code-ai-installer 4.1.0 → 4.3.1

package/README.md

@@ -157,8 +157,11 @@ Depending on `--target`, `code-ai` restructures your project:
 
 ## 🧬 Versions & migration
 
-`code-ai-installer` is on **v4.0.0**.
+`code-ai-installer` is on **v4.3.1**.
 
+- **v4.3.1** — the `code-ai-mcp` registration is now **pinned** to the installed version (`npx -p code-ai-installer@<version>`) and re-pinned on every reinstall, so an updated server actually takes effect instead of an unpinned `npx` silently reusing a stale global/cache copy. The server also logs `code-ai-mcp v<version> · domain=<domain>` to stderr at startup, so the live build is visible in Claude's MCP logs.
+- **v4.3.0** — `render_diff` MCP tool (unified diff → a standalone HTML review page); MCP gate-flow + stop-at-user-gate sections added to the content / analytics / product conductors; Auditor trigger — a `/audit` command plus a Release-Gate nudge that surfaces after every 3rd completed run (development pilot).
+- **v4.1.0** — MCP servers now register in your **global (user-scope)** config via a direct, idempotent `~/.claude.json` merge (no dependency on the `claude` CLI); the conductor halts at each user gate — one at a time, no batching, no auto-pass on green.
 - **v4.0.0** — consolidated the previously separate `code-ai-mcp` and types packages into this single package with **two bins** (`code-ai` + `code-ai-mcp`). Installing the CLI now also delivers the MCP server; for Claude it is auto-registered in your global (user-scope) MCP config. Existing 3.x CLI behavior is unchanged.
 - **v3.0.0 (breaking)** — removed the legacy flat root layout (`AGENTS.md` + `agents/` + `.agents/` at package root); the CLI now reads exclusively from `domains/<id>/`. **Migrating from v2.x:** add `--domain <development|content|analytics|product>` to every CLI call. If you used a custom `--project-dir`, restructure it to `domains/<id>/` instead of a flat layout.
 

package/dist/index.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-import { createRequire } from "node:module";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import prompts from "prompts";
@@ -13,10 +12,9 @@ import { setupMcp, teardownMcp } from "./mcp_setup.js";
 import { getPlatformAdapters } from "./platforms/adapters.js";
 import { resolveSourceRoot } from "./sourceResolver.js";
 import { printBanner } from "./banner.js";
+import { readInstallerVersion } from "./version.js";
 const program = new Command();
 const packageRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
-const requireJson = createRequire(import.meta.url);
-const pkg = requireJson("../package.json");
 const WIZARD_TEXT = {
     en: {
         cancelled: "Installation cancelled.",
@@ -76,7 +74,7 @@ const WIZARD_TEXT = {
 program
     .name("code-ai")
     .description("Install code-ai agents and skills for AI coding assistants")
-    .version(pkg.version);
+    .version(readInstallerVersion());
 program
     .command("targets")
     .description("List supported AI targets")
@@ -228,7 +226,7 @@ program
             });
             for (const notice of report.notices)
                 info(`  ${notice}`);
-            info(`  MCP (${report.registration}): registered [${report.serversRegistered.join(", ") || "—"}], already present [${report.serversAlreadyPresent.join(", ") || "—"}]`);
+            info(`  MCP (${report.registration}): registered [${report.serversRegistered.join(", ") || "—"}], re-pinned [${report.serversUpdated.join(", ") || "—"}], already present [${report.serversAlreadyPresent.join(", ") || "—"}]`);
             info(`  .code-ai/config.json: written at ${report.configPath} (decision_store=${report.mempalaceUsed ? "mempalace" : "jsonl"})`);
         }
         if (dryRun) {
@@ -494,7 +492,7 @@ async function runInteractiveWizard() {
             });
             for (const notice of report.notices)
                 info(`  ${notice}`);
-            info(`  MCP (${report.registration}): registered [${report.serversRegistered.join(", ") || "—"}], already present [${report.serversAlreadyPresent.join(", ") || "—"}]`);
+            info(`  MCP (${report.registration}): registered [${report.serversRegistered.join(", ") || "—"}], re-pinned [${report.serversUpdated.join(", ") || "—"}], already present [${report.serversAlreadyPresent.join(", ") || "—"}]`);
             info(`  .code-ai/config.json: written at ${report.configPath} (decision_store=${report.mempalaceUsed ? "mempalace" : "jsonl"})`);
         }
         success("Install completed.");

