mishkan-harness 0.1.0

package/payload/mishkan/cognee/docker-compose.ui.yml

@@ -0,0 +1,70 @@
+# MISHKAN — Cognee Graph Explorer UI overlay (OPTIONAL · profile: ui).
+# Adds the Cognee web UI (backend API + Next.js frontend) so you can visualise the
+# graph your agents build. Run TOGETHER with the self-hosted overlay, which
+# provides the shared backends (Neo4j + Postgres/pgvector) and Ollama:
+#
+#   docker compose -f docker-compose.yml -f docker-compose.hardening.yml \
+#                  -f docker-compose.selfhosted.yml -f docker-compose.ui.yml \
+#                  --profile ui up -d --build
+#
+# The UI backend uses the SAME .env as cognee-mcp (same Neo4j + Postgres + Ollama),
+# so the UI and the agents share one graph. The backend + frontend build from a
+# CLONED cognee repo — set COGNEE_SRC in .env. The Cognee UI is "work in progress"
+# upstream; confirm the frontend Dockerfile path + backend entrypoint against the
+# repo. Ports are 127.0.0.1-bound and configurable.
+
+services:
+  cognee-backend:
+    build:
+      context: ${COGNEE_SRC:?set COGNEE_SRC in .env to a cloned cognee repo}
+    image: mishkan/cognee-backend:${COGNEE_MCP_REF:?}
+    container_name: mishkan-cognee-backend
+    restart: unless-stopped
+    profiles: ["ui"]
+    depends_on:
+      neo4j:
+        condition: service_healthy
+      postgres:
+        condition: service_healthy
+      ollama:
+        condition: service_healthy
+    env_file:
+      - .env            # same cognee config as cognee-mcp → shared graph
+    environment:
+      HOST: 0.0.0.0
+      ENVIRONMENT: local
+      CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS:-http://localhost:${COGNEE_UI_PORT:-7724}}
+    ports:
+      - "127.0.0.1:${COGNEE_BACKEND_PORT:-7737}:8000"
+    networks:
+      - cognee_net
+    security_opt:
+      - no-new-privileges:true
+    deploy:
+      resources:
+        limits:
+          cpus: "2.0"
+          memory: 3g
+
+  cognee-frontend:
+    build:
+      context: ${COGNEE_SRC:?set COGNEE_SRC in .env to a cloned cognee repo}/cognee-frontend
+    image: mishkan/cognee-frontend:${COGNEE_MCP_REF:?}
+    container_name: mishkan-cognee-frontend
+    restart: unless-stopped
+    profiles: ["ui"]
+    depends_on:
+      - cognee-backend
+    environment:
+      NEXT_PUBLIC_LOCAL_API_URL: ${NEXT_PUBLIC_LOCAL_API_URL:-http://localhost:${COGNEE_BACKEND_PORT:-7737}}
+    ports:
+      - "127.0.0.1:${COGNEE_UI_PORT:-7724}:3000"
+    networks:
+      - cognee_net
+    security_opt:
+      - no-new-privileges:true
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: 1g

