npm - forgehive - Versions diffs - 0.7.5 → 0.7.7 - Mend

forgehive 0.7.5 → 0.7.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +47 -8
package/dist/cli.js +30 -10
package/docs/superpowers/plans/2026-05-11-nextgen-v04-v05.md +1708 -0
package/docs/superpowers/plans/2026-05-11-v05-nextgen-gaps.md +2364 -0
package/docs/superpowers/plans/2026-05-14-sprint-planner-v2.md +1058 -0
package/docs/superpowers/plans/2026-05-14-v07-nextgen.md +1980 -0
package/docs/user-guide.md +337 -0
package/forgehive/commands/fh-docs.md +16 -6
package/forgehive/commands/full-party.md +9 -4
package/package.json +21 -6

package/docs/superpowers/plans/2026-05-11-nextgen-v04-v05.md ADDED Viewed

@@ -0,0 +1,1708 @@
+# ForgeHive NextGen v0.4 + v0.5 Implementation Plan
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+**Goal:** Implement eight NextGen features that make ForgeHive the most capable AI OS for development teams: status dashboard, filesystem watcher, guardrail hooks, workflow slash commands, skills index, agent memory, 40 MCP services, and wire credential validation.
+**Architecture:** Each feature is a new module (`src/<name>.ts`) or an extension of `src/writer.ts`/`src/wire.ts`. Runtime assets (hook scripts, command templates, index files) live in `forgehive/` and are copied into the user's `.forgehive/` at `fh init` time. All new modules follow the existing ESM + `node:test` pattern.
+**Tech Stack:** TypeScript ESM, Node.js `node:fs`/`node:child_process`/`node:http`, js-yaml, esbuild, native `node:test`
+**Repo path:** `/home/stefan/projekte/forgehive`
+**Run tests:** `npm test` (inside repo root)
+**Build:** `npm run build`
+**Test runner:** `node --import tsx/esm --test test/*.test.ts`
+---
+## File Map
+### New files
+| File | Purpose |
+|---|---|
+| `src/status.ts` | `projectStatus()` — reads .forgehive/ and returns health report |
+| `src/watch.ts` | `checkProjectHash()`, `watchProject()` — filesystem watcher |
+| `src/guardrails.ts` | `writeGuardrailHooks()` — writes settings.json + hook script |
+| `forgehive/hooks/guardrails.sh` | Hook script template for PreToolUse bash guardrails |
+| `forgehive/commands/fh-start-task.md` | Slash command: start a new task |
+| `forgehive/commands/fh-ship.md` | Slash command: pre-ship checklist |
+| `forgehive/commands/fh-review.md` | Slash command: code review workflow |
+| `forgehive/commands/fh-hotfix.md` | Slash command: hotfix protocol |
+| `forgehive/skills/INDEX.yaml` | Skills index with tags for progressive loading |
+| `test/status.test.ts` | Tests for status module |
+| `test/watch.test.ts` | Tests for watch module |
+| `test/guardrails.test.ts` | Tests for guardrails module |
+### Modified files
+| File | Changes |
+|---|---|
+| `src/writer.ts` | `initForgehiveRuntime`: copy commands/, copy INDEX.yaml, create agent memory, call guardrails |
+| `src/cli.ts` | Add `status`, `watch` command handlers; update `wire` to show validation |
+| `src/skills.ts` | `listSkills`: show INDEX tags when available |
+| `src/wire.ts` | Add 30 services (10→40); add `validateWireService()` export |
+| `forgehive/templates/claude-md.block.md` | Add skills index + agent memory instructions |
+| `test/writer.test.ts` | Tests for new init behaviors |
+| `test/wire.test.ts` | Tests for new services + validation |
+| `test/skills.test.ts` | Test INDEX-aware listSkills |
+| `package.json` | Bump version to 0.4.0 |
+---
+## Task 1: `fh status` command
+**Files:**
+- Create: `src/status.ts`
+- Create: `test/status.test.ts`
+- Modify: `src/cli.ts` (add status handler after the wire handler, before the else)
+- [ ] **Step 1: Write failing test**
+```typescript
+// test/status.test.ts
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import yaml from "js-yaml";
+import { projectStatus } from "../src/status.ts";
+describe("projectStatus()", () => {
+  let tmpDir: string;
+  let forgehiveDir: string;
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "fh-status-"));
+    forgehiveDir = path.join(tmpDir, ".forgehive");
+  });
+  afterEach(() => fs.rmSync(tmpDir, { recursive: true, force: true }));
+  it("zeigt 'not initialized' wenn .forgehive/ fehlt", () => {
+    const out = projectStatus(tmpDir, forgehiveDir);
+    assert.ok(out.includes("fh init"));
+  });
+  it("zeigt capabilities-Status", () => {
+    fs.mkdirSync(forgehiveDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(forgehiveDir, "capabilities.yaml"),
+      yaml.dump({ status: "confirmed", capabilities: { confirmed: [{ id: "typescript" }], inferred: [] } }),
+      "utf8"
+    );
+    const out = projectStatus(tmpDir, forgehiveDir);
+    assert.ok(out.includes("confirmed"));
+    assert.ok(out.includes("1"));
+  });
+  it("zeigt CLAUDE.md Block-Status", () => {
+    fs.mkdirSync(forgehiveDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(tmpDir, "CLAUDE.md"),
+      "<!-- forgehive:start -->\n# forgehive\n<!-- forgehive:end -->",
+      "utf8"
+    );
+    const out = projectStatus(tmpDir, forgehiveDir);
+    assert.ok(out.includes("CLAUDE.md"));
+  });
+  it("zeigt Skills-Zählung", () => {
+    fs.mkdirSync(path.join(forgehiveDir, "skills", "expert"), { recursive: true });
+    fs.mkdirSync(path.join(forgehiveDir, "skills", "generated"), { recursive: true });
+    fs.mkdirSync(path.join(forgehiveDir, "skills", "workflows"), { recursive: true });
+    fs.writeFileSync(path.join(forgehiveDir, "skills", "expert", "test.md"), "# test", "utf8");
+    const out = projectStatus(tmpDir, forgehiveDir);
+    assert.ok(out.includes("expert"));
+  });
+  it("zeigt MCP-Services wenn .mcp.json vorhanden", () => {
+    fs.mkdirSync(forgehiveDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(tmpDir, ".mcp.json"),
+      JSON.stringify({ mcpServers: { linear: {}, slack: {} } }),
+      "utf8"
+    );
+    const out = projectStatus(tmpDir, forgehiveDir);
+    assert.ok(out.includes("linear"));
+    assert.ok(out.includes("slack"));
+  });
+});
+```
+- [ ] **Step 2: Run failing test**
+```bash
+cd /home/stefan/projekte/forgehive
+npm test 2>&1 | grep "status\|FAIL\|Error" | head -20
+```
+Expected: `Error: Cannot find module '../src/status.ts'`
+- [ ] **Step 3: Implement `src/status.ts`**
+```typescript
+import fs from "node:fs";
+import path from "node:path";
+import yaml from "js-yaml";
+function countMdFiles(dir: string): number {
+  if (!fs.existsSync(dir)) return 0;
+  return fs.readdirSync(dir).filter(f => f.endsWith(".md")).length;
+}
+export function projectStatus(projectRoot: string, forgehiveDir: string): string {
+  const lines: string[] = ["ForgeHive Status", ""];
+  if (!fs.existsSync(forgehiveDir)) {
+    lines.push("✗ Not initialized — run: fh init");
+    return lines.join("\n");
+  }
+  // Capabilities
+  const capsPath = path.join(forgehiveDir, "capabilities.yaml");
+  if (fs.existsSync(capsPath)) {
+    const caps = yaml.load(fs.readFileSync(capsPath, "utf8")) as {
+      status: string;
