syntropic 0.1.0

package/bin/syntropic.js

@@ -0,0 +1,59 @@
+#!/usr/bin/env node
+
+/**
+ * Syntropic CLI
+ * Philosophy-as-code development pipeline.
+ *
+ * Usage:
+ *   npx syntropic init [project-name]
+ *   npx syntropic health
+ *   npx syntropic --help
+ */
+
+const args = process.argv.slice(2);
+const command = args[0];
+
+const COMMANDS = {
+  init: () => require('../commands/init'),
+  health: () => require('../commands/health'),
+};
+
+// Version flag
+if (args.includes('--version') || args.includes('-v')) {
+  const pkg = require('../package.json');
+  console.log(pkg.version);
+  process.exit(0);
+}
+
+// Help
+if (!command || args.includes('--help') || args.includes('-h')) {
+  console.log(`
+  syntropic — Philosophy-as-code development pipeline
+
+  Usage:
+    syntropic init [project-name]   Scaffold a new project with the Syntropic pipeline
+    syntropic health                Run a local health check
+    syntropic --version             Show version
+    syntropic --help                Show this help
+
+  What you get:
+    - CLAUDE.md with Evergreen Rules (EG1-EG9) — a disciplined dev pipeline
+    - Generic agents: dev, qa, research, plan, devops, security
+    - Daily health check workflow with auto-remediation
+    - PRISM efficiency tracking methodology
+
+  Learn more: https://www.syntropicworks.com
+`);
+  process.exit(0);
+}
+
+// Run command
+if (COMMANDS[command]) {
+  const mod = COMMANDS[command]();
+  const run = mod.default || mod;
+  run(args.slice(1));
+} else {
+  console.error(`Unknown command: ${command}`);
+  console.error('Run "syntropic --help" for usage.');
+  process.exit(1);
+}

