mishkan-harness 0.1.0

package/payload/mishkan/hooks/pre-tool-security.sh

@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+# MISHKAN PreToolUse security hook — Ira (Mishmar).
+# Inspects Write/Edit/MultiEdit content before it lands.
+# Blocks: hardcoded secrets, eval of untrusted input, SQL string concatenation,
+# :latest Docker tags. Returns a PreToolUse deny decision on violation.
+#
+# Fail-open by design: if the payload cannot be parsed (e.g. jq missing), the
+# hook allows the operation and notes it on stderr rather than bricking all
+# writes. Positive detections always block.
+set -uo pipefail
+
+INPUT="$(cat)"
+
+# Need jq to inspect structured payload. Fail open if absent.
+if ! command -v jq >/dev/null 2>&1; then
+  echo "mishkan/pre-tool-security: jq not found — skipping inspection" >&2
+  exit 0
+fi
+
+tool_name="$(printf '%s' "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)"
+file_path="$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)"
+
+# Gather the content being written, across Write/Edit/MultiEdit shapes.
+content="$(printf '%s' "$INPUT" | jq -r '
+  [ .tool_input.content?,
+    .tool_input.new_string?,
+    ( .tool_input.edits? // [] | .[].new_string? )
+  ] | map(select(. != null)) | join("\n")
+' 2>/dev/null)"
+
+# Nothing to inspect.
+[ -z "$content" ] && exit 0
+
+deny() {
+  # PreToolUse deny via structured output.
+  jq -n --arg reason "$1" '{
+    hookSpecificOutput: {
+      hookEventName: "PreToolUse",
+      permissionDecision: "deny",
+      permissionDecisionReason: $reason
+    }
+  }'
+  exit 0
+}
+
+lc_path="$(printf '%s' "$file_path" | tr '[:upper:]' '[:lower:]')"
+
+# 1. Hardcoded secrets — assignment of a non-env, non-placeholder literal.
+if printf '%s' "$content" | grep -Eiq \
+  '(password|passwd|secret|api[_-]?key|access[_-]?key|token|client[_-]?secret)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{6,}["'"'"']'; then
+  # Allow obvious placeholders / env reads.
+  if ! printf '%s' "$content" | grep -Eiq '(CHANGEME|<[^>]+>|\$\{?[A-Z_]+\}?|os\.environ|process\.env|getenv|settings\.|pydantic|vault|sops)'; then
+    deny "Mishmar/Ira: hardcoded secret literal detected. Use SOPS/age + env injection, never literals in source. (rules/common/security.md)"
+  fi
+fi
+
+# 2. Key material, private keys, and known provider token formats.
+if printf '%s' "$content" | grep -Eq '(AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----)'; then
+  deny "Mishmar/Ira: key material detected in source. Move to SOPS-managed secrets. (rules/common/security.md)"
+fi
+if printf '%s' "$content" | grep -Eq '(gh[posu]_[A-Za-z0-9]{30,}|glpat-[A-Za-z0-9_-]{20,}|xox[baprs]-[A-Za-z0-9-]{10,}|sk_(live|test)_[A-Za-z0-9]{16,}|AIza[0-9A-Za-z_-]{30,}|ya29\.[0-9A-Za-z_-]+|SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}|dckr_pat_[A-Za-z0-9_-]{20,}|npm_[A-Za-z0-9]{30,})'; then
+  deny "Mishmar/Ira: a provider access token (GitHub/GitLab/Slack/Stripe/Google/SendGrid/Docker/npm) is hardcoded. Revoke it and move to SOPS/age + env. (rules/common/security.md)"
+fi
+
+# 2b. Connection strings with embedded credentials.
+if printf '%s' "$content" | grep -Eiq '(postgres|postgresql|mysql|mongodb|mongodb\+srv|redis|amqp|amqps)://[^:@/[:space:]]+:[^@/[:space:]]+@'; then
+  if ! printf '%s' "$content" | grep -Eiq '(<[^>]+>|\$\{?[A-Za-z_]+\}?|CHANGEME|:password@|:pass@|user:pass|env|getenv|os\.environ)'; then
+    deny "Mishmar/Ira: connection string with an embedded credential. Inject the password from SOPS/env, not the URL literal. (rules/common/security.md)"
+  fi
+fi
+
+# 3. Dynamic code execution / unsafe deserialization (py/js/ts).
+case "$lc_path" in
+  *.py|*.js|*.ts|*.tsx|*.jsx|*.mjs|*.cjs)
+    if printf '%s' "$content" | grep -Eq '(^|[^a-zA-Z0-9_.])eval[[:space:]]*\(' \
+       && ! printf '%s' "$content" | grep -Eiq '(ast\.literal_eval|# *safe-eval|json\.parse)'; then
+      deny "Mishmar/Ira: eval() on dynamic input is forbidden. (rules/common/security.md)"
+    fi
+    # new Function(...) constructor (JS/TS code-from-string)
+    if printf '%s' "$content" | grep -Eq 'new[[:space:]]+Function[[:space:]]*\('; then
+      deny "Mishmar/Ira: new Function() builds code from a string. Forbidden. (rules/common/security.md)"
