@esoteric-logic/praxis-harness 2.6.0 → 2.8.0

package/README.md

@@ -10,7 +10,7 @@ Praxis gives Claude Code a three-layer operating system:
 
 **Universal base** — always loaded. Praxis structures work (discuss → plan → execute → verify → simplify → ship). Built-in quality enforcement (debugging, code review, simplification).
 
-**AI-Kits** — activated on demand via `/kit:<name>`. Each kit bundles domain-specific rules, skills, MCP servers, and slash commands. Activate the web-designer kit and your components get design system enforcement, accessibility auditing, and production lint. Deactivate with `/kit:off`.
+**AI-Kits** — activated on demand via `/px-kit:<name>`. Each kit bundles domain-specific rules, skills, MCP servers, and slash commands. Activate the web-designer kit and your components get design system enforcement, accessibility auditing, and production lint. Deactivate with `/px-kit:off`.
 
 **Project config** — per-repo rules that fire automatically based on file paths. Terraform rules load when you touch `.tf` files. GitHub Actions rules load when you touch workflow YAML. No manual switching.
 
@@ -33,51 +33,51 @@ npx @esoteric-logic/praxis-harness@latest uninstall   # remove Praxis-owned file
 
 ## After install
 
-Verify with `/help` — you should see Praxis commands (`/discuss`, `/execute`, `/verify`, `/plan`, `/ship`, `/kit:*`).
+Verify with `/help` — you should see Praxis commands (`/px-discuss`, `/px-execute`, `/px-verify`, `/px-plan`, `/px-ship`, `/px-kit:*`).
 
 ## Workflow
 
 The standard Praxis workflow for feature development:
 
 ```
-/standup           → orient (reads status.md, surfaces stale state)
-/discuss       → frame the problem (conversational, scope guard)
-/discover          → research options with confidence levels (before /spec)
-/plan    → plan milestones (with dependency ordering + boundaries)
-/execute       → implement one milestone at a time (file-group isolation)
-/verify        → validate (test/lint/typecheck/build, self-review, UNIFY)
-/session-retro     → capture learnings, update vault
+/px-standup           → orient (reads status.md, surfaces stale state)
+/px-discuss          → frame the problem (conversational, scope guard)
+/px-discover         → research options with confidence levels (before /px-spec)
+/px-plan             → plan milestones (with dependency ordering + boundaries)
+/px-execute          → implement one milestone at a time (file-group isolation)
+/px-verify           → validate (test/lint/typecheck/build, self-review, UNIFY)
+/px-session-retro    → capture learnings, update vault
 ```
 
-For pure bugfixes: `/debug` (test-first debugging, skips the full loop).
-For code review: `/review` (launches subagent review at any time).
-For technical research: `/discover` (structured options evaluation before decisions).
+For pure bugfixes: `/px-debug` (test-first debugging, skips the full loop).
+For code review: `/px-review` (launches subagent review at any time).
+For technical research: `/px-discover` (structured options evaluation before decisions).
 
 ## Commands
 
 | Command | Purpose |
 |---------|---------|
-| `discuss` | Conversational problem framing, SPEC synthesis, scope guard |
-| `execute` | Implement one milestone with file-group isolation + boundary enforcement |
-| `verify` | Validate milestone (test/lint/build), self-review, UNIFY phase summary |
-
-| `plan` | Create a dated work plan with milestone dependencies + checkpoints |
-| `spec` | Create a structured spec or ADR with conflict detection |
-| `discover` | Structured technical discovery with confidence-rated options |
-| `standup` | Session-start orientation from vault state |
-| `risk` | Add a risk register entry to the vault |
-| `kit` | Activate/deactivate an AI-Kit |
-| `review` | Manual code review via subagent |
-| `simplify` | Post-implementation code simplification via subagent |
-| `debug` | Structured test-first debugging |
-| `ship` | Commit, push, and PR in one command with pre-flight checks |
-| `verify-app` | End-to-end verification with regression analysis |
-| `session-retro` | End-of-session retrospective with learnings extraction |
-| `status-update` | Manual vault status.md update |
-| `repair` | Structured 3-attempt fix-and-verify loop for failed milestones |
-| `sync-memory` | Bridge auto-memory insights to Obsidian vault |
-| `context-probe` | Assess context health and recommend action |
-| `context-reset` | Reload context from vault without clearing session |
+| `px-discuss` | Conversational problem framing, SPEC synthesis, scope guard |
+| `px-execute` | Implement one milestone with file-group isolation + boundary enforcement |
+| `px-verify` | Validate milestone (test/lint/build), self-review, UNIFY phase summary |
+
+| `px-plan` | Create a dated work plan with milestone dependencies + checkpoints |
+| `px-spec` | Create a structured spec or ADR with conflict detection |
+| `px-discover` | Structured technical discovery with confidence-rated options |
+| `px-standup` | Session-start orientation from vault state |
+| `px-risk` | Add a risk register entry to the vault |
+| `px-kit` | Activate/deactivate an AI-Kit |
+| `px-review` | Manual code review via subagent |
+| `px-simplify` | Post-implementation code simplification via subagent |
+| `px-debug` | Structured test-first debugging |
+| `px-ship` | Commit, push, and PR in one command with pre-flight checks |
+| `px-verify-app` | End-to-end verification with regression analysis |
+| `px-session-retro` | End-of-session retrospective with learnings extraction |
+| `px-status-update` | Manual vault status.md update |
+| `px-repair` | Structured 3-attempt fix-and-verify loop for failed milestones |
+| `px-sync-memory` | Bridge auto-memory insights to Obsidian vault |
+| `px-context-probe` | Assess context health and recommend action |
+| `px-context-reset` | Reload context from vault without clearing session |
 
