tlc-claude-code 2.2.1 → 2.3.0

package/.claude/agents/builder.md

@@ -122,6 +122,23 @@ src/modules/{entity}/
 - No credentials — use environment variables.
 - No magic numbers or strings — use named constants or enums.
 
+### Configuration
+- All `process.env` access MUST be in a config module — never in services or controllers.
+- Validate all required env vars at startup with a schema (Zod/Joi).
+- No silent empty-string fallbacks for secrets or connection strings.
+
+### Security
+- Every data-access endpoint MUST check resource ownership, not just authentication.
+- Never return secrets (API keys, tokens, passwords) in API responses or HTML.
+- Hash OTPs, reset tokens, and session secrets before storing — never plaintext.
+- Escape all dynamic values in HTML output — no raw interpolation.
+- No inline HTML string builders for new pages — use a proper frontend or templating engine.
+- Tests MUST prove that user A cannot read/modify user B's data.
+
+### Dependency Injection
+- Never manually instantiate services/providers with `new` — use DI.
+- Register all providers in the DI container.
+
 ### File and Folder Limits
 - Files: warn at 500 lines, error at 1000 lines.
 - Folders: warn at 8 files, error at 15 files.

package/.claude/commands/tlc/audit.md

@@ -52,6 +52,11 @@ Run `auditProject(projectPath)` which executes:
 | **Missing Return Types** | Exported functions without explicit return type | warning |
 | **Missing Parameter Types** | Function parameters without type annotations | error |
 | **Weak tsconfig** | `strict: true` not enabled in tsconfig.json | warning |
+| **Direct `process.env`** | `process.env.` usage outside config module files | error |
+| **Unescaped HTML** | Template literals containing HTML tags with `${` interpolation | error |
+| **Secrets in Responses** | Response objects containing fields named `apiKey`, `secret`, `token`, `password` | error |
+| **Manual Instantiation** | `new .*Provider(` or `new .*Service(` in application code | warning |
+| **Missing Ownership Check** | Controller methods with `@Param('id')` but no ownership/authorization guard | warning |
 
 ### Step 3: Generate Report
 
@@ -109,6 +114,13 @@ Status: FAILED (18 issues found)
   JSDoc Coverage:       8 issues (42% of exports undocumented)
   Import Style:         PASSED
 
+  SECURITY & CONFIG
+  Direct process.env:   3 issues (outside config module)
+  Unescaped HTML:       2 issues
+  Secrets in Responses: 1 issue
+  Manual Instantiation: 1 issue
+  Missing Ownership:    2 issues
+
 Report saved to: .planning/AUDIT-REPORT.md
 
 Fix automatically? Run /tlc:cleanup

package/.claude/commands/tlc/build.md

@@ -344,11 +344,45 @@ Task(resume="AGENT_ID", prompt="Continue from where you left off. Fix any errors
 - When user asks "check on agents"
 - After each agent completes
 
-**After all agents complete:**
-1. Run full test suite
+**Before spawning agents (integration branch):**
+
+Create an integration branch so all worktrees merge into one place, producing a single clean PR:
+
+```javascript
+const { createIntegrationBranch } = require('./server/lib/orchestration/worktree-manager');
+const { branch } = createIntegrationBranch(phaseNumber, { exec, baseBranch: 'main' });
+// branch = 'phase/42'
+```
+
+All worktrees branch off `phase/{N}`, not `main`. This means each worktree's diff is small and relative to the integration branch, not the entire main history.
+
+**After all agents complete — sequential merge-back:**
+
+```javascript
+const { mergeAllWorktrees, listWorktrees } = require('./server/lib/orchestration/worktree-manager');
+
+// Filter to only THIS phase's worktrees — don't merge unrelated work
+const allWorktrees = listWorktrees({ exec });
+const worktrees = allWorktrees.filter(wt => wt.name.startsWith(`phase-${phaseNumber}-`));
+const result = mergeAllWorktrees(worktrees, `phase/${phaseNumber}`, { exec });
+
+// result.merged = ['task-1', 'task-3', 'task-4']  — successfully merged
+// result.conflicts = ['task-2']                    — needs manual resolution
+```
+
+`mergeAllWorktrees` does the following automatically:
+1. **Analyzes file overlap** — worktrees touching disjoint files merge first
+2. **Merges one at a time** into `phase/{N}`
+3. **Rebases remaining worktrees** onto the updated `phase/{N}` after each merge
+4. **Skips conflicting worktrees** — preserves them for manual resolution, continues with others
+5. **Cleans up** merged worktrees (removes worktree dir + branch)
+
+After merge-back:
+1. Run full test suite on the integration branch
 2. Verify all tasks pass
-3. Report results
-4. Continue to Step 8 (verification)
+3. If conflicts exist, report them with file lists
+4. If clean, the integration branch is ready for a single PR to main
+5. Continue to Step 8 (verification)
 
