claudex-setup 1.7.0 → 1.9.0

package/src/benchmark.js

@@ -5,6 +5,8 @@ const path = require('path');
 const { version } = require('../package.json');
 const { audit } = require('./audit');
 const { setup } = require('./setup');
+const { analyzeProject } = require('./analyze');
+const { getGovernanceSummary } = require('./governance');
 
 function copyProject(sourceDir, targetDir) {
   fs.mkdirSync(targetDir, { recursive: true });
@@ -34,20 +36,76 @@ function summarizeAudit(result) {
   };
 }
 
-function buildExecutiveSummary(before, after) {
+function buildWorkflowEvidence(before, after, analysisReport, governanceSummary) {
+  const tasks = [
+    {
+      key: 'discover-without-writes',
+      label: 'Discover next actions without writing files',
+      passed: before.checkCount > 0 && Array.isArray(before.quickWins),
+      evidence: `Baseline audit returned ${before.checkCount} applicable checks and ${before.quickWins.length} quick wins.`,
+    },
+    {
+      key: 'starter-safe-improvement',
+      label: 'Apply starter-safe improvements in isolation',
+      passed: after.score >= before.score && after.failed <= before.failed,
+      evidence: `Score moved ${before.score} -> ${after.score}; failed checks moved ${before.failed} -> ${after.failed}.`,
+    },
+    {
+      key: 'governed-rollout-surface',
+      label: 'Expose governed rollout controls',
+      passed: governanceSummary.permissionProfiles.length >= 3 && governanceSummary.hookRegistry.length >= 1,
+      evidence: `${governanceSummary.permissionProfiles.length} profiles and ${governanceSummary.hookRegistry.length} governed hooks available.`,
+    },
+    {
+      key: 'domain-pack-guidance',
+      label: 'Recommend a domain pack for the repo',
+      passed: analysisReport.recommendedDomainPacks.length > 0,
+      evidence: analysisReport.recommendedDomainPacks.map(pack => pack.label).join(', ') || 'No domain pack recommendation generated.',
+    },
+    {
+      key: 'mcp-pack-guidance',
+      label: 'Recommend MCP packs when appropriate',
+      passed: analysisReport.recommendedMcpPacks.length > 0,
+      evidence: analysisReport.recommendedMcpPacks.map(pack => pack.label).join(', ') || 'No MCP pack recommendation generated.',
+    },
+  ];
+
+  const passed = tasks.filter(task => task.passed).length;
+  const total = tasks.length;
+  return {
+    taskPack: 'maintainer-core',
+    tasks,
+    summary: {
+      passed,
+      total,
+      coverageScore: total > 0 ? Math.round((passed / total) * 100) : 0,
+    },
+  };
+}
+
+function buildExecutiveSummary(before, after, workflowEvidence) {
   const scoreDelta = after.score - before.score;
   const organicDelta = after.organicScore - before.organicScore;
+  const workflowCoverage = workflowEvidence.summary.coverageScore;
+  let headline = 'Benchmark did not improve the score in this run.';
+
+  if (scoreDelta > 0) {
+    headline = `Benchmark improved readiness by ${scoreDelta} points without touching the original repo.`;
+  } else if (before.score >= 85 && after.score >= before.score && workflowCoverage >= 80) {
+    headline = 'Benchmark confirmed the repo already meets the starter-safe baseline without regression.';
+  }
+
   return {
-    headline: scoreDelta > 0
-      ? `Benchmark improved readiness by ${scoreDelta} points without touching the original repo.`
-      : 'Benchmark did not improve the score in this run.',
+    headline,
     scoreDelta,
     organicDelta,
     decisionGuidance: scoreDelta >= 20
       ? 'Strong pilot candidate'
       : scoreDelta >= 10
         ? 'Promising but needs manual review'
-        : 'Use suggest-only mode before rollout',
+        : (before.score >= 85 && workflowCoverage >= 80
+          ? 'Use suggest-only mode, domain packs, or task-level benchmarks next'
+          : 'Use suggest-only mode before rollout'),
   };
 }
 
