Ali-dev11
diff --git a/‎.github/dependabot.yml‎
Lines changed: 30 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/dependency-review.yml‎
Lines changed: 16 additions & 0 deletions b/‎.github/workflows/dependency-review.yml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 21 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎CODEOWNERS‎
Lines changed: 1 addition & 0 deletions b/‎CODEOWNERS‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 80 additions & 55 deletions b/‎README.md‎
Lines changed: 80 additions & 55 deletions
diff --git a/‎docs/changelog.md‎
Lines changed: 21 additions & 0 deletions b/‎docs/changelog.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎docs/development.md‎
Lines changed: 30 additions & 12 deletions b/‎docs/development.md‎
Lines changed: 30 additions & 12 deletions
@@ -0,0 +1,30 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "09:00"
+      timezone: Asia/Karachi
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - npm
+    groups:
+      production-dependencies:
+        dependency-type: production
+      development-dependencies:
+        dependency-type: development
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "09:30"
+      timezone: Asia/Karachi
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - github-actions
@@ -0,0 +1,16 @@
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     steps:
       - uses: actions/checkout@v5
         with:
@@ -37,6 +39,10 @@ jobs:
         run: |
           mkdir -p release-artifacts
           npm pack --ignore-scripts --pack-destination release-artifacts --cache /tmp/devforge-release-cache
+      - name: Attest release artifact provenance
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: release-artifacts/*.tgz
       - name: Publish GitHub release
         env:
           GH_TOKEN: ${{ github.token }}
 
@@ -6,6 +6,27 @@ The format follows Keep a Changelog and the version numbers follow Semantic Vers
 
 ## [Unreleased]
 
+## [0.4.0] - 2026-03-26
+
+### Added
+
+- Added repository hardening files and workflows: `CODEOWNERS`, Dependabot configuration, a pull-request dependency review workflow, and GitHub release artifact attestations.
+- Added generated README and getting-started command guides that explain what each common command does and why it matters.
+- Added a dedicated prompt reference page so users can understand what each CLI question changes and why DevForge asks it.
+
+### Changed
+
+- Refreshed the public README and documentation site with clearer positioning, stronger command explanations, and clearer guidance around default versus optional tooling.
+- Made Husky and Commitlint opt-in defaults, while keeping ESLint and Prettier enabled as the baseline quality setup.
+- Narrowed generated microfrontend strategy support to the currently implemented Vite federation flow so prompts and normalization no longer imply unsupported runtime behavior.
+
+### Fixed
+
+- Reworked generated microfrontend workspaces to use a federation-aware host and remote setup with stable ports, remote entry exposure, and a dev workflow that no longer races three generic Vite apps against each other.
+- Improved installer UX by surfacing explicit progress steps before dependency installation and git setup begin.
+- Added pnpm build-approval hints for browser-oriented scaffolds so common `esbuild` installs no longer stop at an approval warning on fresh pnpm setups.
+- Updated generated Tailwind Vite scaffolds to use the current Tailwind package integration instead of writing unprocessed `@tailwind` directives without the required plugin setup.
+
 ## [0.3.4] - 2026-03-26
 
 ### Changed
 
@@ -0,0 +1 @@
+* @Ali-dev11
@@ -1,77 +1,87 @@
 # DevForge CLI
 
-DevForge CLI is a production-focused, AI-native scaffolding tool for modern JavaScript and TypeScript applications. It helps teams move from project intent to a documented, installable repository with architecture guidance, AI assistant rules, testing setup, release hygiene, and baseline tooling already in place.
+DevForge CLI is an AI-native scaffolding tool for JavaScript and TypeScript teams that want more than a blank starter. It turns project intent into a runnable repository with architecture guidance, starter surfaces, testing setup, AI rules, repository hygiene, and contributor docs already in place.
 
-## Why DevForge
+## Why DevForge Exists
 
-Starting a new project usually means repeating the same setup work: choosing frameworks, wiring testing, adding linting, deciding on architecture, documenting the stack, and aligning AI assistants with team standards. DevForge turns that setup phase into a guided flow that produces a repo your team can actually build on.
+Most new projects lose time before real product work even starts. Teams repeat the same setup decisions around frameworks, package managers, testing, linting, formatting, release hygiene, CI, and AI tooling. DevForge compresses that setup phase into one guided flow and outputs a repository that already explains itself.
 
