recall-os 0.2.0 → 0.2.1

package/dist/cli.js

@@ -1230,111 +1230,31 @@ function createDefaultConfig(overrides = {}) {
   });
 }
 
-// src/core/adopt/generate-adoption.ts
-var ADOPTION_REPORT_PATH = "docs/adopt/ADOPTION_REPORT.md";
-function generateAdoptionFiles(options) {
-  const files = [
-    {
-      path: ADOPTION_REPORT_PATH,
-      content: renderReport(options.adrDir, options.signals)
-    }
-  ];
-  for (const framework of options.signals.frameworks) {
-    files.push({
-      path: `${options.adrDir}/proposed/ADR-PROPOSED-adopt-${frameworkSlug(framework)}.md`,
-      content: renderProposedAdr(framework)
-    });
-  }
-  return files;
-}
-function renderReport(adrDir, signals) {
-  return `# Adoption Report
-
-## Status
-
-Proposed. Everything below is inferred from this repository and requires human review. Nothing here
-is accepted repository memory until you accept it.
-
-## Detected Signals
-
-- Languages: ${formatList(signals.languages)}
-- Package manager: ${signals.packageManager ?? "none detected"}
-- Frameworks: ${formatList(signals.frameworks)}
-- Tests present: ${formatBool(signals.hasTests)}
-- README present: ${formatBool(signals.hasReadme)}
-- Docs folder present: ${formatBool(signals.hasDocs)}
-
-## Proposed Decisions
-
-${renderProposedDecisions(adrDir, signals)}
-
-## Review Checklist
-
-- [ ] Confirm the detected languages and package manager.
-- [ ] Accept or reject each proposed framework ADR under \`${adrDir}/proposed/\`.
-- [ ] Run \`recall init\` to establish neutral repository memory if it does not exist yet.
-- [ ] Record any decision you accept with \`recall adr create\` or by accepting the proposed ADR.
-
-## Notes
-
-This report was produced by \`recall adopt\` through read-only inspection of manifest and marker
-files. No repository code was executed and no decision was accepted automatically.
-`;
-}
-function renderProposedDecisions(adrDir, signals) {
-  if (signals.frameworks.length === 0) {
-    return "- No framework decisions were inferred. Add decisions with `recall adr create` as needed.";
-  }
-  return signals.frameworks.map(
-    (framework) => `- Proposed: record **${framework}** as an architecture decision (see \`${adrDir}/proposed/ADR-PROPOSED-adopt-${frameworkSlug(framework)}.md\`). Requires review.`
-  ).join("\n");
-}
-function renderProposedAdr(framework) {
-  return `# Proposed ADR: Use ${framework}
-
-## Status
-
-Proposed
-
-## Context
-
-\`recall adopt\` detected ${framework} in this repository through read-only inspection.
-
-## Decision
-
-Consider recording ${framework} as an accepted architecture decision. This is proposed by adoption
-and is not accepted until a human reviews and accepts it.
-
-## Alternatives Considered
-
-- Record a different framework.
-- Leave the decision unrecorded for now.
-
-## Consequences
-
-- Captures a framework already in use as reviewable repository memory.
-- Requires explicit human acceptance before it becomes repository truth.
-
-## Related Documents
-
-- \`docs/10-architecture/ARCHITECTURE.md\` \u2014 record the accepted architecture here once promoted.
-- The adoption report generated alongside this proposal.
-`;
-}
-function frameworkSlug(framework) {
-  return framework.toLowerCase().replace(/\./gu, "").replace(/[^a-z0-9]+/gu, "-").replace(/^-+|-+$/gu, "");
-}
-function formatList(values) {
-  return values.length > 0 ? values.join(", ") : "none detected";
-}
-function formatBool(value) {
-  return value ? "yes" : "no";
