create-byan-agent 2.14.1 → 2.16.1

package/install/GUIDE-INSTALLATION-BYAN-SIMPLE.md

@@ -416,6 +416,46 @@ Claude reconnaît l'agent BYAN et vous pouvez interagir avec lui.
 
 ---
 
+### 🔌 Extensions MCP optionnelles (depuis 2.16.0)
+
+Pendant l'installation, BYAN propose d'activer des MCP servers tiers en plus du serveur byan natif.
+
+**Disponibles aujourd'hui :**
+
+| Extension | Description | Setup |
+|-----------|-------------|-------|
+| `gdrive` | Google Workspace : Docs, Sheets, Slides, Drive, Gmail, Calendar (95+ tools via `google-workspace-mcp`) | Interactif — guide Google Cloud + OAuth flow |
+
+**Sécurité — où vivent les credentials :**
+
+- Aucune credential n'est écrite dans le repo BYAN ni dans `.mcp.json` (source : [CLAIM L1] code de `install/packages/platform-config/lib/mcp-config.js`, fonction `assertNoSecretInEntry`)
+- `~/.google-mcp/credentials.json` (perm 600) — Client OAuth Google
+- `~/.google-mcp/tokens/<account>.json` — Tokens d'accès persistés par compte
+- `BYAN_API_TOKEN` — vit uniquement dans `.env` (gitignored) + `.claude/settings.local.json` (gitignored)
+
+**Si tu skip l'extension à l'install et veux l'activer plus tard**, relance `npx create-byan-agent` ou ajoute manuellement l'entry suivante à `.mcp.json` :
+
+```json
+{
+  "mcpServers": {
+    "gdrive": {
+      "command": "npx",
+      "args": ["-y", "google-workspace-mcp", "serve"]
+    }
+  }
+}
+```
+
+Puis exécute le setup interactif du package :
+
+```bash
+npx -y google-workspace-mcp setup
+npx -y google-workspace-mcp accounts add default
+npx -y google-workspace-mcp status   # vérifier que tout est OK
+```
+
+---
+
 ## 5. Cas d'Usage Typiques
 
 ### 🎯 Cas 1 : Créer un Nouvel Agent

package/install/bin/create-byan-agent-v2.js

@@ -17,6 +17,7 @@ const { launchPhase2Chat, generateDefaultConfig } = require('../lib/phase2-chat'
 const { setupByanWebIntegration, validateByanWebReachability } = require('../lib/byan-web-integration');
 const { setupClaudeNative } = require('../lib/claude-native-setup');
 const { setupCodexNative } = require('../lib/codex-native-setup');
+const { setupMcpExtensions } = require('../lib/mcp-extensions');
 const { setupStagingConsent } = require('../lib/staging-consent');
 const { getLatestVersion, compareVersions } = require('../lib/utils/version-compare');
 
@@ -1491,6 +1492,14 @@ async function install(options = {}) {
     }
   }
 
+  if (needsClaude) {
+    try {
+      await setupMcpExtensions(projectRoot, {});
+    } catch (error) {
+      console.log(chalk.yellow(`  ⚠ MCP extensions setup skipped: ${error.message}`));
+    }
+  }
+
   // Step 8: Create config.yaml
   const configSpinner = ora('Generating configuration...').start();
   

