create-byan-agent 2.15.0 → 2.17.0

package/CHANGELOG.md

@@ -7,6 +7,84 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [2.17.0] - 2026-05-27
+
+### Added - BYAN Strict Mode shipped to npm + byan_web persistence
+
+Anti-downgrade enforcement now packaged for `npx create-byan-agent` and backed by the byan_web API.
+
+#### Strict Mode distribution
+
+- Mirrored the full strict feature into `install/templates/` so a fresh install ships it: MCP tools (`byan_strict_*`), Claude Code hooks (Stop / PreToolUse / UserPromptSubmit), the `byan-strict` skill, `strict-mode.yaml`, and the generated runtime config.
+- `settings.json` template now registers the three strict hooks.
+- Installer wires the cross-platform pre-commit gate: copies `.githooks/` and sets `core.hooksPath` when the target is a git repo (`claude-native-setup.js`).
+
+#### Server-side persistence (API authority)
+
+- byan_web migration `033-strict-sessions.sql` + `routes/strict-sessions.js` (POST lock/upsert, PATCH verify/complete/abort, GET list + by id), scoped to the API key user with optional project attachment.
+- New `lib/strict-sync.js` isolates network I/O: each local mutation pushes best-effort to the API; `byan_strict_status` and the pre-commit gate consult the API first and fall back to the local mirror when it is unreachable.
+- `.mcp.json` carries `BYAN_API_TOKEN` via env (no secret committed).
+
+---
+
+## [2.16.2] - 2026-05-02
+
+### Added - Electron desktop app v1.0 (Linux + Windows)
+
+Commits ea7abf3 + e905bee. App lives in `app/` as a standalone package (not a workspace of the root); builds and publishes independently of `create-byan-agent`.
+
+#### Core shell and security (F1, F2, F12)
+
+- **F1 app shell** — Electron main process in TypeScript (`app/main/`), compiled to `dist/main/`. Window lifecycle, splash, tray (Linux/Win only).
+- **F2 IPC contract** — Preload bridge via `contextBridge` (`app/preload/`). All renderer-to-Node calls go through typed IPC channels; `nodeIntegration: false`, `contextIsolation: true`, `sandbox: true`.
+- **F12 strict CSP** — Content Security Policy header injected by main process; default-src self, no inline scripts, no eval.
+
+#### Local server lifecycle and renderer (F3, F13)
+
+- **F3 lifecycle** — Main process spawns and supervises the existing `install/src/webui/server.js` local server on a free port; emits `server-ready` IPC event to renderer.
+- **F13 dev hot reload** — `npm run dev` runs renderer (Vite dev server, port 5173), main watcher (`tsc -w`), and preload watcher concurrently via `concurrently`; `BYAN_DEV=1` env flag switches main to load the Vite URL instead of `dist/renderer/index.html`.
+
+#### Authentication (F5)
+
+- **F5 hybrid login** — Three login modes selectable at runtime: cloud (`byan.acadenice.fr`), local (auto-detected server), custom URL. Mode persisted in app config; switchable from the native menu.
+
+#### Onboarding (F4)
+
+- **F4 5-step onboarding** — Welcome -> Platform detection -> Config preview -> Apply -> Done. Covers Linux and Windows; macOS branch present but gated (F21 deferred). Onboarding state persisted via Electron store; skipped on subsequent launches.
+
+#### Secure storage (F6)
+
+- **F6 keytar** — API tokens stored via `keytar` (libsecret on Linux, Credential Manager on Windows). Token stored in the OS keychain, not in plaintext config files; IPC `get-token` / `set-token` channels exposed through preload only.
+
+#### Native integration (F19)
+
+- **F19 native menu** — Application menu built with `Menu.buildFromTemplate`; entries: File (quit), Edit (cut/copy/paste/select-all), View (reload, devtools in dev mode), Help (about). Consistent on Linux and Windows.
+
+#### Cross-platform build (F10)
+
+- **F10 build** — `npm run build` compiles main + preload (TypeScript) and bundles renderer (Vite). `npm run build:linux` produces AppImage + deb via electron-builder. `npm run build:win` produces NSIS installer via cross-compilation (Wine on Linux CI or native Windows runner).
+
+#### CI matrix (F11, P1)
+
+- **F11 + P1 GitHub Actions matrix** — Workflow `.github/workflows/electron-ci.yml` runs on `ubuntu-latest` (Linux build + unit tests) and `windows-latest` (Windows build + unit tests) in parallel. Draft GitHub Release created automatically when a `v*` tag is pushed; AppImage, deb, and NSIS installer attached as artifacts.
+
+#### Test suite (F18)
+
+- **F18 E2E Playwright** — Playwright suite in `app/__tests__/` using `playwright-electron`; covers: app launch, onboarding flow, login modal, token store round-trip, native menu visibility. `npm run test:e2e` runs the full suite headlessly.
+
+### Changed
+
+- `install/src/webui/server.js` and `install/src/webui/api.js` — minor edits to support port-injection from the Electron main process (F3: server accepts `BYAN_PORT` env var, binds to `127.0.0.1` only, emits a ready signal to stdout that main process parses).
+
+### Notes
+
+- **F21 macOS** — deferred; code branch exists, not tested, no CI runner. Target: v1.1.
+- **F9 auto-update** — electron-updater integration deferred to P2 (v1.1). Update check menu item is present but inert.
+- **F14 MCP control panel** — deferred to P2 (v1.1).
+- **First CI run** — push tag `v0.1.0-rc` to trigger the first draft release and validate artifact upload end-to-end before promoting to `v1.0.0`.
+
+---
+
 ## [2.9.10] - 2026-04-21
 
