claude-code-scanner 1.0.0

package/template/.claude/skills/rollback/SKILL.md

@@ -0,0 +1,75 @@
+---
+name: rollback
+description: Rollback a failed deployment, revert code changes, or undo a workflow phase. Use when deployment fails, regressions are found, or a phase needs to be undone.
+user-invocable: true
+disable-model-invocation: true
+allowed-tools: Read, Bash, Grep, Glob
+argument-hint: "[deploy|code|phase] [task-id] [--to-commit SHA]"
+---
+
+# Rollback: $ARGUMENTS
+
+## Commands
+- `/rollback deploy TASK-id` — Rollback a failed deployment
+- `/rollback code TASK-id` — Revert all code changes from a task
+- `/rollback phase TASK-id --to-phase N` — Undo work back to phase N
+- `/rollback code --to-commit SHA` — Revert to a specific commit
+
+## Deploy Rollback
+1. **Identify**: Read task record for deployment details (Phase 11)
+2. **Verify**: Confirm which deployment to rollback (staging/production)
+3. **Execute**: Run rollback procedure:
+   ```bash
+   # If merge-based deployment:
+   git revert --no-commit HEAD
+   git commit -m "revert: rollback TASK-{id} deployment"
+   # Push and trigger deploy pipeline
+   ```
+4. **Health Check**: Verify service is healthy after rollback
+5. **Update Task**: Set status back to appropriate phase
+
+## Code Rollback
+1. **Identify**: Read changes log (`.claude/tasks/TASK-{id}_changes.log`) for all modified files
+2. **Branch State**: Check if changes are committed, staged, or unstaged
+3. **Revert Strategy**:
+   - If PR not merged: close PR, delete branch
+   - If committed but not pushed: `git reset` to pre-task commit
+   - If pushed but not merged: revert commits on branch
+   - If merged: create revert commit on main
+4. **Verify**: Run test suite to confirm clean state
+5. **Update Task**: Set status to CANCELLED or route back to earlier phase
+
+## Phase Rollback
+1. **Identify**: Read task record for phase history
+2. **Determine Scope**: What artifacts were created in the target phase range
+3. **Revert Files**: Undo file changes from phases N+1 through current
+4. **Preserve**: Keep task record timeline (add rollback event)
+5. **Reset State**: Update task status to target phase
+6. **Re-enter**: Resume workflow from target phase
+
+## Safety Checks
+- NEVER rollback without confirming with user first
+- NEVER force-push to main/master
+- ALWAYS create a revert commit rather than rewriting history
+- ALWAYS run tests after rollback to verify clean state
+- ALWAYS update the task record with rollback event in timeline
+
+## Output Format
+### Rollback Report
+- **Type:** deploy / code / phase
+- **Task:** TASK-{id}
+- **Rolled Back From:** phase/commit/deployment
+- **Rolled Back To:** phase/commit/state
+- **Files Reverted:** list
+- **Test Suite:** PASS/FAIL after rollback
+- **Status:** SUCCESS / PARTIAL / FAILED
+
+### HANDOFF
+```
+HANDOFF:
+  from: /rollback
+  to: @team-lead
+  reason: rollback [complete/failed]
+  artifacts: [revert commit, task record]
+  context: [what was rolled back and current state]
+```

