feat: Enterprise-ready workflows with formatted reports

Major enhancements for v3.2.x release:

## Formatted Reports for All Workflows
- Added consistent `formatted_report` output to all 10 workflows
- Professional structure with status icons and actionable summaries
- Workflows: health-check, security-audit, perf-audit, dependency-check,
  code-review, release-prep, refactor-plan, secure-release, doc-gen, test-gen

## Enterprise Doc-Gen Features
- Auto-scaling tokens based on section count (2k tokens/section)
- Chunked generation for large documents (sections_per_chunk=3)
- Chunked polish for documents over 10k tokens
- Cost guardrails with configurable max_cost ($5 default)
- Graceful degradation with partial results on errors
- File export to docs/generated/ directory
- Output chunking for display (avoids terminal truncation)

## README Updates
- Added "Enterprise-Ready Workflows" to What's New section
- New "Enterprise Doc-Gen" section with usage examples
- Updated workflow table with formatted reports mention

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: 2 people

.claude/CLAUDE.md

@@ -0,0 +1,6 @@
+# Python Coding Standards
+
+- Use type hints
+- Follow PEP 8
+- Write docstrings
+- Target 90%+ test coverage

.claude/python-standards.md

@@ -50,6 +50,22 @@ repos:
         args: ['-c', '.bandit', '-r', 'src/', 'empathy_software_plugin/', 'empathy_llm_toolkit/', 'coach_wizards/', '--severity-level', 'medium', '--confidence-level', 'medium']
         pass_filenames: false
 
+  # Detect-secrets - Prevent secrets from being committed
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: ['--baseline', '.secrets.baseline']
+        exclude: |
+          (?x)^(
+            \.env\.example$|
+            tests/test_secrets_detector\.py$|
+            tests/test_secure_memdocs\.py$|
+            empathy_llm_toolkit/security/secrets_detector\.py$|
+            empathy_llm_toolkit/security/secure_memdocs_example\.py$|
+            anthropic-cookbook/
+          )
+
   # Standard pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0

.pre-commit-config.yaml

@@ -0,0 +1,122 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {},
+  "generated_at": "2025-12-25T00:00:00Z"
+}

.secrets.baseline

@@ -14,6 +14,12 @@ pip install empathy-framework[full]
 
 ## What's New in v3.2.x
 
+### Enterprise-Ready Workflows
+
+- **Formatted Reports for All Workflows** — Every workflow now includes `formatted_report` with consistent structure, status icons, and actionable summaries
+- **Enterprise-Safe Doc-Gen** — Auto-scaling tokens, chunked generation, cost guardrails ($5 default limit), graceful degradation, and file export
+- **Output Chunking** — Large reports automatically split into displayable sections to avoid truncation
+
 ### Unified CLI & Developer Experience
 
 - **Unified Typer CLI** — One `empathy` command with Rich output, subcommand groups, and cheatsheet
@@ -225,6 +231,41 @@ print(result.summary, result.findings, result.checklist)
 
 ---
 
+## Enterprise Doc-Gen
+
+Generate comprehensive documentation for large projects with enterprise-safe defaults:
+
+```python
+from empathy_os.workflows import DocumentGenerationWorkflow
+
+# Enterprise-safe configuration
+workflow = DocumentGenerationWorkflow(
+    export_path="docs/generated",     # Auto-save to disk
+    max_cost=5.0,                     # Cost guardrail ($5 default)
+    chunked_generation=True,          # Handle large projects
+    graceful_degradation=True,        # Partial results on errors
+)
+
+result = await workflow.execute(
+    source_code=your_code,
+    doc_type="api_reference",
+    audience="developers"
+)
+
+# Access the formatted report
+print(result.final_output["formatted_report"])
+
+# Large outputs are chunked for display
+if "output_chunks" in result.final_output:
+    for chunk in result.final_output["output_chunks"]:
+        print(chunk)
+
+# Full docs saved to disk
+print(f"Saved to: {result.final_output.get('export_path')}")
+```
+
+---
+
 ## Smart Router
 
 Route natural language requests to the right wizard automatically:
@@ -391,7 +432,7 @@ cd empathy-framework && pip install -e .[dev]
 | **Multi-Model Router** | Smart routing across providers and tiers |
 | **Memory System** | Redis short-term + encrypted long-term patterns |
 | **17 Coach Wizards** | Security, performance, testing, docs, prompt engineering |
-| **10 Cost-Optimized Workflows** | Multi-tier pipelines with XML prompts |
+| **10 Cost-Optimized Workflows** | Multi-tier pipelines with formatted reports & XML prompts |
 | **Healthcare Suite** | SBAR, SOAP notes, clinical protocols (HIPAA) |
 | **Code Inspection** | Unified pipeline with SARIF/GitHub Actions support |
 | **VSCode Extension** | Visual dashboard for memory and workflows |

README.md

@@ -95,6 +95,43 @@ The Empathy Framework includes several security features:
 3. **API Key Protection**: Environment variable-based configuration
 4. **Audit Trail**: Optional logging of all wizard invocations
 5. **Rate Limiting**: Built-in protection against service abuse
+6. **Command Injection Prevention**: All file paths and user inputs are validated before subprocess execution
+7. **Secrets Detection**: Pre-commit hooks using detect-secrets to prevent accidental credential exposure
+
+### Pre-commit Security Hooks
+
+Run `pre-commit install` to enable:
+
+```bash
+pre-commit install
+```
+
+Security hooks include:
+
+- **detect-secrets**: Scans for potential API keys and credentials
+- **bandit**: Python security linter for common vulnerabilities
+
+### Built-in Security Tools
+
+```python
+from empathy_llm_toolkit.security import SecretsDetector, PIIScrubber
+
+# Detect secrets in content
+detector = SecretsDetector()
+findings = detector.scan(content)
+
+# Scrub PII before storage
+scrubber = PIIScrubber()
+clean_content = scrubber.scrub(content)
+```
+
+### Test Credentials
+
+All test files use obviously fake credentials:
+
+- Prefix with `TEST_`, `FAKE_`, or `EXAMPLE_`
+- Use placeholder patterns like `abc123xyz789...`
+- AWS example keys: `AKIAIOSFODNN7EXAMPLE`
 