 DevForge helps you:
 
-- reduce setup time for frontend, backend, fullstack, microfrontend, extension, and CLI projects
-- avoid invalid stack combinations through built-in normalization and compatibility rules
-- start with generated docs, health surfaces, project metadata, and repository hygiene from day one
-- configure AI tools like Cursor, Claude, and Codex with stack-aware rule packs
-- standardize project creation across teams, internal tools, client work, and experiments
+- move from idea to runnable repo faster
+- avoid invalid stack combinations before they land in code
+- start with project docs, starter surfaces, and contributor files on day one
+- standardize scaffolding across personal projects, internal tooling, and client work
+- keep Cursor, Claude, and Codex aligned with the selected stack through generated rules
 
-## What You Get
+## What It Generates
 
-- intent-driven scaffolding for landing pages, frontend apps, backend APIs, fullstack apps, microfrontends, Chrome extensions, and CLI tools
-- environment-aware setup for Node.js and package manager selection
-- configurable ESLint, Prettier, and Husky strictness profiles
-- testing setup prompts for Vitest, Jest, Playwright, Cypress, `node`, `jsdom`, and `happy-dom`
-- frontend state and data choices including Redux Toolkit, MobX, Jotai, TanStack Query, RTK Query, and more
-- generated docs, AI rules, CI, contribution files, and release-ready repository hygiene
-
-## Generated Starter Experience
-
-DevForge does not stop at writing config files. Fresh projects include meaningful starter surfaces so the generated app explains itself:
-
-- frontend projects render a project details page with stack information and generator metadata
-- backend projects expose structured metadata from `/` and `/health`
-- fullstack apps ship with a frontend surface and an API health route
-- microfrontends generate a host plus remotes with role-aware starter screens
-- Chrome extensions include popup, background, and content-script starter surfaces
-- CLI projects expose human-readable output and machine-readable `--json` output
+- landing pages, frontend apps, backend APIs, fullstack apps, microfrontend workspaces, Chrome extensions, and CLI tools
+- project-detail starter UIs for frontend surfaces
+- metadata and health endpoints for backend and fullstack APIs
+- AI rule outputs for Cursor, Claude, Codex, and `AGENTS.md`
+- testing setup for Vitest, Jest, Playwright, and Cypress
+- optional ESLint, Prettier, Husky, Commitlint, Docker, and GitHub Actions setup
+- generated docs, changelog-ready project metadata, and baseline repository hygiene
 
 ## Quick Start
 
-Run without installing globally:
+Run without a global install:
 
 ```bash
-npx @ali-dev11/devforge@latest
+npx --yes @ali-dev11/devforge@latest
 ```
 
 Global install:
 
 ```bash
 npm install -g @ali-dev11/devforge
-create-devforge
-# or
 devforge
 ```
 
-## Local Development
+## What The CLI Asks You
 
-```bash
-npm install
-npm run check
-npm run build
-node dist/bin/devforge.js --help
-node dist/bin/devforge.js init
-```
+DevForge keeps core setup decisions required, and pushes the rest behind optional customization steps.
 
-## Release History And Docs
+- Always asked: project name, output directory, Node strategy, package manager, project intent, architecture when there is more than one valid choice, and stack-specific core choices like framework or backend language.
+- Asked only when you opt in to customization: frontend libraries, backend capabilities, testing details, AI rule details, linting/formatting/hooks, and extra DevOps tooling.
 
-- [Documentation Site](https://ali-dev11.github.io/devforge/)
-- [Docs Overview](./docs/overview.md)
-- [Changelog](./CHANGELOG.md)
-- [GitHub Releases](https://github.com/Ali-dev11/devforge/releases)
-- [GitHub Pages Changelog](https://ali-dev11.github.io/devforge/changelog.html)
+## Prompt Guide
+
+Every prompt in DevForge exists to answer one of four questions: where the project should live, what kind of product is being created, which stack should power it, and how much team/process setup should be generated from day one.
+
+- `Project name`: becomes the generated package or workspace name and is reused in starter screens, docs, and metadata.
+- `Output directory`: tells DevForge where to write files. It is needed so the generator knows which folder to create or validate before writing.
+- `Node.js version`: controls whether the scaffold follows the current LTS track, the latest available release, or a custom pinned version for stricter team environments.
+- `Package manager`: chooses the lockfile, install command, and workspace behavior for the generated project.
+- `What are you building?`: decides the entire downstream flow, including whether DevForge asks frontend, backend, extension, CLI, or workspace-specific questions.
+- `Architecture style`: determines whether the output is a single app, a modular codebase, a monorepo, or a microfrontend workspace when that makes sense for the selected intent.
+- `Template tier`: controls how much baseline setup and production-minded structure the scaffold should include.
+
+The full prompt-by-prompt guide is here:
+
+- [Prompt Reference](./docs/prompts.md)
+
+## Default Versus Optional Tooling
+
+- ESLint: enabled by default because most teams want lint feedback immediately.
+- Prettier: enabled by default so formatting stays consistent across humans and AI tools.
+- Husky: optional and off by default because local git hooks are team-policy dependent.
+- Commitlint: optional and off by default unless you explicitly want commit-message enforcement.
+- Docker and generated GitHub Actions: optional, depending on whether the project needs containerization or repo-level automation from day one.
+
+## How DevForge Helps In Practice
+
+- For frontend teams, it creates a visible starter surface that shows the selected stack, project metadata, and generator details.
+- For backend teams, it exposes structured metadata and health endpoints so the scaffold is immediately inspectable.
+- For fullstack teams, it gives you both a frontend shell and an API surface instead of only config files.
+- For platform teams, it creates repeatable project conventions around docs, testing, and AI rules.
+- For public packages and client work, it reduces “first week” setup drift and gives contributors a clearer starting point.
 
