claude-dev-env 1.50.2 → 1.50.4

package/_shared/pr-loop/audit-contract.md

@@ -21,7 +21,7 @@ Each finding an audit produces MUST be one of exactly two shapes.
   "id": "loop<N>-<K>",
   "file": "path/relative/to/repo/root.py",
   "line": 123,
-  "category": "A | B | C | D | E | F | G | H | I | J",
+  "category": "A | B | C | D | E | F | G | H | I | J | K | L | M | N",
   "severity": "P0 | P1 | P2",
   "excerpt": "verbatim code snippet from the offending line(s)",
   "failure_mode": "one sentence describing what goes wrong and when",
@@ -37,7 +37,7 @@ Used when an audit investigates a category and does NOT find a bug. Bare "verifi
 
 ```json
 {
-  "category": "A | B | C | D | E | F | G | H | I | J",
+  "category": "A | B | C | D | E | F | G | H | I | J | K | L | M | N",
   "files_opened": ["file1.py", "file2.py"],
   "lines_quoted": [
     {"file": "file1.py", "line": 88, "text": "verbatim line content"}
@@ -120,7 +120,7 @@ Sequence:
 3. Run `py_compile` (or language-equivalent) on each modified file.
 4. Compute `fix_diff` against pre-fix contents for the modified set.
 5. Run `bugteam_code_rules_gate.py` with explicit paths for every modified file.
-6. Spawn a scoped audit of `fix_diff` with full A–J rigor, Shape A/B contract, adversarial pass, AND Haiku secondary in parallel (paranoid mode on post-fix).
+6. Spawn a scoped audit of `fix_diff` with full A–N rigor, Shape A/B contract, adversarial pass, AND Haiku secondary in parallel (paranoid mode on post-fix).
 7. Read the previous loop's outcome XML (`<worktree_path>/.bugteam-pr<N>-loop<L-1>.outcomes.xml`) and obtain its total finding count. If this is the first loop (L <= 1) or the file does not exist, skip this comparison. Compute the post-fix total: previous total minus bugs fixed in this round plus new violations found in the post-fix audit (step 6). If the post-fix total exceeds the previous total, flag all new findings as same-loop fix-targets and revise. An increase in total findings across loop transitions is a regression.
 8. Any new findings become same-loop fix-targets. Internal iteration count increments by one.
 9. After 3 internal iterations with fresh findings each time, exit `stuck: post-fix audit not converging`.

package/audit-rubrics/category_rubrics/category-e-dead-code.md

@@ -1,6 +1,6 @@
 # Category E — Dead code and unused imports
 
-**What this category audits:** imports the diff adds but leaves unreferenced, functions defined but never called, branches unreachable due to a prior return, conditions that are always true or always false, parameters that are accepted but never used, removed-but-not-deleted symbols.
+**What this category audits:** imports the diff adds but leaves unreferenced (dead imports), functions defined but never called, code made unreachable by a prior return or raise (dead returns), conditions that are always true or always false (dead branches), parameters that are accepted but never used (dead parameters), local variables assigned but never read (dead locals), removed-but-not-deleted symbols.
 
 **Examples of Category E findings:**
 - A new `import` line with zero corresponding references in the file.
@@ -8,6 +8,7 @@
 - Code after an unconditional `return` or `raise`.
 - A condition like `if False:` or `while True: ... return` where the loop body always returns immediately.
 - An accepted parameter that the function body never uses.
+- A local variable assigned and never read afterward in the same function.
 
 **Companion reference:** see `../source-material-section-types.md`.
 
@@ -21,7 +22,7 @@
 | E2 | Functions / methods defined but never called | Internal helpers defined in this PR with no call sites in this PR or elsewhere. |
 | E3 | Code after unconditional return / raise / exit | Statements following a top-level `return`, `raise`, `sys.exit`, `os._exit` that cannot execute. |
 | E4 | Always-true / always-false conditions | `if True:` / `if False:` / conditions provably constant given context. |
-| E5 | Unused parameters | Parameters declared but never read inside the function body. |
+| E5 | Unused parameters and locals | Parameters declared but never read inside the function body; local variables assigned but never read afterward in the same scope. |
 | E6 | Removed-but-not-deleted symbol references | Symbols renamed/removed elsewhere with stale import or call sites left behind. |
 | E7 | Test fixtures / helpers defined but never used | Pytest fixtures, test data builders, mock factories with no callers. |
 | E8 | Stub / placeholder code without TODO | `pass`, `...`, `raise NotImplementedError` left without explanation or tracking. |

package/audit-rubrics/prompts/category-a-api-contracts.md

@@ -95,7 +95,7 @@ Lead: `Total: N (P0=N, P1=N, P2=N)`. For each sub-bucket A1–A9, produce Shape
 
 # Worked example: jl-cmd/claude-code-config PR #394 (May 2026 audit experiment)
 
-Audit jl-cmd/claude-code-config PR #394 for **Category A only** (API contract verification). Skip B–J. Sub-bucket forced-exhaustion mode: Category A is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category A only** (API contract verification). Skip B–N. Sub-bucket forced-exhaustion mode: Category A is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53

package/audit-rubrics/prompts/category-b-selector-engine-compat.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category B only** (selector / query / engine compatibility). Skip A, C–K. Sub-bucket forced-exhaustion mode: Category B is decomposed into 7 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category B only** (selector / query / engine compatibility). Skip A, C–N. Sub-bucket forced-exhaustion mode: Category B is decomposed into 7 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 [ARTIFACT METADATA: repo, ref/SHA, PR or commit range, file count, language matrix, declared engine/runtime/browser/DB targets — fill before running.]
 ID prefix: `find`.
@@ -80,7 +80,7 @@ Lead: `Total: N (P0=N, P1=N, P2=N)`. For each sub-bucket B1–B7, produce Shape
 
 # Worked example: jl-cmd/claude-code-config PR #394
 
-Audit jl-cmd/claude-code-config PR #394 for **Category B only** (selector / query / engine compatibility). Skip A, C–K. Sub-bucket forced-exhaustion mode: Category B is decomposed into 7 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category B only** (selector / query / engine compatibility). Skip A, C–N. Sub-bucket forced-exhaustion mode: Category B is decomposed into 7 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53

package/audit-rubrics/prompts/category-c-resource-cleanup.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category C only** (resource cleanup and lifecycle). Skip A, B, D–K. Sub-bucket forced-exhaustion mode: Category C is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category C only** (resource cleanup and lifecycle). Skip A, B, D–N. Sub-bucket forced-exhaustion mode: Category C is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 [ARTIFACT METADATA]
 - Repository / artifact: [REPO_OR_ARTIFACT_NAME]
@@ -98,7 +98,7 @@ Read-only. No edits, no commits.
 
 # Worked example: jl-cmd/claude-code-config PR #394
 
-Audit jl-cmd/claude-code-config PR #394 for **Category C only** (resource cleanup and lifecycle). Skip A, B, D–K. Sub-bucket forced-exhaustion mode: Category C is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category C only** (resource cleanup and lifecycle). Skip A, B, D–N. Sub-bucket forced-exhaustion mode: Category C is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53

