claudex-setup 1.14.1 → 1.15.1

package/bin/cli.js

@@ -249,6 +249,10 @@ async function main() {
     process.exit(1);
   }
 
+  if (options.require && normalizedCommand !== 'audit' && !['audit', 'discover'].includes(command)) {
+    console.error(`\n  Warning: --require is only supported with the audit command. Ignoring for '${normalizedCommand}'.\n`);
+  }
+
   if (!KNOWN_COMMANDS.includes(normalizedCommand)) {
     const suggestion = suggestCommand(command);
     console.error(`\n  Error: Unknown command '${command}'.`);
@@ -326,7 +330,7 @@ async function main() {
     } else if (normalizedCommand === 'insights') {
       const https = require('https');
       const url = 'https://claudex-insights.claudex.workers.dev/v1/stats';
-      https.get(url, (res) => {
+      const req = https.get(url, (res) => {
         let data = '';
         res.on('data', chunk => data += chunk);
         res.on('end', () => {
@@ -357,6 +361,10 @@ async function main() {
       }).on('error', () => {
         console.log('  Could not reach insights server. Run locally: npx claudex-setup');
       });
+      req.setTimeout(10000, () => {
+        req.destroy();
+        console.log('  Insights request timed out. Run locally: npx claudex-setup');
+      });
       return; // keep process alive for http
     } else if (normalizedCommand === 'augment' || normalizedCommand === 'suggest-only') {
       const report = await analyzeProject({ ...options, mode: normalizedCommand });
@@ -445,6 +453,15 @@ async function main() {
       await watch(options);
     } else if (normalizedCommand === 'setup') {
       await setup(options);
+      if (options.snapshot) {
+        const postSetupResult = await audit({ dir: options.dir, silent: true });
+        const snapshot = writeSnapshotArtifact(options.dir, 'audit', postSetupResult, {
+          sourceCommand: 'setup',
+        });
+        if (!options.json) {
+          console.log(`  Snapshot saved: ${snapshot.relativePath}`);
+        }
+      }
     } else {
       const result = await audit(options);
       const snapshot = options.snapshot ? writeSnapshotArtifact(options.dir, 'audit', result, {

package/content/case-study-template.md

@@ -64,7 +64,7 @@ Key observations:
 | Metric | Before | After | Change |
 |--------|--------|-------|--------|
 | Audit score | X | X | +X |
-| Checks passing | X/58 | X/58 | +X |
+| Checks passing | X/84 | X/84 | +X |
 | Time to first productive session | Xm | Xm | -Xm |
 | [Other metric] | | | |
 

package/content/claude-native-integration.md

@@ -28,14 +28,10 @@ Add to `.claude/settings.json`:
   "hooks": {
     "SessionStart": [
       {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node -e \"try{const r=require('child_process').execSync('npx claudex-setup --json 2>/dev/null',{timeout:15000}).toString();const d=JSON.parse(r);if(d.score<50)console.log(JSON.stringify({systemMessage:'⚠️ Claude Code setup score: '+d.score+'/100. Consider running: npx claudex-setup --lite'}))}catch(e){console.log('{}')}\"",
-            "timeout": 20,
-            "statusMessage": "Checking Claude Code setup..."
-          }
-        ]
+        "type": "command",
+        "command": "node -e \"try{const r=require('child_process').execSync('npx claudex-setup --json 2>/dev/null',{timeout:15000}).toString();const d=JSON.parse(r);if(d.score<50)console.log(JSON.stringify({systemMessage:'⚠️ Claude Code setup score: '+d.score+'/100. Consider running: npx claudex-setup --lite'}))}catch(e){console.log('{}')}\"",
+        "timeout": 20,
+        "statusMessage": "Checking Claude Code setup..."
       }
     ]
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claudex-setup",
-  "version": "1.14.1",
+  "version": "1.15.1",
   "description": "Score your repo's Claude Code setup against 84 checks. See gaps, apply fixes selectively with rollback, govern hooks and permissions, and benchmark impact — without breaking existing config.",
   "main": "src/index.js",
   "bin": {

package/src/activity.js

@@ -2,8 +2,18 @@ const fs = require('fs');
 const path = require('path');
 const { version } = require('../package.json');
 
+let _lastTimestamp = '';
+let _counter = 0;
+
 function timestampId() {
-  return new Date().toISOString().replace(/[:.]/g, '-');
+  const ts = new Date().toISOString().replace(/[:.]/g, '-');
+  if (ts === _lastTimestamp) {
+    _counter++;
+    return `${ts}-${_counter}`;
+  }
+  _lastTimestamp = ts;
+  _counter = 0;
+  return ts;
 }
 
 function ensureArtifactDirs(dir) {
@@ -122,6 +132,11 @@ function updateSnapshotIndex(snapshotDir, record) {
   }
 
   entries.push(record);
+  // Prune to keep last 200 entries
+  const MAX_INDEX_ENTRIES = 200;
+  if (entries.length > MAX_INDEX_ENTRIES) {
+    entries = entries.slice(entries.length - MAX_INDEX_ENTRIES);
+  }
   fs.writeFileSync(indexPath, JSON.stringify(entries, null, 2), 'utf8');
 }
 

package/src/analyze.js

@@ -424,7 +424,9 @@ function printAnalysis(report, options = {}) {
       if (item.risk || item.confidence) {
         console.log(c(`     Risk: ${item.risk || 'low'} | Confidence: ${item.confidence || 'medium'}`, 'dim'));
       }
-      console.log(c(`     Fix: ${item.fix}`, 'dim'));
+      if (item.fix && item.fix !== item.why) {
+        console.log(c(`     Fix: ${item.fix}`, 'dim'));
+      }
     });
     console.log('');
   }
@@ -515,7 +517,9 @@ function exportMarkdown(report) {
       if (item.risk || item.confidence) {
         lines.push(`   - Risk / Confidence: ${item.risk || 'low'} / ${item.confidence || 'medium'}`);
       }
-      lines.push(`   - Fix: ${item.fix}`);
+      if (item.fix && item.fix !== item.why) {
+        lines.push(`   - Fix: ${item.fix}`);
+      }
     });
     lines.push('');
   }

package/src/audit.js

@@ -85,12 +85,15 @@ function getPrioritizedFailed(failed) {
 function getQuickWins(failed) {
   const pool = getPrioritizedFailed(failed);
 