@@ -95,6 +153,11 @@ function renderBenchmarkMarkdown(report) {
     `- ${report.executiveSummary.headline}`,
     `- Recommendation: ${report.executiveSummary.decisionGuidance}`,
     '',
+    '## Workflow Evidence',
+    `- Task pack: ${report.workflowEvidence.taskPack}`,
+    `- Coverage: ${report.workflowEvidence.summary.passed}/${report.workflowEvidence.summary.total} (${report.workflowEvidence.summary.coverageScore}%)`,
+    ...report.workflowEvidence.tasks.map(task => `- ${task.label}: ${task.passed ? 'pass' : 'not yet'} — ${task.evidence}`),
+    '',
     '## Case Study',
     `- Initial state: ${report.caseStudy.initialState}`,
     `- Chosen mode: ${report.caseStudy.chosenMode}`,
@@ -111,8 +174,17 @@ async function runBenchmark(options) {
 
   try {
     copyProject(options.dir, sandboxDir);
-    const applyResult = await setup({ dir: sandboxDir, auto: true, silent: true });
+    const applyResult = await setup({
+      dir: sandboxDir,
+      auto: true,
+      silent: true,
+      profile: options.profile,
+      mcpPacks: options.mcpPacks || [],
+    });
     const after = await audit({ dir: sandboxDir, silent: true });
+    const analysisReport = await analyzeProject({ dir: sandboxDir, mode: 'suggest-only' });
+    const governanceSummary = getGovernanceSummary();
+    const workflowEvidence = buildWorkflowEvidence(before, after, analysisReport, governanceSummary);
 
     return {
       schemaVersion: 1,
@@ -133,7 +205,8 @@ async function runBenchmark(options) {
         passed: after.passed - before.passed,
         failed: after.failed - before.failed,
       },
-      executiveSummary: buildExecutiveSummary(before, after),
+      workflowEvidence,
+      executiveSummary: buildExecutiveSummary(before, after, workflowEvidence),
       caseStudy: buildCaseStudy(before, after, applyResult),
     };
   } finally {
@@ -158,6 +231,7 @@ function printBenchmark(report, options = {}) {
   console.log('');
   console.log(`  ${report.executiveSummary.headline}`);
   console.log(`  Recommendation: ${report.executiveSummary.decisionGuidance}`);
+  console.log(`  Workflow evidence: ${report.workflowEvidence.summary.passed}/${report.workflowEvidence.summary.total} tasks (${report.workflowEvidence.summary.coverageScore}%)`);
   console.log('');
 }
 

package/src/claudex-sync.json

@@ -1,7 +1,11 @@
 {
   "synced_from": "claudex",
-  "synced_at": "2026-03-30T23:05:29Z",
+  "synced_at": "2026-03-31T19:30:00Z",
   "total_items": 1107,
   "tested": 948,
-  "last_id": 1157
+  "last_id": 1157,
+  "domain_packs": 10,
+  "mcp_packs": 5,
+  "anti_patterns": 53,
+  "contract_version": "1.0.0"
 }

package/src/context.js

@@ -17,11 +17,12 @@ class ProjectContext {
     try {
       const entries = fs.readdirSync(this.dir, { withFileTypes: true });
       for (const entry of entries) {
-        if (entry.name.startsWith('.') && entry.name !== '.claude' && entry.name !== '.gitignore') continue;
-        if (entry.name === 'node_modules' || entry.name === '__pycache__') continue;
         if (entry.isFile()) {
+          if (entry.name === '.DS_Store') continue;
           this.files.push(entry.name);
         } else if (entry.isDirectory()) {
+          if (entry.name.startsWith('.') && entry.name !== '.claude') continue;
+          if (entry.name === 'node_modules' || entry.name === '__pycache__') continue;
           this.files.push(entry.name + '/');
           // Scan .claude/ subdirectories
           if (entry.name === '.claude') {

