@esoteric-logic/praxis-harness 2.0.0 → 2.0.1

package/base/CLAUDE.md

@@ -43,9 +43,8 @@ permanent institutional memory. Don't wait for session-retro — fix the rule im
 If cannot fix in 3 attempts: STOP. Report What / So What / Now What.
 
 **Before every commit:**
-1. Secret scan: `rg "(sk-|ghp_|pplx-|AKIA|Bearer [A-Za-z0-9+/]{20,})" $(git diff --staged --name-only)`
-2. Lint + typecheck — no commits with warnings or errors.
-3. `git --no-pager config user.email` → must match expected identity. If mismatch: STOP.
+See `~/.claude/rules/git-workflow.md` § Pre-Commit Invariants. These are also enforced
+by hooks (secret-scan, identity-check) — see `~/.claude/settings.json`.
 
 **Before writing any templated file:** Scan for unreplaced `{placeholder}` patterns. Zero must remain.
 
@@ -92,11 +91,12 @@ Missing servers are non-blocking — features degrade gracefully.
 2. Active task? → read active plan current milestone only
    No active task? → read `status.md`
 4. Load rules only for what the current task touches:
-   - Terraform/Azure → `~/.claude/rules/terraform.md`
+   - Terraform/Azure → `~/.claude/rules/terraform.md`, `~/.claude/rules/azure.md`
    - GitHub Actions → `~/.claude/rules/github-actions.md`
    - PowerShell scripts → `~/.claude/rules/powershell.md`
    - Git operation → `~/.claude/rules/git-workflow.md`
-   - Security concern → `~/.claude/rules/security.md`
+   - Client-facing writing → auto-loaded by `communication-standards` skill
+   - Architecture/specs → auto-loaded by `architecture-patterns` skill
 
 ## Core Anti-Patterns (NEVER)
 - Silently swallow errors or use empty catch blocks
@@ -121,19 +121,15 @@ Kit manifests live in `~/.claude/kits/<name>/KIT.md`.
 
 ## Rules Registry — Load on Demand Only
 
-### Universal — always active
+### Universal — always active (6 rules)
 | File | Purpose |
 |------|---------|
-| `~/.claude/rules/profile.md` | Who the user is, active projects, identities |
+| `~/.claude/rules/profile.md` | Who the user is, identities, working style |
 | `~/.claude/rules/execution-loop.md` | SPEC/PLAN/VALIDATE loop enforcement |
-| `~/.claude/rules/coding.md` | Context7 mandate, error handling, no hardcodes |
-| `~/.claude/rules/code-quality.md` | Language-agnostic quality standards |
-| `~/.claude/rules/git-workflow.md` | Commits, branches, identity verification |
-| `~/.claude/rules/security.md` | Secrets, credentials, auth patterns |
-| `~/.claude/rules/communication.md` | Client writing, no AI attribution |
-| `~/.claude/rules/vault.md` | Second brain integration — Obsidian vault |
-| `~/.claude/rules/architecture.md` | ADR format, What/So What/Now What, risk docs |
-| `~/.claude/rules/context-management.md` | Context anti-rot, context reset protocol |
+| `~/.claude/rules/coding.md` | Code quality, security, complexity thresholds, Context7 mandate |
+| `~/.claude/rules/git-workflow.md` | Commits, branches, identity verification, pre-commit checks |
+| `~/.claude/rules/vault.md` | Second brain integration — vault backend, file purposes |
+| `~/.claude/rules/context-management.md` | Context anti-rot, phase scoping, context reset protocol |
 
 ### Scoped — load only when paths match
 | File | Loads when |
@@ -142,3 +138,9 @@ Kit manifests live in `~/.claude/kits/<name>/KIT.md`.
 | `~/.claude/rules/terraform.md` | `**/*.tf`, `**/*.tfvars` |
 | `~/.claude/rules/github-actions.md` | `.github/workflows/**` |
 | `~/.claude/rules/powershell.md` | `**/*.ps1`, `**/*.psm1` |
+
+### Auto-invocable skills (replace former universal rules)
+| Skill | Triggers when |
+|-------|--------------|
+| `communication-standards` | Writing client-facing docs, proposals, status reports, commits, PRs |
+| `architecture-patterns` | Writing ADRs, specs, system design, risk docs, blocker reports |

