glori-builder 1.0.0

package/.claude/commands/secrets.md

@@ -0,0 +1,122 @@
+---
+description: Manage API keys for quetrex-base. Add, list, or remove keys from the global secrets file or the current project. Usage: /secrets add KEY [--project], /secrets list, /secrets remove KEY [--project]
+argument-hint: add KEY [--project] | list | remove KEY [--project]
+---
+
+# Secrets Manager
+
+Manages API keys in `~/.claude/secrets.env` (global) or the current project's `.env` (project-level override).
+
+Parse the command from `$ARGUMENTS`:
+- `add KEY_NAME [--project]`
+- `list`
+- `remove KEY_NAME [--project]`
+
+If `$ARGUMENTS` is empty or unrecognised, show usage and stop.
+
+---
+
+## add KEY_NAME [--project]
+
+**Global** (`add LINEAR_API_KEY`): writes to `~/.claude/secrets.env`
+**Project** (`add LINEAR_API_KEY --project`): writes to `.env` in the current directory
+
+### Global add
+
+1. Confirm `~/.claude/secrets.env` exists. If not: "Run /quetrex-setup first."
+2. Ask: "Value for KEY_NAME?"
+3. Check if the key already exists:
+   ```bash
+   grep -q "^export KEY_NAME=" ~/.claude/secrets.env && echo "exists" || echo "new"
+   ```
+4. If exists: update the line using sed.
+5. If new: append to file.
+6. Confirm: "KEY_NAME added to ~/.claude/secrets.env. Run `source ~/.claude/secrets.env` to load it in your current terminal."
+
+**Format in secrets.env:**
+```bash
+export KEY_NAME="value"
+```
+
+### Project add
+
+1. Confirm we are inside a git repo:
+   ```bash
+   git rev-parse --git-dir 2>/dev/null
+   ```
+   If not: "Not inside a git repo. Run this from your project directory."
+
+2. Check `.gitignore` for `.env`:
+   ```bash
+   grep -q "^\.env$\|^\.env " .gitignore 2>/dev/null && echo "ignored" || echo "not ignored"
+   ```
+   If `.env` is not gitignored, warn: "⚠ .env is not in .gitignore. Adding it now to prevent accidental commits."
+   ```bash
+   echo '.env' >> .gitignore
+   ```
+
+3. Ask: "Value for KEY_NAME?"
+
+4. Check if `.env` exists and if the key is already there:
+   ```bash
+   [ -f .env ] && grep -q "^KEY_NAME=" .env && echo "exists" || echo "new"
+   ```
+
+5. If exists: update in place with sed.
+6. If new: append to `.env`.
+
+7. Confirm: "KEY_NAME added to .env (project-level). This overrides the global value when working in this project."
+
+**Format in project .env:**
+```bash
+KEY_NAME=value
+```
+Note: no `export` prefix — standard dotenv format.
+
+---
+
+## list
+
+Show all configured keys from both sources. Never show values — names only.
+
+```bash
+echo "=== Global (~/.claude/secrets.env) ===" 
+grep "^export " ~/.claude/secrets.env 2>/dev/null | sed 's/^export //' | cut -d= -f1 | sort
+
+echo ""
+echo "=== Project (.env) ==="
+[ -f .env ] && grep -v "^#" .env | grep "=" | cut -d= -f1 | sort || echo "(no project .env found)"
+```
+
+Display the output cleanly. If a key appears in both: note "project overrides global" next to the project entry.
+
+---
+
+## remove KEY_NAME [--project]
+
+**Global**: removes the line from `~/.claude/secrets.env`
+**Project**: removes the line from `.env`
+
+1. Confirm the key exists in the target file.
+2. If not found: "KEY_NAME not found in [file]. Nothing to remove."
+3. If found: confirm with user before deleting.
+4. Remove the line:
+   ```bash
+   # Global (macOS sed requires -i '')
+   sed -i '' "/^export KEY_NAME=/d" ~/.claude/secrets.env
+
+   # Project
+   sed -i '' "/^KEY_NAME=/d" .env
+   ```
+5. Confirm: "KEY_NAME removed from [file]."
+
+---
+
+## Notes
+
+- Global keys are your defaults across all projects — set once, work everywhere
+- Project `.env` keys override the global for that project only — use for different Linear workspaces, project-specific services, etc.
+- Never store secrets in code, CLAUDE.md, or any file that gets committed
+- All commands that need LINEAR_API_KEY read `$LINEAR_API_KEY` from the environment — the layered system (shell sources secrets.env, project .env overrides) handles the rest
+- On a new machine: run /quetrex-setup to create secrets.env and configure your primary keys
+- On a new project with a different Linear workspace: run `/secrets add LINEAR_API_KEY --project`