package/install/lib/mcp-extensions/gdrive.js

@@ -0,0 +1,256 @@
+/**
+ * Google Workspace MCP extension (gdrive)
+ *
+ * Wraps the npm package `google-workspace-mcp` (Docs, Sheets, Slides, Drive,
+ * Gmail, Calendar, Forms — 95+ tools). The package ships its own CLI for
+ * interactive credential setup and persists everything under
+ * ~/.google-mcp/ (gitignored by virtue of being in $HOME).
+ *
+ * Our role here is:
+ *   1. Detect if the package is reachable (npx).
+ *   2. Detect if credentials are already on disk.
+ *   3. If not, walk the user through the Google Cloud setup steps with
+ *      direct console links, and delegate the actual OAuth flow to the
+ *      package's `setup` / `accounts add` CLI subcommands.
+ *   4. Provide the .mcp.json entry to register the server.
+ *
+ * No credential ever touches the project tree. The .mcp.json entry only
+ * declares command/args — every secret stays in ~/.google-mcp/.
+ */
+
+'use strict';
+
+const path = require('path');
+const os = require('os');
+const fs = require('fs-extra');
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+const { execSync, spawnSync } = require('child_process');
+
+const PACKAGE_NAME = 'google-workspace-mcp';
+const CONFIG_DIR = path.join(os.homedir(), '.google-mcp');
+const CREDENTIALS_PATH = path.join(CONFIG_DIR, 'credentials.json');
+
+const SETUP_LINKS = [
+  {
+    step: 'Créer un projet Google Cloud',
+    url: 'https://console.cloud.google.com/projectcreate',
+  },
+  {
+    step: 'Activer les APIs (Drive, Docs, Sheets, Slides, Gmail, Calendar, Forms)',
+    url: 'https://console.cloud.google.com/apis/library',
+  },
+  {
+    step: 'Configurer l\'écran de consentement OAuth (External, mode Test)',
+    url: 'https://console.cloud.google.com/apis/credentials/consent',
+  },
+  {
+    step: 'Créer un OAuth Client ID type "Desktop App"',
+    url: 'https://console.cloud.google.com/apis/credentials/oauthclient',
+  },
+];
+
+async function isPackageInstallable() {
+  try {
+    execSync(`npm view ${PACKAGE_NAME} version --silent`, {
+      stdio: ['ignore', 'ignore', 'pipe'],
+      timeout: 30_000,
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function hasCredentials() {
+  return fs.pathExists(CREDENTIALS_PATH);
+}
+
+async function isConfigured() {
+  return hasCredentials();
+}
+
+function buildEntry() {
+  return {
+    command: 'npx',
+    args: ['-y', PACKAGE_NAME, 'serve'],
+  };
+}
+
+async function buildMcpEntry() {
+  return buildEntry();
+}
+
+function printSetupGuide(log) {
+  log();
+  log(chalk.cyan('Étapes Google Cloud (faire dans le navigateur, dans cet ordre) :'));
+  SETUP_LINKS.forEach((s, i) => {
+    log(chalk.gray(`  ${i + 1}. ${s.step}`));
+    log(chalk.gray(`     → ${s.url}`));
+  });
+  log();
+  log(chalk.gray(`  5. Télécharger le JSON OAuth Client (bouton "Download JSON")`));
+  log(chalk.gray(`  6. Renommer ce fichier en : credentials.json`));
+  log(chalk.gray(`  7. Le placer dans : ${CREDENTIALS_PATH}`));
+  log();
+}
+
+async function importCredentialsFromPath(srcPath, log) {
+  const abs = path.resolve(srcPath);
+  if (!(await fs.pathExists(abs))) {
+    throw new Error(`Fichier introuvable : ${abs}`);
+  }
+  let parsed;
+  try {
+    parsed = await fs.readJson(abs);
+  } catch (e) {
+    throw new Error(`JSON invalide : ${e.message}`);
+  }
+  // Sanity check — Google OAuth client JSON has either "installed" or "web"
+  if (!parsed.installed && !parsed.web) {
+    throw new Error(
+      `Format inattendu : ce fichier ne ressemble pas à un OAuth Client Google (clé "installed" ou "web" absente)`
+    );
+  }
+  await fs.ensureDir(CONFIG_DIR);
+  // Tighten dir perms : 700 (owner only). Best-effort on non-POSIX.
+  try {
+    await fs.chmod(CONFIG_DIR, 0o700);
+  } catch {
+    // ignore on platforms where this fails
+  }
+  await fs.writeFile(CREDENTIALS_PATH, JSON.stringify(parsed, null, 2), {