package/commands/health.js

@@ -0,0 +1,133 @@
+/**
+ * syntropic health
+ *
+ * Runs a local health check: build status, localhost refs, git state.
+ * Mirrors EG1 pre-flight loop.
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+function run() {
+  console.log('\n  syntropic health — EG1 Pre-Flight Check\n');
+
+  const checks = [];
+  let hasErrors = false;
+
+  // 1. Check CLAUDE.md exists
+  const claudeMd = path.join(process.cwd(), 'CLAUDE.md');
+  if (fs.existsSync(claudeMd)) {
+    checks.push({ name: 'CLAUDE.md', status: 'pass', detail: 'Found' });
+  } else {
+    checks.push({ name: 'CLAUDE.md', status: 'fail', detail: 'Missing — run "syntropic init"' });
+    hasErrors = true;
+  }
+
+  // 2. Check .claude directory
+  const claudeDir = path.join(process.cwd(), '.claude');
+  if (fs.existsSync(claudeDir)) {
+    const agents = fs.readdirSync(path.join(claudeDir, 'commands')).filter(f => f.endsWith('.md') && f !== 'README.md');
+    checks.push({ name: 'Agents', status: 'pass', detail: `${agents.length} agents found` });
+  } else {
+    checks.push({ name: 'Agents', status: 'warn', detail: 'No .claude directory' });
+  }
+
+  // 3. npm build check
+  const pkgJson = path.join(process.cwd(), 'package.json');
+  if (fs.existsSync(pkgJson)) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgJson, 'utf8'));
+      if (pkg.scripts && pkg.scripts.build) {
+        try {
+          execSync('npm run build', { stdio: 'pipe', timeout: 120000 });
+          checks.push({ name: 'Build', status: 'pass', detail: 'npm run build succeeded' });
+        } catch (e) {
+          checks.push({ name: 'Build', status: 'fail', detail: 'npm run build failed' });
+          hasErrors = true;
+        }
+      } else {
+        checks.push({ name: 'Build', status: 'skip', detail: 'No build script in package.json' });
+      }
+    } catch (e) {
+      checks.push({ name: 'Build', status: 'warn', detail: 'Could not parse package.json' });
+    }
+  } else {
+    checks.push({ name: 'Build', status: 'skip', detail: 'No package.json' });
+  }
+
+  // 4. Localhost grep
+  try {
+    const result = execSync(
+      'grep -r "localhost\\|127\\.0\\.0\\.1" --include="*.js" --include="*.ts" --include="*.tsx" --include="*.jsx" src/ pages/ components/ lib/ app/ 2>/dev/null || true',
+      { encoding: 'utf8', timeout: 10000 }
+    ).trim();
+
+    if (result) {
+      const lines = result.split('\n').length;
+      checks.push({ name: 'Localhost refs', status: 'warn', detail: `${lines} reference(s) found — review before deploy` });
+    } else {
+      checks.push({ name: 'Localhost refs', status: 'pass', detail: 'Clean' });
+    }
+  } catch (e) {
+    checks.push({ name: 'Localhost refs', status: 'skip', detail: 'No source directories found' });
+  }
+
+  // 5. Git status
+  try {
+    const status = execSync('git status --porcelain', { encoding: 'utf8', timeout: 5000 }).trim();
+    if (status) {
+      const files = status.split('\n').length;
+      checks.push({ name: 'Git status', status: 'warn', detail: `${files} uncommitted change(s)` });
+    } else {
+      checks.push({ name: 'Git status', status: 'pass', detail: 'Clean working tree' });
+    }
+  } catch (e) {
+    checks.push({ name: 'Git status', status: 'skip', detail: 'Not a git repository' });
+  }
+
+  // 6. npm audit
+  if (fs.existsSync(pkgJson)) {
+    try {
+      const auditJson = execSync('npm audit --json 2>/dev/null || true', { encoding: 'utf8', timeout: 30000 });
+      const audit = JSON.parse(auditJson);
+      const vulns = audit.metadata?.vulnerabilities || {};
+      const critical = vulns.critical || 0;
+      const high = vulns.high || 0;
+      const total = vulns.total || 0;
+
+      if (critical > 0) {
+        checks.push({ name: 'npm audit', status: 'fail', detail: `${total} vulnerabilities (${critical} critical, ${high} high)` });
+        hasErrors = true;
+      } else if (high > 0) {
+        checks.push({ name: 'npm audit', status: 'warn', detail: `${total} vulnerabilities (${high} high)` });
+      } else if (total > 0) {
+        checks.push({ name: 'npm audit', status: 'pass', detail: `${total} low/moderate vulnerabilities` });
+      } else {
+        checks.push({ name: 'npm audit', status: 'pass', detail: 'No vulnerabilities' });
+      }
+    } catch (e) {
+      checks.push({ name: 'npm audit', status: 'skip', detail: 'Could not run npm audit' });
+    }
+  }
+
+  // Print results
+  const icons = { pass: '  \x1b[32m✓\x1b[0m', fail: '  \x1b[31m✗\x1b[0m', warn: '  \x1b[33m!\x1b[0m', skip: '  \x1b[90m-\x1b[0m' };
+
+  for (const check of checks) {
+    console.log(`${icons[check.status]}  ${check.name}: ${check.detail}`);
+  }
+
+  const passCount = checks.filter(c => c.status === 'pass').length;
+  const failCount = checks.filter(c => c.status === 'fail').length;
+  const warnCount = checks.filter(c => c.status === 'warn').length;
+
+  console.log(`\n  ${passCount} passed, ${warnCount} warnings, ${failCount} failed\n`);
+
+  if (hasErrors) {
+    console.log('  Fix failures before deploying.\n');
+    process.exit(1);
+  }
+}
+
+module.exports = run;

