@esoteric-logic/praxis-harness 2.3.0 → 2.4.0

package/base/hooks/quality-check.sh

@@ -0,0 +1,165 @@
+#!/usr/bin/env bash
+# quality-check.sh — PostToolUse hook (merged format + lint + typecheck)
+# Detects stack from file extension. Formats, lints, type-checks.
+# Always exits 0 (PostToolUse cannot hard-block).
+# Emits JSON feedback for Claude self-correction.
+set -uo pipefail
+
+INPUT=$(cat)
+
+# Guard: skip if stop hook is active (prevent infinite loop)
+if [ "$(echo "$INPUT" | jq -r '.stop_hook_active // false')" = "true" ]; then
+  exit 0
+fi
+
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // empty')
+
+if [ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ]; then
+  exit 0
+fi
+
+EXT="${FILE_PATH##*.}"
+BASENAME=$(basename "$FILE_PATH")
+ISSUES=()
+
+# ── FORMAT ──────────────────────────────────────────────
+case "$EXT" in
+  go)
+    if command -v goimports &>/dev/null; then
+      goimports -w "$FILE_PATH" 2>/dev/null
+    elif command -v gofmt &>/dev/null; then
+      gofmt -w "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  tf|tfvars)
+    if command -v terraform &>/dev/null; then
+      terraform fmt "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  sh|bash)
+    if command -v shfmt &>/dev/null; then
+      shfmt -i 2 -ci -bn -w "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  py)
+    if command -v ruff &>/dev/null; then
+      ruff format "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  json)
+    if command -v jq &>/dev/null; then
+      TMP=$(mktemp)
+      if jq . "$FILE_PATH" > "$TMP" 2>/dev/null; then
+        mv "$TMP" "$FILE_PATH"
+      else
+        rm -f "$TMP"
+      fi
+    fi
+    ;;
+  toml)
+    if command -v taplo &>/dev/null; then
+      taplo format "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  md)
+    if command -v prettier &>/dev/null; then
+      prettier --write --prose-wrap always "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+esac
+
+# ── LINT ────────────────────────────────────────────────
+case "$EXT" in
+  go)
+    if command -v go &>/dev/null; then
+      LINT_OUT=$(go vet "$FILE_PATH" 2>&1) || true
+      if [ -n "$LINT_OUT" ]; then
+        ISSUES+=("go vet: $LINT_OUT")
+      fi
+    fi
+    ;;
+  tf|tfvars)
+    if command -v tflint &>/dev/null; then
+      LINT_OUT=$(tflint --filter="$FILE_PATH" 2>&1) || true
+      if [ -n "$LINT_OUT" ]; then
+        ISSUES+=("tflint: $LINT_OUT")
+      fi
+    fi
+    ;;
+  sh|bash)
+    if command -v shellcheck &>/dev/null; then
+      LINT_OUT=$(shellcheck -f gcc "$FILE_PATH" 2>&1) || true
+      if [ -n "$LINT_OUT" ]; then
+        ISSUES+=("shellcheck: $LINT_OUT")
+      fi
+    fi
+    ;;
+  py)
+    if command -v ruff &>/dev/null; then
+      LINT_OUT=$(ruff check --fix "$FILE_PATH" 2>&1) || true
+      if [ -n "$LINT_OUT" ] && ! echo "$LINT_OUT" | grep -q "All checks passed"; then
+        ISSUES+=("ruff: $LINT_OUT")
+      fi
+    fi
+    ;;
+  md)
+    if command -v vale &>/dev/null; then
+      LINT_OUT=$(vale --output=line "$FILE_PATH" 2>&1) || true
+      if [ -n "$LINT_OUT" ]; then
+        ISSUES+=("vale: $LINT_OUT")
+      fi
+    fi
+    ;;
+  yml|yaml)
+    if command -v yamllint &>/dev/null; then
+      LINT_OUT=$(yamllint -f parsable "$FILE_PATH" 2>&1) || true
+      if [ -n "$LINT_OUT" ]; then
+        ISSUES+=("yamllint: $LINT_OUT")
+      fi
+    fi
+    ;;
+esac
+
+# ── LINT (Dockerfile special case) ─────────────────────
+if [ "$BASENAME" = "Dockerfile" ] || echo "$BASENAME" | grep -qE "^Dockerfile\."; then
+  if command -v hadolint &>/dev/null; then
+    LINT_OUT=$(hadolint "$FILE_PATH" 2>&1) || true
+    if [ -n "$LINT_OUT" ]; then
+      ISSUES+=("hadolint: $LINT_OUT")
+    fi
+  fi
+fi
+
+# ── TYPECHECK ───────────────────────────────────────────
+case "$EXT" in
+  go)
+    if command -v go &>/dev/null; then
+      DIR=$(dirname "$FILE_PATH")
+      TC_OUT=$(cd "$DIR" && go build ./... 2>&1) || true
+      if [ -n "$TC_OUT" ]; then
+        ISSUES+=("go build: $TC_OUT")
+      fi
+    fi
+    ;;
+  bicep)
+    if command -v az &>/dev/null; then
+      TC_OUT=$(az bicep build --file "$FILE_PATH" 2>&1) || true
+      if echo "$TC_OUT" | grep -qi "error"; then
+        ISSUES+=("bicep build: $TC_OUT")
+      fi
+    fi
+    ;;
+esac
+
+# ── EMIT RESULT ─────────────────────────────────────────
+if [ ${#ISSUES[@]} -eq 0 ]; then
+  echo '{"decision":"pass","reason":""}'
+else
+  # Truncate to avoid flooding context window
+  COMBINED=$(printf '%s\n' "${ISSUES[@]}" | head -30)
+  # Escape for JSON
+  ESCAPED=$(echo "$COMBINED" | jq -Rs .)
+  echo "{\"decision\":\"block\",\"reason\":$ESCAPED}"
+fi
+
+exit 0