package/src/domain-packs.js

@@ -0,0 +1,223 @@
+const DOMAIN_PACKS = [
+  {
+    key: 'baseline-general',
+    label: 'Baseline General',
+    useWhen: 'General repos that need a pragmatic Claude baseline without domain-specific assumptions.',
+    recommendedModules: ['CLAUDE.md baseline', 'verification', 'safe-write profile'],
+    recommendedMcpPacks: ['context7-docs'],
+    benchmarkFocus: ['discover next actions', 'starter-safe improvement', 'governed rollout'],
+  },
+  {
+    key: 'backend-api',
+    label: 'Backend API',
+    useWhen: 'Service, API, or backend-heavy repos with routes, services, jobs, or data access.',
+    recommendedModules: ['verification', 'security workflow', 'commands', 'rules'],
+    recommendedMcpPacks: ['context7-docs'],
+    benchmarkFocus: ['test + build verification', 'security review workflow', 'safe apply on existing config'],
+  },
+  {
+    key: 'frontend-ui',
+    label: 'Frontend UI',
+    useWhen: 'React, Next.js, Vue, Angular, or Svelte repos with components and UI-heavy workflows.',
+    recommendedModules: ['frontend rules', 'design guidance', 'commands', 'benchmark'],
+    recommendedMcpPacks: ['context7-docs', 'next-devtools'],
+    benchmarkFocus: ['build checks', 'component workflow quality', 'framework-aware starter output'],
+  },
+  {
+    key: 'data-pipeline',
+    label: 'Data Pipeline',
+    useWhen: 'Repos with workers, DAGs, marts, ETL jobs, migrations, or analytics-heavy workflows.',
+    recommendedModules: ['verification', 'rules', 'agents', 'benchmark'],
+    recommendedMcpPacks: ['context7-docs'],
+    benchmarkFocus: ['pipeline safety', 'repeatable task flows', 'state-aware review artifacts'],
+  },
+  {
+    key: 'infra-platform',
+    label: 'Infra Platform',
+    useWhen: 'Terraform, Docker, Kubernetes, Wrangler, or deployment-oriented repos.',
+    recommendedModules: ['ci-devops', 'commands', 'governance', 'benchmark'],
+    recommendedMcpPacks: ['context7-docs'],
+    benchmarkFocus: ['release safety', 'policy-controlled rollout', 'infra verification loops'],
+  },
+  {
+    key: 'oss-library',
+    label: 'OSS Library',
+    useWhen: 'Public packages or contributor-heavy repos that need a lighter governance footprint.',
+    recommendedModules: ['suggest-only profile', 'light rules', 'commands', 'README-aligned CLAUDE.md'],
+    recommendedMcpPacks: ['context7-docs'],
+    benchmarkFocus: ['low-footprint adoption', 'manual review friendliness', 'contributor-safe defaults'],
+  },
+  {
+    key: 'enterprise-governed',
+    label: 'Enterprise Governed',
+    useWhen: 'Repos with CI, permissions, hooks, and a need for auditable change controls.',
+    recommendedModules: ['governance', 'activity artifacts', 'rollback manifests', 'benchmark evidence'],
+    recommendedMcpPacks: ['context7-docs'],
+    benchmarkFocus: ['policy-aware rollout', 'approval flow readiness', 'benchmark export quality'],
+  },
+  {
+    key: 'monorepo',
+    label: 'Monorepo',
+    useWhen: 'Nx, Turborepo, Lerna, or workspace-based repos with multiple packages sharing a root.',
+    recommendedModules: ['path-specific rules', 'commands per package', 'governance', 'agents'],
+    recommendedMcpPacks: ['context7-docs'],
+    benchmarkFocus: ['package-scoped rule coverage', 'cross-package safety', 'workspace-aware starter output'],
+  },
+  {
+    key: 'mobile',
+    label: 'Mobile App',
+    useWhen: 'React Native, Flutter, Swift, or Kotlin repos with mobile-specific build and release workflows.',
+    recommendedModules: ['verification', 'commands', 'rules', 'agents'],
+    recommendedMcpPacks: ['context7-docs'],
+    benchmarkFocus: ['build verification', 'platform-specific rules', 'release workflow quality'],
+  },
+  {
+    key: 'regulated-lite',
+    label: 'Regulated Lite',
+    useWhen: 'Repos in regulated environments (fintech, health, legal) that need auditability without full enterprise governance overhead.',
+    recommendedModules: ['governance', 'activity artifacts', 'suggest-only profile', 'audit logging'],
+    recommendedMcpPacks: ['context7-docs'],
+    benchmarkFocus: ['audit trail completeness', 'change traceability', 'policy compliance readiness'],
+  },
+];
+
+function uniqueByKey(items) {
+  const seen = new Set();
+  const result = [];
+  for (const item of items) {
+    if (seen.has(item.key)) continue;
+    seen.add(item.key);
+    result.push(item);
+  }
+  return result;
+}
+
+function detectDomainPacks(ctx, stacks, assets = null) {
+  const stackKeys = new Set((stacks || []).map(stack => stack.key));
+  const pkg = ctx.jsonFile('package.json') || {};
+  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
+  const matches = [];
+
+  function addMatch(key, reasons) {
+    const pack = DOMAIN_PACKS.find(item => item.key === key);
+    if (!pack) return;
+    matches.push({
+      ...pack,
+      matchReasons: reasons.filter(Boolean).slice(0, 3),
+    });
+  }
+
+  const hasFrontend = stackKeys.has('react') || stackKeys.has('nextjs') || stackKeys.has('vue') ||