+  // QuickWins prioritize short fixes (easy to implement) first, then impact
   return [...pool]
     .sort((a, b) => {
+      const fixLenA = (a.fix || '').length;
+      const fixLenB = (b.fix || '').length;
+      if (fixLenA !== fixLenB) return fixLenA - fixLenB;
       const impactA = IMPACT_ORDER[a.impact] ?? 0;
       const impactB = IMPACT_ORDER[b.impact] ?? 0;
-      if (impactA !== impactB) return impactB - impactA;
-      return (a.fix || '').length - (b.fix || '').length;
+      return impactB - impactA;
     })
     .slice(0, 3);
 }
@@ -202,14 +205,14 @@ async function audit(options) {
   const medium = failed.filter(r => r.impact === 'medium');
 
   // Calculate score only from applicable checks
-  const weights = { critical: 15, high: 10, medium: 5 };
+  const weights = { critical: 15, high: 10, medium: 5, low: 2 };
   const maxScore = applicable.reduce((sum, r) => sum + (weights[r.impact] || 5), 0);
   const earnedScore = passed.reduce((sum, r) => sum + (weights[r.impact] || 5), 0);
   const score = maxScore > 0 ? Math.round((earnedScore / maxScore) * 100) : 0;
 
   // Detect scaffolded vs organic: if CLAUDE.md contains our version stamp, some checks
   // are passing because WE generated them, not the user
-  const claudeMd = ctx.fileContent('CLAUDE.md') || '';
+  const claudeMd = ctx.claudeMdContent() || '';
   const isScaffolded = claudeMd.includes('Generated by claudex-setup') ||
     claudeMd.includes('claudex-setup');
   // Scaffolded checks: things our setup creates (CLAUDE.md, hooks, commands, agents, rules, skills)

package/src/benchmark.js

@@ -21,6 +21,9 @@ function copyProject(sourceDir, targetDir) {
       copyProject(from, to);
     } else if (entry.isFile()) {
       fs.copyFileSync(from, to);
+    } else if (entry.isSymbolicLink && entry.isSymbolicLink()) {
+      // Symlinks are skipped in benchmark sandbox — log for awareness
+      process.stderr.write(`  Note: symlink skipped in benchmark: ${entry.name}\n`);
     }
   }
 }
@@ -89,7 +92,9 @@ function buildExecutiveSummary(before, after, workflowEvidence) {
   const workflowCoverage = workflowEvidence.summary.coverageScore;
   let headline = 'Benchmark did not improve the score in this run.';
 
-  if (scoreDelta > 0) {
+  if (scoreDelta < 0) {
+    headline = `Warning: score decreased by ${Math.abs(scoreDelta)} points. Setup may have introduced a regression.`;
+  } else if (scoreDelta > 0) {
     headline = `Benchmark improved readiness by ${scoreDelta} points without touching the original repo.`;
   } else if (before.score >= 85 && after.score >= before.score && workflowCoverage >= 80) {
     headline = 'Benchmark confirmed the repo already meets the starter-safe baseline without regression.';

package/src/context.js

@@ -67,6 +67,10 @@ class ProjectContext {
     }
   }
 
+  claudeMdContent() {
+    return this.fileContent('CLAUDE.md') || this.fileContent('.claude/CLAUDE.md');
+  }
+
   fileContent(filePath) {
     if (this._cache[filePath] !== undefined) return this._cache[filePath];
     const fullPath = path.join(this.dir, filePath);

package/src/domain-packs.js

@@ -156,17 +156,18 @@ function detectDomainPacks(ctx, stacks, assets = null) {
   }
 
   const hasFrontend = stackKeys.has('react') || stackKeys.has('nextjs') || stackKeys.has('vue') ||
-    stackKeys.has('angular') || stackKeys.has('svelte') || ctx.hasDir('components') || ctx.hasDir('app') || ctx.hasDir('pages');
+    stackKeys.has('angular') || stackKeys.has('svelte') || ctx.hasDir('components') || ctx.hasDir('pages') ||
+    (ctx.hasDir('app') && (deps.next || deps.react || deps.vue || deps['@angular/core'] || deps.svelte));
   const hasBackend = stackKeys.has('node') || stackKeys.has('python') || stackKeys.has('django') ||
     stackKeys.has('fastapi') || stackKeys.has('go') || stackKeys.has('rust') || stackKeys.has('java') ||
     ctx.hasDir('api') || ctx.hasDir('routes') || ctx.hasDir('services') || ctx.hasDir('controllers');
   const hasData = ctx.hasDir('dags') || ctx.hasDir('jobs') || ctx.hasDir('workers') ||
-    ctx.hasDir('models') || ctx.hasDir('migrations') || ctx.hasDir('db') ||
+    ctx.hasDir('migrations') || ctx.hasDir('db') ||
     deps.dbt || deps['apache-airflow'] || deps.pandas || deps.polars || deps.duckdb;
   const hasInfra = stackKeys.has('docker') || stackKeys.has('terraform') || stackKeys.has('kubernetes') ||
     ctx.files.includes('wrangler.toml') || ctx.files.includes('serverless.yml') || ctx.files.includes('serverless.yaml') ||
     ctx.files.includes('cdk.json') || ctx.hasDir('infra') || ctx.hasDir('deploy') || ctx.hasDir('helm');
-  const isOss = !!ctx.fileContent('LICENSE') && !!ctx.fileContent('CONTRIBUTING.md') && pkg.private !== true;
+  const isOss = !!ctx.fileContent('LICENSE') && pkg.private !== true;
   const isEnterpriseGoverned = !!(assets && assets.permissions && assets.permissions.hasDenyRules) &&
     !!(assets && assets.files && assets.files.settings) && ctx.hasDir('.github/workflows');
 