package/dist/mcp/audit_ledger.d.ts

@@ -10,3 +10,13 @@ export declare function readLedger(): Promise<RunScorecard[]>;
  * break a sign-off (telemetry is never load-bearing for the gate).
  */
 export declare function recordRunScorecard(state: TaskState): Promise<void>;
+/** Number of COMPLETED (RG-signed) runs in the ledger. */
+export declare function countCompletedRuns(): Promise<number>;
+/**
+ * A1 cadence (Variant A1): surface an Auditor nudge on every 3rd completed run
+ * (3, 6, 9, …). Stateless — no last-audit marker — so it re-reminds until the
+ * user runs /audit. Surfacing only; returns undefined when no nudge is due.
+ */
+export declare function auditNudgeFor(completedRuns: number): {
+    runs_total: number;
+} | undefined;

package/dist/mcp/audit_ledger.js

@@ -80,3 +80,18 @@ export async function recordRunScorecard(state) {
     const extras = await readSideCounts(state.task_id);
     await appendScorecard(buildScorecard(state, extras));
 }
+/** Number of COMPLETED (RG-signed) runs in the ledger. */
+export async function countCompletedRuns() {
+    const cards = await readLedger();
+    return cards.filter((c) => c.completed).length;
+}
+/**
+ * A1 cadence (Variant A1): surface an Auditor nudge on every 3rd completed run
+ * (3, 6, 9, …). Stateless — no last-audit marker — so it re-reminds until the
+ * user runs /audit. Surfacing only; returns undefined when no nudge is due.
+ */
+export function auditNudgeFor(completedRuns) {
+    return completedRuns >= 3 && completedRuns % 3 === 0
+        ? { runs_total: completedRuns }
+        : undefined;
+}

package/dist/mcp/cli.d.ts

@@ -11,6 +11,10 @@
  */
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { type ToolName } from "../shared/index.js";
+declare const SERVER_INFO: {
+    name: string;
+    version: string;
+};
 /**
  * One-line description per tool. Not stored in the shared types module (src/shared) because the
  * registry there is pure I/O contracts; descriptions live with the transport
@@ -18,4 +22,4 @@ import { type ToolName } from "../shared/index.js";
  */
 declare const TOOL_DESCRIPTIONS: Record<ToolName, string>;
 declare function buildServer(): McpServer;
-export { buildServer, TOOL_DESCRIPTIONS };
+export { buildServer, TOOL_DESCRIPTIONS, SERVER_INFO };

package/dist/mcp/cli.js

@@ -14,9 +14,11 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { TOOL_REGISTRY } from "../shared/index.js";
 import { CodeAiMcpServer } from "./server.js";
 import { NotImplementedError } from "./tools/stubs.js";
+import { readInstallerVersion } from "../version.js";
+import { resolveActiveDomain } from "./config.js";
 const SERVER_INFO = {
     name: "code-ai-mcp",
-    version: "0.0.0",
+    version: readInstallerVersion(),
 };
 /**
  * One-line description per tool. Not stored in the shared types module (src/shared) because the
@@ -56,6 +58,7 @@ const TOOL_DESCRIPTIONS = {
     dependency_supply_chain: "[stub] Check supply chain (npm audit, Socket integration, license check).",
     docker_compose: "[stub] Run docker compose up/down for a target.",
     e2e_playwright: "[stub] Run Playwright end-to-end suite.",
+    render_diff: "Render a unified diff (e.g. `git diff`) into a colored, per-file, line-numbered HTML review page written to the OS temp dir. Returns the path + a file:// URL the user opens in a browser. Use at the REV gate to present code changes for review. Informational only — the file lives in temp (cleared on reboot), never in the project.",
 };
 function buildServer() {
     const dispatch = new CodeAiMcpServer();
@@ -107,6 +110,11 @@ async function main() {
     const mcp = buildServer();
     const transport = new StdioServerTransport();
     await mcp.connect(transport);
+    // Startup banner to STDERR — never stdout, which carries the JSON-RPC stream.
+    // Makes the live build + active domain visible in Claude's MCP logs, so a
+    // stale-server mismatch is obvious instead of silent.
+    const domain = await resolveActiveDomain();
+    console.error(`code-ai-mcp v${SERVER_INFO.version} · domain=${domain}`);
 }
 // Allow importing buildServer in tests without starting the stdio loop.
 const isDirectRun = (() => {
@@ -124,4 +132,4 @@ if (isDirectRun) {
         process.exit(1);
     });
 }
-export { buildServer, TOOL_DESCRIPTIONS };
+export { buildServer, TOOL_DESCRIPTIONS, SERVER_INFO };