 ## Rules
 
@@ -114,11 +114,11 @@ Key additions in this version:
 
 | Kit | Activate | What it does |
 |-----|----------|-------------|
-| web-designer | `/kit:web-designer` | Design system init → component build → accessibility audit → production lint |
-| infrastructure | `/kit:infrastructure` | Terraform plan → apply → drift detection → compliance check |
-| api | `/kit:api` | RESTful conventions → OpenAPI specs → contract testing |
-| security | `/kit:security` | Threat modeling → IAM review → OWASP audit |
-| data | `/kit:data` | Schema design → migration planning → query optimization |
+| web-designer | `/px-kit:web-designer` | Design system init → component build → accessibility audit → production lint |
+| infrastructure | `/px-kit:infrastructure` | Terraform plan → apply → drift detection → compliance check |
+| api | `/px-kit:api` | RESTful conventions → OpenAPI specs → contract testing |
+| security | `/px-kit:security` | Threat modeling → IAM review → OWASP audit |
+| data | `/px-kit:data` | Schema design → migration planning → query optimization |
 
 More kits coming. See `docs/creating-a-kit.md` to build your own.
 
@@ -158,13 +158,13 @@ Praxis auto-documents your work in the vault with zero manual effort. Two indepe
 
 | Skill | Auto-writes to vault |
 |-------|---------------------|
-| `/execute` | `status.md` loop position, `decision-log.md` scope events |
-| `/verify` | `claude-progress.json` milestones[] |
-| `/review` | `specs/review-{date}-{slug}.md` (full findings breakdown) |
-| `/simplify` | `notes/{date}_simplify-findings.md` |
-| `/debug` | `notes/{date}_debug-trace.md` |
-| `/verify-app` | `specs/verify-app-{date}-{slug}.md` |
-| `/ship` | `claude-progress.json` features[] |
+| `/px-execute` | `status.md` loop position, `decision-log.md` scope events |
+| `/px-verify` | `claude-progress.json` milestones[] |
+| `/px-review` | `specs/review-{date}-{slug}.md` (full findings breakdown) |
+| `/px-simplify` | `notes/{date}_simplify-findings.md` |
+| `/px-debug` | `notes/{date}_debug-trace.md` |
+| `/px-verify-app` | `specs/verify-app-{date}-{slug}.md` |
+| `/px-ship` | `claude-progress.json` features[] |
 
 **On context compaction** (automatic fallback):
 - `plans/{date}-compact-checkpoint.md` — git state, active plan, loop position
@@ -184,14 +184,14 @@ Re-copies all hooks, skills, rules, and kits from the latest npm package version
 
 ### Updating existing projects
 
-After a harness update that adds new vault files (like `decision-log.md`), run `/scaffold-exist` in a Claude Code session to audit your vault and add any missing files. This is non-destructive — it never overwrites existing content.
+After a harness update that adds new vault files (like `decision-log.md`), run `/px-scaffold-exist` in a Claude Code session to audit your vault and add any missing files. This is non-destructive — it never overwrites existing content.
 
 ```
 Step 1: npx @esoteric-logic/praxis-harness@latest update   → deploys new hooks, skills, rules
-Step 2: /scaffold-exist                                      → audits vault, adds missing files
+Step 2: /px-scaffold-exist                                   → audits vault, adds missing files
 ```
 
-New projects get everything automatically via `/scaffold-new`.
+New projects get everything automatically via `/px-scaffold-new`.
 
 ## Uninstalling
 

package/base/CLAUDE.md

@@ -14,20 +14,20 @@ You are a senior engineering partner. Think before you build. Verify before you
 
 ## Workflow Hierarchy
 - **Praxis** owns the outer loop: discuss → plan → execute → verify → simplify → ship.
-  Always start feature work with `/discuss` or `/next`.
+  Always start feature work with `/px-discuss` or `/px-next`.
 - **Kits** inject domain context into this workflow — they don't replace it.
-- Pure bugfixes: skip the full loop, use `/debug` directly.
-- Trivial changes (typos, config): use `/fast` to skip planning.
-- After every implementation: run `/simplify` to clean up code before verify.
-- Use `/verify-app` for end-to-end checks, `/ship` when ready to commit+push+PR.
+- Pure bugfixes: skip the full loop, use `/px-debug` directly.
+- Trivial changes (typos, config): use `/px-fast` to skip planning.
+- After every implementation: run `/px-simplify` to clean up code before verify.
+- Use `/px-verify-app` for end-to-end checks, `/px-ship` when ready to commit+push+PR.
 