@@ -218,7 +219,8 @@ function detectDomainPacks(ctx, stacks, assets = null) {
 
   // Monorepo detection
   const isMonorepo = ctx.files.includes('nx.json') || ctx.files.includes('turbo.json') ||
-    ctx.files.includes('lerna.json') || ctx.hasDir('packages') ||
+    ctx.files.includes('lerna.json') || ctx.files.includes('pnpm-workspace.yaml') ||
+    ctx.hasDir('packages') ||
     (pkg.workspaces && (Array.isArray(pkg.workspaces) ? pkg.workspaces.length > 0 : true));
   if (isMonorepo) {
     addMatch('monorepo', [
@@ -259,7 +261,8 @@ function detectDomainPacks(ctx, stacks, assets = null) {
   // E-commerce detection
   const isEcommerce = deps.stripe || deps['@stripe/stripe-js'] || deps.shopify || deps['@shopify/shopify-api'] ||
     deps.woocommerce || deps.paypal || deps['@paypal/react-paypal-js'] || deps.square || deps['@adyen/adyen-web'] ||
-    deps.medusa || deps.saleor ||
+    deps.medusa || deps.saleor || deps.braintree || deps['@mollie/api-client'] ||
+    deps.razorpay || deps['@paddle/paddle-node-sdk'] || deps['@lemonsqueezy/lemonsqueezy.js'] ||
     ctx.hasDir('products') || ctx.hasDir('checkout') || ctx.hasDir('cart');
   if (isEcommerce) {
     addMatch('ecommerce', [
@@ -274,8 +277,10 @@ function detectDomainPacks(ctx, stacks, assets = null) {
     deps['@anthropic-ai/sdk'] || deps.transformers || deps.torch || deps.tensorflow ||
     deps.llamaindex || deps['llama-index'] || deps.crewai || deps.autogen ||
     deps['@ai-sdk/core'] || deps.ollama ||
-    ctx.hasDir('chains') || ctx.hasDir('agents') || ctx.hasDir('models') || ctx.hasDir('prompts');
-  if (isAiMl && !hasData) {
+    deps['@microsoft/semantic-kernel'] || deps['haystack-ai'] || deps['dspy-ai'] ||
+    deps.instructor || deps['@google/generative-ai'] || deps.cohere || deps.mistralai ||
+    ctx.hasDir('chains') || ctx.hasDir('agents') || ctx.hasDir('prompts');
+  if (isAiMl) {
     addMatch('ai-ml', [
       'Detected AI/ML dependencies or agent structure.',
       deps.langchain ? 'LangChain detected.' : null,
@@ -287,7 +292,7 @@ function detectDomainPacks(ctx, stacks, assets = null) {
   const isDevopsCicd = ctx.hasDir('.github/workflows') || ctx.hasDir('.circleci') ||
     ctx.files.includes('Jenkinsfile') || ctx.files.includes('.gitlab-ci.yml') ||
     ctx.hasDir('deploy') || ctx.hasDir('scripts/deploy');
-  if (isDevopsCicd && !hasInfra) {
+  if (isDevopsCicd) {
     addMatch('devops-cicd', [
       'Detected CI/CD pipelines or deployment scripts.',
       ctx.hasDir('.github/workflows') ? 'GitHub Actions detected.' : null,
@@ -298,8 +303,10 @@ function detectDomainPacks(ctx, stacks, assets = null) {
   // Design system detection
   const isDesignSystem = deps.storybook || deps['@storybook/react'] || deps['@storybook/vue3'] ||
     deps.chromatic || deps['style-dictionary'] || deps['@tokens-studio/sd-transforms'] ||
-    ctx.hasDir('tokens') || ctx.hasDir('design-tokens') ||
-    ctx.hasDir('.storybook') || (ctx.hasDir('components') && ctx.hasDir('.storybook'));
+    deps['@radix-ui/react-primitives'] || deps['@headlessui/react'] ||
+    ctx.hasDir('tokens') || ctx.hasDir('design-tokens') || ctx.hasDir('primitives') ||
+    ctx.hasDir('.storybook') ||
+    (ctx.hasDir('components') && (deps['tailwindcss'] || deps.tailwindcss) && ctx.hasDir('packages'));
   if (isDesignSystem) {
     addMatch('design-system', [
       'Detected design system or component library signals.',
@@ -321,8 +328,9 @@ function detectDomainPacks(ctx, stacks, assets = null) {
   }
 
   // Security-focused detection
-  const isSecurityFocused = hasSecurityPolicy &&
-    (hasBackend || deps.bcrypt || deps.jsonwebtoken || deps.passport || deps['next-auth']);
+  const hasAuthDeps = deps.bcrypt || deps.jsonwebtoken || deps.passport || deps['next-auth'] ||
+    deps['@auth/core'] || deps['lucia'] || deps['better-auth'];
+  const isSecurityFocused = (hasSecurityPolicy || hasAuthDeps) && hasBackend;
   if (isSecurityFocused && !isRegulated) {
     addMatch('security-focused', [
       'Detected security-sensitive backend with auth dependencies.',

package/src/governance.js

@@ -124,7 +124,7 @@ const HOOK_REGISTRY = [
   },
   {
     key: 'session-init',
-    file: '.claude/hooks/rotate-logs.sh',
+    file: '.claude/hooks/session-start.sh',
     triggerPoint: 'SessionStart',
     matcher: null,
     purpose: 'Rotates large log files and loads workspace context at session start.',
@@ -254,36 +254,46 @@ function buildHookConfig(hookFiles, profileKey) {
     return {};
   }
 
+  // Detect hook runtime: .js files use node, .sh files use bash
+  const hookCommand = (file) => {
+    if (file.endsWith('.js')) return `node .claude/hooks/${file}`;
+    return `bash .claude/hooks/${file}`;
+  };
+  const isSecrets = (f) => f === 'protect-secrets.sh' || f === 'protect-secrets.js';
+  const isSession = (f) => f === 'session-start.sh' || f === 'session-start.js';
+
   const hookConfig = {
     PostToolUse: [{
       matcher: 'Write|Edit',
       hooks: uniqueFiles
-        .filter(file => file !== 'protect-secrets.sh' && file !== 'session-start.sh')
+        .filter(file => !isSecrets(file) && !isSession(file))
         .map(file => ({
           type: 'command',
-          command: `bash .claude/hooks/${file}`,
+          command: hookCommand(file),
           timeout: 10,
         })),
     }],
   };
 
-  if (uniqueFiles.includes('protect-secrets.sh')) {
+  const secretsFile = uniqueFiles.find(isSecrets);
+  if (secretsFile) {
     hookConfig.PreToolUse = [{
       matcher: 'Read|Write|Edit',
       hooks: [{
         type: 'command',
-        command: 'bash .claude/hooks/protect-secrets.sh',
+        command: hookCommand(secretsFile),
         timeout: 5,
       }],
     }];
   }
 
