create-workframe 0.1.0 → 0.1.1

package/scripts/setup-stack-secrets.sh

@@ -1,50 +1,50 @@
-#!/usr/bin/env bash
-# Append production stack secrets to a Workframe .env (idempotent).
-# Usage: bash scripts/workframe/setup-stack-secrets.sh path/to/.env
-set -euo pipefail
-
-ENV_FILE="${1:-/workspace/.env}"
-
-append_if_missing() {
-  local key="$1"
-  local value="$2"
-  local comment="${3:-}"
-  if [[ -f "$ENV_FILE" ]] && grep -q "^${key}=" "$ENV_FILE"; then
-    echo "${key} already exists in ${ENV_FILE}"
-    return 0
-  fi
-  mkdir -p "$(dirname "$ENV_FILE")"
-  {
-    [[ -n "$comment" ]] && printf '\n# %s\n' "$comment"
-    printf '%s=%s\n' "$key" "$value"
-  } >>"$ENV_FILE"
-  echo "${key} generated and appended to ${ENV_FILE}"
-}
-
-rand_hex() {
-  openssl rand -hex 32 2>/dev/null || python3 - <<'PY'
-import secrets
-print(secrets.token_hex(32))
-PY
-}
-
-rand_b64() {
-  python3 - <<'PY'
-import base64, os
-print(base64.b64encode(os.urandom(32)).decode())
-PY
-}
-
-rand_proxy() {
-  python3 - <<'PY'
-import secrets
-print(secrets.token_urlsafe(32))
-PY
-}
-
-append_if_missing WORKFRAME_SUPERVISOR_TOKEN "${WORKFRAME_SUPERVISOR_TOKEN:-$(rand_hex)}" \
-  "Workframe supervisor token. Keep this secret."
-append_if_missing WORKFRAME_PROXY_TOKEN "${WORKFRAME_PROXY_TOKEN:-$(rand_proxy)}" \
-  "Internal LLM/action proxy secret — gateway + API must match."
-append_if_missing WORKFRAME_VAULT_KEK "${WORKFRAME_VAULT_KEK:-$(rand_b64)}" \
-  "Credential vault KEK (32-byte base64). Required for public_multi_user."
+#!/usr/bin/env bash
+# Append production stack secrets to a Workframe .env (idempotent).
+# Usage: bash scripts/workframe/setup-stack-secrets.sh path/to/.env
+set -euo pipefail
+
+ENV_FILE="${1:-/workspace/.env}"
+
+append_if_missing() {
+  local key="$1"
+  local value="$2"
+  local comment="${3:-}"
+  if [[ -f "$ENV_FILE" ]] && grep -q "^${key}=" "$ENV_FILE"; then
+    echo "${key} already exists in ${ENV_FILE}"
+    return 0
+  fi
+  mkdir -p "$(dirname "$ENV_FILE")"
+  {
+    [[ -n "$comment" ]] && printf '\n# %s\n' "$comment"
+    printf '%s=%s\n' "$key" "$value"
+  } >>"$ENV_FILE"
+  echo "${key} generated and appended to ${ENV_FILE}"
+}
+
+rand_hex() {
+  openssl rand -hex 32 2>/dev/null || python3 - <<'PY'
+import secrets
+print(secrets.token_hex(32))
+PY
+}
+
+rand_b64() {
+  python3 - <<'PY'
+import base64, os
+print(base64.b64encode(os.urandom(32)).decode())
+PY
+}
+
+rand_proxy() {
+  python3 - <<'PY'
+import secrets
+print(secrets.token_urlsafe(32))
+PY
+}
+
+append_if_missing WORKFRAME_SUPERVISOR_TOKEN "${WORKFRAME_SUPERVISOR_TOKEN:-$(rand_hex)}" \
+  "Workframe supervisor token. Keep this secret."
+append_if_missing WORKFRAME_PROXY_TOKEN "${WORKFRAME_PROXY_TOKEN:-$(rand_proxy)}" \
+  "Internal LLM/action proxy secret — gateway + API must match."
+append_if_missing WORKFRAME_VAULT_KEK "${WORKFRAME_VAULT_KEK:-$(rand_b64)}" \
+  "Credential vault KEK (32-byte base64). Required for public_multi_user."

