code-ai-installer 4.0.1-b → 4.0.1-c

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Denis Harchenko
+Copyright (c) 2026 Denish1209
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -12,7 +12,7 @@
 **Code-AI Installer** ships two things in one npm package:
 
 1. **`code-ai`** — a production-ready CLI that injects your `.agents/`, `.agents/skills/`, and `.agents/workflows/` into the exact environment layout each AI tool expects. Author your agentic pipelines once, deploy them to Copilot, Codex, Claude, Qwen, Kimi, or Google Antigravity.
-2. **`code-ai-mcp`** — a bundled MCP (Model Context Protocol) server that turns those agents and skills into a **governed, gate-by-gate pipeline**: each stage produces an artifact, gets classified, and waits for a human sign-off before the next stage runs. Auto-registered for Claude via `.mcp.json`.
+2. **`code-ai-mcp`** — a bundled MCP (Model Context Protocol) server that turns those agents and skills into a **governed, gate-by-gate pipeline**: each stage produces an artifact, gets classified, and waits for a human sign-off before the next stage runs. Auto-registered for Claude in your global (user-scope) MCP config.
 
 > The agents, the skills, and the MCP server are one product: the agents assume the MCP gate tools exist, and the MCP server assumes the installer registered it. `npm install -g code-ai-installer` brings the whole thing.
 
@@ -21,7 +21,7 @@
 ## ✨ Features
 
 - 🚪 **Gate-based pipeline** — agents don't free-run. Work advances through ordered gates (classify → produce → human sign-off → advance), enforced by the MCP server's state machine, with a circuit breaker on repeated rollbacks.
-- 🧰 **Bundled MCP server** — `code-ai-mcp` exposes 31 tools (gate machine, skill fetch with telemetry, artifact/decision log, audit + action tools). Auto-wired into Claude's `.mcp.json` at install time.
+- 🧰 **Bundled MCP server** — `code-ai-mcp` exposes 31 tools (gate machine, skill fetch with telemetry, artifact/decision log, audit + action tools). Auto-registered in Claude's global (user-scope) MCP config at install time, available across all your projects.
 - 🔭 **Self-improving Auditor** — a meta-agent reads aggregate run metrics after ≥3 completed runs and *proposes* (never forces) tweaks to skills/agents; the human approves.
 - 🚀 **Interactive wizard** — pick target, domain, agents, and skills from a guided CLI.
 - 🌍 **Multi-AI support** — adapts instructions, reasoning hints, and file layout for Copilot, GPT Codex, Claude, Qwen 3.5, Moonshot Kimi, and Google Antigravity.
@@ -48,7 +48,7 @@ Every domain also carries a meta **Auditor** beside the pipeline. Each skill dec
 
 ## 🚪 The MCP Gate Pipeline
 
-When you install for **Claude**, the installer registers `code-ai-mcp` in your project's `.mcp.json`. From then on, the agents drive the work *through the server*, not by free-form prompting:
+When you install for **Claude**, the installer registers `code-ai-mcp` in your global (user-scope) Claude config via `claude mcp add --scope user` (idempotent — a server already present in user scope is left untouched). From then on, the agents drive the work *through the server*, not by free-form prompting:
 
 1. **`current_gate` / `classify_gate`** — the conductor reads where the run is and classifies the gate outcome (`auto_resolve` / `fork` / `exception`).
 2. **`get_skill`** — the active role fetches the skills it owns at this gate (the fetch is logged as telemetry for the Auditor).
@@ -151,7 +151,7 @@ Depending on `--target`, `code-ai` restructures your project:
 1. **Orchestration entry** — `AGENTS.md` (plus tool aliases like `CLAUDE.md`, `CODEX.md`, `GEMINI.md`, `QWEN.md`, `KIMI.md`).
 2. **Agents** — roles copied into the target's layout (e.g. `.claude/agents/<role>.md`, `.github/copilot-instructions.md`).
 3. **Skills & workflows** — the execution skillsets, with per-tool metadata sidecars.
-4. **MCP wiring (Claude only)** — `.mcp.json` registering `code-ai-mcp` (run as `npx -p code-ai-installer code-ai-mcp`), plus an optional [MemPalace](https://www.npmjs.com/package/mempalace) memory server when present, and a `.code-ai/config.json` that records the active domain and decision-store backend.
+4. **MCP wiring (Claude only)** — registers `code-ai-mcp` (run as `npx -p code-ai-installer code-ai-mcp`) in your global (user-scope) Claude config via `claude mcp add --scope user`, plus an optional [MemPalace](https://www.npmjs.com/package/mempalace) memory server when present, and a project-local `.code-ai/config.json` that records the active domain and decision-store backend. If the `claude` CLI isn't on PATH, the installer prints the exact commands to run instead of editing your config by hand.
 
