@esoteric-logic/praxis-harness 1.2.1 → 2.0.1

package/README.md

@@ -8,7 +8,7 @@ A layered harness for [Claude Code](https://docs.anthropic.com/en/docs/claude-co
 
 Praxis gives Claude Code a three-layer operating system:
 
-**Universal base** — always loaded. [GSD](https://github.com/gsd-build/get-shit-done) structures work (spec → plan → execute → verify). [Superpowers](https://github.com/obra/superpowers) enforces quality (TDD, debugging, code review). [Ralph](https://github.com/snarktank/ralph) runs autonomous execution loops.
+**Universal base** — always loaded. Praxis structures work (discuss → plan → execute → verify → simplify → ship). Built-in quality enforcement (debugging, code review, simplification).
 
 **AI-Kits** — activated on demand via `/kit:<name>`. Each kit bundles domain-specific rules, skills, MCP servers, and slash commands. Activate the web-designer kit and your components get design system enforcement, accessibility auditing, and production lint. Deactivate with `/kit:off`.
 
@@ -31,32 +31,23 @@ npx praxis-harness uninstall   # remove Praxis-owned files from ~/.claude/
 
 ## After install
 
-Open Claude Code and run:
-
-```
-/plugin marketplace add obra/superpowers-marketplace
-/plugin install superpowers@superpowers-marketplace
-/plugin marketplace add snarktank/ralph
-/plugin install ralph-skills@ralph-marketplace
-```
-
-Verify with `/help` — you should see GSD, Superpowers, and Praxis commands.
+Verify with `/help` — you should see Praxis commands (`/discuss`, `/execute`, `/verify`, `/plan`, `/ship`, `/kit:*`).
 
 ## Workflow
 
-The standard GSD workflow for feature development:
+The standard Praxis workflow for feature development:
 
 ```
 /standup           → orient (reads status.md, surfaces stale state)
-/gsd:discuss       → frame the problem (SPEC questions, scope guard)
+/discuss       → frame the problem (conversational, scope guard)
 /discover          → research options with confidence levels (before /spec)
-/gsd:plan-phase    → plan milestones (with dependency ordering + boundaries)
-/gsd:execute       → implement one milestone at a time (file-group isolation)
-/gsd:verify        → validate (test/lint/typecheck/build, self-review, UNIFY)
+/plan    → plan milestones (with dependency ordering + boundaries)
+/execute       → implement one milestone at a time (file-group isolation)
+/verify        → validate (test/lint/typecheck/build, self-review, UNIFY)
 /session-retro     → capture learnings, update vault
 ```
 
-For pure bugfixes: `/debug` (test-first debugging, skips GSD).
+For pure bugfixes: `/debug` (test-first debugging, skips the full loop).
 For code review: `/review` (launches subagent review at any time).
 For technical research: `/discover` (structured options evaluation before decisions).
 
@@ -64,10 +55,10 @@ For technical research: `/discover` (structured options evaluation before decisi
 
 | Command | Purpose |
 |---------|---------|
-| `gsd-discuss` | Frame the problem, SPEC questions, scope guard |
-| `gsd-execute` | Implement one milestone with file-group isolation + boundary enforcement |
-| `gsd-verify` | Validate milestone (test/lint/build), self-review, UNIFY phase summary |
-| `ralph` | Autonomous multi-story execution from a PRD |
+| `discuss` | Conversational problem framing, SPEC synthesis, scope guard |
+| `execute` | Implement one milestone with file-group isolation + boundary enforcement |
+| `verify` | Validate milestone (test/lint/build), self-review, UNIFY phase summary |
+
 | `plan` | Create a dated work plan with milestone dependencies + checkpoints |
 | `spec` | Create a structured spec or ADR with conflict detection |
 | `discover` | Structured technical discovery with confidence-rated options |
@@ -86,17 +77,6 @@ Key additions in this version:
 - **context-management** — context brackets (FRESH/MODERATE/DEPLETED/CRITICAL) adapt behavior to session stage
 - **vault** — Obsidian vault integration
 