+    fi
+    ;;
+esac
+case "$lc_path" in
+  *.py|*.pyi)
+    # exec() on dynamic input
+    if printf '%s' "$content" | grep -Eq '(^|[^a-zA-Z0-9_.])exec[[:space:]]*\(' \
+       && ! printf '%s' "$content" | grep -Eiq '# *safe-exec'; then
+      deny "Mishmar/Ira: exec() executes dynamic code. Forbidden. (rules/common/security.md)"
+    fi
+    # unsafe deserialization
+    if printf '%s' "$content" | grep -Eq '(pickle\.loads?|cloudpickle\.loads?|marshal\.loads)[[:space:]]*\('; then
+      deny "Mishmar/Ira: pickle/marshal deserialization of untrusted data is an RCE vector. Use a safe format (JSON). (rules/common/security.md)"
+    fi
+    # yaml.load without a safe loader
+    if printf '%s' "$content" | grep -Eq 'yaml\.load[[:space:]]*\(' \
+       && ! printf '%s' "$content" | grep -Eq '(SafeLoader|safe_load|Loader[[:space:]]*=[[:space:]]*yaml\.Safe)'; then
+      deny "Mishmar/Ira: yaml.load() without SafeLoader can execute arbitrary objects. Use yaml.safe_load(). (rules/common/security.md)"
+    fi
+    # shell command injection vectors
+    if printf '%s' "$content" | grep -Eq 'os\.system[[:space:]]*\('; then
+      deny "Mishmar/Ira: os.system() invites command injection. Use subprocess with an argument list and no shell. (rules/common/security.md)"
+    fi
+    if printf '%s' "$content" | grep -Eq 'subprocess\.[A-Za-z_]+\(.*shell[[:space:]]*=[[:space:]]*True'; then
+      deny "Mishmar/Ira: subprocess with shell=True is a command-injection risk. Pass an argument list, shell=False. (rules/common/security.md)"
+    fi
+    ;;
+esac
+case "$lc_path" in
+  *.js|*.ts|*.tsx|*.jsx|*.mjs|*.cjs)
+    # child_process exec with interpolation
+    if printf '%s' "$content" | grep -Eq '(child_process|require\(.child_process.\))' \
+       && printf '%s' "$content" | grep -Eq 'exec(Sync)?[[:space:]]*\(.*(\$\{|`.*\$|"[[:space:]]*\+)'; then
+      deny "Mishmar/Ira: child_process exec with string interpolation is a command-injection risk. Use execFile with an args array. (rules/common/security.md)"
+    fi
+    ;;
+esac
+
+# 4. SQL string concatenation / f-string interpolation.
+if printf '%s' "$content" | grep -Eiq '(select|insert|update|delete)[[:space:]].*("[[:space:]]*\+|\+[[:space:]]*"|f"[^"]*\{|%[[:space:]]*\()'; then
+  deny "Mishmar/Ira: SQL built by string concatenation/interpolation. Use parameterised queries (asyncpg params / ORM bindings). (rules/common/security.md)"
+fi
+
+# 5. :latest Docker tags (and untagged FROM).
+case "$lc_path" in
+  *dockerfile*|*docker-compose*|*compose*|*.yaml|*.yml)
+    if printf '%s' "$content" | grep -Eiq '(image:[[:space:]]*[^[:space:]]+:latest|^[[:space:]]*FROM[[:space:]]+[^[:space:]]+:latest)'; then
+      deny "Mishmar/Ira: ':latest' tag detected. Pin all image versions. (rules/infrastructure/migdal.md, y4nn-standards)"
+    fi
+    ;;
+esac
+
+# 6. TLS/certificate verification disabled.
+if printf '%s' "$content" | grep -Eiq '(verify[[:space:]]*=[[:space:]]*False|rejectUnauthorized[[:space:]]*:[[:space:]]*false|InsecureSkipVerify[[:space:]]*:[[:space:]]*true|NODE_TLS_REJECT_UNAUTHORIZED[[:space:]]*=[[:space:]]*.?0|curl_setopt.*CURLOPT_SSL_VERIFYPEER.*false|ssl[._]?verify[[:space:]]*=[[:space:]]*false)'; then
+  deny "Mishmar/Ira: TLS/certificate verification is being disabled. This breaks transport security. (rules/common/security.md)"
+fi
+
+# 7. Weak hashing used on a password/secret.
+if printf '%s' "$content" | grep -Eiq '(md5|sha1)[[:space:]]*\([^)]*(pass|pwd|secret|token|credential)'; then
+  deny "Mishmar/Ira: weak hash (MD5/SHA1) applied to a credential. Use bcrypt/argon2/scrypt for passwords. (rules/common/security.md)"
+fi
+
+# 8. CORS wildcard combined with credentials (same write).
+if printf '%s' "$content" | grep -Eiq 'access-control-allow-origin["'"'"'[:space:]]*[:=][[:space:]]*["'"'"']?\*' \
+   && printf '%s' "$content" | grep -Eiq 'access-control-allow-credentials["'"'"'[:space:]]*[:=][[:space:]]*["'"'"']?true'; then
+  deny "Mishmar/Ira: CORS '*' origin together with credentials:true is forbidden by the CORS spec and leaks credentials. Pin explicit origins. (rules/common/security.md, OWASP API Top 10)"
+fi
+
+exit 0