 ## Plan Mode Protocol
 For non-trivial tasks (3+ steps):
 1. Start in Plan Mode — iterate on the plan until it's solid
 2. Switch to auto-accept edits and let Claude one-shot the implementation
-3. Run `/simplify` after implementation
-4. Run `/verify-app` to confirm everything works
-5. Run `/ship` to commit, push, and PR
+3. Run `/px-simplify` after implementation
+4. Run `/px-verify-app` to confirm everything works
+5. Run `/px-ship` to commit, push, and PR
 
 ## Error Learning
 When a mistake is corrected: update project CLAUDE.md `## Error Learning` section
@@ -85,7 +85,7 @@ Registered via `claude mcp add`. Persist globally across sessions.
 
 | Server | Purpose | Install | Degrades without |
 |--------|---------|---------|-----------------|
-| perplexity | AI web search | `bash scripts/onboard-mcp.sh perplexity` | No web research in `/discover` |
+| perplexity | AI web search | `bash scripts/onboard-mcp.sh perplexity` | No web research in `/px-discover` |
 | filesystem | Direct vault file access | `claude mcp add filesystem` | Uses shell for vault reads |
 | sequential-thinking | Multi-step reasoning | `claude mcp add sequential-thinking` | Standard reasoning only |
 
@@ -101,8 +101,8 @@ Missing servers are non-blocking — features degrade gracefully.
    - GitHub Actions → `~/.claude/rules/github-actions.md`
    - PowerShell scripts → `~/.claude/rules/powershell.md`
    - Git operation → `~/.claude/rules/git-workflow.md`
-   - Client-facing writing → auto-loaded by `communication-standards` skill
-   - Architecture/specs → auto-loaded by `architecture-patterns` skill
+   - Client-facing writing → auto-loaded by `px-communication-standards` skill
+   - Architecture/specs → auto-loaded by `px-architecture-patterns` skill
 5. Quality re-anchor: read most recent `compact-checkpoint.md` → check the Quality State section.
    - If lint findings existed before compaction: re-run `golangci-lint run`, confirm status.
    - If tests were failing before compaction: re-run test command, confirm status.
@@ -120,15 +120,15 @@ Missing servers are non-blocking — features degrade gracefully.
 - Use vault search when Obsidian is not running (obsidian backend requires Obsidian open)
 
 ## AI-Kit Registry
-Kits activate via `/kit:<n>` slash command. Kits are idempotent — double-activate is a no-op.
+Kits activate via `/px-kit:<n>` slash command. Kits are idempotent — double-activate is a no-op.
 
 | Kit | Activate | Domain |
 |-----|----------|--------|
-| web-designer | `/kit:web-designer` | Design system → components → accessibility → production lint |
-| infrastructure | `/kit:infrastructure` | Terraform → Azure → GitHub Actions → compliance |
-| api | `/kit:api` | RESTful conventions → OpenAPI specs → contract testing |
-| security | `/kit:security` | Threat modeling → IAM review → OWASP audit |
-| data | `/kit:data` | Schema design → migration planning → query optimization |
+| web-designer | `/px-kit:web-designer` | Design system → components → accessibility → production lint |
+| infrastructure | `/px-kit:infrastructure` | Terraform → Azure → GitHub Actions → compliance |
+| api | `/px-kit:api` | RESTful conventions → OpenAPI specs → contract testing |
+| security | `/px-kit:security` | Threat modeling → IAM review → OWASP audit |
+| data | `/px-kit:data` | Schema design → migration planning → query optimization |
 
 Kit manifests live in `~/.claude/kits/<name>/KIT.md`.
 
@@ -159,17 +159,17 @@ Kit manifests live in `~/.claude/kits/<name>/KIT.md`.
 ### Auto-invocable skills (replace former universal rules)
 | Skill | Triggers when |
 |-------|--------------|
-| `communication-standards` | Writing client-facing docs, proposals, status reports, commits, PRs |
-| `architecture-patterns` | Writing ADRs, specs, system design, risk docs, blocker reports |
+| `px-communication-standards` | Writing client-facing docs, proposals, status reports, commits, PRs |
+| `px-architecture-patterns` | Writing ADRs, specs, system design, risk docs, blocker reports |
 
 ## Judgment & Research Commands
 
 | Command | Purpose |
 |---------|---------|
-| `/duel` | Parallel Alpha/Beta implementation → blind scoring → synthesis |
-| `/deliberate` | Multi-perspective decision analysis with scored option matrix |
-| `/freshness` | Full dependency audit — CVEs, outdated packages, maintenance status |
-| `/research <pkg>` | Live docs (Context7) + CVE/version/maintenance check (Perplexity Sonar) |
+| `/px-duel` | Parallel Alpha/Beta implementation → blind scoring → synthesis |
+| `/px-deliberate` | Multi-perspective decision analysis with scored option matrix |
+| `/px-freshness` | Full dependency audit — CVEs, outdated packages, maintenance status |
+| `/px-research <pkg>` | Live docs (Context7) + CVE/version/maintenance check (Perplexity Sonar) |
 
 MCP server templates: `base/configs/mcp-servers.json` — declarative config for context7, github, perplexity-sonar.
 Dependency registry: `base/configs/registry.json` — single source of truth for all tools, auth, hooks.