+    mode: 0o600,
+  });
+  log(chalk.green(`  ✓ credentials.json copié vers ${CREDENTIALS_PATH} (perm 600)`));
+}
+
+async function runOAuthFlow(log) {
+  log();
+  log(chalk.cyan('Lancement du flow OAuth Google (le navigateur va s\'ouvrir)'));
+  log(chalk.gray('  Suis les instructions à l\'écran. Ferme la fenêtre quand le flow est terminé.'));
+  log();
+
+  const { accountName } = await inquirer.prompt([
+    {
+      type: 'input',
+      name: 'accountName',
+      message: 'Nom du compte Google (un slug — ex : "perso", "work") :',
+      default: 'default',
+      validate: (v) => /^[a-z0-9_-]+$/i.test(v) || 'Caractères autorisés : a-z, 0-9, _, -',
+    },
+  ]);
+
+  const result = spawnSync('npx', ['-y', PACKAGE_NAME, 'accounts', 'add', accountName], {
+    stdio: 'inherit',
+    timeout: 600_000, // 10 minutes
+  });
+
+  if (result.status !== 0) {
+    throw new Error(`google-workspace-mcp accounts add a échoué (exit ${result.status})`);
+  }
+  log(chalk.green(`  ✓ Compte "${accountName}" ajouté`));
+  return accountName;
+}
+
+async function setup({ quiet } = {}) {
+  const log = quiet ? () => {} : (...a) => console.log(...a);
+
+  if (!(await isPackageInstallable())) {
+    return {
+      configured: false,
+      skipReason: `Le package npm "${PACKAGE_NAME}" n'est pas accessible (réseau / registre indisponible). Réessaie plus tard.`,
+    };
+  }
+
+  if (await hasCredentials()) {
+    log(chalk.gray(`  · credentials.json déjà présent à ${CREDENTIALS_PATH}`));
+    const { reuse } = await inquirer.prompt([
+      {
+        type: 'confirm',
+        name: 'reuse',
+        message: 'Réutiliser la config existante (sans relancer OAuth) ?',
+        default: true,
+      },
+    ]);
+    if (reuse) {
+      return { configured: true, message: 'reused existing credentials' };
+    }
+  } else {
+    printSetupGuide(log);
+
+    const { hasJson } = await inquirer.prompt([
+      {
+        type: 'confirm',
+        name: 'hasJson',
+        message: 'Tu as téléchargé le credentials.json (étapes 1-5) ?',
+        default: false,
+      },
+    ]);
+
+    if (!hasJson) {
+      return {
+        configured: false,
+        skipReason:
+          'Setup interrompu — relance l\'installer une fois le credentials.json téléchargé.',
+      };
+    }
+
+    const { jsonPath } = await inquirer.prompt([
+      {
+        type: 'input',
+        name: 'jsonPath',
+        message: 'Chemin local vers le credentials.json téléchargé :',
+        validate: (v) => v && v.trim().length > 0 || 'Chemin requis',
+      },
+    ]);
+
+    try {
+      await importCredentialsFromPath(jsonPath.trim(), log);
+    } catch (err) {
+      return { configured: false, skipReason: `Import des credentials échoué : ${err.message}` };
+    }
+  }
+
+  const { runAuth } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'runAuth',
+      message: 'Lancer le flow OAuth maintenant (ouvre le navigateur) ?',
+      default: true,
+    },
+  ]);
+
+  if (!runAuth) {
+    return {
+      configured: true,
+      message:
+        'credentials importés ; lance le flow OAuth plus tard via : npx -y google-workspace-mcp accounts add <name>',
+    };
+  }
+
+  try {
+    const account = await runOAuthFlow(log);
+    return { configured: true, message: `compte "${account}" authentifié` };
+  } catch (err) {
+    return {
+      configured: false,
+      skipReason:
+        `OAuth a échoué : ${err.message}. Relance manuellement : npx -y ${PACKAGE_NAME} accounts add <name>`,
+    };
+  }
+}
+
+module.exports = {
+  id: 'gdrive',
+  name: 'Google Workspace (Docs / Sheets / Slides / Drive / Gmail / Calendar)',
+  description: '95+ tools via google-workspace-mcp, OAuth2, creds in ~/.google-mcp/',
+  isConfigured,
+  setup,
+  buildMcpEntry,
+  // exposed for tests
+  buildEntry,
+  CONFIG_DIR,
+  CREDENTIALS_PATH,
+  PACKAGE_NAME,
+};