package/payload/mishkan/hooks/session-start.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# MISHKAN SessionStart hook — DEFERRED (design §20, pending Claude Code stability).
+#
+# Intended behaviour: on a new context window, load sprint state from the
+# project ./CLAUDE.md and query Cognee for active blockers, so Nehemiah greets
+# with current context. Until the SessionStart hook event is validated as
+# stable, this work lives in the /mishkan-resume command instead, and this
+# script is NOT registered in settings.json.
+#
+# Kept here so that, once SessionStart is confirmed, wiring it is a one-line
+# settings change rather than new development.
+set -uo pipefail
+
+PROJECT_CLAUDE="./CLAUDE.md"
+ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+
+if [ -f "$PROJECT_CLAUDE" ] && grep -q "Cognee namespace" "$PROJECT_CLAUDE" 2>/dev/null; then
+  echo "mishkan/session-start: MISHKAN project detected at ${ts}. Run /mishkan-resume to restore sprint state." >&2
+fi
+exit 0

package/payload/mishkan/hooks/stop-reporter.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# MISHKAN Stop hook — Team Reporter milestone trigger.
+#
+# Claude Code's Stop fires on main-agent stop; SubagentStop fires for subagents.
+# Detecting "a Team Reporter is finishing" from the hook payload alone is not
+# reliable, so this hook uses a marker file convention: a Reporter agent (or the
+# /sprint-close command) touches ~/.claude/mishkan/logs/.reporter-active with the
+# team name before assembling its report. This hook checks for that marker and,
+# if present, signals the sprint-report skill to run, then clears the marker.
+#
+# Without the marker this hook is a no-op so it never interferes with ordinary
+# session stops (which already play the finish sound via the existing Stop hook).
+set -uo pipefail
+
+MARKER="${HOME}/.claude/mishkan/logs/.reporter-active"
+
+[ -f "$MARKER" ] || exit 0
+
+team="$(cat "$MARKER" 2>/dev/null || echo unknown)"
+ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+
+# Record that a reporter milestone assembly is due. The sprint-report skill,
+# invoked by the reporter agent, performs the actual team-report.json assembly;
+# this hook only emits the trigger breadcrumb and clears the marker.
+echo "{\"event\":\"reporter_milestone\",\"team\":\"${team}\",\"timestamp\":\"${ts}\"}" \
+  >> "${HOME}/.claude/mishkan/logs/milestones.jsonl" 2>/dev/null
+
+rm -f "$MARKER" 2>/dev/null
+exit 0