package/payload/mishkan/cognee/docker-compose.yml

@@ -0,0 +1,71 @@
+# MISHKAN — cognee-mcp knowledge-graph server (local Docker · decision D-001).
+# Runs the official cognee-mcp in HTTP transport on port 7777 (endpoint /mcp).
+# Cognee core is a library; this container exposes it over MCP for Claude Code.
+#
+# Compliant with Migdal rules: built locally from a pinned Dockerfile (no blind
+# pulls, no :latest), SOPS-managed secrets, resource limits, healthcheck, isolated
+# network, 127.0.0.1-bound. Apply the hardening overlay on EVERY recreate:
+#   docker compose -f docker-compose.yml -f docker-compose.hardening.yml up -d
+#
+# Port: cognee-mcp listens on 7777 inside the container; COGNEE_PORT (default
+# 7777) sets the host port. (A TCP port must be <= 65535.)
+#
+# Backend stores: cognee uses local backends by default (no extra services).
+# To use PostgreSQL/pgvector or Neo4j instead, set the relevant cognee env vars
+# in .env per https://docs.cognee.ai and add the backend service here.
+
+name: mishkan-cognee
+
+services:
+  cognee-mcp:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        COGNEE_MCP_REF: ${COGNEE_MCP_REF:?set COGNEE_MCP_REF in .env to a pinned cognee git tag/commit}
+        PYTHON_VERSION: 3.12-slim
+    image: mishkan/cognee-mcp:${COGNEE_MCP_REF:?set COGNEE_MCP_REF in .env to a pinned cognee git tag/commit}
+    container_name: mishkan-cognee-mcp
+    restart: unless-stopped
+    env_file:
+      - .env
+    environment:
+      # LLM_API_KEY (and any backend provider vars) come from .env (SOPS-managed).
+      COGNEE_PORT: "7777"
+    ports:
+      # host COGNEE_PORT (default 7777) → container 7777. Bound to localhost only.
+      - "127.0.0.1:${COGNEE_PORT:-7777}:7777"
+    volumes:
+      # Cognee's local data (graph/vector/sqlite) when using default backends.
+      - cognee_data:/app/cognee-mcp/.cognee_system
+    healthcheck:
+      test: ["CMD", "python", "-c", "import socket; s=socket.create_connection(('127.0.0.1',7777),2); s.close()"]
+      interval: 15s
+      timeout: 5s
+      retries: 5
+      start_period: 40s
+    networks:
+      - cognee_net
+    deploy:
+      resources:
+        limits:
+          cpus: "2.0"
+          memory: 3g
+
+volumes:
+  cognee_data:
+
+networks:
+  cognee_net:
+    driver: bridge
+    # Subnet pinned away from Docker's default 172.18-172.31 auto-allocation pool.
+    # On some hosts the daemon's BoltDB carries orphaned anti-spoofing iptables
+    # rules (nat PREROUTING DROP) for a dead bridge that previously owned a
+    # 172.x subnet; a new bridge auto-allocated into that subnet then has all
+    # inter-container TCP silently dropped (timeout, not refused). Pinning to an
+    # unused subnet sidesteps it durably (survives reboot/firewall reload).
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.51.0.0/16
+          gateway: 172.51.0.1

package/payload/mishkan/cognee/ingest-curated.py

@@ -0,0 +1,92 @@
+# MISHKAN — structured ingest of the curated library into Cognee.
+# Runs INSIDE the cognee-mcp container (it needs the cognee package + the live
+# .env config: graph=Neo4j, vector=pgvector, embeddings=Ollama). Reads a JSONL
+# of CuratedResource entries and writes typed Team + CuratedResource nodes via
+# Cognee's low-level DataPoint API — NO LLM extraction (cognify), so it costs
+# only embedding calls. Use local Ollama embeddings to avoid cloud rate walls
+# on bulk ingest (Gemini free-tier embeddings 429 on ~100 nodes).
+#
+# Invoked by seed-curated-library.sh; not meant to be run standalone on the host.
+#
+#   JSONL path via COGNEE_CURATED_JSONL (default /home/cognee/curated-resources.jsonl)
+#
+# WARNING: prunes the graph first (clean, reproducible seed). Run before real
+# session knowledge accumulates, or it wipes that too.
+import asyncio
+import json
+import os
+from typing import List
+
+from cognee.low_level import setup, DataPoint
+from cognee.pipelines import run_tasks, Task
+from cognee.tasks.storage import add_data_points
+from cognee.tasks.storage.index_graph_edges import index_graph_edges
+from cognee.modules.users.methods import get_default_user
+from cognee.modules.data.methods import load_or_create_datasets
+from cognee import prune
+
+JSONL = os.environ.get("COGNEE_CURATED_JSONL", "/home/cognee/curated-resources.jsonl")
+
+
+class CuratedResource(DataPoint):
+    name: str
+    team: str
+    url: str
+    problem_class: str
+    source_tier: str
+    metadata: dict = {"index_fields": ["name", "problem_class"]}
+
+
+class Team(DataPoint):
+    name: str
+    resources: List[CuratedResource]
+    metadata: dict = {"index_fields": ["name"]}
+
+
+def build_nodes(_data=None):
+    teams: dict[str, list] = {}
+    with open(JSONL) as fh:
+        for line in fh:
+            line = line.strip()
+            if not line:
+                continue
+            d = json.loads(line)
+            teams.setdefault(d["team"], []).append(
+                CuratedResource(
+                    name=d["name"],
+                    team=d["team"],
+                    url=d["url"],
+                    problem_class=d.get("problem_class", ""),
+                    source_tier=d.get("source_tier", "curated"),
+                )
+            )
+    nodes = [Team(name=t, resources=rs) for t, rs in teams.items()]
+    print(
+        f">> built {len(nodes)} Team nodes, "
+        f"{sum(len(t.resources) for t in nodes)} CuratedResource nodes",
+        flush=True,
+    )
+    return nodes
+
+
+async def main():
+    await prune.prune_data()
+    await prune.prune_system(metadata=True)
+    print(">> pruned", flush=True)
+    await setup()
+    user = await get_default_user()
+    datasets = await load_or_create_datasets(["curated_library"], [], user)
+    tasks = [Task(build_nodes), Task(add_data_points)]
+    async for status in run_tasks(tasks, datasets[0].id, None, user, "curated_seed"):
+        print(">> status:", getattr(status, "status", status), flush=True)
+    await index_graph_edges()
+    print(">> SEEDED", flush=True)
+    # Enrichment always follows the build: memify embeds the relationship/triplet
+    # layer into the vector store (default tasks; embeddings-only, no LLM/quota).
+    import cognee
+    await cognee.memify(dataset="curated_library")
+    print(">> MEMIFIED", flush=True)
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

