devrites 1.19.0 → 2.1.0

package/CHANGELOG.md

@@ -2,12 +2,30 @@
 
 All notable changes to DevRites are documented here. The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and DevRites adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). Releases are generated automatically by [semantic-release](https://semantic-release.gitbook.io/) from Conventional Commits on `main`.
 
-## [1.19.0](https://github.com/ViktorsBaikers/DevRites/compare/v1.18.0...v1.19.0) (2026-06-22)
+## [2.1.0](https://github.com/ViktorsBaikers/DevRites/compare/v2.0.0...v2.1.0) (2026-06-23)
 
-### Features
+### Added
+
+* **agents:** perf reviewer gets Source/Measured CWV modes ([be82b20](https://github.com/ViktorsBaikers/DevRites/commit/be82b20b37252a9f55d77e0f71659ec58a213ca6))
+
+## [2.0.0](https://github.com/ViktorsBaikers/DevRites/compare/v1.18.0...v2.0.0) (2026-06-23)
+
+### ⚠ BREAKING CHANGES
+
+* **installer:** drop the Claude Code plugin install path
+
+### Added
 
 * **installer:** add npx devrites full-pack installer + npm publishing ([316a0d3](https://github.com/ViktorsBaikers/DevRites/commit/316a0d372dad1afe2fade08f0045370fd5b3d801))
 
+### Changed
+
+* **release:** group changelog by Added/Changed/Removed ([ea5772a](https://github.com/ViktorsBaikers/DevRites/commit/ea5772abca3d44ee1da496f3d904bcbe3b9ccc21))
+
+### Removed
+
+* **installer:** drop the Claude Code plugin install path ([beb825f](https://github.com/ViktorsBaikers/DevRites/commit/beb825fcb0738d4b03b32dce056871c80616ab49))
+
 ## [1.18.0](https://github.com/ViktorsBaikers/DevRites/compare/v1.17.0...v1.18.0) (2026-06-22)
 
 ### Features

package/README.md

@@ -94,13 +94,13 @@ Full diagram set (lifecycle, polish orchestrator, review fan-out, debug loop,
 rules carrier, workspace state, namespace map) →
 [`docs/flow.md`](docs/flow.md).
 
-**Status:** [`v1.19.0`](https://github.com/ViktorsBaikers/DevRites/releases/tag/v1.19.0) — see [`CHANGELOG.md`](CHANGELOG.md) for release notes.
+**Status:** [`v2.1.0`](https://github.com/ViktorsBaikers/DevRites/releases/tag/v2.1.0) — see [`CHANGELOG.md`](CHANGELOG.md) for release notes.
 
 ## Contents
 
 - [Why distributed skills](#why-distributed-skills-not-one-engine)
 - [Modes — HITL & AFK](#modes--hitl--afk)
-- [Install](#install) — [npx / bash (A, recommended)](#option-a-npx--bash-installer-recommended-full-install) · [plugin (B, partial)](#option-b-claude-code-plugin-partial--skills--agents-only)
+- [Install](#install) — [npx / bash](#installing) · [upgrade](#upgrading-an-existing-install)
 - [Recommended setup](#recommended-setup-optional-but-devrites-is-much-sharper-with-it) — codegraph · graphify · browser-harness
 - [Skills](#skills) — 31 total · full catalogue in [`docs/skills.md`](docs/skills.md)
 - [Typical workflow](#typical-workflow) · [Worked examples](docs/usage.md)
@@ -137,19 +137,10 @@ Full rationale: [`docs/architecture.md`](docs/architecture.md).
 ## Install
 
 DevRites installs **into a project** (project-local only — it never writes to
-`~/.claude`). Two install paths are supported:
+`~/.claude`). Install with `npx` (recommended) or the `curl | bash` one-liner —
+both run the same installer and ship skills, agents, **rules**, and aliases.
 
-| Path | Ships | When to use |
-|---|---|---|
-| **A. `npx` or bash installer** *(recommended)* | skills, agents, **rules**, aliases | full DevRites — `npx devrites@latest`, or `curl \| bash` on any Claude Code version |
-| B. Claude Code plugin | skills, agents *(no rules)* | Claude Code 2.1+ if you want plugin-managed updates and don't need the engineering rules |
-
-> **Heads-up:** the Claude Code plugin manifest only ships `skills/` and
-> `agents/` — there is no plugin field for the DevRites engineering rules.
-> If you install via the plugin you'll need a follow-up `--rules-only` bash
-> run to drop the rules into `.claude/rules/` (see Option B below).
-
-### Option A: npx / bash installer (recommended, full install)
+### Installing
 