package/payload/mishkan/ontology.md

@@ -0,0 +1,87 @@
+# MISHKAN — Cognee Graph Ontology
+
+The schema for the shared knowledge graph. Entity types are nodes; relationship
+types are edges. The graph starts near-empty and grows through working sessions —
+nothing is pre-seeded except the curated library (Phase 8).
+
+This ontology is versioned in `harness/` so changes are reviewable. Schema drift
+is expected; amend with a dated entry rather than rewriting silently.
+
+---
+
+## Entity types (nodes)
+
+| Entity | Description | Key properties |
+|---|---|---|
+| **Agent** | One of the 45 MISHKAN agents | `alias`, `team`, `role`, `model_tier` |
+| **Team** | One of the six teams | `name`, `hebrew`, `domain`, `lead_alias` |
+| **Project** | A repo MISHKAN was initialised on | `name`, `path`, `stack`, `created_sprint` |
+| **Sprint** | A delivery cycle within a project | `id` (S0, S1…), `project`, `started`, `closed`, `milestone` |
+| **Task** | A scoped unit of work | `id` (T-N), `sprint`, `description`, `status`, `assigned_team`, `assigned_agent` |
+| **Decision** | An architectural or scope decision | `id`, `made_by`, `sprint`, `summary`, `drivers`, `consequences`, `adr_ref` |
+| **ResearchOutput** | A resolved research pipeline result | `id`, `agent`, `team`, `query_intent`, `summary`, `outcome`, `applied_to_task` |
+| **CaseNode** | A problem solved using a curated resource | `team`, `agent`, `problem_class`, `resource_applied`, `resolution`, `outcome`, `sprint`, `task` |
+| **CuratedResource** | A vetted professional reference | `name`, `url`, `team`, `problem_class`, `source_tier` |
+| **Incident** | A documented failure + recovery | `id`, `date`, `service`, `root_causes[]`, `resolution`, `postmortem_ref` |
+| **ADR** | Architecture Decision Record | `id`, `title`, `date`, `status`, `drivers`, `decision`, `consequences` |
+| **RunbookProcedure** | An operational procedure | `id`, `title`, `service`, `trigger`, `steps_ref`, `status` |
+| **SecurityFinding** | A finding from Mishmar | `id`, `severity`, `location`, `rule_violated`, `remediation`, `status`, `sprint` |
+| **CuratedLibraryHit** | Telemetry: a curated resource was used | `resource`, `team`, `problem_class`, `sprint`, `count` |
+
+---
+
+## Relationship types (edges)
+
+| Edge | From → To | Meaning |
+|---|---|---|
+| **member-of** | Agent → Team | agent belongs to team |
+| **leads** | Agent → Team | agent is the team lead |
+| **assigned-to** | Task → Agent / Team | who owns the task |
+| **part-of** | Task → Sprint, Sprint → Project | hierarchy |
+| **applies-to** | CuratedResource → Task / problem_class | resource is relevant here |
+| **supersedes** | ADR → ADR, Decision → Decision, Doc → Doc | replaces a prior |
+| **validated-by** | Decision → ResearchOutput / CaseNode | evidence backing a decision |
+| **blocks** | Task → Task, SecurityFinding → Task | dependency / gate |
+| **derives-from** | Decision → ResearchOutput, ADR → Decision | provenance |
+| **escalated-to** | Task / Decision → Agent | who it was escalated to |
+| **written-by** | ResearchOutput / Decision / CaseNode → Agent | authorship |
+| **references** | any → any | loose citation link |
+| **mitigates** | Decision / Task → SecurityFinding / Incident | what addresses a risk |
+| **resolved-by** | Incident / SecurityFinding → Task / Decision | closure link |
+| **uses** | CaseNode → CuratedResource | which resource solved the case |
+| **documents** | ADR / RunbookProcedure → Decision / Incident / Task | doc covers this |
+
+---
+
+## Blast-radius tagging
+
+Every node written to the graph carries a `blast_radius` property used by the
+knowledge-promotion model (design §9):
+
+- `agent-private` — stays in subagent MEMORY.md, not promoted to graph
+  (these generally do not reach Cognee at all).
+- `team-level` — promoted by Team Lead; tagged with `team`.
+- `cross-harness` — promoted by Nehemiah + Bezalel at sprint close; visible
+  to all agents.
+
+Only `team-level` and `cross-harness` nodes live in Cognee. `agent-private`
+knowledge stays in flat MEMORY.md files per the promotion model.
+
+---
+
+## Query patterns the improvement layer relies on
+
+These saved queries (Phase 8) read the graph:
+
+1. **Most expensive agents per sprint** — `Agent` nodes with aggregated
+   observability metrics, ordered by cost.
+2. **Tools called most per team** — observability metrics grouped by `team`.
+3. **Blocker hot spots** — `Task` nodes with `blocks` edges, clustered.
+4. **Components accumulating findings** — `SecurityFinding` nodes grouped by
+   `location`.
+5. **Curated library hit rate per problem class** — `CuratedLibraryHit`
+   aggregated by `problem_class`, joined to `CuratedResource`.
+
+---
+
+*Ontology v1, locked May 2026. Amend with dated entries on schema drift.*

package/payload/mishkan/rules/backend/yasad.md

@@ -0,0 +1,23 @@
+---
+description: Yasad (Backend) rules — load on backend files
+globs: ["**/*.py", "**/*.pyi", "**/*.ts", "**/*.go", "**/*.rs", "**/*.java", "**/*.kt", "**/*.sql", "**/*.prisma", "**/*.proto", "**/*.graphql", "**/api/**", "**/migrations/**", "**/alembic/**", "**/models/**", "**/schemas/**", "**/services/**", "**/repositories/**", "**/routers/**", "**/handlers/**", "**/middleware/**", "**/tests/**", "**/conftest.py", "**/pyproject.toml", "**/poetry.lock", "**/uv.lock", "**/requirements*.txt", "**/go.mod", "**/go.sum", "**/Cargo.toml", "**/Cargo.lock", "**/openapi*.{yaml,yml,json}", "**/asyncapi*.{yaml,yml,json}"]
+alwaysApply: false
+---
+
+# Yasad — Backend Rules
+
+Load only on `.py`/`.ts`/`.go`/`.rs`/`api/**`. Owned by Zerubbabel (Team Lead).
+
+- **OpenAPI 3.1 contract defined before any endpoint implementation.**
+- **FastAPI (primary Python):** Pydantic v2 models for all request/response. Lifespan for startup/shutdown. asyncpg for PostgreSQL. Dependency injection for shared resources.
+- **No raw SQL string formatting.** asyncpg parameters always.
+- **Alembic for all schema migrations.** No manual `ALTER TABLE`.
+- **Repository pattern** for data access — no ORM calls in route handlers.
+- **LangGraph for stateful AI workflows** — not raw LangChain chains.
+- **pydantic-settings** for environment config — not `os.environ` directly.
+- **Hono (TS):** typed routes, Zod validation on all inputs.
+- **NestJS (TS):** modules, providers, guards pattern — no God controllers.
+- **Fastify (TS):** schema-validated routes.
+- Alternate backends: Go, Rust, PHP/Laravel (working level).
+- AI/ML layer: LangChain, LangGraph, HuggingFace Hub, OpenRouter, ChromaDB, sentence-transformers.
+- Databases: PostgreSQL primary (indexing, query planning, extensions); MongoDB, DynamoDB also in use.

