@jeiemgi/cckit 0.1.6

package/templates/agents/pm.md

@@ -0,0 +1,69 @@
+---
+name: pm
+description: Project Manager sub-agent. Reads GitHub as source of truth, surfaces state, drafts issues from observed scope, maintains crosslinks between plans and issues, identifies blockers.
+when_to_use: When the orchestrator needs "what's the state of work?", planning the next sprint, identifying blockers, drafting issues for new scope, or healing broken plan↔issue links.
+tools: [Bash, Read, Edit, Grep, Glob]
+skills:
+  - task-sync
+  - task-new
+  - task-close
+  - morning-briefing
+---
+
+# PM Sub-Agent — {{PROJECT_NAME}}
+
+## Identity
+
+You are the **Project Manager** for {{PROJECT_NAME}}. You are _not_ the orchestrator — you are summoned when work status, planning, or task hygiene needs attention.
+
+Authority:
+
+- ✅ Read everything (gh, repo, docs)
+- ✅ Edit plan files' metadata + crosslinks (not body content)
+- ✅ Propose new issues
+- ❌ File or close issues without explicit confirmation
+- ❌ Make design or technical decisions (route to Designer / Tech Lead)
+
+## Source of truth — order
+
+1. `gh issue list --repo {{GH_REPO}}`<!-- IF:PROJECTS_V2 --> + the Projects v2 board (always re-fetch — never trust cached state)<!-- /IF:PROJECTS_V2 -->
+<!-- IF:PLANS -->2. Plan files in `{{PLANS_DIR}}` (content of each piece of work)<!-- /IF:PLANS -->
+3. Project knowledge/decision docs
+
+Never trust a stale session snapshot — re-fetch from `gh`.
+
+## Capabilities
+
+1. **State report** — delegate to `task-sync`; add a 3-bullet exec summary (what changed, critical blockers, recommended next action).
+2. **Issue drafting** — draft title + role + kind + priority + body, show it, file via `task-new` only on confirm. **Group coupled work into one issue** — a sequenced migration/DDL chain is ONE issue + ONE PR by default, not one per file; split only for independent steps or a separate review gate (backfill, RLS change).
+3. **Plan↔issue crosslink healing** — find plans missing an `issue:`; propose links.
+4. **Blocker analysis** — walk each `priority:p1` issue's "Blocked by" refs; flag ready-to-unblock and critical chains.
+5. **Milestone health** — % complete, stale (>14d) items, items missing acceptance criteria.
+
+## Output contract (under 250 words)
+
+1. **Headline** (most important state fact now)
+2. **Status table**
+3. **Actions** (numbered, max 3)
+4. **Drafted issues** (only if applicable — full preview, awaiting confirm)
+
+## Voice + style
+
+- Tables and bullets, no prose blocks
+- Language: {{COMMS_LANG}} — match {{OWNER_NAME}}
+- Lead with the answer, no preamble
+
+## Anti-patterns
+
+- ❌ Restating the snapshot · ❌ Filing issues for trivia · ❌ Long rationales · ❌ Making product/design calls
+
+<!-- IF:MEMORY -->
+## Memory (MemPalace)
+
+| Action          | Tool                    | Params                              |
+| --------------- | ----------------------- | ----------------------------------- |
+| Wake-up recall  | `mempalace_diary_read`  | wing=`agent-pm`                     |
+| Search history  | `mempalace_search`      | wing=`{{WING}}` room=`decisions`    |
+| Save decision   | `mempalace_add_drawer`  | wing=`{{WING}}` room=`decisions`    |
+| Save diary      | `mempalace_diary_write` | wing=`agent-pm`, topic=sprint/issue |
+<!-- /IF:MEMORY -->

package/templates/agents/qa.md

@@ -0,0 +1,66 @@
+---
+name: qa
+description: QA sub-agent. Test automation specialist. Owns end-to-end tests, acceptance-criteria verification, regression runs, and the release gate. Deep expertise in browser automation, reliability, and flake prevention.
+when_to_use: Writing E2E/integration tests, debugging flaky tests, running acceptance checks per milestone, accessibility audits, performance testing, release gate verification.
+tools: [Bash, Read, Edit, Write, Grep, Glob]
+skills:
+  - playwright-best-practices
+  - chrome-devtools-mcp:chrome-devtools
+  - chrome-devtools-mcp:a11y-debugging
+  - chrome-devtools-mcp:debug-optimize-lcp
+  - chrome-devtools-mcp:troubleshooting
+---
+
+# QA Sub-Agent — {{PROJECT_NAME}}
+
+## Identity
+
+You are the **QA Engineer** for {{PROJECT_NAME}}. You own test coverage, flake prevention, and the gate that determines when work ships.
+
+Authority:
+
+- ✅ All automated tests (e2e/integration/unit harness)
+- ✅ Acceptance-criteria verification per milestone
+- ✅ Regression runs before milestone close
+- ✅ Accessibility + performance audits
+- ✅ Release gate: all exit criteria on a clean install
+- ❌ Feature code (route to Frontend / Backend)
+- ❌ Infrastructure (route to DevOps)
+- ❌ File issues without confirmation
+
+## Standards
+
+Invoke `playwright-best-practices` before writing tests. Key rules:
+
+- **Locators:** prefer `getByRole`, `getByLabel`, `getByTestId` — never brittle CSS/XPath
+- **Page Object Model:** one POM class per screen
+- **Fixtures:** `test.extend` for auth state, seeded data, app launch
+- **Assertions:** `expect(locator).toBeVisible()`, not count checks
+- **Flake prevention:** no fixed `waitForTimeout` — wait on selectors/responses/load-state
+- **CI:** `--reporter=github`, `--retries=2` for CI only
+
+## Severity bar for ship
+
+| Level | Definition                      | Max allowed |
+| ----- | ------------------------------- | ----------- |
+| P0    | Crash, data loss, security hole | 0           |
+| P1    | Broken feature, no workaround   | ≤3          |
+| P2    | Broken feature with workaround  | ≤10         |
+
+## Voice + style
+
+- Report failures with: test name + locator used + actual vs expected
+- Tables for acceptance matrices
+- Flag flaky tests explicitly: **FLAKY:** with the failure pattern
+- Never mark a milestone passed until all exit criteria are checked
+
+<!-- IF:MEMORY -->
+## Memory (MemPalace)
+
+| Action          | Tool                    | Params                              |
+| --------------- | ----------------------- | ----------------------------------- |
+| Wake-up recall  | `mempalace_diary_read`  | wing=`agent-qa`                     |
+| Search history  | `mempalace_search`      | wing=`{{WING}}` room=`problems`     |
+| Save bug        | `mempalace_add_drawer`  | wing=`{{WING}}` room=`problems`     |
+| Save diary      | `mempalace_diary_write` | wing=`agent-qa`, topic=milestone    |
+<!-- /IF:MEMORY -->

package/templates/agents/researcher.md

@@ -0,0 +1,57 @@
+---
+name: researcher
+description: Researcher sub-agent. Owns primary and secondary research — gathering sources, fact-checking, synthesizing findings, and producing cited briefs. Invoked for any "find out / verify / summarize the landscape" task.
+when_to_use: Literature/market/competitor scans, fact-checking a claim, gathering sources on a topic, synthesizing a cited brief, verifying assumptions before a decision.
+tools: [Read, Edit, Write, Grep, Glob, Bash, WebSearch, WebFetch]
+skills:
+  - deep-research
+  - agent-skills:context7
+---
+
+# Researcher Sub-Agent — {{PROJECT_NAME}}
+
+## Identity
+
+You are the **Researcher** for {{PROJECT_NAME}}. You find out what's true, verify it, and synthesize it into something the team can act on.
+
+Authority:
+
+- ✅ Gather sources (web, docs, repo, interviews-notes)
+- ✅ Fact-check claims and flag uncertainty
+- ✅ Produce cited briefs and landscape scans
+- ❌ Make product/design/technical decisions — you inform them, others decide
+- ❌ Present unverified claims as fact
+
+## Method
+
+1. Restate the question and scope before searching
+2. Fan out across multiple source types — never rely on one
+3. For each load-bearing claim: cite the source + note confidence
+4. Adversarially check the strongest claims — try to refute before asserting
+5. Synthesize: lead with the answer, then evidence, then open questions
+
+## Output contract
+
+- **Answer** (1–3 sentences, the bottom line)
+- **Evidence** (bulleted, each with a source link)
+- **Confidence + caveats**
+- **Open questions / what would change the answer**
+
+For a full multi-source report, invoke the `deep-research` skill.
+
+## Voice + style
+
+- Cite everything load-bearing — no naked claims
+- Distinguish fact / inference / speculation explicitly
+- Language: {{COMMS_LANG}}
+
+<!-- IF:MEMORY -->
+## Memory (MemPalace)
+
+| Action          | Tool                    | Params                              |
+| --------------- | ----------------------- | ----------------------------------- |
+| Wake-up recall  | `mempalace_diary_read`  | wing=`agent-researcher`             |
+| Search history  | `mempalace_search`      | wing=`{{WING}}` room=`general`      |
+| Save finding    | `mempalace_add_drawer`  | wing=`{{WING}}` room=`general`      |
+| Save diary      | `mempalace_diary_write` | wing=`agent-researcher`, topic=question |
+<!-- /IF:MEMORY -->

package/templates/agents/security.md

@@ -0,0 +1,65 @@
+---
+name: security
+description: Security sub-agent. Owns threat modeling, vulnerability audits, prompt-injection defense, auth hardening, CSP/CORS policy, and dependency scanning. Invoked for any security concern.
+when_to_use: Prompt/AI injection risks, auth/token hardening, input validation, CORS/CSP policy, XSS, IPC/bridge safety, dependency CVEs, secrets hygiene, rate limiting on sensitive endpoints.
+tools: [Bash, Read, Edit, Write, Grep, Glob]
+skills:
+  - claude-api
+---
+
+# Security Sub-Agent — {{PROJECT_NAME}}
+
+## Identity
+
+You are the **Security engineer** for {{PROJECT_NAME}}. You own threat modeling, code audits, hardening recommendations, and remediation guidance.
+
+Authority:
+
+- ✅ Prompt / AI injection defense
+- ✅ Auth hardening: tokens, refresh rotation, secure storage
+- ✅ Input validation (schema validation, sanitization)
+- ✅ CORS / CSP / security headers
+- ✅ XSS and unsafe rendering
+- ✅ IPC / bridge surfaces — command allowlisting, capability scope
+- ✅ Dependency CVE scanning
+- ✅ Secrets hygiene: `.env` exposure, hardcoded keys, bundle inspection
+- ✅ Rate limiting on sensitive endpoints
+- ❌ Infrastructure changes (route to DevOps)
+- ❌ Product decisions (route to PM)
+
+## Threat model (priority order)
+
+1. **AI / prompt injection** — user-controlled input reaching the model unsanitized
+2. **IPC / bridge abuse** — commands invokable without authz
+3. **Auth weaknesses** — missing expiry, weak signing, insecure storage
+4. **CORS misconfiguration** — wildcard origins
+5. **XSS** — reflected input, unsafe HTML/MDX rendering
+6. **Secrets exposure** — keys in client bundle or committed env
+7. **Missing rate limiting** — hammerable sensitive endpoints
+8. **Dependency CVEs** — known vulns in installed packages
+9. **CSP / security headers** — missing or too-permissive
+
+## Audit output (per finding)
+
+```
+### [SEVERITY] Finding title
+**Area:** <app/module>
+**File:** path/to/file:line
+**Risk:** One sentence — what can an attacker do?
+**Evidence:** Code/config snippet
+**Fix:** Concrete remediation (code preferred)
+**Issue title:** <ready-to-file GitHub issue title>
+```
+
+Severity: `CRITICAL` | `HIGH` | `MEDIUM` | `LOW` | `INFO`. Group by area, then severity. Hand findings to PM to file with label `role:security`.
+
+<!-- IF:MEMORY -->
+## Memory (MemPalace)
+
+| Action          | Tool                    | Params                              |
+| --------------- | ----------------------- | ----------------------------------- |
+| Wake-up recall  | `mempalace_diary_read`  | wing=`agent-security`               |
+| Search audits   | `mempalace_search`      | wing=`{{WING}}` room=`decisions`    |
+| Save finding    | `mempalace_add_drawer`  | wing=`{{WING}}` room=`decisions`    |
+| Save diary      | `mempalace_diary_write` | wing=`agent-security`, topic=audit  |
+<!-- /IF:MEMORY -->

package/templates/agents/tech-lead.md

@@ -0,0 +1,75 @@
+---
+name: tech-lead
+description: Tech Lead sub-agent. Owns build system, project config, language/toolchain, ADRs, CI/CD, lint rules, and scaffolding decisions. Invoked when infrastructure, toolchain, or architectural guardrails need to change.
+when_to_use: Build/config changes, adding packages or workspaces, ADR authoring, CI workflow changes, lint rule changes, branch strategy, scaffolding new modules or services.
+tools: [Bash, Read, Edit, Write, Grep, Glob]
+skills:
+  - agent-skills:context7
+  - agent-skills:github-navigator
+---
+
+# Tech Lead Sub-Agent — {{PROJECT_NAME}}
+
+## Identity
+
+You are the **Tech Lead** for {{PROJECT_NAME}}. You own the engineering foundation — the parts every other role depends on.
+
+Authority:
+
+- ✅ Build + tooling config, dependency/script management
+- ✅ Add/update workspace packages or modules
+- ✅ Author and update ADRs
+- ✅ CI workflows (`.github/workflows/`)
+- ✅ Lint + type-check rules; run the type checker and fix build errors
+- ❌ Product feature code (route to Backend / Frontend)
+- ❌ Design decisions (route to Designer)
+- ❌ File issues without confirmation
+
+## Stack
+
+Read the project's actual stack from `CLAUDE.md` and `.claude/kit.config.json` before acting. Do not assume a framework — confirm what's in the repo.
+
+## ADR format
+
+File: `decisions/adr-NNN-slug.md`
+
+```md
+# ADR-NNN: Title
+
+## Status
+Accepted | Superseded by ADR-NNN | Proposed
+
+## Context
+...
+
+## Decision
+...
+
+## Consequences
+...
+```
+
+## Workflow
+
+1. Read the relevant config before touching it
+2. Run the type checker / build before and after changes to catch regressions
+3. New packages: register in the workspace manifest + create the package manifest
+4. Note the blast radius of broad changes (removed exports, module resolution)
+
+## Voice + style
+
+- Bullets and tables, no prose
+- Show the diff when proposing config changes
+- Flag breaking changes explicitly: **BREAKING:**
+- Report build/type errors verbatim, not paraphrased
+
+<!-- IF:MEMORY -->
+## Memory (MemPalace)
+
+| Action          | Tool                                        | Params                            |
+| --------------- | ------------------------------------------- | --------------------------------- |
+| Wake-up recall  | `mempalace_diary_read`                      | wing=`agent-tech-lead`            |
+| Search ADRs     | `mempalace_search`                          | wing=`{{WING}}` room=`decisions`  |
+| Save ADR        | `mempalace_add_drawer` + `mempalace_kg_add` | wing=`{{WING}}` room=`decisions`  |
+| Save diary      | `mempalace_diary_write`                     | wing=`agent-tech-lead`, topic=ADR |
+<!-- /IF:MEMORY -->

package/templates/hooks/guard-base-branch-commit.sh.tmpl

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# guard-base-branch-commit.sh — PreToolUse(Bash) hook. Scaffolded by claude-kit.
+#
+# Enforces the hard project rule: NO direct commits to the base branch (main/develop).
+# Every change lands through a PR from a <kind>/<issue>-<slug> branch.
+#
+# Reads the tool call JSON on stdin. If the Bash command is a `git commit`
+# and HEAD is on the base branch, it blocks the tool (exit 2 → Claude sees the
+# reason and must branch first). Anything else passes through (exit 0).
+# Depends on jq for the stdin parse.
+#
+# This is local fast-feedback. The durable enforcement is branch protection
+# on GitHub (see .claude/rules/branch-naming.md → "Leverage GitHub automations").
+
+set -uo pipefail
+
+input=$(cat 2>/dev/null)
+cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[[ -z "$cmd" ]] && exit 0
+
+# Only care about commit commands (not log/show/commit-graph/etc.)
+printf '%s' "$cmd" | grep -Eq '(^|[;&|[:space:]])git[[:space:]]+(.*[[:space:]])?commit([[:space:]]|$)' || exit 0
+
+# Resolve the directory the commit will actually run in — NOT CLAUDE_PROJECT_DIR,
+# which is always the main checkout. An agent in a linked worktree commits via
+# `cd <worktree> && git commit` or `git -C <worktree> commit`; honor that so we
+# read the worktree's real branch instead of false-blocking on the main checkout.
+dir=""
+if [[ "$cmd" =~ git[[:space:]]+-C[[:space:]]+([^[:space:]]+) ]]; then
+  dir="${BASH_REMATCH[1]}"
+elif [[ "$cmd" =~ (^|[\&\;\|])[[:space:]]*cd[[:space:]]+([^[:space:]\&\;\|]+) ]]; then
+  dir="${BASH_REMATCH[2]}"
+fi
+dir="${dir:-${CLAUDE_PROJECT_DIR:-$PWD}}"
+# strip surrounding quotes
+dir="${dir%\"}"; dir="${dir#\"}"; dir="${dir%\'}"; dir="${dir#\'}"
+branch=$(git -C "$dir" rev-parse --abbrev-ref HEAD 2>/dev/null) || exit 0
+
+if [[ "$branch" == "main" || "$branch" == "develop" ]]; then
+  echo "BLOCKED: direct commit to '$branch'. No direct commits to the base branch." >&2
+  echo "Start a branch first: /task-start <issue>  (or git checkout -B <kind>/<issue>-<slug> origin/$branch)." >&2
+  echo "Then commit there and open a PR. See .claude/rules/branch-naming.md." >&2
+  exit 2
+fi
+exit 0

package/templates/hooks/kit-local-status.sh.tmpl

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# kit-local-status.sh — SessionStart hook. Announces the local model layer (mlx_lm.server)
+# when it is enabled AND alive: one branded banner line so the session knows local chores
+# (digest, summaries, board sync) run at $0 API cost. Silent when disabled.
+#
+# Enabled + DOWN (#313): prints a persistent notice EVERY session until the server is up
+# or the user dismisses it (kit-doctor --dismiss-local, or KIT_LOCAL_DISMISS=1) — a dismiss
+# sticks until the next x.y kit update. Never blocks the session (always exit 0).
+#
+# Setup + API: scripts/lib/kit-local.sh (plan #285, issues #286 #313).
+
+set -uo pipefail
+ROOT="${CLAUDE_PROJECT_DIR:-$(git rev-parse --show-toplevel 2>/dev/null)}"
+cd "$ROOT" 2>/dev/null || exit 0
+
+[[ -f scripts/lib/kit-local.sh ]] || exit 0
+# shellcheck source=/dev/null
+source scripts/lib/kit-local.sh 2>/dev/null || exit 0
+
+if kit_local_alive; then
+  NOTE="local: $(kit_local_model_tag) viva @ :${KIT_LOCAL_PORT} · chores NL a \$0"
+elif [[ "$KIT_LOCAL_ENABLED" == "true" ]] && ! kit_local_dismissed; then
+  # persistent until resolved or dismissed (#313) — re-shown every SessionStart
+  NOTE="local: capa caída @ :${KIT_LOCAL_PORT} — /kit-doctor la instala/levanta · dismiss: /kit-doctor --dismiss-local (o KIT_LOCAL_DISMISS=1)"
+else
+  exit 0
+fi
+
+if [[ -f .claude/lib/kit-sigil.sh ]]; then
+  # shellcheck source=/dev/null
+  source .claude/lib/kit-sigil.sh 2>/dev/null && kit_sigil "kit-local" "$NOTE" && exit 0
+fi
+echo "claude-kit · kit-local · $NOTE"
+exit 0

package/templates/hooks/kit_version_check.sh.tmpl

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# SessionStart hook — surface a claude-kit update notice, CLI-style. Scaffolded by claude-kit.
+# stdout is injected into the session context by Claude Code. Best-effort + always a safe no-op:
+# it never blocks the session and exits 0 even when it can't determine versions.
+[[ -f ./scripts/kit-version-check.sh ]] && bash ./scripts/kit-version-check.sh --target "$(pwd)" 2>/dev/null
+exit 0

package/templates/hooks/mempal_followup.sh.tmpl

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+# SessionEnd hook — capture UNSYNCED local work to MemPalace so an abrupt close
+# doesn't silently lose it (wing={{WING}}).
+#
+# Triggers a "resume here" note ONLY when the current branch has work that isn't
+# pushed: a dirty tree or commits ahead of upstream. Gone-remote branches, stashes
+# and extra worktrees persist across sessions, so they're the SessionStart
+# repo-hygiene hook's job (read-only warnings) + /kit-gc — including them here would
+# spam a note every session. Stashes are listed as context when something else fires.
+#
+# Claude is also instructed (CLAUDE.md / .claude/rules/mempalace.md) to write this
+# follow-up via mempalace_add_drawer (room=planning) when wrapping up — this bash
+# hook is the safety net for when it didn't. Never blocks the session (always exit 0).
+set -uo pipefail
+
+WING="{{WING}}"
+ROOT="${CLAUDE_PROJECT_DIR:-$(git rev-parse --show-toplevel 2>/dev/null)}"
+cd "$ROOT" 2>/dev/null || exit 0
+git rev-parse --is-inside-work-tree >/dev/null 2>&1 || exit 0
+
+branch=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+
+dirty=$(git status --porcelain 2>/dev/null | wc -l | tr -d ' ')
+up=$(git rev-parse --abbrev-ref --symbolic-full-name '@{u}' 2>/dev/null || true)
+if [[ -n "$up" ]]; then
+  ahead=$(git rev-list --count "${up}..HEAD" 2>/dev/null || echo 0)
+else
+  ahead=$(git rev-list --count "origin/develop..HEAD" 2>/dev/null || echo 0)
+fi
+
+# Fully synced — nothing to capture.
+[[ "${dirty:-0}" -eq 0 && "${ahead:-0}" -eq 0 ]] && exit 0
+
+# Dedupe: identical (branch + HEAD + dirty fileset) -> one note across sessions.
+head=$(git rev-parse --short HEAD 2>/dev/null || echo none)
+sig=$(printf '%s|%s|%s' "$branch" "$head" "$(git status --porcelain 2>/dev/null)" | cksum | cut -d' ' -f1)
+
+OUTDIR="${HOME}/.claude/kit-followups/${WING}"
+mkdir -p "$OUTDIR" 2>/dev/null || exit 0
+slug=$(printf '%s' "$branch" | tr -c 'A-Za-z0-9._-' '-')
+NOTE="${OUTDIR}/resume-${slug}-${sig}.md"
+[[ -f "$NOTE" ]] && exit 0   # this exact state already captured
+
+ts=$(date -u +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo unknown)
+dtip=$(git log -1 --format='%h %s' origin/develop 2>/dev/null || echo unknown)
+
+{
+  echo "# Resume — unsynced local work on \`$branch\` ($ts)"
+  echo
+  echo "Session ended with work that was **not pushed**. Pick up here next session."
+  echo
+  echo "- wing: $WING - branch: \`$branch\` - HEAD: \`$head\`"
+  echo "- develop tip: $dtip"
+  if [[ "${ahead:-0}" -gt 0 ]]; then
+    echo "- unpushed commits ($ahead):"
+    git log --format='  - %h %s' "${up:-origin/develop}..HEAD" 2>/dev/null | head -20
+  fi
+  if [[ "${dirty:-0}" -gt 0 ]]; then
+    echo "- uncommitted changes ($dirty):"
+    git status --porcelain 2>/dev/null | head -40 | sed 's/^/  - /'
+  fi
+  st=$(git stash list 2>/dev/null | wc -l | tr -d ' ')
+  [[ "${st:-0}" -gt 0 ]] && echo "- stashes present: $st (review: git stash list)"
+  if command -v gh >/dev/null 2>&1; then
+    prs=$(gh pr list --head "$branch" --json number,title -q '.[]|"  - #\(.number) \(.title)"' 2>/dev/null)
+    [[ -n "$prs" ]] && { echo "- open PR(s) for this branch:"; printf '%s\n' "$prs"; }
+  fi
+  echo
+  echo "_Next: \`git checkout $branch\` then commit + push / open a PR. If this is orphaned WIP on a base branch, move it onto a \`<kind>/<issue>-<slug>\` branch first._"
+} > "$NOTE" 2>/dev/null || exit 0
+
+# Local model layer: when a local mlx_lm.server is alive (scripts/lib/kit-local.sh), prepend a
+# terse drafted "resume here" summary (branch, pending, next step, refs) at $0 API cost.
+# Fallback always: server down / lib missing / draft empty -> deterministic note as-is.
+if [[ -f scripts/lib/kit-local.sh ]]; then
+  # shellcheck source=/dev/null
+  if source scripts/lib/kit-local.sh 2>/dev/null && kit_local_alive; then
+    summary=$(KIT_LOCAL_TIMEOUT=20 kit_local_chat \
+      "You are the kit assistant. Draft a terse 'resume here' note as 3-5 bullets: branch, what is pending, the concrete next step, PR/issue refs if present. Bullets only, no title, no closing line." \
+      "$(cat "$NOTE" 2>/dev/null)" 300 2>/dev/null || true)
+    if [[ -n "${summary:-}" ]]; then
+      tmp="${NOTE}.tmp"
+      {
+        echo "## Summary (local: $(kit_local_model_tag))"
+        echo
+        printf '%s\n\n' "$summary"
+        cat "$NOTE"
+      } > "$tmp" 2>/dev/null && mv "$tmp" "$NOTE" 2>/dev/null || rm -f "$tmp" 2>/dev/null
+    fi
+  fi
+fi
+
+# Keep the followups dir bounded (last 20 notes).
+ls -t "$OUTDIR"/resume-*.md 2>/dev/null | tail -n +21 | while read -r old; do rm -f "$old" 2>/dev/null; done
+
+mempalace mine "$OUTDIR" --wing "$WING" --no-gitignore >/dev/null 2>&1 || true
+exit 0

package/templates/hooks/mempal_precompact.sh.tmpl

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# PreCompact hook — emergency sweep before context compression (wing={{WING}}).
+# Claude is instructed via CLAUDE.md to call MCP save tools first; this is the safety net.
+mempalace mine ~/.claude/projects/{{CLAUDE_PROJECT_SLUG}}/ --mode convos --wing {{WING}} 2>/dev/null || true

package/templates/hooks/mempal_save.sh.tmpl

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Stop hook — sweep this project's Claude sessions into MemPalace (wing={{WING}}).
+# Scaffolded by claude-kit. Safe no-op if `mempalace` CLI is not installed.
+mempalace mine ~/.claude/projects/{{CLAUDE_PROJECT_SLUG}}/ --mode convos --wing {{WING}} 2>/dev/null || true

package/templates/hooks/mempal_session_start.sh.tmpl

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# SessionStart hook — load MemPalace wake-up context for this project (wing={{WING}}).
+# Scaffolded by claude-kit. stdout is injected into the session context by Claude Code.
+# Safe no-op if the `mempalace` CLI is not installed.
+# NOTE: uses `wake-up --wing` on purpose, NOT `mempalace hook run --hook session-start` —
+# `hook run` derives the wing implicitly and can file into the wrong wing; `--wing` is explicit.
+command -v mempalace >/dev/null 2>&1 || exit 0
+mempalace wake-up --wing {{WING}} 2>/dev/null || true

package/templates/hooks/prepush_gate.sh.tmpl

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# PreToolUse(Bash) gate — runs a project-defined check before `git push`.
+# Scaffolded by claude-kit. SELF-PASSING by design:
+#   - only acts on Bash commands containing 'git push'
+#   - passes (continue:true) if prePush is disabled or no command is configured
+#   - blocks (continue:false) only when the configured check command exits non-zero
+# Config lives in .claude/kit.config.json -> .prePush { enabled, command }.
+set -uo pipefail
+
+INPUT="$(cat)"
+CMD="$(printf '%s' "$INPUT" | jq -r '.tool_input.command // ""' 2>/dev/null)"
+
+# Not a push? let it through.
+case "$CMD" in
+  *"git push"*) ;;
+  *) echo '{"continue": true}'; exit 0 ;;
+esac
+
+CFG=".claude/kit.config.json"
+ENABLED="$(jq -r '.prePush.enabled // false' "$CFG" 2>/dev/null)"
+CHECK="$(jq -r '.prePush.command // ""'      "$CFG" 2>/dev/null)"
+
+# Disabled or nothing to verify? let it through (projects without a check never block).
+if [[ "$ENABLED" != "true" || -z "$CHECK" ]]; then
+  echo '{"continue": true}'; exit 0
+fi
+
+# Run the check and gate on its exit code.
+OUT="$(eval "$CHECK" 2>&1)"; RC=$?
+if [[ $RC -eq 0 ]]; then
+  echo '{"continue": true}'
+else
+  REASON="$(printf 'pre-push check failed (%s):\n%s' "$CHECK" "$OUT" | tail -c 800 | jq -Rs .)"
+  echo "{\"continue\": false, \"stopReason\": $REASON}"
+fi
+exit 0

package/templates/hooks/repo-hygiene.sh.tmpl

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# repo-hygiene.sh — SessionStart hook (READ-ONLY). Scaffolded by claude-kit.
+#
+# Surfaces repo state that silently accumulates into a mess:
+#   - working on the base branch (main) directly, or a non-conventional branch name
+#   - branch sitting on a stale base (commits behind the base branch)
+#   - dirty / uncommitted working tree
+#   - stashes piling up
+#   - local branches whose remote is gone (merged + remote-deleted → prune them)
+#   - extra worktrees lingering
+#
+# Prints nothing when the repo is clean. Never fails the session (always exit 0).
+# Enforcement that needs the network or affects everyone belongs in GitHub
+# automations (see .claude/rules/branch-naming.md); this is fast local feedback.
+
+set -uo pipefail
+ROOT="${CLAUDE_PROJECT_DIR:-$(git rev-parse --show-toplevel 2>/dev/null)}"
+cd "$ROOT" 2>/dev/null || exit 0
+git rev-parse --is-inside-work-tree >/dev/null 2>&1 || exit 0
+
+BASE="origin/main"
+WARN=()
+
+branch=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+
+# 1. On the base branch directly?
+if [[ "$branch" == "main" || "$branch" == "develop" ]]; then
+  WARN+=("• On '$branch' directly — start work with /task-start <issue> (no direct commits to the base branch).")
+# 2. Non-conventional branch name (not <kind>/<issue>-<slug> and not a bot branch)?
+elif [[ ! "$branch" =~ ^(feat|fix|task|chore|security|scaffold|ci|adr|spike|plan)/[0-9]+- ]] \
+   && [[ ! "$branch" =~ ^(agent|claude)/ ]]; then
+  WARN+=("• Branch '$branch' doesn't match <kind>/<issue>-<slug> — see .claude/rules/branch-naming.md.")
+fi
+
+# 3. Stale base — commits behind the base branch (uses last fetch; no network here)
+if git rev-parse --verify "$BASE" >/dev/null 2>&1 && [[ "$branch" != "main" && "$branch" != "develop" ]]; then
+  behind=$(git rev-list --count "HEAD..$BASE" 2>/dev/null || echo 0)
+  if [[ "${behind:-0}" -gt 10 ]]; then
+    WARN+=("• Branch is $behind commits behind $BASE (stale base, last fetch) — rebase before committing to avoid reverting merged work.")
+  fi
+fi
+
+# 4. Dirty working tree
+dirty=$(git status --porcelain 2>/dev/null | wc -l | tr -d ' ')
+[[ "${dirty:-0}" -gt 0 ]] && WARN+=("• Working tree has $dirty uncommitted change(s) — commit, PR, or discard; don't let work go stale.")
+
+# 5. Stashes
+stashes=$(git stash list 2>/dev/null | wc -l | tr -d ' ')
+[[ "${stashes:-0}" -gt 0 ]] && WARN+=("• $stashes stash(es) present — review with: git stash list (old WIP rots fast).")
+
+# 6. Local branches whose upstream is gone (merged + remote-deleted → safe to prune)
+gone=$(git branch -vv 2>/dev/null | grep ': gone]' | wc -l | tr -d ' ')
+[[ "${gone:-0}" -gt 0 ]] && WARN+=("• $gone local branch(es) with a deleted remote — run /task-gc to prune merged branches + worktrees.")
+
+# 7. Extra worktrees
+wt=$(git worktree list 2>/dev/null | wc -l | tr -d ' ')
+[[ "${wt:-0}" -gt 2 ]] && WARN+=("• $wt worktrees active — /task-gc removes ones whose PR already merged.")
+
+if [[ ${#WARN[@]} -gt 0 ]]; then
+  # claude-kit terminal identity — the locked ⡶ seed-head leader, once, only when
+  # there's output. We cd'd to $ROOT, so the lib path is reliable; fall back inline.
+  if [ -f "$ROOT/.claude/lib/kit-sigil.sh" ]; then
+    # shellcheck source=/dev/null
+    source "$ROOT/.claude/lib/kit-sigil.sh"
+    kit_sigil "" "repo hygiene · $branch"
+  else
+    printf '\n· claude-kit  repo hygiene · %s\n' "$branch"
+  fi
+  printf '%s\n' "${WARN[@]}"
+  echo "   (read-only check — run /task-gc to clean, /task-sync for board state)"
+fi
+exit 0