release: sync develop → main (workflow fix)

.changeset/README.md

@@ -7,8 +7,8 @@ SPDX-License-Identifier: MIT
 
 This folder holds the FocusMCP CLI changesets. Every PR that changes user-facing behaviour must add a changeset via `pnpm changeset`.
 
-- Mode: **single package** — `@focusmcp/cli` is published as one npm package.
-- `access: public` — published to the public npm registry on the `@focusmcp/` scope.
+- Mode: **single package** — `@focus-mcp/cli` is published as one npm package.
+- `access: public` — published to the public npm registry on the `@focus-mcp/` scope.
 - `baseBranch: develop` — changesets are opened against `develop` and promoted to `main` at release time.
 
 Format: Markdown with frontmatter listing the package + bump level (patch / minor / major).

.changeset/config.json

@@ -1,11 +1,11 @@
 {
-  "$schema": "https://unpkg.com/@changesets/config@3.0.0/schema.json",
-  "changelog": "@changesets/cli/changelog",
-  "commit": false,
-  "fixed": [],
-  "linked": [],
-  "access": "public",
-  "baseBranch": "develop",
-  "updateInternalDependencies": "patch",
-  "ignore": []
+    "$schema": "https://unpkg.com/@changesets/config@3.0.0/schema.json",
+    "changelog": "@changesets/cli/changelog",
+    "commit": false,
+    "fixed": [],
+    "linked": [],
+    "access": "public",
+    "baseBranch": "develop",
+    "updateInternalDependencies": "patch",
+    "ignore": []
 }

.claude-plugin/marketplace.json

@@ -0,0 +1,17 @@
+{
+    "name": "focus-mcp-cli",
+    "owner": {
+        "name": "FocusMCP contributors",
+        "url": "https://github.com/focus-mcp"
+    },
+    "plugins": [
+        {
+            "name": "focus-mcp",
+            "source": "./",
+            "description": "MCP orchestrator — compose atomic AI tool bricks on demand and cut context from 200k to ~2k tokens.",
+            "version": "1.1.0",
+            "category": "mcp",
+            "tags": ["mcp", "orchestrator", "context-engineering", "ai-tools", "bricks"]
+        }
+    ]
+}

.claude-plugin/marketplace.json.license

@@ -0,0 +1 @@
+{ "SPDX-FileCopyrightText": "2026 FocusMCP contributors", "SPDX-License-Identifier": "MIT" }

.claude-plugin/plugin.json

@@ -0,0 +1,19 @@
+{
+    "name": "focus-mcp",
+    "version": "1.1.0",
+    "description": "FocusMCP — MCP orchestrator that reduces AI context from 200k to ~2k tokens. Compose AI tools (bricks) on demand without polluting context.",
+    "author": {
+        "name": "FocusMCP contributors",
+        "url": "https://github.com/focus-mcp"
+    },
+    "homepage": "https://github.com/focus-mcp/cli",
+    "repository": "https://github.com/focus-mcp/cli",
+    "license": "MIT",
+    "keywords": ["mcp", "tools", "orchestrator", "focus", "bricks"],
+    "mcpServers": {
+        "focus": {
+            "command": "npx",
+            "args": ["-y", "@focus-mcp/cli@latest", "start"]
+        }
+    }
+}

.claude-plugin/plugin.json.license

@@ -0,0 +1 @@
+{ "SPDX-FileCopyrightText": "2026 FocusMCP contributors", "SPDX-License-Identifier": "MIT" }

.github/actions/setup/action.yml

@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2026 FocusMCP contributors
+# SPDX-License-Identifier: MIT
+
+name: Setup toolchain
+description: |
+  Clone @focus-mcp/core as a sibling directory (../core), install and build it,
+  then set up pnpm + Node and install this repo's dependencies.
+  The CLI depends on `@focus-mcp/core` via a `file:../core/packages/core` path,
+  so the sibling must exist and have a built `dist/` before `pnpm install`.
+
+inputs:
+  core-ref:
+    description: Git ref (branch, tag, SHA) of focus-mcp/core to check out.
+    required: false
+    default: develop
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout @focus-mcp/core (inside workspace — actions/checkout restriction)
+      uses: actions/checkout@v4
+      with:
+        repository: focus-mcp/core
+        ref: ${{ inputs.core-ref }}
+        path: .core-sibling
+        fetch-depth: 1
+
+    # actions/checkout refuses paths outside the workspace; move it to the real sibling now.
+    - name: Move @focus-mcp/core to sibling location
+      shell: bash
+      run: |
+        mv "$GITHUB_WORKSPACE/.core-sibling" "$GITHUB_WORKSPACE/../core"
+
+    - name: Set up pnpm
+      uses: pnpm/action-setup@v4
+
+    - name: Set up Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: 22
+        cache: pnpm
+        registry-url: 'https://registry.npmjs.org'
+
+    - name: Install @focus-mcp/core dependencies
+      shell: bash
+      working-directory: ../core
+      run: pnpm install --frozen-lockfile
+
+    - name: Build @focus-mcp/core
+      shell: bash
+      working-directory: ../core
+      run: pnpm --filter "@focus-mcp/core" build
+
+    - name: Install CLI dependencies
+      shell: bash
+      run: pnpm install --frozen-lockfile