package/dist/mcp/tools/render_diff.d.ts

@@ -0,0 +1,25 @@
+import { type RenderDiffInput, type RenderDiffOutput } from "../../shared/index.js";
+type RowKind = "hunk" | "add" | "del" | "ctx";
+interface DiffRow {
+    kind: RowKind;
+    text: string;
+    o: number | "";
+    n: number | "";
+}
+export interface DiffFile {
+    name: string;
+    added: number;
+    removed: number;
+    rows: DiffRow[];
+}
+/** Parse a unified diff into per-file rows with old/new line numbers. Pure. */
+export declare function parseUnifiedDiff(raw: string): DiffFile[];
+/** Render parsed diff files into a self-contained HTML page. Pure. */
+export declare function renderDiffHtml(diff: string, title: string): {
+    html: string;
+    files: number;
+    added: number;
+    removed: number;
+};
+export declare function renderDiff(input: RenderDiffInput): Promise<RenderDiffOutput>;
+export {};

package/dist/mcp/tools/render_diff.js

@@ -0,0 +1,138 @@
+import { writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { pathToFileURL } from "node:url";
+import { createHash } from "node:crypto";
+/**
+ * render_diff — turn a unified diff into a colored, per-file, line-numbered HTML
+ * review page and write it to the OS temp dir.
+ *
+ * Why a tool (not a loose script): code reviews in the pipeline are presented as
+ * an HTML diff the user opens via a file:// link. Shipping it as an MCP tool keeps
+ * it version-controlled, testable, and reachable wherever the server runs.
+ *
+ * The output is INFORMATIONAL only — it lives in the system temp dir (cleared on
+ * reboot), never in the project, so it pollutes nothing and needs no cleanup.
+ * Self-contained: no deps, no network.
+ */
+const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+/** Parse a unified diff into per-file rows with old/new line numbers. Pure. */
+export function parseUnifiedDiff(raw) {
+    const blocks = raw.split(/^diff --git /m).filter(Boolean);
+    const files = [];
+    for (const b of blocks) {
+        const lines = ("diff --git " + b).split("\n");
+        const header = lines[0];
+        const m = header.match(/a\/(.+?) b\/(.+)$/);
+        const name = m ? m[2] : header;
+        let added = 0;
+        let removed = 0;
+        const rows = [];
+        let oldLn = 0;
+        let newLn = 0;
+        for (const ln of lines) {
+            if (ln.startsWith("diff --git") ||
+                ln.startsWith("index ") ||
+                ln.startsWith("--- ") ||
+                ln.startsWith("+++ "))
+                continue;
+            const hunk = ln.match(/^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+            if (hunk) {
+                oldLn = Number(hunk[1]);
+                newLn = Number(hunk[2]);
+                rows.push({ kind: "hunk", text: ln, o: "", n: "" });
+                continue;
+            }
+            if (ln.startsWith("+")) {
+                added++;
+                rows.push({ kind: "add", text: ln.slice(1), o: "", n: newLn++ });
+            }
+            else if (ln.startsWith("-")) {
+                removed++;
+                rows.push({ kind: "del", text: ln.slice(1), o: oldLn++, n: "" });
+            }
+            else if (ln.startsWith("\\")) {
+                // "" — skip
+            }
+            else {
+                rows.push({ kind: "ctx", text: ln.slice(1), o: oldLn++, n: newLn++ });
+            }
+        }
+        files.push({ name, added, removed, rows });
+    }
+    return files;
+}
+/** Render parsed diff files into a self-contained HTML page. Pure. */
+export function renderDiffHtml(diff, title) {
+    const files = parseUnifiedDiff(diff);
+    const fileSections = files
+        .map((f, i) => {
