@neikyun/ciel 6.14.1 → 6.14.2

package/assets/.claude/hooks/stop.sh

@@ -1,17 +1,7 @@
 #!/bin/bash
-# Ciel — Stop hook
-# Trigger: Claude finishes responding (end of task)
-# Purpose: (1) inject meta-critiquer instruction; (2) if on default branch with
-# 3+ unreleased feat/fix commits, prepend a release-gate reminder.
-#
-# Claude Code Stop-hook schema rejects hookSpecificOutput.additionalContext
-# (it is only valid for UserPromptSubmit/PostToolUse). The documented way to
-# steer the model at Stop is {"decision":"block","reason":"..."} — the reason
-# is surfaced as an instruction the model must address.
-#
-# Both meta-critiquer and release-gate are combined into a single `reason`
-# field so only one block event fires per Stop. The existing stop_hook_active
-# loop guard handles re-entry for both.
+# Ciel v9 — Stop hook
+# Injects 3 META reflection questions via decision:block.
+# Never blocks more than once per session.
 
 INPUT=$(cat 2>/dev/null || echo "{}")
 
@@ -20,85 +10,20 @@ import sys, json
 try:
     d = json.loads(sys.argv[1])
     print('true' if d.get('stop_hook_active', False) else 'false')
-except Exception:
+except:
     print('false')
 " "$INPUT" 2>/dev/null || echo "false")
 
-if [ "$ACTIVE" = "true" ]; then
-  exit 0
-fi
+[ "$ACTIVE" = "true" ] && exit 0
 
-# Fail-safe: block at most once per 60s window even if stop_hook_active
-# is not set (older Claude Code versions, parsing edge cases, plugin
-# auto-discovery re-invoking the same hook from multiple registrations).
-# Without this, the same Stop event can fire 9 times → CC overrides the
-# hook and emits the "blocked turn 9 times" warning.
-PROJECT_KEY=$(echo "${CLAUDE_PROJECT_DIR:-$PWD}" | (shasum 2>/dev/null || sha1sum 2>/dev/null || md5sum 2>/dev/null || md5 -q 2>/dev/null || cksum 2>/dev/null) | cut -c1-12)
-LAST_BLOCK_FILE="${TMPDIR:-/tmp}/ciel-stop-last-block-${PROJECT_KEY}"
-NOW=$(date +%s)
-LAST=$(cat "$LAST_BLOCK_FILE" 2>/dev/null || echo 0)
-if [ $((NOW - LAST)) -lt 60 ]; then
-  exit 0
-fi
-echo "$NOW" > "$LAST_BLOCK_FILE" 2>/dev/null || true
-
-CWD=$(python3 -c "
-import sys, json
-try:
-    d = json.loads(sys.argv[1])
-    print(d.get('cwd', ''))
-except Exception:
-    print('')
-" "$INPUT" 2>/dev/null || echo "")
-
-# Release-gate check — writes RG_MSG if it should fire
-RG_MSG=""
-check_release_gate() {
-  local cwd="$1"
-  [ -z "$cwd" ] && return 1
-  command -v git >/dev/null 2>&1 || return 1
-  git -C "$cwd" rev-parse --git-dir >/dev/null 2>&1 || return 1
-
-  local current default
-  current=$(git -C "$cwd" rev-parse --abbrev-ref HEAD 2>/dev/null)
-  default=$(git -C "$cwd" symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@')
-  [ -z "$default" ] && default="main"
-  [ "$current" = "$default" ] || return 1
-
-  local snooze="$cwd/.ciel-release-snooze"
-  if [ -f "$snooze" ] && find "$snooze" -mmin -60 2>/dev/null | grep -q .; then
-    return 1
-  fi
-
-  local last_tag range pending
-  last_tag=$(git -C "$cwd" describe --tags --abbrev=0 2>/dev/null || echo "")
-  if [ -z "$last_tag" ]; then
-    range="HEAD"
-  else
-    range="$last_tag..HEAD"
-  fi
-  pending=$(git -C "$cwd" log "$range" --oneline 2>/dev/null | grep -cE '^[a-f0-9]+ (feat|fix)(\(|:|!)' || echo 0)
-
-  [ "$pending" -ge 3 ] || return 1
-
-  local tag_label="${last_tag:-<no previous tag>}"
-  RG_MSG="CIEL RELEASE-GATE — $pending feat/fix commit(s) on $default since $tag_label without a release. Actions: (1) bump VERSION per conventional-commit scope (feat=minor, fix=patch, feat!/fix!=major), (2) append CHANGELOG.md entry, (3) git tag -a v<N.N.N>, (4) gh release create v<N.N.N> --generate-notes. Invoke changelog-updater + release-publisher skills. Snooze 60min: touch .ciel-release-snooze."
-  return 0
-}
-
-META_MSG="CIEL STOP — 30s META-CRITIQUER obligatoire avant de declarer fini: (1) depth match? (2) new failure mode → Guard? (3) user correction → memoire (capture to .ciel/memory/episodes/ via memory-engine.py)? (4) stale branches? (5) uncovered issues? (6) context health? (7) session-progress.md written? (8) dead code sweep (ruff/knip/Detekt)? (9) agent-discovered pattern → memoire capture (if you noticed a reusable pattern, bug, or convention not yet in .ciel/memory/ — call memory-engine.py capture with --captured-from=agent-observed)? (10) 5+ triggers without promotion → invoke memoire-consolidator? Invoke meta-critiquer skill then memoire."
-
-if check_release_gate "$CWD"; then
-  MSG="$RG_MSG
-
-$META_MSG"
-else
-  MSG="$META_MSG"
-fi
+META_MSG="CIEL — 30s META reflection avant de declarer fini:
+1. Qu'ai-je manque que l'utilisateur va me demander ensuite ?
+2. Quelle decision ou decouverte merite d'etre sauvegardee en memoire ?
+3. Si je devais refaire cette tache, que ferais-je differemment ?"
 