 ---
 
@@ -159,7 +159,7 @@ Depending on `--target`, `code-ai` restructures your project:
 
 `code-ai-installer` is on **v4.0.0**.
 
-- **v4.0.0** — consolidated the previously separate `code-ai-mcp` and types packages into this single package with **two bins** (`code-ai` + `code-ai-mcp`). Installing the CLI now also delivers the MCP server; for Claude it is auto-registered in `.mcp.json`. Existing 3.x CLI behavior is unchanged.
+- **v4.0.0** — consolidated the previously separate `code-ai-mcp` and types packages into this single package with **two bins** (`code-ai` + `code-ai-mcp`). Installing the CLI now also delivers the MCP server; for Claude it is auto-registered in your global (user-scope) MCP config. Existing 3.x CLI behavior is unchanged.
 - **v3.0.0 (breaking)** — removed the legacy flat root layout (`AGENTS.md` + `agents/` + `.agents/` at package root); the CLI now reads exclusively from `domains/<id>/`. **Migrating from v2.x:** add `--domain <development|content|analytics|product>` to every CLI call. If you used a custom `--project-dir`, restructure it to `domains/<id>/` instead of a flat layout.
 
 ---

package/dist/catalog.js

@@ -159,7 +159,7 @@ async function mapWorkflowFiles(workflowsDir) {
 /**
  * Known root-level extra files to include in install.
  */
-const EXTRA_FILE_NAMES = ["prompt-examples.md", "CONTEXT.md"];
+const EXTRA_FILE_NAMES = ["prompt-examples.md"];
 /**
  * Maps optional root-level extra files for installation.
  * @param projectDir Absolute project root path.

package/dist/contentTransformer.d.ts

@@ -6,4 +6,4 @@ import type { TargetId } from "./types.js";
  * @param assetType Installed asset type.
  * @returns Target-normalized markdown content.
  */
-export declare function transformContentForTarget(input: string, target: TargetId, assetType: "orchestrator" | "agent" | "skill"): string;
+export declare function transformContentForTarget(input: string, target: TargetId, assetType: "orchestrator" | "agent" | "skill" | "workflow"): string;

package/dist/contentTransformer.js

@@ -1,4 +1,36 @@
 const hintRegex = /<!--\s*(codex|copilot|claude|qwen|gemini|kimi)\s*:\s*([\s\S]*?)-->\s*\n?/gi;
+/**
+ * Per-target tool-vocabulary map, applied to workflow files only. Source files
+ * use the Codex/Antigravity tool names; each target gets its native equivalents.
+ * Only unambiguous 1:1 tool-name renames live here — conceptual terms
+ * (notify_user, ShouldAutoProceed) are handled in the content rewrite, not
+ * mechanically substituted. Targets without an entry keep the source names.
+ */
+const WORKFLOW_TOOL_VOCABULARY = {
+    claude: {
+        view_file: "Read",
+        write_to_file: "Write",
+        replace_file_content: "Edit",
+    },
+};
+/**
+ * Substitutes tool-name tokens for the target using WORKFLOW_TOOL_VOCABULARY,
+ * matching whole words only so substrings are never mangled.
+ * @param content Normalized workflow content.
+ * @param target Destination target id.
+ * @returns Content with target-native tool names.
+ */
+function applyToolVocabulary(content, target) {
+    const map = WORKFLOW_TOOL_VOCABULARY[target];
+    if (!map) {
+        return content;
+    }
+    let out = content;
+    for (const [from, to] of Object.entries(map)) {
+        out = out.replace(new RegExp(`\\b${from}\\b`, "g"), to);
+    }
+    return out;
+}
 /**
  * Transforms markdown content for selected AI target.
  * @param input Original file content.
@@ -8,6 +40,13 @@ const hintRegex = /<!--\s*(codex|copilot|claude|qwen|gemini|kimi)\s*:\s*([\s\S]*
  */
 export function transformContentForTarget(input, target, assetType) {
     const normalizedInput = stripBom(input).replace(/\r\n/g, "\n");
+    // Workflow files become user-facing slash commands / reference docs: emit no
+    // provenance marker or model hint (keep them clean) — only adapt the tool
+    // vocabulary for the target.
+    if (assetType === "workflow") {
+        const adapted = applyToolVocabulary(normalizedInput.trimStart(), target);
+        return adapted.endsWith("\n") ? adapted : `${adapted}\n`;
+    }
     const parsedHints = [];
     const foundHints = new Set();
     const cleaned = normalizedInput.replace(hintRegex, (_match, model, payload) => {