package/template/.claude/skills/scan-codebase/SKILL.md

@@ -0,0 +1,59 @@
+---
+name: scan-codebase
+description: Deep-scan any codebase to fingerprint tech stack, architecture, conventions, and domain knowledge. Use when setting up Claude Code for an existing project.
+user-invocable: true
+context: fork
+allowed-tools: Read, Grep, Glob, Bash, Agent
+effort: high
+argument-hint: "[path-to-project]"
+---
+
+# Scan Codebase: $ARGUMENTS
+
+**Reference files in this skill directory:**
+- `tech-markers.md` — complete list of 100+ technology marker files to check
+- `deep-scan-instructions.md` — detailed instructions for backend, frontend, architecture, and domain scans
+
+Run 6 scanning agents using the Agent tool. Launch all 6 in a single message for maximum parallelism (Claude Code supports multiple Agent tool calls in one response). Each agent runs in its own subagent context and returns a structured report. If any agent fails (maxTurns or error), continue with the remaining agents — partial scan results are still valuable.
+
+## Agent 1: Technology Fingerprinter
+Rapid scan of marker files to identify everything present.
+
+Check for ALL of these (read actual file contents, not just names):
+
+**Languages:** package.json, requirements.txt, go.mod, Cargo.toml, pom.xml, *.csproj, Gemfile, composer.json, pubspec.yaml, mix.exs, build.sbt, CMakeLists.txt
+
+**Frameworks:** Read dependency files for React/Next/Remix, Vue/Nuxt, Angular, Svelte/SvelteKit, Django, Flask, FastAPI, Spring, Rails, Laravel, Express, NestJS, ASP.NET, Gin/Echo/Fiber
+
+**Databases:** prisma/schema.prisma, ormconfig, alembic/, migrations/, mongoose, redis, elasticsearch in dependencies
+
+**API:** openapi.yaml, *.graphql, *.proto, @trpc in package.json
+
+**Testing:** jest.config, vitest.config, cypress.config, playwright.config, pytest.ini, *_test.go, spec/
+
+**Infra:** Dockerfile, docker-compose, *.tf, k8s/, serverless.yml, .github/workflows/, .gitlab-ci.yml
+
+**Monorepo:** nx.json, turbo.json, lerna.json, pnpm-workspace.yaml
+
+For every marker found, READ the file to extract exact versions, scripts, and config.
+
+Output `TECH_MANIFEST` JSON with: project_name, project_type, languages[], frontend{}, backend{}, database{}, infrastructure{}, ci_cd{}, testing{}, monorepo{}, package_manager.
+
+## Agent 2: Directory Structure Scanner
+Map full tree up to 4 levels. Classify each directory: source, tests, config, docs, scripts, build output, generated (DO NOT MODIFY), vendor (skip).
+Identify: where handlers live, where services live, where models live, where types live, where tests live.
+
+## Agent 3: Backend Deep Scanner
+Read actual source files. Identify: runtime version, framework patterns (middleware, DI, routing), API layer (every route, validation, response format, auth), database layer (ORM, migrations, queries, transactions), background jobs, external integrations, logging, error handling.
+
+## Agent 4: Frontend Deep Scanner
+Read 3-5 actual components. Identify: framework + meta-framework, rendering mode (CSR/SSR/SSG), routing pattern, state management, component architecture (props, hooks, styling), build/bundle config, TypeScript config, API communication layer.
+
+## Agent 5: Architecture Mapper
+Trace a request end-to-end. Map: module boundaries, dependency graph, communication patterns, deployment topology, security architecture (auth flow, authz model), shared code.
+
+## Agent 6: Domain & Convention Extractor
+Read 20+ files to establish patterns. Extract: naming conventions (variables, files, directories, endpoints, DB tables), code style beyond linter config, error handling patterns, git conventions (from git log), TODO/FIXME/HACK comments, existing AI config (.cursorrules, CLAUDE.md).
+
+## Output
+Combine all 6 reports into a single structured document saved to `.claude/scan-results.md`.

