sync: auto-sync from GURU-BEAST-ROG at 2026-06-19 19:54:43

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-19 19:54:43

.agents/skills/impeccable/SKILL.md

@@ -0,0 +1,168 @@
+---
+name: impeccable
+description: "Use when the user wants to design, redesign, shape, critique, audit, polish, clarify, distill, harden, optimize, adapt, animate, colorize, extract, or otherwise improve a frontend interface. Covers websites, landing pages, dashboards, product UI, app shells, components, forms, settings, onboarding, and empty states. Handles UX review, visual hierarchy, information architecture, cognitive load, accessibility, performance, responsive behavior, theming, anti-patterns, typography, fonts, spacing, layout, alignment, color, motion, micro-interactions, UX copy, error states, edge cases, i18n, and reusable design systems or tokens. Also use for bland designs that need to become bolder or more delightful, loud designs that should become quieter, live browser iteration on UI elements, or ambitious visual effects that should feel technically extraordinary. Not for backend-only or non-UI tasks."
+argument-hint: "[{{command_hint}}] [target]"
+user-invocable: true
+allowed-tools:
+  - Bash(npx impeccable *)
+license: Apache 2.0. Based on Anthropic's frontend-design skill. See NOTICE.md for attribution.
+---
+
+Designs and iterates production-grade frontend interfaces. Real working code, committed design choices, exceptional craft.
+
+## Setup
+
+Before any design work or file edits:
+
+1. Load context (PRODUCT.md / DESIGN.md) via the loader script.
+2. Identify the register and load the matching register reference (brand.md or product.md).
+3. **If the user invoked a sub-command (e.g. `craft`, `shape`, `audit`), load its reference file too.** This is non-negotiable: `craft` without `craft.md` loaded means you'll skip the shape-and-confirm step the user expects.
+
+Skipping these produces generic output that ignores the project.
+
+### 1. Context gathering
+
+Two files, case-insensitive. The loader looks at the project root by default and falls back to `.agents/context/` and `docs/` if the root is clean. Override with `IMPECCABLE_CONTEXT_DIR=path/to/dir` (absolute or relative to cwd).
+
+- **PRODUCT.md**: required. Users, brand, tone, anti-references, strategic principles.
+- **DESIGN.md**: optional, strongly recommended. Colors, typography, elevation, components.
+
+Load both in one call:
+
+```bash
+node {{scripts_path}}/load-context.mjs
+```
+
+Consume the full JSON output. Never pipe through `head`, `tail`, `grep`, or `jq`. The output's `contextDir` field tells you where the files were resolved from.
+
+If the output is already in this session's conversation history, don't re-run. Exceptions requiring a fresh load: you just ran `{{command_prefix}}impeccable teach` or `{{command_prefix}}impeccable document` (they rewrite the files), or the user manually edited one.
+
+`{{command_prefix}}impeccable live` already warms context via `live.mjs`. If you've run `live.mjs`, don't also run `load-context.mjs` this session.
+
+If PRODUCT.md is missing, empty, or placeholder (`[TODO]` markers, <200 chars): run `{{command_prefix}}impeccable teach`, then resume the user's original task with the fresh context. If the original task was `{{command_prefix}}impeccable craft`, resume into `{{command_prefix}}impeccable shape` before any implementation work.
+
+If DESIGN.md is missing: nudge once per session (*"Run `{{command_prefix}}impeccable document` for more on-brand output"*), then proceed.
+
+### 2. Register
+
+Every design task is **brand** (marketing, landing, campaign, long-form content, portfolio: design IS the product) or **product** (app UI, admin, dashboard, tool: design SERVES the product).
+
+Identify before designing. Priority: (1) cue in the task itself ("landing page" vs "dashboard"); (2) the surface in focus (the page, file, or route being worked on); (3) `register` field in PRODUCT.md. First match wins.
+
+If PRODUCT.md lacks the `register` field (legacy), infer it once from its "Users" and "Product Purpose" sections, then cache the inferred value for the session. Suggest the user run `{{command_prefix}}impeccable teach` to add the field explicitly.
+
+Load the matching reference: [reference/brand.md](reference/brand.md) or [reference/product.md](reference/product.md). The shared design laws below apply to both.
+
+## Shared design laws
+
+Apply to every design, both registers. Match implementation complexity to the aesthetic vision: maximalism needs elaborate code, minimalism needs precision. Interpret creatively. Vary across projects; never converge on the same choices. {{model}} is capable of extraordinary work. Don't hold back.
+
+### Color
+
+- Use OKLCH. Reduce chroma as lightness approaches 0 or 100; high chroma at extremes looks garish.
+- Never use `#000` or `#fff`. Tint every neutral toward the brand hue (chroma 0.005–0.01 is enough).
+- Pick a **color strategy** before picking colors. Four steps on the commitment axis:
+  - **Restrained**: tinted neutrals + one accent ≤10%. Product default; brand minimalism.
+  - **Committed**: one saturated color carries 30–60% of the surface. Brand default for identity-driven pages.
+  - **Full palette**: 3–4 named roles, each used deliberately. Brand campaigns; product data viz.
+  - **Drenched**: the surface IS the color. Brand heroes, campaign pages.
+- The "one accent ≤10%" rule is Restrained only. Committed / Full palette / Drenched exceed it on purpose. Don't collapse every design to Restrained by reflex.
+
+### Theme
+
+Dark vs. light is never a default. Not dark "because tools look cool dark." Not light "to be safe."
+
+Before choosing, write one sentence of physical scene: who uses this, where, under what ambient light, in what mood. If the sentence doesn't force the answer, it's not concrete enough. Add detail until it does.
+
+"Observability dashboard" does not force an answer. "SRE glancing at incident severity on a 27-inch monitor at 2am in a dim room" does. Run the sentence, not the category.
+
+### Typography
+
+- Cap body line length at 65–75ch.
+- Hierarchy through scale + weight contrast (≥1.25 ratio between steps). Avoid flat scales.
+
+### Layout
+
+- Vary spacing for rhythm. Same padding everywhere is monotony.
+- Cards are the lazy answer. Use them only when they're truly the best affordance. Nested cards are always wrong.
+- Don't wrap everything in a container. Most things don't need one.
+
+### Motion
+
+- Don't animate CSS layout properties.
+- Ease out with exponential curves (ease-out-quart / quint / expo). No bounce, no elastic.
+
+### Absolute bans
+
+Match-and-refuse. If you're about to write any of these, rewrite the element with different structure.
+
+- **Side-stripe borders.** `border-left` or `border-right` greater than 1px as a colored accent on cards, list items, callouts, or alerts. Never intentional. Rewrite with full borders, background tints, leading numbers/icons, or nothing.
+- **Gradient text.** `background-clip: text` combined with a gradient background. Decorative, never meaningful. Use a single solid color. Emphasis via weight or size.
+- **Glassmorphism as default.** Blurs and glass cards used decoratively. Rare and purposeful, or nothing.
+- **The hero-metric template.** Big number, small label, supporting stats, gradient accent. SaaS cliché.
+- **Identical card grids.** Same-sized cards with icon + heading + text, repeated endlessly.
+- **Modal as first thought.** Modals are usually laziness. Exhaust inline / progressive alternatives first.
+
+### Copy
+
+- Every word earns its place. No restated headings, no intros that repeat the title.
+- **No em dashes.** Use commas, colons, semicolons, periods, or parentheses. Also not `--`.
+
+### The AI slop test
+
+If someone could look at this interface and say "AI made that" without doubt, it's failed. Cross-register failures are the absolute bans above. Register-specific failures live in each reference.
+
+**Category-reflex check.** Run at two altitudes; the second one catches what the first one misses.
+
+- **First-order:** if someone could guess the theme + palette from the category alone ("observability → dark blue", "healthcare → white + teal", "finance → navy + gold", "crypto → neon on black"), it's the first training-data reflex. Rework the scene sentence and color strategy until the answer isn't obvious from the domain.
+- **Second-order:** if someone could guess the aesthetic family from category-plus-anti-references ("AI workflow tool that's not SaaS-cream → editorial-typographic", "fintech that's not navy-and-gold → terminal-native dark mode"), it's the trap one tier deeper. The first reflex was avoided; the second wasn't. Rework until both answers are not obvious. The brand register's [reflex-reject aesthetic lanes](reference/brand.md) list catches the currently-saturated families.
+
+## Commands
+
+| Command | Category | Description | Reference |
+|---|---|---|---|
+| `craft [feature]` | Build | Shape, then build a feature end-to-end | [reference/craft.md](reference/craft.md) |
+| `shape [feature]` | Build | Plan UX/UI before writing code | [reference/shape.md](reference/shape.md) |
+| `teach` | Build | Set up PRODUCT.md and DESIGN.md context | [reference/teach.md](reference/teach.md) |
+| `document` | Build | Generate DESIGN.md from existing project code | [reference/document.md](reference/document.md) |
+| `extract [target]` | Build | Pull reusable tokens and components into design system | [reference/extract.md](reference/extract.md) |
+| `critique [target]` | Evaluate | UX design review with heuristic scoring | [reference/critique.md](reference/critique.md) |
+| `audit [target]` | Evaluate | Technical quality checks (a11y, perf, responsive) | [reference/audit.md](reference/audit.md) |
+| `polish [target]` | Refine | Final quality pass before shipping | [reference/polish.md](reference/polish.md) |
+| `bolder [target]` | Refine | Amplify safe or bland designs | [reference/bolder.md](reference/bolder.md) |
+| `quieter [target]` | Refine | Tone down aggressive or overstimulating designs | [reference/quieter.md](reference/quieter.md) |
+| `distill [target]` | Refine | Strip to essence, remove complexity | [reference/distill.md](reference/distill.md) |
+| `harden [target]` | Refine | Production-ready: errors, i18n, edge cases | [reference/harden.md](reference/harden.md) |
+| `onboard [target]` | Refine | Design first-run flows, empty states, activation | [reference/onboard.md](reference/onboard.md) |
+| `animate [target]` | Enhance | Add purposeful animations and motion | [reference/animate.md](reference/animate.md) |
+| `colorize [target]` | Enhance | Add strategic color to monochromatic UIs | [reference/colorize.md](reference/colorize.md) |
+| `typeset [target]` | Enhance | Improve typography hierarchy and fonts | [reference/typeset.md](reference/typeset.md) |
+| `layout [target]` | Enhance | Fix spacing, rhythm, and visual hierarchy | [reference/layout.md](reference/layout.md) |
+| `delight [target]` | Enhance | Add personality and memorable touches | [reference/delight.md](reference/delight.md) |
+| `overdrive [target]` | Enhance | Push past conventional limits | [reference/overdrive.md](reference/overdrive.md) |
+| `clarify [target]` | Fix | Improve UX copy, labels, and error messages | [reference/clarify.md](reference/clarify.md) |
+| `adapt [target]` | Fix | Adapt for different devices and screen sizes | [reference/adapt.md](reference/adapt.md) |
+| `optimize [target]` | Fix | Diagnose and fix UI performance | [reference/optimize.md](reference/optimize.md) |
+| `live` | Iterate | Visual variant mode: pick elements in the browser, generate alternatives | [reference/live.md](reference/live.md) |
+
+Plus two management commands: `pin <command>` and `unpin <command>`, detailed below.
+
+### Routing rules
+
+1. **No argument**: render the table above as the user-facing command menu, grouped by category. Ask what they'd like to do.
+2. **First word matches a command**: load its reference file and follow its instructions. Everything after the command name is the target.
+3. **First word doesn't match**: general design invocation. Apply the setup steps, shared design laws, and the loaded register reference, using the full argument as context.
+
+Setup (context gathering, register) is already loaded by then; sub-commands don't re-invoke `{{command_prefix}}impeccable`.
+
+If the first word is `craft`, setup still runs first, but [reference/craft.md](reference/craft.md) owns the rest of the flow. If setup invokes `teach` as a blocker, finish teach, refresh context, then resume the original command and target.
+
+## Pin / Unpin
+
+**Pin** creates a standalone shortcut so `{{command_prefix}}<command>` invokes `{{command_prefix}}impeccable <command>` directly. **Unpin** removes it. The script writes to every harness directory present in the project.
+
+```bash
+node {{scripts_path}}/pin.mjs <pin|unpin> <command>
+```
+
+Valid `<command>` is any command from the table above. Report the script's result concisely. Confirm the new shortcut on success, relay stderr verbatim on error.

.agents/skills/impeccable/agents/impeccable-asset-producer.md

@@ -0,0 +1,101 @@
+---
+name: impeccable-asset-producer
+codex-name: impeccable_asset_producer
+description: Produces clean reusable raster assets from approved Impeccable mock references without redesigning the direction.
+tools: Read, Write, Edit, Bash, Glob, Grep
+model: inherit
+effort: medium
+max-turns: 12
+providers: codex
+nickname-candidates:
+  - Asset Plate
+  - Clean Plate
+  - Crop Cutter
+---
+
+# Impeccable Asset Producer
+
+You are the asset production agent for Impeccable craft.
+
+Your job is production cleanup, not new art direction. Work only from the approved mock, assigned crops, contact sheets, and constraints the parent agent gives you. The assets you create will be used to build a real site, so treat every raster as a raw ingredient that HTML, CSS, SVG, canvas, and component code will compose.
+
+## Core Rule
+
+Do not redesign. Preserve the reference's visual role, silhouette, palette, lighting, material, texture, camera angle, and composition unless the parent explicitly asks for a change. Preserve perspective only when it belongs to the object or scene itself; if CSS should create the card transform, shadow, rounded clipping, border, or layout, remove that presentation chrome from the raster.
+
+## Input Contract
+
+Expect:
+
+- Approved mock path or screenshot reference.
+- Crop paths or a contact sheet with crop ids.
+- Output directory.
+- Required dimensions, format, transparency needs, and avoid list.
+- Notes on what should remain semantic HTML/CSS/SVG instead of raster.
+
+If the source mock is attached but has no filesystem path, use it for visual planning. Ask for a path only before cropping or writing assets.
+
+Use defaults unless contradicted:
+
+- `.webp` for opaque photos, backgrounds, and textures.
+- `.png` for transparent cutouts, seals, tickets, and illustrations.
+- Target production size or at least 2x display size when dimensions are known. Do not use small full-page mock crop size as the default shipping size.
+- Remove UI text, navigation, buttons, labels, and body copy by default.
+- Keep physical marks only when the parent says they are part of the asset.
+- Remove letterboxing, empty padding, baked card corners, borders, shadows, caption bands, and layout background unless the parent says those pixels are intrinsic to the asset.
+- Keep the final assets directory clean: only files the build will consume belong there. Put source crops, reference crops, masks, and contact sheets in a sibling `_sources`, `sources`, or review folder.
+
+Ask blockers once, globally. Missing source path/crops or output directory blocks production. Exact dimensions, compression targets, retina variants, and format preferences do not block; choose defaults and report them.
+
+## Workflow
+
+1. Inventory the full approved mock or every assigned crop.
+2. Put each visual role in exactly one bucket:
+   - `produce`: needs generation, image editing, cleanup, cutout work, or a clean plate before it can ship.
+   - `direct`: can ship as a crop, format conversion, compression pass, or sourced replacement with no generative cleanup.
+   - `semantic`: build in HTML/CSS/SVG/canvas, no raster output.
+3. Treat full-page mock crops as references, not production-resolution source assets. Put a role in `direct` only when the provided source is already a clean, sufficiently large source asset with no semantic text or presentation chrome.
+4. Give the parent an execution order for the `produce` bucket.
+5. For produced assets, choose the least inventive strategy: image-to-image clean plate, faithful regeneration from crop reference, transparent cutout, texture/pattern reconstruction, stock/project source, or semantic HTML/CSS/SVG recommendation if raster is wrong.
+6. Treat every crop as binding reference. In Codex, use the imagegen skill and built-in `image_gen` path by default when generation or editing is needed.
+7. Remove baked-in UI text, navigation, buttons, body copy, and mock chrome unless the text is part of the asset.
+8. Think through the final DOM/CSS representation before generating. If CSS will own radius, clipping, shadows, borders, perspective, responsive cropping, captions, or card frames, do not bake those into the bitmap.
+9. Save outputs non-destructively in the requested project directory.
+10. Compare each output against its source crop. If a review/QA tool is available, run it before the final manifest, then retry each major/fatal finding once before finalizing.
+
+Use `direct` only for provided source assets that can already ship after crop tightening, conversion, compression, or naming. Do not ship a small crop from the full-page mock as `direct` just because it looks close.
+
+Use `texture/pattern extraction` only when the source region is already clean enough to sample as texture. If UI, cards, labels, headings, body copy, or footer chrome must be removed to make a reusable texture or background, classify it as crop-derived cleanup or clean-plate work.
+
+Use `semantic` for dashboards, charts, controls, screenshots of whole UI sections, data widgets, card chrome, app frames, icon toolbars, logos, wordmarks, and anything the final implementation can render crisply in HTML/CSS/SVG/canvas. Only ship a screenshot raster when the parent explicitly says the screenshot itself is the final asset.
+
+Semantic does not mean ignored. For every semantic role, write a concrete implementation handoff for the parent craft agent: name the DOM/component layers, CSS-owned visual treatment, SVG/canvas/icon-library pieces, responsive behavior, and which nearby produced raster assets it should compose with. For logos and icons, prefer inline SVG/vector or icon-library implementation unless the parent provides a production logo raster.
+
+For transparency, prefer true alpha output when the tool supports it. If it does not, request a flat chroma-key background in a color that cannot appear in the subject, then post-process that color to alpha before shipping a PNG/WebP. Do not ship the keyed background as the final asset.
+
+## Prompt Pattern
+
+Use this shape for image-to-image work:
+
+```text
+Use the provided crop as the approved visual reference.
+Recreate the same asset as a clean reusable production image at the target component aspect ratio and at least 2x display resolution.
+Preserve silhouette, object/scene perspective, camera angle, palette, lighting, material, texture, and visual role.
+Remove baked-in UI copy, navigation, buttons, labels, body text, watermarks, and mock chrome unless explicitly part of the asset.
+Remove letterboxing, padding, card borders, rounded clipping, CSS shadows, perspective transforms, caption bands, and layout backgrounds that the implementation should create in code.
+Do not add new objects. Do not change the concept. Do not redesign the composition.
+```
+
+For transparent cutouts, use the imagegen skill's built-in-first chroma-key workflow unless the parent explicitly authorizes a true native transparency fallback.
+
+## Output Contract
+
+Return a complete manifest, grouped by `produce`, `direct`, and `semantic`. For each asset include: `id`, `source_crop`, `output_path` when applicable, `strategy`, `prompt_used` when applicable, `dimensions`, `format`, `transparency`, `deviations`, and `qa_status`.
+
+For each semantic row include `id`, `implementation`, `notes`, and `qa_status`. The `implementation` must be a concrete build handoff, not a short explanation that no asset was produced. It should name the likely HTML/CSS/SVG/canvas/icon/component pieces and the visual responsibilities that code owns.
+
+`qa_status` must be `accepted`, `needs_parent_review`, or `blocked`. Use `accepted` only after visual comparison passes. Use `needs_parent_review` for cut-off subjects, unwanted borders or rounded-card chrome, letterboxing, baked semantic text, low-resolution output, perspective that should have been CSS, missing transparency, or drift from the crop. Use `blocked` when inputs, permissions, image capability, or asset source quality prevent a credible result.
+
+End with `execution_order`, `blockers`, and `assumptions` sections. Keep blockers global and minimal. Do not repeat missing inputs in every row; per-asset rows should carry only asset-specific risks or decisions.
+
+Do not modify implementation code. Do not edit the approved mock. Do not produce final page copy. The parent craft agent owns implementation and final mock fidelity.

.agents/skills/impeccable/reference/adapt.md

@@ -0,0 +1,190 @@
+> **Additional context needed**: target platforms/devices and usage contexts.
+
+Adapt an existing design to a different context: another screen size, device, platform, or use case. The trap is treating adaptation as scaling. The job is rethinking the experience for the new context.
+
+
+---
+
+## Assess Adaptation Challenge
+
+Understand what needs adaptation and why:
+
+1. **Identify the source context**:
+   - What was it designed for originally? (Desktop web? Mobile app?)
+   - What assumptions were made? (Large screen? Mouse input? Fast connection?)
+   - What works well in current context?
+
+2. **Understand target context**:
+   - **Device**: Mobile, tablet, desktop, TV, watch, print?
+   - **Input method**: Touch, mouse, keyboard, voice, gamepad?
+   - **Screen constraints**: Size, resolution, orientation?
+   - **Connection**: Fast wifi, slow 3G, offline?
+   - **Usage context**: On-the-go vs desk, quick glance vs focused reading?
+   - **User expectations**: What do users expect on this platform?
+
+3. **Identify adaptation challenges**:
+   - What won't fit? (Content, navigation, features)
+   - What won't work? (Hover states on touch, tiny touch targets)
+   - What's inappropriate? (Desktop patterns on mobile, mobile patterns on desktop)
+
+**CRITICAL**: Adaptation is rethinking the experience for the new context, not scaling pixels.
+
+## Plan Adaptation Strategy
+
+Create context-appropriate strategy:
+
+### Mobile Adaptation (Desktop → Mobile)
+
+**Layout Strategy**:
+- Single column instead of multi-column
+- Vertical stacking instead of side-by-side
+- Full-width components instead of fixed widths
+- Bottom navigation instead of top/side navigation
+
+**Interaction Strategy**:
+- Touch targets 44x44px minimum (not hover-dependent)
+- Swipe gestures where appropriate (lists, carousels)
+- Bottom sheets instead of dropdowns
+- Thumbs-first design (controls within thumb reach)
+- Larger tap areas with more spacing
+
+**Content Strategy**:
+- Progressive disclosure (don't show everything at once)
+- Prioritize primary content (secondary content in tabs/accordions)
+- Shorter text (more concise)
+- Larger text (16px minimum)
+
+**Navigation Strategy**:
+- Hamburger menu or bottom navigation
+- Reduce navigation complexity
+- Sticky headers for context
+- Back button in navigation flow
+
+### Tablet Adaptation (Hybrid Approach)
+
+**Layout Strategy**:
+- Two-column layouts (not single or three-column)
+- Side panels for secondary content
+- Master-detail views (list + detail)
+- Adaptive based on orientation (portrait vs landscape)
+
+**Interaction Strategy**:
+- Support both touch and pointer
+- Touch targets 44x44px but allow denser layouts than phone
+- Side navigation drawers
+- Multi-column forms where appropriate
+
+### Desktop Adaptation (Mobile → Desktop)
+
+**Layout Strategy**:
+- Multi-column layouts (use horizontal space)
+- Side navigation always visible
+- Multiple information panels simultaneously
+- Fixed widths with max-width constraints (don't stretch to 4K)
+
+**Interaction Strategy**:
+- Hover states for additional information
+- Keyboard shortcuts
+- Right-click context menus
+- Drag and drop where helpful
+- Multi-select with Shift/Cmd
+
+**Content Strategy**:
+- Show more information upfront (less progressive disclosure)
+- Data tables with many columns
+- Richer visualizations
+- More detailed descriptions
+
+### Print Adaptation (Screen → Print)
+
+**Layout Strategy**:
+- Page breaks at logical points
+- Remove navigation, footer, interactive elements
+- Black and white (or limited color)
+- Proper margins for binding
+
+**Content Strategy**:
+- Expand shortened content (show full URLs, hidden sections)
+- Add page numbers, headers, footers
+- Include metadata (print date, page title)
+- Convert charts to print-friendly versions
+
+### Email Adaptation (Web → Email)
+
+**Layout Strategy**:
+- Narrow width (600px max)
+- Single column only
+- Inline CSS (no external stylesheets)
+- Table-based layouts (for email client compatibility)
+
+**Interaction Strategy**:
+- Large, obvious CTAs (buttons not text links)
+- No hover states (not reliable)
+- Deep links to web app for complex interactions
+
+## Implement Adaptations
+
+Apply changes systematically:
+
+### Responsive Breakpoints
+
+Choose appropriate breakpoints:
+- Mobile: 320px-767px
+- Tablet: 768px-1023px
+- Desktop: 1024px+
+- Or content-driven breakpoints (where design breaks)
+
+### Layout Adaptation Techniques
+
+- **CSS Grid/Flexbox**: Reflow layouts automatically
+- **Container Queries**: Adapt based on container, not viewport
+- **`clamp()`**: Fluid sizing between min and max
+- **Media queries**: Different styles for different contexts
+- **Display properties**: Show/hide elements per context
+
+### Touch Adaptation
+
+- Increase touch target sizes (44x44px minimum)
+- Add more spacing between interactive elements
+- Remove hover-dependent interactions
+- Add touch feedback (ripples, highlights)
+- Consider thumb zones (easier to reach bottom than top)
+
+### Content Adaptation
+
+- Use `display: none` sparingly (still downloads)
+- Progressive enhancement (core content first, enhancements on larger screens)
+- Lazy loading for off-screen content
+- Responsive images (`srcset`, `picture` element)
+
+### Navigation Adaptation
+
+- Transform complex nav to hamburger/drawer on mobile
+- Bottom nav bar for mobile apps
+- Persistent side navigation on desktop
+- Breadcrumbs on smaller screens for context
+
+**IMPORTANT**: Test on real devices. Device emulation in DevTools is helpful but not perfect.
+
+**NEVER**:
+- Hide core functionality on mobile (if it matters, make it work)
+- Assume desktop = powerful device (consider accessibility, older machines)
+- Use different information architecture across contexts (confusing)
+- Break user expectations for platform (mobile users expect mobile patterns)
+- Forget landscape orientation on mobile/tablet
+- Use generic breakpoints blindly (use content-driven breakpoints)
+- Ignore touch on desktop (many desktop devices have touch)
+
+## Verify Adaptations
+
+Test thoroughly across contexts:
+
+- **Real devices**: Test on actual phones, tablets, desktops
+- **Different orientations**: Portrait and landscape
+- **Different browsers**: Safari, Chrome, Firefox, Edge
+- **Different OS**: iOS, Android, Windows, macOS
+- **Different input methods**: Touch, mouse, keyboard
+- **Edge cases**: Very small screens (320px), very large screens (4K)
+- **Slow connections**: Test on throttled network
+
+When the adaptation feels native to each context, hand off to `{{command_prefix}}impeccable polish` for the final pass.

.agents/skills/impeccable/reference/animate.md

@@ -0,0 +1,175 @@
+> **Additional context needed**: performance constraints.
+
+Add motion that conveys state, gives feedback, and clarifies hierarchy. Cut motion that exists only for decoration. Animation fatigue is a real cost; spend the budget on the moments that need it.
+
+---
+
+## Register
+
+Brand: orchestrated page-load sequences, staggered reveals, scroll-driven animation. Motion is part of the voice; one well-rehearsed entrance beats scattered micro-interactions.
+
+Product: 150–250 ms on most transitions. Motion conveys state: feedback, reveal, loading, transitions between views. No page-load choreography; users are in a task and won't wait for it.
+
+---
+
+## Assess Animation Opportunities
+
+Analyze where motion would improve the experience:
+
+1. **Identify static areas**:
+   - **Missing feedback**: Actions without visual acknowledgment (button clicks, form submission, etc.)
+   - **Jarring transitions**: Instant state changes that feel abrupt (show/hide, page loads, route changes)
+   - **Unclear relationships**: Spatial or hierarchical relationships that aren't obvious
+   - **Lack of delight**: Functional but joyless interactions
+   - **Missed guidance**: Opportunities to direct attention or explain behavior
+
+2. **Understand the context**:
+   - What's the personality? (Playful vs serious, energetic vs calm)
+   - What's the performance budget? (Mobile-first? Complex page?)
+   - Who's the audience? (Motion-sensitive users? Power users who want speed?)
+   - What matters most? (One hero animation vs many micro-interactions?)
+
+If any of these are unclear from the codebase, {{ask_instruction}}
+
+**CRITICAL**: Respect `prefers-reduced-motion`. Always provide non-animated alternatives for users who need them.
+
+## Plan Animation Strategy
+
+Create a purposeful animation plan:
+
+- **Hero moment**: What's the ONE signature animation? (Page load? Hero section? Key interaction?)
+- **Feedback layer**: Which interactions need acknowledgment?
+- **Transition layer**: Which state changes need smoothing?
+- **Delight layer**: Where can we surprise and delight?
+
+**IMPORTANT**: One well-orchestrated experience beats scattered animations everywhere. Focus on high-impact moments.
+
+## Implement Animations
+
+Add motion systematically across these categories:
+
+### Entrance Animations
+- **Page load choreography**: Stagger element reveals (100-150ms delays), fade + slide combinations
+- **Hero section**: Dramatic entrance for primary content (scale, parallax, or creative effects)
+- **Content reveals**: Scroll-triggered animations using intersection observer
+- **Modal/drawer entry**: Smooth slide + fade, backdrop fade, focus management
+
+### Micro-interactions
+- **Button feedback**:
+  - Hover: Subtle scale (1.02-1.05), color shift, shadow increase
+  - Click: Quick scale down then up (0.95 → 1), ripple effect
+  - Loading: Spinner or pulse state
+- **Form interactions**:
+  - Input focus: Border color transition, slight scale or glow
+  - Validation: Shake on error, check mark on success, smooth color transitions
+- **Toggle switches**: Smooth slide + color transition (200-300ms)
+- **Checkboxes/radio**: Check mark animation, ripple effect
+- **Like/favorite**: Scale + rotation, particle effects, color transition
+
+### State Transitions
+- **Show/hide**: Fade + slide (not instant), appropriate timing (200-300ms)
+- **Expand/collapse**: Height transition with overflow handling, icon rotation
+- **Loading states**: Skeleton screen fades, spinner animations, progress bars
+- **Success/error**: Color transitions, icon animations, gentle scale pulse
+- **Enable/disable**: Opacity transitions, cursor changes
+
+### Navigation & Flow
+- **Page transitions**: Crossfade between routes, shared element transitions
+- **Tab switching**: Slide indicator, content fade/slide
+- **Carousel/slider**: Smooth transforms, snap points, momentum
+- **Scroll effects**: Parallax layers, sticky headers with state changes, scroll progress indicators
+
+### Feedback & Guidance
+- **Hover hints**: Tooltip fade-ins, cursor changes, element highlights
+- **Drag & drop**: Lift effect (shadow + scale), drop zone highlights, smooth repositioning
+- **Copy/paste**: Brief highlight flash on paste, "copied" confirmation
+- **Focus flow**: Highlight path through form or workflow
+
+### Delight Moments
+- **Empty states**: Subtle floating animations on illustrations
+- **Completed actions**: Confetti, check mark flourish, success celebrations
+- **Easter eggs**: Hidden interactions for discovery
+- **Contextual animation**: Weather effects, time-of-day themes, seasonal touches
+
+## Technical Implementation
+
+Use appropriate techniques for each animation:
+
+### Timing & Easing
+
+**Durations by purpose:**
+- **100-150ms**: Instant feedback (button press, toggle)
+- **200-300ms**: State changes (hover, menu open)
+- **300-500ms**: Layout changes (accordion, modal)
+- **500-800ms**: Entrance animations (page load)
+
+**Easing curves (use these, not CSS defaults):**
+```css
+/* Recommended: natural deceleration */
+--ease-out-quart: cubic-bezier(0.25, 1, 0.5, 1);    /* Smooth */
+--ease-out-quint: cubic-bezier(0.22, 1, 0.36, 1);   /* Slightly snappier */
+--ease-out-expo: cubic-bezier(0.16, 1, 0.3, 1);     /* Confident, decisive */
+
+/* AVOID: feel dated and tacky */
+/* bounce: cubic-bezier(0.34, 1.56, 0.64, 1); */
+/* elastic: cubic-bezier(0.68, -0.6, 0.32, 1.6); */
+```
+
+**Exit animations are faster than entrances.** Use ~75% of enter duration.
+
+### CSS Animations
+```css
+/* Prefer for simple, declarative animations */
+- transitions for state changes
+- @keyframes for complex sequences
+- transform and opacity for reliable movement
+- blur, filters, masks, clip paths, shadows, and color shifts for premium atmospheric effects when verified smooth
+```
+
+### JavaScript Animation
+```javascript
+/* Use for complex, interactive animations */
+- Web Animations API for programmatic control
+- Framer Motion for React
+- GSAP for complex sequences
+```
+
+### Performance
+- **Motion materials**: Use transform/opacity for reliable movement, but use blur, filters, masks, shadows, and color shifts when they materially improve the effect
+- **Layout safety**: Avoid casual animation of layout-driving properties (`width`, `height`, `top`, `left`, margins)
+- **will-change**: Add sparingly for known expensive animations
+- **Bound expensive effects**: Keep blur/filter/shadow areas small or isolated, use `contain` where appropriate
+- **Monitor FPS**: Ensure 60fps on target devices
+
+### Accessibility
+```css
+@media (prefers-reduced-motion: reduce) {
+  * {
+    animation-duration: 0.01ms !important;
+    animation-iteration-count: 1 !important;
+    transition-duration: 0.01ms !important;
+  }
+}
+```
+
+**NEVER**:
+- Use bounce or elastic easing curves; they feel dated and draw attention to the animation itself
+- Animate layout properties casually (`width`, `height`, `top`, `left`, margins) when transform, FLIP, or grid-based techniques would work
+- Use durations over 500ms for feedback (it feels laggy)
+- Animate without purpose (every animation needs a reason)
+- Ignore `prefers-reduced-motion` (this is an accessibility violation)
+- Animate everything (animation fatigue makes interfaces feel exhausting)
+- Block interaction during animations unless intentional
+
+## Verify Quality
+
+Test animations thoroughly:
+
+- **Smooth at 60fps**: No jank on target devices
+- **Feels natural**: Easing curves feel organic, not robotic
+- **Appropriate timing**: Not too fast (jarring) or too slow (laggy)
+- **Reduced motion works**: Animations disabled or simplified appropriately
+- **Doesn't block**: Users can interact during/after animations
+- **Adds value**: Makes interface clearer or more delightful
+
+When the motion clarifies state instead of decorating it, hand off to `{{command_prefix}}impeccable polish` for the final pass.

.agents/skills/impeccable/reference/audit.md

@@ -0,0 +1,133 @@
+Run systematic **technical** quality checks and generate a comprehensive report. Don't fix issues; document them for other commands to address.
+
+This is a code-level audit, not a design critique. Check what's measurable and verifiable in the implementation.
+
+## Diagnostic Scan
+
+Run comprehensive checks across 5 dimensions. Score each dimension 0-4 using the criteria below.
+
+### 1. Accessibility (A11y)
+
+**Check for**:
+- **Contrast issues**: Text contrast ratios < 4.5:1 (or 7:1 for AAA)
+- **Missing ARIA**: Interactive elements without proper roles, labels, or states
+- **Keyboard navigation**: Missing focus indicators, illogical tab order, keyboard traps
+- **Semantic HTML**: Improper heading hierarchy, missing landmarks, divs instead of buttons
+- **Alt text**: Missing or poor image descriptions
+- **Form issues**: Inputs without labels, poor error messaging, missing required indicators
+
+**Score 0-4**: 0=Inaccessible (fails WCAG A), 1=Major gaps (few ARIA labels, no keyboard nav), 2=Partial (some a11y effort, significant gaps), 3=Good (WCAG AA mostly met, minor gaps), 4=Excellent (WCAG AA fully met, approaches AAA)
+
+### 2. Performance
+
+**Check for**:
+- **Layout thrashing**: Reading/writing layout properties in loops
+- **Expensive animations**: Casual layout-property animation, unbounded blur/filter/shadow effects, or effects that visibly drop frames
+- **Missing optimization**: Images without lazy loading, unoptimized assets, missing will-change
+- **Bundle size**: Unnecessary imports, unused dependencies
+- **Render performance**: Unnecessary re-renders, missing memoization
+
+**Score 0-4**: 0=Severe issues (layout thrash, unoptimized everything), 1=Major problems (no lazy loading, expensive animations), 2=Partial (some optimization, gaps remain), 3=Good (mostly optimized, minor improvements possible), 4=Excellent (fast, lean, well-optimized)
+
+### 3. Theming
+
+**Check for**:
+- **Hard-coded colors**: Colors not using design tokens
+- **Broken dark mode**: Missing dark mode variants, poor contrast in dark theme
+- **Inconsistent tokens**: Using wrong tokens, mixing token types
+- **Theme switching issues**: Values that don't update on theme change
+
+**Score 0-4**: 0=No theming (hard-coded everything), 1=Minimal tokens (mostly hard-coded), 2=Partial (tokens exist but inconsistently used), 3=Good (tokens used, minor hard-coded values), 4=Excellent (full token system, dark mode works perfectly)
+
+### 4. Responsive Design
+
+**Check for**:
+- **Fixed widths**: Hard-coded widths that break on mobile
+- **Touch targets**: Interactive elements < 44x44px
+- **Horizontal scroll**: Content overflow on narrow viewports
+- **Text scaling**: Layouts that break when text size increases
+- **Missing breakpoints**: No mobile/tablet variants
+
+**Score 0-4**: 0=Desktop-only (breaks on mobile), 1=Major issues (some breakpoints, many failures), 2=Partial (works on mobile, rough edges), 3=Good (responsive, minor touch target or overflow issues), 4=Excellent (fluid, all viewports, proper touch targets)
+
+### 5. Anti-Patterns (CRITICAL)
+
+Check against ALL the **DON'T** guidelines from the parent impeccable skill (already loaded in this context). Look for AI slop tells (AI color palette, gradient text, glassmorphism, hero metrics, card grids, generic fonts) and general design anti-patterns (gray on color, nested cards, bounce easing, redundant copy).
+
+**Score 0-4**: 0=AI slop gallery (5+ tells), 1=Heavy AI aesthetic (3-4 tells), 2=Some tells (1-2 noticeable), 3=Mostly clean (subtle issues only), 4=No AI tells (distinctive, intentional design)
+
+## Generate Report
+
+### Audit Health Score
+
+| # | Dimension | Score | Key Finding |
+|---|-----------|-------|-------------|
+| 1 | Accessibility | ? | [most critical a11y issue or "--"] |
+| 2 | Performance | ? | |
+| 3 | Responsive Design | ? | |
+| 4 | Theming | ? | |
+| 5 | Anti-Patterns | ? | |
+| **Total** | | **??/20** | **[Rating band]** |
+
+**Rating bands**: 18-20 Excellent (minor polish), 14-17 Good (address weak dimensions), 10-13 Acceptable (significant work needed), 6-9 Poor (major overhaul), 0-5 Critical (fundamental issues)
+
+### Anti-Patterns Verdict
+**Start here.** Pass/fail: Does this look AI-generated? List specific tells. Be brutally honest.
+
+### Executive Summary
+- Audit Health Score: **??/20** ([rating band])
+- Total issues found (count by severity: P0/P1/P2/P3)
+- Top 3-5 critical issues
+- Recommended next steps
+
+### Detailed Findings by Severity
+
+Tag every issue with **P0-P3 severity**:
+- **P0 Blocking**: Prevents task completion. Fix immediately
+- **P1 Major**: Significant difficulty or WCAG AA violation. Fix before release
+- **P2 Minor**: Annoyance, workaround exists. Fix in next pass
+- **P3 Polish**: Nice-to-fix, no real user impact. Fix if time permits
+
+For each issue, document:
+- **[P?] Issue name**
+- **Location**: Component, file, line
+- **Category**: Accessibility / Performance / Theming / Responsive / Anti-Pattern
+- **Impact**: How it affects users
+- **WCAG/Standard**: Which standard it violates (if applicable)
+- **Recommendation**: How to fix it
+- **Suggested command**: Which command to use (prefer: {{available_commands}})
+
+### Patterns & Systemic Issues
+
+Identify recurring problems that indicate systemic gaps rather than one-off mistakes:
+- "Hard-coded colors appear in 15+ components, should use design tokens"
+- "Touch targets consistently too small (<44px) throughout mobile experience"
+
+### Positive Findings
+
+Note what's working well: good practices to maintain and replicate.
+
+## Recommended Actions
+
+List recommended commands in priority order (P0 first, then P1, then P2):
+
+1. **[P?] `{{command_prefix}}command-name`**: Brief description (specific context from audit findings)
+2. **[P?] `{{command_prefix}}command-name`**: Brief description (specific context)
+
+**Rules**: Only recommend commands from: {{available_commands}}. Map findings to the most appropriate command. End with `{{command_prefix}}impeccable polish` as the final step if any fixes were recommended.
+
+After presenting the summary, tell the user:
+
+> You can ask me to run these one at a time, all at once, or in any order you prefer.
+>
+> Re-run `{{command_prefix}}impeccable audit` after fixes to see your score improve.
+
+**IMPORTANT**: Be thorough but actionable. Too many P3 issues creates noise. Focus on what actually matters.
+
+**NEVER**:
+- Report issues without explaining impact (why does this matter?)
+- Provide generic recommendations (be specific and actionable)
+- Skip positive findings (celebrate what works)
+- Forget to prioritize (everything can't be P0)
+- Report false positives without verification
+

.agents/skills/impeccable/reference/bolder.md

@@ -0,0 +1,113 @@
+When asked for "bolder," AI defaults to the same tired tricks: cyan/purple gradients, glassmorphism, neon accents on dark backgrounds, gradient text on metrics. These are the opposite of bold. Reject them first, then increase visual impact and personality through stronger hierarchy, committed scale, and decisive type.
+
+---
+
+## Register
+
+Brand: "bolder" means distinctive. Extreme scale, unexpected color, typographic risk, committed POV.
+
+Product: "bolder" rarely means theatrics; those undermine trust. It means stronger hierarchy, clearer weight contrast, one sharper accent, more committed density. The amplification is in clarity, not drama.
+
+---
+
+## Assess Current State
+
+Analyze what makes the design feel too safe or boring:
+
+1. **Identify weakness sources**:
+   - **Generic choices**: System fonts, basic colors, standard layouts
+   - **Timid scale**: Everything is medium-sized with no drama
+   - **Low contrast**: Everything has similar visual weight
+   - **Static**: No motion, no energy, no life
+   - **Predictable**: Standard patterns with no surprises
+   - **Flat hierarchy**: Nothing stands out or commands attention
+
+2. **Understand the context**:
+   - What's the brand personality? (How far can we push?)
+   - What's the purpose? (Marketing can be bolder than financial dashboards)
+   - Who's the audience? (What will resonate?)
+   - What are the constraints? (Brand guidelines, accessibility, performance)
+
+If any of these are unclear from the codebase, {{ask_instruction}}
+
+**CRITICAL**: "Bolder" doesn't mean chaotic or garish. It means distinctive, memorable, and confident. Think intentional drama, not random chaos.
+
+**WARNING - AI SLOP TRAP**: Review ALL the DON'T guidelines from the parent impeccable skill (already loaded in this context) before proceeding. Bold means distinctive, not "more effects."
+
+## Plan Amplification
+
+Create a strategy to increase impact while maintaining coherence:
+
+- **Focal point**: What should be the hero moment? (Pick ONE, make it amazing)
+- **Personality direction**: Maximalist chaos? Elegant drama? Playful energy? Dark moody? Choose a lane.
+- **Risk budget**: How experimental can we be? Push boundaries within constraints.
+- **Hierarchy amplification**: Make big things BIGGER, small things smaller (increase contrast)
+
+**IMPORTANT**: Bold design must still be usable. Impact without function is just decoration.
+
+## Amplify the Design
+
+Systematically increase impact across these dimensions:
+
+### Typography Amplification
+- **Replace generic fonts**: Swap system fonts for distinctive choices (see the parent skill's typography guidelines and [typography.md](typography.md) for inspiration)
+- **Extreme scale**: Create dramatic size jumps (3x-5x differences, not 1.5x)
+- **Weight contrast**: Pair 900 weights with 200 weights, not 600 with 400
+- **Unexpected choices**: Variable fonts, display fonts for headlines, condensed/extended widths, monospace as intentional accent (not as lazy "dev tool" default)
+
+### Color Intensification
+- **Increase saturation**: Shift to more vibrant, energetic colors (but not neon)
+- **Bold palette**: Introduce unexpected color combinations. Avoid the purple-blue gradient AI slop
+- **Dominant color strategy**: Let one bold color own 60% of the design
+- **Sharp accents**: High-contrast accent colors that pop
+- **Tinted neutrals**: Replace pure grays with tinted grays that harmonize with your palette
+- **Rich gradients**: Intentional multi-stop gradients (not generic purple-to-blue)
+
+### Spatial Drama
+- **Extreme scale jumps**: Make important elements 3-5x larger than surroundings
+- **Break the grid**: Let hero elements escape containers and cross boundaries
+- **Asymmetric layouts**: Replace centered, balanced layouts with tension-filled asymmetry
+- **Generous space**: Use white space dramatically (100-200px gaps, not 20-40px)
+- **Overlap**: Layer elements intentionally for depth
+
+### Visual Effects
+- **Dramatic shadows**: Large, soft shadows for elevation (but not generic drop shadows on rounded rectangles)
+- **Background treatments**: Mesh patterns, noise textures, geometric patterns, intentional gradients (not purple-to-blue)
+- **Texture & depth**: Grain, halftone, duotone, layered elements. NOT glassmorphism (it's overused AI slop)
+- **Borders & frames**: Thick borders, decorative frames, custom shapes (not rounded rectangles with colored border on one side)
+- **Custom elements**: Illustrative elements, custom icons, decorative details that reinforce brand
+
+### Motion & Animation
+- **Entrance choreography**: Staggered, dramatic page load animations with 50-100ms delays
+- **Scroll effects**: Parallax, reveal animations, scroll-triggered sequences
+- **Micro-interactions**: Satisfying hover effects, click feedback, state changes
+- **Transitions**: Smooth, noticeable transitions using ease-out-quart/quint/expo (not bounce or elastic, which cheapen the effect)
+
+### Composition Boldness
+- **Hero moments**: Create clear focal points with dramatic treatment
+- **Diagonal flows**: Escape horizontal/vertical rigidity with diagonal arrangements
+- **Full-bleed elements**: Use full viewport width/height for impact
+- **Unexpected proportions**: Golden ratio? Throw it out. Try 70/30, 80/20 splits
+
+**NEVER**:
+- Add effects randomly without purpose (chaos ≠ bold)
+- Sacrifice readability for aesthetics (body text must be readable)
+- Make everything bold (then nothing is bold; you need contrast)
+- Ignore accessibility (bold design must still meet WCAG standards)
+- Overwhelm with motion (animation fatigue is real)
+- Copy trendy aesthetics blindly (bold means distinctive, not derivative)
+
+## Verify Quality
+
+Ensure amplification maintains usability and coherence:
+
+- **NOT AI slop**: Does this look like every other AI-generated "bold" design? If yes, start over.
+- **Still functional**: Can users accomplish tasks without distraction?
+- **Coherent**: Does everything feel intentional and unified?
+- **Memorable**: Will users remember this experience?
+- **Performant**: Do all these effects run smoothly?
+- **Accessible**: Does it still meet accessibility standards?
+
+**The test**: If you showed this to someone and said "AI made this bolder," would they believe you immediately? If yes, you've failed. Bold means distinctive, not "more AI effects."
+
+When the result feels right, hand off to `{{command_prefix}}impeccable polish` for the final pass.