package/payload/mishkan/commands/dep-audit.md

@@ -0,0 +1,24 @@
+---
+description: Audit dependencies across all registered projects and produce a coordinated, vetted update plan.
+argument-hint: "[optional: package name or CVE id to focus on]"
+---
+
+Run a cross-project dependency audit using the **dependency-audit** skill.
+
+Focus (if provided): $ARGUMENTS
+
+Steps:
+
+1. Run `~/.claude/mishkan/scripts/dependency-audit.sh` — inventories every project
+   in `~/.claude/mishkan/config/projects.yaml`, runs OSV-Scanner/trivy where
+   installed, aggregates shared packages, shared CVEs, and version drift.
+2. As **Benaiah** (supply-chain, Mishmar), prioritise findings by
+   severity × blast radius (how many projects each affects).
+3. For each fix, run **dependency-vetting** on the target version, then
+   **dependency-upgrade** for per-project breaking-change analysis.
+4. As **Migdal**, sequence a staging-first rollout per project. Prepare the pinned
+   manifest changes + lockfile-regen commands — **Y4NN runs the installs/deploys**.
+5. **Seraiah** documents the portfolio posture; promote a cross-harness Cognee node
+   (gated by Nehemiah + Bezalel).
+
+No fabricated CVEs. No installs or deploys executed by AI. English only.

package/payload/mishkan/commands/mishkan-init.md

@@ -0,0 +1,25 @@
+---
+description: Initialise the current project under MISHKAN (PRD→SRS→CONTRACT→ARCHITECTURE→THREAT_MODEL→C4→docs→Cognee→Sprint S0).
+argument-hint: "[optional one-line project intent]"
+---
+
+Initialise this project under MISHKAN by running the **mishkan-init** skill.
+
+Project intent (if provided): $ARGUMENTS
+
+Before writing the first document, **produce a `/plan`** and surface it to Y4NN
+for approval — the plan is the scope contract for initialisation. Then run the
+sequence exactly:
+
+Nehemiah → `docs/PRD.md`
+→ Nathan → `docs/SRS.md`
+→ Zadok → `docs/CONTRACT.md` (plan first)
+→ Bezalel + Nathan → `docs/ARCHITECTURE.md` (plan first)
+→ Benaiah → `docs/THREAT_MODEL.md` (plan first)
+→ Meshullam → `docs/diagrams/C4/` (plan first)
+→ Jehoshaphat → `docs/README.md`, `docs/adr/`, `docs/runbooks/` (plan first)
+→ seed Cognee from all docs
+→ write `./CLAUDE.md` (Sprint S0), copy settings + team rules into `.claude/`
+
+Sequence before implementation: no code is written during init. Stateful
+operations stop at Y4NN's hands. Every doc is dated. English only.

package/payload/mishkan/commands/mishkan-resume.md

@@ -0,0 +1,21 @@
+---
+description: Resume a MISHKAN project — load sprint state and open blockers, Nehemiah greets with current context.
+---
+
+Resume work on this MISHKAN project. This is the replacement for the deferred
+SessionStart hook.
+
+Do the following:
+
+1. Read `./CLAUDE.md` for the current sprint, milestone, mode, tasks, and blockers.
+2. Query Cognee (project namespace) for active blockers, open Mishmar flags, and
+   pending decisions.
+3. As **Nehemiah**, greet Y4NN with a tight context summary:
+   - current sprint + milestone + mode
+   - open tasks (id, description, status, owner)
+   - blockers — Mishmar flags first, with severity
+   - pending decisions awaiting Y4NN
+4. Ask where Y4NN wants to start.
+
+Keep it lean — surface state, do not dump raw logs. No code is written by this
+command. English only.

