cc-workspace 4.0.0

package/global-skills/hooks/task-completed-check.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# task-completed-check.sh
+# TaskCompleted hook: reminds teammates to verify tests/dead code/constitution.
+# Exit 0 + stdout = inject reminder as context (non-blocking, v4.0).
+set -euo pipefail
+
+INPUT=$(cat)
+
+# Extract task output if available
+TASK_OUTPUT=$(echo "$INPUT" | jq -r '.task_output // empty' 2>/dev/null) || true
+
+# Check for explicit failure signals across common test runners
+# PHPUnit: FAILURES!, ERRORS!, Tests: X, Failures: Y
+# pytest/vitest/jest: FAILED, failed, ✗, Error
+# Pest (Laravel): FAIL, Tests: X, X failed
+# Generic: exit code non-zero indicators, AssertionError (Python), AssertionError (various)
+if echo "$TASK_OUTPUT" | grep -qiE '(tests?\s*fail|FAIL(ED|URES?)|error.*test|test.*error|ERRORS?:|failures?:|AssertionError|exit\s*code\s*[1-9])' 2>/dev/null; then
+    echo "[Warning] Tests appear to have failed. Verify before marking complete."
+fi
+echo "Task completion checklist: 1) Verify tests passed 2) Check for dead code 3) Verify constitution compliance."
+exit 0

package/global-skills/hooks/teammate-idle-check.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# teammate-idle-check.sh
+# TeammateIdle hook
+# Checks if unfinished tasks remain in active plans.
+# NOTE: Uses CLAUDE_PROJECT_DIR to locate the workspace.
+# If this hook runs in a teammate context where the plans/ directory is
+# not accessible, it will harmlessly exit 0.
+# v4.0: Warning only (exit 0). Never blocks.
+set -euo pipefail
+
+cat > /dev/null
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-.}"
+
+# Check for pending tasks in active plans
+if [ -d "$PROJECT_DIR/plans" ]; then
+    PENDING=$(find "$PROJECT_DIR/plans" -name '*.md' \
+        ! -name '_TEMPLATE.md' \
+        ! -name 'service-profiles.md' \
+        -exec grep -l '⏳' {} \; 2>/dev/null)
+
+    if [ -n "$PENDING" ]; then
+        PLAN_NAMES=$(echo "$PENDING" | xargs -I{} basename {} | tr '\n' ', ' | sed 's/,$//')
+        echo "[Warning] Unassigned tasks remain in: $PLAN_NAMES. Consider claiming the next pending task."
+        exit 0
+    fi
+fi
+
+# No pending tasks — teammate can go idle
+exit 0

package/global-skills/hooks/track-file-modifications.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# track-file-modifications.sh
+# PostToolUse hook (async): logs modified files for merge-prep.
+# Matcher: Write|Edit|MultiEdit
+# Appends to .claude/modified-files.log
+set -euo pipefail
+
+INPUT=$(cat)
+PROJECT_DIR="${CLAUDE_PROJECT_DIR:-.}"
+LOG_FILE="$PROJECT_DIR/.claude/modified-files.log"
+
+# Extract file path from tool input
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty' 2>/dev/null) || true
+
+if [ -n "$FILE_PATH" ]; then
+    mkdir -p "$(dirname "$LOG_FILE")"
+    echo "$(date +%Y-%m-%dT%H:%M:%S) $FILE_PATH" >> "$LOG_FILE"
+fi
+
+exit 0

package/global-skills/hooks/user-prompt-guard.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# user-prompt-guard.sh
+# UserPromptSubmit hook: conditionally reminds the orchestrator of its role.
+# Only injects the reminder when the user prompt contains patterns suggesting
+# a direct code request. This saves tokens on routine messages.
+# Non-blocking (exit 0 + stdout = context injection).
+set -euo pipefail
+
+INPUT=$(cat)
+
+# Extract the user prompt text from stdin JSON
+PROMPT=$(echo "$INPUT" | jq -r '.prompt // empty' 2>/dev/null) || true
+
+# Only inject reminder if user prompt matches code-request patterns
+if echo "$PROMPT" | grep -qiE '(dans le repo|dans [a-z-]+/|modifie.*repo|édite.*(api|front|light|spring|scraper|krakend|dashboard)|patch.*service)' 2>/dev/null; then
+    echo "Role reminder: Writing in sibling repos is for teammates. You can write in orchestrator/ (plans, workspace.md, constitution.md). For repo changes, spawn a teammate."
+fi
+
+exit 0