+      capabilities: { confirmed: unknown[]; inferred: unknown[] };
+    };
+    const confirmed = caps.capabilities?.confirmed?.length ?? 0;
+    const inferred = caps.capabilities?.inferred?.length ?? 0;
+    const icon = caps.status === "confirmed" ? "✓" : "⚠";
+    lines.push(`${icon} Capabilities: ${confirmed} confirmed, ${inferred} inferred (${caps.status})`);
+  }
+  // CLAUDE.md block
+  const claudeMdPath = path.join(projectRoot, "CLAUDE.md");
+  if (fs.existsSync(claudeMdPath)) {
+    const content = fs.readFileSync(claudeMdPath, "utf8");
+    const hasBlock = content.includes("<!-- forgehive:start -->");
+    lines.push(hasBlock ? "✓ CLAUDE.md block present" : "⚠ CLAUDE.md block missing — run: fh init");
+  } else {
+    lines.push("⚠ CLAUDE.md not found");
+  }
+  // Skills
+  const skillsDir = path.join(forgehiveDir, "skills");
+  const generated = countMdFiles(path.join(skillsDir, "generated"));
+  const expert = countMdFiles(path.join(skillsDir, "expert"));
+  const workflows = countMdFiles(path.join(skillsDir, "workflows"));
+  lines.push(`✓ Skills: ${generated} generated, ${expert} expert, ${workflows} workflows`);
+  // MCP / Wire
+  const mcpPath = path.join(projectRoot, ".mcp.json");
+  if (fs.existsSync(mcpPath)) {
+    const mcp = JSON.parse(fs.readFileSync(mcpPath, "utf8")) as { mcpServers?: Record<string, unknown> };
+    const services = Object.keys(mcp.mcpServers ?? {});
+    lines.push(services.length > 0
+      ? `✓ MCP: ${services.join(", ")}`
+      : "  MCP: none configured"
+    );
+  } else {
+    lines.push("  MCP: none configured (fh wire <service>)");
+  }
+  // Memory
+  const memoryDir = path.join(forgehiveDir, "memory");
+  if (fs.existsSync(memoryDir)) {
+    const files = fs.readdirSync(memoryDir).filter(f => f.endsWith(".md"));
+    lines.push(`✓ Memory: ${files.length} file(s)`);
+  }
+  // Scan freshness
+  const scanPath = path.join(forgehiveDir, "scan-result.yaml");
+  if (fs.existsSync(scanPath)) {
+    const scan = yaml.load(fs.readFileSync(scanPath, "utf8")) as { scanned_at?: string };
+    lines.push(`✓ Last scan: ${scan.scanned_at ?? "unknown"}`);
+  }
+  // Agent memory
+  const agentMemDir = path.join(forgehiveDir, "agents", "memory");
+  if (fs.existsSync(agentMemDir)) {
+    const agents = fs.readdirSync(agentMemDir).filter(f => f.endsWith(".md"));
+    lines.push(`✓ Agent memory: ${agents.length} agent(s)`);
+  }
+  return lines.join("\n");
+}
+```
+- [ ] **Step 4: Add `status` command to `src/cli.ts`**
+Add this block immediately before the final `else` block (around line 278 in the current file):
+```typescript
+} else if (command === "status") {
+  const { projectStatus } = await import("./status.ts");
+  console.log(projectStatus(projectRoot, forgehiveDir));
+```
+Wait — `cli.ts` uses static imports, not dynamic. Add the import at the top with the others:
+At top of `src/cli.ts`, add after the `wire` import:
+```typescript
+import { projectStatus } from "./status.ts";
+```
+Then add the command handler before the final `else`:
+```typescript
+} else if (command === "status") {
+  console.log(projectStatus(projectRoot, forgehiveDir));
+```
+Also update the help text in the final `else` branch to include `status`:
+```typescript
+console.error("Verfügbar: init | confirm | rollback | scan --update | scan --check | memory [show|clean|export] | skills [list|regen] | party [--set <name>|--agents <a,b,c> --name <name>] | wire <service> | status | watch");
+```
+- [ ] **Step 5: Run tests**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | tail -15
+```
+Expected: all existing tests pass + 5 new status tests pass.
+- [ ] **Step 6: Commit**
+```bash
+cd /home/stefan/projekte/forgehive
+git add src/status.ts test/status.test.ts src/cli.ts
+git commit -m "feat: add fh status — project health dashboard"
+```
+---
+## Task 2: `fh watch` command
+**Files:**
+- Create: `src/watch.ts`
+- Create: `test/watch.test.ts`
+- Modify: `src/cli.ts` (add watch handler)
+- [ ] **Step 1: Write failing test**
+```typescript
+// test/watch.test.ts
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import yaml from "js-yaml";
+import { checkProjectHash } from "../src/watch.ts";
+describe("checkProjectHash()", () => {
+  let tmpDir: string;
+  let forgehiveDir: string;
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "fh-watch-"));
+    forgehiveDir = path.join(tmpDir, ".forgehive");
+    fs.mkdirSync(forgehiveDir, { recursive: true });
+    fs.writeFileSync(path.join(tmpDir, "package.json"), JSON.stringify({ name: "test" }), "utf8");
+    const scan = { scanned_at: "2026-05-11", project_root: tmpDir, signals: [], packages: [] };
+    fs.writeFileSync(path.join(forgehiveDir, "scan-result.yaml"), yaml.dump(scan), "utf8");
+    fs.writeFileSync(path.join(forgehiveDir, "capabilities.yaml"),
+      yaml.dump({ status: "confirmed", capabilities: { confirmed: [], inferred: [] } }), "utf8");
+  });
+  afterEach(() => fs.rmSync(tmpDir, { recursive: true, force: true }));
+  it("gibt false zurück wenn kein hash gespeichert ist", () => {
+    const changed = checkProjectHash(tmpDir, forgehiveDir, "## forgehive\n");
+    // First run: saves hash, returns true (first scan)
+    assert.strictEqual(typeof changed, "boolean");
+  });
+  it("gibt false zurück wenn hash unverändert", () => {
+    // First call saves the hash
+    checkProjectHash(tmpDir, forgehiveDir, "## forgehive\n");
+    // Second call with same state
+    const changed = checkProjectHash(tmpDir, forgehiveDir, "## forgehive\n");
+    assert.strictEqual(changed, false);
+  });
+  it("gibt true zurück wenn package.json sich ändert", () => {
+    checkProjectHash(tmpDir, forgehiveDir, "## forgehive\n");
+    // Change package.json
+    fs.writeFileSync(path.join(tmpDir, "package.json"),
+      JSON.stringify({ name: "test", version: "2.0.0" }), "utf8");
+    const changed = checkProjectHash(tmpDir, forgehiveDir, "## forgehive\n");
+    assert.strictEqual(changed, true);
+  });
+  it("schreibt neuen hash nach Änderung", () => {
+    checkProjectHash(tmpDir, forgehiveDir, "## forgehive\n");
+    fs.writeFileSync(path.join(tmpDir, "package.json"),
+      JSON.stringify({ name: "test", extras: true }), "utf8");
+    checkProjectHash(tmpDir, forgehiveDir, "## forgehive\n");
+    assert.ok(fs.existsSync(path.join(forgehiveDir, ".scan-hash")));
+  });
+});
+```
+- [ ] **Step 2: Run failing test**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | grep "watch\|Error" | head -10
+```
+Expected: `Error: Cannot find module '../src/watch.ts'`
+- [ ] **Step 3: Implement `src/watch.ts`**
+```typescript
+import fs from "node:fs";
+import path from "node:path";
+import { computeHash } from "./update.ts";
+import { scan } from "./scanner.ts";
+import { mapSignalsToCapabilities } from "./lookup-table.ts";
+import { writeForgehiveDir } from "./writer.ts";
+// Returns true if the codebase changed and capabilities were updated.
