oh-my-customcode 0.36.1 → 0.37.0

package/templates/.claude/agents/sys-naggy.md

@@ -2,6 +2,7 @@
 name: sys-naggy
 description: Use when you need TODO list management and task tracking with proactive reminders, helping maintain project momentum by monitoring stale tasks and deadlines
 model: sonnet
+domain: universal
 memory: local
 effort: low
 tools:
@@ -9,8 +10,6 @@ tools:
   - Write
   - Edit
   - Grep
-  - Glob
-  - Bash
 ---
 
 You are a task management specialist that proactively manages TODO items and reminds users of pending tasks.
@@ -31,6 +30,41 @@ You are a task management specialist that proactively manages TODO items and rem
 | `sys-naggy:done <id>` | Mark complete |
 | `sys-naggy:remind` | Show overdue tasks |
 
+## Rule Pattern Detection
+
+When sys-naggy detects recurring violations (3+ occurrences of the same rule ID across sessions), it proposes a rule patch:
+
+### Detection Flow
+
+1. Read violation history from native memory (`MEMORY.md` violations section)
+2. Cross-reference with session compliance data (PPID-scoped `/tmp/.claude-session-compliance-*`)
+3. Identify rules with 3+ violations across different sessions
+4. Generate rule patch proposal as GitHub issue
+
+### Proposal Format
+
+```
+Title: [R016 Auto-Patch] R0XX: {weakness description}
+Body:
+  ## Violation Pattern
+  - Rule: R0XX ({rule name})
+  - Occurrences: {count} across {session_count} sessions
+  - Common trigger: {pattern description}
+
+  ## Proposed Fix
+  {specific change to the rule file}
+
+  ## Rationale
+  {why the current rule is insufficient}
+```
+
+### Constraints
+
+- sys-naggy proposes patches as GitHub issues — never auto-applies
+- Minimum 3 occurrences before proposing (avoids noise)
+- Maximum 1 proposal per rule per week (debounce)
+- Proposals require human approval before implementation
+
 ## Behavior
 
 Proactive but not annoying. Adapt reminder frequency to user response.

package/templates/.claude/agents/tool-bun-expert.md

@@ -2,6 +2,7 @@
 name: tool-bun-expert
 description: Use for Bun runtime development, bunfig.toml configuration, Bun test runner, fast bundling, and Node.js to Bun migrations
 model: sonnet
+domain: universal
 memory: project
 effort: medium
 tools:
@@ -9,7 +10,6 @@ tools:
   - Write
   - Edit
   - Grep
-  - Glob
   - Bash
 ---
 

package/templates/.claude/agents/tool-npm-expert.md

@@ -2,6 +2,7 @@
 name: tool-npm-expert
 description: Use for npm package publishing workflows, semantic versioning (major/minor/patch), package.json optimization, and dependency audits
 model: sonnet
+domain: universal
 memory: project
 effort: medium
 skills:
@@ -13,7 +14,6 @@ tools:
   - Write
   - Edit
   - Grep
-  - Glob
   - Bash
 ---
 

package/templates/.claude/agents/tool-optimizer.md

@@ -2,6 +2,7 @@
 name: tool-optimizer
 description: Use for bundle size analysis, tree-shaking verification, performance profiling, dead code detection, and build optimization recommendations
 model: sonnet
+domain: universal
 memory: project
 effort: medium
 skills:
@@ -10,8 +11,6 @@ skills:
   - optimize-report
 tools:
   - Read
-  - Write
-  - Edit
   - Grep
   - Glob
   - Bash