package/template/.claude/skills/scan-codebase/deep-scan-instructions.md

@@ -0,0 +1,101 @@
+# Deep Scan Instructions
+
+## Backend Deep Scan (Agent 3)
+Read actual source files, not just configs.
+
+### Runtime & Framework
+- Exact language/runtime version (from config, CI, Dockerfile)
+- Module system (ESM, CommonJS, mixed)
+- Framework patterns: middleware chain, DI, router structure, error handlers
+- Custom abstractions on top of framework
+
+### API Layer
+- READ every route file — list all endpoints (method + path)
+- Request validation: Zod, Joi, Pydantic, class-validator
+- Response format: envelope, direct, HAL, JSON:API
+- Error format: codes, messages, status codes
+- Pagination: cursor, offset, keyset
+- Auth: JWT/session/OAuth — read the actual auth middleware
+- Authorization: RBAC/ABAC — read actual permission checks
+
+### Database Layer
+- ORM, connection pooling, migration strategy
+- Query patterns: raw SQL, query builder, repository, active record
+- Transaction handling, caching strategy, read replicas
+
+### Background & External
+- Job queues: Bull, Celery, Sidekiq
+- Events: pub/sub, domain events, message brokers
+- Third-party APIs, SDKs, file storage, search engines
+
+### Security & Observability
+- Password hashing, token validation, input sanitization
+- Logging library, format, levels, request tracing
+- Metrics, health checks, error tracking
+
+---
+
+## Frontend Deep Scan (Agent 4)
+Read 3-5 actual components.
+
+### Framework & Rendering
+- Exact version, rendering mode (CSR/SSR/SSG/ISR)
+- Component flavor: hooks, Composition API, class-based, signals
+
+### Routing & State
+- Router library, route definition pattern (file-based/config-based)
+- State: Redux/Zustand/Pinia/NgRx/Context
+- Server state: React Query/SWR/Apollo
+- Form state: React Hook Form/Formik
+
+### Component Architecture
+- File structure, naming, organization pattern
+- Prop patterns, common component patterns (compound, HOC, hooks)
+- Design system / UI library
+
+### Styling & Build
+- CSS Modules/Tailwind/styled-components/SCSS
+- Bundler config, env var prefix (NEXT_PUBLIC_, VITE_)
+- TypeScript strict mode, path aliases
+
+### Testing & API
+- Unit: Jest/Vitest + testing-library patterns
+- E2E: Cypress/Playwright patterns
+- HTTP client, API layer abstraction, error/loading handling
+
+---
+
+## Architecture Scan (Agent 5)
+- Trace a request end-to-end through all layers
+- Map module boundaries and dependency graph
+- Identify circular dependencies
+- Classify: monolith/modular monolith/microservices
+- Document deployment topology, CDN, load balancer
+- Map auth flow step-by-step
+- Identify shared code across modules/packages
+
+---
+
+## Domain & Convention Scan (Agent 6)
+Read 20+ files to establish patterns.
+
+### Naming (per context)
+- Variables, functions, classes/types, files, directories
+- Test names, API endpoints, DB tables/columns, env vars
+
+### Code Style (beyond linter)
+- Import ordering/grouping, export style
+- Ternary vs if-else preference, arrow vs function
+- Async patterns: await, .then(), callbacks
+
+### Conventions
+- Error types/classes, how errors propagate
+- Git commit format (from last 20 commits), branch naming
+- Documentation: JSDoc/docstring coverage, README structure
+
+### Gotchas
+- ALL TODO/FIXME/HACK comments with context
+- Workarounds with explanatory comments
+- Dead code, deprecated features still present
+- Implicit ordering dependencies, magic values
+- Existing AI config: .cursorrules, CLAUDE.md, .aider