package/install/lib/mcp-extensions/index.js

@@ -0,0 +1,147 @@
+/**
+ * MCP Extensions Registry — discovers and orchestrates third-party MCP
+ * server integrations (Google Workspace, etc.) during yanstaller install.
+ *
+ * Each extension is a module under this directory exposing the contract:
+ *
+ *   {
+ *     id          : string                       // unique slug (becomes mcpServers key)
+ *     name        : string                       // human-readable name
+ *     description : string                       // shown to user during prompt
+ *     async isConfigured(): Promise<boolean>     // already set up on this machine?
+ *     async setup(options): Promise<{
+ *       configured: boolean,
+ *       message:    string,
+ *       skipReason?: string,
+ *     }>                                          // interactive: walks the user
+ *                                                 // through credential setup
+ *     async buildMcpEntry(): Promise<object>     // returns the entry to write
+ *                                                 // into mcpServers.<id>
+ *   }
+ *
+ * The registry walks the list, prompts the user for each, runs setup if
+ * accepted, and writes the resulting MCP entry into .mcp.json via
+ * addMcpEntry (which refuses any entry containing a value that looks like
+ * a secret — see mcp-config.js).
+ *
+ * No secret value is ever stored by this module. Per-extension credential
+ * persistence is the extension's responsibility (typically under ~/.config/
+ * or ~/.<package>/, never inside the project).
+ */
+
+'use strict';
+
+const path = require('path');
+const fs = require('fs-extra');
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+
+const {
+  mcpConfig: { addMcpEntry },
+} = require('byan-platform-config');
+
+const gdrive = require('./gdrive');
+
+const EXTENSIONS = [gdrive];
+
+function listExtensions() {
+  return EXTENSIONS.map((ext) => ({
+    id: ext.id,
+    name: ext.name,
+    description: ext.description,
+  }));
+}
+
+function getExtension(id) {
+  return EXTENSIONS.find((ext) => ext.id === id) || null;
+}
+
+/**
+ * Walk every registered extension and offer it to the user. For each
+ * extension the user accepts, run its setup flow, then register the
+ * resulting MCP entry in .mcp.json.
+ *
+ * @param {string} projectRoot
+ * @param {{
+ *   skipPrompts?: boolean,
+ *   presetSelections?: Record<string, boolean>,  // { gdrive: true }
+ *   quiet?: boolean,
+ * }} options
+ * @returns {Promise<Array<{ id: string, configured: boolean, message: string }>>}
+ */
+async function setupMcpExtensions(projectRoot, options = {}) {
+  const log = options.quiet ? () => {} : (...a) => console.log(...a);
+  const results = [];
+
+  if (EXTENSIONS.length === 0) return results;
+
+  log();
+  log(chalk.cyan('MCP extensions (optional third-party integrations)'));
+
+  for (const ext of EXTENSIONS) {
+    let want;
+    if (options.skipPrompts) {
+      want = options.presetSelections && options.presetSelections[ext.id] === true;
+    } else {
+      const answers = await inquirer.prompt([
+        {
+          type: 'confirm',
+          name: 'enable',
+          message: `${ext.name} — ${ext.description}\n  Activer ?`,
+          default: false,
+        },
+      ]);
+      want = answers.enable === true;
+    }
+
+    if (!want) {
+      log(chalk.gray(`  · ${ext.id}: skipped`));
+      results.push({ id: ext.id, configured: false, message: 'skipped by user' });
+      continue;
+    }
+
+    let setupResult;
+    try {
+      setupResult = await ext.setup({ projectRoot, quiet: options.quiet });
+    } catch (err) {
+      log(chalk.red(`  ✘ ${ext.id} setup failed: ${err.message}`));
+      results.push({ id: ext.id, configured: false, message: `setup error: ${err.message}` });
+      continue;
+    }
+
+    if (!setupResult || setupResult.configured !== true) {
+      const reason = (setupResult && (setupResult.skipReason || setupResult.message)) || 'setup not completed';
+      log(chalk.yellow(`  ⚠ ${ext.id}: ${reason}`));
+      results.push({ id: ext.id, configured: false, message: reason });
+      continue;
+    }
+
+    let entry;
+    try {
+      entry = await ext.buildMcpEntry({ projectRoot });
+    } catch (err) {
+      log(chalk.red(`  ✘ ${ext.id} buildMcpEntry failed: ${err.message}`));
+      results.push({ id: ext.id, configured: false, message: `buildMcpEntry error: ${err.message}` });
+      continue;
+    }
+
+    try {
+      await addMcpEntry(projectRoot, ext.id, entry);
+      log(chalk.green(`  ✓ ${ext.id} registered in .mcp.json`));
+      results.push({ id: ext.id, configured: true, message: 'registered' });
+    } catch (err) {
+      log(chalk.red(`  ✘ ${ext.id} addMcpEntry failed: ${err.message}`));
+      results.push({ id: ext.id, configured: false, message: `addMcpEntry error: ${err.message}` });
+    }
+  }
+
+  return results;
+}
+
+module.exports = {
+  listExtensions,
+  getExtension,
+  setupMcpExtensions,
+  // re-exported for tests / programmatic callers
+  EXTENSIONS,
+};