package/commands/init.js

@@ -0,0 +1,146 @@
+/**
+ * syntropic init [project-name]
+ *
+ * Scaffolds a project with the Syntropic development pipeline:
+ * - CLAUDE.md with Evergreen Rules
+ * - .claude/ directory with generic agents
+ * - .github/workflows/ with health check + auto-remediation
+ * - scripts/health-check.js
+ */
+
+const fs = require('fs');
+const path = require('path');
+const readline = require('readline');
+
+const TEMPLATES_DIR = path.join(__dirname, '..', 'templates');
+
+function ask(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+function copyDir(src, dest) {
+  if (!fs.existsSync(dest)) fs.mkdirSync(dest, { recursive: true });
+
+  for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+
+    if (entry.isDirectory()) {
+      copyDir(srcPath, destPath);
+    } else {
+      // Don't overwrite existing files
+      if (fs.existsSync(destPath)) {
+        console.log(`  skip  ${path.relative(process.cwd(), destPath)} (already exists)`);
+      } else {
+        fs.copyFileSync(srcPath, destPath);
+        console.log(`  create  ${path.relative(process.cwd(), destPath)}`);
+      }
+    }
+  }
+}
+
+function replaceInFile(filePath, replacements) {
+  let content = fs.readFileSync(filePath, 'utf8');
+  for (const [key, value] of Object.entries(replacements)) {
+    content = content.replace(new RegExp(key, 'g'), value);
+  }
+  fs.writeFileSync(filePath, content, 'utf8');
+}
+
+function parseFlags(args) {
+  const flags = {};
+  const positional = [];
+  for (let i = 0; i < args.length; i++) {
+    if (args[i].startsWith('--')) {
+      const key = args[i].replace('--', '');
+      flags[key] = args[i + 1] && !args[i + 1].startsWith('--') ? args[++i] : true;
+    } else {
+      positional.push(args[i]);
+    }
+  }
+  return { flags, positional };
+}
+
+async function run(args) {
+  console.log('\n  syntropic init — Philosophy-as-code development pipeline\n');
+
+  const { flags, positional } = parseFlags(args);
+
+  // Determine target directory
+  const projectArg = positional[0];
+  let targetDir;
+
+  if (projectArg) {
+    targetDir = path.resolve(process.cwd(), projectArg);
+    if (!fs.existsSync(targetDir)) {
+      fs.mkdirSync(targetDir, { recursive: true });
+      console.log(`  Created ${projectArg}/\n`);
+    }
+  } else {
+    targetDir = process.cwd();
+  }
+
+  // Gather project info — flags override interactive prompts
+  const dirName = path.basename(targetDir);
+  const isInteractive = process.stdin.isTTY !== false && !flags.yes;
+
+  const projectName = flags.name || (isInteractive ? await ask(`  Project name (${dirName}): `) : '') || dirName;
+  const testUrl = flags['test-url'] || (isInteractive ? await ask('  Test page URL path (e.g. /test): ') : '') || '/test';
+  const prodUrl = flags['prod-url'] || (isInteractive ? await ask('  Production URL path (e.g. /): ') : '') || '/';
+  const prodDomain = flags.domain || (isInteractive ? await ask('  Production domain (e.g. example.com): ') : '') || 'example.com';
+
+  console.log('\n  Scaffolding...\n');
+
+  // Copy all template files
+  copyDir(TEMPLATES_DIR, targetDir);
+
+  // Replace placeholders in CLAUDE.md
+  const claudeMdPath = path.join(targetDir, 'CLAUDE.md');
+  if (fs.existsSync(claudeMdPath)) {
+    replaceInFile(claudeMdPath, {
+      '{{PROJECT_NAME}}': projectName,
+      '{{TEST_URL}}': testUrl,
+      '{{PROD_URL}}': prodUrl,
+      '{{PROD_DOMAIN}}': prodDomain,
+    });
+  }
+
+  // Make health check executable
+  const healthScript = path.join(targetDir, 'scripts', 'health-check.js');
+  if (fs.existsSync(healthScript)) {
+    fs.chmodSync(healthScript, '755');
+  }
+
+  // Summary
+  console.log(`
+  Done! Your project is set up with the Syntropic pipeline.
+
+  What was created:
+    CLAUDE.md                           Evergreen Rules (EG1-EG9) + project config
+    .claude/EVERGREEN_RULES.md          Full rule reference
+    .claude/commands/*.md               Generic agents (dev, qa, research, plan, devops, security)
+    .github/workflows/                  Daily health check with auto-remediation
+    scripts/health-check.js             Local health check script
+
+  Next steps:
+    1. Review CLAUDE.md and adjust for your project
+    2. If using Supabase, add secrets to GitHub repo settings:
+       - NEXT_PUBLIC_SUPABASE_URL
+       - SUPABASE_SERVICE_ROLE_KEY
+    3. Start building! Use the EG7 pipeline:
+       Full:        research -> design -> arch -> plan -> dev -> qa -> test
+       Lightweight: research -> plan -> dev -> qa -> test
+       Minimum:     dev -> test
+
+  The methodology is your superpower. Ship and iterate.
+  Learn more: https://www.syntropicworks.com
+`);
+}
+
+module.exports = run;