package/template/.claude/skills/scan-codebase/tech-markers.md

@@ -0,0 +1,87 @@
+# Technology Marker Reference
+
+## Package Managers & Languages
+- **JavaScript/TypeScript:** package.json, yarn.lock, pnpm-lock.yaml, package-lock.json, bun.lockb, .npmrc, .nvmrc, .node-version
+- **Python:** requirements.txt, Pipfile, pyproject.toml, setup.py, setup.cfg, poetry.lock, conda.yml, tox.ini
+- **Go:** go.mod, go.sum
+- **Rust:** Cargo.toml, Cargo.lock
+- **Java/Kotlin:** pom.xml, build.gradle, build.gradle.kts, settings.gradle, gradlew, .mvn/
+- **C#/.NET:** *.csproj, *.sln, Directory.Build.props, nuget.config, global.json
+- **Ruby:** Gemfile, Gemfile.lock, .ruby-version
+- **PHP:** composer.json, composer.lock, artisan
+- **Dart/Flutter:** pubspec.yaml
+- **Swift:** Package.swift, *.xcodeproj, Podfile
+- **Elixir:** mix.exs
+- **Scala:** build.sbt
+- **C/C++:** CMakeLists.txt, Makefile, configure.ac, meson.build, vcpkg.json
+
+## Frameworks (read config to confirm version)
+- **React:** package.json → "react", "next", "gatsby", "remix"
+- **Vue:** package.json → "vue", "nuxt"
+- **Angular:** angular.json, package.json → "@angular/core"
+- **Svelte:** svelte.config.js, package.json → "svelte", "@sveltejs/kit"
+- **Django:** manage.py, settings.py, wsgi.py, asgi.py
+- **Flask:** app.py/wsgi.py → "from flask"
+- **FastAPI:** Python files → "from fastapi"
+- **Spring Boot:** pom.xml/build.gradle → "spring-boot"
+- **Rails:** config/routes.rb, Rakefile, bin/rails
+- **Laravel:** artisan, config/app.php, routes/web.php
+- **Express:** package.json → "express"
+- **NestJS:** package.json → "@nestjs/core", nest-cli.json
+- **ASP.NET:** *.csproj → "Microsoft.AspNetCore"
+- **Gin/Echo/Fiber:** go.mod → "gin-gonic", "labstack/echo", "gofiber"
+
+## Databases & ORMs
+- **Prisma:** prisma/schema.prisma
+- **TypeORM:** ormconfig.ts/json, "typeorm" in package.json
+- **SQLAlchemy:** "from sqlalchemy" in Python files
+- **Sequelize:** "sequelize" in package.json, .sequelizerc
+- **Drizzle:** drizzle.config.ts, "drizzle-orm" in package.json
+- **Mongoose:** "mongoose" in package.json
+- **Migrations:** migrations/, db/migrate/, alembic/, prisma/migrations/
+
+## APIs
+- **OpenAPI:** openapi.yaml, swagger.json
+- **GraphQL:** *.graphql, "graphql"/"apollo" in dependencies
+- **gRPC:** *.proto, buf.yaml
+- **tRPC:** "@trpc" in package.json
+
+## Testing
+- **Jest:** jest.config.*, "jest" in package.json
+- **Vitest:** vitest.config.*, "vitest" in package.json
+- **Cypress:** cypress.config.*, cypress/
+- **Playwright:** playwright.config.*, "@playwright/test" in package.json
+- **Pytest:** pytest.ini, conftest.py, [tool.pytest] in pyproject.toml
+- **Go test:** *_test.go files
+- **RSpec:** spec/, .rspec
+
+## Infrastructure
+- **Docker:** Dockerfile, docker-compose.yml, .dockerignore
+- **Kubernetes:** k8s/, kustomization.yaml, Chart.yaml
+- **Terraform:** *.tf, .terraform/
+- **Serverless:** serverless.yml, sam-template.yaml
+- **CI/CD:** .github/workflows/, .gitlab-ci.yml, Jenkinsfile, .circleci/config.yml
+
+## Monorepo
+- **Nx:** nx.json
+- **Turborepo:** turbo.json
+- **Lerna:** lerna.json
+- **pnpm:** pnpm-workspace.yaml
+- **Yarn:** "workspaces" in package.json
+- **Bazel:** WORKSPACE, BUILD
+
+## TECH_MANIFEST Output Schema
+```json
+{
+  "project_name": "", "project_type": "monorepo|fullstack|backend|frontend|library|cli|mobile",
+  "languages": [{"name": "", "version": "", "detected_from": ""}],
+  "frontend": {"exists": false, "framework": "", "version": "", "ui_library": "", "state_management": "", "routing": "", "styling": "", "bundler": "", "ssr": false, "root_dir": "", "entry_point": "", "dev_command": "", "build_command": "", "test_command": ""},
+  "backend": {"exists": false, "framework": "", "version": "", "language": "", "runtime_version": "", "api_style": "REST|GraphQL|gRPC|tRPC|mixed", "root_dir": "", "entry_point": "", "dev_command": "", "build_command": "", "test_command": ""},
+  "database": {"type": "", "orm": "", "migration_tool": "", "migration_dir": "", "schema_file": ""},
+  "infrastructure": {"containerized": false, "orchestration": "", "iac": "", "cloud": ""},
+  "ci_cd": {"platform": "", "config_file": ""},
+  "testing": {"unit": "", "integration": "", "e2e": "", "coverage_tool": ""},
+  "monorepo": {"tool": "", "packages": []},
+  "package_manager": ""
+}
+```