package/global-skills/hooks/validate-spawn-prompt.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+# validate-spawn-prompt.sh
+# PreToolUse hook (matcher: Teammate): validates that teammate spawn prompts
+# contain the required context before allowing the spawn.
+# v4.0: ALL checks are non-blocking warnings (exit 0 + stdout).
+set -euo pipefail
+
+INPUT=$(cat)
+
+# Extract the spawn prompt from tool input
+PROMPT=$(echo "$INPUT" | jq -r '.tool_input.prompt // empty' 2>/dev/null) || true
+
+if [ -z "$PROMPT" ]; then
+    exit 0
+fi
+
+WARNINGS=""
+BLOCKERS=""
+
+# Check 1: Project-specific rules — require numbered rules (13., 14., etc.)
+# or explicit section header, not just mention of the word "rules"
+RULES_FOUND=0
+if echo "$PROMPT" | grep -qiE '(## project rules|## non-negotiable|project-specific rules|rules spécifiques)' 2>/dev/null; then
+    RULES_FOUND=1
+fi
+if echo "$PROMPT" | grep -qE '(1[3-9]\.|[2-9][0-9]\.).*\*\*' 2>/dev/null; then
+    RULES_FOUND=1
+fi
+if echo "$PROMPT" | grep -qiE '(constitution|project rules)' 2>/dev/null && echo "$PROMPT" | grep -cqiE '(tenant|scoping|precision|rollback|feature flag)' 2>/dev/null; then
+    RULES_FOUND=1
+fi
+if [ "$RULES_FOUND" -eq 0 ]; then
+    BLOCKERS+="- Missing project-specific rules in spawn prompt. Include the project constitution rules (numbered rules from workspace constitution.md, translated to English).\n"
+fi
+
+# Check 2: Tasks section must be present with actual task content
+if ! echo "$PROMPT" | grep -qiE '(your tasks|## tasks|assigned tasks|tâches|### tasks)' 2>/dev/null; then
+    BLOCKERS+="- Missing tasks section in spawn prompt. Include the specific tasks from the plan.\n"
+fi
+
+# Check 3: CLAUDE.md instruction
+if ! echo "$PROMPT" | grep -qiE '(CLAUDE\.md|read the repo|repo conventions|read.*conventions)' 2>/dev/null; then
+    WARNINGS+="- Missing instruction to read repo CLAUDE.md.\n"
+fi
+
+# Check 4: Frontend teammates need UX standards — check for actual UX content
+if echo "$PROMPT" | grep -qiE '(front|frontend|vue|quasar|nuxt|react|ui|ux)' 2>/dev/null; then
+    UX_SIGNALS=0
+    echo "$PROMPT" | grep -qiE '(4 (mandatory )?states|skeleton|empty state)' 2>/dev/null && UX_SIGNALS=$((UX_SIGNALS + 1))
+    echo "$PROMPT" | grep -qiE '(responsive|mobile.first)' 2>/dev/null && UX_SIGNALS=$((UX_SIGNALS + 1))
+    echo "$PROMPT" | grep -qiE '(accessib|aria.label|wcag)' 2>/dev/null && UX_SIGNALS=$((UX_SIGNALS + 1))
+    echo "$PROMPT" | grep -qiE '(ux standard|error.state|loading.state)' 2>/dev/null && UX_SIGNALS=$((UX_SIGNALS + 1))
+    if [ "$UX_SIGNALS" -lt 2 ]; then
+        BLOCKERS+="- Frontend teammate detected but UX standards not sufficiently included (found $UX_SIGNALS/4 UX signals). Inject frontend-ux-standards content.\n"
+    fi
+fi
+
+# Check 5: API teammates need contract shapes
+if echo "$PROMPT" | grep -qiE '(api|backend|endpoint|rest|graphql)' 2>/dev/null; then
+    if ! echo "$PROMPT" | grep -qiE '(contract|response shape|request shape|interface|payload|schema|GET /|POST /|PUT /|DELETE /)' 2>/dev/null; then
+        WARNINGS+="- API teammate detected but no contract/shapes found in prompt. Consider including the API contract.\n"
+    fi
+fi
+
+# Check 6: Escalation instruction
+if ! echo "$PROMPT" | grep -qiE '(escalat|STOP and report|STOP and escalate|report.*dilemma|architectural decision)' 2>/dev/null; then
+    WARNINGS+="- Missing escalation instruction. Include: 'If you hit an architectural decision NOT covered by the plan: STOP and escalate.'\n"
+fi
+
+# Report — ALL checks are warnings only (v4.0)
+ISSUES=""
+[ -n "$BLOCKERS" ] && ISSUES+="$BLOCKERS"
+[ -n "$WARNINGS" ] && ISSUES+="$WARNINGS"
+
+if [ -n "$ISSUES" ]; then
+    echo -e "Spawn prompt validation warnings (non-blocking):\n$ISSUES"
+fi
+
+exit 0