 ### Step 1c: Sync and Claim (Multi-User, Sequential Only)
 
@@ -712,11 +746,17 @@ git diff --name-status main...HEAD
 1. **Test Coverage** - Every implementation file has a test file
 2. **TDD Compliance** - Commits show test-first pattern (score ≥ 50%)
 3. **Security Scan** - No hardcoded secrets, eval(), innerHTML, etc.
-4. **File Size** - No file exceeds 1000 lines (warning at 500+)
-5. **Folder Size** - No folder exceeds 15 files (warning at 8+)
-6. **Strict Typing** - No `any` types in new/changed files
-7. **Return Types** - All exported functions have explicit return types
-8. **Module Structure** - Files grouped by domain entity, not by type
+4. **Authorization** - Every data-access endpoint has ownership checks, not just auth guards
+5. **Secrets Exposure** - No API keys, tokens, or passwords returned in responses/HTML
+6. **Config Hygiene** - No `process.env` outside config module; config validated at startup
+7. **Output Encoding** - No unescaped `${...}` interpolation in HTML template strings
+8. **Sensitive Data** - OTPs, reset tokens, session secrets are hashed before storage
+9. **DI Compliance** - No manual `new Service()` / `new Provider()` in application code
+10. **File Size** - No file exceeds 1000 lines (warning at 500+)
+11. **Folder Size** - No folder exceeds 15 files (warning at 8+)
+12. **Strict Typing** - No `any` types in new/changed files
+13. **Return Types** - All exported functions have explicit return types
+14. **Module Structure** - Files grouped by domain entity, not by type
 
 **Review output:**
 
@@ -727,8 +767,11 @@ git diff --name-status main...HEAD
 Test Coverage: ✅ 5/5 files covered
 TDD Score: 75% ✅
 Security: ✅ No issues
+Authorization: ✅ All endpoints have ownership checks
+Secrets Exposure: ✅ No secrets in responses
+Config Hygiene: ✅ No process.env outside config
+Output Encoding: ✅ All HTML output escaped
 File Sizes: ✅ All under 1000 lines
-Folder Sizes: ✅ All under 15 files
 Strict Typing: ✅ No `any` found
 Return Types: ✅ All exports typed
 
@@ -899,10 +942,10 @@ Found: 2-PLAN.md (4 tasks)
 🚀 Overdrive Mode Available (Opus 4.6)
 
 Phase 2 has 4 independent tasks:
-  - Task 1: Create API routes         [sonnet] (standard)
-  - Task 2: Add input validation      [sonnet] (standard)
-  - Task 3: Write error handlers      [sonnet] (standard)
-  - Task 4: Add rate limiting config  [haiku]  (light)
+  - Task 1: Create API routes         [opus]
+  - Task 2: Add input validation      [opus]
+  - Task 3: Write error handlers      [opus]
+  - Task 4: Add rate limiting config  [opus]
 
 Recommended: 4 agents (one per task)
 
@@ -916,17 +959,17 @@ User: 1
 Claude: 🚀 Launching Overdrive Mode (Opus 4.6)
 
 Spawning 4 agents...
-[Agent 1] Task 1: Create API routes        [sonnet] - STARTED
-[Agent 2] Task 2: Add input validation     [sonnet] - STARTED
-[Agent 3] Task 3: Write error handlers     [sonnet] - STARTED
-[Agent 4] Task 4: Add rate limiting config [haiku]  - STARTED
+[Agent 1] Task 1: Create API routes        [opus] - STARTED
+[Agent 2] Task 2: Add input validation     [opus] - STARTED
+[Agent 3] Task 3: Write error handlers     [opus] - STARTED
+[Agent 4] Task 4: Add rate limiting config [opus] - STARTED
 
 ... agents working in background ...
 