package/base/configs/ci/lint-stack.yml

@@ -0,0 +1,126 @@
+# Polyglot Lint Stack — 3-Layer CI Template
+# Copy to: .github/workflows/lint-stack.yml
+# Conditional: each tool runs only if its language files exist in the repo.
+# Pin actions to SHA — update hashes when upgrading versions.
+
+name: Lint Stack
+on:
+  pull_request:
+    branches: [main, develop]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  # ─────────────────────────────────────────────
+  # LAYER 1: Fast Feedback (~10s per tool)
+  # ─────────────────────────────────────────────
+  lint:
+    name: L1 — Lint + Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # Python — Ruff
+      - name: Ruff check
+        if: hashFiles('**/*.py') != ''
+        uses: astral-sh/ruff-action@9700c1666704e06e2cf8f9046755e3dfc6297e40 # v3.2.1
+        with:
+          args: "check"
+      - name: Ruff format check
+        if: hashFiles('**/*.py') != ''
+        uses: astral-sh/ruff-action@9700c1666704e06e2cf8f9046755e3dfc6297e40 # v3.2.1
+        with:
+          args: "format --check"
+
+      # JS/TS — Biome
+      - name: Setup Biome
+        if: hashFiles('**/*.js', '**/*.ts', '**/*.jsx', '**/*.tsx') != ''
+        uses: biomejs/setup-biome@1cbe33ead22c7a2fded3b52fa2893611c815c3d2 # v2.5.0
+      - name: Biome CI
+        if: hashFiles('**/*.js', '**/*.ts', '**/*.jsx', '**/*.tsx') != ''
+        run: biome ci .
+
+      # Go — golangci-lint
+      - name: golangci-lint
+        if: hashFiles('go.mod') != ''
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
+        with:
+          version: v2.1
+
+      # Rust — Clippy
+      - name: Setup Rust toolchain
+        if: hashFiles('Cargo.toml') != ''
+        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # stable
+        with:
+          toolchain: stable
+          components: clippy, rustfmt
+      - name: Clippy
+        if: hashFiles('Cargo.toml') != ''
+        run: cargo clippy --all-targets --all-features -- -D warnings
+      - name: rustfmt check
+        if: hashFiles('Cargo.toml') != ''
+        run: cargo fmt --all -- --check
+
+      # Shell — ShellCheck
+      - name: ShellCheck
+        if: hashFiles('**/*.sh') != ''
+        run: |
+          sudo apt-get install -y shellcheck
+          find . -name '*.sh' -not -path './node_modules/*' -not -path './vendor/*' | xargs shellcheck -s bash
+
+  # ─────────────────────────────────────────────
+  # LAYER 2: Quality Gates (~2min)
+  # ─────────────────────────────────────────────
+  security-scan:
+    name: L2 — Semgrep
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: semgrep/semgrep-action@713efdd345ae26c72e79b5b32927be8e0e6bab83 # v1
+        with:
+          config: >-
+            p/default
+            p/secrets
+            p/owasp-top-ten
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+
+  # Uncomment to add SonarQube quality gate (requires self-hosted server)
+  # sonarqube:
+  #   name: L2 — SonarQube
+  #   runs-on: ubuntu-latest
+  #   needs: lint
+  #   steps:
+  #     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+  #       with:
+  #         fetch-depth: 0
+  #     - uses: SonarSource/sonarqube-scan-action@0e1a25e90571a34e2ec5c72ee40ba45cc73a1e6e # v4
+  #       env:
+  #         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  #         SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+  #     - uses: SonarSource/sonarqube-quality-gate-action@dc2f7b0dd95544cd550de3066f25f47e3fc20894 # v1.1.0
+  #       timeout-minutes: 5
+  #       env:
+  #         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  # ─────────────────────────────────────────────
+  # LAYER 3: AI Review (~2min, optional)
+  # ─────────────────────────────────────────────
+  # Uncomment to enable AI-powered PR review.
+  # Requires OPENAI_API_KEY secret or self-hosted Ollama.
+  #
+  # ai-review:
+  #   name: L3 — AI Review
+  #   runs-on: ubuntu-latest
+  #   needs: [security-scan]
+  #   steps:
+  #     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+  #     - uses: Codium-ai/pr-agent@main
+  #       env:
+  #         OPENAI_KEY: ${{ secrets.OPENAI_API_KEY }}
+  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       with:
+  #         command: review

package/base/configs/linters/.markdownlint.json

@@ -0,0 +1,7 @@
+{
+  "default": true,
+  "MD013": false,
+  "MD024": { "siblings_only": true },
+  "MD033": false,
+  "MD041": true
+}

package/base/configs/linters/.pre-commit-config.yaml

@@ -0,0 +1,63 @@
+repos:
+  # General file hygiene
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-json
+      - id: check-added-large-files
+        args: ['--maxkb=500']
+      - id: detect-private-key
+      - id: check-merge-conflict
+
+  # Layer 1: Python — Ruff
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.11.6
+    hooks:
+      - id: ruff
+        args: [--fix]
+      - id: ruff-format
+
+  # Layer 1: JS/TS — Biome
+  - repo: https://github.com/biomejs/pre-commit
+    rev: v2.0.0
+    hooks:
+      - id: biome-check
+        additional_dependencies: ["@biomejs/biome@2.0.0"]
+
+  # Layer 1: Shell — ShellCheck
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+      - id: shellcheck
+        args: [-s, bash]
+
+  # Layer 1: Go — golangci-lint
+  - repo: https://github.com/golangci/golangci-lint
+    rev: v2.1.0
+    hooks:
+      - id: golangci-lint
+
+  # Layer 1: Rust — rustfmt + clippy
+  - repo: local
+    hooks:
+      - id: rustfmt
+        name: rustfmt
+        entry: rustfmt
+        language: system
+        types: [rust]
+      - id: clippy
+        name: clippy
+        entry: cargo clippy -- -D warnings
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+  # Layer 2: Semgrep security scan
+  - repo: https://github.com/semgrep/semgrep
+    rev: v1.120.0
+    hooks:
+      - id: semgrep
+        args: ['--config', 'auto', '--error']