+    stackKeys.has('angular') || stackKeys.has('svelte') || ctx.hasDir('components') || ctx.hasDir('app') || ctx.hasDir('pages');
+  const hasBackend = stackKeys.has('node') || stackKeys.has('python') || stackKeys.has('django') ||
+    stackKeys.has('fastapi') || stackKeys.has('go') || stackKeys.has('rust') || stackKeys.has('java') ||
+    ctx.hasDir('api') || ctx.hasDir('routes') || ctx.hasDir('services') || ctx.hasDir('controllers');
+  const hasData = ctx.hasDir('dags') || ctx.hasDir('jobs') || ctx.hasDir('workers') ||
+    ctx.hasDir('models') || ctx.hasDir('migrations') || ctx.hasDir('db') ||
+    deps.dbt || deps['apache-airflow'] || deps.pandas || deps.polars || deps.duckdb;
+  const hasInfra = stackKeys.has('docker') || stackKeys.has('terraform') || stackKeys.has('kubernetes') ||
+    ctx.files.includes('wrangler.toml') || ctx.files.includes('serverless.yml') || ctx.files.includes('serverless.yaml') ||
+    ctx.files.includes('cdk.json') || ctx.hasDir('infra') || ctx.hasDir('deploy') || ctx.hasDir('helm');
+  const isOss = !!ctx.fileContent('LICENSE') && !!ctx.fileContent('CONTRIBUTING.md') && pkg.private !== true;
+  const isEnterpriseGoverned = !!(assets && assets.permissions && assets.permissions.hasDenyRules) &&
+    !!(assets && assets.files && assets.files.settings) && ctx.hasDir('.github/workflows');
+
+  if (hasBackend) {
+    addMatch('backend-api', [
+      'Detected backend stack or service directories.',
+      ctx.hasDir('api') ? 'API-facing structure detected.' : null,
+      ctx.hasDir('services') ? 'Service-layer directories detected.' : null,
+    ]);
+  }
+
+  if (hasFrontend) {
+    addMatch('frontend-ui', [
+      'Detected frontend stack or UI directories.',
+      ctx.hasDir('components') ? 'Component directories detected.' : null,
+      stackKeys.has('nextjs') ? 'Next.js stack detected.' : null,
+    ]);
+  }
+
+  if (hasData) {
+    addMatch('data-pipeline', [
+      'Detected worker, jobs, models, or analytics-style structure.',
+      ctx.hasDir('jobs') ? 'Job/pipeline directories detected.' : null,
+      ctx.hasDir('migrations') ? 'Migration flow detected.' : null,
+    ]);
+  }
+
+  if (hasInfra) {
+    addMatch('infra-platform', [
+      'Detected deployment or infrastructure signals.',
+      ctx.files.includes('wrangler.toml') ? 'Wrangler deployment config detected.' : null,
+      ctx.hasDir('deploy') ? 'Deployment directory detected.' : null,
+    ]);
+  }
+
+  if (isOss) {
+    addMatch('oss-library', [
+      'License and contribution guidance suggest an open-source repo.',
+      pkg.private === false ? 'package.json is not marked private.' : null,
+    ]);
+  }
+
+  if (isEnterpriseGoverned) {
+    addMatch('enterprise-governed', [
+      'Settings, deny rules, and CI indicate a governed team workflow.',
+      'Repo already has policy-aware Claude assets.',
+    ]);
+  }
+
+  // Monorepo detection
+  const isMonorepo = ctx.files.includes('nx.json') || ctx.files.includes('turbo.json') ||
+    ctx.files.includes('lerna.json') || ctx.hasDir('packages') ||
+    (pkg.workspaces && (Array.isArray(pkg.workspaces) ? pkg.workspaces.length > 0 : true));
+  if (isMonorepo) {
+    addMatch('monorepo', [
+      'Detected monorepo or workspace configuration.',
+      ctx.files.includes('nx.json') ? 'Nx workspace detected.' : null,
+      ctx.files.includes('turbo.json') ? 'Turborepo detected.' : null,
+      ctx.hasDir('packages') ? 'Packages directory detected.' : null,
+    ]);
+  }
+
+  // Mobile detection
+  const isMobile = deps['react-native'] || deps.expo || deps.flutter ||
+    ctx.files.includes('Podfile') || ctx.files.includes('build.gradle') ||
+    ctx.files.includes('build.gradle.kts') || ctx.hasDir('ios') || ctx.hasDir('android');
+  if (isMobile) {
+    addMatch('mobile', [
+      'Detected mobile app structure or dependencies.',
+      deps['react-native'] ? 'React Native detected.' : null,
+      ctx.hasDir('ios') ? 'iOS directory detected.' : null,
+      ctx.hasDir('android') ? 'Android directory detected.' : null,
+    ]);
+  }
+
+  // Regulated-lite detection
+  const isRegulated = ctx.files.includes('SECURITY.md') ||
+    ctx.files.includes('COMPLIANCE.md') || ctx.hasDir('compliance') ||
+    ctx.hasDir('audit') || ctx.hasDir('policies') ||
+    (pkg.keywords && pkg.keywords.some(k => ['hipaa', 'fintech', 'compliance', 'regulated', 'sox', 'pci'].includes(k)));
+  if (isRegulated && !isEnterpriseGoverned) {
+    addMatch('regulated-lite', [
+      'Detected compliance or regulatory signals without full enterprise governance.',
+      ctx.files.includes('SECURITY.md') ? 'SECURITY.md present.' : null,
+      ctx.hasDir('compliance') ? 'Compliance directory detected.' : null,
+    ]);
+  }
+
+  const deduped = uniqueByKey(matches);
+  if (deduped.length === 0) {
+    return [{
+      ...DOMAIN_PACKS.find(item => item.key === 'baseline-general'),
+      matchReasons: ['No stronger domain signal detected yet.'],
+    }];
+  }
+  return deduped;
+}
+
+module.exports = {
+  DOMAIN_PACKS,
+  detectDomainPacks,
+};