+export function checkProjectHash(
+  projectRoot: string,
+  forgehiveDir: string,
+  claudeMdBlock: string
+): boolean {
+  const hashPath = path.join(forgehiveDir, ".scan-hash");
+  const savedHash = fs.existsSync(hashPath)
+    ? fs.readFileSync(hashPath, "utf8").trim()
+    : null;
+  const currentHash = computeHash(projectRoot);
+  if (currentHash === savedHash) return false;
+  fs.writeFileSync(hashPath, currentHash, "utf8");
+  const scanResult = scan(projectRoot);
+  const capMap = mapSignalsToCapabilities(scanResult);
+  writeForgehiveDir(projectRoot, scanResult, capMap, claudeMdBlock);
+  return true;
+}
+export function watchProject(
+  projectRoot: string,
+  forgehiveDir: string,
+  claudeMdBlock: string,
+  onUpdate: (changed: boolean) => void = defaultOnUpdate
+): () => void {
+  const candidates = [
+    "package.json",
+    "package-lock.json",
+    "yarn.lock",
+    "pnpm-lock.yaml",
+    "requirements.txt",
+    "Cargo.toml",
+    "go.mod",
+    "pyproject.toml",
+    "composer.json",
+  ].map(f => path.join(projectRoot, f)).filter(f => fs.existsSync(f));
+  let debounce: ReturnType<typeof setTimeout> | null = null;
+  const watchers: fs.FSWatcher[] = [];
+  function schedule() {
+    if (debounce) clearTimeout(debounce);
+    debounce = setTimeout(() => {
+      const changed = checkProjectHash(projectRoot, forgehiveDir, claudeMdBlock);
+      onUpdate(changed);
+    }, 2000);
+  }
+  for (const f of candidates) {
+    try {
+      watchers.push(fs.watch(f, schedule));
+    } catch {
+      // file may disappear — ignore
+    }
+  }
+  // Also watch for new lockfiles appearing
+  try {
+    watchers.push(fs.watch(projectRoot, schedule));
+  } catch {
+    // may fail on some systems without inotify
+  }
+  return () => {
+    if (debounce) clearTimeout(debounce);
+    for (const w of watchers) { try { w.close(); } catch { /* ignore */ } }
+  };
+}
+function defaultOnUpdate(changed: boolean): void {
+  if (changed) {
+    console.log(`[forgehive] ✓ Codebase changed — capabilities.yaml aktualisiert`);
+  }
+}
+```
+- [ ] **Step 4: Add `watch` command to `src/cli.ts`**
+Add import at top with the others:
+```typescript
+import { watchProject } from "./watch.ts";
+```
+Add handler before the final `else` block (after the `status` handler added in Task 1):
+```typescript
+} else if (command === "watch") {
+  if (!fs.existsSync(forgehiveDir)) {
+    console.error("Fehler: .forgehive/ nicht gefunden — führe zuerst `fh init` aus");
+    process.exit(1);
+  }
+  const block = loadClaudeMdBlock();
+  console.log("👁  ForgeHive watch gestartet — beobachte Projekt-Dateien (Ctrl+C zum Beenden)\n");
+  const stop = watchProject(projectRoot, forgehiveDir, block);
+  process.on("SIGINT", () => { stop(); process.exit(0); });
+  process.on("SIGTERM", () => { stop(); process.exit(0); });
+```
+- [ ] **Step 5: Run tests**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | tail -15
+```
+Expected: all tests pass including 4 new watch tests.
+- [ ] **Step 6: Commit**
+```bash
+cd /home/stefan/projekte/forgehive
+git add src/watch.ts test/watch.test.ts src/cli.ts
+git commit -m "feat: add fh watch — filesystem watcher for auto-update"
+```
+---
+## Task 3: Guardrail hooks
+**Files:**
+- Create: `src/guardrails.ts`
+- Create: `forgehive/hooks/guardrails.sh`
+- Create: `test/guardrails.test.ts`
+- Modify: `src/writer.ts` (call `writeGuardrailHooks` from `initForgehiveRuntime`)
+- Modify: `test/writer.test.ts` (test guardrails integration)
+- [ ] **Step 1: Write failing tests**
+```typescript
+// test/guardrails.test.ts
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { writeGuardrailHooks } from "../src/guardrails.ts";
+describe("writeGuardrailHooks()", () => {
+  let tmpDir: string;
+  let forgehiveDir: string;
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "fh-guard-"));
+    forgehiveDir = path.join(tmpDir, ".forgehive");
+    fs.mkdirSync(path.join(forgehiveDir, "hooks"), { recursive: true });
+    fs.mkdirSync(path.join(tmpDir, ".claude"), { recursive: true });
+  });
+  afterEach(() => fs.rmSync(tmpDir, { recursive: true, force: true }));
+  it("schreibt .forgehive/hooks/guardrails.sh", () => {
+    writeGuardrailHooks(tmpDir, forgehiveDir);
+    assert.ok(fs.existsSync(path.join(forgehiveDir, "hooks", "guardrails.sh")));
+  });
+  it("schreibt .claude/settings.json mit PreToolUse hook", () => {
+    writeGuardrailHooks(tmpDir, forgehiveDir);
+    const settingsPath = path.join(tmpDir, ".claude", "settings.json");
+    assert.ok(fs.existsSync(settingsPath));
+    const settings = JSON.parse(fs.readFileSync(settingsPath, "utf8"));
+    assert.ok(settings.hooks?.PreToolUse);
+    assert.ok(Array.isArray(settings.hooks.PreToolUse));
+  });
+  it("merged mit bestehendem settings.json", () => {
+    const settingsPath = path.join(tmpDir, ".claude", "settings.json");
+    fs.writeFileSync(settingsPath, JSON.stringify({ permissions: { allow: ["*"] } }), "utf8");
+    writeGuardrailHooks(tmpDir, forgehiveDir);
+    const settings = JSON.parse(fs.readFileSync(settingsPath, "utf8"));
+    assert.ok(settings.permissions?.allow);
+    assert.ok(settings.hooks?.PreToolUse);
+  });
+  it("ist idempotent — überschreibt hook-Eintrag nicht doppelt", () => {
+    writeGuardrailHooks(tmpDir, forgehiveDir);
+    writeGuardrailHooks(tmpDir, forgehiveDir);
+    const settings = JSON.parse(
+      fs.readFileSync(path.join(tmpDir, ".claude", "settings.json"), "utf8")
+    );
+    const bashHooks = settings.hooks.PreToolUse.filter((h: { matcher: string }) => h.matcher === "Bash");
+    assert.strictEqual(bashHooks.length, 1);
+  });
+});
+```
+- [ ] **Step 2: Run failing test**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | grep "guardrails\|Error" | head -10
+```
+Expected: `Error: Cannot find module '../src/guardrails.ts'`
+- [ ] **Step 3: Create `forgehive/hooks/guardrails.sh`**
+```bash
+#!/usr/bin/env bash
+# ForgeHive Guardrails — PreToolUse hook for Bash
+# Receives tool input as JSON on stdin. Exit 1 to block, 0 to allow.
+INPUT=$(cat 2>/dev/null || echo "{}")
+COMMAND=$(echo "$INPUT" | node -e "
+  let d='';
+  process.stdin.on('data',c=>d+=c);
+  process.stdin.on('end',()=>{
+    try { const p=JSON.parse(d); process.stdout.write(p.command||''); }
+    catch { process.stdout.write(''); }
+  });
+" 2>/dev/null || echo "")
+# Patterns that require explicit intent
+DANGEROUS=(
+  "git push --force"
+  "git push -f "
+  "git reset --hard"
+  "rm -rf /"
+  "DROP TABLE"
+  "DROP DATABASE"
+  "truncate "
+)
+for PATTERN in "${DANGEROUS[@]}"; do
+  if echo "$COMMAND" | grep -qi "$PATTERN"; then
+    echo "🛡 ForgeHive Guardrail: '$PATTERN' erkannt."
+    echo "   Füge einen Kommentar hinzu der erklärt warum, dann erneut versuchen."
+    exit 1
+  fi
+done
+exit 0
+```
+- [ ] **Step 4: Implement `src/guardrails.ts`**
+```typescript
+import fs from "node:fs";
+import path from "node:path";
+const GUARDRAILS_SH = `#!/usr/bin/env bash
+# ForgeHive Guardrails — PreToolUse hook for Bash
+# Receives tool input as JSON on stdin. Exit 1 to block, exit 0 to allow.
+INPUT=$(cat 2>/dev/null || echo "{}")
+COMMAND=$(node -e "let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>{try{process.stdout.write(JSON.parse(d).command||'')}catch{process.stdout.write('')}})" 2>/dev/null <<< "$INPUT" || echo "")
+DANGEROUS=("git push --force" "git push -f " "git reset --hard" "rm -rf /" "DROP TABLE" "DROP DATABASE")
+for PATTERN in "\${DANGEROUS[@]}"; do
+  if echo "$COMMAND" | grep -qi "$PATTERN"; then
+    echo "🛡 ForgeHive Guardrail: '$PATTERN' geblockt. Erkläre die Absicht und versuche erneut."
