@react-vault/create-app 0.1.0

package/claude-toolkit/hooks/scripts/lint.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Async post-write ESLint --fix on the changed file. Non-blocking on errors.
+set -euo pipefail
+
+INPUT=$(cat)
+FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // ""')
+
+if [[ -z "$FILE_PATH" ]] || [[ ! -f "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+case "$FILE_PATH" in
+  *.ts|*.tsx|*.js|*.jsx)
+    ;;
+  *)
+    exit 0
+    ;;
+esac
+
+ROOT="$(dirname "$FILE_PATH")"
+while [[ "$ROOT" != "/" ]] && [[ ! -f "$ROOT/package.json" ]]; do
+  ROOT="$(dirname "$ROOT")"
+done
+
+if [[ ! -f "$ROOT/package.json" ]] || [[ ! -f "$ROOT/.eslintrc.cjs" && ! -f "$ROOT/.eslintrc.js" && ! -f "$ROOT/.eslintrc.json" && ! -f "$ROOT/eslint.config.js" ]]; then
+  exit 0
+fi
+
+if command -v pnpm >/dev/null 2>&1; then
+  cd "$ROOT" && OUTPUT=$(pnpm exec eslint --fix "$FILE_PATH" 2>&1 || true)
+elif command -v npx >/dev/null 2>&1; then
+  cd "$ROOT" && OUTPUT=$(npx eslint --fix "$FILE_PATH" 2>&1 || true)
+else
+  exit 0
+fi
+
+# If ESLint had unfixable errors, surface a summary to Claude on next turn
+if printf '%s' "$OUTPUT" | grep -qE 'error|problem'; then
+  SUMMARY=$(printf '%s' "$OUTPUT" | tail -10)
+  jq -n --arg msg "$SUMMARY" --arg file "$(basename "$FILE_PATH")" '{
+    systemMessage: ("[bfsi] lint issues in " + $file + ":\n" + $msg)
+  }'
+fi
+
+exit 0

package/claude-toolkit/hooks/scripts/protect-files.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# Blocks edits to files that should never be modified by Claude:
+#   .env*, *.pem, *.key, credentials.json, secrets.json, .git/*
+set -euo pipefail
+
+INPUT=$(cat)
+FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // ""')
+
+if [[ -z "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+PROTECTED_PATTERNS=(
+  '\.env(\..*)?$'         # .env, .env.local, .env.production
+  '\.pem$'
+  '\.key$'
+  'credentials\.json$'
+  'secrets\.json$'
+  '\.git/'
+  '/\.husky/'
+  '\.npmrc$'              # contains registry tokens
+  'id_rsa'
+  'id_ed25519'
+  '\.p12$'
+  '\.pfx$'
+)
+
+# Allow .env.local.sample / .env.example explicitly (placeholders, not secrets)
+if [[ "$FILE_PATH" =~ \.env\.(local\.)?(sample|example)$ ]]; then
+  exit 0
+fi
+
+for pattern in "${PROTECTED_PATTERNS[@]}"; do
+  if [[ "$FILE_PATH" =~ $pattern ]]; then
+    cat >&2 <<EOF
+[bfsi] Blocked edit to protected file:
+
+    $FILE_PATH
+
+This file matches a protected pattern. bfsi-claude-toolkit prevents
+Claude from editing secrets, keys, and git internals to avoid accidental
+leaks and history corruption.
+
+If this edit is intentional:
+  - For .env: edit manually outside Claude, then commit only the .sample
+  - For .git/*: use git commands instead of file edits
+  - For keys: rotate at the source, never edit in-place
+EOF
+    exit 2
+  fi
+done
+
+exit 0