package/audit-rubrics/prompts/category-d-scoping-and-ordering.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category D only** (variable scoping, ordering, and unbound references). Skip A–C, E–K. Sub-bucket forced-exhaustion mode: Category D is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category D only** (variable scoping, ordering, and unbound references). Skip A–C, E–N. Sub-bucket forced-exhaustion mode: Category D is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 [ARTIFACT METADATA]
 - Repo / artifact: [REPO_OR_ARTIFACT]
@@ -89,7 +89,7 @@ Lead: `Total: N (P0=N, P1=N, P2=N)`. For each sub-bucket D1–D8, produce Shape
 
 # Worked example: jl-cmd/claude-code-config PR #394
 
-Audit jl-cmd/claude-code-config PR #394 for **Category D only** (variable scoping, ordering, and unbound references). Skip A–C, E–K. Sub-bucket forced-exhaustion mode: Category D is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category D only** (variable scoping, ordering, and unbound references). Skip A–C, E–N. Sub-bucket forced-exhaustion mode: Category D is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53

package/audit-rubrics/prompts/category-e-dead-code.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category E only** (dead code and unused imports). Skip A–D, F–K. Sub-bucket forced-exhaustion mode: Category E is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category E only** (dead code and unused imports). Skip A–D, F–N. Sub-bucket forced-exhaustion mode: Category E is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 [ARTIFACT METADATA]
 - Repo / artifact: [REPO_OR_ARTIFACT_NAME]
@@ -43,8 +43,9 @@ Inline the artifact under this section using the section types defined in the ch
 - Runtime-bound conditions (parameter values, `os.path.isdir`, `Test-Path`, environment lookups) are not constant; state the runtime source.
 - Adversarial probes for proof-of-absence: (a) any `if 1:` / `if 0:` / `if True:` / `if False:` literals in the diff? (b) any condition of the form `if x:` where `x` was just assigned a literal in the line above? (c) any `assert True` / `assert False` in test bodies? (d) any short-circuit like `x or DEFAULT` where `x` was just constructed and is statically truthy?
 
-**E5. Unused parameters**
+**E5. Unused parameters and locals**
 - For every function or method introduced or modified by the artifact, verify each declared parameter is read at least once in the body (including in default-argument expressions for inner functions, in closures, or in type guards).
+- For every function or method introduced or modified by the artifact, verify each local variable assigned in the body is read at least once afterward in the same scope; an assignment whose value is never read is a dead local.
 - Tuple-unpack discards (`for path, _, _ in os.walk(...)`) are out of scope — E5 specifically scopes "function parameters never read"; state this exclusion explicitly.
 - `*args` / `**kwargs` / TypeScript rest spreads: confirm at least one consumer (forwarded to another call, iterated, indexed) or mark the parameter unused.
 - Cross-language parameter declarations (PowerShell `param(...)`, shell positional `$1..$N`, Bash `getopts`): confirm each named parameter has at least one body reference.
@@ -86,7 +87,7 @@ Note: most Category E findings are P2 (style / cleanup) unless the dead code mas
 
 # Worked example: jl-cmd/claude-code-config PR #394
 
-Audit jl-cmd/claude-code-config PR #394 for **Category E only** (dead code and unused imports). Skip A–D, F–K. Sub-bucket forced-exhaustion mode: Category E is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category E only** (dead code and unused imports). Skip A–D, F–N. Sub-bucket forced-exhaustion mode: Category E is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53
@@ -128,7 +129,7 @@ ID prefix: `find`.
 - `test_sweep_empty_dirs.py` line 13: `if str(_SCRIPTS_DIR) not in sys.path:` — runtime membership test; not constant.
 - Adversarial probes for proof-of-absence: (a) does the diff introduce any `if 1:` / `if 0:` / `if True:` / `if False:` literals? grep the diff text. (b) any condition of the form `if x:` where `x` was just assigned a literal in the line above? (c) any `assert True` or `assert False` in test bodies? (none — verify).
 
-**E5. Unused parameters**
+**E5. Unused parameters and locals**
 - `_log_walk_error(os_error: OSError) -> None` (line 14) — parameter `os_error` is read twice in the body (`os_error.filename`, `os_error.strerror`). Used.
 - `sweep(root: str, min_age_seconds: int) -> list[str]` (line 18) — `root` is passed to `os.walk` (line 21); `min_age_seconds` is read at line 26. Both used.
 - `_build_parser() -> argparse.ArgumentParser` (line 39) — zero parameters; nothing to verify.

package/audit-rubrics/prompts/category-f-silent-failures.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category F only** (silent failures). Skip A–E, G–K. Sub-bucket forced-exhaustion mode: Category F is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category F only** (silent failures). Skip A–E, G–N. Sub-bucket forced-exhaustion mode: Category F is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 [ARTIFACT METADATA]
 - Title / short description: [TITLE]
@@ -98,7 +98,7 @@ Lead: `Total: N (P0=N, P1=N, P2=N)`. For each sub-bucket F1-F8, produce Shape A
 
 # Worked example: jl-cmd/claude-code-config PR #394
 
-Audit jl-cmd/claude-code-config PR #394 for **Category F only** (silent failures). Skip A–E, G–K. Sub-bucket forced-exhaustion mode: Category F is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category F only** (silent failures). Skip A–E, G–N. Sub-bucket forced-exhaustion mode: Category F is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53

package/audit-rubrics/prompts/category-g-bounds-and-overflow.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category G only** (off-by-one, bounds, integer overflow). Skip A–F, H–K. Sub-bucket forced-exhaustion mode: Category G is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category G only** (off-by-one, bounds, integer overflow). Skip A–F, H–N. Sub-bucket forced-exhaustion mode: Category G is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 [ARTIFACT METADATA]
 - Repository / artifact: [REPO_OR_ARTIFACT]
@@ -61,7 +61,7 @@ Lead: `Total: N (P0=N, P1=N, P2=N)`. For each sub-bucket G1-G8, produce Shape A
 
 # Worked example: jl-cmd/claude-code-config PR #394
 
-Audit jl-cmd/claude-code-config PR #394 for **Category G only** (off-by-one, bounds, integer overflow). Skip A–F, H–K. Sub-bucket forced-exhaustion mode: Category G is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category G only** (off-by-one, bounds, integer overflow). Skip A–F, H–N. Sub-bucket forced-exhaustion mode: Category G is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53

package/audit-rubrics/prompts/category-h-security-boundaries.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category H only** (security boundaries). Skip A–G, I–K. Sub-bucket forced-exhaustion mode: Category H is decomposed into 10 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category H only** (security boundaries). Skip A–G, I–N. Sub-bucket forced-exhaustion mode: Category H is decomposed into 10 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 ## ARTIFACT METADATA — trust model
 
@@ -83,7 +83,7 @@ Note: Category H findings tend toward P0/P1 since they're security-relevant —
 
