feat(harness): P1+P2+P3 harness optimization complete (VERSION 1.4.0)

Task 5 one-line registry descriptions on the 8 biggest skills (remediation-tool, gc-audit, packetdial, memory-dream, human-flow, self-check, impeccable, mailprotector); skill-description injection ~3320 -> ~2123 tokens (~36%), keyword triggers preserved, frontmatter valid. Task 7 thinned /save + /sync bodies to point at sync.sh (single source) instead of re-documenting internals; Phase 0 save-vs-sync, cross-user notes, exit-75 reporting kept verbatim; mechanical sync never depends on an LLM step. Task 10 session-logs/YYYY-MM/ forward convention for new logs (scoped-grep recall, no monolithic index); existing flat logs untouched (grep covers both). Bash now-phoenix.sh helper (fixed UTC-7 epoch math; replaces unreliable TZ=America/Phoenix date that silently returns UTC on Git-Bash). P0 (1.2.0) + Task 6 CLAUDE split + Task 9 delegation (1.3.0) already shipped. Spec: specs/claudetools-harness-optimization/plan.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 08:10:58 -07:00
parent 6671a7a400
commit 68ad1dbd40
14 changed files with 1740 additions and 1710 deletions
--- a/.claude/commands/save.md
+++ b/.claude/commands/save.md
@@ -26,11 +26,20 @@ Claude writes all sections directly. Be concise, factual, technical. No filler p
 ### Location
 New logs go in a **`YYYY-MM/` month folder** under the relevant `session-logs/` dir (keeps the
 flat dir from growing unbounded; recall is scoped grep over the month folders — no monolithic
 index). `mkdir -p` the month folder before writing.
 | Work scope | Path |
 |---|---|
-| Single project | `projects/<project>/session-logs/YYYY-MM-DD-session.md` |
+| Single project | `projects/<project>/session-logs/YYYY-MM/YYYY-MM-DD-<user>-<topic>.md` |
-| Client | `clients/<slug>/session-logs/YYYY-MM-DD-session.md` |
+| Client | `clients/<slug>/session-logs/YYYY-MM/YYYY-MM-DD-<user>-<topic>.md` |
-| Multi-project / general | `session-logs/YYYY-MM-DD-session.md` |
+| Multi-project / general | `session-logs/YYYY-MM/YYYY-MM-DD-<user>-<topic>.md` |
 > Existing flat logs (`session-logs/*.md`) stay where they are — recall grep covers both `*/*.md`
 > (month folders) and `*.md` (legacy flat), so no mass migration. The month folder is added
 > *after* `session-logs/`, so wiki slug derivation (`<project>`/`<slug>` captured before
 > `session-logs/`) is unaffected. Use `bash .claude/scripts/now-phoenix.sh --date` for the date.
 ### Filename + append behavior
@@ -97,9 +106,11 @@ not on every save.
 bash .claude/scripts/sync.sh
 ```
-`sync.sh` is **serialized by a per-machine lock** (`.git/claudetools-sync.lock`) so concurrent sessions or the scheduled-task sync cannot interleave commits/rebases; if another sync is mid-flight it waits up to ~120s, then **exits 75 (deferred)** rather than racing — the next sync catches up. On a 75, do NOT print a success summary; report "**sync deferred — another sync is running; your session log is written locally and will sync on the next run**". Otherwise it: reconciles this machine's `git config user.name/email` to `.claude/identity.json` (so commit authorship can't drift), stages all changes with `git add -A` (after purging garbled Windows path-as-filename cruft), auto-commits, fetch + rebase, push, then the same flow for the vault repo, then surfaces cross-user `## Note for <user>` blocks.
+Same driver as `/sync` — see that command for the full semantics. The two load-bearing
-
+points for reporting: **exit 75 = deferred** (another sync is running; report "sync deferred
-> Note: `git add -A` is still the catch-all sweep, so a save run will also pick up any *other* dirty files in the shared tree. The lock prevents two syncs from racing, and per-session-unique log filenames prevent log overwrites — but the bare-`add -A` capture means full per-session commit isolation is a later step (see the isolation plan: drop blind `add -A` in favour of explicit per-session staging). For now, avoid running `/save` from two sessions at the exact same moment.
