@trac3er/oh-my-god 1.0.2

package/plugins/advanced/commands/OMG:security-review.md

@@ -0,0 +1,119 @@
+---
+description: Deep security review — scans for vulnerabilities, hardcoded secrets, auth issues, and injection risks. Escalates to Codex for deep line-by-line analysis.
+allowed-tools: Read, Bash(grep:*), Bash(find:*), Bash(cat:*), Bash(git:*), Bash(rg:*), Grep, Glob
+argument-hint: "[file or directory to review, or 'all' for full scan]"
+---
+
+# /OMG:security-review — Vulnerability Scanner + Deep Review
+
+## Step 1: Scope Detection
+
+Determine what to scan:
+- If argument is a file: scan that file deeply
+- If argument is a directory: scan all source files in it
+- If "all" or no argument: scan git-tracked source files
+
+Identify security-critical files automatically:
+```bash
+# Auth/session
+find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" -o -name "*.rs" \) | xargs grep -li "auth\|login\|session\|token\|password\|jwt\|oauth" 2>/dev/null
+
+# Payment
+find . -type f -name "*.{ts,js,py,go}" | xargs grep -li "payment\|billing\|stripe\|checkout\|card\|price" 2>/dev/null
+
+# Database
+find . -type f -name "*.{ts,js,py,go}" | xargs grep -li "query\|SELECT\|INSERT\|UPDATE\|DELETE\|migration\|schema" 2>/dev/null
+```
+
+## Step 2: Automated Vulnerability Scan
+
+For each security-critical file, check LINE-BY-LINE:
+
+**2a. Hardcoded Secrets**
+```bash
+grep -rn "AKIA\|sk_live\|sk_test\|ghp_\|github_pat\|xoxb-\|xoxp-\|eyJ.*\.eyJ" [files]
+grep -rn "api[_-]key.*=.*['\"][A-Za-z0-9]" [files]
+grep -rn "password.*=.*['\"]" [files] | grep -v "test\|mock\|example\|placeholder"
+```
+
+**2b. SQL Injection**
+```bash
+grep -rn "f\".*SELECT\|f\".*INSERT\|f\".*UPDATE\|f\".*DELETE" [files]
+grep -rn "\\.format.*SELECT\|%s.*SELECT\|\\+.*SELECT" [files]
+grep -rn "query.*\\$\\{" [files]  # template literal SQL
+```
+
+**2c. XSS / Injection**
+```bash
+grep -rn "innerHTML\|dangerouslySetInnerHTML\|v-html\|\\|safe\b" [files]
+grep -rn "eval(\|exec(\|subprocess.*shell=True" [files]
+grep -rn "document\\.write\|document\\.location" [files]
+```
+
+**2d. Auth/Session Issues**
+```bash
+grep -rn "jwt\\.decode.*verify.*false\|verify.*False" [files]
+grep -rn "cors.*\\*\|origin.*\\*" [files]
+grep -rn "httpOnly.*false\|secure.*false\|sameSite.*none" [files]
+```
+
+**2e. Path Traversal**
+```bash
+grep -rn "req\\.params\|req\\.query\|req\\.body" [files] | grep -i "path\|file\|dir"
+grep -rn "\\.\\./\|\\.\\.\\\\" [files]
+```
+
+**2f. Sensitive Data Exposure**
+```bash
+grep -rn "console\\.log.*password\|console\\.log.*token\|console\\.log.*secret" [files]
+grep -rn "log\\.info.*password\|logger.*token\|print.*secret" [files]
+```
+
+## Step 3: Codex Deep Review (for high-risk files)
+
+For files with auth, payment, or database logic:
+
+```
+/OMG:escalate codex "Security deep review of [file]:
+1. Read every line. Flag any: hardcoded secrets, SQL injection, XSS, CSRF, auth bypass, privilege escalation, insecure deserialization, SSRF.
+2. Check auth flow completeness: does every protected route validate the token? Are permissions checked?
+3. Check payment flow: is card data handled safely? Are amounts validated server-side?
+4. Check database queries: all parameterized? Any raw string concatenation?
+5. Rate this file: SAFE / NEEDS_FIX / CRITICAL with specific line numbers."
+```
+
+## Step 4: Report
+
+```
+Security Review — [scope]
+━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Files scanned: [N]
+Security-critical files: [N]
+
+CRITICAL [N]:
+  [file:line] Hardcoded API key: [type]
+  [file:line] SQL injection: unparameterized query
+
+HIGH [N]:
+  [file:line] Missing auth check on protected route
+  [file:line] CORS wildcard in production config
+
+MEDIUM [N]:
+  [file:line] Sensitive data in console.log
+  [file:line] httpOnly not set on session cookie
+
+LOW [N]:
+  [file:line] Missing rate limiting on login endpoint
+
+Codex Deep Review:
+  [file]: [SAFE|NEEDS_FIX|CRITICAL] — [summary]
+
+Fix priority: [ordered list of what to fix first]
+```
+
+## Anti-patterns
+- Don't just grep and dump raw output — analyze each finding
+- Don't skip test files entirely (they can leak real credentials)
+- Don't claim "looks secure" without running ALL checks above
+- Don't treat this as optional for auth/payment/database changes