package/base/hooks/auto-format.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# PostToolUse hook — auto-formats files after edit.
+# Always exits 0 (advisory, never blocks).
+set -uo pipefail
+
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // empty' 2>/dev/null)
+
+if [[ -z "$FILE_PATH" || ! -f "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+EXT="${FILE_PATH##*.}"
+
+case "$EXT" in
+  tf|tfvars)
+    if command -v terraform &>/dev/null; then
+      terraform fmt "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  py)
+    if command -v ruff &>/dev/null; then
+      ruff format --quiet "$FILE_PATH" 2>/dev/null
+    elif command -v black &>/dev/null; then
+      black --quiet "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  ts|tsx|js|jsx|json|css)
+    if command -v prettier &>/dev/null; then
+      prettier --write "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  go)
+    if command -v gofmt &>/dev/null; then
+      gofmt -w "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+esac
+
+exit 0

package/base/hooks/identity-check.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# PreToolUse hook — blocks git commit if email doesn't match expected identity.
+# Reads expected emails from praxis.config.json identity section.
+# Exit 0 = allow, Exit 2 = block with message.
+set -euo pipefail
+
+INPUT=$(cat)
+
+# Only fire on Bash tool calls that contain "git commit"
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+if [[ -z "$COMMAND" ]] || ! echo "$COMMAND" | grep -q "git commit"; then
+  exit 0
+fi
+
+# Read identity config
+CONFIG="$HOME/.claude/praxis.config.json"
+if [[ ! -f "$CONFIG" ]]; then
+  exit 0
+fi
+
+CWD=$(pwd)
+ACTUAL_EMAIL=$(git --no-pager config user.email 2>/dev/null || echo "")
+
+# Check work path match
+WORK_PATH=$(jq -r '.identity.work.path_match // empty' "$CONFIG" 2>/dev/null)
+WORK_EMAIL=$(jq -r '.identity.work.email // empty' "$CONFIG" 2>/dev/null)
+PERSONAL_PATH=$(jq -r '.identity.personal.path_match // empty' "$CONFIG" 2>/dev/null)
+PERSONAL_EMAIL=$(jq -r '.identity.personal.email // empty' "$CONFIG" 2>/dev/null)
+
+EXPECTED_EMAIL=""
+if [[ -n "$WORK_PATH" ]] && echo "$CWD" | grep -q "$WORK_PATH"; then
+  EXPECTED_EMAIL="$WORK_EMAIL"
+elif [[ -n "$PERSONAL_PATH" ]] && echo "$CWD" | grep -q "$PERSONAL_PATH"; then
+  EXPECTED_EMAIL="$PERSONAL_EMAIL"
+else
+  # Unknown path — allow but warn
+  echo "WARNING: CWD $CWD does not match known identity paths." >&2
+  exit 0
+fi
+
+if [[ -n "$EXPECTED_EMAIL" && "$ACTUAL_EMAIL" != "$EXPECTED_EMAIL" ]]; then
+  echo "BLOCKED: Git identity mismatch." >&2
+  echo "  Expected: $EXPECTED_EMAIL" >&2
+  echo "  Actual:   $ACTUAL_EMAIL" >&2
+  echo "  CWD:      $CWD" >&2
+  # Check if includeIf is configured and suggest fix
+  if git config --global --get-regexp 'includeIf' &>/dev/null; then
+    echo "  Note: includeIf is configured in ~/.gitconfig — verify CWD matches an includeIf path." >&2
+  else
+    echo "  Fix: git config --local user.email \"$EXPECTED_EMAIL\"" >&2
+  fi
+  exit 2
+fi
+
+exit 0

package/base/hooks/secret-scan.sh

@@ -14,7 +14,7 @@ if [[ -z "$FILE_PATH" || ! -f "$FILE_PATH" ]]; then
 fi
 
 # Scan the file for secret patterns
-SECRET_PATTERN='(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36,}|pplx-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16}|Bearer [A-Za-z0-9+/]{20,})'
+SECRET_PATTERN='(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36,}|pplx-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16}|Bearer [A-Za-z0-9+/]{20,}|DefaultEndpointsProtocol|AccountKey=)'
 
 if rg -q "$SECRET_PATTERN" "$FILE_PATH" 2>/dev/null; then
   MATCHES=$(rg -n "$SECRET_PATTERN" "$FILE_PATH" 2>/dev/null | head -5)