.agents/skills/impeccable/reference/brand.md

@@ -0,0 +1,118 @@
+# Brand register
+
+When design IS the product: brand sites, landing pages, marketing surfaces, campaign pages, portfolios, long-form content, about pages. The deliverable is the design itself; a visitor's impression is the thing being made.
+
+The register spans every genre. A tech brand (Stripe, Linear, Vercel). A luxury brand (a hotel, a fashion house). A consumer product (a restaurant, a travel site, a CPG packaging page). A creative studio, an agency portfolio, a band's album page. They all share the stance (*communicate, not transact*) and diverge wildly in aesthetic. Don't collapse them into a single look.
+
+## The brand slop test
+
+If someone could look at this and say "AI made that" without hesitation, it's failed. The bar is distinctiveness; a visitor should ask "how was this made?", not "which AI made this?"
+
+Brand isn't a neutral register. AI-generated landing pages have flooded the internet, and average is no longer findable. Restraint without intent now reads as mediocre, not refined. Brand surfaces need a POV, a specific audience, a willingness to risk strangeness. Go big or go home.
+
+**The second slop test: aesthetic lane.** Before committing to moves, name the reference. A Klim-style specimen page is one lane; Stripe-minimal is another; Liquid-Death-acid-maximalism is another. Don't drift into editorial-magazine aesthetics on a brief that isn't editorial. A hiking brand with Cormorant italic drop caps has the wrong register within the register.
+
+Then the inverse test: in one sentence, describe what you're about to build the way a competitor would describe theirs. If that sentence fits the modal landing page in the category, restart.
+
+## Typography
+
+### Font selection procedure
+
+Every project. Never skip.
+
+1. Read the brief. Write three concrete brand-voice words. Not "modern" or "elegant," but "warm and mechanical and opinionated" or "calm and clinical and careful." Physical-object words.
+2. List the three fonts you'd reach for by reflex. If any appear in the reflex-reject list below, reject them; they are training-data defaults and they create monoculture.
+3. Browse a real catalog (Google Fonts, Pangram Pangram, Future Fonts, Adobe Fonts, ABC Dinamo, Klim, Velvetyne) with the three words in mind. Find the font for the brand as a *physical object*: a museum caption, a 1970s terminal manual, a fabric label, a cheap-newsprint children's book, a concert poster, a receipt from a mid-century diner. Reject the first thing that "looks designy."
+4. Cross-check. "Elegant" is not necessarily serif. "Technical" is not necessarily sans. "Warm" is not Fraunces. If the final pick lines up with the original reflex, start over.
+
+### Reflex-reject list
+
+Training-data defaults. Ban list. Look further:
+
+Fraunces · Newsreader · Lora · Crimson · Crimson Pro · Crimson Text · Playfair Display · Cormorant · Cormorant Garamond · Syne · IBM Plex Mono · IBM Plex Sans · IBM Plex Serif · Space Mono · Space Grotesk · Inter · DM Sans · DM Serif Display · DM Serif Text · Outfit · Plus Jakarta Sans · Instrument Sans · Instrument Serif
+
+### Reflex-reject aesthetic lanes
+
+Parallel to the font list. Currently saturated aesthetic families that have flooded brand surfaces. If a brief lands in one of these lanes without a register reason that *requires* it (a literal magazine, a literal terminal, a literal industrial signage system), it's the second-order training reflex: the trap one tier deeper than picking a Fraunces font. Look further.
+
+- **Editorial-typographic.** Display serif (often italic) + small mono labels + ruled separators + monochromatic restraint. Klim-influenced, magazine-cover affectation. By 2026, every Stripe-adjacent and Notion-adjacent brand has landed here. The fingerprint: three rule-separated columns, an italic Fraunces / Recoleta / Newsreader headline, lowercase track-spaced metadata, no imagery.
+
+(More entries land here on the same cadence the font list updates. Brutalist-utility and acid-maximalism may join when they saturate. Removing entries when they fall back below saturation is also fine.)
+
+The reflex-reject lists apply to **new design choices**. When the existing brand has already committed to a font or a lane as part of its identity, identity-preservation wins; variants on an existing surface don't second-guess what's already shipping. The reflex-reject lists are for greenfield decisions and for departure-mode variants in [live.md](live.md).
+
+### Pairing and voice
+
+Distinctive + refined is the goal. The specific shape depends on the brand:
+
+- **Editorial / long-form / luxury**: display serif + sans body (a magazine shape).
+- **Tech / dev tools / fintech**: one committed sans, usually; custom-tight tracking, strong weight contrast inside a single family.
+- **Consumer / food / travel**: warmer pairings, often a humanist sans plus a script or display serif.
+- **Creative studios / agencies**: rule-breaking welcome. Mono-only, or display-only, or custom-drawn type as voice.
+
+Two families minimum is the rule *only* when the voice needs it. A single well-chosen family with committed weight/size contrast is stronger than a timid display+body pair.
+
+Vary across projects. If the last brief was a serif-display landing page, this one isn't.
+
+### Scale
+
+Modular scale, fluid `clamp()` for headings, ≥1.25 ratio between steps. Flat scales (1.1× apart) read as uncommitted.
+
+Light text on dark backgrounds: add 0.05–0.1 to line-height. Light type reads as lighter weight and needs more breathing room.
+
+## Color
+
+Brand surfaces have permission for Committed, Full palette, and Drenched strategies. Use them. A single saturated color spread across a hero is not excess; it's voice. A beige-and-muted-slate landing page ignores the register.
+
+- Name a real reference before picking a strategy. "Klim Type Foundry #ff4500 orange drench", "Stripe purple-on-white restraint", "Liquid Death acid-green full palette", "Mailchimp yellow full palette", "Condé Nast Traveler muted navy restraint", "Vercel pure black monochrome". Unnamed ambition becomes beige.
+- Palette IS voice. A calm brand and a restless brand should not share palette mechanics.
+- When the strategy is Committed or Drenched, color carries the brand. Don't hedge with neutrals around the edges. Commit.
+- Don't converge across projects. If the last brand surface was restrained-on-cream, this one is not.
+- When a cultural-symbol palette is the obvious pull, reach past it. Let the cultural reading come from typography, imagery, and copy, not the palette.
+
+## Layout
+
+- Asymmetric compositions are one option. Break the grid intentionally for emphasis.
+- Fluid spacing with `clamp()` that breathes on larger viewports. Vary for rhythm: generous separations, tight groupings.
+- Alternative: a strict, visible grid as the voice (brutalist / Swiss / tech-spec aesthetics). Either asymmetric or rigorously-gridded can be "designed"; the failure mode is splitting the difference into a generic centered stack.
+- Don't default to centering everything. Left-aligned with asymmetric layouts feels more designed; a strict grid reads as confident structure. A centered-stack hero with icon-title-subtitle cards reads as template.
+- When cards ARE the right affordance, use `grid-template-columns: repeat(auto-fit, minmax(280px, 1fr))` for breakpoint-free responsiveness.
+
+## Imagery
+
+Brand surfaces lean on imagery. A restaurant, hotel, magazine, or product landing page without any imagery reads as incomplete, not as restrained. A solid-color rectangle where a hero image should go is worse than a representative stock photo.
+
+**When the brief implies imagery (restaurants, hotels, magazines, photography, hobbyist communities, food, travel, fashion, product), you must ship imagery.** Zero images is a bug, not a design choice. "Restraint" is not an excuse. If the approved comp or brief is image-led, ship real project assets, generated raster assets, or a credible canvas/SVG/WebGL scene. Do not replace photographic, architectural, product, or place imagery with generic CSS panels, decorative diagrams, cards, bullets, or copy.
+
+- **For greenfield work without local assets, use stock imagery.** Unsplash is the default. The URL shape is `https://images.unsplash.com/photo-{id}?auto=format&fit=crop&w=1600&q=80`. **Verify the URLs before referencing them.** If you have an image-search MCP, web-fetch tool, or browser access, use it to find real photo IDs and confirm they resolve. Guessed IDs (even ones that look real) often 404 and ship as broken-image placeholders. Without a verification path, pick fewer photos you're confident exist over more that you guessed; never substitute colored `<div>` placeholders.
+- **Search for the brand's physical object**, not the generic category: "handmade pasta on a scratched wooden table" beats "Italian food"; "cypress trees above a limestone hotel facade at dusk" beats "luxury hotel".
+- **One decisive photo beats five mediocre ones.** Hero imagery should commit to a mood; padding with more stock doesn't rescue an indecisive one.
+- **Alt text is part of the voice.** "Coastal fettuccine, hand-cut, served on the terrace" beats "pasta dish".
+
+"Imagery" here is broader than stock photography: product screenshots, custom data visualizations, generated SVG, and canvas/WebGL scenes are all imagery. Text-only pages where typography alone carries the entire visual weight are the failure mode.
+
+## Motion
+
+- One well-orchestrated page-load with staggered reveals beats scattered micro-interactions, when the brand invites it. Tech-minimal brands often skip entrance motion entirely; the restraint is the voice.
+- For collapsing/expanding sections, transition `grid-template-rows` rather than `height`.
+
+## Brand bans (on top of the shared absolute bans)
+
+- Monospace as lazy shorthand for "technical / developer." If the brand isn't technical, mono reads as costume.
+- Large rounded-corner icons above every heading. Screams template.
+- Single-family pages that picked the family by reflex, not voice. (A single family chosen deliberately is fine.)
+- All-caps body copy. Reserve caps for short labels and headings.
+- Timid palettes and average layouts. Safe = invisible.
+- Zero imagery on a brief that implies imagery (restaurant, hotel, food, travel, fashion, photography, hobbyist). Colored blocks where a hero photo belongs.
+- Defaulting to editorial-magazine aesthetics (display serif + italic + drop caps + broadsheet grid) on briefs that aren't magazine-shaped. Editorial is ONE aesthetic lane, not the default brand aesthetic.
+- Repeated tiny uppercase tracked labels above every section heading. A single strong kicker can be voice; repeating it as section grammar is AI scaffolding unless it's a deliberate, named brand system.
+
+## Brand permissions
+
+Brand can afford things product can't. Take them.
+
+- Ambitious first-load motion. Reveals, scroll-triggered transitions, typographic choreography.
+- Single-purpose viewports. One dominant idea per fold, long scroll, deliberate pacing.
+- Typographic risk. Enormous display type, unexpected italic cuts, mixed cases, hand-drawn headlines, a single oversize word as a hero.
+- Unexpected color strategies. Palette IS voice; a calm brand and a restless brand should not share palette mechanics.
+- Art direction per section. Different sections can have different visual worlds if the narrative demands it. Consistency of voice beats consistency of treatment.

.agents/skills/impeccable/reference/clarify.md

@@ -0,0 +1,174 @@
+> **Additional context needed**: audience technical level and users' mental state in context.
+
+Find the unclear, confusing, or poorly written interface text and rewrite it. Vague copy creates support tickets and abandonment; specific copy gets users through the task.
+
+
+---
+
+## Assess Current Copy
+
+Identify what makes the text unclear or ineffective:
+
+1. **Find clarity problems**:
+   - **Jargon**: Technical terms users won't understand
+   - **Ambiguity**: Multiple interpretations possible
+   - **Passive voice**: "Your file has been uploaded" vs "We uploaded your file"
+   - **Length**: Too wordy or too terse
+   - **Assumptions**: Assuming user knowledge they don't have
+   - **Missing context**: Users don't know what to do or why
+   - **Tone mismatch**: Too formal, too casual, or inappropriate for situation
+
+2. **Understand the context**:
+   - Who's the audience? (Technical? General? First-time users?)
+   - What's the user's mental state? (Stressed during error? Confident during success?)
+   - What's the action? (What do we want users to do?)
+   - What's the constraint? (Character limits? Space limitations?)
+
+**CRITICAL**: Clear copy helps users succeed. Unclear copy creates frustration, errors, and support tickets.
+
+## Plan Copy Improvements
+
+Create a strategy for clearer communication:
+
+- **Primary message**: What's the ONE thing users need to know?
+- **Action needed**: What should users do next (if anything)?
+- **Tone**: How should this feel? (Helpful? Apologetic? Encouraging?)
+- **Constraints**: Length limits, brand voice, localization considerations
+
+**IMPORTANT**: Good UX writing is invisible. Users should understand immediately without noticing the words.
+
+## Improve Copy Systematically
+
+Refine text across these common areas:
+
+### Error Messages
+**Bad**: "Error 403: Forbidden"
+**Good**: "You don't have permission to view this page. Contact your admin for access."
+
+**Bad**: "Invalid input"
+**Good**: "Email addresses need an @ symbol. Try: name@example.com"
+
+**Principles**:
+- Explain what went wrong in plain language
+- Suggest how to fix it
+- Don't blame the user
+- Include examples when helpful
+- Link to help/support if applicable
+
+### Form Labels & Instructions
+**Bad**: "DOB (MM/DD/YYYY)"
+**Good**: "Date of birth" (with placeholder showing format)
+
+**Bad**: "Enter value here"
+**Good**: "Your email address" or "Company name"
+
+**Principles**:
+- Use clear, specific labels (not generic placeholders)
+- Show format expectations with examples
+- Explain why you're asking (when not obvious)
+- Put instructions before the field, not after
+- Keep required field indicators clear
+
+### Button & CTA Text
+**Bad**: "Click here" | "Submit" | "OK"
+**Good**: "Create account" | "Save changes" | "Got it, thanks"
+
+**Principles**:
+- Describe the action specifically
+- Use active voice (verb + noun)
+- Match user's mental model
+- Be specific ("Save" is better than "OK")
+
+### Help Text & Tooltips
+**Bad**: "This is the username field"
+**Good**: "Choose a username. You can change this later in Settings."
+
+**Principles**:
+- Add value (don't just repeat the label)
+- Answer the implicit question ("What is this?" or "Why do you need this?")
+- Keep it brief but complete
+- Link to detailed docs if needed
+
+### Empty States
+**Bad**: "No items"
+**Good**: "No projects yet. Create your first project to get started."
+
+**Principles**:
+- Explain why it's empty (if not obvious)
+- Show next action clearly
+- Make it welcoming, not dead-end
+
+### Success Messages
+**Bad**: "Success"
+**Good**: "Settings saved! Your changes will take effect immediately."
+
+**Principles**:
+- Confirm what happened
+- Explain what happens next (if relevant)
+- Be brief but complete
+- Match the user's emotional moment (celebrate big wins)
+
+### Loading States
+**Bad**: "Loading..." (for 30+ seconds)
+**Good**: "Analyzing your data... this usually takes 30-60 seconds"
+
+**Principles**:
+- Set expectations (how long?)
+- Explain what's happening (when it's not obvious)
+- Show progress when possible
+- Offer escape hatch if appropriate ("Cancel")
+
+### Confirmation Dialogs
+**Bad**: "Are you sure?"
+**Good**: "Delete 'Project Alpha'? This can't be undone."
+
+**Principles**:
+- State the specific action
+- Explain consequences (especially for destructive actions)
+- Use clear button labels ("Delete project" not "Yes")
+- Don't overuse confirmations (only for risky actions)
+
+### Navigation & Wayfinding
+**Bad**: Generic labels like "Items" | "Things" | "Stuff"
+**Good**: Specific labels like "Your projects" | "Team members" | "Settings"
+
+**Principles**:
+- Be specific and descriptive
+- Use language users understand (not internal jargon)
+- Make hierarchy clear
+- Consider information scent (breadcrumbs, current location)
+
+## Apply Clarity Principles
+
+Every piece of copy should follow these rules:
+
+1. **Be specific**: "Enter email" not "Enter value"
+2. **Be concise**: Cut unnecessary words (but don't sacrifice clarity)
+3. **Be active**: "Save changes" not "Changes will be saved"
+4. **Be human**: "Oops, something went wrong" not "System error encountered"
+5. **Tell users what to do**, not just what happened
+6. **Be consistent**: Use same terms throughout (don't vary for variety)
+
+**NEVER**:
+- Use jargon without explanation
+- Blame users ("You made an error" → "This field is required")
+- Be vague ("Something went wrong" without explanation)
+- Use passive voice unnecessarily
+- Write overly long explanations (be concise)
+- Use humor for errors (be empathetic instead)
+- Assume technical knowledge
+- Vary terminology (pick one term and stick with it)
+- Repeat information (headers restating intros, redundant explanations)
+- Use placeholders as the only labels (they disappear when users type)
+
+## Verify Improvements
+
+Test that copy improvements work:
+
+- **Comprehension**: Can users understand without context?
+- **Actionability**: Do users know what to do next?
+- **Brevity**: Is it as short as possible while remaining clear?
+- **Consistency**: Does it match terminology elsewhere?
+- **Tone**: Is it appropriate for the situation?
+
+When the copy reads cleanly, hand off to `{{command_prefix}}impeccable polish` for the final pass.

.agents/skills/impeccable/reference/codex.md

@@ -0,0 +1,105 @@
+# Codex: Visual Direction & Asset Production
+
+This file is loaded by `{{command_prefix}}impeccable craft` when the harness has native image generation (currently Codex via `image_gen`). Other harnesses skip it. It covers the two craft steps that depend on real image generation: landing the visual direction, and producing the raster assets the implementation will compose.
+
+Read this *before* generating any images. The order matters, and the per-step user pauses are what keep generated imagery from drifting away from the brief.
+
+### Four stop points before code
+
+Steps A through D each end with the user. Do not advance past any of them on your own read of the situation.
+
+1. **STOP after Step A questions.** Wait for answers.
+2. **STOP after Step B palette generation.** Wait for "confirm palette."
+3. **STOP after Step C mocks.** Wait for direction approval or delegation.
+4. **Only after Step D approves a direction** do you return to craft.md Step 4 and write code.
+
+Prior shape approval does **not** satisfy any of these. Shape's "confirm or override" advances you into Step A; it is not a substitute for it.
+
+## Step A: Explore Directions with the User
+
+Before generating anything, run a brief direction conversation grounded in the shape brief.
+
+**Step A is required even when shape just produced a confirmed brief.** The shape questions and Step A questions cover different ground: shape pins purpose, content, scope; Step A pins palette, atmosphere, and named visual references for the comps you're about to generate. The only time you can skip Step A is when the user has already answered these exact palette/atmosphere/reference questions in the same session.
+
+Ask **2-3 targeted questions** about visual lane, color strategy, atmosphere, and named anchor references. Don't enumerate generic menus; tie each question to the shape brief's answers. Example shape-grounded questions:
+
+- "Brief says 'editorial restraint, Klim-adjacent.' Are we closer to a quiet specimen page or a magazine-spread feel with hero imagery?"
+- "Palette strategy from shape was 'Committed.' Want it warm-grounded (deep oxblood + cream) or cool-grounded (slate + paper white)?"
+
+**STOP and wait for answers.** These pin the palette before any pixel gets generated. Do not proceed to Step B until the user has responded.
+
+## Step B: Generate the Brand Palette First
+
+Generate **one** palette artifact before any mocks. This is a small, focused image: typography pairing on the chosen background, primary + accent color swatches, one signature ornament or motif. Single image, single pass.
+
+Why palette first: mocks generated against a vague color sense produce noise that drowns out the structural decisions. A confirmed palette is the first concrete contract for everything downstream.
+
+Show the palette to the user. Ask one question: "This is the palette I'm locking in for the mocks. Confirm, or call out what to shift?"
+
+**STOP and wait for confirmation.** Do not generate mocks against an unconfirmed palette. "Probably good enough" is the wrong call here; the palette is the contract for everything downstream.
+
+## Step C: Generate 1-3 Visual Mocks Against the Palette
+
+Once the palette is confirmed, generate **1 to 3** high-fidelity north-star comps. Each mock must use the confirmed palette and typography. Mocks differ in *structural* direction (hierarchy, topology, density, composition), not in color or motif.
+
+- Brand work: push visual identity, composition, mood, and signature motifs.
+- Product work: push hierarchy, topology, density, tone, grounded in realistic product structure.
+- Landing pages and long-form brand surfaces: show enough of the second fold to establish the system beyond the hero.
+
+Use the `image_gen` tool directly (or via the imagegen skill when available). Don't ask the user to install anything.
+
+## Step D: Approval Loop
+
+Show the comps. Ask what carries forward. Iterate until **one direction is approved** or the user explicitly delegates.
+
+**STOP and wait for the approval or the delegation.** Do not begin Step E or return to craft.md Step 4 until a single direction is named. If the user delegates, pick the strongest direction and explain it from the brief, not personal taste.
+
+Before moving to assets, summarize what to carry into code and what *not* to literalize from the mock. This is the handoff between visual exploration and semantic implementation.
+
+## Step E: Mock Fidelity Inventory
+
+Inventory the approved mock's major visible ingredients. For each, decide implementation: semantic HTML/CSS/SVG, generated raster, sourced raster, icon library, canvas/WebGL, or accepted omission.
+
+Common ingredients to inventory:
+
+- Hero silhouette and dominant composition
+- Signature motifs (planets, devices, portraits, charts, route lines, insets, badges, etc.)
+- Nav and primary CTA treatment
+- Section sequence, especially the second fold
+- Image-native content the concept depends on
+- Typography, density, color/material treatment, motion cues
+
+Treat the mock as a north star, not a screenshot to trace. Don't rasterize core UI text. But if the live result lacks the mock's major ingredients, the implementation is wrong.
+
+If a photographic, architectural, product, or place-led mock becomes generic CSS scenery, decorative diagrams, bullets, or copy, stop and fix it. That's a broken implementation, not a harmless interpretation.
+
+Don't substitute a different hero composition or visual driver post-approval without user sign-off.
+
+## Step F: Asset Slicing via the Asset Producer
+
+Raster ingredients identified in Step E need clean production assets. Use the bundled `impeccable_asset_producer` subagent rather than producing inline.
+
+Spawn it as a scoped subagent. If you do not have explicit permission to use agents, stop and ask:
+
+```text
+Asset production will work better as a scoped subagent job. Should I spawn the Impeccable asset producer subagent for this step?
+```
+
+Pass to the agent:
+
+- Approved mock path or screenshot reference
+- Crop paths or a contact sheet with crop ids
+- Output directory
+- Required dimensions, format, transparency needs
+- Avoid list
+- Notes on what should remain semantic HTML/CSS/SVG instead of raster
+
+Attach image generation capability to the spawned agent when the harness supports it. Do **not** load image-generation reference material into the parent thread.
+
+Inline asset production is allowed only if the user declines subagents, the harness cannot spawn the authorized agent, or the user explicitly asks for single-thread mode.
+
+Prefer HTML/CSS/SVG/canvas when they can credibly reproduce an ingredient; reach for real, generated, or stock imagery when the mock or subject matter calls for actual visual content.
+
+## After This File
+
+Once Steps A through F are complete, return to `craft.md` Step 5 (Build to Production Quality). The implementation builds against the confirmed palette, approved mock, and the assets the producer wrote.

.agents/skills/impeccable/reference/cognitive-load.md

@@ -0,0 +1,106 @@
+# Cognitive Load Assessment
+
+Cognitive load is the total mental effort required to use an interface. Overloaded users make mistakes, get frustrated, and leave. This reference helps identify and fix cognitive overload.
+
+---
+
+## Three Types of Cognitive Load
+
+### Intrinsic Load: The Task Itself
+Complexity inherent to what the user is trying to do. You can't eliminate this, but you can structure it.
+
+**Manage it by**:
+- Breaking complex tasks into discrete steps
+- Providing scaffolding (templates, defaults, examples)
+- Progressive disclosure: show what's needed now, hide the rest
+- Grouping related decisions together
+
+### Extraneous Load: Bad Design
+Mental effort caused by poor design choices. **Eliminate this ruthlessly.** It's pure waste.
+
+**Common sources**:
+- Confusing navigation that requires mental mapping
+- Unclear labels that force users to guess meaning
+- Visual clutter competing for attention
+- Inconsistent patterns that prevent learning
+- Unnecessary steps between user intent and result
+
+### Germane Load: Learning Effort
+Mental effort spent building understanding. This is *good* cognitive load; it leads to mastery.
+
+**Support it by**:
+- Progressive disclosure that reveals complexity gradually
+- Consistent patterns that reward learning
+- Feedback that confirms correct understanding
+- Onboarding that teaches through action, not walls of text
+
+---
+
+## Cognitive Load Checklist
+
+Evaluate the interface against these 8 items:
+
+- [ ] **Single focus**: Can the user complete their primary task without distraction from competing elements?
+- [ ] **Chunking**: Is information presented in digestible groups (≤4 items per group)?
+- [ ] **Grouping**: Are related items visually grouped together (proximity, borders, shared background)?
+- [ ] **Visual hierarchy**: Is it immediately clear what's most important on the screen?
+- [ ] **One thing at a time**: Can the user focus on a single decision before moving to the next?
+- [ ] **Minimal choices**: Are decisions simplified (≤4 visible options at any decision point)?
+- [ ] **Working memory**: Does the user need to remember information from a previous screen to act on the current one?
+- [ ] **Progressive disclosure**: Is complexity revealed only when the user needs it?
+
+**Scoring**: Count the failed items. 0–1 failures = low cognitive load (good). 2–3 = moderate (address soon). 4+ = high cognitive load (critical fix needed).
+
+---
+
+## The Working Memory Rule
+
+**Humans can hold ≤4 items in working memory at once** (Miller's Law revised by Cowan, 2001).
+
+At any decision point, count the number of distinct options, actions, or pieces of information a user must simultaneously consider:
+- **≤4 items**: Within working memory limits, manageable
+- **5–7 items**: Pushing the boundary; consider grouping or progressive disclosure
+- **8+ items**: Overloaded; users will skip, misclick, or abandon
+
+**Practical applications**:
+- Navigation menus: ≤5 top-level items (group the rest under clear categories)
+- Form sections: ≤4 fields visible per group before a visual break
+- Action buttons: 1 primary, 1–2 secondary, group the rest in a menu
+- Dashboard widgets: ≤4 key metrics visible without scrolling
+- Pricing tiers: ≤3 options (more causes analysis paralysis)
+
+---
+
+## Common Cognitive Load Violations
+
+### 1. The Wall of Options
+**Problem**: Presenting 10+ choices at once with no hierarchy.
+**Fix**: Group into categories, highlight recommended, use progressive disclosure.
+
+### 2. The Memory Bridge
+**Problem**: User must remember info from step 1 to complete step 3.
+**Fix**: Keep relevant context visible, or repeat it where it's needed.
+
+### 3. The Hidden Navigation
+**Problem**: User must build a mental map of where things are.
+**Fix**: Always show current location (breadcrumbs, active states, progress indicators).
+
+### 4. The Jargon Barrier
+**Problem**: Technical or domain language forces translation effort.
+**Fix**: Use plain language. If domain terms are unavoidable, define them inline.
+
+### 5. The Visual Noise Floor
+**Problem**: Every element has the same visual weight; nothing stands out.
+**Fix**: Establish clear hierarchy: one primary element, 2–3 secondary, everything else muted.
+
+### 6. The Inconsistent Pattern
+**Problem**: Similar actions work differently in different places.
+**Fix**: Standardize interaction patterns. Same type of action = same type of UI.
+
+### 7. The Multi-Task Demand
+**Problem**: Interface requires processing multiple simultaneous inputs (reading + deciding + navigating).
+**Fix**: Sequence the steps. Let the user do one thing at a time.
+
+### 8. The Context Switch
+**Problem**: User must jump between screens/tabs/modals to gather info for a single decision.
+**Fix**: Co-locate the information needed for each decision. Reduce back-and-forth.

.agents/skills/impeccable/reference/color-and-contrast.md

@@ -0,0 +1,105 @@
+# Color & Contrast
+
+## Color Spaces: Use OKLCH
+
+**Stop using HSL.** Use OKLCH (or LCH) instead. It's perceptually uniform, meaning equal steps in lightness *look* equal, unlike HSL where 50% lightness in yellow looks bright while 50% in blue looks dark.
+
+The OKLCH function takes three components: `oklch(lightness chroma hue)` where lightness is 0-100%, chroma is roughly 0-0.4, and hue is 0-360. To build a primary color and its lighter / darker variants, hold the chroma+hue roughly constant and vary the lightness, but **reduce chroma as you approach white or black**, because high chroma at extreme lightness looks garish.
+
+The hue you pick is a brand decision and should not come from a default. Do not reach for blue (hue 250) or warm orange (hue 60) by reflex; those are the dominant AI-design defaults, not the right answer for any specific brand.
+
+## Building Functional Palettes
+
+### Tinted Neutrals
+
+**Pure gray is dead.** A neutral with zero chroma feels lifeless next to a colored brand. Add a tiny chroma value (0.005-0.015) to all your neutrals, hued toward whatever your brand color is. The chroma is small enough not to read as "tinted" consciously, but it creates subconscious cohesion between brand color and UI surfaces.
+
+The hue you tint toward should come from THIS project's brand, not from a "warm = friendly, cool = tech" formula. If your brand color is teal, your neutrals lean toward teal. If your brand color is amber, they lean toward amber. The point is cohesion with the SPECIFIC brand, not a stock palette.
+
+**Avoid** the trap of always tinting toward warm orange or always tinting toward cool blue. Those are the two laziest defaults and they create their own monoculture across projects.
+
+### Palette Structure
+
+A complete system needs:
+
+| Role | Purpose | Example |
+|------|---------|---------|
+| **Primary** | Brand, CTAs, key actions | 1 color, 3-5 shades |
+| **Neutral** | Text, backgrounds, borders | 9-11 shade scale |
+| **Semantic** | Success, error, warning, info | 4 colors, 2-3 shades each |
+| **Surface** | Cards, modals, overlays | 2-3 elevation levels |
+
+**Skip secondary/tertiary unless you need them.** Most apps work fine with one accent color. Adding more creates decision fatigue and visual noise.
+
+### The 60-30-10 Rule (Applied Correctly)
+
+This rule is about **visual weight**, not pixel count:
+
+- **60%**: Neutral backgrounds, white space, base surfaces
+- **30%**: Secondary colors: text, borders, inactive states
+- **10%**: Accent: CTAs, highlights, focus states
+
+The common mistake: using the accent color everywhere because it's "the brand color." Accent colors work *because* they're rare. Overuse kills their power.
+
+## Contrast & Accessibility
+
+### WCAG Requirements
+
+| Content Type | AA Minimum | AAA Target |
+|--------------|------------|------------|
+| Body text | 4.5:1 | 7:1 |
+| Large text (18px+ or 14px bold) | 3:1 | 4.5:1 |
+| UI components, icons | 3:1 | 4.5:1 |
+| Non-essential decorations | None | None |
+
+**The gotcha**: Placeholder text still needs 4.5:1. That light gray placeholder you see everywhere? Usually fails WCAG.
+
+### Dangerous Color Combinations
+
+These commonly fail contrast or cause readability issues:
+
+- Light gray text on white (the #1 accessibility fail)
+- **Gray text on any colored background**: gray looks washed out and dead on color. Use a darker shade of the background color, or transparency
+- Red text on green background (or vice versa): 8% of men can't distinguish these
+- Blue text on red background (vibrates visually)
+- Yellow text on white (almost always fails)
+- Thin light text on images (unpredictable contrast)
+
+### Never Use Pure Gray or Pure Black
+
+Pure gray (`oklch(50% 0 0)`) and pure black (`#000`) don't exist in nature; real shadows and surfaces always have a color cast. Even a chroma of 0.005-0.01 is enough to feel natural without being obviously tinted. (See tinted neutrals example above.)
+
+### Testing
+
+Don't trust your eyes. Use tools:
+
+- [WebAIM Contrast Checker](https://webaim.org/resources/contrastchecker/)
+- Browser DevTools → Rendering → Emulate vision deficiencies
+- [Polypane](https://polypane.app/) for real-time testing
+
+## Theming: Light & Dark Mode
+
+### Dark Mode Is Not Inverted Light Mode
+
+You can't just swap colors. Dark mode requires different design decisions:
+
+| Light Mode | Dark Mode |
+|------------|-----------|
+| Shadows for depth | Lighter surfaces for depth (no shadows) |
+| Dark text on light | Light text on dark (reduce font weight) |
+| Vibrant accents | Desaturate accents slightly |
+| White backgrounds | Never pure black; use dark gray (oklch 12-18%) |
+
+In dark mode, depth comes from surface lightness, not shadow. Build a 3-step surface scale where higher elevations are lighter (e.g. 15% / 20% / 25% lightness). Use the SAME hue and chroma as your brand color (whatever it is for THIS project; do not reach for blue) and only vary the lightness. Reduce body text weight slightly (e.g. 350 instead of 400) because light text on dark reads as heavier than dark text on light.
+
+### Token Hierarchy
+
+Use two layers: primitive tokens (`--blue-500`) and semantic tokens (`--color-primary: var(--blue-500)`). For dark mode, only redefine the semantic layer; primitives stay the same.
+
+## Alpha Is A Design Smell
+
+Heavy use of transparency (rgba, hsla) usually means an incomplete palette. Alpha creates unpredictable contrast, performance overhead, and inconsistency. Define explicit overlay colors for each context instead. Exception: focus rings and interactive states where see-through is needed.
+
+---
+
+**Avoid**: Relying on color alone to convey information. Creating palettes without clear roles for each color. Using pure black (#000) for large areas. Skipping color blindness testing (8% of men affected).

.agents/skills/impeccable/reference/colorize.md

@@ -0,0 +1,154 @@
+> **Additional context needed**: existing brand colors.
+
+Replace timid grayscale or single-accent designs with a strategic palette: pick a color strategy, choose a hue family that fits the brand, then apply color with intent. More color ≠ better. Strategic color beats rainbow vomit.
+
+---
+
+## Register
+
+Brand: palette IS voice. Pick a color strategy first per SKILL.md (Restrained / Committed / Full palette / Drenched) and follow its dosage. Committed, Full palette, and Drenched deliberately exceed the ≤10% rule; that rule is Restrained only. Unexpected combinations are allowed; a dominant color can own the page when the chosen strategy calls for it.
+
+Product: semantic-first and almost always Restrained. Accent color is reserved for primary action, current selection, and state indicators. Not decoration. Every color has a consistent meaning across every screen.
+
+---
+
+## Assess Color Opportunity
+
+Analyze the current state and identify opportunities:
+
+1. **Understand current state**:
+   - **Color absence**: Pure grayscale? Limited neutrals? One timid accent?
+   - **Missed opportunities**: Where could color add meaning, hierarchy, or delight?
+   - **Context**: What's appropriate for this domain and audience?
+   - **Brand**: Are there existing brand colors we should use?
+
+2. **Identify where color adds value**:
+   - **Semantic meaning**: Success (green), error (red), warning (yellow/orange), info (blue)
+   - **Hierarchy**: Drawing attention to important elements
+   - **Categorization**: Different sections, types, or states
+   - **Emotional tone**: Warmth, energy, trust, creativity
+   - **Wayfinding**: Helping users navigate and understand structure
+   - **Delight**: Moments of visual interest and personality
+
+If any of these are unclear from the codebase, {{ask_instruction}}
+
+**CRITICAL**: More color ≠ better. Strategic color beats rainbow vomit every time. Every color should have a purpose.
+
+## Plan Color Strategy
+
+Create a purposeful color introduction plan:
+
+- **Color palette**: What colors match the brand/context? (Choose 2-4 colors max beyond neutrals)
+- **Dominant color**: Which color owns 60% of colored elements?
+- **Accent colors**: Which colors provide contrast and highlights? (30% and 10%)
+- **Application strategy**: Where does each color appear and why?
+
+**IMPORTANT**: Color should enhance hierarchy and meaning, not create chaos. Less is more when it matters more.
+
+## Introduce Color Strategically
+
+Add color systematically across these dimensions:
+
+### Semantic Color
+- **State indicators**:
+  - Success: Green tones (emerald, forest, mint)
+  - Error: Red/pink tones (rose, crimson, coral)
+  - Warning: Orange/amber tones
+  - Info: Blue tones (sky, ocean, indigo)
+  - Neutral: Gray/slate for inactive states
+
+- **Status badges**: Colored backgrounds or borders for states (active, pending, completed, etc.)
+- **Progress indicators**: Colored bars, rings, or charts showing completion or health
+
+### Accent Color Application
+- **Primary actions**: Color the most important buttons/CTAs
+- **Links**: Add color to clickable text (maintain accessibility)
+- **Icons**: Colorize key icons for recognition and personality
+- **Headers/titles**: Add color to section headers or key labels
+- **Hover states**: Introduce color on interaction
+
+### Background & Surfaces
+- **Tinted backgrounds**: Replace pure gray (`#f5f5f5`) with warm neutrals (`oklch(97% 0.01 60)`) or cool tints (`oklch(97% 0.01 250)`)
+- **Colored sections**: Use subtle background colors to separate areas
+- **Gradient backgrounds**: Add depth with subtle, intentional gradients (not generic purple-blue)
+- **Cards & surfaces**: Tint cards or surfaces slightly for warmth
+
+**Use OKLCH for color**: It's perceptually uniform, meaning equal steps in lightness *look* equal. Great for generating harmonious scales.
+
+### Data Visualization
+- **Charts & graphs**: Use color to encode categories or values
+- **Heatmaps**: Color intensity shows density or importance
+- **Comparison**: Color coding for different datasets or timeframes
+
+### Borders & Accents
+- **Hairline borders**: 1px colored borders on full perimeter (not side-stripes; see the absolute ban on `border-left/right > 1px`)
+- **Underlines**: Color underlines for emphasis or active states
+- **Dividers**: Subtle colored dividers instead of gray lines
+- **Focus rings**: Colored focus indicators matching brand
+- **Surface tints**: A 4-8% background wash of the accent color instead of a stripe
+
+**NEVER**: `border-left` or `border-right` greater than 1px as a colored accent stripe. This is one of the three absolute bans in the parent skill. If you want to mark a card as "active" or "warning", use a full hairline border, a background tint, a leading glyph, or a numbered prefix. Not a side stripe.
+
+### Typography Color
+- **Colored headings**: Use brand colors for section headings (maintain contrast)
+- **Highlight text**: Color for emphasis or categories
+- **Labels & tags**: Small colored labels for metadata or categories
+
+### Decorative Elements
+- **Illustrations**: Add colored illustrations or icons
+- **Shapes**: Geometric shapes in brand colors as background elements
+- **Gradients**: Colorful gradient overlays or mesh backgrounds
+- **Blobs/organic shapes**: Soft colored shapes for visual interest
+
+## Balance & Refinement
+
+Ensure color addition improves rather than overwhelms:
+
+### Maintain Hierarchy
+- **Dominant color** (60%): Primary brand color or most used accent
+- **Secondary color** (30%): Supporting color for variety
+- **Accent color** (10%): High contrast for key moments
+- **Neutrals** (remaining): Gray/black/white for structure
+
+### Accessibility
+- **Contrast ratios**: Ensure WCAG compliance (4.5:1 for text, 3:1 for UI components)
+- **Don't rely on color alone**: Use icons, labels, or patterns alongside color
+- **Test for color blindness**: Verify red/green combinations work for all users
+
+### Cohesion
+- **Consistent palette**: Use colors from defined palette, not arbitrary choices
+- **Systematic application**: Same color meanings throughout (green always = success)
+- **Temperature consistency**: Warm palette stays warm, cool stays cool
+
+**NEVER**:
+- Use every color in the rainbow (choose 2-4 colors beyond neutrals)
+- Apply color randomly without semantic meaning
+- Put gray text on colored backgrounds. It looks washed out; use a darker shade of the background color or transparency instead
+- Use pure gray for neutrals. Add subtle color tint (warm or cool) for depth
+- Use pure black (`#000`) or pure white (`#fff`) for large areas
+- Violate WCAG contrast requirements
+- Use color as the only indicator (accessibility issue)
+- Make everything colorful (defeats the purpose)
+- Default to purple-blue gradients (AI slop aesthetic)
+
+## Verify Color Addition
+
+Test that colorization improves the experience:
+
+- **Better hierarchy**: Does color guide attention appropriately?
+- **Clearer meaning**: Does color help users understand states/categories?
+- **More engaging**: Does the interface feel warmer and more inviting?
+- **Still accessible**: Do all color combinations meet WCAG standards?
+- **Not overwhelming**: Is color balanced and purposeful?
+
+When the palette earns its place, hand off to `{{command_prefix}}impeccable polish` for the final pass.
+
+## Live-mode signature params
+
+When invoked from live mode, each variant MUST declare a `color-amount` param so the user can dial between a restrained accent and a drenched surface without regeneration. Author the variant's CSS against `var(--p-color-amount, 0.5)`, typically as the alpha multiplier on backgrounds, or as a scaling factor on the chroma axis in an OKLCH expression. 0 = neutral/monochrome, 1 = full saturation / dominant coverage.
+
+```json
+{"id":"color-amount","kind":"range","min":0,"max":1,"step":0.05,"default":0.5,"label":"Color amount"}
+```
+
+Layer 1-2 variant-specific params on top: palette selection (`steps` with named options), temperature warmth, or tint vs. true color. See `reference/live.md` for the full params contract.

