@arthai/agents 1.0.5 → 1.0.6

package/dist/plugins/prime/hooks/post-server-crash-watch.sh

@@ -0,0 +1,120 @@
+#!/bin/bash
+# PostToolUse hook (Bash): Detect server start commands and check for crash loops.
+# After a server start is detected, waits briefly then verifies the process is
+# still running and the port is responding. Catches services that start then die.
+#
+# stdout is injected as context.
+
+set -euo pipefail
+
+COMMAND="${CLAUDE_TOOL_INPUT_COMMAND:-}"
+if [ -z "$COMMAND" ] && [ -n "${CLAUDE_TOOL_INPUT:-}" ]; then
+    COMMAND=$(echo "$CLAUDE_TOOL_INPUT" | python3 -c "import json,sys; print(json.load(sys.stdin).get('command',''))" 2>/dev/null) || true
+fi
+
+[ -z "$COMMAND" ] && exit 0
+
+# Only check commands that ran successfully
+EXIT_CODE="${CLAUDE_TOOL_RESULT_EXIT_CODE:-0}"
+[ "$EXIT_CODE" != "0" ] && exit 0
+
+# ---------------------------------------------------------------------------
+# Detect server start commands and extract ports
+# ---------------------------------------------------------------------------
+
+PORT=""
+SERVICE=""
+
+# npm/pnpm/yarn dev/start
+if echo "$COMMAND" | grep -qE '\b(npm|pnpm|yarn)\s+run\s+(dev|start|serve)\b'; then
+    PORT=$(echo "$COMMAND" | grep -oE '\-\-port\s+([0-9]+)' | awk '{print $2}')
+    PORT="${PORT:-3000}"
+    SERVICE="Node.js dev server"
+fi
+
+# next dev
+if echo "$COMMAND" | grep -qE '\bnext\s+dev\b'; then
+    PORT=$(echo "$COMMAND" | grep -oE '\-\-port\s+([0-9]+)' | awk '{print $2}')
+    PORT="${PORT:-3000}"
+    SERVICE="Next.js dev server"
+fi
+
+# uvicorn
+if echo "$COMMAND" | grep -qE '\buvicorn\b'; then
+    PORT=$(echo "$COMMAND" | grep -oE '\-\-port\s+([0-9]+)' | awk '{print $2}')
+    PORT="${PORT:-8000}"
+    SERVICE="Uvicorn"
+fi
+
+# gunicorn
+if echo "$COMMAND" | grep -qE '\bgunicorn\b'; then
+    PORT=$(echo "$COMMAND" | grep -oE '\-b\s+[^:]+:([0-9]+)' | grep -oE '[0-9]+$')
+    if [ -z "$PORT" ]; then
+        PORT=$(echo "$COMMAND" | grep -oE '\-\-bind\s+[^:]+:([0-9]+)' | grep -oE '[0-9]+$')
+    fi
+    PORT="${PORT:-8000}"
+    SERVICE="Gunicorn"
+fi
+
+# flask run
+if echo "$COMMAND" | grep -qE '\bflask\s+run\b'; then
+    PORT=$(echo "$COMMAND" | grep -oE '\-\-port\s+([0-9]+)' | awk '{print $2}')
+    PORT="${PORT:-5000}"
+    SERVICE="Flask"
+fi
+
+# docker compose up
+if echo "$COMMAND" | grep -qE '\bdocker\s+compose\s+up\b'; then
+    SERVICE="Docker Compose services"
+    # For docker compose, check container status instead of port
+    sleep 8
+    down_containers=$(docker compose ps --format '{{.Name}} {{.Status}}' 2>/dev/null | grep -viE 'Up|running' | head -5) || true
+    if [ -n "$down_containers" ]; then
+        echo "CRASH DETECTED — Docker containers not healthy after 8s:"
+        echo "$down_containers"
+        echo "Check logs: docker compose logs --tail=30"
+    fi
+    exit 0
+fi
+
+# rails server
+if echo "$COMMAND" | grep -qE '\brails\s+s(erver)?\b'; then
+    PORT=$(echo "$COMMAND" | grep -oE '\-p\s+([0-9]+)' | awk '{print $2}')
+    PORT="${PORT:-3000}"
+    SERVICE="Rails server"
+fi
+
+# No server start detected
+[ -z "$SERVICE" ] && exit 0
+[ -z "$PORT" ] && exit 0
+
+# ---------------------------------------------------------------------------
+# Wait and check for crash loop
+# ---------------------------------------------------------------------------
+
+sleep 8
+
+# Check if process is still listening on the port
+pid=$(lsof -ti:"$PORT" 2>/dev/null | head -1) || true
+
+if [ -z "$pid" ]; then
+    echo "CRASH DETECTED — $SERVICE (port $PORT) is no longer running after 8s."
+    echo "The process started but has since exited. Check the terminal output for errors."
+    echo "Common causes: missing env vars, port conflict, dependency errors, syntax errors."
+    exit 0
+fi
+
+# Process is alive — try a quick HTTP health check
+http_status=$(timeout 5 curl -sf -o /dev/null -w "%{http_code}" "http://localhost:$PORT/" 2>/dev/null) || http_status="no_response"
+
+if [ "$http_status" = "no_response" ]; then
+    # Process exists but not responding to HTTP — might be starting up or non-HTTP
+    echo "$SERVICE (port $PORT): process alive (PID $pid) but not responding to HTTP yet. May still be starting."
+elif echo "$http_status" | grep -qE '^[2345]'; then
+    # Any HTTP response means the server is up
+    : # Silent success — don't spam on healthy starts
+else
+    echo "$SERVICE (port $PORT): process alive but returned HTTP $http_status."
+fi
+
+exit 0