 **Fastest — `npx` (Node 18+):**
 
@@ -209,7 +200,7 @@ Common flags:
 | `--force` | Overwrite existing non-DevRites files |
 | `--no-rules` | Skip the engineering rules |
 | `--no-agents` | Skip the review subagents |
-| `--rules-only` | Install only the engineering rules — pair with Option B below |
+| `--rules-only` | Install only the engineering rules |
 | `--short-aliases=all` | Add `/define`, `/build`, `/prove`, `/seal` short aliases (off by default) |
 
 Every installed file is recorded in `.claude/devrites.manifest` (with the installed
@@ -217,40 +208,6 @@ version and the original install flags in the header). `./uninstall.sh` removes
 exactly those files (and prunes empty dirs) — your feature data in
 `.devrites/work/` and `.devrites/ACTIVE` is preserved.
 
-### Option B: Claude Code plugin (partial — skills + agents only)
-
-```bash
-claude plugin marketplace add ViktorsBaikers/DevRites
-claude plugin install devrites@devrites-marketplace
-```
-
-The plugin runtime places **skills + agents** in their canonical Claude Code
-locations and lets you manage updates with `claude plugin update devrites`.
-Uninstall with `claude plugin uninstall devrites`.
-
-**The plugin does not install the DevRites engineering rules.** The Claude
-Code plugin manifest has no `rules` field — `core.md`, `afk-hitl.md`,
-`coding-style.md`, `testing.md`, `security.md`, and the rest of
-`.claude/rules/` won't be present. Many skills (`/rite-build`, `/rite-prove`,
-`/rite-polish`, …) cite those rules at runtime and degrade noticeably without
-them.
-
-To add the rules after a plugin install, run the bash installer in
-`--rules-only` mode:
-
-```bash
-# Drop only the engineering rules into the current project's .claude/rules/
-curl -fsSL https://raw.githubusercontent.com/ViktorsBaikers/DevRites/main/install.sh | bash -s -- --rules-only
-
-# Or target a specific project
-curl -fsSL https://raw.githubusercontent.com/ViktorsBaikers/DevRites/main/install.sh | bash -s -- --target /path/to/your/project --rules-only
-```
-
-This writes nothing outside `.claude/rules/` and records the rule files in
-`.claude/devrites.manifest`. Running `./uninstall.sh` later removes only
-what's in the manifest (just the rules in this case) — the plugin's own
-skills + agents are managed by `claude plugin uninstall devrites`.
-
 ### Upgrading an existing install
 
