@ahmed-g-gad/apothem 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (674) hide show
  1. package/CHANGELOG.md +60 -0
  2. package/LICENSE +21 -0
  3. package/LICENSES/MIT.txt +18 -0
  4. package/LICENSES/PSF-2.0.txt +47 -0
  5. package/README.md +549 -0
  6. package/bin/README.md +37 -0
  7. package/bin/apothem.mjs +78 -0
  8. package/package.json +75 -0
  9. package/pyproject.toml +347 -0
  10. package/src/apothem/README.md +52 -0
  11. package/src/apothem/__init__.py +66 -0
  12. package/src/apothem/__main__.py +28 -0
  13. package/src/apothem/_vendor/.keep +0 -0
  14. package/src/apothem/_vendor/__init__.py +25 -0
  15. package/src/apothem/_vendor/attr/__init__.py +104 -0
  16. package/src/apothem/_vendor/attr/__init__.pyi +389 -0
  17. package/src/apothem/_vendor/attr/_cmp.py +160 -0
  18. package/src/apothem/_vendor/attr/_cmp.pyi +13 -0
  19. package/src/apothem/_vendor/attr/_compat.py +99 -0
  20. package/src/apothem/_vendor/attr/_config.py +31 -0
  21. package/src/apothem/_vendor/attr/_funcs.py +497 -0
  22. package/src/apothem/_vendor/attr/_make.py +3406 -0
  23. package/src/apothem/_vendor/attr/_next_gen.py +674 -0
  24. package/src/apothem/_vendor/attr/_typing_compat.pyi +15 -0
  25. package/src/apothem/_vendor/attr/_version_info.py +89 -0
  26. package/src/apothem/_vendor/attr/_version_info.pyi +9 -0
  27. package/src/apothem/_vendor/attr/converters.py +162 -0
  28. package/src/apothem/_vendor/attr/converters.pyi +19 -0
  29. package/src/apothem/_vendor/attr/exceptions.py +95 -0
  30. package/src/apothem/_vendor/attr/exceptions.pyi +17 -0
  31. package/src/apothem/_vendor/attr/filters.py +72 -0
  32. package/src/apothem/_vendor/attr/filters.pyi +6 -0
  33. package/src/apothem/_vendor/attr/py.typed +0 -0
  34. package/src/apothem/_vendor/attr/setters.py +79 -0
  35. package/src/apothem/_vendor/attr/setters.pyi +20 -0
  36. package/src/apothem/_vendor/attr/validators.py +750 -0
  37. package/src/apothem/_vendor/attr/validators.pyi +140 -0
  38. package/src/apothem/_vendor/attr.LICENSE +21 -0
  39. package/src/apothem/_vendor/attrs/__init__.py +72 -0
  40. package/src/apothem/_vendor/attrs/__init__.pyi +314 -0
  41. package/src/apothem/_vendor/attrs/converters.py +3 -0
  42. package/src/apothem/_vendor/attrs/exceptions.py +3 -0
  43. package/src/apothem/_vendor/attrs/filters.py +3 -0
  44. package/src/apothem/_vendor/attrs/py.typed +0 -0
  45. package/src/apothem/_vendor/attrs/setters.py +3 -0
  46. package/src/apothem/_vendor/attrs/validators.py +3 -0
  47. package/src/apothem/_vendor/attrs.LICENSE +21 -0
  48. package/src/apothem/_vendor/jsonschema/__init__.py +120 -0
  49. package/src/apothem/_vendor/jsonschema/__main__.py +6 -0
  50. package/src/apothem/_vendor/jsonschema/_format.py +546 -0
  51. package/src/apothem/_vendor/jsonschema/_keywords.py +449 -0
  52. package/src/apothem/_vendor/jsonschema/_legacy_keywords.py +449 -0
  53. package/src/apothem/_vendor/jsonschema/_types.py +204 -0
  54. package/src/apothem/_vendor/jsonschema/_typing.py +29 -0
  55. package/src/apothem/_vendor/jsonschema/_utils.py +355 -0
  56. package/src/apothem/_vendor/jsonschema/benchmarks/__init__.py +5 -0
  57. package/src/apothem/_vendor/jsonschema/benchmarks/const_vs_enum.py +30 -0
  58. package/src/apothem/_vendor/jsonschema/benchmarks/contains.py +28 -0
  59. package/src/apothem/_vendor/jsonschema/benchmarks/import_benchmark.py +31 -0
  60. package/src/apothem/_vendor/jsonschema/benchmarks/issue232/issue.json +2653 -0
  61. package/src/apothem/_vendor/jsonschema/benchmarks/issue232.py +25 -0
  62. package/src/apothem/_vendor/jsonschema/benchmarks/json_schema_test_suite.py +12 -0
  63. package/src/apothem/_vendor/jsonschema/benchmarks/nested_schemas.py +56 -0
  64. package/src/apothem/_vendor/jsonschema/benchmarks/subcomponents.py +42 -0
  65. package/src/apothem/_vendor/jsonschema/benchmarks/unused_registry.py +35 -0
  66. package/src/apothem/_vendor/jsonschema/benchmarks/useless_applicator_schemas.py +106 -0
  67. package/src/apothem/_vendor/jsonschema/benchmarks/useless_keywords.py +32 -0
  68. package/src/apothem/_vendor/jsonschema/benchmarks/validator_creation.py +14 -0
  69. package/src/apothem/_vendor/jsonschema/cli.py +292 -0
  70. package/src/apothem/_vendor/jsonschema/exceptions.py +490 -0
  71. package/src/apothem/_vendor/jsonschema/protocols.py +230 -0
  72. package/src/apothem/_vendor/jsonschema/validators.py +1410 -0
  73. package/src/apothem/_vendor/jsonschema.LICENSE +19 -0
  74. package/src/apothem/_vendor/jsonschema_specifications/__init__.py +12 -0
  75. package/src/apothem/_vendor/jsonschema_specifications/_core.py +38 -0
  76. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/metaschema.json +42 -0
  77. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/applicator +56 -0
  78. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/content +17 -0
  79. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/core +57 -0
  80. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/format +14 -0
  81. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/meta-data +37 -0
  82. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/validation +98 -0
  83. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/metaschema.json +58 -0
  84. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/applicator +48 -0
  85. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/content +17 -0
  86. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/core +51 -0
  87. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/format-annotation +14 -0
  88. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/format-assertion +14 -0
  89. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/meta-data +37 -0
  90. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/unevaluated +15 -0
  91. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/validation +98 -0
  92. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft3/metaschema.json +172 -0
  93. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft4/metaschema.json +149 -0
  94. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft6/metaschema.json +153 -0
  95. package/src/apothem/_vendor/jsonschema_specifications/schemas/draft7/metaschema.json +166 -0
  96. package/src/apothem/_vendor/jsonschema_specifications.LICENSE +19 -0
  97. package/src/apothem/_vendor/referencing/__init__.py +7 -0
  98. package/src/apothem/_vendor/referencing/_attrs.py +31 -0
  99. package/src/apothem/_vendor/referencing/_attrs.pyi +21 -0
  100. package/src/apothem/_vendor/referencing/_core.py +739 -0
  101. package/src/apothem/_vendor/referencing/exceptions.py +165 -0
  102. package/src/apothem/_vendor/referencing/jsonschema.py +642 -0
  103. package/src/apothem/_vendor/referencing/py.typed +0 -0
  104. package/src/apothem/_vendor/referencing/retrieval.py +94 -0
  105. package/src/apothem/_vendor/referencing/typing.py +61 -0
  106. package/src/apothem/_vendor/referencing.LICENSE +19 -0
  107. package/src/apothem/_vendor/rpds/__init__.py +251 -0
  108. package/src/apothem/_vendor/typing_extensions.LICENSE +279 -0
  109. package/src/apothem/_vendor/typing_extensions.py +4317 -0
  110. package/src/apothem/_vendor/vendor.txt +22 -0
  111. package/src/apothem/_vendor/yaml/__init__.py +389 -0
  112. package/src/apothem/_vendor/yaml/composer.py +138 -0
  113. package/src/apothem/_vendor/yaml/constructor.py +748 -0
  114. package/src/apothem/_vendor/yaml/cyaml.py +100 -0
  115. package/src/apothem/_vendor/yaml/dumper.py +61 -0
  116. package/src/apothem/_vendor/yaml/emitter.py +1137 -0
  117. package/src/apothem/_vendor/yaml/error.py +74 -0
  118. package/src/apothem/_vendor/yaml/events.py +85 -0
  119. package/src/apothem/_vendor/yaml/loader.py +63 -0
  120. package/src/apothem/_vendor/yaml/nodes.py +48 -0
  121. package/src/apothem/_vendor/yaml/parser.py +588 -0
  122. package/src/apothem/_vendor/yaml/reader.py +185 -0
  123. package/src/apothem/_vendor/yaml/representer.py +388 -0
  124. package/src/apothem/_vendor/yaml/resolver.py +226 -0
  125. package/src/apothem/_vendor/yaml/scanner.py +1435 -0
  126. package/src/apothem/_vendor/yaml/serializer.py +110 -0
  127. package/src/apothem/_vendor/yaml/tokens.py +103 -0
  128. package/src/apothem/_vendor/yaml.LICENSE +20 -0
  129. package/src/apothem/agents/README.md +60 -0
  130. package/src/apothem/agents/codebase-explorer.md +91 -0
  131. package/src/apothem/agents/convention-auditor.md +93 -0
  132. package/src/apothem/agents/dependency-auditor.md +97 -0
  133. package/src/apothem/agents/fact-checker.md +84 -0
  134. package/src/apothem/agents/mcp-builder.md +86 -0
  135. package/src/apothem/agents/memory-auditor.md +93 -0
  136. package/src/apothem/agents/prompt-evaluator.md +87 -0
  137. package/src/apothem/agents/quality-gate.md +103 -0
  138. package/src/apothem/agents/refactor-surgeon.md +74 -0
  139. package/src/apothem/agents/research-scout.md +73 -0
  140. package/src/apothem/agents/security-scanner.md +83 -0
  141. package/src/apothem/agents/test-runner.md +84 -0
  142. package/src/apothem/audit/README.md +73 -0
  143. package/src/apothem/audit/_scan_lib.py +182 -0
  144. package/src/apothem/audit/analyze_graph.py +260 -0
  145. package/src/apothem/audit/build_capability_graph.py +607 -0
  146. package/src/apothem/audit/build_inventory.py +657 -0
  147. package/src/apothem/audit/build_plans_provenance.py +997 -0
  148. package/src/apothem/audit/check_links.py +389 -0
  149. package/src/apothem/audit/classify_artifacts.py +381 -0
  150. package/src/apothem/audit/deprecated-tokens.txt +10 -0
  151. package/src/apothem/audit/execute_plans_migration.py +491 -0
  152. package/src/apothem/audit/known-projects.txt +15 -0
  153. package/src/apothem/audit/render_capability_index.py +467 -0
  154. package/src/apothem/audit/render_inventory.py +405 -0
  155. package/src/apothem/audit/scan_ai_surfaces.py +1125 -0
  156. package/src/apothem/audit/scan_ai_surfaces_coarse.py +261 -0
  157. package/src/apothem/audit/scan_drift_features.py +143 -0
  158. package/src/apothem/audit/scan_frontmatter.py +293 -0
  159. package/src/apothem/audit/scan_header_coverage.py +1134 -0
  160. package/src/apothem/audit/scan_plan_leakage.py +540 -0
  161. package/src/apothem/audit/scan_plans_discipline.py +188 -0
  162. package/src/apothem/audit/scan_secrets_pii.py +245 -0
  163. package/src/apothem/audit/scan_stale_tokens.py +296 -0
  164. package/src/apothem/audit/synthesize_drift.py +205 -0
  165. package/src/apothem/benchmarks/README.md +33 -0
  166. package/src/apothem/benchmarks/__init__.py +3 -0
  167. package/src/apothem/benchmarks/bench_agents.py +63 -0
  168. package/src/apothem/benchmarks/bench_hooks.py +93 -0
  169. package/src/apothem/benchmarks/bench_install.py +58 -0
  170. package/src/apothem/benchmarks/bench_tests.py +93 -0
  171. package/src/apothem/benchmarks/bench_validate_ecosystem.py +84 -0
  172. package/src/apothem/cli/README.md +33 -0
  173. package/src/apothem/cli/__init__.py +229 -0
  174. package/src/apothem/cli/_cmd_completion.py +88 -0
  175. package/src/apothem/cli/_cmd_diff.py +181 -0
  176. package/src/apothem/cli/_cmd_doctor.py +143 -0
  177. package/src/apothem/cli/_cmd_harnesses.py +167 -0
  178. package/src/apothem/cli/_cmd_install.py +327 -0
  179. package/src/apothem/cli/_cmd_migrate_workspace.py +143 -0
  180. package/src/apothem/cli/_cmd_profile.py +341 -0
  181. package/src/apothem/cli/_cmd_status.py +180 -0
  182. package/src/apothem/cli/_cmd_uninstall.py +215 -0
  183. package/src/apothem/cli/_cmd_update.py +397 -0
  184. package/src/apothem/cli/_cmd_verify.py +194 -0
  185. package/src/apothem/cli/_common_flags.py +90 -0
  186. package/src/apothem/cli/_epilogs.py +296 -0
  187. package/src/apothem/cli/_helpers.py +857 -0
  188. package/src/apothem/cli/_json_formatter.py +21 -0
  189. package/src/apothem/cli/_materialize.py +376 -0
  190. package/src/apothem/cli/completions/apothem.bash +30 -0
  191. package/src/apothem/cli/completions/apothem.fish +19 -0
  192. package/src/apothem/cli/completions/apothem.ps1 +27 -0
  193. package/src/apothem/cli/completions/apothem.zsh +42 -0
  194. package/src/apothem/cli/reference_export.py +126 -0
  195. package/src/apothem/commands/README.md +125 -0
  196. package/src/apothem/commands/a11y-audit.md +203 -0
  197. package/src/apothem/commands/architecture-review.md +194 -0
  198. package/src/apothem/commands/audit.md +165 -0
  199. package/src/apothem/commands/code-audit.md +218 -0
  200. package/src/apothem/commands/code-review.md +193 -0
  201. package/src/apothem/commands/dependency-audit.md +209 -0
  202. package/src/apothem/commands/docs-review.md +199 -0
  203. package/src/apothem/commands/elevate.md +285 -0
  204. package/src/apothem/commands/eval.md +149 -0
  205. package/src/apothem/commands/fortress.md +172 -0
  206. package/src/apothem/commands/freshify.md +168 -0
  207. package/src/apothem/commands/github-deploy-fresh.md +178 -0
  208. package/src/apothem/commands/github-deploy-next.md +167 -0
  209. package/src/apothem/commands/perf-audit.md +198 -0
  210. package/src/apothem/commands/plan-amend.md +104 -0
  211. package/src/apothem/commands/plan-audit.md +127 -0
  212. package/src/apothem/commands/plan-design.md +257 -0
  213. package/src/apothem/commands/plan-execute.md +495 -0
  214. package/src/apothem/commands/plan-generate.md +351 -0
  215. package/src/apothem/commands/plan-review.md +555 -0
  216. package/src/apothem/commands/plan-spec.md +359 -0
  217. package/src/apothem/commands/plan-status.md +222 -0
  218. package/src/apothem/commands/plan.md +173 -0
  219. package/src/apothem/commands/projectify.md +142 -0
  220. package/src/apothem/commands/release-readiness.md +142 -0
  221. package/src/apothem/commands/research-analysis.md +241 -0
