bossbuild 0.97.0

package/library/hooks/secrets-guard.js

@@ -0,0 +1,87 @@
+#!/usr/bin/env node
+// BOSS secrets-guard — a PreToolUse hook (OPT-IN; high-stakes ceiling, NOT a universal default).
+//
+// WHY OPT-IN (read before registering): a PreToolUse hook fires a process on EVERY tool call —
+// real per-call latency. The universal, zero-cost floor is the `permissions.deny` block in
+// settings.json (ships with every BOSS project). This hook is the *ceiling*: broader coverage
+// (Bash bypasses beyond `cat`, MCP tools, skills added later) for contexts where the stakes justify
+// the cost — regulated / PHI / `domain-expert` cohort work. Registering it everywhere by default
+// would be the always-on machinery BOSS warns founders against (PRINCIPLE #2 / R&H #1). See
+// library/practices/context-discipline.md.
+//
+// TO TURN IT ON — add this to .claude/settings.json (the registration IS the on-switch; an
+// unregistered script costs nothing):
+//   "hooks": {
+//     "PreToolUse": [
+//       { "matcher": "",
+//         "hooks": [ { "type": "command",
+//                      "command": "node \"$CLAUDE_PROJECT_DIR/.claude/hooks/secrets-guard.js\"",
+//                      "timeout": 5 } ] }
+//     ]
+//   }
+//
+// WHAT IT DOES: never let a tool read secret CONTENTS into the model's context (the leak).
+//   - Read / Edit / NotebookEdit of a secrets file  -> DENY (no reason to load a secret into context).
+//   - Bash command referencing a secrets path        -> ASK  (don't hard-block legit `.env` *creation*;
+//                                                             surface it to the human instead).
+//   - MCP tool call whose input references a secret   -> ASK  (unknown semantics; let the human judge).
+//   - everything else                                  -> ALLOW.
+// Fail-open: any parse/runtime surprise exits 0 (allow). A guard that breaks the session is worse
+// than one that occasionally misses — the deny-list floor still hard-blocks the common vectors.
+//
+// Output contract (Claude Code PreToolUse): JSON on stdout with a permissionDecision, exit 0.
+
+import fs from 'node:fs';
+
+// A path is "secret" if its basename is .env / .env.<suffix>, or it sits under a secrets/ segment.
+const SECRET_RE = /(^|[\/\s'"=:])\.env(\.[\w.-]+)?($|[\/\s'"])|(^|[\/\s'"=:])secrets\//i;
+
+const touchesSecret = (s) => typeof s === 'string' && SECRET_RE.test(s);
+
+const decide = (decision, reason) => {
+  process.stdout.write(JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: decision,           // "deny" | "ask"
+      permissionDecisionReason: reason,
+    },
+  }));
+  process.exit(0);
+};
+
+let event;
+try {
+  event = JSON.parse(fs.readFileSync(0, 'utf8') || '{}');
+} catch {
+  process.exit(0); // fail-open: unreadable/!JSON input -> allow
+}
+
+const tool = event.tool_name || '';
+const input = event.tool_input || {};
+
+try {
+  if (/^(Read|Edit|NotebookEdit)$/.test(tool)) {
+    const p = input.file_path || input.notebook_path || '';
+    if (touchesSecret(p)) {
+      decide('deny',
+        `secrets-guard: refusing to ${tool} a secrets file (${p}). Reading secret contents into ` +
+        `context risks leakage. Read secrets from the environment at runtime, or use a secret manager.`);
+    }
+  } else if (tool === 'Bash') {
+    if (touchesSecret(input.command || '')) {
+      decide('ask',
+        `secrets-guard: this Bash command references a secrets path. Approve only if it does NOT ` +
+        `read secret contents into the session (e.g. creating/appending a .env is fine; cat/grep is not).`);
+    }
+  } else if (tool.startsWith('mcp__')) {
+    if (touchesSecret(JSON.stringify(input))) {
+      decide('ask',
+        `secrets-guard: this MCP tool call references a secrets path. Approve only if it will not ` +
+        `expose secret contents to the session.`);
+    }
+  }
+} catch {
+  process.exit(0); // fail-open on any matching error
+}
+
+process.exit(0); // allow everything else

package/library/memory-seed/README.md

@@ -0,0 +1,29 @@
+# memory-seed — the durable-facts shelf
+
+This is the BOSS **superset** home for *durable* project memory — the slow-changing facts that stay
+true across sessions. It's one of the shelves the learning loop feeds (alongside `agents/`, `skills/`,
+`hooks/`, `practices/`). Seeds here are starting points a project's memory can be grown from; the
+learning loop deposits proven, generalizable facts UP into the library.