package/install/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-byan-agent",
-  "version": "2.14.1",
+  "version": "2.16.1",
   "description": "BYAN v2.2.2 - Intelligent AI agent installer with multi-platform native support (GitHub Copilot CLI, Claude Code, Codex/OpenCode)",
   "bin": {
     "create-byan-agent": "bin/create-byan-agent-v2.js"

package/install/packages/platform-config/lib/mcp-config.js

@@ -3,7 +3,21 @@
  *
  * READ-MERGE-WRITE semantics : preserves all existing mcpServers.* entries
  * and, if byan entry already exists, preserves its command/args. Only the
- * env.BYAN_API_URL and env.BYAN_API_TOKEN are authoritative from caller.
+ * env.BYAN_API_URL is authoritative from caller.
+ *
+ * Security: BYAN_API_TOKEN is NEVER written into .mcp.json (which is
+ * checked into git). The token lives exclusively in:
+ *   - .env (gitignored, for shell tools and Codex CLI)
+ *   - .claude/settings.local.json (gitignored, for Claude Code MCP injection)
+ *
+ * Claude Code reads .claude/settings.local.json's "env" block at startup and
+ * injects those vars into every MCP server it spawns. So the token reaches
+ * the byan MCP server via that channel — no need to declare it in .mcp.json.
+ *
+ * The `token` parameter on this module's API is kept for backward-compat
+ * but is intentionally discarded (with a one-line audit trail in the
+ * returned result). Callers that supply a token should instead use
+ * envConfig.updateDotenv + envConfig.updateSettingsLocal.
  */
 
 const path = require('path');
@@ -11,6 +25,7 @@ const fs = require('fs-extra');
 const { stripApiSuffix } = require('./url-utils');
 
 const MCP_SERVER_REL_PATH = '_byan/mcp/byan-mcp-server/server.js';
+const TOKEN_PLACEHOLDER = '${BYAN_API_TOKEN}';
 
 async function readJsonOrEmpty(filePath) {
   if (await fs.pathExists(filePath)) {
@@ -43,11 +58,14 @@ async function readMcpConfig(projectRoot) {
  * Pure merge — no I/O. Returns a new config object with byan entry merged.
  * Useful for migrations that inspect the diff before writing.
  *
+ * BYAN_API_TOKEN is intentionally stripped from env (never written into
+ * .mcp.json). See module header for the rationale and the persistence path.
+ *
  * @param {object} existingConfig — current parsed config (may be {} or {mcpServers:{...}})
- * @param {{ apiUrl: string, token?: string }} opts
+ * @param {{ apiUrl: string, token?: string }} opts — `token` is accepted but discarded
  * @returns {object} new merged config
  */
-function mergeByanEntry(existingConfig, { apiUrl, token } = {}) {
+function mergeByanEntry(existingConfig, { apiUrl } = {}) {
   const cfg = existingConfig && typeof existingConfig === 'object' ? { ...existingConfig } : {};
   cfg.mcpServers = { ...(cfg.mcpServers || {}) };
 
@@ -56,11 +74,7 @@ function mergeByanEntry(existingConfig, { apiUrl, token } = {}) {
 
   const env = { ...(existing.env || {}) };
   env.BYAN_API_URL = cleanUrl;
-  if (token && typeof token === 'string' && token.length > 0) {
-    env.BYAN_API_TOKEN = token;
-  } else {
-    delete env.BYAN_API_TOKEN;
-  }
+  delete env.BYAN_API_TOKEN;
 
   cfg.mcpServers.byan = {
     command: 'node',
@@ -87,9 +101,94 @@ async function ensureMcpConfig(projectRoot, { apiUrl, token } = {}) {
   return { path: filePath };
 }
 