-[Agent 4] ✅ Task 4 complete (1 commit)   [haiku - fast]
-[Agent 2] ✅ Task 2 complete (3 commits)  [sonnet]
-[Agent 1] ✅ Task 1 complete (4 commits)  [sonnet]
-[Agent 3] ✅ Task 3 complete (2 commits)  [sonnet]
+[Agent 4] ✅ Task 4 complete (1 commit)   [opus]
+[Agent 2] ✅ Task 2 complete (3 commits)  [opus]
+[Agent 1] ✅ Task 1 complete (4 commits)  [opus]
+[Agent 3] ✅ Task 3 complete (2 commits)  [opus]
 
 All agents complete. Running full test suite...
 ✅ 24 tests passing
@@ -957,7 +1000,7 @@ Phase 2 complete. Ready for /tlc:verify 2
 - Merge conflicts → Agents working on same files (rare if tasks are truly independent)
 - One agent failed → Other agents continue; resume failed agent or fix manually
 - Want sequential instead → Use `--sequential` flag: `/tlc:build 2 --sequential`
-- Cost too high → Use `--model haiku` to force all agents to haiku
+- Cost too high → Use `--agents 2` to limit parallelism
 - Agent running too long → Use `--max-turns 30` to limit execution
 
 ## Flags
@@ -966,7 +1009,7 @@ Phase 2 complete. Ready for /tlc:verify 2
 |------|-------------|
 | `--sequential` | Force sequential execution even if tasks are independent |
 | `--agents N` | Limit parallel agents to N (default: one per independent task) |
-| `--model MODEL` | Force all agents to use a specific model (opus, sonnet, haiku) |
+| `--model opus` | Force all agents to opus (default — all tiers use opus) |
 | `--max-turns N` | Limit each agent's execution to N turns (default: 50) |
 | `--providers claude,codex` | Force specific providers (default: auto-detect from router state) |
 | `--no-tmux` | Skip tmux panes, run worktree agents in background |

package/.claude/commands/tlc/guard.md

@@ -89,6 +89,15 @@ For a phase that's been (partially) built, verify TLC compliance:
 - [ ] No hardcoded secrets, URLs, or credentials (check for patterns)
 - [ ] No skipped tests (`.skip`, `xit`, `xdescribe`)
 
+**Security & Config (CODING-STANDARDS §6, §21, §22):**
+- [ ] Every data-access endpoint has ownership check (not just auth — verify user owns the resource)
+- [ ] No secrets (API keys, tokens, passwords) returned in API responses or rendered in HTML
+- [ ] No `process.env` in services/controllers — all config through validated config module
+- [ ] No unescaped `${...}` interpolation in HTML template strings
+- [ ] OTPs, reset tokens, session secrets are hashed before storage (not plaintext)
+- [ ] No `new ServiceClass()` / `new ProviderClass()` — use DI container
+- [ ] Tests prove user A cannot read/modify user B's data (ownership test)
+
 **Process:**
 - [ ] Phase plan exists and tasks are checked off
 - [ ] Implementation matches what was planned (no scope creep)

package/.claude/commands/tlc/init.md

@@ -207,7 +207,18 @@ Start writing tests now, or save backlog for later?
 
 **If "Start now":** Begin writing tests for the first critical path item using Red-Green-Refactor (but code already exists, so focus on capturing current behavior).
 
-### 9. Create CLAUDE.md
+### 9. Inject Standards (CLAUDE.md + CODING-STANDARDS.md)
+
+**First, inject both standards files using the standards-injector module:**
+
+```javascript
+const { injectStandards } = require('./lib/standards/standards-injector');
+const results = await injectStandards(projectPath);
+// Creates CLAUDE.md and CODING-STANDARDS.md from templates if missing
+// Appends TLC section to existing CLAUDE.md if present
+```
+
+**If the module is not available** (e.g., TLC server not installed locally), create `CLAUDE.md` manually and copy `CODING-STANDARDS.md` from the TLC templates directory.
 
