forgecraft-mcp 0.2.1 → 0.3.0

package/templates/fintech/skills.yaml

@@ -0,0 +1,35 @@
+tag: FINTECH
+section: skills
+skills:
+  - id: fintech-money-audit
+    name: Money Calculation Audit
+    filename: fintech-money-audit.md
+    description: "Audit codebase for monetary calculation safety"
+    tier: core
+    content: |
+      Audit the codebase for monetary calculation risks.
+
+      Scan for:
+      1. **Floating-point arithmetic on money**:
+         - Any use of `float`, `double`, or JavaScript `number` for currency amounts
+         - Arithmetic operations (+, -, *, /) on money values without decimal/integer cents
+         - Rounding errors in tax, discount, or fee calculations
+      2. **Currency handling**:
+         - Money values stored without currency code
+         - Mixed-currency arithmetic without explicit conversion
+         - Missing exchange rate snapshots for audit trail
+      3. **Rounding**:
+         - Inconsistent rounding modes (banker's rounding vs. standard)
+         - Rounding applied at intermediate steps instead of final result
+         - Missing rounding specification in calculations
+      4. **Overflow / precision**:
+         - Integer cents stored in types too small for large amounts
+         - Multiplication (e.g., interest) without precision guards
+         - Division without remainder handling
+
+      For each finding, report:
+      - **File**: path
+      - **Line**: number
+      - **Risk**: CRITICAL | HIGH | MEDIUM
+      - **Issue**: what could go wrong
+      - **Fix**: recommended change (e.g., use Decimal library, store as integer cents)

package/templates/game/mcp-servers.yaml

@@ -7,4 +7,5 @@ servers:
     args: ["-y", "@anthropic/unity-mcp"]
     tags: [GAME]
     category: game-engine
+    tier: recommended
     url: "https://github.com/CoplayDev/unity-mcp"

package/templates/healthcare/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "@modelcontextprotocol/server-postgres"]
     tags: [DATA-PIPELINE, API, HEALTHCARE]
     category: database
+    tier: recommended
     env:
       POSTGRES_CONNECTION_STRING: ""
     url: "https://github.com/modelcontextprotocol/servers/tree/main/src/postgres"

package/templates/healthcare/skills.yaml

@@ -0,0 +1,35 @@
+tag: HEALTHCARE
+section: skills
+skills:
+  - id: healthcare-phi-audit
+    name: PHI Audit
+    filename: healthcare-phi-audit.md
+    description: "Scan codebase for PHI exposure risks"
+    tier: core
+    content: |
+      Audit the codebase for Protected Health Information (PHI) exposure risks.
+
+      Scan for:
+      1. **Logging**: Search for log statements that might include PHI fields:
+         - Patient name, DOB, SSN, MRN, address, phone, email
+         - Diagnosis codes, treatment plans, lab results
+         - Any field from a patient/member/encounter model
+      2. **Error messages**: Check that error responses don't leak PHI in:
+         - API error bodies
+         - Exception messages
+         - Stack traces exposed to clients
+      3. **Storage**: Verify PHI at rest is protected:
+         - Database fields containing PHI are identified and encrypted
+         - File uploads with PHI use encrypted storage
+         - Temporary files are cleaned up
+      4. **Transmission**: Verify PHI in transit:
+         - All endpoints serving PHI require HTTPS
+         - No PHI in URL query parameters (use POST body)
+         - No PHI in client-side analytics or tracking
+
+      Report each finding with:
+      - **File**: path
+      - **Line**: number
+      - **Risk**: HIGH | MEDIUM | LOW
+      - **PHI type**: what data is exposed
+      - **Fix**: recommended remediation

package/templates/hipaa/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "@modelcontextprotocol/server-postgres"]
     tags: [HIPAA, HEALTHCARE, API]
     category: database
+    tier: recommended
     env:
       POSTGRES_CONNECTION_STRING: ""
     url: "https://github.com/modelcontextprotocol/servers/tree/main/src/postgres"