+    exit 1
+  fi
+done
+exit 0
+`;
+interface ClaudeSettings {
+  hooks?: {
+    PreToolUse?: Array<{ matcher: string; hooks: Array<{ type: string; command: string }> }>;
+  };
+  [key: string]: unknown;
+}
+export function writeGuardrailHooks(projectRoot: string, forgehiveDir: string): void {
+  // Write hook script
+  const hooksDir = path.join(forgehiveDir, "hooks");
+  fs.mkdirSync(hooksDir, { recursive: true });
+  const scriptPath = path.join(hooksDir, "guardrails.sh");
+  fs.writeFileSync(scriptPath, GUARDRAILS_SH, "utf8");
+  try { fs.chmodSync(scriptPath, 0o755); } catch { /* ignore on systems without chmod */ }
+  // Write/merge .claude/settings.json
+  const claudeDir = path.join(projectRoot, ".claude");
+  fs.mkdirSync(claudeDir, { recursive: true });
+  const settingsPath = path.join(claudeDir, "settings.json");
+  let settings: ClaudeSettings = {};
+  if (fs.existsSync(settingsPath)) {
+    try {
+      settings = JSON.parse(fs.readFileSync(settingsPath, "utf8")) as ClaudeSettings;
+    } catch {
+      settings = {};
+    }
+  }
+  if (!settings.hooks) settings.hooks = {};
+  if (!settings.hooks.PreToolUse) settings.hooks.PreToolUse = [];
+  // Remove existing forgehive guardrail entry to avoid duplicates
+  settings.hooks.PreToolUse = settings.hooks.PreToolUse.filter(
+    h => !(h.matcher === "Bash" && h.hooks?.[0]?.command?.includes("guardrails.sh"))
+  );
+  // Add fresh entry
+  settings.hooks.PreToolUse.push({
+    matcher: "Bash",
+    hooks: [
+      {
+        type: "command",
+        command: `bash "${scriptPath}"`,
+      },
+    ],
+  });
+  fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), "utf8");
+}
+```
+- [ ] **Step 5: Add `writeGuardrailHooks` call to `src/writer.ts`**
+Add import at top of `src/writer.ts`:
+```typescript
+import { writeGuardrailHooks } from "./guardrails.ts";
+```
+At the end of `initForgehiveRuntime`, add:
+```typescript
+  writeGuardrailHooks(path.join(forgehiveDir, ".."), forgehiveDir);
+```
+Wait — `initForgehiveRuntime` takes `forgehiveDir` (which is `<projectRoot>/.forgehive`) so `projectRoot` = `path.join(forgehiveDir, "..")`. Update the call:
+The existing `initForgehiveRuntime` signature is:
+```typescript
+export function initForgehiveRuntime(forgehiveDir: string, runtimeDir: string): void
+```
+Add this at the end of the function body:
+```typescript
+  const projectRoot = path.join(forgehiveDir, "..");
+  writeGuardrailHooks(projectRoot, forgehiveDir);
+```
+- [ ] **Step 6: Run tests**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | tail -15
+```
+Expected: all tests pass including 4 new guardrails tests.
+- [ ] **Step 7: Commit**
+```bash
+cd /home/stefan/projekte/forgehive
+git add src/guardrails.ts forgehive/hooks/guardrails.sh test/guardrails.test.ts src/writer.ts
+git commit -m "feat: add guardrail hooks — PreToolUse bash protection via .claude/settings.json"
+```
+---
+## Task 4: Workflow slash commands
+**Files:**
+- Create: `forgehive/commands/fh-start-task.md`
+- Create: `forgehive/commands/fh-ship.md`
+- Create: `forgehive/commands/fh-review.md`
+- Create: `forgehive/commands/fh-hotfix.md`
+- Modify: `src/writer.ts` (`initForgehiveRuntime` copies commands to `.claude/commands/`)
+- Modify: `test/writer.test.ts`
+- [ ] **Step 1: Create `forgehive/commands/fh-start-task.md`**
+```markdown
+You are starting a new development task using the ForgeHive workflow.
+## Pre-Task Checklist
+1. Ask the user: **"Was baust du heute?"** (or "What are you building today?")
+2. Read `.forgehive/capabilities.yaml` — understand the available stack
+3. Check `.forgehive/memory/MEMORY.md` — load relevant project context
+4. Run `fh scan --check` to verify the codebase snapshot is current
+5. Create a feature branch:
+   - Convention from `git-conventions` skill: `feat/<short-description>`, `fix/<issue>`, `chore/<task>`
+   - Run: `git checkout -b <branch-name>`
+6. Summarize: what you're building, which files are likely to change, which capabilities apply
+7. Check `.forgehive/skills/expert/` for relevant skill files (see `.forgehive/skills/INDEX.yaml`)
+```
+- [ ] **Step 2: Create `forgehive/commands/fh-ship.md`**
+```markdown
+You are running the ForgeHive ship workflow. Follow all steps before declaring ready to merge.
+## Pre-Ship Checklist
+1. **Tests** — run the test suite from `package.json` scripts
+   - If tests fail: stop here, fix before proceeding
+2. **Diff summary** — `git diff main...HEAD --stat`
+   - Show the user what changed
+3. **Uncommitted work** — `git status`
+   - Commit or stash before proceeding
+4. **Code quality scan**
+   - Any `console.log` / `debugger` / TODO in the diff?
+   - Any commented-out code?
+   - Any hardcoded secrets or API keys?
+5. **PR draft**
+   - Title: under 70 chars, describes the change (not "fix stuff")
+   - Body: 2-3 bullets of what changed and why
+6. **Ask**: "Soll ich den PR erstellen?" — only create if confirmed
+```
+- [ ] **Step 3: Create `forgehive/commands/fh-review.md`**
+```markdown
+You are running a ForgeHive code review. Load the review skill first.
+## Review Process
+1. Read `.forgehive/skills/expert/code-review.md`
+2. Get the diff: `git diff main...HEAD`
+3. Review in priority order:
+**[BUG]** Correctness issues — will this break in production?
+**[DESIGN]** Architecture issues — does it follow existing patterns?
+**[NIT]** Minor style issues — use sparingly
+**[Q]** Questions — non-blocking, want to understand intent
+**[+]** Good work — acknowledge what's done well
+4. For PRs > 400 lines: flag as too large, suggest how to split
+5. End with: overall verdict (approve / request changes) and count of blocking issues
+```
+- [ ] **Step 4: Create `forgehive/commands/fh-hotfix.md`**
+```markdown
+You are running the ForgeHive hotfix protocol.
+## Hotfix Rules
+**Constraint:** A hotfix changes as few lines as possible. If the fix requires > 50 lines, it's a feature, not a hotfix.
+## Steps
+1. **Identify** — `git log --oneline -20` — find the commit that introduced the bug
+2. **Branch** — `git checkout -b hotfix/<short-description> main`
+3. **Minimal fix** — fix only the bug, no refactoring, no cleanup
+4. **Regression test** — write one test that fails before the fix and passes after
+5. **Verify** — run full test suite
+6. **Ship** — use `/fh-ship` when ready
+If this turns out to be more than 50 lines: stop, switch to `/fh-start-task` for a proper feature branch.
+```
+- [ ] **Step 5: Add commands copy to `src/writer.ts`**
+In `initForgehiveRuntime`, add a commands copy block after the party copy block (before the skills mkdir loop):
+```typescript
+  // Copy slash commands to .claude/commands/
+  const commandsSrc = path.join(runtimeDir, "commands");
+  const claudeDir = path.join(forgehiveDir, "..", ".claude");
+  const commandsDst = path.join(claudeDir, "commands");
+  fs.mkdirSync(commandsDst, { recursive: true });
+  if (fs.existsSync(commandsSrc)) {
+    for (const file of fs.readdirSync(commandsSrc)) {
+      const dst = path.join(commandsDst, file);
+      if (!fs.existsSync(dst)) {
+        fs.copyFileSync(path.join(commandsSrc, file), dst);
+      }
+    }
+  }
+```
+- [ ] **Step 6: Add test to `test/writer.test.ts`**
+Add inside the `initForgehiveRuntime()` describe block, after the existing tests:
+```typescript
+  it("kopiert commands nach .claude/commands/", () => {
+    // Create a fake runtimeDir/commands/ with a test command
+    const runtimeDir = path.join(tmpDir, "fh-runtime");
+    const commandsSrc = path.join(runtimeDir, "commands");
+    fs.mkdirSync(commandsSrc, { recursive: true });
+    fs.writeFileSync(path.join(commandsSrc, "fh-ship.md"), "# /fh-ship\nship it", "utf8");
+    initForgehiveRuntime(forgehiveDir, runtimeDir);
+    assert.ok(
+      fs.existsSync(path.join(tmpDir, ".claude", "commands", "fh-ship.md"))
+    );
+  });
+```
+- [ ] **Step 7: Run tests**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | tail -15
+```
+Expected: all tests pass including new writer test.
+- [ ] **Step 8: Commit**
+```bash
+cd /home/stefan/projekte/forgehive
+git add forgehive/commands/ src/writer.ts test/writer.test.ts
+git commit -m "feat: add workflow slash commands — /fh-start-task /fh-ship /fh-review /fh-hotfix"
+```
+---
+## Task 5: Skills INDEX + progressive loading
+**Files:**
+- Create: `forgehive/skills/INDEX.yaml`
+- Modify: `src/writer.ts` (copy INDEX.yaml during init)
+- Modify: `src/skills.ts` (`listSkills` shows tags from INDEX)
+- Modify: `forgehive/templates/claude-md.block.md`
+- Modify: `test/writer.test.ts`
+- Modify: `test/skills.test.ts`
+- [ ] **Step 1: Create `forgehive/skills/INDEX.yaml`**
+```yaml
+# ForgeHive Skills Index
+# Claude: load only the skills relevant to your current task.