package/plugins/advanced/commands/OMG:sequential-thinking.md

@@ -0,0 +1,20 @@
+---
+description: Structured multi-step reasoning using sequential-thinking tool for complex debugging and planning.
+allowed-tools: sequential-thinking_sequentialthinking, Read, Grep, Glob
+argument-hint: "[problem statement to reason through]"
+---
+
+# /OMG:sequential-thinking
+
+Use the sequential-thinking tool when the task needs explicit step-by-step reasoning,
+branching, and hypothesis verification.
+
+Execution contract:
+- Start with an initial thought budget
+- Revise or branch when new evidence appears
+- End only when a verified conclusion is reached
+
+Output contract:
+- Return final conclusion
+- Return key assumptions
+- Return verification steps used

package/plugins/advanced/commands/OMG:ship.md

@@ -0,0 +1,46 @@
+---
+description: Ship pipeline — Idea -> Plan -> Execute -> Evidence -> PR-ready summary
+allowed-tools: Read, Write, Edit, MultiEdit, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(find:*), Bash(cat:*), Bash(python3:*), Bash(pytest:*), Bash(npm test:*), Bash(go test:*), Bash(cargo test:*), Bash(jest:*), Bash(vitest:*)
+argument-hint: "[goal or optional path to .omg/idea.yml]"
+---
+
+# /OMG:ship — Idea -> Evidence -> PR
+
+## Step 1: Load idea contract
+- Prefer `.omg/idea.yml`.
+- If missing, scaffold from `~/.claude/templates/omg/idea.yml` and ask user for minimum fields:
+  - `goal`, `constraints`, `acceptance`, `risk`, `evidence_required`.
+
+## Step 2: Convert idea to execution plan
+- Consume plan artifacts generated by `/OMG:deep-plan`.
+- Require `.omg/state/_plan.md` and `.omg/state/_checklist.md` to already encode the business workflow contract.
+- If missing, invoke `/OMG:deep-plan` first and return after those artifacts are created.
+- Use the deep-plan workflow path and task metadata as the execution source of truth.
+
+## Step 3: Execute with Shadow + Evidence discipline
+- Implement changes.
+- Run verification commands.
+- Build an evidence pack at `.omg/evidence/<run-id>.json` containing:
+  - `tests[]`, `security_scans[]`, `diff_summary`, `reproducibility`, `unresolved_risks[]`.
+
+## Step 4: Security and trust checks
+- Run `/OMG:security-review` for auth/payment/database/sensitive changes.
+- If config/hook/MCP changes are involved, ensure trust manifest is updated at `.omg/trust/manifest.lock.json`.
+
+## Step 5: PR-ready output
+Return:
+1. Goal and scope delivered
+2. Files changed
+3. Verification evidence (command + exit code)
+4. Risks/unknowns
+5. Suggested PR title + body
+
+## Full-power sub-agent protocol
+- Prefer parallel background sub-agent launches for independent workstreams.
+- Do not finalize until every launched track is collected via `background_output`.
+- Use `sequential-thinking` to reconcile conflicts and enforce execution order.
+
+## Anti-patterns
+- Do not claim done without evidence.
+- Do not edit tests to hide product bugs.
+- Do not skip trust review for `.claude/.omg` or MCP changes.