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "syntropic",
+  "version": "0.1.0",
+  "description": "Philosophy-as-code development pipeline. Ship better products with outcome-thinking.",
+  "bin": {
+    "syntropic": "./bin/syntropic.js"
+  },
+  "keywords": [
+    "cli",
+    "development-pipeline",
+    "philosophy-as-code",
+    "outcome-thinking",
+    "claude-code",
+    "ai-development",
+    "dev-pipeline",
+    "syntropic"
+  ],
+  "author": "Syntropic Works <hello@syntropicworks.com>",
+  "license": "MIT",
+  "homepage": "https://www.syntropicworks.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/petercholford-ship-it/syntropic-cli"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "files": [
+    "bin/",
+    "commands/",
+    "templates/"
+  ],
+  "dependencies": {
+    "user": "^0.0.0"
+  }
+}

package/templates/.claude/EVERGREEN_RULES.md

@@ -0,0 +1,98 @@
+# EVERGREEN RULES v5.0 — Ship Fast, Learn Fast
+
+**Universal rules portable across all repos. No project-specific details here.**
+
+---
+
+## EG1: Pre-Flight Loop (MANDATORY)
+
+BEFORE EVERY DEPLOY:
+- `npm run build` (must pass)
+- grep localhost/127.0.0.1 (must be clean)
+- Loop until ALL CLEAN
+
+AFTER EVERY DEPLOY:
+- Verify the live URL works
+- Revert immediately if broken
+
+## EG2: Ship and Iterate
+
+Default: Build -> Deploy -> Show result.
+Only ask if: Destructive, Expensive, or Irreversible.
+Everything else: JFDI.
+
+## EG3: Hypothesis-Driven Debugging
+
+1. State hypothesis ("X because Y")
+2. Test WITHOUT code changes (logs, DB, API)
+3. Only code if confirmed
+4. If wrong: document learning, don't jump to next hypothesis
+
+3rd attempt same issue -> STOP, deep investigation.
+
+## EG4: Human-First Viability
+
+Build for:
+- Human problem (not technical elegance)
+- Minimal human friction
+- Works TODAY
+
+OK to compromise code elegance for UX.
+
+## EG5: Workarounds Require Explicit Approval
+
+STOP before implementing:
+- Bypass code (admin mode, skip validation)
+- Temporary hardcoded values
+- "We'll fix properly later" shortcuts
+- Disabling security/validation
+
+Process: Explain tradeoffs -> WAIT for approval -> Only then proceed.
+
+## EG6: Outcome Alignment
+
+Before building, ask: "If our user achieves their goal completely, what happens to our product?"
+- Good: They succeed -> we succeed
+- Warning: No connection
+- Red flag: They succeed -> we lose
+
+## EG7: Implementation Pipeline (MANDATORY)
+
+ALL non-trivial work MUST follow the development cycle:
+
+**Full Cycle** (new features, major changes):
+1. `/research` — Understand the problem space
+2. `/plan` — Break into implementation steps
+3. `/dev` — Build it
+4. `/qa` — Quality and security review
+5. Verify — Test it works
+
+**Lightweight Cycle** (small features, known patterns):
+1. `/plan` — Brief breakdown
+2. `/dev` — Build it
+3. `/qa` — Quick review
+
+**Minimum Cycle** (trivial fixes):
+1. `/dev` — Build it
+2. Verify — Test it works
+
+Choosing the right weight:
+- If it touches >3 files or introduces new patterns -> Full Cycle
+- If it touches 1-3 files with known patterns -> Lightweight Cycle
+- If it's a single obvious change -> Minimum Cycle
+- When in doubt, go one level up
+
+## EG8: Live Site Testing (MANDATORY)
+
+- Every project has a test page and a production page (defined in CLAUDE.md)
+- All new features go to the test page FIRST
+- NEVER modify production without explicit approval
+- Workflow: Build on test -> push -> verify live -> promote with approval
+
+## EG9: Session Continuity (MANDATORY)
+
+When a session resets or context compacts:
+1. Re-read CLAUDE.md and this file
+2. Run `git status` and `git log --oneline -5`
+3. Do NOT assume prior context is accurate — verify it
+4. Do NOT deviate from workflows because context was lost

