forgedev 1.2.0 → 1.4.0

package/src/doctor-checks.js

@@ -1,5 +1,12 @@
 import fs from 'node:fs';
 import path from 'node:path';
+import {
+  checkChainproofExists,
+  checkChainproofIntegrity,
+  checkChainproofUnsigned,
+} from './doctor-checks-chainproof.js';
+
+export { checkChainproofExists, checkChainproofIntegrity, checkChainproofUnsigned };
 
 export function runAllChecks(projectDir, scan) {
   const issues = [];
@@ -21,6 +28,9 @@ export function runAllChecks(projectDir, scan) {
   issues.push(...checkDuplicateCode(projectDir));
   issues.push(...checkDeadFeatures(projectDir, scan));
   issues.push(...checkAIPrompts(projectDir));
+  issues.push(...checkChainproofExists(projectDir));
+  issues.push(...checkChainproofIntegrity(projectDir));
+  issues.push(...checkChainproofUnsigned(projectDir));
 
   return issues.sort((a, b) => {
     const order = { critical: 0, warning: 1, info: 2 };
@@ -36,7 +46,7 @@ function checkClaudeMdLength(projectDir, scan) {
   return [{
     severity: lines > 500 ? 'critical' : 'warning',
     title: `CLAUDE.md is ${lines} lines (recommended limit: 150)`,
-    impact: 'Instructions are being dropped — Claude Code ignores rules randomly when context is too large',
+    impact: 'Instructions are being dropped. Claude Code ignores rules randomly when context is too large',
     files: ['CLAUDE.md'],
     autoFixable: false,
     promptId: 'CLAUDE_MD_TOO_LONG',
@@ -68,7 +78,7 @@ function checkUnauthEndpoints(projectDir, scan) {
             issues.push({
               severity: 'critical',
               title: `Unauthenticated endpoint: ${relPath}:${i + 1}`,
-              impact: 'Security vulnerability — data accessible without login',
+              impact: 'Security vulnerability, data accessible without login',
               files: [`${relPath}:${i + 1}`],
               autoFixable: false,
               promptId: 'UNAUTH_ENDPOINT',
@@ -86,11 +96,14 @@ function checkUnauthEndpoints(projectDir, scan) {
     const apiDir = path.join(projectDir, srcDir, 'app', 'api');
     if (!fs.existsSync(apiDir)) return issues;
 
-    const routeFiles = findFiles(apiDir, '.ts').concat(findFiles(apiDir, '.tsx'));
+    const routeFiles = findFiles(apiDir, '.ts').concat(findFiles(apiDir, '.tsx'))
+      .concat(findFiles(apiDir, '.js')).concat(findFiles(apiDir, '.jsx'));
     for (const file of routeFiles) {
-      if (path.basename(file) === 'route.ts' || path.basename(file) === 'route.tsx') {
+      const basename = path.basename(file);
+      if (basename === 'route.ts' || basename === 'route.tsx' ||
+          basename === 'route.js' || basename === 'route.jsx') {
         // Skip health endpoints
-        if (file.includes('/health/')) continue;
+        if (file.includes(`${path.sep}health${path.sep}`)) continue;
 