package/dist/index.js

@@ -9,7 +9,7 @@ import { listDomains, resolveDomainSourceRoot, normalizeDomain, resolveDomainAwa
 import { runDoctor } from "./doctor.js";
 import { runInstall, runUninstall } from "./installer.js";
 import { error, info, success, warn } from "./logger.js";
-import { setupMcp } from "./mcp_setup.js";
+import { setupMcp, teardownMcp } from "./mcp_setup.js";
 import { getPlatformAdapters } from "./platforms/adapters.js";
 import { resolveSourceRoot } from "./sourceResolver.js";
 import { printBanner } from "./banner.js";
@@ -42,7 +42,7 @@ const WIZARD_TEXT = {
         doctorFailed: "Doctor checks failed. Fix issues and run again.",
         dryRunMode: "Preview mode selected (no file writes).",
         previewCompleted: "Preview completed.",
-        mempalaceUsePrompt: "Use MemPalace for long-term decision memory? Recommended — installer will install MemPalace (via uv/pipx/pip) and register it in .mcp.json.",
+        mempalaceUsePrompt: "Use MemPalace for long-term decision memory? Recommended — installer will install MemPalace (via uv/pipx/pip) and register it in your global (user-scope) MCP config.",
         mempalaceSetupHeader: "MCP auto-setup for Claude Code:",
     },
     ru: {
@@ -69,7 +69,7 @@ const WIZARD_TEXT = {
         doctorFailed: "Doctor не пройден. Исправь ошибки и запусти снова.",
         dryRunMode: "Выбран preview-режим без записи файлов.",
         previewCompleted: "Preview completed.",
-        mempalaceUsePrompt: "Использовать MemPalace для долгосрочной памяти решений? (рекомендуется — установщик поставит MemPalace через uv/pipx/pip и зарегистрирует в .mcp.json)",
+        mempalaceUsePrompt: "Использовать MemPalace для долгосрочной памяти решений? (рекомендуется — установщик поставит MemPalace через uv/pipx/pip и зарегистрирует в глобальном (user-scope) MCP-конфиге)",
         mempalaceSetupHeader: "Авто-настройка MCP для Claude Code:",
     },
 };
@@ -228,7 +228,7 @@ program
             });
             for (const notice of report.notices)
                 info(`  ${notice}`);
-            info(`  .mcp.json: ${report.mcpJsonAction} at ${report.mcpJsonPath}`);
+            info(`  MCP (${report.registration}): registered [${report.serversRegistered.join(", ") || "—"}], already present [${report.serversAlreadyPresent.join(", ") || "—"}]`);
             info(`  .code-ai/config.json: written at ${report.configPath} (decision_store=${report.mempalaceUsed ? "mempalace" : "jsonl"})`);
         }
         if (dryRun) {
@@ -262,6 +262,11 @@ program
         const result = await runUninstall(destinationDir, target, dryRun, domainId);
         info(`Files removed/planned: ${result.removed.length}`);
         info(`Files missing: ${result.missing.length}`);
+        if (target === "claude") {
+            const teardown = await teardownMcp({ dryRun });
+            for (const notice of teardown.notices)
+                info(`  ${notice}`);
+        }
         if (dryRun) {
             success("Uninstall dry-run completed.");
         }
@@ -489,7 +494,7 @@ async function runInteractiveWizard() {
             });
             for (const notice of report.notices)
                 info(`  ${notice}`);
-            info(`  .mcp.json: ${report.mcpJsonAction} at ${report.mcpJsonPath}`);
+            info(`  MCP (${report.registration}): registered [${report.serversRegistered.join(", ") || "—"}], already present [${report.serversAlreadyPresent.join(", ") || "—"}]`);
             info(`  .code-ai/config.json: written at ${report.configPath} (decision_store=${report.mempalaceUsed ? "mempalace" : "jsonl"})`);
         }
         success("Install completed.");