-## Ralph
-
-Ralph is the autonomous execution mode for multi-story work. Use it when you have >5 independent stories that don't require human checkpoints.
-
-1. Write a PRD using `/prd-writer` (structured story format with file groups and estimates)
-2. Run `/ralph` to begin autonomous execution
-3. Each story runs in a fresh context with its own verify cycle
-4. Blocked stories are recorded and skipped — reported at run end
-
-Ralph is not a replacement for GSD — it runs GSD internally per story. Use GSD for work that needs cross-story reasoning or architectural decisions.
-
 ## Architecture
 
 ```
@@ -108,7 +88,7 @@ Ralph is not a replacement for GSD — it runs GSD internally per story. Use GSD
 │  Skills chain + domain rules + MCPs    │
 ├────────────────────────────────────────┤
 │  Universal base (always loaded)        │
-│  GSD → Superpowers → Ralph             │
+│  Praxis workflow engine                 │
 ├────────────────────────────────────────┤
 │  Vault layer                           │
 │  Obsidian                              │
@@ -118,7 +98,7 @@ Ralph is not a replacement for GSD — it runs GSD internally per story. Use GSD
 └────────────────────────────────────────┘
 ```
 
-**Workflow hierarchy:** GSD owns the outer loop (discuss → plan → execute → verify). Superpowers enforces quality inside execution (TDD, review, debug). Ralph runs autonomous multi-story iterations. Kits inject domain context into this workflow — they don't replace it.
+**Workflow hierarchy:** Praxis owns the outer loop (discuss → plan → execute → verify → simplify → ship). Kits inject domain context into this workflow — they don't replace it.
 
 ## Available kits
 

package/base/CLAUDE.md

@@ -13,14 +13,11 @@ You are a senior engineering partner. Think before you build. Verify before you
 - Every option presented MUST include a recommendation and why.
 
 ## Workflow Hierarchy
-- **GSD** owns the outer loop: discuss → plan → execute → verify → simplify → ship.
-  Always start feature work with GSD.
-- **Superpowers** enforces quality inside execution (TDD, review, debug).
-  Its skills auto-activate — never invoke them alongside GSD phases.
-- **Ralph** runs autonomous multi-story iterations from the terminal.
+- **Praxis** owns the outer loop: discuss → plan → execute → verify → simplify → ship.
+  Always start feature work with `/discuss` or `/next`.
 - **Kits** inject domain context into this workflow — they don't replace it.
-- Never invoke `/superpowers:write-plan` alongside `/gsd:plan-phase`.
-- Pure bugfixes: skip GSD, use Superpowers debugging directly.
+- Pure bugfixes: skip the full loop, use `/debug` directly.
+- Trivial changes (typos, config): use `/fast` to skip planning.
 - After every implementation: run `/simplify` to clean up code before verify.
 - Use `/verify-app` for end-to-end checks, `/ship` when ready to commit+push+PR.
 
@@ -40,15 +37,14 @@ permanent institutional memory. Don't wait for session-retro — fix the rule im
 ## Non-Negotiables (fire every session)
 
 **Before any non-trivial task:**
-- WHAT / DONE-WHEN / CONSTRAINTS / NON-GOALS — answer all four before starting.
+- PROBLEM / DELIVERABLE / ACCEPTANCE / BOUNDARIES — answer all four before starting.
 
 **Stop-and-Fix Rule:** Validation fails → fix now → re-validate → proceed.
 If cannot fix in 3 attempts: STOP. Report What / So What / Now What.
 
 **Before every commit:**
-1. Secret scan: `rg "(sk-|ghp_|pplx-|AKIA|Bearer [A-Za-z0-9+/]{20,})" $(git diff --staged --name-only)`
-2. Lint + typecheck — no commits with warnings or errors.
-3. `git --no-pager config user.email` → must match expected identity. If mismatch: STOP.
+See `~/.claude/rules/git-workflow.md` § Pre-Commit Invariants. These are also enforced
+by hooks (secret-scan, identity-check) — see `~/.claude/settings.json`.
 
 **Before writing any templated file:** Scan for unreplaced `{placeholder}` patterns. Zero must remain.
 
@@ -92,15 +88,15 @@ Missing servers are non-blocking — features degrade gracefully.
 