package/scripts/sync-canonical-to-package.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 /**
  * Copy canonical Workframe BFF into create-workframe package tree before npm pack.
- * Run from ProjectX root: node packages/create-workframe/scripts/sync-canonical-to-package.mjs
+ * Run from repository root: node packages/create-workframe/scripts/sync-canonical-to-package.mjs
  */
 import fs from 'node:fs';
 import path from 'node:path';
@@ -9,14 +9,15 @@ import { fileURLToPath } from 'node:url';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const PKG_ROOT = path.resolve(__dirname, '..');
-const PROJECTX_ROOT = path.resolve(PKG_ROOT, '../..');
-const CANONICAL_API = path.join(PROJECTX_ROOT, 'services/workframe-api');
+const REPO_ROOT = path.resolve(PKG_ROOT, '../..');
+const CANONICAL_API = path.join(REPO_ROOT, 'services/workframe-api');
 const PKG_API = path.join(PKG_ROOT, 'workframe-api');
-const CANONICAL_SUPERVISOR = path.join(PROJECTX_ROOT, 'services/workframe-supervisor');
+const CANONICAL_SUPERVISOR = path.join(REPO_ROOT, 'services/workframe-supervisor');
 const PKG_SUPERVISOR = path.join(PKG_ROOT, 'workframe-supervisor');
 
 const SKIP_DIRS = new Set([
   'data',
+  'tests',
   '__pycache__',
   '.pytest_cache',
   '.venv',
@@ -103,7 +104,7 @@ const applyScripts = [
   'ensure-compose-host-paths.mjs',
 ];
 for (const name of applyScripts) {
-  const src = path.join(PROJECTX_ROOT, 'scripts/workframe', name);
+  const src = path.join(REPO_ROOT, 'scripts/workframe', name);
   const dst = path.join(PKG_ROOT, 'scripts', name);
   if (!fs.existsSync(src)) throw new Error(`Missing apply script: ${src}`);
   fs.mkdirSync(path.dirname(dst), { recursive: true });
@@ -111,7 +112,7 @@ for (const name of applyScripts) {
   console.log(`Synced ${name} -> package/scripts/`);
 }
 
-const publicDeploySrc = path.join(PROJECTX_ROOT, 'infra/compose/workframe/PUBLIC_DEPLOY.md');
+const publicDeploySrc = path.join(REPO_ROOT, 'infra/compose/workframe/PUBLIC_DEPLOY.md');
 const publicDeployDst = path.join(PKG_ROOT, 'docs/PUBLIC_DEPLOY.md');
 if (fs.existsSync(publicDeploySrc)) {
   fs.mkdirSync(path.dirname(publicDeployDst), { recursive: true });
@@ -120,7 +121,7 @@ if (fs.existsSync(publicDeploySrc)) {
 }
 
 for (const name of ['LICENSE', 'NOTICE', 'SECURITY.md']) {
-  const src = path.join(PROJECTX_ROOT, name);
+  const src = path.join(REPO_ROOT, name);
   const dst = path.join(PKG_ROOT, name);
   if (!fs.existsSync(src)) throw new Error(`Missing publish file: ${src}`);
   fs.copyFileSync(src, dst);