 python3 -c "
 import json, sys
 print(json.dumps({'decision': 'block', 'reason': sys.argv[1]}))
-" "$MSG"
+" "$META_MSG"
 
 exit 0

package/assets/.claude/hooks/user-prompt-submit.sh

@@ -1,8 +1,6 @@
 #!/bin/bash
-# Ciel — UserPromptSubmit hook
-# Trigger: user submits a prompt (before Claude processes)
-# Purpose: light depth pre-classification hint injected into context
-# Invokes: depth-classifier skill (lightweight mode)
+# Ciel v9 — UserPromptSubmit hook
+# Injects: depth hint + cued-recall memory + intervention detection
 # Never blocks (exit 0 always)
 
 INPUT=$(cat 2>/dev/null || echo "{}")
@@ -17,85 +15,19 @@ except:
 
 [ -z "$PROMPT" ] && exit 0
 
-# Depth classification is model-driven, not regex-driven.
-# Default to Standard — the model reclassifies via depth-classifier skill at DOCS step
-# and writes the result to .ciel/last-depth (read by pre-tool-write gate).
-# No mechanical keyword detection — regex is too imprecise for AI-driven tasks.
+# Depth classification — default Standard, model reclassifies at DOCS
 DEPTH="Standard"
-REASON="model reclassifies via depth-classifier at DOCS — write to .ciel/last-depth"
 