 ## After Compaction — Bootstrap
 1. Read project CLAUDE.md (always first)
-2. Check `claude-progress.json` — if `.ralph_state.current_story` is set: read it NOW, it is authoritative
-3. Active task? → read active plan current milestone only
+2. Active task? → read active plan current milestone only
    No active task? → read `status.md`
 4. Load rules only for what the current task touches:
-   - Terraform/Azure → `~/.claude/rules/terraform.md`
+   - Terraform/Azure → `~/.claude/rules/terraform.md`, `~/.claude/rules/azure.md`
    - GitHub Actions → `~/.claude/rules/github-actions.md`
    - PowerShell scripts → `~/.claude/rules/powershell.md`
    - Git operation → `~/.claude/rules/git-workflow.md`
-   - Security concern → `~/.claude/rules/security.md`
+   - Client-facing writing → auto-loaded by `communication-standards` skill
+   - Architecture/specs → auto-loaded by `architecture-patterns` skill
 
 ## Core Anti-Patterns (NEVER)
 - Silently swallow errors or use empty catch blocks
@@ -125,19 +121,15 @@ Kit manifests live in `~/.claude/kits/<name>/KIT.md`.
 
 ## Rules Registry — Load on Demand Only
 
-### Universal — always active
+### Universal — always active (6 rules)
 | File | Purpose |
 |------|---------|
-| `~/.claude/rules/profile.md` | Who the user is, active projects, identities |
+| `~/.claude/rules/profile.md` | Who the user is, identities, working style |
 | `~/.claude/rules/execution-loop.md` | SPEC/PLAN/VALIDATE loop enforcement |
-| `~/.claude/rules/coding.md` | Context7 mandate, error handling, no hardcodes |
-| `~/.claude/rules/code-quality.md` | Language-agnostic quality standards |
-| `~/.claude/rules/git-workflow.md` | Commits, branches, identity verification |
-| `~/.claude/rules/security.md` | Secrets, credentials, auth patterns |
-| `~/.claude/rules/communication.md` | Client writing, no AI attribution |
-| `~/.claude/rules/vault.md` | Second brain integration — Obsidian vault |
-| `~/.claude/rules/architecture.md` | ADR format, What/So What/Now What, risk docs |
-| `~/.claude/rules/context-management.md` | GSD/Ralph anti-rot, context reset protocol |
+| `~/.claude/rules/coding.md` | Code quality, security, complexity thresholds, Context7 mandate |
+| `~/.claude/rules/git-workflow.md` | Commits, branches, identity verification, pre-commit checks |
+| `~/.claude/rules/vault.md` | Second brain integration — vault backend, file purposes |
+| `~/.claude/rules/context-management.md` | Context anti-rot, phase scoping, context reset protocol |
 
 ### Scoped — load only when paths match
 | File | Loads when |
@@ -146,3 +138,9 @@ Kit manifests live in `~/.claude/kits/<name>/KIT.md`.
 | `~/.claude/rules/terraform.md` | `**/*.tf`, `**/*.tfvars` |
 | `~/.claude/rules/github-actions.md` | `.github/workflows/**` |
 | `~/.claude/rules/powershell.md` | `**/*.ps1`, `**/*.psm1` |
+
+### Auto-invocable skills (replace former universal rules)
+| Skill | Triggers when |
+|-------|--------------|
+| `communication-standards` | Writing client-facing docs, proposals, status reports, commits, PRs |
+| `architecture-patterns` | Writing ADRs, specs, system design, risk docs, blocker reports |

package/base/hooks/auto-format.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# PostToolUse hook — auto-formats files after edit.
+# Always exits 0 (advisory, never blocks).
+set -uo pipefail
+
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // empty' 2>/dev/null)
+
+if [[ -z "$FILE_PATH" || ! -f "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+EXT="${FILE_PATH##*.}"
+
+case "$EXT" in
+  tf|tfvars)
+    if command -v terraform &>/dev/null; then
+      terraform fmt "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  py)
+    if command -v ruff &>/dev/null; then
+      ruff format --quiet "$FILE_PATH" 2>/dev/null
+    elif command -v black &>/dev/null; then
+      black --quiet "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  ts|tsx|js|jsx|json|css)
+    if command -v prettier &>/dev/null; then
+      prettier --write "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  go)
+    if command -v gofmt &>/dev/null; then
+      gofmt -w "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+esac
+
+exit 0