         const content = fs.readFileSync(file, 'utf-8');
         if (!content.includes('getServerSession') && !content.includes('auth(') &&
@@ -118,7 +131,7 @@ function checkUnauthEndpoints(projectDir, scan) {
     return [{
       severity,
       title: `${issues.length} endpoints have no authentication`,
-      impact: 'Security vulnerability — data accessible without login',
+      impact: 'Security vulnerability, data accessible without login',
       files: allFiles,
       autoFixable: false,
       promptId: 'UNAUTH_ENDPOINT',
@@ -161,7 +174,7 @@ function checkFlakyTestPatterns(projectDir) {
     issues.push({
       severity: 'critical',
       title: `${flakyFiles.length} tests use waitForTimeout() or hardcoded delays`,
-      impact: 'Tests fail randomly — unreliable CI',
+      impact: 'Tests fail randomly, which means unreliable CI',
       files: flakyFiles,
       autoFixable: false,
       promptId: 'FLAKY_TESTS',
@@ -191,7 +204,7 @@ function checkCrossDomainImports(projectDir, scan) {
         issues.push({
           severity: 'critical',
           title: `Cross-domain import: ${path.relative(projectDir, file)} imports from ${backendDir}`,
-          impact: 'Build will break or bundle server code into client — security risk',
+          impact: 'Build will break or bundle server code into client. This is a security risk',
           files: [path.relative(projectDir, file)],
           autoFixable: false,
           promptId: 'CROSS_DOMAIN_IMPORT',
@@ -206,7 +219,7 @@ function checkCrossDomainImports(projectDir, scan) {
     return [{
       severity: 'critical',
       title: `${issues.length} cross-domain imports (frontend importing backend or vice versa)`,
-      impact: 'Build will break or bundle server code into client — security risk',
+      impact: 'Build will break or bundle server code into client. This is a security risk',
       files: allFiles,
       autoFixable: false,
       promptId: 'CROSS_DOMAIN_IMPORT',
@@ -252,7 +265,7 @@ function checkBareExcepts(projectDir) {
   }];
 }
 
-function checkMissingHealthEndpoint(projectDir, scan) {
+function checkMissingHealthEndpoint(projectDir, _scan) {
   // Search for health endpoints by file path or content
   const patterns = ['/health', '/healthz', '/api/health'];
   const searchDirs = ['src', 'backend', 'app', 'frontend/src'];
@@ -286,7 +299,7 @@ function checkMissingHealthEndpoint(projectDir, scan) {
   }];
 }
 
-function checkMissingGracefulShutdown(projectDir, scan) {
+function checkMissingGracefulShutdown(projectDir, _scan) {
   const searchDirs = ['src', 'backend', 'app', 'frontend/src'];
   const signals = ['SIGTERM', 'SIGINT', 'process.on', 'signal.signal', 'lifespan'];
 
@@ -318,7 +331,7 @@ function checkMissingUAT(scan) {
   return [{
     severity: 'warning',
     title: 'No UAT scenarios',
-    impact: 'No formal acceptance criteria — features may not work as intended',
+    impact: 'No formal acceptance criteria, so features may not work as intended',
     files: [],
     autoFixable: false,
     promptId: 'MISSING_UAT',
@@ -340,7 +353,7 @@ function checkScatteredAPICalls(projectDir, scan) {
     // Skip files that ARE the API client
     if (['api.ts', 'api.js', 'apiClient.ts', 'apiClient.js', 'fetcher.ts', 'fetcher.js'].includes(basename)) continue;
     // Skip non-component files
-    if (file.includes('/lib/') || file.includes('/services/') || file.includes('/utils/')) continue;
+    if (file.includes(`${path.sep}lib${path.sep}`) || file.includes(`${path.sep}services${path.sep}`) || file.includes(`${path.sep}utils${path.sep}`)) continue;
 
     const content = fs.readFileSync(file, 'utf-8');
     if (/fetch\s*\(\s*['"`]\/api\//.test(content) || /fetch\s*\(\s*['"`]http/.test(content) ||
@@ -387,7 +400,7 @@ function checkLargeFiles(projectDir) {
 