package/global-skills/hooks/worktree-create-context.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# worktree-create-context.sh
+# WorktreeCreate hook: logs worktree creation and reminds teammate to read repo CLAUDE.md.
+# Parses stdin JSON to extract the worktree path for a specific reminder.
+set -euo pipefail
+
+INPUT=$(cat)
+
+WORKTREE_PATH=$(echo "$INPUT" | jq -r '.worktree_path // empty' 2>/dev/null) || true
+
+if [ -n "$WORKTREE_PATH" ]; then
+    echo "[WorktreeCreate] Worktree created at: $WORKTREE_PATH"
+    if [ -f "$WORKTREE_PATH/CLAUDE.md" ]; then
+        echo "Read $WORKTREE_PATH/CLAUDE.md first — follow its conventions."
+    else
+        echo "WARNING: No CLAUDE.md found in $WORKTREE_PATH. Check repo root or run bootstrap-repo."
+    fi
+else
+    echo "[WorktreeCreate] Worktree created. Read the CLAUDE.md in the repo root first."
+fi
+
+exit 0

package/global-skills/incident-debug/SKILL.md

@@ -0,0 +1,86 @@
+---
+name: incident-debug
+description: >
+  Debug incidents across a multi-service stack. Spawns parallel
+  investigators per layer. Use when user reports a bug, says "erreur",
+  "500", "bug", "debug", "ça marche pas", "investigate", or pastes
+  stack traces or error logs.
+argument-hint: "[error description or stack trace]"
+context: fork
+allowed-tools: Read, Write, Glob, Grep, Task, Teammate, SendMessage
+---
+
+# Incident Debug — Multi-Layer Investigation
+
+You investigate. You do NOT fix. You produce a diagnosis.
+
+## Phase 1: Triage
+
+Read `./workspace.md` for the service map.
+Parse the user's report for signals:
+
+| Signal | Start with |
+|--------|-----------|
+| HTTP 4xx/5xx | API layer |
+| JS error / white screen | Frontend |
+| Auth loop / 401/403 | Auth + middleware |
+| Slow / timeout | DB + gateway |
+| Wrong data | Data layer + API |
+| 502/503 | Infra |
+
+If unclear, investigate all layers.
+
+## Phase 2: Investigate (parallel)
+
+Spawn investigators via Agent Teams (Teammate tool):
+- **API/Backend**: full Sonnet teammate with write-capable investigation. Use the **LSP tool** (go-to-definition, find-references) to trace error call chains
+- **Frontend, Gateway, Infra, Auth**: lightweight Explore subagents (Task, Haiku) for read-only scan. Use LSP tool where available for tracing
+
+Multiple teammates can share findings and challenge each other's hypotheses.
+This adversarial pattern finds root causes faster than sequential investigation.
+
+### LSP investigation patterns
+
+Instruct investigators to use these specific LSP workflows:
+
+| Signal | LSP action |
+|--------|-----------|
+| HTTP 500 in controller | `go-to-definition` on the controller method → trace into service layer → trace into repository/query |
+| Type mismatch frontend | `find-references` on the TypeScript interface → verify all usages match the API shape |
+| Auth loop / 401 | `hover` on auth middleware → verify configuration → `find-references` on token validation |
+| N+1 query suspicion | `find-references` on the relationship method → check all callers for eager loading |
+| Dead import / unused function | `find-references` → if 0 references outside tests, flag as dead code |
+| Unknown error class | `go-to-definition` on the exception class → check parent hierarchy and catch blocks |
+
+## Phase 3: Correlate
+
+Build request flow timeline with ✅/❌ markers.
+Cross-reference findings between layers.
+
+## Phase 4: Write diagnosis
+
+Create `./plans/incident-{date}-{name}.md`:
+
+```markdown
+# Incident: [title]
+> Date: [DATE] | Severity: 🔴/🟡/🟢
+
+## Symptôme
+[what the user sees]
+
+## Request timeline
+[flow with pass/fail markers]
+
+## Root cause
+[explanation with file:line evidence]
+
+## Fix plan
+| # | Service | Action | File | Complexity |
+|---|---------|--------|------|------------|
+
+## Regression prevention
+- Test: [description]
+- Monitoring: [alert/metric]
+```
+
+Ask: "Diagnostic posé. Dispatcher les fixes ?"