package/.claude/commands/update-rules.md

@@ -0,0 +1,143 @@
+---
+description: Review and update an existing project .claude/CLAUDE.md for quetrex compatibility. Audits current rules, identifies gaps, validates commands against the actual codebase, and brings it up to quetrex standards.
+---
+
+# Update Project Rules
+
+Audits `.claude/CLAUDE.md` and brings it up to quetrex standards. Use on projects that already have rules but may be incomplete, outdated, or not aligned with the quetrex pipeline.
+
+If no `.claude/CLAUDE.md` exists, say: "No project rules found. Run `/create-rules` to generate them from scratch." Then stop.
+
+---
+
+## Step 1: Read and Summarise
+
+Read `.claude/CLAUDE.md` and show a one-paragraph summary of what it currently covers.
+
+---
+
+## Step 2: Audit Against Quetrex Requirements
+
+Check each item — report **Present**, **Missing**, or **Needs Update**:
+
+**Critical — QA agent cannot work without these:**
+- `## Verification` section exists
+- Verification section contains actual runnable commands
+- Verification commands match the detected stack
+- Every command in Verification exists as a script or binary (checked in Step 3)
+
+**Important — developer agent quality:**
+- `## Stack` section with language, framework, key libraries
+- `## Conventions` with type safety / code quality rules for this language
+- `## Key Commands` for dev server and common tasks
+
+**Nice to have:**
+- Project name in heading
+- File structure conventions
+- Database commands
+
+---
+
+## Step 3: Validate Commands Against the Codebase
+
+Check that the commands in the Verification section will actually work:
+
+```bash
+# Node/TypeScript — verify scripts exist in package.json
+cat package.json 2>/dev/null | python3 -c "import json,sys; d=json.load(sys.stdin); print('\n'.join(d.get('scripts',{}).keys()))" 2>/dev/null
+
+# Python — verify tools are configured
+grep -E "ruff|mypy|pytest" pyproject.toml 2>/dev/null || grep -E "ruff|mypy|pytest" setup.cfg 2>/dev/null
+
+# Rust — check Cargo.toml exists
+cat Cargo.toml 2>/dev/null | head -5
+
+# Ruby — check Gemfile for test/lint gems
+grep -E "rspec|rubocop" Gemfile 2>/dev/null
+
+# Go — check go.mod
+cat go.mod 2>/dev/null | head -3
+```
+
+Flag any Verification command that references a script or binary that doesn't exist or isn't installed. Examples:
+- `npm run type-check` listed but no `type-check` in package.json → flag it
+- `ruff check .` listed but `ruff` not in pyproject.toml dev deps → flag it
+
+---
+
+## Step 4: Ask Only What's Needed
+
+Ask targeted questions only about what is missing, incorrect, or unclear. Do not ask about things that are already correct.
+
+Examples:
+- Verification missing: "What commands should run before every PR?"
+- Script mismatch: "The rules say `npm run lint` but package.json uses `biome check`. Which is correct?"
+- Stack unclear: "I can see Next.js but can't determine the ORM. Drizzle or Prisma?"
+- Framework version wrong: "The rules say Next.js 14 but package.json shows 16. Should I update?"
+- Type-check script missing: "No `type-check` script in package.json. Should I add `\"type-check\": \"tsc --noEmit\"` to your scripts?"
+
+---
+
+## Step 5: Show Recommendations
+
+Present a clear audit report before making any changes:
+
+```
+## Audit: .claude/CLAUDE.md
+
+### Must Fix
+- MISSING: Verification section — QA agent cannot run without this
+- BROKEN: `npm run lint` not in package.json (script is named `check`)
+
+### Should Update
+- OUTDATED: Stack says Next.js 14 — package.json shows 16.0.2
+
+### Looks Good
+- Conventions section is comprehensive and accurate
+- Key Commands are correct
+
+Apply these updates?
+```
+
+Wait for confirmation.
+
+---
+
+## Step 6: Check `.claude/decisions.md`
+
+```bash
+[ -f .claude/decisions.md ] && echo "exists" || echo "missing"
+```
+
+If missing, create it:
+
+```bash
+cat > .claude/decisions.md << 'EOF'
+# Project Decisions
+
+Architectural decisions that affect how this project is built.
+The architect agent updates this file. All agents read it.
+
+<!-- Format for new entries:
+## YYYY-MM-DD — Short title
+**Decision**: what was decided
+**Reason**: why
+**Impact**: what it affects going forward
+-->
+EOF
+```
+
+Add to the audit report: "decisions.md: {created / already existed}"
+
+---
+
+## Step 7: Apply Updates
+
+Make only the targeted changes — add missing sections, fix outdated content, correct broken commands. Do not remove content that is already correct and project-specific.
+
+```bash
+git add .claude/CLAUDE.md .claude/decisions.md
+git commit -m "chore: update project rules — {one-line summary of what changed}"
+```
+
+Report: "Rules updated. [N] issues fixed. `.claude/CLAUDE.md` and `.claude/decisions.md` are quetrex-ready."