   return [{
     severity: 'info',
-    title: `${largeFiles.length} files over 500 lines — candidates for splitting`,
+    title: `${largeFiles.length} files over 500 lines (candidates for splitting)`,
     impact: 'Large files are hard to navigate, review, and test',
     files: largeFiles.map(f => `${f.file} (${f.lines} lines)`),
     autoFixable: false,
@@ -406,7 +419,7 @@ function checkMissingScopedClaudeMd(projectDir, scan) {
   if (!fs.existsSync(path.join(projectDir, frontendDir, 'CLAUDE.md'))) {
     issues.push({
       severity: 'info',
-      title: `No ${frontendDir}/CLAUDE.md — frontend rules not scoped`,
+      title: `No ${frontendDir}/CLAUDE.md, frontend rules not scoped`,
       impact: 'Claude Code loads all rules even when working only on frontend',
       files: [],
       autoFixable: false,
@@ -418,7 +431,7 @@ function checkMissingScopedClaudeMd(projectDir, scan) {
   if (!fs.existsSync(path.join(projectDir, backendDir, 'CLAUDE.md'))) {
     issues.push({
       severity: 'info',
-      title: `No ${backendDir}/CLAUDE.md — backend rules not scoped`,
+      title: `No ${backendDir}/CLAUDE.md, backend rules not scoped`,
       impact: 'Claude Code loads all rules even when working only on backend',
       files: [],
       autoFixable: false,
@@ -430,11 +443,16 @@ function checkMissingScopedClaudeMd(projectDir, scan) {
   return issues;
 }
 
-function checkUnusedDependencies(projectDir, scan) {
+function checkUnusedDependencies(projectDir, _scan) {
   const pkgPath = path.join(projectDir, 'package.json');
   if (!fs.existsSync(pkgPath)) return [];
 
-  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+  let pkg;
+  try {
+    pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+  } catch {
+    return [];
+  }
   const deps = Object.keys(pkg.dependencies || {});
   if (deps.length === 0) return [];
 
@@ -526,7 +544,7 @@ function checkHardcodedValues(projectDir) {
   return [{
     severity: 'warning',
     title: `${hardcoded.length} hardcoded values that should be in environment variables`,
-    impact: 'Cannot change config without code changes — breaks deployment',
+    impact: 'Cannot change config without code changes, which breaks deployment',
     files: hardcoded,
     autoFixable: false,
     promptId: 'HARDCODED_VALUES',
@@ -709,7 +727,7 @@ function checkAIPrompts(projectDir) {
 
   return [{
     severity: 'info',
-    title: `${issues.length} files have inline AI prompts — consider a prompts file`,
+    title: `${issues.length} files have inline AI prompts. Consider a prompts file`,
     impact: 'Inline prompts are hard to version, test, and iterate on',
     files: issues,
     autoFixable: false,
@@ -741,3 +759,4 @@ function findFiles(dir, ext) {
 
   return results;
 }
+

package/src/doctor-prompts.js

@@ -1,7 +1,7 @@
 const PROMPT_TEMPLATES = {
   CLAUDE_MD_TOO_LONG: (issue) => {
     const lines = issue.title.match(/(\d+) lines/)?.[1] || '?';
-    return `Read CLAUDE.md. It's ${lines} lines — too long for Claude Code to follow reliably (target: <150).
+    return `Read CLAUDE.md. It's ${lines} lines, too long for Claude Code to follow reliably (target: <150).
 
 Propose a split:
 - What stays in CLAUDE.md (universal rules, commands, pitfalls)
@@ -25,7 +25,7 @@ Write a test for each endpoint confirming 401 without auth.`;
 
   FLAKY_TESTS: (issue) => {
     const fileList = (issue.files || []).map(f => `- ${f}`).join('\n');
-    return `These tests use waitForTimeout() or hardcoded delays — they will fail randomly:
+    return `These tests use waitForTimeout() or hardcoded delays. They will fail randomly:
 ${fileList}
 
 For each:
@@ -55,10 +55,10 @@ ${fileList}
 For each: replace with a specific exception type.
 - If catching expected errors: except ValueError, except KeyError, etc.
 - If catching any exception for logging: except Exception as e: with logging
-- Never use bare except: — it hides bugs`;
+- Never use bare except: because it hides bugs`;
   },
 
-  MISSING_HEALTH: (issue) => {
+  MISSING_HEALTH: (_issue) => {
     return `Add a health check endpoint to the application.
 