-  if (uniqueFiles.includes('session-start.sh')) {
+  const sessionFile = uniqueFiles.find(isSession);
+  if (sessionFile) {
     hookConfig.SessionStart = [{
       matcher: '*',
       hooks: [{
         type: 'command',
-        command: 'bash .claude/hooks/session-start.sh',
+        command: hookCommand(sessionFile),
         timeout: 5,
       }],
     }];
@@ -451,6 +461,8 @@ function renderGovernanceMarkdown(summary) {
   }
 
   lines.push('');
+  lines.push('---');
+  lines.push(`*Generated by claudex-setup v${require('../package.json').version} on ${new Date().toISOString().split('T')[0]}*`);
   return lines.join('\n');
 }
 

package/src/mcp-packs.js

@@ -40,12 +40,11 @@ const MCP_PACKS = [
     key: 'postgres-mcp',
     label: 'PostgreSQL',
     useWhen: 'Repos with PostgreSQL databases that benefit from schema inspection and query assistance.',
-    adoption: 'Useful for backend-api and data-pipeline repos. Requires DATABASE_URL env var.',
+    adoption: 'Useful for backend-api and data-pipeline repos. Pass connection string as CLI argument.',
     servers: {
       postgres: {
         command: 'npx',
-        args: ['-y', '@modelcontextprotocol/server-postgres'],
-        env: { DATABASE_URL: '${DATABASE_URL}' },
+        args: ['-y', '@modelcontextprotocol/server-postgres', '${DATABASE_URL}'],
       },
     },
   },
@@ -77,7 +76,7 @@ const MCP_PACKS = [
     key: 'docker-mcp',
     label: 'Docker',
     useWhen: 'Repos with containerized workflows that benefit from container management during Claude sessions.',
-    adoption: 'Useful for infra-platform and backend repos. Requires Docker running locally.',
+    adoption: 'Community Docker MCP server. Requires Docker running locally. Note: community-maintained package.',
     servers: {
       docker: {
         command: 'npx',
@@ -128,7 +127,7 @@ const MCP_PACKS = [
     key: 'slack-mcp',
     label: 'Slack',
     useWhen: 'Teams using Slack that want Claude to draft, preview, or post messages.',
-    adoption: 'Useful for team workflows. Requires SLACK_BOT_TOKEN env var.',
+    adoption: 'Community Slack MCP server (supports OAuth and stealth mode). Requires SLACK_BOT_TOKEN or SLACK_COOKIES env var.',
     servers: {
       slack: {
         command: 'npx',
@@ -154,7 +153,7 @@ const MCP_PACKS = [
     key: 'figma-mcp',
     label: 'Figma',
     useWhen: 'Design-heavy repos where Claude needs access to Figma designs and components.',
-    adoption: 'Useful for frontend-ui repos with design systems. Requires FIGMA_ACCESS_TOKEN env var.',
+    adoption: 'Community Figma MCP server. Requires FIGMA_ACCESS_TOKEN env var. Note: community-maintained package.',
     servers: {
       figma: {
         command: 'npx',
@@ -202,8 +201,8 @@ const MCP_PACKS = [
   },
   {
     key: 'jira-confluence',
-    label: 'Jira + Confluence',
-    useWhen: 'Teams using Atlassian for issue tracking and documentation.',
+    label: 'Jira',
+    useWhen: 'Teams using Atlassian Jira for issue tracking and project management.',
     adoption: 'Requires ATLASSIAN_API_TOKEN and ATLASSIAN_EMAIL env vars.',
     servers: {
       jira: {
@@ -217,12 +216,12 @@ const MCP_PACKS = [
     key: 'ga4-analytics',
     label: 'Google Analytics 4',
     useWhen: 'Repos with web analytics needs — live GA4 data, attribution, and audience insights.',
-    adoption: 'Requires GA4 credentials. 1,641 stars.',
+    adoption: 'Requires GA4_PROPERTY_ID and either GOOGLE_APPLICATION_CREDENTIALS or ADC for auth.',
     servers: {
       ga4: {
         command: 'npx',
         args: ['-y', 'mcp-server-ga4'],
-        env: { GA4_PROPERTY_ID: '${GA4_PROPERTY_ID}' },
+        env: { GA4_PROPERTY_ID: '${GA4_PROPERTY_ID}', GOOGLE_APPLICATION_CREDENTIALS: '${GOOGLE_APPLICATION_CREDENTIALS}' },
       },
     },
   },
@@ -230,12 +229,12 @@ const MCP_PACKS = [
     key: 'search-console',
     label: 'Google Search Console',
     useWhen: 'SEO-focused repos that need search performance data, indexing status, and sitemap insights.',
-    adoption: 'Requires GSC credentials. 595 stars.',
+    adoption: 'Requires Google OAuth client credentials (client ID + secret). Uses OAuth consent flow.',
     servers: {
       gsc: {
         command: 'npx',
         args: ['-y', 'mcp-gsc@latest'],
-        env: { GSC_CREDENTIALS: '${GSC_CREDENTIALS}' },
+        env: { GOOGLE_CLIENT_ID: '${GOOGLE_CLIENT_ID}', GOOGLE_CLIENT_SECRET: '${GOOGLE_CLIENT_SECRET}' },
       },
     },
   },
@@ -243,7 +242,7 @@ const MCP_PACKS = [
     key: 'n8n-workflows',
     label: 'n8n Workflow Automation',
     useWhen: 'Teams using n8n for workflow automation with 1,396 integration nodes.',
-    adoption: 'Requires n8n instance URL. 17,092 stars.',
+    adoption: 'Requires n8n instance URL and API key.',
     servers: {
       n8n: {
         command: 'npx',
@@ -256,7 +255,7 @@ const MCP_PACKS = [
     key: 'zendesk-mcp',
     label: 'Zendesk',
     useWhen: 'Support teams using Zendesk for ticket management and help center content.',
-    adoption: 'Requires ZENDESK_API_TOKEN env var. 79 stars.',
+    adoption: 'Requires ZENDESK_API_TOKEN and ZENDESK_SUBDOMAIN env vars.',
     servers: {
       zendesk: {
         command: 'npx',
@@ -269,7 +268,7 @@ const MCP_PACKS = [
     key: 'infisical-secrets',
     label: 'Infisical Secrets',
     useWhen: 'Repos using Infisical for secrets management with auto-rotation.',
-    adoption: 'Requires INFISICAL_TOKEN env var. 25,629 stars.',
+    adoption: 'Requires INFISICAL_TOKEN env var.',
     servers: {
       infisical: {
         command: 'npx',
@@ -282,7 +281,7 @@ const MCP_PACKS = [
     key: 'shopify-mcp',
     label: 'Shopify',
     useWhen: 'Shopify stores and apps that need API schema access and deployment tooling.',
-    adoption: 'Official Shopify dev MCP. Requires SHOPIFY_ACCESS_TOKEN env var.',
+    adoption: 'Community Shopify MCP server for GraphQL API access. Requires SHOPIFY_ACCESS_TOKEN env var.',
     servers: {
       shopify: {
         command: 'npx',
@@ -307,7 +306,7 @@ const MCP_PACKS = [
   {
     key: 'blender-mcp',
     label: 'Blender 3D',
-    useWhen: '3D modeling, animation, or rendering repos that use Blender. 18,219 stars.',
+    useWhen: '3D modeling, animation, or rendering repos that use Blender.',
     adoption: 'Requires Blender installed locally. Python bridge.',
     servers: {
       blender: {
@@ -320,7 +319,7 @@ const MCP_PACKS = [
     key: 'wordpress-mcp',
     label: 'WordPress',
     useWhen: 'WordPress sites needing content management, site ops, and plugin workflows.',
-    adoption: 'Requires WP_URL and WP_AUTH_TOKEN env vars. 115 stars.',
+    adoption: 'Requires WP_URL and WP_AUTH_TOKEN env vars.',
     servers: {
       wordpress: {
         command: 'npx',
@@ -534,14 +533,17 @@ function recommendMcpPacks(stacks = [], domainPacks = [], options = {}) {
     recommended.add('jira-confluence');
   }
 
