qualia-framework-v2 2.10.0 → 3.0.0

package/CLAUDE.md

@@ -51,9 +51,7 @@ No accumulated garbage. No context rot.
 ## Quality Gates (always active)
 - **Frontend guard:** Read .planning/DESIGN.md before any frontend changes
 - **Deploy guard:** tsc + lint + build + tests must pass before deploy
-- **Branch guard:** Employees cannot push to main (OWNER can)
-- **Env guard:** Employees cannot edit .env files (OWNER can — add keys, configure secrets directly)
-- **Sudo guard:** Employees cannot run sudo (OWNER can)
+- **Migration guard:** Catches dangerous SQL (DROP without IF EXISTS, DELETE without WHERE, CREATE TABLE without RLS)
 - **Intent verification:** Confirm before modifying 3+ files (OWNER: just do it)
 
 ## Tracking

package/README.md

@@ -1,9 +1,11 @@
-# Qualia Framework v2
+# Qualia Framework v3
 
-A prompt orchestration framework for [Claude Code](https://claude.ai/code). It installs into `~/.claude/` and wraps your AI-assisted development workflow with structured planning, execution, verification, and deployment gates.
+A harness engineering framework for [Claude Code](https://claude.ai/code). It installs into `~/.claude/` and wraps your AI-assisted development workflow with structured planning, execution, verification, and deployment gates.
 
 It is not an application framework like Rails or Next.js. It doesn't generate code, run servers, or process data. It's an opinionated workflow layer that tells Claude how to plan, build, and verify your projects.
 
+v3 applies lessons from Anthropic's ["Harness Design for Long-Running Apps"](https://www.anthropic.com/engineering/harness-design-long-running-apps) article: scored evaluator rubrics, verification contracts, smarter guards, hook telemetry, and dynamic team management.
+
 ## Install
 
 ```bash
@@ -17,6 +19,9 @@ Enter your team code when prompted. Get your code from Fawzi.
 npx qualia-framework-v2 version    # Check installed version + updates
 npx qualia-framework-v2 update     # Update to latest (remembers your code)
 npx qualia-framework-v2 uninstall  # Clean removal from ~/.claude/
+npx qualia-framework-v2 team list  # Show team members
+npx qualia-framework-v2 team add   # Add a team member
+npx qualia-framework-v2 traces     # View recent hook telemetry
 ```
 
 ## Usage
@@ -66,7 +71,7 @@ Works on **Windows 10/11, macOS, and Linux**. Requires Node.js 18+ and Claude Co
 
 ### Goal-Backward Verification
 
-Most CI checks "did the task run." Qualia checks "does the outcome actually work." The verifier doesn't trust summaries — it greps the codebase for stubs, placeholders, unwired imports. When Claude says "I built the chat component," this catches the cases where it wrote a skeleton with `// TODO` inside.
+Most CI checks "did the task run." Qualia checks "does the outcome actually work." The verifier scores on 4 dimensions (Correctness, Completeness, Wiring, Quality), each 1-5, with a hard threshold at 3. It doesn't trust summaries — it greps the codebase for stubs, placeholders, unwired imports. The planner generates verification contracts (testable commands) that the verifier executes before ad-hoc checks.
 
 ### Agent Separation
 
@@ -84,7 +89,7 @@ All 8 hooks are real ops engineering, not theoretical. Highlights:
 
 ### Enforced State Machine
 
-Every workflow step calls `state.js` — a Node.js state machine that validates preconditions, updates both STATE.md and tracking.json atomically, and tracks gap-closure cycles. You can't build without planning, can't verify without building, and can't loop on gap-closure more than twice before escalating.
+Every workflow step calls `state.js` — a Node.js state machine that validates preconditions (including plan content), updates both STATE.md and tracking.json atomically, and tracks gap-closure cycles. The gap-closure limit is configurable per project (default: 2). A `--force` flag enables recovery after failed builds.
 