-}
-
 // src/core/adopt/inspect-repo.ts
 import { existsSync as existsSync3 } from "fs";
-import { readFile as readFile3 } from "fs/promises";
+import { readFile as readFile3, readdir as readdir4 } from "fs/promises";
 import path6 from "path";
+var FRAMEWORK_SOURCES = {
+  "Next.js": "package.json",
+  React: "package.json",
+  NestJS: "package.json",
+  Express: "package.json",
+  FastAPI: "pyproject.toml / requirements.txt",
+  Flask: "pyproject.toml / requirements.txt",
+  Django: "pyproject.toml / requirements.txt",
+  Gin: "go.mod",
+  Echo: "go.mod",
+  Fiber: "go.mod",
+  Chi: "go.mod",
+  "Spring Boot": "pom.xml / build.gradle",
+  "Actix Web": "Cargo.toml",
+  Axum: "Cargo.toml",
+  Rocket: "Cargo.toml",
+  Laravel: "composer.json",
+  Symfony: "composer.json",
+  "Ruby on Rails": "Gemfile",
+  Flutter: "pubspec.yaml"
+};
 async function inspectRepo(rootDir) {
   const has = (relativePath) => existsSync3(path6.join(rootDir, relativePath));
   const languages = /* @__PURE__ */ new Set();
@@ -1368,6 +1288,22 @@ async function inspectRepo(rootDir) {
     languages.add("Dart");
     frameworks.add("Flutter");
   }
+  if (has("composer.json")) {
+    languages.add("PHP");
+    const composer = (await readText(rootDir, "composer.json")).toLowerCase();
+    if (composer.includes("laravel/framework")) {
+      frameworks.add("Laravel");
+    } else if (composer.includes("symfony/")) {
+      frameworks.add("Symfony");
+    }
+  }
+  if (has("Gemfile")) {
+    languages.add("Ruby");
+    const gemfile = (await readText(rootDir, "Gemfile")).toLowerCase();
+    if (gemfile.includes("rails")) {
+      frameworks.add("Ruby on Rails");
+    }
+  }
   const deps = collectDependencies(pkg);
   if ("next" in deps) {
     frameworks.add("Next.js");
@@ -1413,25 +1349,147 @@ async function inspectRepo(rootDir) {
       frameworks.add("Rocket");
     }
   }
-  let packageManager = null;
-  if (has("pnpm-lock.yaml")) {
-    packageManager = "pnpm";
-  } else if (has("yarn.lock")) {
-    packageManager = "yarn";
-  } else if (has("package-lock.json")) {
-    packageManager = "npm";
-  }
+  const [packageManager, packageManagerSource] = detectPackageManager(has);
   const scripts = pkg !== null && isRecord(pkg.scripts) ? pkg.scripts : {};
-  const hasTests = "test" in scripts || has("test") || has("tests") || has("__tests__") || has("pytest.ini") || python.includes("pytest");
+  const testsEvidence = await detectTestsEvidence(rootDir, has, "test" in scripts, python);
   return {
     languages: [...languages],
     packageManager,
+    packageManagerSource,
     frameworks: [...frameworks],
-    hasTests,
+    hasTests: testsEvidence !== null,
+    testsEvidence,
     hasReadme: has("README.md") || has("README"),
     hasDocs: has("docs")
   };
 }
+function summarizeSignals(signals) {
+  const lines = [];
+  lines.push(`- Languages: ${formatList(signals.languages)}`);
+  lines.push(
+    signals.packageManager === null ? "- Package manager: none detected" : `- Package manager: ${signals.packageManager}${signals.packageManagerSource === null ? "" : ` (from \`${signals.packageManagerSource}\`)`}`
+  );
+  if (signals.frameworks.length === 0) {
+    lines.push("- Frameworks: none detected");
+  } else {
+    const withSource = signals.frameworks.map((framework) => {
+      const source = FRAMEWORK_SOURCES[framework];
+      return source === void 0 ? framework : `${framework} (from \`${source}\`)`;
+    });