package/scripts/verify-public-deploy.sh

@@ -1,105 +1,105 @@
-#!/usr/bin/env bash
-# Fail-closed preflight for WORKFRAME_DEPLOYMENT_MODE=public_multi_user.
-# Usage: bash scripts/workframe/verify-public-deploy.sh [compose-dir]
-set -euo pipefail
-
-ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
-COMPOSE_DIR="${1:-$ROOT/infra/compose/workframe}"
-ENV_FILE="$COMPOSE_DIR/.env"
-COMPOSE_FILE="$COMPOSE_DIR/docker-compose.yml"
-
-fail() { echo "FAIL: $*" >&2; exit 1; }
-warn() { echo "WARN: $*" >&2; }
-ok() { echo "OK: $*"; }
-
-[[ -f "$ENV_FILE" ]] || fail "missing $ENV_FILE"
-[[ -f "$COMPOSE_FILE" ]] || fail "missing $COMPOSE_FILE"
-
-env_val() {
-  local key="$1"
-  grep -E "^${key}=" "$ENV_FILE" | tail -n1 | cut -d= -f2- | tr -d '\r' || true
-}
-
-MODE="$(env_val WORKFRAME_DEPLOYMENT_MODE)"
-MODE="${MODE:-trusted_team}"
-if [[ "$MODE" != "public_multi_user" ]]; then
-  ok "WORKFRAME_DEPLOYMENT_MODE=$MODE (skipping public checks; pass nothing to force public)"
-  exit 0
-fi
-
-ok "checking public_multi_user preflight"
-
-if [[ "$(env_val DEV_LOCAL_UNSAFE)" =~ ^(1|true|yes|on)$ ]]; then
-  fail "DEV_LOCAL_UNSAFE must be off for public_multi_user"
-fi
-if [[ "$(env_val SECURE_MODE)" != "true" ]]; then
-  fail "SECURE_MODE=true required"
-fi
-
-for key in WORKFRAME_SUPERVISOR_TOKEN WORKFRAME_API_TOKEN WORKFRAME_PROXY_TOKEN WORKFRAME_VAULT_KEK \
-  ZK_AUTH_HMAC_KEY ZK_AUTH_ENCRYPTION_KEY ZK_AUTH_SESSION_SECRET \
-  SMTP_HOST SMTP_USER SMTP_PASS EMAIL_FROM; do
-  [[ -n "$(env_val "$key")" ]] || fail "$key is empty"
-done
-
-APP_URL="$(env_val APP_BASE_URL)"
-[[ "$APP_URL" == https://* ]] || fail "APP_BASE_URL must be https:// (got ${APP_URL:-<empty>})"
-
-enc_key="$(env_val ZK_AUTH_ENCRYPTION_KEY)"
-if [[ -n "$enc_key" ]]; then
-  python3 - "$enc_key" <<'PY' || fail "ZK_AUTH_ENCRYPTION_KEY must be base64-encoded 32 bytes (not hex)"
-import base64, sys
-raw = base64.b64decode(sys.argv[1].strip())
-assert len(raw) == 32
-PY
-  ok "ZK_AUTH_ENCRYPTION_KEY format"
-fi
-
-if [[ "$(env_val WORKFRAME_E2E)" =~ ^(1|true|yes|on)$ ]] && [[ "$APP_URL" == https://* ]]; then
-  fail "WORKFRAME_E2E must be off for public HTTPS deploy"
-fi
-
-if grep -A40 '^  gateway:' "$COMPOSE_FILE" | grep -q 'env_file:'; then
-  fail "gateway must not use env_file in docker-compose.yml"
-fi
-if ! grep -q 'control-net' "$COMPOSE_FILE"; then
-  fail "control-net missing from docker-compose.yml"
-fi
-
-UI_PORT="$(env_val WORKFRAME_UI_PORT)"
-UI_PORT="${UI_PORT:-18644}"
-API_PORT="$(env_val WORKFRAME_API_PORT)"
-API_PORT="${API_PORT:-19120}"
-
-if command -v curl >/dev/null 2>&1; then
-  health="$(curl -fsS "http://127.0.0.1:${API_PORT}/api/health" 2>/dev/null || true)"
-  if [[ -z "$health" ]]; then
-    warn "API health unreachable on 127.0.0.1:${API_PORT} (stack down?)"
-  else
-    echo "$health" | grep -q 'public_multi_user' || fail "API health missing deployment_mode public_multi_user"