package/plugins/advanced/plugin.json

@@ -0,0 +1,96 @@
+{
+  "name": "oal-advanced",
+  "version": "1.0.2",
+  "description": "Advanced OAL commands - deep planning, learning, code review, security review, and specialized workflows",
+  "type": "oal-plugin",
+  "commands": {
+    "deep-plan": {
+      "path": "commands/OAL:deep-plan.md",
+      "description": "Deep strategic planning with domain awareness",
+      "category": "planning"
+    },
+    "learn": {
+      "path": "commands/OAL:learn.md",
+      "description": "Create reusable skills from patterns",
+      "category": "knowledge"
+    },
+    "code-review": {
+      "path": "commands/OAL:code-review.md",
+      "description": "Deep code review with line-by-line analysis",
+      "category": "quality"
+    },
+    "security-review": {
+      "path": "commands/OAL:security-review.md",
+      "description": "Security vulnerability scanning",
+      "category": "security"
+    },
+    "ship": {
+      "path": "commands/OAL:ship.md",
+      "description": "Ship pipeline - idea to PR-ready summary",
+      "category": "delivery"
+    },
+    "handoff": {
+      "path": "commands/OAL:handoff.md",
+      "description": "Intelligent session transfer",
+      "category": "collaboration"
+    },
+    "maintainer": {
+      "path": "commands/OAL:maintainer.md",
+      "description": "Open-source maintainer workflows",
+      "category": "oss"
+    },
+    "sequential-thinking": {
+      "path": "commands/OAL:sequential-thinking.md",
+      "description": "Structured multi-step reasoning",
+      "category": "thinking"
+    },
+    "ralph-start": {
+      "path": "commands/OAL:ralph-start.md",
+      "description": "Start Ralph autonomous loop",
+      "category": "automation"
+    },
+    "ralph-stop": {
+      "path": "commands/OAL:ralph-stop.md",
+      "description": "Stop Ralph autonomous loop",
+      "category": "automation"
+    }
+  },
+  "categories": {
+    "planning": {
+      "description": "Strategic planning and architecture",
+      "commands": ["deep-plan"]
+    },
+    "quality": {
+      "description": "Code quality and review",
+      "commands": ["code-review"]
+    },
+    "security": {
+      "description": "Security analysis and review",
+      "commands": ["security-review"]
+    },
+    "knowledge": {
+      "description": "Learning and skill creation",
+      "commands": ["learn"]
+    },
+    "delivery": {
+      "description": "Shipping and release workflows",
+      "commands": ["ship"]
+    },
+    "collaboration": {
+      "description": "Team collaboration and handoff",
+      "commands": ["handoff"]
+    },
+    "automation": {
+      "description": "Autonomous execution modes",
+      "commands": ["ralph-start", "ralph-stop"]
+    },
+    "thinking": {
+      "description": "Structured thinking tools",
+      "commands": ["sequential-thinking"]
+    },
+    "oss": {
+      "description": "Open source maintainer tools",
+      "commands": ["maintainer"]
+    }
+  }
+}

package/plugins/core/plugin.json

@@ -0,0 +1,82 @@
+{
+  "name": "oal-core",
+  "version": "1.0.2",
+  "description": "Core OAL commands - essential functionality for routing, initialization, and multi-agent orchestration",
+  "type": "oal-plugin",
+  "commands": {
+    "init": {
+      "path": "commands/OAL:init.md",
+      "description": "Unified initializer for project setup and domain scaffolding",
+      "category": "setup"
+    },
+    "escalate": {
+      "path": "commands/OAL:escalate.md",
+      "description": "Auto-route to Codex or Gemini",
+      "category": "routing"
+    },
+    "teams": {
+      "path": "commands/OAL:teams.md",
+      "description": "Internal team routing for standalone operation",
+      "category": "routing"
+    },
+    "ccg": {
+      "path": "commands/OAL:ccg.md",
+      "description": "CCG mode - tri-track synthesis (Claude+Codex+Gemini)",
+      "category": "routing"
+    },
+    "crazy": {
+      "path": "commands/OAL:crazy.md",
+      "description": "CRAZY mode - parallel multi-agent orchestration",
+      "category": "orchestration"
+    },
+    "compat": {
+      "path": "commands/OAL:compat.md",
+      "description": "Legacy skill compatibility dispatcher",
+      "category": "compatibility"
+    },
+    "health-check": {
+      "path": "commands/OAL:health-check.md",
+      "description": "Verify project setup and tool integration",
+      "category": "setup"
+    },
+    "mode": {
+      "path": "commands/OAL:mode.md",
+      "description": "Set cognitive mode for the session",
+      "category": "config"
+    },
+    "domain-init": {
+      "path": "commands/OAL:domain-init.md",
+      "description": "Alias for domain scaffolding (use init instead)",
+      "category": "setup",
+      "deprecated": true
+    },
+    "project-init": {
+      "path": "commands/OAL:project-init.md",
+      "description": "Alias for project setup (use init instead)",
+      "category": "setup",
+      "deprecated": true
+    }
+  },
+  "categories": {
+    "setup": {
+      "description": "Project initialization and setup",
+      "commands": ["init", "health-check"]
+    },
+    "routing": {
+      "description": "Model routing and escalation",
+      "commands": ["escalate", "teams", "ccg"]
+    },
+    "orchestration": {
+      "description": "Multi-agent orchestration modes",
+      "commands": ["crazy"]
+    },
+    "compatibility": {
+      "description": "Legacy compatibility",
+      "commands": ["compat"]
+    },
+    "config": {
+      "description": "Configuration and settings",
+      "commands": ["mode"]
+    }
+  }
+}