-  // Analytics for ecommerce and marketing
-  if (domainKeys.has('ecommerce') || domainKeys.has('docs-content')) {
+  // Analytics for ecommerce (docs-content repos rarely need GA4/GSC)
+  if (domainKeys.has('ecommerce')) {
     recommended.add('ga4-analytics');
     recommended.add('search-console');
   }
 
-  // Shopify for ecommerce
-  if (domainKeys.has('ecommerce')) {
+  // Shopify only when Shopify signals are present
+  if (domainKeys.has('ecommerce') && ctx && (
+    hasDependency(deps, 'shopify') || hasDependency(deps, '@shopify/shopify-api') ||
+    hasFileContentMatch(ctx, '.env', /shopify/i) || hasFileContentMatch(ctx, '.env.example', /shopify/i)
+  )) {
     recommended.add('shopify-mcp');
   }
 
@@ -550,8 +552,11 @@ function recommendMcpPacks(stacks = [], domainPacks = [], options = {}) {
     recommended.add('huggingface-mcp');
   }
 
-  // Zendesk for support
-  if (domainKeys.has('enterprise-governed')) {
+  // Zendesk only when Zendesk signals are present
+  if (domainKeys.has('enterprise-governed') && ctx && (
+    hasDependency(deps, 'zendesk') || hasDependency(deps, 'node-zendesk') ||
+    hasFileContentMatch(ctx, '.env', /zendesk/i) || hasFileContentMatch(ctx, '.env.example', /zendesk/i)
+  )) {
     recommended.add('zendesk-mcp');
   }
 

package/src/plans.js

@@ -63,7 +63,7 @@ function previewContent(content) {
 }
 
 function riskFromImpact(impact) {
-  if (impact === 'critical') return 'medium';
+  if (impact === 'critical') return 'high';
   if (impact === 'high') return 'medium';
   return 'low';
 }
@@ -260,7 +260,7 @@ function buildAgentPatchFiles(ctx) {
 
 function buildHookSettings(ctx, plannedHookFiles, options = {}) {
   const existing = ctx.hasDir('.claude/hooks')
-    ? ctx.dirFiles('.claude/hooks').filter(file => file.endsWith('.sh'))
+    ? ctx.dirFiles('.claude/hooks').filter(file => file.endsWith('.sh') || file.endsWith('.js'))
     : [];
   const hookFiles = [...new Set([...existing, ...plannedHookFiles])].sort();
   if (hookFiles.length === 0) {
@@ -385,7 +385,7 @@ async function buildProposalBundle(options) {
     if (templateKey === 'hooks') {
       const plannedHookFiles = templateFiles
         .map(file => path.basename(file.path))
-        .filter(file => file.endsWith('.sh'));
+        .filter(file => file.endsWith('.sh') || file.endsWith('.js'));
       const settingsFile = buildHookSettings(ctx, plannedHookFiles, options);
       if (settingsFile) {
         templateFiles.push(settingsFile);
@@ -476,7 +476,7 @@ function applyRuntimeSettingsOverlays(bundle, options) {
 
   const ctx = new ProjectContext(options.dir);
   const existingHooks = ctx.hasDir('.claude/hooks')
-    ? ctx.dirFiles('.claude/hooks').filter(file => file.endsWith('.sh'))
+    ? ctx.dirFiles('.claude/hooks').filter(file => file.endsWith('.sh') || file.endsWith('.js'))
     : [];
 
   const proposals = bundle.proposals.map((proposal) => {

package/src/setup.js

@@ -367,7 +367,7 @@ function generateMermaid(dirs, stacks) {
     nodes.push(addNode('Entry Point', 'round'));
   }
 
-  const root = ids['Next.js'] || ids['Django'] || ids['FastAPI'] || ids['Entry Point'];
+  const root = ids['Next.js'] || ids['Django'] || ids['FastAPI'] || ids['Entry Point'] || 'A';
   const pickNodeId = (...labels) => labels.map(label => ids[label]).find(Boolean) || root;
 