.github/renovate.json

@@ -1,39 +1,44 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended",
-    ":semanticCommits",
-    ":semanticCommitTypeAll(chore)",
-    "group:monorepos",
-    "group:recommended",
-    "schedule:weekly"
-  ],
-  "labels": ["dependencies"],
-  "rangeStrategy": "bump",
-  "lockFileMaintenance": {
-    "enabled": true,
-    "schedule": ["before 5am on monday"]
-  },
-  "vulnerabilityAlerts": {
-    "labels": ["security"],
-    "schedule": ["at any time"]
-  },
-  "packageRules": [
-    {
-      "matchUpdateTypes": ["patch", "minor"],
-      "matchCurrentVersion": "!/^0/",
-      "automerge": true,
-      "automergeType": "branch"
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:recommended",
+        ":semanticCommits",
+        ":semanticCommitTypeAll(chore)",
+        "group:monorepos",
+        "group:recommended",
+        "schedule:weekly"
+    ],
+    "labels": ["dependencies"],
+    "rangeStrategy": "bump",
+    "lockFileMaintenance": {
+        "enabled": true,
+        "schedule": ["before 5am on monday"]
     },
-    {
-      "matchPackageNames": ["typescript", "@biomejs/biome", "vitest", "@modelcontextprotocol/sdk"],
-      "automerge": false
+    "vulnerabilityAlerts": {
+        "labels": ["security"],
+        "schedule": ["at any time"]
     },
-    {
-      "matchDepTypes": ["devDependencies"],
-      "automerge": true
-    }
-  ],
-  "prHourlyLimit": 4,
-  "prConcurrentLimit": 10
+    "packageRules": [
+        {
+            "matchUpdateTypes": ["patch", "minor"],
+            "matchCurrentVersion": "!/^0/",
+            "automerge": true,
+            "automergeType": "branch"
+        },
+        {
+            "matchPackageNames": [
+                "typescript",
+                "@biomejs/biome",
+                "vitest",
+                "@modelcontextprotocol/sdk"
+            ],
+            "automerge": false
+        },
+        {
+            "matchDepTypes": ["devDependencies"],
+            "automerge": true
+        }
+    ],
+    "prHourlyLimit": 4,
+    "prConcurrentLimit": 10
 }

.github/workflows/ci.yml

@@ -21,57 +21,37 @@ jobs:
     name: Lint (Biome)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: pnpm
-      - run: pnpm install --frozen-lockfile
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/setup
       - run: pnpm lint
 
   commitlint:
     name: Commitlint
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: pnpm
-      - run: pnpm install --frozen-lockfile
+      - uses: ./.github/actions/setup
       - run: pnpm exec commitlint --config config/commitlint.config.js --from ${{ github.event.pull_request.base.sha }} --to HEAD --verbose
 
   typecheck:
     name: Typecheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: pnpm
-      - run: pnpm install --frozen-lockfile
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/setup
       - run: pnpm typecheck
 
   test:
     name: Test + Coverage
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: pnpm
-      - run: pnpm install --frozen-lockfile
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/setup
       - run: pnpm test:coverage
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: coverage
@@ -82,14 +62,14 @@ jobs:
     name: REUSE compliance
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: fsfe/reuse-action@v5
 
   gitleaks:
     name: Gitleaks (secret scan)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Install gitleaks
@@ -104,15 +84,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: [typecheck, test]
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: pnpm
-      - run: pnpm install --frozen-lockfile
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/setup
       - run: pnpm build
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: dist

.github/workflows/claude-review.yml

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2026 FocusMCP contributors
+# SPDX-License-Identifier: MIT
+
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+  issue_comment:
+    types: [created]
+
+jobs:
+  review:
+    if: |
+      (github.event_name == 'pull_request') ||
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude'))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
+    steps:
+      - uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          prompt: |
+            Review this pull request as a senior engineer. Post inline comments on issues you find. At the end, post a summary review with verdict (approve / request changes / comment).
+
+            Focus areas (in order of priority):
+            1. **Correctness** — does the code do what the PR description claims? Any obvious bugs, race conditions, or broken edge cases?
+            2. **Security** — input validation, injection risks, unsafe shell/eval, secret leaks, unsafe deps.
+            3. **Test coverage** — are new code paths tested? Any missing edge-case tests?
+            4. **TypeScript strictness** — no `any`, proper types, `node:` protocol for stdlib imports.
+            5. **Consistency** — matches surrounding patterns, naming conventions, file layout.
+            6. **Docs** — public API changes reflected in README/AGENTS.md.
+
+            Be terse and concrete. If the PR is clean, say "LGTM" and approve. Do not hedge.
+            Reject `--no-verify` and any bypasses of CI gates in the code.

.github/workflows/codeql.yml

@@ -31,11 +31,11 @@ jobs:
       matrix:
         language: [typescript]
     steps:
-      - uses: actions/checkout@v4
-      - uses: github/codeql-action/init@v3
+      - uses: actions/checkout@v5
+      - uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql-config.yml
-      - uses: github/codeql-action/analyze@v3
+      - uses: github/codeql-action/analyze@v4
         with:
           category: /language:${{ matrix.language }}