+        const rowsHtml = f.rows
+            .map((r) => {
+            if (r.kind === "hunk")
+                return `<tr class="hunk"><td class="ln"></td><td class="ln"></td><td class="code">${esc(r.text)}</td></tr>`;
+            const sign = r.kind === "add" ? "+" : r.kind === "del" ? "-" : " ";
+            return `<tr class="${r.kind}"><td class="ln">${r.o}</td><td class="ln">${r.n}</td><td class="code"><span class="sign">${sign}</span>${esc(r.text)}</td></tr>`;
+        })
+            .join("\n");
+        return `<section id="f${i}">
+  <h2>${esc(f.name)} <span class="stat"><span class="plus">+${f.added}</span> <span class="minus">-${f.removed}</span></span></h2>
+  <table>${rowsHtml}</table>
+</section>`;
+    })
+        .join("\n");
+    const added = files.reduce((s, f) => s + f.added, 0);
+    const removed = files.reduce((s, f) => s + f.removed, 0);
+    const nav = files
+        .map((f, i) => `<a href="#f${i}">${esc(f.name.split("/").pop() ?? f.name)}</a>`)
+        .join("");
+    const html = `<!doctype html><html lang="en"><head><meta charset="utf-8">
+<title>${esc(title)}</title>
+<style>
+  :root { color-scheme: light dark; }
+  body { font: 13px/1.5 ui-monospace, "Cascadia Code", Consolas, monospace; margin: 0; background:#0d1117; color:#c9d1d9; }
+  header { padding: 16px 24px; border-bottom: 1px solid #30363d; position: sticky; top:0; background:#0d1117; }
+  header h1 { font: 600 16px system-ui, sans-serif; margin: 0 0 4px; }
+  header .summary { font: 13px system-ui, sans-serif; color:#8b949e; }
+  .plus { color:#3fb950; } .minus { color:#f85149; }
+  section { margin: 20px 24px; border: 1px solid #30363d; border-radius: 8px; overflow:hidden; }
+  section h2 { font: 600 13px ui-monospace, monospace; margin:0; padding:10px 14px; background:#161b22; border-bottom:1px solid #30363d; }
+  .stat { float:right; font-weight:400; }
+  table { border-collapse: collapse; width:100%; }
+  td { padding: 0 6px; white-space: pre-wrap; word-break: break-word; vertical-align: top; }
+  td.ln { width:1%; text-align:right; color:#6e7681; user-select:none; border-right:1px solid #21262d; padding:0 8px; }
+  td.code { width:100%; }
+  .sign { display:inline-block; width:1ch; color:#6e7681; }
+  tr.add { background: rgba(63,185,80,.15); } tr.add .sign { color:#3fb950; }
+  tr.del { background: rgba(248,81,73,.15); } tr.del .sign { color:#f85149; }
+  tr.hunk td { background:#161b22; color:#8b949e; padding:4px 14px; }
+  nav { padding: 0 24px; font: 13px system-ui, sans-serif; }
+  nav a { color:#58a6ff; text-decoration:none; display:inline-block; margin:2px 12px 2px 0; }
+</style></head><body>
+<header>
+  <h1>${esc(title)}</h1>
+  <div class="summary">${files.length} files · <span class="plus">+${added}</span> <span class="minus">-${removed}</span></div>
+</header>
+<nav>${nav}</nav>
+${fileSections}
+</body></html>`;
+    return { html, files: files.length, added, removed };
+}
+/** Slugify a label for use in a temp filename. */
+function slug(s) {
+    return (s
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 40) || "review");
+}
+export async function renderDiff(input) {
+    const title = input.title ?? "Diff review";
+    const { html, files, added, removed } = renderDiffHtml(input.diff, title);
+    // Content-hashed name → same diff reuses one file; lands in the OS temp dir
+    // (cleared on reboot), never in the project.
+    const hash = createHash("sha1").update(input.diff).digest("hex").slice(0, 8);
+    const path = join(tmpdir(), `code-ai-diff-${slug(input.task_id ?? title)}-${hash}.html`);
+    await writeFile(path, html, "utf8");
+    return { path, file_url: pathToFileURL(path).href, files, added, removed };
+}