+# Check 'when' field to decide which skills to load.
+skills:
+  typescript-patterns:
+    file: expert/typescript-patterns.md
+    tags: [typescript, types, generics, decorators, utility-types]
+    when: "TypeScript types, generics, utility types, decorators"
+  testing-strategies:
+    file: expert/testing-strategies.md
+    tags: [testing, tdd, mocking, assertions, coverage, vitest, jest]
+    when: "Writing tests, TDD, mocking dependencies, test design"
+  api-design:
+    file: expert/api-design.md
+    tags: [api, rest, graphql, openapi, versioning, endpoints]
+    when: "Designing API endpoints, REST conventions, OpenAPI specs"
+  git-conventions:
+    file: expert/git-conventions.md
+    tags: [git, commits, branches, pr, conventional-commits, merge]
+    when: "Git workflow, commit messages, branch naming, PR process"
+  error-handling:
+    file: expert/error-handling.md
+    tags: [errors, exceptions, result-types, retry, fallbacks, typescript]
+    when: "Error handling, exceptions, Result/Either types, retry logic"
+  security-checklist:
+    file: expert/security-checklist.md
+    tags: [security, auth, xss, sql-injection, owasp, jwt, csrf]
+    when: "Security review, authentication, authorization, input validation"
+  performance-patterns:
+    file: expert/performance-patterns.md
+    tags: [performance, caching, profiling, optimization, lazy-loading, memoization]
+    when: "Performance optimization, caching strategies, profiling"
+  code-review:
+    file: expert/code-review.md
+    tags: [review, quality, feedback, pr-review, checklist]
+    when: "Code review, PR feedback, quality assessment"
+  clean-architecture:
+    file: expert/clean-architecture.md
+    tags: [architecture, domain, use-cases, clean-arch, ddd, layers]
+    when: "Architecture design, layer separation, domain modeling, DDD"
+  database-patterns:
+    file: expert/database-patterns.md
+    tags: [database, sql, migrations, indexing, orm, postgres, prisma]
+    when: "Database design, migrations, query optimization, indexing"
+  monorepo-patterns:
+    file: expert/monorepo-patterns.md
+    tags: [monorepo, workspaces, turborepo, nx, packages, pnpm]
+    when: "Monorepo setup, workspace management, build orchestration"
+  observability:
+    file: expert/observability.md
+    tags: [logging, metrics, tracing, opentelemetry, monitoring, datadog, sentry]
+    when: "Structured logging, metrics (RED/USE), distributed tracing"
+```
+- [ ] **Step 2: Add INDEX copy to `src/writer.ts`**
+In `initForgehiveRuntime`, in the skills directory section — after the `for (const dir of ["generated", "expert", "workflows"])` loop, add:
+```typescript
+  // Copy INDEX.yaml and expert skills to .forgehive/skills/
+  const expertSrc = path.join(runtimeDir, "skills", "expert");
+  const expertDst = path.join(forgehiveDir, "skills", "expert");
+  if (fs.existsSync(expertSrc)) {
+    for (const file of fs.readdirSync(expertSrc)) {
+      const dst = path.join(expertDst, file);
+      if (!fs.existsSync(dst)) {
+        fs.copyFileSync(path.join(expertSrc, file), dst);
+      }
+    }
+  }
+  const indexSrc = path.join(runtimeDir, "skills", "INDEX.yaml");
+  const indexDst = path.join(forgehiveDir, "skills", "INDEX.yaml");
+  if (fs.existsSync(indexSrc) && !fs.existsSync(indexDst)) {
+    fs.copyFileSync(indexSrc, indexDst);
+  }
+```
+- [ ] **Step 3: Update `src/skills.ts` — `listSkills` shows INDEX info**
+In `listSkills`, add INDEX loading after the header line:
+Replace the existing `listSkills` function body with:
+```typescript
+export function listSkills(forgehiveDir: string): string {
+  const skillsDir = path.join(forgehiveDir, "skills");
+  const categories = ["generated", "expert", "workflows"];
+  const lines: string[] = [`Skills in .forgehive/skills/:\n`];
+  // Load INDEX for tag display
+  const indexPath = path.join(skillsDir, "INDEX.yaml");
+  const index = fs.existsSync(indexPath)
+    ? (yaml.load(fs.readFileSync(indexPath, "utf8")) as {
+        skills: Record<string, { file: string; tags: string[]; when: string }>;
+      })
+    : null;
+  for (const cat of categories) {
+    const catDir = path.join(skillsDir, cat);
+    if (!fs.existsSync(catDir)) {
+      lines.push(`${cat}/  (leer)`);
+      continue;
+    }
+    const files = fs.readdirSync(catDir).filter(f => f.endsWith(".md") || f.endsWith(".yaml"));
+    if (files.length === 0) {
+      lines.push(`${cat}/  (leer)`);
+    } else {
+      lines.push(`${cat}/ (${files.length})`);
+      for (const f of files) {
+        const skillKey = f.replace(".md", "");
+        const indexEntry = index?.skills?.[skillKey];
+        if (indexEntry) {
+          lines.push(`  ${f}  [${indexEntry.tags.slice(0, 3).join(", ")}]`);
+        } else {
+          lines.push(`  ${f}`);
+        }
+      }
+    }
+  }
+  return lines.join("\n");
+}
+```
+Also add `import yaml from "js-yaml";` at the top of `src/skills.ts` (it doesn't have it yet).
+- [ ] **Step 4: Add test for INDEX-aware listSkills in `test/skills.test.ts`**
+Add inside the `listSkills()` describe block:
+```typescript
+  it("zeigt tags wenn INDEX.yaml vorhanden", () => {
+    fs.writeFileSync(
+      path.join(forgehiveDir, "skills", "expert", "typescript-patterns.md"),
+      "# TS",
+      "utf8"
+    );
+    fs.writeFileSync(
+      path.join(forgehiveDir, "skills", "INDEX.yaml"),
+      `skills:\n  typescript-patterns:\n    file: expert/typescript-patterns.md\n    tags: [typescript, types]\n    when: "TypeScript"\n`,
+      "utf8"
+    );
+    const output = listSkills(forgehiveDir);
+    assert.ok(output.includes("typescript"));
+  });
+```
+- [ ] **Step 5: Update `forgehive/templates/claude-md.block.md`**
+Add a new section before `### Party Mode`:
+```markdown
+### Skills — Progressive Loading
+Before starting a technical task, read `.forgehive/skills/INDEX.yaml` to find relevant skills.
+Load only the skills matching your current task — not all skills at once.
+Examples:
+- Working with TypeScript types → load `expert/typescript-patterns.md`
+- Database migration → load `expert/database-patterns.md`
+- Reviewing a PR → load `expert/code-review.md`
+- Security review → load `expert/security-checklist.md`
+```
+Also add a section for workflow slash commands before `### Party Mode`:
+```markdown
+### Workflow Commands
+ForgeHive installs slash commands in `.claude/commands/`:
+- `/fh-start-task` — start a new feature branch with context loaded
+- `/fh-ship` — pre-ship checklist: tests, diff review, PR draft
+- `/fh-review` — structured code review using the review skill
+- `/fh-hotfix` — minimal hotfix protocol
+```
+- [ ] **Step 6: Run tests**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | tail -15
+```
+Expected: all tests pass.