 ### Fixed - MCP auth scheme wrong for byan_web API keys

package/README.md

@@ -428,6 +428,29 @@ Domaines stricts : `security` / `performance` / `compliance` → LEVEL-2 minimum
 
 ---
 
+## BYAN Strict Mode — Anti-Downgrade
+
+Mode d'enforcement qui empêche l'agent de livrer moins que demandé (un MVP au
+lieu de l'app prod, un stub au lieu de la feature, un template baclé). Actif sur
+les **3 plateformes** : Claude Code, Codex, GitHub Copilot.
+
+```
+1. Lock du scope       byan_strict_lock_scope  (scope verbatim + critères testables)
+2. Build complet       pas de MVP, pas de stub, tout gap est signalé
+3. Self-verify >= 3x   byan_strict_self_verify (relit la demande initiale)
+4. Complete            byan_strict_complete    (jeton d'audit)
+```
+
+Le commit est **bloqué** par un filet pre-commit tant que la session strict
+engagée n'est pas complétée correctement — y compris pour Codex et Copilot qui
+n'ont pas de hook in-session. Source de vérité unique :
+`_byan/_config/strict-mode.yaml`, régénérée via `byan-sync-rules`.
+
+Activation : `byan_fd_start strict:true`, skill `byan-strict`, ou auto-détection
+sur mots-clés (`prod`, `client`, `livrable`, `contrat`, `release`...).
+
+---
+
 ## Workflows Principaux
 
 | Workflow | Description | Agent principal |
@@ -443,6 +466,7 @@ Domaines stricts : `security` / `performance` / `compliance` → LEVEL-2 minimum
 | `testarch-atdd` | Générer des tests ATDD avant implémentation | tea |
 | `fact-check` | Analyser une assertion ou un document | fact-checker |
 | `elo-workflow` | Consulter et gérer le score de confiance ELO | byan |
+| `byan-sync-rules` | Régénérer les artefacts du mode strict (3 plateformes) | byan |
 
 ---
 

package/install/GUIDE-INSTALLATION-BYAN-SIMPLE.md

@@ -416,6 +416,46 @@ Claude reconnaît l'agent BYAN et vous pouvez interagir avec lui.
 