 ## Known Security Considerations
 

SECURITY.md

@@ -1,2 +1,10 @@
-fastapi==0.104.1
-uvicorn[standard]==0.24.0
+# API-specific requirements
+#
+# For full installation, use from project root:
+#   pip install -e .[backend]
+#
+# This file is for minimal API-only deployments.
+
+# FastAPI (CVE-fixed versions aligned with pyproject.toml)
+fastapi>=0.109.1,<1.0.0
+uvicorn[standard]>=0.20.0,<1.0.0

backend/api/requirements.txt

@@ -58,35 +58,35 @@
 from empathy_llm_toolkit.wizards.retail_wizard import RetailWizard  # noqa: E402
 from empathy_llm_toolkit.wizards.sales_wizard import SalesWizard  # noqa: E402
 from empathy_llm_toolkit.wizards.technology_wizard import TechnologyWizard  # noqa: E402
-from empathy_software_plugin.wizards.advanced_debugging_wizard import (  # noqa: E402
+from empathy_software_plugin.wizards.advanced_debugging_wizard import (
     AdvancedDebuggingWizard,
-)
-from empathy_software_plugin.wizards.agent_orchestration_wizard import (  # noqa: E402
+)  # noqa: E402
+from empathy_software_plugin.wizards.agent_orchestration_wizard import (
     AgentOrchestrationWizard,
-)
-from empathy_software_plugin.wizards.ai_collaboration_wizard import (  # noqa: E402
+)  # noqa: E402
+from empathy_software_plugin.wizards.ai_collaboration_wizard import (
     AICollaborationWizard,
-)
+)  # noqa: E402
 from empathy_software_plugin.wizards.ai_context_wizard import AIContextWindowWizard  # noqa: E402
-from empathy_software_plugin.wizards.ai_documentation_wizard import (  # noqa: E402
+from empathy_software_plugin.wizards.ai_documentation_wizard import (
     AIDocumentationWizard,
-)
-from empathy_software_plugin.wizards.enhanced_testing_wizard import (  # noqa: E402
+)  # noqa: E402
+from empathy_software_plugin.wizards.enhanced_testing_wizard import (
     EnhancedTestingWizard,
-)
+)  # noqa: E402
 
 # AI wizards (12 total)
 from empathy_software_plugin.wizards.multi_model_wizard import MultiModelWizard  # noqa: E402
-from empathy_software_plugin.wizards.performance_profiling_wizard import (  # noqa: E402
+from empathy_software_plugin.wizards.performance_profiling_wizard import (
     PerformanceProfilingWizard as AIPerformanceWizard,
-)
-from empathy_software_plugin.wizards.prompt_engineering_wizard import (  # noqa: E402
+)  # noqa: E402
+from empathy_software_plugin.wizards.prompt_engineering_wizard import (
     PromptEngineeringWizard,
-)
+)  # noqa: E402
 from empathy_software_plugin.wizards.rag_pattern_wizard import RAGPatternWizard  # noqa: E402
-from empathy_software_plugin.wizards.security_analysis_wizard import (  # noqa: E402
+from empathy_software_plugin.wizards.security_analysis_wizard import (
     SecurityAnalysisWizard,
-)
+)  # noqa: E402
 
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)

backend/api/wizard_api.py

@@ -1,28 +1,26 @@
 # Backend requirements for Empathy Framework API
+#
+# For development, install from the project root:
+#   pip install -e .[backend,dev]
+#
+# This file provides standalone installation for deployments.
+# Version constraints are aligned with pyproject.toml
 
-# FastAPI and web server
-fastapi==0.115.6
-uvicorn[standard]==0.34.0
-python-multipart==0.0.20
+# FastAPI and web server (CVE-fixed versions)
+fastapi>=0.109.1,<1.0.0
+uvicorn[standard]>=0.20.0,<1.0.0
+starlette>=0.40.0,<1.0.0
+python-multipart>=0.0.9,<1.0.0
 
 # Security and authentication
-PyJWT[crypto]>=2.8.0  # Replaces python-jose - uses cryptography backend
-passlib[bcrypt]==1.7.4
-python-dotenv==1.0.0
+PyJWT[crypto]>=2.8.0,<3.0.0
+passlib[bcrypt]>=1.7.4,<2.0.0
+python-dotenv>=1.0.0,<2.0.0
 
-# Data validation
-pydantic==2.5.3
-pydantic-settings==2.1.0
-email-validator==2.1.0
+# Data validation (match core deps)
+pydantic>=2.0.0,<3.0.0
+pydantic-settings>=2.0.0,<3.0.0
+email-validator>=2.0.0,<3.0.0
 
 # Async support
-aiofiles==23.2.1
-
-# Database (for future use)
-# sqlalchemy==2.0.25
-# alembic==1.13.1
-
-# Testing
-pytest==7.4.4
-pytest-asyncio==0.23.3
-httpx==0.26.0
+aiofiles>=23.0.0,<24.0.0