package/base/hooks/identity-check.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# PreToolUse hook — blocks git commit if email doesn't match expected identity.
+# Reads expected emails from praxis.config.json identity section.
+# Exit 0 = allow, Exit 2 = block with message.
+set -euo pipefail
+
+INPUT=$(cat)
+
+# Only fire on Bash tool calls that contain "git commit"
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+if [[ -z "$COMMAND" ]] || ! echo "$COMMAND" | grep -q "git commit"; then
+  exit 0
+fi
+
+# Read identity config
+CONFIG="$HOME/.claude/praxis.config.json"
+if [[ ! -f "$CONFIG" ]]; then
+  exit 0
+fi
+
+CWD=$(pwd)
+ACTUAL_EMAIL=$(git --no-pager config user.email 2>/dev/null || echo "")
+
+# Check work path match
+WORK_PATH=$(jq -r '.identity.work.path_match // empty' "$CONFIG" 2>/dev/null)
+WORK_EMAIL=$(jq -r '.identity.work.email // empty' "$CONFIG" 2>/dev/null)
+PERSONAL_PATH=$(jq -r '.identity.personal.path_match // empty' "$CONFIG" 2>/dev/null)
+PERSONAL_EMAIL=$(jq -r '.identity.personal.email // empty' "$CONFIG" 2>/dev/null)
+
+EXPECTED_EMAIL=""
+if [[ -n "$WORK_PATH" ]] && echo "$CWD" | grep -q "$WORK_PATH"; then
+  EXPECTED_EMAIL="$WORK_EMAIL"
+elif [[ -n "$PERSONAL_PATH" ]] && echo "$CWD" | grep -q "$PERSONAL_PATH"; then
+  EXPECTED_EMAIL="$PERSONAL_EMAIL"
+else
+  # Unknown path — allow but warn
+  echo "WARNING: CWD $CWD does not match known identity paths." >&2
+  exit 0
+fi
+
+if [[ -n "$EXPECTED_EMAIL" && "$ACTUAL_EMAIL" != "$EXPECTED_EMAIL" ]]; then
+  echo "BLOCKED: Git identity mismatch." >&2
+  echo "  Expected: $EXPECTED_EMAIL" >&2
+  echo "  Actual:   $ACTUAL_EMAIL" >&2
+  echo "  CWD:      $CWD" >&2
+  # Check if includeIf is configured and suggest fix
+  if git config --global --get-regexp 'includeIf' &>/dev/null; then
+    echo "  Note: includeIf is configured in ~/.gitconfig — verify CWD matches an includeIf path." >&2
+  else
+    echo "  Fix: git config --local user.email \"$EXPECTED_EMAIL\"" >&2
+  fi
+  exit 2
+fi
+
+exit 0

package/base/hooks/secret-scan.sh

@@ -14,7 +14,7 @@ if [[ -z "$FILE_PATH" || ! -f "$FILE_PATH" ]]; then
 fi
 
 # Scan the file for secret patterns
-SECRET_PATTERN='(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36,}|pplx-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16}|Bearer [A-Za-z0-9+/]{20,})'
+SECRET_PATTERN='(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36,}|pplx-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16}|Bearer [A-Za-z0-9+/]{20,}|DefaultEndpointsProtocol|AccountKey=)'
 
 if rg -q "$SECRET_PATTERN" "$FILE_PATH" 2>/dev/null; then
   MATCHES=$(rg -n "$SECRET_PATTERN" "$FILE_PATH" 2>/dev/null | head -5)

package/base/hooks/settings-hooks.json

@@ -0,0 +1,61 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write|Edit|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/secret-scan.sh"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/identity-check.sh"
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/auto-format.sh"
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/post-session-lint.sh"
+          },
+          {
+            "type": "prompt",
+            "prompt": "Review the conversation. Did you complete all tasks the user requested? Are there uncommitted changes that should be committed? Are there vault files (status.md, plan) that should be updated? Answer yes/no for each."
+          }
+        ]
+      }
+    ],
+    "PreCompact": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/vault-checkpoint.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

package/base/hooks/vault-checkpoint.sh

@@ -37,11 +37,6 @@ if [[ -f "$STATUS_FILE" ]]; then
   [[ -z "$LOOP_POSITION" ]] && LOOP_POSITION="unknown"
 fi
 