+    lines.push(`- Frameworks: ${withSource.join(", ")}`);
+  }
+  lines.push(
+    signals.testsEvidence === null ? "- Tests: none detected \u2014 if tests exist, point Recall at them by correcting this report" : `- Tests: detected via ${signals.testsEvidence}`
+  );
+  lines.push(`- README present: ${signals.hasReadme ? "yes" : "no"}`);
+  lines.push(`- Docs folder present: ${signals.hasDocs ? "yes" : "no"}`);
+  return lines;
+}
+function formatList(values) {
+  return values.length === 0 ? "none detected" : values.join(", ");
+}
+function detectPackageManager(has) {
+  const candidates = [
+    [has("go.mod"), "Go modules", "go.mod"],
+    [has("Cargo.toml"), "Cargo", "Cargo.toml"],
+    [has("pom.xml"), "Maven", "pom.xml"],
+    [has("build.gradle"), "Gradle", "build.gradle"],
+    [has("build.gradle.kts"), "Gradle", "build.gradle.kts"],
+    [has("composer.json"), "Composer", "composer.json"],
+    [has("Gemfile"), "Bundler", "Gemfile"],
+    [has("Package.swift"), "Swift Package Manager", "Package.swift"],
+    [has("pubspec.yaml"), "pub", "pubspec.yaml"],
+    [has("uv.lock"), "uv", "uv.lock"],
+    [has("poetry.lock"), "Poetry", "poetry.lock"],
+    [has("requirements.txt"), "pip", "requirements.txt"],
+    [has("pyproject.toml"), "pip", "pyproject.toml"],
+    [has("pnpm-lock.yaml"), "pnpm", "pnpm-lock.yaml"],
+    [has("yarn.lock"), "yarn", "yarn.lock"],
+    [has("package-lock.json"), "npm", "package-lock.json"],
+    [has("package.json"), "npm", "package.json"]
+  ];
+  for (const [present, name, source] of candidates) {
+    if (present) {
+      return [name, source];
+    }
+  }
+  return [null, null];
+}
+async function detectTestsEvidence(rootDir, has, hasTestScript, pythonText) {
+  if (has("tests")) {
+    return "`tests/` directory";
+  }
+  if (has("test")) {
+    return "`test/` directory";
+  }
+  if (has("__tests__")) {
+    return "`__tests__/` directory";
+  }
+  if (has("pytest.ini") || pythonText.includes("pytest")) {
+    return "pytest configuration";
+  }
+  if (has("phpunit.xml") || has("phpunit.xml.dist")) {
+    return "PHPUnit configuration";
+  }
+  if (hasTestScript) {
+    return '`"test"` script in package.json';
+  }
+  const testFile = await findTestFile(rootDir);
+  if (testFile !== null) {
+    return `\`${testFile}\``;
+  }
+  return null;
+}
+var TEST_FILE_PATTERNS = [
+  /_test\.go$/u,
+  /\.(test|spec)\.[cm]?[jt]sx?$/u,
+  /^test_.+\.py$/u,
+  /_test\.py$/u,
+  /.+Tests?\.(java|kt)$/u,
+  /.+Test\.php$/u,
+  /_spec\.rb$/u,
+  /_test\.rb$/u
+];
+var TEST_WALK_SKIP_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  "vendor",
+  "dist",
+  "build",
+  "target",
+  "coverage",
+  "Pods",
+  "__pycache__"
+]);
+async function findTestFile(rootDir) {
+  let budget = 4e3;
+  const stack = [rootDir];
+  while (stack.length > 0 && budget > 0) {
+    const dir = stack.pop();
+    if (dir === void 0) {
+      break;
+    }
+    let entries;
+    try {
+      entries = await readdir4(dir, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      budget -= 1;
+      if (budget <= 0) {
+        break;
+      }
+      if (entry.isDirectory()) {
+        if (!TEST_WALK_SKIP_DIRS.has(entry.name) && !entry.name.startsWith(".")) {
+          stack.push(path6.join(dir, entry.name));
+        }
+      } else if (TEST_FILE_PATTERNS.some((pattern) => pattern.test(entry.name))) {
+        return path6.relative(rootDir, path6.join(dir, entry.name));
+      }
+    }
+  }
+  return null;
+}