package/dist/mcp/cli.js

@@ -27,15 +27,15 @@ const TOOL_DESCRIPTIONS = {
     load_role: "Load an agent role: frontmatter, body, merged persona, and the role's skill list. Use at SessionStart for an agent.",
     list_skills: "List skills in a domain. Optional filters: type, gate, tech, topic, owner.",
     get_skill: "Fetch a skill's frontmatter + body by name. Pass task_id (+ optional gate) to log the fetch as a skill invocation for Auditor telemetry; omit for plain lookups.",
-    request_decision: "Open a pending decision envelope. Returns a synthetic ADR-PENDING id; Claude relays the question to DEN in chat, then commits the answer via record_decision.",
+    request_decision: "Open a pending decision envelope. Returns a synthetic ADR-PENDING id; Claude relays the question to the user in chat, then commits the answer via record_decision.",
     record_decision: "Commit a chosen decision: writes ADR file, decision log entry, and KG triple. Resets the circuit breaker on new ARCH ADR.",
     classify_gate: "Record the current gate's classification (auto_resolve / fork / exception) with a rationale.",
     advance_gate: "Advance task from from_gate to to_gate after sign-off. Enforces gate sequence; trips the circuit breaker on dev_rollback_count threshold.",
     current_gate: "Return the task's current gate, allowed tools, and required handoff fields. Auto-creates task state on first touch.",
-    sign_off: "Record a sign-off event for the current gate. Validates signer against the gate's sign_off_policy (den / mcp_auto_pass / either).",
+    sign_off: "Record a sign-off event for the current gate. Validates signer against the gate's sign_off_policy (user / mcp_auto_pass / either).",
     submit_artifact: "Write an artifact (skill / role / ADR / handoff / diary / working_report / plan / spec). Enforces line caps + frontmatter validation + path safety.",
     verify_claim: "Verify a code-checkable claim. Wired: owners_present, no_orphan_skills, vocab_valid. Pending Phase 2: tests_pass, build_succeeds, lint_clean, custom.",
-    report_exception: "Append an exception record for DEN review (gate failed, breakdown of errors, optional evidence).",
+    report_exception: "Append an exception record for the user review (gate failed, breakdown of errors, optional evidence).",
     get_artifact: "Fetch a previously-submitted artifact by (task_id, gate). format: raw or summary.",
     list_artifacts: "List artifacts indexed for a task.",
     audit_trail: "Reconstruct the timeline of events for a task: classifications, sign-offs, decisions, artifacts, exceptions. Sorted by timestamp.",
@@ -47,7 +47,7 @@ const TOOL_DESCRIPTIONS = {
     aggregate_run_metrics: "Aggregate completed-run scorecards from the local audit ledger (.code-ai/state/audit/runs.jsonl) into deterministic per-agent (gate→role), per-workflow (mode), and per-skill (invocation frequency) statistics. min_runs (default 3) guards small samples. Read-only; the Auditor's data foundation — numbers only, no judgment.",
     propose_change: "Record an Auditor proposal (a draft change to an agent/skill) as a pending entry in the local proposal store (.code-ai/state/audit/proposals.jsonl). Carries change_kind (edit_minor/add_asset/destructive → risk tier), rationale, evidence, threshold_met, and the inline draft. Pure surfacing — writes nothing to the asset; inert until approved/applied (item 4b).",
     list_proposals: "List stored Auditor proposals, newest first, with optional filters (status / risk / domain). Read-only.",
-    review_proposal: "Authorize a proposal status transition (approve/reject a pending one; mark an approved one applied) and get a mandatory report. Enforces the autonomy matrix + .code-ai/config.json approval gate: decided_by='auditor_auto' may approve only low/additive AND only when the gate is OFF; destructive (high) and gate-ON always require den. Auto-adding a new skill also runs an additive-dedup guard — if it overlaps an existing skill it is routed to den, not auto-added. Authorization only — the byte write into the asset is a separate submit_artifact/edit step (see next_step).",
+    review_proposal: "Authorize a proposal status transition (approve/reject a pending one; mark an approved one applied) and get a mandatory report. Enforces the autonomy matrix + .code-ai/config.json approval gate: decided_by='auditor_auto' may approve only low/additive AND only when the gate is OFF; destructive (high) and gate-ON always require user. Auto-adding a new skill also runs an additive-dedup guard — if it overlaps an existing skill it is routed to user, not auto-added. Authorization only — the byte write into the asset is a separate submit_artifact/edit step (see next_step).",
     run_tests: "[stub] Run the test suite for a target (vitest / pytest).",
     apply_diff: "[stub] Apply a unified diff to a file with safety checks.",
     git_commit: "[stub] Stage and commit changes through a typed contract instead of raw shell.",