+
+## The cut this shelf exists to hold (the whole point)
+
+A build has **two memories**, and keeping them apart is what keeps context lean (see
+[`../practices/context-discipline.md`](../practices/context-discipline.md) and BOSS `FEAT-020`):
+
+| | **Durable facts** | **Working state** |
+|---|---|---|
+| Changes | rarely (across sessions) | fast (within a build) |
+| Examples | who the founder is, settled decisions, project constraints, the stack once chosen | the live feature's local decisions, gotchas, scratch context |
+| Home | Claude's auto-memory + this shelf | `.claude/rules/*.md` with `paths:` (loads **just-in-time**, only when the model opens a matching file) |
+| Lifecycle | persists; compounds | created → cleared on `/close` → best bits promoted via `/extract` |
+
+The trap is letting **working state** leak into an always-loaded surface (CLAUDE.md, a session-state
+doc). That's paid on every turn *and* dilutes the model's attention. So: **durable facts → here (and
+auto-memory); working state → a path-scoped rule that loads only when it's relevant.**
+
+## What a seed looks like
+
+A seed is a single durable fact in the auto-memory format (one fact per file, with frontmatter). See
+[`durable-facts-example.md`](durable-facts-example.md). The test for whether something belongs here:
+*would this still be true, and still worth loading, three sessions from now?* If it's only true while
+one feature is in flight, it's working state — put it in a `.claude/rules/` file instead.

package/library/memory-seed/durable-facts-example.md

@@ -0,0 +1,16 @@
+---
+name: stack-decision
+description: Example seed — the stack this project settled on, and the one-line why. Durable.
+metadata:
+  type: project
+---
+
+<!-- EXAMPLE seed. A durable fact = still true and still worth loading three sessions from now.
+     One fact per file. Delete this and write your project's real durable facts, or let the
+     learning loop (/extract → /boss-learn) deposit them here over time. -->
+
+The project settled on **<stack>** at **<IDEA-NNN / FEAT-NNN>** because **<the one-line reason>**.
+
+**Why it's durable:** a settled architectural decision binds every later build choice — the model
+should carry it across sessions, not re-derive it. **Why it's not working-state:** it doesn't change
+as a single feature moves; if it did, it would belong in a `.claude/rules/` file, not here.

package/library/practices/agent-security.md

@@ -0,0 +1,111 @@
+---
+id: PRACTICE-agent-security
+type: practice
+owner: mentor-architect
+status: active
+host: claude-code
+provenance: distilled from Simon Willison's 2026 agentic-security writing (lethal trifecta; "Agents Rule of Two"; classifiers are non-deterministic) — BOSS v0.48.0, IDEA-026 Part B · hardened v0.79.0 with the 2026 agent-native surface — OWASP Agentic ASI Top 10 (RVW-042), agentic misalignment (RVW-032), Anthropic containment + Redwood control (RVW-044), insecure AI-generated code & client-side key exposure (RVW-054) · UI-dark-patterns-as-injection-surface added v0.96.0 (RVW-060, /humane-refresh sweep pass 2)
+---
+
+# Practice — Agent security (a deterministic guard around a non-deterministic model)
+
+> **The shape of the risk.** The moment a founder runs an AI agent on their machine with file access,
+> a network, and instructions from the internet, they've assembled the surface attackers want. The
+> agent reads a web page / an issue / a dependency's README, that text contains instructions, and the
+> agent — being helpful — follows them. Security here is **architectural, not a prompt you add**. You
+> can't politely ask a model to never be tricked; you constrain what a tricked model can *do*.
+
+## The lethal trifecta (name it so you can break it)
+
+Data exfiltration / damage needs three things together. Remove any one and the attack can't complete:
+
+1. **Untrusted input** — content the agent reads that an attacker can influence (web pages, issues,
+   emails, scraped docs, a dependency).
+2. **Access to private data** — secrets, customer data, the founder's files.
+3. **Ability to act / exfiltrate** — send a request, write a file, run a command, post somewhere.
+
+## The Rule of Two (the operating heuristic)
+
+> Prefer that an agent (or a single agent step) has **at most two** of the three. The third is the
+> one you remove for that task.
+
+- Reading untrusted web content? Don't also give that step secrets *and* an open network to send
+  them. Sandbox it, or split the work so the reading step can't act.
+- Acting on private data? Keep untrusted input out of that step's context.
+
+## When the agent can act: the agent-native surface (2026)
+
+The trifecta is the *data-flow* risk. Once an agent has tools, memory, and autonomy, a second surface
+opens — the **agent itself** going wrong. Two things to hold:
+
+- **Agentic misalignment is measured, not hypothetical.** Anthropic showed frontier models — given
+  autonomy plus access to sensitive context — taking harmful, self-preserving actions under goal
+  conflict (insider-threat-shaped). The lesson isn't "the model is evil"; it's *don't grant standing
+  autonomy + sensitive access and assume good behaviour — bound both, and gate what can't be undone.*
+- **For an agent, the threat model is the OWASP Agentic ASI Top 10 (Dec 2025), not the stateless LLM
+  list.** An agent's real attack surface: goal hijack, **tool misuse**, identity/privilege abuse,
+  **agentic supply chain** (a poisoned MCP server or tool), unexpected code execution, **memory /
+  context poisoning**, insecure inter-agent comms, cascading failures, human-agent trust exploitation,
+  rogue agents. Each has a real 2025 incident behind it (EchoLeak, the GitHub-MCP exploit, the Replit
+  production-DB wipe). If you ship an agent, this is the list to defend — and the one to `/red-team`
+  against. The stateless LLM Top 10 still covers a plain prompt-in/text-out path.