+— your session log is written locally and will sync on the next run", NOT a success summary);
 and `git add -A` is a catch-all sweep, so avoid running `/save` from two sessions at the exact
 same moment (per-session-unique log filenames prevent log overwrites, the lock prevents racing).
 After sync, emit a **Post-commit Summary**:
--- a/.claude/commands/sync.md
+++ b/.claude/commands/sync.md
@@ -39,18 +39,15 @@ The intent: a `/sync` that finds unsaved work should default toward `/save`. Aut
 ## What this does
-Invokes `bash .claude/scripts/sync.sh`, which:
+Run it — the script is the single source of truth for all git ops (both `/sync` and `/save` invoke it):
-1. Detects local changes (including untracked-only files) via `git status --porcelain`; stages with `git add -A` and auto-commits with `sync: auto-sync from <hostname> at <timestamp>`
+```bash
-2. Fetches from origin, rebases local commits onto remote
+bash .claude/scripts/sync.sh
-3. Pushes to origin
+```
 4. Copies `.claude/commands/*.md` → `~/.claude/commands/` so the global Claude CLI commands stay current without a manual copy
 5. Repeats steps 1-3 for the **vault** repo (path read from `.claude/identity.json` `vault_path` field)
 6. Surfaces any `## Note for <user>` / `## Message for <user>` blocks from incoming session logs
-The script is the single source of truth for git operations. Both `/sync` and `/save` invoke it.
+It stages (`git add -A`, submodule gitlinks unstaged unless `--with-submodules`), auto-commits, fetch+rebase+push for this repo then the vault repo, deploys `.claude/commands/*.md` + skills to `~/.claude/`, and surfaces incoming `## Note for <user>` blocks. Full internals: `.claude/CLAUDE_EXTENDED.md` / the script header.
-**Concurrency:** the run is serialized by a per-machine lock (`.git/claudetools-sync.lock`) so two syncs (e.g. interactive + the scheduled-task sync, or two Claude sessions) can't interleave staging/commit/rebase/push. If another sync is already running, this run waits up to ~120s then **exits 75 (EX_TEMPFAIL = deferred, not a failure)** — report it as deferred, not synced; the next run catches up. Stale locks (owner process dead, or older than 10 min) are auto-reclaimed.
+**Exit 75 = deferred, not a failure.** The run is serialized by a per-machine lock (`.git/claudetools-sync.lock`); if another sync is mid-flight it waits ~120s then exits 75. On a 75, report "sync deferred — another sync is running; it will catch up next run", NOT a success summary. Stale locks (dead owner, or >10 min) auto-reclaim.
 ---
--- a/.claude/harness/CHANGELOG.md
+++ b/.claude/harness/CHANGELOG.md
@@ -30,3 +30,19 @@ or old harness during a heterogeneous rollout. See
  (full manual, on-demand). Saves ~3.7k tokens per CLAUDE.md injection; nothing lost.
 - Task 9 (P2): delegation re-tuned in CORE — act directly by default; delegate only for
  high-volume output, blast radius >3 files/layers, domain shift, or parallel work.
 ## 1.4.0 — 2026-06-08  (P1+P2+P3 complete)
 - Task 5: one-line registry descriptions on the 8 biggest skills (remediation-tool, gc-audit,
  packetdial, memory-dream, human-flow, self-check, impeccable, mailprotector). Skill-description
  injection ~3320 -> ~2123 tokens (~36% cut); keyword triggers preserved; frontmatter valid.
 - Task 7: thinned `/save` + `/sync` bodies — they point to `sync.sh` as the single source instead
  of re-documenting its internals; load-bearing LLM-judgment parts (Phase 0 save-vs-sync, cross-user
  note display, exit-75 reporting) kept verbatim. The mechanical sync never depends on an LLM step.