 # Worked example: jl-cmd/claude-code-config PR #394
 
-Audit jl-cmd/claude-code-config PR #394 for **Category H only** (security boundaries). Skip A–G, I–K. Sub-bucket forced-exhaustion mode: Category H is decomposed into 10 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category H only** (security boundaries). Skip A–G, I–N. Sub-bucket forced-exhaustion mode: Category H is decomposed into 10 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53

package/audit-rubrics/prompts/category-i-concurrency.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category I only** (concurrency hazards). Skip A–H, J–K. Sub-bucket forced-exhaustion mode: Category I is decomposed into [N] sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category I only** (concurrency hazards). Skip A–H, J–N. Sub-bucket forced-exhaustion mode: Category I is decomposed into [N] sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 [ARTIFACT METADATA — including: is this code single-threaded, threaded, asyncio, multiprocessing, or mixed? Name the runtime (CPython 3.x, Node, Go, JVM, .NET, PowerShell runspace, browser JS), the concurrency primitives actually present (`threading`, `asyncio`, `multiprocessing`, `concurrent.futures`, `Thread`, `goroutine`, `Promise`, `Task`, `Start-ThreadJob`, `ForEach-Object -Parallel`, etc.), and the inter-process surface (shared filesystem, shared DB, shared cache, shared queue, signals). State explicitly which primitives are absent so each sub-bucket has a Shape B basis.]
 
@@ -88,7 +88,7 @@ Lead: `Total: N (P0=N, P1=N, P2=N)`. For each sub-bucket I1–I8, produce Shape
 
 # Worked example: jl-cmd/claude-code-config PR #394
 
-Audit jl-cmd/claude-code-config PR #394 for **Category I only** (concurrency hazards). Skip A–H, J–K. Sub-bucket forced-exhaustion mode: Category I is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category I only** (concurrency hazards). Skip A–H, J–N. Sub-bucket forced-exhaustion mode: Category I is decomposed into 8 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53

package/audit-rubrics/prompts/category-j-code-rules-compliance.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category J only** (CODE_RULES.md compliance). Skip A–I, K. Sub-bucket forced-exhaustion mode: Category J is decomposed into 12 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category J only** (CODE_RULES.md compliance). Skip A–I, K–N. Sub-bucket forced-exhaustion mode: Category J is decomposed into 12 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 [ARTIFACT METADATA]
 - Artifact: [PR title / commit subject / file set / patch series]
@@ -100,7 +100,7 @@ Note: most Category J findings are P2 (style / cleanup) since they don't affect
 
 # Worked example: jl-cmd/claude-code-config PR #394
 
-Audit jl-cmd/claude-code-config PR #394 for **Category J only** (CODE_RULES.md compliance). Skip A–I, K. Sub-bucket forced-exhaustion mode: Category J is decomposed into 12 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #394 for **Category J only** (CODE_RULES.md compliance). Skip A–I, K–N. Sub-bucket forced-exhaustion mode: Category J is decomposed into 12 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: feat(scripts): add sweep-empty-dirs utility and scheduled-task installer
 Head SHA: 62c9c169ee7a44824e5da25c4cf8b74fdca08a53

package/audit-rubrics/prompts/category-k-codebase-conflicts.md

@@ -1,4 +1,4 @@
-Audit [REPO/ARTIFACT] [TARGET_ID] for **Category K only** (codebase conflicts — incomplete propagation). Skip A–J. Sub-bucket forced-exhaustion mode: Category K is decomposed into 9 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit [REPO/ARTIFACT] [TARGET_ID] for **Category K only** (codebase conflicts — incomplete propagation). Skip A–J, L–N. Sub-bucket forced-exhaustion mode: Category K is decomposed into 9 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 [ARTIFACT METADATA — including the BEFORE state of changed surfaces, so the agent can compare before vs after]
 
@@ -79,7 +79,7 @@ Lead: `Total: N (P0=N, P1=N, P2=N)`. For each sub-bucket K1-K9, produce Shape A
 
 Note: PR #397 is the K canonical case, NOT #394.
 
-Audit jl-cmd/claude-code-config PR #397 for **Category K only** (codebase conflicts — incomplete propagation). Skip A–J. Sub-bucket forced-exhaustion mode: Category K is decomposed into 9 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
+Audit jl-cmd/claude-code-config PR #397 for **Category K only** (codebase conflicts — incomplete propagation). Skip A–J, L–N. Sub-bucket forced-exhaustion mode: Category K is decomposed into 9 sub-buckets below. Each sub-bucket REQUIRES at least one Shape A finding OR exactly one Shape B proof-of-absence with **at least 3 adversarial probes** specific to that sub-bucket. A sub-bucket returning neither is a protocol gap.
 
 PR: fix(hooks): improve hedging-language guardrail to surface user questions
 Base SHA: 76f9c1a0048729b87c44626a3380dc840065c2fa (origin/main at PR open time)

package/docs/CODE_RULES.md

@@ -354,7 +354,7 @@ These principles cannot be reduced to a regex or AST visitor. They live in user-
 
 ### Audit-rubric reference
 
-For multi-file architectural reviews see [`packages/claude-dev-env/audit-rubrics/`](../audit-rubrics/). Categories A–F, I, K stay as agent rubrics rather than ⚡ blocking rules because they require multi-file reasoning that single-file hooks cannot perform.
+For multi-file architectural reviews see [`packages/claude-dev-env/audit-rubrics/`](../audit-rubrics/). Categories A–N are maintained as agent rubrics. Category J (CODE_RULES.md compliance) mirrors the ⚡ hook-enforced rules as an audit-side rubric; the other categories stay agent rubrics because they rest on multi-file reasoning beyond a single-file hook's reach.
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "claude-dev-env",
-    "version": "1.50.2",
+    "version": "1.50.4",
     "description": "Claude Code development standards — rules, hooks, agents, commands, and skills",
     "type": "module",
     "bin": {

package/skills/_shared/pr-loop/scripts/build_audit_prompt.py

@@ -1,7 +1,9 @@
 """Emit the complete AUDIT spawn prompt XML to stdout.
 
-Substitutes <context>, <scope>, <bug_categories>, <constraints>,
-<comment_posting>, and <output_format> blocks from CLI args.
+Builds <context> and <scope> from CLI args; <bug_categories>,
+<rubric_reference>, and <constraints> come from the shared constants in
+skills_pr_loop_constants; <comment_posting> and <output_format> are built
+inline.
 
 Usage:
   python scripts/build_audit_prompt.py --owner jl-cmd --repo claude-code-config --pr-number 422 --loop 1 --head-ref feat/branch --base-ref main --worktree-path <PATH> --run-temp-dir <PATH>
@@ -22,6 +24,7 @@ from _xml_utils import emit_pretty_xml
 from skills_pr_loop_constants.path_resolver_constants import (
     ALL_AUDIT_CATEGORY_ENTRIES,
     ALL_AUDIT_CONSTRAINT_TEXTS,
+    AUDIT_RUBRIC_REFERENCE_TEXT,
 )
 
 
@@ -74,6 +77,9 @@ def build_audit_prompt_xml(
         cat_elem = SubElement(bug_categories, "category", {"id": each_category_id})
         cat_elem.text = each_category_label
 
+    rubric_reference = SubElement(root, "rubric_reference")
+    rubric_reference.text = AUDIT_RUBRIC_REFERENCE_TEXT
+
     constraints = SubElement(root, "constraints")
     for each_constraint in ALL_AUDIT_CONSTRAINT_TEXTS:
         SubElement(constraints, "constraint").text = each_constraint
@@ -167,12 +173,12 @@ def main(all_arguments: list[str]) -> int:
     xml_output = emit_audit_prompt(
         owner=arguments.owner,
         repo=arguments.repo,
-        pr_number=getattr(arguments, "pr_number"),