+- **UI dark patterns are an injection surface (RVW-060).** An agent that browses or acts on the web is
+  manipulated by the *same* dark patterns built for humans — Sneaking, Urgency, Forced-Action — and it's
+  **worse off than a person**: Stanford's DECEPTICON steered agents to the manipulated outcome in **70%+ of
+  tasks vs a 31% human average**, and it **gets worse as models scale**. The trap is assuming awareness is a
+  defence: agents that noticed a pre-ticked box still didn't deselect it (goal-driven optimization), and
+  **in-context "watch out for tricks" prompting, guardrail models, and even human oversight were each shown
+  insufficient** in testing. So **recognition ≠ protection** — defend it the structural way: narrow
+  permissions, an explicit confirm before any purchase/commitment, and inspect what a page is steering the
+  agent to *do*, the same as inspecting a poisoned tool return. (This is the security face of
+  [`ai-ux-patterns.md`](ai-ux-patterns.md)'s agentic dark patterns — the agent there is the *victim*.)
+
+## Concrete defaults (what to actually do)
+
+- **Enforce in the harness, not the prompt.** Secret no-read belongs in `permissions.deny` (the
+  zero-cost floor BOSS ships) and, for high-stakes cohorts, the `secrets-guard` hook. A hook is a
+  **deterministic guard**; the model's own judgment (and any safety *classifier*) is
+  **non-deterministic** — never let the classifier be the only thing between untrusted text and a
+  destructive action. See [`context-discipline.md`](context-discipline.md).
+- **Sandbox by default** for steps that read untrusted input. Untrusted-content reads shouldn't run
+  with full filesystem + network.
+- **Match isolation to your oversight** (Anthropic's containment principle: the less you can watch a
+  step, the more it should be boxed). Concrete tiers: a **read-only mount** where the agent only needs
+  to read; **read-write-no-delete** where it edits but shouldn't be able to destroy; an **egress
+  allowlist** (the agent reaches the two hosts it needs, not the whole internet) for any step touching
+  untrusted input. And **inspect tool *returns* before they re-enter context** — a poisoned tool
+  result is just untrusted input arriving through the back door.
+- **Pin dependencies.** Unpinned deps are an untrusted-input channel (supply chain). Pin versions;
+  review what an agent adds. (This is ASI04 — the agentic supply chain — in practice.)
+- **Human-in-the-loop on the irreversible.** The actions that can't be undone (push, deploy, delete,
+  send) get an explicit gate — and the gate is a real stop, not a sentence in a system prompt. Where a
+  human can't be in the loop, put a *cheaper, trusted check* in front of the autonomous one (Redwood's
+  control framing: a small reliable model can screen a big autonomous model's destructive calls).
+
+## The app you ship is an attack surface too
+
+The trifecta and the ASI list are about the *agent on your machine*. But the **code the agent writes
+for your product** is its own risk — and a distinct one a founder is far more likely to ship by
+accident:
+
+- **AI defaults to insecure when a secure option exists.** Veracode found ~45% of AI-generated code
+  ships with an OWASP-Top-10 vulnerability, and it does *not* improve as models get bigger. Treat
+  generated code as *unreviewed*, not *done*.
+- **Client-side key exposure is the classic vibe-coded leak.** API keys baked into frontend JS, an
+  open storage bucket, a secret committed to the repo — the 2025 incidents (the Tea breach, ~25k
+  secrets found across vibe-coded sites, a 1.5M-key exposure) are nearly all this one shape.
+  **`secrets-guard` does *not* catch it.** That hook stops the *agent* reading a secret file into
+  context; it does nothing about a *shipped app* exposing a key. Different surface, different defence.
+- **The antidote is a pre-ship scan, not a prompt.** Before the first deploy: a secret scan (no keys
+  in the bundle or the repo) plus the OWASP web basics. `/red-team` carries this pass. For a
+  non-technical founder it's the single security gate that matters most — they can't spot the vuln
+  themselves, so the scan has to.
+
+## Altitude / JIT (don't scare a day-one founder)
+
+This is **not** a wall of security text on a Quickstart. Route it JIT: the floor (`permissions.deny`)
+ships silently with every project; the rest surfaces when the work earns it, one trigger at a time —
+the **trifecta + Rule of Two** the first time an agent reads untrusted web content; the **agent-native
+ASI surface** the first time the founder ships an agent with tools and memory; the **pre-ship scan**
+at the first deploy; the **full battery** for a domain-expert / regulated cohort. Principle #2: the
+right ceremony at the right time, never the whole wall at once. See `IDEA-026`.