   // Detect layers
@@ -782,66 +782,64 @@ ${verificationSteps.join('\n')}
   },
 
   'hooks': () => ({
-    'on-edit-lint.sh': `#!/bin/bash
-# PostToolUse hook - runs linter after file edits
-# Detects which linter is available and runs it
-
-if command -v npx &>/dev/null; then
-  if [ -f "package.json" ] && grep -q '"lint"' package.json 2>/dev/null; then
-    npm run lint --silent 2>/dev/null
-  elif [ -f ".eslintrc" ] || [ -f ".eslintrc.js" ] || [ -f ".eslintrc.json" ] || [ -f "eslint.config.js" ]; then
-    npx eslint --fix . --quiet 2>/dev/null
-  fi
-elif command -v ruff &>/dev/null; then
-  ruff check --fix . 2>/dev/null
-fi
+    'on-edit-lint.js': `#!/usr/bin/env node
+// PostToolUse hook - runs linter after file edits
+const { execSync } = require('child_process');
+const fs = require('fs');
+try {
+  if (fs.existsSync('package.json')) {
+    const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
+    if (pkg.scripts && pkg.scripts.lint) {
+      execSync('npm run lint --silent', { stdio: 'ignore', timeout: 30000 });
+    }
+  }
+} catch (e) { /* linter not available or failed - non-blocking */ }
 `,
-    'protect-secrets.sh': `#!/bin/bash
-# PreToolUse hook - blocks reads of secret files
-INPUT=$(cat -)
-FILE_PATH=$(echo "$INPUT" | sed -n 's/.*"file_path"[[:space:]]*:[[:space:]]*"\\([^"]*\\)".*/\\1/p')
-
-if echo "$FILE_PATH" | grep -qiE '\\.env$|\\.env\\.|secrets/|credentials|\\.pem$|\\.key$'; then
-  echo '{"decision": "block", "reason": "Blocked: accessing secret/credential files is not allowed."}'
-  exit 0
-fi
-echo '{"decision": "allow"}'
+    'protect-secrets.js': `#!/usr/bin/env node
+// PreToolUse hook - blocks reads of secret files
+let input = '';
+process.stdin.on('data', d => input += d);
+process.stdin.on('end', () => {
+  try {
+    const data = JSON.parse(input);
+    const fp = (data.tool_input && data.tool_input.file_path) || '';
+    if (/\\.env$|\\.env\\.|secrets[\\/\\\\]|credentials|\\.pem$|\\.key$/i.test(fp)) {
+      console.log(JSON.stringify({ decision: 'block', reason: 'Blocked: accessing secret/credential files is not allowed.' }));
+    } else {
+      console.log(JSON.stringify({ decision: 'allow' }));
+    }
+  } catch (e) {
+    console.log(JSON.stringify({ decision: 'allow' }));
+  }
+});
 `,
-    'log-changes.sh': `#!/bin/bash
-# PostToolUse hook - logs all file changes with timestamps
-# Appends to .claude/logs/file-changes.log
-
-INPUT=$(cat -)
-TOOL_NAME=$(echo "$INPUT" | sed -n 's/.*"tool_name"[[:space:]]*:[[:space:]]*"\\([^"]*\\)".*/\\1/p')
-TOOL_NAME=\${TOOL_NAME:-unknown}
-FILE_PATH=$(echo "$INPUT" | sed -n 's/.*"file_path"[[:space:]]*:[[:space:]]*"\\([^"]*\\)".*/\\1/p')
-
-if [ -z "$FILE_PATH" ]; then
-  exit 0
-fi
-
-LOG_DIR=".claude/logs"
-LOG_FILE="$LOG_DIR/file-changes.log"
-
-mkdir -p "$LOG_DIR"
-
-TIMESTAMP=$(date +"%Y-%m-%d %H:%M:%S")
-echo "[$TIMESTAMP] $TOOL_NAME: $FILE_PATH" >> "$LOG_FILE"
-
-exit 0
+    'log-changes.js': `#!/usr/bin/env node
+// PostToolUse hook - logs all file changes with timestamps
+const fs = require('fs');
+const path = require('path');
+let input = '';
+process.stdin.on('data', d => input += d);
+process.stdin.on('end', () => {
+  try {
+    const data = JSON.parse(input);
+    const fp = (data.tool_input && data.tool_input.file_path) || '';
+    if (!fp) process.exit(0);
+    const toolName = data.tool_name || 'unknown';
+    const logDir = path.join('.claude', 'logs');
+    fs.mkdirSync(logDir, { recursive: true });
+    const ts = new Date().toISOString().replace('T', ' ').split('.')[0];
+    fs.appendFileSync(path.join(logDir, 'file-changes.log'), \`[\${ts}] \${toolName}: \${fp}\\n\`);
+  } catch (e) { /* non-blocking */ }
+});
 `,
-    'session-start.sh': `#!/bin/bash
-# SessionStart hook - prepares logs and records session entry
-
-LOG_DIR=".claude/logs"
-LOG_FILE="$LOG_DIR/sessions.log"
-
-mkdir -p "$LOG_DIR"
-
-TIMESTAMP=$(date +"%Y-%m-%d %H:%M:%S")
-echo "[$TIMESTAMP] session started" >> "$LOG_FILE"
-
-exit 0
+    'session-start.js': `#!/usr/bin/env node
+// SessionStart hook - prepares logs and records session entry
+const fs = require('fs');
+const path = require('path');
+const logDir = path.join('.claude', 'logs');
+fs.mkdirSync(logDir, { recursive: true });
+const ts = new Date().toISOString().replace('T', ' ').split('.')[0];
+fs.appendFileSync(path.join(logDir, 'sessions.log'), \`[\${ts}] session started\\n\`);
 `,
   }),
 
@@ -1219,7 +1217,7 @@ async function setup(options) {
   const hooksDir = path.join(options.dir, '.claude/hooks');
   const settingsPath = path.join(options.dir, '.claude/settings.json');
   if (fs.existsSync(hooksDir) && !fs.existsSync(settingsPath)) {
-    const hookFiles = fs.readdirSync(hooksDir).filter(f => f.endsWith('.sh'));
+    const hookFiles = fs.readdirSync(hooksDir).filter(f => f.endsWith('.sh') || f.endsWith('.js'));
     if (hookFiles.length > 0) {
       const settings = buildSettingsForProfile({
         profileKey: options.profile || 'safe-write',