.agents/skills/impeccable/reference/craft.md

@@ -0,0 +1,123 @@
+# Craft Flow
+
+Build a feature with impeccable UX and UI quality: shape the design, land the visual direction, build real production code, inspect and improve in-browser until it meets a high-end studio bar.
+
+Before writing code, you need: PRODUCT.md loaded, register identified and the matching reference loaded, and a confirmed design direction for this task (either from `shape` or supplied by the user). PRODUCT.md is project context, not a task-specific brief.
+
+Treat any approved visual direction (generated mock or stated reference) as a concrete contract for composition, hierarchy, density, atmosphere, signature motifs, and distinctive visual moves. Don't let mocks replace structure, copy, accessibility, or state design. But if the live result lacks the approved direction's major ingredients, the implementation is wrong.
+
+### Gates: do not compress
+
+Craft has **multiple user gates**, not one. When the harness has native image generation (Codex via `image_gen`), the gate sequence before code is:
+
+1. **Shape brief confirmed** (Step 1)
+2. **Direction questions answered** (codex.md Step A)
+3. **Palette confirmed** (codex.md Step B)
+4. **One mock direction approved or delegated** (codex.md Step D)
+
+You must stop at every gate. **Shape confirmation alone is NOT a green light to start coding.** It is the green light to begin codex.md Step A. Compressing gates 2 through 4 because the shape brief felt complete is the dominant failure mode of this flow.
+
+When the harness lacks native image generation, gates 2-4 collapse into the brief itself, and shape confirmation does advance straight to code.
+
+## Step 0: Project Foundation
+
+Before shape, before code: figure out what kind of project you're working in.
+
+Look at the working directory. Run `ls`. Check for:
+
+- An existing framework: `astro.config.mjs/ts`, `next.config.js/ts`, `nuxt.config.ts`, `svelte.config.js`, `vite.config.js/ts`, `package.json` with framework deps, `Cargo.toml` + Leptos/Yew, `Gemfile` + Rails. **If found, use it.** Do not start a parallel build, do not introduce a second framework, do not write to `dist/` or `build/` directly. Whatever pipeline the project has, respect it.
+- An existing component library or design system: `src/components/`, `app/components/`, a `tokens.css` / `theme.ts`, an `astro.config` `integrations`. Read what's there before adding to it.
+- An existing icon set: `lucide-react`, `@phosphor-icons/react`, `@iconify/*`, hand-rolled SVG sprites in `assets/icons/`. **Use what's already in the project**; don't introduce a second set.
+
+If the directory is empty (greenfield), don't pick a framework silently. Ask the user via the AskUserQuestion tool, with sensible defaults framed by the brief:
+
+```text
+What should this be built on?
+  - Astro (default for content-led brand sites, landing pages, marketing surfaces)
+  - SvelteKit / Next.js / Nuxt (when the brief implies an app surface or significant interactivity)
+  - Single index.html (one-shot demo, prototype, or a deliberately framework-free experiment)
+```
+
+Default: Astro for brand briefs, the project's existing framework for product briefs. Ask once; don't re-ask mid-task.
+
+## Step 1: Shape the Design
+
+Run {{command_prefix}}impeccable shape, passing along whatever feature description the user provided. Shape is **required** for craft; it is what produces a confirmed direction.
+
+Present the shape output and stop. Wait for the user to confirm, override, or course-correct before writing code.
+
+If the user already supplied a confirmed brief or ran shape separately, use it and skip this step.
+
+When the original prompt + PRODUCT.md already answer scope, content, and visual direction with no real ambiguity, the shape output can be **compact** (3-5 bullets stating what you're building and the visual lane, ending with one or two specific questions or "confirm or override"). The full 10-section structured brief is reserved for genuinely ambiguous, multi-screen, or stakeholder-heavy tasks. Don't pad a clear brief into a long one to look thorough; equally, don't skip the pause to look efficient.
+
+If the harness has native image generation (Codex), a compact shape's "confirm or override" advances to **Step 3 and the codex.md flow**, not to Step 4. Phrase the closing line accordingly: "Confirm or override; once we lock direction, I'll run a couple of palette and reference questions before generating any mocks." This stops the model from reading shape confirmation as code-green.
+
+## Step 2: Load References
+
+Based on the design brief's "Recommended References" section, consult the relevant impeccable reference files. At minimum, always consult:
+
+- [spatial-design.md](spatial-design.md) for layout and spacing
+- [typography.md](typography.md) for type hierarchy
+
+Then add references based on the brief's needs:
+- Complex interactions or forms? Consult [interaction-design.md](interaction-design.md)
+- Animation or transitions? Consult [motion-design.md](motion-design.md)
+- Color-heavy or themed? Consult [color-and-contrast.md](color-and-contrast.md)
+- Responsive requirements? Consult [responsive-design.md](responsive-design.md)
+- Heavy on copy, labels, or errors? Consult [ux-writing.md](ux-writing.md)
+
+## Step 3: Visual Direction & Assets (Harness-Gated)
+
+If the harness has **native image generation** (currently Codex via `image_gen`), this step is mandatory. **Stop and load [codex.md](codex.md)**. It covers palette generation, mock exploration, the approval loop, mock-fidelity inventory, and asset slicing via the `impeccable_asset_producer` subagent. Follow Steps A-F in that file, then return here for Step 4.
+
+If the harness lacks native image generation, **state in one line that the visual-direction-by-generation step is being skipped because the harness lacks native image generation, then proceed**. The one-line announcement is required; it forces a conscious decision instead of letting the step quietly evaporate. The brief is your only visual reference. Implement directly from it, treating any named anchor references and the brief's "Design Direction" as the contract.
+
+Whether you generated mocks or not: don't replace required imagery with generic cards, bullets, emoji, fake metrics, decorative CSS panels, or filler copy. Image-led briefs (restaurants, hotels, magazines, photography, hobbyist communities, food, travel, fashion, product) need real or sourced imagery in the build, not CSS scenery.
+
+## Step 4: Build to Production Quality
+
+**Precondition.** If Step 3 routed you to codex.md (native image generation available), Steps A through D in that file must be complete before any code: questions answered, palette confirmed, mocks generated, one direction approved or delegated. **Do not mention implementation, file paths, or patch plans until that's done.** A confirmed shape brief is not enough; the model that compressed those gates is the model that already failed this flow.
+
+Implement the feature following the design brief. Build in passes so structure, visual system, states, motion/media, and responsive behavior each get deliberate attention. The list below is the definition of done, not inspiration.
+
+### Production bar
+
+- **Real content.** No placeholder copy, placeholder images, dead links, fake controls, or unused scaffold at presentation time.
+- **Preserve the approved mock's major ingredients.** Missing hero objects, world/product imagery, section structure, CTA/nav treatment, or distinctive motifs are blocking defects unless the user accepted the change.
+- **Semantic first.** Real headings, landmarks, labels, form associations, button/link semantics, accessible names, state announcements where needed.
+- **Deliberate spacing and alignment.** No default gaps, arbitrary margins, unbalanced whitespace, or accidental optical misalignment.
+- **Intentional typography.** Chosen loading strategy, clear hierarchy, readable measure, stable line breaks, no overflow at any width.
+- **Realistic state coverage.** Default, hover, focus-visible, active, disabled, loading, error, success, empty, overflow, long/short text, first-run.
+- **Finished interaction quality.** Keyboard paths, touch targets, feedback timing, scroll behavior, state transitions, no hover-only functionality.
+- **Coherent icon set.** Use the project's established set; otherwise pick one library or use accessible text. Don't mix.
+- **Respect the build pipeline.** Edit source files and run the project's build (`npm run build` or equivalent). Don't write to `build/` / `dist/` / `.next/` with `cat`, heredoc, or Bash redirects; that skips asset hashing, image optimization, code splitting, and CSS extraction, and produces output the dev server won't serve.
+- **Verify image URLs before referencing them.** Use image-search MCP or web-fetch when available; guessed photo IDs ship as broken-image placeholders. Without verification, prefer fewer images you're confident about.
+- **Optimized imagery and media.** Correct dimensions, useful alt text, lazy loading below the fold, modern formats when practical, responsive `srcset`/`picture` for raster, no project-referenced asset left outside the workspace.
+- **Premium motion.** Use atmospheric blur, filter, mask, shadow, reveal when they improve the experience. Avoid casual layout-property animation, bound expensive effects, verify smoothness in-browser, respect reduced motion, and avoid choreography that blocks task completion.
+- **Maintainable.** Reusable local patterns, clear component boundaries, project conventions. No rasterized UI text or one-off hacks when a local pattern exists.
+- **Technically clean.** Production build passes, no console errors, no avoidable layout shift, no needless dependencies, no broken asset paths.
+- **Ask when uncertain.** If a discovery materially changes the brief or approved direction, stop and ask. Don't guess.
+
+## Step 5: Iterate Visually
+
+Look at what you built like a designer would. Your eyes are whatever the harness gives you: a connected browser, a screenshotting tool, Playwright, or asking the user. Use them for responsive testing (mobile, tablet, desktop minimum) and general visual validation.
+
+If your tool returns a file path, read the PNG back into the conversation. A screenshot you didn't read doesn't count.
+
+For long-form brand surfaces, inspect major sections individually. Thumbnails hide spacing, clipping, and cascade defects.
+
+After the first pass, write an honest critique against the brief, the approved mock's major ingredients (hero silhouette, motifs, imagery, nav/CTA, density), and impeccable's DON'Ts. Patch material defects and re-inspect. **Don't invent defects to demonstrate iteration.** A confident "first pass clean, shipping" beats a fake fix.
+
+Actively check: responsive behavior (composes, not shrinks), every state (empty / error / loading / edge), craft details (spacing, alignment, hierarchy, contrast, motion timing, focus), performance basics. The exit bar: defensible in a high-end studio review.
+
+Detector or QA output is defect evidence only; never proof the work is finished.
+
+## Step 6: Present
+
+Present the result to the user:
+- Show the feature in its primary state
+- Summarize the browser/viewports checked and the most important fixes made after inspection
+- Walk through the key states (empty, error, responsive)
+- Explain design decisions that connect back to the design brief and, when used, the chosen north-star mock. Include any accepted deviations from the mock; do not hide unimplemented mock ingredients.
+- Note any remaining limitations or follow-up risks honestly
+- Ask: "What's working? What isn't?"

.agents/skills/impeccable/reference/critique.md

@@ -0,0 +1,273 @@
+### Purpose
+
+Resolve one stable target, run two independent assessments, synthesize a design critique, persist a snapshot, and ask the user what to improve next. The chat response is the primary deliverable; the snapshot is an archive/backlog for future commands.
+
+### Hard Invariants
+
+- Assessment A (design review) and Assessment B (detector/browser evidence) are both required.
+- Assessment A must finish before detector findings enter the parent synthesis context. Detector output is deterministic, but it still anchors judgment.
+- If sub-agents are unavailable, fall back sequentially: finish and record Assessment A first, then run Assessment B, then synthesize.
+- A skipped detector is a failed critique run unless `detect.mjs` is missing or crashes after a real attempt.
+- Viewable targets require browser inspection when available.
+- Any local server started only for critique visualization must run in the background, have a recorded stop method, and be stopped before final reporting unless the user asks to keep it.
+- Do not claim a user-visible overlay exists unless script injection succeeded and the detector ran in the page.
+
+### Setup
+
+1. **Resolve the target** to a concrete file path or URL. Prefer a source path over a dev-server URL when both identify the same surface; ports drift, paths do not.
+   - "the homepage" -> `site/pages/index.astro` or `index.html`
+   - "the settings modal" -> the primary component file
+   - "this page" -> the current URL or source file
+2. **Compute the slug**:
+   ```bash
+   node {{scripts_path}}/critique-storage.mjs slug "<resolved-path-or-url>"
+   ```
+   Keep it. If the command exits non-zero, skip persistence and trend for this run, but continue the critique.
+3. **Read `.impeccable/critique/ignore.md`** if it exists. Drop matching findings silently; it is the only prior-run input critique consumes.
+
+### Assessment Orchestration
+
+Delegate Assessment A and Assessment B to separate sub-agents when possible. They must not see each other's output. Do not show findings to the user until synthesis.
+
+<codex>
+Codex sub-agent gate:
+- If `spawn_agent` is exposed and the user explicitly allowed sub-agents, delegation, or parallel agent work, spawn A and B immediately.
+- If `spawn_agent` is exposed but the user did not explicitly allow sub-agents, ask exactly once: "Impeccable critique is designed to run two independent sub-agents for an unanchored assessment. May I use sub-agents for this critique?" Then stop until the user answers.
+- If allowed, spawn A and B. If declined, run sequentially and report `Assessment independence: degraded (sub-agents declined by user)`.
+- If `spawn_agent` is not exposed, do not ask; run sequentially and report `Assessment independence: degraded (spawn_agent unavailable in this session)`.
+- If spawning fails after permission, run sequentially and report `Assessment independence: degraded (sub-agent spawn failed: <exact error>)`.
+Prefer `fork_context: false` with self-contained prompts containing cwd, target, live URL, references, product context, and output contract. If using `fork_context: true`, omit `agent_type`, `model`, and `reasoning_effort`.
+</codex>
+
+If browser automation is available, each assessment creates its own new tab. Never reuse an existing tab, even if it is already at the right URL.
+
+### Assessment A: Design Review
+
+Read relevant source files and visually inspect the live page when browser automation is available. Think like a design director.
+
+Evaluate:
+- **AI slop**: Would someone believe "AI made this" immediately? Check all DON'T guidance from the parent Impeccable skill.
+- **Holistic design**: hierarchy, IA, emotional fit, discoverability, composition, typography, color, accessibility, states, copy, and edge cases.
+- **Cognitive load**: consult [cognitive-load](cognitive-load.md); report checklist failures and decision points with >4 visible options.
+- **Emotional journey**: peak-end rule, emotional valleys, reassurance at high-stakes moments.
+- **Nielsen heuristics**: consult [heuristics-scoring](heuristics-scoring.md); score all 10 heuristics 0-4.
+
+Return: AI slop verdict, heuristic scores, cognitive load, emotional journey, 2-3 strengths, 3-5 priority issues, persona red flags, minor observations, and provocative questions.
+
+### Assessment B: Detector + Browser Evidence
+
+Run the bundled detector and browser visualization evidence. Assessment B is mandatory and must remain isolated from Assessment A until both are complete.
+
+CLI scan:
+```bash
+node {{scripts_path}}/detect.mjs --json [--fast] [target]
+```
+
+- Pass markup files/directories as `[target]`; do not pass CSS-only files.
+- For URLs, skip CLI scan and use browser visualization.
+- For 200+ scannable files, use `--fast`; for 500+, narrow scope or ask.
+- Exit code 0 = clean; 2 = findings.
+- If the detector entrypoint is missing or fails to load, report deterministic scan unavailable and continue with browser/manual review.
+
+Browser visualization is required for a viewable target when browser automation is available. Use a localhost dev/static URL for local files; avoid `file://` unless the available browser explicitly supports this workflow. Overlay flow:
+
+1. Create a fresh tab and navigate.
+2. Preflight mutable injection by setting `document.title` and appending a `<script>` tag. Read-only evaluate APIs do not count.
+3. If mutation is unavailable, skip live server, browser presentation, and injection; report fallback signal.
+4. If mutation is available, start `node {{scripts_path}}/live-server.mjs --background`, present the browser if supported, label `[Human]`, scroll top, inject `http://localhost:PORT/detect.js`, wait 2-3 seconds, read `impeccable` console messages, then stop the live server.
+5. For multi-view targets, inject on 3-5 representative pages.
+
+<codex>
+Codex Browser note: Use the Browser skill. Do not spend a Browser attempt on `file://`. Only call `visibility.set(true)` after mutable script injection is confirmed for the `[Human]` overlay path; verify with `get()`. Use `tab.dev.logs({ filter: "impeccable" })` for console results. Its Playwright `evaluate(...)` surface is read-only; do not rely on it for mutation.
+</codex>
+
+Return: CLI findings JSON/counts, browser console findings if applicable, false positives, and skipped/failed browser steps with concrete reasons.
+
+After Assessment B returns usable CLI findings, reuse them. Do not rerun `detect.mjs` in the parent unless Assessment B failed, was truncated, or omitted count, rule names, or file locations.
+
+<codex>
+Codex failure accounting: final Run Notes must include target slug, ignore list, assessment independence, CLI detector, browser visibility, overlay injection, live-server cleanup, temp-file cleanup, and any fallback signal used. Do not run repo status checks, late API spelunking, or unrelated verification after the report is assembled.
+</codex>
+
+### Generate Combined Critique Report
+
+Synthesize both assessments into a single report. Do NOT simply concatenate. Weave the findings together, noting where the LLM review and detector agree, where the detector caught issues the LLM missed, and where detector findings are false positives.
+
+The chat response is the primary user-facing deliverable. Present the full structured critique below in chat; do not replace it with a summary and a link. The persisted snapshot is only an archive/backlog for later commands.
+
+<codex>
+Codex final-answer note: `$impeccable critique` produces a report artifact, so the final chat response should intentionally exceed the usual concise close-out style. Do not title the final response "Critique Summary" unless the user explicitly asked for a summary.
+</codex>
+
+Structure your feedback as a design director would:
+
+#### Design Health Score
+> *Consult [heuristics-scoring](heuristics-scoring.md)*
+
+Present the Nielsen's 10 heuristics scores as a table:
+
+| # | Heuristic | Score | Key Issue |
+|---|-----------|-------|-----------|
+| 1 | Visibility of System Status | ? | [specific finding or "n/a" if solid] |
+| 2 | Match System / Real World | ? | |
+| 3 | User Control and Freedom | ? | |
+| 4 | Consistency and Standards | ? | |
+| 5 | Error Prevention | ? | |
+| 6 | Recognition Rather Than Recall | ? | |
+| 7 | Flexibility and Efficiency | ? | |
+| 8 | Aesthetic and Minimalist Design | ? | |
+| 9 | Error Recovery | ? | |
+| 10 | Help and Documentation | ? | |
+| **Total** | | **??/40** | **[Rating band]** |
+
+Be honest with scores. A 4 means genuinely excellent. Most real interfaces score 20-32.
+
+#### Anti-Patterns Verdict
+
+**Start here.** Does this look AI-generated?
+
+**LLM assessment**: Your own evaluation of AI slop tells. Cover overall aesthetic feel, layout sameness, generic composition, missed opportunities for personality.
+
+**Deterministic scan**: Summarize what the automated detector found, with counts and file locations. Note any additional issues the detector caught that you missed, and flag any false positives.
+
+**Visual overlays** (if injection succeeded): Tell the user that overlays are now visible in the **[Human]** tab in their browser, highlighting the detected issues. Summarize what the console output reported. If browser visualization was attempted but injection failed, say that no reliable user-visible overlay is available and report the fallback signal instead.
+
+#### Overall Impression
+A brief gut reaction: what works, what doesn't, and the single biggest opportunity.
+
+#### What's Working
+Highlight 2-3 things done well. Be specific about why they work.
+
+#### Priority Issues
+The 3-5 most impactful design problems, ordered by importance.
+
+For each issue, tag with **P0-P3 severity** (consult [heuristics-scoring](heuristics-scoring.md) for severity definitions):
+- **[P?] What**: Name the problem clearly
+- **Why it matters**: How this hurts users or undermines goals
+- **Fix**: What to do about it (be concrete)
+- **Suggested command**: Which command could address this (from: {{available_commands}})
+
+#### Persona Red Flags
+> *Consult [personas](personas.md)*
+
+Auto-select 2-3 personas most relevant to this interface type (use the selection table in the reference). If `{{config_file}}` contains a `## Design Context` section from `impeccable teach`, also generate 1-2 project-specific personas from the audience/brand info.
+
+For each selected persona, walk through the primary user action and list specific red flags found:
+
+**Alex (Power User)**: No keyboard shortcuts detected. Form requires 8 clicks for primary action. Forced modal onboarding. High abandonment risk.
+
+**Jordan (First-Timer)**: Icon-only nav in sidebar. Technical jargon in error messages ("404 Not Found"). No visible help. Will abandon at step 2.
+
+Be specific. Name the exact elements and interactions that fail each persona. Don't write generic persona descriptions; write what broke for them.
+
+#### Minor Observations
+Quick notes on smaller issues worth addressing.
+
+#### Questions to Consider
+Provocative questions that might unlock better solutions:
+- "What if the primary action were more prominent?"
+- "Does this need to feel this complex?"
+- "What would a confident version of this look like?"
+
+<codex>
+#### Run Notes
+Keep this compact. Include status for target slug, ignore list, assessment independence, CLI detector, browser visibility, overlay injection, live server cleanup, and temp-file cleanup. For failed or skipped steps, give the concrete observed reason and the fallback signal used. In the final chat response, also include snapshot write and trend read status after persistence has run.
+
+Codex Run Notes are final-chat only. Do not include this section in the persisted snapshot body, because persistence, trend read, and temp cleanup happen after the snapshot write and would otherwise archive stale status such as "pending after persistence."
+</codex>
+
+**Remember**:
+- Be direct. Vague feedback wastes everyone's time.
+- Be specific. "The submit button," not "some elements."
+- Say what's wrong AND why it matters to users.
+- Give concrete suggestions. Cut "consider exploring..." entirely.
+- Prioritize ruthlessly. If everything is important, nothing is.
+- Don't soften criticism. Developers need honest feedback to ship great design.
+
+### Persist the Snapshot
+
+Once the report above is finalized, write it to `.impeccable/critique/` so the user can refer back, and so `{{command_prefix}}impeccable polish` can pick up the priority issues without a copy-paste.
+
+Skip this step if the Setup slug was null (vague or root-level target).
+
+1. **Write the body to a temp file** so you can pipe it to the helper. Use the full critique report (heuristic table, anti-patterns verdict, priority issues, persona red flags, minor observations, and questions), but stop before the "Ask the User" / "Recommended Actions" sections that come later.
+
+   <codex>
+   Codex: exclude Run Notes from the temp body file; Run Notes are final-chat only because persistence, trend read, and temp cleanup happen after the snapshot write.
+   </codex>
+
+2. **Pass the structured metadata** through `IMPECCABLE_CRITIQUE_META` (JSON), then run the write command:
+   ```bash
+   IMPECCABLE_CRITIQUE_META='{"target":"<user phrasing>","total_score":<n>,"p0_count":<n>,"p1_count":<n>}' \
+     node {{scripts_path}}/critique-storage.mjs write <slug> <body-file>
+   ```
+   The helper prints the absolute path it wrote.
+
+3. **Delete the temp body file** after the write attempt completes, whether the write succeeded or failed. If deletion fails, mention `temp-file cleanup failed: <reason>` briefly in the final output, but do not block the critique.
+
+4. **Read the trend** for context:
+   ```bash
+   node {{scripts_path}}/critique-storage.mjs trend <slug> 5
+   ```
+   This returns a JSON array of the last 5 frontmatter entries (including the one you just wrote).
+
+5. **Append a single line to the user-visible output**, after the report and before the questions:
+
+   > **Trend for `<slug>` (last 5 runs): 24 → 28 → 32 → 29 → 32**
+   > Wrote `.impeccable/critique/<filename>`.
+
+   If this is the first run for the slug, the trend is just one score; say so: "First run for this target, no trend yet."
+
+This is fire-and-forget. Do not show the user the helper's JSON output; only the human-readable trend line and the written path. Failures here should not block the rest of the flow; print the error and move on.
+
+### Ask the User
+
+**After presenting findings**, use targeted questions based on what was actually found. {{ask_instruction}} These answers will shape the action plan.
+
+Ask questions along these lines (adapt to the specific findings; do NOT ask generic questions):
+
+1. **Priority direction**: Based on the issues found, ask which category matters most to the user right now. For example: "I found problems with visual hierarchy, color usage, and information overload. Which area should we tackle first?" Offer the top 2-3 issue categories as options.
+
+2. **Design intent**: If the critique found a tonal mismatch, ask whether it was intentional. For example: "The interface feels clinical and corporate. Is that the intended tone, or should it feel warmer/bolder/more playful?" Offer 2-3 tonal directions as options based on what would fix the issues found.
+
+3. **Scope**: Ask how much the user wants to take on. For example: "I found N issues. Want to address everything, or focus on the top 3?" Offer scope options like "Top 3 only", "All issues", "Critical issues only".
+
+4. **Constraints** (optional; only ask if relevant): If the findings touch many areas, ask if anything is off-limits. For example: "Should any sections stay as-is?" This prevents the plan from touching things the user considers done.
+
+**Rules for questions**:
+- Every question must reference specific findings from the report. Never ask generic "who is your audience?" questions.
+- Keep it to 2-4 questions maximum. Respect the user's time.
+- Offer concrete options, not open-ended prompts.
+- If findings are straightforward (e.g., only 1-2 clear issues), skip questions and go directly to Recommended Actions.
+
+<codex>
+Codex final-question gate: The user-visible response must either include the targeted questions or explicitly say `Questions skipped: <reason>` because the findings were straightforward. Each question must include 2-3 concrete answer options tied to the actual critique findings. Do not end with only open-ended questions.
+</codex>
+
+### Recommended Actions
+
+**After receiving the user's answers**, present a prioritized action summary reflecting the user's priorities and scope from Ask the User.
+
+#### Action Summary
+
+List recommended commands in priority order, based on the user's answers:
+
+1. **`{{command_prefix}}command-name`**: Brief description of what to fix (specific context from critique findings)
+2. **`{{command_prefix}}command-name`**: Brief description (specific context)
+...
+
+**Rules for recommendations**:
+- Only recommend commands from: {{available_commands}}
+- Order by the user's stated priorities first, then by impact
+- Each item's description should carry enough context that the command knows what to focus on
+- Map each Priority Issue to the appropriate command
+- Skip commands that would address zero issues
+- If the user chose a limited scope, only include items within that scope
+- If the user marked areas as off-limits, exclude commands that would touch those areas
+- End with `{{command_prefix}}impeccable polish` as the final step if any fixes were recommended
+
+After presenting the summary, tell the user:
+
+> You can ask me to run these one at a time, all at once, or in any order you prefer.
+>
+> Re-run `{{command_prefix}}impeccable critique` after fixes to see your score improve.

.agents/skills/impeccable/reference/delight.md

@@ -0,0 +1,302 @@
+> **Additional context needed**: what's appropriate for the domain (playful vs professional vs quirky vs elegant).
+
+Find the moments where personality and unexpected polish would turn a functional interface into one users remember and tell other people about. Add only where the moment earns it; delight everywhere reads as noise.
+
+---
+
+## Register
+
+Brand: delight can be distributed across copy voice, section transitions, discovery rewards, seasonal touches, personality across the whole surface.
+
+Product: delight at specific moments, not pages. Completion, first-time actions, error recovery, milestone crossings. Reliability and consistency carry the rest of the experience; delight pushed everywhere reads as noise.
+
+---
+
+## Assess Delight Opportunities
+
+Identify where delight would enhance (not distract from) the experience:
+
+1. **Find natural delight moments**:
+   - **Success states**: Completed actions (save, send, publish)
+   - **Empty states**: First-time experiences, onboarding
+   - **Loading states**: Waiting periods that could be entertaining
+   - **Achievements**: Milestones, streaks, completions
+   - **Interactions**: Hover states, clicks, drags
+   - **Errors**: Softening frustrating moments
+   - **Easter eggs**: Hidden discoveries for curious users
+
+2. **Understand the context**:
+   - What's the brand personality? (Playful? Professional? Quirky? Elegant?)
+   - Who's the audience? (Tech-savvy? Creative? Corporate?)
+   - What's the emotional context? (Accomplishment? Exploration? Frustration?)
+   - What's appropriate? (Banking app ≠ gaming app)
+
+3. **Define delight strategy**:
+   - **Subtle sophistication**: Refined micro-interactions (luxury brands)
+   - **Playful personality**: Whimsical illustrations and copy (consumer apps)
+   - **Helpful surprises**: Anticipating needs before users ask (productivity tools)
+   - **Sensory richness**: Satisfying sounds, smooth animations (creative tools)
+
+If any of these are unclear from the codebase, {{ask_instruction}}
+
+**CRITICAL**: Delight should enhance usability, never obscure it. If users notice the delight more than accomplishing their goal, you've gone too far.
+
+## Delight Principles
+
+Follow these guidelines:
+
+### Delight Amplifies, Never Blocks
+- Delight moments should be quick (< 1 second)
+- Never delay core functionality for delight
+- Make delight skippable or subtle
+- Respect user's time and task focus
+
+### Surprise and Discovery
+- Hide delightful details for users to discover
+- Reward exploration and curiosity
+- Don't announce every delight moment
+- Let users share discoveries with others
+
+### Appropriate to Context
+- Match delight to emotional moment (celebrate success, empathize with errors)
+- Respect the user's state (don't be playful during critical errors)
+- Match brand personality and audience expectations
+- Cultural sensitivity (what's delightful varies by culture)
+
+### Compound Over Time
+- Delight should remain fresh with repeated use
+- Vary responses (not same animation every time)
+- Reveal deeper layers with continued use
+- Build anticipation through patterns
+
+## Delight Techniques
+
+Add personality and joy through these methods:
+
+### Micro-interactions & Animation
+
+**Button delight**:
+```css
+/* Satisfying button press */
+.button {
+  transition: transform 0.1s, box-shadow 0.1s;
+}
+.button:active {
+  transform: translateY(2px);
+  box-shadow: 0 2px 4px rgba(0,0,0,0.2);
+}
+
+/* Ripple effect on click */
+/* Smooth lift on hover */
+.button:hover {
+  transform: translateY(-2px);
+  transition: transform 0.2s cubic-bezier(0.25, 1, 0.5, 1); /* ease-out-quart */
+}
+```
+
+**Loading delight**:
+- Playful loading animations (not just spinners)
+- Personality in loading messages (write product-specific ones, not generic AI filler)
+- Progress indication with encouraging messages
+- Skeleton screens with subtle animations
+
+**Success animations**:
+- Checkmark draw animation
+- Confetti burst for major achievements
+- Gentle scale + fade for confirmation
+- Satisfying sound effects (subtle)
+
+**Hover surprises**:
+- Icons that animate on hover
+- Color shifts or glow effects
+- Tooltip reveals with personality
+- Cursor changes (custom cursors for branded experiences)
+
+### Personality in Copy
+
+**Playful error messages**:
+```
+"Error 404"
+"This page is playing hide and seek. (And winning)"
+
+"Connection failed"
+"Looks like the internet took a coffee break. Want to retry?"
+```
+
+**Encouraging empty states**:
+```
+"No projects"
+"Your canvas awaits. Create something amazing."
+
+"No messages"
+"Inbox zero! You're crushing it today."
+```
+
+**Playful labels & tooltips**:
+```
+"Delete"
+"Send to void" (for playful brand)
+
+"Help"
+"Rescue me" (tooltip)
+```
+
+**IMPORTANT**: Match copy personality to brand. Banks shouldn't be wacky, but they can be warm.
+
+### Illustrations & Visual Personality
+
+**Custom illustrations**:
+- Empty state illustrations (not stock icons)
+- Error state illustrations (friendly monsters, quirky characters)
+- Loading state illustrations (animated characters)
+- Success state illustrations (celebrations)
+
+**Icon personality**:
+- Custom icon set matching brand personality
+- Animated icons (subtle motion on hover/click)
+- Illustrative icons (more detailed than generic)
+- Consistent style across all icons
+
+**Background effects**:
+- Subtle particle effects
+- Gradient mesh backgrounds
+- Geometric patterns
+- Parallax depth
+- Time-of-day themes (morning vs night)
+
+### Satisfying Interactions
+
+**Drag and drop delight**:
+- Lift effect on drag (shadow, scale)
+- Snap animation when dropped
+- Satisfying placement sound
+- Undo toast ("Dropped in wrong place? [Undo]")
+
+**Toggle switches**:
+- Smooth slide with spring physics
+- Color transition
+- Haptic feedback on mobile
+- Optional sound effect
+
+**Progress & achievements**:
+- Streak counters with celebratory milestones
+- Progress bars that "celebrate" at 100%
+- Badge unlocks with animation
+- Playful stats ("You're on fire! 5 days in a row")
+
+**Form interactions**:
+- Input fields that animate on focus
+- Checkboxes with a satisfying scale pulse when checked
+- Success state that celebrates valid input
+- Auto-grow textareas
+
+### Sound Design
+
+**Subtle audio cues** (when appropriate):
+- Notification sounds (distinctive but not annoying)
+- Success sounds (satisfying "ding")
+- Error sounds (empathetic, not harsh)
+- Typing sounds for chat/messaging
+- Ambient background audio (very subtle)
+
+**IMPORTANT**:
+- Respect system sound settings
+- Provide mute option
+- Keep volumes quiet (subtle cues, not alarms)
+- Don't play on every interaction (sound fatigue is real)
+
+### Easter Eggs & Hidden Delights
+
+**Discovery rewards**:
+- Konami code unlocks special theme
+- Hidden keyboard shortcuts (Cmd+K for special features)
+- Hover reveals on logos or illustrations
+- Alt text jokes on images (for screen reader users too!)
+- Console messages for developers ("Like what you see? We're hiring!")
+
+**Seasonal touches**:
+- Holiday themes (subtle, tasteful)
+- Seasonal color shifts
+- Weather-based variations
+- Time-based changes (dark at night, light during day)
+
+**Contextual personality**:
+- Different messages based on time of day
+- Responses to specific user actions
+- Randomized variations (not same every time)
+- Progressive reveals with continued use
+
+### Loading & Waiting States
+
+**Make waiting engaging**:
+- Interesting loading messages that rotate
+- Progress bars with personality
+- Mini-games during long loads
+- Fun facts or tips while waiting
+- Countdown with encouraging messages
+
+```
+Loading messages: write ones specific to your product, not generic AI filler:
+- "Crunching your latest numbers..."
+- "Syncing with your team's changes..."
+- "Preparing your dashboard..."
+- "Checking for updates since yesterday..."
+```
+
+**WARNING**: Avoid cliched loading messages like "Herding pixels", "Teaching robots to dance", "Consulting the magic 8-ball", "Counting backwards from infinity". These are AI-slop copy, instantly recognizable as machine-generated. Write messages that are specific to what your product actually does.
+
+### Celebration Moments
+
+**Success celebrations**:
+- Confetti for major milestones
+- Animated checkmarks for completions
+- Progress bar celebrations at 100%
+- "Achievement unlocked" style notifications
+- Personalized messages ("You published your 10th article!")
+
+**Milestone recognition**:
+- First-time actions get special treatment
+- Streak tracking and celebration
+- Progress toward goals
+- Anniversary celebrations
+
+## Implementation Patterns
+
+**Animation libraries**:
+- Framer Motion (React)
+- GSAP (universal)
+- Lottie (After Effects animations)
+- Canvas confetti (party effects)
+
+**Sound libraries**:
+- Howler.js (audio management)
+- Use-sound (React hook)
+
+**Physics libraries**:
+- React Spring (spring physics)
+- Popmotion (animation primitives)
+
+**IMPORTANT**: File size matters. Compress images, optimize animations, lazy load delight features.
+
+**NEVER**:
+- Delay core functionality for delight
+- Force users through delightful moments (make skippable)
+- Use delight to hide poor UX
+- Overdo it (less is more)
+- Ignore accessibility (animate responsibly, provide alternatives)
+- Make every interaction delightful (special moments should be special)
+- Sacrifice performance for delight
+- Be inappropriate for context (read the room)
+
+## Verify Delight Quality
+
+Test that delight actually delights:
+
+- **User reactions**: Do users smile? Share screenshots?
+- **Doesn't annoy**: Still pleasant after 100th time?
+- **Doesn't block**: Can users opt out or skip?
+- **Performant**: No jank, no slowdown
+- **Appropriate**: Matches brand and context
+- **Accessible**: Works with reduced motion, screen readers
+
+When the moments feel earned, hand off to `{{command_prefix}}impeccable polish` for the final pass.

.agents/skills/impeccable/reference/distill.md

@@ -0,0 +1,111 @@
+Strip a design to its essence. Remove anything that doesn't earn its place: redundant elements, repeated information, decorative noise, cosmetic complexity.
+
+
+---
+
+## Assess Current State
+
+Analyze what makes the design feel complex or cluttered:
+
+1. **Identify complexity sources**:
+   - **Too many elements**: Competing buttons, redundant information, visual clutter
+   - **Excessive variation**: Too many colors, fonts, sizes, styles without purpose
+   - **Information overload**: Everything visible at once, no progressive disclosure
+   - **Visual noise**: Unnecessary borders, shadows, backgrounds, decorations
+   - **Confusing hierarchy**: Unclear what matters most
+   - **Feature creep**: Too many options, actions, or paths forward
+
+2. **Find the essence**:
+   - What's the primary user goal? (There should be ONE)
+   - What's actually necessary vs nice-to-have?
+   - What can be removed, hidden, or combined?
+   - What's the 20% that delivers 80% of value?
+
+If any of these are unclear from the codebase, {{ask_instruction}}
+
+**CRITICAL**: Simplicity is not about removing features. It's about removing obstacles between users and their goals. Every element should justify its existence.
+
+## Plan Simplification
+
+Create a ruthless editing strategy:
+
+- **Core purpose**: What's the ONE thing this should accomplish?
+- **Essential elements**: What's truly necessary to achieve that purpose?
+- **Progressive disclosure**: What can be hidden until needed?
+- **Consolidation opportunities**: What can be combined or integrated?
+
+**IMPORTANT**: Simplification is hard. It requires saying no to good ideas to make room for great execution. Be ruthless.
+
+## Simplify the Design
+
+Systematically remove complexity across these dimensions:
+
+### Information Architecture
+- **Reduce scope**: Remove secondary actions, optional features, redundant information
+- **Progressive disclosure**: Hide complexity behind clear entry points (accordions, modals, step-through flows)
+- **Combine related actions**: Merge similar buttons, consolidate forms, group related content
+- **Clear hierarchy**: ONE primary action, few secondary actions, everything else tertiary or hidden
+- **Remove redundancy**: If it's said elsewhere, don't repeat it here
+
+### Visual Simplification
+- **Reduce color palette**: Use 1-2 colors plus neutrals, not 5-7 colors
+- **Limit typography**: One font family, 3-4 sizes maximum, 2-3 weights
+- **Remove decorations**: Eliminate borders, shadows, backgrounds that don't serve hierarchy or function
+- **Flatten structure**: Reduce nesting, remove unnecessary containers; never nest cards inside cards
+- **Remove unnecessary cards**: Cards aren't needed for basic layout; use spacing and alignment instead
+- **Consistent spacing**: Use one spacing scale, remove arbitrary gaps
+
+### Layout Simplification
+- **Linear flow**: Replace complex grids with simple vertical flow where possible
+- **Remove sidebars**: Move secondary content inline or hide it
+- **Full-width**: Use available space generously instead of complex multi-column layouts
+- **Consistent alignment**: Pick left or center, stick with it
+- **Generous white space**: Let content breathe, don't pack everything tight
+
+### Interaction Simplification
+- **Reduce choices**: Fewer buttons, fewer options, clearer path forward (paradox of choice is real)
+- **Smart defaults**: Make common choices automatic, only ask when necessary
+- **Inline actions**: Replace modal flows with inline editing where possible
+- **Remove steps**: Can signup be one step instead of three? Can checkout be simplified?
+- **Clear CTAs**: ONE obvious next step, not five competing actions
+
+### Content Simplification
+- **Shorter copy**: Cut every sentence in half, then do it again
+- **Active voice**: "Save changes" not "Changes will be saved"
+- **Remove jargon**: Plain language always wins
+- **Scannable structure**: Short paragraphs, bullet points, clear headings
+- **Essential information only**: Remove marketing fluff, legalese, hedging
+- **Remove redundant copy**: No headers restating intros, no repeated explanations, say it once
+
+### Code Simplification
+- **Remove unused code**: Dead CSS, unused components, orphaned files
+- **Flatten component trees**: Reduce nesting depth
+- **Consolidate styles**: Merge similar styles, use utilities consistently
+- **Reduce variants**: Does that component need 12 variations, or can 3 cover 90% of cases?
+
+**NEVER**:
+- Remove necessary functionality (simplicity ≠ feature-less)
+- Sacrifice accessibility for simplicity (clear labels and ARIA still required)
+- Make things so simple they're unclear (mystery ≠ minimalism)
+- Remove information users need to make decisions
+- Eliminate hierarchy completely (some things should stand out)
+- Oversimplify complex domains (match complexity to actual task complexity)
+
+## Verify Simplification
+
+Ensure simplification improves usability:
+
+- **Faster task completion**: Can users accomplish goals more quickly?
+- **Reduced cognitive load**: Is it easier to understand what to do?
+- **Still complete**: Are all necessary features still accessible?
+- **Clearer hierarchy**: Is it obvious what matters most?
+- **Better performance**: Does simpler design load faster?
+
+## Document Removed Complexity
+
+If you removed features or options:
+- Document why they were removed
+- Consider if they need alternative access points
+- Note any user feedback to monitor
+
+When the cuts feel right, hand off to `{{command_prefix}}impeccable polish` for the final pass. As Antoine de Saint-Exupéry put it: "Perfection is achieved not when there is nothing more to add, but when there is nothing left to take away."

.agents/skills/impeccable/reference/document.md

@@ -0,0 +1,427 @@
+Generate a `DESIGN.md` file at the project root that captures the current visual design system, so AI agents generating new screens stay on-brand.
+
+DESIGN.md follows the [official Google Stitch DESIGN.md format](https://stitch.withgoogle.com/docs/design-md/format/): YAML frontmatter carrying machine-readable design tokens, followed by a markdown body with exactly six sections in a fixed order. **Tokens are normative; prose provides context for how to apply them.** Sections may be omitted when not relevant, but **do not reorder them and do not rename them**. Section headers must match the spec character-for-character so the file stays parseable by other DESIGN.md-aware tools (Stitch itself, awesome-design-md, skill-rest, etc.).
+
+## The frontmatter: token schema
+
+The YAML frontmatter is the machine-readable layer. It's what Stitch's linter validates and what the live panel renders tiles from. Keep it tight; every entry should correspond to a token the project actually uses.
+
+```yaml
+---
+name: <project title>
+description: <one-line tagline>
+colors:
+  primary: "#b8422e"
+  neutral-bg: "#faf7f2"
+  # ...one entry per extracted color; key = descriptive slug
+typography:
+  display:
+    fontFamily: "Cormorant Garamond, Georgia, serif"
+    fontSize: "clamp(2.5rem, 7vw, 4.5rem)"
+    fontWeight: 300
+    lineHeight: 1
+    letterSpacing: "normal"
+  body:
+    # ...
+rounded:
+  sm: "4px"
+  md: "8px"
+spacing:
+  sm: "8px"
+  md: "16px"
+components:
+  button-primary:
+    backgroundColor: "{colors.primary}"
+    textColor: "{colors.neutral-bg}"
+    rounded: "{rounded.sm}"
+    padding: "16px 48px"
+  button-primary-hover:
+    backgroundColor: "{colors.primary-deep}"
+---
+```
+
+Rules that matter:
+
+- **Token refs** use `{path.to.token}` (e.g. `{colors.primary}`, `{rounded.md}`). Components may reference primitives; primitives may not reference each other.
+- **Stitch validates colors as hex sRGB only** (`#RGB` / `#RGBA` / `#RRGGBB` / `#RRGGBBAA`); OKLCH/HSL/P3 trigger a linter warning, not a hard error. YAML accepts the string either way and our own parser is format-agnostic. Choose based on project posture: (a) if the project has an "OKLCH-only" doctrine or uses Display-P3 values that don't round-trip through sRGB, put OKLCH directly in the frontmatter and accept the Stitch linter warning; (b) if the project wants strict Stitch compliance or plans to use their Tailwind/DTCG export pipeline, put hex in the frontmatter and keep OKLCH in prose as the canonical reference. Never split the source of truth without explicit reason.
+- **Component sub-tokens** are limited to 8 props: `backgroundColor`, `textColor`, `typography`, `rounded`, `padding`, `size`, `height`, `width`. Shadows, motion, focus rings, backdrop-filter: none of those fit. Carry them in the sidecar (Step 4b).
+- **Scale keys are open-ended.** Use whatever names the project already uses (`warm-ash-cream`, `surface-container-low`). Don't rename to Material defaults.
+- **Variants are naming convention, not schema.** `button-primary` / `button-primary-hover` / `button-primary-active` as sibling keys.
+
+## The markdown body: six sections (exact order)
+
+1. `## Overview`
+2. `## Colors`
+3. `## Typography`
+4. `## Elevation`
+5. `## Components`
+6. `## Do's and Don'ts`
+
+Optional evocative subtitles are allowed in the form `## 2. Colors: The [Name] Palette` (Stitch's own outputs do this), but the literal word in each header (Overview, Colors, Typography, Elevation, Components, Do's and Don'ts) must be present. Do NOT add extra top-level sections (Layout Principles, Responsive Behavior, Motion, Agent Prompt Guide). Fold that content into the six spec sections where it naturally belongs.
+
+## When to run
+
+- The user just ran `/impeccable teach` and needs the visual side documented.
+- The skill noticed no `DESIGN.md` exists and nudged the user to create one.
+- An existing `DESIGN.md` is stale (the design has drifted).
+- Before a large redesign, to capture the current state as a reference.
+
+If a `DESIGN.md` already exists, **do not silently overwrite it**. Show the user the existing file and {{ask_instruction}} whether to refresh, overwrite, or merge.
+
+## Two paths
+
+- **Scan mode** (default): the project has design tokens, components, or rendered output. Extract, then confirm descriptive language. Use when there's code to analyze.
+- **Seed mode**: the project is pre-implementation (fresh teach, nothing built yet). Interview for five high-level answers, write a minimal DESIGN.md marked `<!-- SEED -->`. Re-run in scan mode once there's code.
+
+Decide by scanning first (Scan mode Step 1). If the scan finds no tokens, no component files, and no rendered site, offer seed mode; don't silently switch. `/impeccable document --seed` forces seed mode regardless of code presence.
+
+## Scan mode (approach C: auto-extract, then confirm descriptive language)
+
+### Step 1: Find the design assets
+
+Search the codebase in priority order:
+
+1. **CSS custom properties**: grep for `--color-`, `--font-`, `--spacing-`, `--radius-`, `--shadow-`, `--ease-`, `--duration-` declarations in CSS files (usually `src/styles/`, `public/css/`, `app/globals.css`, etc.). Record name, value, and the file it's defined in.
+2. **Tailwind config**: if `tailwind.config.{js,ts,mjs}` exists, read the `theme.extend` block for colors, fontFamily, spacing, borderRadius, boxShadow.
+3. **CSS-in-JS theme files**: styled-components, emotion, vanilla-extract, stitches; look for `theme.ts`, `tokens.ts`, or equivalent.
+4. **Design token files**: `tokens.json`, `design-tokens.json`, Style Dictionary output, W3C token community group format.
+5. **Component library**: scan the main button, card, input, navigation, dialog components. Note their variant APIs and default styles.
+6. **Global stylesheet**: the root CSS file usually has the base typography and color assignments.
+7. **Visible rendered output**: if browser automation tools are available, load the live site and sample computed styles from key elements (body, h1, a, button, .card). This catches values that tokens miss.
+
+### Step 2: Auto-extract what can be auto-extracted
+
+Build a structured draft from the discovered tokens. For each token class:
+
+- **Colors**: Group into Primary / Secondary / Tertiary / Neutral (the Material-derived roles Stitch uses). If the project only has one accent, express it as Primary + Neutral; omit Secondary and Tertiary rather than inventing them.
+- **Typography**: Map observed sizes and weights to the Material hierarchy (display / headline / title / body / label). Note font-family stacks and the scale ratio.
+- **Elevation**: Catalogue the shadow vocabulary. If the project is flat and uses tonal layering instead, that's a valid answer; state it explicitly.
+- **Components**: For each common component (button, card, input, chip, list item, tooltip, nav), extract shape (radius), color assignment, hover/focus treatment, internal padding.
+- **Spacing + layout**: Fold into Overview or relevant Components. The spec does NOT have a Layout section.
+
+### Step 2b: Stage the frontmatter
+
+From the auto-extracted tokens, draft the YAML frontmatter now (you'll write it at the top of DESIGN.md in Step 4). This is the machine-readable layer: what the live panel and Stitch's linter consume.
+
+- **Colors**: one entry per extracted color. Key = descriptive slug (`warm-ash-cream`, `editorial-magenta`, not `blue-800`). Value = whichever format the project treats as canonical (OKLCH or hex; see the frontmatter rules above). Don't split the source of truth: one format in the frontmatter, don't redefine the same token in prose with a different value.
+- **Typography**: one entry per role (`display`, `headline`, `title`, `body`, `label`). Typography is an object; include only the props that are real for the project (`fontFamily`, `fontSize`, `fontWeight`, `lineHeight`, `letterSpacing`, `fontFeature`, `fontVariation`).
+- **Rounded / Spacing**: whatever scale steps the project actually uses, keyed by whatever scale name the project uses (`sm` / `md` / `lg`, or `surface-sm`, or numeric steps).
+- **Components**: one entry per variant (`button-primary`, `button-primary-hover`, `button-ghost`). Reference primitives via `{colors.X}`, `{rounded.Y}`. If a variant needs a property Stitch's 8-prop set doesn't cover (shadow, focus ring, backdrop-filter), carry the full snippet in the sidecar instead.
+
+Skip anything the project doesn't have. Empty scale keys or fabricated tokens pollute the spec.
+
+### Step 3: Ask the user for qualitative language
+
+The following require creative input that cannot be auto-extracted. Group them into one `AskUserQuestion` interaction:
+
+- **Creative North Star**: a single named metaphor for the whole system ("The Editorial Sanctuary", "The Golden State Curator", "The Lab Notebook"). Offer 2-3 options that honor PRODUCT.md's brand personality.
+- **Overview voice**: mood adjectives, aesthetic philosophy in 2-3 sentences, anti-references (what the system should not feel like).
+- **Color character** (for auto-extracted colors): descriptive names ("Deep Muted Teal-Navy", not "blue-800"). Suggest 2-3 options per key color based on hue/saturation.
+- **Elevation philosophy**: flat/layered/lifted. If shadows exist, is their role ambient or structural?
+- **Component philosophy**: the feel of buttons, cards, inputs in one phrase ("tactile and confident" vs. "refined and restrained").
+
+Quote a line from PRODUCT.md when possible so the user sees their own strategic language carry forward.
+
+### Step 4: Write DESIGN.md
+
+The file opens with the YAML frontmatter staged in Step 2b (schema documented at the top of this reference), then the markdown body using the structure below. Headers must match character-for-character. Optional evocative subtitles (e.g. `## 2. Colors: The Coastal Palette`) are allowed.
+
+```markdown
+---
+name: [Project Title]
+description: [one-line tagline]
+colors:
+  # ... staged frontmatter from Step 2b
+---
+
+# Design System: [Project Title]
+
+## 1. Overview
+
+**Creative North Star: "[Named metaphor in quotes]"**
+
+[2-3 paragraph holistic description: personality, density, aesthetic philosophy. Start from the North Star and work outward. State what this system explicitly rejects (pulled from PRODUCT.md's anti-references). End with a short **Key Characteristics:** bullet list.]
+
+## 2. Colors
+
+[Describe the palette character in one sentence.]
+
+### Primary
+- **[Descriptive Name]** (#HEX / oklch(...)): [Where and why this color is used. Be specific about context, not just role.]
+
+### Secondary (optional; omit if the project has only one accent)
+- **[Descriptive Name]** (#HEX): [Role.]
+
+### Tertiary (optional)
+- **[Descriptive Name]** (#HEX): [Role.]
+
+### Neutral
+- **[Descriptive Name]** (#HEX): [Text / background / border / divider role.]
+- [...]
+
+### Named Rules (optional, powerful)
+**The [Rule Name] Rule.** [Short, forceful prohibition or doctrine, e.g. "The One Voice Rule. The primary accent is used on ≤10% of any given screen. Its rarity is the point."]
+
+## 3. Typography
+
+**Display Font:** [Family] (with [fallback])
+**Body Font:** [Family] (with [fallback])
+**Label/Mono Font:** [Family, if distinct]
+
+**Character:** [1-2 sentence personality description of the pairing.]
+
+### Hierarchy
+- **Display** ([weight], [size/clamp], [line-height]): [Purpose; where it appears.]
+- **Headline** ([weight], [size], [line-height]): [Purpose.]
+- **Title** ([weight], [size], [line-height]): [Purpose.]
+- **Body** ([weight], [size], [line-height]): [Purpose. Include max line length like 65–75ch if relevant.]
+- **Label** ([weight], [size], [letter-spacing], [case if uppercase]): [Purpose.]
+
+### Named Rules (optional)
+**The [Rule Name] Rule.** [Short doctrine about type use.]
+
+## 4. Elevation
+
+[One paragraph: does this system use shadows, tonal layering, or a hybrid? If "no shadows", say so explicitly and describe how depth is conveyed instead.]
+
+### Shadow Vocabulary (if applicable)
+- **[Role name]** (`box-shadow: [exact value]`): [When to use it.]
+- [...]
+
+### Named Rules (optional)
+**The [Rule Name] Rule.** [e.g. "The Flat-By-Default Rule. Surfaces are flat at rest. Shadows appear only as a response to state (hover, elevation, focus)."]
+
+## 5. Components
+
+For each component, lead with a short character line, then specify shape, color assignment, states, and any distinctive behavior.
+
+### Buttons
+- **Shape:** [radius described, exact value in parens]
+- **Primary:** [color assignment + padding, in semantic + exact terms]
+- **Hover / Focus:** [transitions, treatments]
+- **Secondary / Ghost / Tertiary (if applicable):** [brief description]
+
+### Chips (if used)
+- **Style:** [background, text color, border treatment]
+- **State:** [selected / unselected, filter / action variants]
+
+### Cards / Containers
+- **Corner Style:** [radius]
+- **Background:** [colors used]
+- **Shadow Strategy:** [reference Elevation section]
+- **Border:** [if any]
+- **Internal Padding:** [scale]
+
+### Inputs / Fields
+- **Style:** [stroke, background, radius]
+- **Focus:** [treatment, e.g. glow, border shift, etc.]
+- **Error / Disabled:** [if applicable]
+
+### Navigation
+- **Style, typography, default/hover/active states, mobile treatment.**
+
+### [Signature Component] (optional; if the project has a distinctive custom component worth documenting)
+[Description.]
+
+## 6. Do's and Don'ts
+
+Concrete, forceful guardrails. Lead each with "Do" or "Don't". Be specific: include exact colors, pixel values, and named anti-patterns the user mentioned in PRODUCT.md. **Every anti-reference in PRODUCT.md should show up here as a "Don't" with the same language**, so the visual spec carries the strategic line through. Quote PRODUCT.md directly where possible: if PRODUCT.md says *"avoid dark mode with purple gradients, neon accents, glassmorphism"*, the Don'ts here should repeat that by name.
+
+### Do:
+- **Do** [specific prescription with exact values / named rule].
+- **Do** [...]
+
+### Don't:
+- **Don't** [specific prohibition, e.g. "use border-left greater than 1px as a colored stripe"].
+- **Don't** [...]
+- **Don't** [...]
+```
+
+### Step 4b: Write .impeccable/design.json sidecar (extensions only)
+
+The frontmatter owns token primitives (colors, typography, rounded, spacing, components). The sidecar at `.impeccable/design.json` carries **what Stitch's schema can't hold**: tonal ramps per color, shadow/elevation tokens, motion tokens, breakpoints, full component HTML/CSS snippets (the panel renders these into a shadow DOM), and narrative (north star, rules, do's/don'ts). It extends the frontmatter, it doesn't duplicate it.
+
+Regenerate the sidecar whenever you regenerate root `DESIGN.md`. If the user only asks to refresh the sidecar (e.g., from the live panel's stale-hint), preserve `DESIGN.md` and write only `.impeccable/design.json`.
+
+#### Schema
+
+```json
+{
+  "schemaVersion": 2,
+  "generatedAt": "ISO-8601 string",
+  "title": "Design System: [Project Title]",
+  "extensions": {
+    "colorMeta": {
+      "primary":        { "role": "primary",  "displayName": "Editorial Magenta", "canonical": "oklch(60% 0.25 350)", "tonalRamp": ["...", "...", "..."] },
+      "warm-ash-cream": { "role": "neutral",  "displayName": "Warm Ash Cream",    "canonical": "oklch(96% 0.005 350)", "tonalRamp": ["...", "...", "..."] }
+    },
+    "typographyMeta": {
+      "display": { "displayName": "Display", "purpose": "Hero headlines only." }
+    },
+    "shadows": [
+      { "name": "ambient-low", "value": "0 4px 24px rgba(0,0,0,0.12)", "purpose": "Diffuse hover glow under accent elements." }
+    ],
+    "motion": [
+      { "name": "ease-standard", "value": "cubic-bezier(0.4, 0, 0.2, 1)", "purpose": "Default easing for state transitions." }
+    ],
+    "breakpoints": [
+      { "name": "sm", "value": "640px" }
+    ]
+  },
+  "components": [
+    {
+      "name": "Primary Button",
+      "kind": "button | input | nav | chip | card | custom",
+      "refersTo": "button-primary",
+      "description": "One-line what and when.",
+      "html": "<button class=\"ds-btn-primary\">GET STARTED</button>",
+      "css": ".ds-btn-primary { background: #191c1d; color: #fff; padding: 16px 48px; letter-spacing: 0.05em; text-transform: uppercase; font-weight: 500; border: none; border-radius: 0; transition: background 0.2s, transform 0.2s; } .ds-btn-primary:hover { background: oklch(60% 0.25 350); transform: translateY(-2px); }"
+    }
+  ],
+  "narrative": {
+    "northStar": "The Editorial Sanctuary",
+    "overview": "2-3 paragraphs of the philosophy, pulled from DESIGN.md Overview section.",
+    "keyCharacteristics": ["...", "..."],
+    "rules": [{ "name": "The One Voice Rule", "body": "...", "section": "colors|typography|elevation" }],
+    "dos":   ["Do use ..."],
+    "donts": ["Don't use ..."]
+  }
+}
+```
+
+**What changed from schemaVersion 1.** The old sidecar carried token primitive arrays (`tokens.colors[]`, `tokens.typography[]`, etc.). Those values now live in the frontmatter. The sidecar only carries metadata that can't live in the frontmatter (tonal ramps, canonical OKLCH when the hex is an approximation, display names, role hints), keyed by the frontmatter token name (`colorMeta.<token-name>`, `typographyMeta.<token-name>`). Components still carry full HTML/CSS because Stitch's 8-prop set can't hold them.
+
+#### Component translation rules
+
+The `html` and `css` fields must be **self-contained, drop-in snippets** that render correctly when injected into a shadow DOM. The panel applies them directly: no post-processing, no framework runtime.
+
+1. **Tailwind expansion.** If the source uses Tailwind (className="bg-primary text-white rounded-lg px-6 py-3"), expand every utility to literal CSS properties in the `css` string. Do **not** reference Tailwind classes; do **not** assume a Tailwind CSS bundle is loaded. Each component is self-contained.
+2. **Token resolution.** If the project exposes tokens as CSS custom properties on `:root` (e.g. `--color-primary`, `--radius-md`), reference them via `var(--color-primary)`; they inherit through the shadow DOM and stay live-bound. If tokens live only in JS theme objects (styled-components, CSS-in-JS), resolve to literal values at generation time.
+3. **Icons.** Inline as SVG. Do not reference Lucide/Heroicons packages, icon fonts, or `<img src="...">`. A typical icon is 16-24px; copy the SVG path data directly.
+4. **States.** Include `:hover`, `:focus-visible`, and (if meaningful) `:active` rules inline. A static default-only snapshot makes the panel feel dead. Hover + focus rules in the CSS make it feel alive.
+5. **Reset bloat.** Extract only the component's *distinctive* CSS (background, color, padding, border-radius, typography, transition). Skip universal resets (`box-sizing: border-box`, `line-height: inherit`, `-webkit-font-smoothing`). The panel already has a neutral canvas; don't re-ship resets.
+6. **Scoped class names.** Prefix every class with `ds-` (e.g. `ds-btn-primary`, `ds-input-search`) so component CSS doesn't collide with other components' CSS in the same shadow DOM.
+
+#### What to include
+
+Aim for a tight set of **5-10 components** that best represent the visual system:
+
+- **Canonical primitives (always include if the project has them):** button (each variant as a separate component entry), input/text field, navigation, chip/tag, card.
+- **Signature components (include if distinctive):** hero CTA, featured card, filter pill, any custom pattern the user mentioned as important in PRODUCT.md.
+- **Skip the rest.** Utility components, form building blocks, wrapper layouts: not worth documenting unless visually distinctive.
+
+If the project has **no component library yet** (bare landing page, new project), synthesize canonical primitives from the tokens using best-practice defaults consistent with the DESIGN.md's rules. Every `.impeccable/design.json` has *something* to render, even on day zero.
+
+#### Tonal ramps
+
+For each color token, generate an 8-step `tonalRamp` array: dark to light, same hue and chroma, stepped lightness from ~15% to ~95%. The panel renders this as a strip under the swatch. If the project already defines a tonal scale (Material `surface-container-low` family, Tailwind-style `blue-50..blue-900`), use those values. Otherwise synthesize in OKLCH.
+
+#### Narrative mapping
+
+Pull directly from the DESIGN.md you just wrote:
+
+- `narrative.northStar` → the `**Creative North Star: "..."**` line from Overview
+- `narrative.overview` → the philosophy paragraphs from Overview
+- `narrative.keyCharacteristics` → the bulleted `**Key Characteristics:**` list
+- `narrative.rules` → every `**The [Name] Rule.** [body]` across all sections, tagged with `section`
+- `narrative.dos` / `narrative.donts` → the bullet lists from Do's and Don'ts verbatim
+
+Do not reword. The panel shows these as secondary collapsible context; the same voice that's in the Markdown carries through.
+
+### Step 5: Confirm, refine, and refresh session cache
+
+1. Show the user the full DESIGN.md you wrote. Briefly highlight the non-obvious creative choices (descriptive color names, atmosphere language, named rules).
+2. Mention that `.impeccable/design.json` was also written alongside; the live panel will now render this project's actual button/input/nav primitives instead of generic approximations.
+3. Offer to refine any section: "Want me to revise a section, add component patterns I missed, or adjust the atmosphere language?"
+4. **Refresh the session cache.** Run `node {{scripts_path}}/load-context.mjs` one final time so the newly-written DESIGN.md lands in conversation. Subsequent commands in this session will use the fresh version automatically without re-reading.
+
+## Seed mode
+
+For projects with no visual system to extract yet. Produces a minimal scaffold, not a full spec.
+
+### Step 1: Confirm seed mode
+
+Before interviewing: "There's no existing visual system to scan. I'll ask five quick questions to seed a starter DESIGN.md. You can re-run `/impeccable document` once there's code, to capture the real tokens and components. OK?"
+
+If the user prefers to skip, stop. No file.
+
+### Step 2: Five questions
+
+Group into one `AskUserQuestion` interaction. Options must be concrete.
+
+1. **Color strategy.** Pick one:
+   - Restrained: tinted neutrals + one accent ≤10%
+   - Committed: one saturated color carries 30–60% of the surface
+   - Full palette: 3–4 named color roles, each deliberate
+   - Drenched: the surface IS the color
+   
+   Then: one hue family or anchor reference ("deep teal", "mustard", "Klim #ff4500 orange").
+
+2. **Typography direction.** Pick one (specific fonts come later):
+   - Serif display + sans body
+   - Single sans (warm / technical / geometric / humanist; pick a feel)
+   - Display + mono
+   - Mono-forward
+   - Editorial script + sans
+
+3. **Motion energy.** Pick one:
+   - Restrained: state changes only
+   - Responsive: feedback + transitions, no choreography
+   - Choreographed: orchestrated entrances, scroll-driven sequences
+
+4. **Three named references.** Brands, products, printed objects. Not adjectives.
+
+5. **One anti-reference.** What it should NOT feel like. Also named.
+
+### Step 3: Write seed DESIGN.md
+
+Use the six-section spec from Scan mode. Populate what the interview answers; leave the rest as honest placeholders. The seed is a scaffold, not a fabricated spec.
+
+Lead the file with:
+
+```markdown
+<!-- SEED: re-run /impeccable document once there's code to capture the actual tokens and components. -->
+```
+
+Per-section guidance in seed mode:
+
+- **Overview**: Creative North Star and philosophy phrased from the answers (color strategy + motion energy + references). Reference the user's anti-reference directly.
+- **Colors**: Color strategy as a Named Rule (e.g. *"The Drenched Rule. The surface IS the color."*). Hue family or anchor reference. No hex values; mark as `[to be resolved during implementation]`.
+- **Typography**: the direction the user picked (e.g. "Serif display + sans body"). No font names yet: `[font pairing to be chosen at implementation]`.
+- **Elevation**: inferred from motion energy. Restrained/Responsive → flat by default; Choreographed → layered. One sentence.
+- **Components**: omit entirely; no components exist yet.
+- **Do's and Don'ts**: carry PRODUCT.md's anti-references directly plus the anti-reference named in Q5.
+
+Seed mode writes a minimal frontmatter with `name` and `description` only; no colors, typography, rounded, spacing, or components yet. Real tokens land on the next Scan-mode run. Skip the `.impeccable/design.json` sidecar in seed mode for the same reason: nothing to render.
+
+### Step 4: Confirm and refresh session cache
+
+1. Show the seed DESIGN.md. Call out that it is a seed (the marker is the literal commitment).
+2. Tell the user: "Re-run `/impeccable document` once you have some code. That pass will extract real tokens and generate the sidecar."
+3. Run `node {{scripts_path}}/load-context.mjs` once so the seed lands in conversation for the rest of the session.
+
+## Style guidelines
+
+- **Frontmatter first, prose second.** Tokens go in the YAML frontmatter; prose contextualizes them. Don't redefine a token value in two places; the frontmatter is normative.
+- **Cite PRODUCT.md anti-references by name** in the Do's and Don'ts section. If PRODUCT.md lists "SaaS landing-page clichés" or "generic AI tool marketing" as anti-references, the DESIGN.md Don'ts should repeat those phrases verbatim so the visual spec enforces the strategic line.
+- **Match the spec, don't invent new sections.** The six section names are fixed. If you have Layout/Motion/Responsive content to document, fold it into Overview (philosophy-level rules) or Components (per-component behavior).
+- **Descriptive > technical**: "Gently curved edges (8px radius)" > "rounded-lg". Include the technical value in parens, lead with the description.
+- **Functional > decorative**: for each token, explain WHERE and WHY it's used, not just WHAT it is.
+- **Exact values in parens**: hex codes, px/rem values, font weights; always the number in parens alongside the description.
+- **Use Named Rules**: `**The [Name] Rule.** [short doctrine]`. These are memorable, citable, and much stickier for AI consumers than bullet lists. Stitch's own outputs use them heavily ("The No-Line Rule", "The Ghost Border Fallback"). Aim for 1-3 per section.
+- **Be forceful**. The voice of a design director. "Prohibited", "forbidden", "never", "always", not "consider", "might", "prefer". Match PRODUCT.md's tone.
+- **Concrete anti-pattern tests**. Stitch writes things like *"If it looks like a 2014 app, the shadow is too dark and the blur is too small."* A one-sentence audit test beats a paragraph of principle.
+- **Reference PRODUCT.md**. The anti-references section of PRODUCT.md should directly inform the Do's and Don'ts section here. Quote or paraphrase.
+- **Group colors by role**, not by hex-order or hue-order. Primary / Secondary / Tertiary / Neutral is the spec ordering.
+
+## Pitfalls
+
+- Don't paste raw CSS class names. Translate to descriptive language.
+- Don't extract every token. Stop at what's actually reused; one-offs pollute the system.
+- Don't invent components that don't exist. If the project only has buttons and cards, only document those.
+- Don't overwrite an existing DESIGN.md without asking.
+- Don't duplicate content from PRODUCT.md. DESIGN.md is strictly visual.
+- Don't add a "Layout Principles" or "Motion" or "Responsive Behavior" top-level section. The spec has six, not nine. Fold that content where it belongs.
+- Don't rename sections even slightly. "Colors" not "Color Palette & Roles". "Typography" not "Typography Rules". Tooling parsing depends on exact headers.
+- Don't duplicate token values between frontmatter and prose. If a color is in `colors.primary` as hex, the prose can name it and describe its role but should not reassert a different hex. The frontmatter is normative.
+- Don't invent frontmatter token groups outside Stitch's schema (no `motion:`, `breakpoints:`, `shadows:` at the top level). Stitch's Zod schema only accepts `colors`, `typography`, `rounded`, `spacing`, `components`. Anything else belongs in the sidecar's `extensions`.

.agents/skills/impeccable/reference/extract.md

@@ -0,0 +1,69 @@
+# Extract Flow
+
+Identify reusable patterns, components, and design tokens, then extract and consolidate them into the design system for systematic reuse.
+
+## Step 1: Discover the Design System
+
+Find the design system, component library, or shared UI directory. Understand its structure: component organization, naming conventions, design token structure, import/export conventions.
+
+**CRITICAL**: If no design system exists, {{ask_instruction}} before creating one. Understand the preferred location and structure first.
+
+## Step 2: Identify Patterns
+
+Look for extraction opportunities in the target area:
+
+- **Repeated components**: Similar UI patterns used 3+ times (buttons, cards, inputs)
+- **Hard-coded values**: Colors, spacing, typography, shadows that should be tokens
+- **Inconsistent variations**: Multiple implementations of the same concept
+- **Composition patterns**: Layout or interaction patterns that repeat (form rows, toolbar groups, empty states)
+- **Type styles**: Repeated font-size + weight + line-height combinations
+- **Animation patterns**: Repeated easing, duration, or keyframe combinations
+
+Assess value: only extract things used 3+ times with the same intent. Premature abstraction is worse than duplication.
+
+## Step 3: Plan Extraction
+
+Create a systematic plan:
+
+- **Components to extract**: Which UI elements become reusable components?
+- **Tokens to create**: Which hard-coded values become design tokens?
+- **Variants to support**: What variations does each component need?
+- **Naming conventions**: Component names, token names, prop names that match existing patterns
+- **Migration path**: How to refactor existing uses to consume the new shared versions
+
+**IMPORTANT**: Design systems grow incrementally. Extract what is clearly reusable now, not everything that might someday be reusable.
+
+## Step 4: Extract & Enrich
+
+Build improved, reusable versions:
+
+- **Components**: Clear props API with sensible defaults, proper variants for different use cases, accessibility built in (ARIA, keyboard navigation, focus management), documentation and usage examples
+- **Design tokens**: Clear naming (primitive vs semantic), proper hierarchy and organization, documentation of when to use each token
+- **Patterns**: When to use this pattern, code examples, variations and combinations
+
+## Step 5: Migrate
+
+Replace existing uses with the new shared versions:
+
+- **Find all instances**: Search for the patterns you extracted
+- **Replace systematically**: Update each use to consume the shared version
+- **Test thoroughly**: Ensure visual and functional parity
+- **Delete dead code**: Remove the old implementations
+
+## Step 6: Document
+
+Update design system documentation:
+
+- Add new components to the component library
+- Document token usage and values
+- Add examples and guidelines
+- Update any Storybook or component catalog
+
+**NEVER**:
+- Extract one-off, context-specific implementations without generalization
+- Create components so generic they are useless
+- Extract without considering existing design system conventions
+- Skip proper TypeScript types or prop documentation
+- Create tokens for every single value (tokens should have semantic meaning)
+- Extract things that differ in intent (two buttons that look similar but serve different purposes should stay separate)
+

.agents/skills/impeccable/reference/harden.md

@@ -0,0 +1,347 @@
+Designs that only work with perfect data aren't production-ready. Harden the interface against the inputs, errors, languages, and network conditions that real users will throw at it.
+
+## Assess Hardening Needs
+
+Identify weaknesses and edge cases:
+
+1. **Test with extreme inputs**:
+   - Very long text (names, descriptions, titles)
+   - Very short text (empty, single character)
+   - Special characters (emoji, RTL text, accents)
+   - Large numbers (millions, billions)
+   - Many items (1000+ list items, 50+ options)
+   - No data (empty states)
+
+2. **Test error scenarios**:
+   - Network failures (offline, slow, timeout)
+   - API errors (400, 401, 403, 404, 500)
+   - Validation errors
+   - Permission errors
+   - Rate limiting
+   - Concurrent operations
+
+3. **Test internationalization**:
+   - Long translations (German is often 30% longer than English)
+   - RTL languages (Arabic, Hebrew)
+   - Character sets (Chinese, Japanese, Korean, emoji)
+   - Date/time formats
+   - Number formats (1,000 vs 1.000)
+   - Currency symbols
+
+**CRITICAL**: Designs that only work with perfect data aren't production-ready. Harden against reality.
+
+## Hardening Dimensions
+
+Systematically improve resilience:
+
+### Text Overflow & Wrapping
+
+**Long text handling**:
+```css
+/* Single line with ellipsis */
+.truncate {
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+/* Multi-line with clamp */
+.line-clamp {
+  display: -webkit-box;
+  -webkit-line-clamp: 3;
+  -webkit-box-orient: vertical;
+  overflow: hidden;
+}
+
+/* Allow wrapping */
+.wrap {
+  word-wrap: break-word;
+  overflow-wrap: break-word;
+  hyphens: auto;
+}
+```
+
+**Flex/Grid overflow**:
+```css
+/* Prevent flex items from overflowing */
+.flex-item {
+  min-width: 0; /* Allow shrinking below content size */
+  overflow: hidden;
+}
+
+/* Prevent grid items from overflowing */
+.grid-item {
+  min-width: 0;
+  min-height: 0;
+}
+```
+
+**Responsive text sizing**:
+- Use `clamp()` for fluid typography
+- Set minimum readable sizes (14px on mobile)
+- Test text scaling (zoom to 200%)
+- Ensure containers expand with text
+
+### Internationalization (i18n)
+
+**Text expansion**:
+- Add 30-40% space budget for translations
+- Use flexbox/grid that adapts to content
+- Test with longest language (usually German)
+- Avoid fixed widths on text containers
+
+```jsx
+// ❌ Bad: Assumes short English text
+<button className="w-24">Submit</button>
+
+// ✅ Good: Adapts to content
+<button className="px-4 py-2">Submit</button>
+```
+
+**RTL (Right-to-Left) support**:
+```css
+/* Use logical properties */
+margin-inline-start: 1rem; /* Not margin-left */
+padding-inline: 1rem; /* Not padding-left/right */
+border-inline-end: 1px solid; /* Not border-right */
+
+/* Or use dir attribute */
+[dir="rtl"] .arrow { transform: scaleX(-1); }
+```
+
+**Character set support**:
+- Use UTF-8 encoding everywhere
+- Test with Chinese/Japanese/Korean (CJK) characters
+- Test with emoji (they can be 2-4 bytes)
+- Handle different scripts (Latin, Cyrillic, Arabic, etc.)
+
+**Date/Time formatting**:
+```javascript
+// ✅ Use Intl API for proper formatting
+new Intl.DateTimeFormat('en-US').format(date); // 1/15/2024
+new Intl.DateTimeFormat('de-DE').format(date); // 15.1.2024
+
+new Intl.NumberFormat('en-US', { 
+  style: 'currency', 
+  currency: 'USD' 
+}).format(1234.56); // $1,234.56
+```
+
+**Pluralization**:
+```javascript
+// ❌ Bad: Assumes English pluralization
+`${count} item${count !== 1 ? 's' : ''}`
+
+// ✅ Good: Use proper i18n library
+t('items', { count }) // Handles complex plural rules
+```
+
+### Error Handling
+
+**Network errors**:
+- Show clear error messages
+- Provide retry button
+- Explain what happened
+- Offer offline mode (if applicable)
+- Handle timeout scenarios
+
+```jsx
+// Error states with recovery
+{error && (
+  <ErrorMessage>
+    <p>Failed to load data. {error.message}</p>
+    <button onClick={retry}>Try again</button>
+  </ErrorMessage>
+)}
+```
+
+**Form validation errors**:
+- Inline errors near fields
+- Clear, specific messages
+- Suggest corrections
+- Don't block submission unnecessarily
+- Preserve user input on error
+
+**API errors**:
+- Handle each status code appropriately
+  - 400: Show validation errors
+  - 401: Redirect to login
+  - 403: Show permission error
+  - 404: Show not found state
+  - 429: Show rate limit message
+  - 500: Show generic error, offer support
+
+**Graceful degradation**:
+- Core functionality works without JavaScript
+- Images have alt text
+- Progressive enhancement
+- Fallbacks for unsupported features
+
+### Edge Cases & Boundary Conditions
+
+**Empty states**:
+- No items in list
+- No search results
+- No notifications
+- No data to display
+- Provide clear next action
+
+**Loading states**:
+- Initial load
+- Pagination load
+- Refresh
+- Show what's loading ("Loading your projects...")
+- Time estimates for long operations
+
+**Large datasets**:
+- Pagination or virtual scrolling
+- Search/filter capabilities
+- Performance optimization
+- Don't load all 10,000 items at once
+
+**Concurrent operations**:
+- Prevent double-submission (disable button while loading)
+- Handle race conditions
+- Optimistic updates with rollback
+- Conflict resolution
+
+**Permission states**:
+- No permission to view
+- No permission to edit
+- Read-only mode
+- Clear explanation of why
+
+**Browser compatibility**:
+- Polyfills for modern features
+- Fallbacks for unsupported CSS
+- Feature detection (not browser detection)
+- Test in target browsers
+
+### Input Validation & Sanitization
+
+**Client-side validation**:
+- Required fields
+- Format validation (email, phone, URL)
+- Length limits
+- Pattern matching
+- Custom validation rules
+
+**Server-side validation** (always):
+- Never trust client-side only
+- Validate and sanitize all inputs
+- Protect against injection attacks
+- Rate limiting
+
+**Constraint handling**:
+```html
+<!-- Set clear constraints -->
+<input 
+  type="text"
+  maxlength="100"
+  pattern="[A-Za-z0-9]+"
+  required
+  aria-describedby="username-hint"
+/>
+<small id="username-hint">
+  Letters and numbers only, up to 100 characters
+</small>
+```
+
+### Accessibility Resilience
+
+**Keyboard navigation**:
+- All functionality accessible via keyboard
+- Logical tab order
+- Focus management in modals
+- Skip links for long content
+
+**Screen reader support**:
+- Proper ARIA labels
+- Announce dynamic changes (live regions)
+- Descriptive alt text
+- Semantic HTML
+
+**Motion sensitivity**:
+```css
+@media (prefers-reduced-motion: reduce) {
+  * {
+    animation-duration: 0.01ms !important;
+    animation-iteration-count: 1 !important;
+    transition-duration: 0.01ms !important;
+  }
+}
+```
+
+**High contrast mode**:
+- Test in Windows high contrast mode
+- Don't rely only on color
+- Provide alternative visual cues
+
+### Performance Resilience
+
+**Slow connections**:
+- Progressive image loading
+- Skeleton screens
+- Optimistic UI updates
+- Offline support (service workers)
+
+**Memory leaks**:
+- Clean up event listeners
+- Cancel subscriptions
+- Clear timers/intervals
+- Abort pending requests on unmount
+
+**Throttling & Debouncing**:
+```javascript
+// Debounce search input
+const debouncedSearch = debounce(handleSearch, 300);
+
+// Throttle scroll handler
+const throttledScroll = throttle(handleScroll, 100);
+```
+
+## Testing Strategies
+
+**Manual testing**:
+- Test with extreme data (very long, very short, empty)
+- Test in different languages
+- Test offline
+- Test slow connection (throttle to 3G)
+- Test with screen reader
+- Test keyboard-only navigation
+- Test on old browsers
+
+**Automated testing**:
+- Unit tests for edge cases
+- Integration tests for error scenarios
+- E2E tests for critical paths
+- Visual regression tests
+- Accessibility tests (axe, WAVE)
+
+**IMPORTANT**: Hardening is about expecting the unexpected. Real users will do things you never imagined.
+
+**NEVER**:
+- Assume perfect input (validate everything)
+- Ignore internationalization (design for global)
+- Leave error messages generic ("Error occurred")
+- Forget offline scenarios
+- Trust client-side validation alone
+- Use fixed widths for text
+- Assume English-length text
+- Block entire interface when one component errors
+
+## Verify Hardening
+
+Test thoroughly with edge cases:
+
+- **Long text**: Try names with 100+ characters
+- **Emoji**: Use emoji in all text fields
+- **RTL**: Test with Arabic or Hebrew
+- **CJK**: Test with Chinese/Japanese/Korean
+- **Network issues**: Disable internet, throttle connection
+- **Large datasets**: Test with 1000+ items
+- **Concurrent actions**: Click submit 10 times rapidly
+- **Errors**: Force API errors, test all error states
+- **Empty**: Remove all data, test empty states
+
+When edge cases are covered, hand off to `{{command_prefix}}impeccable polish` for the final pass.

.agents/skills/impeccable/reference/heuristics-scoring.md

@@ -0,0 +1,234 @@
+# Heuristics Scoring Guide
+
+Score each of Nielsen's 10 Usability Heuristics on a 0–4 scale. Be honest: a 4 means genuinely excellent, not "good enough."
+
+## Nielsen's 10 Heuristics
+
+### 1. Visibility of System Status
+
+Keep users informed about what's happening through timely, appropriate feedback.
+
+**Check for**:
+- Loading indicators during async operations
+- Confirmation of user actions (save, submit, delete)
+- Progress indicators for multi-step processes
+- Current location in navigation (breadcrumbs, active states)
+- Form validation feedback (inline, not just on submit)
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | No feedback; user is guessing what happened |
+| 1 | Rare feedback; most actions produce no visible response |
+| 2 | Partial; some states communicated, major gaps remain |
+| 3 | Good; most operations give clear feedback, minor gaps |
+| 4 | Excellent; every action confirms, progress is always visible |
+
+### 2. Match Between System and Real World
+
+Speak the user's language. Follow real-world conventions. Information appears in natural, logical order.
+
+**Check for**:
+- Familiar terminology (no unexplained jargon)
+- Logical information order matching user expectations
+- Recognizable icons and metaphors
+- Domain-appropriate language for the target audience
+- Natural reading flow (left-to-right, top-to-bottom priority)
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | Pure tech jargon, alien to users |
+| 1 | Mostly confusing; requires domain expertise to navigate |
+| 2 | Mixed; some plain language, some jargon leaks through |
+| 3 | Mostly natural; occasional term needs context |
+| 4 | Speaks the user's language fluently throughout |
+
+### 3. User Control and Freedom
+
+Users need a clear "emergency exit" from unwanted states without extended dialogue.
+
+**Check for**:
+- Undo/redo functionality
+- Cancel buttons on forms and modals
+- Clear navigation back to safety (home, previous)
+- Easy way to clear filters, search, selections
+- Escape from long or multi-step processes
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | Users get trapped; no way out without refreshing |
+| 1 | Difficult exits; must find obscure paths to escape |
+| 2 | Some exits; main flows have escape, edge cases don't |
+| 3 | Good control; users can exit and undo most actions |
+| 4 | Full control; undo, cancel, back, and escape everywhere |
+
+### 4. Consistency and Standards
+
+Users shouldn't wonder whether different words, situations, or actions mean the same thing.
+
+**Check for**:
+- Consistent terminology throughout the interface
+- Same actions produce same results everywhere
+- Platform conventions followed (standard UI patterns)
+- Visual consistency (colors, typography, spacing, components)
+- Consistent interaction patterns (same gesture = same behavior)
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | Inconsistent everywhere; feels like different products stitched together |
+| 1 | Many inconsistencies; similar things look/behave differently |
+| 2 | Partially consistent; main flows match, details diverge |
+| 3 | Mostly consistent; occasional deviation, nothing confusing |
+| 4 | Fully consistent; cohesive system, predictable behavior |
+
+### 5. Error Prevention
+
+Better than good error messages is a design that prevents problems in the first place.
+
+**Check for**:
+- Confirmation before destructive actions (delete, overwrite)
+- Constraints preventing invalid input (date pickers, dropdowns)
+- Smart defaults that reduce errors
+- Clear labels that prevent misunderstanding
+- Autosave and draft recovery
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | Errors easy to make; no guardrails anywhere |
+| 1 | Few safeguards; some inputs validated, most aren't |
+| 2 | Partial prevention; common errors caught, edge cases slip |
+| 3 | Good prevention; most error paths blocked proactively |
+| 4 | Excellent; errors nearly impossible through smart constraints |
+
+### 6. Recognition Rather Than Recall
+
+Minimize memory load. Make objects, actions, and options visible or easily retrievable.
+
+**Check for**:
+- Visible options (not buried in hidden menus)
+- Contextual help when needed (tooltips, inline hints)
+- Recent items and history
+- Autocomplete and suggestions
+- Labels on icons (not icon-only navigation)
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | Heavy memorization; users must remember paths and commands |
+| 1 | Mostly recall; many hidden features, few visible cues |
+| 2 | Some aids; main actions visible, secondary features hidden |
+| 3 | Good recognition; most things discoverable, few memory demands |
+| 4 | Everything discoverable; users never need to memorize |
+
+### 7. Flexibility and Efficiency of Use
+
+Accelerators, invisible to novices, speed up expert interaction.
+
+**Check for**:
+- Keyboard shortcuts for common actions
+- Customizable interface elements
+- Recent items and favorites
+- Bulk/batch actions
+- Power user features that don't complicate the basics
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | One rigid path; no shortcuts or alternatives |
+| 1 | Limited flexibility; few alternatives to the main path |
+| 2 | Some shortcuts; basic keyboard support, limited bulk actions |
+| 3 | Good accelerators; keyboard nav, some customization |
+| 4 | Highly flexible; multiple paths, power features, customizable |
+
+### 8. Aesthetic and Minimalist Design
+
+Interfaces should not contain irrelevant or rarely needed information. Every element should serve a purpose.
+
+**Check for**:
+- Only necessary information visible at each step
+- Clear visual hierarchy directing attention
+- Purposeful use of color and emphasis
+- No decorative clutter competing for attention
+- Focused, uncluttered layouts
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | Overwhelming; everything competes for attention equally |
+| 1 | Cluttered; too much noise, hard to find what matters |
+| 2 | Some clutter; main content clear, periphery noisy |
+| 3 | Mostly clean; focused design, minor visual noise |
+| 4 | Perfectly minimal; every element earns its pixel |
+
+### 9. Help Users Recognize, Diagnose, and Recover from Errors
+
+Error messages should use plain language, precisely indicate the problem, and constructively suggest a solution.
+
+**Check for**:
+- Plain language error messages (no error codes for users)
+- Specific problem identification ("Email is missing @" not "Invalid input")
+- Actionable recovery suggestions
+- Errors displayed near the source of the problem
+- Non-blocking error handling (don't wipe the form)
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | Cryptic errors; codes, jargon, or no message at all |
+| 1 | Vague errors; "Something went wrong" with no guidance |
+| 2 | Clear but unhelpful; names the problem but not the fix |
+| 3 | Clear with suggestions; identifies problem and offers next steps |
+| 4 | Perfect recovery; pinpoints issue, suggests fix, preserves user work |
+
+### 10. Help and Documentation
+
+Even if the system is usable without docs, help should be easy to find, task-focused, and concise.
+
+**Check for**:
+- Searchable help or documentation
+- Contextual help (tooltips, inline hints, guided tours)
+- Task-focused organization (not feature-organized)
+- Concise, scannable content
+- Easy access without leaving current context
+
+**Scoring**:
+| Score | Criteria |
+|-------|----------|
+| 0 | No help available anywhere |
+| 1 | Help exists but hard to find or irrelevant |
+| 2 | Basic help; FAQ or docs exist, not contextual |
+| 3 | Good documentation; searchable, mostly task-focused |
+| 4 | Excellent contextual help; right info at the right moment |
+
+---
+
+## Score Summary
+
+**Total possible**: 40 points (10 heuristics × 4 max)
+
+| Score Range | Rating | What It Means |
+|-------------|--------|---------------|
+| 36–40 | Excellent | Minor polish only; ship it |
+| 28–35 | Good | Address weak areas, solid foundation |
+| 20–27 | Acceptable | Significant improvements needed before users are happy |
+| 12–19 | Poor | Major UX overhaul required; core experience broken |
+| 0–11 | Critical | Redesign needed; unusable in current state |
+
+---
+
+## Issue Severity (P0–P3)
+
+Tag each individual issue found during scoring with a priority level:
+
+| Priority | Name | Description | Action |
+|----------|------|-------------|--------|
+| **P0** | Blocking | Prevents task completion entirely | Fix immediately; this is a showstopper |
+| **P1** | Major | Causes significant difficulty or confusion | Fix before release |
+| **P2** | Minor | Annoyance, but workaround exists | Fix in next pass |
+| **P3** | Polish | Nice-to-fix, no real user impact | Fix if time permits |
+
+**Tip**: If you're unsure between two levels, ask: "Would a user contact support about this?" If yes, it's at least P1.