-DISPATCH_GATE=""
-if [[ "$DEPTH" == "Standard" || "$DEPTH" == "Critical" ]]; then
-  DISPATCH_GATE=" | DISPATCH GATE: dispatch ciel-researcher + ciel-explorer in parallel BEFORE first Bash/Read/Edit."
-fi
-
-META_GATE=""
-PROJECT_DIR="${CLAUDE_PROJECT_DIR:-}"
-if [ -n "$PROJECT_DIR" ] && [ -f "$PROJECT_DIR/.ciel/tracked-files.json" ]; then
-  EDIT_COUNT=$(CIEL_PATH="$PROJECT_DIR/.ciel/tracked-files.json" python3 -c "
-import json, os
-try: print(len(json.load(open(os.environ['CIEL_PATH']))))
-except: print(0)
-" 2>/dev/null || echo "0")
-  if [ "${EDIT_COUNT:-0}" -ge 3 ] 2>/dev/null; then
-    # Write META-pending flag — persists across sessions until META completed
-    META_FLAG="$PROJECT_DIR/.ciel/meta-pending"
-    mkdir -p "$PROJECT_DIR/.ciel" 2>/dev/null || true
-    python3 -c "
-import json, os, datetime
-flag = os.environ.get('META_FLAG', '')
-if flag:
-    data = {'edits': int(os.environ.get('EDIT_COUNT', '0')), 'since': datetime.datetime.utcnow().isoformat() + 'Z'}
-    with open(flag, 'w') as f:
-        json.dump(data, f)
-" META_FLAG="$META_FLAG" EDIT_COUNT="$EDIT_COUNT" 2>/dev/null || true
-    META_GATE=" | META GATE: ${EDIT_COUNT} files edited — previous task MUST complete 10-item META reflection via Skill(meta-critiquer) BEFORE next task. META is NOT optional after 3+ edits. Clear .ciel/meta-pending when done."
-  elif [ "${EDIT_COUNT:-0}" -gt 0 ] 2>/dev/null; then
-    META_GATE=" | META GATE: ${EDIT_COUNT} file(s) edited — complete 10-item META if previous task ended at PROUVER."
-  fi
-fi
-
-# ─── Cued-recall: intervention + explicit-save detection ─────────────────────
-# Two narrow buckets, BOTH high-precision (POSIX-ERE, no PCRE lookahead):
-#  1. Intervention regex — user corrections ("you forgot", "non en fait", …)
-#  2. Explicit save-request regex — direct capture asks ("save this to memory", …)
-# Bare verbs without an explicit memory noun (e.g. "remember to commit",
-# "memorise this") are deliberately NOT triggers — an earlier draft used
-# `remember (this|that|it|to)` and fired on every casual "I'll remember to X"
-# prompt, polluting the cued-recall corpus. Each save-request branch REQUIRES
-# the noun `memory`/`mémoire` OR the unambiguous verb+object pair
-# `mémorise <ça/cela/ceci>` / `memorise <this/that/it>`. Anchored to sentence
-# boundary so trailing "remember" never fires. See ADR-0001, skill `memoire`,
-# and packages/ciel/test/hooks-regex.test.ts.
-INTERVENTION_GATE=""
-# Bucket 1: corrections / "you missed something" (unchanged from v6.2 — proven precise)
-if echo "$PROMPT" | grep -qiE "(tu as oublié|t'as oublié|n'oublie pas (que|de)|non en fait|non,? en fait|attention que|rappelle-toi (que|de)|ici on (fait|utilise) plutôt|non on (fait|utilise) plutôt|en fait c'est pas|c'est pas comme ça|mauvaise approche|tu te trompes|you forgot (to|that)|don't forget (to|that)|that's not (right|correct|how)|that's wrong|no[,]? actually|actually,? no|wait[,—-] (no|don't|you forgot)|stop[,—-] (no|you forgot|don't))"; then
-  INTERVENTION_GATE=" | CAPTURE GATE: intervention pattern detected — propose AskUserQuestion to capture as memory under .ciel/memory/episodes/ (skill: memoire). Never silent-write."
-fi
-# Bucket 2: explicit save requests — every branch requires the memory noun or
-# unambiguous mémorise/memorise+object. Anchored to start-of-prompt or
-# sentence boundary so "I'll remember the memory of …" never fires.
-if [ -z "$INTERVENTION_GATE" ] && echo "$PROMPT" | grep -qiE "(^|[[:space:].!?])(save (this|that|it) (to|in|into) (the )?memory|put (this|that|it) (in|into) (the )?memory|put (it|this|that) in (the )?memory of ciel|garde (ça|cela|ceci) en (mémoire|memoire)|mets (ça|cela|ceci) en (mémoire|memoire)|enregistre (ça|cela|ceci) (en|dans la|à la) (mémoire|memoire)|sauvegarde (ça|cela|ceci) (en|dans la|à la) (mémoire|memoire)|mémorise (ça|cela|ceci)|memorise (this|that|it))"; then
-  INTERVENTION_GATE=" | CAPTURE GATE: explicit save request detected — propose AskUserQuestion then capture as memory under .ciel/memory/episodes/ via memory-engine.py (skill: memoire). NEVER write to Claude Code auto-memory (~/.claude/projects/<slug>/memory/MEMORY.md) — that is a DIFFERENT system and invisible to /ciel-audit. Never silent-write."
-fi
-
-# ─── Cued-recall: query memory engine for matching memories ──────────────────
-# Calls hooks/memory-engine.py if installed and a memory corpus exists. The
-# engine handles cue extraction (paths, symbols, intents, language), scoring,
-# token cap, decay, and trigger updates. See docs/adrs/0001-cued-recall-memory.md.
+# ─── Cued-recall: query memory engine ──────────────────────────────────
 MEMORY_OUTPUT=""
 ENGINE_PATH=""
-# Resolution order: same dir as this script (most reliable, found via BASH_SOURCE)
-# → project-relative paths in priority order → $HOME fallbacks. Covers local-mode
-# install (top-level hooks/), curl-mode install (.claude/hooks/ or ~/.claude/plugins/ciel/),
-# and OpenCode plugin layout (~/.config/opencode/...).
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd 2>/dev/null || echo "")"
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-}"
+
 for candidate in \
     "$SCRIPT_DIR/memory-engine.py" \
     "$PROJECT_DIR/.claude/hooks/memory-engine.py" \
-    "$PROJECT_DIR/hooks/memory-engine.py" \
-    "$HOME/.claude/plugins/ciel/memory-engine.py" \
-    "$HOME/.ciel/hooks/memory-engine.py"; do
+    "$PROJECT_DIR/hooks/memory-engine.py"; do
   if [[ -n "$candidate" ]] && [[ -f "$candidate" ]]; then
     ENGINE_PATH="$candidate"
     break
@@ -107,46 +39,21 @@ if [[ -n "$ENGINE_PATH" ]] && [[ -n "$PROJECT_DIR" ]] && [[ -f "$PROJECT_DIR/.ci
   MEMORY_OUTPUT=$(python3 "$ENGINE_PATH" query --prompt "$PROMPT" --cwd "$PROJECT_DIR" --depth "$DEPTH_LOWER" 2>/dev/null || echo "")
 fi
 