package/claude-toolkit/hooks/scripts/save-compliance-context.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# PreCompact hook: snapshot critical context before compaction so compliance
+# state is preserved in the new context window.
+set -euo pipefail
+
+cd "${CLAUDE_PROJECT_DIR:-$(pwd)}" 2>/dev/null || cd "$(pwd)"
+
+BRANCH=$(git branch --show-current 2>/dev/null || echo "")
+LAST_COMMIT=$(git log -1 --oneline 2>/dev/null || echo "")
+DIRTY=$(git status --short 2>/dev/null | head -10)
+
+# Emit as additionalContext so it survives compaction
+CTX="[bfsi-compact-snapshot] State before compaction:
+
+Branch: $BRANCH
+Last commit: $LAST_COMMIT
+Uncommitted changes:
+${DIRTY:-(clean)}
+
+BFSI conventions reminder (in effect for this session):
+  - useAuditedMutation for all state changes
+  - <ProtectedRoute permission=...> for all routes
+  - PII via <PIIMaskedDisplay>
+  - Zod parse on every API response
+  - Conventional Commits with security/compliance/audit types
+"
+
+jq -n --arg ctx "$CTX" '{
+  hookSpecificOutput: {
+    hookEventName: "PreCompact",
+    additionalContext: $ctx
+  }
+}'
+
+exit 0

package/claude-toolkit/hooks/scripts/scan-pii.sh

@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+# Post-write scan for PII patterns in changed content.
+# Non-blocking: this runs after the write has happened. Adds context for Claude.
+# Per Claude Code spec, PostToolUse exit 2 shows stderr to Claude (the file is already written).
+set -euo pipefail
+
+INPUT=$(cat)
+FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // ""')
+
+if [[ -z "$FILE_PATH" ]] || [[ ! -f "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+# Skip non-source files
+case "$FILE_PATH" in
+  *.test.*|*__tests__*|*fixtures*|*mocks*)
+    # Test files are checked elsewhere; the bfsi-pii-scanner agent handles those.
+    exit 0
+    ;;
+  *.md|*.json|*.yaml|*.yml)
+    exit 0
+    ;;
+esac
+
+# PII patterns (intentionally narrow to avoid false positives)
+declare -a FINDINGS=()
+
+# console.log with PII variables
+if grep -nE 'console\.(log|info|warn|error|debug)\([^)]*\.(pan|aadhaar|account_number|password|cvv|otp|mobile|email)' "$FILE_PATH" >/dev/null 2>&1; then
+  while IFS= read -r line; do
+    FINDINGS+=("$line — console.* call may include PII")
+  done < <(grep -nE 'console\.(log|info|warn|error|debug)\([^)]*\.(pan|aadhaar|account_number|password|cvv|otp|mobile|email)' "$FILE_PATH" | head -5)
+fi
+
+# localStorage with PII
+if grep -nE 'localStorage\.(setItem|set)\([^)]*\.(pan|aadhaar|account_number|password|token)' "$FILE_PATH" >/dev/null 2>&1; then
+  while IFS= read -r line; do
+    FINDINGS+=("$line — localStorage write may include PII or auth token")
+  done < <(grep -nE 'localStorage\.(setItem|set)\([^)]*\.(pan|aadhaar|account_number|password|token)' "$FILE_PATH" | head -5)
+fi
+
+# PAN-shaped literal in source (10 chars: 5 letters, 4 digits, 1 letter)
+if grep -nE '"[A-Z]{5}[0-9]{4}[A-Z]"' "$FILE_PATH" >/dev/null 2>&1; then
+  while IFS= read -r line; do
+    FINDINGS+=("$line — PAN-shaped string literal (use testPan() generator in tests)")
+  done < <(grep -nE '"[A-Z]{5}[0-9]{4}[A-Z]"' "$FILE_PATH" | head -5)
+fi
+
+# Aadhaar-shaped literal (12 digits as string)
+if grep -nE '"[0-9]{12}"' "$FILE_PATH" >/dev/null 2>&1; then
+  while IFS= read -r line; do
+    FINDINGS+=("$line — 12-digit string literal (could be Aadhaar — use testAadhaar() generator)")
+  done < <(grep -nE '"[0-9]{12}"' "$FILE_PATH" | head -5)
+fi
+
+# Sentry/telemetry with PII
+if grep -nE '(Sentry\.captureMessage|posthog\.capture|analytics\.track)\([^)]*\.(pan|aadhaar|account_number|password)' "$FILE_PATH" >/dev/null 2>&1; then
+  while IFS= read -r line; do
+    FINDINGS+=("$line — telemetry call may include PII (scrub before send)")
+  done < <(grep -nE '(Sentry\.captureMessage|posthog\.capture|analytics\.track)\([^)]*\.(pan|aadhaar|account_number|password)' "$FILE_PATH" | head -5)
+fi
+
+if [[ ${#FINDINGS[@]} -gt 0 ]]; then
+  # Use JSON output for structured context (per Claude Code spec)
+  ADDITIONAL_CONTEXT="[bfsi-pii-scanner] possible PII exposure detected in $FILE_PATH:"
+  for f in "${FINDINGS[@]}"; do
+    ADDITIONAL_CONTEXT="$ADDITIONAL_CONTEXT
+$f"
+  done
+  ADDITIONAL_CONTEXT="$ADDITIONAL_CONTEXT
+
+Consider:
+  - Replace console.* with structured log via @rsense/bfsi-core/audit
+  - Replace localStorage with secureStorage from @rsense/bfsi-core/storage
+  - Replace PAN/Aadhaar literals with testPan() / testAadhaar() generators
+  - Run /bfsi-compliance-check before merge"
+
+  # Emit JSON for additionalContext
+  jq -n --arg ctx "$ADDITIONAL_CONTEXT" '{
+    hookSpecificOutput: {
+      hookEventName: "PostToolUse",
+      additionalContext: $ctx
+    }
+  }'
+fi
+
+exit 0