package/templates/hipaa/skills.yaml

@@ -0,0 +1,39 @@
+tag: HIPAA
+section: skills
+skills:
+  - id: hipaa-compliance-check
+    name: HIPAA Compliance Check
+    filename: hipaa-compliance-check.md
+    description: "Verify HIPAA technical safeguard compliance"
+    tier: core
+    content: |
+      Check the project for HIPAA technical safeguard compliance.
+
+      Verify each requirement:
+
+      **Access Controls (§164.312(a))**:
+      - [ ] Unique user identification — every user has a unique ID
+      - [ ] Emergency access procedure — documented break-glass process
+      - [ ] Automatic logoff — session timeout configured
+      - [ ] Encryption/decryption — PHI encrypted at rest
+
+      **Audit Controls (§164.312(b))**:
+      - [ ] Audit logging enabled for all PHI access
+      - [ ] Logs include: who, what, when, where (IP)
+      - [ ] Logs are tamper-evident (append-only, signed, or immutable storage)
+      - [ ] Log retention meets minimum period (6 years)
+
+      **Integrity Controls (§164.312(c))**:
+      - [ ] Data validation on PHI fields
+      - [ ] Checksums or signatures for data integrity verification
+
+      **Transmission Security (§164.312(e))**:
+      - [ ] TLS 1.2+ enforced for all PHI transmission
+      - [ ] No PHI in URL parameters
+      - [ ] Encryption for PHI in message queues or event streams
+
+      For each gap, report:
+      - **Requirement**: HIPAA section reference
+      - **Status**: COMPLIANT | GAP | PARTIAL
+      - **Finding**: what's missing
+      - **Remediation**: specific implementation steps

package/templates/infra/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "mcp-server-docker"]
     tags: [INFRA]
     category: deployment
+    tier: recommended
     url: "https://github.com/ckreiling/mcp-server-docker"
 
   - name: kubernetes
@@ -15,4 +16,5 @@ servers:
     args: ["-y", "mcp-server-kubernetes"]
     tags: [INFRA]
     category: deployment
+    tier: optional
     url: "https://github.com/strowk/mcp-k8s-go"

package/templates/library/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "@modelcontextprotocol/server-filesystem", "/"]
     tags: [CLI, LIBRARY]
     category: general
+    tier: recommended
     url: "https://github.com/modelcontextprotocol/servers/tree/main/src/filesystem"
 
   - name: npm-search
@@ -15,4 +16,5 @@ servers:
     args: ["-y", "mcp-server-npm-search"]
     tags: [LIBRARY]
     category: documentation
+    tier: optional
     url: "https://github.com/nicholasgriffintn/npm-search-mcp-server"

package/templates/medallion-architecture/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "@modelcontextprotocol/server-postgres"]
     tags: [MEDALLION-ARCHITECTURE, DATA-PIPELINE]
     category: database
+    tier: recommended
     env:
       POSTGRES_CONNECTION_STRING: ""
     url: "https://github.com/modelcontextprotocol/servers/tree/main/src/postgres"
@@ -17,4 +18,5 @@ servers:
     args: ["-y", "@modelcontextprotocol/server-filesystem"]
     tags: [MEDALLION-ARCHITECTURE, DATA-PIPELINE]
     category: filesystem
+    tier: optional
     url: "https://github.com/modelcontextprotocol/servers/tree/main/src/filesystem"

package/templates/ml/mcp-servers.yaml

@@ -7,4 +7,5 @@ servers:
     args: ["-y", "mcp-server-jupyter"]
     tags: [ML, DATA-PIPELINE]
     category: ai-ml
+    tier: recommended
     url: "https://github.com/datalayer/jupyter-mcp-server"

package/templates/mobile/mcp-servers.yaml

@@ -7,4 +7,5 @@ servers:
     args: ["-y", "mcp-server-android"]
     tags: [MOBILE]
     category: devtools
+    tier: recommended
     url: "https://github.com/nicholasgriffintn/android-mcp-server"

package/templates/observability-xray/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "mcp-server-cloudwatch"]
     tags: [OBSERVABILITY-XRAY, INFRA]
     category: monitoring
+    tier: recommended
     env:
       AWS_REGION: ""
       AWS_ACCESS_KEY_ID: ""

package/templates/realtime/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "mcp-server-redis"]
     tags: [REALTIME]
     category: database
+    tier: recommended
     env:
       REDIS_URL: "redis://localhost:6379"
     url: "https://github.com/nicholasgriffintn/redis-mcp-server"

package/templates/soc2/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "@modelcontextprotocol/server-github"]
     tags: [SOC2, UNIVERSAL]
     category: version-control
+    tier: recommended
     env:
       GITHUB_PERSONAL_ACCESS_TOKEN: ""
     url: "https://github.com/modelcontextprotocol/servers/tree/main/src/github"
@@ -17,6 +18,7 @@ servers:
     args: ["-y", "mcp-server-sentry"]
     tags: [SOC2, API]
     category: monitoring
+    tier: optional
     env:
       SENTRY_AUTH_TOKEN: ""
     url: "https://github.com/modelcontextprotocol/servers"