  222. package/src/apothem/commands/research-design.md +231 -0
  223. package/src/apothem/commands/research-disseminate.md +225 -0
  224. package/src/apothem/commands/research-experiment.md +232 -0
  225. package/src/apothem/commands/research-ideate.md +213 -0
  226. package/src/apothem/commands/research-paper.md +252 -0
  227. package/src/apothem/commands/research-proposal.md +220 -0
  228. package/src/apothem/commands/research-publish.md +255 -0
  229. package/src/apothem/commands/research-review.md +251 -0
  230. package/src/apothem/commands/research-sources.md +266 -0
  231. package/src/apothem/commands/research-spec.md +255 -0
  232. package/src/apothem/commands/research-synthesis.md +233 -0
  233. package/src/apothem/commands/research-theory.md +218 -0
  234. package/src/apothem/commands/research.md +181 -0
  235. package/src/apothem/commands/security-audit.md +196 -0
  236. package/src/apothem/commands/supply-chain-audit.md +192 -0
  237. package/src/apothem/commands/test-suite.md +146 -0
  238. package/src/apothem/commands/threat-model-audit.md +199 -0
  239. package/src/apothem/commands/ux-review.md +202 -0
  240. package/src/apothem/commands/workflow.md +162 -0
  241. package/src/apothem/conformity/README.md +173 -0
  242. package/src/apothem/conformity/__init__.py +1 -0
  243. package/src/apothem/conformity/_grep_base.py +93 -0
  244. package/src/apothem/conformity/agent_capability_grep.py +306 -0
  245. package/src/apothem/conformity/agents_md_coverage_grep.py +382 -0
  246. package/src/apothem/conformity/agnosticism_grep.py +311 -0
  247. package/src/apothem/conformity/always_on_budget_grep.py +318 -0
  248. package/src/apothem/conformity/bare_except_grep.py +115 -0
  249. package/src/apothem/conformity/binding_reciprocity_grep.py +151 -0
  250. package/src/apothem/conformity/brand_mark_grep.py +272 -0
  251. package/src/apothem/conformity/commented_out_code_grep.py +176 -0
  252. package/src/apothem/conformity/completion_claim_grep.py +169 -0
  253. package/src/apothem/conformity/conventional_commit_grep.py +319 -0
  254. package/src/apothem/conformity/copilot_instructions_presence_grep.py +324 -0
  255. package/src/apothem/conformity/cross_platform_matrix_grep.py +297 -0
  256. package/src/apothem/conformity/determinism_grep.py +306 -0
  257. package/src/apothem/conformity/diagram_staleness_grep.py +154 -0
  258. package/src/apothem/conformity/dynamism_grep.py +284 -0
  259. package/src/apothem/conformity/editorconfig_presence_grep.py +281 -0
  260. package/src/apothem/conformity/file_header_grep.py +502 -0
  261. package/src/apothem/conformity/freshness_token_grep.py +233 -0
  262. package/src/apothem/conformity/frontmatter_grep.py +274 -0
  263. package/src/apothem/conformity/frontmatter_value_grep.py +386 -0
  264. package/src/apothem/conformity/gate.py +1386 -0
  265. package/src/apothem/conformity/gitattributes_presence_grep.py +238 -0
  266. package/src/apothem/conformity/harden_runner_grep.py +320 -0
  267. package/src/apothem/conformity/hedging_grep.py +129 -0
  268. package/src/apothem/conformity/license_author_consistency_grep.py +204 -0
  269. package/src/apothem/conformity/link_check.py +327 -0
  270. package/src/apothem/conformity/magic_number_grep.py +182 -0
  271. package/src/apothem/conformity/multi_surface_coherence_grep.py +620 -0
  272. package/src/apothem/conformity/naming_grep.py +224 -0
  273. package/src/apothem/conformity/no_global_plans_grep.py +339 -0
  274. package/src/apothem/conformity/no_toplevel_docs_grep.py +120 -0
  275. package/src/apothem/conformity/oidc_trusted_publishing_grep.py +291 -0
  276. package/src/apothem/conformity/option_annotation_grep.py +352 -0
  277. package/src/apothem/conformity/orphan_output_grep.py +206 -0
  278. package/src/apothem/conformity/permissions_minimum_scope_grep.py +299 -0
  279. package/src/apothem/conformity/plain_language_grep.py +559 -0
  280. package/src/apothem/conformity/plan_next_step_consistency_grep.py +450 -0
  281. package/src/apothem/conformity/plan_suite_structure_grep.py +534 -0
  282. package/src/apothem/conformity/plans_discipline_language_grep.py +245 -0
  283. package/src/apothem/conformity/production_ready_pr_grep.py +200 -0
  284. package/src/apothem/conformity/recommend_next_step_grep.py +250 -0
  285. package/src/apothem/conformity/redundancy_grep.py +401 -0
  286. package/src/apothem/conformity/reference_token_grep.py +230 -0
  287. package/src/apothem/conformity/registry_capability_consistency_grep.py +368 -0
  288. package/src/apothem/conformity/secret_leak_grep.py +193 -0
  289. package/src/apothem/conformity/semver_stability_grep.py +358 -0
  290. package/src/apothem/conformity/smoke_install_grep.py +194 -0
  291. package/src/apothem/conformity/static_version_grep.py +284 -0
  292. package/src/apothem/conformity/token_efficiency_grep.py +185 -0
  293. package/src/apothem/conformity/unpinned_action_grep.py +115 -0
  294. package/src/apothem/conformity/user_confirm_grep.py +74 -0
  295. package/src/apothem/conformity/workflow_concurrency_grep.py +283 -0
  296. package/src/apothem/harnesses/README.md +63 -0
  297. package/src/apothem/harnesses/__init__.py +16 -0
  298. package/src/apothem/harnesses/_shared/README.md +36 -0
  299. package/src/apothem/harnesses/_shared/__init__.py +12 -0
  300. package/src/apothem/harnesses/_shared/install_driver.py +281 -0
  301. package/src/apothem/harnesses/_shared/install_driver_apply.py +612 -0
  302. package/src/apothem/harnesses/_shared/install_driver_backup.py +535 -0
  303. package/src/apothem/harnesses/_shared/install_driver_converters.py +310 -0
  304. package/src/apothem/harnesses/_shared/install_driver_lifecycle.py +495 -0
  305. package/src/apothem/harnesses/_shared/install_driver_materialize.py +675 -0
  306. package/src/apothem/harnesses/_shared/install_driver_merge.py +656 -0
  307. package/src/apothem/harnesses/_shared/install_driver_pathsafety.py +137 -0
  308. package/src/apothem/harnesses/_shared/install_driver_planvalidation.py +240 -0
  309. package/src/apothem/harnesses/_shared/install_driver_removal.py +366 -0
  310. package/src/apothem/harnesses/_shared/install_driver_treeops.py +248 -0
  311. package/src/apothem/harnesses/_shared/install_driver_types.py +330 -0
  312. package/src/apothem/harnesses/_shared/wrapper_factories.py +448 -0
  313. package/src/apothem/harnesses/antigravity/STANDARD-CONVENTION-PIN.md +91 -0
  314. package/src/apothem/harnesses/antigravity/__init__.py +70 -0
  315. package/src/apothem/harnesses/antigravity/capabilities.yml +40 -0
  316. package/src/apothem/harnesses/antigravity/install.py +63 -0
  317. package/src/apothem/harnesses/antigravity/templates/GEMINI.md +40 -0
  318. package/src/apothem/harnesses/antigravity/templates/plugin.json +5 -0
  319. package/src/apothem/harnesses/antigravity/uninstall.py +22 -0
  320. package/src/apothem/harnesses/antigravity/update.py +10 -0
  321. package/src/apothem/harnesses/antigravity/verify.py +11 -0
  322. package/src/apothem/harnesses/claude_code/STANDARD-CONVENTION-PIN.md +65 -0
  323. package/src/apothem/harnesses/claude_code/__init__.py +107 -0
  324. package/src/apothem/harnesses/claude_code/capabilities.yml +42 -0
  325. package/src/apothem/harnesses/claude_code/install.py +147 -0
  326. package/src/apothem/harnesses/claude_code/templates/settings.json +351 -0
  327. package/src/apothem/harnesses/claude_code/uninstall.py +23 -0
  328. package/src/apothem/harnesses/claude_code/update.py +10 -0
  329. package/src/apothem/harnesses/claude_code/verify.py +11 -0
  330. package/src/apothem/harnesses/codebuddy/STANDARD-CONVENTION-PIN.md +74 -0
  331. package/src/apothem/harnesses/codebuddy/__init__.py +49 -0
  332. package/src/apothem/harnesses/codebuddy/capabilities.yml +34 -0
  333. package/src/apothem/harnesses/codebuddy/install.py +40 -0
  334. package/src/apothem/harnesses/codebuddy/templates/apothem-rules.md +37 -0
  335. package/src/apothem/harnesses/codebuddy/uninstall.py +25 -0
  336. package/src/apothem/harnesses/codebuddy/update.py +10 -0
  337. package/src/apothem/harnesses/codebuddy/verify.py +11 -0
  338. package/src/apothem/harnesses/codex/STANDARD-CONVENTION-PIN.md +79 -0
  339. package/src/apothem/harnesses/codex/__init__.py +72 -0
  340. package/src/apothem/harnesses/codex/capabilities.yml +40 -0
  341. package/src/apothem/harnesses/codex/install.py +69 -0
  342. package/src/apothem/harnesses/codex/templates/AGENTS.md +40 -0
  343. package/src/apothem/harnesses/codex/templates/hooks.json +127 -0
  344. package/src/apothem/harnesses/codex/uninstall.py +23 -0
  345. package/src/apothem/harnesses/codex/update.py +10 -0
  346. package/src/apothem/harnesses/codex/verify.py +11 -0
  347. package/src/apothem/harnesses/cursor/STANDARD-CONVENTION-PIN.md +79 -0
  348. package/src/apothem/harnesses/cursor/__init__.py +48 -0
  349. package/src/apothem/harnesses/cursor/capabilities.yml +42 -0
  350. package/src/apothem/harnesses/cursor/install.py +38 -0
  351. package/src/apothem/harnesses/cursor/templates/apothem-rules.mdc +40 -0
  352. package/src/apothem/harnesses/cursor/uninstall.py +25 -0
  353. package/src/apothem/harnesses/cursor/update.py +10 -0
  354. package/src/apothem/harnesses/cursor/verify.py +11 -0
  355. package/src/apothem/harnesses/gemini_cli/STANDARD-CONVENTION-PIN.md +102 -0
  356. package/src/apothem/harnesses/gemini_cli/__init__.py +52 -0
  357. package/src/apothem/harnesses/gemini_cli/capabilities.yml +43 -0
  358. package/src/apothem/harnesses/gemini_cli/install.py +43 -0
  359. package/src/apothem/harnesses/gemini_cli/templates/GEMINI.md +38 -0
  360. package/src/apothem/harnesses/gemini_cli/uninstall.py +25 -0
  361. package/src/apothem/harnesses/gemini_cli/update.py +10 -0
  362. package/src/apothem/harnesses/gemini_cli/verify.py +11 -0
  363. package/src/apothem/harnesses/github_copilot/STANDARD-CONVENTION-PIN.md +84 -0
  364. package/src/apothem/harnesses/github_copilot/__init__.py +47 -0
  365. package/src/apothem/harnesses/github_copilot/capabilities.yml +42 -0
  366. package/src/apothem/harnesses/github_copilot/install.py +40 -0
  367. package/src/apothem/harnesses/github_copilot/templates/copilot-instructions.md +33 -0
  368. package/src/apothem/harnesses/github_copilot/uninstall.py +25 -0
  369. package/src/apothem/harnesses/github_copilot/update.py +10 -0
  370. package/src/apothem/harnesses/github_copilot/verify.py +11 -0
  371. package/src/apothem/harnesses/glm/STANDARD-CONVENTION-PIN.md +77 -0
  372. package/src/apothem/harnesses/glm/__init__.py +56 -0
  373. package/src/apothem/harnesses/glm/capabilities.yml +33 -0
  374. package/src/apothem/harnesses/glm/install.py +45 -0
  375. package/src/apothem/harnesses/glm/templates/glm.toml +58 -0
  376. package/src/apothem/harnesses/glm/uninstall.py +25 -0
  377. package/src/apothem/harnesses/glm/update.py +10 -0
  378. package/src/apothem/harnesses/glm/verify.py +11 -0
  379. package/src/apothem/harnesses/hermes/STANDARD-CONVENTION-PIN.md +57 -0
  380. package/src/apothem/harnesses/hermes/__init__.py +33 -0
  381. package/src/apothem/harnesses/hermes/capabilities.yml +36 -0
  382. package/src/apothem/harnesses/hermes/install.py +17 -0
  383. package/src/apothem/harnesses/hermes/materializer.py +35 -0
  384. package/src/apothem/harnesses/hermes/uninstall.py +33 -0
  385. package/src/apothem/harnesses/hermes/update.py +10 -0
  386. package/src/apothem/harnesses/hermes/verify.py +11 -0
  387. package/src/apothem/harnesses/kimi_code/STANDARD-CONVENTION-PIN.md +128 -0
  388. package/src/apothem/harnesses/kimi_code/__init__.py +59 -0
  389. package/src/apothem/harnesses/kimi_code/capabilities.yml +40 -0
  390. package/src/apothem/harnesses/kimi_code/install.py +42 -0
  391. package/src/apothem/harnesses/kimi_code/templates/AGENTS.md +43 -0
  392. package/src/apothem/harnesses/kimi_code/uninstall.py +27 -0
  393. package/src/apothem/harnesses/kimi_code/update.py +10 -0
  394. package/src/apothem/harnesses/kimi_code/verify.py +11 -0
  395. package/src/apothem/harnesses/kiro/STANDARD-CONVENTION-PIN.md +77 -0
  396. package/src/apothem/harnesses/kiro/__init__.py +49 -0
  397. package/src/apothem/harnesses/kiro/capabilities.yml +36 -0
  398. package/src/apothem/harnesses/kiro/install.py +39 -0
  399. package/src/apothem/harnesses/kiro/templates/apothem-rules.md +36 -0
  400. package/src/apothem/harnesses/kiro/uninstall.py +25 -0
  401. package/src/apothem/harnesses/kiro/update.py +10 -0
  402. package/src/apothem/harnesses/kiro/verify.py +11 -0
  403. package/src/apothem/harnesses/open_claw/STANDARD-CONVENTION-PIN.md +62 -0
  404. package/src/apothem/harnesses/open_claw/__init__.py +35 -0
  405. package/src/apothem/harnesses/open_claw/capabilities.yml +35 -0
  406. package/src/apothem/harnesses/open_claw/install.py +17 -0
  407. package/src/apothem/harnesses/open_claw/materializer.py +36 -0
  408. package/src/apothem/harnesses/open_claw/uninstall.py +32 -0
  409. package/src/apothem/harnesses/open_claw/update.py +10 -0
  410. package/src/apothem/harnesses/open_claw/verify.py +11 -0
  411. package/src/apothem/harnesses/opencode/STANDARD-CONVENTION-PIN.md +76 -0
  412. package/src/apothem/harnesses/opencode/__init__.py +35 -0
  413. package/src/apothem/harnesses/opencode/capabilities.yml +43 -0
  414. package/src/apothem/harnesses/opencode/install.py +17 -0
  415. package/src/apothem/harnesses/opencode/materializer.py +31 -0
  416. package/src/apothem/harnesses/opencode/uninstall.py +34 -0
  417. package/src/apothem/harnesses/opencode/update.py +10 -0
  418. package/src/apothem/harnesses/opencode/verify.py +11 -0
  419. package/src/apothem/harnesses/qwen_code/STANDARD-CONVENTION-PIN.md +87 -0
  420. package/src/apothem/harnesses/qwen_code/__init__.py +37 -0
  421. package/src/apothem/harnesses/qwen_code/capabilities.yml +43 -0