-# Persist depth classification for downstream hooks (pre-tool-write gate reads this)
-if [ -n "${CLAUDE_PROJECT_DIR:-}" ]; then
-  echo "$DEPTH" > "$CLAUDE_PROJECT_DIR/.ciel/last-depth" 2>/dev/null || true
+# ─── Intervention detection ─────────────────────────────────────────────
+INTERVENTION_GATE=""
+if echo "$PROMPT" | grep -qiE "(tu as oublié|t'as oublié|non en fait|attention que|ici on (fait|utilise) plutôt|tu te trompes|you forgot (to|that)|don't forget|that's not (right|correct|how)|no[,]? actually|wait[,—-] (no|don't|you forgot)|mauvaise approche)"; then
+  INTERVENTION_GATE=" | CAPTURE GATE: intervention detected — propose memory capture via memoire skill"
 fi
 
-# ─── Pipeline state tracker ───────────────────────────────────────────
-PIPELINE_STATE=""
-if [ -n "$PROJECT_DIR" ] && [ -f "$PROJECT_DIR/.ciel/pipeline-state.json" ]; then
-  PIPELINE_STATE=$(STATE_FILE="$PROJECT_DIR/.ciel/pipeline-state.json" python3 << 'PYEOF'
-import json, os, sys
-try:
-    with open(os.environ['STATE_FILE']) as f:
-        state = json.load(f)
-    steps = state.get('steps', {})
-    # ASK2 excluded — no Skill/Agent mapping exists for user-validation steps
-    order = ['DOCS','QUOI','ASK','AVEC QUOI','DIVERGE','RECHERCHE','SECURITE','CODEBASE','EVALUER','FAIRE','TESTER','ADR','RELIRE','PROUVER','MEMOIRE','COMPILER','META']
-    done = [s for s in order if s in steps and steps[s].get('status') == 'done']
-    done_count = len(done)
-    total = len(order)
-    # Compute pending step: first unfinished after last done
-    done_indices = [order.index(s) for s in done]
-    last_done_idx = max(done_indices) if done_indices else -1
-    pending = order[last_done_idx + 1] if last_done_idx + 1 < total else None
-    # Show last 6 completed + pending indicator
-    display = done[-6:] if len(done) > 6 else done[:]
-    show = [d + '✓' for d in display]
-    if pending and pending not in done:
-        show.append(pending + '●')
-    bar = ' → '.join(show)
-    print(f' | PIPELINE: {bar} ({done_count}/{total})')
-except Exception:
-    pass
-PYEOF
-)
+# ─── Persist depth ──────────────────────────────────────────────────────
+if [ -n "${CLAUDE_PROJECT_DIR:-}" ]; then
+  echo "$DEPTH" > "$CLAUDE_PROJECT_DIR/.ciel/last-depth" 2>/dev/null || true
 fi
 