package/dist/mcp/tools/sign_off.js

@@ -1,6 +1,6 @@
 import { getGateConfig, loadPipeline } from "../pipeline.js";
 import { readTaskState, writeTaskState } from "../task_state.js";
-import { recordRunScorecard } from "../audit_ledger.js";
+import { recordRunScorecard, countCompletedRuns, auditNudgeFor } from "../audit_ledger.js";
 import { resolveActiveDomain } from "../config.js";
 /**
  * Records a sign-off event for the task's current gate. Validates that:
@@ -27,7 +27,9 @@ export async function signOff(input) {
     switch (gateCfg.sign_off_policy) {
         case "user":
             if (input.signer !== "user") {
-                throw new Error(`sign_off: gate ${input.gate} requires signer 'user' (policy=user), got '${input.signer}'`);
+                throw new Error(`sign_off: gate ${input.gate} requires signer 'user' (policy=user), got '${input.signer}'. ` +
+                    `This is a USER gate — HALT: present the ${input.gate} artifact and request the user's sign_off(signer='user') for THIS gate. ` +
+                    `Do not auto-pass it, do not batch it with other gates, and do not begin any downstream-gate work until it is signed.`);
             }
             break;
         case "mcp_auto_pass":
@@ -56,15 +58,18 @@ export async function signOff(input) {
     });
     await writeTaskState(state);
     // Auditor telemetry: when the terminal gate is signed, the run is complete —
-    // append a scorecard to the local ledger. Best-effort: a ledger failure must
-    // NEVER break a sign-off (telemetry is not load-bearing for the gate).
+    // append a scorecard to the local ledger, then compute the /audit nudge.
+    // Best-effort: a ledger failure (or nudge failure) must NEVER break a
+    // sign-off (telemetry is not load-bearing for the gate).
+    let audit_nudge;
     if (input.gate === "RG") {
         try {
             await recordRunScorecard(state);
+            audit_nudge = auditNudgeFor(await countCompletedRuns());
         }
         catch {
             /* swallow — see contract in audit_ledger.recordRunScorecard */
         }
     }
-    return { signed: true, signer: input.signer, timestamp };
+    return { signed: true, signer: input.signer, timestamp, ...(audit_nudge ? { audit_nudge } : {}) };
 }

package/dist/mcp/tools/stubs.js

@@ -31,6 +31,7 @@ import { reviewProposal } from "./review_proposal.js";
 import { e2ePlaywright } from "./e2e_playwright.js";
 import { dockerCompose } from "./docker_compose.js";
 import { dependencySupplyChain } from "./dependency_supply_chain.js";
+import { renderDiff } from "./render_diff.js";
 /** Thrown by every stub until the real implementation lands. */
 export class NotImplementedError extends Error {
     constructor(tool) {
@@ -83,4 +84,5 @@ export const DEFAULT_HANDLERS = {
     dependency_supply_chain: dependencySupplyChain,
     docker_compose: dockerCompose,
     e2e_playwright: e2ePlaywright,
+    render_diff: renderDiff,
 };

package/dist/mcp_setup.d.ts

@@ -69,6 +69,8 @@ export interface McpSetupReport {
     registration: "user-scope" | "manual-fallback";
     /** Server names freshly added to the user config this run. */
     serversRegistered: string[];
+    /** Installer-owned server names whose entry was refreshed (e.g. re-pinned to a new version). */
+    serversUpdated: string[];
     /** Server names already present in the user config (left untouched). */
     serversAlreadyPresent: string[];
     /** Server names whose registration failed (config unwritable). */
@@ -128,13 +130,16 @@ export declare function userConfigPath(): string;
 export declare function createUserConfigIO(configPath: string): UserConfigIO;
 /**
  * Idempotently merge `servers` into the config's top-level `mcpServers`. Pure —
- * returns a new config object plus which names were freshly added vs already
- * present. An existing key is NEVER overwritten (so a pre-existing global
- * `mempalace` is preserved untouched). Exported for unit testing.
+ * returns a new config object plus which names were added / updated / already
+ * present. A FOREIGN existing key is never overwritten (so a pre-existing global
+ * `mempalace` is preserved). An OWNED server (named in `ownedServers`) whose
+ * entry differs is refreshed in place — that is how a reinstall re-pins
+ * `code-ai-mcp` to the new version. Exported for unit testing.
  */
-export declare function mergeUserScopeServers(config: Record<string, unknown>, servers: Record<string, McpServerEntry>): {
+export declare function mergeUserScopeServers(config: Record<string, unknown>, servers: Record<string, McpServerEntry>, ownedServers?: readonly string[]): {
     config: Record<string, unknown>;
     registered: string[];
+    updated: string[];
     alreadyPresent: string[];
 };
 /**