  422. package/src/apothem/harnesses/qwen_code/install.py +19 -0
  423. package/src/apothem/harnesses/qwen_code/materializer.py +174 -0
  424. package/src/apothem/harnesses/qwen_code/templates/QWEN.md +30 -0
  425. package/src/apothem/harnesses/qwen_code/uninstall.py +34 -0
  426. package/src/apothem/harnesses/qwen_code/update.py +10 -0
  427. package/src/apothem/harnesses/qwen_code/verify.py +11 -0
  428. package/src/apothem/harnesses/trae/STANDARD-CONVENTION-PIN.md +70 -0
  429. package/src/apothem/harnesses/trae/__init__.py +49 -0
  430. package/src/apothem/harnesses/trae/capabilities.yml +34 -0
  431. package/src/apothem/harnesses/trae/install.py +38 -0
  432. package/src/apothem/harnesses/trae/templates/apothem-rules.md +37 -0
  433. package/src/apothem/harnesses/trae/uninstall.py +25 -0
  434. package/src/apothem/harnesses/trae/update.py +10 -0
  435. package/src/apothem/harnesses/trae/verify.py +11 -0
  436. package/src/apothem/harnesses/windsurf/STANDARD-CONVENTION-PIN.md +91 -0
  437. package/src/apothem/harnesses/windsurf/__init__.py +52 -0
  438. package/src/apothem/harnesses/windsurf/capabilities.yml +40 -0
  439. package/src/apothem/harnesses/windsurf/install.py +41 -0
  440. package/src/apothem/harnesses/windsurf/templates/apothem-rules.md +37 -0
  441. package/src/apothem/harnesses/windsurf/uninstall.py +25 -0
  442. package/src/apothem/harnesses/windsurf/update.py +10 -0
  443. package/src/apothem/harnesses/windsurf/verify.py +11 -0
  444. package/src/apothem/harnesses/zed/STANDARD-CONVENTION-PIN.md +92 -0
  445. package/src/apothem/harnesses/zed/__init__.py +57 -0
  446. package/src/apothem/harnesses/zed/capabilities.yml +38 -0
  447. package/src/apothem/harnesses/zed/install.py +41 -0
  448. package/src/apothem/harnesses/zed/templates/apothem-rules.md +32 -0
  449. package/src/apothem/harnesses/zed/uninstall.py +28 -0
  450. package/src/apothem/harnesses/zed/update.py +10 -0
  451. package/src/apothem/harnesses/zed/verify.py +11 -0
  452. package/src/apothem/hooks/README.md +81 -0
  453. package/src/apothem/hooks/__init__.py +24 -0
  454. package/src/apothem/hooks/askuserquestion_validator.py +380 -0
  455. package/src/apothem/hooks/dispatch.py +296 -0
  456. package/src/apothem/hooks/emit_hook_context.py +444 -0
  457. package/src/apothem/hooks/hooks.json +318 -0
  458. package/src/apothem/hooks/lib/README.md +39 -0
  459. package/src/apothem/hooks/lib/__init__.py +18 -0
  460. package/src/apothem/hooks/lib/bootstrap.ps1 +129 -0
  461. package/src/apothem/hooks/lib/bootstrap.sh +103 -0
  462. package/src/apothem/hooks/lib/events.py +51 -0
  463. package/src/apothem/hooks/lib/find-pwsh.ps1 +78 -0
  464. package/src/apothem/hooks/lib/find-pwsh.sh +76 -0
  465. package/src/apothem/hooks/lib/find-python.ps1 +63 -0
  466. package/src/apothem/hooks/lib/find-python.sh +97 -0
  467. package/src/apothem/hooks/lib/log.py +43 -0
  468. package/src/apothem/hooks/lib/resolve_root.py +264 -0
  469. package/src/apothem/hooks/messages/postcompact.md +14 -0
  470. package/src/apothem/hooks/messages/posttooluse-proactive-compaction.md +46 -0
  471. package/src/apothem/hooks/messages/precompact.md +14 -0
  472. package/src/apothem/hooks/messages/pretooluse-askuserquestion-recommended.md +65 -0
  473. package/src/apothem/hooks/messages/pretooluse-bash-plan-guard.md +97 -0
  474. package/src/apothem/hooks/messages/pretooluse-bash.md +39 -0
  475. package/src/apothem/hooks/messages/pretooluse-conformity.md +70 -0
  476. package/src/apothem/hooks/messages/pretooluse-dependency-guard.md +21 -0
  477. package/src/apothem/hooks/messages/pretooluse-edit-header-guard.md +61 -0
  478. package/src/apothem/hooks/messages/pretooluse-edit.md +21 -0
  479. package/src/apothem/hooks/messages/pretooluse-eval-guard.md +39 -0
  480. package/src/apothem/hooks/messages/pretooluse-notebookedit.md +11 -0
  481. package/src/apothem/hooks/messages/pretooluse-write-header-guard.md +45 -0
  482. package/src/apothem/hooks/messages/pretooluse-write-plan-guard.md +72 -0
  483. package/src/apothem/hooks/messages/pretooluse-write.md +21 -0
  484. package/src/apothem/hooks/messages/sessionstart.md +15 -0
  485. package/src/apothem/hooks/messages/stop.md +27 -0
  486. package/src/apothem/hooks/proactive_compaction_tracker.py +327 -0
  487. package/src/apothem/hooks/session_start_bootstrap.py +472 -0
  488. package/src/apothem/lib/README.md +42 -0
  489. package/src/apothem/lib/__init__.py +13 -0
  490. package/src/apothem/lib/atomic_io.py +189 -0
  491. package/src/apothem/lib/auditor.py +687 -0
  492. package/src/apothem/lib/clean_slate.py +396 -0
  493. package/src/apothem/lib/contexts.py +352 -0
  494. package/src/apothem/lib/data_home.py +255 -0
  495. package/src/apothem/lib/frontmatter.py +101 -0
  496. package/src/apothem/lib/harness_materializer.py +213 -0
  497. package/src/apothem/lib/harness_protocol.py +59 -0
  498. package/src/apothem/lib/harness_registry.py +282 -0
  499. package/src/apothem/lib/harness_registry_data.py +843 -0
  500. package/src/apothem/lib/install_ledger.py +347 -0
  501. package/src/apothem/lib/learning.py +540 -0
  502. package/src/apothem/lib/memory.py +347 -0
  503. package/src/apothem/lib/parallel_sweep.py +234 -0
  504. package/src/apothem/lib/plan_tiers.py +200 -0
  505. package/src/apothem/lib/plugin_bootstrap.py +132 -0
  506. package/src/apothem/lib/plugin_tree.py +599 -0
  507. package/src/apothem/lib/profile.py +755 -0
  508. package/src/apothem/lib/profile_projection.py +198 -0
  509. package/src/apothem/lib/propagation-manifest.yaml +878 -0
  510. package/src/apothem/lib/propagation.py +220 -0
  511. package/src/apothem/lib/python_resolver.py +189 -0
  512. package/src/apothem/lib/reporter.py +62 -0
  513. package/src/apothem/lib/workspace_migration.py +323 -0
  514. package/src/apothem/output-styles/README.md +41 -0
  515. package/src/apothem/output-styles/concise-engineer.md +49 -0
  516. package/src/apothem/output-styles/default-architect.md +52 -0
  517. package/src/apothem/output-styles/default.md +113 -0
  518. package/src/apothem/output-styles/forensic-auditor.md +63 -0
  519. package/src/apothem/py.typed +0 -0
  520. package/src/apothem/rules/README.md +121 -0
  521. package/src/apothem/rules/agent-capability-discipline-matrix.md +89 -0
  522. package/src/apothem/rules/agent-capability-discipline.md +78 -0
  523. package/src/apothem/rules/agent-orchestration-patterns.md +144 -0
  524. package/src/apothem/rules/agent-orchestration.md +65 -0
  525. package/src/apothem/rules/agents-md-convention.md +86 -0
  526. package/src/apothem/rules/agile-sprints-elements.md +135 -0
  527. package/src/apothem/rules/agile-sprints.md +64 -0
  528. package/src/apothem/rules/agnostic-posture-checklist.md +47 -0
  529. package/src/apothem/rules/agnostic-posture.md +48 -0
  530. package/src/apothem/rules/authoritative-referencing-quotation.md +50 -0
  531. package/src/apothem/rules/authoritative-referencing.md +66 -0
  532. package/src/apothem/rules/authority-inquiry-categories.md +58 -0
  533. package/src/apothem/rules/authority-inquiry.md +54 -0
  534. package/src/apothem/rules/auto-memory-topic-files.md +86 -0
  535. package/src/apothem/rules/auto-memory.md +67 -0
  536. package/src/apothem/rules/bidirectional-binding.md +123 -0
  537. package/src/apothem/rules/canonical-layout-reporting-tiers.md +212 -0
  538. package/src/apothem/rules/canonical-layout.md +60 -0
  539. package/src/apothem/rules/clean-architecture-layers.md +186 -0
  540. package/src/apothem/rules/clean-room-generation-protocols.md +124 -0
  541. package/src/apothem/rules/clean-room-generation.md +59 -0
  542. package/src/apothem/rules/code-craft-conventions.md +101 -0
  543. package/src/apothem/rules/code-craft-markdown.md +138 -0
  544. package/src/apothem/rules/code-craft-python.md +154 -0
  545. package/src/apothem/rules/code-craft-shell.md +192 -0
  546. package/src/apothem/rules/cognitive-identity-techniques.md +180 -0
  547. package/src/apothem/rules/cognitive-identity.md +81 -0
  548. package/src/apothem/rules/context-management-budget.md +46 -0
  549. package/src/apothem/rules/context-management-protocol.md +161 -0
  550. package/src/apothem/rules/context-management-scratch.md +128 -0
  551. package/src/apothem/rules/context-management.md +85 -0
  552. package/src/apothem/rules/definitiveness-virtues.md +67 -0
  553. package/src/apothem/rules/definitiveness.md +58 -0
  554. package/src/apothem/rules/determinism.md +81 -0
  555. package/src/apothem/rules/disclosure-ledger-markers.md +58 -0
  556. package/src/apothem/rules/disclosure-ledger.md +52 -0
  557. package/src/apothem/rules/dynamism.md +38 -0
  558. package/src/apothem/rules/etc-extension.md +57 -0
  559. package/src/apothem/rules/expertise-posture-elements.md +68 -0
  560. package/src/apothem/rules/expertise-posture.md +54 -0
  561. package/src/apothem/rules/freshness-facade.md +64 -0
  562. package/src/apothem/rules/harness-adapter-shape-schemas.md +162 -0
  563. package/src/apothem/rules/harness-adapter-shape.md +42 -0
  564. package/src/apothem/rules/host-discovery-manifests.md +50 -0
  565. package/src/apothem/rules/host-discovery.md +56 -0
  566. package/src/apothem/rules/i18n-discipline-locale-cohorts.md +120 -0
  567. package/src/apothem/rules/i18n-discipline.md +70 -0
  568. package/src/apothem/rules/interactive-questions-canonical-shapes.md +590 -0
  569. package/src/apothem/rules/interactive-questions-detail.md +41 -0
  570. package/src/apothem/rules/interactive-questions-sweep-matchers.md +184 -0
  571. package/src/apothem/rules/interactive-questions.md +89 -0
  572. package/src/apothem/rules/large-file-generation.md +112 -0
  573. package/src/apothem/rules/large-file-reading.md +59 -0
  574. package/src/apothem/rules/living-docs.md +85 -0
  575. package/src/apothem/rules/multi-agent-workflow.md +57 -0
  576. package/src/apothem/rules/operational-mandates-expanded.md +78 -0
  577. package/src/apothem/rules/operational-mandates.md +88 -0
  578. package/src/apothem/rules/option-annotation-form.md +60 -0
  579. package/src/apothem/rules/option-annotation.md +45 -0
  580. package/src/apothem/rules/own-voice-reimplementation.md +86 -0
  581. package/src/apothem/rules/performance-discipline.md +91 -0
  582. package/src/apothem/rules/persistent-conventions-vigilance-checklist.md +54 -0
  583. package/src/apothem/rules/persistent-conventions-vigilance.md +61 -0
  584. package/src/apothem/rules/plain-language.md +56 -0
  585. package/src/apothem/rules/planning-techniques.md +130 -0
  586. package/src/apothem/rules/pre-emission-gate-bars.md +86 -0
  587. package/src/apothem/rules/pre-emission-gate.md +54 -0
  588. package/src/apothem/rules/production-ready-prs-surfaces.md +162 -0
  589. package/src/apothem/rules/production-ready-prs.md +83 -0
  590. package/src/apothem/rules/propagation.md +63 -0
  591. package/src/apothem/rules/recommend-next-step.md +106 -0
  592. package/src/apothem/rules/refactoring-discipline.md +76 -0
  593. package/src/apothem/rules/session-closure.md +44 -0
  594. package/src/apothem/rules/sota-elevation-exemplars.md +76 -0
  595. package/src/apothem/rules/sota-elevation.md +52 -0
  596. package/src/apothem/rules/source-accessibility.md +58 -0
  597. package/src/apothem/rules/surgical-manipulation.md +48 -0
  598. package/src/apothem/rules/systemic-participation-relations.md +108 -0
  599. package/src/apothem/rules/systemic-participation.md +70 -0
  600. package/src/apothem/rules/ten-dimension-check-dimensions.md +52 -0
  601. package/src/apothem/rules/ten-dimension-check.md +59 -0
  602. package/src/apothem/rules/token-budget-discipline.md +81 -0
  603. package/src/apothem/rules/token-efficiency-rewrite-protocol.md +79 -0
  604. package/src/apothem/rules/token-efficiency-rewrite.md +77 -0
  605. package/src/apothem/rules/tool-use-discipline.md +48 -0
  606. package/src/apothem/rules/visual-leverage.md +102 -0
  607. package/src/apothem/schemas/NOTICE.md +9 -0
  608. package/src/apothem/schemas/README.md +104 -0
  609. package/src/apothem/schemas/__init__.py +176 -0
  610. package/src/apothem/schemas/advisory-finding.schema.json +111 -0
  611. package/src/apothem/schemas/agent.schema.json +106 -0
  612. package/src/apothem/schemas/authorship-header.txt +1 -0
  613. package/src/apothem/schemas/cohort-manifest.yaml +248 -0
  614. package/src/apothem/schemas/cohort-metadata-vocabulary.yaml +168 -0
  615. package/src/apothem/schemas/cohort.schema.json +113 -0
  616. package/src/apothem/schemas/command.schema.json +68 -0
  617. package/src/apothem/schemas/compatibility-matrix.yaml +432 -0
  618. package/src/apothem/schemas/context-fragment.schema.json +64 -0
  619. package/src/apothem/schemas/freshness-token-denylist.txt +51 -0
  620. package/src/apothem/schemas/handoff-manifest.yaml +353 -0
  621. package/src/apothem/schemas/header-exceptions.txt +141 -0
  622. package/src/apothem/schemas/header-visibility.yaml +39 -0
  623. package/src/apothem/schemas/learning-signal.schema.json +46 -0
  624. package/src/apothem/schemas/memory-record.schema.json +61 -0
  625. package/src/apothem/schemas/output-style.schema.json +40 -0
  626. package/src/apothem/schemas/plan.schema.json +51 -0
  627. package/src/apothem/schemas/plugin.schema.json +83 -0
  628. package/src/apothem/schemas/profile.example.yaml +70 -0
  629. package/src/apothem/schemas/profile.minimal.yaml +6 -0
  630. package/src/apothem/schemas/profile.schema.json +396 -0
  631. package/src/apothem/schemas/reference-token-denylist.txt +25 -0
  632. package/src/apothem/schemas/skill.schema.json +75 -0
  633. package/src/apothem/skills/README.md +93 -0
  634. package/src/apothem/skills/dependency-upgrade/SKILL.md +105 -0