package/src/governance.js

@@ -1,3 +1,6 @@
+const { DOMAIN_PACKS } = require('./domain-packs');
+const { MCP_PACKS, mergeMcpServers, normalizeMcpPackKeys } = require('./mcp-packs');
+
 const PERMISSION_PROFILES = [
   {
     key: 'read-only',
@@ -83,6 +86,54 @@ const HOOK_REGISTRY = [
     dryRunExample: 'Edit one file and verify the log entry is appended.',
     rollbackPath: 'Remove the PostToolUse hook entry and delete the log file if desired.',
   },
+  {
+    key: 'duplicate-id-check',
+    file: '.claude/hooks/check-duplicate-ids.sh',
+    triggerPoint: 'PostToolUse',
+    matcher: 'Write|Edit',
+    purpose: 'Detects duplicate IDs in catalog or structured data files after edits.',
+    filesTouched: [],
+    sideEffects: ['Returns a systemMessage warning if duplicates are found.'],
+    risk: 'low',
+    dryRunExample: 'Edit a catalog file and verify duplicate check runs without blocking.',
+    rollbackPath: 'Remove the PostToolUse hook entry from settings.',
+  },
+  {
+    key: 'injection-defense',
+    file: '.claude/hooks/injection-defense.sh',
+    triggerPoint: 'PostToolUse',
+    matcher: 'WebFetch|WebSearch',
+    purpose: 'Scans web tool outputs for common prompt injection patterns.',
+    filesTouched: ['tools/failure-log.txt'],
+    sideEffects: ['Logs alerts to failure log.', 'Returns a systemMessage warning if patterns detected.'],
+    risk: 'low',
+    dryRunExample: 'Run a WebFetch and verify output is scanned for injection patterns.',
+    rollbackPath: 'Remove the PostToolUse hook entry from settings.',
+  },
+  {
+    key: 'trust-drift-check',
+    file: '.claude/hooks/trust-drift-check.sh',
+    triggerPoint: 'PostToolUse',
+    matcher: 'Write|Edit',
+    purpose: 'Runs trust drift validation after file changes to catch metric/docs inconsistencies.',
+    filesTouched: [],
+    sideEffects: ['Returns a systemMessage warning if drift is detected.'],
+    risk: 'low',
+    dryRunExample: 'Edit a product-facing file and verify drift check runs.',
+    rollbackPath: 'Remove the PostToolUse hook entry from settings.',
+  },
+  {
+    key: 'session-init',
+    file: '.claude/hooks/rotate-logs.sh',
+    triggerPoint: 'SessionStart',
+    matcher: null,
+    purpose: 'Rotates large log files and loads workspace context at session start.',
+    filesTouched: ['tools/change-log.txt', 'tools/failure-log.txt'],
+    sideEffects: ['Archives logs over 500KB.', 'Returns a systemMessage with workspace info.'],
+    risk: 'low',
+    dryRunExample: 'Start a new session and verify log rotation runs.',
+    rollbackPath: 'Remove the SessionStart hook entry from settings.',
+  },
 ];
 