package/.claude/hooks/auto-format.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Auto-format files after edits using Biome
+# Runs on PostToolUse hook for Write|Edit
+
+input=$(cat)
+FILE_PATH=$(echo "$input" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+if [ -z "$FILE_PATH" ]; then
+  exit 0
+fi
+
+# Only format JS/TS/JSON files
+case "$FILE_PATH" in
+  *.ts|*.tsx|*.js|*.jsx|*.json|*.jsonc)
+    # Find the nearest biome.json or biome.jsonc
+    DIR=$(dirname "$FILE_PATH")
+    while [ "$DIR" != "/" ]; do
+      if [ -f "$DIR/biome.json" ] || [ -f "$DIR/biome.jsonc" ]; then
+        npx biome format --write "$FILE_PATH" 2>/dev/null
+        exit 0
+      fi
+      DIR=$(dirname "$DIR")
+    done
+    ;;
+esac
+
+exit 0

package/.claude/hooks/check-quetrex-update.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Daily background check for quetrex-base updates.
+# Runs on session Stop. Fast exit if checked within 24 hours.
+
+TIMESTAMP_FILE="$HOME/.claude/.quetrex-last-check"
+FLAG_FILE="$HOME/.claude/.quetrex-update-available"
+
+# Fast path: skip if checked within the last 24 hours
+if [ -f "$TIMESTAMP_FILE" ]; then
+  LAST=$(cat "$TIMESTAMP_FILE" 2>/dev/null)
+  NOW=$(date +%s)
+  if [ -n "$LAST" ] && [ $(( NOW - LAST )) -lt 86400 ]; then
+    exit 0
+  fi
+fi
+
+# Update timestamp immediately so concurrent sessions don't double-check
+date +%s > "$TIMESTAMP_FILE"
+
+# Run the npm check in the background so it doesn't delay session exit
+(
+  INSTALLED=$(npm list -g @quetrex/base --depth=0 --json 2>/dev/null \
+    | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('dependencies',{}).get('@quetrex/base',{}).get('version',''))" 2>/dev/null)
+
+  LATEST=$(npm show @quetrex/base version 2>/dev/null)
+
+  if [ -n "$INSTALLED" ] && [ -n "$LATEST" ] && [ "$INSTALLED" != "$LATEST" ]; then
+    echo "$LATEST" > "$FLAG_FILE"
+  else
+    rm -f "$FLAG_FILE"
+  fi
+) &
+
+exit 0

package/.claude/hooks/enforce-branch.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+# HARD-RULE #6: Block git commit/push on main/master
+# Runs on PreToolUse hook for Bash
+# Work should happen in worktrees, not on main
+
+# Read hook input from stdin
+input=$(cat)
+
+# Get the command being executed
+COMMAND=$(echo "$input" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [ -z "$COMMAND" ]; then
+  exit 0
+fi
+
+# Only check git commit and git push commands
+if [[ "$COMMAND" != *"git commit"* ]] && [[ "$COMMAND" != *"git push"* ]]; then
+  exit 0
+fi
+
+# Allow pushing tags from main (deploy rollback tags, version tags)
+# The command may use shell variables ($TAG) so we check for tag patterns in the full command:
+# 1. Command contains "git tag" (creating + pushing a tag in same pipeline)
+# 2. Command pushes refs/tags/ explicitly
+# 3. Command pushes deploy/* or v[0-9] tag patterns literally
+if [[ "$COMMAND" == *"git push"* ]]; then
+  if [[ "$COMMAND" == *"git tag"* ]] || \
+     [[ "$COMMAND" == *"refs/tags/"* ]] || \
+     [[ "$COMMAND" =~ git[[:space:]]+push[[:space:]]+origin[[:space:]]+deploy/ ]] || \
+     [[ "$COMMAND" =~ git[[:space:]]+push[[:space:]]+origin[[:space:]]+v[0-9] ]]; then
+    exit 0
+  fi
+fi
+
+# Determine the working directory: prefer the session's cwd from hook input,
+# then check for cd/git -C patterns in the command, then fall back to $PWD.
+SESSION_CWD=$(echo "$input" | jq -r '.cwd // empty' 2>/dev/null)
+
+# Extract target directory from command patterns:
+#   cd /path && git commit ...
+#   git -C /path commit ...
+TARGET_DIR=""
+if [[ "$COMMAND" =~ cd[[:space:]]+([^&\;]+)[[:space:]]*\&\& ]]; then
+  TARGET_DIR="${BASH_REMATCH[1]}"
+  # Trim whitespace and quotes
+  TARGET_DIR=$(echo "$TARGET_DIR" | sed 's/^[ "'\'']*//;s/[ "'\'']*$//')
+elif [[ "$COMMAND" =~ git[[:space:]]+-C[[:space:]]+([^[:space:]]+) ]]; then
+  TARGET_DIR="${BASH_REMATCH[1]}"
+fi
+
+# Check current branch: explicit target dir > session cwd > hook's own CWD
+if [ -n "$TARGET_DIR" ] && [ -d "$TARGET_DIR" ]; then
+  CURRENT_BRANCH=$(git -C "$TARGET_DIR" branch --show-current 2>/dev/null)
+elif [ -n "$SESSION_CWD" ] && [ -d "$SESSION_CWD" ]; then
+  CURRENT_BRANCH=$(git -C "$SESSION_CWD" branch --show-current 2>/dev/null)
+else
+  CURRENT_BRANCH=$(git branch --show-current 2>/dev/null)
+fi
+
+if [ "$CURRENT_BRANCH" = "main" ] || [ "$CURRENT_BRANCH" = "master" ]; then
+  echo '{"decision": "block", "reason": "HARD-RULE #6: Use worktrees. Cannot commit/push on main."}'
+  exit 0
+fi
+
+# Not on main/master -- allow
+exit 0