.agents/skills/impeccable/reference/interaction-design.md

@@ -0,0 +1,195 @@
+# Interaction Design
+
+## The Eight Interactive States
+
+Every interactive element needs these states designed:
+
+| State | When | Visual Treatment |
+|-------|------|------------------|
+| **Default** | At rest | Base styling |
+| **Hover** | Pointer over (not touch) | Subtle lift, color shift |
+| **Focus** | Keyboard/programmatic focus | Visible ring (see below) |
+| **Active** | Being pressed | Pressed in, darker |
+| **Disabled** | Not interactive | Reduced opacity, no pointer |
+| **Loading** | Processing | Spinner, skeleton |
+| **Error** | Invalid state | Red border, icon, message |
+| **Success** | Completed | Green check, confirmation |
+
+**The common miss**: Designing hover without focus, or vice versa. They're different. Keyboard users never see hover states.
+
+## Focus Rings: Do Them Right
+
+**Never `outline: none` without replacement.** It's an accessibility violation. Instead, use `:focus-visible` to show focus only for keyboard users:
+
+```css
+/* Hide focus ring for mouse/touch */
+button:focus {
+  outline: none;
+}
+
+/* Show focus ring for keyboard */
+button:focus-visible {
+  outline: 2px solid var(--color-accent);
+  outline-offset: 2px;
+}
+```
+
+**Focus ring design**:
+- High contrast (3:1 minimum against adjacent colors)
+- 2-3px thick
+- Offset from element (not inside it)
+- Consistent across all interactive elements
+
+## Form Design: The Non-Obvious
+
+**Placeholders aren't labels.** They disappear on input. Always use visible `<label>` elements. **Validate on blur**, not on every keystroke (exception: password strength). Place errors **below** fields with `aria-describedby` connecting them.
+
+## Loading States
+
+**Optimistic updates**: Show success immediately, rollback on failure. Use for low-stakes actions (likes, follows), not payments or destructive actions. **Skeleton screens > spinners**: they preview content shape and feel faster than generic spinners.
+
+## Modals: The Inert Approach
+
+Focus trapping in modals used to require complex JavaScript. Now use the `inert` attribute:
+
+```html
+<!-- When modal is open -->
+<main inert>
+  <!-- Content behind modal can't be focused or clicked -->
+</main>
+<dialog open>
+  <h2>Modal Title</h2>
+  <!-- Focus stays inside modal -->
+</dialog>
+```
+
+Or use the native `<dialog>` element:
+
+```javascript
+const dialog = document.querySelector('dialog');
+dialog.showModal();  // Opens with focus trap, closes on Escape
+```
+
+## The Popover API
+
+For tooltips, dropdowns, and non-modal overlays, use native popovers:
+
+```html
+<button popovertarget="menu">Open menu</button>
+<div id="menu" popover>
+  <button>Option 1</button>
+  <button>Option 2</button>
+</div>
+```
+
+**Benefits**: Light-dismiss (click outside closes), proper stacking, no z-index wars, accessible by default.
+
+## Dropdown & Overlay Positioning
+
+Dropdowns rendered with `position: absolute` inside a container that has `overflow: hidden` or `overflow: auto` will be clipped. This is the single most common dropdown bug in generated code.
+
+### CSS Anchor Positioning
+
+The modern solution uses the CSS Anchor Positioning API to tether an overlay to its trigger without JavaScript:
+
+```css
+.trigger {
+  anchor-name: --menu-trigger;
+}
+
+.dropdown {
+  position: fixed;
+  position-anchor: --menu-trigger;
+  position-area: block-end span-inline-end;
+  margin-top: 4px;
+}
+
+/* Flip above if no room below */
+@position-try --flip-above {
+  position-area: block-start span-inline-end;
+  margin-bottom: 4px;
+}
+```
+
+Because the dropdown uses `position: fixed`, it escapes any `overflow` clipping on ancestor elements. The `@position-try` block handles viewport edges automatically. **Browser support**: Chrome 125+, Edge 125+. Not yet in Firefox or Safari - use a fallback for those browsers.
+
+### Popover + Anchor Combo
+
+Combining the Popover API with anchor positioning gives you stacking, light-dismiss, accessibility, and correct positioning in one pattern:
+
+```html
+<button popovertarget="menu" class="trigger">Open</button>
+<div id="menu" popover class="dropdown">
+  <button>Option 1</button>
+  <button>Option 2</button>
+</div>
+```
+
+The `popover` attribute places the element in the **top layer**, which sits above all other content regardless of z-index or overflow. No portal needed.
+
+### Portal / Teleport Pattern
+
+In component frameworks, render the dropdown at the document root and position it with JavaScript:
+
+- **React**: `createPortal(dropdown, document.body)`
+- **Vue**: `<Teleport to="body">`
+- **Svelte**: Use a portal library or mount to `document.body`
+
+Calculate position from the trigger's `getBoundingClientRect()`, then apply `position: fixed` with `top` and `left` values. Recalculate on scroll and resize.
+
+### Fixed Positioning Fallback
+
+For browsers without anchor positioning support, `position: fixed` with manual coordinates avoids overflow clipping:
+
+```css
+.dropdown {
+  position: fixed;
+  /* top/left set via JS from trigger's getBoundingClientRect() */
+}
+```
+
+Check viewport boundaries before rendering. If the dropdown would overflow the bottom edge, flip it above the trigger. If it would overflow the right edge, align it to the trigger's right side instead.
+
+### Anti-Patterns
+
+- **`position: absolute` inside `overflow: hidden`** - The dropdown will be clipped. Use `position: fixed` or the top layer instead.
+- **Arbitrary z-index values** like `z-index: 9999` - Use a semantic z-index scale: `dropdown (100) -> sticky (200) -> modal-backdrop (300) -> modal (400) -> toast (500) -> tooltip (600)`.
+- **Rendering dropdown markup inline** without an escape hatch from the parent's stacking context. Either use `popover` (top layer), a portal, or `position: fixed`.
+
+## Destructive Actions: Undo > Confirm
+
+**Undo is better than confirmation dialogs.** Users click through confirmations mindlessly. Remove from UI immediately, show undo toast, actually delete after toast expires. Use confirmation only for truly irreversible actions (account deletion), high-cost actions, or batch operations.
+
+## Keyboard Navigation Patterns
+
+### Roving Tabindex
+
+For component groups (tabs, menu items, radio groups), one item is tabbable; arrow keys move within:
+
+```html
+<div role="tablist">
+  <button role="tab" tabindex="0">Tab 1</button>
+  <button role="tab" tabindex="-1">Tab 2</button>
+  <button role="tab" tabindex="-1">Tab 3</button>
+</div>
+```
+
+Arrow keys move `tabindex="0"` between items. Tab moves to the next component entirely.
+
+### Skip Links
+
+Provide skip links (`<a href="#main-content">Skip to main content</a>`) for keyboard users to jump past navigation. Hide off-screen, show on focus.
+
+## Gesture Discoverability
+
+Swipe-to-delete and similar gestures are invisible. Hint at their existence:
+
+- **Partially reveal**: Show delete button peeking from edge
+- **Onboarding**: Coach marks on first use
+- **Alternative**: Always provide a visible fallback (menu with "Delete")
+
+Don't rely on gestures as the only way to perform actions.
+
+---
+
+**Avoid**: Removing focus indicators without alternatives. Using placeholder text as labels. Touch targets <44x44px. Generic error messages. Custom controls without ARIA/keyboard support.

.agents/skills/impeccable/reference/layout.md

@@ -0,0 +1,141 @@
+Space is the most underused design tool. Find the layout's actual problem (monotone spacing, weak hierarchy, identical card grids, the centered-stack default) and fix the structure, not the surface.
+
+---
+
+## Register
+
+Brand: asymmetric compositions, fluid spacing with `clamp()`, intentional grid-breaking for emphasis. Rhythm through contrast: tight groupings paired with generous separations.
+
+Product: predictable grids, consistent densities, familiar navigation patterns. Responsive behavior is structural (collapse sidebar, responsive table), not fluid typography. Consistency IS an affordance.
+
+---
+
+## Assess Current Layout
+
+Analyze what's weak about the current spatial design:
+
+1. **Spacing**:
+   - Is spacing consistent or arbitrary? (Random padding/margin values)
+   - Is all spacing the same? (Equal padding everywhere = no rhythm)
+   - Are related elements grouped tightly, with generous space between groups?
+
+2. **Visual hierarchy**:
+   - Apply the squint test: blur your (metaphorical) eyes. Can you still identify the most important element, second most important, and clear groupings?
+   - Is hierarchy achieved effectively? (Space and weight alone can be enough; is the current approach working?)
+   - Does whitespace guide the eye to what matters?
+
+3. **Grid & structure**:
+   - Is there a clear underlying structure, or does the layout feel random?
+   - Are identical card grids used everywhere? (Icon + heading + text, repeated endlessly)
+   - Is everything centered? (Left-aligned with asymmetric layouts feels more designed, but not a hard and fast rule)
+
+4. **Rhythm & variety**:
+   - Does the layout have visual rhythm? (Alternating tight/generous spacing)
+   - Is every section structured the same way? (Monotonous repetition)
+   - Are there intentional moments of surprise or emphasis?
+
+5. **Density**:
+   - Is the layout too cramped? (Not enough breathing room)
+   - Is the layout too sparse? (Excessive whitespace without purpose)
+   - Does density match the content type? (Data-dense UIs need tighter spacing; marketing pages need more air)
+
+**CRITICAL**: Layout problems are often the root cause of interfaces feeling "off" even when colors and fonts are fine. Space is a design material; use it with intention.
+
+## Plan Layout Improvements
+
+Consult the [spatial design reference](spatial-design.md) for detailed guidance on grids, rhythm, and container queries.
+
+Create a systematic plan:
+
+- **Spacing system**: Use a consistent scale (a framework's built-in scale like Tailwind's, rem-based tokens, or a custom system). The specific values matter less than consistency.
+- **Hierarchy strategy**: How will space communicate importance?
+- **Layout approach**: What structure fits the content? Flex for 1D, Grid for 2D, named areas for complex page layouts.
+- **Rhythm**: Where should spacing be tight vs generous?
+
+## Improve Layout Systematically
+
+### Establish a Spacing System
+
+- Use a consistent spacing scale (framework scales like Tailwind, rem-based tokens, or a custom scale all work). What matters is that values come from a defined set, not arbitrary numbers.
+- Name tokens semantically if using custom properties: `--space-xs` through `--space-xl`, not `--spacing-8`
+- Use `gap` for sibling spacing instead of margins; eliminates margin collapse hacks
+- Apply `clamp()` for fluid spacing that breathes on larger screens
+
+### Create Visual Rhythm
+
+- **Tight grouping** for related elements (8-12px between siblings)
+- **Generous separation** between distinct sections (48-96px)
+- **Varied spacing** within sections (not every row needs the same gap)
+- **Asymmetric compositions**: break the predictable centered-content pattern when it makes sense
+
+### Choose the Right Layout Tool
+
+- **Use Flexbox for 1D layouts**: Rows of items, nav bars, button groups, card contents, most component internals. Flex is simpler and more appropriate for the majority of layout tasks.
+- **Use Grid for 2D layouts**: Page-level structure, dashboards, data-dense interfaces, anything where rows AND columns need coordinated control.
+- **Don't default to Grid** when Flexbox with `flex-wrap` would be simpler and more flexible.
+- Use `repeat(auto-fit, minmax(280px, 1fr))` for responsive grids without breakpoints.
+- Use named grid areas (`grid-template-areas`) for complex page layouts; redefine at breakpoints.
+
+### Break Card Grid Monotony
+
+- Don't default to card grids for everything; spacing and alignment create visual grouping naturally
+- Use cards only when content is truly distinct and actionable. Never nest cards inside cards
+- Vary card sizes, span columns, or mix cards with non-card content to break repetition
+
+### Strengthen Visual Hierarchy
+
+- Use the fewest dimensions needed for clear hierarchy. Space alone can be enough; generous whitespace around an element draws the eye. Some of the most polished designs achieve rhythm with just space and weight. Add color or size contrast only when simpler means aren't sufficient.
+- Be aware of reading flow: in LTR languages, the eye naturally scans top-left to bottom-right, but primary action placement depends on context (e.g., bottom-right in dialogs, top in navigation).
+- Create clear content groupings through proximity and separation.
+
+### Manage Depth & Elevation
+
+- Create a semantic z-index scale (dropdown → sticky → modal-backdrop → modal → toast → tooltip)
+- Build a consistent shadow scale (sm → md → lg → xl); shadows should be subtle
+- Use elevation to reinforce hierarchy, not as decoration
+
+### Optical Adjustments
+
+- If an icon looks visually off-center despite being geometrically centered, nudge it. But only if you're confident it actually looks wrong. Don't adjust speculatively.
+
+**NEVER**:
+- Use arbitrary spacing values outside your scale
+- Make all spacing equal (variety creates hierarchy)
+- Wrap everything in cards (not everything needs a container)
+- Nest cards inside cards (use spacing and dividers for hierarchy within)
+- Use identical card grids everywhere (icon + heading + text, repeated)
+- Center everything (left-aligned with asymmetry feels more designed)
+- Default to the hero metric layout (big number, small label, stats, gradient) as a template. If showing real user data, a prominent metric can work, but it should display actual data, not decorative numbers.
+- Default to CSS Grid when Flexbox would be simpler; use the simplest tool for the job
+- Use arbitrary z-index values (999, 9999); build a semantic scale
+
+## Verify Layout Improvements
+
+- **Squint test**: Can you identify primary, secondary, and groupings with blurred vision?
+- **Rhythm**: Does the page have a satisfying beat of tight and generous spacing?
+- **Hierarchy**: Is the most important content obvious within 2 seconds?
+- **Breathing room**: Does the layout feel comfortable, not cramped or wasteful?
+- **Consistency**: Is the spacing system applied uniformly?
+- **Responsiveness**: Does the layout adapt gracefully across screen sizes?
+
+When the rhythm and hierarchy land, hand off to `{{command_prefix}}impeccable polish` for the final pass.
+
+## Live-mode signature params
+
+Each variant MUST declare a `density` param. Drive all spacing tokens in the variant's scoped CSS through `calc(var(--p-density, 1) * <base>)`: paddings, gaps, column widths. Users slide from airy to packed and see layout re-breathe with no regeneration.
+
+```json
+{"id":"density","kind":"range","min":0.6,"max":1.4,"step":0.05,"default":1,"label":"Density"}
+```
+
+For variants whose topology genuinely changes (stacked vs. side-by-side, grid vs. bento), use a `steps` param whose scoped CSS branches via `:scope[data-p-structure="X"]`. One structure param + one density param is a powerful combo; resist adding a third.
+
+```json
+{"id":"structure","kind":"steps","default":"grid","label":"Structure","options":[
+  {"value":"stacked","label":"Stacked"},
+  {"value":"grid","label":"Grid"},
+  {"value":"bento","label":"Bento"}
+]}
+```
+
+See `reference/live.md` for the full params contract.

.agents/skills/impeccable/reference/live.md

@@ -0,0 +1,622 @@
+Interactive live variant mode: select elements in the browser, pick a design action, and get AI-generated HTML+CSS variants hot-swapped via the dev server's HMR.
+
+## Prerequisites
+
+A running dev server with hot module replacement (Vite, Next.js, Bun, etc.), OR a static HTML file open in the browser.
+
+## The contract (read once)
+
+Execute in order. No step skipped, no step reordered.
+
+1. `live.mjs`: boot.
+2. Navigate to the URL that serves `pageFile` (infer from `package.json`, docs, terminal output, or an open tab). If you can't infer it confidently, tell the user once to open their dev/preview URL. Never use `serverPort` as that URL; it's the helper, not the app.
+3. Poll loop with the default long timeout (600000 ms). After every event or `--reply`, run `live-poll.mjs` again immediately. Never pass a short `--timeout=`.
+4. On `generate`: read screenshot if present; load the action's reference; plan three distinct directions; write all variants in one edit; `--reply done`; poll again.
+5. On `accept` / `discard`: the poll script runs `live-accept.mjs`, acknowledges the delivered event, and prints `_completionAck`. Plain accepts/discards are terminal immediately; carbonize accepts remain recoverable until you finish cleanup, run `live-complete.mjs --id EVENT_ID`, and only then poll again.
+6. If interrupted, run `live-status.mjs` or `live-resume.mjs` before guessing. The durable journal replays unacknowledged work after helper restart.
+7. On `exit`: run the cleanup at the bottom.
+
+Harness policy:
+- **Claude Code**: run the poll as a **background task** (no short timeout). The harness notifies you when it completes, so the main conversation stays free. Do not block the shell.
+- **Cursor**: run the poll in the **foreground** (blocking shell; not a background terminal, not a subagent). Cursor background terminals and subagents do not reliably resume the chat with poll stdout.
+- **Codex**: run the poll in the **foreground** (blocking shell; not a background task, not a subagent). Codex background exec sessions do not reliably surface poll stdout back into the conversation at the moment events arrive, so a "fire-and-forget" background poll will stall live mode.
+- **Other harnesses**: foreground unless you know stdout reliably returns to this session.
+
+Chat is overhead. No recap, no tutorial output, no pasting PRODUCT / DESIGN bodies. Spend tokens on tools and edits; on failure, one or two short sentences.
+
+## Start
+
+```bash
+node {{scripts_path}}/live.mjs
+```
+
+Output JSON: `{ ok, serverPort, serverToken, pageFiles, hasProduct, product, productPath, hasDesign, design, designPath, migrated }`. `pageFiles` is the list of HTML entries the live script was injected into. Keep PRODUCT.md and DESIGN.md in mind for variant generation; **DESIGN.md wins on visual decisions; PRODUCT.md wins on strategic/voice decisions.** When DESIGN.md is missing, identity is **not** absent; extract it from CSS variables, computed styles, and sibling components on the page (see Step 4 Phase A). Identity preservation is the default; departure from existing identity requires an explicit trigger from PRODUCT.md anti-references or the user's freeform prompt. If `migrated: true`, the loader auto-renamed legacy `.impeccable.md` to `PRODUCT.md`; mention this once and suggest `/impeccable document` for the matching DESIGN.md.
+
+`serverPort` and `serverToken` belong to the small **Impeccable live helper** HTTP server (serves `/live.js`, SSE, and `/poll`). That port is **not** your dev server and is usually not the URL you open to view the app. The browser page is whatever origin serves one of the `pageFiles` entries (Vite / Next / Bun / tunnel / LAN hostname).
+
+If output is `{ ok: false, error: "config_missing" | "config_invalid", path }`, this project hasn't been configured for live mode (or its config is stale). See **First-time setup** at the bottom.
+
+## Poll loop
+
+```
+LOOP:
+  node {{scripts_path}}/live-poll.mjs   # default long timeout; no --timeout=
+  Read JSON; dispatch on "type"
+
+  "generate"  → Handle Generate; reply done; LOOP
+  "accept"    → Handle Accept; complete carbonize cleanup if required; LOOP
+  "discard"   → Handle Discard; LOOP
+  "prefetch"  → Handle Prefetch; LOOP
+  "timeout"   → LOOP
+  "exit"      → break → Cleanup
+```
+
+## Recovery commands
+
+The live helper persists an append-only journal under `.impeccable/live/sessions/`. Browser checkpoints are advisory but durable; the journal is canonical. This is local durable recovery state, not project source.
+
+Use these commands when the chat was interrupted, polling was missed, the helper restarted, or the browser reloaded:
+
+```bash
+node {{scripts_path}}/live-status.mjs
+node {{scripts_path}}/live-resume.mjs --id SESSION_ID
+node {{scripts_path}}/live-complete.mjs --id SESSION_ID
+```
+
+- `live-status.mjs` prints connected helper state, active durable sessions, and queued pending events. It works even when the helper is down by reading the journal directly.
+- `live-resume.mjs` prints the active snapshot, pending event, checkpoint phase, visible variant, parameter values, and the next safe agent action.
+- `live-complete.mjs` is the canonical manual final acknowledgement. Use it after carbonize/manual cleanup is verified and no further poll acknowledgement will happen automatically.
+
+Server restart rule: start `live-server.mjs` again, then poll. Startup requeues unacknowledged pending events from the journal, so do not ask the user to click Go again unless `live-resume.mjs` says no active session exists.
+
+## Handle `generate`
+
+Event: `{id, action, freeformPrompt?, count, pageUrl, element, screenshotPath?, comments?, strokes?}`.
+
+Speed matters; the user is watching a spinner. Minimize tool calls by using the `wrap` helper and writing all variants in a single edit.
+
+### 1. Read the screenshot (if present)
+
+`event.screenshotPath` is **only sent when the user placed at least one comment or stroke before Go.** When present, it's an absolute path to a PNG of the element as rendered with the annotations baked in. **Read it before planning**: annotations encode user intent not recoverable from `element.outerHTML` alone.
+
+When `screenshotPath` is absent, don't ask for one and don't go looking for the current rendering. The omission is deliberate: without annotations, a screenshot would anchor the model on the existing design and fight the three-distinct-directions brief. Work from `element.outerHTML`, the computed styles in `event.element`, and the freeform prompt if present.
+
+`event.comments` and `event.strokes` carry structured metadata alongside the visual. Treat the screenshot as primary; use the structured data for specifics worth quoting (e.g. the exact text of a comment).
+
+Reading annotations precisely:
+
+- **Comment position carries meaning.** Its `{x, y}` is element-local CSS px (same coord space as `element.boundingRect`). Find the child under that point and apply the comment text LOCALLY to that sub-element. A comment near the title is about the title, not a global description.
+- **Comments and strokes are independent annotations** unless clearly paired by overlap or tight proximity. Don't let the visual weight of a prominent stroke override the precise location of a textually-specific comment elsewhere.
+- **Strokes are gestures; read them by shape.** Closed loop = "this thing" (emphasis / focus); arrow = direction (move / point to); cross or slash = delete; free scribble = emphasis or delete depending on context. A loop around region X means "pay attention to X," not "only change pixels inside X."
+- **When a stroke's intent is ambiguous** (circle or arrow? emphasis or move?), state your reading in one sentence of rationale rather than silently guessing. If the uncertainty materially changes the brief, ask one short clarifying question before generating.
+
+### 2. Wrap the element
+
+```bash
+node {{scripts_path}}/live-wrap.mjs --id EVENT_ID --count EVENT_COUNT --element-id "ELEMENT_ID" --classes "class1,class2" --tag "div" --text "TEXT_SNIPPET"
+```
+
+Flag mapping. Keep them separate, don't collapse into `--query`:
+
+- `--element-id` ← `event.element.id`
+- `--classes` ← `event.element.classes` joined with commas
+- `--tag` ← `event.element.tagName`
+- `--text` ← first ~80 chars of `event.element.textContent` (trim, single-line). **Pass this every call.** When the picked element shares classes + tag with sibling components (a list of `<Card>`s, repeating sections), this is what disambiguates which branch in source to wrap. Without it, wrap silently lands on the first match and may rewrite the wrong element.
+
+The helper searches ID first, then classes, then tag + class combo. If `event.pageUrl` implies the file (e.g. `/` is usually `index.html`), pass `--file PATH` to skip the search. `--query` is a fallback for raw text search only; do not use it for normal element lookups.
+
+If `--text` matches multiple candidates equally well, wrap exits with `{ error: "element_ambiguous", candidates: [...] }` and `fallback: "agent-driven"`: read the candidate line ranges, decide which one matches the picked element from page context, and write the wrapper manually per the fallback flow.
+
+Output on success: `{ file, insertLine, commentSyntax, styleMode, styleTag, cssSelectorPrefixExamples, cssAuthoring }`.
+
+`styleMode` controls how preview CSS must be authored. Treat it as a detected capability mode, not a framework guess:
+
+- `scoped`: use `@scope ([data-impeccable-variant="N"])` rules.
+- `astro-global-prefixed`: use explicit `[data-impeccable-variant="N"]` selector prefixes and the exact `styleTag` returned by the tool.
+
+Use `cssAuthoring` as the source of truth for the current file. It includes the exact `styleTag`, selector strategy, selector examples, requirements, and forbidden patterns. Do not apply a framework-specific exception unless the returned `styleMode` / `cssAuthoring.mode` says to.
+
+**Fallback errors.** Wrap only writes into files it judges to be source (tracked by git, not marked GENERATED, not listed in config's `generatedFiles`). If it can't land on a source file, it errors without writing; accepting a variant into a generated file is silent data loss. Three shapes:
+
+- `{ error: "file_is_generated", file, hint }`: user-supplied `--file` points at a generated file.
+- `{ error: "element_not_in_source", generatedMatch, hint }`: element exists only in a generated file (the next build would wipe any edits).
+- `{ error: "element_not_found", hint }`: element isn't in any project file; likely runtime-injected (JS component, dynamic render from data).
+
+All three carry `fallback: "agent-driven"`. Follow **Handle fallback** below.
+
+### 3. Load the action's reference
+
+If `event.action` is `impeccable` (the default freeform action), use SKILL.md's shared laws plus the loaded register reference (`brand.md` or `product.md`). Do not load a sub-command reference. **Freeform is not a pass to skip parameters:** you still follow the composition budget and the freeform bias in **§7 Parameters** below. Sub-command files list MUST-have signature knobs; freeform has no such file, so sizing knobs from surface weight and primary axes is entirely on you.
+
+Any other `event.action` (`bolder`, `quieter`, `distill`, `polish`, `typeset`, `colorize`, `layout`, `adapt`, `animate`, `delight`, `overdrive`): Read `reference/<action>.md` before planning. Each sub-command encodes a specific discipline; skipping its reference produces generic output. Those files may require specific params; layer them on top of the §7 budget, not instead of it.
+
+### 4. Plan three variants: identity first, then mode, then axes
+
+The wrong frame for live mode is "show three different design directions." Live runs on an existing surface; the brand has already been chosen. The job is variation **within identity**, not selection between identities. Failure mode: three editorial-typographic variants on a brief that wasn't editorial. Bigger failure mode: three off-brand variants the user can't accept because they don't look like their product.
+
+Four phases. Do them in order.
+
+#### Phase A: Extract the identity (non-skippable)
+
+The existing surface has an identity already. Read it before planning anything. Sources, in priority order:
+
+1. **DESIGN.md** if loaded: read the visual system fields (palette, type pairing, motion, components). This is the authoritative answer.
+2. **CSS custom properties** in the page's stylesheets (`:root { --color-...; --font-...; ... }`): these are de-facto tokens.
+3. **Computed styles** on the picked element and its parent: colors, fonts, spacing scales, corner radii.
+4. **Sibling components on the page**: what visual rhetoric do existing components use? (Asymmetric or centered? Dense or airy? Bold or quiet?)
+
+Write down what you see in **one sentence**. The sentence describes the surface that's actually on screen; it is not aspirational, not opinionated, not edited toward what the brand "should" be. Capture, in roughly this order:
+
+- The dominant surface color and accent color, by hex or token name (use the actual values, not categories like "warm" or "neutral").
+- The type pairing: the actual font names loaded, primary first.
+- The layout topology: how the dominant elements are arranged (stacked / side-by-side / grid / asymmetric / overlay).
+- The surface treatment: corners, borders, shadows, density of decoration.
+- The voice tone you read off the copy itself, not off the aesthetic feel.
+
+Be specific. "Modern" is not a color, "elegant" is not a type pairing, "clean" is not a layout. If you can't extract a real value for an axis, skip it rather than fabricate. The point is to record what is, not to describe what you wish it were.
+
+Do not include adjectives that name an aesthetic family ("editorial-leaning", "terminal-flavored", "brutalist"); those are conclusions, not data. They belong to Phase C lane selection in departure mode, not to identity description. Letting them sneak into Phase A is how the identity-lock collapses into a self-fulfilling prophecy.
+
+This sentence is the **identity lock**. Every variant must be readable as the same brand if rendered side by side. Skipping this phase is the primary cause of off-brand variants. Absence of DESIGN.md is never an excuse; extract from CSS and computed styles instead.
+
+#### Phase B: Pick mode (default vs departure)
+
+**Default mode**: the existing identity is preserved. Variants vary expression axes within it. *This is the right mode for ~90% of live sessions.* The user picked an element on a real product they're shipping; they expect variants of *their* hero, not three different brands' heroes.
+
+**Departure mode**: the existing identity is rejected. Variants propose alternatives consistent with PRODUCT.md voice. Trigger only when at least one is true:
+
+- PRODUCT.md anti-references explicitly call out the current surface ("the current `index.html` is itself an example"; "diffuse away from this"; "the page on screen is the failure"). Generic anti-references that describe what to avoid in general do **not** trigger departure mode; only ones that point at *this* surface specifically.
+- The user's freeform prompt explicitly asks for departure ("rebuild this from scratch", "what if it weren't editorial at all", "show me something completely different").
+
+If you're unsure, you're in default mode. The cost of being wrong about default is "three on-brand variants with similar feel": recoverable, the user picks none. The cost of being wrong about departure is "three off-brand variants": unrecoverable, the user is annoyed.
+
+#### Phase C: Plan three variants
+
+**Default mode.** Each variant commits to a different **primary axis** of difference, while preserving the identity sentence. The six axes:
+
+1. **Hierarchy**: which element commands the eye?
+2. **Layout topology**: stacked / side-by-side / grid / asymmetric / overlay
+3. **Typographic system**: pairing logic, scale ratio, case/weight strategy *within the available faces*
+4. **Color strategy**: which existing palette role carries the surface (Restrained / Committed / Full palette / Drenched). Use the brand's existing palette tokens, not new colors.
+5. **Density**: minimal / comfortable / dense
+6. **Structural decomposition**: merge, split, progressive disclosure
+
+Three variants → three DIFFERENT axes. The trio reads as *the same brand at three angles*. Do not introduce new fonts, new palette hues, or new aesthetic-family signals; those belong to departure mode.
+
+**While planning each variant, also name its 2–3 parameter knobs** (per the §7 budget table). Parameters are part of the design, not a decoration added afterward. If the variant explores density, expose a density knob. If it explores color commitment, expose a color-amount range. Deciding "what's tunable" during planning produces better knobs than retrofitting them onto finished HTML.
+
+**Departure mode.** Each variant anchors to a different **aesthetic direction**, derived from the brand's stated voice and register in PRODUCT.md. Do NOT pick from a fixed catalog of lane categories. The right three directions for this brand are not the same as the right three for another brand, and picking from a list is itself the training-data reflex (the model selects "Swiss-grid, Terminal, Industrial-signage" every time because those are the furthest-from-editorial items in any enumerated list).
+
+Instead, work from the brand:
+
+1. Read PRODUCT.md's Brand Personality words. What physical, spatial, or material experiences would embody those words if design were not involved? (A personality described as "specific, earned, unmistakable" evokes a hand-stamped letter, a numbered print, a watchmaker's loupe. A personality described as "restless, loud, unfiltered" evokes a concert poster, a spray-painted wall, a megaphone.)
+2. From those physical experiences, derive three visual directions that are genuinely different from each other AND from the current surface you're departing.
+3. Avoid the **reflex-reject lanes** in [brand.md](brand.md). Don't trade one monoculture for another. If you find yourself reaching for "Swiss-grid" or "Terminal" or "Industrial-signage" by reflex, you are pattern-matching a catalog in your training data, not reading the brand. Start over from the personality words.
+4. Each direction must be expressible in one concrete sentence that names a real-world referent ("a museum exhibition label system for a contemporary art gallery" not "clean and minimal"). If your sentence contains only adjectives, it's not concrete enough.
+5. **While planning each direction, also name its 2–3 parameter knobs** (per the §7 budget table). The same principle as default mode: decide "what's tunable" during planning, not after writing the HTML. A departure-mode hero with 0 parameters is not "bold creative vision," it's a missed opportunity for the user to fine-tune the direction they pick.
+
+#### Phase D: Squint test
+
+**Default mode squint.** Read each variant's identity sentence and compare to the locked identity from Phase A. If any variant has drifted to a different palette, type voice, or visual rhetoric, it has crossed into departure mode by accident; rework. Then check that each variant commits to a different primary axis. Three "tighter density" variants is failure.
+
+**Departure mode squint.** Two passes, family before sentence:
+
+1. **Family pass.** Label each variant with one design-family word of your own choosing (any concrete noun: *exhibition, storefront, cockpit, recipe-card, playbill, field-manual*). If any two variants share a label, or if the label could apply to the other variants equally well, rework. Do not use a fixed vocabulary list for the labels. *This pass is non-negotiable in departure mode and catches the monoculture failure that the sentence pass misses.*
+2. **Sentence pass.** Write three one-sentence descriptions side by side. If two of them rhyme ("both feature big type" / "both are stacks of sections" / "both center the CTA"), rework the offender.
+
+**When the primary axis is color or theme, forbid the trio from sharing theme + dominant hue.** Two dark-plus-one-dark is not distinct. Aim for three color worlds, not three shades of the same.
+
+**For action-specific invocations**, each variant must vary along the dimension the action names:
+
+- `bolder`: amplify a different dimension per variant (scale / saturation / structural change). Not three "slightly bigger" variants.
+- `quieter`: pull back a different dimension (color / ornament / spacing).
+- `distill`: remove a different class of excess (visual noise / redundant content / nested structure).
+- `polish`: target a different refinement axis (rhythm / hierarchy / micro-details like corner radii, focus states, optical kerning).
+- `typeset`: different type pairing AND different scale ratio each. Not three riffs on one pairing.
+- `colorize`: different hue family each (not shades of one hue). Vary chroma and contrast strategy.
+- `layout`: different structural arrangement (stacked / side-by-side / grid / asymmetric). Not spacing tweaks.
+- `adapt`: different target context per variant (mobile-first / tablet / desktop / print or low-data). Don't make three mobile layouts.
+- `animate`: different motion vocabulary (cascade stagger / clip wipe / scale-and-focus / morph / parallax). Not three staggered fades.
+- `delight`: different flavor of personality (unexpected micro-interaction / typographic surprise / illustrated accent / sonic-or-haptic moment / easter-egg interaction).
+- `overdrive`: different convention broken (scale / structure / motion / input model / state transitions). Skip `overdrive.md`'s "propose and ask" step; live mode is non-interactive.
+
+### 5. Apply the freeform prompt (if present)
+
+`event.freeformPrompt` is the user's ceiling on direction (all variants must honor it), but still explore meaningfully different *interpretations*. The interpretations stay within whichever mode you picked in Phase B.
+
+In **default mode**, the prompt narrows the axes you choose, not the identity. *"Make it feel more confident"* → variant 1 amplifies hierarchy (one element commands the eye), variant 2 commits the existing accent color (Committed strategy on the brand's hue), variant 3 tightens density and removes decorative slack. Three different axes, same brand.
+
+In **departure mode**, the prompt narrows the lanes you draw from, not the families. *"Make it feel like a newspaper front page"* would itself be a departure-mode prompt; honor it but pick three meaningfully different newspaper-adjacent lanes (broadsheet vs. tabloid vs. trade journal), and run the family pass to confirm they don't collapse into one.
+
+When the prompt and PRODUCT.md anti-references conflict (the prompt asks for X, the anti-references ban X), the anti-references win; they describe the brand's standing position, the prompt is one moment.
+
+### 6. Write all variants in a single edit
+
+Complete HTML replacement of the original element for each variant, not a CSS-only patch. Consider the element's context (computed styles, parent structure, CSS variables from `event.element`).
+
+Write CSS + all variants in ONE edit at the `insertLine` reported by `wrap`. Colocate CSS as a `<style>` tag inside the variant wrapper; `<style>` works anywhere in modern browsers and this ensures CSS and HTML arrive atomically (no FOUC).
+
+Use the `cssAuthoring` object returned by `live-wrap.mjs` to author the temporary preview CSS. The style opening tag shown below is the common case; replace it with `cssAuthoring.styleTag` when the tool returns a different one. The variant markup shape is otherwise stable:
+
+```html
+<!-- Variants: insert below this line -->
+<style data-impeccable-css="SESSION_ID">
+  /* rules matching cssAuthoring.rulePattern */
+</style>
+<div data-impeccable-variant="1">
+  <!-- variant 1: full element replacement (single top-level element) -->
+</div>
+<div data-impeccable-variant="2" style="display: none">
+  <!-- variant 2: full element replacement -->
+</div>
+<div data-impeccable-variant="3" style="display: none">
+  <!-- variant 3: full element replacement -->
+</div>
+```
+
+**Each variant div contains exactly one top-level element: the full replacement for the original.** Use the same tag as the original (e.g. `<section>` if the user picked a `<section>`). Loose siblings (heading + paragraph + div as direct children of the variant div) break the outline tracking and the accept flow, which both assume one child.
+
+The first variant has no `display: none` (visible by default). All others do. If variants use only inline styles and no preview CSS, omit the `<style>` tag entirely.
+
+One edit, all variants; the browser's MutationObserver picks everything up in one pass.
+
+For `styleMode: "scoped"`, author every `:scope` rule with a descendant combinator. The `@scope` boundary is the **variant wrapper `<div data-impeccable-variant="N">`**, not the element you're designing. A bare `:scope { background: cream; }` styles the wrapper, not the inner replacement, so the cream lands on a `display: contents` shell while the actual element keeps page defaults. Always step in: `:scope > .card`, `:scope > section`, `:scope .hero-title`, etc. The fake test agent's CSS in `tests/live-e2e/agent.mjs` is a faithful template; every scoped rule starts `:scope > ...`.
+
+**JSX / TSX target files.** Wrap `<style>` content in a template literal so the CSS `{` / `}` aren't parsed as JSX expressions, and use `className=` / `style={{…}}` on every variant element. Keep `data-impeccable-*` attributes as-is; they're plain strings:
+
+```tsx
+<style data-impeccable-css="SESSION_ID">{`
+  @scope ([data-impeccable-variant="1"]) { ... }
+  @scope ([data-impeccable-variant="2"]) { ... }
+`}</style>
+<div data-impeccable-variant="1">
+  {/* variant 1 */}
+</div>
+<div data-impeccable-variant="2" style={{ display: 'none' }}>
+  {/* variant 2 */}
+</div>
+```
+
+The wrap script already gives you a single-rooted JSX wrapper: a `<div data-impeccable-variants="…">` outer element with the marker comments tucked inside. Drop the variants block above into the "Variants: insert below this line" comment and the source stays valid TSX.
+
+### 7. Parameters (composition-sized, 0–4 per variant)
+
+Each variant can expose **coarse** knobs alongside the full HTML/CSS replacement. The browser docks a small panel to the right of the outline with one control per parameter. The user drags/clicks and sees instant feedback: there is zero regeneration cost because the knob toggles a CSS variable or data attribute that the variant's scoped CSS is already authored against.
+
+**What “optional” does not mean.** Parameters are not nice-to-have decoration on large work. The word meant “omit controls that are redundant or cosmetic,” not “default to zero because three variants were enough work.”
+
+**When to add.** As soon as the variant’s scoped CSS has a meaningful continuous or stepped axis: density, color amount, type scale, motion intensity, column weight, and so on. If you can imagine the user muttering “a bit tighter” or “a touch more accent” **without** wanting a full regeneration, wire that axis. **Not** micro-margins or one-off nudges; those are not parameters.
+
+**Freeform (`action` is `impeccable`) bias.** You did not load a sub-command reference, so you must **choose** signature axes yourself. Match the budget table: for a hero or large composition, that means **2–3 axes per variant**, not 1. Prefer knobs that sit on the dimensions where your three variants actually differ (if density varies, expose it as a `steps` knob; if color commitment varies, expose it as a `range`). A hero that ships with **0** params is almost always a mistake, not a judgment call. A hero with exactly **1** param is underweight unless the design is genuinely a fixed-point comparison. Start from the budget table, not from zero.
+
+**Budget scales with the element's visual weight, not token budget.** Knobs need real estate to read as tunable; three sliders on a single control are noise.
+
+- **Leaf / tiny**: a single button, icon, input, bare heading, solitary paragraph: **0 params.**
+- **Small composition**: labeled input, simple card, short callout (≤ ~5 visual children): **0–1** params when one dominant axis is obvious; otherwise **0.**
+- **Medium composition**: section component, nav cluster, dense card, short feature block (6–15 visual children): **target 2**; **1** is acceptable if the block is simple; **0** only when variants are truly fixed points.
+- **Large composition**: hero section, full page region, spread layout, strong internal structure (16+ visual children or multiple sub-sections): **target 2–3**; **up to 4** when several independent axes (e.g. structure `steps` + `density` + one accent) are all authored in scoped CSS.
+
+**When in doubt, ask whether a dial exists before defaulting to zero.** The user can always request more variants, but the point of live mode is instant tuning without another Go. Crowding the panel is bad; **under-shipping** knobs on a dense composition is the more common failure for freeform. Count by **visual** children, not DOM depth; a shallow-but-wide hero is still large.
+
+**Hard cap per variant**: at most **four** parameters so the panel stays legible; rare fifth only if the reference explicitly allows it.
+
+**How to declare.** Put a JSON manifest on the variant wrapper:
+
+```html
+<div data-impeccable-variant="1" data-impeccable-params='[
+  {"id":"color-amount","kind":"range","min":0,"max":1,"step":0.05,"default":0.5,"label":"Color amount"},
+  {"id":"density","kind":"steps","default":"snug","label":"Density","options":[
+    {"value":"airy","label":"Airy"},
+    {"value":"snug","label":"Snug"},
+    {"value":"packed","label":"Packed"}
+  ]},
+  {"id":"serif","kind":"toggle","default":false,"label":"Serif display"}
+]'>
+  ...variant content...
+</div>
+```
+
+**Three kinds:**
+
+- `range`: smooth slider. Drives a CSS custom property `--p-<id>` on the variant wrapper. Author CSS with `var(--p-color-amount, 0.5)`. Fields: `min`, `max`, `step`, `default` (number), `label`.
+- `steps`: segmented radio. Drives a data attribute `data-p-<id>` on the variant wrapper. Author CSS with `:scope[data-p-density="airy"] .grid { ... }`. Fields: `options` (array of `{value, label}`), `default` (string), `label`.
+- `toggle`: on/off switch. Drives BOTH a CSS var (`--p-<id>: 0|1`) and a data attribute (present when on, absent when off). Use whichever is more convenient. Fields: `default` (boolean), `label`.
+
+**Signature params per action.** For named sub-commands, read that action’s `reference/<action>.md` for one or two **MUST** params (e.g. `layout` → `density`). Those are non-negotiable when the design can express them. **Freeform has no file-level MUST**; the **Freeform (`impeccable`) bias** in this section is the stand-in. If the user’s action is both stylized and sub-command (e.g. `colorize`), the sub-command’s MUST list takes precedence for its axes; still respect the **Hard cap** and add no redundant duplicate knobs.
+
+**Reset on variant switch.** User dials density on v1, flips to v2, v2 starts at v2's declared defaults. Known limitation; preservation across variants may land later.
+
+**On accept**, the browser sends the user's current values in the accept event. `live-accept.mjs` writes them as a sibling comment:
+
+```html
+<!-- impeccable-param-values SESSION_ID: {"color-amount":0.7,"density":"packed"} -->
+```
+
+The carbonize cleanup step (see below) reads that comment and bakes the chosen values into the final CSS. For `steps`/`toggle` attribute selectors: keep only the branch matching the chosen value, drop the others, collapse `:scope[data-p-density="packed"] .grid` to a semantic class rule. For `range` vars: either substitute the literal or keep the var with the chosen value as its new default.
+
+### 8. Signal done
+
+```bash
+node {{scripts_path}}/live-poll.mjs --reply EVENT_ID done --file RELATIVE_PATH
+```
+
+`RELATIVE_PATH` is relative to project root (`public/index.html`, `src/App.tsx`, etc.); the browser fetches source directly if the dev server lacks HMR.
+
+Then run `live-poll.mjs` again immediately.
+
+### Aborting an in-flight session
+
+If wrap or generation fails after the browser has flipped to GENERATING (e.g. wrap landed on the wrong source branch and you've already reverted it, or generation hit an unrecoverable error), tell the **browser** so its bar resets to PICKING:
+
+```bash
+node {{scripts_path}}/live-poll.mjs --reply EVENT_ID error "Short reason"
+```
+
+Don't run `live-accept --discard` for this; that's a pure file mutator, the browser doesn't see it, and the bar gets stuck on the GENERATING dots forever (the user has to refresh). `--discard` is only correct when the **browser** initiated the discard (user clicked ✕ during CYCLING) and the agent is just running source-side cleanup the browser already triggered.
+
+## Handle fallback
+
+When wrap returns `fallback: "agent-driven"`, the deterministic flow doesn't apply. Pick up here.
+
+The goal is the same: give the user three variants to choose from AND persist the accepted one in a place the next build won't wipe. The difference is that you have to pick the right source file yourself.
+
+### Step 1: Identify where the element actually lives
+
+Use the error payload:
+
+- `element_not_in_source` with `generatedMatch: "public/docs/foo.html"`: the served HTML is generated. Find the generator (grep for writers of that path, e.g. `scripts/build-sub-pages.js`, an Astro/Next template) and locate the template or partial that emits this element.
+- `element_not_found`: the element is runtime-injected. Look for the component that renders it (React/Vue/Svelte), the JS that assembles it, or the data source that feeds it.
+- `file_is_generated` with `file: "..."`: user pointed at a generated file explicitly. Same resolution as `element_not_in_source`.
+
+Read the candidate source until you're confident where a change to the element would belong. If the change is purely visual, that source might be a shared stylesheet, not the template.
+
+### Step 2: Show three variants in the DOM for preview
+
+The browser bar is waiting for variants. Even without a wrapper in source, you still need to show something:
+
+1. Manually write the wrapper scaffold into the **served** file (the one the browser actually loaded). Use the same structure `live-wrap.mjs` produces; `<!-- impeccable-variants-start ID --><div data-impeccable-variants="ID" data-impeccable-variant-count="3" style="display: contents">…</div><!-- end -->`.
+2. Insert your three variant divs inside it, same shape as the deterministic path.
+3. Signal done with `--reply EVENT_ID done --file <served file>`. The browser's no-HMR fallback will fetch and inject.
+
+This served-file edit is **temporary**: next regen wipes it, and that's fine. The real work happens on accept.
+
+### Step 3: On accept, write to true source
+
+When the accept event arrives (`_acceptResult.handled` will usually be `false` here because accept also refuses to persist into generated files; see Handle accept for the carbonize branch), extract the accepted variant's content and write it into the source you identified in Step 1:
+
+- Structural change → edit the template / component source.
+- Visual-only change → add or update rules in the appropriate stylesheet; remove the inline `<style>` scope.
+- Dynamic from data → update the data source or the render logic.
+
+Then remove the temporary wrapper from the served file if it's still there.
+
+### Step 4: On discard, clean up the served file
+
+Remove the wrapper you inserted in Step 2. Nothing else to do.
+
+## Handle `accept`
+
+Event: `{id, variantId, _acceptResult, _completionAck}`. The poll script already ran `live-accept.mjs` to handle the file operation deterministically, then acknowledged event delivery to the helper. The browser DOM is already updated.
+
+- `_completionAck.ok !== true`: do not poll yet. Run `live-status.mjs` / `live-resume.mjs`, complete the cleanup manually if needed, then run `live-complete.mjs --id EVENT_ID`.
+- `_acceptResult.handled: true` and `carbonize: false`: nothing to do. Poll again.
+- `_acceptResult.handled: true` and `carbonize: true`: **post-accept cleanup is required before the next poll.** See the "Required after accept (carbonize)" section below. The `event._acceptResult.todo` field, `_completionAck.requiresComplete`, and a stderr banner all point at this required follow-up; none are decorative. After cleanup, run `live-complete.mjs --id EVENT_ID`, then poll again.
+- `_acceptResult.handled: false, mode: "fallback"`: the session lived in a generated file and the script refused to persist there. You've already written the accepted variant into true source during Handle fallback Step 3; just clean up the temporary wrapper in the served file if any, and poll again.
+- `_acceptResult.handled: false` without `mode`: manual cleanup: read file, find markers, edit.
+
+### Required after accept (carbonize)
+
+When `_acceptResult.carbonize === true`, the accepted variant was stitched into source with helper markers and inline CSS so the browser can render it immediately with no visual gap. That stitch-in is **temporary**. The agent must rewrite it into permanent form before doing anything else. Skipping this leaves dead `@scope` rules for unaccepted variants, a pointless `data-impeccable-variant` wrapper, and `impeccable-carbonize-start/end` comment noise in the source file; all of which accumulate across sessions.
+
+Do these five steps in the current thread, synchronously, before the next poll. Do not poll again until the file is clean.
+
+1. **Locate the carbonize block** in the source file (`_acceptResult.file`). It's bracketed by `<!-- impeccable-carbonize-start SESSION_ID -->` and `<!-- impeccable-carbonize-end SESSION_ID -->` and contains a `<style data-impeccable-css="SESSION_ID">` element. If the variant declared parameters, an `<!-- impeccable-param-values SESSION_ID: {...} -->` comment sits alongside the style tag with the user's chosen values; read it first; it drives steps 3 and 4 below.
+2. **Move the CSS rules** into the project's real stylesheet. Which stylesheet depends on the project (e.g. `site/styles/workflow.css` for an Astro project, or the component's co-located CSS file for a Vite/Next project; pick whichever already owns styling for the surrounding element).
+3. **Bake in parameter values while rewriting selectors.** For `@scope ([data-impeccable-variant="N"])` wrappers: retarget to real, semantic classes on the accepted HTML (`.why-visual--v2 .v2-label { … }`). For `:scope[data-p-<id>="VALUE"]` selectors: keep only the branch matching the chosen value from the param-values comment; drop the others (they're dead after accept). For `var(--p-<id>, DEFAULT)` in the CSS: either substitute the literal value, or if the param is still useful as a knob going forward, leave the var and update its initial declaration to the chosen value.
+4. **Unwrap the accepted content.** Delete the `<div data-impeccable-variant="N" style="display: contents">` that wraps it. Drop `data-impeccable-params` and any `data-p-*` attributes from it; those are live-mode plumbing, not source.
+5. **Delete the inline `<style>` block, the `<!-- impeccable-param-values -->` comment if present, and both `<!-- impeccable-carbonize-start/end -->` markers.** Also drop any `@scope` rules for variants other than the accepted one; those are dead code now.
+
+After the file is clean, run `live-complete.mjs --id SESSION_ID`, verify it reports `phase: "completed"`, then poll again.
+
+A background agent may be used for the rewrite, but the current thread is responsible for verifying the five steps are complete before issuing the next poll. In practice, inline is usually faster and less error-prone.
+
+## Handle `discard`
+
+Event: `{id, _acceptResult, _completionAck}`. The poll script already restored the original, removed all variant markers, and acknowledged `discarded` durable completion. Nothing to do unless `_completionAck.ok !== true`; in that case run `live-complete.mjs --id EVENT_ID --discarded`, then poll again.
+
+## Handle `prefetch`
+
+Event: `{pageUrl}`. The browser fires this the first time the user selects an element on a given route, as a latency shortcut; it signals the user is likely about to Go on a page you haven't read yet.
+
+Resolve `pageUrl` to the underlying file:
+
+- Root `/` → the `pageFile` returned by `live.mjs` (usually `public/index.html` or equivalent).
+- Sub-routes (e.g. `/docs`, `/docs/live`) → the generated or source file for that route. Use your knowledge of the project layout (multi-page static sites often resolve `/foo` → `public/foo/index.html`; SPAs may map all routes to a single entry).
+
+Read the file into context, then poll again. No `--reply`: this is speculative pre-work; Go will come later. If you can't confidently resolve the route to a file, skip and poll again.
+
+Dedupe is the browser's job (one prefetch per unique pathname per session); trust it. If the same file shows up twice from different routes mapping to the same file, the second Read is cached anyway.
+
+## Exit
+
+The user can stop live mode by:
+- Saying "stop live mode" / "exit live" in chat
+- Closing the browser tab (SSE drops, poll returns `exit` after 8s)
+- The browser's exit button
+
+When the poll returns `exit`, proceed to cleanup. If the poll is still running as a background task, kill it first.
+
+## Cleanup
+
+```bash
+node {{scripts_path}}/live-server.mjs stop
+```
+
+Stops the HTTP server and runs `live-inject.mjs --remove` to strip `localhost:…/live.js` from the HTML entry. To stop the server but keep the inject tag (for a quick restart), use `stop --keep-inject`. `.impeccable/live/config.json` persists as project config for future sessions.
+
+Then:
+- Remove any leftover variant wrappers (search for `impeccable-variants-start` markers).
+- Remove any leftover carbonize blocks (search for `impeccable-carbonize-start` markers).
+
+## First-time setup (config missing or invalid)
+
+If `live.mjs` outputs `{ ok: false, error: "config_missing" | "config_invalid", path }`, write the live config at the reported path. By default this is `.impeccable/live/config.json`.
+
+Schema:
+
+```json
+{
+  "files": ["<path-or-glob>", "<path-or-glob>", ...],
+  "exclude": ["<optional-glob>", ...],
+  "insertBefore": "</body>",
+  "commentSyntax": "html",
+  "cspChecked": true
+}
+```
+
+`files` is the inject target; **the HTML files the browser actually loads**, not necessarily source. Each entry is either a literal path (`"public/index.html"`) or a glob pattern (`"public/**/*.html"`). Tracked or generated doesn't matter here; wrap has its own generated-file guard and routes accepts through the fallback flow.
+
+`exclude` (optional) is a list of glob patterns matching files to skip, even if a `files` glob would have included them. Use for email templates, demo fixtures, or any HTML that isn't a live page.
+
+`cspChecked` tracks whether the CSP detection step below has already run. Absent on first setup; set to `true` after CSP is checked (whether patched, declined, or not needed).
+
+**Hard-excluded paths (cannot be overridden).** `**/node_modules/**` and `**/.git/**` are never matched regardless of what the user writes. These are vendor/metadata directories and injecting into them would silently instrument third-party code.
+
+**Glob syntax.** `**` matches any number of path segments (including zero), `*` matches any characters except `/`, `?` matches a single character except `/`. Paths are always relative to the project root with forward slashes.
+
+| Framework | `files` | `insertBefore` | `commentSyntax` |
+|-----------|---------|----------------|-----------------|
+| SPA with single shell (Vite / React / Plain HTML) | `["index.html"]` | `</body>` | `html` |
+| Next.js (App Router) | `["app/layout.tsx"]` | `</body>` | `jsx` |
+| Next.js (Pages) | `["pages/_document.tsx"]` | `</body>` | `jsx` |
+| Nuxt | `["app.vue"]` | `</body>` | `html` |
+| Svelte / SvelteKit | `["src/app.html"]` | `</body>` | `html` |
+| Astro | `[" <root layout .astro>"]` | `</body>` | `html` |
+| Multi-page (separate HTML per route) | `["public/**/*.html"]`: a glob covering the served directory | `</body>` | `html` |
+
+Pick an anchor that exists in every file (`</body>` almost always works). Use `insertAfter` if the anchor should match **after** a specific line.
+
+For multi-page sites, **prefer a glob over a literal file list**. New pages added later are picked up automatically on the next `live-inject.mjs` run; no config maintenance needed.
+
+For multi-page sites whose pages are *rebuilt* by a generator (Astro, static-site generators, custom scripts like `build-sub-pages.js`), the inject survives only until the next regeneration. Re-run `live.mjs` after each build. Accept is unaffected; it writes to true source via the fallback flow.
+
+### Drift-heal warning
+
+On every `live.mjs` boot, after inject, the project is scanned for HTML files under common page-source roots (`public/`, `src/`, `app/`, `pages/`). If any exist that aren't covered by the resolved `files` list, the output includes a `configDrift` field:
+
+```json
+{
+  "ok": true,
+  "serverPort": 8400,
+  "pageFiles": [ "..." ],
+  "configDrift": {
+    "orphans": ["public/new-section/index.html", "public/docs/new-command.html"],
+    "orphanCount": 2,
+    "hint": "2 HTML file(s) exist but aren't in config.files. Consider adding them, or use a glob pattern like \"public/**/*.html\"."
+  }
+}
+```
+
+When `configDrift` is present, surface it to the user once per session before entering the poll loop:
+
+> Noticed N HTML file(s) in the project that aren't in `config.files`:
+>
+> - `public/new-section/index.html`
+> - `public/docs/new-command.html`
+>
+> Add them, or switch `files` to a glob like `["public/**/*.html"]` and let it track new pages automatically?
+
+Don't auto-update the config; let the user decide. `configDrift` is `null` when there's no drift.
+
+### CSP detection (first-time only)
+
+If `config.cspChecked === true`, skip this entire section. You already asked this user once; the answer sticks.
+
+Otherwise, run the detection helper:
+
+```bash
+node {{scripts_path}}/detect-csp.mjs
+```
+
+Output: `{ shape, signals }` where `shape` is one of `append-arrays`, `append-string`, `middleware`, `meta-tag`, or `null`. The shape is named by *patch mechanism*, so one template covers many frameworks.
+
+- **`null`**: no CSP; skip to writing `.impeccable/live/config.json` with `cspChecked: true`.
+- **`append-arrays`**: CSP defined as structured directive arrays. Auto-patchable. See *append-arrays* below. Covers:
+  - Monorepo helpers with `additionalScriptSrc` / `additionalConnectSrc` options (Next.js + shared config package)
+  - SvelteKit `kit.csp.directives`
+  - Nuxt `nuxt-security` module's `contentSecurityPolicy`
+- **`append-string`**: CSP written as a literal value string. Auto-patchable. See *append-string* below. Covers:
+  - Inline `next.config.*` `headers()` with a CSP literal
+  - Nuxt `routeRules` / `nitro.routeRules` headers
+- **`middleware`** or **`meta-tag`**: rarer. Detected but not auto-patched in v1. Show the user the detected files and ask them to add `http://localhost:8400` to `script-src` and `connect-src` manually, then mark `cspChecked: true` and proceed.
+
+#### Consent prompt template
+
+Use this phrasing so the experience is consistent across agents:
+
+> **CSP patch needed.** I detected a Content Security Policy in your project that blocks `http://localhost:8400`: the live picker won't load without an allowance. Here's the change I'd make:
+>
+> ```diff
+> [file: <patchTarget>]
+> [exact diff, 2–5 lines]
+> ```
+>
+> It's guarded by `NODE_ENV === "development"` so the extra entry only appears in dev and never reaches production. You can remove it any time by reverting this file. Apply? [y/n]
+
+On "no": skip the patch, mention live won't work until the user adds the allowance manually, still write `cspChecked: true` (the question's been asked).
+
+On "yes": apply the Shape-specific patch below, then write `cspChecked: true`.
+
+#### append-arrays
+
+CSP expressed as structured directive arrays. Patch mechanism: declare a dev-only array, spread it into the script-src and connect-src arrays.
+
+**Declare near the top of the file that holds the CSP arrays:**
+
+```ts
+// Dev-only allowance so impeccable live mode can load. Guarded by NODE_ENV.
+const __impeccableLiveDev =
+  process.env.NODE_ENV === "development" ? ["http://localhost:8400"] : [];
+```
+
+**Append `...__impeccableLiveDev` to the script-src and connect-src directive arrays.** Per-framework specifics:
+
+- **Next.js + monorepo helper**: edit the *app's* `next.config.*` (not the shared helper), appending to `additionalScriptSrc` and `additionalConnectSrc` passed into `createBaseNextConfig` (or equivalent). Keeps the shared package clean.
+- **SvelteKit**: edit `svelte.config.js`, appending to `kit.csp.directives['script-src']` and `kit.csp.directives['connect-src']`.
+- **Nuxt + nuxt-security**: edit `nuxt.config.*`, appending to `security.headers.contentSecurityPolicy['script-src']` and `['connect-src']`.
+
+Reference outputs:
+- `tests/framework-fixtures/nextjs-turborepo/expected-after-patch.ts` (Next.js)
+- `tests/framework-fixtures/sveltekit-csp/expected-after-patch.js` (SvelteKit)
+
+Idempotency: if `__impeccableLiveDev` already exists in the file, the patch is already applied; skip asking and just mark `cspChecked: true`.
+
+#### append-string
+
+CSP built as a literal value string. Two-point patch: declare a dev-only string near the top, interpolate it into the CSP at the `script-src` and `connect-src` directives.
+
+```ts
+// Dev-only allowance so impeccable live mode can load.
+const __impeccableLiveDev =
+  process.env.NODE_ENV === "development" ? " http://localhost:8400" : "";
+```
+
+Then in the CSP value string:
+- `script-src 'self' 'unsafe-inline'` → `` `script-src 'self' 'unsafe-inline'${__impeccableLiveDev}` ``
+- `connect-src 'self'` → `` `connect-src 'self'${__impeccableLiveDev}` ``
+
+(Leading space on the dev string so it concatenates cleanly into the existing value. Convert the literal CSP directives into template strings as part of the edit if they aren't already.)
+
+Per-framework specifics:
+- **Next.js inline `headers()`**: edit `next.config.*`, splicing the variable into the CSP value.
+- **Nuxt `routeRules`**: edit `nuxt.config.*`, splicing into the CSP in `routeRules['/**'].headers['Content-Security-Policy']`.
+
+Reference outputs:
+- `tests/framework-fixtures/nextjs-inline-csp/expected-after-patch.js` (Next.js)
+- `tests/framework-fixtures/nuxt-csp/expected-after-patch.ts` (Nuxt)
+
+### Troubleshooting
+
+If a user says "no" to the CSP patch at setup time and later complains that live doesn't work: their dev CSP blocks `http://localhost:8400`. Fix: delete `cspChecked` from `.impeccable/live/config.json` and re-run `live.mjs`: setup will ask again.
+
+Then re-run `live.mjs`.