package/dist/plugins/prime/hooks/pre-server-port-guard.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+# PreToolUse hook (Bash): Check port availability before server start commands.
+# Detects server start commands and warns if the target port is already occupied
+# by an unexpected process.
+#
+# Exit 0  = allow the command
+# Exit 2  = block the command (stdout shown as reason)
+# stdout  = injected as context (warnings)
+
+set -euo pipefail
+
+COMMAND="${CLAUDE_TOOL_INPUT_COMMAND:-}"
+if [ -z "$COMMAND" ] && [ -n "${CLAUDE_TOOL_INPUT:-}" ]; then
+    COMMAND=$(echo "$CLAUDE_TOOL_INPUT" | python3 -c "import json,sys; print(json.load(sys.stdin).get('command',''))" 2>/dev/null) || true
+fi
+
+[ -z "$COMMAND" ] && exit 0
+
+# ---------------------------------------------------------------------------
+# Detect server start commands and extract ports
+# ---------------------------------------------------------------------------
+
+declare -a PORTS=()
+
+# npm/pnpm/yarn dev/start — default port 3000 unless --port specified
+if echo "$COMMAND" | grep -qE '\b(npm|pnpm|yarn)\s+run\s+(dev|start|serve)\b'; then
+    port=$(echo "$COMMAND" | grep -oE '\-\-port\s+([0-9]+)' | awk '{print $2}')
+    if [ -z "$port" ]; then
+        port=$(echo "$COMMAND" | grep -oE '\bp(ort)?\s*=?\s*([0-9]{4,5})' | grep -oE '[0-9]+')
+    fi
+    PORTS+=("${port:-3000}")
+fi
+
+# next dev — default port 3000
+if echo "$COMMAND" | grep -qE '\bnext\s+dev\b'; then
+    port=$(echo "$COMMAND" | grep -oE '\-\-port\s+([0-9]+)' | awk '{print $2}')
+    PORTS+=("${port:-3000}")
+fi
+
+# vite — default port 5173
+if echo "$COMMAND" | grep -qE '\bvite\b' && ! echo "$COMMAND" | grep -qE '\bvite\s+build\b'; then
+    port=$(echo "$COMMAND" | grep -oE '\-\-port\s+([0-9]+)' | awk '{print $2}')
+    PORTS+=("${port:-5173}")
+fi
+
+# uvicorn — default port 8000
+if echo "$COMMAND" | grep -qE '\buvicorn\b'; then
+    port=$(echo "$COMMAND" | grep -oE '\-\-port\s+([0-9]+)' | awk '{print $2}')
+    PORTS+=("${port:-8000}")
+fi
+
+# gunicorn — default port 8000
+if echo "$COMMAND" | grep -qE '\bgunicorn\b'; then
+    port=$(echo "$COMMAND" | grep -oE '\-b\s+[^:]+:([0-9]+)' | grep -oE '[0-9]+$')
+    if [ -z "$port" ]; then
+        port=$(echo "$COMMAND" | grep -oE '\-\-bind\s+[^:]+:([0-9]+)' | grep -oE '[0-9]+$')
+    fi
+    PORTS+=("${port:-8000}")
+fi
+
+# flask run — default port 5000
+if echo "$COMMAND" | grep -qE '\bflask\s+run\b'; then
+    port=$(echo "$COMMAND" | grep -oE '\-\-port\s+([0-9]+)' | awk '{print $2}')
+    PORTS+=("${port:-5000}")
+fi
+
+# docker compose up — check compose file for ports
+if echo "$COMMAND" | grep -qE '\bdocker\s+compose\s+up\b'; then
+    PROJECT_DIR="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+    if [ -f "$PROJECT_DIR/docker-compose.yml" ]; then
+        # Extract host ports from ports: mappings (e.g., "3000:3000", "5432:5432")
+        compose_ports=$(grep -oE '^\s*-\s*"?([0-9]+):' "$PROJECT_DIR/docker-compose.yml" 2>/dev/null | grep -oE '[0-9]+' | head -5) || true
+        for p in $compose_ports; do
+            PORTS+=("$p")
+        done
+    fi
+fi
+
+# rails server — default port 3000
+if echo "$COMMAND" | grep -qE '\brails\s+s(erver)?\b'; then
+    port=$(echo "$COMMAND" | grep -oE '\-p\s+([0-9]+)' | awk '{print $2}')
+    PORTS+=("${port:-3000}")
+fi
+
+# go run with -addr or explicit port
+if echo "$COMMAND" | grep -qE '\bgo\s+run\b'; then
+    port=$(echo "$COMMAND" | grep -oE ':([0-9]{4,5})' | head -1 | tr -d ':')
+    [ -n "$port" ] && PORTS+=("$port")
+fi
+
+# No server command detected
+[ ${#PORTS[@]} -eq 0 ] && exit 0
+
+# ---------------------------------------------------------------------------
+# Check each port for conflicts
+# ---------------------------------------------------------------------------
+
+for port in "${PORTS[@]}"; do
+    [ -z "$port" ] && continue
+
+    pid=$(lsof -ti:"$port" 2>/dev/null | head -1) || true
+    if [ -n "$pid" ]; then
+        proc_name=$(ps -p "$pid" -o comm= 2>/dev/null) || proc_name="unknown"
+        echo "PORT CONFLICT — port $port is already in use by $proc_name (PID $pid)."
+        echo "Kill it first: lsof -ti:$port | xargs kill -9"
+        echo "Or use a different port."
+    fi
+done
+
+exit 0