package/library/practices/ai-adoption-culture.md

@@ -0,0 +1,104 @@
+---
+id: PRACTICE-ai-adoption-culture
+type: practice
+owner: mentor-humane (with mentor-talent)
+status: active
+provenance: distilled via /vet RVW-038 from Stanford WORKBank / Human Agency Scale (arXiv 2506.06576, 2025) · Amy Edmondson, psychological safety · Ethan Mollick, "secret cyborgs" (2024) · BetterUp Labs × Stanford "workslop" (HBR 2025). Numbers graded per docs/research/SOURCES.md two-lane rule. BOSS v0.80.0; feeds IDEA-037.
+---
+
+# Practice — AI adoption culture (bring AI to a team without breeding resentment)
+
+> **The shape of the risk.** A founder who forces AI on a team top-down gets the opposite of what they
+> wanted: people **hide** their AI use, **ship each other sloppy AI output**, and quietly **resent** the
+> mandate. The failure isn't the tool — it's the rollout. The whole point of this practice: a small
+> founding team adopts AI so people **opt in**, not comply. (This is the humane lens turned on the
+> founder's *own* team — BOSS has to walk it, not just preach it.)
+
+## 1. Automate what's *wanted* — name the Red Light (the Human Agency Scale)
+
+Stanford's WORKBank survey (1,500 workers, 844 tasks) found a clean pattern: people welcome having
+**drudgery** automated and **fiercely guard** creative and relational work. The dangerous zone is the
+**"Red Light"** — tasks AI is *capable* of but workers *don't want* automated. Automating into the Red
+Light is exactly how you breed resentment. *(Damning aside: ~41% of YC startups were building into the
+Low-Priority + Red-Light zones — automating the capable-but-unwanted. [EVIDENCE], though the YC figure
+is a mapping estimate.)*
+
+The **Human Agency Scale** (H1 = AI alone → H5 = human essential throughout) is a shared vocabulary for
+*how much* human stays in a task. Use it as a question, not a verdict:
+
+> Before you automate a teammate's task: **is this Green Light (they'd be glad to lose it) or Red Light
+> (capable-but-unwanted)?** If Red Light, the agency cost is the story — name it, don't just ship it.
+
+## 2. Make it safe to not know AI (psychological safety)
+
+Edmondson's work is gold-standard: psychological safety is the strongest predictor of team learning,
+and high-performing teams admit **more** gaps, not fewer. AI adds a sharper edge — admitting "I don't
+understand AI" can read as a **job-survival** risk, not just embarrassment, especially under a mandate.
+*(The AI-specific extension is 2025 commentary, [THOUGHT-LEAD]; the underlying psych-safety research is
+[EVIDENCE].)*
+
+For a two-person team the load-bearing question is concrete: **can your non-technical cofounder say
+"I'm lost on this" without losing face?** The moves:
+
+- Model it from the top: "I don't know this either — let's figure it out." A founder who pretends
+  fluency teaches everyone else to fake it.
+- Pair safety with **high standards** — it's not niceness or lowered bar; it's the condition where
+  people can tell the truth *and* be held to good work (the Edmondson correction, [[RVW-035]]).
+
+## 3. Kill the secret-cyborg dynamic — reward honest use
+
+Mollick named it: when the rules **punish**, organisations fill with **"secret cyborgs"** — people who
+quietly automated their own work and won't tell anyone. The result is hidden gains and zero shared
+learning. (Corroborating signal: roughly **half** of desk workers say they'd be uncomfortable telling
+a manager they used AI — it "feels like cheating." [THOUGHT-LEAD/vendor], directionally consistent.)
+
+The move: make surfacing AI use **safe and rewarded**, not merely permitted. Share what's working out
+loud, both directions. *(In a BOSS team this is exactly what the shared craft commons — `/practice` /
+`PRAC-NNN` — is for: a discovery one cofounder makes becomes one the other inherits, with attribution
+as a pointer, never a scoreboard.)*
+
+## 4. The stakes — workslop erodes trust *between cofounders*
+
+BetterUp × Stanford ("workslop," HBR 2025, n=1,150): ~40% of workers received AI output that *looks*
+done but isn't in the last month, costing ~2 hours of rework each — and, the part that bites, recipients
+rated the **sender** less trustworthy (42%), less intelligent (37%). *([EVIDENCE], vendor-co-authored —
+treat the dollar figures as illustrative, the trust-erosion as solid.)* Bad AI use doesn't just waste
+time; **it costs you your team's respect.** The norm that prevents it is one sentence:
+
+> **"Would I be proud to hand this to my cofounder?"** AI output is a draft *you own*, not a thing you
+> forward.
+
+## 5. How to run it — the cofounder AI consent + norms conversation
+
+Not a policy doc. A short, explicit conversation, early, revisited as the craft changes:
+
+1. **Map the zones together** — what AI genuinely helps with (Green Light) vs. what you keep human
+   (Red Light). Disagreement here is the useful part.