-    echo "$health" | grep -q '"mode": "secure"' || fail "API not in secure mode"
-    echo "$health" | grep -q '"proxy_token_configured": true' || fail "API proxy_token_configured is false"
-    echo "$health" | grep -q '"vault_envelope": true' || fail "API vault_envelope is false"
-    echo "$health" | grep -q '"docker_sock_on_api": false' || fail "API still has docker.sock mounted"
-    echo "$health" | grep -q 'install_window_open' || warn "API health missing install_window_open"
-    echo "$health" | grep -q 'workframe_e2e' || warn "API health missing workframe_e2e"
-    echo "$health" | grep -q 'dev_local_unsafe' || warn "API health missing dev_local_unsafe"
-    ok "API health"
-  fi
-  dash_code="$(curl -sS -o /dev/null -w '%{http_code}' "http://127.0.0.1:${UI_PORT}/hermes-dashboard/" || true)"
-  [[ "$dash_code" == "403" ]] || warn "hermes-dashboard without session returned $dash_code (expected 403)"
-else
-  warn "curl not found — skipping HTTP checks"
-fi
-
-if command -v docker >/dev/null 2>&1 && docker inspect workframe-gateway >/dev/null 2>&1; then
-  gw_env="$(docker inspect workframe-gateway --format '{{range .Config.Env}}{{println .}}{{end}}')"
-  for marker in WORKFRAME_SUPERVISOR_TOKEN ZK_AUTH_ SMTP_PASS; do
-    echo "$gw_env" | grep -q "$marker" && fail "gateway env contains $marker"
-  done
-  ok "gateway env allowlist"
-else
-  warn "workframe-gateway not running — skipping docker inspect"
-fi
-
-ok "public_multi_user preflight passed"
+#!/usr/bin/env bash
+# Fail-closed preflight for WORKFRAME_DEPLOYMENT_MODE=public_multi_user.
+# Usage: bash scripts/workframe/verify-public-deploy.sh [compose-dir]
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+COMPOSE_DIR="${1:-$ROOT/infra/compose/workframe}"
+ENV_FILE="$COMPOSE_DIR/.env"
+COMPOSE_FILE="$COMPOSE_DIR/docker-compose.yml"
+
+fail() { echo "FAIL: $*" >&2; exit 1; }
+warn() { echo "WARN: $*" >&2; }
+ok() { echo "OK: $*"; }
+
+[[ -f "$ENV_FILE" ]] || fail "missing $ENV_FILE"
+[[ -f "$COMPOSE_FILE" ]] || fail "missing $COMPOSE_FILE"
+
+env_val() {
+  local key="$1"
+  grep -E "^${key}=" "$ENV_FILE" | tail -n1 | cut -d= -f2- | tr -d '\r' || true
+}
+
+MODE="$(env_val WORKFRAME_DEPLOYMENT_MODE)"
+MODE="${MODE:-trusted_team}"
+if [[ "$MODE" != "public_multi_user" ]]; then
+  ok "WORKFRAME_DEPLOYMENT_MODE=$MODE (skipping public checks; pass nothing to force public)"
+  exit 0
+fi
+
+ok "checking public_multi_user preflight"
+
+if [[ "$(env_val DEV_LOCAL_UNSAFE)" =~ ^(1|true|yes|on)$ ]]; then
+  fail "DEV_LOCAL_UNSAFE must be off for public_multi_user"
+fi
+if [[ "$(env_val SECURE_MODE)" != "true" ]]; then
+  fail "SECURE_MODE=true required"
+fi
+
+for key in WORKFRAME_SUPERVISOR_TOKEN WORKFRAME_API_TOKEN WORKFRAME_PROXY_TOKEN WORKFRAME_VAULT_KEK \
+  ZK_AUTH_HMAC_KEY ZK_AUTH_ENCRYPTION_KEY ZK_AUTH_SESSION_SECRET \
+  SMTP_HOST SMTP_USER SMTP_PASS EMAIL_FROM; do