package/dist/mcp_setup.js

@@ -2,6 +2,7 @@ import { spawn } from "node:child_process";
 import { copyFile, mkdir, readFile, rename, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { join } from "node:path";
+import { readInstallerVersion } from "./version.js";
 /**
  * Try `mempalace-mcp --help` — the dedicated MCP-server bin, which is exactly
  * what we register. Resolves true on exit code 0, false otherwise (including
@@ -120,25 +121,38 @@ function readMcpServers(config) {
 }
 /**
  * Idempotently merge `servers` into the config's top-level `mcpServers`. Pure —
- * returns a new config object plus which names were freshly added vs already
- * present. An existing key is NEVER overwritten (so a pre-existing global
- * `mempalace` is preserved untouched). Exported for unit testing.
+ * returns a new config object plus which names were added / updated / already
+ * present. A FOREIGN existing key is never overwritten (so a pre-existing global
+ * `mempalace` is preserved). An OWNED server (named in `ownedServers`) whose
+ * entry differs is refreshed in place — that is how a reinstall re-pins
+ * `code-ai-mcp` to the new version. Exported for unit testing.
  */
-export function mergeUserScopeServers(config, servers) {
+export function mergeUserScopeServers(config, servers, ownedServers = []) {
     const next = { ...config };
     const mcpServers = readMcpServers(config);
+    const owned = new Set(ownedServers);
     const registered = [];
+    const updated = [];
     const alreadyPresent = [];
     for (const [name, entry] of Object.entries(servers)) {
+        const desired = toUserScopeEntry(entry);
         if (Object.prototype.hasOwnProperty.call(mcpServers, name)) {
-            alreadyPresent.push(name);
+            // Refresh ONLY our own servers (e.g. re-pin to a new version). A foreign
+            // server we also register (mempalace) is never overwritten.
+            if (owned.has(name) && JSON.stringify(mcpServers[name]) !== JSON.stringify(desired)) {
+                mcpServers[name] = desired;
+                updated.push(name);
+            }
+            else {
+                alreadyPresent.push(name);
+            }
             continue;
         }
-        mcpServers[name] = toUserScopeEntry(entry);
+        mcpServers[name] = desired;
         registered.push(name);
     }
     next.mcpServers = mcpServers;
-    return { config: next, registered, alreadyPresent };
+    return { config: next, registered, updated, alreadyPresent };
 }
 /**
  * Idempotently remove `names` from the config's `mcpServers`. Pure — returns a
@@ -184,10 +198,14 @@ function buildServerEntries(mempalaceUsed) {
     // DEV-100 consolidation: the code-ai-mcp bin lives inside the
     // `code-ai-installer` npm package. `npx -p <package> <bin>` tells npm to
     // install that package and run the named bin from it.
+    // Pin to THIS installer's version so the spawned server is explicit and
+    // reproducible. An unpinned `npx` silently runs whatever global/cache copy
+    // exists — that is how a stale, pre-fix server kept running after a reinstall.
+    // A reinstall re-pins this (mergeUserScopeServers refreshes owned servers).
     const servers = {
         "code-ai-mcp": {
             command: "npx",