package/src/techniques.js

@@ -30,7 +30,7 @@ const TECHNIQUES = {
     id: 51,
     name: 'Mermaid architecture diagram',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return md.includes('mermaid') || md.includes('graph ') || md.includes('flowchart ');
     },
     impact: 'high',
@@ -55,7 +55,7 @@ const TECHNIQUES = {
     id: 763,
     name: 'CLAUDE.md uses @import for modularity',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return md.includes('@import');
     },
     impact: 'medium',
@@ -69,8 +69,8 @@ const TECHNIQUES = {
     id: 681,
     name: 'CLAUDE.md under 200 lines (concise)',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
-      return md.split('\n').length < 200;
+      const md = ctx.claudeMdContent() || '';
+      return md.split('\n').length <= 200;
     },
     impact: 'medium',
     rating: 4,
@@ -87,8 +87,9 @@ const TECHNIQUES = {
     id: 93,
     name: 'Verification criteria in CLAUDE.md',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
-      return md.includes('test') || md.includes('verify') || md.includes('lint') || md.includes('check');
+      const md = ctx.claudeMdContent() || '';
+      return /\b(npm test|yarn test|pnpm test|pytest|go test|make test|npm run lint|yarn lint|npx |ruff |eslint)\b/i.test(md) ||
+        /\b(test command|lint command|build command|verify|run tests|run lint)\b/i.test(md);
     },
     impact: 'critical',
     rating: 5,
@@ -101,7 +102,7 @@ const TECHNIQUES = {
     id: 93001,
     name: 'CLAUDE.md contains a test command',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /npm test|pytest|jest|vitest|cargo test|go test|mix test|rspec/.test(md);
     },
     impact: 'high',
@@ -115,7 +116,7 @@ const TECHNIQUES = {
     id: 93002,
     name: 'CLAUDE.md contains a lint command',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /eslint|prettier|ruff|black|clippy|golangci-lint|rubocop|npm run lint|yarn lint|pnpm lint|bun lint/.test(md);
     },
     impact: 'high',
@@ -129,7 +130,7 @@ const TECHNIQUES = {
     id: 93003,
     name: 'CLAUDE.md contains a build command',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /npm run build|cargo build|go build|make|tsc|gradle build|mvn compile/.test(md);
     },
     impact: 'medium',
@@ -199,7 +200,7 @@ const TECHNIQUES = {
     id: 1039,
     name: 'CLAUDE.md has no embedded API keys',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return !/sk-[a-zA-Z0-9]{20,}|xoxb-|AKIA[A-Z0-9]{16}/.test(md);
     },
     impact: 'critical',
@@ -328,6 +329,7 @@ const TECHNIQUES = {
     id: 24,
     name: 'Permission configuration',
     check: (ctx) => {
+      // Prefer local (effective config) — any settings file with permissions passes
       const settings = ctx.jsonFile('.claude/settings.local.json') || ctx.jsonFile('.claude/settings.json');
       return !!(settings && settings.permissions);
     },
@@ -396,7 +398,7 @@ const TECHNIQUES = {
     id: 1031,
     name: 'Security review command awareness',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return md.includes('security') || md.includes('/security-review');
     },
     impact: 'high',
@@ -498,7 +500,7 @@ const TECHNIQUES = {
     name: 'Frontend design skill for anti-AI-slop',
     check: (ctx) => {
       if (!hasFrontendSignals(ctx)) return null;
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return md.includes('frontend_aesthetics') || md.includes('anti-AI-slop') || md.includes('frontend-design');
     },
     impact: 'medium',
@@ -553,11 +555,13 @@ const TECHNIQUES = {
   ciPipeline: {
     id: 260,
     name: 'CI pipeline configured',
-    check: (ctx) => ctx.hasDir('.github/workflows'),
+    check: (ctx) => ctx.hasDir('.github/workflows') || ctx.hasDir('.circleci') ||
+      ctx.files.includes('.gitlab-ci.yml') || ctx.files.includes('Jenkinsfile') ||
+      ctx.files.includes('.travis.yml') || ctx.files.includes('bitbucket-pipelines.yml'),
     impact: 'high',
     rating: 4,
     category: 'devops',
-    fix: 'Add .github/workflows/ with CI pipeline for automated testing and deployment.',
+    fix: 'Add a CI pipeline (GitHub Actions, GitLab CI, CircleCI, etc.) for automated testing and deployment.',
     template: null
   },
 
@@ -658,7 +662,7 @@ const TECHNIQUES = {
     id: 568,
     name: 'CLAUDE.md mentions /compact or compaction',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /\/compact|compaction|context.*(limit|manage|budget)/i.test(md);
     },
     impact: 'medium',
@@ -672,7 +676,7 @@ const TECHNIQUES = {
     id: 45,
     name: 'Context management awareness',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /context.*(manage|window|limit|budget|token)/i.test(md);
     },
     impact: 'medium',
@@ -744,7 +748,7 @@ const TECHNIQUES = {
     id: 96,
     name: 'XML tags for structured prompts',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       // Give credit for XML tags OR well-structured markdown with clear sections
       const hasXml = md.includes('<constraints') || md.includes('<rules') ||
         md.includes('<validation') || md.includes('<instructions');
@@ -764,7 +768,7 @@ const TECHNIQUES = {
     id: 9,
     name: 'CLAUDE.md contains code examples',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return (md.match(/```/g) || []).length >= 2;
     },
     impact: 'high',
@@ -778,8 +782,8 @@ const TECHNIQUES = {
     id: 10,
     name: 'CLAUDE.md defines a role or persona',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
-      return /you are|your role|act as|persona|behave as/i.test(md);
+      const md = ctx.claudeMdContent() || '';
+      return /^you are a |^your role is|^act as a |persona:|behave as a /im.test(md);
     },
     impact: 'medium',
     rating: 4,
@@ -792,7 +796,7 @@ const TECHNIQUES = {
     id: 9601,
     name: 'XML constraint blocks in CLAUDE.md',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /<constraints|<rules|<requirements|<boundaries/i.test(md);
     },
     impact: 'high',
@@ -810,10 +814,10 @@ const TECHNIQUES = {
     id: 1102,
     name: 'Claude Code Channels awareness',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       const settings = ctx.jsonFile('.claude/settings.local.json') || ctx.jsonFile('.claude/settings.json');
       const settingsStr = JSON.stringify(settings || {});
-      return md.toLowerCase().includes('channel') || settingsStr.includes('channel');
+      return /\bchannels?\b.*\b(telegram|discord|imessage|slack|bridge)\b|\b(telegram|discord|imessage|slack|bridge)\b.*\bchannels?\b/i.test(md) || settingsStr.includes('channels');
     },
     impact: 'low',
     rating: 3,
@@ -831,7 +835,7 @@ const TECHNIQUES = {
     id: 2001,
     name: 'CLAUDE.md mentions current Claude features',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       if (md.length < 50) return false; // too short to evaluate
       // Check for awareness of features from 2025+
       const modernFeatures = ['hook', 'skill', 'agent', 'subagent', 'mcp', 'compact', '/clear', 'extended thinking', 'tool_use', 'worktree'];
@@ -845,13 +849,14 @@ const TECHNIQUES = {
     template: null
   },
 