+  [[ -n "$(env_val "$key")" ]] || fail "$key is empty"
+done
+
+APP_URL="$(env_val APP_BASE_URL)"
+[[ "$APP_URL" == https://* ]] || fail "APP_BASE_URL must be https:// (got ${APP_URL:-<empty>})"
+
+enc_key="$(env_val ZK_AUTH_ENCRYPTION_KEY)"
+if [[ -n "$enc_key" ]]; then
+  python3 - "$enc_key" <<'PY' || fail "ZK_AUTH_ENCRYPTION_KEY must be base64-encoded 32 bytes (not hex)"
+import base64, sys
+raw = base64.b64decode(sys.argv[1].strip())
+assert len(raw) == 32
+PY
+  ok "ZK_AUTH_ENCRYPTION_KEY format"
+fi
+
+if [[ "$(env_val WORKFRAME_E2E)" =~ ^(1|true|yes|on)$ ]] && [[ "$APP_URL" == https://* ]]; then
+  fail "WORKFRAME_E2E must be off for public HTTPS deploy"
+fi
+
+if grep -A40 '^  gateway:' "$COMPOSE_FILE" | grep -q 'env_file:'; then
+  fail "gateway must not use env_file in docker-compose.yml"
+fi
+if ! grep -q 'control-net' "$COMPOSE_FILE"; then
+  fail "control-net missing from docker-compose.yml"
+fi
+
+UI_PORT="$(env_val WORKFRAME_UI_PORT)"
+UI_PORT="${UI_PORT:-18644}"
+API_PORT="$(env_val WORKFRAME_API_PORT)"
+API_PORT="${API_PORT:-19120}"
+
+if command -v curl >/dev/null 2>&1; then
+  health="$(curl -fsS "http://127.0.0.1:${API_PORT}/api/health" 2>/dev/null || true)"
+  if [[ -z "$health" ]]; then
+    warn "API health unreachable on 127.0.0.1:${API_PORT} (stack down?)"
+  else
+    echo "$health" | grep -q 'public_multi_user' || fail "API health missing deployment_mode public_multi_user"
+    echo "$health" | grep -q '"mode": "secure"' || fail "API not in secure mode"
+    echo "$health" | grep -q '"proxy_token_configured": true' || fail "API proxy_token_configured is false"
+    echo "$health" | grep -q '"vault_envelope": true' || fail "API vault_envelope is false"
+    echo "$health" | grep -q '"docker_sock_on_api": false' || fail "API still has docker.sock mounted"
+    echo "$health" | grep -q 'install_window_open' || warn "API health missing install_window_open"
+    echo "$health" | grep -q 'workframe_e2e' || warn "API health missing workframe_e2e"
+    echo "$health" | grep -q 'dev_local_unsafe' || warn "API health missing dev_local_unsafe"
+    ok "API health"
+  fi
+  dash_code="$(curl -sS -o /dev/null -w '%{http_code}' "http://127.0.0.1:${UI_PORT}/hermes-dashboard/" || true)"
+  [[ "$dash_code" == "403" ]] || warn "hermes-dashboard without session returned $dash_code (expected 403)"
+else
+  warn "curl not found — skipping HTTP checks"
+fi
+
+if command -v docker >/dev/null 2>&1 && docker inspect workframe-gateway >/dev/null 2>&1; then
+  gw_env="$(docker inspect workframe-gateway --format '{{range .Config.Env}}{{println .}}{{end}}')"
+  for marker in WORKFRAME_SUPERVISOR_TOKEN ZK_AUTH_ SMTP_PASS; do
+    echo "$gw_env" | grep -q "$marker" && fail "gateway env contains $marker"
+  done
+  ok "gateway env allowlist"
+else
+  warn "workframe-gateway not running — skipping docker inspect"
+fi
+
+ok "public_multi_user preflight passed"