+- [ ] **Step 7: Commit**
+```bash
+cd /home/stefan/projekte/forgehive
+git add forgehive/skills/INDEX.yaml src/writer.ts src/skills.ts forgehive/templates/claude-md.block.md test/skills.test.ts test/writer.test.ts
+git commit -m "feat: add skills INDEX with tags — progressive loading for Claude context"
+```
+---
+## Task 6: Agent memory persistence
+**Files:**
+- Modify: `src/writer.ts` (`initForgehiveRuntime` creates agent memory files)
+- Modify: `forgehive/templates/claude-md.block.md`
+- Modify: `test/writer.test.ts`
+- [ ] **Step 1: Add test to `test/writer.test.ts`**
+Add inside the `initForgehiveRuntime()` describe block:
+```typescript
+  it("erstellt agents/memory/ Verzeichnis und Memory-Dateien", () => {
+    const runtimeDir = path.join(tmpDir, "fh-runtime");
+    const agentsSrc = path.join(runtimeDir, "agents");
+    fs.mkdirSync(agentsSrc, { recursive: true });
+    fs.writeFileSync(path.join(agentsSrc, "nora.yaml"), "id: nora\nname: Nora", "utf8");
+    fs.writeFileSync(path.join(agentsSrc, "kai.yaml"), "id: kai\nname: Kai", "utf8");
+    initForgehiveRuntime(forgehiveDir, runtimeDir);
+    assert.ok(fs.existsSync(path.join(forgehiveDir, "agents", "memory")));
+    assert.ok(fs.existsSync(path.join(forgehiveDir, "agents", "memory", "nora.md")));
+    assert.ok(fs.existsSync(path.join(forgehiveDir, "agents", "memory", "kai.md")));
+  });
+  it("überschreibt bestehende Memory-Datei nicht", () => {
+    const runtimeDir = path.join(tmpDir, "fh-runtime");
+    const agentsSrc = path.join(runtimeDir, "agents");
+    fs.mkdirSync(agentsSrc, { recursive: true });
+    fs.writeFileSync(path.join(agentsSrc, "nora.yaml"), "id: nora\nname: Nora", "utf8");
+    initForgehiveRuntime(forgehiveDir, runtimeDir);
+    const memPath = path.join(forgehiveDir, "agents", "memory", "nora.md");
+    fs.writeFileSync(memPath, "# Custom memory content", "utf8");
+    initForgehiveRuntime(forgehiveDir, runtimeDir);
+    const content = fs.readFileSync(memPath, "utf8");
+    assert.ok(content.includes("Custom memory content"));
+  });
+```
+- [ ] **Step 2: Run failing tests**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | grep "agents\|FAIL" | head -10
+```
+Expected: 2 new tests fail (agents/memory not created yet).
+- [ ] **Step 3: Add agent memory creation to `src/writer.ts`**
+In `initForgehiveRuntime`, add after the agents copy loop:
+```typescript
+  // Create agent memory directory and per-agent memory files
+  const agentMemoryDir = path.join(agentsDst, "memory");
+  fs.mkdirSync(agentMemoryDir, { recursive: true });
+  if (fs.existsSync(agentsSrc)) {
+    for (const file of fs.readdirSync(agentsSrc).filter(f => f.endsWith(".yaml"))) {
+      const agentId = file.replace(".yaml", "");
+      const agentName = agentId.charAt(0).toUpperCase() + agentId.slice(1);
+      const memFile = path.join(agentMemoryDir, `${agentId}.md`);
+      if (!fs.existsSync(memFile)) {
+        fs.writeFileSync(
+          memFile,
+          `# ${agentName} — Agent Memory\n\nPersistenter Kontext für ${agentName} zwischen Sessions.\nWird von Claude aktualisiert wenn ${agentName} Entscheidungen trifft.\n\n## Entscheidungen\n<!-- [datum] entscheidung -->\n\n## Projekt-Kontext\n<!-- Spezifisches Wissen das ${agentName} über dieses Projekt aufgebaut hat -->\n`,
+          "utf8"
+        );
+      }
+    }
+  }
+```
+- [ ] **Step 4: Update `forgehive/templates/claude-md.block.md`**
+Add after the Skills section and before Party Mode:
+```markdown
+### Agent Memory
+Each agent has persistent memory in `.forgehive/agents/memory/<name>.md`.
+- Before activating a party set, read the relevant agent memory files
+- After a session where an agent made a significant decision, update their memory file
+- Format: `[YYYY-MM-DD] <decision or learned context>`
+```
+- [ ] **Step 5: Run tests**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | tail -15
+```
+Expected: all tests pass including 2 new writer tests.
+- [ ] **Step 6: Commit**
+```bash
+cd /home/stefan/projekte/forgehive
+git add src/writer.ts forgehive/templates/claude-md.block.md test/writer.test.ts
+git commit -m "feat: add agent memory files — persistent per-agent context across sessions"
+```
+---
+## Task 7: Expand MCP services (10 → 40)
+**Files:**
+- Modify: `src/wire.ts` (add 30 new services)
+- Modify: `test/wire.test.ts`
+This task adds 30 new services to the `SERVICES` object in `src/wire.ts`. Each follows the exact same shape as the existing 10 entries.
+- [ ] **Step 1: Read current `src/wire.ts` to know exact SERVICES structure**
+Run:
+```bash
+cd /home/stefan/projekte/forgehive && head -80 src/wire.ts
+```
+Confirm the SERVICES object shape (each entry has: `package`, `envVars`, `description`, `workflowSkill` string).
+- [ ] **Step 2: Add test for new services in `test/wire.test.ts`**
+Add inside the existing `listWireServices()` describe block:
+```typescript
+  it("enthält alle 40 Services", () => {
+    const services = listWireServices();
+    assert.ok(services.length >= 40);
+  });
+  it("enthält vercel", () => {
+    assert.ok(listWireServices().includes("vercel"));
+  });
+  it("enthält stripe", () => {
+    assert.ok(listWireServices().includes("stripe"));
+  });
+  it("enthält supabase", () => {
+    assert.ok(listWireServices().includes("supabase"));
+  });
+```
+- [ ] **Step 3: Run failing test**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | grep "wire\|FAIL" | head -10
+```
+Expected: `AssertionError: 10 >= 40` (only 10 services currently)
+- [ ] **Step 4: Add 30 services to `src/wire.ts`**
+In `src/wire.ts`, inside the `SERVICES` object (after the existing `figma` entry), add:
+```typescript
+  vercel: {
+    package: "@vercel/mcp-adapter",
+    envVars: ["VERCEL_TOKEN"],
+    description: "Vercel deployments, projects, domains",
+    workflowSkill: `# Vercel Workflow\n\n## Common Tasks\n- List deployments: use list-deployments tool\n- Check build logs: use get-deployment-logs tool\n- Manage env vars: use list-env-vars, create-env-var tools\n\n## Guardrails\n- Never delete production deployments without confirmation\n- Check build logs before promoting to production\n`,
+  },
+  netlify: {
+    package: "@netlify/mcp",
+    envVars: ["NETLIFY_ACCESS_TOKEN"],
+    description: "Netlify sites, deploys, forms, functions",
+    workflowSkill: `# Netlify Workflow\n\n## Common Tasks\n- List sites: list-sites tool\n- Trigger deploy: create-deploy tool\n- Manage env: list-env-vars, set-env-var tools\n`,
+  },
+  railway: {
+    package: "railway-mcp",
+    envVars: ["RAILWAY_API_TOKEN"],
+    description: "Railway projects, services, deployments",
+    workflowSkill: `# Railway Workflow\n\n## Common Tasks\n- List projects and services\n- View deployment logs\n- Manage environment variables\n`,
+  },
+  render: {
+    package: "mcp-server-render",
+    envVars: ["RENDER_API_KEY"],
+    description: "Render web services, databases, deploys",
+    workflowSkill: `# Render Workflow\n\n## Common Tasks\n- List services\n- Trigger manual deploys\n- Check deploy logs\n`,
+  },
+  "fly-io": {
+    package: "mcp-server-fly",
+    envVars: ["FLY_API_TOKEN"],
+    description: "Fly.io apps, machines, deployments",
+    workflowSkill: `# Fly.io Workflow\n\n## Common Tasks\n- List apps\n- View machine status\n- Check deployment logs\n`,
+  },
+  supabase: {
+    package: "@supabase/mcp-server-supabase",
+    envVars: ["SUPABASE_URL", "SUPABASE_SERVICE_ROLE_KEY"],
+    description: "Supabase database, auth, storage, edge functions",
+    workflowSkill: `# Supabase Workflow\n\n## Common Tasks\n- Query tables: use SQL query tool\n- Manage auth users\n- Deploy edge functions\n\n## Guardrails\n- Never modify auth.users directly without confirmation\n- Always test migrations on a branch first\n`,
+  },
+  neon: {
+    package: "@neondatabase/mcp-server-neon",