package/payload/mishkan/rules/common/dependencies.md

@@ -0,0 +1,53 @@
+---
+description: Dependency management & supply-chain security — load on dependency manifests and lockfiles (Mishmar/Benaiah-owned)
+globs: ["**/package.json", "**/pnpm-lock.yaml", "**/pnpm-workspace.yaml", "**/requirements*.txt", "**/pyproject.toml", "**/poetry.lock", "**/uv.lock", "**/Pipfile*", "**/go.mod", "**/go.sum", "**/Cargo.toml", "**/Cargo.lock", "**/composer.json", "**/composer.lock", "**/Gemfile*", "**/pom.xml", "**/build.gradle*", "**/*.csproj"]
+alwaysApply: false
+---
+
+# Dependency Management & Supply-Chain Security
+
+Owned by Benaiah (supply-chain) with Ira at the code level. Loads whenever a
+dependency manifest or lockfile is touched. Adding or upgrading a dependency is a
+**security decision**, not a convenience.
+
+## Before adding or upgrading any dependency — vet it first
+
+Run the **dependency-vetting** skill (drives the research pipeline). Do not adopt
+a package until the following are checked and recorded in a research log:
+
+1. **Known vulnerabilities** — query OSV.dev / NVD for the exact version.
+2. **Maintenance health** — last release, open critical issues, single-maintainer
+   risk, deprecation status.
+3. **Typosquatting / impersonation** — confirm the package name and namespace are
+   the genuine, intended ones (a frequent supply-chain vector).
+4. **Provenance** — signed releases / SLSA level where available; source repo matches.
+5. **Transitive blast radius** — what it pulls in; new transitive risk.
+
+If vetting is not clean, do not add it — surface the finding to the team lead.
+
+## Pinning & lockfiles
+
+- **Pin exact versions.** No `"*"`, no `"latest"`, no unbounded ranges in manifests.
+- **Commit the lockfile** and treat it as the source of truth. `pnpm-lock.yaml` for
+  JS/TS (pnpm only — never `package-lock.json`/`yarn.lock`), `poetry.lock`/`uv.lock`
+  for Python, `go.sum`, `Cargo.lock`, `composer.lock`.
+- **Never hand-edit a lockfile.** Regenerate it via the package manager so the
+  integrity hashes stay valid.
+- **CVE pin comment** — when a version is pinned to dodge a CVE, cite the CVE id inline.
+
+## Sources & integrity
+
+- Only HTTPS package sources. No `http://`, no `git+http://`.
+- No installing from arbitrary URLs or unpinned git refs (`git+https#<commit-sha>` only).
+- Verify registry integrity / hashes are enabled (`pnpm` strict, pip hash-checking
+  where used).
+
+## Updates during the SDLC
+
+- Staged upgrades, not blind bumps: use the **dependency-upgrade** skill —
+  compatibility analysis, changelog/breaking-change review, test before merge.
+- Group security patches separately from feature bumps.
+- Re-vet (steps 1–5) on every **major** version change and on any maintainer/owner
+  change of the package.
+- Dependency scanning (`trivy`, OSV-Scanner) runs in CI as a gate (Ira), and the
+  `security:scan` stage blocks merge on a new critical/high.

package/payload/mishkan/rules/common/quality.md

@@ -0,0 +1,16 @@
+---
+description: MISHKAN common quality rules — apply to all files (Bezalel-owned)
+alwaysApply: true
+---
+
+# Common Quality Rules
+
+Owned by Bezalel. Apply to all files.
+
+- **No commented-out code** in commits.
+- **No TODO without an owner and a linked task.**
+- **No magic numbers** — use named constants.
+- **Tests required** for any business logic.
+- **Diagnose before fix** — root cause documented before solution implemented.
+- **Two root causes** on any non-trivial failure.
+- **OpenAPI 3.1 contract before implementation** on any API endpoint.

package/payload/mishkan/rules/common/security.md

@@ -0,0 +1,20 @@
+---
+description: MISHKAN common security rules — apply to all files (Mishmar-owned)
+alwaysApply: true
+---
+
+# Common Security Rules
+
+Owned by Mishmar. Apply to all files. Security is a constraint shaping output
+from the start, not an audit at the end.
+
+- **No hardcoded secrets.** No passwords, tokens, API keys, or connection strings in source.
+- **No `eval()`** or equivalent dynamic code execution from untrusted input.
+- **No SQL string concatenation.** Parameterised queries always (asyncpg parameters, ORM bindings).
+- **Input validation** on every API boundary — validate type, range, and shape before use.
+- **Output encoding** for all user-facing content (prevent XSS, injection in rendered output).
+- **Rate limiting** on all public API endpoints.
+- **Session security middleware** always present on stateful services.
+- **SOPS + age** for secret management. Never commit plaintext `.env` to version control.
+- **Hardening overlay** re-applied on every container recreate — not optional, not one-time.
+- **Keycloak SSO** as the identity source for any multi-service system.

package/payload/mishkan/rules/documentation/sefer.md

@@ -0,0 +1,19 @@
+---
+description: Sefer (Documentation) rules — load on docs files
+globs: ["**/docs/**", "**/*.md", "**/*.mdx", "**/*.rst", "**/*.adoc", "**/adr/**", "**/rfc/**", "**/runbooks/**", "**/diagrams/**", "**/CHANGELOG.md", "**/CHANGES.md", "**/README.md", "**/CONTRIBUTING.md", "**/SECURITY.md", "**/ARCHITECTURE.md", "**/mkdocs.y*ml", "**/docusaurus.config.*", "**/.github/ISSUE_TEMPLATE/**", "**/.github/PULL_REQUEST_TEMPLATE*"]
+alwaysApply: false
+---
+
+# Sefer — Documentation Rules
+
+Load only on `docs/**` and markdown. Owned by Jehoshaphat (Team Lead).
+
+- **Diátaxis quadrant declared** on every doc: Tutorial / How-to / Reference / Explanation.
+- **ADR format: MADR template.** Decision drivers explicit. Consequences documented (positive/negative/risk).
+- **Changelog: Keep a Changelog format.** Semantic versioning.
+- **Commit messages feed the changelog** — Conventional Commits convention.
+- **README: 50–150 lines.** Written for builders, not end users. Terse.
+- **Design documents: 300–800 lines.** Heavy. Future-engineer audience.
+- **Runbooks: copy-paste safe under stress.** One command per failure mode, no thinking required at execution time.
+- **No documentation without a date.** No undated decisions.
+- Sefer writes to `docs/` only — never to the codebase.

package/payload/mishkan/rules/frontend/panim.md

@@ -0,0 +1,21 @@
+---
+description: Panim (Frontend) rules — load on frontend files
+globs: ["**/*.tsx", "**/*.jsx", "**/*.ts", "**/*.js", "**/*.mjs", "**/*.cjs", "**/*.vue", "**/*.svelte", "**/*.astro", "**/*.css", "**/*.scss", "**/*.sass", "**/*.less", "**/*.html", "**/*.webmanifest", "**/components/**", "**/pages/**", "**/layouts/**", "**/composables/**", "**/stores/**", "**/hooks/**", "**/*.stories.*", "**/*.spec.{ts,tsx,js,jsx}", "**/*.test.{ts,tsx,js,jsx}", "**/.storybook/**", "**/vite.config.*", "**/vitest.config.*", "**/playwright.config.*", "**/tailwind.config.*", "**/postcss.config.*", "**/nuxt.config.*", "**/next.config.*", "**/.eslintrc*", "**/eslint.config.*"]
+alwaysApply: false
+---
+
+# Panim — Frontend Rules
+
+Load only on `.tsx`/`.jsx`/`.vue`/`.css`/`.html`. Owned by Huram (Team Lead).
+
+- **pnpm only.** No `package-lock.json` or `yarn.lock` committed.
+- **TailwindCSS utility classes** — no arbitrary CSS unless justified in a comment.
+- **WCAG 2.2 AA minimum** on all interactive components.
+- **Core Web Vitals budgets:** LCP < 2.5s, INP < 200ms, CLS < 0.1.
+- **TanStack Query** for all data fetching — no raw `fetch` in components.
+- **TanStack Router** for routing — no `react-router` unless maintaining legacy.
+- **Component co-location** — component, test, and story in the same directory.
+- **No inline styles. No `!important`.**
+- **WAI-ARIA roles and labels** on all interactive elements.
+- **Vercel deployment config** present for frontend projects.
+- Stack: HTML/CSS/Tailwind, JS/TS, React, TanStack, Vite, Storybook; Nuxt 3 / Vue 3 where used.