package/template/.claude/skills/setup-smithery/SKILL.md

@@ -0,0 +1,38 @@
+---
+name: setup-smithery
+description: Install Smithery skills and MCP servers matching the project tech stack. Use after /generate-environment.
+user-invocable: true
+disable-model-invocation: true
+allowed-tools: Read, Bash, Grep
+---
+
+# Setup Smithery: $ARGUMENTS
+
+Read `.claude/scan-results.md` for tech stack. Install matching skills and MCP servers.
+
+## Always Install
+```bash
+smithery skill add anthropics/skill-creator --agent claude-code
+smithery skill add anthropics/frontend-design --agent claude-code
+smithery skill add anthropics/webapp-testing --agent claude-code
+smithery skill add anthropics/mcp-builder --agent claude-code
+smithery skill add anthropics/pdf --agent claude-code
+```
+
+## Conditional on Tech Stack
+- React/Expo → `smithery skill search "react"`, Expo skills
+- shadcn/ui → shadcn skill
+- Playwright → anthropics/webapp-testing
+- Security code → Trail of Bits security skills
+- Docker/K8s → `smithery skill search "docker kubernetes"`
+- GitHub Actions → `smithery skill search "github actions"`
+
+## MCP Servers (scope to agents, max 5)
+- GitHub → @api-builder, @infra
+- PostgreSQL/MongoDB → @api-builder
+- Playwright → @frontend
+- AWS/GCP → @infra
+- Slack/Sentry → global (if used)
+
+## After Install
+Run `/context-check` to verify under 60%. Remove low-priority items if over budget.