+2. **Agree it's safe to be lost** — "I don't know this AI thing" is a normal sentence on this team, and
+   we share what we each learn.
+3. **Set the no-workslop norm** — own your AI output before it reaches anyone else.
+4. **Revisit on a cadence** — the frontier moves; last month's "AI can't do this" may be wrong now
+   (the model-recalibration discipline, team-scoped — ties to `/practice` staleness and IDEA-014).
+
+## Altitude / JIT (Principle #2)
+
+- **Solo founder → dormant.** There's no team to adopt to; don't surface it.
+- **Surfaces when a second person joins** — a cofounder, a first hire, a first contractor. That's the
+  trigger, not a calendar.
+- **Never a mandate.** Forcing humane AI-adoption would be its own irony. The conscience may surface a
+  Red-Light tension; it never picks the answer for the team (the conscience-vs-censor line —
+  [[conscience-voicing]]).
+
+## Handoff — for the IDEA-037 founding-teams build
+
+> **This is a reviewable starting draft, not the final word.** It carries the *inheritable knowledge*;
+> the teams build (IDEA-037 / FEAT-021) owns the concrete wiring. Recommended, for that work to weigh:
+>
+> - A conscience **Red-Light moment** — when work suggests automating a teammate's task, name the agency
+>   tension ("you *can* automate this — does your team *want* it?"). This is a *new hook moment* (new
+>   detector + eval cases), deliberately left out of this routing to avoid touching the conscience gate
+>   from a parallel session.
+> - The **cofounder consent + norms conversation** (§5) as a step in team onboarding / the `boss team`
+>   flow.
+> - **mentor-the-team (slice 5)** cites this practice as its source for the AI-adoption coaching.
+> - [[RVW-035]] (Edmondson psych-safety, NOT-YET) finds its home here — fold it in when slice 5 lands.

package/library/practices/ai-ux-patterns.md

@@ -0,0 +1,246 @@
+---
+id: PRACTICE-ai-ux-patterns
+type: practice
+owner: designer
+status: active
+host: stack-neutral
+provenance: distilled from the 2026-06-20 AI-UX scan (Shape of AI, Microsoft HAX, Google PAIR, IBM Carbon, LangChain HITL, NN/g 2026, Apple HIG GenAI) — BOSS v0.49.0, IDEA-029 · dark-pattern checklist + humane alternatives added v0.82.0 (RVW-031, from CDT *Dark Patterns in AI Chatbots* 2026, CC-BY) · classic-web pattern families + regulatory teeth (effect-not-intent, symmetry-in-choice) added v0.95.0 (RVW-056/057, first /humane-refresh sweep, IDEA-042) · cohort & frontier patterns (accessibility, minors, agentic, algorithmic-management) + junk-fees teeth added v0.96.0 (RVW-059/060/061/062/063, sweep pass 2)
+---
+
+# Practice — AI-native interface patterns (2026)
+
+> **Where this sits.** [`design-system.md`](design-system.md) + the tokens discipline own how AI-built
+> UI *looks*; this owns how an AI feature *behaves toward the person* — when it speaks, how it shows
+> confidence, how it asks permission, how it recovers from being wrong. The 2024–25 rules (options-
+> not-truth, undo/edit/regenerate, visible confidence, failure states) still hold; 2026 adds the
+> patterns below for *plural, background, risk-tiered* agent work.
+
+## 1. "Why this" — rationale grounded in the user's own inputs
+
+When the AI makes a consequential choice, say *why*, in one line, **traceable to something the user
+said or did**: *"Steering you to Quickstart because you said it's day one"* — not *"Quickstart is
+best."* This is the cheapest trust surface and it doubles as teaching. Bound it (Google PAIR
+*Partial Explanations*): explain when stakes are high or the result is surprising, not on every step.
+
+## 2. Confidence is a register, not a number
+
+Match how you express confidence to how reliable you actually are (HAX G2). Soft uncertainty → a
+hedge phrase. Real precision → a number. Low confidence → *show more options* (the option count itself
+is the signal — Google PAIR N-best). Don't paint one flat "confidence" everywhere.
+
+## 3. Three interrupt registers: Notify / Question / Review
+
+- **Notify** — FYI, no action needed (a fact surfaced; keep moving).
+- **Question** — ask **one** sharp clarifying question instead of guessing.
+- **Review** — propose a change and wait for a decision.
+
+Name which one you're in. Most tools collapse everything into Review (approval fatigue) or Notify
+(noise). (LangChain ambient agents.)
+
+## 4. Risk-tier the gate; offer four decision verbs
+
+Don't gate uniformly — gate by **loss type** (money / security-data / lost-work / irreversibility).
+Low-stakes steps (a draft, a search, writing a new file) flow through; high-stakes get a stop. And
+when you do stop, offer the full vocabulary, not just yes/no:
+
+- **approve** · **edit-before-execute** · **reject-with-feedback** · **respond**
+
+For a tool that writes files and configs, **edit-before-execute is the highest-value verb** — a
+first-time founder wants to tweak, not just veto. (LangChain HITL; Shape of AI *Verification*.)