package/base/configs/linters/biome.json

@@ -0,0 +1,41 @@
+{
+  "$schema": "https://biomejs.dev/schemas/2.0.0/schema.json",
+  "organizeImports": { "enabled": true },
+  "linter": {
+    "enabled": true,
+    "rules": {
+      "recommended": true,
+      "complexity": {
+        "noExcessiveCognitiveComplexity": {
+          "level": "warn",
+          "options": { "maxAllowedComplexity": 15 }
+        }
+      },
+      "suspicious": {
+        "noExplicitAny": "warn",
+        "noConsoleLog": "warn"
+      },
+      "correctness": {
+        "noUnusedVariables": "error",
+        "noUnusedImports": "error"
+      }
+    }
+  },
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space",
+    "indentWidth": 2,
+    "lineWidth": 100
+  },
+  "javascript": {
+    "formatter": {
+      "quoteStyle": "single",
+      "semicolons": "always"
+    }
+  },
+  "json": {
+    "formatter": {
+      "indentWidth": 2
+    }
+  }
+}

package/base/configs/linters/clippy.toml

@@ -0,0 +1,4 @@
+cognitive-complexity-threshold = 20
+too-many-arguments-threshold = 7
+type-complexity-threshold = 250
+single-char-binding-names-threshold = 4

package/base/configs/linters/ruff.toml

@@ -0,0 +1,26 @@
+target-version = "py312"
+line-length = 100
+fix = true
+
+[lint]
+select = [
+  "E", "W",    # pycodestyle
+  "F",         # pyflakes
+  "I",         # isort
+  "N",         # pep8-naming
+  "UP",        # pyupgrade
+  "S",         # bandit (security)
+  "B",         # flake8-bugbear
+  "A",         # flake8-builtins
+  "C4",        # flake8-comprehensions
+  "SIM",       # flake8-simplify
+  "RUF",       # ruff-specific
+]
+ignore = ["E501"]  # line length handled by formatter
+
+[lint.per-file-ignores]
+"tests/**" = ["S101"]  # allow assert in tests
+
+[format]
+quote-style = "double"
+indent-style = "space"

package/base/configs/linters/rustfmt.toml

@@ -0,0 +1,7 @@
+edition = "2024"
+max_width = 100
+tab_spaces = 4
+use_field_init_shorthand = true
+use_try_shorthand = true
+imports_granularity = "Crate"
+group_imports = "StdExternalCrate"

package/base/configs/linters/semgrep.yml

@@ -0,0 +1,65 @@
+rules:
+  # Usage:
+  #   semgrep --config auto                   (recommended community rules)
+  #   semgrep --config p/owasp-top-ten        (OWASP Top 10)
+  #   semgrep --config p/secrets              (secret detection)
+  #   semgrep --config .semgrep.yml           (this file — custom rules)
+
+  # Custom: ban f-string SQL queries
+  - id: no-fstring-sql-execute
+    patterns:
+      - pattern: cursor.execute($QUERY, ...)
+      - pattern-not: cursor.execute("...", ...)
+      - metavariable-pattern:
+          metavariable: $QUERY
+          pattern: |
+            f"..."
+    message: "Use parameterized queries instead of f-strings in SQL"
+    severity: ERROR
+    languages: [python]
+
+  # Custom: no hardcoded secrets in source
+  - id: hardcoded-secret-assignment
+    pattern-either:
+      - pattern: $KEY = "..."
+    metavariable-regex:
+      metavariable: $KEY
+      regex: ".*(secret|password|token|api_key|apikey|auth_token).*"
+    message: "Possible hardcoded secret — use environment variables"
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go, rust]
+
+  # Custom: no unsafe unwrap in Rust production code
+  - id: rust-no-unwrap
+    pattern: $X.unwrap()
+    message: "Avoid .unwrap() — use .expect() with context or propagate with ?"
+    severity: WARNING
+    languages: [rust]
+    paths:
+      exclude:
+        - "*_test.rs"
+        - "tests/**"
+        - "benches/**"
+
+  # Custom: no fmt.Println in Go production code
+  - id: go-no-fmt-println
+    pattern: fmt.Println(...)
+    message: "Use structured logging instead of fmt.Println"
+    severity: WARNING
+    languages: [go]
+    paths:
+      exclude:
+        - "*_test.go"
+        - "cmd/**"
+
+# Paths to exclude from scanning
+paths:
+  exclude:
+    - node_modules
+    - vendor
+    - .terraform
+    - target
+    - dist
+    - build
+    - "*.min.js"
+    - "*.generated.*"