 For FastAPI: Add a /health endpoint that returns {"status": "ok"} and optionally checks database connectivity.
@@ -68,7 +68,7 @@ For both: Include database connectivity check if a database is configured.
 This endpoint is used by load balancers and monitoring to verify the app is running.`;
   },
 
-  MISSING_SHUTDOWN: (issue) => {
+  MISSING_SHUTDOWN: (_issue) => {
     return `Add graceful shutdown handling to the application.
 
 For FastAPI: Use the lifespan context manager to handle startup/shutdown events.
@@ -114,7 +114,7 @@ For each:
 3. Update imports
 4. Run tests after each extraction
 
-Don't refactor all at once — one file per session.`;
+Don't refactor all at once. Do one file per session.`;
   },
 
   MISSING_SCOPED_CLAUDE_MD: (issue) => {
@@ -177,7 +177,7 @@ ${fileList}
 Extract all prompts into a dedicated prompts file (e.g., src/lib/prompts.ts or prompts/). This makes prompts easier to version, A/B test, and iterate on without changing application code.`;
   },
 
-  DEVFORGE_UPDATE: (issue) => {
+  DEVFORGE_UPDATE: (_issue) => {
     return `A newer version of DevForge is available.
 
 Run: npm install -g forgedev@latest
@@ -221,7 +221,7 @@ ${prompt}
     sessionNum++;
   }
 
-  return `# Fix Prompts — Run These in Claude Code (In Order)
+  return `# Fix Prompts - Run These in Claude Code (In Order)
 
 ${sections.join('\n')}
 Run each as a separate Claude Code session. /clear between sessions.
@@ -232,7 +232,7 @@ export function generateReport(issues, projectName) {
   const critical = issues.filter(i => i.severity === 'critical');
   const warnings = issues.filter(i => i.severity === 'warning');
   const info = issues.filter(i => i.severity === 'info');
-  let report = `# DevForge Doctor Report — ${projectName}
+  let report = `# DevForge Doctor Report - ${projectName}
 Generated: ${new Date().toISOString().split('T')[0]}
 
 ## Summary

package/src/doctor.js

@@ -9,7 +9,7 @@ import { askDoctorAction } from './prompts.js';
 
 export async function runDoctor(projectDir) {
   console.log('');
-  console.log(chalk.bold.cyan('  🔨 DevForge Doctor') + chalk.dim(' — Project Health Check'));
+  console.log(chalk.bold.cyan('  🔨 DevForge Doctor') + chalk.dim('  Project Health Check'));
   console.log('');
   console.log('  Scanning...');
   console.log('');
@@ -45,7 +45,7 @@ export async function runDoctor(projectDir) {
       });
     }
   } catch {
-    // Silently ignore — network issues shouldn't block doctor
+    // Silently ignore. Network issues shouldn't block doctor
   }
 
   if (issues.length === 0) {
@@ -247,8 +247,7 @@ async function autoFixSafe(issues, projectDir) {
           fs.chmodSync(hookPath, '755');
           console.log(chalk.green(`  ✓ Fixed ${path.join('.claude/hooks', hookFile)} permissions (chmod +x)`));
           fixed++;
-        } catch {
-          // Skip
+        } catch { // Permission change failed on this hook, continue
         }
       }
     }
@@ -262,6 +261,8 @@ async function autoFixSafe(issues, projectDir) {
 
     if (!content.includes('.claude/todos')) entriesToAdd.push('.claude/todos');
     if (!content.includes('.claude/plans')) entriesToAdd.push('.claude/plans');
+    if (!content.includes('.env.local')) entriesToAdd.push('.env.local');
+    if (!content.includes('.env.*.local')) entriesToAdd.push('.env.*.local');
 
     if (entriesToAdd.length > 0) {
       const addition = '\n# Claude Code temp files\n' + entriesToAdd.join('\n') + '\n';
@@ -271,6 +272,38 @@ async function autoFixSafe(issues, projectDir) {
     }
   }
 