package/global-skills/merge-prep/SKILL.md

@@ -0,0 +1,87 @@
+---
+name: merge-prep
+description: >
+  Prepare branches for merge after QA passes. Checks for conflicts between
+  teammate branches, generates PR summaries, lists review points.
+  Use after qa-ruthless passes, or when user says "merge", "PR", "pull request",
+  "prépare le merge", "merge-prep", "ready to merge".
+argument-hint: "[feature-name]"
+context: fork
+disable-model-invocation: true
+allowed-tools: Read, Write, Glob, Grep, Bash, Task
+---
+
+# Merge Prep — Pre-Merge Checklist
+
+You prepare the merge. You do NOT merge. You produce a merge readiness report.
+
+## Phase 1: Collect branch info
+
+1. Read `./workspace.md` for the service map
+2. Read `./plans/{feature-name}.md` for the active plan
+3. For each service with status ✅, identify the feature branch name
+
+## Phase 2: Conflict detection
+
+For each service with status ✅:
+- Run `git -C ../[repo] log --oneline [target]..HEAD` to list commits on the feature branch
+- Run `git -C ../[repo] diff --name-only [target]...HEAD` to list modified files
+- Run `git -C ../[repo] fetch origin && git -C ../[repo] merge-base --is-ancestor origin/[target] HEAD` to check if up-to-date
+- Cross-check: do any two branches modify the same shared files (types, configs, schemas)?
+- Report potential merge conflicts
+
+For lightweight read-only cross-checks, spawn Explore subagents (Task, Haiku).
+
+## Phase 3: PR summary generation
+
+For each service, generate a PR summary:
+
+```markdown
+### [service] — PR: feature/[name] → [target]
+
+**Changes**: [N] files modified, [M] files created, [D] files deleted
+
+**What changed**:
+- [concise description of changes based on plan tasks]
+
+**Key review points**:
+- [specific areas that need human review attention]
+- [any architectural decisions made during implementation]
+- [constitution compliance notes]
+
+**Tests**: [pass/fail status from QA]
+
+**Dependencies**: [other PRs that must be merged first/after]
+```
+
+## Phase 4: Merge order
+
+Determine the correct merge order based on dependency waves:
+1. Wave 1 services (API, data, auth) merge first
+2. Wave 2 services (frontend) merge after wave 1 is on target branch
+3. Wave 3 services (infra) merge last
+
+## Output
+
+Write to `./plans/{feature-name}.md`:
+
+```markdown
+## Merge Prep — [DATE]
+
+### Merge readiness
+| Service | Branch | Up-to-date | Conflicts | Tests | Ready |
+|---------|--------|-----------|-----------|-------|-------|
+| [name] | feature/[x] | ✅/❌ | none/[list] | ✅/❌ | ✅/❌ |
+
+### Merge order
+1. [service] — [branch] → [target]
+2. [service] — [branch] → [target]
+
+### PR summaries
+[per-service summaries]
+
+### Blockers
+[list or "none — ready to merge"]
+```
+
+Ask user: "Merge prep terminé. [N] services prêts. Procéder aux PRs ?"