.agents/skills/impeccable/reference/motion-design.md

@@ -0,0 +1,109 @@
+# Motion Design
+
+## Duration: The 100/300/500 Rule
+
+Timing matters more than easing. These durations feel right for most UI:
+
+| Duration | Use Case | Examples |
+|----------|----------|----------|
+| **100-150ms** | Instant feedback | Button press, toggle, color change |
+| **200-300ms** | State changes | Menu open, tooltip, hover states |
+| **300-500ms** | Layout changes | Accordion, modal, drawer |
+| **500-800ms** | Entrance animations | Page load, hero reveals |
+
+**Exit animations are faster than entrances.** Use ~75% of enter duration.
+
+## Easing: Pick the Right Curve
+
+**Don't use `ease`.** It's a compromise that's rarely optimal. Instead:
+
+| Curve | Use For | CSS |
+|-------|---------|-----|
+| **ease-out** | Elements entering | `cubic-bezier(0.16, 1, 0.3, 1)` |
+| **ease-in** | Elements leaving | `cubic-bezier(0.7, 0, 0.84, 0)` |
+| **ease-in-out** | State toggles (there → back) | `cubic-bezier(0.65, 0, 0.35, 1)` |
+
+**For micro-interactions, use exponential curves.** They feel natural because they mimic real physics (friction, deceleration):
+
+```css
+/* Quart out - smooth, refined (recommended default) */
+--ease-out-quart: cubic-bezier(0.25, 1, 0.5, 1);
+
+/* Quint out - slightly more dramatic */
+--ease-out-quint: cubic-bezier(0.22, 1, 0.36, 1);
+
+/* Expo out - snappy, confident */
+--ease-out-expo: cubic-bezier(0.16, 1, 0.3, 1);
+```
+
+**Avoid bounce and elastic curves.** They were trendy in 2015 but now feel tacky and amateurish. Real objects don't bounce when they stop; they decelerate smoothly. Overshoot effects draw attention to the animation itself rather than the content.
+
+## Premium Motion Materials
+
+Transform and opacity are reliable defaults, not the whole palette. Premium interfaces often need atmospheric properties: blur reveals, backdrop-filter panels, saturation or brightness shifts, shadow bloom, SVG filters, masks, clip paths, gradient-position movement, and variable font or shader-driven effects.
+
+Use the right material for the effect:
+
+- **Transform / opacity**: movement, press feedback, simple reveals, list choreography.
+- **Blur / filter / backdrop-filter**: focus pulls, depth, glass or lens effects, softened entrances, atmospheric transitions.
+- **Clip path / masks**: wipes, reveals, editorial cropping, product-like transitions.
+- **Shadow / glow / color filters**: energy, affordance, focus, warmth, active state.
+- **Grid-template rows or FLIP-style transforms**: expanding and reflowing layout without animating `height` directly.
+
+The hard rule is not "transform and opacity only." The hard rule is: avoid animating layout-driving properties casually (`width`, `height`, `top`, `left`, margins), keep expensive effects bounded to small or isolated areas, and verify in-browser that the result is smooth on the target viewports. If blur/filter makes the interaction feel significantly more premium and remains smooth, use it.
+
+## Staggered Animations
+
+Use CSS custom properties for cleaner stagger: `animation-delay: calc(var(--i, 0) * 50ms)` with `style="--i: 0"` on each item. **Cap total stagger time**: 10 items at 50ms = 500ms total. For many items, reduce per-item delay or cap staggered count.
+
+## Reduced Motion
+
+This is not optional. Vestibular disorders affect ~35% of adults over 40.
+
+```css
+/* Define animations normally */
+.card {
+  animation: slide-up 500ms ease-out;
+}
+
+/* Provide alternative for reduced motion */
+@media (prefers-reduced-motion: reduce) {
+  .card {
+    animation: fade-in 200ms ease-out;  /* Crossfade instead of motion */
+  }
+}
+
+/* Or disable entirely */
+@media (prefers-reduced-motion: reduce) {
+  *, *::before, *::after {
+    animation-duration: 0.01ms !important;
+    transition-duration: 0.01ms !important;
+  }
+}
+```
+
+**What to preserve**: Functional animations like progress bars, loading spinners (slowed down), and focus indicators should still work, just without spatial movement.
+
+## Perceived Performance
+
+**Nobody cares how fast your site is, just how fast it feels.** Perception can be as effective as actual performance.
+
+**The 80ms threshold**: Our brains buffer sensory input for ~80ms to synchronize perception. Anything under 80ms feels instant and simultaneous. This is your target for micro-interactions.
+
+**Active vs passive time**: Passive waiting (staring at a spinner) feels longer than active engagement. Strategies to shift the balance:
+
+- **Preemptive start**: Begin transitions immediately while loading (iOS app zoom, skeleton UI). Users perceive work happening.
+- **Early completion**: Show content progressively, don't wait for everything. Video buffering, progressive images, streaming HTML.
+- **Optimistic UI**: Update the interface immediately, handle failures gracefully. Instagram likes work offline; the UI updates instantly, syncs later. Use for low-stakes actions; avoid for payments or destructive operations.
+
+**Easing affects perceived duration**: Ease-in (accelerating toward completion) makes tasks feel shorter because the peak-end effect weights final moments heavily. Ease-out feels satisfying for entrances, but ease-in toward a task's end compresses perceived time.
+
+**Caution**: Too-fast responses can decrease perceived value. Users may distrust instant results for complex operations (search, analysis). Sometimes a brief delay signals "real work" is happening.
+
+## Performance
+
+Don't use `will-change` preemptively, only when animation is imminent (`:hover`, `.animating`). For scroll-triggered animations, use Intersection Observer instead of scroll events; unobserve after animating once. Create motion tokens for consistency (durations, easings, common transitions).
+
+---
+
+**Avoid**: Animating everything (animation fatigue is real). Using >500ms for UI feedback. Ignoring `prefers-reduced-motion`. Using animation to hide slow loading.

.agents/skills/impeccable/reference/onboard.md

@@ -0,0 +1,234 @@
+> **Additional context needed**: the "aha moment" you want users to reach, and users' experience level.
+
+Get users to first value as fast as possible. Onboarding's job is not to teach the product. Its job is to get people to the moment that proves the product is worth their time.
+
+## Assess Onboarding Needs
+
+Understand what users need to learn and why:
+
+1. **Identify the challenge**:
+   - What are users trying to accomplish?
+   - What's confusing or unclear about current experience?
+   - Where do users get stuck or drop off?
+   - What's the "aha moment" we want users to reach?
+
+2. **Understand the users**:
+   - What's their experience level? (Beginners, power users, mixed?)
+   - What's their motivation? (Excited and exploring? Required by work?)
+   - What's their time commitment? (5 minutes? 30 minutes?)
+   - What alternatives do they know? (Coming from competitor? New to category?)
+
+3. **Define success**:
+   - What's the minimum users need to learn to be successful?
+   - What's the key action we want them to take? (First project? First invite?)
+   - How do we know onboarding worked? (Completion rate? Time to value?)
+
+**CRITICAL**: Onboarding should get users to value as quickly as possible, not teach everything possible.
+
+## Onboarding Principles
+
+Follow these core principles:
+
+### Show, Don't Tell
+- Demonstrate with working examples, not just descriptions
+- Provide real functionality in onboarding, not separate tutorial mode
+- Use progressive disclosure, teach one thing at a time
+
+### Make It Optional (When Possible)
+- Let experienced users skip onboarding
+- Don't block access to product
+- Provide "Skip" or "I'll explore on my own" options
+
+### Time to Value
+- Get users to their "aha moment" ASAP
+- Front-load most important concepts
+- Teach 20% that delivers 80% of value
+- Save advanced features for contextual discovery
+
+### Context Over Ceremony
+- Teach features when users need them, not upfront
+- Empty states are onboarding opportunities
+- Tooltips and hints at point of use
+
+### Respect User Intelligence
+- Don't patronize or over-explain
+- Be concise and clear
+- Assume users can figure out standard patterns
+
+## Design Onboarding Experiences
+
+Create appropriate onboarding for the context:
+
+### Initial Product Onboarding
+
+**Welcome Screen**:
+- Clear value proposition (what is this product?)
+- What users will learn/accomplish
+- Time estimate (honest about commitment)
+- Option to skip (for experienced users)
+
+**Account Setup**:
+- Minimal required information (collect more later)
+- Explain why you're asking for each piece of information
+- Smart defaults where possible
+- Social login when appropriate
+
+**Core Concept Introduction**:
+- Introduce 1-3 core concepts (not everything)
+- Use simple language and examples
+- Interactive when possible (do, don't just read)
+- Progress indication (step 1 of 3)
+
+**First Success**:
+- Guide users to accomplish something real
+- Pre-populated examples or templates
+- Celebrate completion (but don't overdo it)
+- Clear next steps
+
+### Feature Discovery & Adoption
+
+**Empty States**:
+Instead of blank space, show:
+- What will appear here (description + screenshot/illustration)
+- Why it's valuable
+- Clear CTA to create first item
+- Example or template option
+
+Example:
+```
+No projects yet
+Projects help you organize your work and collaborate with your team.
+[Create your first project] or [Start from template]
+```
+
+**Contextual Tooltips**:
+- Appear at relevant moment (first time user sees feature)
+- Point directly at relevant UI element
+- Brief explanation + benefit
+- Dismissable (with "Don't show again" option)
+- Optional "Learn more" link
+
+**Feature Announcements**:
+- Highlight new features when they're released
+- Show what's new and why it matters
+- Let users try immediately
+- Dismissable
+
+**Progressive Onboarding**:
+- Teach features when users encounter them
+- Badges or indicators on new/unused features
+- Unlock complexity gradually (don't show all options immediately)
+
+### Guided Tours & Walkthroughs
+
+**When to use**:
+- Complex interfaces with many features
+- Significant changes to existing product
+- Industry-specific tools needing domain knowledge
+
+**How to design**:
+- Spotlight specific UI elements (dim rest of page)
+- Keep steps short (3-7 steps max per tour)
+- Allow users to click through tour freely
+- Include "Skip tour" option
+- Make replayable (help menu)
+
+**Best practices**:
+- Interactive over passive (let users click real buttons)
+- Focus on workflow, not features ("Create a project" not "This is the project button")
+- Provide sample data so actions work
+
+### Interactive Tutorials
+
+**When to use**:
+- Users need hands-on practice
+- Concepts are complex or unfamiliar
+- High stakes (better to practice in safe environment)
+
+**How to design**:
+- Sandbox environment with sample data
+- Clear objectives ("Create a chart showing sales by region")
+- Step-by-step guidance
+- Validation (confirm they did it right)
+- Graduation moment (you're ready!)
+
+### Documentation & Help
+
+**In-product help**:
+- Contextual help links throughout interface
+- Keyboard shortcut reference
+- Search-able help center
+- Video tutorials for complex workflows
+
+**Help patterns**:
+- `?` icon near complex features
+- "Learn more" links in tooltips
+- Keyboard shortcut hints (`⌘K` shown on search box)
+
+## Empty State Design
+
+Every empty state needs:
+
+### What Will Be Here
+"Your recent projects will appear here"
+
+### Why It Matters
+"Projects help you organize your work and collaborate with your team"
+
+### How to Get Started
+[Create project] or [Import from template]
+
+### Visual Interest
+Illustration or icon (not just text on blank page)
+
+### Contextual Help
+"Need help getting started? [Watch 2-min tutorial]"
+
+**Empty state types**:
+- **First use**: Never used this feature (emphasize value, provide template)
+- **User cleared**: Intentionally deleted everything (light touch, easy to recreate)
+- **No results**: Search or filter returned nothing (suggest different query, clear filters)
+- **No permissions**: Can't access (explain why, how to get access)
+- **Error state**: Failed to load (explain what happened, retry option)
+
+## Implementation Patterns
+
+### Technical approaches:
+
+**Tooltip libraries**: Tippy.js, Popper.js
+**Tour libraries**: Intro.js, Shepherd.js, React Joyride
+**Modal patterns**: Focus trap, backdrop, ESC to close
+**Progress tracking**: LocalStorage for "seen" states
+**Analytics**: Track completion, drop-off points
+
+**Storage patterns**:
+```javascript
+// Track which onboarding steps user has seen
+localStorage.setItem('onboarding-completed', 'true');
+localStorage.setItem('feature-tooltip-seen-reports', 'true');
+```
+
+**IMPORTANT**: Don't show same onboarding twice (annoying). Track completion and respect dismissals.
+
+**NEVER**:
+- Force users through long onboarding before they can use product
+- Patronize users with obvious explanations
+- Show same tooltip repeatedly (respect dismissals)
+- Block all UI during tour (let users explore)
+- Create separate tutorial mode disconnected from real product
+- Overwhelm with information upfront (progressive disclosure!)
+- Hide "Skip" or make it hard to find
+- Forget about returning users (don't show initial onboarding again)
+
+## Verify Onboarding Quality
+
+Test with real users:
+
+- **Time to completion**: Can users complete onboarding quickly?
+- **Comprehension**: Do users understand after completing?
+- **Action**: Do users take desired next step?
+- **Skip rate**: Are too many users skipping? (Maybe it's too long or not valuable)
+- **Completion rate**: Are users completing? (If low, simplify)
+- **Time to value**: How long until users get first value?
+
+When users hit the aha moment fast and don't drop off, hand off to `{{command_prefix}}impeccable polish` for the final pass.

.agents/skills/impeccable/reference/optimize.md

@@ -0,0 +1,258 @@
+Performance is a feature. Identify the actual bottleneck for THIS interface, fix it, then measure. Don't optimize what isn't slow.
+
+## Assess Performance Issues
+
+Understand current performance and identify problems:
+
+1. **Measure current state**:
+   - **Core Web Vitals**: LCP, FID/INP, CLS scores
+   - **Load time**: Time to interactive, first contentful paint
+   - **Bundle size**: JavaScript, CSS, image sizes
+   - **Runtime performance**: Frame rate, memory usage, CPU usage
+   - **Network**: Request count, payload sizes, waterfall
+
+2. **Identify bottlenecks**:
+   - What's slow? (Initial load? Interactions? Animations?)
+   - What's causing it? (Large images? Expensive JavaScript? Layout thrashing?)
+   - How bad is it? (Perceivable? Annoying? Blocking?)
+   - Who's affected? (All users? Mobile only? Slow connections?)
+
+**CRITICAL**: Measure before and after. Premature optimization wastes time. Optimize what actually matters.
+
+## Optimization Strategy
+
+Create systematic improvement plan:
+
+### Loading Performance
+
+**Optimize Images**:
+- Use modern formats (WebP, AVIF)
+- Proper sizing (don't load 3000px image for 300px display)
+- Lazy loading for below-fold images
+- Responsive images (`srcset`, `picture` element)
+- Compress images (80-85% quality is usually imperceptible)
+- Use CDN for faster delivery
+
+```html
+<img 
+  src="hero.webp"
+  srcset="hero-400.webp 400w, hero-800.webp 800w, hero-1200.webp 1200w"
+  sizes="(max-width: 400px) 400px, (max-width: 800px) 800px, 1200px"
+  loading="lazy"
+  alt="Hero image"
+/>
+```
+
+**Reduce JavaScript Bundle**:
+- Code splitting (route-based, component-based)
+- Tree shaking (remove unused code)
+- Remove unused dependencies
+- Lazy load non-critical code
+- Use dynamic imports for large components
+
+```javascript
+// Lazy load heavy component
+const HeavyChart = lazy(() => import('./HeavyChart'));
+```
+
+**Optimize CSS**:
+- Remove unused CSS
+- Critical CSS inline, rest async
+- Minimize CSS files
+- Use CSS containment for independent regions
+
+**Optimize Fonts**:
+- Use `font-display: swap` or `optional`
+- Subset fonts (only characters you need)
+- Preload critical fonts
+- Use system fonts when appropriate
+- Limit font weights loaded
+
+```css
+@font-face {
+  font-family: 'CustomFont';
+  src: url('/fonts/custom.woff2') format('woff2');
+  font-display: swap; /* Show fallback immediately */
+  unicode-range: U+0020-007F; /* Basic Latin only */
+}
+```
+
+**Optimize Loading Strategy**:
+- Critical resources first (async/defer non-critical)
+- Preload critical assets
+- Prefetch likely next pages
+- Service worker for offline/caching
+- HTTP/2 or HTTP/3 for multiplexing
+
+### Rendering Performance
+
+**Avoid Layout Thrashing**:
+```javascript
+// ❌ Bad: Alternating reads and writes (causes reflows)
+elements.forEach(el => {
+  const height = el.offsetHeight; // Read (forces layout)
+  el.style.height = height * 2; // Write
+});
+
+// ✅ Good: Batch reads, then batch writes
+const heights = elements.map(el => el.offsetHeight); // All reads
+elements.forEach((el, i) => {
+  el.style.height = heights[i] * 2; // All writes
+});
+```
+
+**Optimize Rendering**:
+- Use CSS `contain` property for independent regions
+- Minimize DOM depth (flatter is faster)
+- Reduce DOM size (fewer elements)
+- Use `content-visibility: auto` for long lists
+- Virtual scrolling for very long lists (react-window, react-virtualized)
+
+**Reduce Paint & Composite**:
+- Use `transform` and `opacity` for reliable movement, but allow blur, filters, masks, clip paths, shadows, and color shifts when they create meaningful polish
+- Avoid casual animation of layout-driving properties (`width`, `height`, `top`, `left`, margins)
+- Use `will-change` sparingly for known expensive operations
+- Bound expensive paint areas for blur/filter/shadow effects (smaller and isolated is faster)
+
+### Animation Performance
+
+**GPU Acceleration**:
+```css
+/* ✅ GPU-accelerated (fast) */
+.animated {
+  transform: translateX(100px);
+  opacity: 0.5;
+}
+
+/* ❌ CPU-bound (slow) */
+.animated {
+  left: 100px;
+  width: 300px;
+}
+```
+
+**Smooth 60fps**:
+- Target 16ms per frame (60fps)
+- Use `requestAnimationFrame` for JS animations
+- Debounce/throttle scroll handlers
+- Use CSS animations when possible
+- Avoid long-running JavaScript during animations
+
+**Intersection Observer**:
+```javascript
+// Efficiently detect when elements enter viewport
+const observer = new IntersectionObserver((entries) => {
+  entries.forEach(entry => {
+    if (entry.isIntersecting) {
+      // Element is visible, lazy load or animate
+    }
+  });
+});
+```
+
+### React/Framework Optimization
+
+**React-specific**:
+- Use `memo()` for expensive components
+- `useMemo()` and `useCallback()` for expensive computations
+- Virtualize long lists
+- Code split routes
+- Avoid inline function creation in render
+- Use React DevTools Profiler
+
+**Framework-agnostic**:
+- Minimize re-renders
+- Debounce expensive operations
+- Memoize computed values
+- Lazy load routes and components
+
+### Network Optimization
+
+**Reduce Requests**:
+- Combine small files
+- Use SVG sprites for icons
+- Inline small critical assets
+- Remove unused third-party scripts
+
+**Optimize APIs**:
+- Use pagination (don't load everything)
+- GraphQL to request only needed fields
+- Response compression (gzip, brotli)
+- HTTP caching headers
+- CDN for static assets
+
+**Optimize for Slow Connections**:
+- Adaptive loading based on connection (navigator.connection)
+- Optimistic UI updates
+- Request prioritization
+- Progressive enhancement
+
+## Core Web Vitals Optimization
+
+### Largest Contentful Paint (LCP < 2.5s)
+- Optimize hero images
+- Inline critical CSS
+- Preload key resources
+- Use CDN
+- Server-side rendering
+
+### First Input Delay (FID < 100ms) / INP (< 200ms)
+- Break up long tasks
+- Defer non-critical JavaScript
+- Use web workers for heavy computation
+- Reduce JavaScript execution time
+
+### Cumulative Layout Shift (CLS < 0.1)
+- Set dimensions on images and videos
+- Don't inject content above existing content
+- Use `aspect-ratio` CSS property
+- Reserve space for ads/embeds
+- Avoid animations that cause layout shifts
+
+```css
+/* Reserve space for image */
+.image-container {
+  aspect-ratio: 16 / 9;
+}
+```
+
+## Performance Monitoring
+
+**Tools to use**:
+- Chrome DevTools (Lighthouse, Performance panel)
+- WebPageTest
+- Core Web Vitals (Chrome UX Report)
+- Bundle analyzers (webpack-bundle-analyzer)
+- Performance monitoring (Sentry, DataDog, New Relic)
+
+**Key metrics**:
+- LCP, FID/INP, CLS (Core Web Vitals)
+- Time to Interactive (TTI)
+- First Contentful Paint (FCP)
+- Total Blocking Time (TBT)
+- Bundle size
+- Request count
+
+**IMPORTANT**: Measure on real devices with real network conditions. Desktop Chrome with fast connection isn't representative.
+
+**NEVER**:
+- Optimize without measuring (premature optimization)
+- Sacrifice accessibility for performance
+- Break functionality while optimizing
+- Use `will-change` everywhere (creates new layers, uses memory)
+- Lazy load above-fold content
+- Optimize micro-optimizations while ignoring major issues (optimize the biggest bottleneck first)
+- Forget about mobile performance (often slower devices, slower connections)
+
+## Verify Improvements
+
+Test that optimizations worked:
+
+- **Before/after metrics**: Compare Lighthouse scores
+- **Real user monitoring**: Track improvements for real users
+- **Different devices**: Test on low-end Android, not just flagship iPhone
+- **Slow connections**: Throttle to 3G, test experience
+- **No regressions**: Ensure functionality still works
+- **User perception**: Does it *feel* faster?
+
+When the user-facing numbers move, hand off to `{{command_prefix}}impeccable polish` for the final pass.