package/templates/social/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "@modelcontextprotocol/server-postgres"]
     tags: [DATA-PIPELINE, API, SOCIAL]
     category: database
+    tier: recommended
     env:
       POSTGRES_CONNECTION_STRING: ""
     url: "https://github.com/modelcontextprotocol/servers/tree/main/src/postgres"
@@ -17,6 +18,7 @@ servers:
     args: ["-y", "mcp-server-redis"]
     tags: [REALTIME, SOCIAL]
     category: database
+    tier: optional
     env:
       REDIS_URL: "redis://localhost:6379"
     url: "https://github.com/nicholasgriffintn/redis-mcp-server"

package/templates/state-machine/mcp-servers.yaml

@@ -7,4 +7,5 @@ servers:
     args: ["-y", "@modelcontextprotocol/server-sequential-thinking"]
     tags: [UNIVERSAL, STATE-MACHINE]
     category: general
+    tier: optional
     url: "https://github.com/modelcontextprotocol/servers/tree/main/src/sequentialthinking"

package/templates/universal/hooks.yaml

@@ -182,6 +182,69 @@ hooks:
       fi
       echo "🔍 Production quality scan passed"
 
+  - name: function-length
+    trigger: pre-commit
+    description: "Warn when staged functions exceed the configured maximum line count"
+    filename: pre-commit-function-length.sh
+    script: |
+      #!/bin/bash
+      MAX_LENGTH={{max_function_length | default: 50}}
+      STAGED=$(git diff --cached --name-only --diff-filter=ACM)
+      SOURCE_FILES=$(echo "$STAGED" | grep -E '\.(ts|tsx|js|jsx)$' | grep -vE '(\.test\.|\.spec\.|__tests__|tests/)')
+      if [ -z "$SOURCE_FILES" ]; then exit 0; fi
+      WARNINGS=0
+      for file in $SOURCE_FILES; do
+        # Heuristic: find function/method declarations and count lines to next declaration or closing brace
+        awk -v max="$MAX_LENGTH" -v fname="$file" '
+          /^[[:space:]]*(export )?(async )?(function |const [a-zA-Z]+ = (async )?\(|[a-zA-Z]+\(.*\) \{|[a-zA-Z]+\(.*\): )/ {
+            if (start > 0 && NR - start > max) {
+              printf "  ⚠️  %s:%d — function starting here is %d lines (max %d)\n", fname, start, NR - start, max
+              warnings++
+            }
+            start = NR
+          }
+          END {
+            if (start > 0 && NR - start > max) {
+              printf "  ⚠️  %s:%d — function starting here is %d lines (max %d)\n", fname, start, NR - start, max
+              warnings++
+            }
+          }
+        ' "$file"
+        WARNINGS=$((WARNINGS + $?))
+      done
+      # Warning only — does not block commit since bash heuristics aren't perfect
+      exit 0
+
+  - name: import-cycle-detector
+    trigger: pre-commit
+    description: "Detect circular import dependencies in TypeScript and Python projects"
+    filename: pre-commit-import-cycles.sh
+    script: |
+      #!/bin/bash
+      echo "🔄 Checking for circular imports..."
+      if [ -f "tsconfig.json" ]; then
+        if command -v npx &> /dev/null; then
+          RESULT=$(npx --yes madge --circular --extensions ts src/ 2>&1)
+          if echo "$RESULT" | grep -q "Found.*circular"; then
+            echo "❌ Circular imports detected in TypeScript:"
+            echo "$RESULT"
+            exit 1
+          fi
+          echo "  ✅ No circular imports (TypeScript)"
+        fi
+      fi
+      if [ -f "pyproject.toml" ] || [ -f "setup.py" ]; then
+        if command -v lint-imports &> /dev/null; then
+          lint-imports 2>&1
+          if [ $? -ne 0 ]; then
+            echo "❌ Circular imports detected in Python"
+            exit 1
+          fi
+          echo "  ✅ No circular imports (Python)"
+        fi
+      fi
+      echo "🔄 Import cycle check passed"
+
   - name: code-review
     trigger: pre-commit
     description: "AI assistant reviews diff against project standards"