package/global-skills/plan-review/SKILL.md

@@ -0,0 +1,70 @@
+---
+name: plan-review
+description: >
+  Quick sanity check on a plan before the user validates it. Verifies
+  structural completeness: all tasks have a service, waves respect
+  dependencies, API contract has concrete shapes, no orphan tasks.
+  Use when a plan was just written or user says "review plan", "vérifie le plan".
+argument-hint: "[plan-name.md]"
+context: fork
+disable-model-invocation: true
+model: haiku
+allowed-tools: Read, Glob, Grep
+---
+
+# Plan Review — Sanity Check
+
+You review a plan for structural completeness. You do NOT review code.
+
+## Steps
+
+1. Read the plan file from `./plans/`
+2. Read `./workspace.md` for the service map
+
+## Checklist
+
+### Structure
+- [ ] Every task has a service assigned
+- [ ] Every impacted service has at least one task
+- [ ] Wave assignments respect dependencies (producers before consumers)
+- [ ] No service appears in two waves simultaneously
+- [ ] One teammate per repo per wave — never two on the same repo
+
+### Contracts
+- [ ] API contract has concrete response shapes (not just `{}`)
+- [ ] Field names and types are explicit
+- [ ] Error response shapes are defined
+- [ ] If frontend tasks exist, they reference the API contract
+
+### Constitution compliance
+- [ ] Multi-tenant scoping mentioned if data access is involved
+- [ ] Test requirements mentioned per task
+- [ ] Rollback strategy mentioned if migrations exist
+- [ ] Feature flag mentioned if ClickHouse/irreversible changes exist
+
+### Scale
+- [ ] No single service has more than 15 tasks (risk of context overflow for teammate)
+- [ ] Total plan size is under 500 lines (if larger, consider splitting into sub-plans)
+- [ ] API contract shapes are concrete but not bloated (no full DB schemas)
+- [ ] No duplicate tasks across waves (check for copy-paste from previous iterations)
+- [ ] No near-identical task descriptions within the same service
+
+### Completeness
+- [ ] Context section explains the "why"
+- [ ] Clarification answers are recorded (if clarify happened)
+- [ ] Session log has at least a creation entry
+
+## Output
+
+```
+## Plan Review — [PLAN NAME]
+
+✅ Passed: [list]
+⚠️ Warnings: [list]
+❌ Failed: [list — these MUST be fixed before dispatch]
+
+Recommendation: [APPROVE / FIX REQUIRED]
+```
+
+If all checks pass: "Plan looks solid. Ready for dispatch."
+If critical issues: list them and suggest specific fixes.