 ---
 
+### 🔌 Extensions MCP optionnelles (depuis 2.16.0)
+
+Pendant l'installation, BYAN propose d'activer des MCP servers tiers en plus du serveur byan natif.
+
+**Disponibles aujourd'hui :**
+
+| Extension | Description | Setup |
+|-----------|-------------|-------|
+| `gdrive` | Google Workspace : Docs, Sheets, Slides, Drive, Gmail, Calendar (95+ tools via `google-workspace-mcp`) | Interactif — guide Google Cloud + OAuth flow |
+
+**Sécurité — où vivent les credentials :**
+
+- Aucune credential n'est écrite dans le repo BYAN ni dans `.mcp.json` (source : [CLAIM L1] code de `install/packages/platform-config/lib/mcp-config.js`, fonction `assertNoSecretInEntry`)
+- `~/.google-mcp/credentials.json` (perm 600) — Client OAuth Google
+- `~/.google-mcp/tokens/<account>.json` — Tokens d'accès persistés par compte
+- `BYAN_API_TOKEN` — vit uniquement dans `.env` (gitignored) + `.claude/settings.local.json` (gitignored)
+
+**Si tu skip l'extension à l'install et veux l'activer plus tard**, relance `npx create-byan-agent` ou ajoute manuellement l'entry suivante à `.mcp.json` :
+
+```json
+{
+  "mcpServers": {
+    "gdrive": {
+      "command": "npx",
+      "args": ["-y", "google-workspace-mcp", "serve"]
+    }
+  }
+}
+```
+
+Puis exécute le setup interactif du package :
+
+```bash
+npx -y google-workspace-mcp setup
+npx -y google-workspace-mcp accounts add default
+npx -y google-workspace-mcp status   # vérifier que tout est OK
+```
+
+---
+
 ## 5. Cas d'Usage Typiques
 
 ### 🎯 Cas 1 : Créer un Nouvel Agent

package/install/bin/create-byan-agent-v2.js

@@ -17,6 +17,7 @@ const { launchPhase2Chat, generateDefaultConfig } = require('../lib/phase2-chat'
 const { setupByanWebIntegration, validateByanWebReachability } = require('../lib/byan-web-integration');
 const { setupClaudeNative } = require('../lib/claude-native-setup');
 const { setupCodexNative } = require('../lib/codex-native-setup');
+const { setupMcpExtensions } = require('../lib/mcp-extensions');
 const { setupStagingConsent } = require('../lib/staging-consent');
 const { getLatestVersion, compareVersions } = require('../lib/utils/version-compare');
 
@@ -1491,6 +1492,14 @@ async function install(options = {}) {
     }
   }
 
+  if (needsClaude) {
+    try {
+      await setupMcpExtensions(projectRoot, {});
+    } catch (error) {
+      console.log(chalk.yellow(`  ⚠ MCP extensions setup skipped: ${error.message}`));
+    }
+  }
+
   // Step 8: Create config.yaml
   const configSpinner = ora('Generating configuration...').start();
   

package/install/lib/claude-native-setup.js

@@ -131,6 +131,35 @@ async function installMcpDependencies(mcpServerPath) {
   }
 }
 
+async function copyGitHooks(projectRoot) {
+  // The BYAN Strict Mode pre-commit gate is the cross-platform final net
+  // (Codex/Copilot have no in-session hook). Install it whenever the project
+  // is a git repo: copy .githooks/ and point core.hooksPath at it.
+  const src = path.join(TEMPLATE_ROOT, '.githooks');
+  const dst = path.join(projectRoot, '.githooks');
+  if (!(await fs.pathExists(src))) return { copied: false, reason: 'no_template' };
+  await fs.copy(src, dst, { overwrite: true });
+
+  const preCommit = path.join(dst, 'pre-commit');
+  if (await fs.pathExists(preCommit)) {
+    try { await fs.chmod(preCommit, 0o755); } catch { /* non-fatal */ }
+  }
+
+  // Only wire core.hooksPath when this is actually a git repo.
+  if (!(await fs.pathExists(path.join(projectRoot, '.git')))) {
+    return { copied: true, hooksPath: false, reason: 'not_a_git_repo' };
+  }
+  try {
+    execSync('git config core.hooksPath .githooks', {
+      cwd: projectRoot,
+      stdio: ['ignore', 'ignore', 'pipe'],
+    });
+    return { copied: true, hooksPath: true };
+  } catch (err) {
+    return { copied: true, hooksPath: false, error: err.message || String(err) };
+  }
+}
+
 async function setupClaudeNative(projectRoot, options = {}) {
   const log = options.quiet ? () => {} : (...a) => console.log(...a);
   const results = {};
@@ -158,6 +187,13 @@ async function setupClaudeNative(projectRoot, options = {}) {
   results.mcpConfig = await generateMcpConfig(projectRoot, options);
   log(chalk.green(`  ✓ .mcp.json generated (absolute path)`));
 