 function collectDependencies(pkg) {
   if (pkg === null) {
     return {};
@@ -1459,6 +1517,100 @@ function isRecord(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
+// src/core/adopt/generate-adoption.ts
+var ADOPTION_REPORT_PATH = "docs/adopt/ADOPTION_REPORT.md";
+function generateAdoptionFiles(options) {
+  const files = [
+    {
+      path: ADOPTION_REPORT_PATH,
+      content: renderReport(options.adrDir, options.signals)
+    }
+  ];
+  for (const framework of options.signals.frameworks) {
+    files.push({
+      path: `${options.adrDir}/proposed/ADR-PROPOSED-adopt-${frameworkSlug(framework)}.md`,
+      content: renderProposedAdr(framework)
+    });
+  }
+  return files;
+}
+function renderReport(adrDir, signals) {
+  return `# Adoption Report
+
+## Status
+
+Proposed. Everything below is inferred from this repository and requires human review. Nothing here
+is accepted repository memory until you accept it.
+
+## Detected Signals
+
+Each signal notes the file it was inferred from. If one is wrong, correct the source or edit this
+report \u2014 nothing here is accepted.
+
+${summarizeSignals(signals).join("\n")}
+
+## Proposed Decisions
+
+${renderProposedDecisions(adrDir, signals)}
+
+## Review Checklist
+
+- [ ] Confirm the detected languages and package manager (and the source each was read from).
+- [ ] Confirm where tests were detected, or point Recall at the right location if it is wrong.
+- [ ] Accept or reject each proposed framework ADR under \`${adrDir}/proposed/\`.
+- [ ] Run \`recall init\` to establish neutral repository memory if it does not exist yet.
+- [ ] Record any decision you accept with \`recall adr create\` or by accepting the proposed ADR.
+
+## Notes
+
+This report was produced by \`recall adopt\` through read-only inspection of manifest and marker
+files. No repository code was executed and no decision was accepted automatically.
+`;
+}
+function renderProposedDecisions(adrDir, signals) {
+  if (signals.frameworks.length === 0) {
+    return "- No framework decisions were inferred. Add decisions with `recall adr create` as needed.";
+  }
+  return signals.frameworks.map(
+    (framework) => `- Proposed: record **${framework}** as an architecture decision (see \`${adrDir}/proposed/ADR-PROPOSED-adopt-${frameworkSlug(framework)}.md\`). Requires review.`
+  ).join("\n");
+}
+function renderProposedAdr(framework) {
+  return `# Proposed ADR: Use ${framework}
+
+## Status
+
+Proposed
+
+## Context
+
+\`recall adopt\` detected ${framework} in this repository through read-only inspection.
+
+## Decision
+
+Consider recording ${framework} as an accepted architecture decision. This is proposed by adoption
+and is not accepted until a human reviews and accepts it.
+
+## Alternatives Considered
+
+- Record a different framework.
+- Leave the decision unrecorded for now.
+
+## Consequences
+
+- Captures a framework already in use as reviewable repository memory.
+- Requires explicit human acceptance before it becomes repository truth.
+
+## Related Documents
+
+- \`docs/10-architecture/ARCHITECTURE.md\` \u2014 record the accepted architecture here once promoted.
+- The adoption report generated alongside this proposal.
+`;
+}
+function frameworkSlug(framework) {
+  return framework.toLowerCase().replace(/\./gu, "").replace(/[^a-z0-9]+/gu, "-").replace(/^-+|-+$/gu, "");
+}
+
 // src/commands/adopt.ts
 var AdoptError = class extends Error {
   code;
@@ -1532,7 +1684,7 @@ function formatList2(values) {
 