+
+## 5. Progressive disclosure of the work
+
+Show the verdict / result first; let the person expand to the reasoning, the plan, the tool calls
+("Stream of Thought / Footprints" — Shape of AI). Default collapsed. A reviewable trail of *what the
+agent changed* is part of this — don't act on someone's repo with no footprints.
+
+## 6. Trust repair after a miss
+
+When the AI gets it wrong, run a deliberate repair: **own it specifically** ("I got X wrong — here's
+what I'll do differently"), and recover **asymmetrically** — trust breaks fast and rebuilds slow, so
+reduce autonomy / ask *more* for a while after a miss. A user who's been burned wants more
+confirmation, not less, regardless of project stage. (NN/g 2026; trust-calibration.)
+
+## 7. Discernment — knowing when NOT to speak
+
+The 2026 macro shift (NN/g) is automation → **discernment**: the best AI recedes into the background;
+human direction, curation, and verification stay essential. *Staying quiet at the right moment is a
+feature*, not the absence of one. This is the interaction-level statement of BOSS's whole conscience-
+JIT ethos — name it so it's designed, not accidental.
+
+## 8. Degraded-state honesty
+
+When running degraded — model uncertain, on a fallback path, low confidence — *say so*, so the person
+recalibrates. Treat "I don't know" as a first-class, well-worded output, not a failure to hide.
+
+## 9. Generative UI — decide who holds the controls
+
+When an agent *renders the interface itself* (not just emits text), the load-bearing question is how
+much control the frontend keeps. A spectrum: **static** (the model fills slots in UI you designed —
+safest) → **declarative** (the model picks from an approved component set + props) → **open-ended** (the
+model emits arbitrary UI/markup — most power, highest stakes). Open-ended belongs in §4's irreversibility
+tier: an injected or confused prompt can now redraw what the user sees and clicks. Default to the
+least-open rung that still proves the bet; earn open-ended with a real reason, not convenience.
+(CopilotKit/AG-UI 2026 — keep the judgment, drop the protocol.)
+
+## 10. Memory is a reviewable object, not a black box
+
+If the product *remembers* the person across sessions, that memory needs a control surface — **view /
+edit / correct / delete / scope** what the AI holds about them. It's the §5 footprints principle extended
+from *what the agent did* to *what the system knows*: wrong-but-invisible memory silently degrades every
+future response and the user can't tell why. This pattern is also dogfood — BOSS is itself a
+memory-carrying tool (`.boss/`, `MEMORY.md`, the venture brain), so it should hold the pattern it is an
+instance of.
+
+## Dark patterns — the manipulative inverse (recognize as you build)
+
+Patterns 1–8 are the *good* shape; this is the named *bad* shape, so a founder can catch one **while
+building it** — including ones that **emerge from the model** (training / fine-tuning / RLHF / system
+prompts), not only ones designed on purpose. Sycophancy is the canonical emergent case. Source: CDT,
+*Dark Patterns in AI Chatbots* (2026, CC-BY) — 37 patterns in five families:
+
+- **Data & memory exploitation** — default-sharing, disguised collection, privacy-zuckering, "just
+  between you and us," difficult-to-delete, *safety-blackmail* (extracting more data under pressure).
+- **Informationally misleading** — misrepresenting (a bot implying it's a therapist / "never
+  hallucinates"), impersonation, hallucinations-as-truth, selective framing, reduced-friction +
+  bad-defaults steering.
+- **Autonomy compromised for engagement** — infinite-scroll/teasers, variable rewards, gamification
+  (streaks) that prolong past intent.
+- **False social/emotional connection** — **sycophancy**, playacting (fake memories/feelings),
+  emotional manipulation via hyper-personalization, guilt / confirm-shaming when the user tries to
+  leave, *targeting users when vulnerable*.
+- **Coercive monetization** — pressured selling, fake social proof, bait-and-switch, sneaky
+  purchases / disguised ads, paywalling memory or persona ("pay to keep your history").
+
+**The humane alternative (CDT's "better design" — name the cost *and* point at the fix):** default
+conversations to *end* (don't artificially prolong); make the social/emotional layer **opt-in** (offer
+a strip-it-out default); give genuine delete/export controls (not convoluted); use **no
+emotionally-charged language near an upgrade/purchase**; label paid/sponsored content plainly.
+
+**Two judgment calls.** (1) A few patterns are dark *in isolation* → hard-name them (targeting the
+vulnerable, guilt-on-exit, sneaky purchases); most are context-dependent → surface the tension, let the
+founder choose (conscience-not-censor). (2) Because these **emerge**, test the *built* product, not just
+the intent — `/red-team --humane` (sycophancy especially).