 **One-liner over the network**:
@@ -519,7 +476,7 @@ real UI state, and **prove both layers** (contract tests + browser proof).
 
 ```
 devrites/
-  .claude-plugin/      # plugin.json + marketplace.json (claude plugin install path)
+  bin/                 # devrites.mjs — npx CLI entry point (wraps install.sh)
   .github/             # workflows/ (ci, release, dependabot-auto-merge) + dependabot.yml
   .husky/              # commit-msg hook (Conventional Commits via commitlint)
   .releaserc.json      # semantic-release config (CHANGELOG, version sync, tarball, GitHub Release)
@@ -566,7 +523,7 @@ written by the installer (cf. CVE-2026-33068).
 
 - **Changelog:** [`CHANGELOG.md`](CHANGELOG.md) — Keep-a-Changelog + SemVer, regenerated by semantic-release on every release.
 - **Code of conduct:** [`CODE_OF_CONDUCT.md`](CODE_OF_CONDUCT.md) (Contributor Covenant 2.1).
-- **Code owners:** [`CODEOWNERS`](CODEOWNERS) — review required on `pack/`, `scripts/`, `install.sh`, `uninstall.sh`, `.claude-plugin/`.
+- **Code owners:** [`CODEOWNERS`](CODEOWNERS) — review required on `pack/`, `scripts/`, `install.sh`, `uninstall.sh`, `bin/`.
 - **Notices:** [`NOTICE.md`](NOTICE.md).
 - **CI:** GitHub Actions runs `scripts/validate.sh`, install/uninstall smoke, fixture install, commitlint, and the eval suite on every PR.
 - **Commits:** Conventional Commits enforced via husky + commitlint.
@@ -575,7 +532,7 @@ written by the installer (cf. CVE-2026-33068).
 ## License
 
 **Free to use, with approval gating redistribution.** Personal use and *listing this
-repository in plugin marketplaces* are permitted without approval. Any other use —
+repository in package registries or plugin marketplaces* are permitted without approval. Any other use —
 distributing it, distributing modified versions, mirroring as a fork, or commercial /
 organizational use — requires **approval on request** (ask via
 [the repo](https://github.com/ViktorsBaikers/DevRites)). Source-available. See

package/SECURITY.md

@@ -38,8 +38,8 @@ Once a `1.0` release ships, the latest two minor lines will be supported.
 ### Scope
 
 DevRites is a Claude Code **skills pack**: Markdown skill files, a few helper
-shell scripts, a bash installer, and (in plugin form) a `.claude-plugin/`
-manifest. It ships **no binary and no network service**. The only server is an
+shell scripts, a bash installer, and a thin `npx` CLI wrapper (`bin/devrites.mjs`)
+that shells out to that installer. It ships **no binary and no network service**. The only server is an
 **optional, opt-in MCP stdio server** (`mcp/devrites-mcp.mjs`) that speaks
 JSON-RPC over stdin/stdout (no port, no socket), is not installed or registered
 by default, and only shells out to the local `devrites` CLI — read/gate ops over
@@ -121,13 +121,13 @@ uninstall.
 The installer touches no global state. It does not invoke `sudo`, modify
 shell rc files, fetch remote code, or alter Claude Code settings.
 
-### Plugin install path
+### npx install path
 
-When installed via `claude plugin install devrites@devrites-marketplace`,
-the plugin runtime owns file placement. DevRites does not ship a post-install
-hook that modifies user files. The plugin manifest ships only skills and agents —
-the engineering rules are not delivered by the plugin and are never written into
-the user's `~/.claude/CLAUDE.md` (add them with a `--rules-only` bash install).
+When installed via `npx devrites@latest`, the CLI (`bin/devrites.mjs`) is a thin
+shim that runs the **bundled** `install.sh` against the pack shipped inside the npm
+package — no remote code is fetched at install time, and the install is pinned to
+the requested package version. It has no runtime npm dependencies and makes no
+global writes; the same project-local guarantees as the bash installer apply.
 
 ### Recommended Claude Code permissions for managed deployments
 

package/docs/release.md

@@ -3,10 +3,11 @@
 Releases are **fully automated** via [semantic-release](https://semantic-release.gitbook.io/): every push to `main` is analyzed; if the merged commits carry a `feat:`, `fix:`, `perf:`, `refactor:`, `build:`, `docs(README):` (or a `BREAKING CHANGE:` footer) the `.github/workflows/release.yml` job determines the next SemVer version and:
 
 1. Runs `scripts/validate.sh` + install / uninstall smoke tests.
-2. Syncs the new version into `package.json`, `.claude-plugin/plugin.json`, and `.claude-plugin/marketplace.json` (`scripts/sync-version.sh`).
-3. Builds a `dist/devrites-v<version>.tar.gz` release artifact via `scripts/build-release-tarball.sh` — the extractable bundle end-users get if they don't install via the plugin marketplace.
+2. Syncs the new version into `package.json` and the README status line (`scripts/sync-version.sh`).
+3. Builds a `dist/devrites-v<version>.tar.gz` release artifact via `scripts/build-release-tarball.sh` — the extractable bundle end-users get from the `curl | bash` installer.
 4. Regenerates `CHANGELOG.md` from the commits.
-5. Commits the version bump + changelog as `chore(release): <version> [skip ci]`, creates a git tag `v<version>`, and publishes a GitHub Release with the tarball attached.
+5. Publishes the `devrites` package to the npm registry (`@semantic-release/npm`, needs the `NPM_TOKEN` secret) — this is what `npx devrites@latest` resolves.
+6. Commits the version bump + changelog as `chore(release): <version> [skip ci]`, creates a git tag `v<version>`, and publishes a GitHub Release with the tarball attached.
 
 Local dry-run: `npm run release:dry` (shows the version bump + draft notes without publishing). The release job is gated by passing CI — a broken `main` won't ship.
 

package/install.sh

@@ -8,8 +8,6 @@
 #   ./install.sh --no-agents          skip the review subagents
 #   ./install.sh --no-rules           skip the DevRites engineering rules
 #   ./install.sh --rules-only         install only the engineering rules
-#                                     (use after `claude plugin install devrites`
-#                                      to add the rules the plugin can't ship)
 #   ./install.sh --short-aliases=all  install /define /build /prove /seal aliases
 #
 # Network install (no git clone needed):
@@ -308,10 +306,12 @@ fi
 
 # ---- detect installed version + flags (recorded in manifest header) -----
 DR_INSTALLED_VERSION="unknown"
-_plugin_json="$SELF_DIR/.claude-plugin/plugin.json"
-if [ -r "$_plugin_json" ]; then
+_pkg_json="$SELF_DIR/package.json"
+if [ -r "$_pkg_json" ]; then