 // src/core/doctor/checks/code-reference-check.ts
 import { existsSync as existsSync4 } from "fs";
-import { readFile as readFile4, readdir as readdir4 } from "fs/promises";
+import { readFile as readFile4, readdir as readdir5 } from "fs/promises";
 import path7 from "path";
 var featureFolderPattern = /^F-\d{3,}-[a-z0-9]+(?:-[a-z0-9]+)*$/u;
 var FEATURE_DOCS = ["PRD.md", "ARCHITECTURE_IMPACT.md"];
@@ -1592,7 +1744,7 @@ async function checkDoc(rootDir, relativePath) {
 }
 async function readDirIfExists(rootDir, relativePath) {
   try {
-    return await readdir4(path7.join(rootDir, relativePath), { withFileTypes: true });
+    return await readdir5(path7.join(rootDir, relativePath), { withFileTypes: true });
   } catch (error) {
     const nodeError = error;
     if (nodeError.code === "ENOENT") {
@@ -1682,9 +1834,12 @@ async function checkConfig(rootDir) {
 }
 
 // src/core/doctor/checks/content-check.ts
-import { readFile as readFile6, readdir as readdir5 } from "fs/promises";
+import { readFile as readFile6, readdir as readdir6 } from "fs/promises";
 import path8 from "path";
 var featureFolderPattern2 = /^F-\d{3,}-[a-z0-9]+(?:-[a-z0-9]+)*$/u;
+var acceptedAdrPattern = /^ADR-\d{4,}-[a-z0-9]+(?:-[a-z0-9]+)*\.md$/u;
+var SECURITY_MODEL_PATH = "docs/20-security/SECURITY_MODEL.md";
+var THREAT_MODEL_PATH = "docs/20-security/THREAT_MODEL.md";
 async function checkContent(context) {
   if (context.config === void 0) {
     return [];
@@ -1719,6 +1874,14 @@ async function checkContent(context) {
   }
   const moduleEntries = await readDirIfExists2(context.rootDir, context.config.modulesDir);
   const moduleFolders = moduleEntries.filter((entry) => entry.isDirectory());
+  const adrEntries = await readDirIfExists2(context.rootDir, context.config.adrDir);
+  const acceptedAdrs = adrEntries.filter(
+    (entry) => entry.isFile() && acceptedAdrPattern.test(entry.name)
+  );
+  const hasWork = featureFolders.length > 0 || moduleFolders.length > 0 || acceptedAdrs.length > 0;
+  if (hasWork) {
+    findings.push(...await checkSecurityDoc(context.rootDir));
+  }
   for (const folder of moduleFolders) {
     const modulePath = path8.posix.join(context.config.modulesDir, folder.name, "MODULE.md");
     const moduleDoc = await readFileIfExists2(context.rootDir, modulePath);
@@ -1744,6 +1907,28 @@ async function checkContent(context) {
   }
   return findings;
 }
+async function checkSecurityDoc(rootDir) {
+  const findings = [];
+  const security = await readFileIfExists2(rootDir, SECURITY_MODEL_PATH);
+  if (security !== void 0 && sectionIsUnfilled(security, "Authentication And Authorization")) {
+    findings.push({
+      severity: "warning",
+      check: "content-security",
+      message: "Security model authentication and authorization section is still an unfilled template.",
+      path: SECURITY_MODEL_PATH
+    });
+  }
+  const threat = await readFileIfExists2(rootDir, THREAT_MODEL_PATH);
+  if (threat !== void 0 && sectionIsUnfilled(threat, "Assets")) {
+    findings.push({
+      severity: "warning",
+      check: "content-threat-model",
+      message: "Threat model assets section is still an unfilled template.",
+      path: THREAT_MODEL_PATH
+    });
+  }
+  return findings;
+}
 function sectionIsUnfilled(content, heading) {
   const section = getSection(content, heading);
   return section !== void 0 && isUnfilled(section);
@@ -1756,7 +1941,7 @@ function isUnfilled(value) {
   if (normalized === "tbd" || normalized === "todo" || normalized === "pending" || normalized === "none" || normalized === "n/a") {
     return true;
   }
-  return normalized.includes("describe why this feature exists") || normalized.includes("describe what this module owns");
+  return normalized.includes("describe why this feature exists") || normalized.includes("describe what this module owns") || normalized.includes("describe how this repository authenticates") || normalized.includes("describe what this repository must protect");
 }
 function getSection(content, heading) {
   const lines = content.split(/\r?\n/u);
@@ -1776,7 +1961,7 @@ function getSection(content, heading) {
 }
 async function readDirIfExists2(rootDir, relativePath) {
   try {
-    return await readdir5(path8.join(rootDir, relativePath), { withFileTypes: true });
+    return await readdir6(path8.join(rootDir, relativePath), { withFileTypes: true });
   } catch (error) {
     const nodeError = error;
     if (nodeError.code === "ENOENT") {
@@ -1798,7 +1983,7 @@ async function readFileIfExists2(rootDir, relativePath) {
 }
 