package/templates/universal/instructions.yaml

@@ -18,10 +18,11 @@ blocks:
     title: "Code Standards"
     content: |
       ## Code Standards
-      - Maximum function/method length: {{max_function_length | default: 50}} lines. If longer, decompose.
-      - Maximum file length: {{max_file_length | default: 300}} lines. If longer, split by responsibility.
+      - Maximum function/method length: {{max_function_length | default: 50}} lines (hook-enforced).
+      - Maximum file length: {{max_file_length | default: 300}} lines (hook-enforced).
       - Maximum function parameters: {{max_function_params | default: 5}}. If more, use a parameter object.
-      - Every public function/method must have a docstring/JSDoc with typed params and returns.
+      - No circular imports — module dependency graph must be acyclic (hook-enforced).
+      - Every public function/method must have {{#if language_is_typescript}}a JSDoc comment{{/if}}{{#if language_is_python}}a docstring (Google or NumPy style){{/if}} with typed params and returns.
       - Delete orphaned code. Do not comment it out. Git has history.
       - Before creating a new utility, search the entire codebase for existing ones.
       - Reuse existing patterns — check shared modules before writing new.
@@ -81,7 +82,7 @@ blocks:
       ### Modular from Day One
       - Feature-based modules over layer-based. Each feature owns its models, service, repository, routes.
       - Module dependency graph must be acyclic.
-      - Every module has a clear public API via __init__.py / index.ts exports.
+      - Every module has a clear public API via {{#if language_is_typescript}}index.ts{{/if}}{{#if language_is_python}}__init__.py{{/if}} exports.
 
   - id: layered-architecture
     tier: recommended
@@ -124,7 +125,7 @@ blocks:
 
       ### Data Transfer Objects (DTOs)
       - Use DTOs at layer boundaries — never pass domain entities to/from the API layer.
-      - **Request DTOs**: validated at the API boundary (Zod schema → typed object).
+      - **Request DTOs**: validated at the API boundary ({{#if language_is_typescript}}Zod schema{{/if}}{{#if language_is_python}}Pydantic model{{/if}} → typed object).
       - **Response DTOs**: shaped for the consumer, not mirroring the domain model.
       - **Domain ↔ Persistence mapping**: repositories map between domain entities and DB rows/documents.
       - DTOs are plain data objects — no methods, no behavior, no framework decorators.
@@ -178,8 +179,9 @@ blocks:
       - Instead: `order.getShippingCity()` or pass the needed data directly.
 
       ### Immutability by Default
-      - Use `const` over `let`. Use `readonly` on properties and parameters.
-      - Prefer `ReadonlyArray<T>`, `Readonly<T>`, `ReadonlyMap`, `ReadonlySet`.
+      {{#if language_is_typescript}}- Use `const` over `let`. Use `readonly` on properties and parameters.
+      - Prefer `ReadonlyArray<T>`, `Readonly<T>`, `ReadonlyMap`, `ReadonlySet`.{{/if}}{{#if language_is_python}}- Use `Final` for constants. Use `frozen=True` on dataclasses.
+      - Prefer `tuple` over `list` for immutable sequences. Use `MappingProxyType` for immutable dicts.{{/if}}
       - When you need to "modify" data, create a new copy with the change.
       - Mutable state is the #1 source of bugs. Restrict it to the smallest possible scope.
 
@@ -196,117 +198,7 @@ blocks:
       - Factories are the natural companion to dependency injection — the DI container
         IS the top-level factory.
 