-RALPH_STORY="inactive"
-if [[ -f "$PROGRESS_FILE" ]]; then
-  RALPH_STORY=$(jq -r '.ralph_state.current_story // "inactive"' "$PROGRESS_FILE" 2>/dev/null)
-fi
-
 cat > "$CHECKPOINT_FILE" <<EOF
 ---
 tags: [checkpoint, compact]
@@ -60,12 +55,9 @@ $PWD
 ## Active Plan
 $CURRENT_PLAN
 
-## GSD Phase
+## Loop Position
 $LOOP_POSITION
 
-## Ralph State
-$RALPH_STORY
-
 ## Note
 This checkpoint was auto-written by the PreCompact hook.
 Read this file after compaction to restore context.

package/base/rules/context-management.md

@@ -1,11 +1,11 @@
 # Context Management — Rules
 # Scope: All projects, all sessions
-# Prevents context rot via GSD phase discipline and Ralph story sizing
+# Prevents context rot via phase discipline
 
-## GSD Phase Discipline — Invariants (BLOCK on violation)
+## Phase Discipline — Invariants (BLOCK on violation)
 
 ### Phase-scoped context loading
-- Load ONLY context required for the current GSD phase.
+- Load ONLY context required for the current phase.
   SPEC needs requirements and constraints — not implementation details.
   IMPLEMENT needs the plan and relevant source files — not research notes.
 - At the end of each phase: write a phase summary to the active plan file.
@@ -21,50 +21,6 @@
   IMPLEMENT → VALIDATE: test output and lint output are the evidence.
 - Use subagents for exploration, research, and review to protect the main context.
 
-## Ralph Story Sizing — Invariants (BLOCK on violation)
-
-### Size constraint
-- Each Ralph PRD story must be completable in a single context window (~10k output tokens).
-- Right-sized stories: add one component, one migration, one service method,
-  one test suite, or one configuration change.
-- Too large: any story requiring >3 file groups or >1 architectural decision.
-  Split before execution.
-- Stories requiring cross-story reasoning belong in GSD, not Ralph.
-  Ralph stories must be independently verifiable.
-
-### State contract
-- `claude-progress.json` is the ONLY state bridge between Ralph iterations.
-- The `ralph_state` object is authoritative:
-  ```json
-  {
-    "mode": "idle | active",
-    "prd_path": null,
-    "completed_stories": [],
-    "current_story": null
-  }
-  ```
-- Ralph reads `ralph_state` at iteration start, writes at iteration end.
-- Never reference conversation history as source of truth in Ralph mode.
-
-## When to Use GSD vs Ralph — Conventions (WARN on violation)
-
-| Trigger | Use | Reason |
-|---------|-----|--------|
-| <5 stories, needs reasoning continuity | GSD | Decisions compound across stories |
-| Architectural decisions required | GSD | Context must persist through tradeoff analysis |
-| Exploratory or ambiguous scope | GSD | Needs human-in-the-loop at phase gates |
-| >5 independent stories | Ralph | Parallelizable, no cross-story dependencies |
-| Overnight/unattended execution | Ralph | Fresh context per story prevents drift |
-| Mechanical transformations (migrations, renames) | Ralph | Repetitive, well-scoped, low judgment |
-
-Default to GSD. Use Ralph only when stories are clearly independent and well-scoped.
-
-## Compaction Safety — Invariants (BLOCK on violation)
-
-### Ralph mid-run takes precedence
-- If `claude-progress.json` → `.ralph_state.current_story` is set, ALWAYS read it — even if an active plan exists.
-- Ralph mid-run state is authoritative over plan state. The story must complete or be explicitly blocked before plan-level work resumes.
-
 ## Subagent Discipline — Conventions (WARN on violation)
 