package/base/hooks/settings-hooks.json

@@ -10,6 +10,15 @@
           }
         ]
       },
+      {
+        "matcher": "Write|Edit|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/file-guard.sh"
+          }
+        ]
+      },
       {
         "matcher": "Bash",
         "hooks": [
@@ -26,7 +35,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "bash ~/.claude/hooks/auto-format.sh"
+            "command": "bash ~/.claude/hooks/quality-check.sh"
           }
         ]
       }
@@ -39,6 +48,10 @@
             "type": "command",
             "command": "bash ~/.claude/hooks/post-session-lint.sh"
           },
+          {
+            "type": "prompt",
+            "prompt": "Run the project test suite. Read CLAUDE.md ## Commands for the test command. If no test command defined, respond {ok:true}. Run tests. If all pass: respond {ok:true}. If tests fail: respond {ok:false, reason:'Tests failing: <summary>'}. Do not fix — only report."
+          },
           {
             "type": "command",
             "command": "bash ~/.claude/hooks/session-data-collect.sh"

package/base/hooks/vault-checkpoint.sh

@@ -37,6 +37,27 @@ if [[ -f "$STATUS_FILE" ]]; then
   [[ -z "$LOOP_POSITION" ]] && LOOP_POSITION="unknown"
 fi
 
+# ── Quality state snapshot (survives compaction) ──
+LINT_STATE="unknown"
+TEST_STATE="unknown"
+
+if [ -f "go.mod" ] && command -v golangci-lint &>/dev/null; then
+  LINT_COUNT=$(golangci-lint run ./... 2>&1 | grep -c "^" || true)
+  if [ "$LINT_COUNT" -eq 0 ]; then
+    LINT_STATE="clean"
+  else
+    LINT_STATE="$LINT_COUNT findings"
+  fi
+fi
+
+if [ -f "go.mod" ] && command -v go &>/dev/null; then
+  if go test ./... -short 2>&1 | grep -q "^ok"; then
+    TEST_STATE="passing"
+  else
+    TEST_STATE="failing"
+  fi
+fi
+
 cat > "$CHECKPOINT_FILE" <<EOF
 ---
 tags: [checkpoint, compact]
@@ -58,6 +79,10 @@ $CURRENT_PLAN
 ## Loop Position
 $LOOP_POSITION
 
+## Quality State
+- Lint: $LINT_STATE
+- Tests: $TEST_STATE
+
 ## Note
 This checkpoint was auto-written by the PreCompact hook.
 Read this file after compaction to restore context.

package/base/rules/coding.md

@@ -113,8 +113,31 @@ Before adding any new package:
 