+/**
+ * Adds (or replaces) an arbitrary MCP server entry under mcpServers.<name>.
+ * Used by mcp-extensions to register third-party MCPs (gdrive, etc.) without
+ * touching the byan entry. Other entries are preserved.
+ *
+ * Security guard : refuses to write any value matching common token shapes
+ * directly into .mcp.json. Callers must put secrets in .env / settings.local
+ * and reference env-var names elsewhere.
+ *
+ * @param {string} projectRoot
+ * @param {string} name — server identifier (becomes the mcpServers key)
+ * @param {object} entry — { command, args?, env?, ... }
+ * @returns {Promise<{ path: string }>}
+ */
+async function addMcpEntry(projectRoot, name, entry) {
+  if (!name || typeof name !== 'string') {
+    throw new Error('addMcpEntry: name must be a non-empty string');
+  }
+  if (!entry || typeof entry !== 'object') {
+    throw new Error('addMcpEntry: entry must be an object');
+  }
+  assertNoSecretInEntry(entry);
+
+  const filePath = path.join(projectRoot, '.mcp.json');
+  const current = await readJsonOrEmpty(filePath);
+  const cfg = current && typeof current === 'object' ? { ...current } : {};
+  cfg.mcpServers = { ...(cfg.mcpServers || {}) };
+  cfg.mcpServers[name] = entry;
+  await fs.writeJson(filePath, cfg, { spaces: 2 });
+  return { path: filePath };
+}
+
+/**
+ * Removes an MCP server entry. No-op if the entry does not exist.
+ *
+ * @param {string} projectRoot
+ * @param {string} name
+ * @returns {Promise<{ path: string, removed: boolean }>}
+ */
+async function removeMcpEntry(projectRoot, name) {
+  const filePath = path.join(projectRoot, '.mcp.json');
+  const current = await readJsonOrEmpty(filePath);
+  if (!current || !current.mcpServers || !(name in current.mcpServers)) {
+    return { path: filePath, removed: false };
+  }
+  const cfg = { ...current, mcpServers: { ...current.mcpServers } };
+  delete cfg.mcpServers[name];
+  await fs.writeJson(filePath, cfg, { spaces: 2 });
+  return { path: filePath, removed: true };
+}
+
+const SECRET_SHAPES = [
+  /^byan_[a-f0-9]{20,}$/i,                  // byan tokens
+  /^ghp_[A-Za-z0-9]{30,}$/,                 // GitHub PAT
+  /^gho_[A-Za-z0-9]{30,}$/,                 // GitHub OAuth
+  /^github_pat_[A-Za-z0-9_]{60,}$/,         // GitHub PAT (new format)
+  /^sk-ant-[A-Za-z0-9_-]{20,}$/,            // Anthropic
+  /^sk-proj-[A-Za-z0-9_-]{20,}$/,           // OpenAI project
+  /^AIza[0-9A-Za-z_-]{30,}$/,               // Google API key
+  /^xox[bpao]-[0-9]+-[0-9]+-/,              // Slack
+  /^AKIA[0-9A-Z]{16}$/,                     // AWS
+];
+
+function looksLikeSecret(value) {
+  if (typeof value !== 'string') return false;
+  return SECRET_SHAPES.some((re) => re.test(value));
+}
+
+function assertNoSecretInEntry(entry) {
+  const env = (entry && entry.env) || {};
+  for (const [key, val] of Object.entries(env)) {
+    if (looksLikeSecret(val)) {
+      throw new Error(
+        `addMcpEntry: env.${key} looks like a secret. Refusing to write it into .mcp.json. ` +
+          `Put the value in .env (gitignored) and reference it via .claude/settings.local.json env, ` +
+          `or use \${VAR_NAME} if your MCP client supports env-var expansion.`
+      );
+    }
+  }
+}
+
 module.exports = {
   ensureMcpConfig,
   readMcpConfig,
   mergeByanEntry,
+  addMcpEntry,
+  removeMcpEntry,
+  looksLikeSecret,
   MCP_SERVER_REL_PATH,
+  TOKEN_PLACEHOLDER,
 };

package/install/templates/.claude/agents/bmad-byan.md

@@ -137,7 +137,7 @@ Meta-Agent Creator + Intelligent Interviewer + Brainstorming Expert
 - [PC] Show Project Context and business documentation
 - [MAN] Display 64 Mantras reference guide
 - [FC] Fact-Check — Analyser une assertion, un document ou une chaine de raisonnement
-- [FD] Feature Development — Brainstorm → Prune → Dispatch → Build → Validate (validation a chaque etape)
+- [FD] Feature Development — Discovery → Brainstorm → Prune → Dispatch → Build → Review → Validate → Doc (boucle Refactor si KO)
 - [FORGE] Forger une âme — Interview psychologique profonde pour distiller l'âme du créateur
 - [FP] Forger un persona — Interview court pour créer un profil cognitif réutilisable
 - [PP] Jouer un persona — Immersion avec ancrage identitaire et débrief