+  // Create missing .env.example if .env exists but no example
+  const envPath = path.join(projectDir, '.env');
+  const envExamplePath = path.join(projectDir, '.env.example');
+  if (fs.existsSync(envPath) && !fs.existsSync(envExamplePath)) {
+    const envContent = fs.readFileSync(envPath, 'utf-8');
+    const exampleContent = envContent
+      .split('\n')
+      .map(line => {
+        if (!line.includes('=') || line.startsWith('#')) return line;
+        const key = line.split('=')[0];
+        return `${key}=`;
+      })
+      .join('\n');
+    fs.writeFileSync(envExamplePath, exampleContent, 'utf-8');
+    console.log(chalk.green('  ✓ Created .env.example from .env (values stripped)'));
+    fixed++;
+  }
+
+  // Create missing CLAUDE.md for subdirectories in polyglot projects
+  const frontendDir = path.join(projectDir, 'frontend');
+  const backendDir = path.join(projectDir, 'backend');
+  if (fs.existsSync(frontendDir) && fs.existsSync(backendDir)) {
+    for (const subdir of ['frontend', 'backend']) {
+      const subdirClaudeMd = path.join(projectDir, subdir, 'CLAUDE.md');
+      if (!fs.existsSync(subdirClaudeMd)) {
+        fs.writeFileSync(subdirClaudeMd, `# ${subdir}\n\nSee root CLAUDE.md for project-level rules. This file contains ${subdir}-specific overrides.\n`, 'utf-8');
+        console.log(chalk.green(`  ✓ Created ${subdir}/CLAUDE.md (scoped)`));
+        fixed++;
+      }
+    }
+  }
+
   const skipped = issues.filter(i => !i.autoFixable).length;
 
   if (fixed === 0) {

package/src/guided.js

@@ -91,7 +91,7 @@ export function analyzeDescription(text) {
     suggestedServiceType = 'web_app';
   }
 
-  // AI service override — if AI is the primary focus
+  // AI service override: if AI is the primary focus
   if (features.includes('ai') && !features.includes('dashboard') && !features.includes('payments')) {
     suggestedServiceType = 'ai_service';
   }
@@ -114,7 +114,7 @@ export function mapFeaturesToStack(analysis) {
   return stackConfig;
 }
 
-export function buildGuidedPreview(analysis, stackConfig) {
+export function buildGuidedPreview(analysis, _stackConfig) {
   const lines = [];
 
   lines.push(chalk.bold('  What you\'ll get:'));
@@ -208,7 +208,7 @@ npm run dev`;
 
 DevForge created a starter version of your app with all the basic
 building blocks in place. Think of it like getting a house with the
-foundation, walls, and plumbing already done — you just need to
+foundation, walls, and plumbing already done. You just need to
 furnish and decorate it.
 
 ## Your Project Structure (Plain English)

package/src/index.js

@@ -2,7 +2,7 @@ import path from 'node:path';
 import fs from 'node:fs';
 import { execSync } from 'node:child_process';
 import chalk from 'chalk';
-import { log, toKebabCase } from './utils.js';
+import { log, toKebabCase, copyEnvCmd } from './utils.js';
 import { askServiceType, askRefinements, askNewMode, confirmStack } from './prompts.js';
 import { recommend } from './recommender.js';
 import { compose } from './composer.js';
@@ -12,9 +12,9 @@ import { generateUAT } from './uat-generator.js';
 export async function runNew(projectName) {
   const safeName = toKebabCase(projectName);
 
-  // Validate project name — must be a clean kebab-case identifier
-  if (!/^[a-z0-9][a-z0-9-]*$/.test(safeName)) {
-    log.error('Project name must start with a letter or number and contain only lowercase letters, numbers, and hyphens.');
+  // Validate project name. Must be a clean kebab-case identifier
+  if (!/^[a-z][a-z0-9]*(?:-[a-z0-9]+)*$/.test(safeName)) {
+    log.error('Project name must start with a letter, contain only lowercase letters, numbers, and hyphens, and not have consecutive or trailing hyphens.');
     process.exit(1);
   }
 