package/claude-toolkit/hooks/scripts/scan-secrets.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# Pre-write scan: rejects content containing obvious secret patterns.
+# Allows the write if no patterns match. Per Claude Code spec, exit 2 blocks.
+set -euo pipefail
+
+INPUT=$(cat)
+FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // ""')
+TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // ""')
+
+# For Write, scan the full new content. For Edit, scan the new_string.
+if [[ "$TOOL" == "Write" ]]; then
+  CONTENT=$(printf '%s' "$INPUT" | jq -r '.tool_input.content // ""')
+elif [[ "$TOOL" == "Edit" ]]; then
+  CONTENT=$(printf '%s' "$INPUT" | jq -r '.tool_input.new_string // ""')
+else
+  exit 0
+fi
+
+# Skip if writing to a .env.sample / placeholder file (those are OK)
+if [[ "$FILE_PATH" =~ \.env\.(local\.)?(sample|example)$ ]] || [[ "$FILE_PATH" =~ /docs/ ]]; then
+  exit 0
+fi
+
+# Patterns that look like secrets (regex per line is too slow; do substring lookups)
+SECRET_PATTERNS=(
+  'AKIA[0-9A-Z]{16}'                                    # AWS access key ID
+  'aws_secret_access_key'                                # AWS in env-style
+  'sk-(live|test)_[A-Za-z0-9]{20,}'                     # Stripe-style
+  'sk-ant-[A-Za-z0-9_-]{32,}'                           # Anthropic
+  'xoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+'                     # Slack bot token
+  'ghp_[A-Za-z0-9]{36}'                                 # GitHub personal access token
+  'ghs_[A-Za-z0-9]{36}'                                 # GitHub server-to-server
+  'github_pat_[A-Za-z0-9_]{82}'                         # GitHub fine-grained
+  '-----BEGIN (RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY' # PEM keys
+  'AIza[0-9A-Za-z_-]{35}'                               # Google API key
+  'glpat-[0-9A-Za-z_-]{20}'                             # GitLab PAT
+  'rzp_(live|test)_[A-Za-z0-9]+'                        # Razorpay
+)
+
+for pattern in "${SECRET_PATTERNS[@]}"; do
+  if printf '%s' "$CONTENT" | grep -qE "$pattern"; then
+    # Show the first 12 chars of the match for context (not the full secret)
+    MATCH=$(printf '%s' "$CONTENT" | grep -oE "$pattern" | head -1 | cut -c1-12)
+    cat >&2 <<EOF
+[bfsi] Blocked: write contains what looks like a secret.
+
+    File: $FILE_PATH
+    Pattern: $pattern
+    Found (truncated): ${MATCH}...
+
+bfsi-claude-toolkit blocks writes that contain obvious secret patterns
+to prevent accidental commits of credentials.
+
+If this is a false positive:
+  - For tests: use clearly-fake values (sk-test-FAKE, AKIAFAKE0000000)
+  - For docs: wrap the example in a code block tagged as example
+
+If it's a real secret:
+  - Rotate immediately at the source
+  - Move to an environment variable (.env.local, gitignored)
+  - Add only the .sample with a placeholder
+EOF
+    exit 2
+  fi
+done
+
+exit 0