+  // claudeMdNotOverlong removed — duplicate of underlines200 (id 681)
+
   claudeMdNotOverlong: {
     id: 2002,
     name: 'CLAUDE.md is concise (under 200 lines)',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md');
-      if (!md) return false; // no CLAUDE.md = not passing
-      return md.split('\n').length <= 200;
+      // Defer to underlines200 — this check always returns null (skipped)
+      return null;
     },
     impact: 'medium',
     rating: 4,
@@ -864,12 +869,20 @@ const TECHNIQUES = {
     id: 2003,
     name: 'CLAUDE.md has no obvious contradictions',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md');
+      const md = ctx.claudeMdContent();
       if (!md || md.length < 50) return false; // no CLAUDE.md or too short = not passing
       // Check for common contradictions
-      const hasNever = /never.*always|always.*never/i.test(md);
-      const hasBothStyles = /use tabs/i.test(md) && /use spaces/i.test(md);
-      return !hasNever && !hasBothStyles;
+      // Check for contradictions on the SAME topic (same line or adjacent sentence)
+      const lines = md.split('\n');
+      let hasContradiction = false;
+      for (const line of lines) {
+        if (/\balways\b.*\bnever\b|\bnever\b.*\balways\b/i.test(line)) {
+          hasContradiction = true;
+          break;
+        }
+      }
+      const hasBothStyles = /\buse tabs\b/i.test(md) && /\buse spaces\b/i.test(md);
+      return !hasContradiction && !hasBothStyles;
     },
     impact: 'high',
     rating: 4,
@@ -940,14 +953,15 @@ const TECHNIQUES = {
 
   securityReviewInWorkflow: {
     id: 2008,
-    name: '/security-review in workflow',
+    name: '/security-review command or workflow',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
       const hasCommand = ctx.hasDir('.claude/commands') &&
         (ctx.dirFiles('.claude/commands') || []).some(f => f.includes('security') || f.includes('review'));
-      return md.toLowerCase().includes('security') || hasCommand;
+      const md = ctx.claudeMdContent() || '';
+      const hasExplicitRef = /\/security-review|security review command|security workflow/i.test(md);
+      return hasCommand || hasExplicitRef;
     },
-    impact: 'high',
+    impact: 'medium',
     rating: 4,
     category: 'quality-deep',
     fix: 'Claude Code has built-in /security-review (OWASP Top 10). Add it to your workflow or create a /security command.',
@@ -959,7 +973,7 @@ const TECHNIQUES = {
     id: 2010,
     name: 'Test coverage or strategy mentioned',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /coverage|test.*strateg|e2e|integration test|unit test/i.test(md);
     },
     impact: 'medium', rating: 3, category: 'quality',
@@ -991,7 +1005,7 @@ const TECHNIQUES = {
     id: 2012,
     name: 'Auto-memory or memory management mentioned',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /auto.?memory|memory.*manage|remember|persistent.*context/i.test(md);
     },
     impact: 'low', rating: 3, category: 'memory',
@@ -1004,7 +1018,7 @@ const TECHNIQUES = {
     id: 2013,
     name: 'Sandbox or isolation mentioned',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       const settings = ctx.jsonFile('.claude/settings.json') || {};
       return /sandbox|isolat/i.test(md) || !!settings.sandbox;
     },
@@ -1047,7 +1061,7 @@ const TECHNIQUES = {
     id: 2016,
     name: 'Effort level or thinking configuration',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       const shared = ctx.jsonFile('.claude/settings.json') || {};
       const local = ctx.jsonFile('.claude/settings.local.json') || {};
       return /effort|thinking/i.test(md) || shared.effortLevel || local.effortLevel ||
@@ -1074,7 +1088,7 @@ const TECHNIQUES = {
     id: 2018,
     name: 'Worktree or parallel sessions mentioned',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       const shared = ctx.jsonFile('.claude/settings.json') || {};
       return /worktree|parallel.*session/i.test(md) || !!shared.worktree;
     },
@@ -1088,7 +1102,7 @@ const TECHNIQUES = {
     id: 2019,
     name: 'CLAUDE.md includes "do not" instructions',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /do not|don't|never|avoid|must not/i.test(md);
     },
     impact: 'medium', rating: 4, category: 'prompting',
@@ -1100,8 +1114,8 @@ const TECHNIQUES = {
     id: 2020,
     name: 'CLAUDE.md includes output or style guidance',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
-      return /style|format|convention|naming|pattern|prefer/i.test(md);
+      const md = ctx.claudeMdContent() || '';
+      return /coding style|naming convention|code style|style guide|formatting rules|\bprefer\b.*\b(single|double|tabs|spaces|camel|snake|kebab|named|default|const|let|arrow|function)\b/i.test(md);
     },
     impact: 'medium', rating: 3, category: 'prompting',
     fix: 'Add coding style and naming conventions to CLAUDE.md so Claude matches your project patterns.',
@@ -1127,7 +1141,7 @@ const TECHNIQUES = {
     id: 2022,
     name: 'CLAUDE.md describes what the project does',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /what.*does|overview|purpose|about|description|project.*is/i.test(md) && md.length > 100;
     },
     impact: 'high', rating: 4, category: 'memory',
@@ -1139,7 +1153,7 @@ const TECHNIQUES = {
     id: 2023,
     name: 'CLAUDE.md documents directory structure',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md') || '';
+      const md = ctx.claudeMdContent() || '';
       return /src\/|app\/|lib\/|structure|director|folder/i.test(md);
     },
     impact: 'medium', rating: 4, category: 'memory',
@@ -1265,15 +1279,15 @@ const TECHNIQUES = {
     id: 2009,
     name: 'No deprecated patterns detected',
     check: (ctx) => {
-      const md = ctx.fileContent('CLAUDE.md');
+      const md = ctx.claudeMdContent();
       if (!md) return false; // no CLAUDE.md = not passing
       // Check for patterns deprecated in Claude 4.x
-      const deprecated = [
-        'prefill', // deprecated in 4.6
-        'claude-3-opus', 'claude-3-sonnet', 'claude-3-haiku', // old model names
-        'human_prompt', 'assistant_prompt', // old API format
+      const deprecatedPatterns = [
+        /\bprefill\b/i, // deprecated API pattern in 4.6
+        /\bclaude-3-opus\b/i, /\bclaude-3-sonnet\b/i, /\bclaude-3-haiku\b/i, // old model names
+        /\bhuman_prompt\b/i, /\bassistant_prompt\b/i, // old API format
       ];
-      return !deprecated.some(d => md.toLowerCase().includes(d));
+      return !deprecatedPatterns.some(p => p.test(md));
     },
     impact: 'medium',
     rating: 3,