@@ -26,7 +26,7 @@ export async function runNew(projectName) {
   }
 
   console.log('');
-  console.log(chalk.bold.cyan('  🔨 DevForge') + chalk.dim(' — Let\'s build something.'));
+  console.log(chalk.bold.cyan('  🔨 DevForge') + chalk.dim('  Let\'s build something.'));
   console.log('');
 
   const mode = await askNewMode();
@@ -62,7 +62,7 @@ async function runDeveloperFlow(safeName, outputDir) {
 
 export async function scaffold(outputDir, stackConfig) {
   console.log('');
-  const totalSteps = stackConfig.claudeCode ? 4 : 3;
+  const totalSteps = stackConfig.claudeCode ? 5 : 4;
   let step = 0;
 
   step++;
@@ -79,6 +79,11 @@ export async function scaffold(outputDir, stackConfig) {
   log.step(step, totalSteps, 'Generating UAT templates...');
   await generateUAT(outputDir, stackConfig);
 
+  step++;
+  log.step(step, totalSteps, 'Initializing ChainProof trust chain...');
+  const { initChainproof } = await import('./chainproof-bridge.js');
+  initChainproof(outputDir);
+
   step++;
   log.step(step, totalSteps, 'Initializing git repository...');
   initGit(outputDir);
@@ -93,7 +98,7 @@ function initGit(outputDir) {
   try {
     execSync('git init', { cwd: outputDir, stdio: 'ignore' });
   } catch {
-    // git not available — skip silently
+    log.dim('  git not available, skipping repository initialization');
   }
 }
 
@@ -109,7 +114,7 @@ export function printNextSteps(projectName, config, isGuided = false) {
     console.log(chalk.bold('  📖 New to coding? Here\'s what to do next:'));
     console.log('    1. Open this folder in VS Code (or any code editor)');
     console.log('    2. If you have Claude Code installed, type /workflows');
-    console.log('       — it will guide you step by step');
+    console.log('       It will guide you step by step');
     console.log('    3. Or read docs/getting-started.md for a beginner-friendly walkthrough');
     console.log('');
     return;
@@ -120,7 +125,7 @@ export function printNextSteps(projectName, config, isGuided = false) {
 
   if (config.stackId === 'nextjs-fullstack') {
     console.log('    npm install');
-    console.log('    cp .env.example .env');
+    console.log(`    ${copyEnvCmd()}`);
     console.log('    npx prisma db push');
     console.log('    npm run dev');
   } else if (config.stackId === 'fastapi-backend') {
@@ -128,7 +133,7 @@ export function printNextSteps(projectName, config, isGuided = false) {
     console.log('    python -m venv venv');
     console.log('    source venv/bin/activate  # or venv\\Scripts\\activate on Windows');
     console.log('    pip install -r requirements.txt');
-    console.log('    cp .env.example .env');
+    console.log(`    ${copyEnvCmd()}`);
     console.log('    uvicorn app.main:app --reload');
   } else if (config.stackId === 'polyglot-fullstack') {
     console.log('    docker compose up -d postgres');
@@ -136,6 +141,21 @@ export function printNextSteps(projectName, config, isGuided = false) {
     console.log('    cd frontend && npm install && npm run dev');
     console.log('    # Backend:');
     console.log('    cd backend && pip install -r requirements.txt && uvicorn app.main:app --reload');
+  } else if (config.stackId === 'react-express') {
+    console.log('    # Frontend:');
+    console.log('    cd frontend && npm install && npm run dev');
+    console.log('    # Backend (in a separate terminal):');
+    console.log(`    cd backend && npm install && ${copyEnvCmd()} && npx prisma db push && npm run dev`);
+  } else if (config.stackId === 'remix-fullstack') {
+    console.log('    npm install');
+    console.log(`    ${copyEnvCmd()}`);
+    console.log('    npx prisma db push');
+    console.log('    npm run dev');
+  } else if (config.stackId === 'hono-api') {
+    console.log('    npm install');
+    console.log(`    ${copyEnvCmd()}`);
+    console.log('    npx prisma db push');
+    console.log('    npm run dev');
   }
 