-            args: ["-y", "-p", "code-ai-installer", "code-ai-mcp"],
+            args: ["-y", "-p", `code-ai-installer@${readInstallerVersion()}`, "code-ai-mcp"],
         },
     };
     if (mempalaceUsed) {
@@ -249,6 +267,7 @@ export async function setupMcp(opts, io = defaultUserConfigIO) {
     }
     const servers = buildServerEntries(mempalaceUsed);
     const serversRegistered = [];
+    const serversUpdated = [];
     const serversAlreadyPresent = [];
     const serversFailed = [];
     let registration;
@@ -268,12 +287,13 @@ export async function setupMcp(opts, io = defaultUserConfigIO) {
                 notices.push(manualEntryLine(name, entry));
         }
         else {
-            const merged = mergeUserScopeServers(read.data, servers);
+            const merged = mergeUserScopeServers(read.data, servers, INSTALLER_OWNED_SERVERS);
             serversAlreadyPresent.push(...merged.alreadyPresent);
             for (const name of merged.alreadyPresent) {
                 notices.push(`MCP server '${name}' already in user config — left untouched.`);
             }
-            if (merged.registered.length === 0) {
+            const changed = [...merged.registered, ...merged.updated];
+            if (changed.length === 0) {
                 registration = "user-scope";
             }
             else {
@@ -281,16 +301,22 @@ export async function setupMcp(opts, io = defaultUserConfigIO) {
                 if (written.ok) {
                     registration = "user-scope";
                     serversRegistered.push(...merged.registered);
-                    notices.push(`Registered MCP server(s) [${merged.registered.join(", ")}] in Claude user config ${io.configPath}` +
+                    serversUpdated.push(...merged.updated);
+                    const parts = [];
+                    if (merged.registered.length)
+                        parts.push(`registered [${merged.registered.join(", ")}]`);
+                    if (merged.updated.length)
+                        parts.push(`re-pinned [${merged.updated.join(", ")}]`);
+                    notices.push(`MCP server(s) ${parts.join(", ")} in Claude user config ${io.configPath}` +
                         (written.backupPath ? ` (backup: ${written.backupPath})` : "") +
                         ". Restart your Claude Code session to load them.");
                 }
                 else {
                     registration = "manual-fallback";
-                    serversFailed.push(...merged.registered);
+                    serversFailed.push(...changed);
                     notices.push(`Failed to write Claude user config at ${io.configPath} (${written.error ?? "unknown error"}). ` +
                         `No changes made — add these entries to its "mcpServers" object by hand:`);
-                    for (const name of merged.registered)
+                    for (const name of changed)
                         notices.push(manualEntryLine(name, servers[name]));
                 }
             }
@@ -308,6 +334,7 @@ export async function setupMcp(opts, io = defaultUserConfigIO) {
         userConfigPath: io.configPath,
         registration,
         serversRegistered,
+        serversUpdated,
         serversAlreadyPresent,
         serversFailed,
         configPath: cfg.path,