package/base/configs/registry.json

@@ -30,7 +30,15 @@
       {"name": "gitleaks", "feature": "secret-scanning", "install": "brew install gitleaks"},
       {"name": "osv-scanner", "feature": "dep-audit", "install": "go install github.com/google/osv-scanner/cmd/osv-scanner@latest"},
       {"name": "pip-audit", "feature": "dep-audit-python", "install": "pip install pip-audit"},
-      {"name": "docker", "feature": "docker-sandbox", "install": "brew install --cask docker"}
+      {"name": "docker", "feature": "docker-sandbox", "install": "brew install --cask docker"},
+      {"name": "biome", "feature": "lint-js", "install": "npm install -g @biomejs/biome"},
+      {"name": "ruff", "feature": "lint-python", "install": "pip install ruff"},
+      {"name": "semgrep", "feature": "security-scan", "install": "pip install semgrep"},
+      {"name": "markdownlint", "feature": "lint-markdown", "install": "npm install -g markdownlint-cli"},
+      {"name": "pre-commit", "feature": "pre-commit-hooks", "install": "pip install pre-commit"},
+      {"name": "golangci-lint", "feature": "lint-go", "install": "brew install golangci-lint"},
+      {"name": "rustfmt", "feature": "format-rust", "install": "rustup component add rustfmt"},
+      {"name": "clippy", "feature": "lint-rust", "install": "rustup component add clippy"}
     ]
   },
   "env_vars": {

package/base/hooks/quality-check.sh

@@ -61,6 +61,18 @@ case "$EXT" in
       taplo format "$FILE_PATH" 2>/dev/null
     fi
     ;;
+  js|jsx|ts|tsx)
+    if command -v biome &>/dev/null; then
+      biome format --write "$FILE_PATH" 2>/dev/null
+    elif command -v prettier &>/dev/null; then
+      prettier --write "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  rs)
+    if command -v rustfmt &>/dev/null; then
+      rustfmt "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
   md)
     if command -v prettier &>/dev/null; then
       prettier --write --prose-wrap always "$FILE_PATH" 2>/dev/null
@@ -111,6 +123,30 @@ case "$EXT" in
       fi
     fi
     ;;
+  js|jsx|ts|tsx)
+    if command -v biome &>/dev/null; then
+      LINT_OUT=$(biome lint "$FILE_PATH" 2>&1) || true
+      if [ -n "$LINT_OUT" ] && ! echo "$LINT_OUT" | grep -q "No diagnostics"; then
+        ISSUES+=("biome: $LINT_OUT")
+      fi
+    fi
+    ;;
+  rs)
+    if command -v cargo &>/dev/null; then
+      DIR=$(dirname "$FILE_PATH")
+      # Walk up to find Cargo.toml for crate context
+      CRATE_DIR="$DIR"
+      while [ "$CRATE_DIR" != "/" ] && [ ! -f "$CRATE_DIR/Cargo.toml" ]; do
+        CRATE_DIR=$(dirname "$CRATE_DIR")
+      done
+      if [ -f "$CRATE_DIR/Cargo.toml" ]; then
+        LINT_OUT=$(cd "$CRATE_DIR" && cargo clippy --quiet -- -D warnings 2>&1) || true
+        if [ -n "$LINT_OUT" ]; then
+          ISSUES+=("clippy: $LINT_OUT")
+        fi
+      fi
+    fi
+    ;;
   yml|yaml)
     if command -v yamllint &>/dev/null; then
       LINT_OUT=$(yamllint -f parsable "$FILE_PATH" 2>&1) || true

package/base/skills/{architecture-patterns → px-architecture-patterns}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: architecture-patterns
+name: px-architecture-patterns
 description: "Architecture decision and design documentation standards. Auto-triggers when writing ADRs, technical specs, risk register entries, system design documents, or any decision that affects system design, network topology, identity model, data residency, security posture, or compliance scope. Also triggers when writing status updates, blocker reports, or spec summaries that require What/So What/Now What structure."
 ---
 

package/base/skills/{code-gc → px-code-gc}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: code-gc
+name: px-code-gc
 disable-model-invocation: true
 description: "Detect code entropy in the current repo: dead code, test debt, stale TODOs, oversized functions, commented-out blocks, unused deps. Two modes: lightweight (called by session-retro) and full audit (manual /code-gc). Never auto-deletes or auto-fixes."
 ---

package/base/skills/{communication-standards → px-communication-standards}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: communication-standards
+name: px-communication-standards
 description: "Client-facing writing standards. Auto-triggers when writing proposals, status reports, executive summaries, SOWs, deliverable documents, or any content targeting a non-technical audience. Also triggers when writing git commit messages, PR descriptions, or any text where AI attribution must be avoided. Covers executive-summary-first rule, What/So What/Now What structure, proposal format, audience calibration, and no-AI-attribution policy."
 ---
 

package/base/skills/{context-probe → px-context-probe}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: context-probe
+name: px-context-probe
 disable-model-invocation: true
 description: "Assess current context health and recommend action. Reads session data and conversation signals to estimate context bracket (FRESH/MODERATE/DEPLETED/CRITICAL)."
 ---

package/base/skills/{context-reset → px-context-reset}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: context-reset
+name: px-context-reset
 disable-model-invocation: true
 description: Checkpoint current session state to vault files before a context reset. Use when context degradation is detected (repeated corrections, loop behavior, instruction drift).
 ---

package/base/skills/{context7-lookup → px-context7-lookup}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: context7-lookup
+name: px-context7-lookup
 description: "Enforces the docs-first mandate from coding.md. Before implementing with any external library, framework, or API, use Context7 to retrieve current documentation. Activates when code references an external package, imports a third-party library, or calls an API that releases frequently."
 ---
 