+  results.gitHooks = await copyGitHooks(projectRoot);
+  if (results.gitHooks.copied && results.gitHooks.hooksPath) {
+    log(chalk.green(`  ✓ Strict pre-commit gate wired (.githooks + core.hooksPath)`));
+  } else if (results.gitHooks.copied) {
+    log(chalk.yellow(`  ⚠ .githooks copied but not wired (${results.gitHooks.reason || 'no git repo'}); run: git config core.hooksPath .githooks`));
+  }
+
   if (results.mcp.copied && options.installDeps !== false) {
     results.mcpDeps = await installMcpDependencies(results.mcp.path);
     if (results.mcpDeps.installed) {
@@ -187,6 +223,7 @@ module.exports = {
   copyClaudeSkills,
   copyClaudeSettings,
   copyMcpServer,
+  copyGitHooks,
   makeNodeModulesFilter,
   generateMcpConfig,
   installMcpDependencies,

package/install/lib/mcp-extensions/gdrive.js

@@ -0,0 +1,256 @@
+/**
+ * Google Workspace MCP extension (gdrive)
+ *
+ * Wraps the npm package `google-workspace-mcp` (Docs, Sheets, Slides, Drive,
+ * Gmail, Calendar, Forms — 95+ tools). The package ships its own CLI for
+ * interactive credential setup and persists everything under
+ * ~/.google-mcp/ (gitignored by virtue of being in $HOME).
+ *
+ * Our role here is:
+ *   1. Detect if the package is reachable (npx).
+ *   2. Detect if credentials are already on disk.
+ *   3. If not, walk the user through the Google Cloud setup steps with
+ *      direct console links, and delegate the actual OAuth flow to the
+ *      package's `setup` / `accounts add` CLI subcommands.
+ *   4. Provide the .mcp.json entry to register the server.
+ *
+ * No credential ever touches the project tree. The .mcp.json entry only
+ * declares command/args — every secret stays in ~/.google-mcp/.
+ */
+
+'use strict';
+
+const path = require('path');
+const os = require('os');
+const fs = require('fs-extra');
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+const { execSync, spawnSync } = require('child_process');
+
+const PACKAGE_NAME = 'google-workspace-mcp';
+const CONFIG_DIR = path.join(os.homedir(), '.google-mcp');
+const CREDENTIALS_PATH = path.join(CONFIG_DIR, 'credentials.json');
+
+const SETUP_LINKS = [
+  {
+    step: 'Créer un projet Google Cloud',
+    url: 'https://console.cloud.google.com/projectcreate',
+  },
+  {
+    step: 'Activer les APIs (Drive, Docs, Sheets, Slides, Gmail, Calendar, Forms)',
+    url: 'https://console.cloud.google.com/apis/library',
+  },
+  {
+    step: 'Configurer l\'écran de consentement OAuth (External, mode Test)',
+    url: 'https://console.cloud.google.com/apis/credentials/consent',
+  },
+  {
+    step: 'Créer un OAuth Client ID type "Desktop App"',
+    url: 'https://console.cloud.google.com/apis/credentials/oauthclient',
+  },
+];
+
+async function isPackageInstallable() {
+  try {
+    execSync(`npm view ${PACKAGE_NAME} version --silent`, {
+      stdio: ['ignore', 'ignore', 'pipe'],
