docs: refresh portfolio docs

Author: Technical-1

.portfolio/architecture.md

@@ -189,6 +189,21 @@ Features like Docker, GitHub Actions, and VS Code settings are modular add-ons:
 - **Post-creation addition**: Features can be added to existing projects via `quickforge add`
 - **Independent templates**: Each feature has its own template set
 
+### 8. Context-Aware Escaping for Generated Code
+
+The Jinja2 environment runs with autoescaping disabled — correct for emitting code and config rather than HTML, but it shifts the responsibility for escaping onto the templates. Since a project's description and author name are free text, a stray quote, backslash, or brace would otherwise produce a broken `pyproject.toml` or unparsable Python file.
+
+I solved this with destination-specific filters in `generator.py` rather than blanket input sanitization:
+
+- `toml_escape` for TOML basic strings
+- `py_escape` for Python string and docstring literals
+- `fstring_escape` for f-string contexts (also doubles `{`/`}` so braces aren't read as replacement fields)
+- `github_slug` to reduce an author name to a URL-safe path segment
+
+This keeps user input verbatim where it's displayed and escapes it precisely where it's embedded, so the generated `pyproject.toml` round-trips the exact description while still parsing as valid TOML.
+
+A related concern is license metadata: PyPI trove classifiers use a controlled vocabulary that does not match SPDX identifiers (SPDX `Apache-2.0` is the classifier `Apache Software License`). `License.classifier` and `License.spdx_id` in `models.py` map each license to the correct value for both fields, and the non-SPDX `Proprietary` case is emitted as a `LicenseRef-` expression so the generated metadata is valid.
+
 ## Module Responsibilities
 
 | Module | Responsibility |

.portfolio/qa.md

@@ -41,6 +41,9 @@ Project creation is a linear pipeline (`validate -> create dirs -> render templa
 ### Conditional template rendering
 Templates are tagged by archetype and feature flags. `cli.py.j2` is rendered only for `--type cli`; the FastAPI router only for `--type api`; Docker, MkDocs, devcontainer files only when their flags are set. The generated tree contains only files the user actually asked for.
 
+### Context-aware escaping in a code generator
+Jinja2 autoescaping is built for HTML; for emitting TOML and Python it's the wrong default, so it's disabled — which means free-text fields (a project description, an author name) could otherwise inject a stray quote or brace and break the generated files. Rather than sanitizing input globally, I escape at the point of use with destination-specific filters in `src/quickforge/generator.py`: `toml_escape` for TOML strings, `py_escape` for Python literals and docstrings, and `fstring_escape` for f-string contexts (which additionally doubles braces so they aren't parsed as replacement fields). The result is that a description containing `"` and `{}` is preserved verbatim in `pyproject.toml` while the file still parses as valid TOML.
+
 ## Engineering Decisions
 
 ### tomlkit vs tomli for upgrades
@@ -81,6 +84,12 @@ One tool replaces three, with a single config block in `pyproject.toml` and subs
 ### Why basedpyright instead of mypy?
 basedpyright (a fork of pyright) is significantly faster, stricter by default, and produces clearer error messages with better editor integration. For new projects starting fresh, the stricter defaults catch bugs the day they're written.
 
+### What happens if my project description or author name contains quotes or braces?
+It's handled. Because the generator emits code and config (not HTML), free-text fields are escaped per destination — TOML strings, Python literals/docstrings, and f-strings each have their own escaping rule — so a description like `He said "hi" {now}` lands intact in `pyproject.toml` and the generated Python still compiles.
+
+### Which licenses generate a real LICENSE file?
+All six offered (MIT, Apache-2.0, GPL-3.0-only, BSD-3-Clause, Unlicense, Proprietary) emit a complete `LICENSE` file, and the project's PyPI trove classifier and SPDX expression are set to the correct values for the chosen license — including the `LicenseRef-` form for the non-SPDX Proprietary case.
+
 ### Can I customize the generated templates?
 Not at the moment — templates are bundled with the package. The intent is that the generated output is opinionated. If you need a different stack, fork the project or modify the generated files after creation.
 

.portfolio/stack.md

@@ -132,7 +132,7 @@ quickforge/
 │       ├── generator.py     # Project generation logic
 │       ├── auditor.py       # Project analysis
 │       ├── upgrader.py      # Migration logic
-│       └── templates/       # Jinja2 templates (18 files)
+│       └── templates/       # Jinja2 templates (22 files, incl. 6 license texts)
 ├── tests/
 │   ├── conftest.py          # pytest fixtures
 │   ├── test_cli.py          # CLI tests

README.md

@@ -41,6 +41,7 @@ That's it! Your project is ready with all the best practices built in.
 - ✅ VS Code settings optimized
 - ✅ Type checking enabled from day one
 - ✅ Test skeleton with pytest + coverage
+- ✅ Full-text `LICENSE` file for any of six licenses (MIT, Apache-2.0, GPL-3.0, BSD-3-Clause, Unlicense, Proprietary)
 
 ### 🔄 **Migration Tools**
 - Upgrade legacy projects to modern tooling
@@ -166,7 +167,7 @@ quickforge new myproject [OPTIONS]
 |--------|-------|-------------|
 | `--type` | `-t` | Project type: library, app, cli, api, script |
 | `--python` | `-p` | Python version: 3.11, 3.12, 3.13 |
-| `--license` | `-l` | License: MIT, Apache-2.0, GPL-3.0-only, BSD-3-Clause |
+| `--license` | `-l` | License: MIT, Apache-2.0, GPL-3.0-only, BSD-3-Clause, Unlicense, Proprietary |
 | `--author` | `-a` | Author name |
 | `--email` | `-e` | Author email |
 | `--output` | `-o` | Output directory |