package/base/skills/{debug → px-debug}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: debug
+name: px-debug
 disable-model-invocation: true
 description: Structured test-first debugging. Reproduce the bug, write a failing test, isolate root cause, fix, verify. Use for pure bugfixes — skips the full loop.
 ---

package/base/skills/{deliberate → px-deliberate}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: deliberate
+name: px-deliberate
 disable-model-invocation: true
 description: "Multi-perspective architectural decision making with structured scoring matrix. Use for decisions with multiple valid approaches and hidden trade-offs."
 ---

package/base/skills/{discover → px-discover}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: discover
+name: px-discover
 disable-model-invocation: true
 description: Structured technical discovery — evaluate options, make recommendations with confidence levels. Use before /spec when you need to research before deciding.
 ---

package/base/skills/{discuss → px-discuss}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: discuss
+name: px-discuss
 disable-model-invocation: true
 description: Entry point for all feature work. Conversational problem framing — listen first, then synthesize scope. Use before /plan.
 ---

package/base/skills/{execute → px-execute}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: execute
+name: px-execute
 disable-model-invocation: true
 description: Implementation phase — loads scoped context and works one milestone at a time. Use after plan is approved.
 ---

package/base/skills/{fast → px-fast}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: fast
+name: px-fast
 disable-model-invocation: true
 description: Skip planning for trivial changes. Edit, verify, commit. Use for typos, config tweaks, single-line fixes, and other changes too small for a plan.
 ---

package/base/skills/{kit → px-kit}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: kit
+name: px-kit
 disable-model-invocation: true
 description: Activate or deactivate a domain AI-Kit. Use /kit:web-designer to activate, /kit:off to deactivate, /kit:list to show installed kits.
 ---

package/base/skills/{managing-git-identities → px-managing-git-identities}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: managing-git-identities
+name: px-managing-git-identities
 description: "Guides setup and troubleshooting of multiple Git identities (SSH keys, commit author, GitHub CLI auth, includeIf directory routing). Activates when user discusses git accounts, commit identity mismatch, SSH key management, or gh auth switching."
 ---
 

package/base/skills/{next → px-next}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: next
+name: px-next
 disable-model-invocation: true
 description: Auto-advance to the next workflow phase. Reads status.md loop_position and plan state to determine what comes next. Use anytime to keep moving.
 ---

package/base/skills/{plan → px-plan}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: plan
+name: px-plan
 disable-model-invocation: true
 description: Create a dated work plan for the current project. Writes to vault plans/ directory and updates status.md current_plan field. Use when starting any multi-step task.
 ---

package/base/skills/{plan-writer → px-plan-writer}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: plan-writer
+name: px-plan-writer
 disable-model-invocation: true
 description: "Writes a dated work plan to the vault plans/ directory. Creates the plan file with YAML frontmatter, milestones, and acceptance criteria. Updates status.md current_plan field. Called by /plan and /discuss workflows."
 ---

package/base/skills/{pre-commit-lint → px-pre-commit-lint}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: pre-commit-lint
+name: px-pre-commit-lint
 disable-model-invocation: true
 description: "Generate a stack-aware pre-commit hook script for a repo. Use when setting up a new repo, when asked to install pre-commit checks, add linting to commits, or wire pre-commit-lint. Also invoked by scaffold-new Phase 5.5. NOT invoked at commit time — generates a shell script that runs at commit time."
 ---

package/base/skills/{quick → px-quick}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: quick
+name: px-quick
 disable-model-invocation: true
 description: Ad-hoc task with full quality guarantees in a single compressed flow. Use for tasks that need planning but aren't worth the full loop.
 ---

package/base/skills/{repair → px-repair}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: repair
+name: px-repair
 disable-model-invocation: true
 description: "Structured repair phase for failed milestones. 3-attempt fix-and-verify loop with root cause analysis. Triggered by /verify failure or manually."
 ---

package/base/skills/{research → px-research}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: research
+name: px-research
 disable-model-invocation: true
 description: "Live documentation + security research pipeline. Chains Context7 (docs) and Perplexity Sonar (CVEs, versions, maintenance) into a single structured report."
 ---

package/base/skills/{review → px-review}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: review
+name: px-review
 disable-model-invocation: true
 description: "Manual code review trigger. Launches a subagent to review a diff for bugs, security, and convention violations. Use independently of Praxis phases."
 ---

package/base/skills/{risk → px-risk}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: risk
+name: px-risk
 disable-model-invocation: true
 description: Add a new risk register entry to the current project vault. Assigns a risk ID, severity, mitigation, and writes to specs/risk-register.md.
 ---

package/base/skills/{scaffold-exist → px-scaffold-exist}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: scaffold-exist
+name: px-scaffold-exist
 disable-model-invocation: true
 description: "Scaffold an existing project into the full harness. Invoke with /scaffold-exist only. Adds missing harness files to projects that predate the scaffold standard. Non-destructive — never overwrites without confirmation. Side-effect skill — never auto-triggers."
 ---

package/base/skills/{scaffold-new → px-scaffold-new}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: scaffold-new
+name: px-scaffold-new
 disable-model-invocation: true
 description: "Scaffold a brand new project into the full harness. Invoke with /scaffold-new only. Creates repo CLAUDE.md, vault subtree, git identity verification, gitignore, pre-commit hook, and Project Registry entry. Side-effect skill — never auto-triggers."
 ---