 ---
 
+## Linter Delegation
+
+Style, formatting, import ordering, complexity thresholds, and security patterns
+are enforced by automated tooling (golangci-lint, shellcheck, hadolint, tflint,
+semgrep, vale). Rules files cover ONLY:
+- Architecture decisions tooling cannot express
+- Permission boundaries and file-group scoping
+- Error learning from real session failures
+- Verification command references
+
+Do NOT duplicate in CLAUDE.md what hooks already enforce.
+
+---
+
 ## Verification Commands
 
+Single-file (matches PostToolUse hooks):
+- `go vet <file>` / `shellcheck <file>` / `hadolint Dockerfile` / `vale <file>.md`
+
+Project-level (matches pre-commit + /verify):
+- `golangci-lint run`
+- `semgrep --config=auto --error .`
+- `govulncheck ./...`
+- `trivy config .`
+
 ```bash
 # Verify Context7 MCP is active
 claude mcp list | grep context7

package/base/rules/context-management.md

@@ -57,6 +57,8 @@ conversation length heuristic (not token count — we cannot read session JSONL)
 - Re-read key requirements before implementation decisions
 - Reinforce constraint awareness — re-state SPEC if drifting
 - Prefer concise output — save context for implementation
+- Run lint on all files modified this session to catch drift-induced errors:
+  `golangci-lint run $(git diff --name-only HEAD) 2>/dev/null || true`
 
 ### DEPLETED (late session, >60%)
 - Checkpoint progress to vault files before continuing

package/base/rules/terraform.md

@@ -39,10 +39,20 @@ paths:
 - Managed identity preferred over service principal where possible
 - Tag all resources: `project`, `environment`, `owner`, `created_by = "terraform"`
 
+### Security scanning
+- Run `trivy config .` before committing infrastructure changes.
+- If trivy is not installed: warn, do not block. (tfsec is deprecated — use trivy.)
+
+### Cost Awareness
+Before proposing any Azure resource, state the estimated SKU and monthly cost.
+Prefer B-series (burstable) over D/E-series unless workload justifies it.
+Infracost runs on every commit — cost surprises are treated as bugs.
+
 ## Verification Commands
 ```bash
 terraform fmt -recursive -check
 terraform validate
+trivy config --severity HIGH,CRITICAL .
 rg 'source\s*=\s*"\.\.\/environments' modules/
 rg '^resource "' environments/
 ```

package/base/skills/execute/SKILL.md

@@ -41,6 +41,21 @@ Before implementing the current milestone, declare the file group:
   - **Rationale**: {why}
   ```
 
+**Step 2c — Execution mode selection**
+Read `execution_type` from the active plan frontmatter.
+
+**If execution_type: tdd**:
+1. Write test file first (`*_test.go`, `*.test.ts`, etc.)
+2. Run test command → confirm RED (tests fail as expected)
+3. If tests pass before implementation → tests are wrong, rewrite them
+4. Implement minimum code to make tests GREEN
+5. Run lint (project lint command from CLAUDE.md ## Commands)
+6. Refactor if needed — tests must stay green
+7. Commit test + implementation together
+
+**If execution_type: execute** (default):
+Proceed with existing implementation flow unchanged.
+
 **Step 3 — Implement current milestone**
 - Update `{vault_path}/status.md`: set `loop_position: EXECUTE`.
 - One milestone at a time. Keep diffs scoped.

package/base/skills/plan/SKILL.md

@@ -106,6 +106,22 @@ After building the milestone list:
 - Validate checkpoints: milestones with architectural decisions or user-facing output
   should be annotated as `checkpoint: decision` or `checkpoint: human-verify`.
 