   # Best-effort: extract the top-level "version" field without depending on jq.
-  DR_INSTALLED_VERSION="$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$_plugin_json" | head -n1)"
+  # package.json's first "version" key is the top-level one (devDependency keys
+  # are package names, not "version"), so head -n1 is safe.
+  DR_INSTALLED_VERSION="$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$_pkg_json" | head -n1)"
   [ -n "$DR_INSTALLED_VERSION" ] || DR_INSTALLED_VERSION="unknown"
 fi
 

package/pack/.claude/agents/devrites-performance-reviewer.md

@@ -1,6 +1,6 @@
 ---
 name: devrites-performance-reviewer
-description: Fresh-context, measure-first performance reviewer for /rite-seal. Use to independently review a DevRites feature diff for N+1s, hot-path work, payload/bundle size, and Core Web Vitals risks. Won't claim a slowdown without a number or a measurement to take.
+description: Fresh-context, measure-first performance reviewer for /rite-seal. Use to independently review a DevRites feature diff for N+1s, hot-path work, payload/bundle size, and Core Web Vitals risks. Runs in Source mode (static scan, findings tagged potential) or Measured mode (judges real Lighthouse/PSI/CrUX/trace numbers and leads with a source-labeled CWV scorecard). Won't claim a slowdown without a number or a measurement to take, and never presents lab data as field data.
 tools: Read, Grep, Glob, Bash
 hooks:
   PreToolUse:
@@ -17,19 +17,50 @@ You are measure-first: no performance claim without a number or a specified meas
 
 ## Inputs
 Workspace `.devrites/work/<slug>/`: read `spec.md` (any perf budget), `evidence.md`,
-`touched-files.md`. Run `git diff` and read the touched files.
+`touched-files.md`. Run `git diff` and read the touched files. Also look for Core Web
+Vitals artifacts — numbers already in `evidence.md`, a Lighthouse / PageSpeed Insights /
+CrUX JSON path the builder left, or a browser-proof capture in `browser-evidence.md`.
+
+Read the baseline checklist on demand (resolve the path like the readonly hook):
+```
+C=.claude/skills/rite-review/reference/performance-checklist.md
+[ -f "$C" ] || C="$CLAUDE_PLUGIN_ROOT/pack/.claude/skills/rite-review/reference/performance-checklist.md"
+[ -f "$C" ] || C=pack/.claude/skills/rite-review/reference/performance-checklist.md
+```
+
+## Two modes (the inputs set the mode, not a flag)
+- **Source mode** — default, no perf artifacts present. Scan the diff statically for
+  structural anti-patterns. Every frontend finding is **potential impact**, never a
+  measurement; name the command that would confirm it. Emit **no scorecard**.
+- **Measured mode** — a CWV artifact or a real number exists. Judge it against the
+  `spec.md` budget or the pre-change baseline, and lead with the scorecard.
+
+Source mode is the same discipline as the old "specify the measurement" — it just names
+the contract for when the scorecard appears.
 
 ## Review (feature scope)
-- **Backend** — N+1 queries, missing indexes on new queries, unbounded result sets,
-  per-request work that should be cached/batched, blocking sync work.
-- **Frontend (Core Web Vitals)** — LCP (oversized images, render-blocking work), CLS
-  (layout shift), INP (interaction latency), bundle growth, unnecessary re-renders.
+- **Backend** (always, every feature) — N+1 queries, missing indexes on new queries,
+  unbounded result sets, per-request work that should be cached/batched, blocking sync
+  work. *AI-codegen smell:* over-fetching "just in case", sequential `await`s where
+  `Promise.all` fits, redundant calls a dedup would collapse.
+- **Frontend (Core Web Vitals)** — only when the feature is UI-facing. Identify the
+  framework and rendering model first (React / Vue / Svelte / Angular / Next / Astro /
+  vanilla) and apply only that stack's idioms — don't recommend `next/image` to a Vue app
+  or `React.memo` to Svelte. Check LCP (oversized images, render-blocking work, missing
+  `fetchpriority`), CLS (layout shift, missing image dimensions), INP (long tasks, heavy
+  event handlers), bundle growth, unnecessary re-renders. *AI-codegen smell:* `memo` /
+  `useMemo` / `useCallback` wrapping everything, over-eager effect deps, broad watchers.
 - **General** — accidental quadratic loops, repeated hot-path work, large allocations.
 
 ## Measure-first discipline
-- If a real number exists in `evidence.md`, judge it against the budget/baseline.
+- If a real number exists, judge it against the budget/baseline; state the before/after.
 - If not, **specify the measurement** (command, scenario, metric) instead of asserting a
   regression. Distinguish "measured regression" from "likely hot spot, verify with X".
+- **Source-honesty.** Label every measured CWV value with where it came from —
+  `Field (CrUX)` (real users, p75), `Lab (Lighthouse)` (one synthetic run), or
+  `Trace (DevTools)`. Field and lab are not interchangeable; presenting one as the other
+  is fabrication. Reading static source cannot measure LCP / INP / CLS — never invent a
+  number for a value you did not capture.
 
 ## Rules
 - Don't edit. Findings only, labeled Critical / Important / Suggestion / Nit / FYI with
@@ -37,9 +68,26 @@ Workspace `.devrites/work/<slug>/`: read `spec.md` (any perf budget), `evidence.
   micro-opt with no measured impact is a Suggestion at most. Feature scope only.
 
 ## Output
+
+**Measured mode** — lead with a compact scorecard, then the line findings:
+```
+Performance review (<slug>) — independent
+Scorecard (source-labeled):
+  LCP <value>  <Field(CrUX) | Lab(LH) | Trace>  <Good/Needs Work/Poor>  (target ≤2.5s)
+  INP <value>  <source>                          <status>               (target ≤200ms)
+  CLS <value>  <source>                          <status>               (target ≤0.1)
+  [Lighthouse perf <score> Lab(LH)]  Artifacts: <which>  Stack: <detected>
+[Critical]/[Important] file:line — issue. measured: <number>. direction.
+[Suggestion]/[Nit]/[FYI] ...
+Budget: <breached? | none stated>
+Verdict: <blockers? none/list>
+```
+
+**Source mode** — no artifacts; one scorecard line, findings tagged `potential`:
 ```
 Performance review (<slug>) — independent
-[Important] file:line — issue. measured: <number | "measure: <cmd/metric>">. direction.
+Scorecard: not measured (Source mode)
+[Important] file:line — issue. potential; verify: <cmd/metric>. direction.
 [Suggestion]/[Nit]/[FYI] ...
 Budget: <breached? | none stated>
 To prove any win: <measure X before/after>