package/dist/mcp/scorecard.d.ts

@@ -42,7 +42,7 @@ export declare const GateScore: z.ZodObject<{
     }>;
     signoff_count: z.ZodNumber;
     last_signer: z.ZodNullable<z.ZodEnum<{
-        den: "den";
+        user: "user";
         mcp: "mcp";
         system: "system";
     }>>;
@@ -99,7 +99,7 @@ export declare const RunScorecard: z.ZodObject<{
         }>;
         signoff_count: z.ZodNumber;
         last_signer: z.ZodNullable<z.ZodEnum<{
-            den: "den";
+            user: "user";
             mcp: "mcp";
             system: "system";
         }>>;

package/dist/mcp/task_state.d.ts

@@ -35,7 +35,7 @@ export declare const GateSignoff: z.ZodObject<{
         TECH_LEAD: "TECH_LEAD";
     }>;
     signer: z.ZodEnum<{
-        den: "den";
+        user: "user";
         mcp: "mcp";
         system: "system";
     }>;
@@ -137,7 +137,7 @@ export declare const TaskState: z.ZodObject<{
             TECH_LEAD: "TECH_LEAD";
         }>;
         signer: z.ZodEnum<{
-            den: "den";
+            user: "user";
             mcp: "mcp";
             system: "system";
         }>;

package/dist/mcp/tools/advance_gate.js

@@ -54,7 +54,7 @@ export async function advanceGate(input) {
                 `  2) Read skills: ${skills}`,
                 `  3) Produce architect audit (root-cause analysis, not patch attempt).`,
                 `  4) record_decision(task_id="${input.task_id}", gate="ARCH", ...) — new ARCH ADR resets dev_rollback_count to 0 via reset_on=new_arch_adr.`,
-                `  5) After reset, re-run sign_off("DEV", "den") + advance_gate(DEV → ${input.from_gate}).`,
+                `  5) After reset, re-run sign_off("DEV", "user") + advance_gate(DEV → ${input.from_gate}).`,
             ].join("\n"));
         }
         state.dev_rollback_count = nextCount;

package/dist/mcp/tools/classify_gate.d.ts

@@ -5,8 +5,8 @@ import { type ClassifyGateInput, type ClassifyGateOutput } from "../../shared/in
  *
  * Outcomes map to next_required_action:
  *   auto_resolve → produce_artifact (silent path)
- *   fork         → open_request_decision (DEN must choose)
- *   exception    → open_report_exception (auto-check failed; needs DEN review)
+ *   fork         → open_request_decision (the user must choose)
+ *   exception    → open_report_exception (auto-check failed; needs the user review)
  *
  * No-op-safe if called multiple times for the same gate — each call appends
  * a new classification entry. latestClassification() returns the most recent.

package/dist/mcp/tools/classify_gate.js

@@ -7,8 +7,8 @@ import { resolveActiveDomain } from "../config.js";
  *
  * Outcomes map to next_required_action:
  *   auto_resolve → produce_artifact (silent path)
- *   fork         → open_request_decision (DEN must choose)
- *   exception    → open_report_exception (auto-check failed; needs DEN review)
+ *   fork         → open_request_decision (the user must choose)
+ *   exception    → open_report_exception (auto-check failed; needs the user review)
  *
  * No-op-safe if called multiple times for the same gate — each call appends
  * a new classification entry. latestClassification() returns the most recent.