+        pr_number=arguments.pr_number,
         loop=arguments.loop,
-        head_ref=getattr(arguments, "head_ref"),
-        base_ref=getattr(arguments, "base_ref"),
-        worktree_path=getattr(arguments, "worktree_path"),
-        run_temp_dir=getattr(arguments, "run_temp_dir"),
+        head_ref=arguments.head_ref,
+        base_ref=arguments.base_ref,
+        worktree_path=arguments.worktree_path,
+        run_temp_dir=arguments.run_temp_dir,
     )
     sys.stdout.write(xml_output)
     return 0

package/skills/_shared/pr-loop/scripts/skills_pr_loop_constants/path_resolver_constants.py

@@ -29,19 +29,29 @@ ALL_AUDIT_CONSTRAINT_TEXTS = [
 ]
 
 ALL_AUDIT_CATEGORY_ENTRIES = [
-    ("A", "Documentation / API call accuracy"),
-    ("B", "Type safety / boundary types"),
-    ("C", "Magic values / hardcoded constants"),
-    ("D", "Naming / banned identifiers"),
-    ("E", "Orphans / dead code"),
-    ("F", "Error handling / bare except"),
-    ("G", "Bounds / silent cap exits"),
-    ("H", "Testing / test quality"),
-    ("I", "Control flow / logic errors"),
-    ("J", "Architecture / SOLID violations"),
-    ("K", "Codebase conflicts / DRY"),
+    ("A", "API contract verification"),
+    ("B", "Selector / query / engine compatibility"),
+    ("C", "Resource cleanup and lifecycle"),
+    ("D", "Variable scoping, ordering, and unbound references"),
+    ("E", "Dead code and unused imports"),
+    ("F", "Silent failures"),
+    ("G", "Off-by-one, bounds, integer overflow"),
+    ("H", "Security boundaries"),
+    ("I", "Concurrency hazards"),
+    ("J", "CODE_RULES.md compliance"),
+    ("K", "Codebase conflicts (incomplete propagation)"),
+    ("L", "Behavior-equivalence for refactors"),
+    ("M", "Producer/consumer cardinality vs collection-type contract"),
+    ("N", "Test-name scenario verifier"),
 ]
 
+AUDIT_RUBRIC_REFERENCE_TEXT = (
+    "The category list above is a summary. The binding definition of each "
+    "category is its rubric file under $HOME/.claude/audit-rubrics/category_rubrics/ "
+    "(ready-to-send prompt variants under $HOME/.claude/audit-rubrics/prompts/). "
+    "Read the rubric files before auditing."
+)
+
 ALL_FIX_EXECUTION_STEPS = [
     "Read the finding and verify it against the current file at file:line.",
     "Write a failing test that reproduces the bug.",

package/skills/_shared/pr-loop/scripts/test_build_audit_prompt.py

@@ -0,0 +1,92 @@
+"""Tests pinning build_audit_prompt's emitted A-N category taxonomy."""
+
+from __future__ import annotations
+
+import importlib.util
+import re
+import sys
+from pathlib import Path
+from types import ModuleType
+from xml.etree.ElementTree import Element
+
+_SCRIPTS_DIR = Path(__file__).resolve().parent
+if str(_SCRIPTS_DIR) not in sys.path:
+    sys.path.insert(0, str(_SCRIPTS_DIR))
+
+from skills_pr_loop_constants.path_resolver_constants import (
+    ALL_AUDIT_CATEGORY_ENTRIES,
+)
+
+_CATEGORY_RUBRICS_DIR = _SCRIPTS_DIR.parents[3] / "audit-rubrics" / "category_rubrics"
+_HEADING_PATTERN = re.compile(r"^# Category ([A-N]) — (.+)$")
+
+
+def _load_build_audit_prompt() -> ModuleType:
+    module_path = _SCRIPTS_DIR / "build_audit_prompt.py"
+    spec = importlib.util.spec_from_file_location("build_audit_prompt", module_path)
+    assert spec is not None
+    assert spec.loader is not None
+    module = importlib.util.module_from_spec(spec)
+    sys.modules["build_audit_prompt"] = module
+    spec.loader.exec_module(module)
+    return module
+
+
+build_audit_prompt = _load_build_audit_prompt()
+
+
+def _rubric_label_by_letter() -> dict[str, str]:
+    assert _CATEGORY_RUBRICS_DIR.is_dir(), f"Missing rubric directory: {_CATEGORY_RUBRICS_DIR}"
+    all_labels: dict[str, str] = {}
+    for each_rubric_file in sorted(_CATEGORY_RUBRICS_DIR.glob("category-*.md")):
+        all_rubric_lines = each_rubric_file.read_text(encoding="utf-8").splitlines()
+        assert all_rubric_lines, f"Empty rubric file: {each_rubric_file}"
+        each_match = _HEADING_PATTERN.match(all_rubric_lines[0])
+        assert each_match is not None, f"Heading pattern not matched in {each_rubric_file}"
+        all_labels[each_match.group(1)] = each_match.group(2)
+    return all_labels
+
+
+def _build_audit_root() -> Element:
+    return build_audit_prompt.build_audit_prompt_xml(
+        owner="jl-cmd",
+        repo="claude-code-config",
+        pr_number=422,
+        loop=1,
+        head_ref="feat/branch",
+        base_ref="main",
+        worktree_path=Path("/tmp/bugteam-pr-422/worktree"),
+        run_temp_dir=Path("/tmp/bugteam-pr-422"),
+    )
+
+
+def test_bug_categories_carry_ids_a_through_n_in_order() -> None:
+    root = _build_audit_root()
+    bug_categories = root.find("bug_categories")
+    assert bug_categories is not None
+    all_emitted_ids = [each_category.get("id") for each_category in bug_categories]
+    all_expected_ids = list("ABCDEFGHIJKLMN")
+    assert all_emitted_ids == all_expected_ids
+
+
+def test_emitted_category_labels_match_constant_entries() -> None:
+    root = _build_audit_root()
+    bug_categories = root.find("bug_categories")
+    assert bug_categories is not None
+    label_by_id = {
+        each_category.get("id"): each_category.text for each_category in bug_categories
+    }
+    for each_category_id, each_category_label in ALL_AUDIT_CATEGORY_ENTRIES:
+        assert label_by_id[each_category_id] == each_category_label
+
+
+def test_category_labels_match_rubric_file_headings() -> None:
+    assert dict(ALL_AUDIT_CATEGORY_ENTRIES) == _rubric_label_by_letter()
+
+
+def test_rubric_reference_element_names_category_rubrics_directory() -> None:
+    root = _build_audit_root()
+    rubric_reference = root.find("rubric_reference")
+    assert rubric_reference is not None
+    assert rubric_reference.text is not None
+    assert "audit-rubrics/category_rubrics" in rubric_reference.text

package/skills/bugteam/CONSTRAINTS.md

@@ -2,7 +2,7 @@
 
 ## Constraints
 
-- **Full A–K audit every loop, no exceptions.** PR size, "focused audit," "team overhead," "CODE_RULES already passed" — not valid reasons. Empty `<findings/>` for any category is a valid result. The audit agent walks all A–K rubrics each loop.
+- **Full A–N audit every loop, no exceptions.** PR size, "focused audit," "team overhead," "CODE_RULES already passed" — not valid reasons. Empty `<findings/>` for any category is a valid result. The audit agent walks all A–N rubrics each loop.
 - **One run per invocation, multi-PR supported.** All PRs in a single /bugteam invocation share one `run_temp_dir`. Per-PR identity lives in the subagent name prefix (`bugfind-pr<N>-loop<L>` / `bugfix-pr<N>-loop<L>`) and the `<run_temp_dir>/pr-<N>/` subfolder containing that PR's git worktree, diff patches, and outcome XML files.
 - **Grant before any spawn, revoke before any return.** Step 0 grants project `.claude/**` permissions; Step 5 revokes. Both are mandatory. Revoke runs on every exit path including error, cap-reached, and stuck.
 - **Fresh subagent per loop.** Both bugfind and bugfix are spawned new each loop. Reusing a subagent across loops accumulates context inside that subagent's window — defeats clean-room.

package/skills/bugteam/PROMPTS.md

@@ -44,58 +44,30 @@ cd into `<worktree_path>` before any git or file operation.
   a `---` separator and a worked example against an authentic PR below —
   are in `$HOME/.claude/audit-rubrics/prompts/`):
 
-  A. API contract verification (signatures, return types, async/await correctness)
+  A. API contract verification