   if (config.claudeCode) {
@@ -149,6 +169,7 @@ export function printNextSteps(projectName, config, isGuided = false) {
     console.log(chalk.dim('    - .claude/commands/  (audit, verify, pre-pr)'));
     console.log(chalk.dim('    - docs/prompt-library.md'));
     console.log(chalk.dim('    - docs/uat/          (acceptance testing)'));
+    console.log(chalk.dim('    - .chainproof/       (trust chain tracking)'));
   }
 
   console.log('');

package/src/init-mode.js

@@ -1,13 +1,15 @@
 import path from 'node:path';
+import fs from 'node:fs';
 import chalk from 'chalk';
-import { log } from './utils.js';
+import { log, ROOT_DIR, ensureDir } from './utils.js';
 import { scanProject } from './scanner.js';
 import { generateClaudeConfig } from './claude-configurator.js';
 import { generateUAT } from './uat-generator.js';
+import { initChainproof } from './chainproof-bridge.js';
 
 export async function runInit(projectDir) {
   console.log('');
-  console.log(chalk.bold.cyan('  🔨 DevForge') + chalk.dim(' — Adding dev guardrails'));
+  console.log(chalk.bold.cyan('  🔨 DevForge') + chalk.dim('  Adding dev guardrails'));
   console.log('');
   console.log('  Scanning...');
   console.log('');
@@ -51,38 +53,61 @@ export async function runInit(projectDir) {
   // Generate Claude Code infrastructure (skips CLAUDE.md if it exists, merges settings.json if it exists)
   const skipClaudeMd = scan.infrastructure.hasClaudeMd;
   const mergeSettings = scan.infrastructure.hasHooks;
-  await generateClaudeConfig(projectDir, stackConfig, { skipClaudeMd, mergeSettings });
+  const { agents, commands } = await generateClaudeConfig(projectDir, stackConfig, { skipClaudeMd, mergeSettings });
 
   if (!skipClaudeMd) {
-    console.log(chalk.green('  ✓ ') + 'CLAUDE.md — project context + rules');
+    console.log(chalk.green('  ✓ ') + 'CLAUDE.md (project context + rules)');
   } else {
-    console.log(chalk.yellow('  ⊘ ') + `CLAUDE.md — exists (tip: run ${chalk.cyan('/optimize-claude-md')} to slim it)`);
+    console.log(chalk.yellow('  ⊘ ') + `CLAUDE.md already exists (tip: run ${chalk.cyan('/optimize-claude-md')} to slim it)`);
   }
 
   if (!scan.infrastructure.hasHooks) {
-    console.log(chalk.green('  ✓ ') + '.claude/hooks/ — auto-lint, quality gate, file protection');
+    console.log(chalk.green('  ✓ ') + '.claude/hooks/ (auto-lint, quality gate, file protection)');
   } else {
-    console.log(chalk.yellow('  ⊘ ') + '.claude/hooks/ — already configured');
+    console.log(chalk.yellow('  ⊘ ') + '.claude/hooks/ already configured');
   }
 
   if (!scan.infrastructure.hasAgents) {
-    console.log(chalk.green('  ✓ ') + '.claude/agents/ — code quality, security, spec validator');
+    console.log(chalk.green('  ✓ ') + `.claude/agents/ (${agents.count} agents installed)`);
+  } else {
+    console.log(chalk.green('  ✓ ') + `.claude/agents/ (${agents.count} agents synced)`);
   }
   if (!scan.infrastructure.hasCommands) {
-    console.log(chalk.green('  ✓ ') + '.claude/commands/ — help, status, next, done, audit, pre-pr');
+    console.log(chalk.green('  ✓ ') + `.claude/commands/ (${commands.count} commands installed)`);
+  } else {
+    console.log(chalk.green('  ✓ ') + `.claude/commands/ (${commands.count} commands synced)`);
   }
   if (!scan.infrastructure.hasSkills) {
-    console.log(chalk.green('  ✓ ') + '.claude/skills/ — framework-specific knowledge');
+    console.log(chalk.green('  ✓ ') + '.claude/skills/ (framework-specific knowledge)');
+  }
+
+  // Report orphan cleanup
+  const removedFiles = [...agents.removed, ...commands.removed];
+  if (removedFiles.length > 0) {
+    const removedNames = removedFiles.map(f => f.replace('.md', ''));
+    console.log(chalk.dim('  - ') + `Cleaned up ${removedFiles.length} outdated file${removedFiles.length > 1 ? 's' : ''}: ${removedNames.join(', ')}`);
   }
 