package/payload/mishkan/commands/promote.md

@@ -0,0 +1,19 @@
+---
+description: Manually promote a learning into Cognee at an explicit blast-radius tier.
+argument-hint: "<agent-private|team-level|cross-harness> <what to promote>"
+---
+
+Manually promote a learning using the **cognee-promote** skill.
+
+Requested promotion: $ARGUMENTS
+
+Parse the first token as the blast-radius tier and the rest as the learning.
+
+- `agent-private` → record in the agent's `MEMORY.md`; do **not** write Cognee.
+- `team-level` → Team Lead decision; update team rules / shared topic file, and
+  write a `team-level` Cognee node.
+- `cross-harness` → requires Nehemiah + Bezalel sign-off; write a `cross-harness`
+  Cognee node per `~/.claude/mishkan/ontology.md` with the correct entity type and edges.
+
+If the tier is ambiguous, ask: does this affect only the agent, the team, or
+everyone? No fabricated facts. English only.

package/payload/mishkan/commands/sefer-pull.md

@@ -0,0 +1,19 @@
+---
+description: Trigger a Sefer documentation pull outside the milestone (event-driven).
+argument-hint: "<event: architecture-decision|security-finding-closed|schema-change> [detail]"
+---
+
+Trigger a Sefer documentation pull using the **sefer-pull** skill, Mode B
+(triggered pull).
+
+Event: $ARGUMENTS
+
+Jehoshaphat coordinates. Pull only from the team that triggered the event and
+update only the affected docs:
+
+- `architecture-decision` → ARCHITECTURE.md + new ADR (Joah, MADR).
+- `security-finding-closed` → THREAT_MODEL.md + security posture (Shevna).
+- `schema-change` → data docs + migration runbook (Joah).
+
+Sefer writes to `docs/` only — never code. Every doc dated, Diátaxis quadrant
+declared, sourced from Cognee/reporters. English only.

package/payload/mishkan/commands/sprint-close.md

@@ -0,0 +1,21 @@
+---
+description: Close the current sprint — reporters surface, Nehemiah aggregates, Bezalel reviews, Sefer pulls, Cognee promotes, next sprint begins.
+---
+
+Close the current sprint milestone. First **produce a `/plan`** of what will be
+promoted to Cognee and what will be closed, and surface it to Y4NN for approval.
+Then run:
+
+1. Each **Team Reporter** surfaces its `team-report.json` (Maaseiah, Igal,
+   Elasah, Ahikam, Zaccur, Huldah) — via the **sprint-report** skill.
+2. **Nehemiah** aggregates all six team reports.
+3. **Bezalel** reviews architectural and security flags.
+4. **Sefer** runs a sequential pull (**sefer-pull** skill, Mode A) — changelogs,
+   ADRs, API docs, runbooks, team docs updated in `docs/`.
+5. Resolved research + decisions promoted to the Cognee project graph
+   (**cognee-promote** skill) — gated by Nehemiah + Bezalel.
+6. Observability aggregation runs; improvement-layer queries refresh.
+7. Update `./CLAUDE.md` to the next sprint (S+1) and reset milestone.
+
+Stateful operations stop at Y4NN's hands. Reporters surface structured summaries
+only. English only.