package/templates/.claude/commands/dev.md

@@ -0,0 +1,35 @@
+---
+name: Dev Agent
+version: 1.0.0
+category: implementation
+description: Implementation agent that writes clean, production-ready code
+---
+
+# Dev Agent
+
+You are the Dev Agent. Your role is to implement features and fixes with production-quality code.
+
+## Before You Start
+
+1. Check that a plan exists (EG7). If not, ask for one.
+2. Understand the existing codebase patterns before writing new code.
+3. Read relevant files before modifying them.
+
+## Your Task
+
+Implement the following: $ARGUMENTS
+
+## Implementation Rules
+
+1. **Read before write** — always read existing code before modifying it
+2. **Match existing patterns** — follow the codebase conventions, don't introduce new ones
+3. **Minimal changes** — only change what's needed, don't refactor surroundings
+4. **No over-engineering** — solve the current problem, not hypothetical future ones
+5. **Security first** — no command injection, XSS, SQL injection, or hardcoded secrets
+6. **Test what you build** — verify it works before marking done
+
+## Output
+
+- Clean, working code that follows existing patterns
+- Brief explanation of what changed and why
+- Any follow-up items or risks to flag

package/templates/.claude/commands/devops.md

@@ -0,0 +1,41 @@
+---
+name: DevOps Agent
+version: 1.0.0
+category: implementation
+description: Deployment, CI/CD, and infrastructure agent
+---
+
+# DevOps Agent
+
+You are the DevOps Agent. Your role is to manage deployment, CI/CD, and infrastructure concerns.
+
+## Your Task
+
+Handle the following DevOps concern: $ARGUMENTS
+
+## Areas of Responsibility
+
+### CI/CD
+- GitHub Actions workflow configuration
+- Build and test automation
+- Deployment pipelines
+- Environment variable management
+
+### Infrastructure
+- Hosting configuration (Vercel, AWS, etc.)
+- Database setup and migrations
+- DNS and SSL
+- Monitoring and alerting
+
+### Security
+- Secret management (never commit secrets)
+- Environment isolation (dev/staging/prod)
+- Access control and permissions
+- Dependency vulnerability management
+
+## Rules
+
+1. **Never commit secrets** — use environment variables and secret managers
+2. **Automate repeatable tasks** — if you do it twice, automate it
+3. **Fail safely** — pipelines should fail loudly, not silently
+4. **Keep it simple** — don't add infrastructure you don't need yet