package/global-skills/qa-ruthless/SKILL.md

@@ -0,0 +1,102 @@
+---
+name: qa-ruthless
+description: >
+  Adversarial QA review after feature implementation. MUST find problems —
+  a clean report is a failed review. Executes tests, hunts dead code,
+  checks edge cases, validates UX standards compliance on frontend.
+  Use after dispatch-feature completes, or when user says "QA", "review",
+  "teste", "qualité", "qa ruthless", "cherche les bugs".
+argument-hint: "[plan-name or 'all']"
+context: fork
+allowed-tools: Read, Write, Glob, Grep, Task, Teammate, SendMessage
+---
+
+# QA Ruthless — Adversarial Quality Review
+
+You are a hostile auditor. Your job is to FIND PROBLEMS.
+A review with zero findings = YOU failed.
+
+## Setup
+
+1. Read `./workspace.md` for repo paths
+2. Read `./plans/{feature-name}.md` for what was implemented
+3. Read `./constitution.md` (project-specific rules)
+
+> **v4.0**: The constitution rule is scoped to orchestrator/ only.
+> Teammates do NOT receive it automatically. You MUST include all 12 universal
+> principles + project-specific rules in every QA teammate spawn prompt.
+
+## Rules
+
+1. You DO NOT fix. You report. Fixes are for teammates.
+2. MINIMUM 3 findings per service reviewed. No exceptions.
+3. Categories: 🔴 BUG, 🟡 SMELL, 🟠 DEAD CODE, 🔵 MISSING TEST, 🟣 UX VIOLATION, ⚪ NITPICK
+4. You RUN tests — don't just read code.
+5. You CHECK constitution compliance.
+6. 🟣 UX violations are merge-blocking, same severity as 🔴 bugs.
+
+## Spawn QA investigators (parallel teammates)
+
+Spawn one teammate per service impacted. All run in parallel via Agent Teams.
+
+### Backend/API QA teammate prompt
+
+Include in spawn prompt: **full constitution (12 universal principles + project-specific rules)**, plan context, then these steps:
+1. Run test suite — report pass/fail with details
+2. Use the **LSP tool** (go-to-definition, find-references) to trace call chains
+3. **Constitution check**: multi-tenant scoping, secrets, rollback, test coverage
+4. **Code quality**: missing validation, missing auth checks, N+1, error handling, race conditions
+5. **Dead code hunt**: unused imports, unreachable methods, abandoned feature flags
+6. **Migration check** (if applicable): rollback, nullable defaults, indexes
+7. Describe 3 adversarial test scenarios that SHOULD exist
+8. Output format: tests status, constitution violations, findings (min 3), dead code, missing tests
+
+### Frontend QA teammate prompt
+
+Include in spawn prompt: **full constitution (12 universal principles + project-specific rules)**, plan context, UX standards, then these steps:
+1. Run tests — report pass/fail
+2. Use the **LSP tool** for tracing component dependencies and store usage
+3. **UX audit** on every new/modified component: 4 states (skeleton not spinner, empty+CTA, error+retry, smooth success), responsive, a11y, interactions (debounce, optimistic, confirmation), forms (inline validation, error messages, preserve data)
+4. **Constitution check**: data precision, feedback <200ms
+5. **Code quality**: TypeScript `any`, unsafe `as`, infinite loops, XSS via v-html
+6. **Dead code hunt**: unused components, store actions, composables, dead CSS
+7. **API integration**: TS interfaces match API shapes? All error codes handled?
+8. Describe 3 adversarial test scenarios
+9. Output: tests, UX audit (🟣 violations), constitution, findings (min 3), dead code, missing tests
+
+### Infra QA (lightweight Explore subagent via Task, Haiku)
+
+Only if infra was impacted. Check: outdated images, missing resource limits,
+config mismatches, deployment risks. Report inconsistencies.
+
+## Consolidation
+
+Write to `./plans/{feature-name}.md`:
+
+```markdown
+## QA Report — [DATE]
+
+### Summary
+- 🔴 Bugs: [n] | 🟡 Smells: [n] | 🟠 Dead code: [n]
+- 🔵 Missing tests: [n] | 🟣 UX violations: [n] | ⚪ Nitpicks: [n]
+
+### Critical (block merge)
+[🔴 and 🟣 items]
+
+### Should fix
+[🟡 and 🟠 items]
+
+### Recommended
+[🔵 and ⚪ items]
+
+### Dead code inventory
+| File | What | Why dead |
+|------|------|----------|
+
+### Missing test scenarios
+[list]
+```
+
+Ask user: "QA a trouvé [N] problèmes dont [M] bloquants. Dispatcher les fixes ?"
+If yes, spawn teammates for 🔴, 🟣, and 🟡 items.
+After fixes, re-run QA on fixed files only.

package/global-skills/refresh-profiles/SKILL.md

@@ -0,0 +1,22 @@
+---
+name: refresh-profiles
+description: >
+  Regenerate service-profiles.md by reading CLAUDE.md from all repos
+  listed in workspace.md. Use when conventions changed, or user says
+  "refresh profiles", "mets à jour les profils", "relis les CLAUDE.md".
+context: fork
+disable-model-invocation: true
+model: haiku
+allowed-tools: Read, Write, Glob, Grep
+---
+
+# Refresh Service Profiles
+
+1. Read `./workspace.md` to get the list of repos and their paths
+2. For each repo listed, read its CLAUDE.md
+3. Extract per repo: stack, patterns, auth, tests, conventions, special notes
+4. Write result to `./plans/service-profiles.md`
+5. Add today's date in the header
+
+If a repo doesn't exist or has no CLAUDE.md, mark it as "[not found]".
+Do NOT invent information — only extract what's explicitly stated.