package/payload/mishkan/config/curated-library.yaml

@@ -0,0 +1,113 @@
+# MISHKAN curated library — per-team vetted references, ingested into Cognee as
+# CuratedResource nodes (ontology: type=CuratedResource). Specific to Y4NN's
+# actual stack. Distinct from the research pipeline: the pipeline finds new
+# things; this library holds proven things agents load without searching.
+# Seeded by scripts/seed-curated-library.sh once Cognee is running.
+
+chosheb:   # Design
+  - { name: "NN/g — 10 Usability Heuristics", url: "https://www.nngroup.com/articles/ten-usability-heuristics/", problem_class: "heuristic-evaluation" }
+  - { name: "Laws of UX", url: "https://lawsofux.com/", problem_class: "cognitive-load-decision-architecture" }
+  - { name: "Refactoring UI", url: "https://www.refactoringui.com/", problem_class: "visual-design-heuristics" }
+  - { name: "Material Design 3", url: "https://m3.material.io/", problem_class: "design-system-reference" }
+  - { name: "Apple HIG", url: "https://developer.apple.com/design/human-interface-guidelines/", problem_class: "platform-native-design" }
+  - { name: "WCAG 2.2 Quick Reference", url: "https://www.w3.org/WAI/WCAG22/quickref/", problem_class: "accessibility-checklist" }
+  - { name: "Inclusive Components", url: "https://inclusive-components.design/", problem_class: "accessible-component-patterns" }
+  - { name: "IBM Carbon Design System", url: "https://carbondesignsystem.com/", problem_class: "design-system-architecture" }
+
+panim:   # Frontend
+  - { name: "MDN Web Docs", url: "https://developer.mozilla.org/", problem_class: "web-platform-reference" }
+  - { name: "React docs", url: "https://react.dev/", problem_class: "react-patterns" }
+  - { name: "TanStack docs hub", url: "https://tanstack.com/", problem_class: "data-fetching-routing" }
+  - { name: "TanStack Router v1", url: "https://tanstack.com/router/latest", problem_class: "routing" }
+  - { name: "Vite docs", url: "https://vitejs.dev/", problem_class: "build-tooling" }
+  - { name: "pnpm docs", url: "https://pnpm.io/", problem_class: "package-management" }
+  - { name: "Vercel docs", url: "https://vercel.com/docs", problem_class: "frontend-deployment" }
+  - { name: "TailwindCSS docs", url: "https://tailwindcss.com/docs", problem_class: "styling-system" }
+  - { name: "Nuxt 3 docs", url: "https://nuxt.com/docs", problem_class: "vue-ssr" }
+  - { name: "Storybook docs", url: "https://storybook.js.org/docs", problem_class: "component-isolation" }
+  - { name: "web.dev Core Web Vitals", url: "https://web.dev/articles/vitals", problem_class: "performance-budgets" }
+  - { name: "WAI-ARIA APG", url: "https://www.w3.org/WAI/ARIA/apg/", problem_class: "accessible-js-components" }
+  - { name: "Can I Use", url: "https://caniuse.com/", problem_class: "browser-compatibility" }
+  - { name: "Patterns.dev", url: "https://www.patterns.dev/", problem_class: "frontend-patterns" }
+
+yasad:   # Backend
+  - { name: "FastAPI docs", url: "https://fastapi.tiangolo.com/", problem_class: "python-api-framework" }
+  - { name: "Pydantic v2 docs", url: "https://docs.pydantic.dev/latest/", problem_class: "data-validation" }
+  - { name: "asyncpg docs", url: "https://magicstack.github.io/asyncpg/current/", problem_class: "async-postgres-driver" }
+  - { name: "Alembic docs", url: "https://alembic.sqlalchemy.org/en/latest/", problem_class: "schema-migrations" }
+  - { name: "SQLAlchemy 2.0 async", url: "https://docs.sqlalchemy.org/en/20/orm/extensions/asyncio.html", problem_class: "async-orm" }
+  - { name: "Hono docs", url: "https://hono.dev/", problem_class: "ts-edge-api" }
+  - { name: "NestJS docs", url: "https://docs.nestjs.com/", problem_class: "ts-enterprise-api" }
+  - { name: "Fastify docs", url: "https://fastify.dev/docs/latest/", problem_class: "ts-api-framework" }
+  - { name: "PostgreSQL docs", url: "https://www.postgresql.org/docs/current/", problem_class: "relational-db" }
+  - { name: "Use the Index, Luke", url: "https://use-the-index-luke.com/", problem_class: "sql-indexing" }
+  - { name: "MongoDB docs", url: "https://www.mongodb.com/docs/", problem_class: "document-db" }
+  - { name: "DynamoDB developer guide", url: "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/", problem_class: "key-value-db" }
+  - { name: "LangChain Python docs", url: "https://python.langchain.com/docs/introduction/", problem_class: "llm-orchestration" }
+  - { name: "LangGraph docs", url: "https://langchain-ai.github.io/langgraph/", problem_class: "stateful-ai-workflows" }
+  - { name: "HuggingFace Hub docs", url: "https://huggingface.co/docs/hub/", problem_class: "model-hub" }
+  - { name: "OpenRouter docs", url: "https://openrouter.ai/docs", problem_class: "model-routing" }
+  - { name: "Docker Model Runner docs", url: "https://docs.docker.com/ai/model-runner/", problem_class: "local-inference" }
+  - { name: "ChromaDB docs", url: "https://docs.trychroma.com/", problem_class: "vector-db" }
+  - { name: "Google AIP", url: "https://google.aip.dev/", problem_class: "api-design-standard" }
+  - { name: "OpenAPI 3.1 spec", url: "https://spec.openapis.org/oas/v3.1.0", problem_class: "api-contract" }
+  - { name: "AsyncAPI spec", url: "https://www.asyncapi.com/docs/reference/specification/latest", problem_class: "event-contract" }
+  - { name: "Twelve-Factor App", url: "https://12factor.net/", problem_class: "saas-app-design" }
+  - { name: "Martin Fowler", url: "https://martinfowler.com/", problem_class: "enterprise-patterns" }
+  - { name: "Designing Data-Intensive Applications", url: "https://dataintensive.net/", problem_class: "distributed-data" }
+
+mishmar:   # Security
+  - { name: "OWASP Top 10", url: "https://owasp.org/Top10/", problem_class: "web-app-risk" }