package/base/skills/{secret-scan → px-secret-scan}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: secret-scan
+name: px-secret-scan
 description: "Canonical secret scanning skill. Scans files for credential patterns (API keys, tokens, connection strings). Called by pre-commit-lint and ship workflows. Also usable standalone for repo-wide audits. Replaces all inline secret scan regex instances with a single authoritative source."
 ---
 

package/base/skills/{session-retro → px-session-retro}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: session-retro
+name: px-session-retro
 disable-model-invocation: true
 description: "End-of-session retrospective. Invoke manually with /session-retro only. Writes [LEARN:tag] entries, proposes rule updates, updates claude-progress.json, triggers vault-gc lightweight check. Side-effect skill — never auto-triggers."
 ---

package/base/skills/{ship → px-ship}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: ship
+name: px-ship
 disable-model-invocation: true
 description: Commit, push, and open a PR in one shot. Runs pre-commit checks, crafts a commit message, pushes, and creates a PR with structured description. Use when a milestone or feature is complete and verified.
 ---

package/base/skills/{simplify → px-simplify}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: simplify
+name: px-simplify
 disable-model-invocation: true
 description: "Post-implementation code simplification. Launches a subagent to review recent changes for unnecessary complexity, over-abstraction, and opportunities to simplify. Runs after any implementation phase. Side-effect skill — never auto-triggers."
 ---

package/base/skills/{spec → px-spec}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: spec
+name: px-spec
 disable-model-invocation: true
 description: Create a structured spec or ADR for the current project. Writes to vault specs/ directory. Use for architecture decisions, technical designs, and risk documentation — NOT for task framing (use /discuss for that).
 ---

package/base/skills/{standup → px-standup}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: standup
+name: px-standup
 disable-model-invocation: true
 description: Generate a standup summary for the current project. Reads status.md, tasks.md, and active plan. Use at the start or end of any working session.
 ---

package/base/skills/{status-update → px-status-update}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: status-update
+name: px-status-update
 disable-model-invocation: true
 description: "Atomic update to vault status.md. Ensures consistent format, enforces the 100-line limit, and archives resolved items. Called at milestone boundaries, session end, and phase transitions."
 ---

package/base/skills/{subagent → px-subagent}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: subagent
+name: px-subagent
 disable-model-invocation: true
 description: "Reference protocol for subagent dispatch. Defines how to package context, spawn, interpret results, and escalate findings. Not invoked directly — referenced by review, simplify, verify-app, and verify skills."
 ---

package/base/skills/{sync-memory → px-sync-memory}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: sync-memory
+name: px-sync-memory
 disable-model-invocation: true
 description: "Bridge auto-memory insights to Obsidian vault. Reads MEMORY.md and topic files, syncs durable entries to vault learnings, prunes stale content. Side-effect skill — never auto-triggers."
 ---

package/base/skills/{vault-gc → px-vault-gc}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: vault-gc
+name: px-vault-gc
 disable-model-invocation: true
 description: "Audit vault health and detect entropy. Invoke manually with /vault-gc only. Two modes — full audit (manual) and lightweight staleness check (called inline by session-retro). Never auto-deletes. Side-effect skill — never auto-triggers."
 ---

package/base/skills/{verify → px-verify}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: verify
+name: px-verify
 disable-model-invocation: true
 description: Validation phase — runs test/lint/typecheck/build and reports PASS or FAIL. Use after each milestone completion.
 ---

package/base/skills/{verify-app → px-verify-app}/SKILL.md

@@ -1,5 +1,5 @@
 ---
-name: verify-app
+name: px-verify-app
 disable-model-invocation: true
 description: "End-to-end application verification. Launches a subagent to run the full test suite, check build, verify runtime behavior, and confirm acceptance criteria. Use after implementation to catch integration issues that unit tests miss. Side-effect skill — never auto-triggers."
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@esoteric-logic/praxis-harness",
-  "version": "2.6.0",
+  "version": "2.8.0",
   "description": "Layered Claude Code harness — workflow discipline, AI-Kits, persistent vault integration",
   "bin": {
     "praxis-harness": "./bin/praxis.js"

package/scripts/test-harness.sh

@@ -94,12 +94,12 @@ echo "Cross-skill references:"
 
 # Skills that reference other skills — verify targets exist
 declare -A SKILL_REFS
-SKILL_REFS["verify"]="repair subagent"
-SKILL_REFS["review"]="subagent"
-SKILL_REFS["simplify"]="subagent"
-SKILL_REFS["verify-app"]="subagent"
-SKILL_REFS["repair"]="verify"
-SKILL_REFS["execute"]="verify discuss"
+SKILL_REFS["px-verify"]="px-repair px-subagent"
+SKILL_REFS["px-review"]="px-subagent"
+SKILL_REFS["px-simplify"]="px-subagent"
+SKILL_REFS["px-verify-app"]="px-subagent"
+SKILL_REFS["px-repair"]="px-verify"
+SKILL_REFS["px-execute"]="px-verify px-discuss"
 
 for caller in "${!SKILL_REFS[@]}"; do
   for target in ${SKILL_REFS[$caller]}; do