+    envVars: ["NEON_API_KEY"],
+    description: "Neon serverless Postgres — branches, databases",
+    workflowSkill: `# Neon Workflow\n\n## Common Tasks\n- Create database branches for testing\n- Run SQL queries\n- Compare branch schemas\n`,
+  },
+  planetscale: {
+    package: "mcp-server-planetscale",
+    envVars: ["PLANETSCALE_SERVICE_TOKEN", "PLANETSCALE_ORG"],
+    description: "PlanetScale MySQL branches and deploys",
+    workflowSkill: `# PlanetScale Workflow\n\n## Common Tasks\n- Create branches for schema changes\n- Open deploy requests\n- Check schema diffs\n`,
+  },
+  mongodb: {
+    package: "@mongodb-js/mcp-server-mongodb",
+    envVars: ["MONGODB_URI"],
+    description: "MongoDB Atlas cluster management and queries",
+    workflowSkill: `# MongoDB Workflow\n\n## Common Tasks\n- List collections\n- Run aggregation pipelines\n- Check index usage\n`,
+  },
+  redis: {
+    package: "mcp-server-redis",
+    envVars: ["REDIS_URL"],
+    description: "Redis key-value operations and pub/sub",
+    workflowSkill: `# Redis Workflow\n\n## Common Tasks\n- Inspect keys and TTLs\n- Flush specific key patterns (never FLUSHALL without confirmation)\n- Monitor pub/sub channels\n`,
+  },
+  stripe: {
+    package: "@stripe/mcp",
+    envVars: ["STRIPE_SECRET_KEY"],
+    description: "Stripe payments, customers, subscriptions",
+    workflowSkill: `# Stripe Workflow\n\n## Common Tasks\n- List customers and subscriptions\n- Check payment intent status\n- View webhook events\n\n## Guardrails\n- Never issue refunds without explicit user confirmation\n- Use test mode keys in development (sk_test_...)\n`,
+  },
+  "lemon-squeezy": {
+    package: "mcp-server-lemon-squeezy",
+    envVars: ["LEMON_SQUEEZY_API_KEY"],
+    description: "Lemon Squeezy products, orders, subscriptions",
+    workflowSkill: `# Lemon Squeezy Workflow\n\n## Common Tasks\n- List products and variants\n- Check order status\n- Manage subscriptions\n`,
+  },
+  resend: {
+    package: "mcp-server-resend",
+    envVars: ["RESEND_API_KEY"],
+    description: "Resend email sending and domain management",
+    workflowSkill: `# Resend Workflow\n\n## Common Tasks\n- Send transactional emails\n- Check delivery status\n- Manage domains and API keys\n`,
+  },
+  sendgrid: {
+    package: "mcp-server-sendgrid",
+    envVars: ["SENDGRID_API_KEY"],
+    description: "SendGrid email campaigns and transactional mail",
+    workflowSkill: `# SendGrid Workflow\n\n## Common Tasks\n- Send emails\n- Check suppression lists\n- View email activity\n`,
+  },
+  cloudflare: {
+    package: "@cloudflare/mcp-server-cloudflare",
+    envVars: ["CLOUDFLARE_API_TOKEN"],
+    description: "Cloudflare DNS, Workers, R2, KV, D1",
+    workflowSkill: `# Cloudflare Workflow\n\n## Common Tasks\n- Manage DNS records\n- Deploy Workers\n- Query D1 databases\n- List R2 buckets\n`,
+  },
+  aws: {
+    package: "@aws/mcp-server",
+    envVars: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_DEFAULT_REGION"],
+    description: "AWS S3, Lambda, CloudWatch, EC2",
+    workflowSkill: `# AWS Workflow\n\n## Common Tasks\n- List S3 buckets and objects\n- Invoke Lambda functions\n- Check CloudWatch logs\n\n## Guardrails\n- Never delete S3 buckets without explicit confirmation\n- Never terminate EC2 instances without confirmation\n`,
+  },
+  terraform: {
+    package: "mcp-server-terraform",
+    envVars: ["TF_TOKEN"],
+    description: "Terraform Cloud workspaces and runs",
+    workflowSkill: `# Terraform Workflow\n\n## Common Tasks\n- List workspaces\n- Trigger plan runs\n- Check run status\n- Review plan output before applying\n`,
+  },
+  kubernetes: {
+    package: "mcp-server-kubernetes",
+    envVars: ["KUBECONFIG"],
+    description: "Kubernetes cluster management and pod operations",
+    workflowSkill: `# Kubernetes Workflow\n\n## Common Tasks\n- List pods and deployments\n- Check pod logs\n- Apply manifests\n\n## Guardrails\n- Never delete namespaces or PVCs without confirmation\n- Always check resource usage before scaling down\n`,
+  },
+  twilio: {
+    package: "mcp-server-twilio",
+    envVars: ["TWILIO_ACCOUNT_SID", "TWILIO_AUTH_TOKEN"],
+    description: "Twilio SMS, voice, phone numbers",
+    workflowSkill: `# Twilio Workflow\n\n## Common Tasks\n- List phone numbers\n- Check message logs\n- Manage webhooks\n`,
+  },
+  hubspot: {
+    package: "mcp-server-hubspot",
+    envVars: ["HUBSPOT_ACCESS_TOKEN"],
+    description: "HubSpot CRM contacts, deals, pipelines",
+    workflowSkill: `# HubSpot Workflow\n\n## Common Tasks\n- List contacts and deals\n- Update deal stages\n- Check engagement history\n`,
+  },
+  amplitude: {
+    package: "mcp-server-amplitude",
+    envVars: ["AMPLITUDE_API_KEY", "AMPLITUDE_SECRET_KEY"],
+    description: "Amplitude product analytics and funnels",
+    workflowSkill: `# Amplitude Workflow\n\n## Common Tasks\n- Query event data\n- Check conversion funnels\n- Export user segments\n`,
+  },
+  segment: {
+    package: "mcp-server-segment",
+    envVars: ["SEGMENT_WRITE_KEY"],
+    description: "Segment analytics event tracking",
+    workflowSkill: `# Segment Workflow\n\n## Common Tasks\n- Track events\n- List sources and destinations\n- Check event delivery\n`,
+  },
+  mixpanel: {
+    package: "mcp-server-mixpanel",
+    envVars: ["MIXPANEL_TOKEN"],
+    description: "Mixpanel product analytics and reports",
+    workflowSkill: `# Mixpanel Workflow\n\n## Common Tasks\n- Query funnel reports\n- Export events\n- Check user properties\n`,
+  },
+  posthog: {
+    package: "mcp-server-posthog",
+    envVars: ["POSTHOG_API_KEY", "POSTHOG_HOST"],
+    description: "PostHog product analytics and feature flags",
+    workflowSkill: `# PostHog Workflow\n\n## Common Tasks\n- Query insights\n- Manage feature flags\n- Check session recordings\n`,
+  },
+  grafana: {
+    package: "mcp-server-grafana",
+    envVars: ["GRAFANA_URL", "GRAFANA_SERVICE_ACCOUNT_TOKEN"],
+    description: "Grafana dashboards, alerts, datasources",
+    workflowSkill: `# Grafana Workflow\n\n## Common Tasks\n- Query dashboards\n- Check alert status\n- Search metrics\n`,
+  },
+  openai: {
+    package: "mcp-server-openai",
+    envVars: ["OPENAI_API_KEY"],
+    description: "OpenAI API — completions, embeddings, fine-tuning",
+    workflowSkill: `# OpenAI Workflow\n\n## Common Tasks\n- List fine-tuned models\n- Check usage and billing\n- Manage vector stores\n`,
+  },
+  "github-actions": {
+    package: "mcp-server-github-actions",
+    envVars: ["GITHUB_TOKEN"],
+    description: "GitHub Actions workflow runs and artifacts",
+    workflowSkill: `# GitHub Actions Workflow\n\n## Common Tasks\n- List workflow runs\n- Check job logs\n- Re-trigger failed runs\n- Download artifacts\n`,
+  },
+  mailchimp: {
+    package: "mcp-server-mailchimp",
+    envVars: ["MAILCHIMP_API_KEY"],
+    description: "Mailchimp email campaigns and audience management",
+    workflowSkill: `# Mailchimp Workflow\n\n## Common Tasks\n- List campaigns\n- Check campaign stats\n- Manage audience segments\n`,
+  },
+  intercom: {
+    package: "mcp-server-intercom",
+    envVars: ["INTERCOM_ACCESS_TOKEN"],
+    description: "Intercom customer messaging and support",
+    workflowSkill: `# Intercom Workflow\n\n## Common Tasks\n- List conversations\n- Search contacts\n- Send messages\n`,
+  },
+  zendesk: {
+    package: "mcp-server-zendesk",
+    envVars: ["ZENDESK_SUBDOMAIN", "ZENDESK_EMAIL", "ZENDESK_TOKEN"],
+    description: "Zendesk tickets, users, organizations",
+    workflowSkill: `# Zendesk Workflow\n\n## Common Tasks\n- List open tickets\n- Update ticket status\n- Search users\n`,
+  },
+```
+- [ ] **Step 5: Run tests**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | tail -15
+```
+Expected: all tests pass including 4 new wire tests (count ≥ 40, vercel/stripe/supabase present).