+  - { name: "OWASP API Security Top 10 2023", url: "https://owasp.org/API-Security/editions/2023/en/0x00-header/", problem_class: "api-risk" }
+  - { name: "OWASP ASVS", url: "https://owasp.org/www-project-application-security-verification-standard/", problem_class: "verification-standard" }
+  - { name: "OWASP Cheat Sheet Series", url: "https://cheatsheetseries.owasp.org/", problem_class: "secure-coding-lookup" }
+  - { name: "MITRE ATT&CK", url: "https://attack.mitre.org/", problem_class: "adversary-tactics" }
+  - { name: "MITRE CWE Top 25", url: "https://cwe.mitre.org/top25/", problem_class: "code-weakness-patterns" }
+  - { name: "NVD / CVE", url: "https://nvd.nist.gov/", problem_class: "vulnerability-data" }
+  - { name: "OSV.dev", url: "https://osv.dev/", problem_class: "dependency-vulnerabilities" }
+  - { name: "SLSA Framework", url: "https://slsa.dev/", problem_class: "supply-chain-security" }
+  - { name: "Keycloak documentation", url: "https://www.keycloak.org/documentation", problem_class: "identity-provider" }
+  - { name: "Keycloak hardening guide", url: "https://www.keycloak.org/server/hardening", problem_class: "identity-hardening" }
+  - { name: "SOPS documentation", url: "https://getsops.io/docs/", problem_class: "secret-management" }
+  - { name: "age encryption", url: "https://age-encryption.org/", problem_class: "encryption" }
+  - { name: "STRIDE threat modeling", url: "https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats", problem_class: "threat-modelling" }
+  - { name: "NIST SSDF SP 800-218", url: "https://csrc.nist.gov/Projects/ssdf", problem_class: "secure-sdlc" }
+  - { name: "CIS Benchmarks", url: "https://www.cisecurity.org/cis-benchmarks", problem_class: "hardening-baselines" }
+  - { name: "Traefik security docs", url: "https://doc.traefik.io/traefik/https/tls/", problem_class: "tls-ingress-security" }
+
+migdal:   # Infrastructure
+  - { name: "Docker Compose docs", url: "https://docs.docker.com/compose/", problem_class: "container-orchestration" }
+  - { name: "Docker networking docs", url: "https://docs.docker.com/network/", problem_class: "container-networking" }
+  - { name: "Docker security docs", url: "https://docs.docker.com/engine/security/", problem_class: "container-security" }
+  - { name: "Traefik v3 docs", url: "https://doc.traefik.io/traefik/", problem_class: "reverse-proxy" }
+  - { name: "GitLab CI/CD docs", url: "https://docs.gitlab.com/ee/ci/", problem_class: "ci-cd-pipeline" }
+  - { name: "GitLab CI variables", url: "https://docs.gitlab.com/ee/ci/variables/", problem_class: "ci-secrets" }
+  - { name: "GitLab protected branches", url: "https://docs.gitlab.com/ee/user/project/protected_branches.html", problem_class: "deploy-gating" }
+  - { name: "Ansible docs", url: "https://docs.ansible.com/", problem_class: "config-management" }
+  - { name: "Kubernetes docs", url: "https://kubernetes.io/docs/home/", problem_class: "k8s-orchestration" }
+  - { name: "Terraform best practices", url: "https://www.terraform-best-practices.com/", problem_class: "iac-patterns" }
+  - { name: "CIS Kubernetes Benchmark", url: "https://www.cisecurity.org/benchmark/kubernetes", problem_class: "k8s-hardening" }
+  - { name: "AWS Well-Architected", url: "https://aws.amazon.com/architecture/well-architected/", problem_class: "cloud-architecture-review" }
+  - { name: "GCP Architecture Framework", url: "https://cloud.google.com/architecture/framework", problem_class: "cloud-architecture-review" }
+  - { name: "CNCF Landscape", url: "https://landscape.cncf.io/", problem_class: "cloud-native-tooling" }
+  - { name: "OpenTelemetry docs", url: "https://opentelemetry.io/docs/", problem_class: "observability-instrumentation" }
+  - { name: "Prometheus docs", url: "https://prometheus.io/docs/", problem_class: "metrics" }
+  - { name: "Grafana docs", url: "https://grafana.com/docs/", problem_class: "dashboards" }
+  - { name: "Loki docs", url: "https://grafana.com/docs/loki/latest/", problem_class: "log-aggregation" }
+  - { name: "Sentry docs", url: "https://docs.sentry.io/", problem_class: "error-tracking" }
+  - { name: "Google SRE Book", url: "https://sre.google/sre-book/table-of-contents/", problem_class: "sre-foundation" }
+  - { name: "Google SRE Workbook", url: "https://sre.google/workbook/table-of-contents/", problem_class: "sre-practice" }
+  - { name: "NIST CSF 2.0", url: "https://www.nist.gov/cyberframework", problem_class: "security-posture" }
+
+sefer:   # Documentation
+  - { name: "Diátaxis Framework", url: "https://diataxis.fr/", problem_class: "doc-architecture" }
+  - { name: "Google Dev Documentation Style Guide", url: "https://developers.google.com/style", problem_class: "technical-writing-style" }
+  - { name: "MADR ADR template", url: "https://adr.github.io/madr/", problem_class: "adr-format" }
+  - { name: "C4 Model", url: "https://c4model.com/", problem_class: "architecture-diagrams" }
+  - { name: "Keep a Changelog", url: "https://keepachangelog.com/en/1.1.0/", problem_class: "changelog-convention" }
+  - { name: "Semantic Versioning 2.0", url: "https://semver.org/", problem_class: "versioning" }
+  - { name: "Conventional Commits", url: "https://www.conventionalcommits.org/en/v1.0.0/", problem_class: "commit-convention" }
+  - { name: "OpenAPI → API docs", url: "https://spec.openapis.org/oas/v3.1.0", problem_class: "api-documentation" }
+  - { name: "Stripe API docs (quality benchmark)", url: "https://docs.stripe.com/api", problem_class: "api-doc-quality-bar" }
+  - { name: "Docusaurus", url: "https://docusaurus.io/", problem_class: "docs-site-generator" }
+  - { name: "Write the Docs", url: "https://www.writethedocs.org/guide/", problem_class: "docs-workflow" }