+      timeout: 30_000,
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function hasCredentials() {
+  return fs.pathExists(CREDENTIALS_PATH);
+}
+
+async function isConfigured() {
+  return hasCredentials();
+}
+
+function buildEntry() {
+  return {
+    command: 'npx',
+    args: ['-y', PACKAGE_NAME, 'serve'],
+  };
+}
+
+async function buildMcpEntry() {
+  return buildEntry();
+}
+
+function printSetupGuide(log) {
+  log();
+  log(chalk.cyan('Étapes Google Cloud (faire dans le navigateur, dans cet ordre) :'));
+  SETUP_LINKS.forEach((s, i) => {
+    log(chalk.gray(`  ${i + 1}. ${s.step}`));
+    log(chalk.gray(`     → ${s.url}`));
+  });
+  log();
+  log(chalk.gray(`  5. Télécharger le JSON OAuth Client (bouton "Download JSON")`));
+  log(chalk.gray(`  6. Renommer ce fichier en : credentials.json`));
+  log(chalk.gray(`  7. Le placer dans : ${CREDENTIALS_PATH}`));
+  log();
+}
+
+async function importCredentialsFromPath(srcPath, log) {
+  const abs = path.resolve(srcPath);
+  if (!(await fs.pathExists(abs))) {
+    throw new Error(`Fichier introuvable : ${abs}`);
+  }
+  let parsed;
+  try {
+    parsed = await fs.readJson(abs);
+  } catch (e) {
+    throw new Error(`JSON invalide : ${e.message}`);
+  }
+  // Sanity check — Google OAuth client JSON has either "installed" or "web"
+  if (!parsed.installed && !parsed.web) {
+    throw new Error(
+      `Format inattendu : ce fichier ne ressemble pas à un OAuth Client Google (clé "installed" ou "web" absente)`
+    );
+  }
+  await fs.ensureDir(CONFIG_DIR);
+  // Tighten dir perms : 700 (owner only). Best-effort on non-POSIX.
+  try {
+    await fs.chmod(CONFIG_DIR, 0o700);
+  } catch {
+    // ignore on platforms where this fails
+  }
+  await fs.writeFile(CREDENTIALS_PATH, JSON.stringify(parsed, null, 2), {
+    mode: 0o600,
+  });
+  log(chalk.green(`  ✓ credentials.json copié vers ${CREDENTIALS_PATH} (perm 600)`));
+}
+
+async function runOAuthFlow(log) {
+  log();
+  log(chalk.cyan('Lancement du flow OAuth Google (le navigateur va s\'ouvrir)'));
+  log(chalk.gray('  Suis les instructions à l\'écran. Ferme la fenêtre quand le flow est terminé.'));
+  log();
+
+  const { accountName } = await inquirer.prompt([
+    {
+      type: 'input',
+      name: 'accountName',
+      message: 'Nom du compte Google (un slug — ex : "perso", "work") :',
+      default: 'default',
+      validate: (v) => /^[a-z0-9_-]+$/i.test(v) || 'Caractères autorisés : a-z, 0-9, _, -',
+    },
+  ]);
+
+  const result = spawnSync('npx', ['-y', PACKAGE_NAME, 'accounts', 'add', accountName], {
+    stdio: 'inherit',
+    timeout: 600_000, // 10 minutes
+  });
+
+  if (result.status !== 0) {
+    throw new Error(`google-workspace-mcp accounts add a échoué (exit ${result.status})`);
+  }
+  log(chalk.green(`  ✓ Compte "${accountName}" ajouté`));