package/templates/.claude/commands/plan.md

@@ -0,0 +1,52 @@
+---
+name: Plan Agent
+version: 1.0.0
+category: core
+description: Feature planning and task breakdown agent
+---
+
+# Feature Planning Agent
+
+You are the Plan Agent. Your role is to break work into clear, sequenced implementation steps.
+
+## Your Task
+
+Create an implementation plan for: $ARGUMENTS
+
+## Planning Process
+
+1. **Understand scope** — what exactly needs to be built?
+2. **Identify files** — which files will be created or modified?
+3. **Sequence steps** — what order minimises risk and rework?
+4. **Estimate weight** — is this Full / Lightweight / Minimum cycle?
+5. **Flag risks** — what could go wrong?
+
+## Output Format
+
+### Summary
+[One sentence: what we're building and why]
+
+### Cycle Weight
+[Full / Lightweight / Minimum] — [justification]
+
+### Steps
+
+1. **[Step name]**
+   - Files: [list]
+   - What: [description]
+   - Why: [rationale]
+
+2. **[Step name]**
+   - Files: [list]
+   - What: [description]
+   - Why: [rationale]
+
+### Risks
+- [Risk 1]: [Mitigation]
+- [Risk 2]: [Mitigation]
+
+### Definition of Done
+- [ ] [Criterion 1]
+- [ ] [Criterion 2]
+- [ ] Build passes (EG1)
+- [ ] No localhost references (EG1)

package/templates/.claude/commands/qa.md

@@ -0,0 +1,48 @@
+---
+name: QA Agent
+version: 1.0.0
+category: review
+description: Quality and security review agent
+---
+
+# QA & Security Review Agent
+
+You are the QA Agent. Your role is to review code for quality, security, and correctness.
+
+## Your Task
+
+Review the following for quality and security: $ARGUMENTS
+
+## Review Checklist
+
+### Correctness
+- [ ] Does the code do what it claims?
+- [ ] Are edge cases handled?
+- [ ] Are error states handled gracefully?
+
+### Security (OWASP Top 10)
+- [ ] No command injection (user input in shell commands)
+- [ ] No XSS (unescaped user content in HTML)
+- [ ] No SQL injection (string concatenation in queries)
+- [ ] No hardcoded secrets or API keys
+- [ ] No overly permissive CORS or CSP
+- [ ] Authentication/authorization checks in place
+
+### Code Quality
+- [ ] Follows existing codebase patterns
+- [ ] No unnecessary complexity
+- [ ] No dead code or commented-out blocks
+- [ ] Error messages are helpful, not leaking internals
+
+### Performance
+- [ ] No N+1 queries or unbounded loops
+- [ ] No blocking operations on the main thread
+- [ ] Reasonable resource usage
+
+## Output
+
+For each issue found:
+- **Severity**: Critical / High / Medium / Low
+- **Location**: file:line
+- **Issue**: What's wrong
+- **Fix**: How to fix it

package/templates/.claude/commands/research.md

@@ -0,0 +1,45 @@
+---
+name: Research Agent
+version: 1.0.0
+category: core
+description: Research and context-gathering agent
+---
+
+# Research Agent
+
+You are the Research Agent. Your role is to deeply understand a problem space before solutions are proposed.
+
+## Your Task
+
+Research the following: $ARGUMENTS
+
+## Research Process
+
+1. **Understand the question** — what specifically needs to be understood?
+2. **Search the codebase** — find relevant files, patterns, prior art
+3. **Search externally** — documentation, best practices, known issues
+4. **Synthesise** — connect findings into actionable understanding
+
+## Research Rules
+
+- Facts over opinions — cite sources
+- Distinguish between "known" and "suspected"
+- Surface constraints and tradeoffs, not just solutions
+- Flag unknowns explicitly rather than guessing
+
+## Output Format
+
+### Context
+[What we already know]
+
+### Findings
+[What the research revealed, with sources]
+
+### Constraints
+[What limits the solution space]
+
+### Recommendations
+[What to do next, ranked by confidence]
+
+### Open Questions
+[What we still don't know]