package/pytest.ini

@@ -0,0 +1,5 @@
+[pytest]
+testpaths = tests
+python_files = test_*.py
+python_classes = Test*
+python_functions = test_*

package/registry/__init__.py

@@ -0,0 +1 @@
+"""Registry package for OMG."""

package/registry/verify_artifact.py

@@ -0,0 +1,90 @@
+"""OMG v1 supply-chain verification with Warn-and-Run semantics."""
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any
+
+
+@dataclass
+class SupplyArtifact:
+    id: str
+    signer: str | None
+    checksum: str | None
+    permissions: list[str]
+    static_scan: list[dict[str, Any]]
+    risk_level: str = "low"
+
+
+def _normalize(artifact: dict[str, Any]) -> SupplyArtifact:
+    return SupplyArtifact(
+        id=str(artifact.get("id", "unknown")),
+        signer=artifact.get("signer"),
+        checksum=artifact.get("checksum"),
+        permissions=[str(p) for p in artifact.get("permissions", [])],
+        static_scan=[f for f in artifact.get("static_scan", []) if isinstance(f, dict)],
+        risk_level=str(artifact.get("risk_level", "low")).lower(),
+    )
+
+
+def verify_artifact(artifact: dict[str, Any], mode: str = "warn_and_run") -> dict[str, Any]:
+    a = _normalize(artifact)
+    reasons: list[str] = []
+    controls: list[str] = []
+
+    for finding in a.static_scan:
+        sev = str(finding.get("severity", "")).lower()
+        if sev == "critical":
+            reasons.append("critical static scan finding")
+            return {
+                "action": "deny",
+                "risk_level": "critical",
+                "reason": "; ".join(reasons),
+                "controls": ["block-execution"],
+                "trusted": False,
+            }
+
+    perm_blob = " ".join(a.permissions).lower()
+    if any(token in perm_blob for token in ["sudo", "rm -rf", "--privileged", "curl |", "wget |"]):
+        return {
+            "action": "deny",
+            "risk_level": "critical",
+            "reason": "critical permission profile",
+            "controls": ["block-execution"],
+            "trusted": False,
+        }
+
+    if not a.signer or not a.checksum:
+        reasons.append("missing signer/checksum")
+        controls.extend(["isolate-network", "read-only-fs", "manual-approval"])
+        if mode == "warn_and_run":
+            return {
+                "action": "ask",
+                "risk_level": "high",
+                "reason": "; ".join(reasons),
+                "controls": controls,
+                "trusted": False,
+            }
+        return {
+            "action": "deny",
+            "risk_level": "high",
+            "reason": "; ".join(reasons),
+            "controls": ["block-execution"],
+            "trusted": False,
+        }
+
+    if any(str(f.get("severity", "")).lower() == "high" for f in a.static_scan):
+        return {
+            "action": "ask",
+            "risk_level": "high",
+            "reason": "high severity findings present",
+            "controls": ["manual-approval"],
+            "trusted": False,
+        }
+
+    return {
+        "action": "allow",
+        "risk_level": a.risk_level if a.risk_level in {"low", "med", "high", "critical"} else "low",
+        "reason": "artifact verified",
+        "controls": [],
+        "trusted": True,
+    }

package/rules/contextual/architect-mode.md

@@ -0,0 +1,9 @@
+# Architect Mode
+
+When in architect mode:
+- Map the full system before proposing changes
+- Consider: scalability, maintainability, testability, security
+- Produce: diagrams (text-based), decision records, trade-off analysis
+- Do NOT write implementation code — write specs and interfaces only
+- Every decision must have: rationale, alternatives considered, trade-offs
+- Use /OMG:deep-plan for complex multi-phase work