   B. Selector / query / engine compatibility
-  C. Resource cleanup and lifecycle (file handles, connections, processes, locks)
+  C. Resource cleanup and lifecycle
   D. Variable scoping, ordering, and unbound references
-  E. Dead code: dead parameters, dead locals, dead imports, dead branches, dead returns, and unused imports
-  F. Silent failures (catch-all excepts, unconditional success returns, missing error propagation)
-  G. Off-by-one, bounds, and integer overflow
-  H. Security boundaries (injection, path traversal, auth bypass, secret leakage)
-  I. Concurrency hazards (race conditions, missing awaits, shared mutable state)
-  J. Magic values and configuration drift
-  K. Codebase conflicts — a change updates one site of a pattern but a parallel
-     site in unchanged code stays stale, producing contradictory behavior;
-     the diff is internally consistent, the bug emerges only against unchanged
-     code (canonical example: jl-cmd/claude-code-config PR #397 r3210166636)
-  L. Behavior-equivalence for refactors. When the PR rewrites an existing
-     function (especially an enforcement check, parser, or path classifier),
-     compare the rewrite's edge-case handling against the sibling implementation
-     at the same git commit base. Pin the historically-valid inputs in a
-     `KNOWN_GOOD_INPUTS` table and assert each still passes. Cited in audits:
-     ccc#479 F1 (`#noqa` no-space variant dropped after a tokenize-based
-     refactor); ccc#479 F4 (bare `#` lookalike misclassified after refactor);
-     ccc#479 F5 (inline `#!` lookalike misclassified); ccc#479 F6 (early-exit
-     invariant dropped); ccc#472 F44 (`startswith('## Problem')` too loose vs
-     the sibling regex shape).
-  M. Producer/consumer cardinality vs collection-type contract. For each new
-     function returning `list[X]`, `Sequence[X]`, or `Iterable[X]`, ask
-     whether the return can contain duplicates and whether any downstream
-     consumer treats the value as a set. Subprocess-stdout parsers must return
-     `frozenset[Path]` or `dict.fromkeys`-deduplicated `list[Path]`.
-     Functions whose consumer is itself an `extend(...)` into a list pass;
-     functions with explicit "duplicates preserved" docstring text pass.
-     Cited in audits: pa#143 F10 (`_extract_paths_from_everything_cli_stdout`
-     duplicates → `RuntimeError` — the only High-severity crash bug in the
-     audit set); pa#136 F30 / F32 (duplicate content_id rows submit twice;
-     writeback ignores content_id key).
-  N. Test-name claims a scenario the body does not enter. Tests named
-     `test_*_at_*`, `test_*_under_*`, `test_*_when_*`, and `test_*_with_*`
-     must, via monkeypatch / fixture inspection, demonstrate the named
-     condition is in effect when the system under test runs. Path-decision
-     functions (registered in `*_path_exemptions.py` / `is_*_path` /
-     `_resolve_*_path` modules) must ship with a parametric matrix of
-     canonical edge cases (empty string, single filename, tilde, UNC,
-     drive-letter, symlinked, `..`-containing, trailing-slash). Tests with
-     neutral names (`test_returns_empty_list_on_x`) are unaffected. Cited
-     in audits: ccc#476 F5 / F21 / F23 / F26 / F27 (cross-platform
-     scenarios never exercised under the claimed conditions); pa#135 F11 /
-     F15 (string-shape and integration tests that exercise only the no-op
-     branch); pa#136 F50 (`<substring> not in executed_sql` assertion that
-     cannot fail because the substring shape never matches the real
-     fragment).
+  E. Dead code and unused imports
+  F. Silent failures
+  G. Off-by-one, bounds, integer overflow
+  H. Security boundaries
+  I. Concurrency hazards
+  J. CODE_RULES.md compliance
+  K. Codebase conflicts (incomplete propagation)
+  L. Behavior-equivalence for refactors
+  M. Producer/consumer cardinality vs collection-type contract
+  N. Test-name scenario verifier
 </bug_categories>
 
+<rubric_reference>
+  The category list above is a summary. The binding definition of each
+  category is its rubric file under
+  `$HOME/.claude/audit-rubrics/category_rubrics/` (ready-to-send prompt
+  variants under `$HOME/.claude/audit-rubrics/prompts/`). Read the rubric
+  files before auditing.
+</rubric_reference>
+
 <constraints>
   - Read-only on source code: the audit does not modify any source file.
   - Cite file:line for every finding.

package/skills/bugteam/SKILL.md

@@ -11,10 +11,10 @@ description: >-
 # Bugteam
 
 Audit–fix until convergence. Bugfind: `code-quality-agent`, fresh context each
-loop, auditing all A–K categories. Bugfix: `clean-coder`. Hard cap: 20 audit
+loop, auditing all A–N categories. Bugfix: `clean-coder`. Hard cap: 20 audit
 loops. Grant `.claude/**` at start, revoke always at end.
 
-The audit agent loads the A–K category rubrics from
+The audit agent loads the A–N category rubrics from
 `$HOME/.claude/audit-rubrics/{category_rubrics,prompts}/` alongside
 [`PROMPTS.md`](PROMPTS.md) and produces a single outcome XML per loop.
 
@@ -146,7 +146,7 @@ end-to-end mental model before starting Step 0.
 | Posting the end-of-pass audit review via `post_audit_thread.py` (APPROVE on CLEAN — the request event; GitHub stores it as `state=APPROVED` — REQUEST_CHANGES with inline anchored comments on DIRTY) | [§ Audit posting](#audit-posting) |
 | Posting per-finding fix replies via GitHub MCP `add_reply_to_pull_request_comment` (rendered with the unified template at [`_shared/pr-loop/audit-reply-template.md`](../../_shared/pr-loop/audit-reply-template.md)) | [reference/github-pr-reviews.md](reference/github-pr-reviews.md) |
 | Teardown, PR description rewrite via `pr-description-writer`, permission revoke, final report | [reference/teardown-publish-permissions.md](reference/teardown-publish-permissions.md) |
-| Spawn-prompt XML, A–K category bindings, outcome XML schemas | [PROMPTS.md](PROMPTS.md) |
+| Spawn-prompt XML, A–N category bindings, outcome XML schemas | [PROMPTS.md](PROMPTS.md) |
 | Per-category audit content (sub-buckets, decision criteria, ready-to-send Variant C templates) | `$HOME/.claude/audit-rubrics/{category_rubrics,prompts}/` |
 | Invariants and design rationale | [CONSTRAINTS.md](CONSTRAINTS.md), [reference/design-rationale.md](reference/design-rationale.md) |
 | Audit-contract finding shape (Shape A / B), Haiku secondary, post-fix self-audit | [reference/audit-contract.md](reference/audit-contract.md) |
@@ -159,11 +159,11 @@ end-to-end mental model before starting Step 0.
 - `SKILL.md` — this hub.
 - `reference/` — workflow detail per situation.
 - `scripts/` — utility scripts executed, not loaded as primary context.
-- `PROMPTS.md` — spawn XML, A–K category bindings, outcome schemas.
+- `PROMPTS.md` — spawn XML, A–N category bindings, outcome schemas.
 - `CONSTRAINTS.md` — invariants.
 - `EXAMPLES.md` — exit scenarios.
 - `sources.md` — doc URLs and verbatim quotes.
 - `~/.claude/audit-rubrics/` — installed by `npx claude-dev-env` from
-  `packages/claude-dev-env/audit-rubrics/`; the audit agent reads all A–K
+  `packages/claude-dev-env/audit-rubrics/`; the audit agent reads all A–N
   rubrics under `category_rubrics/` and prompts under `prompts/`. Required
   at audit time alongside `PROMPTS.md`.

package/skills/bugteam/reference/audit-and-teammates.md

@@ -116,7 +116,7 @@ Repeat until an exit condition fires.
 
 ## AUDIT action
 
-Spawn one audit agent that walks all A–K categories:
+Spawn one audit agent that walks all A–N categories:
 