 ### Subagent scope
@@ -119,9 +75,6 @@ conversation length heuristic (not token count — we cannot read session JSONL)
 ## Verification Commands
 
 ```bash
-# Check that claude-progress.json has ralph_state field
-jq '.ralph_state' {vault_path}/claude-progress.json
-
 # Verify active plan file exists and has phase summaries
 ls -la {vault_path}/plans/
 

package/base/rules/execution-loop.md

@@ -1,84 +1,64 @@
 # Execution Loop — Rules
 # Scope: All projects, all sessions
-# Extracted from ~/.claude/CLAUDE.md to reduce root file size
+# Invariants only. Phase details live in the commands that implement them.
 
-## Core Loop (MANDATORY — every non-trivial task)
+## Loop Order (reference — commands are authoritative)
+`/discuss` → `/plan` → `/execute` → `/verify` → `/simplify` → `/ship`
 
-### Phase 1: SPEC
-Answer four questions before any code or file is written:
-- **WHAT**: Concrete deliverable (not vague goals)
-- **DONE-WHEN**: Specific checks that prove completion
-- **CONSTRAINTS**: Performance, compatibility, style requirements
-- **NON-GOALS**: What this task explicitly does NOT include
-If ambiguous: ask 2–3 clarifying questions before proceeding.
+Each command file contains its own steps. This file defines only the
+cross-cutting invariants that apply regardless of which phase is active.
 
-### Risk Check (MANDATORY if any apply)
-Run `/risk` before proceeding to PLAN if the task:
+## Invariants — BLOCK on violation
+
+### SPEC before code
+No code or file changes until PROBLEM / DELIVERABLE / ACCEPTANCE / BOUNDARIES are answered.
+`/discuss` synthesizes these from conversation. If discuss was skipped,
+the implementer must answer all four before proceeding.
+
+### Risk check gate
+Run `/risk` before `/plan` if the task:
 - Touches infrastructure files (`*.tf`, `*.bicep`, `*.yml` in `.github/workflows/`)
 - Touches authentication, credentials, or secrets handling
 - Modifies >3 files across different domains
-- Has a NON-GOALS list that explicitly defers something risky
+- Has BOUNDARIES (out of scope) that explicitly defer something risky
 
-If any condition is met: `/risk` must produce at minimum one risk entry before `/gsd:plan-phase`.
+### Plan before implementation
+Do NOT begin implementation until a plan exists and is approved.
+The plan is the sole implementation guide — not conversation history.
 
-### Phase 2: PLAN
-- Break work into milestones small enough to complete and verify in one pass.
-- Each milestone MUST have: description, acceptance criteria, validation command.
-- Save plan to `{vault_path}/plans/YYYY-MM-DD_[task-slug].md` with frontmatter:
-  ```yaml
-  ---
-  created: YYYY-MM-DD
-  status: active
-  tags: [relevant, tags]
-  ---
-  ```
-- Update `{vault_path}/status.md` → `current_plan:` field.
-- Do NOT begin implementation until the plan is approved.
+### One milestone at a time
+Keep diffs scoped. Do not expand scope without explicit approval.
+Never let uncommitted work span multiple milestones.
 
-### Phase 3: IMPLEMENT
-- One milestone at a time. Keep diffs scoped.
-- Do not expand scope without explicit approval.
-- Use extended thinking for tasks touching >3 files or requiring architectural decisions.
-
-### Phase 4: VALIDATE
+### Validate with evidence
 After EACH milestone — show actual output, not assertions:
-1. Run test suite → show output
-2. Run linter → show output, fix ALL warnings
-3. Run typecheck (if applicable) → show output
-4. Run build (if applicable) → show output
-5. Report: PASS or FAIL with specifics
-
-### Phase 5: REPAIR (Stop-and-Fix)
-If ANY validation fails:
-- Do NOT proceed to the next milestone.
-- Fix NOW. Re-validate. Then proceed.
-- If cannot fix in 3 attempts: STOP.
-  Report: **What** (full error + 3 attempts) → **So What** (root cause) → **Now What** (next steps)
+1. Test suite output
+2. Linter output (fix ALL warnings)
+3. Typecheck output (if applicable)