package/rules/contextual/big-picture.md

@@ -0,0 +1,20 @@
+# Big Picture — Map Before Code
+
+**When:** Task touches 2+ subsystems, you're unfamiliar with the area, or change could cascade.
+
+**Steps:**
+1. Write .omg/state/_context.md with:
+   - Subsystems involved (names + responsibilities)
+   - Data flow between them
+   - Public interfaces affected
+2. Identify side effects: "If I change X, what breaks?"
+3. Get user confirmation before proceeding
+
+**Skip when:** Single-file fix within one well-understood module.
+
+**Format:**
+```
+Subsystems: [A] → [B] → [C]
+Change in A affects: B (interface), C (data format)
+Risk: B's tests may break → run B's tests first
+```

package/rules/contextual/code-hygiene.md

@@ -0,0 +1,26 @@
+# Code Hygiene
+
+**Always active.**
+
+**No unnecessary code:**
+- Don't add code "just in case" — every line must serve the current requirement
+- Don't add empty catch blocks, unused imports, dead variables, or placeholder functions
+- Don't copy boilerplate that isn't needed for this specific feature
+- If removing code makes the program work the same → remove it
+
+**No noise comments:**
+- NEVER: `// increment i by 1`, `// return the result`, `// constructor`, `// import modules`
+- NEVER: `// TODO: implement` (either implement it or note it in working-memory)
+- OK: WHY comments (`// Retry 3x because Stripe webhook occasionally 504s`)
+- OK: WARN comments (`// SECURITY: raw SQL here because ORM can't express this join`)
+- OK: API contract comments (`// @param userId - must be UUID v4, not email`)
+
+**Line-by-line awareness:**
+- Before editing a file: read the FULL file (or relevant section), not just the target function
+- After editing: re-read to verify no duplicate imports, no orphaned variables, no broken references
+- Check: does this change break anything ABOVE or BELOW the edit?
+
+**Before claiming completion, verify:**
+- `grep -n "TODO\|FIXME\|HACK\|XXX"` — are any left unresolved?
+- No console.log/print debugging statements left in production code
+- No commented-out code blocks (delete or extract to a branch)

package/rules/contextual/context-management.md

@@ -0,0 +1,19 @@
+# Context Management
+
+**When:** Long sessions (100+ tool calls), feeling lost, or about to compact.
+
+**Prefer /OMG:handoff over automatic compaction.** /OMG:handoff preserves intent + decisions + failure history. Automatic compaction loses nuance.
+
+**Minimize context waste:**
+- Read file line ranges, not entire files: `Read(file.ts:10-50)` not `Read(file.ts)`
+- Keep working-memory.md concise (under 30 lines)
+- Don't re-read files you already read this session
+- Use Grep/Glob to find specific content instead of reading everything
+
+**Signs of thin context (you need /OMG:handoff soon):**
+- Repeating questions you already asked
+- Contradicting earlier decisions
+- Forgetting file locations
+- Re-reading the same files
+
+**Rule:** When in doubt, /OMG:handoff now. It's cheaper than losing context.

package/rules/contextual/context-minimization.md

@@ -0,0 +1,32 @@
+# Context Minimization Principle
+
+Based on: ETH Zurich (2026) "Evaluating AGENTS.md" (arXiv:2602.11988)
+and Lulla et al. (2026) "On the Impact of AGENTS.md Files" (arXiv:2601.20404)
+
+## Key Findings
+- LLM-generated context files LOWER success rates and INCREASE cost by 20%+
+- Human-written minimal files may help slightly (+4%) if they contain ONLY
+  information the agent cannot discover by reading project files
+- Always-on rules that don't vary by task type cause unnecessary work
+
+## OMG Policy: Non-Discoverable Only
+
+### INJECT (agent can't discover this from code):
+- Project conventions (naming, commit style, PR process)
+- AI behavior preferences (language, communication style)
+- Active task state (working memory, checklist progress)
+- Failure history (what approaches already failed)
+- Team decisions (why X was chosen over Y)
+
+### DO NOT INJECT (agent can discover this by reading code):
+- Language and framework (detectable from package.json, Cargo.toml, etc.)
+- Dependencies list (detectable from lockfiles)
+- Directory structure (detectable from file listing)
+- API shapes (detectable from source code)
+- Database schema (detectable from migrations/models)
+
+### Budget Enforcement
+- session-start: ≤1500 chars total
+- prompt-enhancer: ≤800 chars per prompt
+- handoff: ≤60 lines, portable ≤100 lines
+- Stale handoffs (>48h): auto-skipped