package/dist/plugins/prime/hooks/project-setup.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+# hooks/project-setup.sh — SessionStart hook: first-run project setup for marketplace installs.
+#
+# Runs on every SessionStart. Checks for marker file .claude/.toolkit-setup-done.
+# If missing (or version is stale): creates CLAUDE.md from template, injects managed block,
+# updates .gitignore with toolkit markers.
+#
+# Templates are read from ${CLAUDE_PLUGIN_ROOT}/templates/ (bundled with the plugin).
+
+set -euo pipefail
+
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-}"
+MARKER_FILE="$PROJECT_DIR/.claude/.toolkit-setup-done"
+
+# Exit silently if CLAUDE_PLUGIN_ROOT is not set (not running from a plugin context)
+if [ -z "$PLUGIN_ROOT" ]; then
+    exit 0
+fi
+
+TEMPLATES_DIR="$PLUGIN_ROOT/templates"
+TEMPLATE_CLAUDE="$TEMPLATES_DIR/CLAUDE.md.template"
+TEMPLATE_BLOCK="$TEMPLATES_DIR/CLAUDE.md.managed-block"
+
+# Exit silently if templates are not bundled
+if [ ! -f "$TEMPLATE_CLAUDE" ] || [ ! -f "$TEMPLATE_BLOCK" ]; then
+    exit 0
+fi
+
+# Read toolkit version from VERSION file (bundled alongside plugin)
+TOOLKIT_VERSION="0.0.0"
+if [ -f "$PLUGIN_ROOT/VERSION" ]; then
+    TOOLKIT_VERSION=$(cat "$PLUGIN_ROOT/VERSION" 2>/dev/null | tr -d '[:space:]' || echo "0.0.0")
+fi
+
+MANAGED_START="<!-- >>> claude-agents toolkit (DO NOT EDIT THIS BLOCK) >>> -->"
+MANAGED_END="<!-- <<< claude-agents toolkit <<< -->"
+GITIGNORE_START="# >>> claude-agents managed (DO NOT EDIT THIS BLOCK) >>>"
+
+# Check marker file — skip if current version is already set up
+if [ -f "$MARKER_FILE" ]; then
+    STORED_VERSION=$(cat "$MARKER_FILE" 2>/dev/null | tr -d '[:space:]' || echo "")
+    if [ "$STORED_VERSION" = "$TOOLKIT_VERSION" ]; then
+        exit 0
+    fi
+fi
+
+CLAUDE_MD="$PROJECT_DIR/CLAUDE.md"
+GITIGNORE="$PROJECT_DIR/.gitignore"
+
+# 1. Create CLAUDE.md from template if it doesn't exist (never overwrite existing)
+if [ ! -f "$CLAUDE_MD" ]; then
+    PROJECT_NAME=$(basename "$PROJECT_DIR")
+    sed "s/{{PROJECT_NAME}}/$PROJECT_NAME/g" "$TEMPLATE_CLAUDE" > "$CLAUDE_MD"
+fi
+
+# 2. Inject managed block into CLAUDE.md if missing, or update if version is stale
+if [ -f "$CLAUDE_MD" ]; then
+    BLOCK_CONTENT=$(cat "$TEMPLATE_BLOCK")
+    NEW_BLOCK=$(printf '%s\n<!-- version: %s -->\n%s\n%s' \
+        "$MANAGED_START" "$TOOLKIT_VERSION" "$BLOCK_CONTENT" "$MANAGED_END")
+
+    if ! grep -qF "$MANAGED_START" "$CLAUDE_MD"; then
+        # Block missing — append it
+        printf '\n\n%s\n' "$NEW_BLOCK" >> "$CLAUDE_MD"
+    else
+        # Block exists — update if version changed
+        EXISTING_VERSION=$(grep -o '<!-- version: [^>]* -->' "$CLAUDE_MD" 2>/dev/null | head -1 | sed 's/<!-- version: //;s/ -->//' | tr -d '[:space:]' || echo "")
+        if [ "$EXISTING_VERSION" != "$TOOLKIT_VERSION" ]; then
+            # Replace block contents between markers
+            tmp=$(mktemp)
+            in_block=false
+            wrote_block=false
+            while IFS= read -r line; do
+                if echo "$line" | grep -qF "$MANAGED_START"; then
+                    in_block=true
+                    printf '%s\n' "$NEW_BLOCK" >> "$tmp"
+                    wrote_block=true
+                    continue
+                fi
+                if echo "$line" | grep -qF "$MANAGED_END"; then
+                    in_block=false
+                    continue
+                fi
+                if ! $in_block; then
+                    echo "$line" >> "$tmp"
+                fi
+            done < "$CLAUDE_MD"
+            mv "$tmp" "$CLAUDE_MD"
+        fi
+    fi
+fi
+
+# 3. Update .gitignore with toolkit marker block if missing
+if [ ! -f "$GITIGNORE" ] || ! grep -qF "$GITIGNORE_START" "$GITIGNORE" 2>/dev/null; then
+    GITIGNORE_BLOCK=$(printf '%s\n.claude/.toolkit-last-seen-sha\n.claude/.toolkit-setup-done\n.claude/.claude-agents.conf\n%s' \
+        "$GITIGNORE_START" "# <<< claude-agents managed <<<")
+    if [ ! -f "$GITIGNORE" ]; then
+        printf '%s\n' "$GITIGNORE_BLOCK" > "$GITIGNORE"
+    else
+        printf '\n\n%s\n' "$GITIGNORE_BLOCK" >> "$GITIGNORE"
+    fi
+fi
+
+# 4. Write marker file with current version
+mkdir -p "$PROJECT_DIR/.claude"
+printf '%s\n' "$TOOLKIT_VERSION" > "$MARKER_FILE"
+
+exit 0