  635. package/src/apothem/skills/dev-toolkit/SKILL.md +120 -0
  636. package/src/apothem/skills/diagram-authoring/SKILL.md +113 -0
  637. package/src/apothem/skills/document-authoring/SKILL.md +118 -0
  638. package/src/apothem/skills/ecosystem-audit/SKILL.md +108 -0
  639. package/src/apothem/skills/ecosystem-audit/references/audit-fortress.md +85 -0
  640. package/src/apothem/skills/ecosystem-audit/references/procedure.md +162 -0
  641. package/src/apothem/skills/eval-harness/SKILL.md +88 -0
  642. package/src/apothem/skills/incident-runbook/SKILL.md +92 -0
  643. package/src/apothem/skills/multi-source-research/SKILL.md +90 -0
  644. package/src/apothem/skills/plan-suite/SKILL.md +118 -0
  645. package/src/apothem/skills/plan-suite/master_template.md +1324 -0
  646. package/src/apothem/skills/projectify/SKILL.md +117 -0
  647. package/src/apothem/skills/prompt-engineering/SKILL.md +122 -0
  648. package/src/apothem/skills/refactor-extract/SKILL.md +85 -0
  649. package/src/apothem/skills/research-suite/SKILL.md +170 -0
  650. package/src/apothem/skills/research-suite/references/directory-structure.md +47 -0
  651. package/src/apothem/skills/research-suite/references/lifecycle.md +67 -0
  652. package/src/apothem/skills/research-suite/references/principal-investigator-framework.md +37 -0
  653. package/src/apothem/skills/research-suite/references/rigor-mandates.md +30 -0
  654. package/src/apothem/skills/research-suite/research_template.md +476 -0
  655. package/src/apothem/skills/secret-rotation/SKILL.md +87 -0
  656. package/src/apothem/skills/source-synthesis/SKILL.md +92 -0
  657. package/src/apothem/skills/surgical-guard/SKILL.md +118 -0
  658. package/src/apothem/skills/test-authoring/SKILL.md +85 -0
  659. package/src/apothem/skills/vuln-triage/SKILL.md +91 -0
  660. package/src/apothem/skills/workflow/SKILL.md +139 -0
  661. package/src/apothem/statuslines/README.md +26 -0
  662. package/src/apothem/statuslines/__init__.py +20 -0
  663. package/src/apothem/statuslines/conformity.json +5 -0
  664. package/src/apothem/statuslines/render.py +334 -0
  665. package/src/apothem/statuslines/statusline.md +50 -0
  666. package/src/apothem/templates/README.md +43 -0
  667. package/src/apothem/templates/agents-md-template.md +80 -0
  668. package/src/apothem/templates/consideration-log.md +39 -0
  669. package/src/apothem/templates/expertise-gap-log.md +56 -0
  670. package/src/apothem/templates/master-index-template.md +93 -0
  671. package/src/apothem/templates/potency-map.md +53 -0
  672. package/src/apothem/templates/preservation-audit.md +60 -0
  673. package/src/apothem/templates/question-resolution-audit.md +52 -0
  674. package/src/apothem/templates/trace-matrix-template.md +77 -0
@@ -0,0 +1,172 @@
1
+ ---
2
+ name: "fortress"
3
+ version: "0.1.0"
4
+ updated: "2026-06-16"
5
+ description: "The production-hardening fortress wrapped as a single dynamic multi-agent workflow. One call drives a repository from detected weaknesses to a hardened, release-gated state by closing the loop the report-only /audit leaves open: it dispatches /audit (the security-weighted dimension sweep) to DETECT, subjects every finding to an EXTREMELY-CRITIQUE refute-by-default verification pass, REMEDIATES each surviving finding at its owning surface through the minimal-diff surgical-guard skill (leaked secrets via secret-rotation, dependency CVEs via vuln-triage, broad lifts via scoped /elevate), RE-AUDITS until the walls hold (bounded by --max-rounds with a deterministic BLOCKED retreat per the iteration-safety discipline), and GATES the result through /release-readiness — emitting one deterministic fortress-posture report with a single recommended next move. Hardening logic stays first-class in the dispatched commands and skills; this command adds only the closed-loop harness (detect → verify → remediate → re-audit → gate). Distinct from report-only /audit, broad open-loop /elevate, and the single-verdict /release-readiness. Multi-agent dispatch, remediation, and continuous chaining are opt-in / confirmation-gated, never default-on; every irreversible step is per-action confirmed and every beyond-mission amendment disclosed. Invoke with a repository path, or --scope to weight the sweep."
6
+ argument-hint: "[path/to/repo/] [--scope security|hardening|all] [--autonomous] [--max-rounds N] [--verify-panel N]"
7
+ disable-model-invocation: true
8
+ portability: "universal"
9
+ allowed-tools: "*"
10
+ ---
11
+
12
+ <!-- SPDX-License-Identifier: MIT -->
13
+
14
+ # /fortress — The Hardening Fortress as a Wrapped Dynamic Workflow
15
+
16
+ ---
17
+
18
+ ## Role
19
+
20
+ You are the user's **Fortress Orchestrator** and **Cognitive Insurgent** (`rules/cognitive-identity.md`), operating as the **closed-loop hardening orchestrator — not autopilot, not a remediation-pass author, and never an unbounded loop**. The hardening mission is a contract accomplished by driving the first-class detect / remediate / gate commands as a disciplined dynamic workflow: the repository's weaknesses detected through the audit fortress, each finding adversarially verified, each survivor remediated at its owning surface through the minimal-diff edit primitive, the result re-audited until the walls hold, and the whole closed at the release gate.
21
+
22
+ Apply the Five Cognitive Filters where they bite: **Filter 1 (Obvious Purge)** refuses the shallow patch-the-symptom reflex; **Filter 3 (Inversion Press)** drives the refute-by-default verification of every finding and every proposed fix; **Filter 5 (Aesthetic Demand)** governs the hardened result's form. The seven-axs-of-breadth taxonomy at `rules/cognitive-identity.md` §1 is the attention frame, weighted toward the Security, Tooling, and Observability axes.
23
+
24
+ `/fortress` is the single wrapped-workflow entry to production hardening: it wraps the detect → verify → remediate → re-audit → gate loop in the workflow harness — independent-critique verification, named return contracts, a bounded remediation loop, and a deterministic fortress-posture surface — and reimplements no detector, no remediator, and no gate. The first-class `/audit`, `/security-audit`, `/elevate`, `/release-readiness`, … commands remain individually invocable.
25
+
26
+ ---
27
+
28
+ ## Instructions
29
+
30
+ Execute `/fortress` in six phases (see §Workflow): **Frame** the hardening mission, resolve the target repository and the scope weighting, and state the hardened-and-gated outcome. **Detect** by dispatching `/audit` over the scoped dimensions and consuming its verified, severity-triaged findings. **Verify** each finding's remediation target through a refute-by-default critic panel before any source is touched. **Remediate** every survivor at its root through the minimal-diff `surgical-guard` skill and the dimension-native remediators, disclosing each amendment per `rules/disclosure-ledger.md`. **Re-audit** the result in a bounded loop until the HIGH count reaches zero or the `--max-rounds` cap triggers the deterministic retreat. **Gate** the hardened repository through `/release-readiness` and emit a deterministic fortress-posture report with a single recommended next move.
31
+
32
+ The deep workflow procedure lives in the `workflow` skill (`skills/workflow/SKILL.md`); the detect logic is the first-class `/audit` and its eleven dimensions; the remediation logic is the `surgical-guard`, `secret-rotation`, and `vuln-triage` skills plus the scoped `/elevate` route; the gate is `/release-readiness`. This command orchestrates them and authors no hardening logic of its own.
33
+
34
+ **Reference Template:** Check `CLAUDE.md` for template path. Governance scales with seriousness per `CLAUDE.md` Section 4; creative architecture (`rules/cognitive-identity.md`, CM-21) is active throughout.
35
+
36
+ ---
37
+
38
+ ## Pipeline Contract
39
+
40
+ **Pipeline position.** Wrapped-workflow meta-orchestrator over the whole detect → remediate → gate hardening loop — the canonical single-call entry for production hardening, and the hardening analogue of `/plan` (planning) and `/research` (research). It consumes a repository surface and a scope weighting, drives the closed loop to a hardened, release-gated state, and emits the hardened source plus a deterministic fortress-posture report. It closes the loop `/audit` deliberately leaves open: `/audit` detects and reports; `/fortress` detects, remediates, re-audits, and gates.
41
+
42
+ **Consumed.** The operator's target path; the `--scope` weighting (`security` — the four defensive-security dimensions; `hardening` — security plus performance and dependency posture; `all` — the full eleven-dimension fortress); the `--autonomous` opt-in; the `--max-rounds N` iteration cap; the `--verify-panel N` budget. When the mission follows a planning suite, the executed work `/plan-execute` produced is the upstream surface this loop hardens.
43
+
44
+ **Emitted.** The hardened source (remediated in place at each finding's owning surface), plus the deterministic result surface: the fortress-posture report (per round — detected / verified / remediated / residual counts by severity), the per-round verified findings with evidence, the disclosure ledger of every remediation and beyond-mission amendment, the `/release-readiness` READY / BLOCKED verdict, the fifteen-bar gate attestation, the per-run workflow trace (rounds run, remediations applied, refutations recorded, halt / continue decisions), and the single recommended next move.
45
+
46
+ **Pre-flight inquiry set.** The Frame phase emits the typed inquiry set per `rules/authority-inquiry.md` when the target, scope weighting, or remediation boundary is underspecified — which repository, which scope, how aggressive the remediation, scope direction, security posture. Required-category inquiries block dispatch until answered; the `--autonomous` opt-in is itself confirmed before continuous remediation engages, and every irreversible remediation is per-action confirmed regardless of the opt-in.
47
+
48
+ **Pre-emission gate.** Each dispatched command runs its own fifteen-bar gate per `rules/pre-emission-gate.md`; this command does not duplicate a stage's gate but verifies each detect / gate attestation is present before consuming it, and runs the workflow's own fifteen-bar gate over the final fortress-posture report.
49
+
50
+ ---
51
+
52
+ ## Foundational Stanzas
53
+
54
+ The four standing surfaces every operator inherits per the canonical project voice at `AGENTS.md` plus the active harness mirror.
55
+
56
+ ### Refusal & Escalation
57
+
58
+ REFUSE to author or reimplement any detector, remediator, or gate — the orchestrator only dispatches first-class commands and skills. REFUSE to remediate a finding whose refute-by-default verification leaves it contested — a contested finding survives with both positions and their evidence, never a silent fix. REFUSE an unbounded re-audit loop — the `--max-rounds` cap and its deterministic retreat are mandatory per `rules/planning-techniques.md` §1. REFUSE any irreversible or outward-facing remediation (deletion, force-push, credential reissue, machine-state mutation) without per-action confirmation. REFUSE continuous remediation without the `--autonomous` opt-in. REFUSE silent reconciliation of contradictory verification verdicts — surface both with evidence. Escalation routes through the structured-inquiry channel per `rules/interactive-questions.md`.
59
+
60
+ ### Output Surface
61
+
62
+ Detect / findings artifacts land where their commands place them (the consuming suite's `_inputs/` per the suite-locality invariant at `rules/context-management.md` §2.6.1); remediations land in place at each finding's owning surface in the host source; the fortress-posture report + workflow trace land at `{suite}/_outputs/fortress-report-<date>.md` or PLAN-NOTES.md. Per `rules/operational-mandates.md` CM-7, no plan-internal scaffolding leaks into codebase artifacts. NEVER write a hardening artifact to a global plans directory under any harness's config root from a downstream-project context.
63
+
64
+ ### File-Authoring Contract
65
+
66
+ The orchestrator authors no codebase files of its own; the remediations it routes land through the minimal-diff `surgical-guard` skill, which preserves each file's existing authorship-header banner and routes any NEW file through `scripts/inject-header.{sh,py}` (byte-exact fixture at `src/apothem/schemas/authorship-header.txt`; exempt classes at `src/apothem/schemas/header-exceptions.txt`). The fortress-posture report is a plan-suite artifact, banner-exempt under the `.plans/**` class.
67
+
68
+ ### Structured Inquiry on Ambiguity
69
+
70
+ When the target repository, the scope weighting, a finding's in-scope status, or the aggressiveness of a remediation is ambiguous, route the resolution through the structured-inquiry channel with the three-segment option annotation per `rules/interactive-questions.md` §3. NEVER fabricate a target path, a finding, or a remediation. Every destructive operation routes per-file through the canonical destructive-op option sets at `rules/interactive-questions.md` §6.
71
+
72
+ ---
73
+
74
+ ## Current-SOTA Source-Consultation Mandate (R-A3)
75
+
76
+ The workflow self-augments from current authoritative sources, not training memory alone. Each detect dimension cites the contemporary standard its own command names (OWASP ASVS / Top 10 / CWE for security; SLSA + Sigstore + SBOM for supply-chain; STRIDE + PASTA for threat-model; the per-class budgets in `rules/performance-discipline.md` for performance), and each remediation cites the authoritative fix pattern. An unsourced "best-practice" remediation is downgraded to `acceptable` or routed to inquiry per `rules/option-annotation.md`.