-MSG_BASE="CIEL depth hint: $DEPTH ($REASON).$DISPATCH_GATE$META_GATE$INTERVENTION_GATE$PIPELINE_STATE | SKILLS: load workflow skill via Skill() for current pipeline step (CLAUDE.md column 'Skill a charger'). Never skip. Invoke depth-classifier if ambiguous before routing pipeline."
+# ─── Build context injection ────────────────────────────────────────────
+MSG="CIEL depth: $DEPTH. | Dispatch researcher+explorer before writing code.$INTERVENTION_GATE | Load domain skills via paths: matching files."
 
-# Emit JSON via python to handle newlines and quoting safely
-MSG_BASE="$MSG_BASE" MEMORY_OUTPUT="$MEMORY_OUTPUT" python3 -c "
+MSG_BASE="$MSG" MEMORY_OUTPUT="$MEMORY_OUTPUT" python3 -c "
 import os, json
 base = os.environ.get('MSG_BASE', '')
 mem = os.environ.get('MEMORY_OUTPUT', '').strip()

package/assets/.claude/rules/api-design.md

@@ -0,0 +1,23 @@
+---
+paths:
+  - "**/routes/**"
+  - "**/*Routes*"
+  - "**/*Controller*"
+  - "**/*Handler*"
+  - "**/openapi*"
+  - "**/swagger*"
+---
+
+## Dispatch
+- Charge `api-design` AVANT d'ecrire ou modifier un endpoint.
+- Si l'endpoint gere des donnees utilisateur → charge aussi `appsec`.
+
+## Regles dures (zero tolerance)
+- **Jamais** de breaking change sans nouvelle version ou deprecation window explicite.
+- **Jamais** de `200 OK` avec erreur dans le corps. Codes HTTP standard.
+- **Jamais** de pagination offset-based. Cursor-based uniquement.
+
+## Conventions du projet
+- Erreurs structurees : `{error: {code, message, details}}`.
+- Mutations POST/PUT/DELETE avec `Idempotency-Key`.
+- Rate limiting avec headers standards : `Retry-After`, `X-RateLimit-*`.

package/assets/.claude/rules/backend.md

@@ -0,0 +1,22 @@
+---
+paths:
+  - "**/services/**"
+  - "**/*Service*"
+  - "**/*Server*"
+  - "**/server*"
+---
+
+## Dispatch
+- Charge `backend` AVANT d'ecrire du code backend.
+- Si le service appelle une DB → charge aussi `database-design`.
+- Si le service gere des donnees utilisateur → charge aussi `appsec`.
+
+## Regles dures (zero tolerance)
+- **Jamais** avaler les erreurs. Soit gerer (retry, fallback), soit laisser remonter.
+- **Jamais** de `process.exit(0)` sur SIGTERM. Graceful shutdown : stop accepter → drainer → close → exit.
+- **Jamais** de connexion unique DB/Redis. Connection pooling obligatoire.
+
+## Conventions du projet
+- Chaque endpoint a un timeout explicite.
+- Health check : liveness ≠ readiness.
+- Erreurs structurees en prod, jamais de stack trace.

package/assets/.claude/rules/cicd-pipeline.md

@@ -0,0 +1,23 @@
+---
+paths:
+  - "**/.github/workflows/**"
+  - "**/.gitlab-ci*"
+  - "**/Jenkinsfile*"
+  - "**/ci*"
+  - "**/.circleci/**"
+  - "**/azure-pipelines*"
+---
+
+## Dispatch
+- Charge `cicd-pipeline` AVANT de modifier un pipeline CI/CD.
+- Si le pipeline deploye → charge aussi `release-management`.
+
+## Regles dures (zero tolerance)
+- **Jamais** de secret dans le pipeline. OIDC ou secrets manager.
+- **Jamais** de `on: push` sans filtrage de branche sur les jobs de deploy.
+- **Jamais** de `--no-verify` ou `--no-gpg-sign` dans un pipeline.
+
+## Conventions du projet
+- Feedback < 5 min pour les tests unitaires, < 15 min pour l'integration.
+- Matrix builds pour tester plusieurs versions.
+- Runners ephemeres — pas d'etat persistant entre les jobs.