 ```
 Agent(

package/skills/bugteam/reference/audit-contract.md

@@ -21,7 +21,7 @@ Each finding an audit produces MUST be one of exactly two shapes.
   "id": "loop<L>-<K>",
   "file": "path/relative/to/repo/root.py",
   "line": 123,
-  "category": "A | B | C | D | E | F | G | H | I | J | K",
+  "category": "A | B | C | D | E | F | G | H | I | J | K | L | M | N",
   "severity": "P0 | P1 | P2",
   "excerpt": "verbatim code snippet from the offending line(s)",
   "failure_mode": "one sentence describing what goes wrong and when",
@@ -37,7 +37,7 @@ Used when an audit investigates a category and does NOT find a bug. Bare "verifi
 
 ```json
 {
-  "category": "A | B | C | D | E | F | G | H | I | J | K",
+  "category": "A | B | C | D | E | F | G | H | I | J | K | L | M | N",
   "files_opened": ["file1.py", "file2.py"],
   "lines_quoted": [
     {"file": "file1.py", "line": 88, "text": "verbatim line content"}
@@ -89,7 +89,7 @@ After the primary finding list is complete, every audit runs a second pass again
 
 The audit must either produce new Shape A findings citing new file:line references not present in the first pass, or cite explicit Shape B adversarial-probe entries for each category it re-examined. An adversarial pass that returns "nothing new, confident first pass was complete" is REJECTED — produce evidence or findings, not confidence.
 
-For `/bugteam`, the single audit agent provides per-category coverage by walking all A–K rubrics in one invocation.
+For `/bugteam`, the single audit agent provides per-category coverage by walking all A–N rubrics in one invocation.
 
 ## Merge rules
 
@@ -113,7 +113,7 @@ Sequence:
 3. Run `py_compile` (or language-equivalent) on each modified file.
 4. Compute `fix_diff` against pre-fix contents for the modified set.
 5. Run `bugteam_code_rules_gate.py` with explicit paths for every modified file.
-6. Spawn a scoped audit of `fix_diff` with full A–K rigor, Shape A/B contract, adversarial pass, AND Haiku secondary in parallel (paranoid mode on post-fix).
+6. Spawn a scoped audit of `fix_diff` with full A–N rigor, Shape A/B contract, adversarial pass, AND Haiku secondary in parallel (paranoid mode on post-fix).
 7. Any new findings become same-loop fix-targets. Internal iteration count increments by one.
 8. After 3 internal iterations with fresh findings each time, exit `stuck: post-fix audit not converging`.
 9. Only when `gate_findings` empty AND `post_fix_findings` empty: `git add`, commit, push.

package/skills/bugteam/reference/design-rationale.md

@@ -2,7 +2,7 @@
 
 ## Core principle (expanded)
 
-One audit agent (`code-quality-agent`, opus) walks all A–K categories per loop. One fix agent (`clean-coder`, opus) addresses the audit's findings.
+One audit agent (`code-quality-agent`, opus) walks all A–N categories per loop. One fix agent (`clean-coder`, opus) addresses the audit's findings.
 
 Fresh-spawn clean-room isolation: each `Agent` call creates a new subagent with its own context window and no access to prior conversation. After the subagent writes its outcome XML and self-terminates, the lead reads the file. Results never accumulate in the lead’s context beyond the XML artifact. Verbatim Anthropic quotes and URLs: [`../sources.md`](../sources.md).
 

package/skills/findbugs/SKILL.md

@@ -88,16 +88,25 @@ The XML prompt skeleton:
 
 <bug_categories>
   Investigate each explicitly:
-  A. API contract verification (signatures, return types, async/await correctness)
+  A. API contract verification
   B. Selector / query / engine compatibility
-  C. Resource cleanup and lifecycle (file handles, connections, processes, locks)
+  C. Resource cleanup and lifecycle
   D. Variable scoping, ordering, and unbound references
   E. Dead code and unused imports
-  F. Silent failures (catch-all excepts, unconditional success returns, missing error propagation)
-  G. Off-by-one, bounds, and integer overflow
-  H. Security boundaries (injection, path traversal, auth bypass, secret leakage)
-  I. Concurrency hazards (race conditions, missing awaits, shared mutable state)
-  J. Magic values and configuration drift
+  F. Silent failures
+  G. Off-by-one, bounds, integer overflow
+  H. Security boundaries
+  I. Concurrency hazards
+  J. CODE_RULES.md compliance
+  K. Codebase conflicts (incomplete propagation)
+  L. Behavior-equivalence for refactors
+  M. Producer/consumer cardinality vs collection-type contract
+  N. Test-name scenario verifier
+
+  The category list above is a summary. The binding definition of each
+  category is its rubric file under $HOME/.claude/audit-rubrics/category_rubrics/
+  (ready-to-send prompt variants under $HOME/.claude/audit-rubrics/prompts/).
+  Read the rubric files before auditing.
 </bug_categories>
 
 <constraints>
@@ -256,18 +265,18 @@ Want me to run /fixbugs for the P0/P1 findings?
 User: `/findbugs`
 Claude: [resolves PR #42 from current branch, fetches full diff, spawns code-quality-agent foreground with self-contained prompt, returns]
 
-`1 P0 / 2 P1 / 0 P2 — 7 categories cleared`
+`1 P0 / 2 P1 / 0 P2 — 11 categories cleared`
 
 `P0 — race condition on shared cache write`
-`  src/cache.py:88 — concurrent writers can both pass the existence check before either writes (category: concurrency)`
+`  src/cache.py:88 — concurrent writers can both pass the existence check before either writes (category: I — Concurrency hazards)`
 
 `P1 — silent paste failure`
-`  utils/clipboard.py:33 — validated_paste returns success without verifying the post-paste state (category: silent failure)`
+`  utils/clipboard.py:33 — validated_paste returns success without verifying the post-paste state (category: F — Silent failures)`
 
 `P1 — unbound variable on early-exception path`
-`  src/processor.py:283 — scheduling_log referenced after try/finally where it may be unbound (category: scoping)`
+`  src/processor.py:283 — scheduling_log referenced after try/finally where it may be unbound (category: D — Variable scoping, ordering, and unbound references)`
 
-`Verified clean: API contract, selector compatibility, resource cleanup, dead code, off-by-one, security boundaries, magic values`
+`Verified clean: API contract, selector compatibility, resource cleanup, dead code, off-by-one, security boundaries, CODE_RULES.md compliance, codebase conflicts, behavior-equivalence, producer/consumer cardinality, Test-name scenario verifier`
 
 `Open questions: none`
 

package/skills/fixbugs/SKILL.md

@@ -33,7 +33,7 @@ Locate the most recent `/findbugs` output in the current conversation. For each
 
 - Severity (`P0` / `P1` / `P2`)
 - `file:line`
-- Category (the A–J letter or category name `/findbugs` reported)
+- Category (the A–N letter or category name `/findbugs` reported)
 - One-sentence description as `/findbugs` wrote it
 
 Apply the severity filter from `$ARGUMENTS` if present:

package/skills/pr-converge/SKILL.md

@@ -105,6 +105,15 @@ For each unresolved thread, verify the concern against current HEAD;
 either fix-and-resolve, or reply-with-note-and-resolve when the concern
 no longer applies.
 
+**Full-PR-diff rule: every CODE-REVIEW round (Step 5) and every BUGTEAM
+round (Step 6) covers the FULL `origin/main...HEAD` diff — every file