+**Step 2c — Execution type recommendation**
+After building milestones, recommend `execution_type` in plan frontmatter:
+
+Recommend **tdd** when:
+- Plan touches existing code that already has tests
+- Plan involves API contracts, interfaces, or data transformations
+- Plan is a bug fix (regression test first)
+
+Recommend **execute** when:
+- Pure IaC / infrastructure work
+- Greenfield scaffolding with no existing test patterns
+- Documentation-only changes
+
+Write the recommendation to plan frontmatter. Explain the reasoning in one line.
+The operator can override during plan review.
+
 **Step 3 — Write and wire**
 - Write to: `{vault_path}/plans/{YYYY-MM-DD}_{kebab-title}.md`
 - Update `status.md`: set `current_plan:`, update `last_updated`, set `loop_position: PLAN`, update `## Now What`

package/base/skills/pre-commit-lint/SKILL.md

@@ -36,7 +36,7 @@ Out of scope:
 
 1. Read `{repo_root}/CLAUDE.md` → extract `{identity_email}` and `{stack}`
 2. Detect stack from repo: `git ls-files | grep -E "\.(tf|ps1|yml|py|ts|sh|go)$" | sed 's/.*\.//' | sort -u`
-3. Check tool availability: tflint, tfsec, actionlint, ruff, mypy, terraform, shellcheck
+3. Check tool availability: tflint, trivy, actionlint, ruff, mypy, terraform, shellcheck, golangci-lint, semgrep, hadolint, govulncheck, infracost, vale, markdownlint, gitleaks, commitlint
 
 ## Phase 1 — Generate Hook
 
@@ -47,6 +47,26 @@ Append stack sections based on detected flags:
 - **Shell**: bash -n syntax, set -euo check, shellcheck
 - **GitHub Actions**: actionlint, unpinned action check
 - **Python**: ruff, mypy
+- **Go** (if golangci-lint available): `golangci-lint run` on staged .go files
+- **Security** (if tools available):
+  - `gitleaks protect --staged` (replaces regex-based secret scan if gitleaks available)
+  - `semgrep --config=auto --error` on staged code files (if semgrep available)
+- **Terraform security** (if tools available):
+  - `trivy config --severity HIGH,CRITICAL --exit-code 1` on staged .tf files
+  - `infracost breakdown --path=.` (advisory only, exit 0)
+- **Docker** (if hadolint available):
+  - `hadolint` on staged Dockerfiles
+  - `trivy config` on staged Dockerfiles (if trivy available)
+- **Dependencies** (if applicable):
+  - `govulncheck ./...` (if go.mod exists and govulncheck available)
+- **Markdown** (if tools available):
+  - `vale` on staged .md files
+  - `markdownlint` on staged .md files
+
+### Commit Message Hook
+Generate a SEPARATE `.git/hooks/commit-msg` file that runs:
+- `commitlint --edit $1` (if commitlint available)
+
 Append summary footer.
 
 ## Phase 2 — Write and Verify

package/base/skills/repair/SKILL.md

@@ -52,6 +52,13 @@ Run the full validation sequence from `/verify` Step 1:
 3. Typecheck (if applicable)
 4. Build (if applicable)
 
+**Step 4b — Post-fix security re-scan**
+After applying the fix, run the full validation sequence from /verify Step 1 (including security scan).
+If the original failure was security-related:
+1. Re-run the exact scanner that found the original issue
+2. Confirm the specific finding is resolved
+3. Verify the fix didn't introduce NEW findings in the same file
+
 **Step 5 — Evaluate result**
 - **PASS** → Milestone repaired. Commit the fix. Return to workflow.
   Output: `Repaired: {what was fixed} in {file}. Next: continue with /execute or /verify.`

package/base/skills/scaffold-new/SKILL.md

@@ -129,6 +129,46 @@ If no: skip silently.
 
 ---
 
+## Phase 5.5b — Linter Config Generation
+
+Based on the detected tech stack from Phase 1, copy relevant configs from `base/configs/`:
+
+| Stack Detected | Configs to Copy |
+|---------------|-----------------|
+| Go | `.golangci.yml` |
+| Shell scripts | `.shellcheckrc` |
+| Dockerfile | `.hadolint.yaml` |
+| Terraform | `.tflint.hcl` |
+| Any | `.vale.ini`, `.vale-styles/Praxis/*` (all rule files), `.editorconfig`, `commitlint.config.js` |
+
+After copying Vale configs: run `vale sync` to download community packages (Microsoft, write-good, Readability).
+
+---
+
+## Phase 5.5c — VS Code Workspace (optional)
+
+Ask: "Generate VS Code workspace settings?"
+If yes:
+- Generate `.vscode/settings.json` with stack-detected configuration (formatter, linter paths)
+- Generate `.vscode/extensions.json` with recommended extensions from this mapping:
+
+| Always | Extension ID |
+|--------|-------------|
+| Vale | `chrischinchilla.vale-vscode` |
+| ShellCheck | `timonwong.shellcheck` |
+| EditorConfig | `editorconfig.editorconfig` |
+| markdownlint | `davidanson.vscode-markdownlint` |
+
+| Stack Detected | Extension ID |
+|---------------|-------------|
+| Go | `golang.go` |
+| Terraform | `hashicorp.terraform` |
+| Docker | `exiasr.hadolint` |
+
+If no: skip silently.
+
+---
+
 ## Phase 6 — Update Project Registry
 