.agents/skills/impeccable/reference/overdrive.md

@@ -0,0 +1,130 @@
+Start your response with:
+
+```
+──────────── ⚡ OVERDRIVE ─────────────
+》》》 Entering overdrive mode...
+```
+
+Push an interface past conventional limits. This isn't just about visual effects. It's about using the full power of the browser to make any part of an interface feel extraordinary: a table that handles a million rows, a dialog that morphs from its trigger, a form that validates in real-time with streaming feedback, a page transition that feels cinematic.
+
+**EXTRA IMPORTANT FOR THIS COMMAND**: Context determines what "extraordinary" means. A particle system on a creative portfolio is impressive. The same particle system on a settings page is embarrassing. But a settings page with instant optimistic saves and animated state transitions? That's extraordinary too. Understand the project's personality and goals before deciding what's appropriate.
+
+### Propose Before Building
+
+This command has the highest potential to misfire. Do NOT jump straight into implementation. You MUST:
+
+1. **Think through 2-3 different directions**: consider different techniques, levels of ambition, and aesthetic approaches. For each direction, briefly describe what the result would look and feel like.
+2. **{{ask_instruction}}** to present these directions and get the user's pick before writing any code. Explain trade-offs (browser support, performance cost, complexity).
+3. Only proceed with the direction the user confirms.
+
+Skipping this step risks building something embarrassing that needs to be thrown away.
+
+### Iterate with Browser Automation
+
+Technically ambitious effects almost never work on the first try. You MUST actively use browser automation tools to preview your work, visually verify the result, and iterate. Do not assume the effect looks right, check it. Expect multiple rounds of refinement. The gap between "technically works" and "looks extraordinary" is closed through visual iteration, not code alone.
+
+---
+
+## Assess What "Extraordinary" Means Here
+
+The right kind of technical ambition depends entirely on what you're working with. Before choosing a technique, ask: **what would make a user of THIS specific interface say "wow, that's nice"?**
+
+### For visual/marketing surfaces
+Pages, hero sections, landing pages, portfolios: the "wow" is often sensory: a scroll-driven reveal, a shader background, a cinematic page transition, generative art that responds to the cursor.
+
+### For functional UI
+Tables, forms, dialogs, navigation: the "wow" is in how it FEELS: a dialog that morphs from the button that triggered it via View Transitions, a data table that renders 100k rows at 60fps via virtual scrolling, a form with streaming validation that feels instant, drag-and-drop with spring physics.
+
+### For performance-critical UI
+The "wow" is invisible but felt: a search that filters 50k items without a flicker, a complex form that never blocks the main thread, an image editor that processes in near-real-time. The interface just never hesitates.
+
+### For data-heavy interfaces
+Charts and dashboards: the "wow" is in fluidity: GPU-accelerated rendering via Canvas/WebGL for massive datasets, animated transitions between data states, force-directed graph layouts that settle naturally.
+
+**The common thread**: something about the implementation goes beyond what users expect from a web interface. The technique serves the experience, not the other way around.
+
+## The Toolkit
+
+Organized by what you're trying to achieve, not by technology name.
+
+### Make transitions feel cinematic
+- **View Transitions API** (same-document: all browsers; cross-document: no Firefox): shared element morphing between states. A list item expanding into a detail page. A button morphing into a dialog. This is the closest thing to native FLIP animations.
+- **`@starting-style`** (all browsers): animate elements from `display: none` to visible with CSS only, including entry keyframes
+- **Spring physics**: natural motion with mass, tension, and damping instead of cubic-bezier. Libraries: motion (formerly Framer Motion), GSAP, or roll your own spring solver.
+
+### Tie animation to scroll position
+- **Scroll-driven animations** (`animation-timeline: scroll()`): CSS-only, no JS. Parallax, progress bars, reveal sequences all driven by scroll position. (Chrome/Edge/Safari; Firefox: flag only; always provide a static fallback)
+
+### Render beyond CSS
+- **WebGL** (all browsers): shader effects, post-processing, particle systems. Libraries: Three.js, OGL (lightweight), regl. Use for effects CSS can't express.
+- **WebGPU** (Chrome/Edge; Safari partial; Firefox: flag only): next-gen GPU compute. More powerful than WebGL but limited browser support. Always fall back to WebGL2.
+- **Canvas 2D / OffscreenCanvas**: custom rendering, pixel manipulation, or moving heavy rendering off the main thread entirely via Web Workers + OffscreenCanvas.
+- **SVG filter chains**: displacement maps, turbulence, morphology for organic distortion effects. CSS-animatable.
+
+### Make data feel alive
+- **Virtual scrolling**: render only visible rows for tables/lists with tens of thousands of items. No library required for simple cases; TanStack Virtual for complex ones.
+- **GPU-accelerated charts**: Canvas or WebGL-rendered data visualization for datasets too large for SVG/DOM. Libraries: deck.gl, regl-based custom renderers.
+- **Animated data transitions**: morph between chart states rather than replacing. D3's `transition()` or View Transitions for DOM-based charts.
+
+### Animate complex properties
+- **`@property`** (all browsers): register custom CSS properties with types, enabling animation of gradients, colors, and complex values that CSS can't normally interpolate.
+- **Web Animations API** (all browsers): JavaScript-driven animations with the performance of CSS. Composable, cancellable, reversible. The foundation for complex choreography.
+
+### Push performance boundaries
+- **Web Workers**: move computation off the main thread. Heavy data processing, image manipulation, search indexing: anything that would cause jank.
+- **OffscreenCanvas**: render in a Worker thread. The main thread stays free while complex visuals render in the background.
+- **WASM**: near-native performance for computation-heavy features. Image processing, physics simulations, codecs.
+
+### Interact with the device
+- **Web Audio API**: spatial audio, audio-reactive visualizations, sonic feedback. Requires user gesture to start.
+- **Device APIs**: orientation, ambient light, geolocation. Use sparingly and always with user permission.
+
+**NOTE**: This command is about enhancing how an interface FEELS, not changing what a product DOES. Adding real-time collaboration, offline support, or new backend capabilities are product decisions, not UI enhancements. Focus on making existing features feel extraordinary.
+
+## Implement with Discipline
+
+### Progressive enhancement is non-negotiable
+
+Every technique must degrade gracefully. The experience without the enhancement must still be good.
+
+```css
+@supports (animation-timeline: scroll()) {
+  .hero { animation-timeline: scroll(); }
+}
+```
+
+```javascript
+if ('gpu' in navigator) { /* WebGPU */ }
+else if (canvas.getContext('webgl2')) { /* WebGL2 fallback */ }
+/* CSS-only fallback must still look good */
+```
+
+### Performance rules
+
+- Target 60fps. If dropping below 50, simplify.
+- Respect `prefers-reduced-motion`, always. Provide a beautiful static alternative.
+- Lazy-initialize heavy resources (WebGL contexts, WASM modules) only when near viewport.
+- Pause off-screen rendering. Kill what you can't see.
+- Test on real mid-range devices, not just your development machine.
+
+### Polish is the difference
+
+The gap between "cool" and "extraordinary" is in the last 20% of refinement: the easing curve on a spring animation, the timing offset in a staggered reveal, the subtle secondary motion that makes a transition feel physical. Don't ship the first version that works; ship the version that feels inevitable.
+
+**NEVER**:
+- Ignore `prefers-reduced-motion`. This is an accessibility requirement, not a suggestion
+- Ship effects that cause jank on mid-range devices
+- Use bleeding-edge APIs without a functional fallback
+- Add sound without explicit user opt-in
+- Use technical ambition to mask weak design fundamentals; fix those first with other commands
+- Layer multiple competing extraordinary moments. Focus creates impact, excess creates noise
+
+## Verify the Result
+
+- **The wow test**: Show it to someone who hasn't seen it. Do they react?
+- **The removal test**: Take it away. Does the experience feel diminished, or does nobody notice?
+- **The device test**: Run it on a phone, a tablet, a Chromebook. Still smooth?
+- **The accessibility test**: Enable reduced motion. Still beautiful?
+- **The context test**: Does this make sense for THIS brand and audience?
+
+"Technically extraordinary" isn't about using the newest API. It's about making an interface do something users didn't think a website could do.

.agents/skills/impeccable/reference/personas.md

@@ -0,0 +1,179 @@
+# Persona-Based Design Testing
+
+Test the interface through the eyes of 5 distinct user archetypes. Each persona exposes different failure modes that a single "design director" perspective would miss.
+
+**How to use**: Select 2–3 personas most relevant to the interface being critiqued. Walk through the primary user action as each persona. Report specific red flags, not generic concerns.
+
+---
+
+## 1. Impatient Power User: "Alex"
+
+
+**Profile**: Expert with similar products. Expects efficiency, hates hand-holding. Will find shortcuts or leave.
+
+**Behaviors**:
+- Skips all onboarding and instructions
+- Looks for keyboard shortcuts immediately
+- Tries to bulk-select, batch-edit, and automate
+- Gets frustrated by required steps that feel unnecessary
+- Abandons if anything feels slow or patronizing
+
+**Test Questions**:
+- Can Alex complete the core task in under 60 seconds?
+- Are there keyboard shortcuts for common actions?
+- Can onboarding be skipped entirely?
+- Do modals have keyboard dismiss (Esc)?
+- Is there a "power user" path (shortcuts, bulk actions)?
+
+**Red Flags** (report these specifically):
+- Forced tutorials or unskippable onboarding
+- No keyboard navigation for primary actions
+- Slow animations that can't be skipped
+- One-item-at-a-time workflows where batch would be natural
+- Redundant confirmation steps for low-risk actions
+
+---
+
+## 2. Confused First-Timer: "Jordan"
+
+**Profile**: Never used this type of product. Needs guidance at every step. Will abandon rather than figure it out.
+
+**Behaviors**:
+- Reads all instructions carefully
+- Hesitates before clicking anything unfamiliar
+- Looks for help or support constantly
+- Misunderstands jargon and abbreviations
+- Takes the most literal interpretation of any label
+
+**Test Questions**:
+- Is the first action obviously clear within 5 seconds?
+- Are all icons labeled with text?
+- Is there contextual help at decision points?
+- Does terminology assume prior knowledge?
+- Is there a clear "back" or "undo" at every step?
+
+**Red Flags** (report these specifically):
+- Icon-only navigation with no labels
+- Technical jargon without explanation
+- No visible help option or guidance
+- Ambiguous next steps after completing an action
+- No confirmation that an action succeeded
+
+---
+
+## 3. Accessibility-Dependent User: "Sam"
+
+**Profile**: Uses screen reader (VoiceOver/NVDA), keyboard-only navigation. May have low vision, motor impairment, or cognitive differences.
+
+**Behaviors**:
+- Tabs through the interface linearly
+- Relies on ARIA labels and heading structure
+- Cannot see hover states or visual-only indicators
+- Needs adequate color contrast (4.5:1 minimum)
+- May use browser zoom up to 200%
+
+**Test Questions**:
+- Can the entire primary flow be completed keyboard-only?
+- Are all interactive elements focusable with visible focus indicators?
+- Do images have meaningful alt text?
+- Is color contrast WCAG AA compliant (4.5:1 for text)?
+- Does the screen reader announce state changes (loading, success, errors)?
+
+**Red Flags** (report these specifically):
+- Click-only interactions with no keyboard alternative
+- Missing or invisible focus indicators
+- Meaning conveyed by color alone (red = error, green = success)
+- Unlabeled form fields or buttons
+- Time-limited actions without extension option
+- Custom components that break screen reader flow
+
+---
+
+## 4. Deliberate Stress Tester: "Riley"
+
+**Profile**: Methodical user who pushes interfaces beyond the happy path. Tests edge cases, tries unexpected inputs, and probes for gaps in the experience.
+
+**Behaviors**:
+- Tests edge cases intentionally (empty states, long strings, special characters)
+- Submits forms with unexpected data (emoji, RTL text, very long values)
+- Tries to break workflows by navigating backwards, refreshing mid-flow, or opening in multiple tabs
+- Looks for inconsistencies between what the UI promises and what actually happens
+- Documents problems methodically
+
+**Test Questions**:
+- What happens at the edges (0 items, 1000 items, very long text)?
+- Do error states recover gracefully or leave the UI in a broken state?
+- What happens on refresh mid-workflow? Is state preserved?
+- Are there features that appear to work but produce broken results?
+- How does the UI handle unexpected input (emoji, special chars, paste from Excel)?
+
+**Red Flags** (report these specifically):
+- Features that appear to work but silently fail or produce wrong results
+- Error handling that exposes technical details or leaves UI in a broken state
+- Empty states that show nothing useful ("No results" with no guidance)
+- Workflows that lose user data on refresh or navigation
+- Inconsistent behavior between similar interactions in different parts of the UI
+
+---
+
+## 5. Distracted Mobile User: "Casey"
+
+**Profile**: Using phone one-handed on the go. Frequently interrupted. Possibly on a slow connection.
+
+**Behaviors**:
+- Uses thumb only; prefers bottom-of-screen actions
+- Gets interrupted mid-flow and returns later
+- Switches between apps frequently
+- Has limited attention span and low patience
+- Types as little as possible, prefers taps and selections
+
+**Test Questions**:
+- Are primary actions in the thumb zone (bottom half of screen)?
+- Is state preserved if the user leaves and returns?
+- Does it work on slow connections (3G)?
+- Can forms use autocomplete and smart defaults?
+- Are touch targets at least 44×44pt?
+
+**Red Flags** (report these specifically):
+- Important actions positioned at the top of the screen (unreachable by thumb)
+- No state persistence; progress lost on tab switch or interruption
+- Large text inputs required where selection would work
+- Heavy assets loading on every page (no lazy loading)
+- Tiny tap targets or targets too close together
+
+---
+
+## Selecting Personas
+
+Choose personas based on the interface type:
+
+| Interface Type | Primary Personas | Why |
+|---------------|-----------------|-----|
+| Landing page / marketing | Jordan, Riley, Casey | First impressions, trust, mobile |
+| Dashboard / admin | Alex, Sam | Power users, accessibility |
+| E-commerce / checkout | Casey, Riley, Jordan | Mobile, edge cases, clarity |
+| Onboarding flow | Jordan, Casey | Confusion, interruption |
+| Data-heavy / analytics | Alex, Sam | Efficiency, keyboard nav |
+| Form-heavy / wizard | Jordan, Sam, Casey | Clarity, accessibility, mobile |
+
+---
+
+## Project-Specific Personas
+
+If `{{config_file}}` contains a `## Design Context` section (generated by `impeccable teach`), derive 1–2 additional personas from the audience and brand information:
+
+1. Read the target audience description
+2. Identify the primary user archetype not covered by the 5 predefined personas
+3. Create a persona following this template:
+
+```
+### [Role]: "[Name]"
+
+**Profile**: [2-3 key characteristics derived from Design Context]
+
+**Behaviors**: [3-4 specific behaviors based on the described audience]
+
+**Red Flags**: [3-4 things that would alienate this specific user type]
+```
+
+Only generate project-specific personas when real Design Context data is available. Don't invent audience details; use the 5 predefined personas when no context exists.

.agents/skills/impeccable/reference/polish.md

@@ -0,0 +1,242 @@
+> **Additional context needed**: quality bar (MVP vs flagship).
+
+Perform a meticulous final pass to catch all the small details that separate good work from great work. The difference between shipped and polished.
+
+Detector and automated QA output are defect evidence only. A clean script result is never proof that the design is strong; gather browser evidence and inspect the real interaction path.
+
+## Design System Discovery
+
+Aligning the feature to the design system is **not optional**. Polish without alignment is decoration on top of drift, and it makes the next person's job harder. Discovery comes before any other polish work.
+
+1. **Find the design system**: Search for design system documentation, component libraries, style guides, or token definitions. Study the core patterns: design principles, target audience, color tokens, spacing scale, typography styles, component API, motion conventions.
+2. **Note the conventions**: How are shared components imported? What spacing scale is used? Which colors come from tokens vs hard-coded values? What motion and interaction patterns are established? What flow shapes are used for comparable actions (modal vs full-page, inline vs route, save-on-blur vs explicit submit)?
+3. **Identify drift, then name the root cause**: For every deviation, classify it as a **missing token** (the value should exist in the system but doesn't), a **one-off implementation** (a shared component already exists but wasn't used), or a **conceptual misalignment** (the feature's flow, IA, or hierarchy doesn't match neighboring features). The fix differs by category: patch the value, swap to the shared component, or rework the flow. Fixing the symptom without naming the cause is how drift compounds.
+
+If a design system exists, polish **must** align the feature with it. If none exists, polish against the conventions visible in the codebase. **If anything about the system is ambiguous, ask. Never guess at design system principles.**
+
+## Pre-Polish Assessment
+
+Understand the current state and goals before touching anything:
+
+1. **Review completeness**:
+   - Is it functionally complete?
+   - Are there known issues to preserve (mark with TODOs)?
+   - What's the quality bar? (MVP vs flagship feature?)
+   - When does it ship? (How much time for polish?)
+
+2. **Think experience-first**: Who actually uses this, and what's the best possible experience for them? Effective design beats decorative polish; a feature that looks beautiful but fights the user's flow is not polished. Walk the path from their perspective before opening DevTools.
+
+3. **Identify polish areas**:
+   - Visual inconsistencies
+   - Spacing and alignment issues
+   - Interaction state gaps
+   - Copy inconsistencies
+   - Edge cases and error states
+   - Loading and transition smoothness
+   - Information architecture and flow drift (does this feature reveal complexity the way neighboring features do?)
+
+4. **Pull in any prior critique** (optional signal): If `{{command_prefix}}impeccable critique` has been run on the same target, its priority issues are a useful prior for what to address first. Resolve the target to a file path or URL, then:
+   ```bash
+   slug=$(node {{scripts_path}}/critique-storage.mjs slug "<resolved>")
+   node {{scripts_path}}/critique-storage.mjs latest "$slug"
+   ```
+   Exit 0 with body = found; fold the P0/P1 items into your polish list and mention the snapshot path so the user sees what you read. Exit 2 = no snapshot, continue without it. The critique is one input among many. Do your own pass either way.
+
+5. **Triage cosmetic vs functional**: Classify each issue as **cosmetic** (looks off, doesn't impede the user) or **functional** (breaks, blocks, or confuses the experience). When polish time is tight, functional issues ship first; cosmetic ones can land in a follow-up. Quality should be consistent; never perfect one corner while leaving another rough.
+
+**CRITICAL**: Polish is the last step, not the first. Don't polish work that's not functionally complete.
+
+## Polish Systematically
+
+Work through these dimensions methodically:
+
+### Visual Alignment & Spacing
+
+- **Pixel-perfect alignment**: Everything lines up to grid
+- **Consistent spacing**: All gaps use spacing scale (no random 13px gaps)
+- **Optical alignment**: Adjust for visual weight (icons may need offset for optical centering)
+- **Responsive consistency**: Spacing and alignment work at all breakpoints
+- **Grid adherence**: Elements snap to baseline grid
+
+**Check**:
+- Enable grid overlay and verify alignment
+- Check spacing with browser inspector
+- Test at multiple viewport sizes
+- Look for elements that "feel" off
+
+### Information Architecture & Flow
+
+Visual polish on a misshapen flow is wasted work. Match the *shape* of the experience to the system, not just the surface.
+
+- **Progressive disclosure**: Match how much is revealed when, compared to neighboring features. A settings page exposing 40 fields when the rest of the app reveals 5 at a time is drift, even if every field is perfectly styled.
+- **Established user flows**: Multi-step actions follow the same shape as comparable flows elsewhere: modal vs full-page, inline edit vs separate route, save-on-blur vs explicit submit, optimistic vs pessimistic updates.
+- **Hierarchy & complexity**: The same conceptual weight gets the same visual weight throughout. Primary actions don't become tertiary in one corner of the product, and tertiary actions don't shout.
+- **Empty, loading, and arrival transitions**: How content arrives, updates, and leaves matches how it does in adjacent features.
+- **Naming and mental model**: The feature uses the same nouns and verbs as the rest of the system. A "Workspace" here shouldn't be a "Project" three screens away.
+
+### Typography Refinement
+
+- **Hierarchy consistency**: Same elements use same sizes/weights throughout
+- **Line length**: 45-75 characters for body text
+- **Line height**: Appropriate for font size and context
+- **Widows & orphans**: No single words on last line
+- **Hyphenation**: Appropriate for language and column width
+- **Kerning**: Adjust letter spacing where needed (especially headlines)
+- **Font loading**: No FOUT/FOIT flashes
+
+### Color & Contrast
+
+- **Contrast ratios**: All text meets WCAG standards
+- **Consistent token usage**: No hard-coded colors, all use design tokens
+- **Theme consistency**: Works in all theme variants
+- **Color meaning**: Same colors mean same things throughout
+- **Accessible focus**: Focus indicators visible with sufficient contrast
+- **Tinted neutrals**: No pure gray or pure black; add subtle color tint (0.01 chroma)
+- **Gray on color**: Never put gray text on colored backgrounds; use a shade of that color or transparency
+
+### Interaction States
+
+Every interactive element needs all states:
+
+- **Default**: Resting state
+- **Hover**: Subtle feedback (color, scale, shadow)
+- **Focus**: Keyboard focus indicator (never remove without replacement)
+- **Active**: Click/tap feedback
+- **Disabled**: Clearly non-interactive
+- **Loading**: Async action feedback
+- **Error**: Validation or error state
+- **Success**: Successful completion
+
+**Missing states create confusion and broken experiences**.
+
+### Micro-interactions & Transitions
+
+- **Smooth transitions**: All state changes animated appropriately (150-300ms)
+- **Consistent easing**: Use ease-out-quart/quint/expo for natural deceleration. Never bounce or elastic; they feel dated.
+- **No jank**: Smooth animations; use atmospheric blur/filter/mask/shadow effects when they add polish, but bound expensive paint areas and avoid casual layout-property animation
+- **Appropriate motion**: Motion serves purpose, not decoration
+- **Reduced motion**: Respects `prefers-reduced-motion`
+
+### Content & Copy
+
+- **Consistent terminology**: Same things called same names throughout
+- **Consistent capitalization**: Title Case vs Sentence case applied consistently
+- **Grammar & spelling**: No typos
+- **Appropriate length**: Not too wordy, not too terse
+- **Punctuation consistency**: Periods on sentences, not on labels (unless all labels have them)
+
+### Icons & Images
+
+- **Consistent style**: All icons from same family or matching style
+- **Appropriate sizing**: Icons sized consistently for context
+- **Proper alignment**: Icons align with adjacent text optically
+- **Alt text**: All images have descriptive alt text
+- **Loading states**: Images don't cause layout shift, proper aspect ratios
+- **Retina support**: 2x assets for high-DPI screens
+
+### Forms & Inputs
+
+- **Label consistency**: All inputs properly labeled
+- **Required indicators**: Clear and consistent
+- **Error messages**: Helpful and consistent
+- **Tab order**: Logical keyboard navigation
+- **Auto-focus**: Appropriate (don't overuse)
+- **Validation timing**: Consistent (on blur vs on submit)
+
+### Edge Cases & Error States
+
+- **Loading states**: All async actions have loading feedback
+- **Empty states**: Helpful empty states, not just blank space
+- **Error states**: Clear error messages with recovery paths
+- **Success states**: Confirmation of successful actions
+- **Long content**: Handles very long names, descriptions, etc.
+- **No content**: Handles missing data gracefully
+- **Offline**: Appropriate offline handling (if applicable)
+
+### Responsiveness
+
+- **All breakpoints**: Test mobile, tablet, desktop
+- **Touch targets**: 44x44px minimum on touch devices
+- **Readable text**: No text smaller than 14px on mobile
+- **No horizontal scroll**: Content fits viewport
+- **Appropriate reflow**: Content adapts logically
+
+### Performance
+
+- **Fast initial load**: Optimize critical path
+- **No layout shift**: Elements don't jump after load (CLS)
+- **Smooth interactions**: No lag or jank
+- **Optimized images**: Appropriate formats and sizes
+- **Lazy loading**: Off-screen content loads lazily
+
+### Code Quality
+
+- **Remove console logs**: No debug logging in production
+- **Remove commented code**: Clean up dead code
+- **Remove unused imports**: Clean up unused dependencies
+- **Consistent naming**: Variables and functions follow conventions
+- **Type safety**: No TypeScript `any` or ignored errors
+- **Accessibility**: Proper ARIA labels and semantic HTML
+
+## Polish Checklist
+
+Go through systematically:
+
+- [ ] Aligned to the design system (drift named and resolved by root cause)
+- [ ] Information architecture and flow shape match neighboring features
+- [ ] Visual alignment perfect at all breakpoints
+- [ ] Spacing uses design tokens consistently
+- [ ] Typography hierarchy consistent
+- [ ] All interactive states implemented
+- [ ] All transitions smooth (60fps)
+- [ ] Copy is consistent and polished
+- [ ] Icons are consistent and properly sized
+- [ ] All forms properly labeled and validated
+- [ ] Error states are helpful
+- [ ] Loading states are clear
+- [ ] Empty states are welcoming
+- [ ] Touch targets are 44x44px minimum
+- [ ] Contrast ratios meet WCAG AA
+- [ ] Keyboard navigation works
+- [ ] Focus indicators visible
+- [ ] No console errors or warnings
+- [ ] No layout shift on load
+- [ ] Works in all supported browsers
+- [ ] Respects reduced motion preference
+- [ ] Code is clean (no TODOs, console.logs, commented code)
+
+**IMPORTANT**: Polish is about details. Zoom in. Squint at it. Use it yourself. The little things add up.
+
+Sweat the details. Zoom in until the alignment is right and the spacing reads as deliberate. Then ship.
+
+**NEVER**:
+- Polish before it's functionally complete
+- Polish without aligning to the design system; that's decoration on drift
+- Guess at design system principles instead of asking when something is ambiguous
+- Spend hours on polish if it ships in 30 minutes (triage)
+- Introduce bugs while polishing (test thoroughly)
+- Ignore systematic issues (if spacing is off everywhere, fix the system, not just one screen)
+- Perfect one thing while leaving others rough (consistent quality level)
+- Create new one-off components when design system equivalents exist
+- Hard-code values that should use design tokens
+- Introduce new patterns or flows that diverge from established ones
+
+## Final Verification
+
+Before marking as done:
+
+- **Use it yourself**: Actually interact with the feature.
+- **Test on real devices**: Not just browser DevTools.
+- **Ask someone else to review**: Fresh eyes catch things.
+- **Compare to design**: Match intended design.
+- **Check all states**: Don't just test happy path.
+- **Treat automation carefully**: Run detector or QA commands when they are available and relevant, fix their defects, but never cite a clean result as proof that the work is polished.
+
+## Clean Up
+
+After polishing, ensure code quality:
+
+- **Replace custom implementations**: If the design system provides a component you reimplemented, switch to the shared version.
+- **Remove orphaned code**: Delete unused styles, components, or files made obsolete by polish.
+- **Consolidate tokens**: If you introduced new values, check whether they should be tokens.
+- **Verify DRYness**: Look for duplication introduced during polishing and consolidate.

.agents/skills/impeccable/reference/product.md

@@ -0,0 +1,62 @@
+# Product register
+
+When design SERVES the product: app UIs, admin dashboards, settings panels, data tables, tools, authenticated surfaces, anything where the user is in a task.
+
+## The product slop test
+
+Not "would someone say AI made this." Familiarity is often a feature here. The test is: would a user fluent in the category's best tools (Linear, Figma, Notion, Raycast, Stripe come to mind) sit down and trust this interface, or pause at every subtly-off component?
+
+Product UI's failure mode isn't flatness, it's strangeness without purpose: over-decorated buttons, mismatched form controls, gratuitous motion, display fonts where labels should be, invented affordances for standard tasks. The bar is earned familiarity. The tool should disappear into the task.
+
+## Typography
+
+- **System fonts are legitimate.** `-apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif` gives you native feel on every platform. Inter is the common cross-platform default for a reason.
+- **One family is often right.** Product UIs don't need display/body pairing. A well-tuned sans carries headings, buttons, labels, body, data.
+- **Fixed rem scale, not fluid.** Clamp-sized headings don't serve product UI. Users view at consistent DPI, and a fluid h1 that shrinks in a sidebar looks worse, not better.
+- **Tighter scale ratio.** 1.125–1.2 between steps is typical. More type elements here than on brand surfaces; exaggerated contrast creates noise.
+- **Line length still applies for prose** (65–75ch). Data and compact UI can run denser; tables at 120ch+ are fine.
+
+## Color
+
+Product defaults to Restrained. A single surface can earn Committed (a dashboard where one category color carries a report, an onboarding flow with a drenched welcome screen), but Restrained is the floor.
+
+- State-rich semantic vocabulary: hover, focus, active, disabled, selected, loading, error, warning, success, info. Standardize these.
+- Accent color used for primary actions, current selection, and state indicators only, not decoration.
+- A second neutral layer for sidebars, toolbars, and panels (slightly cooler or warmer than the content surface).
+
+## Layout
+
+- Predictable grids. Consistency IS an affordance; users navigate faster when the structure is expected.
+- Familiar patterns are features. Standard navigation (top bar, side nav), breadcrumbs, tabs, and form layouts have established user expectations. Don't reinvent for flavor.
+- Responsive behavior is structural (collapse sidebar, responsive table, breakpoint-driven columns), not fluid typography.
+
+## Components
+
+Every interactive component has: default, hover, focus, active, disabled, loading, error. Don't ship with half of these.
+
+- Skeleton states for loading, not spinners in the middle of content.
+- Empty states that teach the interface, not "nothing here."
+- Consistent affordances across the surface. Same button shape. Same form-control vocabulary. Same icon style.
+
+## Motion
+
+- 150–250 ms on most transitions. Users are in flow; don't make them wait for choreography.
+- Motion conveys state, not decoration. State change, feedback, loading, reveal: nothing else.
+- No orchestrated page-load sequences. Product loads into a task; users don't want to watch it load.
+
+## Product bans (on top of the shared absolute bans)
+
+- Decorative motion that doesn't convey state.
+- Inconsistent component vocabulary across screens. If the "save" button looks different in two places, one is wrong.
+- Display fonts in UI labels, buttons, data.
+- Reinventing standard affordances for flavor (custom scrollbars, weird form controls, non-standard modals).
+- Heavy color or full-saturation accents on inactive states.
+
+## Product permissions
+
+Product can afford things brand surfaces can't.
+
+- System fonts and familiar sans defaults (Inter, SF Pro, system-ui stacks).
+- Standard navigation patterns: top bar + side nav, breadcrumbs, tabs, command palettes.
+- Density. Tables with many rows, panels with many labels, dense information when users need it.
+- Consistency over surprise. The same visual vocabulary screen to screen is a virtue; delight is saved for moments, not pages.

.agents/skills/impeccable/reference/quieter.md

@@ -0,0 +1,99 @@
+Quiet design is harder than bold design. Subtlety needs precision. Reduce visual intensity in designs that are too loud, aggressive, or overstimulating without losing personality or making the result generic.
+
+---
+
+## Register
+
+Brand: "quieter" means more restrained palette, more whitespace, more typographic air. Drama is reduced, not eliminated; the POV stays intact.
+
+Product: "quieter" means reducing visual noise. Fewer background accents, flatter cards, less color, less motion. The tool should disappear more completely into the task.
+
+---
+
+## Assess Current State
+
+Analyze what makes the design feel too intense:
+
+1. **Identify intensity sources**:
+   - **Color saturation**: Overly bright or saturated colors
+   - **Contrast extremes**: Too much high-contrast juxtaposition
+   - **Visual weight**: Too many bold, heavy elements competing
+   - **Animation excess**: Too much motion or overly dramatic effects
+   - **Complexity**: Too many visual elements, patterns, or decorations
+   - **Scale**: Everything is large and loud with no hierarchy
+
+2. **Understand the context**:
+   - What's the purpose? (Marketing vs tool vs reading experience)
+   - Who's the audience? (Some contexts need energy)
+   - What's working? (Don't throw away good ideas)
+   - What's the core message? (Preserve what matters)
+
+If any of these are unclear from the codebase, {{ask_instruction}}
+
+**CRITICAL**: "Quieter" doesn't mean boring or generic. It means refined and easier on the eyes. Think luxury, not laziness.
+
+## Plan Refinement
+
+Create a strategy to reduce intensity while maintaining impact:
+
+- **Color approach**: Desaturate or shift to more restrained tones?
+- **Hierarchy approach**: Which elements should stay bold (very few), which should recede?
+- **Simplification approach**: What can be removed entirely?
+- **Sophistication approach**: How can we signal quality through restraint?
+
+**IMPORTANT**: Subtlety requires precision. Quiet without intent collapses to generic.
+
+## Refine the Design
+
+Systematically reduce intensity across these dimensions:
+
+### Color Refinement
+- **Reduce saturation**: Shift from fully saturated to 70-85% saturation
+- **Soften palette**: Replace bright colors with muted tones
+- **Reduce color variety**: Use fewer colors more thoughtfully
+- **Neutral dominance**: Let neutrals do more work, use color as accent (10% rule)
+- **Gentler contrasts**: High contrast only where it matters most
+- **Tinted grays**: Use warm or cool tinted grays instead of pure gray. Adds depth without loudness
+- **Never gray on color**: If you have gray text on a colored background, use a darker shade of that color or transparency instead
+
+### Visual Weight Reduction
+- **Typography**: Reduce font weights (900 → 600, 700 → 500), decrease sizes where appropriate
+- **Hierarchy through subtlety**: Use weight, size, and space instead of color and boldness
+- **White space**: Increase breathing room, reduce density
+- **Borders & lines**: Reduce thickness, decrease opacity, or remove entirely
+
+### Simplification
+- **Remove decorative elements**: Gradients, shadows, patterns, textures that don't serve purpose
+- **Simplify shapes**: Reduce border radius extremes, simplify custom shapes
+- **Reduce layering**: Flatten visual hierarchy where possible
+- **Clean up effects**: Reduce or remove blur effects, glows, multiple shadows
+
+### Motion Reduction
+- **Reduce animation intensity**: Shorter distances (10-20px instead of 40px), gentler easing
+- **Remove decorative animations**: Keep functional motion, remove flourishes
+- **Subtle micro-interactions**: Replace dramatic effects with gentle feedback
+- **Refined easing**: Use ease-out-quart for smooth, understated motion. Never bounce or elastic
+- **Remove animations entirely** if they're not serving a clear purpose
+
+### Composition Refinement
+- **Reduce scale jumps**: Smaller contrast between sizes creates calmer feeling
+- **Align to grid**: Bring rogue elements back into systematic alignment
+- **Even out spacing**: Replace extreme spacing variations with consistent rhythm
+
+**NEVER**:
+- Make everything the same size/weight (hierarchy still matters)
+- Remove all color (quiet ≠ grayscale)
+- Eliminate all personality (maintain character through refinement)
+- Sacrifice usability for aesthetics (functional elements still need clear affordances)
+- Make everything small and light (some anchors needed)
+
+## Verify Quality
+
+Ensure refinement maintains quality:
+
+- **Still functional**: Can users still accomplish tasks easily?
+- **Still distinctive**: Does it have character, or is it generic now?
+- **Better reading**: Is text easier to read for extended periods?
+- **Restrained, not absent**: Does the POV survive the cuts?
+
+When the result feels right, hand off to `{{command_prefix}}impeccable polish` for the final pass.

.agents/skills/impeccable/reference/responsive-design.md

@@ -0,0 +1,114 @@
+# Responsive Design
+
+## Mobile-First: Write It Right
+
+Start with base styles for mobile, use `min-width` queries to layer complexity. Desktop-first (`max-width`) means mobile loads unnecessary styles first.
+
+## Breakpoints: Content-Driven
+
+Don't chase device sizes; let content tell you where to break. Start narrow, stretch until design breaks, add breakpoint there. Three breakpoints usually suffice (640, 768, 1024px). Use `clamp()` for fluid values without breakpoints.
+
+## Detect Input Method, Not Just Screen Size
+
+**Screen size doesn't tell you input method.** A laptop with touchscreen, a tablet with keyboard. Use pointer and hover queries:
+
+```css
+/* Fine pointer (mouse, trackpad) */
+@media (pointer: fine) {
+  .button { padding: 8px 16px; }
+}
+
+/* Coarse pointer (touch, stylus) */
+@media (pointer: coarse) {
+  .button { padding: 12px 20px; }  /* Larger touch target */
+}
+
+/* Device supports hover */
+@media (hover: hover) {
+  .card:hover { transform: translateY(-2px); }
+}
+
+/* Device doesn't support hover (touch) */
+@media (hover: none) {
+  .card { /* No hover state - use active instead */ }
+}
+```
+
+**Critical**: Don't rely on hover for functionality. Touch users can't hover.
+
+## Safe Areas: Handle the Notch
+
+Modern phones have notches, rounded corners, and home indicators. Use `env()`:
+
+```css
+body {
+  padding-top: env(safe-area-inset-top);
+  padding-bottom: env(safe-area-inset-bottom);
+  padding-left: env(safe-area-inset-left);
+  padding-right: env(safe-area-inset-right);
+}
+
+/* With fallback */
+.footer {
+  padding-bottom: max(1rem, env(safe-area-inset-bottom));
+}
+```
+
+**Enable viewport-fit** in your meta tag:
+```html
+<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+```
+
+## Responsive Images: Get It Right
+
+### srcset with Width Descriptors
+
+```html
+<img
+  src="hero-800.jpg"
+  srcset="
+    hero-400.jpg 400w,
+    hero-800.jpg 800w,
+    hero-1200.jpg 1200w
+  "
+  sizes="(max-width: 768px) 100vw, 50vw"
+  alt="Hero image"
+>
+```
+
+**How it works**:
+- `srcset` lists available images with their actual widths (`w` descriptors)
+- `sizes` tells the browser how wide the image will display
+- Browser picks the best file based on viewport width AND device pixel ratio
+
+### Picture Element for Art Direction
+
+When you need different crops/compositions (not just resolutions):
+
+```html
+<picture>
+  <source media="(min-width: 768px)" srcset="wide.jpg">
+  <source media="(max-width: 767px)" srcset="tall.jpg">
+  <img src="fallback.jpg" alt="...">
+</picture>
+```
+
+## Layout Adaptation Patterns
+
+**Navigation**: Three stages: hamburger + drawer on mobile, horizontal compact on tablet, full with labels on desktop. **Tables**: Transform to cards on mobile using `display: block` and `data-label` attributes. **Progressive disclosure**: Use `<details>/<summary>` for content that can collapse on mobile.
+
+## Testing: Don't Trust DevTools Alone
+
+DevTools device emulation is useful for layout but misses:
+
+- Actual touch interactions
+- Real CPU/memory constraints
+- Network latency patterns
+- Font rendering differences
+- Browser chrome/keyboard appearances
+
+**Test on at least**: One real iPhone, one real Android, a tablet if relevant. Cheap Android phones reveal performance issues you'll never see on simulators.
+
+---
+
+**Avoid**: Desktop-first design. Device detection instead of feature detection. Separate mobile/desktop codebases. Ignoring tablet and landscape. Assuming all mobile devices are powerful.

.agents/skills/impeccable/reference/shape.md

@@ -0,0 +1,165 @@
+Shape the UX and UI for a feature before any code is written. This command produces a **design brief**: a structured artifact that guides implementation through discovery, not guesswork.
+
+**Scope**: Design planning only. This command does NOT write code. It produces the thinking that makes code good.
+
+**Output**: A design brief that can be handed off to {{command_prefix}}impeccable craft, or directly to {{command_prefix}}impeccable for freeform implementation. When visual direction probes are used, the images are supporting artifacts, not the primary output.
+
+## Philosophy
+
+Most AI-generated UIs fail not because of bad code, but because of skipped thinking. They jump to "here's a card grid" without asking "what is the user trying to accomplish?" This command inverts that: understand deeply first, so implementation is precise.
+
+## Phase 1: Discovery Interview
+
+**Do NOT write any code or make any design decisions during this phase.** Your only job is to understand the feature deeply enough to make excellent design decisions later.
+
+This is a required interaction, not optional guidance. Ask these questions in conversation, adapting based on answers. Don't dump them all at once; have a natural dialogue. {{ask_instruction}}
+
+### Interview cadence
+
+Discovery includes at least one user-answer round unless PRODUCT.md, DESIGN.md, or an already-confirmed brief directly answers the needed inputs. With a sparse prompt, do **not** synthesize a complete brief for confirmation on the first response.
+
+- Use the harness's structured question tool when one exists. Otherwise, ask directly in chat and stop.
+- Ask **2-3 questions per round**, then wait for answers.
+- Treat PRODUCT.md and DESIGN.md as anchors; they reduce repeated questions but do **not** replace shape for craft. Shape is task-specific.
+- One round is the default. Add a second only if the first answers leave material gaps. Don't run a second round just to feel thorough.
+- Round 1 should clarify purpose, audience/context, content/scope, and (for brand) visual direction.
+- Round 2, when needed, fills in whatever's still genuinely missing.
+
+**Assert-then-confirm, not menu-with-escape.** When PRODUCT.md and the user's prompt make one option obvious, name it and ask the user to confirm or override. Don't enumerate "Restrained / Committed / Or something else?" as a real choice; "This reads as Restrained, confirm?" beats a four-option menu when the answer is already clear.
+
+### Purpose & Context
+- What is this feature for? What problem does it solve?
+- Who specifically will use it? (Not "users"; be specific: role, context, frequency)
+- What does success look like? How will you know this feature is working?
+- What's the user's state of mind when they reach this feature? (Rushed? Exploring? Anxious? Focused?)
+
+### Content & Data
+- What content or data does this feature display or collect?
+- What are the realistic ranges? (Minimum, typical, maximum, e.g., 0 items, 5 items, 500 items)
+- What are the edge cases? (Empty state, error state, first-time use, power user)
+- Is any content dynamic? What changes and how often?
+- What visual assets are real content here? Note required images, product shots, illustrations, maps, textures, diagrams, generated objects, or existing project assets.
+
+### Design Direction
+
+Force a visual decision on three fronts. Skip anything PRODUCT.md or DESIGN.md already answers; ask only what's missing.
+
+- **Color strategy for this surface.** Pick one: Restrained / Committed / Full palette / Drenched. Can override the project default if the surface earns it (e.g. a drenched hero inside an otherwise Restrained product).
+- **Theme via scene sentence.** Write one sentence of physical context for this surface: who uses it, where, under what ambient light, in what mood. The sentence forces dark vs light. If it doesn't, add detail until it does.
+- **Two or three named anchor references.** Specific products, brands, objects. Not adjectives like "modern" or "clean."
+
+### Scope
+
+Always ask. Sketch quality and shipped quality are different outputs; don't guess between them.
+
+- **Fidelity.** Sketch / mid-fi / high-fi / production-ready?
+- **Breadth.** One screen / a flow / a whole surface?
+- **Interactivity.** Static visual / interactive prototype / shipped-quality component?
+- **Time intent.** Quick exploration, or polish until it ships?
+
+Scope answers are task-scoped. Don't write them to PRODUCT.md or DESIGN.md; carry them through the design brief only.
+
+### Constraints
+- Are there technical constraints? (Framework, performance budget, browser support)
+- Are there content constraints? (Localization, dynamic text length, user-generated content)
+- Mobile/responsive requirements?
+- Accessibility requirements beyond WCAG AA?
+
+### Anti-Goals
+- What should this NOT be? What would be a wrong direction?
+- What's the biggest risk of getting this wrong?
+
+## Phase 1.5: Visual Direction Probe (Capability-Gated)
+
+After the discovery interview, generate a small set of visual direction probes **before** writing the final brief when all of these are true:
+
+- The work is **net-new** or directionally ambiguous enough that visual exploration will clarify the brief.
+- The requested fidelity is **mid-fi, high-fi, or production-ready**. Skip for sketch-only planning.
+- The current harness gives you native image generation (Codex's `image_gen`, an equivalent MCP tool, or similar). Don't ask the user to install APIs or tooling.
+
+When those conditions are met, this step is mandatory. If image generation isn't natively available, do not ask the user to install APIs or tooling. State in one line that the image step is skipped because the harness lacks native image generation, then proceed. The one-line announcement is required, not optional; it forces a conscious decision instead of letting the step quietly evaporate.
+
+Use probes to explore visual lanes, not to replace the brief.
+
+Do not skip probes because the final UI will be semantic, editable, code-native, responsive, or accessible. Those are implementation requirements, not reasons to avoid visual exploration.
+
+### What to generate
+
+Generate **2 to 4** distinct direction probes based on the discovery answers, especially:
+
+- Color strategy
+- Theme scene sentence
+- Named anchor references
+- Scope and fidelity
+
+The probes should differ in primary visual direction (hierarchy, topology, density, typographic voice, or color strategy), not just palette tweaks.
+
+### How to use the probes
+
+- Treat them as **direction tests**, not final designs.
+- Use them to pressure-test whether the brief is pointing at the right lane.
+- Ask the user which direction feels closest, what feels off, and what should carry forward.
+- If the probes reveal a mismatch, revise the brief inputs before finalizing the brief.
+
+### Important limits
+
+- Do **not** skip discovery because image generation is available.
+- Do **not** treat generated imagery as final UX specification, final copy, or final accessibility behavior.
+- Do **not** use this step for minor refinements of existing work. It's for shaping a new surface or clarifying a big directional choice.
+
+If image generation isn't natively available, announce the skip in one line and proceed to the design brief.
+
+## Phase 2: Design Brief
+
+After the interview and any required probes, present a brief and **end your response**. The user must confirm before any implementation runs. Do not present a brief and then continue to code in the same response, even if the brief feels obvious to you. The user's confirmation is the gate.
+
+**Choose the brief shape based on how clear the answers are:**
+
+- **Compact form (3-5 bullets)** when discovery was crisp and the original prompt + PRODUCT.md already pinned scope, content, and direction. State what you're building, the visual lane, and end with one or two specific questions or a clear "confirm or override?" prompt. This is the default for typical craft requests with a clear prompt.
+- **Full structured form (sections below)** when the task is genuinely ambiguous, multi-screen, or when the user asked for shape as a standalone step. Use this when the discipline of structure earns its weight.
+
+Don't pad a clear brief into a long one to look thorough. A 70-line brief restating answers the user just gave is noise, not rigor. Equally, don't skip the confirmation pause to look efficient: the pause is the point.
+
+Present the brief, then **stop and wait for explicit confirmation**. You are not the judge of whether the user already approved. Even when the brief feels obviously right, ask once and wait. The pause is what separates shape from premature implementation.
+
+### Brief Structure
+
+**1. Feature Summary** (2-3 sentences)
+What this is, who it's for, what it needs to accomplish.
+
+**2. Primary User Action**
+The single most important thing a user should do or understand here.
+
+**3. Design Direction**
+Color strategy (Restrained / Committed / Full palette / Drenched) + the theme scene sentence + 2–3 named anchor references. Reference PRODUCT.md and DESIGN.md where they already answer, and note any per-surface overrides.
+
+If you ran the Visual Direction Probe step, name which probe direction won and what changed in the brief because of it.
+
+**4. Scope**
+Fidelity, breadth, interactivity, and time intent from the Scope section of the interview. Task-scoped; these don't persist beyond the brief.
+
+**5. Layout Strategy**
+High-level spatial approach: what gets emphasis, what's secondary, how information flows. Describe the visual hierarchy and rhythm, not specific CSS.
+
+**6. Key States**
+List every state the feature needs: default, empty, loading, error, success, edge cases. For each, note what the user needs to see and feel.
+
+**7. Interaction Model**
+How users interact with this feature. What happens on click, hover, scroll? What feedback do they get? What's the flow from entry to completion?
+
+**8. Content Requirements**
+What copy, labels, empty state messages, error messages, and microcopy are needed. Note any dynamic content and its realistic ranges. For image-led surfaces, also list the required image/media roles and their likely source (project asset, generated raster, semantic SVG/CSS, canvas/WebGL, icon library, or accepted omission).
+
+**9. Recommended References**
+Based on the brief, list which impeccable reference files would be most valuable during implementation (e.g., spatial-design.md for complex layouts, motion-design.md for animated features, interaction-design.md for form-heavy features).
+
+**10. Open Questions**
+Anything genuinely unresolved. Don't list "open questions" you've already recommended a default for; assert the default and move on. If you'd write `Recommend: X` next to a question, just decide X.
+
+---
+
+{{ask_instruction}} Ask for explicit confirmation of the brief before finishing.
+
+If the user disagrees with any part, revisit the relevant discovery questions. A shape run is incomplete until the user confirms direction.
+
+Once confirmed, the brief is complete. The user can now hand it to {{command_prefix}}impeccable, or use it to guide any other implementation approach. (If the user wants the full discovery-then-build flow in one step, they should use {{command_prefix}}impeccable craft instead, which runs this command internally.)