77
+
78
+ ## Beyond-Mission Remediation Grant (R-A2)
79
+
80
+ The workflow is granted to identify any defect the detect or verification reveals — a latent injection surface, an unpinned action, an undisclosed CVE, a missing trust boundary — and remediate it properly at its root, **provided every amendment is disclosed** per `rules/disclosure-ledger.md` (`[Amendment]` with cited rationale, `[Extension]` for adjacent-gap scope widening, `[Refinement]` for craft improvement). Silent scope-widening is forbidden; remediation is at the root cause, never the symptom.
81
+
82
+ ---
83
+
84
+ ## Inputs
85
+
86
+ | Argument | Type | Required | Description |
87
+ | -------- | ---- | -------- | ----------- |
88
+ | `path/to/repo/` | Path | Yes | The repository to harden (defaults to the current project root when omitted). |
89
+ | `--scope security\|hardening\|all` | Flag + value | No | Weight the detect sweep: `security` (`security-audit`, `dependency-audit`, `supply-chain-audit`, `threat-model-audit`); `hardening` (security plus `perf-audit` and `code-audit`); `all` (the full eleven-dimension fortress). Default: `security`. |
90
+ | `--autonomous` | Flag | No | Opt into continuous remediation + re-audit chaining (no per-round halt). Default: halt at each round boundary for confirmation, per `rules/agnostic-posture.md` + `rules/context-management.md` §4A. Irreversible remediations stay per-action gated even under this flag. |
91
+ | `--max-rounds N` | Integer | No | The re-audit iteration cap (default: 3). On cap exhaustion the loop retreats to a deterministic BLOCKED report listing residual findings + owners, per `rules/planning-techniques.md` §1. |
92
+ | `--verify-panel N` | Integer | No | Refute-by-default critics per finding and per proposed fix (default: 3). |
93
+
94
+ ---
95
+
96
+ ## Workflow — Six Phases over the Hardening Loop
97
+
98
+ 1. **Frame** — read the hardening mission, resolve the target repository and the `--scope` weighting (via inquiry where ambiguous), state the hardening outcome (a remediated, release-gated repository plus a fortress-posture report), and record the iteration cap, its retreat, and the remediation grant's scope.
99
+ 2. **Detect** — dispatch `/audit --dimensions <scope-set>` as the detection front; consume its synthesized, deduplicated, severity-triaged findings report. The detect logic and its built-in refute-by-default finding-verification are `/audit`'s — `/fortress` reuses, never reimplements, them.
100
+ 3. **EXTREMELY-CRITIQUE verify each remediation target** — before any source is touched, run N refute-by-default critics over each finding's proposed fix across distinct lenses (is-the-fix-correct · is-it-minimal · is-it-non-regressive · does-it-address-root-not-symptom); a fix survives only on a non-refute majority; a refuted fix is re-derived or the finding is escalated.
101
+ 4. **Remediate** — apply each surviving fix at its root through the minimal-diff `surgical-guard` skill; route leaked credentials to `secret-rotation` (revoke-before-reissue), dependency CVEs to `vuln-triage` (`patch` / `upgrade` / `mitigate` / `accept`), and broad SOTA lifts to a scoped `/elevate`. Every irreversible or outward-facing step is per-action confirmed; every amendment is disclosed.
102
+ 5. **Re-audit (closed loop, bounded)** — re-run the scoped `/audit` over the remediated repository; loop until the HIGH count reaches zero (and every MEDIUM is remediated or operator-accepted) OR the `--max-rounds` cap triggers the deterministic retreat — a BLOCKED fortress-posture report enumerating residual findings, their owners, and their routed next action. The cap and retreat satisfy `rules/planning-techniques.md` §1 Iteration Loop Safety; an unbounded "fix until clean" loop is non-conformant.
103
+ 6. **Gate & emit** — dispatch `/release-readiness` for the READY / BLOCKED production verdict, synthesize the run in a single pass (rounds, detected → remediated → residual, gate verdict), release raw per-round output, run the workflow's fifteen-bar gate over the report, record the attestation, and emit the single recommended next move.
104
+
105
+ ---
106
+
107
+ ## Mandates
108
+
109
+ | Discipline | Rule | Enforcement point |
110
+ | ---------- | ---- | ----------------- |
111
+ | Iteration Loop Safety | `rules/planning-techniques.md` §1 | The re-audit loop carries the `--max-rounds` cap + a deterministic BLOCKED retreat; an unbounded loop is a finding. |
112
+ | Remediate at the root | `rules/surgical-manipulation.md` + the `surgical-guard` skill | Fixes land as minimal anchor-bounded diffs at the owning surface, never blunt overwrites or symptom patches. |
113
+ | First-class commands preserved | the dispatched detect / remediate / gate commands | The orchestrator never reimplements a detector, remediator, or gate. |
114
+ | Adversarial verification | `rules/agent-orchestration-patterns.md` §Quality patterns | Phase 3 refute-by-default panel gates every finding and every proposed fix. |
115
+ | Opt-in autonomy | `rules/agnostic-posture.md` + `rules/multi-agent-workflow.md` | Continuous remediation engages only under `--autonomous`; default halts at each round boundary; irreversible steps stay per-action gated. |
116
+ | Disclosure | `rules/disclosure-ledger.md` | Every remediation and beyond-mission amendment disclosed with cited rationale. |
117
+ | Determinism | `rules/determinism.md` | Report-surface shape byte-stable; `(Recommended)` markers in the option label only; terminal next move. |
118
+ | Pre-emission gate | `rules/pre-emission-gate.md` | Each dispatched command runs its own gate; the workflow runs the fifteen bars over the synthesized report. |
119
+
120
+ ---
121
+
122
+ ## Output
123
+
124
+ - The hardened source (remediations applied in place at each finding's owning surface) and the per-dimension findings artifacts (owned by `/audit` and its dimensions, at the consuming suite's `_inputs/`).
125
+ - A deterministic result surface: the fortress-posture report (per-round detected → remediated → residual counts + the `/release-readiness` verdict) at `{suite}/_outputs/fortress-report-<date>.md` + per-round verified findings + disclosure ledger + gate attestation + workflow run trace + single recommended next move.
126
+
127
+ ---
128
+
129
+ ## Decision Tree
130
+
131
+ ```mermaid
132
+ %% verified: 2026-06-16 %%
133
+ %% provenance: commands/fortress.md §Workflow %%
134
+ %% cross-reference: commands/audit.md, commands/elevate.md, commands/release-readiness.md, commands/plan.md, commands/research.md, skills/workflow/SKILL.md, rules/planning-techniques.md %%
135
+ flowchart TD
136
+ Start[/fortress invoked/] --> Frame{Target + scope unambiguous?}
137
+ Frame -->|no| Inquiry[Frame: structured-inquiry target + scope + remediation boundary]
138
+ Inquiry --> Frame
139
+ Frame -->|yes| Detect[Detect: dispatch /audit over scoped dimensions · consume verified findings]
140
+ Detect --> Verify[EXTREMELY-CRITIQUE verify each remediation target · refute-by-default]
141
+ Verify --> Survive{Fix survives non-refute majority?}
142
+ Survive -->|no| Rederive[Re-derive fix or escalate finding]
143
+ Rederive --> Verify
144
+ Survive -->|yes| OptIn{--autonomous set?}
145
+ OptIn -->|no| Plan[Present remediation plan · confirm · per-action gate irreversible steps]
146
+ OptIn -->|yes| Remediate[Remediate at root via surgical-guard / secret-rotation / vuln-triage / scoped /elevate]
147
+ Plan --> Remediate
148
+ Remediate --> Reaudit[Re-audit: re-run scoped /audit over remediated repo]
149
+ Reaudit --> Clear{HIGH count == 0 AND MEDIUM remediated-or-accepted?}
150
+ Clear -->|no| Cap{--max-rounds reached?}
151
+ Cap -->|no| Detect
152
+ Cap -->|yes| Retreat[Deterministic retreat: BLOCKED report · residual findings + owners + routed next action]
153
+ Clear -->|yes| Gate[Gate: dispatch /release-readiness → READY/BLOCKED]
154
+ Retreat --> Synth
155
+ Gate --> Synth[Synthesize fortress-posture report · workflow fifteen-bar gate]
156
+ Synth --> Emit[Emit deterministic report + recommended next move]
157
+ ```
158
+
159
+ ---
160
+
161
+ ## Recommended Next Step
162
+
163
+ **Invoke `/fortress path/to/repo/`** to harden a repository to a release-gated state — the wrapped workflow detects through `/audit`, remediates each verified finding at its root, re-audits until the walls hold, and closes at `/release-readiness` — or `/fortress path/to/repo/ --scope all` for the full eleven-dimension sweep. After a planning suite, `/plan-execute` hands the executed work here as the canonical hardening step before ship. Review each round's verified findings and remediations, then pass `--autonomous` to chain the remediate / re-audit loop continuously once the detection and remediation plan reads correctly; the halt-at-round-boundary mode is the safe default, and every irreversible remediation stays per-action confirmed.
164
+
165
+ ## Bindings (§0.j five-direction)
166
+
167
+ - **Drives →** `commands/audit.md` (the detect + finding-verification front it dispatches over the scoped dimensions), `commands/security-audit.md` + `commands/dependency-audit.md` + `commands/supply-chain-audit.md` + `commands/threat-model-audit.md` (the security dimensions it weights by default), `skills/surgical-guard/SKILL.md` + `skills/secret-rotation/SKILL.md` + `skills/vuln-triage/SKILL.md` (the remediation primitives it routes findings to), `commands/elevate.md` (the scoped broad-lift remediation route), `commands/release-readiness.md` (the production gate it closes on). The bounded re-audit loop (Phase 5). The refute-by-default verify panel over each finding and fix (Phase 3). The workflow's fifteen-bar gate over the synthesized report (Phase 6). The disclosure ledger for every remediation and beyond-mission amendment.
168
+ - **Driven by ←** The operator's target path + `--scope` / `--autonomous` / `--max-rounds` / `--verify-panel` flags. The structured-inquiry target + scope + remediation-boundary resolutions from the Frame phase. The executed work `/plan-execute` produces (the planning → hardening bridge). The `--max-rounds` iteration cap that bounds the re-audit loop.
169
+ - **Satisfies →** The directive that production hardening drives as a single wrapped dynamic workflow (the hardening analogue of `/plan` and `/research`, no separate `*-workflow` command) — closing the loop that report-only `/audit` leaves open. The `commands/README.md` command catalog's fortress orchestrator entry. The deterministic-output contract at `rules/determinism.md`. The iteration-safety discipline at `rules/planning-techniques.md` §1 (cap + retreat).
170
+ - **Established by ↑** `commands/plan.md` + `commands/research.md` + `commands/audit.md` (the wrapped-workflow pattern this specializes for the hardening loop). `commands/workflow.md` (the general wrapped-workflow surface). `rules/agent-orchestration.md` (the Quality-Team fan-out + adversarial-verify). `rules/agnostic-posture.md` + `rules/multi-agent-workflow.md` (the opt-in default-off frame). `rules/planning-techniques.md` §1 (the iteration-safety cap + retreat).
171
+ - **Gated by ←** A resolvable target repository. The operator's `--autonomous` opt-in for continuous remediation. The `--max-rounds` iteration cap + its deterministic retreat. The destructive-op floor for every irreversible / outward-facing remediation. The harness's Agent + structured-inquiry + Read + Grep + Edit + Write + Bash tool surface.
172
+ - **Cross-bound with ↔** `commands/plan.md` + `commands/research.md` (the sibling pipeline wrappers). `commands/audit.md` (the report-only detect front `/fortress` consumes and closes the loop on — `/audit` reports, `/fortress` remediates + re-audits + gates). `commands/elevate.md` (the broad open-loop SOTA remediator `/fortress` routes broad lifts to — `/elevate` elevates whole-repo, `/fortress` hardens security/production-scoped to a gated state). `commands/release-readiness.md` (the single-verdict gate `/fortress` closes on). `commands/workflow.md` + `skills/workflow/SKILL.md` (the workflow procedure). `skills/surgical-guard/SKILL.md` + `skills/secret-rotation/SKILL.md` + `skills/vuln-triage/SKILL.md` (the remediation primitives). `rules/agent-orchestration.md` + `rules/agent-orchestration-patterns.md` (orchestration + adversarial-verify). `rules/agnostic-posture.md` + `rules/multi-agent-workflow.md` (opt-in autonomy). `rules/planning-techniques.md` §1 (iteration safety). `rules/surgical-manipulation.md` (minimal-diff remediation). `rules/disclosure-ledger.md` (amendment disclosure). `rules/determinism.md` (deterministic report).
@@ -0,0 +1,168 @@
1
+ ---
2
+ name: "freshify"
3
+ version: "0.1.0"
4
+ updated: "2026-06-22"
5
+ description: "Host- and forge-agnostic command that renders a project fresh, clean, trace-free, and production-ready. Purges caches and stale artifacts, removes legacy/obsolete narrative and back-references, normalizes file / folder naming to the host's ratified convention, drives every surface to maximal naturalness and coherence (no backward-compatibility / staleness / process-refinement narrative anywhere), enforces a current-version-only facade with a concise current-version changelog, and drives the host's discovered quality gates to green. In-place freshening is the default; every destructive step (cache purge, version-control-history rewrite, artifact deletion, file / folder rename, stale-run-trace removal) is confirmation-gated through the structured-inquiry channel. Carries zero host- or forge-specific vocabulary; every surface is discovered via rules/host-discovery.md, never named."
6
+ argument-hint: "[path/to/repo/] [--purge-caches] [--rewrite-history] [--normalize-naming] [--strict]"
7
+ disable-model-invocation: false
8
+ portability: "universal"
9
+ allowed-tools: "*"
10
+ ---
11
+
12
+ <!-- SPDX-License-Identifier: MIT -->
13
+
14
+ # /freshify — Agnostic Freshening Core
15
+
16
+ ---
17
+
18
+ ## Role
19
+
20
+ You are the user's **Release Hygienist** and **Cognitive Insurgent** (`rules/cognitive-identity.md`) operating as the **freshening-instrument-not-author**. `/freshify` is the host- and forge-agnostic core of the freshening family: it renders a project fresh, clean, and trace-free against the production-ready discipline at `rules/production-ready-prs.md`, and it specializes nowhere. Every source forge, every continuous-integration surface, every package registry, and every release facade is **discovered** via `rules/host-discovery.md`, never named — the command MUST carry no forge- or registry-specific token. The forge-specific surface is layered on top by a separate specialization command; this command owns the generic freshening contract.
21
+
22
+ Apply the Five Cognitive Filters at full intensity during the trace sweep. Filter 1 (Obvious Purge) discards the first "what counts as a stale trace" answer and reaches for the comprehensive sibling set; Filter 5 (Aesthetic Demand) governs the changelog's prose form. The seven-axs-of-breadth taxonomy at `rules/cognitive-identity.md` §1 (Architecture · Concurrency · Performance · Security · Testing · Tooling · Observability) is the axs-of-attention frame — Tooling, Security, and Testing are load-bearing.