 Append to vault CLAUDE.md Project Registry table and agenda.md.

package/base/skills/scaffold-new/references/repo-CLAUDE-md-template.md

@@ -39,14 +39,40 @@ Code lives here. Knowledge, decisions, and plans live in the vault.
 - {stack_item_3}
 
 ## Commands
+<!-- Populated by scaffold-new based on detected stack -->
+
+### Go
+```bash
+test:     go test ./...
+lint:     golangci-lint run
+format:   goimports -w . && shfmt -w .
+typecheck: go build ./...
+security: govulncheck ./... && semgrep --config=auto --error .
+```
+
+### Terraform
+```bash
+lint:     tflint --recursive && trivy config .
+format:   terraform fmt -recursive
+security: trivy config --severity HIGH,CRITICAL .
+cost:     infracost breakdown --path=.
+```
+
+### General
 ```bash
 dev:    # fill in as project develops
 test:   # fill in as project develops
 lint:   # fill in as project develops
 build:  # fill in as project develops
 format: # fill in as project develops
+prose:  vale .
 ```
 
+## Thresholds
+- coverage_minimum: 80
+- max_function_lines: 60
+- max_cognitive_complexity: 20
+
 ## Code Style
 - Prefer simple, readable code over clever abstractions
 - After finishing implementation, run `/simplify` to clean up
@@ -65,6 +91,12 @@ format: # fill in as project develops
 - **Plans**: `{vault_path}/plans/YYYY-MM-DD_[task-slug].md`
 - **Learnings**: `{vault_path}/notes/learnings.md` using [LEARN:tag] schema
 
+## Protected Files
+<!-- Files that file-guard.sh blocks from modification -->
+- go.sum
+- go.mod
+- .github/workflows/
+
 ## Error Learning
 <!-- When a mistake is corrected, write a new rule here to prevent recurrence -->
 <!-- Each rule should be specific and actionable -->
@@ -77,6 +109,9 @@ format: # fill in as project develops
 **Step 1** — Read this file top to bottom first.
 **Step 2** — Active task? → read active plan. No task? → read status.md.
 **Step 3** — Load stack rules only if the current task touches them.
+**Step 4** — Quality re-anchor: read most recent `compact-checkpoint.md` → check Quality State section.
+If lint findings existed before compaction: re-run lint, confirm status.
+If tests were failing before compaction: re-run tests, confirm status.
 
 ## Compact Preservation
 When compacting, always preserve:

package/base/skills/ship/SKILL.md

@@ -14,6 +14,12 @@ You are running the ship workflow — commit, push, and PR in one command.
   3. Typecheck (if applicable)
   4. Test suite (from CLAUDE.md `## Commands`)
   5. Identity check: `git --no-pager config user.email` must match expected
+  6. Secret deep scan: `gitleaks protect --staged` (if gitleaks available)
+  7. Security scan: `semgrep --config=auto --error .` (if semgrep available, on staged files)
+  8. Dependency check: `govulncheck ./...` (if Go project with go.mod)
+  9. Cost check: `infracost breakdown --path=.` (if Terraform project — advisory only, do not block)
+- Any HIGH/CRITICAL finding in steps 6-8 blocks the ship. Cost check is informational.
+- If tools not installed: skip with note, do not block.
 - If ANY check fails: STOP. Fix first, then re-run `/ship`.
 