 ## Development Commands
 
 ```bash
+npm install
 npm run lint
 npm run typecheck
 npm run test
@@ -82,16 +92,30 @@ npm run smoke
 npm run runtime:matrix -- --scenario backend-hono --scenario cli-tool
 ```
 
-## Documentation
+## Why These Commands Matter
 
+- `npm install` installs local development dependencies for the DevForge repository itself.
+- `npm run lint` checks repository code quality rules.
+- `npm run typecheck` validates the TypeScript source without emitting build output.
+- `npm run test` runs regression coverage for prompts, normalization, generator output, changelog rendering, and runtime-matrix coverage.
+- `npm run build` compiles the CLI into `dist/` so the published package and smoke runs use built artifacts.
+- `npm run check` is the main contributor safety command because it combines linting, typechecking, tests, and build verification.
+- `npm run docs:changelog` refreshes the GitHub Pages changelog page from `CHANGELOG.md`.
+- `npm run smoke` verifies a non-interactive scaffold run end to end.
+- `npm run runtime:matrix -- --scenario ...` installs, builds, and verifies generated projects so the scaffold output is tested as a product, not just as source code.
+
+## Repository Docs
+
+- [Documentation Site](https://ali-dev11.github.io/devforge/)
 - [Docs Home](./docs/index.md)
-- [Changelog Page](./docs/changelog.md)
+- [Prompt Reference](./docs/prompts.md)
 - [Overview](./docs/overview.md)
 - [Architecture](./docs/architecture.md)
 - [Development](./docs/development.md)
 - [Generated Output](./docs/generated-output.md)
-- [Contributing](./CONTRIBUTING.md)
-- [Docs Contributing Page](./docs/contributing.md)
+- [Changelog](./CHANGELOG.md)
+- [GitHub Releases](https://github.com/Ali-dev11/devforge/releases)
+- [GitHub Pages Changelog](https://ali-dev11.github.io/devforge/changelog.html)
 
 ## Community Health
 
@@ -105,13 +129,14 @@ npm run runtime:matrix -- --scenario backend-hono --scenario cli-tool
 
 ## Repository Structure
 
-- `src/cli.ts`: argument parsing and command dispatch
-- `src/commands/init.ts`: orchestration for the init flow
-- `src/engines/`: environment detection, prompts, normalization, generation, install hooks, AI rules
-- `src/templates.ts`: generated file content and project docs
-- `src/devforge-rules.ts`: DevForge-curated AI rule pack mapping
-- `test/`: regression tests
-- `docs/`: product, architecture, and contribution documentation
+- `src/cli.ts` handles argument parsing and command dispatch.
+- `src/commands/init.ts` orchestrates the interactive initialization flow.
+- `src/engines/` contains environment detection, prompting, normalization, generation, installation, and AI rule logic.
+- `src/templates.ts` defines generated project files, starter surfaces, and generated docs.
+- `src/runtime-matrix.ts` verifies generated project installs, builds, and runtime behavior.
+- `src/devforge-rules.ts` maps stack choices to DevForge-curated AI rule packs.
+- `docs/` powers the public documentation site.
+- `test/` covers generator behavior, decision normalization, changelog rendering, and runtime-matrix coverage.
 