package/template/.claude/skills/sync/SKILL.md

@@ -0,0 +1,239 @@
+---
+name: sync
+description: Detect drift between the Claude Code environment and the actual codebase. Updates CLAUDE.md, agents, skills, rules, hooks, and settings when roles change, dependencies update, or project structure evolves.
+user-invocable: true
+context: fork
+allowed-tools: Read, Edit, Write, Bash, Grep, Glob, Agent
+argument-hint: "[--check|--fix|--full-rescan] [--component agents|skills|rules|hooks|claude-md|all]"
+effort: high
+---
+
+# Sync: $ARGUMENTS
+
+Detect and resolve drift between the Claude Code environment (`.claude/`) and the actual project codebase.
+
+## Commands
+- `/sync` or `/sync --check` — Detect drift only, report what's stale (no changes)
+- `/sync --fix` — Detect drift and auto-fix all stale files
+- `/sync --fix --component agents` — Fix only agent files
+- `/sync --fix --component claude-md` — Fix only CLAUDE.md
+- `/sync --full-rescan` — Complete re-scan + regenerate everything (like fresh install)
+
+## When to Run
+- After adding/removing dependencies (`npm install`, `pip install`, etc.)
+- After adding/removing agents, skills, hooks, or rules manually
+- After major refactors that change file structure
+- After team role changes (new agent types needed, roles removed)
+- Periodically (weekly recommended) to catch gradual drift
+- At workflow Phase 1 (Task Intake) — automatic drift check before starting work
+
+---
+
+## Step 1: Read Current Manifest
+Read `.claude/manifest.json` if it exists. This tracks what was last generated and from what state.
+
+If manifest doesn't exist, create one from current state (first-time sync).
+
+## Step 2: Detect Drift (8 categories)
+
+### 2a: Agent Drift
+Compare `.claude/agents/*.md` against actual state:
+- **Added agents:** .md files in agents/ that aren't in manifest
+- **Removed agents:** manifest entries with no matching .md file
+- **Modified agents:** .md files newer than manifest timestamp
+- **CLAUDE.md agent table stale:** agents listed in CLAUDE.md vs actual agent files
+- **Workflow agent team stale:** agents in workflow SKILL.md agent table vs actual files
+- **commands-template stale:** agent @-mentions in commands doc vs actual files
+
+Check each agent for compliance:
+- Has required fields? (name, description, tools, model, maxTurns, effort, memory, HANDOFF, Limitations)
+- Read-only agents have permissionMode: plan + disallowedTools?
+- Dev agents have isolation: worktree?
+
+### 2b: Skill Drift
+Compare `.claude/skills/*/SKILL.md` against actual state:
+- **Added skills:** SKILL.md files not in manifest
+- **Removed skills:** manifest entries with no matching skill dir
+- **Modified skills:** SKILL.md files newer than manifest timestamp
+- **Missing frontmatter:** skills without name/description/user-invocable
+- **Missing context:fork:** heavy skills (>30 lines) without fork
+- **Stale cross-references:** skills referenced in generate-environment but not in skills dir
+
+### 2c: Hook Drift
+Compare `.claude/hooks/*.js` against settings.json:
+- **Orphan hooks:** .js files not registered in any settings.json hook event
+- **Missing hooks:** settings.json references a .js file that doesn't exist
+- **New hooks not registered:** .js files added to hooks/ but not in settings.json
+
+### 2d: Rule Drift
+Compare `.claude/rules/*.md` against codebase:
+- **Rules referencing non-existent paths:** `paths:` globs that match zero files
+- **Missing rules for new directories:** new source directories with no matching rule
+- **Stale content:** rules mentioning frameworks/patterns no longer in the project
+
+### 2e: CLAUDE.md Drift
+Compare root CLAUDE.md against actual project state:
+- **Tech stack stale:** versions in CLAUDE.md vs package.json/go.mod/Cargo.toml/etc.
+- **Commands stale:** build/test/lint commands in CLAUDE.md vs actual scripts
+- **Agent table stale:** agents listed vs actual .claude/agents/ files
+- **Key paths stale:** referenced directories/files that no longer exist
+- **Line count over limit:** CLAUDE.md exceeds 200 lines
+
+### 2f: Settings Drift
+Compare `.claude/settings.json` against hooks and project state:
+- **Hook events missing:** supported events without any hooks registered
+- **Permission patterns stale:** allow/deny patterns referencing commands that don't exist
+- **Missing env vars:** project requires env vars not documented in settings
+
+### 2g: Dependency/Tech Stack Drift
+Compare project dependencies against what was scanned:
+- Read package.json, go.mod, Cargo.toml, requirements.txt, etc.
+- Compare current dependency versions vs what's in CLAUDE.md tech stack
+- Detect: new frameworks added, frameworks removed, major version bumps
+- Flag: if a new framework means a new agent or rule is needed
+
+### 2h: Project Structure Drift
+Compare directory structure against what was scanned:
+- New source directories not covered by rules
+- Removed directories still referenced in rules/CLAUDE.md
+- New test directories not in testing rules
+- New config files not in infrastructure rules
+
+---
+
+## Step 3: Generate Drift Report
+
+Output drift report to stdout AND save to `.claude/reports/drift-report.md`:
+
+```markdown
+# Drift Report — {ISO timestamp}
+
+## Summary
+| Category | Status | Drift Items |
+|----------|--------|-------------|
+| Agents | {OK/STALE} | {count} changes |
+| Skills | {OK/STALE} | {count} changes |
+| Hooks | {OK/STALE} | {count} changes |
+| Rules | {OK/STALE} | {count} changes |
+| CLAUDE.md | {OK/STALE} | {count} changes |
+| Settings | {OK/STALE} | {count} changes |
+| Tech Stack | {OK/STALE} | {count} changes |
+| Structure | {OK/STALE} | {count} changes |
+| **Overall** | **{IN_SYNC/DRIFT_DETECTED}** | **{total}** |
+
+## Details
+### Agents
+- [ADDED] new-agent.md found in agents/ but not in manifest
+- [REMOVED] old-agent.md in manifest but no file on disk
+- [STALE] CLAUDE.md lists 12 agents but 14 agent files exist
+- [COMPLIANCE] agent-x.md missing memory: project field
+
+### Skills
+- [ADDED] new-skill/SKILL.md found but not in manifest
+- [STALE] workflow/SKILL.md modified after last sync
+...
+
+### CLAUDE.md
+- [STALE] Tech stack: react 18.2.0 in CLAUDE.md but 19.0.0 in package.json
+- [STALE] Agent table: 12 agents listed but 14 files exist
+- [STALE] Command: "npm test" in CLAUDE.md but "vitest" in package.json scripts
+...
+```
+
+---
+
+## Step 4: Auto-Fix (when `--fix` flag is present)
+
+### Fix Agent Drift
+1. **New agents:** Add to CLAUDE.md agent table, workflow agent team, commands-template
+2. **Removed agents:** Remove from CLAUDE.md, workflow, commands-template
+3. **Non-compliant agents:** Add missing fields (memory: project, HANDOFF, Limitations)
+4. **CLAUDE.md stale:** Regenerate agent table section from actual agent files
+
+### Fix Skill Drift
+1. **New skills:** Add to generate-environment skill list, commands-template
+2. **Removed skills:** Remove from generate-environment, commands-template
+3. **Missing frontmatter:** Add name/description from directory name
+4. **Missing fork:** Add `context: fork` to skills >30 lines
+
+### Fix Hook Drift
+1. **Orphan hooks:** Register in settings.json under appropriate event (guess from filename)
+2. **Missing hooks:** Remove from settings.json OR create placeholder .js
+3. **Unregistered hooks:** Add to settings.json with appropriate matcher
+
+### Fix Rule Drift
+1. **Dead path rules:** Update `paths:` to match current directory structure
+2. **New directories:** Create new rule files for uncovered source dirs
+3. **Stale content:** Flag for manual review (can't auto-update domain rules)
+
+### Fix CLAUDE.md
+1. **Tech stack:** Read dependency files, update version numbers
+2. **Commands:** Read package.json scripts (or equivalent), update Quick Commands section
+3. **Agent table:** Regenerate from actual `.claude/agents/*.md` files
+4. **Key paths:** Verify each path exists, remove dead paths, add new entry points
+5. **@imports:** Verify imported files exist
+
+### Fix Settings
+1. **Missing hook registrations:** Add entries for unregistered hooks
+2. **Dead permissions:** Remove allow/deny patterns for non-existent commands
+
+---
+
+## Step 5: Update Manifest
+
+After sync (check or fix), update `.claude/manifest.json`:
+
+```json
+{
+  "last_sync": "ISO timestamp",
+  "last_scan": "ISO timestamp of last /scan-codebase",
+  "environment_version": "1.0.0",
+  "agents": {
+    "team-lead.md": { "hash": "sha256...", "modified": "ISO timestamp" },
+    "architect.md": { "hash": "sha256...", "modified": "ISO timestamp" }
+  },
+  "skills": {
+    "workflow": { "hash": "sha256...", "modified": "ISO timestamp" }
+  },
+  "hooks": {
+    "session-start.js": { "hash": "sha256...", "registered_in": ["SessionStart"] }
+  },
+  "rules": {
+    "context-budget.md": { "hash": "sha256...", "paths": ["**/*"] }
+  },
+  "tech_stack": {
+    "package.json": { "hash": "sha256...", "modified": "ISO timestamp" },
+    "go.mod": null
+  },
+  "claude_md": {
+    "hash": "sha256...",
+    "line_count": 62,
+    "agents_listed": 12
+  },
+  "project_structure": {
+    "source_dirs": ["src/", "lib/"],
+    "test_dirs": ["tests/", "__tests__/"],
+    "config_files": ["package.json", "tsconfig.json"]
+  }
+}
+```
+
+---
+
+## Step 6: Output Summary
+
+```
+SYNC RESULT
+===========
+Status:     {IN_SYNC / DRIFT_DETECTED / FIXED}
+Categories: {N}/8 in sync
+Drift:      {N} items found
+Fixed:      {N} items auto-fixed (if --fix)
+Manual:     {N} items need manual review
+
+Next: {recommendation}
+  - "All synced. No action needed."
+  - "Run /sync --fix to auto-repair N items."
+  - "N items need manual review — see .claude/reports/drift-report.md"
+  - "Major drift detected. Consider /sync --full-rescan."
+```