 const POLICY_PACKS = [
@@ -137,11 +188,147 @@ const PILOT_ROLLOUT_KIT = {
   ],
 };
 
+function clone(value) {
+  return JSON.parse(JSON.stringify(value));
+}
+
+function mergeUnique(existing = [], additions = []) {
+  return [...new Set([...(Array.isArray(existing) ? existing : []), ...additions])];
+}
+
+function mergeHooks(existingHooks = {}, nextHooks = {}) {
+  const merged = clone(existingHooks || {});
+
+  for (const [stage, blocks] of Object.entries(nextHooks)) {
+    const targetBlocks = Array.isArray(merged[stage]) ? clone(merged[stage]) : [];
+    for (const incoming of blocks) {
+      const index = targetBlocks.findIndex(block => block.matcher === incoming.matcher);
+      if (index === -1) {
+        targetBlocks.push(clone(incoming));
+        continue;
+      }
+
+      const current = targetBlocks[index];
+      const existingCommands = new Set((current.hooks || []).map(hook => `${hook.type}:${hook.command}:${hook.timeout || ''}`));
+      const mergedHooks = [...(current.hooks || [])];
+      for (const hook of incoming.hooks || []) {
+        const signature = `${hook.type}:${hook.command}:${hook.timeout || ''}`;
+        if (!existingCommands.has(signature)) {
+          mergedHooks.push(clone(hook));
+          existingCommands.add(signature);
+        }
+      }
+      targetBlocks[index] = { ...current, hooks: mergedHooks };
+    }
+    merged[stage] = targetBlocks;
+  }
+
+  return merged;
+}
+
+function getPermissionProfile(key = 'safe-write') {
+  return PERMISSION_PROFILES.find(profile => profile.key === key) ||
+    PERMISSION_PROFILES.find(profile => profile.key === 'safe-write');
+}
+
+function isWritableProfile(key = 'safe-write') {
+  return ['safe-write', 'power-user', 'internal-research'].includes(getPermissionProfile(key).key);
+}
+
+function ensureWritableProfile(key = 'safe-write', commandName = 'apply', dryRun = false) {
+  const profile = getPermissionProfile(key);
+  if (!dryRun && !isWritableProfile(profile.key)) {
+    throw new Error(`${commandName} requires a writable profile. Use --profile safe-write or --dry-run.`);
+  }
+  return profile;
+}
+
+function buildHookConfig(hookFiles, profileKey) {
+  const profile = getPermissionProfile(profileKey);
+  if (!isWritableProfile(profile.key)) {
+    return {};
+  }
+
+  const uniqueFiles = [...new Set(hookFiles)].sort();
+  if (uniqueFiles.length === 0) {
+    return {};
+  }
+
+  const hookConfig = {
+    PostToolUse: [{
+      matcher: 'Write|Edit',
+      hooks: uniqueFiles
+        .filter(file => file !== 'protect-secrets.sh' && file !== 'session-start.sh')
+        .map(file => ({
+          type: 'command',
+          command: `bash .claude/hooks/${file}`,
+          timeout: 10,
+        })),
+    }],
+  };
+
+  if (uniqueFiles.includes('protect-secrets.sh')) {
+    hookConfig.PreToolUse = [{
+      matcher: 'Read|Write|Edit',
+      hooks: [{
+        type: 'command',
+        command: 'bash .claude/hooks/protect-secrets.sh',
+        timeout: 5,
+      }],
+    }];
+  }
+
+  if (uniqueFiles.includes('session-start.sh')) {
+    hookConfig.SessionStart = [{
+      matcher: '*',
+      hooks: [{
+        type: 'command',
+        command: 'bash .claude/hooks/session-start.sh',
+        timeout: 5,
+      }],
+    }];
+  }
+
+  if ((hookConfig.PostToolUse[0].hooks || []).length === 0) {
+    delete hookConfig.PostToolUse;
+  }
+
+  return hookConfig;
+}
+
+function buildSettingsForProfile({ profileKey = 'safe-write', hookFiles = [], existingSettings = null, mcpPackKeys = [] } = {}) {
+  const profile = getPermissionProfile(profileKey);
+  const base = existingSettings ? clone(existingSettings) : {};
+  const selectedMcpPacks = normalizeMcpPackKeys(mcpPackKeys);
+  base.permissions = base.permissions || {};
+  base.permissions.defaultMode = profile.defaultMode;
+  base.permissions.deny = mergeUnique(base.permissions.deny, profile.deny);
+
+  const hookConfig = buildHookConfig(hookFiles, profile.key);
+  if (Object.keys(hookConfig).length > 0) {
+    base.hooks = mergeHooks(base.hooks, hookConfig);
+  }
+
+  if (selectedMcpPacks.length > 0) {
+    base.mcpServers = mergeMcpServers(base.mcpServers, selectedMcpPacks);
+  }
+
+  base.claudexSetup = {
+    ...(base.claudexSetup || {}),
+    profile: profile.key,
+    mcpPacks: selectedMcpPacks,
+  };
+
+  return base;
+}
+
 function getGovernanceSummary() {
   return {
     permissionProfiles: PERMISSION_PROFILES,
     hookRegistry: HOOK_REGISTRY,
     policyPacks: POLICY_PACKS,
+    domainPacks: DOMAIN_PACKS,
+    mcpPacks: MCP_PACKS,
     pilotRolloutKit: PILOT_ROLLOUT_KIT,
   };
 }
@@ -168,8 +355,9 @@ function printGovernanceSummary(summary, options = {}) {
 