package/dist/mcp/tools/load_role.d.ts

@@ -6,8 +6,8 @@ import { type LoadRoleInput, type LoadRoleOutput } from "../../shared/index.js";
  * `domains/<domain>/persona/persona-base.md` (resolved per active domain via
  * resolvePersonaBase); absent file degrades gracefully to no base layer.
  *
- * User-layer persona is currently always absent (persona-user-denis.md is
- * gitignored and not loaded by name match). Future versions read the user
+ * User-layer persona is currently always absent (the gitignored user-layer
+ * persona file is not loaded by name match). Future versions read the user
  * handle from env or config.
  */
 export declare function loadRole(input: LoadRoleInput): Promise<LoadRoleOutput>;

package/dist/mcp/tools/load_role.js

@@ -10,8 +10,8 @@ import { listSkills } from "./list_skills.js";
  * `domains/<domain>/persona/persona-base.md` (resolved per active domain via
  * resolvePersonaBase); absent file degrades gracefully to no base layer.
  *
- * User-layer persona is currently always absent (persona-user-denis.md is
- * gitignored and not loaded by name match). Future versions read the user
+ * User-layer persona is currently always absent (the gitignored user-layer
+ * persona file is not loaded by name match). Future versions read the user
  * handle from env or config.
  */
 export async function loadRole(input) {

package/dist/mcp/tools/report_exception.d.ts

@@ -3,9 +3,9 @@ import type { ReportExceptionInput, ReportExceptionOutput } from "../../shared/i
  * The exception channel of the silent-by-default pipeline. When an auto-check
  * fails (vocab violation, missing artifact, line cap breach, drift...), the
  * caller surfaces it here. We append a structured entry to
- * .code-ai/state/exceptions.jsonl and tell the caller it was surfaced to DEN.
+ * .code-ai/state/exceptions.jsonl and tell the caller it was surfaced to the user.
  *
- * For v1 every exception surfaces to "den". The hook layer is responsible for
- * waking DEN (toast / push) — MCP only records.
+ * For v1 every exception surfaces to "user". The hook layer is responsible for
+ * waking the user (toast / push) — MCP only records.
  */
 export declare function reportException(input: ReportExceptionInput): Promise<ReportExceptionOutput>;

package/dist/mcp/tools/report_exception.js

@@ -4,10 +4,10 @@ import { join } from "node:path";
  * The exception channel of the silent-by-default pipeline. When an auto-check
  * fails (vocab violation, missing artifact, line cap breach, drift...), the
  * caller surfaces it here. We append a structured entry to
- * .code-ai/state/exceptions.jsonl and tell the caller it was surfaced to DEN.
+ * .code-ai/state/exceptions.jsonl and tell the caller it was surfaced to the user.
  *
- * For v1 every exception surfaces to "den". The hook layer is responsible for
- * waking DEN (toast / push) — MCP only records.
+ * For v1 every exception surfaces to "user". The hook layer is responsible for
+ * waking the user (toast / push) — MCP only records.
  */
 export async function reportException(input) {
     const stateDir = join(process.cwd(), ".code-ai", "state");
@@ -26,6 +26,6 @@ export async function reportException(input) {
     await appendFile(path, JSON.stringify(entry) + "\n", "utf8");
     return {
         exception_id: exceptionId,
-        surfaced_to: "den",
+        surfaced_to: "user",
     };
 }

package/dist/mcp/tools/request_decision.d.ts

@@ -7,8 +7,8 @@ import { recordDecision } from "./record_decision.js";
  * two parts:
  *   1. Caller invokes request_decision with question + options. The tool
  *      validates input but does NOT record an ADR yet. It returns a structured
- *      "pending" envelope that Claude (the LLM) relays to DEN in chat.
- *   2. After DEN replies in chat, Claude calls record_decision with the chosen
+ *      "pending" envelope that Claude (the LLM) relays to the user in chat.
+ *   2. After the user replies in chat, Claude calls record_decision with the chosen
  *      option_id + rationale, which writes the ADR atomically (3 places).
  *
  * The returned object satisfies the RequestDecisionOutput contract by emitting
@@ -23,7 +23,7 @@ import { recordDecision } from "./record_decision.js";
 export declare function requestDecision(input: RequestDecisionInput): Promise<RequestDecisionOutput>;
 /**
  * Convenience: convert request_decision output into a record_decision input
- * once Claude has surfaced the question to DEN and received an answer.
+ * once Claude has surfaced the question to the user and received an answer.
  * Not part of the MCP surface — use as a helper from the LLM relay flow.
  */
 export declare function commitRequestedDecision(args: {