 - Task 10 (P3): `session-logs/YYYY-MM/` adopted as a FORWARD convention for new logs (recall = scoped
  grep over month folders, no monolithic index); existing flat logs untouched (grep covers both).
  Recall order (wiki -> CONTEXT/log -> coord) already lives in CORE.
 - Deterministic Bash fix: `now-phoenix.sh` helper added — fixed UTC-7 epoch math, replaces the
  unreliable `TZ=America/Phoenix date` (silently returns UTC on Git-Bash). `--iso/--date/--datetime/
  --fmt` formats. `post-bot-alert.sh` already uses `jq -nc --arg` (verified, no change needed).
 - Deferred (unchanged): full Python port = separate spec; Task 8 shard command bodies; promote
  guard to FATAL after a clean warn window; schedule memory-dream --apply-safe per-machine.
--- a/.claude/harness/VERSION
+++ b/.claude/harness/VERSION
@@ -1 +1 @@
-1.3.0
+1.4.0
--- a/.claude/scripts/now-phoenix.sh
+++ b/.claude/scripts/now-phoenix.sh
@@ -0,0 +1,50 @@
 #!/usr/bin/env bash
 # now-phoenix.sh — emit the current America/Phoenix timestamp, deterministically.
 #
 # WHY: `TZ=America/Phoenix date` is unreliable on Git-for-Windows bash (the MSYS
 # tz database is often absent, so it silently returns UTC). Arizona does NOT
 # observe DST — it is fixed UTC-7 (MST) year-round — so we compute Phoenix time
 # as (UTC epoch - 7h) and format it. No tz database, no DST edge cases, identical
 # result on Windows / macOS / Linux.
 #
 # Usage:
 #   bash now-phoenix.sh             -> 2026-06-08 14:32 PT   (default, human log line)
 #   bash now-phoenix.sh --iso       -> 2026-06-08T14:32:07-07:00
 #   bash now-phoenix.sh --date      -> 2026-06-08
 #   bash now-phoenix.sh --datetime  -> 2026-06-08 14:32:07
 #   bash now-phoenix.sh --epoch     -> 1749422327   (raw UTC epoch, for arithmetic)
 #   bash now-phoenix.sh --fmt '+%H:%M'  -> 14:32   (custom strftime, applied to Phoenix time)
 #
 # All output is on stdout, no trailing prose. Soft, dependency-free (coreutils date only).
 set -euo pipefail
 OFFSET=$((7 * 3600))            # Phoenix is UTC-7, fixed
 EPOCH_UTC="$(date -u +%s)"
 EPOCH_PHX=$((EPOCH_UTC - OFFSET))
 # Portable "format an epoch as if it were UTC" (so the wall-clock we print is Phoenix local).
 fmt_epoch() {
    local e="$1" f="$2"
    if date -u -d "@${e}" "$f" >/dev/null 2>&1; then
        date -u -d "@${e}" "$f"        # GNU/Git-Bash
    else
        date -u -r "${e}" "$f"         # BSD/macOS
    fi
 }
 case "${1:-}" in
    --iso)       printf '%s-07:00\n' "$(fmt_epoch "$EPOCH_PHX" '+%Y-%m-%dT%H:%M:%S')" ;;
    --date)      fmt_epoch "$EPOCH_PHX" '+%Y-%m-%d' ;;
    --datetime)  fmt_epoch "$EPOCH_PHX" '+%Y-%m-%d %H:%M:%S' ;;
    --epoch)     printf '%s\n' "$EPOCH_UTC" ;;
    --fmt)       fmt_epoch "$EPOCH_PHX" "${2:?--fmt needs a strftime arg, e.g. --fmt '+%H:%M'}" ;;
    ''|--pt)     printf '%s PT\n' "$(fmt_epoch "$EPOCH_PHX" '+%Y-%m-%d %H:%M')" ;;
    -h|--help)
        grep -E '^#( |$)' "$0" | sed 's/^# \{0,1\}//'
        ;;
    *)
        echo "[ERROR] now-phoenix: unknown arg '$1' (try --help)" >&2
        exit 64
        ;;
 esac
--- a/.claude/skills/gc-audit/SKILL.md
+++ b/.claude/skills/gc-audit/SKILL.md
@@ -1,22 +1,7 @@
 ---
 name: gc-audit
-description: |
+description: "Periodic end-to-end audit of the GuruConnect codebase + CI/CD (6 parallel passes: API surface, Rust, TypeScript, protocol/wire-format, security/remote-session, docs/roadmap; plus pipeline health). Explicit only via /gc-audit; optional --pass=<api|rust|ts|protocol|security|docs|pipeline>. Produces a report + updates FEATURE_ROADMAP/TECHNICAL_DEBT."
