Example searches**:
+```bash
+# Database
+curl -s 'https://registry.modelcontextprotocol.io/v0.1/servers?search=postgres&version=latest&limit=10'
+
+# Cloud provider
+curl -s 'https://registry.modelcontextprotocol.io/v0.1/servers?search=aws&version=latest&limit=10'
+
+# Monitoring
+curl -s 'https://registry.modelcontextprotocol.io/v0.1/servers?search=sentry&version=latest&limit=10'
+
+# Version control
+curl -s 'https://registry.modelcontextprotocol.io/v0.1/servers?search=github&version=latest&limit=10'
+```
+
+## 2. How to Evaluate and Trust Results
+
+### Primary trust signal: npm download counts
+
+For each candidate server that has an npm package, check monthly downloads:
+```bash
+curl -s 'https://api.npmjs.org/downloads/point/last-month/<npm-package-name>'
+# Returns: { "downloads": N, "package": "...", ... }
+```
+
+- **Filter out** servers with <100 monthly downloads — likely unmaintained or experimental
+- **Prefer** servers with 10,000+ monthly downloads — well-established and community-trusted
+- **Strong signal** at 100,000+ downloads — widely adopted
+
+### Secondary trust signal: GitHub stars
+
+If the server has a repository URL, check GitHub stars:
+```bash
+curl -s 'https://api.github.com/repos/<owner>/<repo>'
+# Check the "stargazers_count" field
+```
+
+- Prefer repos with 100+ stars
+- Stars indicate community interest but downloads are a stronger usage signal
+
+### Additional evaluation criteria
+
+- **Prefer `packages` (npm/stdio) over `remotes` (hosted)** — stdio runs locally with no external dependency
+- **Prefer well-known namespaces**: `io.modelcontextprotocol/*`, `io.github.modelcontextprotocol/*` are official
+- **Read descriptions carefully** — pick servers that match the project's actual use case
+- **Skip** servers that appear to be forks, test entries, or clearly unmaintained
+- **When multiple servers exist for the same tech**, pick the one with highest npm downloads
+- **Check `environmentVariables`** — servers requiring many complex env vars may be harder to set up
+
+## 3. How to Build .mcp.json
+
+The `.mcp.json` file configures MCP servers for a project. It lives in the project root.
+
+**Root structure**:
+```json
+{
+  "mcpServers": {
+    "server-name": { ... }
+  }
+}
+```
+
+### stdio servers (npm packages)
+
+For servers with a `packages` entry of `registryType: "npm"`:
+```json
+{
+  "mcpServers": {
+    "server-name": {
+      "command": "npx",
+      "args": ["-y", "<package-identifier>@latest"],
+      "env": {
+        "VAR_NAME": "${VAR_NAME}"
+      }
+    }
+  }
+}
+```
+
+- Add any `packageArguments` with `type: "positional"` to the `args` array after the package name
+- Map `environmentVariables` to the `env` object
+- Use `${ENV_VAR}` placeholders for all variables with `isSecret: true`
+- Non-secret env vars can use literal values when the value is project-specific and non-sensitive
+
+### HTTP/SSE servers (remote)
+
+For servers with a `remotes` entry:
+```json
+{
+  "mcpServers": {
+    "server-name": {
+      "type": "streamable-http",
+      "url": "https://example.com/mcp"
+    }
+  }
+}
+```
+
+Use the `type` and `url` from the remote entry directly. Add `headers` if authentication is needed:
+```json
+{
+  "type": "streamable-http",
+  "url": "https://example.com/mcp",
+  "headers": {
+    "Authorization": "Bearer ${API_KEY}"
+  }
+}
+```
+
+## 4. Well-Known Servers
+
+These are hints to help find the best option when search results are noisy. Always verify via the registry API — these names and packages may change.
+
+| Technology | Search term | Known namespace | Notes |
+|---|---|---|---|
+| Library docs | `context7` | `io.github.upstash/context7` | Up-to-date docs for any library; useful for most projects |
+| GitHub | `github` | `io.github.modelcontextprotocol/github` | Repo management, PRs, issues |
+| PostgreSQL | `postgres` | `io.github.modelcontextprotocol/postgres` | Database queries; prefer read-only config |
+| Filesystem | `filesystem` | `io.github.modelcontextprotocol/filesystem` | Scoped file access |
+| Fetch | `fetch` | `io.github.modelcontextprotocol/fetch` | Web content retrieval |
+| Sentry | `sentry` | — | Error tracking integration |
+| Stripe | `stripe` | — | Payment API |
+| Docker | `docker` | — | Container management |
+| AWS | `aws` | — | Cloud services |
+| Redis | `redis` | — | Cache and data store |
+| MongoDB | `mongodb` | — | Document database |
+| Slack | `slack` | — | Team communication |
+| Linear | `linear` | — | Issue tracking |
+
+## 5. Security Rules
+
+### Secrets management
+- **NEVER** put actual secret values in `.mcp.json` — use `${ENV_VAR}` placeholders
+- Secret values go in `~/.claude.json` (user-level config, not committed to version control)
+- Tell the user how to configure each secret:
+  ```
+  claude config set env.VAR_NAME "actual-value"
+  ```
+
+### Safe to commit
+- `.mcp.json` is safe to commit to version control — it contains only placeholders, never real secrets
+- Add `.mcp.json` to the git commit alongside other Claude Code config files
+
+### Database safety
+- Prefer read-only database connection strings
+- If read-write access is needed, document this clearly in the recommendation
+
+### Principle of least privilege
+- Only recommend servers that the project actually needs
+- Prefer servers with narrow, well-defined capabilities over general-purpose ones