package/claude-toolkit/hooks/scripts/verify-clean.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Post-turn verification: run async after Claude stops. Reports unflushed concerns.
+set -euo pipefail
+
+cd "${CLAUDE_PROJECT_DIR:-$(pwd)}" 2>/dev/null || cd "$(pwd)"
+
+# Only run if there are source-file changes
+if ! git diff --quiet 2>/dev/null; then
+  HAS_CHANGES=1
+else
+  HAS_CHANGES=0
+fi
+
+# Skip if no changes
+[[ "$HAS_CHANGES" == "1" ]] || exit 0
+
+declare -a CONCERNS=()
+
+# 1. Typecheck (quick check)
+if [[ -f "package.json" ]] && grep -q '"typecheck"' package.json 2>/dev/null; then
+  if ! pnpm exec tsc --noEmit 2>/dev/null; then
+    CONCERNS+=("typecheck failing — run \`pnpm typecheck\` to see errors")
+  fi
+fi
+
+# 2. Quick secret scan over uncommitted changes
+if git diff 2>/dev/null | grep -qE 'AKIA[0-9A-Z]{16}|sk-(live|test)_[A-Za-z0-9]{20,}|-----BEGIN.*PRIVATE KEY'; then
+  CONCERNS+=("uncommitted changes contain what looks like a secret — review with /bfsi-compliance-check")
+fi
+
+# 3. Quick PII shape scan
+if git diff 2>/dev/null | grep -qE '"[A-Z]{5}[0-9]{4}[A-Z]"|"[0-9]{12}"'; then
+  CONCERNS+=("uncommitted changes contain PAN/Aadhaar-shaped literals — use test generators")
+fi
+
+if [[ ${#CONCERNS[@]} -eq 0 ]]; then
+  exit 0
+fi
+
+MSG="[bfsi] post-turn verification surfaced concerns:"
+for c in "${CONCERNS[@]}"; do
+  MSG="$MSG
+  - $c"
+done
+
+jq -n --arg msg "$MSG" '{
+  systemMessage: $msg
+}'
+
+exit 0

package/claude-toolkit/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@react-vault/toolkit",
+  "version": "0.1.0",
+  "private": false,
+  "description": "Claude Code plugin: BFSI-aware skills, agents, hooks, and commands.",
+  "license": "UNLICENSED",
+  "files": [
+    "plugin.json",
+    "skills",
+    "agents",
+    "hooks",
+    "commands",
+    "README.md"
+  ],
+  "scripts": {
+    "lint": "echo 'no source code to lint'",
+    "test": "echo 'plugin validation via /bfsi-doctor'",
+    "typecheck": "echo 'no TS sources'",
+    "build": "echo 'plugin is distribution-ready'",
+    "validate": "node ./scripts/validate-plugin.mjs"
+  }
+}

package/claude-toolkit/plugin.json

@@ -0,0 +1,31 @@
+{
+  "name": "toolkit",
+  "version": "0.1.0",
+  "description": "BFSI-aware skills, agents, hooks, and commands for Claude Code. Bakes in security review, PII scanning, audit logging, compliance checks, and BFSI scaffolding for every Your Real Company BFSI React project.",
+  "author": {
+    "name": "Your Real Company",
+    "url": "https://your-org.example"
+  },
+  "license": "UNLICENSED",
+  "homepage": "https://github.com/your-real-org/react-starter",
+  "keywords": [
+    "bfsi",
+    "banking",
+    "fintech",
+    "claude-code",
+    "security",
+    "rbi",
+    "pci-dss",
+    "irdai",
+    "soc2"
+  ],
+  "components": {
+    "skills": "./skills",
+    "agents": "./agents",
+    "hooks": "./hooks/hooks.json",
+    "commands": "./commands"
+  },
+  "engines": {
+    "claude-code": ">=2.1.0"
+  }
+}