-  - id: domain-driven-design
-    tier: optional
-    title: "Domain-Driven Design Essentials"
-    content: |
-      ## Domain-Driven Design (DDD) Essentials
-
-      ### Entities vs. Value Objects
-      - **Entity**: has identity (ID) that persists across state changes. Two users with the
-        same name are NOT the same user. Compared by ID.
-      - **Value Object**: defined by its attributes, not identity. Two `Money(100, "USD")` are
-        the same. Immutable. Compared by value.
-      - When in doubt, make it a Value Object — they're simpler and safer.
-
-      ### Eliminate Primitive Obsession
-      - Don't use raw `string` for email, `number` for currency, `string` for phone.
-      - Wrap domain concepts in typed Value Objects: `EmailAddress`, `Money`, `PhoneNumber`.
-      - Value Objects enforce validation at construction — an invalid email can never exist.
-      - This moves validation FROM every call site TO the constructor — DRY + safe.
-
-      ### Aggregates
-      - An aggregate is a cluster of domain objects treated as a single unit for data changes.
-      - One entity is the **aggregate root** — all external access goes through it.
-      - Aggregates enforce invariants: `Order` ensures its `OrderLines` don't exceed the limit.
-      - Reference other aggregates by ID, not by direct object reference.
-
-      ### Bounded Contexts
-      - A bounded context is a boundary within which a domain model has a specific meaning.
-      - The word "Account" means different things in Billing vs. Auth vs. Social.
-      - Each context owns its models, language, and persistence — no shared database tables.
-      - Contexts communicate via well-defined interfaces, events, or an **Anti-Corruption Layer**
-        that translates between contexts.
-
-      ### Domain Events
-      - When something important happens in the domain, publish an event: `OrderPlaced`,
-        `MemberDeactivated`, `PaymentFailed`.
-      - Events decouple modules: the Order module publishes `OrderPlaced`, the Notification
-        module subscribes — neither imports the other.
-      - Events are past-tense named facts. They carry the data needed by subscribers.
-      - In-process event bus for monoliths; message broker (SQS, Kafka, NATS) for distributed.
-
-  - id: cqrs-event-patterns
-    tier: optional
-    title: "CQRS & Event Patterns"
-    content: |
-      ## CQRS & Event-Driven Patterns
-
-      ### CQRS (Command Query Responsibility Segregation)
-      When read and write patterns diverge significantly:
-      - **Command side**: validates, enforces business rules, writes to the canonical store.
-      - **Query side**: reads from optimized read models (denormalized views, search indices).
-      - Start simple: same database, separate service methods. Optimize to separate stores
-        only when read/write scaling demands it.
-      - CQRS is not mandatory everywhere — use it where read/write asymmetry is real.
-
-      ### Event Sourcing (when appropriate)
-      - Store the sequence of events, not just current state.
-      - Useful for: audit trails, temporal queries, debugging, undo/redo.
-      - NOT appropriate for: simple CRUD, low-value data, early-stage features.
-      - If you use event sourcing, you MUST also maintain a read-projection.
-
-      ### Pub/Sub & Message Patterns
-      - **Fire and forget**: publish event, don't wait for subscribers.
-      - **Request/Reply**: send command, wait for response.
-      - In-process: use an event emitter or mediator.
-      - Distributed: use durable message queues with at-least-once delivery.
-
-  - id: design-patterns-reference
-    tier: optional
-    title: "Design Patterns Quick Reference"
-    content: |
-      ## Design Patterns — When to Reach for What
-
-      ### Creational
-      - **Factory Method / Abstract Factory**: Use when instantiation logic is complex or varies by context.
-        Prefer over `new` in business logic — keep constructors for DI only.
-      - **Builder**: Use when constructing objects with many optional parameters. Fluent API preferred.
-      - **Singleton**: Almost never in application code. Use DI to manage lifecycle instead.
-        Acceptable only for: loggers, config singletons in composition root.
-
-      ### Structural
-      - **Adapter**: Wrap third-party APIs to match your port interfaces. Isolates vendor lock-in.
-      - **Facade**: Simplify complex subsystem interactions behind a unified interface.
-        Every module's `index.ts` exports are a facade.
-      - **Decorator**: Add behavior (logging, caching, retry, auth) without modifying the original.
-        Middleware pipelines are decorator chains.
-      - **Proxy**: Lazy loading, access control, or caching in front of expensive resources.
-
-      ### Behavioral
-      - **Strategy**: Extract interchangeable algorithms behind an interface. Inject the right one.
-        Examples: pricing calculators, render strategies, sort algorithms.
-      - **Observer / Pub-Sub**: Decouple event producers from consumers. Use for: domain events,
-        UI state changes, webhook fan-out. See CQRS & Event Patterns section.
-      - **Chain of Responsibility**: Middleware pipelines (Express, Koa). Each handler decides
-        to process or pass to the next. Order matters.
-      - **Command**: Encapsulate actions as objects. Enables: undo/redo, queuing, audit trail.
-
-      ### Enterprise
-      - **Repository**: Encapsulate data access behind a collection-like interface. Defined in the
-        domain layer, implemented in the infrastructure layer as adapters.
-      - **Unit of Work**: Track changes within a transaction boundary. Commit or roll back atomically.
-        Pair with Repository for database operations.
-      - **Saga**: Coordinate multi-step distributed operations. Each step has a compensating action
-        for rollback. Use for: order processing, payment flows, multi-service workflows.
-      - **Outbox**: Write events to a local outbox table in the same transaction as the state change.
-        A separate process reliably publishes them. Guarantees at-least-once event delivery.
-
-      ### Anti-Patterns to Avoid
-      - **God Object**: One class that knows/does everything. Split by responsibility.
-      - **Service Locator**: Global registry looked up at runtime. Use constructor injection instead.
-      - **Anemic Domain Model**: Entities with only getters/setters, logic in services.
-        Push behavior into domain objects.
+      > **Design reference patterns** (DDD, CQRS, GoF) available on demand via `get_design_reference` tool.
 