package/assets/.claude/rules/containers.md

@@ -0,0 +1,23 @@
+---
+paths:
+  - "**/Dockerfile*"
+  - "**/docker-compose*"
+  - "**/.dockerignore"
+  - "**/*.containerfile"
+  - "**/compose*.yml"
+  - "**/compose*.yaml"
+---
+
+## Dispatch
+- Charge `containers` AVANT de modifier des conteneurs.
+- Si le Dockerfile est pour la prod → charge aussi `appsec` + `supply-chain`.
+
+## Regles dures (zero tolerance)
+- **Jamais** de `:latest` en prod. Tag explicite ou digest SHA256.
+- **Jamais** de root dans le container. USER non-root.
+- **Jamais** de secret dans une couche Docker (COPY + RUN + rm = toujours dans l'historique).
+
+## Conventions du projet
+- Multi-stage builds pour separer build et runtime.
+- Layer ordering : dependances (peu changeant) → code source (changeant).
+- Healthcheck dans chaque container de service.

package/assets/.claude/rules/database-design.md

@@ -0,0 +1,22 @@
+---
+paths:
+  - "**/*.sql"
+  - "**/migrations/**"
+  - "**/schema/**"
+  - "**/*Repository*"
+  - "**/*Database*"
+---
+
+## Dispatch
+- Charge `database-design` AVANT d'ecrire du SQL ou de modifier un schema.
+- Si la migration touche une table > 1M rows → charge aussi `resilience`.
+
+## Regles dures (zero tolerance)
+- **Jamais** de `ALTER TABLE` direct sur une grosse table en une etape. Expand/Contract : add column → backfill → add constraint.
+- **Jamais** de FK sans index. Verifiable automatiquement.
+- **Jamais** de logique metier dans la DB (triggers, stored procedures).
+
+## Conventions du projet
+- UUID v7 si distribue, bigint si centralise.
+- Migrations reversibles (up + down) testees en rollback dans la CI.
+- Colonnes NOT NULL par defaut — nullable est l'exception, justifiee.

package/assets/.claude/rules/environments.md

@@ -0,0 +1,27 @@
+---
+paths:
+  - ".github/workflows/**"
+  - ".github/environments/**"
+  - "**/environment*"
+  - "**/deploy*"
+  - "**/ci*.yml"
+  - "**/ci*.yaml"
+  - "**/.env*"
+  - ".env.example"
+---
+
+## Dispatch
+- Charge `environments` AVANT de modifier la configuration de deploiement, les workflows de deploy, ou les variables d'environnement.
+- Si la tache touche aux secrets → charge aussi `security` et `appsec`.
+- Si la tache touche au pipeline CI/CD → charge aussi `cicd-pipeline`.
+
+## Regles dures (zero tolerance)
+- **Jamais** de secret partage entre environnements. Chaque environnement a ses propres credentials.
+- **Jamais** de deploy direct en production sans gate humaine. Staging d'abord, validation, puis production.
+- **Jamais** de promotion inversee (prod → staging). Le flux est toujours dev → staging → prod.
+
+## Conventions du projet
+- Au moins 2 environnements : staging/preview + production.
+- GitHub Environments pour les secrets par environnement (fonctionne sans organisation).
+- Staging est le jumeau de production — meme stack, meme config, donnees et echelle differentes.
+- Logs et metriques centralises avec tag `env:` (staging/production).

package/assets/.claude/rules/frontend.md

@@ -0,0 +1,25 @@
+---
+paths:
+  - "**/*.tsx"
+  - "**/*.jsx"
+  - "**/*.vue"
+  - "**/*.svelte"
+  - "**/*.css"
+  - "**/*.scss"
+  - "**/components/**"
+  - "**/pages/**"
+---
+
+## Dispatch
+- Charge `frontend` AVANT d'ecrire du code frontend.
+- Si le composant gere l'auth → charge aussi `appsec`.
+
+## Regles dures (zero tolerance)
+- **Jamais** de state management disproportionne : useState → Context → Zustand → Redux (pas l'inverse).
+- **Jamais** de `useEffect` en cascade. Deriver pendant le rendu.
+- **Jamais** de bundle > 200KB sans code splitting par route.
+
+## Conventions du projet
+- Lighthouse ≥ 90 sur perf + a11y + best practices — mesure dans la CI.
+- Accessibilite de base non-negociable : labels, keyboard nav, contrast, ARIA.
+- Formulaires : idle, loading, success, error, validation — tous les etats geres.