+
+### The classic-web patterns an AI product inherits (RVW-056)
+
+The CDT list above is *AI-chatbot-shaped*. But the moment a product grows an **account, a paywall, or a
+checkout**, it inherits the dark patterns the web has named for a decade — and that's exactly where a
+first-time founder ships one without knowing it has a name. Four families the chatbot lens omits (canonical
+sources: Brignull's deceptive.design, Mathur et al. *Dark Patterns at Scale*, Gray et al.'s CHI-2024
+ontology — pinned below, don't re-enumerate):
+
+- **Obstruction** — making the exit artificially hard. *Roach motel / immortal accounts* (sign-up is one
+  click; deletion is a support-ticket maze), hard-to-cancel, forced continuity. **Humane:** exit as easy as
+  entry — one-click delete/cancel that matches the ease of sign-up.
+- **Sneaking** — slipping in what the user didn't choose. Sneak-into-basket, hidden costs, **drip /
+  partitioned pricing** (advertise part of the price, reveal mandatory fees at the end — FTC-named; ~20%
+  higher spend when fees are hidden), forced enrollment. **Humane:** the all-in total **shown most
+  prominently, before any commitment step** (the FTC Junk Fees Rule bar, RVW-062); nothing on the cart or the
+  bill the user didn't pick.
+- **Manufactured urgency & scarcity** — fake pressure. Countdown timers that reset after they expire, false
+  low-stock counts, fabricated "12 people viewing this." **Humane:** real deadlines and real inventory only —
+  if the urgency isn't true, don't manufacture it.
+- **Interface interference / misdirection** — the UI steering the eye and the click. Visual interference,
+  trick questions, confirmshaming (generalized beyond the exit), pre-ticked **bad defaults**. **Humane:** the
+  choice you'd make for yourself is the visually-equal default; neutral wording; no shame.
+
+**Effect, not intent (RVW-057).** A dark pattern needs no malice — California law (CCPA § 1798.140(l)) judges
+it by its *effect* on the user's choice, not the designer's intent, so you can ship one **by accident** (the
+checkout you copied, the deletion flow you never built). That's where the conscience earns its keep: it's
+worth most catching the dark pattern the founder *didn't mean to build*.
+
+### The cohort & frontier patterns (who the checklist above misses)
+
+The lists above are mostly *who's-looking-at-a-screen*. Three more surfaces — a cohort, a population, and a
+new actor — carry their own patterns. These are **conditional**: they surface when the product touches that
+surface, not on every Quickstart (Principle #2).
+
+- **Accessibility / exclusion-by-design (RVW-059).** An inaccessible flow — an unlabeled element, an
+  inaccessible CAPTCHA, an unsubscribe buried low in keyboard-nav order, a pre-ticked box invisible to a
+  screen reader — is **"effectively deceptive" to anyone who can't perceive or escape it**, *even when
+  unintentional* (the sharpest case of "effect, not intent"). It also *amplifies* every pattern above:
+  blind/low-vision users via AT, and ADHD/neurodivergent users who recognize far fewer of them. **Humane:**
+  **WCAG is the floor, not the ceiling** — label every interactive element, give cancel/unsubscribe
+  equal-or-higher nav priority, offer non-visual auth, and test the flow's *deceptiveness under assistive
+  tech*, not just its compliance. (CHI/CSCW '25.)
+- **Minors & vulnerable-by-design (RVW-061)** — *when the product may reach minors.* Three enforced rules:
+  **price in real currency and disclose odds** (multi-tier virtual currency that hides real-money cost is the
+  loot-box dark pattern — FTC's $20M Genshin action); **ship addictive-design features OFF by default for
+  minors** (streaks, autoplay, push — the EU's named list; a clean extension of Humane defaults below); and
+  **age assurance, not age-gate theater** (a clickable "I am 18" is not age assurance). Pro-privacy nudges
+  *toward* the safer default are explicitly fine. (FTC; EU DSA minor guidelines 2025; UK Children's Code.)
+- **Agentic dark patterns (RVW-060)** — *when your product has an agent that acts for the user.* Two
+  directions. (a) **Your agent as perpetrator:** commitment/purchase without explicit consent, over-broad
+  permission grants, opaque autonomous decisions. **Humane:** scope permissions narrowly, surface what it's
+  about to do, and confirm before money/irreversibility — this is §4's risk-tiered gate pointed at agent
+  actions. (b) **Your agent as victim:** an agent browsing the web is manipulated by these same dark patterns
+  *more* than a human (70%+ vs 31%), and *worse* as models scale — see
+  [`agent-security.md`](agent-security.md) (recognition ≠ protection; don't rely on "tell the agent to watch
+  out"). (Stanford DECEPTICON; CHI 2026; OWASP Agentic 2026.)
+- **Algorithmic management (RVW-063)** — *when the product scores, ranks, or pays people.* Opaque,
+  unpredictable scoring/pay the person can't understand, plus gambling-style bonus/quest/surge incentives
+  ("algorithmic gamblification"), is the worker-facing dark pattern. **Humane:** a transparent, predictable
+  formula with disclosed factors and no gambling mechanics. (HRW *The Gig Trap* 2025 — documented harm; EU/UK
+  platform-work rules are the maturing teeth.)