package/pack/.claude/rules/performance.md

@@ -21,6 +21,15 @@ Measure first. An optimization without a measurement is a guess that adds comple
 - Don't trade correctness or readability for a micro-win that doesn't matter.
 - Prefer a better algorithm or query over micro-tuning; the big wins are structural.
 
+## Frontend — Core Web Vitals
+For UI work, measure-first means LCP / INP / CLS judged against real numbers, each labeled
+by source (`Field (CrUX)`, `Lab (Lighthouse)`, `Trace (DevTools)`) — field and lab are not
+interchangeable, and static source cannot measure a CWV. The reviewer captures these via the
+browser-proof ladder when a budget exists, then judges them in Measured mode (a
+source-labeled scorecard); with no artifact it runs in Source mode and names the command.
+Baseline checks + measurement commands:
+[`rite-review/reference/performance-checklist.md`](../skills/rite-review/reference/performance-checklist.md).
+
 ## Scope
 Optimize what the change touches or what a measurement flags. Project-wide performance
 work is its own effort — record it as a follow-up, don't smuggle it into an unrelated

package/pack/.claude/skills/devrites-audit/SKILL.md

@@ -11,7 +11,7 @@ Dispatch one read-only review subagent against the active feature's workspace +
 
 This is the **inline single-axis pass** used during build / polish — one axis at a time, on demand, where a quick read keeps a slice honest. It is intentionally distinct from the seal/review **gate**, where the reviewer agents fan out in parallel across all relevant axes in their own fresh contexts (see `/rite-seal`). Same agents, different role: the audit is a cheap mid-flight check; the seal fan-out is the blocking gate. Both reading the same agent disciplines is the point, not a divergence.
 
-Why a subagent rather than inline: an adversarial reviewer with no author context is more likely to find what's wrong. Anthropic bug [#49559](https://github.com/anthropics/claude-code/issues/49559) leaves `context: fork` silently inline under plugin install, so `Task` dispatch is the reliable path under both plugin and bash installs.
+Why a subagent rather than inline: an adversarial reviewer with no author context is more likely to find what's wrong. Anthropic bug [#49559](https://github.com/anthropics/claude-code/issues/49559) can leave `context: fork` silently inline, so `Task` dispatch is the reliable path.
 
 ## Axis selection
 

package/pack/.claude/skills/devrites-browser-proof/SKILL.md

@@ -22,12 +22,32 @@ of the ladder that's available; record which one.
    the project's existing commands. Don't add a new framework.
 5. **Manual fallback** — none available: record the limitation + exact manual steps.
 