 Create `CLAUDE.md` to enforce TLC workflow over Claude's default behaviors:
 

package/.claude/commands/tlc/review.md

@@ -116,6 +116,8 @@ git log --oneline --name-status main..HEAD
 
 Scan diff for common security issues:
 
+**Pattern-Based Checks:**
+
 | Pattern | Issue | Severity |
 |---------|-------|----------|
 | `password = "..."` | Hardcoded password | HIGH |
@@ -126,6 +128,17 @@ Scan diff for common security issues:
 | `exec("..." + var)` | Command injection | HIGH |
 | `SELECT...WHERE...+` | SQL injection | HIGH |
 
+**Semantic Security Checks (read the code, not just grep):**
+
+| Check | What to Look For | Severity |
+|-------|-----------------|----------|
+| **Ownership/IDOR** | Controller methods that take an ID param (`req.params.id`, `@Param('id')`) and query data without checking the requesting user owns the resource. Every data-access endpoint MUST verify ownership, not just authentication. | HIGH |
+| **Secrets in responses** | Response objects, DTOs, or `res.json()`/`res.send()` calls that include fields like `apiKey`, `secret`, `token`, `password`, `webhookSecret`. Secrets are write-only — never return them. | HIGH |
+| **Direct `process.env`** | `process.env.` usage in service, controller, or middleware files. All env access MUST go through a validated config module. Grep: `process\.env\.` in non-config files. | MEDIUM |
+| **Unescaped HTML** | Template literals that build HTML with `${...}` interpolation of variables (e.g., `` `<h1>${user.name}</h1>` ``). All dynamic values in HTML MUST be escaped. | HIGH |
+| **Plaintext sensitive data** | OTP codes, reset tokens, or session secrets stored without hashing. Look for database inserts/updates of these values without a hash step. | HIGH |
+| **Manual instantiation** | `new SomeProvider(...)` or `new SomeService(...)` in application code instead of using DI. | MEDIUM |
+
 **Fail if:** Any HIGH severity issues found.
 
 ### Step 5b: Coding Standards Check
@@ -311,6 +324,12 @@ After Steps 2-6 complete, if ANY issues were found:
 | `any` type | Replace with proper interface | If domain type unclear |
 | File >1000 lines | Split into sub-modules | If split strategy unclear |
 | Security vulnerability | Patch it | If fix might break behavior |
+| Missing ownership check | Add guard/check | If ownership model unclear |
+| Secrets in response | Remove or mask fields | If field is needed by client |
+| Direct `process.env` | Move to config module | If config module doesn't exist yet |
+| Unescaped HTML | Add escapeHtml() | If templating engine preferred |
+| Plaintext sensitive data | Add hash step | - |
+| Manual `new Service()` | Convert to DI | If DI container not set up |
 | Codex-flagged bug | Apply suggestion | If suggestion conflicts with Claude |
 | Merge conflict | - | Always human |
 

package/CODING-STANDARDS.md

@@ -241,25 +241,64 @@ if (status === 'pending') { ... }  // TypeScript will validate
 
 ---
 
-## 6. Configuration: No Hardcoded Values
+## 6. Configuration: Validated, Centralized, No Direct `process.env`
+
+### Centralized Config with Validation
+
+All configuration MUST go through a validated config module. Never read `process.env` directly in application code.
 
 ```typescript
-// ❌ NEVER
+// ❌ NEVER: Direct process.env in services/controllers
 class PaymentService {
-  private baseUrl = "https://api.stripe.com";
-  private timeout = 30000;
+  private baseUrl = process.env.STRIPE_BASE_URL || 'https://api.stripe.com';
+  private apiKey = process.env.STRIPE_API_KEY;  // silently undefined if missing
 }
 
-// ✅ ALWAYS
-// lib/configuration.ts or shared/config/stripe.config.ts
+// ❌ NEVER: Config without validation
 export const stripeConfig = {
   baseUrl: process.env.STRIPE_BASE_URL || 'https://api.stripe.com',
-  apiKey: process.env.STRIPE_API_KEY,
-  timeout: parseInt(process.env.STRIPE_TIMEOUT || '30000'),
-} as const;
+  apiKey: process.env.STRIPE_API_KEY,  // no validation, no fail-fast
+};
+
+// ✅ ALWAYS: Validated config module with fail-fast
+// src/config/config.ts
+import { z } from 'zod';
+
+const configSchema = z.object({
+  stripe: z.object({
+    baseUrl: z.string().url().default('https://api.stripe.com'),
+    apiKey: z.string().min(1, 'STRIPE_API_KEY is required'),
+    timeout: z.coerce.number().int().positive().default(30000),
+  }),
+});
+
+export type AppConfig = z.infer<typeof configSchema>;
+
+export function loadConfig(): AppConfig {
+  const result = configSchema.safeParse({
+    stripe: {
+      baseUrl: process.env.STRIPE_BASE_URL,
+      apiKey: process.env.STRIPE_API_KEY,
+      timeout: process.env.STRIPE_TIMEOUT,
+    },
+  });
+
+  if (!result.success) {
+    throw new Error(`Config validation failed:\n${result.error.format()}`);
+  }
+  return result.data;
+}
 ```
 