package/dist/mcp/tools/request_decision.js

@@ -6,8 +6,8 @@ import { recordDecision } from "./record_decision.js";
  * two parts:
  *   1. Caller invokes request_decision with question + options. The tool
  *      validates input but does NOT record an ADR yet. It returns a structured
- *      "pending" envelope that Claude (the LLM) relays to DEN in chat.
- *   2. After DEN replies in chat, Claude calls record_decision with the chosen
+ *      "pending" envelope that Claude (the LLM) relays to the user in chat.
+ *   2. After the user replies in chat, Claude calls record_decision with the chosen
  *      option_id + rationale, which writes the ADR atomically (3 places).
  *
  * The returned object satisfies the RequestDecisionOutput contract by emitting
@@ -24,14 +24,14 @@ export async function requestDecision(input) {
     const safeTask = input.task_id.toUpperCase().replace(/[^A-Z0-9-]/g, "");
     return {
         chosen_option_id: "__pending__",
-        signer: "den",
+        signer: "user",
         adr_id: `ADR-PENDING-${safeTask}-${input.gate}-${hash}`,
         timestamp: new Date().toISOString(),
     };
 }
 /**
  * Convenience: convert request_decision output into a record_decision input
- * once Claude has surfaced the question to DEN and received an answer.
+ * once Claude has surfaced the question to the user and received an answer.
  * Not part of the MCP surface — use as a helper from the LLM relay flow.
  */
 export async function commitRequestedDecision(args) {
@@ -42,7 +42,7 @@ export async function commitRequestedDecision(args) {
         options: args.input.options,
         chosen_option_id: args.chosen_option_id,
         rationale: args.rationale,
-        signer: "den",
+        signer: "user",
     });
 }
 function simpleHash(s) {

package/dist/mcp/tools/review_proposal.d.ts

@@ -12,6 +12,6 @@ import { type ReviewProposalInput, type ReviewProposalOutput } from "../../share
  *   applied  approved → applied    (bookkeeping marker after the caller wrote the asset)
  *
  * Matrix (ADR-DEV-122): auditor_auto may approve only low/additive AND only when the approval
- * gate is OFF; destructive (high) and gate-ON always require den. den may always act.
+ * gate is OFF; destructive (high) and gate-ON always require user. user may always act.
  */
 export declare function reviewProposal(input: ReviewProposalInput): Promise<ReviewProposalOutput>;

package/dist/mcp/tools/review_proposal.js

@@ -14,7 +14,7 @@ import { readDomainSkillMeta, findOverlaps } from "../proposal_dedup.js";
  *   applied  approved → applied    (bookkeeping marker after the caller wrote the asset)
  *
  * Matrix (ADR-DEV-122): auditor_auto may approve only low/additive AND only when the approval
- * gate is OFF; destructive (high) and gate-ON always require den. den may always act.
+ * gate is OFF; destructive (high) and gate-ON always require user. user may always act.
  */
 export async function reviewProposal(input) {
     const proposals = await readProposals();
@@ -38,13 +38,13 @@ export async function reviewProposal(input) {
     if (input.decision === "approve" && input.decided_by === "auditor_auto") {
         const cfg = await loadCodeAiConfig();
         if (cfg.auditor.approval_gate) {
-            throw new Error(`review_proposal: approval gate is ON — '${input.id}' requires den approval, not auditor_auto`);
+            throw new Error(`review_proposal: approval gate is ON — '${input.id}' requires user approval, not auditor_auto`);
         }
         if (p.risk === "high") {
-            throw new Error(`review_proposal: '${input.id}' is high-risk (destructive) — always requires den, even in autonomy`);
+            throw new Error(`review_proposal: '${input.id}' is high-risk (destructive) — always requires user, even in autonomy`);
         }
         // Additive-dedup guard (ADR-DEV-125): before auto-adding a NEW skill, block silent
-        // library bloat — if it overlaps an existing skill, route to den instead of auto-adding.
+        // library bloat — if it overlaps an existing skill, route to user instead of auto-adding.
         if (p.change_kind === "add_asset" && p.target.asset === "skill") {
             const skills = await readDomainSkillMeta(p.target.domain);
             const overlaps = findOverlaps({
@@ -56,7 +56,7 @@ export async function reviewProposal(input) {
                 const summary = overlaps
                     .map((o) => `${o.skill} (${o.reasons.join("; ")})`)
                     .join("; ");
-                throw new Error(`review_proposal: '${input.id}' may duplicate existing skill(s) [${summary}] — additive-dedup guard routes it to den, not auto-add`);
+                throw new Error(`review_proposal: '${input.id}' may duplicate existing skill(s) [${summary}] — additive-dedup guard routes it to user, not auto-add`);
             }
         }
     }
@@ -84,7 +84,7 @@ export async function reviewProposal(input) {
 }
 /** Mandatory report — every decision (especially autonomous) returns a plain-language next step. */
 function buildNextStep(status, target, draft, decided_by, change_kind) {
-    const who = decided_by === "auditor_auto" ? "Auditor (autonomous)" : "den";
+    const who = decided_by === "auditor_auto" ? "Auditor (autonomous)" : "user";
     const asset = `${target.asset} '${target.name}' in domain '${target.domain}'`;
     if (status === "approved") {
         const bloatNote = decided_by === "auditor_auto" && change_kind === "add_asset"