package/.claude/hooks/security-check.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Block writes and edits containing hardcoded secrets/API keys
+# Runs on PreToolUse hook for Write|Edit
+
+input=$(cat)
+TOOL_NAME=$(echo "$input" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Extract content based on tool type
+if [ "$TOOL_NAME" = "Write" ]; then
+  CONTENT=$(echo "$input" | jq -r '.tool_input.content // empty' 2>/dev/null)
+elif [ "$TOOL_NAME" = "Edit" ]; then
+  CONTENT=$(echo "$input" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+else
+  exit 0
+fi
+
+if [ -z "$CONTENT" ]; then
+  exit 0
+fi
+
+# Secret patterns — add new services here as needed
+if echo "$CONTENT" | grep -qE \
+  'AKIA[0-9A-Z]{16}|'\
+  '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY|'\
+  'sk_live_[0-9a-zA-Z]{24,}|'\
+  'sk_test_[0-9a-zA-Z]{24,}|'\
+  'sk-ant-[0-9a-zA-Z-]{20,}|'\
+  'sk-[a-zA-Z0-9]{40,}|'\
+  'ghp_[0-9a-zA-Z]{36}|'\
+  'github_pat_[0-9a-zA-Z_]{59}|'\
+  'xox[bpoas]-[0-9a-zA-Z-]+|'\
+  'lin_api_[0-9a-zA-Z]+|'\
+  'FlyV1 [a-zA-Z0-9+/]+|'\
+  'rnd_[0-9a-zA-Z]{32,}'; then
+  echo '{"decision": "block", "reason": "BLOCKED: Detected hardcoded secret/API key. Use environment variables or ~/.claude/secrets.env instead."}'
+  exit 0
+fi
+
+exit 0

package/.claude/settings.json

@@ -0,0 +1,89 @@
+{
+  "env": {
+    "ENABLE_TOOL_SEARCH": "true",
+    "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS": "1"
+  },
+  "permissions": {
+    "allow": [
+      "Bash(npx biome:*)",
+      "Bash(npm run:*)",
+      "Bash(npx playwright:*)",
+      "Bash(npx stryker:*)",
+      "Bash(npx knip:*)",
+      "Bash(git checkout:*)",
+      "Bash(git merge:*)",
+      "Bash(git push:*)",
+      "Bash(git worktree:*)",
+      "Bash(gh pr:*)",
+      "Bash(gh run:*)",
+      "Read(/Users/barnent1/Desktop/**)",
+      "WebSearch"
+    ],
+    "deny": [
+      "Bash(rm -rf *)",
+      "Bash(rm -rf .)",
+      "Bash(rm -rf /*)",
+      "Bash(git reset --hard*)",
+      "Bash(git checkout -- .)",
+      "Bash(git clean -f*)",
+      "Bash(git push --force*main*)",
+      "Bash(git push --force*master*)"
+    ],
+    "defaultMode": "dontAsk"
+  },
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash /Users/barnent1/.claude/hooks/enforce-branch.sh",
+            "timeout": 5000
+          }
+        ]
+      },
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash /Users/barnent1/.claude/hooks/security-check.sh",
+            "timeout": 5000
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash /Users/barnent1/.claude/hooks/auto-format.sh",
+            "timeout": 10000
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash ~/.claude/hooks/check-quetrex-update.sh",
+            "timeout": 3000
+          }
+        ]
+      }
+    ]
+  },
+  "statusLine": {
+    "type": "command",
+    "command": "bash ~/.claude/statusline-command.sh"
+  },
+  "skipDangerousModePermissionPrompt": true,
+  "voiceEnabled": true,
+  "teammateMode": "auto",
+  "remoteControlAtStartup": false
+}