package/rules/contextual/ddd-sdd.md

@@ -0,0 +1,28 @@
+# DDD (Domain-Driven Drive) + SDD (Spec-Driven Development)
+
+**When:** Building new features, creating new modules, or the user mentions domain/spec/pattern.
+
+**Core DDD workflow (4 steps):**
+1. **Write first domain by hand** — Define concepts + data handling manually. This becomes the REFERENCE.
+2. **Establish criteria** — Understand the reference deeply. Know what's correct vs wrong.
+3. **Replicate by pattern** — Use the reference to generate similar domains. AI output is MUCH more accurate with a concrete pattern.
+4. **Maintain structure → increasing accuracy** — Initial setup is EVERYTHING. Without it, AI generates plausible-looking garbage.
+
+**4 Principles:**
+- Structure becomes pattern → code should be PREDICTABLE across domains
+- Focus per domain → one bounded context at a time, NEVER mix concerns
+- Code names = business language → `createOrder()` not `processData()`, `PaymentIntent` not `TransactionObj`
+- Hooks trigger skills → user command → hook fires → skill activates → AI generates with pattern
+
+**SDD workflow:**
+1. Read the spec/requirement COMPLETELY before writing code
+2. Extract: inputs, outputs, constraints, edge cases, error states
+3. Write interface/type first, implementation second
+4. Every function maps to a spec requirement (traceability)
+
+**Before generating code for a new domain, ASK:**
+- Does a reference domain exist? → Read it first, match the pattern
+- Does a spec exist? → Read it, extract requirements
+- If neither → ask the user to define one, or draft one together with /OMG:deep-plan
+
+**Evidence:** When creating domain code, cite which reference pattern was followed.

package/rules/contextual/dependency-safety.md

@@ -0,0 +1,16 @@
+# Dependency Safety
+
+**When:** Adding, upgrading, or removing any dependency.
+
+**Before adding:**
+1. Can stdlib or existing deps solve this? (Check lockfile for overlap)
+2. Evaluate: maintenance status, last publish date, weekly downloads, license, bundle size
+3. Check for known vulnerabilities: `npm audit` / `pip audit` / `cargo audit`
+
+**After adding:**
+- Lockfile updated and committed
+- dev vs prod classification correct
+- Version pinned (not floating/latest)
+- Run full test suite to catch conflicts
+
+**Red flags:** Last publish >1 year, <1K weekly downloads, copyleft license in proprietary project, >500KB for a utility function.

package/rules/contextual/doc-check.md

@@ -0,0 +1,13 @@
+# Doc Check — Read Before Edit
+
+**When:** Modifying core logic, adding new patterns, or changing public interfaces.
+
+**Steps:**
+1. Check if docs/ARCHITECTURE_TOC.md or docs/ARCHITECTURE.md exists
+2. Read the relevant chapter for the subsystem you're touching
+3. Note invariants — things that must NOT break
+4. After changes: verify invariants still hold
+
+**Skip when:** Fixing typos, updating comments, or trivial changes that don't alter behavior.
+
+**Evidence:** "Read [doc], invariants: [list], all preserved: [yes/no]"

package/rules/contextual/implement-mode.md

@@ -0,0 +1,9 @@
+# Implement Mode
+
+When in implement mode:
+- Follow existing patterns in the codebase (read before writing)
+- Write tests BEFORE or ALONGSIDE implementation (TDD preferred)
+- Verify every change: build → lint → test → show exit codes
+- Minimal changes: touch only what's needed for the task
+- No noise comments, no generic names (data/result/temp/val)
+- After each file change: read it back to confirm correctness

package/rules/contextual/infra-safety.md

@@ -0,0 +1,14 @@
+# Infrastructure Safety
+
+**When:** Working with scripts, Docker, Terraform, K8s, DB migrations, CI/CD.
+
+**Rules:**
+- `--dry-run` or `--plan` before any destructive operation
+- Never hardcode secrets — use env vars or secret managers
+- Bash scripts: `set -euo pipefail` + `trap` for cleanup
+- Docker: non-root user + health check + specific base image tags
+- Terraform: `plan` before `apply`, state locking enabled
+- DB migrations: backward-compatible always (old code must still work with new schema)
+- CI/CD: test in staging-like environment before production
+
+**Forbidden:** `rm -rf` without confirmation, `chmod 777`, force-push to main, unencrypted credentials in config.