+the PR touches.** A round that scopes to a subset — only the last commit,
+only files touched since the prior clean SHA, only bugbot-flagged paths,
+or any other delta cut — does not satisfy the gate, and a "clean" verdict
+against a partial diff is not a valid clean. Re-run the round against the
+full diff before recording `code_review_clean_at` or treating the bugteam
+round as converged. This rule holds every tick, every loop, every PR.
+
 - [ ] **Step 0: Grant project permissions**
       `python "$HOME/.claude/skills/bugteam/scripts/grant_project_claude_permissions.py"`
 
@@ -159,12 +168,22 @@ no longer applies.
 
       Pre-condition: `bugbot_clean_at == current_head` (or `bugbot_down == true`).
 
-      Run Claude Code's built-in `/code-review --fix` on the current diff —
+      Run Claude Code's built-in `/code-review --fix` on the full
+      `origin/main...HEAD` diff —
       the [local diff review](https://code.claude.com/docs/en/code-review#review-a-diff-locally)
       — so it reviews the diff and applies its findings to the working
       tree. Pass no effort argument, so the review uses the session's
       current effort.
 
+      **Scope: the FULL `origin/main...HEAD` diff every tick** — every file
+      the PR touches. Do not delta-scope to commits added since the prior
+      clean SHA, do not scope to a single file, do not scope to bugbot's
+      flagged paths. Before running, confirm the working tree is on the
+      PR's HEAD with no uncommitted edits, then invoke `/code-review --fix`
+      with no path arguments so it audits the whole branch diff against
+      `origin/main`. A partial-scope round does not count and cannot set
+      `code_review_clean_at`.
+
       - [ ] **fixes applied** (working tree changed) →
             - [ ] Commit the applied fixes (one commit) → push
             - [ ] reset `bugbot_clean_at = null`, `code_review_clean_at = null`
@@ -187,6 +206,14 @@ no longer applies.
       `pr_converge_bugteam_enforcer` hook blocks it. `qbug` is NOT an accepted
       substitute; `bugteam` is the only allowed skill at this step.
 
+      **Scope: the FULL `origin/main...HEAD` diff every tick** — every file
+      the PR touches. Pass the PR URL as the sole argument so bugteam audits
+      the whole branch diff against `origin/main`. Do not pass a file list,
+      a path filter, a commit range, or any "just the new commits since
+      last clean" cut — bugteam owns its own discovery on the full PR diff.
+      A partial-scope round does not count and cannot satisfy the
+      converged-on-current-HEAD condition below.
+
       After bugteam completes, re-resolve HEAD.
 
       - [ ] **bugteam pushed new commits** →

package/skills/pr-converge/reference/per-tick.md

@@ -117,14 +117,23 @@ c. Decide (four branches; match first whose predicate holds):
 
 Local correctness/quality pass between BUGBOT clean and BUGTEAM. Enters
 after BUGBOT reports clean on `current_head` (or `bugbot_down == true`).
-Runs Claude Code's built-in `/code-review --fix` on the current diff; it
-produces no GitHub review artifact, so there are no code-review threads to
-resolve.
-
-a. Run Claude Code's built-in `/code-review --fix` on the current diff —
-   the [local diff review](https://code.claude.com/docs/en/code-review#review-a-diff-locally).
-   It reviews the diff and applies its findings to the working tree. Pass
-   no effort argument, so the review uses the session's current effort.
+Runs Claude Code's built-in `/code-review --fix` on the full
+`origin/main...HEAD` diff; it produces no GitHub review artifact, so there
+are no code-review threads to resolve.
+
+a. Run Claude Code's built-in `/code-review --fix` on the FULL
+   `origin/main...HEAD` diff — every file the PR touches — via the
+   [local diff review](https://code.claude.com/docs/en/code-review#review-a-diff-locally).
+   It reviews the diff and applies its findings to the working tree.
+
+   Before running, confirm the working tree sits on the PR's HEAD with no
+   uncommitted edits, then invoke `/code-review --fix` with no path
+   arguments so it audits the whole branch diff against `origin/main`. Do
+   not delta-scope to commits added since the prior clean SHA, do not
+   scope to a single file, do not scope to bugbot's flagged paths. A
+   partial-scope round does not count and cannot set
+   `code_review_clean_at`. Pass no effort argument, so the review uses
+   the session's current effort.
 
 b. Decide (two branches; match first whose predicate holds):
 
@@ -144,6 +153,13 @@ b. Decide (two branches; match first whose predicate holds):
 
 a. Run **bugteam** on current PR.
 
+   Pass the PR URL as the sole argument so bugteam audits the FULL
+   `origin/main...HEAD` diff — every file the PR touches. Bugteam owns
+   its own discovery on the full PR diff. Do not pass a file list, a
+   path filter, a commit range, or any "just the new commits since last
+   clean" cut. A partial-scope round does not count and cannot satisfy
+   the converged-on-current-HEAD condition in step (d).
+
    - **`Skill` invokable**: invoke bugteam
      with `Skill`.
 

package/skills/qbug/SKILL.md

@@ -3,7 +3,7 @@ name: qbug
 description: >-
   Required baseline review for every new PR. Runs the /bugteam audit → fix →
   commit → push cycle via one clean-coder subagent (not a full team), looping
-  until convergence or stuck. Uses the same CODE_RULES gate, A–J category
+  until convergence or stuck. Uses the same CODE_RULES gate, A–N category
   rubric, and per-loop PR review shape as /bugteam — without TeamCreate,
   teammates, per-loop clean-room, or a loop cap. Invoke /bugteam instead for
   larger PRs that need per-loop bias isolation or a hard loop cap. Triggers:
@@ -21,7 +21,7 @@ Shared artifacts with /bugteam are referenced below by path, using the `${CLAUDE
 
 - Pre-flight script: `${CLAUDE_SKILL_DIR}/../../_shared/pr-loop/scripts/preflight.py`
 - Code-rules gate script: `${CLAUDE_SKILL_DIR}/../../_shared/pr-loop/scripts/code_rules_gate.py`
-- Bug category rubric A–J: [`bugteam/PROMPTS.md`](../bugteam/PROMPTS.md#audit-spawn-prompt-xml-bugfind-teammate)
+- Bug category rubric A–N: [`bugteam/PROMPTS.md`](../bugteam/PROMPTS.md#audit-spawn-prompt-xml-bugfind-teammate)
 - **Audit contract** (finding schema, proof-of-absence, adversarial pass, Haiku secondary, post-fix self-audit, diagnostics JSON): [`bugteam/reference/audit-contract.md`](../bugteam/reference/audit-contract.md)
 - PR comment lifecycle shape: [`bugteam/SKILL.md`](../bugteam/SKILL.md#audit-posting)
 
@@ -117,7 +117,7 @@ Agent(
   subagent_type="code-quality-agent",
   model="haiku",
   description="qbug Haiku secondary audit for PR <number>",
-  prompt="<audit-only prompt: read the PR diff, apply A-J categories from <categories_file>, return structured findings. No FIX, no git add, no git commit, no git push.>",
+  prompt="<audit-only prompt: read the PR diff, apply A-N categories from <categories_file>, return structured findings. No FIX, no git add, no git commit, no git push.>",
   run_in_background=False
 )
 ```
@@ -188,7 +188,7 @@ The subagent receives this prompt and loops internally — the lead does not re-
 