 ## License
 
 
@@ -9,6 +9,27 @@ Track what changed in DevForge CLI across releases, including scaffolding behavi
 - [GitHub Releases](https://github.com/Ali-dev11/devforge/releases)
 - [Repository Changelog](https://github.com/Ali-dev11/devforge/blob/main/CHANGELOG.md)
 
+## [0.4.0] - 2026-03-26
+
+### Added
+
+- Added repository hardening files and workflows: `CODEOWNERS`, Dependabot configuration, a pull-request dependency review workflow, and GitHub release artifact attestations.
+- Added generated README and getting-started command guides that explain what each common command does and why it matters.
+- Added a dedicated prompt reference page so users can understand what each CLI question changes and why DevForge asks it.
+
+### Changed
+
+- Refreshed the public README and documentation site with clearer positioning, stronger command explanations, and clearer guidance around default versus optional tooling.
+- Made Husky and Commitlint opt-in defaults, while keeping ESLint and Prettier enabled as the baseline quality setup.
+- Narrowed generated microfrontend strategy support to the currently implemented Vite federation flow so prompts and normalization no longer imply unsupported runtime behavior.
+
+### Fixed
+
+- Reworked generated microfrontend workspaces to use a federation-aware host and remote setup with stable ports, remote entry exposure, and a dev workflow that no longer races three generic Vite apps against each other.
+- Improved installer UX by surfacing explicit progress steps before dependency installation and git setup begin.
+- Added pnpm build-approval hints for browser-oriented scaffolds so common `esbuild` installs no longer stop at an approval warning on fresh pnpm setups.
+- Updated generated Tailwind Vite scaffolds to use the current Tailwind package integration instead of writing unprocessed `@tailwind` directives without the required plugin setup.
+
 ## [0.3.4] - 2026-03-26
 
 ### Changed
 
@@ -7,8 +7,8 @@ title: Development
 ## Prerequisites
 
 - Node.js 20+
-- npm 10+ recommended
-- Use Node `20.19.0+` or `22.12.0+` when running generated frontend or extension runtime scenarios locally.
+- npm 10+ recommended for working on the DevForge repository
+- Use Node `20.19.0+` or `22.12.0+` when running generated frontend or extension runtime scenarios locally
 
 ## Local Setup
 
@@ -17,23 +17,41 @@ npm install
 npm run check
 ```
 
-## Common Commands
+## Repository Commands
 
 ```bash
 npm run dev -- --help
-npm run build
-npm run test
 npm run lint
+npm run typecheck
+npm run test
+npm run build
+npm run check
 npm run docs:changelog
 npm run smoke
 npm run runtime:matrix -- --scenario backend-hono --scenario cli-tool
 ```
 
-## Workflow
+## Why Each Command Exists
+
+- `npm run dev -- --help` lets you exercise the CLI locally without publishing a package first.
+- `npm run lint` checks repository code-style and code-quality rules.
+- `npm run typecheck` catches TypeScript regressions before runtime.
+- `npm run test` runs focused regression tests for prompting, normalization, generator output, changelog rendering, and runtime-matrix coverage.
+- `npm run build` compiles the CLI to `dist/`, which mirrors what npm users receive.
+- `npm run check` is the primary contributor gate because it runs lint, types, tests, and build verification together.
+- `npm run docs:changelog` keeps the GitHub Pages changelog synchronized with `CHANGELOG.md`.
+- `npm run smoke` verifies a fast end-to-end scaffold run without interactive prompts.
+- `npm run runtime:matrix -- --scenario ...` validates generated projects as products by installing, building, and checking runtime behavior for representative stacks.
+
+## Working On Generated Scaffolds
+
+- Prefer `npm run smoke` for quick CLI sanity checks.
+- Use `npm run runtime:matrix` when changing templates, prompts, package-manager behavior, or generated runtime surfaces.
+- If you touch microfrontend templates, validate the generated `dev` workflow, not just build output.
+- If you touch docs or release notes, rerun `npm run docs:changelog`.
+
+## Tooling Defaults
 
-1. Make changes in `src/`.
-2. Run `npm run check`.
-3. Use `npm run smoke` for an end-to-end non-interactive scaffold.
-4. Use `npm run runtime:matrix` to verify generated installs, builds, and runtime surfaces for representative stacks.
-5. Run `npm run docs:changelog` after changelog updates so the GitHub Pages release history stays aligned.
-6. Update docs when command behavior or generated output changes.
+- ESLint and Prettier are default-on in generated projects because they are broad quality baselines.
+- Husky and Commitlint are opt-in because local hook enforcement is not appropriate for every team or prototype.
+- Generated GitHub Actions, Docker, and heavier DevOps setup remain optional to avoid forcing unnecessary tooling into every scaffold.