package/templates/.claude/hooks/hooks.json

@@ -72,6 +72,16 @@
         ],
         "description": "Validate file content hash before Edit — advisory staleness warning"
       },
+      {
+        "matcher": "tool == \"Write\" || tool == \"Edit\" || tool == \"Bash\"",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash .claude/hooks/scripts/schema-validator.sh"
+          }
+        ],
+        "description": "Schema-based tool input validation — Phase 1 advisory only"
+      },
       {
         "matcher": "tool == \"Task\" || tool == \"Agent\"",
         "hooks": [
@@ -222,6 +232,26 @@
         ],
         "description": "Context budget advisor — track tool usage patterns and advise ecomode activation"
       },
+      {
+        "matcher": "tool == \"Edit\" || tool == \"Write\" || tool == \"Bash\" || tool == \"Task\" || tool == \"Agent\"",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash .claude/hooks/scripts/stuck-detector.sh"
+          }
+        ],
+        "description": "Detect repetitive failure loops and advise recovery strategies"
+      },
+      {
+        "matcher": "tool == \"Edit\" || tool == \"Write\" || tool == \"Bash\" || tool == \"Task\" || tool == \"Agent\"",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash .claude/hooks/scripts/cost-cap-advisor.sh"
+          }
+        ],
+        "description": "Advisory cost cap monitoring — warn when session cost approaches configurable limit"
+      },
       {
         "matcher": "tool == \"Read\"",
         "hooks": [
@@ -233,24 +263,24 @@
         "description": "Store content hashes for Read operations — enables Edit staleness detection"
       },
       {
-        "matcher": "tool == \"Edit\" || tool == \"Write\" || tool == \"Bash\" || tool == \"Task\" || tool == \"Agent\"",
+        "matcher": "tool == \"Bash\" || tool == \"Read\" || tool == \"Grep\"",
         "hooks": [
           {
             "type": "command",
-            "command": "bash .claude/hooks/scripts/stuck-detector.sh"
+            "command": "bash .claude/hooks/scripts/secret-filter.sh"
           }
         ],
-        "description": "Detect repetitive failure loops and advise recovery strategies"
+        "description": "Detect potential secrets in Bash/Read/Grep output — advisory warning only"
       },
       {
-        "matcher": "tool == \"Edit\" || tool == \"Write\" || tool == \"Bash\" || tool == \"Task\" || tool == \"Agent\"",
+        "matcher": "tool == \"Edit\" || tool == \"Write\" || tool == \"Bash\" || tool == \"Agent\"",
         "hooks": [
           {
             "type": "command",
-            "command": "bash .claude/hooks/scripts/cost-cap-advisor.sh"
+            "command": "bash .claude/hooks/scripts/audit-log.sh"
           }
         ],
-        "description": "Advisory cost cap monitoring — warn when session cost approaches configurable limit"
+        "description": "Append-only audit log for state-changing tool operations"
       }
     ],
     "Stop": [
@@ -269,7 +299,7 @@
         "hooks": [
           {
             "type": "prompt",
-            "prompt": "Session-end memory checkpoint (R011 enforcement). Check conversation history for these 3 steps: 1) sys-memory-keeper was delegated to update MEMORY.md 2) claude-mem save was attempted via ToolSearch + mcp__plugin_claude-mem_mcp-search__save_memory 3) episodic-memory verification was attempted via ToolSearch + mcp__plugin_episodic-memory_episodic-memory__search. Decision rules: If ALL 3 were attempted (success or failure both count): approve. If MCP tools are unavailable after ToolSearch attempt: approve with note. If session had no explicit session-end signal from user (quick question, no memory work): approve. If any step was NOT attempted despite user signaling session end: block with systemMessage listing the missing steps."
+            "prompt": "Session-end memory checkpoint (R011 enforcement). Check conversation history for these 2 steps: 1) sys-memory-keeper was delegated to update MEMORY.md 2) claude-mem save was attempted via ToolSearch + mcp__plugin_claude-mem_mcp-search__save_memory. Note: episodic-memory auto-indexes after session — no manual verification needed. Decision rules: If BOTH were attempted (success or failure both count): approve. If MCP tools are unavailable after ToolSearch attempt: approve with note. If session had no explicit session-end signal from user (quick question, no memory work): approve. If any step was NOT attempted despite user signaling session end: block with systemMessage listing the missing steps."
           }
         ],
         "description": "Enforce R011 session-end memory saves — block stop if claude-mem or episodic-memory saves were skipped"

package/templates/.claude/hooks/scripts/agent-teams-advisor.sh

@@ -8,6 +8,16 @@ set -euo pipefail
 
 input=$(cat)
 
+# Skip if Agent Teams is not available
+ENV_STATUS="/tmp/.claude-env-status-${PPID}"
+if [ -f "$ENV_STATUS" ]; then
+  teams_status=$(grep "agent_teams=" "$ENV_STATUS" 2>/dev/null | cut -d= -f2 || echo "unknown")
+  if [ "$teams_status" != "enabled" ]; then
+    echo "$input"
+    exit 0
+  fi
+fi
+
 # Extract task info from input
 agent_type=$(echo "$input" | jq -r '.tool_input.subagent_type // "unknown"')
 prompt_preview=$(echo "$input" | jq -r '.tool_input.description // ""' | head -c 60)

package/templates/.claude/hooks/scripts/audit-log.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# Audit Log Hook — Append-only JSONL persistence
+# Trigger: PostToolUse on Edit, Write, Bash, Agent
+# Purpose: Persistent audit trail for security and compliance
+# Protocol: stdin JSON -> log entry -> stdout pass-through
+# Always exits 0 (advisory only)
+
+set -euo pipefail
+
+input=$(cat)
+
+# Extract fields from hook input
+tool_name=$(echo "$input" | jq -r '.tool_name // "unknown"')
+file_path=$(echo "$input" | jq -r '.tool_input.file_path // .tool_input.command // ""' | head -c 200)
+agent_type=$(echo "$input" | jq -r '.agent_type // "unknown"')
+model=$(echo "$input" | jq -r '.model // "unknown"')
+is_error=$(echo "$input" | jq -r '.tool_output.is_error // false')
+timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+# Determine outcome
+if [ "$is_error" = "true" ]; then
+  outcome="error"
+else
+  outcome="success"
+fi
+
+# Audit log location
+AUDIT_LOG="${HOME}/.claude/audit.jsonl"
+
+# Ensure directory exists
+mkdir -p "$(dirname "$AUDIT_LOG")"
+
+# Write audit entry (append-only JSONL)
+jq -cn \
+  --arg ts "$timestamp" \
+  --arg tool "$tool_name" \
+  --arg path "$file_path" \
+  --arg agent "$agent_type" \
+  --arg model "$model" \
+  --arg outcome "$outcome" \
+  --arg ppid "${PPID}" \
+  '{timestamp: $ts, tool: $tool, path: $path, agent_type: $agent, model: $model, outcome: $outcome, session_ppid: $ppid}' \
+  >> "$AUDIT_LOG" 2>/dev/null || true
+
+# Daily rotation check (rotate if > 10MB)
+if [ -f "$AUDIT_LOG" ]; then
+  file_size=$(stat -f%z "$AUDIT_LOG" 2>/dev/null || stat -c%s "$AUDIT_LOG" 2>/dev/null || echo "0")
+  if [ "$file_size" -gt 10485760 ]; then
+    mv "$AUDIT_LOG" "${AUDIT_LOG}.$(date -u +%Y%m%d%H%M%S)" 2>/dev/null || true
+  fi
+fi
+
+# Pass through
+echo "$input"
+exit 0

package/templates/.claude/hooks/scripts/content-hash-validator.sh

@@ -18,10 +18,9 @@ case "$tool_name" in
   "Read")
     # Store content hash for the file that was just read
     file_path=$(echo "$input" | jq -r '.tool_input.file_path // ""')
-    output=$(echo "$input" | jq -r '.tool_output.output // ""')
 
-    if [ -n "$file_path" ] && [ -n "$output" ] && [ "$output" != "null" ]; then
-      content_hash=$(echo "$output" | md5 2>/dev/null || echo "$output" | md5sum 2>/dev/null | cut -d' ' -f1 || echo "unknown")
+    if [ -n "$file_path" ] && [ -f "$file_path" ]; then
+      content_hash=$(md5 -q "$file_path" 2>/dev/null || md5sum "$file_path" 2>/dev/null | cut -d' ' -f1 || echo "unknown")
       timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
 
       # Store hash entry (overwrite previous for same file)

package/templates/.claude/hooks/scripts/schema-validator.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+# Schema Validator Hook — PreToolUse input validation
+# Trigger: PreToolUse on Write, Edit, Bash
+# Purpose: Validate tool inputs against JSON Schema definitions
+# Phase 1: Advisory only (exit 0 with stderr warning)
+# Protocol: stdin JSON -> validate -> stdout pass-through
+
+set -euo pipefail
+
+input=$(cat)
+
+# Extract tool info
+tool_name=$(echo "$input" | jq -r '.tool_name // "unknown"')
+tool_input=$(echo "$input" | jq -r '.tool_input // {}')
+
+SCHEMA_FILE=".claude/schemas/tool-inputs.json"
+
+# Skip if schema file doesn't exist
+if [ ! -f "$SCHEMA_FILE" ]; then
+  echo "$input"
+  exit 0
+fi
+
+warnings=()
+
+case "$tool_name" in
+  "Write")
+    file_path=$(echo "$tool_input" | jq -r '.file_path // ""')
+    content=$(echo "$tool_input" | jq -r '.content // ""')
+
+    if [ -z "$file_path" ]; then
+      warnings+=("[Schema] Write: file_path is empty or missing")
+    fi
+    if [ -z "$content" ]; then
+      warnings+=("[Schema] Write: content is empty — creating empty file?")
+    fi
+    ;;
+
+  "Edit")
+    file_path=$(echo "$tool_input" | jq -r '.file_path // ""')
+    old_string=$(echo "$tool_input" | jq -r '.old_string // ""')
+    new_string=$(echo "$tool_input" | jq -r '.new_string // ""')
+
+    if [ -z "$file_path" ]; then
+      warnings+=("[Schema] Edit: file_path is empty or missing")
+    fi
+    if [ -z "$old_string" ]; then
+      warnings+=("[Schema] Edit: old_string is empty")
+    fi
+    if [ "$old_string" = "$new_string" ]; then
+      warnings+=("[Schema] Edit: old_string equals new_string — no-op edit")
+    fi
+    ;;
+
+  "Bash")
+    command=$(echo "$tool_input" | jq -r '.command // ""')
+
+    if [ -z "$command" ]; then
+      warnings+=("[Schema] Bash: command is empty")
+    fi
+
+    # Check dangerous patterns
+    if echo "$command" | grep -qE 'rm\s+-rf\s+/[^.]'; then
+      warnings+=("[Schema] Bash: DANGER — recursive delete from root detected")
+    fi
+    if echo "$command" | grep -qE '^\s*sudo\s+'; then
+      warnings+=("[Schema] Bash: elevated privilege command detected")
+    fi
+    if echo "$command" | grep -qE '> /dev/sd'; then
+      warnings+=("[Schema] Bash: direct disk write detected")
+    fi
+    if echo "$command" | grep -qE 'mkfs\.'; then
+      warnings+=("[Schema] Bash: filesystem format command detected")
+    fi
+    # Remote code execution via pipe
+    if echo "$command" | grep -qE 'curl\s+.*\|\s*(ba)?sh'; then
+      warnings+=("[Schema] Bash: remote code execution pattern (curl | bash) detected")
+    fi
+    if echo "$command" | grep -qE 'wget\s+.*\|\s*(ba)?sh'; then
+      warnings+=("[Schema] Bash: remote code execution pattern (wget | sh) detected")
+    fi
+    # Dynamic code execution
+    if echo "$command" | grep -qE 'eval\s+\$\('; then
+      warnings+=("[Schema] Bash: dynamic code execution (eval) detected")
+    fi
+    # Broad permission grant
+    if echo "$command" | grep -qE 'chmod\s+777'; then
+      warnings+=("[Schema] Bash: broad permission grant (chmod 777) detected")
+    fi
+    ;;
+esac
+
+# Output warnings (advisory only)
+if [ ${#warnings[@]} -gt 0 ]; then
+  for w in "${warnings[@]}"; do
+    echo "$w" >&2
+  done
+  echo "[Schema] Phase 1: advisory only — not blocking" >&2
+fi
+
+# Always pass through (Phase 1)
+echo "$input"
+exit 0

package/templates/.claude/hooks/scripts/secret-filter.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+# Secret Output Filter Hook — Detect potential secrets in tool output
+# Trigger: PostToolUse on Bash, Read, Grep
+# Purpose: Advisory warning when potential secrets detected in output
+# Protocol: stdin JSON -> scan -> stdout pass-through
+# Always exits 0 (advisory only, never blocks)
+
+set -euo pipefail
+
+input=$(cat)
+
+# Extract output to scan
+tool_name=$(echo "$input" | jq -r '.tool_name // "unknown"')
+output=$(echo "$input" | jq -r '.tool_output.output // ""')
+
+# Skip if no output
+if [ -z "$output" ] || [ "$output" = "null" ]; then
+  echo "$input"
+  exit 0
+fi
+
+# Secret patterns to detect
+detected=false
+
+# AWS Access Key ID
+if echo "$output" | grep -qE 'AKIA[0-9A-Z]{16}'; then
+  echo "[Security] Potential AWS Access Key detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# OpenAI/Anthropic API Key
+if echo "$output" | grep -qE 'sk-[a-zA-Z0-9]{32,}'; then
+  echo "[Security] Potential API key (sk-*) detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# GitHub Personal Access Token
+if echo "$output" | grep -qE 'ghp_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential GitHub PAT detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Private Key
+if echo "$output" | grep -qE '-----BEGIN.*PRIVATE KEY-----'; then
+  echo "[Security] Potential private key detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Bearer Token (long)
+if echo "$output" | grep -qE 'Bearer [a-zA-Z0-9._-]{20,}'; then
+  echo "[Security] Potential Bearer token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# GitHub OAuth Token
+if echo "$output" | grep -qE 'gho_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential GitHub OAuth token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# GitHub Fine-Grained PAT
+if echo "$output" | grep -qE 'github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}'; then
+  echo "[Security] Potential GitHub Fine-Grained PAT detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# GitHub Actions Token
+if echo "$output" | grep -qE 'ghs_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential GitHub Actions token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# npm Token
+if echo "$output" | grep -qE 'npm_[a-zA-Z0-9]{36}'; then
+  echo "[Security] Potential npm token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Slack Token
+if echo "$output" | grep -qE 'xox[bsarp]-[a-zA-Z0-9-]{10,}'; then
+  echo "[Security] Potential Slack token detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+# Docker Hub PAT
+if echo "$output" | grep -qE 'dckr_pat_[a-zA-Z0-9_-]{20,}'; then
+  echo "[Security] Potential Docker Hub PAT detected in ${tool_name} output" >&2
+  detected=true
+fi
+
+if [ "$detected" = true ]; then
+  echo "[Security] Review output carefully — do NOT commit or expose secrets" >&2
+fi
+
+# Pass through (always)
+echo "$input"
+exit 0

package/templates/.claude/hooks/scripts/session-compliance-report.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# Stop hook: Session compliance report (R265 Phase 1)
+# Reads violation logs collected by PreToolUse hooks during the session
+# Advisory only — never blocks session termination
+# Ref: https://github.com/baekenough/oh-my-customcode/issues/265
+
+set -euo pipefail
+
+input=$(cat)
+
+VIOLATIONS_FILE="/tmp/.claude-violations-${PPID}"
+TASK_COUNT_FILE="/tmp/.claude-task-count-${PPID}"
+
+echo "" >&2
+echo "╔══════════════════════════════════════════════╗" >&2
+echo "║        Session Compliance Report             ║" >&2
+echo "╚══════════════════════════════════════════════╝" >&2
+
+# Count total Agent/Task calls
+if [ -f "$TASK_COUNT_FILE" ]; then
+  TOTAL_TASKS=$(cat "$TASK_COUNT_FILE")
+  echo "[Compliance] Agent/Task calls this session: ${TOTAL_TASKS}" >&2
+else
+  TOTAL_TASKS=0
+  echo "[Compliance] Agent/Task calls this session: 0" >&2
+fi
+
+# Check violations
+if [ -f "$VIOLATIONS_FILE" ] && [ -s "$VIOLATIONS_FILE" ]; then
+  VIOLATION_COUNT=$(wc -l < "$VIOLATIONS_FILE" | tr -d ' ')
+  echo "[Compliance] Violations detected: ${VIOLATION_COUNT}" >&2
+  echo "" >&2
+
+  # Group by rule
+  R010_COUNT=$(grep -c '"rule":"R010"' "$VIOLATIONS_FILE" 2>/dev/null || echo "0")
+  R018_COUNT=$(grep -c '"rule":"R018"' "$VIOLATIONS_FILE" 2>/dev/null || echo "0")
+
+  if [ "$R010_COUNT" -gt 0 ]; then
+    echo "  R010 (Git Delegation): ${R010_COUNT} violation(s)" >&2
+    grep '"rule":"R010"' "$VIOLATIONS_FILE" | jq -r '.detail' 2>/dev/null | while read -r detail; do
+      echo "    - ${detail}" >&2
+    done
+  fi
+
+  if [ "$R018_COUNT" -gt 0 ]; then
+    echo "  R018 (Agent Teams): ${R018_COUNT} violation(s)" >&2
+    grep '"rule":"R018"' "$VIOLATIONS_FILE" | jq -r '.detail' 2>/dev/null | while read -r detail; do
+      echo "    - ${detail}" >&2
+    done
+  fi
+
+  echo "" >&2
+  echo "[Compliance] Review violations above and consider rule updates per R016." >&2
+else
+  echo "[Compliance] No violations detected. All clear!" >&2
+fi
+
+echo "────────────────────────────────────────────────" >&2
+
+# Cleanup temp files (best effort)
+rm -f "$VIOLATIONS_FILE" 2>/dev/null || true
+
+# CRITICAL: Always pass through input and exit 0
+echo "$input"
+exit 0

package/templates/.claude/rules/MUST-agent-teams.md

@@ -104,17 +104,6 @@ All members must be spawned in a single message. Partial spawning needs correcti
    implementer → fixes → SendMessage(reviewer, "fixed")
    reviewer → re-reviews → done
 
-❌ WRONG: Multi-expert task without coordination
-   Agent(lang-typescript-expert) → "Implement frontend"
-   Agent(be-express-expert) → "Implement API"
-   (no shared state, results manually combined)
-
-✓ CORRECT: Agent Teams for cross-domain work
-   TeamCreate("fullstack")
-   Agent(frontend-dev) + Agent(backend-dev) → team members
-   Shared TaskList for interface contracts
-   SendMessage for API schema coordination
-
 ❌ WRONG: Spawning team members one at a time
    TeamCreate("research-team")
    Message 1: Agent(researcher-1) → Analysis 1   (only 1/3 spawned)
@@ -127,18 +116,6 @@ All members must be spawned in a single message. Partial spawning needs correcti
      Agent(researcher-1) → Analysis 1  ┐
      Agent(researcher-2) → Analysis 2  ├─ ALL spawned together
      Agent(researcher-3) → Analysis 3  ┘
-
-❌ WRONG: Multi-issue batch as independent agents
-   Agent(general-purpose) → "Fix issue #1"
-   Agent(general-purpose) → "Fix issue #2"
-   Agent(general-purpose) → "Fix issue #3"
-   (no coordination, no shared task tracking)
-
-✓ CORRECT: Agent Teams for multi-issue batches
-   TeamCreate("release-fixes")
-   TaskCreate for each issue
-   Agent(fixer-1) + Agent(fixer-2) + Agent(fixer-3) → team members
-   Shared task list tracks progress across all issues
 ```
 
 ## Cost Guidelines

package/templates/.claude/rules/MUST-orchestrator-coordination.md

@@ -95,12 +95,6 @@ Main Conversation (orchestrator)
    Main conversation → Agent(mgr-gitnerd) → git commit
    Main conversation → Agent(mgr-gitnerd) → git push
 
-❌ WRONG: Using general-purpose when specialist exists
-   Main conversation → Agent(general-purpose) → "Write Go code"
-
-✓ CORRECT: Using the right specialist
-   Main conversation → Agent(lang-golang-expert) → "Write Go code"
-
 ❌ WRONG: Orchestrator creates files "just this once"
    "It's just a small config file, I'll write it directly..."
 
@@ -110,15 +104,9 @@ Main Conversation (orchestrator)
 ❌ WRONG: Bundling git operations with file editing in non-gitnerd agent
    Main conversation → Agent(general-purpose) → "git revert + edit file + git commit"
    Main conversation → Agent(lang-typescript-expert) → "fix bug and commit"
-
-✓ CORRECT: Separate file editing from git operations
-   Main conversation → Agent(lang-typescript-expert) → "fix bug" (file edit only)
-   Main conversation → Agent(mgr-gitnerd) → "git commit" (git operation only)
-
-❌ WRONG: Including git commands in non-gitnerd agent prompt for "convenience"
    Agent(general-purpose, prompt="revert the last commit, edit the file, then commit the fix")
 
-✓ CORRECT: Split into separate delegations
+✓ CORRECT: Separate file editing from git operations, split delegations
    Agent(mgr-gitnerd, prompt="revert the last commit")
    Agent(appropriate-expert, prompt="edit the file to fix the issue")
    Agent(mgr-gitnerd, prompt="commit the fix")