package/shared/WORKFRAME_AGENT_LIBRARY.md

@@ -8,23 +8,23 @@ Canonical behavior location
 - Runtime: `Agents/profiles/{nativeProfileSlug}/SOUL.md`
 - Bootstrap seed: `scripts/seed/profiles/{nativeProfileSlug}/SOUL.md`
 
-Default specialist catalog
-- visionary
-- architect
-- docs
-- dev
-- research
-- designer
-
-Install-time starter packs
-- Recorded in `workframe-manifest.json` (`pack`, `profiles`, `native_agent`)
-- Default scaffold pack is `native` (native agent only)
-- Reference packs can still be chosen explicitly
-- See `docs/SETUP.md` for the pack chosen at install
-
-Extension pattern
-- Add niche specialists only when recurring demand exists.
-- Preferred path: spawn specialists on demand through botfather/lifecycle flows instead of preinstalling the whole crew.
+Default specialist catalog
+- visionary
+- architect
+- docs
+- dev
+- research
+- designer
+
+Install-time starter packs
+- Recorded in `workframe-manifest.json` (`pack`, `profiles`, `native_agent`)
+- Default scaffold pack is `native` (native agent only)
+- Reference packs can still be chosen explicitly
+- See `docs/SETUP.md` for the pack chosen at install
+
+Extension pattern
+- Add niche specialists only when recurring demand exists.
+- Preferred path: spawn specialists on demand through botfather/lifecycle flows instead of preinstalling the whole crew.
 
 Curation rule
 - Keep role-specific skill/tool bundles lean.

package/shared/WORKFRAME_AGENT_OPERATIONS.md

@@ -3,11 +3,11 @@
 Goal
 - keep the agent library dynamic but controlled.
 
-Concierge responsibilities
-- detect recurring specialist needs
-- propose profile add/remove/swap
-- route work through existing profiles until approved change lands
-- spawn specialists only when a real role gap exists
+Concierge responsibilities
+- detect recurring specialist needs
+- propose profile add/remove/swap
+- route work through existing profiles until approved change lands
+- spawn specialists only when a real role gap exists
 
 Profile operations policy
 - Add profile: when repeated tasks do not fit existing specialists.
@@ -17,13 +17,13 @@ Profile operations policy
 Approval
 - owner/admin approves profile topology changes in team environments.
 
-Preferred implementation path
-1) Update runtime profile SOUL under `Agents/profiles/`.
-2) Update bootstrap seeds under `scripts/seed/profiles/` when templates change.
-3) Spawn or update the runtime profile set through lifecycle/botfather flows.
-4) Announce changed routing behavior in docs and chat status.
-
-Default topology policy
-- Start native-only.
-- Treat specialist packs as reference presets, not mandatory first boot state.
-- Keep the installed crew as small as possible until real demand appears.
+Preferred implementation path
+1) Update runtime profile SOUL under `Agents/profiles/`.
+2) Update bootstrap seeds under `scripts/seed/profiles/` when templates change.
+3) Spawn or update the runtime profile set through lifecycle/botfather flows.
+4) Announce changed routing behavior in docs and chat status.
+
+Default topology policy
+- Start native-only.
+- Treat specialist packs as reference presets, not mandatory first boot state.
+- Keep the installed crew as small as possible until real demand appears.