-**Rule**: If it could differ between environments, it's config.
+### Rules
+
+1. **All `process.env` access MUST be in the config module** — never in services, controllers, or middleware.
+2. **All required env vars MUST be validated at startup** — fail fast, not at first request.
+3. **Distinguish required vs optional** — required vars throw on boot; optional have explicit defaults.
+4. **No silent empty-string fallbacks** for secrets or connection strings.
+5. **Config is injected via DI or imported from the config module** — never read from env directly.
+
+**Rule**: If it could differ between environments, it's config. If it's required, validate it at boot.
 
 ---
 
@@ -432,6 +471,13 @@ Before committing any code:
 - [ ] Typed errors, not generic throws
 - [ ] Tests co-located with module
 - [ ] Build passes (`npm run build`)
+- [ ] **No direct `process.env`** in services/controllers — config module only
+- [ ] **Config validated at startup** with schema (Zod/Joi)
+- [ ] **Ownership checks** on every data-access endpoint
+- [ ] **No secrets in responses** — API keys, tokens are write-only
+- [ ] **Sensitive data hashed** at rest (OTPs, reset tokens)
+- [ ] **All HTML output escaped** — no raw interpolation of user values
+- [ ] **No manual `new Service()`** — use DI container
 
 ---
 
@@ -723,6 +769,160 @@ function handleResponse<T>(response: ApiResponse<T>): T {
 
 ---
 
+## 21. Security: Authorization, Secrets, and Output Encoding
+
+### Resource Ownership Checks
+
+Every endpoint that accesses a resource MUST verify the requesting user owns or has permission to access that resource. Authentication alone is not enough.
+
+```typescript
+// ❌ WRONG: Only checks authentication, not ownership
+@Get('settings/:merchantId')
+@UseGuards(AuthGuard)
+async getSettings(@Param('merchantId') merchantId: string): Promise<Settings> {
+  return this.settingsService.findByMerchant(merchantId); // any authed user can read any merchant
+}
+
+// ✅ CORRECT: Verifies ownership
+@Get('settings/:merchantId')
+@UseGuards(AuthGuard)
+async getSettings(
+  @Param('merchantId') merchantId: string,
+  @CurrentUser() user: User,
+): Promise<Settings> {
+  if (user.merchantId !== merchantId && user.role !== 'admin') {
+    throw new ForbiddenError('Cannot access another merchant\'s settings');
+  }
+  return this.settingsService.findByMerchant(merchantId);
+}
+```
+
+**Rules:**
+1. Every data-access endpoint MUST check that the requesting user owns the resource.
+2. Tests MUST prove that user A cannot read/modify user B's data.
+3. Prefer a reusable ownership guard over per-endpoint checks.
+
+### Never Expose Secrets in Responses
+
+API keys, webhook secrets, tokens, and credentials MUST never appear in API responses or rendered HTML.
+
+```typescript
+// ❌ WRONG: Returning secrets to the client
+return {
+  merchantId: merchant.id,
+  apiKey: merchant.apiKey,           // NEVER
+  webhookSecret: merchant.webhookSecret, // NEVER
+};
+
+// ✅ CORRECT: Mask or omit secrets
+return {
+  merchantId: merchant.id,
+  apiKey: mask(merchant.apiKey),     // "sk_live_...4x7f"
+  webhookSecret: '••••••••',         // write-only, never read back
+};
+```
+
+**Rules:**
+1. Secrets are **write-only** — accept on create/update, never return in GET responses.
+2. If display is needed, return masked values (first 4 + last 4 chars).
+3. Audit every response DTO and HTML template for leaked credentials.
+
+### Hash Sensitive Data at Rest
+
+OTP codes, reset tokens, and session secrets MUST be stored as one-way hashes, never plaintext.
+
+```typescript
+// ❌ WRONG: Plaintext OTP
+await db.otpSessions.insert({ code: '123456', expiresAt });
+
+// ✅ CORRECT: Hashed OTP