  Periodic end-to-end verification of the GuruConnect codebase and CI/CD
  infrastructure. Runs 6 parallel audit passes: (1) API/route & surface
  inventory, (2) Rust code quality & standards, (3) TypeScript/dashboard
  quality, (4) protocol & wire-format integrity (proto <-> prost <-> manual TS
  decode), (5) security & remote-session integrity, (6) docs/roadmap
  reconciliation. A 7th sequential pass audits CI/CD pipeline health (Gitea
  Actions workflows, runner registration, clippy/audit gates, deploy host).
  Produces a timestamped audit report and updates the living docs
  (FEATURE_ROADMAP.md, TECHNICAL_DEBT.md). Takes 10-20 minutes.
  Invoke explicitly only — no auto-trigger. Use /gc-audit for a full audit.
  Optional arg: --pass=<name> to run a single pass
  (api, rust, ts, protocol, security, docs, pipeline).
  The docs pass reconciles FEATURE_ROADMAP.md, TECHNICAL_DEBT.md, the docs/specs/SPEC-*.md,
  and the specs/*/plan.md task markers against the code; quality passes check code against
  the granular .claude/standards/ files. Cleans up stale entries.
 ---
 # GuruConnect End-to-End Audit
--- a/.claude/skills/human-flow/SKILL.md
+++ b/.claude/skills/human-flow/SKILL.md
@@ -1,13 +1,6 @@
 ---
 name: human-flow
-description: >
+description: "UI/UX scanner for mouse+keyboard interaction friction: Fitts's Law/target sizing, discoverability/affordances, keyboard parity, feedback loops, task efficiency, forgiving interactions. Produces reports with code locations + fixes. Use when reviewing/building interactive UI (dashboards, lists, forms, complex workflows)."
  A UI/UX scanner that specializes in detecting interaction patterns unintuitive or inefficient for humans using a mouse and keyboard. 
  Expands on frontend-design and impeccable by focusing on real human workflow friction: motor control (Fitts's Law, target sizing, precision), 
  discoverability (affordances, hover vs always-visible), keyboard parity (full navigation and activation without mouse), 
  feedback loops (immediate state changes, error recovery), task efficiency (click/keystroke count, context switches), 
  and forgiving interaction models. It produces structured reports with code locations, "why this feels bad for a human" explanations, 
  and specific, actionable recommendations to make mouse+keyboard workflows smoother, faster, and more intuitive.
  Use when reviewing or building any interactive UI, especially data-heavy tools, dashboards, lists, forms, and complex workflows.
 user-invocable: true
 argument-hint: "[scan|audit|report] [target path or component]"
 ---
--- a/.claude/skills/impeccable/SKILL.md
+++ b/.claude/skills/impeccable/SKILL.md
@@ -1,6 +1,6 @@
 ---
 name: impeccable
-description: "Use when the user wants to design, redesign, shape, critique, audit, polish, clarify, distill, harden, optimize, adapt, animate, colorize, extract, or otherwise improve a frontend interface. Covers websites, landing pages, dashboards, product UI, app shells, components, forms, settings, onboarding, and empty states. Handles UX review, visual hierarchy, information architecture, cognitive load, accessibility, performance, responsive behavior, theming, anti-patterns, typography, fonts, spacing, layout, alignment, color, motion, micro-interactions, UX copy, error states, edge cases, i18n, and reusable design systems or tokens. Also use for bland designs that need to become bolder or more delightful, loud designs that should become quieter, live browser iteration on UI elements, or ambitious visual effects that should feel technically extraordinary. Not for backend-only or non-UI tasks."