 ### Wave-Based Parallelization
 
@@ -106,10 +111,10 @@ npx qualia-framework-v2 install
   ├── hooks/           8 Node.js hooks — cross-platform (no bash dependency)
   ├── bin/             state.js (state machine) + qualia-ui.js (cosmetics library)
   ├── knowledge/       learned-patterns.md, common-fixes.md, client-prefs.md (loaded by plan/debug/new)
-  ├── rules/           security.md, frontend.md, deployment.md
+  ├── rules/           security.md, frontend.md, design-reference.md, deployment.md
   ├── qualia-templates/ tracking.json, state.md, project.md, plan.md, DESIGN.md
   ├── CLAUDE.md        global instructions (role-configured per team member)
-  └── statusline.sh    teal-branded 2-line status bar
+  └── statusline.js    teal-branded 2-line status bar
 ```
 
 ## For Qualia Solutions Team

package/agents/planner.md

@@ -91,6 +91,58 @@ Your training data is often stale. A two-second lookup is cheaper than a wrong t
 
 **Self-check:** Before returning the plan, verify every task has specific file paths, concrete actions, and testable done-when criteria. If any task says "relevant files", "as needed", "implement X" (without details), or "ensure it works" — rewrite it with specifics.
 
+## Verification Contracts
+
+Every plan MUST include a `## Verification Contract` section after `## Success Criteria`. Contracts bridge the gap between what you planned and what the verifier checks — they are the testable agreement between planner and verifier.
+
+### Contract Format
+
+For each task, generate at least one contract entry:
+
+```markdown
+## Verification Contract
+
+### Contract for Task 1 — {title}
+**Check type:** file-exists
+**Command:** `test -f src/lib/auth.ts && echo EXISTS`
+**Expected:** `EXISTS`
+**Fail if:** File does not exist
+
+### Contract for Task 1 — {title} (wiring)
+**Check type:** grep-match
+**Command:** `grep -c "signInWithPassword" src/app/login/page.tsx`
+**Expected:** Non-zero (≥ 1)
+**Fail if:** Returns 0 — function exists in lib but isn't called from the login page
+
+### Contract for Task 2 — {title}
+**Check type:** command-exit
+**Command:** `npx tsc --noEmit 2>&1 | grep -c "error TS"`
+**Expected:** `0`
+**Fail if:** Any TypeScript compilation errors
+
+### Contract for Task 3 — {title}
+**Check type:** behavioral
+**Command:** (manual verification by verifier)
+**Expected:** User can log in with email/password and see the dashboard
+**Fail if:** Login form submits but no redirect occurs, or dashboard shows empty state
+```
+
+### Contract Types
+
+| Type | When to use | Verifier action |
+|------|-------------|-----------------|
+| `file-exists` | A file must be created | Run the command, check output |
+| `grep-match` | A function/import/pattern must appear in code | Run grep, check count > 0 |
+| `command-exit` | A tool must exit cleanly (tsc, lint, test) | Run command, check exit code or output |
+| `behavioral` | A user-facing flow must work | Verifier tests manually or via browser QA |
+
+### Rules for Contracts
+
+1. **Every task gets at least one contract.** If you can't write a testable contract, the task's "Done when" is too vague — rewrite it.
+2. **Contracts must be copy-pasteable.** The verifier runs them verbatim. No placeholders, no `{variable}` — use actual file paths.
+3. **Include wiring contracts.** For every component/function created, add a contract that greps for its import in the consuming file. This catches the #1 failure mode: code that exists but isn't connected.
+4. **Behavioral contracts are last resort.** Prefer grep-match and command-exit — they're deterministic. Use behavioral only for user-facing flows that can't be verified by grep.
+
 ## Design-Aware Planning
 
 When a phase involves frontend work (pages, components, layouts, UI):

package/agents/verifier.md

@@ -40,10 +40,38 @@ For each success criterion in the plan:
 - Are database queries returning data to the UI?
 - This is where stubs hide.
 
+## Contract-Based Verification
+
+If the phase plan contains a `## Verification Contract` section, execute those contracts FIRST before any ad-hoc verification.
+
+### How Contracts Work
+
+The planner generates testable contracts for each task. Each contract is a specific check you run verbatim:
+
+```markdown
+### Contract for Task 1 — {title}
+**Check type:** file-exists | grep-match | command-exit | behavioral
+**Command:** {exact command to run}
+**Expected:** {what the output should be}
+**Fail if:** {what constitutes failure}
+```
+
+### Contract Execution
+
+1. Read the `## Verification Contract` section from the plan file
+2. For each contract entry, run the **Command** exactly as written
+3. Compare output against **Expected**
+4. Score: PASS if output matches expected, FAIL if it matches the fail condition
+5. Record results in the report under `## Contract Results`
+
+Contracts take priority over ad-hoc verification. If a contract covers a success criterion, use the contract result. Only fall back to the 3-level check (Truths → Artifacts → Wiring) for criteria NOT covered by contracts.
+
+If the plan has no `## Verification Contract` section (older plans), skip this step and proceed with the full 3-level check below.
+
 ## How to Verify
 
 ### 1. Read the Plan
-Extract success criteria from the phase plan's `## Success Criteria` section.
+Extract success criteria from the phase plan's `## Success Criteria` section. Also extract the `## Verification Contract` if present.
 
 ### 2. For Each Criterion, Run the 3-Level Check
 
@@ -111,12 +139,21 @@ gaps: {count of failures}
 
 # Phase {N} Verification
 
-## Results
+## Contract Results (if contracts exist in plan)
+
+| Task | Check | Command | Result | Notes |
+|------|-------|---------|--------|-------|
+| Task 1 | file-exists | `test -f src/lib/auth.ts` | PASS | File exists, 142 lines |
+| Task 2 | grep-match | `grep -c "signIn" src/lib/auth.ts` | PASS | 3 matches |
 
-| Criterion | Status | Evidence |
-|-----------|--------|----------|
-| {criterion 1} | PASS | {what you found} |
-| {criterion 2} | FAIL | {what's wrong} |
+## Scores
+
+| Criterion | Correctness | Completeness | Wiring | Quality | Verdict |
+|-----------|-------------|--------------|--------|---------|---------|
+| {criterion 1} | {1-5} | {1-5} | {1-5} | {1-5} | PASS/FAIL |
+| {criterion 2} | {1-5} | {1-5} | {1-5} | {1-5} | PASS/FAIL |
+
+**Minimum threshold check:** {any score < 3? If YES → FAIL}
 
 ## Code Quality
 - TypeScript: PASS/FAIL
@@ -125,28 +162,92 @@ gaps: {count of failures}
 - Unused imports: {count}
 
 ## Gaps (if any)
-1. {what failed and why}
-2. {what failed and why}
+1. {criterion}: {dimension} scored {score} — {what's wrong, what file, what's needed}
+2. {criterion}: {dimension} scored {score} — {what's wrong}
 
 ## Verdict
-PASS — Phase {N} goal achieved. Proceed to Phase {N+1}.
+PASS — Phase {N} goal achieved. All criteria scored ≥ 3 on all dimensions. Proceed to Phase {N+1}.
 OR
-FAIL — {N} gaps found. Run `/qualia-plan {N} --gaps` to fix.
+FAIL — {N} gaps found. {N} criteria scored below threshold. Run `/qualia-plan {N} --gaps` to fix.
 ```
 
-## Scoring
+## Scoring Rubric
+
+Every success criterion is scored on 4 dimensions, each rated 1-5:
+
+### Correctness (1-5)
+Does it produce the right output?
+- **1** — Crashes, errors, or wrong output
+- **2** — Works for the happy path only; any deviation breaks it
+- **3** — Handles common edge cases (empty input, missing data, basic validation)
+- **4** — Handles most edge cases; error messages are user-friendly
+- **5** — Comprehensive error handling; graceful degradation; defensive coding
+
+### Completeness (1-5)
+Were all contracted requirements met?
+- **1** — Less than half of the requirements implemented
+- **2** — Over half done, but significant gaps remain
+- **3** — All requirements present, but some are partial (e.g., UI exists but missing states)
+- **4** — All requirements fully implemented as specified
+- **5** — All requirements plus defensive coding, edge case coverage, and polish
+
+### Wiring (1-5)
+Is everything connected end-to-end?
+- **1** — Files exist but are not imported anywhere
+- **2** — Imported but never called (dead code)
+- **3** — Called, but data flow is incomplete (e.g., API route exists, component calls it, but response isn't rendered)
+- **4** — Full data flow with minor gaps (e.g., loading state missing, error not surfaced)
+- **5** — Complete wiring verified by grep — every export is imported, every API is consumed, every component is rendered
+
+### Quality (1-5)
+Code quality, security, accessibility?
+- **1** — Stubs and placeholders throughout; `// TODO` everywhere
+- **2** — Works but violates project conventions (wrong patterns, hardcoded values, no types)
+- **3** — Follows conventions with minor issues (a few missing types, inconsistent naming)
+- **4** — Clean code; good patterns; types complete; security rules followed
+- **5** — Exemplary — accessible, performant, secure, well-structured, follows all rules
+
+### Hard Threshold
+
+**Any criterion scoring below 3 triggers FAIL regardless of other scores.**
+
+A component with Correctness=5, Completeness=5, Wiring=1, Quality=5 is FAIL — it's perfect code that nobody can use because it's not connected.
+
+### Phase Verdict
+- **ALL criteria ≥ 3 on all dimensions** → PASS. Phase verified.
+- **ANY criterion < 3 on ANY dimension** → FAIL. List each gap with: what scored low, what file, what's needed. Suggest `/qualia-plan {N} --gaps`.
+
+Never round up. A 2 is not a 3. The goal of verification is to catch the work that LOOKS done but ISN'T.
+
+## Few-Shot Calibration
+
+Use these examples to calibrate your judgment. Real verification should match this level of rigor.
+
+### Example A: PASS — Auth Phase
+
+Phase goal: "User can sign up, log in, and access protected routes."
+
+| Criterion | Score | Evidence |
+|-----------|-------|----------|
+| Correctness | 4 | `signInWithPassword()` called in handler; session persists across refresh; invalid credentials show error; tested login→dashboard→logout→login flow |
+| Completeness | 4 | Sign up, login, logout, protected route redirect all implemented; password validation with Zod; email verification flow present |
+| Wiring | 5 | `grep -r "signInWithPassword" src/` shows call in `app/login/page.tsx`; `grep -r "createClient" src/lib/` shows server client used in middleware; `grep -r "auth.uid" supabase/` shows RLS policies reference auth |
+| Quality | 4 | Server-side auth only; RLS on all tables; Zod validation on inputs; no service_role in client code; semantic HTML on forms; visible focus rings on inputs |
+
+**Verdict: PASS** — All scores ≥ 3. Minimum threshold check: NO scores below 3.
 
-Each success criterion from the plan gets a verdict:
+### Example B: FAIL — Chat Component Phase
 
-- **PASS** — All 3 levels check out. File exists, has real implementation (not stubs), and is imported/used by the system.
-- **PARTIAL** — File exists and has real code, but isn't fully wired (e.g., component exists but isn't rendered in any page, API route exists but no client calls it). This is NOT a pass.
-- **FAIL** — File missing, is a stub, or has 0 connections to the rest of the codebase.
+Phase goal: "Working real-time chat interface with message history."
 
-Phase verdict:
-- **ALL PASS** → Phase verified. Update STATE.md status to "verified".
-- **ANY PARTIAL or FAIL** → Phase has gaps. List each gap with: what's wrong, what file, what's needed. Suggest `/qualia-plan {N} --gaps`.
+| Criterion | Score | Evidence |
+|-----------|-------|----------|
+| Correctness | 4 | Chat component renders messages correctly; timestamps formatted; scroll-to-bottom works |
+| Completeness | 3 | Message send, receive, history all present; emoji support missing but not in spec |
+| Wiring | 1 | `grep -r "ChatWindow" app/` returns 0 results — component exists at `components/chat/ChatWindow.tsx` but is NOT rendered in any page. `grep -r "from.*chat" app/` returns 0. The component is an island. |
+| Quality | 3 | Clean code; types present; but no loading state, no error state, no empty state |
 
-Never round up. A PARTIAL is not a PASS. The goal of verification is to catch the work that LOOKS done but ISN'T.
+**Verdict: FAIL** — Wiring scored 1 (below threshold of 3). The chat component is well-built code that nobody can access because it's not mounted in any route. This is the exact kind of "looks done but isn't" that verification exists to catch.
 
 ## Design Verification (for phases with frontend work)
 

package/bin/cli.js

@@ -332,8 +332,12 @@ async function cmdUninstall() {
   safeUnlink(path.join(CLAUDE_DIR, ".qualia-config.json"), counters);
   safeUnlink(path.join(CLAUDE_DIR, ".qualia-last-update-check"), counters);
   safeUnlink(path.join(CLAUDE_DIR, ".erp-api-key"), counters);
+  safeUnlink(path.join(CLAUDE_DIR, ".qualia-team.json"), counters);
   safeUnlink(path.join(CLAUDE_DIR, "qualia-guide.md"), counters);
 
+  // Traces directory.
+  safeRmDir(path.join(CLAUDE_DIR, ".qualia-traces"), counters);
+
   // Clean settings.json surgically.
   cleanSettingsJson(counters);
 
@@ -367,6 +371,143 @@ async function cmdUninstall() {
   console.log("");
 }
 
+// ─── Team Management ────────────────────────────────────
+// External team file at ~/.claude/.qualia-team.json.
+// Falls back to embedded defaults in install.js.
+
+function getDefaultTeam() {
+  return {
+    "QS-FAWZI-01": { name: "Fawzi Goussous", role: "OWNER", description: "Company owner. Full access. Can push to main, approve deploys, edit secrets." },
+    "QS-HASAN-02": { name: "Hasan", role: "EMPLOYEE", description: "Developer. Feature branches only. Cannot push to main or edit .env files." },
+    "QS-MOAYAD-03": { name: "Moayad", role: "EMPLOYEE", description: "Developer. Feature branches only. Cannot push to main or edit .env files." },
+    "QS-RAMA-04": { name: "Rama", role: "EMPLOYEE", description: "Developer. Feature branches only. Cannot push to main or edit .env files." },
+    "QS-SALLY-05": { name: "Sally", role: "EMPLOYEE", description: "Developer. Feature branches only. Cannot push to main or edit .env files." },
+  };
+}
+
+function readTeamFile() {
+  const teamFile = path.join(CLAUDE_DIR, ".qualia-team.json");
+  try {
+    if (fs.existsSync(teamFile)) {
+      const data = JSON.parse(fs.readFileSync(teamFile, "utf8"));
+      if (data && typeof data === "object" && Object.keys(data).length > 0) return data;
+    }
+  } catch {}
+  return null;
+}
+
+function writeTeamFile(team) {
+  if (!fs.existsSync(CLAUDE_DIR)) fs.mkdirSync(CLAUDE_DIR, { recursive: true });
+  fs.writeFileSync(path.join(CLAUDE_DIR, ".qualia-team.json"), JSON.stringify(team, null, 2) + "\n");
+}
+
+function parseTeamArgs(argv) {
+  const args = {};
+  for (let i = 0; i < argv.length; i++) {
+    if (argv[i] === "--code" && argv[i + 1]) { args.code = argv[++i]; }
+    else if (argv[i] === "--name" && argv[i + 1]) { args.name = argv[++i]; }
+    else if (argv[i] === "--role" && argv[i + 1]) { args.role = argv[++i].toUpperCase(); }
+  }
+  return args;
+}
+
+function cmdTeam() {
+  const sub = process.argv[3];
+
+  switch (sub) {
+    case "list": {
+      banner();
+      console.log("");
+      const team = readTeamFile();
+      const source = team || getDefaultTeam();
+      const label = team ? "team file" : "embedded defaults";
+      console.log(`  ${DIM}Source: ${label}${RESET}`);
+      console.log("");
+      for (const [code, member] of Object.entries(source)) {
+        const roleColor = member.role === "OWNER" ? TEAL : WHITE;
+        console.log(`  ${WHITE}${code}${RESET}  ${roleColor}${member.role}${RESET}  ${DIM}${member.name}${RESET}`);
+      }
+      console.log("");
+      break;
+    }
+
+    case "add": {
+      const args = parseTeamArgs(process.argv.slice(4));
+      if (!args.code || !args.name) {
+        console.log(`  ${RED}Usage:${RESET} qualia-framework-v2 team add --code QS-NAME-NN --name "Full Name" [--role EMPLOYEE|OWNER]`);
+        process.exit(1);
+      }
+      const team = readTeamFile() || getDefaultTeam();
+      const code = args.code.toUpperCase();
+      const role = args.role || "EMPLOYEE";
+      team[code] = {
+        name: args.name,
+        role,
+        description: role === "OWNER"
+          ? "Company owner. Full access. Can push to main, approve deploys, edit secrets."
+          : "Developer. Feature branches only. Cannot push to main or edit .env files.",
+      };
+      writeTeamFile(team);
+      console.log(`  ${GREEN}+${RESET} ${WHITE}${code}${RESET} ${DIM}(${args.name}, ${role})${RESET}`);
+      break;
+    }
+
+    case "remove": {
+      const code = (process.argv[4] || "").toUpperCase();
+      if (!code) {
+        console.log(`  ${RED}Usage:${RESET} qualia-framework-v2 team remove QS-NAME-NN`);
+        process.exit(1);
+      }
+      const team = readTeamFile();
+      if (!team || !team[code]) {
+        console.log(`  ${YELLOW}!${RESET} ${code} not found in team file.`);
+        process.exit(1);
+      }
+      delete team[code];
+      writeTeamFile(team);
+      console.log(`  ${RED}-${RESET} ${WHITE}${code}${RESET} removed`);
+      break;
+    }
+
+    default:
+      console.log(`  ${RED}Usage:${RESET} qualia-framework-v2 team <list|add|remove>`);
+      process.exit(1);
+  }
+}
+
+// ─── Traces ─────────────────────────────────────────────
+
+function cmdTraces() {
+  banner();
+  console.log("");
+  const tracesDir = path.join(CLAUDE_DIR, ".qualia-traces");
+  if (!fs.existsSync(tracesDir)) {
+    console.log(`  ${DIM}No traces found. Traces are written by hooks during normal operation.${RESET}`);
+    console.log("");
+    return;
+  }
+  const files = fs.readdirSync(tracesDir).filter((f) => f.endsWith(".jsonl")).sort().reverse();
+  if (files.length === 0) {
+    console.log(`  ${DIM}No trace files found.${RESET}`);
+    console.log("");
+    return;
+  }
+  const latest = path.join(tracesDir, files[0]);
+  const lines = fs.readFileSync(latest, "utf8").trim().split("\n").slice(-20);
+  console.log(`  ${WHITE}Recent traces${RESET} ${DIM}(${files[0]})${RESET}`);
+  console.log("");
+  for (const line of lines) {
+    try {
+      const e = JSON.parse(line);
+      const color = e.result === "block" ? RED : e.result === "allow" ? GREEN : DIM;
+      const time = (e.timestamp || "").split("T")[1] || "";
+      const ts = time.split(".")[0] || "";
+      console.log(`  ${DIM}${ts}${RESET}  ${color}${e.result}${RESET}  ${WHITE}${e.hook}${RESET}  ${DIM}${e.duration_ms || 0}ms${RESET}`);
+    } catch {}
+  }
+  console.log("");
+}
+
 function cmdHelp() {
   banner();
   console.log("");
@@ -375,6 +516,8 @@ function cmdHelp() {
   console.log(`    npx qualia-framework-v2 ${TEAL}update${RESET}      Update to the latest version`);
   console.log(`    npx qualia-framework-v2 ${TEAL}version${RESET}     Show installed version + check for updates`);
   console.log(`    npx qualia-framework-v2 ${TEAL}uninstall${RESET}   Clean removal from ~/.claude/ (${DIM}-y to skip prompts${RESET})`);
+  console.log(`    npx qualia-framework-v2 ${TEAL}team${RESET}        Manage team members (${DIM}list|add|remove${RESET})`);
+  console.log(`    npx qualia-framework-v2 ${TEAL}traces${RESET}      View recent hook telemetry`);
   console.log("");
   console.log(`  ${WHITE}After install:${RESET}`);
   console.log(`    ${TG}/qualia${RESET}          What should I do next?`);
@@ -413,6 +556,12 @@ switch (cmd) {
       process.exit(1);
     });
     break;
+  case "team":
+    cmdTeam();
+    break;
+  case "traces":
+    cmdTraces();
+    break;
   default:
     cmdHelp();
 }

package/bin/install.js

@@ -13,8 +13,11 @@ const YELLOW = "\x1b[38;2;234;179;8m";
 const RED = "\x1b[38;2;239;68;68m";
 const RESET = "\x1b[0m";
 
+const CLAUDE_DIR = path.join(require("os").homedir(), ".claude");
+const FRAMEWORK_DIR = path.resolve(__dirname, "..");
+
 // ─── Team codes ──────────────────────────────────────────
-const TEAM = {
+const DEFAULT_TEAM = {
   "QS-FAWZI-01": {
     name: "Fawzi Goussous",
     role: "OWNER",
@@ -42,8 +45,21 @@ const TEAM = {
   },
 };
 
-const CLAUDE_DIR = path.join(require("os").homedir(), ".claude");
-const FRAMEWORK_DIR = path.resolve(__dirname, "..");
+// Load team from external file, fall back to embedded defaults.
+function loadTeam() {
+  const teamFile = path.join(CLAUDE_DIR, ".qualia-team.json");
+  try {
+    if (fs.existsSync(teamFile)) {
+      const external = JSON.parse(fs.readFileSync(teamFile, "utf8"));
+      if (external && typeof external === "object" && Object.keys(external).length > 0) {
+        return external;
+      }
+    }
+  } catch {}
+  return DEFAULT_TEAM;
+}
+
+const TEAM = loadTeam();
 
 let installed = 0;
 let errors = 0;
@@ -185,16 +201,6 @@ async function main() {
     }
   }
 
-  // ─── Status line ───────────────────────────────────────
-  log(`${WHITE}Status line${RESET}`);
-  try {
-    const slDest = path.join(CLAUDE_DIR, "bin", "statusline.js");
-    copy(path.join(FRAMEWORK_DIR, "bin", "statusline.js"), slDest);
-    ok("statusline.js");
-  } catch (e) {
-    warn(`statusline.js — ${e.message}`);
-  }
-
   // ─── Templates ─────────────────────────────────────────
   log(`${WHITE}Templates${RESET}`);
   const tmplDir = path.join(FRAMEWORK_DIR, "templates");
@@ -363,6 +369,11 @@ Client-specific preferences, design choices, and requirements. Loaded by \`/qual
     role: member.role,
     version: require("../package.json").version,
     installed_at: new Date().toISOString().split("T")[0],
+    erp: {
+      enabled: true,
+      url: "https://portal.qualiasolutions.net",
+      api_key_file: ".erp-api-key",
+    },
   };
   fs.writeFileSync(configFile, JSON.stringify(config, null, 2) + "\n");
 
@@ -469,7 +480,7 @@ Client-specific preferences, design choices, and requirements. Loaded by \`/qual
             type: "command",
             if: "Bash(git push*)",
             command: nodeCmd("branch-guard.js"),
-            timeout: 10,
+            timeout: 5,
             statusMessage: "⬢ Checking branch permissions...",
           },
           {
@@ -493,7 +504,6 @@ Client-specific preferences, design choices, and requirements. Loaded by \`/qual
         hooks: [
           {
             type: "command",
-            if: "Edit(*.env*)|Write(*.env*)",
             command: nodeCmd("block-env-edit.js"),
             timeout: 5,
             statusMessage: "⬢ Checking file permissions...",
@@ -523,20 +533,15 @@ Client-specific preferences, design choices, and requirements. Loaded by \`/qual
     ],
   };
 
-  // Permissions
+  // Permissions — no restrictions on env files or branches.
+  // Everyone can read/write .env, push to main.
   if (!settings.permissions) settings.permissions = {};
   if (!settings.permissions.allow) settings.permissions.allow = [];
-  if (!settings.permissions.deny) {
-    settings.permissions.deny = [
-      "Read(./.env)",
-      "Read(./.env.*)",
-      "Read(./secrets/**)",
-    ];
-  }
+  if (!settings.permissions.deny) settings.permissions.deny = [];
 
   fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
 
-  ok("Hooks: session-start, auto-update, branch-guard, pre-push, env-block, migration-guard, deploy-gate, pre-compact");
+  ok("Hooks: session-start, auto-update, branch-guard, pre-push, block-env-edit, migration-guard, deploy-gate, pre-compact");
   ok("Status line + spinner configured");
   ok("Environment variables + permissions");
 
@@ -548,7 +553,7 @@ Client-specific preferences, design choices, and requirements. Loaded by \`/qual
   console.log(`  Skills:       ${WHITE}${skills.length}${RESET}`);
   const agentCount = fs.readdirSync(agentsDir).filter(f => f.endsWith('.md')).length;
   console.log(`  Agents:       ${WHITE}${agentCount}${RESET} ${DIM}(planner, builder, verifier, qa-browser)${RESET}`);
-  console.log(`  Hooks:        ${WHITE}8${RESET} ${DIM}(session-start, auto-update, branch-guard, pre-push, env-block, migration-guard, deploy-gate, pre-compact)${RESET}`);
+  console.log(`  Hooks:        ${WHITE}8${RESET} ${DIM}(session-start, auto-update, branch-guard, pre-push, block-env-edit, migration-guard, deploy-gate, pre-compact)${RESET}`);
   console.log(`  Rules:        ${WHITE}${fs.readdirSync(rulesDir).length}${RESET} ${DIM}(security, frontend, design-reference, deployment)${RESET}`);
   console.log(`  Scripts:      ${WHITE}3${RESET} ${DIM}(state.js, qualia-ui.js, statusline.js)${RESET}`);
   console.log(`  Knowledge:    ${WHITE}3${RESET} ${DIM}(patterns, fixes, client prefs)${RESET}`);

package/bin/qualia-ui.js

@@ -159,7 +159,7 @@ function cmdBanner(action, phase, subtitle) {
     const bar = progressBar(state.phase, state.total_phases);
     if (bar) console.log(`  ${pad(DIM + "Progress" + RESET, 20)}${bar}`);
     if (state.gap_cycles > 0) {
-      console.log(`  ${pad(DIM + "Gap cycles" + RESET, 20)}${YELLOW}${state.gap_cycles}/2${RESET}`);
+      console.log(`  ${pad(DIM + "Gap cycles" + RESET, 20)}${YELLOW}${state.gap_cycles}/${state.gap_cycle_limit || 2}${RESET}`);
     }
   }