package/shared/WORKFRAME_AGENT_PACKS.json

@@ -1,17 +1,17 @@
 {
-  "version": 2,
-  "packs": {
-    "native": {
-      "description": "One native project agent only. Spawn specialists later through Workframe botfather flows.",
-      "profiles": [
-        "project-agent"
-      ]
-    },
-    "vanilla": {
-      "description": "Reference default crew pack (native project agent + all core specialists)",
-      "profiles": [
-        "project-agent",
-        "visionary",
+  "version": 2,
+  "packs": {
+    "native": {
+      "description": "One native project agent only. Spawn specialists later through Workframe botfather flows.",
+      "profiles": [
+        "project-agent"
+      ]
+    },
+    "vanilla": {
+      "description": "Reference default crew pack (native project agent + all core specialists)",
+      "profiles": [
+        "project-agent",
+        "visionary",
         "architect",
         "docs",
         "dev",
@@ -48,11 +48,11 @@
         "research"
       ]
     },
-    "full": {
-      "description": "Alias of vanilla for compatibility",
-      "profiles": [
-        "project-agent",
-        "visionary",
+    "full": {
+      "description": "Alias of vanilla for compatibility",
+      "profiles": [
+        "project-agent",
+        "visionary",
         "architect",
         "docs",
         "dev",

package/shared/WORKFRAME_AGENT_PACKS.yaml

@@ -1,11 +1,11 @@
-version: 2
-packs:
-  native:
-    description: One native project agent only. Spawn specialists later through Workframe botfather flows.
-    profiles: [project-agent]
-  vanilla:
-    description: Reference default crew pack (native project agent + all core specialists)
-    profiles: [project-agent, visionary, architect, docs, dev, research, designer]
+version: 2
+packs:
+  native:
+    description: One native project agent only. Spawn specialists later through Workframe botfather flows.
+    profiles: [project-agent]
+  vanilla:
+    description: Reference default crew pack (native project agent + all core specialists)
+    profiles: [project-agent, visionary, architect, docs, dev, research, designer]
   core:
     description: Minimal operational baseline
     profiles: [project-agent, docs, dev]

package/shared/WORKFRAME_SKILL_CURATION.md

@@ -21,7 +21,7 @@ Tool curation rules
 3) Add a skill only after repeated need.
 4) Remove stale skills quarterly.
 
-Install-time selection
-- default to the `native` starter pack unless a larger reference pack is explicitly requested
-- reference packs remain available (`core` / `product` / `engineering` / `full`)
-- concierge can request profile add/remove later with owner approval.
+Install-time selection
+- default to the `native` starter pack unless a larger reference pack is explicitly requested
+- reference packs remain available (`core` / `product` / `engineering` / `full`)
+- concierge can request profile add/remove later with owner approval.

package/workframe-api/README.md

@@ -1,28 +1,28 @@
-# Workframe API Service
-
-**Version:** `0.1.0` (`workframe-api-0.1.0`). See `docs/VERSION.md`.
-
-Active backend service for the transplanted Workframe vertical slice.
-
-This is intentionally preserved as the current Python BFF instead of being rewritten into `apps/api`.
-
-## Local
-
-```bash
-cd services/workframe-api
-python3 -m venv .venv
-. .venv/bin/activate
-pip install -r requirements.txt
-HOST=0.0.0.0 PORT=8080 HERMES_DATA=/opt/data WORKSPACE=/workspace python3 server.py
-```
-
-## Runtime state
-
-Runtime files are intentionally not committed:
-
-- `data/*.db`
-- `data/.auth_keys`
-- Hermes `Agents/`
-- workspace `Files/`
-
-For VPS deployment, mount clean persistent volumes into `/opt/data` and `/workspace`.
+# Workframe API Service
+
+**Version:** `0.1.0` (`workframe-api-0.1.0`). See `docs/VERSION.md`.
+
+Active backend service for the transplanted Workframe vertical slice.
+
+This is intentionally preserved as the current Python BFF instead of being rewritten into `apps/api`.
+
+## Local
+
+```bash
+cd services/workframe-api
+python3 -m venv .venv
+. .venv/bin/activate
+pip install -r requirements.txt
+HOST=0.0.0.0 PORT=8080 HERMES_DATA=/opt/data WORKSPACE=/workspace python3 server.py
+```
+
+## Runtime state
+
+Runtime files are intentionally not committed:
+
+- `data/*.db`
+- `data/.auth_keys`
+- Hermes `Agents/`
+- workspace `Files/`
+
+For VPS deployment, mount clean persistent volumes into `/opt/data` and `/workspace`.