package/dist/shared/tools.d.ts

@@ -687,6 +687,10 @@ export declare const SignOffInput: z.ZodObject<{
     }>;
     evidence: z.ZodOptional<z.ZodUnknown>;
 }, z.core.$strip>;
+/** Surfacing-only Auditor reminder, emitted when completed runs hit the A1 cadence (every 3rd). */
+export declare const AuditNudge: z.ZodObject<{
+    runs_total: z.ZodNumber;
+}, z.core.$strip>;
 export declare const SignOffOutput: z.ZodObject<{
     signed: z.ZodLiteral<true>;
     signer: z.ZodEnum<{
@@ -695,6 +699,9 @@ export declare const SignOffOutput: z.ZodObject<{
         system: "system";
     }>;
     timestamp: z.ZodString;
+    audit_nudge: z.ZodOptional<z.ZodObject<{
+        runs_total: z.ZodNumber;
+    }, z.core.$strip>>;
 }, z.core.$strip>;
 export type SignOffInput = z.infer<typeof SignOffInput>;
 export type SignOffOutput = z.infer<typeof SignOffOutput>;
@@ -1578,6 +1585,20 @@ export declare const E2EPlaywrightOutput: z.ZodObject<{
 }, z.core.$strip>;
 export type E2EPlaywrightInput = z.infer<typeof E2EPlaywrightInput>;
 export type E2EPlaywrightOutput = z.infer<typeof E2EPlaywrightOutput>;
+export declare const RenderDiffInput: z.ZodObject<{
+    diff: z.ZodString;
+    title: z.ZodOptional<z.ZodString>;
+    task_id: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export declare const RenderDiffOutput: z.ZodObject<{
+    path: z.ZodString;
+    file_url: z.ZodString;
+    files: z.ZodNumber;
+    added: z.ZodNumber;
+    removed: z.ZodNumber;
+}, z.core.$strip>;
+export type RenderDiffInput = z.infer<typeof RenderDiffInput>;
+export type RenderDiffOutput = z.infer<typeof RenderDiffOutput>;
 export declare const TOOL_REGISTRY: {
     readonly load_role: {
         readonly input: z.ZodObject<{
@@ -2245,6 +2266,9 @@ export declare const TOOL_REGISTRY: {
                 system: "system";
             }>;
             timestamp: z.ZodString;
+            audit_nudge: z.ZodOptional<z.ZodObject<{
+                runs_total: z.ZodNumber;
+            }, z.core.$strip>>;
         }, z.core.$strip>;
     };
     readonly submit_artifact: {
@@ -3017,5 +3041,19 @@ export declare const TOOL_REGISTRY: {
             }, z.core.$strip>>>;
         }, z.core.$strip>;
     };
+    readonly render_diff: {
+        readonly input: z.ZodObject<{
+            diff: z.ZodString;
+            title: z.ZodOptional<z.ZodString>;
+            task_id: z.ZodOptional<z.ZodString>;
+        }, z.core.$strip>;
+        readonly output: z.ZodObject<{
+            path: z.ZodString;
+            file_url: z.ZodString;
+            files: z.ZodNumber;
+            added: z.ZodNumber;
+            removed: z.ZodNumber;
+        }, z.core.$strip>;
+    };
 };
 export type ToolName = keyof typeof TOOL_REGISTRY;

package/dist/shared/tools.js

@@ -159,10 +159,16 @@ export const SignOffInput = z.object({
     /** Evidence — for mcp signer this is the auto_check tool output; for user it's free-form. */
     evidence: z.unknown().optional(),
 });
+/** Surfacing-only Auditor reminder, emitted when completed runs hit the A1 cadence (every 3rd). */
+export const AuditNudge = z.object({
+    runs_total: z.number().int().nonnegative(),
+});
 export const SignOffOutput = z.object({
     signed: z.literal(true),
     signer: Signer,
     timestamp: z.string(),
+    /** Present only when RG is signed AND the run count hits the cadence. Best-effort; never load-bearing. */
+    audit_nudge: AuditNudge.optional(),
 });
 // ─── submit_artifact ─────────────────────────────────────────────────────────
 export const SubmitArtifactInput = z.object({
@@ -598,6 +604,23 @@ export const E2EPlaywrightOutput = z.object({
     failed: z.number().int().nonnegative(),
     failures: z.array(ExceptionItem).default([]),
 });
+export const RenderDiffInput = z.object({
+    /** A unified diff (e.g. the output of `git diff`). */
+    diff: z.string().min(1),
+    /** Heading shown at the top of the review page. */
+    title: z.string().optional(),
+    /** Optional task id — only used to label the output filename. */
+    task_id: TaskId.optional(),
+});
+export const RenderDiffOutput = z.object({
+    /** Absolute path of the written HTML file (in the OS temp dir). */
+    path: z.string(),
+    /** file:// URL the user can open in a browser. */
+    file_url: z.string(),
+    files: z.number().int().nonnegative(),
+    added: z.number().int().nonnegative(),
+    removed: z.number().int().nonnegative(),
+});
 // ════════════════════════════════════════════════════════════════════════════
 // TOOL REGISTRY — name → { input, output } for runtime dispatch
 // ════════════════════════════════════════════════════════════════════════════
@@ -639,4 +662,5 @@ export const TOOL_REGISTRY = {
     },
     docker_compose: { input: DockerComposeInput, output: DockerComposeOutput },
     e2e_playwright: { input: E2EPlaywrightInput, output: E2EPlaywrightOutput },
+    render_diff: { input: RenderDiffInput, output: RenderDiffOutput },
 };