+  return accountName;
+}
+
+async function setup({ quiet } = {}) {
+  const log = quiet ? () => {} : (...a) => console.log(...a);
+
+  if (!(await isPackageInstallable())) {
+    return {
+      configured: false,
+      skipReason: `Le package npm "${PACKAGE_NAME}" n'est pas accessible (réseau / registre indisponible). Réessaie plus tard.`,
+    };
+  }
+
+  if (await hasCredentials()) {
+    log(chalk.gray(`  · credentials.json déjà présent à ${CREDENTIALS_PATH}`));
+    const { reuse } = await inquirer.prompt([
+      {
+        type: 'confirm',
+        name: 'reuse',
+        message: 'Réutiliser la config existante (sans relancer OAuth) ?',
+        default: true,
+      },
+    ]);
+    if (reuse) {
+      return { configured: true, message: 'reused existing credentials' };
+    }
+  } else {
+    printSetupGuide(log);
+
+    const { hasJson } = await inquirer.prompt([
+      {
+        type: 'confirm',
+        name: 'hasJson',
+        message: 'Tu as téléchargé le credentials.json (étapes 1-5) ?',
+        default: false,
+      },
+    ]);
+
+    if (!hasJson) {
+      return {
+        configured: false,
+        skipReason:
+          'Setup interrompu — relance l\'installer une fois le credentials.json téléchargé.',
+      };
+    }
+
+    const { jsonPath } = await inquirer.prompt([
+      {
+        type: 'input',
+        name: 'jsonPath',
+        message: 'Chemin local vers le credentials.json téléchargé :',
+        validate: (v) => v && v.trim().length > 0 || 'Chemin requis',
+      },
+    ]);
+
+    try {
+      await importCredentialsFromPath(jsonPath.trim(), log);
+    } catch (err) {
+      return { configured: false, skipReason: `Import des credentials échoué : ${err.message}` };
+    }
+  }
+
+  const { runAuth } = await inquirer.prompt([
+    {
+      type: 'confirm',
+      name: 'runAuth',
+      message: 'Lancer le flow OAuth maintenant (ouvre le navigateur) ?',
+      default: true,
+    },
+  ]);
+
+  if (!runAuth) {
+    return {
+      configured: true,
+      message:
+        'credentials importés ; lance le flow OAuth plus tard via : npx -y google-workspace-mcp accounts add <name>',
+    };
+  }
+
+  try {
+    const account = await runOAuthFlow(log);
+    return { configured: true, message: `compte "${account}" authentifié` };
+  } catch (err) {
+    return {
+      configured: false,
+      skipReason:
+        `OAuth a échoué : ${err.message}. Relance manuellement : npx -y ${PACKAGE_NAME} accounts add <name>`,
+    };
+  }
+}
+
+module.exports = {
+  id: 'gdrive',
+  name: 'Google Workspace (Docs / Sheets / Slides / Drive / Gmail / Calendar)',
+  description: '95+ tools via google-workspace-mcp, OAuth2, creds in ~/.google-mcp/',
+  isConfigured,
+  setup,
+  buildMcpEntry,
+  // exposed for tests
+  buildEntry,
+  CONFIG_DIR,
+  CREDENTIALS_PATH,
+  PACKAGE_NAME,
+};

