v1.0.0, April 19, 2026

Auto-detect on install; zero manual config; migration via `migrateV1ToV2()`.


Breaking

  • schema_version: 2 is now the default for every config generated by massu init. Configs without schema_version are interpreted as schema_version: 1 and continue to load unchanged — no code changes required for existing projects, but new fields (framework.languages, verification, verification_types, detection.rules) only apply to v2 configs.
  • framework.type accepts a new value "multi" for multi-runtime projects, with framework.primary selecting the dominant language. Single-language projects still use framework.type: typescript | python | rust | ... exactly as before.
  • Legacy top-level framework.router / .orm / .ui keys are mirrored from framework.languages.<primary> on v2 configs. Readers that only consult the top-level keys keep working.

Added

  • Auto-detection engine (packages/core/src/detect/) — pure filesystem introspection across 8 languages (TypeScript, JavaScript, Python, Rust, Swift, Go, Java, Ruby), 9 manifest formats, and ~60 framework/ORM/test-framework signals. No network, no child processes, no database writes.
  • massu init rewrite — detection-driven, zero manual YAML editing. Generates schema_version: 2 configs. New flags: --ci (non-interactive), --force (overwrite without prompt), --template <name>.
  • 7 project templates: python-fastapi, python-django, ts-nextjs, ts-nestjs, rust-actix, swift-ios, multi-runtime. Greenfield mode skips detection.
  • migrateV1ToV2(v1Config, detectionResult) pure function (packages/core/src/detect/migrate.ts) — lifts existing v1 configs to v2 while preserving every user override (rules, domains, canonical_paths, accessScopes, analytics, governance, security, team, conventions, etc.).
  • computeFingerprint and detectDrift (packages/core/src/detect/drift.ts) — SHA-256 fingerprint over normalized DetectionResult plus a four-axis drift report (language set, per-language framework, manifest set, workspace set).
  • verification config block — per-language overrides for VR-TEST, VR-TYPE, VR-BUILD, VR-SYNTAX, VR-LINT.
  • verification_types config block — register custom VR-* types (e.g., VR-IBKR-CONTRACT, VR-POLICY) with descriptions.
  • detection.rules config block — add project-specific framework signals or replace built-ins entirely with detection.disable_builtin: true.
  • Monorepo detection — identifies turbo, nx, lerna, pnpm, yarn, bazel, generic, single. Nested workspace support (e.g., turbo outer + pnpm inner).
  • Atomic config writes: .tmp file + renameSync; partial writes never persist. File permissions preserved on overwrite.
  • Post-init validation — every written config is re-read through Zod and filesystem-checked; invalid configs are rolled back.
  • 61 new tests covering 11 fixture repos, 5 stale-config migration snapshots, and 6 drift scenarios.
  • Documentation: docs/auto-detection.mdx, docs/migration/v1-to-v2.mdx, docs/vr-types.mdx, docs/ci-drift-check.mdx, docs/error-handling.mdx.

Changed

  • massu init output now reports detected languages, frameworks, source dirs, and monorepo type explicitly rather than producing a generic TypeScript template.
  • framework.type shape extended to support multi-runtime via type: multi + primary: <language> + languages: { <language>: { ... } }.
  • Pattern scanner allowlist extended to include detect/monorepo-detector.ts (reads pnpm-workspace.yaml, not massu.config.yaml) and commands/init.ts (validates the YAML it just wrote).

Fixed

  • Stale configs where the declared language didn't match repo reality (multi-runtime stale-config regressions) now fail post-init validation and are rolled back instead of being silently written.
  • --ci mode no longer silently overwrites existing configs — throws "massu init: config exists in --ci mode (no overwrite)". Use --force to opt in.
  • Interactive overwrite prompt now defaults to NO (previously defaulted to YES on some terminals).
  • Symlink-escape defense: detection filters out any file whose realpath resolves outside projectRoot.
  • Secret-file exclusion: `.env`, `.env.*`, `*.pem`, `*.key`, `.aws/`, `.ssh/`, `credentials.json`, `*.p12`, `*.pfx` are explicitly excluded from source-dir globbing.
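
The symlink-escape defense and secret-file exclusion described in the last two fixes, sketched as an added TypeScript example; this is not Massu's own code. The function names, the regex reading of the exclusion list, and the sample tree are assumptions constructed for illustration.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Assumed reading of the release note's exclusion list (basename tests + directory names).
const SECRET_FILES = [/^\.env(\..+)?$/, /\.(pem|key|p12|pfx)$/, /^credentials\.json$/];
const SECRET_DIRS = [".aws", ".ssh"];

function isSecretPath(relPath: string): boolean {
  const parts = relPath.split(/[\\/]/);
  const base = parts[parts.length - 1];
  const inSecretDir = parts.slice(0, -1).some((p) => SECRET_DIRS.indexOf(p) !== -1);
  return inSecretDir || SECRET_FILES.some((re) => re.test(base));
}

// True only when the fully resolved target is located under the resolved project root.
function resolvesInside(projectRoot: string, file: string): boolean {
  try {
    // Resolve the root too: it may itself sit behind a symlink (e.g. /tmp on macOS).
    const rel = path.relative(fs.realpathSync(projectRoot), fs.realpathSync(file));
    return rel !== "" && rel.split(path.sep)[0] !== ".." && !path.isAbsolute(rel);
  } catch (err) {
    return false; // dangling symlink or unreadable path: exclude rather than guess
  }
}

// Hypothetical helper: keep candidates that are neither secrets nor symlink escapes.
function filterCandidates(projectRoot: string, relPaths: string[]): string[] {
  return relPaths.filter(
    (rel) => !isSecretPath(rel) && resolvesInside(projectRoot, path.join(projectRoot, rel))
  );
}

// Constructed sample tree: one legitimate file, three secrets, two bad symlinks.
function demo(): string[] {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "detect-demo-"));
  const root = path.join(tmp, "project");
  for (const dir of ["src", "certs", ".aws"]) fs.mkdirSync(path.join(root, dir), { recursive: true });
  fs.writeFileSync(path.join(tmp, "outside.txt"), "not part of the project");
  const files = ["src/app.ts", ".env.local", "certs/server.pem", ".aws/config"];
  for (const f of files) fs.writeFileSync(path.join(root, f), "x");
  fs.symlinkSync(path.join(tmp, "outside.txt"), path.join(root, "src", "escape.ts"));
  fs.symlinkSync(path.join(tmp, "missing.txt"), path.join(root, "src", "dangling.ts"));
  try {
    return filterCandidates(root, files.concat(["src/escape.ts", "src/dangling.ts"]));
  } finally {
    fs.rmSync(tmp, { recursive: true, force: true });
  }
}
```

Comparing resolved paths segment by segment, rather than with a string prefix test, avoids treating a sibling directory such as `project-old` as being inside `project`.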

Security

  • New detection layer is network-free and database-free by contract. Verified by grep -rn "better-sqlite3|getMemoryDb|getDataDb|child_process|spawn|execSync|fetch\(" packages/core/src/detect/ → 0 matches.
  • Atomic writes prevent partial config corruption on write failure.
  • CI generalization scanner now runs on every PR to catch hardcoded project-specific data.