+import { createHash } from 'crypto';
+const hashedCode = createHash('sha256').update(code).digest('hex');
+await db.otpSessions.insert({ codeHash: hashedCode, expiresAt });
+
+// Verification: hash the input and compare
+function verifyOtp(input: string, stored: string): boolean {
+  const inputHash = createHash('sha256').update(input).digest('hex');
+  return timingSafeEqual(Buffer.from(inputHash), Buffer.from(stored));
+}
+```
+
+### Output Encoding (XSS Prevention)
+
+Never interpolate user-controlled values into HTML without escaping. This applies to inline HTML generation, template strings, and server-rendered pages.
+
+```typescript
+// ❌ WRONG: Raw interpolation — XSS risk
+const html = `<h1>Welcome, ${user.name}</h1>`;
+const html = `<a href="${redirectUrl}">Continue</a>`;
+
+// ✅ CORRECT: Always escape
+import { escapeHtml } from '@/shared/utils/escape';
+
+const html = `<h1>Welcome, ${escapeHtml(user.name)}</h1>`;
+const html = `<a href="${escapeHtml(redirectUrl)}">Continue</a>`;
+```
+
+```typescript
+// shared/utils/escape.ts
+/**
+ * Escapes HTML special characters to prevent XSS.
+ */
+export function escapeHtml(str: string): string {
+  return str
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#x27;');
+}
+```
+
+**Rules:**
+1. **Every** dynamic value in HTML output MUST be escaped.
+2. Prefer a real templating engine over string concatenation for HTML.
+3. Audit merchant-controlled, query-string, and user-input values first.
+4. Do not add new pages using inline HTML string builders — use a proper frontend.
+
+---
+
+## 22. Dependency Injection: No Manual Instantiation
+
+Never manually instantiate services or providers that should be managed by the DI container.
+
+```typescript
+// ❌ WRONG: Bypassing DI
+class PaymentService {
+  async processPayment(method: string): Promise<void> {
+    const provider = method === 'cyberpay'
+      ? new CyberpayProvider(process.env.CYBERPAY_KEY)  // untestable, unmanaged
+      : new CodProvider();
+    await provider.charge(amount);
+  }
+}
+
+// ✅ CORRECT: Provider registry via DI
+@Injectable()
+class PaymentService {
+  constructor(
+    @Inject('PAYMENT_PROVIDERS') private providers: Map<string, PaymentProvider>,
+  ) {}
+
+  async processPayment(method: string): Promise<void> {
+    const provider = this.providers.get(method);
+    if (!provider) throw new BadRequestError(`Unknown payment method: ${method}`);
+    await provider.charge(amount);
+  }
+}
+```
+
+**Rules:**
+1. All providers/services MUST be registered in the DI container.
+2. Never use `new ServiceClass()` in application code — let the framework manage lifecycle.
+3. Use factory providers or provider registries for dynamic selection.
+
+---
+
 ## AI Instructions
 
 When generating code:
@@ -744,6 +944,13 @@ When generating code:
 15. **Never** let folders exceed 15 files - organize into subfolders
 16. **Never** use `any` type - use `unknown` or proper interfaces
 17. **Always** add explicit return types to functions
+18. **Never** read `process.env` outside the config module
+19. **Always** validate config at startup with a schema
+20. **Always** add ownership/authorization checks on data-access endpoints
+21. **Never** return secrets (API keys, tokens) in API responses or HTML
+22. **Always** hash OTPs, reset tokens, and session secrets before storing
+23. **Always** escape dynamic values in HTML output
+24. **Never** use `new ServiceClass()` — register in DI and inject
 
 ### Cleanup Tasks
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tlc-claude-code",
-  "version": "2.2.1",
+  "version": "2.3.0",
   "description": "TLC - Test Led Coding for Claude Code",
   "bin": {
     "tlc-claude-code": "./bin/install.js",