package/assets/.claude/rules/github.md

@@ -0,0 +1,22 @@
+---
+paths:
+  - ".github/**"
+  - ".github/ISSUE_TEMPLATE/**"
+  - ".github/workflows/**"
+  - "**/pull_request_template.md"
+---
+
+## Dispatch
+- Charge `github` AVANT de modifier les workflows, templates, ou la configuration GitHub.
+- Si le workflow déploie → charge aussi `cicd-pipeline` et `release-management`.
+
+## Règles dures (zero tolerance)
+- **Jamais** de secret dans les workflows. OIDC ou `secrets: inherit` uniquement.
+- **Jamais** de push direct sur main. PR obligatoire + review + CI verte.
+- **Jamais** de PR sans issue liée (Closes #N) et description structurée.
+
+## Conventions du projet
+- Conventional Commits : `feat(scope):`, `fix(scope):`, `chore(scope):` — machine-readable.
+- Branches ≤ 1 jour : `feat/`, `fix/`, `chore/`.
+- PR < 400 lignes avec test plan.
+- Templates d'issue (bug.yml, feature.yml) et de PR (pull_request_template.md).

package/assets/.claude/rules/logging.md

@@ -0,0 +1,23 @@
+---
+paths:
+  - "**/logging*"
+  - "**/*Logger*"
+  - "**/*log*"
+  - "**/logback*"
+  - "**/log4j*"
+  - "**/winston*"
+---
+
+## Dispatch
+- Charge `logging` AVANT de configurer les logs.
+- Si les logs contiennent des PII → charge aussi `appsec`.
+
+## Regles dures (zero tolerance)
+- **Jamais** de PII/token/secret dans les logs. Scrub automatique.
+- **Jamais** de `console.log` en prod. Structured logging uniquement.
+- **Jamais** de log level DEBUG en prod par defaut.
+
+## Conventions du projet
+- JSON structure : `{timestamp, level, logger, message, correlationId, ...context}`.
+- Correlation ID sur chaque requete — propage a tous les services.
+- Log levels : ERROR (alerte), WARN (investiguer), INFO (decisions metier), DEBUG (detail).

package/assets/.claude/rules/monitoring.md

@@ -0,0 +1,25 @@
+---
+paths:
+  - "**/metrics*"
+  - "**/*Metrics*"
+  - "**/health*"
+  - "**/*Health*"
+  - "**/dashboards/**"
+  - "**/alerts*"
+  - "**/prometheus*"
+  - "**/grafana*"
+---
+
+## Dispatch
+- Charge `monitoring` AVANT de configurer des metriques ou alertes.
+- Si les alertes sont pour la securite → charge aussi `appsec`.
+
+## Regles dures (zero tolerance)
+- **Jamais** d'alerte sans runbook. Chaque alerte a un lien vers la procedure.
+- **Jamais** de metrique sans cardinalite bornee. Pas de user ID comme label.
+- **Jamais** de `alert: always` sans fenetre de silence.
+
+## Conventions du projet
+- RED metrics pour les services : Rate, Errors, Duration.
+- USE metrics pour l'infra : Utilization, Saturation, Errors.
+- Dashboards : 4 golden signals (latency, traffic, errors, saturation).

package/assets/.claude/rules/research.md

@@ -0,0 +1,20 @@
+---
+paths:
+  - "SKILL.md"
+  - "**/SKILL.md"
+  - ".claude/skills/**"
+---
+
+## Dispatch
+- Charge `research` AVANT toute recherche d'information externe (WebSearch, WebFetch, documentation).
+- Charge `research` quand tu crées ou modifies un skill (les skills encodent des connaissances, la recherche vérifie leur exactitude).
+
+## Règles dures (zero tolerance)
+- **Jamais** citer une API ou option sans vérification dans la doc officielle correspondant à la version utilisée.
+- **Jamais** adopter une solution d'une seule source. Minimum deux sources indépendantes pour l'information critique.
+- **Jamais** ignorer les issues fermées GitHub — elles contiennent les solutions.
+
+## Conventions du projet
+- Hiérarchie des sources : doc officielle > code source > changelog > issues GitHub > StackOverflow > blogs > LLM.
+- Vérification de version systématique avant d'appliquer une doc.
+- Toute information critique documentée avec ses sources (URL + date de consultation).