package/payload/mishkan/config/improvement-queries.md

@@ -0,0 +1,29 @@
+# MISHKAN — Improvement Layer Queries
+
+Saved queries the improvement layer runs against Cognee (and the observability
+aggregate) to make MISHKAN better over time. Run after `/sprint-close`, once two
+or three sprints of data exist.
+
+These are intent specifications; the concrete query syntax binds to the deployed
+Cognee API (D-001). Each maps to an action.
+
+| # | Query intent | Reads | Action it drives |
+|---|---|---|---|
+| 1 | **Most expensive agents per sprint** | observability aggregate (cost, tokens) + `Agent` nodes | Prompt-optimisation targets; retier a costly Sonnet→Haiku where quality allows |
+| 2 | **Tools called most per team** | observability aggregate (tool_calls) grouped by team | MCP access refinement; prune unused tool grants, keep the <10 MCP / <80 tool budget |
+| 3 | **Blocker hot spots** | `Task` nodes with `blocks` edges, clustered | Workflow bottleneck detection; resequence or split tasks |
+| 4 | **Components accumulating findings** | `SecurityFinding` nodes grouped by `location` | Structural risk surfacing; flag a component for refactor/threat-review |
+| 5 | **Curated library hit rate per problem class** | `CuratedLibraryHit` joined to `CuratedResource` | Identify under-used resources (prune) and high-value ones (promote); detect gaps where the web pipeline is used because the library lacks coverage |
+| 6 | **Cache hit rate per agent** | observability aggregate (tokens_cached / tokens_input) | Validate the token-optimisation layer; fix agents whose static prefix is not caching |
+| 7 | **Research outcome ratio** | `ResearchOutput` nodes (resolved/partial/blocked) | Detect problem classes the pipeline repeatedly fails; seed the curated library |
+
+## Cadence
+
+- Per sprint close: run queries 1–3, 6 (cost + flow health).
+- Every ~3 sprints: run queries 4, 5, 7 (structural + library health).
+
+## Owner
+
+Nehemiah + Bezalel review the outputs at sprint close and decide actions
+(retiering, MCP pruning, library updates, refactor flags). The improvement layer
+surfaces; the orchestrators act.