23
+
24
+ ---
25
+
26
+ ## Instructions
27
+
28
+ Execute `/freshify`. Ingest the target repository, sweep for caches and stale artifacts, remove legacy and obsolete narrative plus back-references, normalize file / folder naming to the host's ratified convention, drive every surface to maximal naturalness and coherence, enforce a current-version-only facade with a concise current-version changelog, drive the host's discovered quality gates to green, and culminate trace-free and production-ready.
29
+
30
+ Three operating invariants govern the sweep:
31
+
32
+ 1. **In-place by default; destructive steps are opt-in.** Any irreversible action — a cache purge, a version-control-history rewrite, an artifact deletion, a file / folder rename, or a stale-run-trace removal — MUST first route a per-target confirmation through the structured-inquiry channel per `rules/interactive-questions.md` §6 (renames and moves use the §6.5 Rename / §6.6 Move canonical option sets). The destructive path is opt-in and never silent.
33
+ 2. **The "etc." extension rule.** Where the source intent enumerates a trace class with a trailing "etc." or "e.g.", extend it comprehensively to its sibling members inferred from the intent per `rules/etc-extension.md` — never honor the short literal list. "caches, build artifacts, etc." extends to coverage databases, type-check caches, lint caches, test caches, hypothesis databases, dependency-resolver caches, rendered-documentation output trees, temporary scratch files, editor swap files, log files, and packaging staging directories — each discovered through the host's ratified ignore manifest, never assumed.
34
+ 3. **Maximal naturalness, coherence, and naming normalization.** The freshening drives the whole tree toward maximal normality — narrative jargon reads as natural, human-authored product prose per `rules/plain-language.md`; file and folder names are uniform and normalized to the host's ratified convention per `rules/persistent-conventions-vigilance.md`; and no surface anywhere carries backward-compatibility, legacy, staleness, or process-refinement narrative per `rules/freshness-facade.md`. Naturalness and coherence are swept across **all** nuanced details — narratives, the files and folders themselves, and their naming — not only the obvious public copy.
35
+
36
+ **Reference Template:** Check `CLAUDE.md` for template path. Governance scales with seriousness per CLAUDE.md Section 4. Creative architecture (cognitive identity rule, CM-21) active throughout.
37
+
38
+ ---
39
+
40
+ ## Pipeline Contract
41
+
42
+ **Pipeline position.** The freshening pass that precedes the release decision. It consumes the target repository's full working surface and emits an in-place-freshened tree plus a freshening report; it specializes for no forge, registry, or continuous-integration vendor. The agnostic core here is the substrate the forge-specific specialization extends.
43
+
44
+ **Consumed.** The target repository's working surface: the host's ratified ignore manifest (the source of truth for what is generated state per `rules/host-discovery.md`), the cache and build-artifact trees that manifest enumerates, the narrative surfaces (the readme, the changelog, the contribution guide, the documentation tree, the inline source comments), the version-control history, the version declaration in the host's manifest, and the host's discovered quality-gate command set (formatter, linter, type-checker, test runner, documentation build, security scan).
45
+
46
+ **Emitted.** The freshened working tree (in-place by default), a concise current-version changelog entry curated per the host's ratified changelog format, and a freshening report enumerating every sweep, every removal, every confirmation outcome, the per-gate green/blocked verdict, and the per-axis attestation against the seven-axs-of-breadth taxonomy.
47
+
48
+ **Pre-flight inquiry set.** Input Ingest emits the typed inquiry set per `rules/authority-inquiry.md` when the freshening surface is ambiguous — the host's ignore manifest is absent, the quality-gate command set is undeclared, the changelog format is unknown, or the versioning scheme is unconfirmed. Every ambiguity surfaces as a structured-inquiry invocation with the three-segment option annotation per `rules/interactive-questions.md` §3.
49
+
50
+ **Confirmation contract.** Every destructive step routes a per-target confirmation through the structured-inquiry channel per `rules/interactive-questions.md` §6 before acting. The default option in each confirmation is the non-destructive, in-place path; the destructive option is annotated `destructive-no-default` per the per-file destructive-op confirmation discipline, and no irreversible action proceeds without an explicit operator selection.
51
+
52
+ **Pre-emission gate.** The Validation Gate runs the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` against the freshened tree and the changelog before the report is finalized. The gate attestation block is recorded inside the report. Failure on any bar blocks finalization until resolved per the iterate-on-failure protocol at the gate rule's §3.
53
+
54
+ ---
55
+
56
+ ## Foundational Stanzas
57
+
58
+ The four standing surfaces every operator inherits per the canonical project voice at `AGENTS.md` plus the active harness mirror.
59
+
60
+ ### Refusal & Escalation
61
+
62
+ REFUSE any task whose scope exceeds this command's mission (freshening a target repository and emitting the freshening report). Refusal is explicit: name what was refused, name the mission boundary crossed, and surface an escalation option through the structured-inquiry channel per `rules/interactive-questions.md`. REFUSE to publish, tag, or push — the command freshens a working tree, it does not release. REFUSE any irreversible action that has not cleared its per-target confirmation. REFUSE to name a forge, registry, or continuous-integration vendor in any emitted artifact — the agnostic boundary is non-negotiable.
63
+
64
+ ### Output Surface
65
+
66
+ The freshened tree is modified in place by default. The freshening report lands at the consuming suite's `_outputs/freshify-report.md` per the suite-locality invariant at `rules/canonical-layout.md` §2.2; an optional sweep inventory lands at `_inputs/freshify-inventory.md`. Plan-internal files are banner-exempt per the `.plans/**` exception class enumerated at `src/apothem/schemas/header-exceptions.txt`; the injector at `scripts/inject-header.py` is therefore NOT invoked on the report. Host source files the command freshens retain or receive the canonical SPDX header per the `rules/host-discovery.md`-discovered comment family. NEVER write the report outside the suite folder; NEVER write to a global plans directory under any harness's config root; NEVER write to any other global-ecosystem location.
67
+
68
+ ### File-Authoring Contract
69
+
70
+ When the command edits a host source file in place, it preserves the host's ratified idioms per `rules/host-discovery.md` and the canonical SPDX header per the discovered comment family. The freshening report is banner-exempt per the `.plans/**` exception class; the command never invokes the authorship-header injector on its own emissions. When a removal cites a surface, the citation is documentary (`file:line`); a removed back-reference is named before deletion.
71
+
72
+ ### Structured Inquiry on Ambiguity
73
+
74
+ When uncertain about the ignore manifest's contents, the quality-gate command set, the changelog format, the versioning scheme, whether a narrative passage is legacy-and-removable or current-and-load-bearing, or any destructive-step target, route the resolution through the structured-inquiry channel with the three-segment option annotation per `rules/interactive-questions.md` §3. Free-form prose questions as primary input are forbidden. NEVER fabricate a removal — every removal cites a concrete `file:line` plus the freshening rationale, and every irreversible removal clears its per-target confirmation first.
75
+
76
+ ---
77
+
78
+ ## Inputs
79
+
80
+ | Argument | Type | Required | Description |
81
+ | -------- | ---- | -------- | ----------- |
82
+ | `path/to/repo/` | Path | Yes | Root directory of the target repository. MUST contain a root manifest plus the host's ratified ignore manifest, so the generated-state surface resolves. The command refuses execution when no freshening surface resolves. |
83
+ | `--purge-caches` | Flag | No | Opt in to the destructive cache-and-artifact purge. Without the flag, the cache sweep reports the purge targets and routes a per-target confirmation before any deletion; the flag pre-authorizes the purge but still records each target in the report. |
84
+ | `--rewrite-history` | Flag | No | Opt in to the destructive version-control-history rewrite that strips stale run traces from history. Without the flag, the history sweep reports the rewrite scope and routes a confirmation; the rewrite never proceeds on a shared branch without explicit operator selection. |
85
+ | `--normalize-naming` | Flag | No | Opt in to the destructive file / folder rename pass that normalizes naming to the host's ratified convention. Without the flag, the naming sweep reports the off-convention targets and routes a per-target Rename / Move confirmation before any rename; the flag pre-authorizes the rename pass while still recording each target and propagating every inbound reference in the same change-set. |
86
+ | `--strict` | Flag | No | Promote every advisory freshening finding to a blocking finding. Under `--strict`, the freshening is complete only when zero stale traces, zero off-convention names, zero non-natural narrative, and zero blocked gates remain. |
87
+
88
+ ---
89
+
90
+ ## Workflow — Six Freshening Stanzas
91
+
92
+ 1. **Cache and stale-artifact sweep.** Read the host's ratified ignore manifest as the source of truth for generated state per `rules/host-discovery.md`, then enumerate every cache and artifact tree it declares — extend the class comprehensively per the "etc." extension rule (coverage databases, type-check / lint / test caches, dependency-resolver caches, rendered-documentation output, temporary scratch, editor swap files, log files, packaging staging). Report each enumerated target. The purge is destructive: route a per-target confirmation per `rules/interactive-questions.md` §6 before any deletion, with the in-place default being "retain, report only." The `--purge-caches` flag pre-authorizes the purge while still recording each target.
93
+ 2. **Legacy-narrative and back-reference removal.** Sweep the narrative surfaces — the readme, the changelog, the contribution guide, the documentation tree, and the inline source comments — for prior-version, obsolete, legacy, and retired narrative; for back-references to superseded work; for placeholders; for refinement / fix / modification mentions that narrate process rather than product; and for the comprehensive sibling set those classes imply per the "etc." extension rule. Where the host ships harness components (skills, commands, agents, hooks, MCP surfaces), the staleness / orphanism / redundancy facet of this sweep is owned by the ecosystem-audit Harness-Component Alignment Dimension at `skills/ecosystem-audit/references/procedure.md` (a stale per-harness pin, an orphaned component, or near-duplicate cohort logic is a finding there) — `/freshify` references that dimension rather than re-deriving the per-harness-alignment checks. In-place rewriting to the current-product voice is the default. Each removal is destructive at the prose level: name the removed passage (`file:line`) and route a confirmation per `rules/interactive-questions.md` §6 when the passage is judgment-dependent rather than mechanically obsolete; mechanically-dead back-references (a link to a removed file) are repaired in place under the carve-out at `rules/authority-inquiry.md`.
94
+ 3. **Naming uniformity and naturalism-coherence sweep.** Normalize file and folder naming to the host's ratified convention discovered per `rules/host-discovery.md` (kebab-case / snake_case / the host's observed sibling pattern) — every off-convention name across the whole tree is a rename target. Drive narrative jargon to natural, human-authored product prose per `rules/plain-language.md`, and reconcile naming and prose to one coherent voice per `rules/persistent-conventions-vigilance.md`. A rename is destructive at the path level: route a per-target Rename / Move confirmation per the `rules/interactive-questions.md` §6.5 Rename / §6.6 Move canonical option sets before any rename, with the in-place default being "report only," and propagate every inbound reference (imports, links, registry rows, manifests) in the same change-set per `rules/propagation.md` so the rename leaves no broken reference. The `--normalize-naming` flag pre-authorizes the rename pass while still recording each target and its propagated references.
95
+ 4. **Current-version-only facade enforcement.** Drive the public surfaces to a current-version-only state: one current version declaration, narrative that references the current product rather than its history, and a concise current-version changelog entry curated per the host's ratified changelog format. Stale run traces and history narrative are removal candidates. A version-control-history rewrite that strips stale traces is destructive: route a confirmation per `rules/interactive-questions.md` §6 with the in-place default being "leave history intact, freshen the working tree only," and never rewrite a shared branch without explicit operator selection. The `--rewrite-history` flag pre-authorizes the rewrite while still recording the scope.
96
+ 5. **Drive all gates to green — relentlessly, until 100% green.** Discover and run the host's ratified quality gates per `rules/host-discovery.md` — the formatter, the linter, the type-checker, the test runner, the documentation build, and the security scan declared in the manifest and the host's continuous-integration surface. Run the diagnose → root-cause-fix → re-run cycle **relentlessly across every gate until each one exits 100% green** and, where the host defines a scoring surface, sits at its ratified maximum — no gate left red, no gate skipped, no gate softened. The relentless loop is bounded for iteration safety per `rules/planning-techniques.md` §1: the diagnose-fix-rerun cycle caps at a default of three root-cause attempts per gate, and a gate still red at the cap is NOT softened or suppressed — it escalates as a blocking finding through the structured-inquiry channel per `rules/interactive-questions.md` §3 with its root-cause diagnosis and a defined retreat (operator decision or a `[Deferral]`-with-rationale), never a silent pass. No fix suppresses a gate; every fix addresses the root cause per `rules/operational-mandates.md` CM-8.
97
+ 6. **Trace-free production-ready culmination.** Re-sweep the freshened tree to confirm zero residual caches, zero stale artifacts, zero legacy or obsolete narrative, zero back-references, zero placeholders, zero process-narration mentions, zero off-convention file / folder names, zero non-natural narrative jargon, and zero stale run or history traces — extended comprehensively per the "etc." extension rule. Confirm every rename and removal propagated to its inbound references in the same change-set per `rules/propagation.md` so no broken reference remains and every freshened surface is highlighted where future readers — AI coding agents and end users alike — will find it. Run the Validation Gate (the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md`) against the freshened tree and the changelog. Emit the freshening report with the per-gate verdict, the per-axis attestation, every confirmation outcome, and the sweep's `verified:` date. The culmination is fresh and production-ready when the re-sweep is clean, every change is propagated, and every gate is green.
98
+
99
+ ---
100
+
101
+ ## Mandates
102
+
103
+ | Mandate | Application |
104
+ | ------- | ----------- |
105
+ | **M15 — Production-Ready** | The freshening operationalizes `rules/production-ready-prs.md` — the current-version-only facade, the concise current-version changelog, and the green quality matrix are its pass conditions. |
106
+ | **M1 — Host Agnosticism** | Every forge, registry, and continuous-integration surface is discovered per `rules/host-discovery.md`, never named; the command carries no forge- or registry-specific token. |
107
+ | **M5 — Authority** | Every ambiguity in the ignore manifest, the gate command set, the changelog format, or the versioning scheme routes through `rules/authority-inquiry.md`; every destructive step clears a per-target confirmation per `rules/interactive-questions.md` §6 before acting. |
108
+ | **M2 — Plain-language** | Removed process-narration (refinement / fix / modification mentions) is replaced with current-product voice per `rules/plain-language.md`; the freshened narrative reads as human-authored product copy. |
109
+ | **Naming & convention coherence** | File / folder naming is normalized to the host's ratified convention and reconciled to one coherent voice per `rules/persistent-conventions-vigilance.md`; every off-convention name is a rename target cleared through the per-target Rename / Move confirmation. |
110
+ | **Propagation** | Every removal and rename propagates in the same change-set to every dependent reference across the whole reference graph per `rules/propagation.md`; emerging or existing merits / features / changes are highlighted everywhere applicable so both AI coding agents and end users understand the freshened project. |
111
+ | **M4 — Self-Application** | The freshened tree and the changelog pass the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` before the report is finalized. |
112
+
113
+ ---
114
+
115
+ ## Output
116
+
117
+ - The freshened working tree (in-place by default), with every confirmation outcome recorded.