 **Step 2 — Stage and review changes**

package/base/skills/verify/SKILL.md

@@ -12,7 +12,12 @@ Execute in order, showing actual output (never assertions):
 2. **Linter** → run the project lint command → show output, fix ALL warnings
 3. **Typecheck** (if applicable) → show output
 4. **Build** (if applicable) → show output
-5. **Functional check** — ask: "Is there a smoke test, `terraform plan` output, or browser check needed for this milestone?" If yes: block until user confirms it passed. If no: proceed.
+5. **Security scan** (if tools available):
+   - **Go**: `gosec ./...` OR `golangci-lint run --enable=gosec` (if golangci-lint available)
+   - **All staged code**: `semgrep --config=auto --error .` (if semgrep available)
+   - If either tool finds HIGH/CRITICAL: treat as blocking — must fix before proceeding.
+   - If tools not installed: skip with advisory note, do not block.
+6. **Functional check** — ask: "Is there a smoke test, `terraform plan` output, or browser check needed for this milestone?" If yes: block until user confirms it passed. If no: proceed.
 
 Read test/lint/build commands from the project CLAUDE.md `## Commands` section.
 If no commands are defined: warn and ask user for the correct commands.
@@ -29,10 +34,16 @@ If no commands are defined: warn and ask user for the correct commands.
 4. Check if more milestones remain:
    - Yes → "Milestone committed. Run `/execute` for the next milestone."
    - No → "All milestones committed. Running self-review."
-5. After ALL milestones: trigger Self-Review Protocol
-   - Launch a subagent to review the full diff as a critical code reviewer
-   - Subagent receives ONLY: the diff, the SPEC (from plan file `## SPEC` section), relevant rules files
-   - Address all Critical and Major findings before reporting done
+5. After ALL milestones: trigger Self-Review Protocol (Subagent Isolation)
+   - Launch a subagent for code review. The subagent receives ONLY:
+     1. The diff: `git diff main...HEAD` (or `git diff HEAD~N` for N commits)
+     2. The SPEC/ACCEPTANCE section from the active plan
+     3. Relevant rules files (scoped to file types in the diff)
+   - The subagent must NOT receive session conversation history or implementation notes.
+   - Two-pass review:
+     - **Pass 1 — Spec compliance**: Does the diff deliver what ACCEPTANCE requires? Flag gaps.
+     - **Pass 2 — Code quality**: Bugs, security issues, dead code, missing error handling, maintainability.
+   - If either pass finds issues: list them. Do not auto-fix — report back to the operator.
 
 **Step 3b — UNIFY (mandatory after all milestones verified)**
 After self-review passes, write phase summary:

package/bin/praxis.js

@@ -105,6 +105,14 @@ async function install() {
     }
   }
 
+  // Copy base/configs/ → ~/.claude/configs/
+  const configsDir = path.join(PKG_DIR, 'base', 'configs');
+  if (fs.existsSync(configsDir)) {
+    fs.mkdirSync(path.join(CLAUDE_DIR, 'configs'), { recursive: true });
+    copyDir(configsDir, path.join(CLAUDE_DIR, 'configs'));
+    ok('linter configs installed');
+  }
+
   // Copy kits/ → ~/.claude/kits/
   const kitsDir = path.join(PKG_DIR, 'kits');
   if (fs.existsSync(kitsDir)) {
@@ -234,6 +242,10 @@ function health() {
   }
   check(fs.existsSync(path.join(CLAUDE_DIR, 'settings.json')), 'settings.json with hooks configured');
 
+  // Configs
+  console.log('\nConfigs:');
+  check(fs.existsSync(path.join(CLAUDE_DIR, 'configs')), 'configs directory installed');
+
   // Kits
   console.log('\nKits:');
   check(fs.existsSync(path.join(CLAUDE_DIR, 'kits')), 'kits directory installed');
@@ -317,6 +329,13 @@ function uninstall() {
     ok('hooks removed');
   }
 
+  // Remove configs
+  const configsTarget = path.join(CLAUDE_DIR, 'configs');
+  if (fs.existsSync(configsTarget)) {
+    fs.rmSync(configsTarget, { recursive: true, force: true });
+    ok('linter configs removed');
+  }
+
   // Remove kits
   const kitsTarget = path.join(CLAUDE_DIR, 'kits');
   if (fs.existsSync(kitsTarget)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@esoteric-logic/praxis-harness",
-  "version": "2.3.0",
+  "version": "2.4.0",
   "description": "Layered Claude Code harness — workflow discipline, AI-Kits, persistent vault integration",
   "bin": {
     "praxis-harness": "./bin/praxis.js"