+## Core Web Vitals capture (when the spec states a perf budget)
+If `spec.md` carries a perf budget — or a frontend regression risk is visible — capture the
+CWV numbers here so the perf reviewer judges real data instead of guessing. Use the highest
+rung available; **detect, don't install**.
+
+1. **Chrome DevTools MCP** (if configured) — `lighthouse_audit` for LCP/INP/CLS + the
+   Lighthouse performance score. Source label: **Lab (Lighthouse)**. A `performance_*` trace
+   gives **Trace (DevTools)** attribution.
+2. **browser-harness** — drive the route, capture a performance trace over CDP. Source
+   label: **Trace (DevTools)**.
+3. **CrUX / PageSpeed Insights** — only if the user supplied an API key. Field data, p75.
+   Source label: **Field (CrUX)**.
+4. **None available** → mark CWV **pending (manual)** and name the exact command
+   (`npx lighthouse <url> --output json …`). Don't install anything; don't fake a number.
+
+Write each captured value **with its source label** to `evidence.md` (so the perf reviewer
+reads it in Measured mode) and note the tool + route in `browser-evidence.md`. Never present
+a lab value as a field value or vice versa.
+
 ## Evidence schema → `browser-evidence.md`
 Tooling used · route(s) · viewports (375/768/1280) · screenshot paths **opened and
 described** · console errors/warnings · network failures · interaction path tested ·
-accessibility basics · responsive checks · **design-reference match** (if the spec saved
-references in `references/`, compare the built UI to them and note match/diffs) ·
-limitations.
+accessibility basics · responsive checks · **CWV capture** (tool + route + each
+source-labeled value, or `pending (manual)` + the command) · **design-reference match** (if
+the spec saved references in `references/`, compare the built UI to them and note
+match/diffs) · limitations.
 
 ## Hard rules
 - A screenshot **path is not proof** — open it and describe what's visible.

package/pack/.claude/skills/rite-review/reference/performance-checklist.md

@@ -0,0 +1,80 @@
+# Performance checklist (baseline for the perf reviewer)
+
+The minimum baseline `devrites-performance-reviewer` checks against, in feature scope. It
+is a checklist, not a mandate: flag what the diff actually touches or what a measurement
+flags, never a project-wide sweep. The philosophy lives in
+[`rules/performance.md`](../../../rules/performance.md) (measure first) — this file is the
+concrete what-to-look-for.
+
+## Core Web Vitals targets
+
+| Metric | Good | Needs work | Poor |
+|---|---|---|---|
+| LCP — Largest Contentful Paint | ≤ 2.5s | ≤ 4.0s | > 4.0s |
+| INP — Interaction to Next Paint | ≤ 200ms | ≤ 500ms | > 500ms |
+| CLS — Cumulative Layout Shift | ≤ 0.1 | ≤ 0.25 | > 0.25 |
+
+A CWV value only counts when it carries a source — `Field (CrUX)`, `Lab (Lighthouse)`, or
+`Trace (DevTools)`. No source → it's a Source-mode hypothesis, not a measurement.
+
+## Frontend (only when the feature is UI-facing)
+
+Identify the framework first; apply only its idioms.
+
+- **Images** — modern format (WebP/AVIF); responsive `srcset`/`sizes`; explicit
+  `width`/`height` to reserve space (CLS); below-the-fold `loading="lazy"`; the LCP image
+  gets `fetchpriority="high"` and is **not** lazy-loaded.
+- **JavaScript** — initial bundle stays small (≈200KB gzipped is the usual line); code-split
+  routes and heavy features; no blocking script in `<head>` without `defer`/`async`; break
+  long tasks (>50ms) so the main thread stays free (the main INP lever); `memo`/`useMemo`/
+  `useCallback` only where profiling shows a win, not wrapped over everything.
+- **CSS** — critical CSS not render-blocking; no per-render CSS-in-JS runtime cost in prod.
+- **Fonts** — 2–3 families max; WOFF2; self-hosted where possible; preload the LCP font;
+  `font-display: swap`; subset with `unicode-range`.
+- **Rendering** — no layout thrashing (batch reads, then writes); animate `transform`/
+  `opacity` only; virtualize long lists; `content-visibility: auto` for off-screen sections;
+  don't break bfcache (no `unload` handler, no `Cache-Control: no-store` on HTML).
+
+## Backend (every feature, UI or not)
+
+- No N+1 queries; eager-load / join / batch instead.
+- New queries have the indexes they need for their filter/sort columns.
+- List endpoints paginate — never an unbounded `SELECT *`.
+- Per-request work that doesn't change per call is cached or hoisted.
+- Responses compressed (gzip/brotli); bulk operations instead of a loop of single calls.
+
+## Network
+
+- Static assets cached with a long `max-age` + content hashing.
+- Known origins `preconnect`-ed; no unnecessary redirects; HTTP/2 or HTTP/3 where available.
+
+## AI-codegen perf smells (fold into the area above, not a separate finding category)
+
+- State duplicated instead of lifted; effects with over-broad deps that re-run needlessly.
+- Sequential `await`s where `Promise.all` / parallel fetch fits.
+- Over-fetching "just in case"; redundant calls a dedup would collapse.
+- Defensive memoization wrapping cheap components — cost with no benefit.
+
+## Modern APIs to consider (one-liners — reach for these, don't gate on them)
+
+`scheduler.yield()` to keep input responsive in long loops · Speculation Rules for
+prefetch/prerender · View Transitions on SPA navigation · Long Animation Frames (LoAF) for
+production INP attribution · `fetchpriority` on critical non-image resources.
+
+## Measurement commands (name these in Source mode; don't run installs in review)
+
+```bash
+# Lighthouse (lab)
+npx lighthouse <url> --output json --output-path ./report.json
+# or via the Chrome DevTools MCP CLI, no install:
+npx -p chrome-devtools-mcp chrome-devtools lighthouse_audit --output-format=json > report.json
+
+# Bundle size
+npx vite-bundle-visualizer        # Vite
+npx webpack-bundle-analyzer stats.json   # webpack
+
+# Field data: CrUX / PageSpeed Insights (real users, p75) — needs an API key
+```
+
+Field is what real users experienced; lab is one synthetic run. Don't present one as the
+other.