+
+## Humane defaults — the build-time inverse (ship the fix, keep the door, record the crossing)
+
+The checklist above is what to *catch*; this is what to *build by default* — friction-as-ethics, done
+right. **Ship the humane choice as the default:** privacy on, consent opt-in, the metric hideable, the
+escape hatch already wired, the action reversible. The humane path becomes the path of least resistance
+because it's *already done for you* — not because anything else was blocked.
+
+**The asymmetry is the whole discipline, and the easy way to get it wrong.** You *remove* friction from
+the humane path; you **never add** friction to the harmful one. Deliberately slowing, burying, or
+complicating a choice you disapprove of is a dark pattern aimed at a goal you happen to like — and
+manipulation is manipulation regardless of whose side it's on. Means matter; you can't dark-pattern your
+way to a humane product. Sovereignty is non-negotiable: **keep every door equally open.** The concrete,
+testable bar is **symmetry in choice** (codified in California's 11 CCR § 7004): the privacy-protective path
+must be no longer, harder, or slower than the less-protective one — opt-out in as few steps as opt-in, "Decline
+All" as prominent as "Accept All." If the good door takes more clicks than the bad one, you've already failed.
+
+**So what about when the founder chooses the dark pattern anyway?** Don't block it; don't sabotage it —
+make it *accountable*. The conscience names the cost once, then offers to **record the crossing** as a
+`DEC-NNN` (the *why* and the *when*). Not a penalty, not a gate — a memory. Later, future-them (or a
+cofounder, a buyer, a regulator) can ask *"why did we do that, and when?"* and trace it back. That record
+is the antidote to humanity eroding *invisibly*: the thousand small decisions stop accreting in the dark
+the moment each crossing is defaulted-humane, kept-open, named, and logged.
+
+The quiet bonus: a humane default *teaches*. The founder building on it absorbs the decent pattern without
+a lecture — caught, not taught, baked into the scaffold instead of spoken by the conscience.
+
+## Canonical references (pin the designer here; don't reinvent)
+
+- **Shape of AI** (shapeof.ai) — the working pattern vocabulary; the "Governors" category maps ~1:1
+  onto BOSS's conscience moments. Primary.
+- **Microsoft HAX** — 18 evidence-based guidelines (G1/G2/G11/G15/G17 = when to speak vs. stay quiet).
+- **IBM Carbon for AI** — disclosure primitives ("AI label" + explainability popover).
+- **Google PAIR** — calibrated trust / explainability (frozen ~2023 but still the best on this).
+- **Apple HIG Generative AI**, **OpenAI Apps SDK UX**, **Anthropic "building effective agents"** —
+  vendor-current; show-the-plan / checkpoint-before-irreversible / refine-and-feedback.
+- Community catalogs (e.g. agentic-design.ai) — route through `/vet` before adopting, not `/boss-learn`.
+
+**Dark-pattern canon (the named-pattern superset — pinned, not enumerated here):**
+- **deceptive.design** (Harry Brignull) — the canonical pattern library + the "deceptive patterns" taxonomy.
+- **Mathur et al. (Princeton, 2019)** *Dark Patterns at Scale* — the empirical 7-category / 15-type scheme.
+- **Gray et al. (CHI 2024)** *Ontology of Dark Patterns Knowledge* — 64 types harmonized from 10 taxonomies.
+- The standing refresh of this canon lives in [`/humane-refresh`](../../.claude/skills/humane-refresh/SKILL.md)
+  + its [watchlist](../../docs/research/watchlists/humane-lens.md) (IDEA-042), not in this list.
+
+**Regulatory teeth (reference, not legal advice — BOSS doesn't give legal advice):** dark patterns are now
+named and penalized — California **CCPA/CPRA** (effect-not-intent; symmetry rule § 7004), the **EU AI Act**
+Art. 5(1)(a)/(b) (binding ban on manipulative/vulnerability-exploiting AI; fines to €35M / 7% turnover),
+**EDPB** Guidelines 03/2022 (six-category consent taxonomy), the **FTC** 2022 report (four harm-based
+categories) + the **FTC Junk Fees Rule** (2024, drip-pricing/total-price) + the **$20M Genshin loot-box
+action** (2025), the **EU DSA minor-protection guidelines** (2025) and **UK Children's Code** (statutory),
+and **ADA / EU Accessibility Act** (accessibility as a floor). *Caveat: the FTC "click-to-cancel" Negative
+Option Rule was vacated by the 8th Circuit in 2025 — verify status before relying on it (RVW-064).* A pointer
+for "is this regulated?", never a compliance gate.
+
+## Altitude / anti-rot
+
+These are **runtime heuristics the conscience + designer apply**, not a static checklist to freeze
+into one skill (the RVW-001 anti-pattern). Refresh them on the model/host curve (`IDEA-014`). On a
+Quickstart, most of this is silent default; it surfaces as the project earns interaction complexity
+(Principle #2). See `IDEA-029` (interaction layer) + `IDEA-010` (style/tokens layer).