package/install/lib/mcp-extensions/index.js

@@ -0,0 +1,147 @@
+/**
+ * MCP Extensions Registry — discovers and orchestrates third-party MCP
+ * server integrations (Google Workspace, etc.) during yanstaller install.
+ *
+ * Each extension is a module under this directory exposing the contract:
+ *
+ *   {
+ *     id          : string                       // unique slug (becomes mcpServers key)
+ *     name        : string                       // human-readable name
+ *     description : string                       // shown to user during prompt
+ *     async isConfigured(): Promise<boolean>     // already set up on this machine?
+ *     async setup(options): Promise<{
+ *       configured: boolean,
+ *       message:    string,
+ *       skipReason?: string,
+ *     }>                                          // interactive: walks the user
+ *                                                 // through credential setup
+ *     async buildMcpEntry(): Promise<object>     // returns the entry to write
+ *                                                 // into mcpServers.<id>
+ *   }
+ *
+ * The registry walks the list, prompts the user for each, runs setup if
+ * accepted, and writes the resulting MCP entry into .mcp.json via
+ * addMcpEntry (which refuses any entry containing a value that looks like
+ * a secret — see mcp-config.js).
+ *
+ * No secret value is ever stored by this module. Per-extension credential
+ * persistence is the extension's responsibility (typically under ~/.config/
+ * or ~/.<package>/, never inside the project).
+ */
+
+'use strict';
+
+const path = require('path');
+const fs = require('fs-extra');
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+
+const {
+  mcpConfig: { addMcpEntry },
+} = require('byan-platform-config');
+
+const gdrive = require('./gdrive');
+
+const EXTENSIONS = [gdrive];
+
+function listExtensions() {
+  return EXTENSIONS.map((ext) => ({
+    id: ext.id,
+    name: ext.name,
+    description: ext.description,
+  }));
+}
+
+function getExtension(id) {
+  return EXTENSIONS.find((ext) => ext.id === id) || null;
+}
+
+/**
+ * Walk every registered extension and offer it to the user. For each
+ * extension the user accepts, run its setup flow, then register the
+ * resulting MCP entry in .mcp.json.
+ *
+ * @param {string} projectRoot
+ * @param {{
+ *   skipPrompts?: boolean,
+ *   presetSelections?: Record<string, boolean>,  // { gdrive: true }
+ *   quiet?: boolean,
+ * }} options
+ * @returns {Promise<Array<{ id: string, configured: boolean, message: string }>>}
+ */
+async function setupMcpExtensions(projectRoot, options = {}) {
+  const log = options.quiet ? () => {} : (...a) => console.log(...a);
+  const results = [];
+
+  if (EXTENSIONS.length === 0) return results;
+
+  log();
+  log(chalk.cyan('MCP extensions (optional third-party integrations)'));
+
+  for (const ext of EXTENSIONS) {
+    let want;
+    if (options.skipPrompts) {
+      want = options.presetSelections && options.presetSelections[ext.id] === true;
+    } else {
+      const answers = await inquirer.prompt([
+        {
+          type: 'confirm',
+          name: 'enable',
+          message: `${ext.name} — ${ext.description}\n  Activer ?`,
+          default: false,
+        },
+      ]);
+      want = answers.enable === true;
+    }
+
+    if (!want) {
+      log(chalk.gray(`  · ${ext.id}: skipped`));
+      results.push({ id: ext.id, configured: false, message: 'skipped by user' });
+      continue;
+    }
+
+    let setupResult;
+    try {
+      setupResult = await ext.setup({ projectRoot, quiet: options.quiet });
+    } catch (err) {
+      log(chalk.red(`  ✘ ${ext.id} setup failed: ${err.message}`));
+      results.push({ id: ext.id, configured: false, message: `setup error: ${err.message}` });
+      continue;
+    }
+
+    if (!setupResult || setupResult.configured !== true) {
+      const reason = (setupResult && (setupResult.skipReason || setupResult.message)) || 'setup not completed';
+      log(chalk.yellow(`  ⚠ ${ext.id}: ${reason}`));
+      results.push({ id: ext.id, configured: false, message: reason });
+      continue;
+    }
+
+    let entry;
+    try {
+      entry = await ext.buildMcpEntry({ projectRoot });
+    } catch (err) {
+      log(chalk.red(`  ✘ ${ext.id} buildMcpEntry failed: ${err.message}`));
+      results.push({ id: ext.id, configured: false, message: `buildMcpEntry error: ${err.message}` });
+      continue;
+    }
+
+    try {
+      await addMcpEntry(projectRoot, ext.id, entry);
+      log(chalk.green(`  ✓ ${ext.id} registered in .mcp.json`));
+      results.push({ id: ext.id, configured: true, message: 'registered' });
+    } catch (err) {
+      log(chalk.red(`  ✘ ${ext.id} addMcpEntry failed: ${err.message}`));
+      results.push({ id: ext.id, configured: false, message: `addMcpEntry error: ${err.message}` });
+    }
+  }
+
+  return results;
+}
+
+module.exports = {
+  listExtensions,
+  getExtension,
+  setupMcpExtensions,
+  // re-exported for tests / programmatic callers
+  EXTENSIONS,
+};

package/install/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-byan-agent",
-  "version": "2.15.0",
+  "version": "2.17.0",
   "description": "BYAN v2.2.2 - Intelligent AI agent installer with multi-platform native support (GitHub Copilot CLI, Claude Code, Codex/OpenCode)",
   "bin": {
     "create-byan-agent": "bin/create-byan-agent-v2.js"