+description: "Design, redesign, critique, audit, or polish a frontend interface (sites, landing pages, dashboards, app UI, components, forms, onboarding, empty states). Covers UX review, visual hierarchy, IA, accessibility, performance, responsive, theming, typography, spacing, color, motion, copy, design systems/tokens. Not for backend/non-UI."
 argument-hint: "[{{command_hint}}] [target]"
 user-invocable: true
 allowed-tools:
--- a/.claude/skills/mailprotector/SKILL.md
+++ b/.claude/skills/mailprotector/SKILL.md
@@ -1,17 +1,7 @@
 ---
 name: mailprotector
-description: >-
+description: "Manage the ACG Mailprotector CloudFilter email-security gateway (emailservice.io). Search/release held/quarantined mail (in+outbound), pull mail-flow logs (why a message did/did not deliver), inspect + manage allow/block rules. Read-only default; releases/rule-changes gated --confirm. Triggers: mailprotector, cloudfilter, held/quarantined mail, release email, allow/block rule, INKY. Live production."
-  Manage the Arizona Computer Guru (ACG) Mailprotector CloudFilter email-security
+
  gateway via the live CloudFilter REST API (emailservice.io). Search and release
  held / quarantined mail (inbound and outbound), pull mail-flow logs to explain
  why a message did or did not deliver, inspect entity configuration and
  allow/block rules, find a user or alias by email, and manage allow/block rules.
  Read-only by default; every release / rule-add / config-change is gated behind
  --confirm. Invoke for: "mailprotector", "cloudfilter", "emailservice.io", "held
  mail", "quarantined email", "release email", "outbound quarantine", "why didn't
  my email arrive", "email security gateway", "INKY", "mail flow logs", "allow
  block rule", "release spam". This skill talks to the LIVE production reseller
  CloudFilter platform — treat releases conservatively.
 ---
 # Mailprotector / CloudFilter Skill
--- a/.claude/skills/memory-dream/SKILL.md
+++ b/.claude/skills/memory-dream/SKILL.md
@@ -1,19 +1,7 @@
 ---
 name: memory-dream
-description: >-
+description: "Lint + consolidate the ClaudeTools repo memory store (.claude/memory/): audits index, backlinks, file paths, duplicate clusters, stale facts. Read-only default; --apply-safe does low-risk fixes; merges/deletes surfaced as proposals. Triggers: memory dream, consolidate/lint/clean up/dedupe memory."
-  Memory lint + consolidation analyzer for the ClaudeTools REPO memory store
+
  (.claude/memory/). Audits the index, backlinks, referenced file paths,
  duplicate/overlap clusters, stale dated facts, and drift against the
  machine-local harness profile memory store. Default run is read-only.
  --apply-safe performs the low-risk fixes (append missing index lines, copy
  any profile-only files into the repo for indexing). Cluster merges, dedup
  deletes, and stale-fact removal are surfaced as PROPOSED actions for a
  human to apply -- they're judgment calls, not automation candidates. (Repo
  is the source of truth as of 2026-06-02; sync-memory.sh mirrors repo to
  profile, so PROFILE-side cleanup is handled by that script, not here. See
  feedback_memory_sync_destructive_ok.md.) Invoke for: "memory dream",
  "consolidate memory", "memory lint", "clean up memory", "memory errors",
  "dedupe memory".
 ---
 # Memory Dream
--- a/.claude/skills/packetdial/SKILL.md
+++ b/.claude/skills/packetdial/SKILL.md
@@ -1,19 +1,7 @@
 ---
 name: packetdial
-description: >-
+description: "Manage the ACG PacketDial/OITVOIP hosted VoIP via the NetSapiens API (pbx.packetdial.com). List/inspect domains, users, devices, DIDs, resellers; pull CDRs; provision domains/users/SIP/numbers (writes gated --confirm; read-only default). Triggers: packetdial, oitvoip, netsapiens, voip domain/user/extension, provision phone, add did, CDR. Live production PBX."