 // src/core/doctor/checks/drift-check.ts
-import { readFile as readFile7, readdir as readdir6 } from "fs/promises";
+import { readFile as readFile7, readdir as readdir7 } from "fs/promises";
 import path9 from "path";
 var adrFilePattern = /^ADR-(\d{4,})-[a-z0-9]+(?:-[a-z0-9]+)*\.md$/iu;
 var adrReferencePattern = /ADR-\d{4,}/giu;
@@ -1902,7 +2087,7 @@ function getSection2(content, heading) {
 }
 async function readDirIfExists3(rootDir, relativePath) {
   try {
-    return await readdir6(path9.join(rootDir, relativePath), { withFileTypes: true });
+    return await readdir7(path9.join(rootDir, relativePath), { withFileTypes: true });
   } catch (error) {
     const nodeError = error;
     if (nodeError.code === "ENOENT") {
@@ -1913,7 +2098,7 @@ async function readDirIfExists3(rootDir, relativePath) {
 }
 
 // src/core/doctor/checks/memory-integrity-check.ts
-import { lstat as lstat2, readFile as readFile8, readdir as readdir7 } from "fs/promises";
+import { lstat as lstat2, readFile as readFile8, readdir as readdir8 } from "fs/promises";
 import path10 from "path";
 
 // src/core/adr/adr-sections.ts
@@ -2047,7 +2232,7 @@ async function checkAdrFiles(rootDir, adrDir) {
 }
 async function readDirIfExists4(rootDir, relativePath) {
   try {
-    return await readdir7(path10.join(rootDir, relativePath), { withFileTypes: true });
+    return await readdir8(path10.join(rootDir, relativePath), { withFileTypes: true });
   } catch (error) {
     const nodeError = error;
     if (nodeError.code === "ENOENT") {
@@ -2158,7 +2343,7 @@ function missingFile(pathValue, check) {
 }
 
 // src/core/doctor/checks/standards-check.ts
-import { lstat as lstat4, readFile as readFile9, readdir as readdir8 } from "fs/promises";
+import { lstat as lstat4, readFile as readFile9, readdir as readdir9 } from "fs/promises";
 import path12 from "path";
 var featureFolderPattern4 = /^F-\d{3,}-[a-z0-9]+(?:-[a-z0-9]+)*$/u;
 var adrFilePattern3 = /^ADR-\d{4,}-[a-z0-9]+(?:-[a-z0-9]+)*\.md$/u;
@@ -2317,7 +2502,7 @@ function isPlaceholder(value) {
 }
 async function readDirIfExists5(rootDir, relativePath) {
   try {
-    return await readdir8(path12.join(rootDir, relativePath), { withFileTypes: true });
+    return await readdir9(path12.join(rootDir, relativePath), { withFileTypes: true });
   } catch (error) {
     const nodeError = error;
     if (nodeError.code === "ENOENT") {
@@ -2591,26 +2776,78 @@ Default behavior:
     path: "docs/20-security/SECURITY_MODEL.md",
     content: `# Security Model
 
-## Current Status
+## Status
 
-Draft.
+Draft \u2014 fill the prompted sections below with this repository's real model as it grows. \`recall doctor\`
+flags these as warnings once the repository has real work (a feature, module, or accepted decision).
 
 ## Baseline Rules
 
-- Do not commit secrets.
-- Do not read or copy \`.env\` files into docs.
+- Never commit secrets or credentials, and never read or copy \`.env\` files into docs.
+- Validate and authorize untrusted input at every trust boundary.
 - Do not add network, telemetry, cloud, MCP runtime, or AI API behavior without explicit review.
+
+## Authentication And Authorization
+
+Describe how this repository authenticates users or clients and how it authorizes actions, including
+where those checks live.
+
+## Secrets And Configuration
+
+Describe where secrets live, how they are injected, and how configuration is kept out of version
+control.
+
+## Sensitive Data
+
+Describe the sensitive or personal data this repository handles, and how it is protected at rest and
+in transit.
+
+## Dependencies And Supply Chain
+
+Describe how third-party dependencies are vetted, pinned, and updated.
 `
   },
   {
     path: "docs/20-security/THREAT_MODEL.md",
     content: `# Threat Model
 