package/dist/plugins/prime/hooks/sync-agents.sh

@@ -22,8 +22,9 @@ if [ ! -d "$AGENTS_DIR/.git" ]; then
     exit 0
 fi
 
-# Exit silently if no license
-if [ ! -f "$LICENSE_FILE" ]; then
+# Exit silently if no license found in any path
+ARTHAI_LICENSE_PATH="$REAL_HOME/.arthai/license"
+if [ ! -f "$LICENSE_FILE" ] && [ ! -f "$ARTHAI_LICENSE_PATH" ] && [ -z "${ARTHAI_LICENSE_KEY:-}" ]; then
     exit 0
 fi
 
@@ -108,6 +109,27 @@ fi
 
 # --- Step 2: Check license (with revocation enforcement) ---
 NOW=$(date +%s)
+WORKER_URL="https://license-worker.muddassar-shaikh.workers.dev"
+
+# Resolve license key: ~/.claude-agents/.license takes priority (existing clone-install users),
+# fall back to ~/.arthai/license (npm activate users).
+ARTHAI_LICENSE_KEY_VALUE="${ARTHAI_LICENSE_KEY:-}"
+RESOLVED_KEY=""
+if [ -n "$ARTHAI_LICENSE_KEY_VALUE" ]; then
+    RESOLVED_KEY="$ARTHAI_LICENSE_KEY_VALUE"
+elif [ -f "$LICENSE_FILE" ]; then
+    RESOLVED_KEY=$(cat "$LICENSE_FILE" 2>/dev/null | tr -d '[:space:]' || echo "")
+elif [ -f "$REAL_HOME/.arthai/license" ]; then
+    RESOLVED_KEY=$(cat "$REAL_HOME/.arthai/license" 2>/dev/null | tr -d '[:space:]' || echo "")
+fi
+
+# Validate key format before using it in any JSON payload — prevents JSON injection
+# via a crafted key value in the env var or license file.
+KEY_FORMAT='^ARTH-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$'
+if [ -n "$RESOLVED_KEY" ] && ! echo "$RESOLVED_KEY" | grep -qE "$KEY_FORMAT"; then
+    # Key has invalid format — don't use it for Worker call or local check
+    RESOLVED_KEY=""
+fi
 
 # Detect if authorized-keys.txt changed in the pull — force re-check if so
 AK_HASH_FILE="$AGENTS_DIR/.ak-hash"
@@ -128,6 +150,49 @@ fi
 # Store current hash for next comparison
 [ -n "$AK_CURRENT_HASH" ] && echo "$AK_CURRENT_HASH" > "$AK_HASH_FILE" 2>/dev/null || true
 
+# validate_with_worker: call Worker /validate with the resolved key.
+# Sets WORKER_RESULT: "valid", "invalid" (definitive), or "network_error".
+validate_with_worker() {
+    local key="$1"
+    if [ -z "$key" ]; then
+        WORKER_RESULT="invalid"
+        return
+    fi
+
+    local payload="{\"key\":\"$key\"}"
+    local response
+    local curl_exit
+
+    # Pass payload via stdin (--data @-) so the key is not visible in the process list
+    response=$(printf '%s' "$payload" | curl \
+        --silent \
+        --max-time 10 \
+        --connect-timeout 5 \
+        --request POST \
+        --header "Content-Type: application/json" \
+        --data "@-" \
+        "$WORKER_URL/validate" 2>/dev/null)
+    curl_exit=$?
+
+    if [ $curl_exit -ne 0 ] || [ -z "$response" ]; then
+        WORKER_RESULT="network_error"
+        return
+    fi
+
+    # Parse "valid" field from JSON — minimal grep-based parse, no jq dependency
+    local valid_field
+    valid_field=$(echo "$response" | grep -o '"valid"[[:space:]]*:[[:space:]]*[a-z]*' | head -1 | grep -o '[a-z]*$')
+
+    if [ "$valid_field" = "true" ]; then
+        WORKER_RESULT="valid"
+    elif [ "$valid_field" = "false" ]; then
+        WORKER_RESULT="invalid"
+    else
+        # Unexpected response format — treat as network error (fail safe)
+        WORKER_RESULT="network_error"
+    fi
+}
+
 LICENSE_VALID=true
 if [ -f "$LICENSE_CACHE" ]; then
     LAST_CHECK=$(cat "$LICENSE_CACHE" 2>/dev/null || echo "0")
@@ -136,19 +201,41 @@ if [ -f "$LICENSE_CACHE" ]; then
         # Cache is fresh, skip validation
         :
     else
-        # Re-validate
-        if ! "$AGENTS_DIR/install.sh" --check-license-only 2>/dev/null; then
+        # Re-validate: try Worker first, fall back to local only on network error
+        validate_with_worker "$RESOLVED_KEY"
+        if [ "$WORKER_RESULT" = "valid" ]; then
+            echo "$NOW" > "$LICENSE_CACHE"
+        elif [ "$WORKER_RESULT" = "invalid" ]; then
+            # Worker says definitively invalid — no local fallback, clear cache
+            rm -f "$LICENSE_CACHE" 2>/dev/null || true
             LICENSE_VALID=false
         else
-            echo "$NOW" > "$LICENSE_CACHE"
+            # Network error — fall back to local authorized-keys.txt check
+            echo "License server unavailable. Retrying with local validation..." >&2
+            if ! "$AGENTS_DIR/install.sh" --check-license-only 2>/dev/null; then
+                LICENSE_VALID=false
+            else
+                echo "$NOW" > "$LICENSE_CACHE"
+            fi
         fi
     fi
 else
-    # First check (or cache was invalidated by AK change)
-    if ! "$AGENTS_DIR/install.sh" --check-license-only 2>/dev/null; then
+    # First check (or cache was invalidated by AK change): try Worker first
+    validate_with_worker "$RESOLVED_KEY"
+    if [ "$WORKER_RESULT" = "valid" ]; then
+        echo "$NOW" > "$LICENSE_CACHE"
+    elif [ "$WORKER_RESULT" = "invalid" ]; then
+        # Worker says definitively invalid — no local fallback, ensure cache stays clear
+        rm -f "$LICENSE_CACHE" 2>/dev/null || true
         LICENSE_VALID=false
     else
-        echo "$NOW" > "$LICENSE_CACHE"
+        # Network error — fall back to local authorized-keys.txt check
+        echo "License server unavailable. Retrying with local validation..." >&2
+        if ! "$AGENTS_DIR/install.sh" --check-license-only 2>/dev/null; then
+            LICENSE_VALID=false
+        else
+            echo "$NOW" > "$LICENSE_CACHE"
+        fi
     fi
 fi
 
@@ -182,12 +269,12 @@ if ! $LICENSE_VALID; then
 
         # Remove CLAUDE.md managed block
         CLAUDEMD="$PROJECT_DIR/CLAUDE.md"
-        if [ -f "$CLAUDEMD" ] && grep -qF "<!-- >>> claude-agents toolkit -->" "$CLAUDEMD" 2>/dev/null; then
+        if [ -f "$CLAUDEMD" ] && grep -qF "<!-- >>> claude-agents toolkit (DO NOT EDIT THIS BLOCK) >>> -->" "$CLAUDEMD" 2>/dev/null; then
             tmp=$(mktemp)
             in_block=false
             skip_next_blank=false
             while IFS= read -r line; do
-                if echo "$line" | grep -qF "<!-- >>> claude-agents toolkit -->"; then
+                if echo "$line" | grep -qF "<!-- >>> claude-agents toolkit (DO NOT EDIT THIS BLOCK) >>> -->"; then
                     in_block=true
                     continue
                 fi
@@ -218,8 +305,8 @@ if ! $LICENSE_VALID; then
         rm -f "$LICENSE_CACHE" 2>/dev/null || true
     fi
 
-    echo "⚠ License revoked. Toolkit has been disabled for this project."
-    echo "  Contact support to renew your license."
+    echo "Invalid license key. Toolkit has been disabled for this project."
+    echo "  Check your key or get one at arthai.dev/pricing"
     exit 0
 fi
 

package/dist/plugins/prime/templates/CLAUDE.md.managed-block

@@ -0,0 +1,123 @@
+## Engineering Principles (MANDATORY — applies to ALL work)
+
+### Research Before Fixing
+- **Never guess.** Before changing code, read the relevant source files, docs, and configs.
+- Understand WHY something is broken before attempting a fix.
+- If your first fix doesn't work, STOP. Don't try another guess. Re-read the code.
+- Use explore-light (Haiku, 1x cost) to scan the codebase before expensive agents investigate.
+
+### No Over-Engineering
+- **Do exactly what's needed.** Don't add abstractions, utilities, or frameworks unless the code already uses them.
+- Match existing patterns — run explore-light to find how similar code is structured before writing new code.
+- A bug fix touches the minimum files possible. A feature matches the existing architecture.
+- If you're creating a new class/helper/utility that nothing else in the codebase uses, you're over-engineering.
+
+### Test Before Shipping
+- **Run tests locally before pushing.** Never push untested code.
+- If the project has `/precheck`, run it. If it has `/qa`, run it in commit mode.
+- After fixing a bug, verify the fix AND verify nothing else broke (differential testing).
+- If 3+ consecutive fix attempts fail, STOP. Step back and reassess the root cause from scratch.
+
+### Deployment Safety
+- **Never modify production systems without explicit confirmation.**
+- Don't change deploy targets, CI pipeline structure, or infrastructure config silently.
+- Don't overwrite existing files during deployment without asking.
+- If a deployment breaks something, investigate before attempting to fix. Don't cascade.
+
+## Toolkit Awareness (MANDATORY — READ THIS FIRST)
+
+You have a **claude-agents toolkit** installed in this project. It provides specialized
+agents, skills, and hooks that handle domain-specific work better and cheaper.
+
+**You are the ORCHESTRATOR.** The triage router fires on every message with a routing
+table and SPEED score. Use it to decide: toolkit or you?
+
+### When to use the toolkit (SPEED score 2+):
+- **Multi-step workflows**: `/pr`, `/deploy`, `/planning`, `/implement`, `/qa`, `/ci-fix`
+  encode battle-tested sequences you'd otherwise do manually and forget steps
+- **Domain expertise**: SRE, QA, frontend, backend agents have project context baked in
+- **Cost savings**: Haiku/Sonnet agents handle 80% of tasks at 1/60th the cost of Opus
+- **Parallelism**: Team skills spawn multiple agents working simultaneously
+
+### When to use YOU directly (SPEED score 0-1):
+- **Quick lookups**: Read/Grep/Glob for finding a file, checking a value, reading code
+- **Small targeted edits**: 1-2 file changes where you already know what to do
+- **Complex reasoning**: Architecture decisions, debugging novel problems, nuanced tradeoffs
+- **Conversation flow**: Follow-up questions, clarifications, explaining code
+- **Creative problem-solving**: When the task doesn't fit any existing pattern
+- **Judgment calls**: Security reviews, design decisions, "should we even do this?"
+
+### The balance:
+The toolkit handles **process** (repeatable workflows, domain-specific checks, multi-step
+sequences). You handle **judgment** (reasoning, creativity, novel problems, architecture).
+
+A senior engineer doesn't do everything themselves — they delegate routine work and focus
+their expertise where it matters most. That's you. The toolkit is your team.
+
+**Don't over-delegate**: If it's faster to just Read a file and answer, do it.
+**Don't under-delegate**: If it's a 5-step workflow the toolkit has a skill for, use it.
+
+### Project Knowledge System
+
+If this project has been calibrated (`/calibrate`), deep context is available:
+
+- **`.claude/project-profile.md`** — Architecture patterns, coding conventions, domain model,
+  testing style. Read this before writing any code to match the project's patterns.
+- **`.claude/knowledge/`** — The toolkit's long-term memory for this project:
+  - `shared/conventions.md` — Coding rules learned from corrections. **Read before writing code.**
+  - `shared/domain.md` — Business rules beyond what's in the code. **Read before domain decisions.**
+  - `shared/vocabulary.md` — What the team calls things. **Use these terms.**
+  - `shared/patterns.md` — Architecture patterns. **Follow these when adding new code.**
+  - `agents/{your-name}.md` — Your past learning. **Read on session start.**
+  - **Write back** when you learn something new — corrections, discoveries, decisions.
+  - See `knowledge/README.md` for the full protocol.
+- **`.claude/knowledge/external/sources.md`** — Where team knowledge lives outside code
+  (Notion, Linear, Figma, etc.). Check before making decisions that might already be documented.
+
+## Session Start Behavior (MANDATORY)
+
+On your FIRST response in every new session, ALWAYS start with a brief status line
+using context from the SessionStart hook. Include:
+- Current branch + uncommitted file count
+- Docker/infra status (if problems detected)
+- Open PRs or assigned issues (if any)
+- Any red flags (pending migrations, expired tokens)
+
+Format: 1-3 compact lines before addressing the user's request. Example:
+```
+📋 project — main | 5 uncommitted | Docker: postgres ✓ redis ✓ | 2 open PRs
+```
+Then proceed with the user's actual request.
+
+**CRITICAL — Greetings and vague first messages**: If the user's first message is a
+greeting ("hey", "hi", "hello", "yo", "sup") or vague ("help", "what's up",
+"what should I work on") or ANY message under 5 words with no specific task —
+**ALWAYS use the `/onboard` skill**. Never respond to greetings yourself. The
+bootstrap hook status line is a quick snapshot — `/onboard` gives the real briefing
+with open PRs, issues, priorities, and actionable next steps.
+
+## Routing Trace (MANDATORY)
+
+On EVERY response, show a compact routing trace so the user understands the decision
+path. Place it at the end of your response in a dimmed block:
+
+```
+🔀 Routing: [what triage decided] → [agent/skill/tool used] ([cost tier])
+   Why: [1-line reason for this routing choice]
+```
+
+Examples:
+```
+🔀 Routing: backend bug fix → python-backend agent (Sonnet, 10x)
+   Why: touches backend/app/services/, needs CLAUDE.md context, SPEED=4
+```
+```
+🔀 Routing: file lookup → Grep (built-in, 0x)
+   Why: single-file search, no project context needed, SPEED=0
+```
+
+Rules:
+- Always show the SPEED score breakdown if score >= 2
+- Show which hook provided the context (triage-router, bootstrap, etc.)
+- If you chose NOT to use the triage router's suggestion, explain why
+- Skip the trace only for simple follow-up messages in an ongoing conversation