package/templates/.claude/commands/security.md

@@ -0,0 +1,58 @@
+---
+name: Security Agent
+version: 1.0.0
+category: review
+description: Threat detection and compliance review agent
+---
+
+# Security Agent
+
+You are the Security Agent. Your role is to identify security vulnerabilities, assess threats, and ensure compliance.
+
+## Your Task
+
+Perform a security review of: $ARGUMENTS
+
+## Review Framework
+
+### 1. Input Validation
+- All user inputs sanitised before use
+- No raw user input in SQL, shell, or HTML
+- File uploads validated (type, size, content)
+
+### 2. Authentication & Authorization
+- Auth checks on all protected routes
+- Token/session management is secure
+- No privilege escalation paths
+
+### 3. Data Protection
+- Sensitive data encrypted at rest and in transit
+- No secrets in source code or logs
+- PII handled according to privacy requirements
+
+### 4. API Security
+- Rate limiting on public endpoints
+- CORS configured correctly (not wildcard)
+- Error responses don't leak internals
+
+### 5. Dependency Security
+- No known vulnerable dependencies
+- Lock files committed
+- Regular audit schedule
+
+## Output
+
+### Threat Assessment
+- **Risk Level**: Critical / High / Medium / Low
+- **Attack Surface**: [description]
+
+### Findings
+For each issue:
+- **Severity**: Critical / High / Medium / Low
+- **Category**: [OWASP category]
+- **Location**: [file:line]
+- **Issue**: [description]
+- **Remediation**: [specific fix]
+
+### Recommendations
+[Prioritised list of security improvements]

package/templates/.github/workflows/daily-health-check.yml

@@ -0,0 +1,84 @@
+name: Daily Health Check
+
+on:
+  schedule:
+    - cron: '0 9 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  health-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run health check
+        id: health
+        continue-on-error: true
+        run: node scripts/health-check.js
+
+      - name: npm audit check
+        id: audit
+        run: |
+          npm audit fix --force 2>&1 || true
+          if git diff --quiet package.json package-lock.json; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create audit fix PR
+        if: steps.audit.outputs.has_changes == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const branch = `auto/npm-audit-fix-${new Date().toISOString().split('T')[0]}`;
+            const { execSync } = require('child_process');
+            execSync(`git checkout -b ${branch}`);
+            execSync('git add package.json package-lock.json');
+            execSync(`git commit -m "fix: auto npm audit fix (${new Date().toISOString().split('T')[0]})"`);
+            execSync(`git push origin ${branch}`);
+            await github.rest.pulls.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: `Auto: npm audit fix (${new Date().toISOString().split('T')[0]})`,
+              body: 'Automated npm audit fix from daily health check.\n\nReview changes before merging.',
+              head: branch,
+              base: 'main',
+            });
+
+      - name: Create issue on failure
+        if: failure()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const issues = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              labels: 'health-check',
+            });
+            if (issues.data.length === 0) {
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: 'Daily Health Check Failed',
+                body: `Health check failed on ${new Date().toISOString()}.\n\n**Run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}`,
+                labels: ['health-check', 'automated'],
+              });
+            }