        - Read the patch file.
        - Audit only added/modified lines. Read <categories_file> for the
-         A–J category definitions; investigate each category explicitly.
+         A–N category definitions; investigate each category explicitly.
        - Follow the shared audit contract at
          bugteam/reference/audit-contract.md. Per category: produce
          either a Shape A structured finding or a Shape B structured
@@ -444,7 +444,7 @@ Delete the resolved `<qbug_temp_dir>` tree and any `.qbug-*.md` temp files in th
 - **No loop cap.** Cycle runs until `converged`, `stuck`, or `error`. User can interrupt.
 - **Code rules gate before every AUDIT.** Same `validate_content` logic as /bugteam.
 - **One commit per FIX action.** Linear branch, fast-forward push only.
-- **Categories A–J.** Same rubric as [`bugteam/PROMPTS.md`](../bugteam/PROMPTS.md).
+- **Categories A–N.** Same rubric as [`bugteam/PROMPTS.md`](../bugteam/PROMPTS.md).
 - **One review per loop.** Anchored findings as `comments[]`; unanchored findings surface in the calling skill's user-facing output (chat reply to the user) rather than in the PR review body.
 - **PR description rewrite on every exit**, same as /bugteam Step 4.5.
 - **Temp file cleanup on every exit path.**

package/skills/qbug/test_qbug_skill_audit_schema.py

@@ -11,20 +11,21 @@ from pathlib import Path
 
 
 SKILL_FILE_PATH = Path(__file__).parent / "SKILL.md"
-PROMPTS_FILE_PATH = Path(__file__).parent.parent / "bugteam" / "PROMPTS.md"
 CONTRACT_FILE_PATH = (
     Path(__file__).parent.parent / "bugteam" / "reference" / "audit-contract.md"
 )
+CATEGORY_E_RUBRIC_FILE_PATH = (
+    Path(__file__).parent.parent.parent
+    / "audit-rubrics"
+    / "category_rubrics"
+    / "category-e-dead-code.md"
+)
 
 
 def _load_skill_text() -> str:
     return SKILL_FILE_PATH.read_text(encoding="utf-8")
 
 
-def _load_prompts_text() -> str:
-    return PROMPTS_FILE_PATH.read_text(encoding="utf-8")
-
-
 def _load_contract_text() -> str:
     return CONTRACT_FILE_PATH.read_text(encoding="utf-8")
 
@@ -136,21 +137,10 @@ def test_step2_spawn_should_reference_clean_coder_and_haiku_secondary() -> None:
     )
 
 
-def test_prompts_md_should_contain_expanded_category_e_dead_code_variants() -> None:
-    prompts_text = _load_prompts_text()
-    assert (
-        "dead parameter" in prompts_text.lower()
-        or "dead parameters" in prompts_text.lower()
-    ), "Category E must cover dead parameters"
-    assert (
-        "dead local" in prompts_text.lower() or "dead locals" in prompts_text.lower()
-    ), "Category E must cover dead locals"
-    assert (
-        "dead import" in prompts_text.lower() or "dead imports" in prompts_text.lower()
-    ), "Category E must cover dead imports"
-    assert (
-        "dead branch" in prompts_text.lower() or "dead branches" in prompts_text.lower()
-    ), "Category E must cover dead branches"
-    assert (
-        "dead return" in prompts_text.lower() or "dead returns" in prompts_text.lower()
-    ), "Category E must cover dead returns"
+def test_category_e_rubric_should_cover_expanded_dead_code_variants() -> None:
+    rubric_text = CATEGORY_E_RUBRIC_FILE_PATH.read_text(encoding="utf-8").lower()
+    assert "dead parameter" in rubric_text, "Category E must cover dead parameters"
+    assert "dead local" in rubric_text, "Category E must cover dead locals"
+    assert "dead import" in rubric_text, "Category E must cover dead imports"
+    assert "dead branch" in rubric_text, "Category E must cover dead branches"
+    assert "dead return" in rubric_text, "Category E must cover dead returns"

package/skills/refine/SKILL.md

@@ -164,7 +164,7 @@ Spawn `general-purpose` (`subagent_type: general-purpose`, foreground) with:
   - **Ambiguity** — no parked open questions where a decision is required for implementation to begin
   - **Implementer-readiness** — a downstream implementer can act on each step without back-and-forth (file paths named, agents named, change concrete)
 - A required return shape: structured findings as `severity (P0/P1/P2) | location | violation`, plus an explicit `CLEAN` verdict when no findings remain
-- An explicit instruction NOT to apply code-review rubrics (CODE_RULES categories A–K, API contracts, resource cleanup, etc.) — the audit target is a markdown plan, not source code
+- An explicit instruction NOT to apply code-review rubrics (CODE_RULES categories A–N, API contracts, resource cleanup, etc.) — the audit target is a markdown plan, not source code
 
 If the verdict is `CLEAN`: skip step 8 and proceed to step 10.