the-grimoire-cli 0.3.2 → 0.4.0

package/.agents/agents/verifier.md

@@ -1,50 +1,50 @@
----
-name: verifier
-description: Independent verification reviewer. Spawn AFTER a change is complete to confirm Definition of Done on fresh context. Receives only requirements + diff + checklist — never the implementer's reasoning. Refutes by default; runs the real verify commands and quotes real output.
-tools: Read, Grep, Glob, Bash
----
-
-You are the **independent verifier**. You did not write this code. Your job is to **refute** the
-claim that it is done — not to praise it. Default to **FAIL** when uncertain.
-
-## You receive (and ONLY this)
-
-- The requirements / acceptance criteria.
-- The diff (or the changed files).
-- The checklist (Definition of Done items).
-
-You do **not** get the implementer's reasoning or conversation. If context is missing, say so and
-FAIL — do not assume.
-
-## What you must do
-
-1. **Run the real `verify` command** for this project (`npm run verify`, or the profile's command
-   in `stack/`). If there is no verify script, run typecheck + lint + tests directly.
-2. **Quote the actual output.** Real command, real exit code, real failing/passing counts. Never
-   write "looks good", "should pass", or paraphrase results.
-3. Check the diff against **each requirement** and **each checklist item** explicitly.
-4. Look for: untested branches, security regressions (`rules/50-security.md`), hardcoded
-   roles/secrets, swallowed errors, missing doc/memory sync, scope the diff does NOT cover.
-5. **Code-quality rubric.** Load the "Review checklist" in `standards/clean-code.md` and refute the
-   diff against it (limits, readability, function design, type-safety, performance, suppression, dead
-   code). A violation without a recorded justification is a `fail`.
-6. **Scope & contract.** Output meets the task's stated acceptance criteria and nothing out-of-scope
-   crept in (`rules/10` task contract; `rules/25` surgical). Flag any addition the request did not call for.
-
-## Output (structured verdict)
-
-```
-VERDICT: pass | fail
-COMMANDS RUN:
-  <command> -> exit <code>
-  <quoted output, trimmed to the relevant lines>
-REQUIREMENTS:
-  - <req>: met | NOT met — <evidence>
-CHECKLIST:
-  - <item>: done | NOT done
-REASONS (if fail):
-  - <specific, actionable>
-```
-
-Definition of Done = tests green **AND** `VERDICT: pass` **AND** every checklist item done. If any
-one is missing, the verdict is `fail`. Save this verdict as the artifact the main thread cites.
+---
+name: verifier
+description: Independent verification reviewer. Spawn AFTER a change is complete to confirm Definition of Done on fresh context. Receives only requirements + diff + checklist — never the implementer's reasoning. Refutes by default; runs the real verify commands and quotes real output.
+tools: Read, Grep, Glob, Bash
+---
+
+You are the **independent verifier**. You did not write this code. Your job is to **refute** the
+claim that it is done — not to praise it. Default to **FAIL** when uncertain.
+
+## You receive (and ONLY this)
+
+- The requirements / acceptance criteria.
+- The diff (or the changed files).
+- The checklist (Definition of Done items).
+
+You do **not** get the implementer's reasoning or conversation. If context is missing, say so and
+FAIL — do not assume.
+
+## What you must do
+
+1. **Run the real `verify` command** for this project (`npm run verify`, or the profile's command
+   in `stack/`). If there is no verify script, run typecheck + lint + tests directly.
+2. **Quote the actual output.** Real command, real exit code, real failing/passing counts. Never
+   write "looks good", "should pass", or paraphrase results.
+3. Check the diff against **each requirement** and **each checklist item** explicitly.
+4. Look for: untested branches, security regressions (`rules/50-security.md`), hardcoded
+   roles/secrets, swallowed errors, missing doc/memory sync, scope the diff does NOT cover.
+5. **Code-quality rubric.** Load the "Review checklist" in `standards/clean-code.md` and refute the
+   diff against it (limits, readability, function design, type-safety, performance, suppression, dead
+   code). A violation without a recorded justification is a `fail`.
+6. **Scope & contract.** Output meets the task's stated acceptance criteria and nothing out-of-scope
+   crept in (`rules/10` task contract; `rules/25` surgical). Flag any addition the request did not call for.
+
+## Output (structured verdict)
+
+```
+VERDICT: pass | fail
+COMMANDS RUN:
+  <command> -> exit <code>
+  <quoted output, trimmed to the relevant lines>
+REQUIREMENTS:
+  - <req>: met | NOT met — <evidence>
+CHECKLIST:
+  - <item>: done | NOT done
+REASONS (if fail):
+  - <specific, actionable>
+```
+
+Definition of Done = tests green **AND** `VERDICT: pass` **AND** every checklist item done. If any
+one is missing, the verdict is `fail`. Save this verdict as the artifact the main thread cites.