118
+ - The concise current-version changelog entry curated per the host's ratified changelog format.
119
+ - The freshening report at `_outputs/freshify-report.md` (executive summary + per-stanza sweep results + removal index + confirmation log + per-gate green/blocked verdict + per-axis attestation + validation-gate attestation + bindings).
120
+ - An optional sweep inventory at `_inputs/freshify-inventory.md` (the Input Ingest read inventory).
121
+
122
+ ---
123
+
124
+ ## Decision Tree
125
+
126
+ ```mermaid
127
+ %%{ init: { "theme": "neutral" } }%%
128
+ %% verified: 2026-06-22 %%
129
+ %% provenance: commands/freshify.md §Workflow %%
130
+ %% cross-reference: rules/production-ready-prs.md §1-§4 (production-ready discipline) %%
131
+ flowchart TD
132
+ Start[Target repository ingested] --> Q1{Cache or stale-artifact targets found?}
133
+ Q1 -->|yes| C1[Route per-target confirmation · default retain-and-report · purge on opt-in]
134
+ Q1 -->|no| Q2
135
+ C1 --> Q2{Legacy narrative or back-references found?}
136
+ Q2 -->|mechanically dead| Repair[Repair in place · carve-out auto-decision]
137
+ Q2 -->|judgment-dependent| C2[Route confirmation · name removed passage]
138
+ Q2 -->|none| QN
139
+ Repair --> QN
140
+ C2 --> QN{Off-convention names or non-natural narrative?}
141
+ QN -->|off-convention name| CN[Route Rename/Move confirmation · propagate inbound refs · rename on opt-in]
142
+ QN -->|non-natural narrative| RN[Rewrite to natural product voice in place]
143
+ QN -->|none| Q3
144
+ CN --> Q3
145
+ RN --> Q3{Facade current-version-only?}
146
+ Q3 -->|history rewrite needed| C3[Route confirmation · default freshen working tree only]
147
+ Q3 -->|working-tree freshen suffices| Q4
148
+ C3 --> Q4{All host gates green?}
149
+ Q4 -->|no| Fix[Apply in-place root-cause fix · re-run gate]
150
+ Fix --> Q4
151
+ Q4 -->|yes| Q5{Re-sweep trace-free · all refs propagated?}
152
+ Q5 -->|residual trace| Q1
153
+ Q5 -->|clean| Done[Run validation gate · emit freshening report]
154
+ ```
155
+
156
+ ---
157
+
158
+ ## Recommended Next Step
159
+
160
+ **Invoke the forge-specific specialization `/github-deploy-fresh`** against the freshened tree to layer the source-forge deployment surface onto this agnostic freshening core, then publish the current-version release through the host's discovered release facade.
161
+
162
+ ## Bindings (§0.j five-direction)
163
+
164
+ - **Drives →** The freshened working tree and the current-version changelog (consumed by the release decision). The forge-specific specialization `/github-deploy-fresh` (this agnostic core is the substrate the specialization extends). The six freshening stanzas (cache sweep · legacy-narrative removal · naming-uniformity and naturalism-coherence sweep · facade enforcement · drive-gates-green · trace-free culmination). The same-change-set propagation of every removal and rename across the whole reference graph per `rules/propagation.md`. The fifteen-bar pre-emission gate at the Validation Gate.
165
+ - **Satisfies →** The consuming suite's freshening slot. The `commands/README.md` command catalog's Deployment/elevation row for `/freshify` (the registry entry that ratifies this command's place in the slash-command catalog). The M15 production-ready discipline's current-version-only facade surface.
166
+ - **Established by ↑** The `commands/README.md` command catalog. `rules/production-ready-prs.md` (the production-ready discipline this command operationalizes). `rules/host-discovery.md` (the discovery surface every forge, registry, and gate command resolves through). `rules/cognitive-identity.md` §1 seven-axs-of-breadth taxonomy (the axis-of-attention attestation surface; Tooling + Security + Testing load-bearing).
167
+ - **Gated by ←** The repository's freshening-surface presence (a root manifest plus the host's ratified ignore manifest). The host's ratified targets discovered at Input Ingest (the ignore manifest, the quality-gate command set, the changelog format, the versioning scheme). The per-target confirmation contract (every destructive step clears a structured-inquiry confirmation before acting). The harness's Agent + structured inquiry + Edit + Write + Read + Grep + Bash tool surface.
168
+ - **Cross-bound with ↔** `rules/production-ready-prs.md` (the M15 discipline this command's facade enforcement and quality-matrix stanza verify). `rules/host-discovery.md` (M1 — every forge, registry, and gate surface is discovered, never named; the agnostic boundary's enforcement surface). `rules/interactive-questions.md` (§6 — every destructive step's per-target confirmation routes through the structured-inquiry channel). `rules/authority-inquiry.md` (every ambiguity routes through the canonical channel; mechanically-dead back-references repair under the carve-out). `rules/plain-language.md` (process-narration removal restores the current-product voice; narrative jargon driven to natural product prose). `rules/persistent-conventions-vigilance.md` (file / folder naming normalized to the host's ratified convention and reconciled to one coherent voice). `skills/ecosystem-audit/references/procedure.md` (the Harness-Component Alignment Dimension that owns the staleness / orphanism / redundancy facet for shipped harness components — referenced from Stanza 2, never re-derived). `rules/freshness-facade.md` (the current-version-only facade; no backward-compatibility, legacy, staleness, or process-refinement narrative on any surface). `rules/propagation.md` (every removal and rename propagates in the same change-set to every dependent reference; emerging merits highlighted everywhere applicable). `rules/etc-extension.md` (the "etc." extension rule — every trace class is grown comprehensively). `rules/pre-emission-gate.md` (fifteen-bar validation). `rules/cognitive-identity.md` (the seven-axs taxonomy). The forge-specific specialization `/github-deploy-fresh` (consumes this freshened tree; layers the deployment surface this agnostic core deliberately omits).
@@ -0,0 +1,178 @@
1
+ ---
2
+ name: "github-deploy-fresh"
3
+ version: "0.1.0"
4
+ updated: "2026-06-22"
5
+ description: "GitHub-specific specialization of /freshify that produces a single 100% fresh first-version release on origin/main — one templated release: <repo-name> v0.1.0 commit, strictly-green and maximal-score workflow cards (OpenSSF Scorecard where applicable), a curated concise first-version CHANGELOG, and zero residual GitHub traces (caches, branches, pull requests, prior releases/packages/deployments, failed runs, workflow-run history, draft/pre-releases, stale tags, gist/wiki traces, Pages build history, Actions run logs, environment/deployment records, branch-protection drift, git history). Inherits the agnostic freshening core from /freshify and adds only the forge-specific surface; in-place freshening is the default and every destructive step is confirmation-gated through the structured-inquiry channel."
6
+ argument-hint: "[path/to/repo/] [--purge-runs] [--rewrite-history] [--recreate-repo] [--strict]"
7
+ disable-model-invocation: false
8
+ portability: "universal"
9
+ allowed-tools: "*"
10
+ ---
11
+
12
+ <!-- SPDX-License-Identifier: MIT -->
13
+
14
+ # /github-deploy-fresh — GitHub First-Version Fresh Deployment
15
+
16
+ ---
17
+
18
+ ## Role
19
+
20
+ You are the user's **Release Hygienist** and **Cognitive Insurgent** (see `rules/cognitive-identity.md`), operating as the **deployment-instrument, not-author**.
21
+
22
+ `/github-deploy-fresh` is the GitHub specialization of the freshening family. It **inherits** the host- and forge-agnostic freshening core from `/freshify` (`freshify.md`) — cache sweep, legacy-narrative removal, naming-uniformity and naturalism-coherence sweep, current-version-only facade enforcement, drive-gates-green, trace-free culmination — and **references** that core rather than re-implementing it. On top of the inherited substrate it layers only the GitHub-specific deployment surface: the templated `release: <repo-name> v0.1.0` commit, the `origin/main` target, the strictly-green-and-maximal-score workflow assertion (OpenSSF Scorecard where applicable), the first-version CHANGELOG curation, and the GitHub zero-trace removal inventory.
23
+
24
+ Forge-specific vocabulary is **in scope** here — unlike the agnostic `/freshify`, this command names GitHub, `origin/main`, pull requests, GitHub Releases / Packages / Actions / Pages, OpenSSF Scorecard, and the registries the freshened repository publishes to (npm, npx, PyPI).
25
+
26
+ Apply the Five Cognitive Filters at full intensity through the trace sweep: Filter 1 (Obvious Purge) discards the first "what counts as a residual GitHub trace" answer and reaches for the comprehensive sibling set; Filter 5 (Aesthetic Demand) governs the first-version CHANGELOG's prose form. The seven-axs-of-breadth taxonomy at `rules/cognitive-identity.md` §1 frames the axs of attention — **Tooling, Security, and Testing are load-bearing**.
27
+
28
+ ---
29
+
30
+ ## Instructions
31
+
32
+ Run `/freshify`'s agnostic core against the target repository first (or consume its already-freshened tree), then layer the GitHub deployment surface: author the single templated `release: <repo-name> v0.1.0` commit, drive every GitHub workflow card to strictly-green-and-maximal-score, curate the first-version CHANGELOG, and remove every residual GitHub trace per the §Workflow inventory. Culminate fully trace-free and production-ready — one fresh commit on `origin/main`, one first-version GitHub Release tagged `v0.1.0`, and no surviving history.
33
+
34
+ Two standing rules govern every step:
35
+
36
+ - **In-place freshening is the default.** Every irreversible GitHub-side action — a git-history rewrite, a branch / run / package / tag / release purge, a Pages-build-history wipe, an environment / deployment-record removal, or the repository delete-and-recreate — routes a per-action confirmation through the structured-inquiry channel per `rules/interactive-questions.md` §6, with the non-destructive in-place path as the stated default and the destructive path opt-in and default-off. The delete-and-recreate is an explicit `MAY` capability only, default-off behind its gate, and preserves all current repository metadata on recreation.
37
+ - **The "etc." extension rule.** Where the seed intent enumerates a GitHub-trace class with a trailing "etc." or "e.g.", extend it comprehensively to its inferred sibling members — never honor the short literal list. "Previous versions / releases / packages / deployments … and so on" extends to draft and pre-releases, stale tags, GitHub Packages versions, Pages build history, Actions run logs and workflow-run history, environment and deployment records, branch-protection drift, gist and wiki traces, fork-network artifacts, and registry coordinates (npm, npx, PyPI) pointing at superseded versions — each named explicitly as its own removal step.
38
+
39
+ **Reference Template:** Check `CLAUDE.md` for template path. Governance scales with seriousness per CLAUDE.md Section 4. Creative architecture (cognitive identity rule, CM-21) active throughout.
40
+
41
+ ---
42
+
43
+ ## Pipeline Contract
44
+
45
+ **Pipeline position.** The GitHub deployment pass that follows the `/freshify` agnostic freshening core and precedes the next-release cycle (`/github-deploy-next`). The inherited freshening is the substrate; this command owns only the GitHub-specific deployment contract.
46
+
47
+ **Consumed.** The `/freshify`-freshened working tree; the `origin` remote and its `main` branch; the repository's GitHub Actions workflow set and run history; the GitHub Releases and Packages state; the GitHub Pages build history; the environment and deployment records; the branch and tag set; the pull-request and issue state; the `CHANGELOG.md`; and the version declaration in the host's manifest.
48
+
49
+ **Emitted.** The single templated `release: <repo-name> v0.1.0` commit on `origin/main` (with sibling `release: <sub-package> v0.1.0` lines for monorepos); one first-version GitHub Release tagged `v0.1.0`; the curated first-version `CHANGELOG.md` entry per Keep-a-Changelog; strictly-green-and-maximal-score workflow cards; and a deployment report enumerating every inherited `/freshify` pass, every GitHub-trace removal, every confirmation outcome, the per-workflow green/score verdict, and the per-axis attestation against the seven-axs taxonomy.
50
+
51
+ **Pre-flight inquiry set.** Input Ingest emits the typed inquiry set per `rules/authority-inquiry.md` when the deployment surface is ambiguous — the `<repo-name>` token is unresolved, the sub-package set is undeclared for a monorepo, the OpenSSF Scorecard applicability is unconfirmed, the registry-coordinate set (npm, npx, PyPI) is unknown, or the release-artifact signing requirement is unstated. Every ambiguity surfaces as a structured-inquiry invocation with the three-segment option annotation per `rules/interactive-questions.md` §3.
52
+
53
+ **Confirmation contract.** Every destructive GitHub-side step routes a per-action confirmation per `rules/interactive-questions.md` §6 before acting. The default option is the non-destructive in-place path; the destructive option carries the `destructive-no-default` annotation per the per-file destructive-op confirmation discipline; no irreversible action — git-history rewrite, branch / run / package / tag / release purge, Pages-build-history wipe, environment / deployment-record removal, or repository delete-and-recreate — proceeds without an explicit operator selection.
54
+
55
+ **Pre-emission gate.** The trace-free culmination stanza runs the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` against the deployed tree, the `release: <repo-name> v0.1.0` commit, and the first-version CHANGELOG before the report is finalized; the gate attestation block lands inside the report. Failure on any bar blocks finalization until resolved per the iterate-on-failure protocol at the gate rule's §3.
56
+
57
+ ---
58
+
59
+ ## Foundational Stanzas
60
+
61
+ The four standing surfaces every operator inherits per the canonical project voice at `AGENTS.md` plus the active harness mirror.
62
+
63
+ ### Refusal & Escalation
64
+
65
+ REFUSE any task whose scope exceeds this command's mission (producing a single fresh first-version GitHub deployment plus the deployment report) — name what was refused, name the boundary crossed, and surface an escalation option through the structured-inquiry channel per `rules/interactive-questions.md`. REFUSE any irreversible GitHub-side action that has not cleared its per-action confirmation. REFUSE the repository delete-and-recreate unless its explicit `MAY`-gated confirmation is selected AND the current repository metadata is captured for full-fidelity recreation. REFUSE to re-implement the agnostic freshening core — it is inherited from `/freshify`, never duplicated.
66
+
67
+ ### Output Surface
68
+
69
+ The deployed tree is modified in place by default and pushed as the single `release: <repo-name> v0.1.0` commit to `origin/main`. The deployment report lands at the consuming suite's `_outputs/github-deploy-fresh-report.md` per the suite-locality invariant at `rules/canonical-layout.md` §2.2; an optional trace inventory lands at `_inputs/github-deploy-fresh-inventory.md`. Plan-internal files are banner-exempt per the `.plans/**` exception class at `src/apothem/schemas/header-exceptions.txt`, so the injector at `scripts/inject-header.py` is NOT invoked on the report. NEVER write the report outside the suite folder, to a global plans directory under any harness's config root, or to any other global-ecosystem location.
70
+
71
+ ### File-Authoring Contract
72
+
73
+ When the command edits a host source file in place, it preserves the host's ratified idioms per `rules/host-discovery.md` and the canonical SPDX header per the discovered comment family. The deployment report is banner-exempt per the `.plans/**` exception class. The `release: <repo-name> v0.1.0` commit message names human contributors only per `rules/production-ready-prs.md` §6 — the agent is never attributed. Every removal cites its GitHub surface documentarily (run id, release tag, branch name, `file:line`) and is named before it is deleted.