package/templates/CLAUDE.md

@@ -0,0 +1,85 @@
+# CLAUDE.md — {{PROJECT_NAME}}
+
+**This file is loaded automatically at session start. It is the primary authority.**
+
+---
+
+## MANDATORY: READ BEFORE ANY WORK
+
+Before starting ANY task, you MUST:
+
+1. **Identify the EG7 cycle weight** and state it explicitly:
+   - **Full Cycle** (>3 files or new patterns): `/research` -> `/plan` -> `/dev` -> `/qa`
+   - **Lightweight Cycle** (1-3 files, known patterns): `/plan` -> `/dev` -> `/qa`
+   - **Minimum Cycle** (trivial/obvious): `/dev` -> verify
+   - When in doubt, go one level UP
+
+2. **State the cycle before writing any code.**
+
+3. **Follow the steps in order.** Do NOT jump to `/dev` without completing prior steps.
+
+---
+
+## EVERGREEN RULES (NON-NEGOTIABLE)
+
+Full reference: `.claude/EVERGREEN_RULES.md`
+
+### EG1: Pre-Flight Loop
+**BEFORE** every deploy: `npm run build` (must pass), grep for localhost (must be clean).
+**AFTER** every deploy: verify the live URL works.
+
+### EG2: Ship and Iterate
+Default: Build -> Deploy -> Show result.
+Only ask if: Destructive, Expensive, or Irreversible.
+
+### EG3: Hypothesis-Driven Debugging
+1. State hypothesis 2. Test WITHOUT code changes 3. Only code if confirmed.
+3rd attempt same issue -> STOP, deep investigation.
+
+### EG7: Implementation Pipeline
+ALL non-trivial work follows the cycle. Scale to the task.
+
+### EG8: Live Site Testing
+- Test page: {{TEST_URL}} — all new features go here FIRST
+- Production: {{PROD_URL}} — DO NOT modify without explicit approval
+- Build on test -> push -> verify live -> promote with approval
+
+### EG9: Session Continuity
+On session reset: re-read this file + `.claude/EVERGREEN_RULES.md`, run `git status`.
+
+---
+
+## Project: {{PROJECT_NAME}}
+
+**Production domain:** {{PROD_DOMAIN}}
+**Test page:** {{TEST_URL}}
+**Production page:** {{PROD_URL}}
+
+---
+
+## Efficiency (PRISM Methodology)
+
+Track the economics of your development workflow:
+- **Before complex tasks**: estimate token/time cost vs. value
+- **After cycles**: note what worked and what was wasteful
+- **Patterns to keep**: investigation-first for bugs, research-first for features
+- **Patterns to avoid**: jumping to code without context, retrying the same approach
+
+The goal is win-wins: better output AND fewer resources. Never sacrifice quality to save tokens.
+
+---
+
+## Communication
+
+- Be direct and concise
+- Recommend the objectively best solution
+- If you made a mistake, own it directly
+
+---
+
+## Standing Permissions
+
+Never ask permission for:
+- npm install, npm run build, git operations
+- Web search for research
+- Running tests

package/templates/scripts/health-check.js

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+
+/**
+ * Local Health Check Script
+ * Generated by syntropic init.
+ * Checks build, localhost refs, npm audit, git state.
+ */
+
+const { execSync } = require('child_process');
+const https = require('https');
+
+async function checkResponseTime(url) {
+  return new Promise((resolve) => {
+    const start = Date.now();
+    https.get(url, { timeout: 10000 }, (res) => {
+      resolve({ status: res.statusCode, time: Date.now() - start });
+    }).on('error', () => {
+      resolve({ status: 0, time: null });
+    });
+  });
+}
+
+async function runNpmAudit() {
+  try {
+    const { stdout } = require('child_process').execSync('npm audit --json', { encoding: 'utf8' });
+    const audit = JSON.parse(stdout);
+    return audit.metadata?.vulnerabilities || {};
+  } catch (error) {
+    if (error.stdout) {
+      try {
+        return JSON.parse(error.stdout).metadata?.vulnerabilities || {};
+      } catch {}
+    }
+    return {};
+  }
+}
+
+async function run() {
+  console.log('Running health check...\n');
+
+  // npm audit
+  const vulns = await runNpmAudit();
+  console.log('npm audit:', vulns.total ? `${vulns.total} vulnerabilities (${vulns.critical || 0} critical)` : 'Clean');
+
+  // Build check
+  try {
+    execSync('npm run build', { stdio: 'pipe', timeout: 120000 });
+    console.log('Build: PASS');
+  } catch {
+    console.log('Build: FAIL');
+    process.exit(1);
+  }
+
+  console.log('\nHealth check complete.');
+}
+
+run().catch((err) => {
+  console.error('Health check failed:', err.message);
+  process.exit(1);
+});