   console.log('  Hook Registry');
   for (const hook of summary.hookRegistry) {
-    console.log(`  - ${hook.file}`);
-    console.log(`    ${hook.triggerPoint} ${hook.matcher} -> ${hook.purpose}`);
+    const riskColor = hook.risk === 'low' ? '\x1b[32m' : hook.risk === 'medium' ? '\x1b[33m' : '\x1b[31m';
+    console.log(`  - ${hook.file} ${riskColor}[${hook.risk} risk]\x1b[0m`);
+    console.log(`    ${hook.triggerPoint}${hook.matcher ? ` ${hook.matcher}` : ''} -> ${hook.purpose}`);
   }
   console.log('');
 
@@ -179,6 +367,18 @@ function printGovernanceSummary(summary, options = {}) {
   }
   console.log('');
 
+  console.log('  Domain Packs');
+  for (const pack of summary.domainPacks) {
+    console.log(`  - ${pack.label}: ${pack.useWhen}`);
+  }
+  console.log('');
+
+  console.log('  MCP Packs');
+  for (const pack of summary.mcpPacks) {
+    console.log(`  - ${pack.label}: ${Object.keys(pack.servers).join(', ')}`);
+  }
+  console.log('');
+
   console.log('  Pilot Rollout Kit');
   for (const item of summary.pilotRolloutKit.recommendedScope) {
     console.log(`  - ${item}`);
@@ -187,6 +387,11 @@ function printGovernanceSummary(summary, options = {}) {
 }
 
 module.exports = {
+  PERMISSION_PROFILES,
+  getPermissionProfile,
+  isWritableProfile,
+  ensureWritableProfile,
+  buildSettingsForProfile,
   getGovernanceSummary,
   printGovernanceSummary,
 };

package/src/index.js

@@ -4,6 +4,8 @@ const { analyzeProject } = require('./analyze');
 const { buildProposalBundle, applyProposalBundle } = require('./plans');
 const { getGovernanceSummary } = require('./governance');
 const { runBenchmark } = require('./benchmark');
+const { DOMAIN_PACKS, detectDomainPacks } = require('./domain-packs');
+const { MCP_PACKS, getMcpPack, mergeMcpServers, recommendMcpPacks } = require('./mcp-packs');
 
 module.exports = {
   audit,
@@ -13,4 +15,10 @@ module.exports = {
   applyProposalBundle,
   getGovernanceSummary,
   runBenchmark,
+  DOMAIN_PACKS,
+  detectDomainPacks,
+  MCP_PACKS,
+  getMcpPack,
+  mergeMcpServers,
+  recommendMcpPacks,
 };