package/pack/.claude/skills/rite-review/reference/performance-review.md

@@ -17,6 +17,10 @@ a hunch.
   unnecessary re-renders.
 - **General**: accidental quadratic loops, repeated work in hot paths, large allocations.
 
+The agent runs **Source mode** (static scan, findings tagged `potential` + the verify
+command) or **Measured mode** (real CWV numbers → a source-labeled scorecard). Baseline
+checks + measurement commands: [`performance-checklist.md`](performance-checklist.md).
+
 ## Optimize responsibly
 - Fix the measured bottleneck, then **re-measure** to prove the win (before/after in
   `evidence.md`). An optimization with no measured improvement is just added complexity.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "devrites",
-  "version": "1.19.0",
+  "version": "2.1.0",
   "description": "DevRites — disciplined senior-engineer workflow skills pack for Claude Code",
   "license": "SEE LICENSE IN LICENSE",
   "homepage": "https://github.com/ViktorsBaikers/DevRites#readme",
@@ -33,7 +33,6 @@
     "install.sh",
     "uninstall.sh",
     "update.sh",
-    ".claude-plugin/",
     "mcp/",
     "docs/",
     "README.md",

package/scripts/build-release-tarball.sh

@@ -27,7 +27,6 @@ mkdir -p "$STAGE"
 # Files and directories shipped to end-users.
 PAYLOAD=(
   pack
-  .claude-plugin
   scripts
   mcp
   docs

package/scripts/sync-version.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# Sync the semantic-release-determined version across every DevRites manifest
-# so plugin.json, marketplace.json and package.json stay in lockstep.
+# Sync the semantic-release-determined version into package.json and the README
+# status line so the published version stays in step with the released tag.
 #
 # Usage: sync-version.sh <version>
 set -euo pipefail
@@ -23,8 +23,6 @@ const version = process.argv[2];
 
 const updates = [
   { file: 'package.json',                       set: (j) => { j.version = version; } },
-  { file: '.claude-plugin/plugin.json',         set: (j) => { j.version = version; } },
-  { file: '.claude-plugin/marketplace.json',    set: (j) => { j.plugins.forEach(p => { if (p.name === 'devrites') p.version = version; }); } },
 ];
 
 for (const u of updates) {

package/scripts/validate.sh

@@ -65,29 +65,6 @@ for a in $AGENT_FILES; do
   if [ -f "$AGENTS/$a.md" ]; then good "$a"; else bad "missing agent: $a"; fi
 done
 
-section "plugin manifest agents list matches pack/.claude/agents"
-PLUGIN_JSON="$ROOT/.claude-plugin/plugin.json"
-if [ -r "$PLUGIN_JSON" ] && command -v python3 >/dev/null 2>&1; then
-  manifest_list="$(python3 -c '
-import json, sys
-m = json.load(open(sys.argv[1]))
-a = m.get("agents", [])
-if isinstance(a, str):
-    a = [a]
-for p in a:
-    print(p.lstrip("./"))
-' "$PLUGIN_JSON" | sort -u)"
-  disk_list="$(cd "$ROOT" && ls pack/.claude/agents/*.md 2>/dev/null | sort -u)"
-  if [ "$manifest_list" = "$disk_list" ]; then
-    good "plugin.json agents array matches pack/.claude/agents/*.md"
-  else
-    bad "plugin.json agents array out of sync with pack/.claude/agents/*.md"
-    diff <(printf '%s\n' "$manifest_list") <(printf '%s\n' "$disk_list") || true
-  fi
-else
-  echo "skip: cannot validate manifest sync (missing python3 or plugin.json)"
-fi
-
 # ---- 5. frontmatter validation ------------------------------------------
 section "frontmatter"
 if command -v python3 >/dev/null 2>&1; then
@@ -169,30 +146,7 @@ else
   bad "rule-uniqueness check failed (see scripts/check-rule-uniqueness.sh)"
 fi
 