   - id: twelve-factor-ops
     tier: optional
@@ -416,6 +308,37 @@ blocks:
       - Define invariants, not examples: "sorting is idempotent", "encode then decode = identity".
       - Property tests complement, not replace, example-based tests.
 
+  - id: tdd-methodology
+    tier: core
+    title: "Test-Driven Development"
+    content: |
+      ## Test-Driven Development (TDD)
+
+      ### Red-Green-Refactor — The Only Cycle
+      1. **RED**: Write a failing test that describes the desired behavior. Run it. It MUST fail.
+         If it passes, the test is wrong — it's not testing what you think.
+      2. **GREEN**: Write the minimum code to make the test pass. No more.
+      3. **REFACTOR**: Clean up while all tests stay green. No new behavior in this step.
+      Repeat. Every feature, every function, every bug fix follows this cycle.
+
+      ### Tests Are Specifications, Not Confirmations
+      - Write tests against **expected behavior**, never against current implementation.
+      - A test that passes on broken code is worse than no test — it provides false confidence.
+      - Never weaken an assertion to match what the code currently does. If the code disagrees
+        with the spec, the code is wrong.
+      - Never write a test suite after the fact that just "locks in" existing behavior without
+        verifying it's correct.
+
+      ### Bug Fix Protocol
+      - **Every bug fix starts with a failing test** that reproduces the bug.
+      - The test must fail before the fix and pass after. No exceptions.
+      - If you can't write a reproducing test, you don't understand the bug well enough to fix it.
+
+      ### One Behavior Per Test
+      - Each test verifies exactly one behavior or rule.
+      - A test with multiple unrelated assertions is testing multiple things — split it.
+      - Test name = the specification: `rejects_expired_tokens`, not `test_auth`.
+
   - id: data-guardrails
     tier: core
     title: "Data Guardrails"

package/templates/universal/mcp-servers.yaml

@@ -7,6 +7,7 @@ servers:
     args: ["-y", "forgecraft-mcp"]
     tags: [UNIVERSAL]
     category: scaffolding
+    tier: core
     url: "https://github.com/jghiringhelli/forgecraft-mcp"
 
   - name: context7
@@ -15,6 +16,7 @@ servers:
     args: ["-y", "@upstash/context7-mcp@latest"]
     tags: [UNIVERSAL]
     category: documentation
+    tier: recommended
     url: "https://github.com/upstash/context7"
 
   - name: sequential-thinking
@@ -23,4 +25,14 @@ servers:
     args: ["-y", "@modelcontextprotocol/server-sequential-thinking"]
     tags: [UNIVERSAL]
     category: general
+    tier: optional
     url: "https://github.com/modelcontextprotocol/servers/tree/main/src/sequentialthinking"
+
+  - name: spec-workflow
+    description: "Spec-driven TDD workflow with structured requirements, design docs, and red-green-refactor quality gates"
+    command: npx
+    args: ["-y", "spec-workflow-mcp"]
+    tags: [UNIVERSAL]
+    category: testing
+    tier: optional
+    url: "https://github.com/Pimzino/spec-workflow-mcp"

package/templates/universal/nfr.yaml

@@ -177,7 +177,7 @@ blocks:
       ### Code Quality Metrics
       - Cyclomatic complexity: flag functions > 10, block > 15.
       - Dead code detection.
-      - Documentation coverage: all public APIs have docstrings/JSDoc.
+      - Documentation coverage: all public APIs have {{#if language_is_typescript}}JSDoc{{/if}}{{#if language_is_python}}docstrings{{/if}}.
 
       ### Technical Debt Tracking
       - Tech debt items logged in Status.md.