+- [ ] **Step 6: Commit**
+```bash
+cd /home/stefan/projekte/forgehive
+git add src/wire.ts test/wire.test.ts
+git commit -m "feat: expand wire services from 10 to 40 — vercel, stripe, supabase, aws, k8s + 20 more"
+```
+---
+## Task 8: Wire credential validation
+**Files:**
+- Modify: `src/wire.ts` (export `WireValidationResult` type + `validateWireService()`)
+- Modify: `src/cli.ts` (show validation after `fh wire <service>`)
+- Modify: `test/wire.test.ts`
+- [ ] **Step 1: Add tests to `test/wire.test.ts`**
+Add a new `describe` block at the end of the test file:
+```typescript
+describe("validateWireService()", () => {
+  it("gibt ready: true zurück wenn alle ENV-Vars gesetzt sind", () => {
+    const originalEnv = process.env.LINEAR_API_KEY;
+    process.env.LINEAR_API_KEY = "test-key";
+    const result = validateWireService("linear");
+    assert.strictEqual(result.ready, true);
+    assert.ok(result.present.includes("LINEAR_API_KEY"));
+    assert.strictEqual(result.missing.length, 0);
+    if (originalEnv === undefined) {
+      delete process.env.LINEAR_API_KEY;
+    } else {
+      process.env.LINEAR_API_KEY = originalEnv;
+    }
+  });
+  it("gibt ready: false zurück wenn ENV-Vars fehlen", () => {
+    const original = process.env.LINEAR_API_KEY;
+    delete process.env.LINEAR_API_KEY;
+    const result = validateWireService("linear");
+    assert.strictEqual(result.ready, false);
+    assert.ok(result.missing.includes("LINEAR_API_KEY"));
+    if (original !== undefined) process.env.LINEAR_API_KEY = original;
+  });
+  it("wirft Fehler für unbekannten Service", () => {
+    assert.throws(
+      () => validateWireService("nonexistent-service"),
+      /Unbekannter Service/
+    );
+  });
+});
+```
+- [ ] **Step 2: Run failing test**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | grep "validateWire\|Error" | head -10
+```
+Expected: `TypeError: validateWireService is not a function`
+- [ ] **Step 3: Add `validateWireService` to `src/wire.ts`**
+Add type and function at the end of `src/wire.ts`, before the closing of the file:
+```typescript
+export interface WireValidationResult {
+  service: string;
+  ready: boolean;
+  present: string[];
+  missing: string[];
+}
+export function validateWireService(service: string): WireValidationResult {
+  if (!SERVICES[service]) {
+    throw new Error(`Unbekannter Service: ${service}`);
+  }
+  const envVars = SERVICES[service].envVars;
+  const present = envVars.filter(v => !!process.env[v]);
+  const missing = envVars.filter(v => !process.env[v]);
+  return { service, ready: missing.length === 0, present, missing };
+}
+```
+- [ ] **Step 4: Update `src/cli.ts` wire handler to show validation**
+In `src/cli.ts`, import the new function:
+```typescript
+import { wireService, listWireServices, validateWireService } from "./wire.ts";
+```
+In the `wire` command handler, after the `wireService(...)` call and its log messages, add:
+```typescript
+    const validation = validateWireService(service);
+    if (validation.ready) {
+      console.log(`✓ Credentials: alle ENV-Vars gesetzt`);
+    } else {
+      console.log(`\n⚠ Fehlende ENV-Vars (Service nicht bereit):`);
+      for (const v of validation.missing) {
+        console.log(`  export ${v}="<your-key>"`);
+      }
+    }
+```
+- [ ] **Step 5: Run tests**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | tail -15
+```
+Expected: all tests pass including 3 new validation tests.
+- [ ] **Step 6: Commit**
+```bash
+cd /home/stefan/projekte/forgehive
+git add src/wire.ts src/cli.ts test/wire.test.ts
+git commit -m "feat: wire credential validation — shows missing ENV vars after fh wire <service>"
+```
+---
+## Task 9: Version bump + CLAUDE.md block update
+**Files:**
+- Modify: `package.json`
+- Modify: `forgehive/templates/claude-md.block.md` (integrate all new sections cleanly)
+- Run: `npm run build`
+- [ ] **Step 1: Bump version in `package.json`**
+Change:
+```json
+"version": "0.3.0",
+```
+To:
+```json
+"version": "0.4.0",
+```
+- [ ] **Step 2: Rewrite `forgehive/templates/claude-md.block.md` with all new sections**
+Replace the entire file with:
+```markdown
+## forgehive
+This project uses **forgehive** for structured AI-assisted development.
+### Session Start (Required)
+1. Read `.forgehive/capabilities.yaml`
+   - If `status: draft` → tell the user: "Run `fh confirm` to activate capabilities."
+   - If `status: confirmed` → load silently and apply throughout the session
+2. Read `.forgehive/memory/MEMORY.md` — follow the index links to load project context
+3. Run `fh scan --check` to verify the stack snapshot is current
+### During the Session
+- Only suggest tools and libraries listed in `capabilities.yaml`
+- If a capability has a `check` field: verify it before use
+- If a capability has a `fulfill` field and the check fails: fulfill it
+- At session end: append brief notes to `.forgehive/state/YYYY-MM-DD.md`
+- If you learn something non-obvious about the project, offer to persist it to memory
+### Skills — Progressive Loading
+Before starting a technical task, read `.forgehive/skills/INDEX.yaml` to find relevant skills.
+Load only the skills matching your current task — not all skills at once.
+Examples:
+- Working with TypeScript types → load `expert/typescript-patterns.md`
+- Database migration → load `expert/database-patterns.md`
+- Reviewing a PR → load `expert/code-review.md`
+- Security review → load `expert/security-checklist.md`
+- Performance issue → load `expert/performance-patterns.md`
+### Workflow Commands
+ForgeHive installs slash commands in `.claude/commands/`:
+- `/fh-start-task` — start a new feature branch with full context loaded
+- `/fh-ship` — pre-ship checklist: tests, diff review, PR draft
+- `/fh-review` — structured code review using the review skill
+- `/fh-hotfix` — minimal hotfix protocol (< 50 lines rule)
+### Agent Memory
+Each agent has persistent memory in `.forgehive/agents/memory/<name>.md`.
+Before activating a party set, read the relevant agent memory files.
+Update memory files when agents make significant decisions.
+Format: `[YYYY-MM-DD] <decision or learned context>`
+### Party Mode
+Slash commands auto-configured by forgehive:
+- `/party` — activate build agents (Viktor + Kai + Sam)
+- `/design-party` — activate design agents (Suki + Viktor)
+- `/review-party` — activate review agents (Kai + Sam + Eli)
+- `/full-party` — activate all agents
+### Prohibited
+- Writing to paths outside the project root
+- Modifying `.forgehive/scan-result.yaml` manually
+- Skipping the session-start capability and memory check
+- Suggesting tools not in `capabilities.yaml` without explicitly noting the deviation
+- Activating party agents without reading their memory files first
+```
+- [ ] **Step 3: Run full test suite**
+```bash
+cd /home/stefan/projekte/forgehive && npm test 2>&1 | tail -20
+```
+Expected: all tests pass (should be ~120+ tests across all files).
+- [ ] **Step 4: Build binary**
+```bash
+cd /home/stefan/projekte/forgehive && npm run build
+```
+Expected: `dist/cli.js` rebuilt, no errors.
+- [ ] **Step 5: Run typecheck**
+```bash
+cd /home/stefan/projekte/forgehive && npm run typecheck
+```
+Expected: 0 errors.
+- [ ] **Step 6: Commit**
+```bash
+cd /home/stefan/projekte/forgehive
+git add package.json forgehive/templates/claude-md.block.md dist/cli.js
+git commit -m "chore: bump version to 0.4.0, update CLAUDE.md block with all NextGen sections"
+```
+---
+## Self-Review
+**Spec coverage:**
+| Feature | Task |
+|---|---|
+| `fh status` health dashboard | Task 1 ✓ |
+| `fh watch` filesystem watcher | Task 2 ✓ |
+| Guardrail hooks | Task 3 ✓ |
+| Workflow slash commands | Task 4 ✓ |
+| Skills INDEX + progressive loading | Task 5 ✓ |
+| Agent memory persistence | Task 6 ✓ |
+| 40 MCP services | Task 7 ✓ |
+| Wire credential validation | Task 8 ✓ |
+| Version bump + block update | Task 9 ✓ |
+**Type consistency check:**
+- `WireValidationResult` defined in Task 8 `wire.ts` and imported in `cli.ts` ✓
+- `checkProjectHash` exported from `watch.ts`, imported in `cli.ts` via `watchProject` ✓
+- `writeGuardrailHooks` exported from `guardrails.ts`, imported in `writer.ts` ✓
+- `projectStatus` exported from `status.ts`, imported in `cli.ts` ✓
+**No placeholders:** All code blocks contain full implementations. All test files have full test code. ✓
+**Deferred (Plan 4):** Multi-model router (`fh router`) — separate subsystem, own plan.