package/.agents/commands/INDEX.md

@@ -1,11 +1,11 @@
-# commands — index
-
-<!-- GENERATED by `grimoire index`; do not edit by hand. Re-run after adding/renaming files here. -->
-
-| File | What it covers |
-|---|---|
-| `checkpoint.md` | Snapshot the NOW whiteboard before a context boundary. |
-| `grimoire.md` | Run grimoire init or sync from inside Claude Code. |
-| `onboard.md` | Onboard an existing (pre-Grimoire) repo onto the template without losing its custom contract. |
-| `present.md` | Render the current spec / review / report / prototype / editing UI as a self-contained HTML artifact and return a file:// URL. |
-| `verify.md` | Run the verify script and dispatch the verifier subagent for independent sign-off. |
+# commands — index
+
+<!-- GENERATED by `grimoire index`; do not edit by hand. Re-run after adding/renaming files here. -->
+
+| File | What it covers |
+|---|---|
+| `checkpoint.md` | Snapshot the NOW whiteboard before a context boundary. |
+| `grimoire.md` | Run grimoire init or sync from inside Claude Code. |
+| `onboard.md` | Onboard an existing (pre-Grimoire) repo onto the template without losing its custom contract. |
+| `present.md` | Render the current spec / review / report / prototype / editing UI as a self-contained HTML artifact and return a file:// URL. |
+| `verify.md` | Run the verify script and dispatch the verifier subagent for independent sign-off. |

package/.agents/commands/checkpoint.md

@@ -1,15 +1,15 @@
----
-description: Snapshot the NOW whiteboard before a context boundary.
----
-
-Checkpoint the current session state (`rules` §6 — NOW layer).
-
-Steps:
-
-1. Ensure `journal/session/current.md` reflects the live state: mode, focus, last-done, next-step,
-   blockers, open-questions, files-touched. Rewrite it in place if stale.
-2. Copy it to `journal/session/archive/<timestamp>.md` (timestamp = `YYYY-MM-DD-HHmm`).
-3. Confirm the snapshot path back to the user.
-
-A checkpoint is **not a new file type** — it is a timestamped copy of `current.md`. Resume always
-reads `current.md`; archives are for recovery only.
+---
+description: Snapshot the NOW whiteboard before a context boundary.
+---
+
+Checkpoint the current session state (`rules` §6 — NOW layer).
+
+Steps:
+
+1. Ensure `journal/session/current.md` reflects the live state: mode, focus, last-done, next-step,
+   blockers, open-questions, files-touched. Rewrite it in place if stale.
+2. Copy it to `journal/session/archive/<timestamp>.md` (timestamp = `YYYY-MM-DD-HHmm`).
+3. Confirm the snapshot path back to the user.
+
+A checkpoint is **not a new file type** — it is a timestamped copy of `current.md`. Resume always
+reads `current.md`; archives are for recovery only.

package/.agents/commands/grimoire.md

@@ -1,14 +1,14 @@
----
-description: Run grimoire init or sync from inside Claude Code.
----
-
-Wrap the Grimoire CLI (`bin/grimoire.mjs`).
-
-- **init** — scaffold `.agents/` + pointers into a new project. Run:
-  `npx github:nuttchanon/the-grimoire init` (or `node bin/grimoire.mjs init` when developing the template).
-- **sync** — pull the latest template into an existing project. Overwrites **managed paths only**
-  (`.agents/grimoire.manifest`); never touches `codex/ journal/ local/`. Run:
-  `npx github:nuttchanon/the-grimoire sync`.
-
-After `sync`, print the changelog (git log between the old and new template sha) and bump
-`.agents/VERSION`. Confirm with the user before running `sync` if there are uncommitted changes.
+---
+description: Run grimoire init or sync from inside Claude Code.
+---
+
+Wrap the Grimoire CLI (`bin/grimoire.mjs`).
+
+- **init** — scaffold `.agents/` + pointers into a new project. Run:
+  `npx github:nuttchanon/the-grimoire init` (or `node bin/grimoire.mjs init` when developing the template).
+- **sync** — pull the latest template into an existing project. Overwrites **managed paths only**
+  (`.agents/grimoire.manifest`); never touches `codex/ journal/ local/`. Run:
+  `npx github:nuttchanon/the-grimoire sync`.
+
+After `sync`, print the changelog (git log between the old and new template sha) and bump
+`.agents/VERSION`. Confirm with the user before running `sync` if there are uncommitted changes.

package/.agents/commands/onboard.md

@@ -1,56 +1,56 @@
----
-description: Onboard an existing (pre-Grimoire) repo onto the template without losing its custom contract.
----
-
-# onboard — adopt Grimoire in an existing repo
-
-Use this when a repo already has its own agent contract (a hand-rolled `.agents/`, a long `CLAUDE.md`,
-ad-hoc rules) and you want it on the managed template. `init` lays the base and **backs up** an
-existing `.agents/` to `.agents.bak-<timestamp>/`; this playbook moves the project's signal into
-`local/` so nothing is lost and `grimoire sync` stays conflict-free. Work on a branch.
-
-## Steps
-
-1. **Branch + survey.** `git checkout -b chore/grimoire-onboard`. Read the existing `.agents/` (every
-   rule), `CLAUDE.md`, and any existing ADR/requirements layout (e.g. `docs/adr/`, `docs/requirements/`).
-   Note what is project-specific (domain, stack, security model, env gotchas) vs generic (it'll be
-   replaced by the base).
-
-2. **Run init.** `npx github:nuttchanon/the-grimoire init`. If an `.agents/` was present it is now
-   safe in `.agents.bak-<timestamp>/`; the managed base + `local/` skeleton are in place. `init` also
-   seeds a single project-owned `codex/` tree at the repo root (decisions, requirements, runbooks,
-   domain, evidence, …) via `seedCodex` — seed-once, only when `codex/` is absent, and never touched
-   by `grimoire sync`.
-
-3. **Move custom rules → `local/rules/`.** For each project rule worth keeping, recreate it under
-   `local/rules/` with a **`local-` prefix** (avoids number collisions with the base — see
-   `local/README.md`). Carry the content verbatim; add a frontmatter `description:`.
-
-4. **Move CLAUDE.md context → `local/AGENTS.local.md` (+ big docs → `local/reference/`).** Set the
-   profile (stack, testing policy, verify command). Move the system model, doc map, domain pointers,
-   access/auth model, and env/build gotchas into **Project facts**; park large domain contracts (IPC
-   tables, confirmed values) in `local/reference/`. Record any base behaviour you're overriding under
-   **Override declarations**.
-
-5. **Slim CLAUDE.md to a pointer.** Reduce it to the Grimoire imports
-   (`@.agents/AGENTS.md` + `@local/AGENTS.local.md`) plus one line of orientation.
-
-6. **Migrate ADRs/requirements into `codex/`.** If the repo already had `docs/adr/` (or
-   `docs/requirements/`, or another ADR layout), move those decisions into `codex/decisions/` and
-   requirements into `codex/requirements/`, then remove the old trees. `seedCodex` only scaffolds
-   `codex/` when it is absent, so it won't clobber a `codex/` you populate. Note any non-default
-   location in **Override declarations**.
-
-7. **Move bespoke paths to the repo root.** `.agents/` is now a fully read-only contract — `sync`
-   wholesale-replaces it, so nothing project-owned can live under it. Any bespoke project dirs (e.g.
-   `field-reports/`, `handoff/`) belong at the repo root, alongside `codex/`, `journal/`, and `local/`.
-
-8. **Verify + clean up.** `grimoire index` (regen INDEX.md), `grimoire doctor` (check wiring), run the
-   project's verify command, confirm the contract loads. Delete the `.agents.bak-*` backup once
-   everything is migrated. Commit; open a PR.
-
-## Done when
-
-The `.agents.bak-*` backup is gone · every kept project rule lives under `local/rules/` (prefixed) ·
-`CLAUDE.md` is a thin pointer · `grimoire index --check` + `grimoire doctor` are clean · decisions and
-requirements live under `codex/` with no leftover `docs/adr/` (or `docs/requirements/`) tree.
+---
+description: Onboard an existing (pre-Grimoire) repo onto the template without losing its custom contract.
+---
+
+# onboard — adopt Grimoire in an existing repo
+
+Use this when a repo already has its own agent contract (a hand-rolled `.agents/`, a long `CLAUDE.md`,
+ad-hoc rules) and you want it on the managed template. `init` lays the base and **backs up** an
+existing `.agents/` to `.agents.bak-<timestamp>/`; this playbook moves the project's signal into
+`local/` so nothing is lost and `grimoire sync` stays conflict-free. Work on a branch.
+
+## Steps
+
+1. **Branch + survey.** `git checkout -b chore/grimoire-onboard`. Read the existing `.agents/` (every
+   rule), `CLAUDE.md`, and any existing ADR/requirements layout (e.g. `docs/adr/`, `docs/requirements/`).
+   Note what is project-specific (domain, stack, security model, env gotchas) vs generic (it'll be
+   replaced by the base).
+
+2. **Run init.** `npx github:nuttchanon/the-grimoire init`. If an `.agents/` was present it is now
+   safe in `.agents.bak-<timestamp>/`; the managed base + `local/` skeleton are in place. `init` also
+   seeds a single project-owned `codex/` tree at the repo root (decisions, requirements, runbooks,
+   domain, evidence, …) via `seedCodex` — seed-once, only when `codex/` is absent, and never touched
+   by `grimoire sync`.
+
+3. **Move custom rules → `local/rules/`.** For each project rule worth keeping, recreate it under
+   `local/rules/` with a **`local-` prefix** (avoids number collisions with the base — see
+   `local/README.md`). Carry the content verbatim; add a frontmatter `description:`.
+
+4. **Move CLAUDE.md context → `local/AGENTS.local.md` (+ big docs → `local/reference/`).** Set the
+   profile (stack, testing policy, verify command). Move the system model, doc map, domain pointers,
+   access/auth model, and env/build gotchas into **Project facts**; park large domain contracts (IPC
+   tables, confirmed values) in `local/reference/`. Record any base behaviour you're overriding under
+   **Override declarations**.
+
+5. **Slim CLAUDE.md to a pointer.** Reduce it to the Grimoire imports
+   (`@.agents/AGENTS.md` + `@local/AGENTS.local.md`) plus one line of orientation.
+
+6. **Migrate ADRs/requirements into `codex/`.** If the repo already had `docs/adr/` (or
+   `docs/requirements/`, or another ADR layout), move those decisions into `codex/decisions/` and
+   requirements into `codex/requirements/`, then remove the old trees. `seedCodex` only scaffolds
+   `codex/` when it is absent, so it won't clobber a `codex/` you populate. Note any non-default
+   location in **Override declarations**.
+
+7. **Move bespoke paths to the repo root.** `.agents/` is now a fully read-only contract — `sync`
+   wholesale-replaces it, so nothing project-owned can live under it. Any bespoke project dirs (e.g.
+   `field-reports/`, `handoff/`) belong at the repo root, alongside `codex/`, `journal/`, and `local/`.
+
+8. **Verify + clean up.** `grimoire index` (regen INDEX.md), `grimoire doctor` (check wiring), run the
+   project's verify command, confirm the contract loads. Delete the `.agents.bak-*` backup once
+   everything is migrated. Commit; open a PR.
+
+## Done when
+
+The `.agents.bak-*` backup is gone · every kept project rule lives under `local/rules/` (prefixed) ·
+`CLAUDE.md` is a thin pointer · `grimoire index --check` + `grimoire doctor` are clean · decisions and
+requirements live under `codex/` with no leftover `docs/adr/` (or `docs/requirements/`) tree.

package/.agents/commands/present.md

@@ -1,23 +1,23 @@
----
-description: Render the current spec / review / report / prototype / editing UI as a self-contained HTML artifact and return a file:// URL.
----
-
-Turn a human-facing deliverable into an interactive HTML page a person will actually read — not a
-long Markdown wall they skim. Use for a spec comparison, code-review dashboard, report/explainer,
-design prototype, or a custom editing UI (see `skills/catalog.md` -> Presentation).
-
-Honor presentation mode (`rules/45-presentation.md`): render HTML only when the mode is on for this
-project (`local/AGENTS.local.md`) or the user asks; otherwise stay in Markdown.
-
-Steps:
-
-1. Keep the **source canonical** — the Markdown/spec stays the source of truth; the HTML is a *view*
-   generated from it.
-2. Build ONE self-contained `.html`: inline CSS + JS, **no external/remote `<script>` or CDN**, works
-   offline via `file://`. **Escape** any code/diff/user text you embed (no raw injection).
-3. Write it to `journal/session/artifacts/<YYYY-MM-DD-HHmm>-<slug>.html` (ephemeral, gitignored).
-4. Return the absolute `file://` path so the user can open it in a browser.
-5. For editing UIs, include a **"copy as JSON / copy as Markdown"** button so the user can export
-   their changes back into the conversation (close the loop).
-
-Token-aware: render HTML for deliverables that earn it, not routine replies.
+---
+description: Render the current spec / review / report / prototype / editing UI as a self-contained HTML artifact and return a file:// URL.
+---
+
+Turn a human-facing deliverable into an interactive HTML page a person will actually read — not a
+long Markdown wall they skim. Use for a spec comparison, code-review dashboard, report/explainer,
+design prototype, or a custom editing UI (see `skills/catalog.md` -> Presentation).
+
+Honor presentation mode (`rules/45-presentation.md`): render HTML only when the mode is on for this
+project (`local/AGENTS.local.md`) or the user asks; otherwise stay in Markdown.
+
+Steps:
+
+1. Keep the **source canonical** — the Markdown/spec stays the source of truth; the HTML is a *view*
+   generated from it.
+2. Build ONE self-contained `.html`: inline CSS + JS, **no external/remote `<script>` or CDN**, works
+   offline via `file://`. **Escape** any code/diff/user text you embed (no raw injection).
+3. Write it to `journal/session/artifacts/<YYYY-MM-DD-HHmm>-<slug>.html` (ephemeral, gitignored).
+4. Return the absolute `file://` path so the user can open it in a browser.
+5. For editing UIs, include a **"copy as JSON / copy as Markdown"** button so the user can export
+   their changes back into the conversation (close the loop).
+
+Token-aware: render HTML for deliverables that earn it, not routine replies.

package/.agents/commands/verify.md

@@ -1,20 +1,20 @@
----
-description: Run the verify script and dispatch the verifier subagent for independent sign-off.
----
-
-Verify the current change to Definition-of-Done standard (`rules/30-verification.md`).
-
-Steps:
-
-1. Identify the `verify` command for this project (package script `verify`, or the active
-   `stack/` profile's command). If none exists, fall back to typecheck + lint + tests.
-2. Run it. Capture real output and exit code.
-3. Spawn the **verifier** subagent (Task/Agent tool) on **fresh context**, passing ONLY:
-   - the requirements / acceptance criteria for this change,
-   - the diff (`git diff` of the change),
-   - the Definition-of-Done checklist.
-   Do **not** pass your own reasoning or this conversation.
-4. Relay the verifier's structured verdict. If `fail`, the change is **not done** — address the
-   reasons and re-run. Do not declare done without a `pass` artifact.
-
-For large or risky changes, also run `/code-review` (or `/code-review ultra`).
+---
+description: Run the verify script and dispatch the verifier subagent for independent sign-off.
+---
+
+Verify the current change to Definition-of-Done standard (`rules/30-verification.md`).
+
+Steps:
+
+1. Identify the `verify` command for this project (package script `verify`, or the active
+   `stack/` profile's command). If none exists, fall back to typecheck + lint + tests.
+2. Run it. Capture real output and exit code.
+3. Spawn the **verifier** subagent (Task/Agent tool) on **fresh context**, passing ONLY:
+   - the requirements / acceptance criteria for this change,
+   - the diff (`git diff` of the change),
+   - the Definition-of-Done checklist.
+   Do **not** pass your own reasoning or this conversation.
+4. Relay the verifier's structured verdict. If `fail`, the change is **not done** — address the
+   reasons and re-run. Do not declare done without a `pass` artifact.
+
+For large or risky changes, also run `/code-review` (or `/code-review ultra`).

package/.agents/grimoire.manifest

@@ -1,18 +1,18 @@
-# Managed contract surface — everything under `.agents/` is read-only and OVERWRITTEN by
-# `grimoire sync` (wholesale replace). This file documents the contract; sync no longer needs
-# it to compute carve-outs. One path (file or dir) per line, relative to .agents/.
-
-AGENTS.md
-NAVIGATOR.md
-rules/
-standards/
-stack/
-agents/
-skills/
-commands/
-tooling.json
-
-# Project-owned, NEVER synced — live at the repo ROOT, outside .agents/ (listed for clarity):
-#   codex/    — knowledge base (domain, requirements, decisions, evidence, runbooks)
-#   journal/  — agent working state (memory/, backlog/, session/)
-#   local/    — project override config (loads last, wins)
+# Managed contract surface — everything under `.agents/` is read-only and OVERWRITTEN by
+# `grimoire sync` (wholesale replace). This file documents the contract; sync no longer needs
+# it to compute carve-outs. One path (file or dir) per line, relative to .agents/.
+
+AGENTS.md
+NAVIGATOR.md
+rules/
+standards/
+stack/
+agents/
+skills/
+commands/
+tooling.json
+
+# Project-owned, NEVER synced — live at the repo ROOT, outside .agents/ (listed for clarity):
+#   codex/    — knowledge base (domain, requirements, decisions, evidence, runbooks)
+#   journal/  — agent working state (memory/, backlog/, session/)
+#   local/    — project override config (loads last, wins)

package/.agents/rules/00-always.md

@@ -1,42 +1,42 @@
----
-updated: 2026-05-31
-description: The non-negotiable rules; violating any is a hard error, not a style nit. Read every session.
----
-
-# 00 — Always (hard errors)
-
-Always-on. Violating any of these is a hard error, not a style nit.
-
-- **Verify before done.** Code is not done until the independent verifier (`30-verification.md`)
-  returns `pass` on **fresh context**. The author of a change cannot mark it done — bias comes from
-  shared context. Definition of Done = tests green **AND** verifier `pass` **AND** checklist complete.
-  For **user-facing, data-collecting** apps, the launch-security checklist
-  (`standards/launch-security-checklist.md`) is part of Done, not a later pass.
-- **Read the knowledge base first.** Before domain/feature work, read `codex/INDEX.md` — the
-  project's source-of-truth knowledge base (domain, requirements, decisions, evidence). Don't start
-  blind.
-- **Doc-sync same turn.** Any behavior/interface change updates its doc and `journal/memory/` in the **same
-  turn** as the code. No "I'll document later".
-- **Security first.** Never hardcode roles, permissions, secrets, or hostnames. Validate and
-  authorize on the server. Fail **closed**. (Detail: `50-security.md`.)
-- **No hardcoded roles.** Gate behavior through helpers/config, never string literals like
-  `if (user.role === "admin")`.
-- **Effort is not a constraint.** Never reduce scope, skip tests, or pick the lazy design to save
-  effort. If the work is large, **spawn parallel subagents** — do not cut corners.
-- **No silent test gaps.** Shipping a unit of work without a test suite is a *recorded decision*, not
-  a silent omission: write an ADR (`codex/decisions/`) stating why (spike/throwaway, external constraint) and
-  when tests get backfilled. A missing test suite with no ADR is a defect.
-- **Confirmed values change with their ADR.** When a decision alters ground-truth values the code
-  reads back (IPC channels, error codes, permission keys, tenant configs, shared enums), the ADR sets
-  `updates-confirmed-values: yes` and the same PR updates the project's confirmed-values table.
-- **Small increments.** One coherent change at a time; keep the diff reviewable. (Detail: `10-working-process.md`.)
-- **Surgical changes.** Every changed line traces to the request; don't touch adjacent code you were
-  not asked to. (Detail: `25-surgical-changes.md`.)
-- **Never edit the managed base; customize in `local/`.** In a consuming project, the base
-  (`.agents/AGENTS.md`, `rules/`, `standards/`, `stack/`, `agents/`, `skills/`, `commands/`,
-  `tooling.json`) is overwritten by `grimoire sync`. Put every project change under root `local/`
-  (never synced) — it loads last and wins. Protocol: `local/README.md`.
-- **State your assumptions; don't pick silently.** If a requirement is ambiguous, name what is
-  confusing and present the interpretations — do not choose one quietly. Ask when the wrong guess is
-  expensive; otherwise pick the obvious default and say so. Push back when a simpler or better
-  approach exists.
+---
+updated: 2026-05-31
+description: The non-negotiable rules; violating any is a hard error, not a style nit. Read every session.
+---
+
+# 00 — Always (hard errors)
+
+Always-on. Violating any of these is a hard error, not a style nit.
+
+- **Verify before done.** Code is not done until the independent verifier (`30-verification.md`)
+  returns `pass` on **fresh context**. The author of a change cannot mark it done — bias comes from
+  shared context. Definition of Done = tests green **AND** verifier `pass` **AND** checklist complete.
+  For **user-facing, data-collecting** apps, the launch-security checklist
+  (`standards/launch-security-checklist.md`) is part of Done, not a later pass.
+- **Read the knowledge base first.** Before domain/feature work, read `codex/INDEX.md` — the
+  project's source-of-truth knowledge base (domain, requirements, decisions, evidence). Don't start
+  blind.
+- **Doc-sync same turn.** Any behavior/interface change updates its doc and `journal/memory/` in the **same
+  turn** as the code. No "I'll document later".
+- **Security first.** Never hardcode roles, permissions, secrets, or hostnames. Validate and
+  authorize on the server. Fail **closed**. (Detail: `50-security.md`.)
+- **No hardcoded roles.** Gate behavior through helpers/config, never string literals like
+  `if (user.role === "admin")`.
+- **Effort is not a constraint.** Never reduce scope, skip tests, or pick the lazy design to save
+  effort. If the work is large, **spawn parallel subagents** — do not cut corners.
+- **No silent test gaps.** Shipping a unit of work without a test suite is a *recorded decision*, not
+  a silent omission: write an ADR (`codex/decisions/`) stating why (spike/throwaway, external constraint) and
+  when tests get backfilled. A missing test suite with no ADR is a defect.
+- **Confirmed values change with their ADR.** When a decision alters ground-truth values the code
+  reads back (IPC channels, error codes, permission keys, tenant configs, shared enums), the ADR sets
+  `updates-confirmed-values: yes` and the same PR updates the project's confirmed-values table.
+- **Small increments.** One coherent change at a time; keep the diff reviewable. (Detail: `10-working-process.md`.)
+- **Surgical changes.** Every changed line traces to the request; don't touch adjacent code you were
+  not asked to. (Detail: `25-surgical-changes.md`.)
+- **Never edit the managed base; customize in `local/`.** In a consuming project, the base
+  (`.agents/AGENTS.md`, `rules/`, `standards/`, `stack/`, `agents/`, `skills/`, `commands/`,
+  `tooling.json`) is overwritten by `grimoire sync`. Put every project change under root `local/`
+  (never synced) — it loads last and wins. Protocol: `local/README.md`.
+- **State your assumptions; don't pick silently.** If a requirement is ambiguous, name what is
+  confusing and present the interpretations — do not choose one quietly. Ask when the wrong guess is
+  expensive; otherwise pick the obvious default and say so. Push back when a simpler or better
+  approach exists.

package/.agents/rules/05-code-quality.md

@@ -1,28 +1,28 @@
----
-updated: 2026-05-31
-description: Always-on code-quality essentials; the full standard lives in standards/clean-code.md.
----
-
-# 05 — Code quality (standards overview)
-
-- **Small files.** Split when a file grows past its single responsibility. Prefer many small,
-  named modules over one large one.
-- **Minimal comments — why, not what.** Code says *what*; comments explain *why* only when
-  non-obvious. Delete comments that restate the code.
-- **DRY, but not prematurely.** Extract on the *third* repetition, not the first.
-- **YAGNI — climb the ladder.** Before writing, stop at the first rung that holds: skip it → stdlib →
-  native platform → existing dependency → one line → only then minimal code. No speculative
-  abstraction, config, or hooks; no error handling for impossible scenarios. Mark a deliberate
-  shortcut with `// ponytail: <ceiling>, <upgrade path>`. Full ladder + the "never simplify away"
-  guardrail: `standards/clean-code.md`.
-- **Simplicity first.** Minimum code that solves the problem. If 200 lines could be 50, rewrite.
-  Sanity check: would a senior engineer call this overcomplicated? If yes, simplify.
-- **Naming mirrors the domain.** Names come from the problem domain, not the implementation.
-  Match the surrounding code's idiom, casing, and comment density.
-
-- **No silent suppression.** `eslint-disable` / `@ts-ignore` / `any` need an inline comment naming
-  the constraint + a follow-up. Greening CI by disabling a rule without a replacement guard is
-  tracked tech debt (ADR if structural).
-
-Full standard: `standards/clean-code.md` (limits, type-safety, performance, suppression) +
-`standards/general.md` + the per-language file.
+---
+updated: 2026-05-31
+description: Always-on code-quality essentials; the full standard lives in standards/clean-code.md.
+---
+
+# 05 — Code quality (standards overview)
+
+- **Small files.** Split when a file grows past its single responsibility. Prefer many small,
+  named modules over one large one.
+- **Minimal comments — why, not what.** Code says *what*; comments explain *why* only when
+  non-obvious. Delete comments that restate the code.
+- **DRY, but not prematurely.** Extract on the *third* repetition, not the first.
+- **YAGNI — climb the ladder.** Before writing, stop at the first rung that holds: skip it → stdlib →
+  native platform → existing dependency → one line → only then minimal code. No speculative
+  abstraction, config, or hooks; no error handling for impossible scenarios. Mark a deliberate
+  shortcut with `// ponytail: <ceiling>, <upgrade path>`. Full ladder + the "never simplify away"
+  guardrail: `standards/clean-code.md`.
+- **Simplicity first.** Minimum code that solves the problem. If 200 lines could be 50, rewrite.
+  Sanity check: would a senior engineer call this overcomplicated? If yes, simplify.
+- **Naming mirrors the domain.** Names come from the problem domain, not the implementation.
+  Match the surrounding code's idiom, casing, and comment density.
+
+- **No silent suppression.** `eslint-disable` / `@ts-ignore` / `any` need an inline comment naming
+  the constraint + a follow-up. Greening CI by disabling a rule without a replacement guard is
+  tracked tech debt (ADR if structural).
+
+Full standard: `standards/clean-code.md` (limits, type-safety, performance, suppression) +
+`standards/general.md` + the per-language file.