package/dist/mcp/tools/sign_off.d.ts

@@ -3,9 +3,9 @@ import { type SignOffInput, type SignOffOutput } from "../../shared/index.js";
  * Records a sign-off event for the task's current gate. Validates that:
  *   1. Task exists and is at the named gate.
  *   2. Signer matches sign_off_policy:
- *        sign_off_policy=den            → signer must be "den"
+ *        sign_off_policy=user            → signer must be "user"
  *        sign_off_policy=mcp_auto_pass  → signer must be "mcp"
- *        sign_off_policy=either         → signer must be "den" or "mcp"
+ *        sign_off_policy=either         → signer must be "user" or "mcp"
  *   3. Gate has a classification recorded if classify_required=true.
  *
  * Does NOT advance the gate — that's advance_gate's job. sign_off only

package/dist/mcp/tools/sign_off.js

@@ -6,9 +6,9 @@ import { resolveActiveDomain } from "../config.js";
  * Records a sign-off event for the task's current gate. Validates that:
  *   1. Task exists and is at the named gate.
  *   2. Signer matches sign_off_policy:
- *        sign_off_policy=den            → signer must be "den"
+ *        sign_off_policy=user            → signer must be "user"
  *        sign_off_policy=mcp_auto_pass  → signer must be "mcp"
- *        sign_off_policy=either         → signer must be "den" or "mcp"
+ *        sign_off_policy=either         → signer must be "user" or "mcp"
  *   3. Gate has a classification recorded if classify_required=true.
  *
  * Does NOT advance the gate — that's advance_gate's job. sign_off only
@@ -25,9 +25,9 @@ export async function signOff(input) {
     }
     const gateCfg = getGateConfig(pipeline, state.mode, input.gate);
     switch (gateCfg.sign_off_policy) {
-        case "den":
-            if (input.signer !== "den") {
-                throw new Error(`sign_off: gate ${input.gate} requires signer 'den' (policy=den), got '${input.signer}'`);
+        case "user":
+            if (input.signer !== "user") {
+                throw new Error(`sign_off: gate ${input.gate} requires signer 'user' (policy=user), got '${input.signer}'`);
             }
             break;
         case "mcp_auto_pass":
@@ -36,8 +36,8 @@ export async function signOff(input) {
             }
             break;
         case "either":
-            if (input.signer !== "den" && input.signer !== "mcp") {
-                throw new Error(`sign_off: gate ${input.gate} requires signer 'den' or 'mcp' (policy=either), got '${input.signer}'`);
+            if (input.signer !== "user" && input.signer !== "mcp") {
+                throw new Error(`sign_off: gate ${input.gate} requires signer 'user' or 'mcp' (policy=either), got '${input.signer}'`);
             }
             break;
     }

package/dist/mcp/tools/verify_claim.d.ts

@@ -2,7 +2,7 @@ import { type VerifyClaimInput, type VerifyClaimOutput } from "../../shared/inde
 /**
  * Code-verifiable claims. Per the silent-by-default contract, every claim a
  * gate makes ("tests pass", "no orphan skills", "vocab clean") should be
- * verifiable by a deterministic check — not by DEN reading the report.
+ * verifiable by a deterministic check — not by the user reading the report.
  *
  * v1 implements three corpus-level checks against the installed development
  * domain on disk:

package/dist/mcp/tools/verify_claim.js

@@ -9,7 +9,7 @@ import { build } from "./build.js";
 /**
  * Code-verifiable claims. Per the silent-by-default contract, every claim a
  * gate makes ("tests pass", "no orphan skills", "vocab clean") should be
- * verifiable by a deterministic check — not by DEN reading the report.
+ * verifiable by a deterministic check — not by the user reading the report.
  *
  * v1 implements three corpus-level checks against the installed development
  * domain on disk: