@massu/core 0.5.0 → 0.6.0

package/commands/massu-hotfix.md

@@ -1,20 +1,18 @@
 ---
 name: massu-hotfix
-description: Quick scoped fix workflow with branch, test, commit, push, and PR creation
+description: "When user needs an urgent fix -- 'hotfix', 'emergency fix', 'broken and needs immediate patch'"
 allowed-tools: Bash(*), Read(*), Write(*), Edit(*), Grep(*), Glob(*)
 ---
 name: massu-hotfix
 
-> **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding. CR-9, CR-35 enforced.
+> **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding. CR-5, CR-12 enforced.
 
-# CS Hotfix: Quick Scoped Fix Workflow
+# Massu Hotfix: Emergency Fix Protocol
 
 ## Objective
 
 Apply **minimal, targeted fixes** for production issues with fast verification and safe deployment. Fix the bug, nothing more.
 
-**Usage**: `/massu-hotfix [description of the fix]`
-
 ---
 
 ## NON-NEGOTIABLE RULES
@@ -31,20 +29,21 @@ Apply **minimal, targeted fixes** for production issues with fast verification a
 
 ## ZERO-GAP AUDIT LOOP
 
-**Even hotfixes do NOT complete until a SINGLE COMPLETE VERIFICATION finds ZERO issues.**
+**Even hotfixes do NOT deploy until a SINGLE COMPLETE VERIFICATION finds ZERO issues.**
 
 ### The Rule
 
 ```
 HOTFIX VERIFICATION LOOP:
   1. Apply minimal fix
-  2. Run verification checks (patterns, types, tests)
+  2. Run verification checks (patterns, types, build, tests)
   3. Count issues found
   4. IF issues > 0:
        - Fix ALL issues
        - Re-run ENTIRE verification from Step 2
   5. IF issues == 0:
        - HOTFIX VERIFIED
+       - Safe to deploy
 ```
 
 ### Completion Requirement
@@ -53,9 +52,9 @@ HOTFIX VERIFICATION LOOP:
 |----------|--------|
 | Fix introduces type error | Fix it, re-verify ENTIRELY |
 | Re-verify finds pattern violation | Fix it, re-verify ENTIRELY |
-| Re-verify finds 0 issues | **NOW** hotfix verified |
+| Re-verify finds 0 issues | **NOW** hotfix can deploy |
 
-**Partial verification is NOT valid. ALL checks must pass in a SINGLE run.**
+**Partial verification is NOT valid. ALL checks must pass in a SINGLE run before deploy.**
 
 ---
 
@@ -92,15 +91,45 @@ IF scope_check_fails:
 
 ## DOMAIN-SPECIFIC PATTERN LOADING
 
-Based on the hotfix area, load relevant patterns from CLAUDE.md:
+Based on the hotfix area, load relevant pattern files:
+
+| Domain | Pattern File | Load When |
+|--------|--------------|-----------|
+| Tool modules | `.claude/patterns/tool-patterns.md` | Tool handler/registration bugs |
+| Config | `.claude/patterns/config-patterns.md` | Config parsing/access bugs |
+| Hooks | `.claude/patterns/hook-patterns.md` | Hook compilation/runtime bugs |
+| Build issues | `.claude/patterns/build-patterns.md` | Build/deploy issues |
+
+---
+
+## MANDATORY VERIFICATION (For Database Hotfixes)
+
+### VR-SCHEMA-PRE: Verify Schema BEFORE Applying Database Hotfix
+
+**WHEN hotfixing database-related issues, ALWAYS verify schema first.**
 
-| Domain | Section | Load When |
-|--------|---------|-----------|
-| Tool modules | Tool Registration Pattern | Tool handler/registration bugs |
-| Config | Config Access Pattern | Config parsing/access bugs |
-| Hooks | Hook stdin/stdout Pattern | Hook compilation/runtime bugs |
-| Database | SQLite Database Pattern | DB access/schema bugs |
-| Build | Build & Test Commands | Build/compilation issues |
+```sql
+-- VR-SCHEMA-PRE: Query ACTUAL columns (even in emergency)
+SELECT column_name, data_type, is_nullable
+FROM information_schema.columns
+WHERE table_name = '[AFFECTED_TABLE]'
+ORDER BY ordinal_position;
+```
+
+**Why This Is Mandatory (Even for Emergencies):**
+- Wrong column name in hotfix = 500 error = makes things WORSE
+- Take 30 seconds to verify schema, save hours of debugging
+- Schema mismatch is a common root cause of bugs
+
+### VR-CONFIG: Verify Config for "Not Working" Hotfixes
+
+**If hotfixing "tool not found" or config issues, verify config-code alignment FIRST.**
+
+```bash
+# VR-CONFIG: Verify config values match code expectations
+cat massu.config.yaml
+grep -rn "getConfig()" packages/core/src/ | head -10
+```
 
 ---
 
@@ -166,8 +195,8 @@ Before implementing, verify fix follows CLAUDE.md:
 - [ ] Uses ESM imports (not require())
 - [ ] Uses getConfig() (not direct YAML parse)
 - [ ] Tool handlers follow 3-function pattern
-- [ ] memDb closed in try/finally
 - [ ] No hardcoded secrets
+- [ ] Error handling present
 
 ---
 
@@ -178,7 +207,7 @@ Before implementing, verify fix follows CLAUDE.md:
 # Ensure clean working tree
 git status --short
 
-# From main branch
+# From main/production branch
 git checkout main
 git pull origin main
 git checkout -b hotfix/[issue-name]
@@ -194,24 +223,34 @@ git checkout -b hotfix/[issue-name]
 - Do NOT fix "while we're at it" issues
 - Add comment if fix is non-obvious
 
+### 3.3 Verify Fix Locally
+```bash
+# Quick verification
+npx tsc --noEmit
+npm run build
+
+# Pattern check
+bash scripts/massu-pattern-scanner.sh
+```
+
 ---
 
 ## PHASE 4: FAST VERIFICATION (5 minutes)
 
-### 4.1 Essential Checks
+### 4.1 Essential Checks Only
 ```bash
 # Type safety
-cd packages/core && npx tsc --noEmit
+npx tsc --noEmit
+
+# Build integrity
+npm run build
 
 # Pattern scanner
 bash scripts/massu-pattern-scanner.sh
 
-# Run tests
+# Tests
 npm test
 
-# Hook build (if hooks modified)
-cd packages/core && npm run build:hooks
-
 # Security check
 git diff --cached --name-only | grep -E '\.(env|pem|key)' && echo "FAIL" || echo "PASS"
 ```
@@ -223,6 +262,7 @@ git diff --cached --name-only | grep -E '\.(env|pem|key)' && echo "FAIL" || echo
 | Check | Command | Result | Status |
 |-------|---------|--------|--------|
 | Types | npx tsc --noEmit | 0 errors | PASS |
+| Build | npm run build | Exit 0 | PASS |
 | Patterns | massu-pattern-scanner.sh | Exit 0 | PASS |
 | Tests | npm test | All pass | PASS |
 | Secrets | git diff check | 0 files | PASS |
@@ -230,19 +270,13 @@ git diff --cached --name-only | grep -E '\.(env|pem|key)' && echo "FAIL" || echo
 **ALL CRITICAL CHECKS: PASS/FAIL**
 ```
 
-**If ANY check fails:**
-1. Fix the issue
-2. Re-run ALL checks (zero-gap loop)
-3. Repeat until clean
-
 ---
 
-## PHASE 5: COMMIT & PUSH
+## PHASE 5: COMMIT & DEPLOY
 
 ### 5.1 Commit with Hotfix Format
 ```bash
 git add [specific files only]
-
 git commit -m "$(cat <<'EOF'
 hotfix: [brief description]
 
@@ -251,7 +285,7 @@ Root cause: [what was wrong]
 Fix: [what was changed]
 
 Severity: P0/P1/P2
-Verified: types, patterns, tests
+Verified: types, build, patterns, tests
 
 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 EOF
@@ -259,9 +293,6 @@ EOF
 ```
 
 ### 5.2 Create PR (If Required)
-
-Ask user before pushing:
-
 ```bash
 git push -u origin hotfix/[issue-name]
 
@@ -279,6 +310,7 @@ gh pr create --title "hotfix: [description]" --body "$(cat <<'EOF'
 
 ### Verification
 - [ ] Types pass
+- [ ] Build passes
 - [ ] Pattern scanner passes
 - [ ] All tests pass
 - [ ] Tested fix locally
@@ -289,6 +321,138 @@ EOF
 )"
 ```
 
+### 5.3 Deploy
+```bash
+# After PR approval (or direct push if P0)
+git checkout main
+git merge hotfix/[issue-name]
+git push origin main
+
+# Monitor deployment
+```
+
+---
+
+## PHASE 6: POST-DEPLOY VERIFICATION
+
+### 6.1 Verify Fix
+```markdown
+### Post-Deploy Verification
+
+| Check | Result | Status |
+|-------|--------|--------|
+| Issue reproduced? | NO | PASS |
+| Feature working? | YES | PASS |
+| No new errors? | YES | PASS |
+| Logs clean? | YES | PASS |
+```
+
+### 6.2 Monitor for Regressions
+```bash
+# Check for new errors in output/logs
+# Run tests again post-deploy
+npm test
+```
+
+---
+
+## HOTFIX REPORT FORMAT
+
+```markdown
+## MASSU HOTFIX REPORT
+
+### Summary
+- **Date**: [timestamp]
+- **Severity**: P0/P1/P2
+- **Time to Fix**: [duration]
+- **Status**: RESOLVED
+
+### Issue
+- **Symptom**: [what was broken]
+- **Impact**: [who was affected]
+- **Root Cause**: [technical cause]
+
+### Fix Applied
+- **File(s)**: [paths]
+- **Change**: [description]
+- **Commit**: [hash]
+
+### Verification
+| Check | Result |
+|-------|--------|
+| Types | PASS |
+| Build | PASS |
+| Patterns | PASS |
+| Tests | PASS |
+
+### Rollback Plan
+```bash
+git revert [commit-hash]
+```
+
+### Follow-up Required
+- [ ] Add test coverage
+- [ ] Review related code
+- [ ] Root cause analysis
+
+**HOTFIX COMPLETE**
+```
+
+---
+
+## SESSION STATE UPDATE
+
+After hotfix, update `session-state/CURRENT.md`:
+
+```markdown
+## HOTFIX SESSION
+
+### Issue
+- **Severity**: P0/P1/P2
+- **Symptom**: [description]
+
+### Fix
+- **File**: [path]
+- **Change**: [description]
+- **Commit**: [hash]
+
+### Status
+- Applied: YES
+- Verified: YES
+
+### Follow-up
+[Any additional work needed]
+```
+
+---
+
+## MANDATORY PLAN DOCUMENT UPDATE (If Hotfix From Plan)
+
+**If hotfix was derived from a plan document, update the plan with completion status.**
+
+### Plan Document Update (Add to TOP of plan if applicable)
+
+```markdown
+# IMPLEMENTATION STATUS
+
+**Plan**: [Plan Name]
+**Status**: HOTFIX APPLIED
+**Last Updated**: [YYYY-MM-DD HH:MM]
+
+## Hotfix Applied
+
+| # | Fix Description | Status | Verification | Date |
+|---|-----------------|--------|--------------|------|
+| 1 | [Hotfix description] | COMPLETE | VR-TEST: Pass | [date] |
+
+## Verification Evidence
+
+### Hotfix: [Name]
+- Command: `npm run build && npm test`
+- Result: Exit 0
+- Status: VERIFIED COMPLETE
+```
+
 ---
 
 ## ROLLBACK PROCEDURE
@@ -306,7 +470,7 @@ git push origin main
 ```bash
 # Confirm no new issues from hotfix revert
 npm test
-cd packages/core && npx tsc --noEmit
+npx tsc --noEmit
 ```
 
 ---
@@ -338,9 +502,9 @@ echo "Hotfix aborted. Reason: [reason]"
 2. [ ] Check recent commits
 3. [ ] Find root cause
 4. [ ] Apply minimal fix
-5. [ ] Type check + tests
-6. [ ] Commit and push
-7. [ ] Verify fix
+5. [ ] Type check + build + tests
+6. [ ] Deploy immediately
+7. [ ] Verify
 8. [ ] Document
 
 ### P1 Checklist (Feature Broken)
@@ -350,131 +514,44 @@ echo "Hotfix aborted. Reason: [reason]"
 4. [ ] Verify patterns
 5. [ ] Full verification
 6. [ ] PR + review
-7. [ ] Push
+7. [ ] Deploy
 8. [ ] Verify + document
 
 ---
 
 ## START NOW
 
-**Step 0: Write AUTHORIZED_COMMAND to session state (CR-35)**
+**Step 0: Write AUTHORIZED_COMMAND to session state (CR-12)**
 
-Update `session-state/CURRENT.md` to include `AUTHORIZED_COMMAND: massu-hotfix`.
+Before any other work, update `session-state/CURRENT.md` to include:
+```
+AUTHORIZED_COMMAND: massu-hotfix
+```
+This ensures that if the session compacts, the recovery protocol knows only `/massu-hotfix` was authorized.
 
-Then:
 1. Triage: Assess severity and impact
 2. Investigate: Find root cause quickly
 3. Plan: Design minimal fix with rollback
 4. Implement: Make only the necessary change
 5. Verify: Run essential checks
-6. Commit: Commit and push
-7. Document: Update session state and report
+6. Deploy: Commit and push
+7. Confirm: Verify fix
+8. Document: Update session state and report
 
 **Remember: Fix the bug, only the bug, nothing but the bug.**
 
 ---
 
-## MANDATORY PLAN DOCUMENT UPDATE (If Hotfix From Plan)
-
-**If hotfix was derived from a plan document, update the plan with completion status.**
-
-```markdown
-# IMPLEMENTATION STATUS
-
-**Plan**: [Plan Name]
-**Status**: HOTFIX APPLIED
-**Last Updated**: [YYYY-MM-DD HH:MM]
-
-## Hotfix Applied
-
-| # | Fix Description | Status | Verification | Date |
-|---|-----------------|--------|--------------|------|
-| 1 | [Hotfix description] | COMPLETE | VR-TEST: Pass | [date] |
-```
-
----
-
-## SESSION STATE UPDATE
-
-After hotfix, update `session-state/CURRENT.md`:
-
-```markdown
-## HOTFIX SESSION
-
-### Issue
-- **Severity**: P0/P1/P2
-- **Symptom**: [description]
-
-### Fix
-- **File**: [path]
-- **Change**: [description]
-- **Commit**: [hash]
-
-### Status
-- Applied: YES
-- Verified: YES
-
-### Follow-up
-[Any additional work needed]
-```
-
----
-
 ## AUTO-LEARNING PROTOCOL (MANDATORY after every hotfix)
 
 **Every hotfix represents a failure that MUST be recorded so the system learns.**
 
-### After Fix is Verified:
+### After Fix is Deployed and Verified:
 
-1. **Record in session state**: Update `.claude/session-state/CURRENT.md` with the wrong pattern and correct pattern
-2. **Add to pattern scanner**: If the bad pattern is grep-able, add detection to `scripts/massu-pattern-scanner.sh`
-3. **Search codebase-wide**: `grep -rn "[bad_pattern]" packages/core/src/ --include="*.ts"` and fix ALL instances (CR-9)
-4. **Consider new CR rule**: If this is a class of bug (not one-off), propose a new CR rule for CLAUDE.md
-
-**Hotfixes without learning are wasted crises. Every failure teaches something -- capture it.**
-
----
+1. **Ingest into massu memory**: Use `mcp__massu-codegraph__massu_memory_ingest` with type="bugfix", importance=5 (hotfixes are always high importance), description of root cause + fix
+2. **Record in session state**: Add the wrong pattern and correct pattern to `.claude/session-state/CURRENT.md`
+3. **Add to pattern scanner**: If the bad pattern is grep-able, add detection to `scripts/massu-pattern-scanner.sh`
+4. **Search codebase-wide**: `grep -rn "[bad_pattern]" packages/core/src/` and fix ALL instances (CR-9)
+5. **Consider new CR rule**: If this is a class of bug (not one-off), propose a new CR rule for CLAUDE.md
 
-## COMPLETION REPORT
-
-```markdown
-## CS HOTFIX COMPLETE
-
-### Summary
-- **Date**: [timestamp]
-- **Severity**: P0/P1/P2
-- **Time to Fix**: [duration]
-- **Status**: RESOLVED
-
-### Issue
-- **Symptom**: [what was broken]
-- **Impact**: [what was affected]
-- **Root Cause**: [technical cause]
-
-### Fix Applied
-- **File(s)**: [paths]
-- **Change**: [description]
-- **Branch**: hotfix/[description]
-- **Commit**: [hash]
-
-### Verification
-| Check | Status |
-|-------|--------|
-| Type Safety | PASS |
-| Pattern Scanner | PASS |
-| Tests | PASS ([N] passed) |
-
-### Rollback Plan
-git revert [commit-hash]
-
-### PR (if created)
-- **URL**: [PR URL]
-- **Status**: Open
-
-### Follow-up Required
-- [ ] Add test coverage for the bug
-- [ ] Review related code
-- [ ] Root cause analysis
-
-**HOTFIX COMPLETE**
-```
+**Hotfixes without learning are wasted crises. Every outage teaches something -- capture it.**

package/commands/massu-incident.md

@@ -1,22 +1,23 @@
 ---
 name: massu-incident
 description: "When a bug is confirmed, a production issue is found, or user reports 'this broke', 'incident', 'production error' — triggers incident documentation protocol"
-allowed-tools: Bash(*), Read(*), Write(*), Edit(*), Grep(*), Glob(*)
+allowed-tools: Bash(*), Read(*), Write(*), Edit(*), Grep(*), Glob(*), mcp__massu-codegraph__massu_memory_ingest
 ---
 name: massu-incident
 
-# Massu Incident: Automated Post-Mortem & Prevention Pipeline
-
 > **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding.
 
+# Massu Incident: Automated Post-Mortem & Prevention Pipeline
+
 ## Objective
 
 When a bug is discovered that an audit should have caught, execute a
 structured post-mortem that AUTOMATICALLY:
 1. Logs the incident to INCIDENT-LOG.md
-2. Proposes a new CR rule or VR-* check
-3. Proposes a pattern-scanner addition
-4. Updates relevant protocol files with incident reminder
+2. Ingests it into massu memory (high importance)
+3. Proposes a new CR rule or VR-* check
+4. Proposes a pattern-scanner addition
+5. Updates relevant protocol files with incident reminder
 
 ## INPUT
 
@@ -64,32 +65,54 @@ Append to `.claude/incidents/INCIDENT-LOG.md`:
 **Lesson**: [one-line lesson]
 ```
 
-## STEP 4: PROPOSE PREVENTION
+## STEP 4: INGEST INTO MASSU MEMORY
+
+Use `mcp__massu-codegraph__massu_memory_ingest` to record:
+```json
+{
+  "type": "failed_attempt",
+  "title": "INCIDENT #[N]: [short title]",
+  "detail": "[root cause and lesson]",
+  "importance": 5,
+  "cr_rule": "[relevant CR]",
+  "files_involved": "[file list]"
+}
+```
+
+This ensures the incident surfaces automatically in future sessions
+via the session-start hook's failed_attempt query.
+
+## STEP 5: PROPOSE PREVENTION
 
-### 4a: New CR Rule (if pattern is new)
+### 5a: New CR Rule (if pattern is new)
 If the failure mode isn't covered by existing CRs:
 - Propose CR-[N+1] with rule text
 - Add to CLAUDE.md CR table
+- Add to Zero Tolerance table
 
-### 4b: New VR-* Check (always)
+### 5b: New VR-* Check (always)
 Every incident MUST produce a verifiable check:
 - Define the verification command
 - Add to VR table in CLAUDE.md
 - Specify when to run it
 
-### 4c: Pattern Scanner Rule (if automatable)
+### 5c: Pattern Scanner Rule (if automatable)
 If the failure can be caught by grep:
 - Add rule to `scripts/pattern-scanner.sh`
 - Test it catches the original failure
 - Verify it doesn't false-positive
 
-### 4d: Protocol Update (always)
+### 5d: Protocol Update (always)
 Add incident reminder to the protocol that should have caught it:
 - Add `## INCIDENT #[N] REMINDER` section
 - Explain the failure mode
 - Explain what to check for
 
-## STEP 5: VERIFY PREVENTION WORKS
+## STEP 6: UPDATE CLAUDE.md INCIDENT SUMMARY
+
+Update the incident count and add the new row to the incident table.
+
+## STEP 7: VERIFY PREVENTION WORKS
 
 ```bash
 # If pattern-scanner rule added:
@@ -97,6 +120,9 @@ Add incident reminder to the protocol that should have caught it:
 
 # If VR-* check added, run it:
 [verification command]
+
+# Confirm incident is in memory:
+# (will surface at next session start automatically)
 ```
 
 ## OUTPUT
@@ -106,21 +132,23 @@ Add incident reminder to the protocol that should have caught it:
 
 ### Incident #[N]: [Title]
 - Logged to: INCIDENT-LOG.md
+- Ingested to: massu memory (importance: 5)
 - CR rule: [CR-XX added/updated]
 - VR check: [VR-XX added]
 - Pattern scanner: [rule added / not automatable]
 - Protocol updated: [which protocol]
 
 ### Prevention Chain
-1. Pattern scanner: Will catch at pre-push
-2. Protocol: Explicit reminder in [protocol name]
-3. CR rule: Documented in CLAUDE.md
-4. MEMORY.md: Wrong vs correct pattern recorded for all future sessions
+1. Memory: Will surface at session start in related domains
+2. Pattern scanner: Will catch at pre-push
+3. Protocol: Explicit reminder in [protocol name]
+4. CR rule: Documented in CLAUDE.md
+5. MEMORY.md: Wrong vs correct pattern recorded for all future sessions
 
-**This failure mode is now prevented at 4 levels.**
+**This failure mode is now prevented at 5 levels.**
 ```
 
-## STEP 6: UPDATE MEMORY.md (MANDATORY)
+## STEP 8: UPDATE MEMORY.md (MANDATORY)
 
 Every incident MUST be recorded in `memory/MEMORY.md` with the wrong vs correct pattern:
 
@@ -134,7 +162,7 @@ Every incident MUST be recorded in `memory/MEMORY.md` with the wrong vs correct
 This ensures that even without accessing the incident log, future sessions
 will have the pattern in their system prompt via MEMORY.md.
 
-## STEP 7: CODEBASE-WIDE SEARCH (CR-9)
+## STEP 9: CODEBASE-WIDE SEARCH (CR-9)
 
 Search the ENTIRE codebase for the same bad pattern that caused the incident:
 ```bash
@@ -143,7 +171,7 @@ grep -rn "[bad_pattern]" src/ --include="*.ts" --include="*.tsx"
 Fix ALL instances found. The incident that triggered this post-mortem
 may not be the only occurrence.
 
-## STEP 8: COUPLING CHECK
+## STEP 10: VR-COUPLING CHECK
 
 If the incident involved a feature that was implemented but not exposed in the UI, run the coupling check to verify all backend procedures have UI exposure:
 
@@ -156,6 +184,7 @@ If the incident involved a feature that was implemented but not exposed in the U
 
 ## Gotchas
 
+- **Ingest to memory immediately** — every incident MUST be saved to `.claude/memory/` files BEFORE the session ends. Lost incident knowledge = repeated incidents
 - **Update INCIDENT-LOG.md** — every incident gets a numbered entry in `incidents/INCIDENT-LOG.md` with root cause, prevention, and CR reference
 - **Add CR if pattern emerges** — if the incident reveals a repeatable failure pattern, add a new Canonical Rule to CLAUDE.md
 - **Update pattern scanner** — if the incident could be caught by static analysis, add a check to `scripts/pattern-scanner.sh`