package/claude-toolkit/skills/bfsi-api-endpoint/SKILL.md

@@ -0,0 +1,105 @@
+---
+name: bfsi-api-endpoint
+description: Adds a typed API endpoint with Zod validation, audit hooks, and idempotency-key support. Variant-aware (RTK Query OR TanStack Query). Use when the user types /bfsi-api-endpoint, asks to "add an API endpoint", "wire up GET /something", "create a mutation", or "add a new RTK query".
+disable-model-invocation: true
+argument-hint: <Method> <Path> [--feature FeatureName] [--mutation]
+allowed-tools: Read Write Edit Glob Grep
+---
+
+# BFSI API Endpoint
+
+Adds a new endpoint to an existing feature module's `api.ts`.
+
+## What it generates
+
+For RTK Query (variant):
+
+```ts
+// In src/features/<Feature>/api.ts
+export const <featureApi>.injectEndpoints({
+  endpoints: (builder) => ({
+    <endpointName>: builder.<query|mutation><Response, RequestArg>({
+      query: (arg) => ({
+        url: <URL_CONSTANT>,
+        method: '<METHOD>',
+        body: arg,
+        headers: needsIdempotency ? { 'Idempotency-Key': uuid() } : undefined,
+      }),
+      transformResponse: (raw: unknown) => <ResponseSchema>.parse(raw),
+      providesTags: [...],
+      invalidatesTags: [...],
+      onQueryStarted: auditOnQueryStarted('<auditEventName>'),
+    }),
+  }),
+});
+```
+
+For TanStack Query (variant):
+
+```ts
+// In src/features/<Feature>/api.ts
+export const use<EndpointName> = createQuery({
+  queryKey: [<TAG>],
+  queryFn: async (arg) => {
+    const raw = await http.<method>(<URL>, arg);
+    return <ResponseSchema>.parse(raw);
+  },
+  meta: { audit: '<auditEventName>' },
+});
+```
+
+## Workflow
+
+### Step 1: Detect variant
+
+Check the project's `package.json` for `@reduxjs/toolkit` vs `@tanstack/react-query`. If both, ask the user.
+
+### Step 2: Locate the api.ts
+
+Find the feature's `api.ts` (either via `--feature` flag or by inferring from the current file's path). If the user is editing `src/features/Foo/components/X.tsx`, target `src/features/Foo/api.ts`.
+
+### Step 3: Generate Zod schemas
+
+If schemas for the request/response don't exist in `schema.ts`, add them. Default shape:
+
+```ts
+export const <endpointName>RequestSchema = z.object({ /* infer from path params and method */ });
+export const <endpointName>ResponseSchema = z.object({ /* placeholder — user fills in */ });
+export type <EndpointName>Request = z.infer<typeof <endpointName>RequestSchema>;
+export type <EndpointName>Response = z.infer<typeof <endpointName>ResponseSchema>;
+```
+
+### Step 4: Add the endpoint
+
+Use the variant-specific template.
+
+### Step 5: Add the URL constant
+
+In `constants.ts`:
+
+```ts
+export const <FEATURE>_URLS = {
+  // ...existing
+  <ENDPOINT_NAME>: '<path>',
+} as const;
+```
+
+### Step 6: Mutations: idempotency-key
+
+If method is `POST | PUT | PATCH | DELETE`, automatically include the Idempotency-Key header. Tell the user this is automatic.
+
+### Step 7: Audit event
+
+Pick a name following the convention: `<feature>.<entity>.<action>`. For GET endpoints, skip audit (reads are not audited by default; opt in via `--audit-reads`).
+
+### Step 8: Verify
+
+Run `pnpm typecheck`. If the Zod schemas have placeholder shapes, flag it: "I've added the endpoint but the response schema is a placeholder. Open `schema.ts` and define the response shape."
+
+## Conventions
+
+- **No `any`** — every endpoint must have typed request + response.
+- **All responses go through Zod** — runtime safety against XSS via malformed API.
+- **All mutations get Idempotency-Key** — backend de-dupes accidental double-submit.
+- **All errors throw typed `ApiError`** — handled by the global error boundary.
+- **All caching uses tags**, never hard times. Invalidation is explicit.