package/payload/mishkan/rules/infrastructure/migdal.md

@@ -0,0 +1,22 @@
+---
+description: Migdal (Infrastructure) rules — load on infra files
+globs: ["**/Dockerfile*", "**/*.dockerfile", "**/.dockerignore", "**/docker-compose*", "**/compose*.y*ml", "**/*.tf", "**/*.tfvars", "**/*.hcl", "**/*.yaml", "**/*.yml", "**/*.sh", "**/*.bash", "**/*.conf", "**/*.cnf", "**/*.ini", "**/*.toml", "**/*.service", "**/*.timer", "**/*.tpl", "**/Makefile", "**/Justfile", "**/Caddyfile", "**/.gitlab-ci.yml", "**/.gitlab/**", "**/infra/**", "**/deploy/**", "**/ops/**", "**/ansible/**", "**/playbooks/**", "**/helm/**", "**/charts/**", "**/k8s/**", "**/kustomize/**", "**/kustomization*", "**/.github/workflows/**", "**/nginx*", "**/traefik*", "**/prometheus*", "**/grafana/**"]
+alwaysApply: false
+---
+
+# Migdal — Infrastructure Rules
+
+Load only on `Dockerfile`/`docker-compose*`/`*.tf`/`*.yaml`/`infra/**`. Owned by Eliashib (Team Lead).
+
+- **No `:latest` tags.** Pin all image versions.
+- **All resources tagged** with environment, owner, project.
+- **Least privilege** — no root processes in containers unless strictly required.
+- **Hardening overlay always applied** — not optional on recreate.
+- **Hash-based drift detection** on docker-compose changes (sha256 diff triggers recreate).
+- **SOPS-encrypted secrets** — no plaintext `.env` files committed.
+- **Traefik as reverse proxy** — nginx as static/fallback only.
+- **GitLab CI:** environment scoping on all jobs. Protected branches gate production deploys. Runner-to-runtime SSH patterns documented.
+- **Health checks on every service.** Idempotent recreate logic.
+- **Ansible for configuration management** — no manual server config.
+- Orchestration: Docker Compose primary; Kubernetes where scale requires. Terraform for declarative IaC. AWS + GCP.
+- Observability: Prometheus, Grafana, Loki, Sentry, GlitchTip. OpenTelemetry for instrumentation.