-## Current Status
+## Status
 
-Draft.
+Draft \u2014 replace the prompts below with this repository's real analysis as it grows. \`recall doctor\`
+flags these as warnings once the repository has real work (a feature, module, or accepted decision).
+
+## Assets
+
+Describe what this repository must protect: user data, credentials, money, availability, or
+reputation.
+
+## Entry Points
+
+Describe where untrusted input enters: HTTP endpoints, webhooks, file uploads, queues, CLI input, or
+third-party callbacks.
 
-Track repository-specific risks here as the project evolves.
+## Trust Boundaries
+
+Describe where trust changes: client to server, service to database, your code to third-party APIs.
+
+## Threats
+
+Describe the concrete threats that apply to this repository, by category:
+
+- Spoofing \u2014 how identities are faked or sessions stolen.
+- Tampering \u2014 how requests, data, or builds are altered (injection, mass assignment).
+- Repudiation \u2014 actions that must remain auditable.
+- Information disclosure \u2014 how sensitive data or secrets could leak.
+- Denial of service \u2014 how the system can be overwhelmed or abused.
+- Elevation of privilege \u2014 how a user could gain access they should not have.
+
+## Mitigations
+
+Describe the control in place or planned for each threat above.
+
+## Open Risks
+
+Describe accepted or unresolved risks and who owns them.
 `
   },
   {
@@ -2940,12 +3177,12 @@ async function detectPreCommitGates(rootDir) {
   if (typeof scripts !== "object" || scripts === null) {
     return [];
   }
-  const packageManager = detectPackageManager(rootDir);
+  const packageManager = detectPackageManager2(rootDir);
   return KNOWN_SCRIPTS.filter((script) => typeof scripts[script] === "string").map(
     (script) => `${packageManager} run ${script}`
   );
 }
-function detectPackageManager(rootDir) {
+function detectPackageManager2(rootDir) {
   if (existsSync5(path14.join(rootDir, "pnpm-lock.yaml"))) {
     return "pnpm";
   }
@@ -5156,6 +5393,7 @@ async function initProject(options) {
     );
   }
   const preset = resolvePreset(options.preset);
+  const detected = await inspectRepo(options.rootDir);
   const preCommitGates = await detectPreCommitGates(options.rootDir);
   const config = createDefaultConfig({ preset: preset?.id ?? null, preCommitGates });
   const files = createInitWriteFiles(options.rootDir, config, preset);
@@ -5176,7 +5414,8 @@ async function initProject(options) {
     preset: preset?.id ?? null,
     dryRun: options.dryRun ?? false,
     plan,
-    writeResult
+    writeResult,
+    detected
   };
 }
 function formatInitResult(result) {
@@ -5193,6 +5432,7 @@ function formatInitResult(result) {
     dryRun: result.dryRun,
     writeResult: result.writeResult
   });
+  appendDetectedStack(lines, result.detected);
   const hookWritten = result.writeResult.created.includes(PRE_COMMIT_HOOK_PATH) || result.writeResult.overwritten.includes(PRE_COMMIT_HOOK_PATH);
   if (hookWritten) {
     lines.push("");
@@ -5215,6 +5455,21 @@ function formatInitResult(result) {
   return `${lines.join("\n")}
 `;
 }
+function appendDetectedStack(lines, detected) {
+  const hasSignal = detected.languages.length > 0 || detected.frameworks.length > 0 || detected.packageManager !== null || detected.testsEvidence !== null;
+  if (!hasSignal) {
+    return;
+  }
+  const stack = summarizeSignals(detected).filter(
+    (line) => !line.startsWith("- README") && !line.startsWith("- Docs")
+  );
+  lines.push("");
+  lines.push("Detected in this repository (proposed \u2014 review, nothing was accepted):");
+  lines.push(...stack);
+  lines.push(
+    "If any signal is wrong, correct the source file noted. Run `recall adopt` to record this as proposed memory."
+  );
+}
 function resolvePreset(presetId) {
   if (presetId === void 0) {
     return null;