-# ---- 12. version lockstep across manifests -------------------------------
-section "version lockstep (package.json == plugin.json == marketplace.json)"
-if command -v python3 >/dev/null 2>&1; then
-  if python3 - "$ROOT" <<'PY'
-import json, sys, os
-root = sys.argv[1]
-pkg  = json.load(open(os.path.join(root, "package.json")))["version"]
-plug = json.load(open(os.path.join(root, ".claude-plugin/plugin.json")))["version"]
-mkt  = json.load(open(os.path.join(root, ".claude-plugin/marketplace.json")))
-mver = next((p.get("version") for p in mkt.get("plugins", []) if p.get("name") == "devrites"), None)
-print("  package.json     %s" % pkg)
-print("  plugin.json      %s" % plug)
-print("  marketplace.json %s" % mver)
-if pkg == plug == mver and mver is not None:
-    sys.exit(0)
-print("FAIL: version mismatch across manifests")
-sys.exit(1)
-PY
-  then good "versions match across package.json / plugin.json / marketplace.json"; else bad "version mismatch across manifests (run scripts/sync-version.sh)"; fi
-else
-  echo "skip: python3 not found"
-fi
-
-# ---- 13. no runtime-broken pack/.claude/ path in installed prose ---------
+# ---- 12. no runtime-broken pack/.claude/ path in installed prose ---------
 # After install the leading pack/ is stripped, so any literal pack/.claude/rules/
 # or pack/.claude/skills/ in shipped SKILL.md / reference prose is a dead path
 # at runtime. (Repo README/docs links are out of scope — they're GitHub links.)

package/.claude-plugin/marketplace.json

@@ -1,24 +0,0 @@
-{
-  "name": "devrites-marketplace",
-  "description": "DevRites — disciplined senior-engineer workflow skills pack for Claude Code.",
-  "owner": {
-    "name": "Viktors Baikers",
-    "url": "https://github.com/ViktorsBaikers"
-  },
-  "plugins": [
-    {
-      "name": "devrites",
-      "source": "./",
-      "description": "Spec → plan → build → prove → polish → review → seal → ship workflow with persistent state, drift guard, browser-proof ladder, and anti-AI-slop guardrails.",
-      "version": "1.19.0",
-      "license": "personal-use-or-by-approval",
-      "keywords": [
-        "workflow",
-        "skills",
-        "senior-engineer",
-        "spec-driven",
-        "anti-slop"
-      ]
-    }
-  ]
-}

package/.claude-plugin/plugin.json

@@ -1,43 +0,0 @@
-{
-  "name": "devrites",
-  "version": "1.19.0",
-  "description": "Disciplined senior-engineer workflow skills pack — spec/plan/build/prove/polish/review/seal/ship with persistent .devrites/ Markdown state, Spec Drift Guard, browser-proof ladder, fullstack contract-first slicing, and anti-AI-slop guardrails.",
-  "author": {
-    "name": "Viktors Baikers",
-    "url": "https://github.com/ViktorsBaikers"
-  },
-  "homepage": "https://github.com/ViktorsBaikers/DevRites",
-  "repository": "https://github.com/ViktorsBaikers/DevRites",
-  "license": "SEE LICENSE IN LICENSE",
-  "keywords": [
-    "claude-code",
-    "skills",
-    "agent-skills",
-    "workflow",
-    "senior-engineer",
-    "spec-driven",
-    "tdd",
-    "code-review",
-    "polish",
-    "frontend",
-    "fullstack",
-    "anti-slop",
-    "design-system",
-    "devrites"
-  ],
-  "skills": "./pack/.claude/skills",
-  "hooks": "./pack/.claude/hooks/hooks.json",
-  "agents": [
-    "./pack/.claude/agents/devrites-code-reviewer.md",
-    "./pack/.claude/agents/devrites-doubt-reviewer.md",
-    "./pack/.claude/agents/devrites-frontend-reviewer.md",
-    "./pack/.claude/agents/devrites-performance-reviewer.md",
-    "./pack/.claude/agents/devrites-plan-reviewer.md",
-    "./pack/.claude/agents/devrites-security-auditor.md",
-    "./pack/.claude/agents/devrites-simplifier-reviewer.md",
-    "./pack/.claude/agents/devrites-slice-wright.md",
-    "./pack/.claude/agents/devrites-spec-reviewer.md",
-    "./pack/.claude/agents/devrites-strategy-reviewer.md",
-    "./pack/.claude/agents/devrites-test-analyst.md"
-  ]
-}