package/base/hooks/settings-hooks.json

@@ -0,0 +1,61 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write|Edit|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/secret-scan.sh"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/identity-check.sh"
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/auto-format.sh"
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/post-session-lint.sh"
+          },
+          {
+            "type": "prompt",
+            "prompt": "Review the conversation. Did you complete all tasks the user requested? Are there uncommitted changes that should be committed? Are there vault files (status.md, plan) that should be updated? Answer yes/no for each."
+          }
+        ]
+      }
+    ],
+    "PreCompact": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/vault-checkpoint.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

package/base/rules/git-workflow.md

@@ -2,12 +2,12 @@
 # Scope: All projects with git repos
 
 ## Identity — Invariants (BLOCK on violation)
-<!-- CUSTOMIZE: Replace with your git identities -->
-<!-- Example identity table: -->
-<!-- | Type | gitconfig | SSH Key | Email | includeIf Path | -->
-<!-- |------|-----------|---------|-------|----------------| -->
-<!-- | Work | ~/.gitconfig-work | ~/.ssh/id_ed25519_work | you@company.com | ~/Projects/Work/ | -->
-<!-- | Personal | ~/.gitconfig-personal | ~/.ssh/id_ed25519_personal | you@personal.com | ~/Projects/Personal/ | -->
+<!-- NOTE: This is a TEMPLATE. install.sh generates the real file with actual identities. -->
+
+| Type | gitconfig | SSH Key | Email | Path Match |
+|------|-----------|---------|-------|------------|
+| Work | {identity.work.gitconfig} | {identity.work.ssh_key} | {identity.work.email} | {identity.work.path_match} |
+| Personal | {identity.personal.gitconfig} | {identity.personal.ssh_key} | {identity.personal.email} | {identity.personal.path_match} |
 
 **Verification:** `git --no-pager config user.email`
 **On mismatch:** STOP. Report `expected: X, got: Y`. Do not commit.
@@ -32,7 +32,7 @@
 - Keep working tree clean — no untracked debris, no partial stages.
 
 ## Pre-Commit Invariants (BLOCK on violation)
-1. Secret scan staged files: `rg "(sk-|ghp_|pplx-|AKIA|Bearer [A-Za-z0-9+/]{20,})" $(git diff --staged --name-only)`
+1. Secret scan staged files: `rg "(sk-|ghp_|pplx-|AKIA|Bearer [A-Za-z0-9+/]{20,}|DefaultEndpointsProtocol|AccountKey=)" $(git diff --staged --name-only)`
 2. Confirm `git config user.email` matches expected identity for this repo path.
 3. Run stack linter (see terraform.md, github-actions.md as applicable).
 4. Run typecheck if applicable — no commits with type errors.

package/base/rules/profile.md

@@ -1,15 +1,16 @@
 # Profile
 # Universal — loads every session. Static context foundation.
-# No paths: scoping — always in context
+# NOTE: This is a TEMPLATE. install.sh generates the real file at ~/.claude/rules/profile.md
 
 ## Setup Detection
-If "Your Name" or "Your Role" appears below, this file is not configured.
-STOP and tell the user:
-"profile.md is not configured. Fill in Who You Are Working With below before starting."
-Do NOT proceed with an empty profile — it causes silent context gaps every session.
+If "{identity.name}" or "Your Name" appears below, this file was not generated.
+On first interaction of a session, mention: "profile.md has placeholder values — run install.sh to configure your identity."
+Continue with the task — an unconfigured profile degrades calibration but does not block work.
 
 ## Who You Are Working With
-Your Name — Your Role. Primary focus: your domains.
+{identity.name} — {identity.role}. Primary focus: {identity.domains}.
+
+Operates across identities (see git-workflow.md Identity table for details).
 
 ## Active Projects
 Project context is loaded dynamically per session via /scaffold-new and /standup.
@@ -21,6 +22,7 @@ To see current project state: run /standup.
 - Writes for two audiences: technical implementers and non-technical stakeholders.
 - Communication style: direct, structured, What/So What/Now What.
 - Deliverables over discussion — prefers concrete output to long explanations.
+- Single-pass intake: complete intake in single-pass messages, not sequential round-trips.
 - Vault-first: decisions, specs, and plans live in the vault, not in conversation.
 - Git identity is project-specific — always verify before committing.
 