package/payload/mishkan/config/model-routing.yaml

@@ -0,0 +1,87 @@
+# MISHKAN model routing — Claude tiers only (decision D-002, no local models).
+# AUTHORITATIVE: the PreToolUse hook hooks/model-route.py reads this file on
+# every Task/Agent call and injects `model` for any agent LISTED below, which
+# overrides that agent's frontmatter `model:`. So this file is the single source
+# of truth for the 45 MISHKAN agents. Agents NOT listed here (e.g. aiobi-ops,
+# Explore) are left untouched and keep their own frontmatter model. Three tiers:
+# opus, sonnet, haiku. (Edit here, not frontmatter — frontmatter is the fallback
+# used only if the hook is removed.)
+#
+# Rationale per tier:
+#   opus   — orchestration, team leadership, knowledge publication (judgement-heavy)
+#   sonnet — anything that WRITES code/config into the codebase (precision matters
+#            on Y4NN's code) + senior specialists + research clarify/formulate/research
+#   haiku  — agents that do NOT write code: QA (evaluate-only), Reporters
+#            (collect-only), pure advisors (Deborah, Rehum), research
+#            summarise/evaluate/report. Cost-sensitive, no precision risk to code.
+
+defaults:
+  unlisted_agent: sonnet   # documented default tier for a NEW mishkan agent not
+                           # yet added below. NOT hook-enforced on foreign agents
+                           # (they keep their own model). Add new agents to the map.
+
+agents:
+  # Orchestration
+  nehemiah: opus
+  bezalel: opus
+
+  # Research pipeline
+  jakin: sonnet
+  ezra: sonnet
+  caleb: sonnet
+  shaphan: haiku
+  shemaiah: haiku
+  baruch: haiku
+
+  # Mishmar (Security)
+  phinehas: opus      # lead
+  ira: sonnet
+  benaiah: sonnet
+  joab: sonnet
+  hushai: sonnet
+  maaseiah: haiku     # reporter
+
+  # Yasad (Backend)
+  zerubbabel: opus    # lead
+  nathan: sonnet      # architecture
+  zadok: sonnet       # contracts / design system
+  hizkiah: sonnet     # implementation — writes backend code
+  shallum: sonnet     # databases
+  uriah: haiku        # QA
+  igal: haiku         # reporter
+
+  # Chosheb (Design)
+  aholiab: opus       # lead
+  hiram: sonnet       # writes prototype code
+  deborah: haiku      # advisory only, no code
+  elasah: haiku       # reporter
+
+  # Panim (Frontend)
+  huram: opus         # lead
+  oholiab: sonnet     # design system expert
+  salma: sonnet       # writes frontend code
+  obed: sonnet        # writes asset-pipeline config
+  asaph: sonnet       # remediates markup
+  jahaziel: haiku     # QA — evaluate only
+  ahikam: haiku       # reporter
+
+  # Migdal (Infrastructure)
+  eliashib: opus      # lead
+  meshullam: sonnet   # infra design
+  palal: sonnet       # writes system configs/scripts
+  meremoth: sonnet    # writes CI/pipeline code
+  hanun: sonnet       # writes hardening/observability config
+  rehum: haiku        # advisor — no code
+  zaccur: haiku       # reporter
+
+  # Sefer (Documentation)
+  jehoshaphat: opus   # lead
+  seraiah: sonnet
+  joah: sonnet
+  shevna: haiku
+  jehonathan: opus    # knowledge publication
+  huldah: haiku       # reporter
+
+# Tier totals: opus=9, sonnet=22, haiku=14  (45 agents)
+# Principle: any agent that writes code/config into the codebase runs on Sonnet
+# (precision on Y4NN's code). Haiku only for evaluate/collect/advise roles.

package/payload/mishkan/config/projects.yaml

@@ -0,0 +1,38 @@
+# MISHKAN project registry — portable, NOT machine-bound.
+# The cross-project dependency audit discovers projects rather than hardcoding
+# paths. Resolution order:
+#   1. $MISHKAN_WORKSPACE env var, if set
+#   2. workspace_root below, if set (supports ~ and $HOME)
+#   3. the current working directory's parent
+# Under the resolved workspace root, every git repository is treated as a project
+# (excluding the dirs below). Set explicit `project_roots` only to override
+# discovery. Ship with discovery on and no hardcoded paths.
+
+workspace_root: ""          # e.g. "~/Projects" — empty = auto (env or cwd parent)
+
+project_roots: []           # explicit override; empty = discover git repos under workspace_root
+
+# Manifest/lockfile filenames the audit looks for in each project (recursively,
+# excluding the dirs below).
+manifest_globs:
+  - package.json
+  - pnpm-lock.yaml
+  - requirements*.txt
+  - pyproject.toml
+  - poetry.lock
+  - uv.lock
+  - go.mod
+  - Cargo.toml
+  - composer.json
+  - composer.lock
+  - pom.xml
+  - build.gradle
+
+exclude_dirs:
+  - node_modules
+  - vendor
+  - .git
+  - dist
+  - build
+  - .venv
+  - target