package/claude-toolkit/skills/bfsi-commit/SKILL.md

@@ -0,0 +1,102 @@
+---
+name: bfsi-commit
+description: Generates an audit-friendly Conventional Commits message from the current staged diff. Uses BFSI-extended types (feat, fix, security, compliance, audit, docs, perf, refactor, test, ci, chore). Use when the user types /bfsi-commit, asks to "write a commit message", "commit my changes", or "generate a commit".
+disable-model-invocation: true
+allowed-tools: Read Grep Bash(git status:*) Bash(git diff:*) Bash(git log:*)
+---
+
+# BFSI Commit Message
+
+Generates a Conventional Commits message tuned for BFSI audit logs.
+
+## Workflow
+
+### Step 1: Inspect staged changes
+
+```bash
+git status --short
+git diff --cached
+git log --oneline -5
+```
+
+If there are no staged changes, ask the user to stage first.
+
+### Step 2: Pick a type
+
+Use the most-specific applicable type. BFSI-extended set:
+
+| Type | When |
+|---|---|
+| `feat` | new feature/capability |
+| `fix` | bug fix |
+| `security` | security-related change (CSP, headers, auth tightening) |
+| `compliance` | regulatory/compliance change (RBI/PCI/IRDAI/SOC2 item) |
+| `audit` | audit log additions, observability changes |
+| `perf` | performance improvement |
+| `refactor` | code restructure, no behaviour change |
+| `docs` | docs only |
+| `style` | formatting only |
+| `test` | tests only |
+| `build` | build system, deps |
+| `ci` | CI configuration |
+| `chore` | maintenance |
+| `revert` | reverting prior commit |
+
+`security` and `compliance` are BFSI-extensions. Use them whenever applicable so audit reviewers can grep `git log --grep="^security:"` or `git log --grep="^compliance:"` to find every relevant commit quickly.
+
+### Step 3: Pick a scope (optional)
+
+The feature or area: `kyc`, `transactions`, `auth`, `audit`, `ui`, `core`, etc.
+
+### Step 4: Write subject
+
+- Imperative mood ("add", not "added" or "adds")
+- ≤ 50 chars
+- Lowercase first word (after type/scope)
+- No trailing period
+
+### Step 5: Write body (if WHY is non-obvious)
+
+- Wrap at ~72 chars
+- Focus on WHY not WHAT (diff already shows WHAT)
+- For `security` or `compliance` types, the body should reference the regulation/control (e.g. "addresses RBI Annexure I §6.2 — session timeout enforcement")
+- Reference issue / Jira ticket if applicable
+
+### Step 6: Output
+
+Print the message in a code block. Do NOT run `git commit` automatically — let the user copy or invoke it manually.
+
+## Examples
+
+```
+feat(kyc): add PAN+Aadhaar e-KYC submission flow
+
+Implements the customer-facing e-KYC submission per
+section 5 of the KYC redesign spec. Adds PIIMaskedDisplay
+on Aadhaar in confirmation step. All submission events
+are audited as kyc.verification.submitted.
+```
+
+```
+security(auth): tighten session idle timeout to 5min on transaction routes
+
+Addresses RBI Annexure I §6.2 — sensitive transaction
+flows must auto-logout after ≤ 5min idle. Adds
+idleTimeout prop to <ProtectedRoute scope="transaction">.
+Non-transaction routes remain at 15min.
+```
+
+```
+compliance(audit): emit data.pan.revealed events with reveal_duration
+
+PCI-DSS req 10.2.1 — log every access to cardholder
+data. Extends auditClient to record reveal_duration_ms
+so reveal events can be queried for anomaly detection.
+```
+
+## Conventions reinforced
+
+- Subject ≤ 50 chars. Body lines ≤ 72.
+- Body present only when WHY isn't obvious from subject + diff.
+- For `security` / `compliance` types, body MUST include the regulation reference.
+- Never include the actual content of secrets, PII, or sensitive data in the message.