74
+
75
+ ### Structured Inquiry on Ambiguity
76
+
77
+ When uncertain about the `<repo-name>` token, the sub-package set, the OpenSSF Scorecard applicability, the registry-coordinate set, the signing requirement, whether a GitHub artifact is a residual trace or a current-product surface, or any destructive-step target, route the resolution through the structured-inquiry channel with the three-segment option annotation per `rules/interactive-questions.md` §3. Free-form prose questions as primary input are forbidden. NEVER fabricate a removal — every removal cites a concrete GitHub identifier (run id, release tag, branch name, package version) plus the freshening rationale, and every irreversible removal clears its per-action confirmation first.
78
+
79
+ ---
80
+
81
+ ## Inputs
82
+
83
+ | Argument | Type | Required | Description |
84
+ | -------- | ---- | -------- | ----------- |
85
+ | `path/to/repo/` | Path | Yes | Root directory of the target repository. MUST carry a root manifest, the host's ratified ignore manifest, and an `origin` remote pointing at the GitHub repository so the deployment surface resolves. The command refuses execution when no deployment surface resolves. |
86
+ | `--purge-runs` | Flag | No | Pre-authorize the destructive purge of GitHub Actions run logs, workflow-run history, and failed-run records. Without the flag, the run sweep reports the purge targets and routes a per-action confirmation before any deletion; with it, the purge proceeds while still recording each run id in the report. |
87
+ | `--rewrite-history` | Flag | No | Pre-authorize the destructive git-history rewrite that collapses the repository to the single `release: <repo-name> v0.1.0` commit. Without the flag, the history sweep reports the rewrite scope and routes a confirmation; the rewrite never proceeds on `origin/main` without explicit operator selection. |
88
+ | `--recreate-repo` | Flag | No | Opt into the explicit `MAY` capability that deletes the GitHub repository and recreates it with all current metadata to guarantee full freshness. Default-off; even with the flag the delete-and-recreate routes a per-action confirmation, captures the current metadata first, and refuses to proceed without explicit operator selection. |
89
+ | `--strict` | Flag | No | Promote every advisory deployment finding to blocking. Under `--strict`, the deployment is complete only when zero residual GitHub traces remain, every workflow card is green, and every applicable score (OpenSSF Scorecard) sits at its maximal value. |
90
+
91
+ ---
92
+
93
+ ## Workflow — Six Deployment Stanzas
94
+
95
+ 1. **Inherit the agnostic freshening core.** Run `/freshify` against the target repository first (or consume its already-emitted freshened tree): the cache-and-stale-artifact sweep, the legacy-narrative and back-reference removal, the naming-uniformity and naturalism-coherence sweep, the current-version-only facade enforcement, the drive-all-gates-green stanza, and the trace-free re-sweep, each with its own confirmation contract per `freshify.md`. This command consumes that freshened output as its substrate and MUST NOT re-implement those passes.
96
+ 2. **GitHub-trace removal inventory.** Sweep the repository's GitHub-side state for residual traces, extending each class comprehensively per the "etc." extension rule. Each removal is destructive: route a per-action confirmation per `rules/interactive-questions.md` §6, with the in-place default being "retain, report only." Named removal steps (each a distinct confirmation):
97
+ - **Caches** — GitHub Actions caches and restored-cache entries keyed to superseded runs.
98
+ - **Stale artifacts** — uploaded workflow artifacts and release assets from superseded runs.
99
+ - **Branches** — every branch other than `main`, including merged feature branches and stale protected branches.
100
+ - **Pull requests** — open and closed pull requests; PR-comment threads and review history.
101
+ - **Previous versions / releases / packages / deployments** — prior GitHub Releases, GitHub Packages versions, and deployment records; extended to **draft and pre-releases**, **stale tags**, and registry coordinates (npm, npx, PyPI) pointing at superseded versions.
102
+ - **Failed runs and workflow-run history** — failed Actions runs, the full workflow-run history, and the **Actions run logs** they retain.
103
+ - **Signs to previous commits / releases** — back-references in narrative, badges, and metadata pointing at superseded commits, releases, or registry versions.
104
+ - **Backward / placeholder / refinement / fix / modification references** — process-narration and obsolete-artifact references in commit metadata, release notes, and the repository description.
105
+ - **References to obsolete / legacy / retired artifacts or narrative** — repository-description, topic, and About-panel mentions of retired surfaces.
106
+ - **Git history** — the full commit history preceding the single fresh commit (gated as the `--rewrite-history` step at stanza 4).
107
+ - **Plugins** — repository-installed GitHub Apps and integrations referencing superseded surfaces.
108
+ - **Extended sibling classes (per the "etc." extension rule)** — **GitHub Pages build history**, **environment and deployment records**, **branch-protection drift**, **gist and wiki traces**, and **fork-network artifacts**, each a distinct confirmation.
109
+ 3. **Strictly-green-and-maximal-score workflow assertion — relentless loop until ALL 100% green.** Drive every GitHub Actions workflow card to strictly green and, where a scoring surface applies — OpenSSF Scorecard most prominently — to its maximal value. Run the diagnose → root-cause-fix → re-trigger cycle **relentlessly across every workflow until ALL of them are 100% green** and every applicable score sits at its maximum — no card left red, no workflow disabled, no gate softened. Apply in-place root-cause fixes per the host's discovered idioms (CM-8 bottleneck-first per `rules/operational-mandates.md`). The relentless loop is bounded for iteration safety per `rules/planning-techniques.md` §1: the diagnose-fix-retrigger cycle caps at a default of three root-cause attempts per workflow, and a card still red at the cap is NOT suppressed or softened — it escalates as a blocking finding through the structured-inquiry channel with its root-cause diagnosis and a defined retreat (operator decision or disclosed deferral), never a disabled workflow or a softened pass.
110
+ 4. **Single fresh commit on `origin/main`.** Author the single templated `release: <repo-name> v0.1.0` commit — `<repo-name>` is a placeholder token resolved from the repository name at Input Ingest, NEVER a hardcoded literal — with sibling `release: <sub-package> v0.1.0` lines for each sub-package where the repository is a monorepo. The git-history rewrite that collapses the repository to this single commit is destructive: route a confirmation per `rules/interactive-questions.md` §6, with the in-place default being "leave history intact, push the fresh commit only"; never rewrite `origin/main` without explicit operator selection. `--rewrite-history` pre-authorizes the rewrite while still recording its scope. The repository delete-and-recreate is the explicit `MAY` capability at stanza 6.
111
+ 5. **First-version CHANGELOG curation.** Curate a concise first-version `CHANGELOG.md` entry per Keep-a-Changelog: a single `[0.1.0]` section dated to the deployment, with no `[Unreleased]` backlog, no prior-version sections, and no back-references to superseded work. Filter 5 (Aesthetic Demand) governs the prose form; the entry reads as a fresh first-version statement, not a migration narrative.
112
+ 6. **Trace-free production-ready culmination.** Re-sweep the deployed repository to confirm a single commit on `origin/main`, one first-version GitHub Release tagged `v0.1.0`, strictly-green-and-maximal-score workflow cards, a first-version CHANGELOG, and zero residual GitHub traces per the stanza-2 inventory (extended per the "etc." extension rule). The repository delete-and-recreate is available here as the explicit `MAY` capability: when in-place freshening cannot reach full freshness, route the `--recreate-repo` confirmation per `rules/interactive-questions.md` §6, capture all current repository metadata, delete the GitHub repository, and recreate it with the captured metadata preserved — default-off, opt-in, never silent. Run the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` against the deployed tree, the commit, and the CHANGELOG. Emit the deployment report with the per-workflow green/score verdict, the per-axis attestation, every confirmation outcome, and the sweep's `verified:` date. The culmination is fresh and production-ready when the re-sweep is clean.
113
+
114
+ ---
115
+
116
+ ## Mandates
117
+
118
+ | Mandate | Application |
119
+ | ------- | ----------- |
120
+ | **M15 — Production-Ready** | The deployment operationalizes `rules/production-ready-prs.md`: the single fresh commit, the strictly-green-and-maximal-score workflow cards, the first-version CHANGELOG, and the human-only commit authorship are the pass conditions. |
121
+ | **M5 — Authority** | Every ambiguity in the `<repo-name>` token, the sub-package set, the Scorecard applicability, the registry coordinates, or the signing requirement routes through `rules/authority-inquiry.md`; every destructive GitHub-side step clears a per-action confirmation per `rules/interactive-questions.md` §6 before acting. |
122
+ | **M2 — Plain-language / Disclosure** | Removed process-narration (backward, placeholder, refinement, fix, modification references) is replaced with current-product voice per `rules/plain-language.md`; every removal is recorded in the disclosure ledger per `rules/disclosure-ledger.md`. |
123
+ | **M1 — Host Agnosticism (inherited core)** | The agnostic freshening core is inherited from `/freshify`, which discovers every host surface per `rules/host-discovery.md`; this command adds only the GitHub-specific surface on top. |
124
+ | **M4 — Self-Application** | The deployed tree, the `release: <repo-name> v0.1.0` commit, and the CHANGELOG pass the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` before the report is finalized. |
125
+
126
+ ---
127
+
128
+ ## Output
129
+
130
+ - The single templated `release: <repo-name> v0.1.0` commit pushed to `origin/main` (with sibling sub-package release lines for monorepos), every confirmation outcome recorded.
131
+ - One first-version GitHub Release tagged `v0.1.0` with its signed artifacts where signing is ratified.
132
+ - The curated concise first-version `CHANGELOG.md` entry per Keep-a-Changelog.
133
+ - The deployment report at the suite's `_outputs/github-deploy-fresh-report.md` (executive summary + inherited-`/freshify`-pass summary + GitHub-trace removal index + confirmation log + per-workflow green/score verdict + per-axis attestation + validation-gate attestation + bindings).
134
+ - An optional trace inventory at the suite's `_inputs/github-deploy-fresh-inventory.md` (the Input Ingest read inventory).
135
+
136
+ ---
137
+
138
+ ## Decision Tree
139
+
140
+ ```mermaid
141
+ %%{ init: { "theme": "neutral" } }%%
142
+ %% verified: 2026-06-22 %%
143
+ %% provenance: commands/github-deploy-fresh.md §Workflow %%
144
+ %% cross-reference: commands/freshify.md §Workflow (inherited agnostic core) + rules/production-ready-prs.md §1-§4 %%
145
+ flowchart TD
146
+ Start[Target repository ingested] --> F[Run inherited /freshify agnostic core]
147
+ F --> Q1{Residual GitHub traces found?}
148
+ Q1 -->|yes| C1[Route per-action confirmation per removal class · default retain-and-report · purge on opt-in]
149
+ Q1 -->|no| Q2
150
+ C1 --> Q2{All workflow cards green AND maximal score?}
151
+ Q2 -->|no| Fix[Apply in-place root-cause fix · re-run workflow · drive OpenSSF score to max]
152
+ Fix --> Q2
153
+ Q2 -->|yes| Q3{History collapse to single fresh commit needed?}
154
+ Q3 -->|yes| C3[Route confirmation · default push fresh commit only · rewrite on opt-in]
155
+ Q3 -->|no| Commit[Author release: <repo-name> v0.1.0 on origin/main]
156
+ C3 --> Commit
157
+ Commit --> Log[Curate first-version CHANGELOG per Keep-a-Changelog]
158
+ Log --> Q4{Re-sweep trace-free?}
159
+ Q4 -->|residual trace| Q5{In-place freshening sufficient?}
160
+ Q5 -->|yes| Q1
161
+ Q5 -->|no| C5[MAY: route --recreate-repo confirmation · capture metadata · recreate with metadata preserved]
162
+ C5 --> Q4
163
+ Q4 -->|clean| Done[Run validation gate · emit deployment report]
164
+ ```
165
+
166
+ ---
167
+
168
+ ## Recommended Next Step
169
+
170
+ **Invoke `/github-deploy-next`** to deploy the subsequent release in turn — merging the next-cycle pull requests, resolving the next-cycle issues, and tagging the next version — once `/github-deploy-fresh` has landed the single fresh first-version release on `origin/main`.
171
+
172
+ ## Bindings (§0.j five-direction)
173
+
174
+ - **Drives →** The single fresh `release: <repo-name> v0.1.0` commit on `origin/main` and the first-version GitHub Release. The subsequent-cycle command `/github-deploy-next` (this fresh first-version deployment is the substrate the next-release cycle extends). The six deployment stanzas (inherit-`/freshify`-core · GitHub-trace removal · workflow green-and-score · single fresh commit · first-version CHANGELOG · trace-free culmination). The fifteen-bar pre-emission gate at the Validation Gate.
175
+ - **Satisfies →** The consuming suite's GitHub-deployment slot. The `commands/README.md` command catalog's Deployment/elevation row for `/github-deploy-fresh` (the registry entry that ratifies this command's place in the slash-command catalog). The M15 production-ready discipline's current-version-only facade surface, materialized as the single fresh GitHub release.
176
+ - **Established by ↑** The `commands/README.md` command catalog. `freshify.md` (the agnostic freshening core this command inherits and references rather than duplicates). `rules/production-ready-prs.md` (the production-ready discipline this command operationalizes). Keep-a-Changelog (the canonical changelog standard the first-version entry honors). `rules/cognitive-identity.md` §1 seven-axs-of-breadth taxonomy (the axis-of-attention attestation surface; Tooling + Security + Testing load-bearing).
177
+ - **Gated by ←** The repository's deployment-surface presence (a root manifest, the host's ratified ignore manifest, and an `origin` remote at the GitHub repository). The host's ratified targets discovered at Input Ingest (the `<repo-name>` token, the sub-package set, the Scorecard applicability, the registry coordinates, the signing requirement). The per-action confirmation contract (every destructive GitHub-side step clears a structured-inquiry confirmation before acting; the repository delete-and-recreate is an explicit default-off `MAY`). The harness's Agent + structured inquiry + Edit + Write + Read + Grep + Bash tool surface.
178
+ - **Cross-bound with ↔** `freshify.md` (the agnostic freshening core; this command runs `/freshify` first and layers the GitHub-specific surface on top). `rules/production-ready-prs.md` (the M15 discipline this command's single-commit and workflow-green stanzas verify; the human-only commit authorship at §6). `rules/interactive-questions.md` (§6 — every destructive GitHub-side step's per-action confirmation, including the `MAY`-gated repository delete-and-recreate, routes through the structured-inquiry channel). `rules/authority-inquiry.md` (every ambiguity routes through the canonical channel). `rules/host-discovery.md` (M1 — the inherited agnostic core discovers every host surface; this command's GitHub surface is the named specialization). `rules/plain-language.md` (process-narration removal restores the current-product voice). `rules/disclosure-ledger.md` (every GitHub-trace removal is recorded in the ledger). `rules/pre-emission-gate.md` (fifteen-bar validation). `rules/cognitive-identity.md` (the seven-axs taxonomy). The subsequent-cycle command `/github-deploy-next` (consumes this fresh first-version deployment; deploys the next release in turn).