+4. Build output (if applicable)
+Report: PASS or FAIL with specifics.
 
-### Phase 6: COMMIT
-- Commit at milestone completion. See git-workflow.md.
-- Never let uncommitted work span multiple milestones.
+### Stop-and-fix
+If ANY validation fails: fix NOW, re-validate, then proceed.
+If cannot fix in 3 attempts: STOP.
+Report: **What** (full error + 3 attempts) → **So What** (root cause) → **Now What** (next steps)
 
-### Phase 7: LOG
-- Update `{vault_path}/status.md`: what was done, decisions made, what's next.
-- Mark completed milestone status in the plan file.
-- Update `{vault_path}/_index.md` goals if project direction changed.
-- Vault indexing is automatic (obsidian) or not needed (other backends).
+### Commit at milestone boundaries
+Commit when verify passes. See git-workflow.md.
 
-### Phase 8: REPEAT
-Next milestone. Loop until plan complete.
+### Log to vault
+After each milestone: update status.md, mark milestone complete in plan file.
+After ALL milestones: update _index.md goals if project direction changed.
 
 ## Self-Review Protocol
 After ALL milestones, before reporting done:
-1. Use a subagent to review the diff as a critical code reviewer.
-   Prompt: "Review this diff for bugs, edge cases, error handling gaps, security issues,
-   and violations of project conventions. Rate each: Critical / Major / Minor."
-   — Subagent receives ONLY: the diff, the SPEC, relevant rules files. NOT the conversation history.
+1. Launch a subagent to review the full diff as a critical code reviewer.
+   Subagent receives ONLY: the diff, the SPEC (from plan file), relevant rules.
+   NOT the conversation history.
 2. Address all Critical and Major findings.
 3. Re-validate after fixes.
 4. If reviewer found >3 issues: run review again (max 3 rounds).
 
 ## Context Management
-See `~/.claude/rules/context-management.md` for complete context discipline:
-GSD phase scoping, Ralph story sizing, context reset protocol.
-- Use subagents (Task tool) for exploration, research, and review.
+See `~/.claude/rules/context-management.md` for:
+Phase scoping, subagent discipline, context reset protocol.

package/base/rules/git-workflow.md

@@ -2,12 +2,12 @@
 # Scope: All projects with git repos
 
 ## Identity — Invariants (BLOCK on violation)
-<!-- CUSTOMIZE: Replace with your git identities -->
-<!-- Example identity table: -->
-<!-- | Type | gitconfig | SSH Key | Email | includeIf Path | -->
-<!-- |------|-----------|---------|-------|----------------| -->
-<!-- | Work | ~/.gitconfig-work | ~/.ssh/id_ed25519_work | you@company.com | ~/Projects/Work/ | -->
-<!-- | Personal | ~/.gitconfig-personal | ~/.ssh/id_ed25519_personal | you@personal.com | ~/Projects/Personal/ | -->
+<!-- NOTE: This is a TEMPLATE. install.sh generates the real file with actual identities. -->
+
+| Type | gitconfig | SSH Key | Email | Path Match |
+|------|-----------|---------|-------|------------|
+| Work | {identity.work.gitconfig} | {identity.work.ssh_key} | {identity.work.email} | {identity.work.path_match} |
+| Personal | {identity.personal.gitconfig} | {identity.personal.ssh_key} | {identity.personal.email} | {identity.personal.path_match} |
 
 **Verification:** `git --no-pager config user.email`
 **On mismatch:** STOP. Report `expected: X, got: Y`. Do not commit.
@@ -32,7 +32,7 @@
 - Keep working tree clean — no untracked debris, no partial stages.
 
 ## Pre-Commit Invariants (BLOCK on violation)
-1. Secret scan staged files: `rg "(sk-|ghp_|pplx-|AKIA|Bearer [A-Za-z0-9+/]{20,})" $(git diff --staged --name-only)`
+1. Secret scan staged files: `rg "(sk-|ghp_|pplx-|AKIA|Bearer [A-Za-z0-9+/]{20,}|DefaultEndpointsProtocol|AccountKey=)" $(git diff --staged --name-only)`
 2. Confirm `git config user.email` matches expected identity for this repo path.
 3. Run stack linter (see terraform.md, github-actions.md as applicable).
 4. Run typecheck if applicable — no commits with type errors.