package/assets/.claude/settings.json

@@ -43,10 +43,6 @@
       {
         "matcher": "Edit|Write",
         "hooks": [
-          {
-            "type": "command",
-            "command": "! [ -x \"$CLAUDE_PROJECT_DIR/.claude/hooks/check-test-first.sh\" ] || \"$CLAUDE_PROJECT_DIR/.claude/hooks/check-test-first.sh\""
-          },
           {
             "type": "command",
             "command": "! [ -x \"$CLAUDE_PROJECT_DIR/.claude/hooks/pre-tool-write.sh\" ] || \"$CLAUDE_PROJECT_DIR/.claude/hooks/pre-tool-write.sh\""
@@ -89,48 +85,6 @@
           {
             "type": "command",
             "command": "! [ -x \"$CLAUDE_PROJECT_DIR/.claude/hooks/track-file.sh\" ] || \"$CLAUDE_PROJECT_DIR/.claude/hooks/track-file.sh\""
-          },
-          {
-            "type": "command",
-            "command": "COUNT=$(cat \"${CLAUDE_PROJECT_DIR:-$PWD}/.ciel/tracked-files.json\" 2>/dev/null | python3 -c \"import sys,json; d=json.load(sys.stdin); print(len(d))\" 2>/dev/null || echo \"?\"); echo \"[CIEL] Tracked files: $COUNT — RELIRE recommended at 5+ files or on Critical paths\" >&2"
-          }
-        ]
-      },
-      {
-        "matcher": "Skill|Agent",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "! [ -x \"$CLAUDE_PROJECT_DIR/.claude/hooks/track-pipeline.sh\" ] || \"$CLAUDE_PROJECT_DIR/.claude/hooks/track-pipeline.sh\""
-          }
-        ]
-      }
-    ],
-    "SubagentStart": [
-      {
-        "matcher": "ciel-explorer",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "echo \"$(date +%s)\" > \"/tmp/ciel_dispatched.$$\" && echo \"[CIEL] Explorer started: $(date -u +%Y-%m-%dT%H:%M:%SZ)\" >> \"$CLAUDE_PROJECT_DIR/.ciel/exploration-log.md\""
-          }
-        ]
-      },
-      {
-        "matcher": "ciel-researcher",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "echo \"$(date +%s)\" > \"/tmp/ciel_dispatched.$$\" && echo \"[CIEL] Researcher started: $(date -u +%Y-%m-%dT%H:%M:%SZ)\" >> \"$CLAUDE_PROJECT_DIR/.ciel/subagent-log.md\""
-          }
-        ]
-      },
-      {
-        "matcher": "ciel-critic",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "echo \"$(date +%s)\" > \"/tmp/ciel_dispatched.$$\" && echo \"[CIEL] Critic started: $(date -u +%Y-%m-%dT%H:%M:%SZ)\" >> \"$CLAUDE_PROJECT_DIR/.ciel/subagent-log.md\""
           }
         ]
       }
@@ -140,17 +94,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "! [ -x \"$CLAUDE_PROJECT_DIR/.claude/hooks/meta-critiquer.sh\" ] || \"$CLAUDE_PROJECT_DIR/.claude/hooks/meta-critiquer.sh\""
-          }
-        ]
-      }
-    ],
-    "SubagentStop": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "! [ -x \"$CLAUDE_PROJECT_DIR/.claude/hooks/meta-critiquer.sh\" ] || \"$CLAUDE_PROJECT_DIR/.claude/hooks/meta-critiquer.sh\""
+            "command": "! [ -x \"$CLAUDE_PROJECT_DIR/.claude/hooks/stop.sh\" ] || \"$CLAUDE_PROJECT_DIR/.claude/hooks/stop.sh\""
           }
         ]
       }
@@ -160,7 +104,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "mkdir -p \"$CLAUDE_PROJECT_DIR/.ciel\" && echo \"[CIEL] Pre-compact: $(date -u +%Y-%m-%dT%H:%M:%SZ)\" >> \"$CLAUDE_PROJECT_DIR/.ciel/compact-log.md\""
+            "command": "mkdir -p \"$CLAUDE_PROJECT_DIR/.ciel\""
           }
         ]
       }