@@ -28,4 +30,5 @@ To see current project state: run /standup.
 - Never assume a dormant project is dead — verify from status.md before deprioritizing.
 - When project context is ambiguous: check CWD against local_path in vault _index.md before asking.
 - Context7 is installed — always use it before implementing with an external library or API.
-- Add any project-agnostic rules or constraints here (not project-specific — those go in repo CLAUDE.md).
+- Every option presented MUST include a recommendation and why.
+- Scale response length to question complexity — short question, short answer.

package/base/rules/vault.md

@@ -5,10 +5,19 @@
 
 ## Vault Backend
 
-Vault backend is Obsidian. Search: `obsidian search query="{query}" limit=5`
-Scope searches with `path=` filter: `obsidian search query="{query}" path="01_Projects" limit=5`
+Read `vault_backend` from `~/.claude/praxis.config.json`.
 
-**Note:** The Obsidian CLI requires Obsidian to be running. If Obsidian is not running, vault search will fail.
+| Backend | Search command | Requires |
+|---------|---------------|----------|
+| obsidian | `obsidian search query="{query}" limit=5` | Obsidian running |
+| ripgrep | `rg --files-with-matches "{query}" {vault_path}` | rg installed |
+
+Scope searches:
+- obsidian: `obsidian search query="{query}" path="01_Projects" limit=5`
+- ripgrep: `rg --files-with-matches "{query}" {vault_path}/01_Projects`
+
+If backend is `obsidian` and Obsidian is not running, vault search will fail.
+If backend is unset, default to `obsidian`.
 Use `[[wikilinks]]` for all internal vault references.
 
 ## Vault Location

package/base/{rules/architecture.md → skills/architecture-patterns/SKILL.md}

@@ -1,5 +1,15 @@
-# Architecture Rules
-<!-- Universal — applies when designing systems, documenting decisions, writing proposals -->
+---
+name: architecture-patterns
+description: >
+  Architecture decision and design documentation standards. Auto-triggers when
+  writing ADRs, technical specs, risk register entries, system design documents,
+  or any decision that affects system design, network topology, identity model,
+  data residency, security posture, or compliance scope. Also triggers when
+  writing status updates, blocker reports, or spec summaries that require
+  What/So What/Now What structure.
+---
+
+# Architecture Patterns
 
 ## Invariants — BLOCK on violation
 
@@ -22,8 +32,6 @@
 - If in doubt: repo = what runs, vault = why it runs that way.
 - Never put credentials, client-specific data, or engagement PII in the repo.
 
----
-
 ## Conventions — WARN on violation
 
 ### Specs before implementation
@@ -34,18 +42,8 @@
 - Phase completion criteria documented before the phase begins — not retroactively.
 - 99% complete is not complete. One remaining blocker = log it, don't round to done.
 
----
-
 ## Verification Commands
 ```bash
-# Check for ADRs missing required sections
 grep -rL "## Decision\|## Context\|## Consequences" {vault_path}/specs/ 2>/dev/null
-
-# Find specs older than 90 days that may be stale
 find {vault_path}/specs/ -name "*.md" -mtime +90 -ls 2>/dev/null
 ```
-
----
-
-## Removal Condition
-Permanent. These are workflow guardrails, not project-specific.

package/base/skills/code-gc/SKILL.md

@@ -5,7 +5,6 @@ description: Detect code entropy in the current repo. Dead code, test debt, stal
   TODOs, oversized functions, commented-out blocks, unused deps. Two modes:
   lightweight (called by session-retro) and full audit (manual /code-gc).
   Never auto-deletes or auto-fixes. Side-effect skill — never auto-triggers.
-allowed-tools: Bash, Read, Write
 ---
 
 # code-gc Skill

package/base/{rules/communication.md → skills/communication-standards/SKILL.md}

@@ -1,5 +1,15 @@
-# Communication Rules
-<!-- Universal — applies to all client-facing writing, proposals, status reports, specs -->
+---
+name: communication-standards
+description: >
+  Client-facing writing standards. Auto-triggers when writing proposals,
+  status reports, executive summaries, SOWs, deliverable documents, or any
+  content targeting a non-technical audience. Also triggers when writing
+  git commit messages, PR descriptions, or any text where AI attribution
+  must be avoided. Covers executive-summary-first rule, What/So What/Now What
+  structure, proposal format, audience calibration, and no-AI-attribution policy.
+---
+
+# Communication Standards
 
 ## Invariants — BLOCK on violation
 
@@ -19,8 +29,6 @@
   "It's worth noting that", "In conclusion", "To summarize the above".
 - Never open with "In today's rapidly evolving landscape" or equivalent.
 