package/payload/mishkan/scripts/dependency-audit.sh

@@ -0,0 +1,171 @@
+#!/usr/bin/env bash
+# MISHKAN — cross-project dependency audit.
+# Reads config/projects.yaml, inventories manifests across every project root,
+# parses declared dependencies, computes cross-project shared packages + version
+# drift, and (where OSV-Scanner / trivy are installed) collects vulnerabilities
+# per project. Writes a portfolio report under logs/.
+#
+# Read-only: never installs, never edits manifests. Prepares the picture; the
+# dependency-audit skill turns it into a coordinated, vetted update plan.
+set -uo pipefail
+
+MISHKAN="${HOME}/.claude/mishkan"
+REG="${MISHKAN}/config/projects.yaml"
+TS="$(date -u +%Y%m%dT%H%M%SZ)"
+OUT="${MISHKAN}/logs/dep-audit-${TS}.json"
+
+command -v python3 >/dev/null 2>&1 || { echo "python3 required" >&2; exit 1; }
+[ -f "$REG" ] || { echo "project registry not found: $REG" >&2; exit 1; }
+
+OSV_BIN="$(command -v osv-scanner || true)"
+TRIVY_BIN="$(command -v trivy || true)"
+[ -n "$OSV_BIN" ]   && echo "osv-scanner: $OSV_BIN" || echo "osv-scanner: not installed (skipping CVE scan; inventory + drift still produced)"
+[ -n "$TRIVY_BIN" ] && echo "trivy: $TRIVY_BIN"     || echo "trivy: not installed"
+
+OSV_BIN="$OSV_BIN" TRIVY_BIN="$TRIVY_BIN" python3 - "$REG" "$OUT" <<'PY'
+import sys, os, json, glob, re, subprocess
+from collections import defaultdict
+try:
+    import yaml
+except ImportError:
+    sys.exit("pyyaml required: pip install pyyaml")
+
+reg_path, out_path = sys.argv[1], sys.argv[2]
+reg = yaml.safe_load(open(reg_path)) or {}
+manifest_globs = reg.get("manifest_globs", [])
+exclude = set(reg.get("exclude_dirs", []))
+
+def expand(p):
+    return os.path.expanduser(os.path.expandvars(p)) if p else p
+
+# Resolve project roots portably: explicit override > discovery under workspace.
+roots = [expand(r) for r in (reg.get("project_roots") or []) if r]
+if not roots:
+    ws = os.environ.get("MISHKAN_WORKSPACE") or expand(reg.get("workspace_root") or "")
+    if not ws:
+        ws = os.path.dirname(os.getcwd())  # cwd's parent
+    # discover git repositories under the workspace root (one level of nesting)
+    found = []
+    if os.path.isdir(ws):
+        for entry in sorted(os.listdir(ws)):
+            full = os.path.join(ws, entry)
+            if os.path.isdir(os.path.join(full, ".git")):
+                found.append(full)
+    roots = found
+    print(f"discovery: workspace={ws} -> {len(roots)} git repos", file=sys.stderr)
+osv = os.environ.get("OSV_BIN") or None
+trivy = os.environ.get("TRIVY_BIN") or None
+
+def find_manifests(root):
+    hits = []
+    for dirpath, dirnames, filenames in os.walk(root):
+        dirnames[:] = [d for d in dirnames if d not in exclude]
+        for fn in filenames:
+            for g in manifest_globs:
+                # simple glob match on filename
+                if glob.fnmatch.fnmatch(fn, g):
+                    hits.append(os.path.join(dirpath, fn)); break
+    return hits
+
+def parse_deps(path):
+    """Return {package: version_or_range} best-effort across ecosystems."""
+    deps = {}
+    fn = os.path.basename(path)
+    try:
+        if fn == "package.json":
+            d = json.load(open(path))
+            for k in ("dependencies", "devDependencies", "peerDependencies"):
+                deps.update({n: v for n, v in (d.get(k) or {}).items()})
+        elif fn.startswith("requirements") and fn.endswith(".txt"):
+            for line in open(path):
+                line = line.strip()
+                if not line or line.startswith("#"): continue
+                m = re.match(r"^([A-Za-z0-9_.\-]+)\s*([=<>!~]=?.*)?$", line)
+                if m: deps[m.group(1).lower()] = (m.group(2) or "").strip()
+        elif fn == "pyproject.toml":
+            txt = open(path).read()
+            for m in re.finditer(r'"([A-Za-z0-9_.\-]+)\s*([=<>!~][^"]*)?"', txt):
+                deps[m.group(1).lower()] = (m.group(2) or "").strip()
+        elif fn == "go.mod":
+            for m in re.finditer(r'^\s*([^\s]+/[^\s]+)\s+(v[0-9][^\s]*)', open(path).read(), re.M):
+                deps[m.group(1)] = m.group(2)
+        elif fn == "Cargo.toml":
+            in_deps = False
+            for line in open(path):
+                s = line.strip()
+                if s.startswith("["):
+                    in_deps = s.startswith("[dependencies") or s.startswith("[dev-dependencies")
+                    continue
+                if in_deps:
+                    m = re.match(r'^([A-Za-z0-9_\-]+)\s*=\s*"?([^"\n]*)"?', s)
+                    if m: deps[m.group(1)] = m.group(2).strip()
+        elif fn in ("composer.json",):
+            d = json.load(open(path))
+            for k in ("require", "require-dev"):
+                deps.update({n: v for n, v in (d.get(k) or {}).items()})
+    except Exception as e:
+        deps["_parse_error"] = str(e)
+    return deps
+
+def run_osv(root):
+    if not osv: return None
+    try:
+        r = subprocess.run([osv, "--format", "json", "-r", root],
+                           capture_output=True, text=True, timeout=180)
+        return json.loads(r.stdout) if r.stdout.strip() else {}
+    except Exception as e:
+        return {"_error": str(e)}
+
+# pkg -> {project: version}
+pkg_projects = defaultdict(dict)
+project_inventory = {}
+osv_results = {}
+
+for root in roots:
+    name = os.path.basename(root.rstrip("/"))
+    if not os.path.isdir(root):
+        project_inventory[name] = {"present": False}
+        continue
+    manifests = find_manifests(root)
+    declared = {}
+    for mpath in manifests:
+        for pkg, ver in parse_deps(mpath).items():
+            if pkg.startswith("_"): continue
+            declared[pkg] = ver
+            pkg_projects[pkg][name] = ver
+    project_inventory[name] = {"present": True,
+                               "manifests": [os.path.relpath(m, root) for m in manifests],
+                               "declared_count": len(declared)}
+    res = run_osv(root)
+    if res is not None:
+        osv_results[name] = res
+
+# cross-project: packages used in >1 project, and version drift
+shared = {}
+drift = {}
+for pkg, byproj in pkg_projects.items():
+    if len(byproj) > 1:
+        shared[pkg] = byproj
+        versions = set(v for v in byproj.values() if v)
+        if len(versions) > 1:
+            drift[pkg] = byproj
+
+report = {
+    "audit_date": out_path.split("dep-audit-")[-1].replace(".json", ""),
+    "scanners": {"osv_scanner": bool(osv), "trivy": bool(trivy)},
+    "projects_scanned": [n for n, v in project_inventory.items() if v.get("present")],
+    "projects_missing": [n for n, v in project_inventory.items() if not v.get("present")],
+    "inventory": project_inventory,
+    "shared_packages_count": len(shared),
+    "version_drift": drift,
+    "shared_packages": shared,
+    "osv_results_present": list(osv_results.keys()),
+    "note": "CVE detail in osv_results requires osv-scanner installed; otherwise this is inventory + drift only. Feed into the dependency-audit skill for prioritisation + vetted update plan.",
+}
+json.dump(report, open(out_path, "w"), indent=2)
+print(f"audited {len(report['projects_scanned'])} projects -> {out_path}")
+print(f"shared packages (>1 project): {len(shared)}; version drift: {len(drift)}")
+PY
+
+echo "Report written. Run the dependency-audit skill to prioritise (severity x blast"
+echo "radius), vet target versions, and produce the coordinated update plan."