package/template/.claude/skills/task-tracker/SKILL.md

@@ -0,0 +1,40 @@
+---
+name: task-tracker
+description: Track task progress across all SDLC phases. Use when asking about task status, progress, blockers, or needing reports.
+user-invocable: true
+allowed-tools: Read, Write, Edit, Bash, Grep, Glob
+context: fork
+argument-hint: "create|status|update|report|dashboard|history|blockers|metrics [args]"
+---
+
+# Task Tracker: $ARGUMENTS
+
+## Commands
+- `/task-tracker create "title"` — Create task in `.claude/tasks/TASK-{id}.md`
+- `/task-tracker status [TASK-id]` — Dashboard or single task status
+- `/task-tracker update TASK-id phase=N status=STATE` — Update state
+- `/task-tracker update TASK-id blocked="reason" owner="who"` — Log blocker
+- `/task-tracker update TASK-id unblocked` — Clear blocker
+- `/task-tracker report [TASK-id]` — Full detail report
+- `/task-tracker dashboard` — Visual dashboard
+- `/task-tracker history [TASK-id]` — Timeline of events
+- `/task-tracker blockers` — All open blockers
+- `/task-tracker metrics` — Aggregate performance
+
+## Task States
+BACKLOG → INTAKE → ANALYZING → DESIGNING → APPROVED → DEVELOPING → DEV_TESTING → REVIEWING → CI_PENDING → QA_TESTING → QA_SIGNOFF → BIZ_SIGNOFF → TECH_SIGNOFF → DEPLOYING → MONITORING → CLOSED
+(+ BLOCKED, CANCELLED, ON_HOLD at any state)
+
+## Task Record (`.claude/tasks/TASK-{id}.md`)
+Frontmatter: id, title, type, scope, complexity, priority, status, branch, pr, created, updated
+Sections: Current Status, Timeline (every event with timestamp/agent/duration), Phase Details (1-12), Blockers Log, Decision Log, Risk Register
+
+## Bug Tracking
+Bugs logged as: BUG-{task_id}-{number} with severity (P0-P4), steps to reproduce, expected/actual, evidence, status tracking (OPEN → IN_PROGRESS → FIXED → QA_VERIFY → VERIFIED/REOPENED → CLOSED)
+
+## Reports (use /progress-report for stakeholder-specific)
+- dev: files changed, test results, agent activity, commands
+- qa: what changed, test scenarios, regression risks, environment
+- business: acceptance criteria status, progress bar, ETA
+- management: portfolio table, health indicators, blockers
+- executive: status light, key metrics, trends

package/template/.claude/skills/validate-setup/SKILL.md

@@ -0,0 +1,30 @@
+---
+name: validate-setup
+description: Validate the generated Claude Code environment meets all standards. Use after /generate-environment completes.
+user-invocable: true
+context: fork
+allowed-tools: Read, Bash, Grep, Glob
+---
+
+# Validate Setup
+
+## Checks
+1. **CLAUDE.md** — exists, under 150 lines (recommended under 200), no `{placeholder}` values
+2. **Rules** — each under 50 lines, has `paths:` frontmatter for scoped rules
+3. **Agents (12 required)** — each has name/description/tools, SDLC role agents present (team-lead, architect, product-owner, qa-lead), read-only agents have `permissionMode: plan` and `disallowedTools`, dev agents have `isolation: worktree`, all have `memory: project`, all have structured output format and HANDOFF block and Limitations section
+4. **Skills** — each has name/description, heavy ones have `context: fork`, user-facing have `argument-hint`, dangerous ones have `disable-model-invocation: true`
+5. **Settings** — valid JSON, has `permissions.defaultMode`, `permissions.allow`, `permissions.deny`, `env`, all hooks registered
+6. **Hooks** — Node.js scripts exist and are valid, all hooks in settings.json point to existing files
+7. **Templates** — extracted from real code (not generic)
+8. **.gitignore** — includes settings.local.json, tasks/, reports/
+9. **Commands work** — build, test, lint commands actually execute
+10. **Context budget** — total always-loaded under 200 lines, run `/context`
+11. **Handoff protocol** — workflow skill includes structured HANDOFF format
+12. **Loop tracking** — task record schema includes Loop State section
+
+## Run verification script
+```bash
+node .claude/scripts/verify-setup.js
+```
+
+Report results as PASS/FAIL/WARN with specific fix instructions for failures.