-  Manage the Arizona Computer Guru (ACG) PacketDial / OITVOIP hosted-VoIP
+
  platform via the NetSapiens SNAPsolution API v2 (pbx.packetdial.com,
  v44.4). List and inspect domains, users, devices/phones, DIDs (phone
  numbers), resellers, and pull CDRs (call detail records). Provision new
  customer domains, users, SIP devices, and phone numbers (all writes gated
  behind --confirm). Read-only by default. Invoke for: "packetdial",
  "oitvoip", "oit voip", "netsapiens", "voip portal", "pbx portal", "voip
  domain", "voip user", "voip extension", "provision phone", "add did",
  "phone number on voip", "call detail records", "cdr", "voip.packetdial",
  "pbx.packetdial". NOTE: voip.packetdial.com is the customer-facing portal
  (the fax/UC dashboard, e.g. Cascades account 28598) and has no API — the
  programmable surface is pbx.packetdial.com. This skill talks to the LIVE
  production reseller PBX; treat writes conservatively.
 ---
 # PacketDial / NetSapiens (OITVOIP) Skill
--- a/.claude/skills/remediation-tool/SKILL.md
+++ b/.claude/skills/remediation-tool/SKILL.md
@@ -1,11 +1,7 @@
 ---
 name: remediation-tool
-description: |
+description: "M365 tenant investigation + remediation via the ComputerGuru MSP app suite (Security Investigator/Exchange Operator/User Manager/Tenant Admin/Defender). Direct Graph+Exchange REST (not CIPP). Triggers: 365 remediation, breach/credential-stuffing check, check a mailbox, inbox rules, mailbox forwarding, delegate/SendAs audit, OAuth consent, sign-in/risky-user lookup, tenant sweep."
  M365 tenant investigation and remediation using the ComputerGuru tiered MSP app suite (5 apps: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on). Auto-invoke when the user says "remediation tool", "365 remediation", "check <user>'s mailbox/box", "credential stuffing" against an M365 user, "breach check" on an M365 tenant, or needs M365 admin API work that client-credentials Graph + Exchange REST can perform. NOT for CIPP — this is the direct Graph API app suite.
  Also invoke when the user needs any of: inbox rule enumeration, mailbox forwarding check, delegate/SendAs audit, OAuth consent audit, sign-in log queries, risky user lookup, directory audit queries, B2B guest invite audit against M365.
  Triggers: "365 remediation", "remediation tool", "check <user> box/mailbox/account for breach", "credential stuff*", "who's getting attacked", "foreign sign-in", "inbox rule", "mailbox forward*", "oauth consent" (in MSP context), "tenant sweep", "risky user", "hidden rule", Exchange Online admin API, "adminapi/beta/{tenant}/InvokeCommand".
 ---
 # 365 Remediation Tool
--- a/.claude/skills/self-check/SKILL.md
+++ b/.claude/skills/self-check/SKILL.md
@@ -1,17 +1,7 @@
 ---
 name: self-check
-description: >-
+description: "Self-diagnose this machine's harness conformance vs the fleet baseline: identity.json, tooling, env/paths, hooks, skill/command/script set, vault decrypt, coord/Gitea reachability, capability tier. Grades RED/AMBER/GREEN; can publish a census. Triggers: self check/test, doctor, health check, am I configured right, harness/fleet conformance."
-  Self-diagnose a ClaudeTools session's machine: verify the harness is wired the
+
  same way as every other instance while allowing for architectural / OS / hardware
  differences. Checks that identity.json exists and is correct (the map of WHERE
  things live on this box), required tooling is installed, env/paths resolve,
  hooks are wired, the skill/command/script set matches the baseline, the vault
  decrypts, coord/Gitea are reachable, and the machine's capability tier (e.g. no
  local Ollama) resolves to the right fallback ruleset. Grades RED/AMBER/GREEN and
  can publish a census to the coord API so the fleet baseline can be built/refined.