   // Generate UAT templates
   if (!scan.infrastructure.hasUAT) {
     await generateUAT(projectDir, stackConfig);
-    console.log(chalk.green('  ✓ ') + 'docs/uat/ — acceptance test templates');
+    console.log(chalk.green('  ✓ ') + 'docs/uat/ (acceptance test templates)');
   } else {
-    console.log(chalk.yellow('  ⊘ ') + 'docs/uat/ — already exists');
+    console.log(chalk.yellow('  ⊘ ') + 'docs/uat/ already exists');
   }
 
+  // Initialize ChainProof trust chain
+  const chainproofDir = path.join(projectDir, '.chainproof');
+  if (!fs.existsSync(chainproofDir)) {
+    initChainproof(projectDir);
+    console.log(chalk.green('  ✓ ') + '.chainproof/ (trust chain initialized)');
+  } else {
+    console.log(chalk.yellow('  ⊘ ') + '.chainproof/ already exists');
+  }
+
+  // Install ChainProof MCP server and configure .mcp.json
+  setupChainproofMcp(projectDir);
+
   console.log('');
   log.success('  Done. Your project is now configured for Claude Code.');
   console.log('');
@@ -136,3 +161,42 @@ export function buildConfigFromScan(scan) {
 
   return config;
 }
+
+export function setupChainproofMcp(projectDir) {
+  // Copy MCP server script into .chainproof/
+  const serverSrc = path.join(ROOT_DIR, 'templates', 'chainproof', 'base', '.chainproof', 'mcp-server.mjs');
+  const serverDest = path.join(projectDir, '.chainproof', 'mcp-server.mjs');
+  if (fs.existsSync(serverSrc) && !fs.existsSync(serverDest)) {
+    ensureDir(path.dirname(serverDest));
+    fs.copyFileSync(serverSrc, serverDest);
+  }
+
+  // Configure .mcp.json (merge if exists)
+  const mcpPath = path.join(projectDir, '.mcp.json');
+  const chainproofMcpEntry = {
+    command: 'node',
+    args: ['.chainproof/mcp-server.mjs'],
+    env: {},
+  };
+
+  if (fs.existsSync(mcpPath)) {
+    try {
+      const existing = JSON.parse(fs.readFileSync(mcpPath, 'utf-8'));
+      existing.mcpServers = existing.mcpServers || {};
+      if (!existing.mcpServers.chainproof) {
+        existing.mcpServers.chainproof = chainproofMcpEntry;
+        fs.writeFileSync(mcpPath, JSON.stringify(existing, null, 2) + '\n', 'utf-8');
+        console.log(chalk.green('  ✓ ') + '.mcp.json (added ChainProof server)');
+      } else {
+        console.log(chalk.yellow('  ⊘ ') + '.mcp.json already has ChainProof configured');
+      }
+    } catch {
+      // Corrupted .mcp.json, don't touch it
+      console.log(chalk.yellow('  ⊘ ') + '.mcp.json exists but could not be parsed');
+    }
+  } else {
+    const mcpConfig = { mcpServers: { chainproof: chainproofMcpEntry } };
+    fs.writeFileSync(mcpPath, JSON.stringify(mcpConfig, null, 2) + '\n', 'utf-8');
+    console.log(chalk.green('  ✓ ') + '.mcp.json (ChainProof MCP auto-configured)');
+  }
+}