----
-
 ## Conventions — WARN on violation
 
 ### Proposal structure
@@ -54,16 +62,9 @@ agent-memory.jsonl
 .vault-path
 ```
 
----
-
 ## Verification Commands
 ```bash
-# Check commit messages for AI attribution
 git log --oneline -20 | grep -iE "(claude|ai-generated|co-authored by ai)"
-
-# Check staged markdown for AI filler phrases
 git diff --staged -- "*.md" | grep -iE "(certainly|absolutely|great question|i'd be happy)"
-
-# Verify .gitignore covers CLAUDE.md
-grep -q "CLAUDE.md" .gitignore && echo "✓ CLAUDE.md ignored" || echo "✗ CLAUDE.md NOT in .gitignore"
+grep -q "CLAUDE.md" .gitignore && echo "✓" || echo "✗ CLAUDE.md NOT in .gitignore"
 ```

package/base/{commands/context-reset.md → skills/context-reset/SKILL.md}

@@ -1,4 +1,6 @@
 ---
+name: context-reset
+disable-model-invocation: true
 description: Checkpoint current session state to vault files before a context reset. Use when context degradation is detected (repeated corrections, loop behavior, instruction drift).
 ---
 

package/base/skills/context7-lookup/SKILL.md

@@ -0,0 +1,53 @@
+---
+name: context7-lookup
+description: >
+  Enforces the docs-first mandate from coding.md. Before implementing with
+  any external library, framework, or API, use Context7 to retrieve current
+  documentation. Activates when code references an external package, imports
+  a third-party library, or calls an API that releases frequently.
+---
+
+# context7-lookup Skill
+
+## When to Use
+
+Before writing code that uses an external library, framework, or API:
+1. Resolve the library ID: `resolve-library-id` with the package name
+2. Query docs: `query-docs` with the resolved ID and your specific question
+3. Proceed with implementation using verified signatures
+
+## Flow
+
+**Step 1 — Identify the library**
+From the user's request or the code context, determine which library/API
+needs documentation lookup.
+
+**Step 2 — Resolve library ID**
+Use the Context7 MCP tool `resolve-library-id`:
+- Input: library name (e.g., "react", "express", "terraform azurerm")
+- Output: resolved library ID for querying
+
+**Step 3 — Query documentation**
+Use the Context7 MCP tool `query-docs`:
+- Input: resolved library ID + specific question about the method/API
+- Output: current documentation with code examples
+
+**Step 4 — Implement with verified signatures**
+Use the documentation output as the authoritative source for:
+- Method signatures and parameter types
+- Constructor arguments
+- Configuration options
+- Return types and error cases
+
+## When Context7 Is Unavailable
+
+If the MCP server is not running or returns an error:
+1. State that docs could not be verified
+2. Flag the specific method/API as "unverified against current version"
+3. Proceed with best-knowledge implementation but mark it for review
+
+## What NOT to Look Up
+
+- Standard library functions (built into the language)
+- Patterns you've already verified in this session
+- Internal project code (use `rg` instead)

package/base/{commands/debug.md → skills/debug/SKILL.md}

@@ -1,4 +1,6 @@
 ---
+name: debug
+disable-model-invocation: true
 description: Structured test-first debugging. Reproduce the bug, write a failing test, isolate root cause, fix, verify. Use for pure bugfixes — skips the full loop.
 ---
 

package/base/{commands/discover.md → skills/discover/SKILL.md}

@@ -1,4 +1,6 @@
 ---
+name: discover
+disable-model-invocation: true
 description: Structured technical discovery — evaluate options, make recommendations with confidence levels. Use before /spec when you need to research before deciding.
 ---
 

package/base/{commands/discuss.md → skills/discuss/SKILL.md}

@@ -1,4 +1,6 @@
 ---
+name: discuss
+disable-model-invocation: true
 description: Entry point for all feature work. Conversational problem framing — listen first, then synthesize scope. Use before /plan.
 ---
 

package/base/{commands/execute.md → skills/execute/SKILL.md}

@@ -1,4 +1,6 @@
 ---
+name: execute
+disable-model-invocation: true
 description: Implementation phase — loads scoped context and works one milestone at a time. Use after plan is approved.
 ---
 
@@ -18,7 +20,6 @@ Load ONLY rules relevant to files being touched in this milestone:
 - GitHub Actions → `~/.claude/rules/github-actions.md`
 - PowerShell → `~/.claude/rules/powershell.md`
 - Git operations → `~/.claude/rules/git-workflow.md`
-- Security-sensitive changes → `~/.claude/rules/security.md`
 
 Do NOT load all rules. Context is scarce — spend it on implementation, not instructions.
 

package/base/{commands/fast.md → skills/fast/SKILL.md}

@@ -1,4 +1,6 @@
 ---
+name: fast
+disable-model-invocation: true
 description: Skip planning for trivial changes. Edit, verify, commit. Use for typos, config tweaks, single-line fixes, and other changes too small for a plan.
 ---
 

package/base/{commands/kit.md → skills/kit/SKILL.md}

@@ -1,6 +1,7 @@
 ---
+name: kit
+disable-model-invocation: true
 description: Activate or deactivate a domain AI-Kit. Use /kit:web-designer to activate, /kit:off to deactivate, /kit:list to show installed kits.
-allowed-tools: Bash(ls ~/.claude/kits/*)
 ---
 
 You are managing AI-Kit activation.

package/base/skills/managing-git-identities/SKILL.md

@@ -0,0 +1,98 @@
+---
+name: managing-git-identities
+description: >
+  Guides setup and troubleshooting of multiple Git identities
+  (SSH keys, commit author, GitHub CLI auth, includeIf directory
+  routing). Activates when user discusses git accounts, commit
+  identity mismatch, SSH key management, or gh auth switching.
+---
+
+## Two Independent Problems
+
+Every commit stamps `user.name` and `user.email` into metadata.
+This is separate from which credentials authenticate to the remote.
+Solve both layers independently.
+
+## Methods (ranked simplest → most flexible)
+
+### 1. GitHub CLI (`gh auth switch`)
+Requires gh >= 2.40.0. Stores OAuth tokens per account.
+
+```bash
+gh auth login                          # first account
+gh auth login --hostname github.com    # second account
+gh auth switch -u <username>
+```
+
+Set commit identity locally after clone:
+```bash
+git config --local user.name "Work Name"
+git config --local user.email "work@company.com"
+```
+
+### 2. SSH Key Per Account
+Map keys to host aliases in `~/.ssh/config`:
+
+```
+Host github.com-personal
+  HostName github.com
+  User git
+  IdentityFile ~/.ssh/id_personal
+  IdentitiesOnly yes
+
+Host github.com-work
+  HostName github.com
+  User git
+  IdentityFile ~/.ssh/id_work
+  IdentitiesOnly yes
+```
+
+Clone with alias: `git clone git@github.com-work:org/repo.git`
+
+### 3. `includeIf` — Auto-Switch by Directory
+Best when repos are organized by directory tree.
+
+```gitconfig
+# ~/.gitconfig
+[user]
+    name = Personal Name
+    email = personal@gmail.com
+
+[includeIf "gitdir:~/work/"]
+    path = ~/work/.gitconfig
+```
+
+```gitconfig
+# ~/work/.gitconfig
+[user]
+    name = Work Name
+    email = work@company.com
+```
+
+### 4. HTTPS + Credential Manager + `useHttpPath`
+For corporate proxy environments:
+
+```gitconfig
+[credential "https://github.com"]
+    useHttpPath = true
+    helper = manager
+```
+
+## Decision Matrix
+
+| Scenario | Method |
+|---|---|
+| GitHub-only, minimal config | `gh auth switch` |
+| Multi-platform (GitHub + GitLab) | SSH aliases |
+| Directory-organized repos | `includeIf` + SSH or HTTPS |
+| Corporate HTTPS-only | Credential Manager + `useHttpPath` |
+
+## Praxis Integration
+
+Praxis enforces identity at commit time via:
+- `git-workflow.md` identity table (expected email per path)
+- `identity-check.sh` hook (hard blocks on mismatch)
+- `praxis.config.json` identity section (machine-local, never committed)
+
+When setting up a new machine, run `install.sh` — it prompts for identity
+details and generates `profile.md` and `git-workflow.md` from templates.

package/base/{commands/next.md → skills/next/SKILL.md}

@@ -1,4 +1,6 @@
 ---
+name: next
+disable-model-invocation: true
 description: Auto-advance to the next workflow phase. Reads status.md loop_position and plan state to determine what comes next. Use anytime to keep moving.
 ---
 

package/base/{commands/plan.md → skills/plan/SKILL.md}

@@ -1,4 +1,6 @@
 ---
+name: plan
+disable-model-invocation: true
 description: Create a dated work plan for the current project. Writes to vault plans/ directory and updates status.md current_plan field. Use when starting any multi-step task.
 ---