  Invoke for: "self check", "self diagnosis", "self test", "doctor", "health check",
  "am I configured right", "is my machine set up correctly", "harness conformance",
  "fleet conformance", "check my environment", "is everything wired up".
 ---
 # Self-Check — ClaudeTools Harness Self-Diagnosis
--- a/specs/claudetools-harness-optimization/plan.md
+++ b/specs/claudetools-harness-optimization/plan.md
@@ -18,10 +18,36 @@
  serialized (per-article coord lock, TTL evict, coord-down=warn+proceed) + STAGED
  (`.claude/wiki_staging/` -> review diff -> apply -> commit -> release). No blind merge.
 - **P0 COMPLETE (2026-06-08, VERSION 1.2.0).** Fleet broadcast sent.
- NEXT — P1 context diet (Task 5a inventory -> Task 5 one-line descriptions -> Task 6
+- [DONE] Task 6 — CLAUDE.md split: lean CORE (~1.2k tokens, was ~4.9k) + `CLAUDE_EXTENDED.md`
-  CLAUDE CORE/EXTENDED -> Task 7 thin save/sync). Then P2 delegation re-tune, P3 knowledge.
+  (full original preserved verbatim). All safety-critical rules retained in CORE (v1.3.0).
- Promote the warn-only guard (Task 4) to FATAL after a clean warn window (check
+- [DONE] Task 9 (P2) — delegation re-tune folded into CORE: act-directly-by-default; delegate
-  `.claude/harness/guard.log` across the fleet).
+  only for (a) high-volume output, (b) blast radius >3 files across layers, (c) domain shift,
  (d) parallel. Single-agent-for-coupled-tasks kept.
 - [DONE] Task 5 — one-line registry descriptions on the 8 biggest skills (remediation-tool,
  gc-audit, packetdial, memory-dream, human-flow, self-check, impeccable, mailprotector);
  skill-description injection ~3320 -> ~2123 tokens (~36% cut), keyword triggers preserved,
  frontmatter still valid.
 - [DONE] Task 7 — thinned `/save` + `/sync` command bodies: they now point to `sync.sh` as the
  single source instead of re-documenting its internals; load-bearing LLM-judgment parts (Phase 0
  save-vs-sync, cross-user note display, exit-75 reporting) kept verbatim. Mechanical sync never
  depends on an LLM step.
 - [DONE] Deterministic Bash fixes (from the "deferred to separate spec" carve-out): `now-phoenix.sh`
  helper added (fixed UTC-7 epoch math — no `TZ=America/Phoenix` Git-Bash bug); `post-bot-alert.sh`
  already builds JSON via `jq -nc --arg` (verified). Full Python port remains a separate future spec.
 - [DONE] Task 10 (P3) — knowledge tiering: recall order already in CORE (wiki -> CONTEXT/log ->
  coord); adopted `session-logs/YYYY-MM/` as a FORWARD convention for new logs (verified: nested
  path still matches the Phase 0 log-detection grep and wiki slug derivation). Existing flat logs
  left in place — recall grep covers both layouts; NO mass migration (would break wiki `source_logs`
  refs for low payoff).
 - **P1+P2+P3 COMPLETE (2026-06-08, VERSION 1.4.0).**
 - REMAINING (ops follow-ups, not blocking):
  - Promote the warn-only guard (Task 4) to FATAL after a clean warn window (check
    `.claude/harness/guard.log` across the fleet).
  - Schedule `memory-dream --apply-safe` per-machine (deliberate per-box ops setup; default is
    read-only/proposals, so unattended --apply-safe is a judgment call left to the operator).
  - Optional later: migrate existing flat session-logs into month folders if/when the flat dir
    becomes unwieldy (low priority; grep recall already covers both).
  - Task 8 (shard big command bodies) stays DEFERRED per Grok/Gemini.
 ## Task 0: Commit this spec
 Commit `specs/claudetools-harness-optimization/` (incl. `review-3way.md`).