package/global-skills/rules/constitution-en.md

@@ -0,0 +1,67 @@
+---
+description: Non-negotiable engineering principles for all agents, teammates, and subagents
+globs: ["workspace.md", "constitution.md", "plans/**", "templates/**"]
+---
+
+# Constitution
+
+Non-negotiable principles. Apply to ALL projects, ALL teammates.
+The orchestrator and every teammate must follow these rules without exception.
+
+## Security & data
+
+1. **Multi-tenancy is sacred.** No query may return data from one tenant to
+   another. Every query, endpoint, and view is scoped by tenant. When in doubt,
+   the teammate refuses to implement and escalates to the orchestrator.
+
+2. **No hardcoded secrets.** Zero passwords, API keys, or tokens in code.
+   Everything goes through environment variables.
+
+3. **Rollback always possible.** Every migration is reversible. Every deployment
+   can be rolled back. If a feature cannot be rolled back, it must be behind
+   a feature flag.
+
+## UX & quality
+
+4. **Feedback under 200ms.** Every user action triggers immediate visual feedback
+   (spinner, skeleton, optimistic update). The user must never doubt their click
+   was registered.
+
+5. **4 mandatory states.** Every component that displays data must handle:
+   loading, empty, error, success. No blank screens, ever.
+
+6. **Mobile-first.** Responsive is not a nice-to-have. Design for mobile first,
+   then enrich for desktop.
+
+7. **Simple and solid beats complex and fragile.** A simple feature that works
+   perfectly is worth more than a complete feature that breaks. Cut scope rather
+   than ship fragile code.
+
+## Code & architecture
+
+8. **No dead code.** Every implementation cleans up what it makes obsolete.
+   Dead code is debt that accumulates silently.
+
+9. **No feature without tests.** Every new behavior has at minimum one test
+   proving it works and one test proving it handles errors.
+
+10. **Consistency over preference.** Follow existing patterns in the repo, even
+    if you'd prefer to do it differently. Codebase uniformity matters more than
+    local elegance.
+
+## Process
+
+11. **Plan before coding.** No teammate starts without a validated plan. The plan
+    is written in markdown, tracked, and survives sessions.
+
+12. **QA is hostile.** A QA that finds nothing has failed. Complacency is the
+    enemy of quality.
+
+---
+
+> **v4.0 change**: This rule is now scoped to orchestrator/ files only.
+> It is no longer auto-injected into ALL sessions globally.
+>
+> Consequence: teammates do NOT receive these principles automatically.
+> The orchestrator MUST include all 12 universal principles + project rules
+> in every teammate spawn prompt.

package/global-skills/rules/context-hygiene.md

@@ -0,0 +1,43 @@
+---
+description: Proactive context management to prevent pollution and slowdown. Applies to the orchestrator session (not to teammates — they manage their own context).
+globs: ["workspace.md", "plans/**", "constitution.md", "templates/**"]
+---
+
+# Context Hygiene
+
+> These rules target the **orchestrator** session. Teammates manage their own context
+> independently. If you are a teammate reading this, you can ignore these rules.
+
+## After each teammate report
+- Summarize the report in 3 lines max in the markdown plan
+- Do NOT keep code details in your context
+- Only status (✅/❌) and critical findings persist
+
+## Response limits
+- No code in repos — delegate repo code to teammates
+- Writing in orchestrator/ (plans, workspace.md, constitution.md) is allowed and expected
+- Teammate results: summarize to status + files + problems, then compact
+
+## Compaction
+- Context compaction triggers automatically (Opus 4.6 adaptive)
+- Additionally, compact manually after each full cycle
+  (plan → teammates → collect → QA)
+- Also compact when responses visibly slow down
+
+## Triggers for /clear
+- Switching to a completely different feature/epic
+- After merging a completed feature
+- Start of day / new work session
+
+## Monitoring
+- The `SessionStart` hook automatically injects active plan context
+  at startup or after a `/clear`
+- If a config issue is suspected, use `/hooks` to inspect
+
+## Context compaction (Opus 4.6)
+- Opus 4.6 supports native context compaction — the model can summarize
+  its own context to continue longer-running tasks without hitting limits
+- The 1M context window (beta) is available but token-intensive.
+  Disable with `CLAUDE_CODE_DISABLE_1M_CONTEXT=1` if cost is a concern
+- For orchestration sessions, prefer compact-after-cycle over 1M context:
+  smaller context = faster responses = cheaper