.agents/skills/impeccable/reference/spatial-design.md

@@ -0,0 +1,100 @@
+# Spatial Design
+
+## Spacing Systems
+
+### Use 4pt Base, Not 8pt
+
+8pt systems are too coarse; you'll frequently need 12px (between 8 and 16). Use 4pt for granularity: 4, 8, 12, 16, 24, 32, 48, 64, 96px.
+
+### Name Tokens Semantically
+
+Name by relationship (`--space-sm`, `--space-lg`), not value (`--spacing-8`). Use `gap` instead of margins for sibling spacing; it eliminates margin collapse and cleanup hacks.
+
+## Grid Systems
+
+### The Self-Adjusting Grid
+
+Use `repeat(auto-fit, minmax(280px, 1fr))` for responsive grids without breakpoints. Columns are at least 280px, as many as fit per row, leftovers stretch. For complex layouts, use named grid areas (`grid-template-areas`) and redefine them at breakpoints.
+
+## Visual Hierarchy
+
+### The Squint Test
+
+Blur your eyes (or screenshot and blur). Can you still identify:
+- The most important element?
+- The second most important?
+- Clear groupings?
+
+If everything looks the same weight blurred, you have a hierarchy problem.
+
+### Hierarchy Through Multiple Dimensions
+
+Don't rely on size alone. Combine:
+
+| Tool | Strong Hierarchy | Weak Hierarchy |
+|------|------------------|----------------|
+| **Size** | 3:1 ratio or more | <2:1 ratio |
+| **Weight** | Bold vs Regular | Medium vs Regular |
+| **Color** | High contrast | Similar tones |
+| **Position** | Top/left (primary) | Bottom/right |
+| **Space** | Surrounded by white space | Crowded |
+
+**The best hierarchy uses 2-3 dimensions at once**: A heading that's larger, bolder, AND has more space above it.
+
+### Cards Are Not Required
+
+Cards are overused. Spacing and alignment create visual grouping naturally. Use cards only when content is truly distinct and actionable, items need visual comparison in a grid, or content needs clear interaction boundaries. **Never nest cards inside cards.** Use spacing, typography, and subtle dividers for hierarchy within a card.
+
+## Container Queries
+
+Viewport queries are for page layouts. **Container queries are for components**:
+
+```css
+.card-container {
+  container-type: inline-size;
+}
+
+.card {
+  display: grid;
+  gap: var(--space-md);
+}
+
+/* Card layout changes based on its container, not viewport */
+@container (min-width: 400px) {
+  .card {
+    grid-template-columns: 120px 1fr;
+  }
+}
+```
+
+**Why this matters**: A card in a narrow sidebar stays compact, while the same card in a main content area expands automatically, without viewport hacks.
+
+## Optical Adjustments
+
+Text at `margin-left: 0` looks indented due to letterform whitespace; use negative margin (`-0.05em`) to optically align. Geometrically centered icons often look off-center; play icons need to shift right, arrows shift toward their direction.
+
+### Touch Targets vs Visual Size
+
+Buttons can look small but need large touch targets (44px minimum). Use padding or pseudo-elements:
+
+```css
+.icon-button {
+  width: 24px;  /* Visual size */
+  height: 24px;
+  position: relative;
+}
+
+.icon-button::before {
+  content: '';
+  position: absolute;
+  inset: -10px;  /* Expand tap target to 44px */
+}
+```
+
+## Depth & Elevation
+
+Create semantic z-index scales (dropdown → sticky → modal-backdrop → modal → toast → tooltip) instead of arbitrary numbers. For shadows, create a consistent elevation scale (sm → md → lg → xl). **Key insight**: Shadows should be subtle. If you can clearly see it, it's probably too strong.
+
+---
+
+**Avoid**: Arbitrary spacing values outside your scale. Making all spacing equal (variety creates hierarchy). Creating hierarchy through size alone - combine size, weight, color, and space.

.agents/skills/impeccable/reference/teach.md

@@ -0,0 +1,156 @@
+# Teach Flow
+
+Gathers design context for a project and writes two complementary files at the project root:
+
+- **PRODUCT.md** (strategic): root project file for register, target users, product purpose, brand personality, anti-references, strategic design principles. Answers "who/what/why".
+- **DESIGN.md** (visual): root project file for visual theme, color palette, typography, components, layout. Follows the [Google Stitch DESIGN.md format](https://stitch.withgoogle.com/docs/design-md/format/). Answers "how it looks".
+
+Every other impeccable command reads these files before doing any work.
+
+## Step 1: Load current state
+
+Run the shared loader first so you know what already exists:
+
+```bash
+node {{scripts_path}}/load-context.mjs
+```
+
+The output tells you whether PRODUCT.md and/or DESIGN.md already exist. If `migrated: true`, legacy `.impeccable.md` was auto-renamed to `PRODUCT.md`. Mention this once to the user.
+
+Decision tree:
+- **Neither file exists (empty project or no context yet)**: do Steps 2-4 (write PRODUCT.md), then decide on DESIGN.md based on whether there's code to analyze.
+- **PRODUCT.md exists, DESIGN.md missing**: skip to Step 5 and offer to run `/impeccable document` for DESIGN.md.
+- **PRODUCT.md exists but has no `## Register` section (legacy)**: add it. Infer a hypothesis from the codebase (see Step 2), confirm with the user, write the field.
+- **Both exist**: {{ask_instruction}} Ask which file to refresh. Skip the one the user doesn't want changed.
+- **Just DESIGN.md exists (unusual)**: do Steps 2-4 to produce PRODUCT.md.
+
+Never silently overwrite an existing file. Always confirm first.
+
+If teach was invoked as a setup blocker by another command, such as `{{command_prefix}}impeccable craft landing page`, pause that command here. Complete teach, re-run the loader, then resume the original command with the freshly loaded context. For craft, resume into shape next; teach creates project context, but it is not a substitute for the task-specific shape interview and confirmed design brief.
+
+## Step 2: Explore the codebase
+
+Before asking questions, thoroughly scan the project to discover what you can:
+
+- **README and docs**: Project purpose, target audience, any stated goals
+- **Package.json / config files**: Tech stack, dependencies, existing design libraries
+- **Existing components**: Current design patterns, spacing, typography in use
+- **Brand assets**: Logos, favicons, color values already defined
+- **Design tokens / CSS variables**: Existing color palettes, font stacks, spacing scales
+- **Any style guides or brand documentation**
+
+Also form a **register hypothesis** from what you find:
+
+- Brand signals: `/`, `/about`, `/pricing`, `/blog/*`, `/docs/*`, hero sections, big typography, scroll-driven sections, landing-page-shaped content.
+- Product signals: `/app/*`, `/dashboard`, `/settings`, `/(auth)`, forms, data tables, side/top nav, app-shell components.
+
+Register is a hypothesis at this point, not a decision; Step 3 confirms it.
+
+Note what you've learned and what remains unclear. This exploration feeds both PRODUCT.md and DESIGN.md.
+
+## Step 3: Ask strategic questions (for PRODUCT.md)
+
+{{ask_instruction}} Ask only about what you couldn't infer from the codebase.
+
+### Interview mode, not confirmation mode
+
+If the repo is empty or the user's brief is sparse, run a short interview before proposing PRODUCT.md. Do **not** turn a one-sentence request into a complete inferred PRODUCT.md and ask for blanket confirmation.
+
+- Use the harness's structured question tool when one exists. Otherwise, ask directly in chat and stop.
+- Ask **2-3 questions per round**, then wait for answers.
+- Use inferred answers as hypotheses or options, not as finished facts.
+- Complete at least one real user-answer round before drafting PRODUCT.md, unless every required answer is directly discoverable from repo docs.
+- Round 1 should establish register, users/purpose, and desired outcome.
+- Round 2 should establish brand personality or references, anti-references, and accessibility needs.
+
+### Minimum viable interview
+
+Ask enough to complete PRODUCT.md. At minimum, cover register confirmation, users and purpose, brand personality, anti-references, and accessibility needs unless each answer is directly discoverable from repo context. After at least one interview round, you may propose inferred answers, but the user must confirm them before you write PRODUCT.md. Never synthesize PRODUCT.md from the original task prompt alone.
+
+### Register (ask first; it shapes everything below)
+
+Every design task is either **brand** (marketing, landing, campaign, long-form content, portfolio: design IS the product) or **product** (app UI, admin, dashboards, tools: design SERVES the product).
+
+If Step 2 produced a clear hypothesis, lead with it: *"From the codebase, this looks like a [brand / product] surface. Does that match your intent, or should we treat it differently?"*
+
+If the signal is genuinely split (e.g. a product with a big marketing landing), {{ask_instruction}} Ask which register describes the **primary** surface. The register can be overridden per task later, but PRODUCT.md carries one default.
+
+### Users & Purpose
+- Who uses this? What's their context when using it?
+- What job are they trying to get done?
+- For brand: what emotions should the interface evoke? (confidence, delight, calm, urgency)
+- For product: what workflow are they in? What's the primary task on any given screen?
+
+### Brand & Personality
+- How would you describe the brand personality in 3 words?
+- Reference sites or apps that capture the right feel? What specifically about them?
+  - For brand, push for real-world references in the right lane (tech-minimal, editorial-magazine, consumer-warm, brutalist-grid, etc.), not generic "modern" adjectives.
+  - For product, push for category best-tool references (Linear, Figma, Notion, Raycast, Stripe).
+- What should this explicitly NOT look like? Any anti-references?
+
+### Accessibility & Inclusion
+- Specific accessibility requirements? (WCAG level, known user needs)
+- Considerations for reduced motion, color blindness, or other accommodations?
+
+Skip questions where the answer is already clear. **Do NOT ask about colors, fonts, radii, or visual styling here.** Those belong in DESIGN.md, not PRODUCT.md.
+
+## Step 4: Write PRODUCT.md
+
+Write PRODUCT.md only after the user has confirmed the strategic answers from Step 3. If an inferred answer is uncertain or unconfirmed, ask before writing.
+
+Synthesize into a strategic document:
+
+```markdown
+# Product
+
+## Register
+
+product
+
+## Users
+[Who they are, their context, the job to be done]
+
+## Product Purpose
+[What this product does, why it exists, what success looks like]
+
+## Brand Personality
+[Voice, tone, 3-word personality, emotional goals]
+
+## Anti-references
+[What this should NOT look like. Specific bad-example sites or patterns to avoid.]
+
+## Design Principles
+[3-5 strategic principles derived from the conversation. Principles like "practice what you preach", "show, don't tell", "expert confidence". NOT visual rules like "use OKLCH" or "magenta accent".]
+
+## Accessibility & Inclusion
+[WCAG level, known user needs, considerations]
+```
+
+Register is either `brand` or `product` as a bare value. No prose, no commentary.
+
+Write to `PROJECT_ROOT/PRODUCT.md`. If `.impeccable.md` existed, the loader already renamed it; merge into that content rather than starting from scratch.
+
+## Step 5: Decide on DESIGN.md
+
+Offer `/impeccable document` either way. Two paths:
+
+- **Code exists** (CSS tokens, components, a running site): "I can generate a DESIGN.md that captures your visual system (colors, typography, components) so variants stay on-brand. Want to do that now?"
+- **Pre-implementation** (empty project): "I can seed a starter DESIGN.md from five quick questions about color strategy, type direction, motion energy, and references. You can re-run once there's code, to capture the real tokens. Want to do that now?"
+
+If the user agrees, delegate to `/impeccable document` (it auto-detects scan vs seed). Load its reference and follow that flow.
+
+If the user prefers to skip, mention they can run `/impeccable document` any time later.
+
+## Step 6: Confirm and wrap up
+
+Summarize:
+- Register captured (brand / product)
+- What was written (PRODUCT.md, DESIGN.md, or both)
+- The 3-5 strategic principles from PRODUCT.md that will guide future work
+- If DESIGN.md is pending, remind the user how to generate it later
+
+**Critical: re-run the loader to refresh session context.** After writing PRODUCT.md, run `node {{scripts_path}}/load-context.mjs` one final time and let its full JSON output land in conversation. This ensures subsequent commands in this session use the freshly-written PRODUCT.md, not a stale earlier version.
+
+If teach was invoked as a blocker by another impeccable command (e.g. the user ran `/impeccable polish` with no PRODUCT.md), resume that original task now with the fresh context.
+
+Optionally {{ask_instruction}} Ask whether they'd like a brief summary of PRODUCT.md appended to {{config_file}} for easier agent reference. If yes, append a short **Design Context** pointer section there.

.agents/skills/impeccable/reference/typeset.md

@@ -0,0 +1,124 @@
+Typography carries most of the information on the page. Replace generic defaults (Inter, Roboto, system fallback at flat scale) with type that reflects the brand and scales with intentional contrast.
+
+---
+
+## Register
+
+Brand: run the font selection procedure in [brand.md](brand.md). Pairing follows the brand's lane (display serif + sans body for editorial/luxury, one committed sans for tech, etc.). Fluid `clamp()` scale, ≥1.25 ratio between steps.
+
+Product: system fonts and familiar sans stacks are legitimate here. One well-tuned family typically carries the whole UI. Fixed `rem` scale, 1.125–1.2 ratio between more closely-spaced steps.
+
+---
+
+## Assess Current Typography
+
+Analyze what's weak or generic about the current type:
+
+1. **Font choices**:
+   - Are we using invisible defaults? (Inter, Roboto, Arial, Open Sans, system defaults)
+   - Does the font match the brand personality? (A playful brand shouldn't use a corporate typeface)
+   - Are there too many font families? (More than 2-3 is almost always a mess)
+
+2. **Hierarchy**:
+   - Can you tell headings from body from captions at a glance?
+   - Are font sizes too close together? (14px, 15px, 16px = muddy hierarchy)
+   - Are weight contrasts strong enough? (Medium vs Regular is barely visible)
+
+3. **Sizing & scale**:
+   - Is there a consistent type scale, or are sizes arbitrary?
+   - Does body text meet minimum readability? (16px+)
+   - Is the sizing strategy appropriate for the context? (Fixed `rem` scales for app UIs; fluid `clamp()` for marketing/content page headings)
+
+4. **Readability**:
+   - Are line lengths comfortable? (45-75 characters ideal)
+   - Is line-height appropriate for the font and context?
+   - Is there enough contrast between text and background?
+
+5. **Consistency**:
+   - Are the same elements styled the same way throughout?
+   - Are font weights used consistently? (Not bold in one section, semibold in another for the same role)
+   - Is letter-spacing intentional or default everywhere?
+
+**CRITICAL**: The goal isn't to make text "fancier." It's to make it clearer, more readable, and more intentional. Good typography is invisible; bad typography is distracting.
+
+## Plan Typography Improvements
+
+Consult the [typography reference](typography.md) for detailed guidance on scales, pairing, and loading strategies.
+
+Create a systematic plan:
+
+- **Font selection**: Do fonts need replacing? What fits the brand/context?
+- **Type scale**: Establish a modular scale (e.g., 1.25 ratio) with clear hierarchy
+- **Weight strategy**: Which weights serve which roles? (Regular for body, Semibold for labels, Bold for headings, or whatever fits)
+- **Spacing**: Line-heights, letter-spacing, and margins between typographic elements
+
+## Improve Typography Systematically
+
+### Font Selection
+
+If fonts need replacing:
+- Choose fonts that reflect the brand personality
+- Pair with genuine contrast (serif + sans, geometric + humanist), or use a single family in multiple weights
+- Ensure web font loading doesn't cause layout shift (`font-display: swap`, metric-matched fallbacks)
+
+### Establish Hierarchy
+
+Build a clear type scale:
+- **5 sizes cover most needs**: caption, secondary, body, subheading, heading
+- **Use a consistent ratio** between levels (1.25, 1.333, or 1.5)
+- **Combine dimensions**: Size + weight + color + space for strong hierarchy. Don't rely on size alone
+- **App UIs**: Use a fixed `rem`-based type scale, optionally adjusted at 1-2 breakpoints. Fluid sizing undermines the spatial predictability that dense, container-based layouts need
+- **Marketing / content pages**: Use fluid sizing via `clamp(min, preferred, max)` for headings and display text. Keep body text fixed
+
+### Fix Readability
+
+- Set `max-width` on text containers using `ch` units (`max-width: 65ch`)
+- Adjust line-height per context: tighter for headings (1.1-1.2), looser for body (1.5-1.7)
+- Increase line-height slightly for light-on-dark text
+- Ensure body text is at least 16px / 1rem
+
+### Refine Details
+
+- Use `tabular-nums` for data tables and numbers that should align
+- Apply proper `letter-spacing`: slightly open for small caps and uppercase, default or tight for large display text
+- Use semantic token names (`--text-body`, `--text-heading`), not value names (`--font-16`)
+- Set `font-kerning: normal` and consider OpenType features where appropriate
+
+### Weight Consistency
+
+- Define clear roles for each weight and stick to them
+- Don't use more than 3-4 weights (Regular, Medium, Semibold, Bold is plenty)
+- Load only the weights you actually use (each weight adds to page load)
+
+**NEVER**:
+- Use more than 2-3 font families
+- Pick sizes arbitrarily; commit to a scale
+- Set body text below 16px
+- Use decorative/display fonts for body text
+- Disable browser zoom (`user-scalable=no`)
+- Use `px` for font sizes; use `rem` to respect user settings
+- Default to Inter/Roboto/Open Sans when personality matters
+- Pair fonts that are similar but not identical (two geometric sans-serifs)
+
+## Verify Typography Improvements
+
+- **Hierarchy**: Can you identify heading vs body vs caption instantly?
+- **Readability**: Is body text comfortable to read in long passages?
+- **Consistency**: Are same-role elements styled identically throughout?
+- **Personality**: Does the typography reflect the brand?
+- **Performance**: Are web fonts loading efficiently without layout shift?
+- **Accessibility**: Does text meet WCAG contrast ratios? Is it zoomable to 200%?
+
+When the type carries the hierarchy on its own, hand off to `{{command_prefix}}impeccable polish` for the final pass.
+
+## Live-mode signature params
+
+Each variant MUST declare a `scale` param controlling the hierarchy ratio. Express all font sizes in the variant's scoped CSS through `calc(var(--p-scale, 1) * <base>)` or, better, scale the type ramp via `clamp(min, calc(var(--p-scale, 1) * Npx), max)`. Users slide from subdued to commanding.
+
+```json
+{"id":"scale","kind":"range","min":0.85,"max":1.3,"step":0.05,"default":1,"label":"Scale"}
+```
+
+Where the variant riffs on a specific pairing, expose the pairing choice as a `steps` param (e.g. "serif display + sans body" vs. "mono display + sans body" vs. "all-sans"). Each branch routes through `:scope[data-p-pairing="X"]` selectors in scoped CSS.
+
+See `reference/live.md` for the full params contract.

.agents/skills/impeccable/reference/typography.md

@@ -0,0 +1,159 @@
+# Typography
+
+## Classic Typography Principles
+
+### Vertical Rhythm
+
+Your line-height should be the base unit for ALL vertical spacing. If body text has `line-height: 1.5` on `16px` type (= 24px), spacing values should be multiples of 24px. This creates subconscious harmony; text and space share a mathematical foundation.
+
+### Modular Scale & Hierarchy
+
+The common mistake: too many font sizes that are too close together (14px, 15px, 16px, 18px...). This creates muddy hierarchy.
+
+**Use fewer sizes with more contrast.** A 5-size system covers most needs:
+
+| Role | Typical Ratio | Use Case |
+|------|---------------|----------|
+| xs | 0.75rem | Captions, legal |
+| sm | 0.875rem | Secondary UI, metadata |
+| base | 1rem | Body text |
+| lg | 1.25-1.5rem | Subheadings, lead text |
+| xl+ | 2-4rem | Headlines, hero text |
+
+Popular ratios: 1.25 (major third), 1.333 (perfect fourth), 1.5 (perfect fifth). Pick one and commit.
+
+### Readability & Measure
+
+Use `ch` units for character-based measure (`max-width: 65ch`). Line-height scales inversely with line length: narrow columns need tighter leading, wide columns need more.
+
+**Non-obvious**: Light text on dark backgrounds needs compensation on three axes, not just one. Bump line-height by 0.05–0.1, add a touch of letter-spacing (0.01–0.02em), and optionally step the body weight up one notch (regular → medium). The perceived weight drops across all three; fix all three.
+
+**Paragraph rhythm**: Pick either space between paragraphs OR first-line indentation. Never both. Digital usually wants space; editorial/long-form can justify indent-only.
+
+## Font Selection & Pairing
+
+The tactical selection procedure and the reflex-reject list live in [reference/brand.md](brand.md) under **Font selection procedure** and **Reflex-reject list** (loaded for brand-register tasks). The rest of this section covers the adjacent knowledge: anti-reflex corrections, system font use, and pairing rules.
+
+### Anti-reflexes worth defending against
+
+- A technical/utilitarian brief does NOT need a serif "for warmth." Most tech tools should look like tech tools.
+- An editorial/premium brief does NOT need the same expressive serif everyone is using right now. Premium can be Swiss-modern, can be neo-grotesque, can be a literal monospace, can be a quiet humanist sans.
+- A children's product does NOT need a rounded display font. Kids' books use real type.
+- A "modern" brief does NOT need a geometric sans. The most modern thing you can do is not use the font everyone else is using.
+
+**System fonts are underrated**: `-apple-system, BlinkMacSystemFont, "Segoe UI", system-ui` looks native, loads instantly, and is highly readable. Consider this for apps where performance > personality.
+
+### Pairing Principles
+
+**The non-obvious truth**: You often don't need a second font. One well-chosen font family in multiple weights creates cleaner hierarchy than two competing typefaces. Only add a second font when you need genuine contrast (e.g., display headlines + body serif).
+
+When pairing, contrast on multiple axes:
+- Serif + Sans (structure contrast)
+- Geometric + Humanist (personality contrast)
+- Condensed display + Wide body (proportion contrast)
+
+**Never pair fonts that are similar but not identical** (e.g., two geometric sans-serifs). They create visual tension without clear hierarchy.
+
+### Web Font Loading
+
+The layout shift problem: fonts load late, text reflows, and users see content jump. Here's the fix:
+
+```css
+/* 1. Use font-display: swap for visibility */
+@font-face {
+  font-family: 'CustomFont';
+  src: url('font.woff2') format('woff2');
+  font-display: swap;
+}
+
+/* 2. Match fallback metrics to minimize shift */
+@font-face {
+  font-family: 'CustomFont-Fallback';
+  src: local('Arial');
+  size-adjust: 105%;        /* Scale to match x-height */
+  ascent-override: 90%;     /* Match ascender height */
+  descent-override: 20%;    /* Match descender depth */
+  line-gap-override: 10%;   /* Match line spacing */
+}
+
+body {
+  font-family: 'CustomFont', 'CustomFont-Fallback', sans-serif;
+}
+```
+
+Tools like [Fontaine](https://github.com/unjs/fontaine) calculate these overrides automatically.
+
+**`swap` vs `optional`**: `swap` shows fallback text immediately and FOUT-swaps when the web font arrives. `optional` uses the fallback if the web font misses a small load budget (~100ms) and avoids the shift entirely. Pick `optional` when zero layout shift matters more than seeing the branded font on slow networks.
+
+**Preload the critical weight only**: typically the regular-weight body font used above the fold. Preloading every weight costs more bandwidth than it saves.
+
+**Variable fonts for 3+ weights or styles**: a single variable font file is usually smaller than three static weight files, gives fractional weight control, and pairs well with `font-optical-sizing: auto`. For 1–2 weights, static is fine.
+
+## Modern Web Typography
+
+### Fluid Type
+
+Fluid typography via `clamp(min, preferred, max)` scales text smoothly with the viewport. The middle value (e.g., `5vw + 1rem`) controls scaling rate (higher vw = faster scaling). Add a rem offset so it doesn't collapse to 0 on small screens.
+
+**Use fluid type for**: Headings and display text on marketing/content pages where text dominates the layout and needs to breathe across viewport sizes.
+
+**Use fixed `rem` scales for**: App UIs, dashboards, and data-dense interfaces. No major app design system (Material, Polaris, Primer, Carbon) uses fluid type in product UI; fixed scales with optional breakpoint adjustments give the spatial predictability that container-based layouts need. Body text should also be fixed even on marketing pages, since the size difference across viewports is too small to warrant it.
+
+**Bound your clamp()**: keep `max-size ≤ ~2.5 × min-size`. Wider ratios break the browser's zoom and reflow behaviour and make large viewports feel like the page is shouting.
+
+**Scale container width and font-size together** so effective character measure stays in the 45–75ch band at every viewport. A heading that widens faster than its container drifts out of the comfortable measure at the top end.
+
+### OpenType Features
+
+Most developers don't know these exist. Use them for polish:
+
+```css
+/* Tabular numbers for data alignment */
+.data-table { font-variant-numeric: tabular-nums; }
+
+/* Proper fractions */
+.recipe-amount { font-variant-numeric: diagonal-fractions; }
+
+/* Small caps for abbreviations */
+abbr { font-variant-caps: all-small-caps; }
+
+/* Disable ligatures in code */
+code { font-variant-ligatures: none; }
+
+/* Enable kerning (usually on by default, but be explicit) */
+body { font-kerning: normal; }
+```
+
+Check what features your font supports at [Wakamai Fondue](https://wakamaifondue.com/).
+
+### Rendering polish
+
+```css
+/* Even out heading line lengths (browser picks better break points) */
+h1, h2, h3 { text-wrap: balance; }
+
+/* Reduce orphans and ragged endings in long prose */
+article p { text-wrap: pretty; }
+
+/* Variable fonts: pick the right optical-size master automatically */
+body { font-optical-sizing: auto; }
+```
+
+**ALL-CAPS tracking**: capitals sit too close at default spacing. Add 5–12% letter-spacing (`letter-spacing: 0.05em` to `0.12em`) to short all-caps labels, eyebrows, and small headings. Real small caps (via `font-variant-caps`) need the same treatment, slightly gentler.
+
+## Typography System Architecture
+
+Name tokens semantically (`--text-body`, `--text-heading`), not by value (`--font-size-16`). Include font stacks, size scale, weights, line-heights, and letter-spacing in your token system.
+
+## Accessibility Considerations
+
+Beyond contrast ratios (which are well-documented), consider:
+
+- **Never disable zoom**: `user-scalable=no` breaks accessibility. If your layout breaks at 200% zoom, fix the layout.
+- **Use rem/em for font sizes**: This respects user browser settings. Never `px` for body text.
+- **Minimum 16px body text**: Smaller than this strains eyes and fails WCAG on mobile.
+- **Adequate touch targets**: Text links need padding or line-height that creates 44px+ tap targets.
+
+---
+
+**Avoid**: More than 2-3 font families per project. Skipping fallback font definitions. Ignoring font loading performance (FOUT/FOIT). Using decorative fonts for body text.

.agents/skills/impeccable/reference/ux-writing.md

@@ -0,0 +1,107 @@
+# UX Writing
+
+## The Button Label Problem
+
+**Never use "OK", "Submit", or "Yes/No".** These are lazy and ambiguous. Use specific verb + object patterns:
+
+| Bad | Good | Why |
+|-----|------|-----|
+| OK | Save changes | Says what will happen |
+| Submit | Create account | Outcome-focused |
+| Yes | Delete message | Confirms the action |
+| Cancel | Keep editing | Clarifies what "cancel" means |
+| Click here | Download PDF | Describes the destination |
+
+**For destructive actions**, name the destruction:
+- "Delete" not "Remove" (delete is permanent, remove implies recoverable)
+- "Delete 5 items" not "Delete selected" (show the count)
+
+## Error Messages: The Formula
+
+Every error message should answer: (1) What happened? (2) Why? (3) How to fix it? Example: "Email address isn't valid. Please include an @ symbol." not "Invalid input".
+
+### Error Message Templates
+
+| Situation | Template |
+|-----------|----------|
+| **Format error** | "[Field] needs to be [format]. Example: [example]" |
+| **Missing required** | "Please enter [what's missing]" |
+| **Permission denied** | "You don't have access to [thing]. [What to do instead]" |
+| **Network error** | "We couldn't reach [thing]. Check your connection and [action]." |
+| **Server error** | "Something went wrong on our end. We're looking into it. [Alternative action]" |
+
+### Don't Blame the User
+
+Reframe errors: "Please enter a date in MM/DD/YYYY format" not "You entered an invalid date".
+
+## Empty States Are Opportunities
+
+Empty states are onboarding moments: (1) Acknowledge briefly, (2) Explain the value of filling it, (3) Provide a clear action. "No projects yet. Create your first one to get started." not just "No items".
+
+## Voice vs Tone
+
+**Voice** is your brand's personality, consistent everywhere.
+**Tone** adapts to the moment.
+
+| Moment | Tone Shift |
+|--------|------------|
+| Success | Celebratory, brief: "Done! Your changes are live." |
+| Error | Empathetic, helpful: "That didn't work. Here's what to try..." |
+| Loading | Reassuring: "Saving your work..." |
+| Destructive confirm | Serious, clear: "Delete this project? This can't be undone." |
+
+**Never use humor for errors.** Users are already frustrated. Be helpful, not cute.
+
+## Writing for Accessibility
+
+**Link text** must have standalone meaning: "View pricing plans" not "Click here". **Alt text** describes information, not the image: "Revenue increased 40% in Q4" not "Chart". Use `alt=""` for decorative images. **Icon buttons** need `aria-label` for screen reader context.
+
+## Writing for Translation
+
+### Plan for Expansion
+
+German text is ~30% longer than English. Allocate space:
+
+| Language | Expansion |
+|----------|-----------|
+| German | +30% |
+| French | +20% |
+| Finnish | +30-40% |
+| Chinese | -30% (fewer chars, but same width) |
+
+### Translation-Friendly Patterns
+
+Keep numbers separate ("New messages: 3" not "You have 3 new messages"). Use full sentences as single strings (word order varies by language). Avoid abbreviations ("5 minutes ago" not "5 mins ago"). Give translators context about where strings appear.
+
+## Consistency: The Terminology Problem
+
+Pick one term and stick with it:
+
+| Inconsistent | Consistent |
+|--------------|------------|
+| Delete / Remove / Trash | Delete |
+| Settings / Preferences / Options | Settings |
+| Sign in / Log in / Enter | Sign in |
+| Create / Add / New | Create |
+
+Build a terminology glossary and enforce it. Variety creates confusion.
+
+## Avoid Redundant Copy
+
+If the heading explains it, the intro is redundant. If the button is clear, don't explain it again. Say it once, say it well.
+
+## Loading States
+
+Be specific: "Saving your draft..." not "Loading...". For long waits, set expectations ("This usually takes 30 seconds") or show progress.
+
+## Confirmation Dialogs: Use Sparingly
+
+Most confirmation dialogs are design failures; consider undo instead. When you must confirm: name the action, explain consequences, use specific button labels ("Delete project" / "Keep project", not "Yes" / "No").
+
+## Form Instructions
+
+Show format with placeholders, not instructions. For non-obvious fields, explain why you're asking.
+
+---
+
+**Avoid**: Jargon without explanation. Blaming users ("You made an error" → "This field is required"). Vague errors ("Something went wrong"). Varying terminology for variety. Humor for errors.

.agents/skills/impeccable/scripts/cleanup-deprecated.mjs

@@ -0,0 +1,284 @@
+#!/usr/bin/env node
+/**
+ * Cleans up deprecated Impeccable skill files, symlinks, and
+ * skills-lock.json entries left over from previous versions.
+ *
+ * Safe to run repeatedly -- it is a no-op when nothing needs cleaning.
+ *
+ * Usage (from the project root):
+ *   node {{scripts_path}}/cleanup-deprecated.mjs
+ *
+ * What it does:
+ *   1. Finds every harness-specific skills directory (.claude/skills,
+ *      .cursor/skills, .agents/skills, etc.).
+ *   2. For each deprecated skill name (with and without i- prefix),
+ *      checks if the directory exists and its SKILL.md mentions
+ *      "impeccable" (to avoid deleting unrelated user skills).
+ *   3. Deletes confirmed matches (files, directories, or symlinks).
+ *   4. Removes the corresponding entries from skills-lock.json.
+ */
+
+import { existsSync, readFileSync, writeFileSync, rmSync, readdirSync, statSync, lstatSync, unlinkSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+
+// Skills that were renamed, merged, or folded in v2.0, v2.1, and v3.0.
+const DEPRECATED_NAMES = [
+  // v2.0 renames
+  'frontend-design',    // renamed to impeccable
+  'teach-impeccable',   // folded into /impeccable teach
+  // v2.1 merges
+  'arrange',            // renamed to layout
+  'normalize',          // merged into polish
+  'onboard',            // merged into harden
+  'extract',            // merged into /impeccable extract
+  // v3.0 consolidation: all standalone skills -> /impeccable sub-commands
+  'adapt',
+  'animate',
+  'audit',
+  'bolder',
+  'clarify',
+  'colorize',
+  'critique',
+  'delight',
+  'distill',
+  'harden',
+  'layout',
+  'optimize',
+  'overdrive',
+  'polish',
+  'quieter',
+  'shape',
+  'typeset',
+];
+
+// All known harness directories that may contain a skills/ subfolder.
+const HARNESS_DIRS = [
+  '.claude', '.cursor', '.gemini', '.codex', '.agents',
+  '.trae', '.trae-cn', '.pi', '.opencode', '.kiro', '.rovodev',
+];
+
+// Per-skill fingerprints for SKILL.md bodies that never mentioned
+// "impeccable" in their v2.x source. Used as a last-resort match
+// when no skills-lock.json exists and the word heuristic fails.
+// The strings are lifted verbatim from the v2.x frontmatter
+// descriptions, so collisions with hand-written user skills are
+// vanishingly unlikely.
+const SKILL_FINGERPRINTS = {
+  harden: 'Make interfaces production-ready: error handling, empty states',
+  optimize: 'Diagnoses and fixes UI performance across loading speed',
+};
+
+/**
+ * Walk up from startDir until we find a directory that looks like a
+ * project root (has package.json, .git, or skills-lock.json).
+ */
+export function findProjectRoot(startDir = process.cwd()) {
+  let dir = resolve(startDir);
+  const { root } = { root: '/' };
+  while (dir !== root) {
+    if (
+      existsSync(join(dir, 'package.json')) ||
+      existsSync(join(dir, '.git')) ||
+      existsSync(join(dir, 'skills-lock.json'))
+    ) {
+      return dir;
+    }
+    const parent = resolve(dir, '..');
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return resolve(startDir);
+}
+
+/**
+ * Load skills-lock.json from the project root, or null if missing/unreadable.
+ */
+export function loadLock(projectRoot) {
+  const lockPath = join(projectRoot, 'skills-lock.json');
+  if (!existsSync(lockPath)) return null;
+  try {
+    return JSON.parse(readFileSync(lockPath, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check whether a skill directory belongs to Impeccable. Three layered
+ * signals, in order of reliability:
+ *   1. Lock source equals "pbakaus/impeccable" (authoritative).
+ *   2. SKILL.md body contains the word "impeccable".
+ *   3. SKILL.md body contains a per-skill fingerprint (for harden and
+ *      optimize, whose v2.x SKILL.md never mentioned the pack name).
+ */
+export function isImpeccableSkill(skillDir, { skillName, lock } = {}) {
+  // 1. Authoritative: the lock file claims this skill is ours.
+  if (skillName && lock?.skills?.[skillName]?.source === 'pbakaus/impeccable') {
+    return true;
+  }
+  const skillMd = join(skillDir, 'SKILL.md');
+  if (!existsSync(skillMd)) return false;
+  let content;
+  try {
+    content = readFileSync(skillMd, 'utf-8');
+  } catch {
+    return false;
+  }
+  // 2. Word-level content heuristic.
+  if (/impeccable/i.test(content)) return true;
+  // 3. Per-skill fingerprint for old skills that never mentioned the pack.
+  //    Strip the i- prefix so both `harden` and `i-harden` resolve to the
+  //    same fingerprint entry.
+  const unprefixed = skillName?.startsWith('i-') ? skillName.slice(2) : skillName;
+  const fingerprint = unprefixed && SKILL_FINGERPRINTS[unprefixed];
+  if (fingerprint && content.includes(fingerprint)) return true;
+  return false;
+}
+
+/**
+ * Build the full list of names to check: each deprecated name, plus
+ * its i-prefixed variant.
+ */
+export function buildTargetNames() {
+  const names = [];
+  for (const name of DEPRECATED_NAMES) {
+    names.push(name);
+    names.push(`i-${name}`);
+  }
+  return names;
+}
+
+/**
+ * Find every skills directory across all harness dirs in the project.
+ * Returns absolute paths that exist on disk.
+ */
+export function findSkillsDirs(projectRoot) {
+  const dirs = [];
+  for (const harness of HARNESS_DIRS) {
+    const candidate = join(projectRoot, harness, 'skills');
+    if (existsSync(candidate)) {
+      dirs.push(candidate);
+    }
+  }
+  return dirs;
+}
+
+/**
+ * Remove deprecated skill directories/symlinks from all harness dirs.
+ * Reads skills-lock.json so the authoritative "source" field can
+ * drive deletion even when SKILL.md never mentions impeccable.
+ * Returns an array of paths that were deleted.
+ */
+export function removeDeprecatedSkills(projectRoot, lock) {
+  if (lock === undefined) lock = loadLock(projectRoot);
+  const targets = buildTargetNames();
+  const skillsDirs = findSkillsDirs(projectRoot);
+  const deleted = [];
+
+  for (const skillsDir of skillsDirs) {
+    for (const name of targets) {
+      const skillPath = join(skillsDir, name);
+
+      // Use lstat to detect symlinks (existsSync follows symlinks and
+      // returns false for dangling ones).
+      let stat;
+      try {
+        stat = lstatSync(skillPath);
+      } catch {
+        continue; // does not exist at all
+      }
+
+      if (stat.isSymbolicLink()) {
+        // Symlink: check the target if it's alive, otherwise treat
+        // dangling symlinks to deprecated names as safe to remove.
+        const targetAlive = existsSync(skillPath);
+        const isMatch = targetAlive
+          ? isImpeccableSkill(skillPath, { skillName: name, lock })
+          : true;
+        if (isMatch) {
+          unlinkSync(skillPath);
+          deleted.push(skillPath);
+        }
+        continue;
+      }
+
+      // Regular directory -- verify it belongs to impeccable
+      if (isImpeccableSkill(skillPath, { skillName: name, lock })) {
+        rmSync(skillPath, { recursive: true, force: true });
+        deleted.push(skillPath);
+      }
+    }
+  }
+
+  return deleted;
+}
+
+/**
+ * Remove deprecated entries from skills-lock.json.
+ * Only removes entries whose source is "pbakaus/impeccable".
+ * Returns the list of removed skill names.
+ */
+export function cleanSkillsLock(projectRoot) {
+  const lockPath = join(projectRoot, 'skills-lock.json');
+  if (!existsSync(lockPath)) return [];
+
+  let lock;
+  try {
+    lock = JSON.parse(readFileSync(lockPath, 'utf-8'));
+  } catch {
+    return [];
+  }
+
+  if (!lock.skills || typeof lock.skills !== 'object') return [];
+
+  const targets = buildTargetNames();
+  const removed = [];
+
+  for (const name of targets) {
+    const entry = lock.skills[name];
+    if (!entry) continue;
+    // Only remove if it belongs to impeccable
+    if (entry.source === 'pbakaus/impeccable') {
+      delete lock.skills[name];
+      removed.push(name);
+    }
+  }
+
+  if (removed.length > 0) {
+    writeFileSync(lockPath, JSON.stringify(lock, null, 2) + '\n', 'utf-8');
+  }
+
+  return removed;
+}
+
+/**
+ * Run the full cleanup. Returns a summary object.
+ *
+ * Order matters: read the lock and delete directories first, then
+ * strip lock entries. Otherwise the authoritative signal is gone by
+ * the time directory deletion runs.
+ */
+export function cleanup(projectRoot) {
+  const root = projectRoot || findProjectRoot();
+  const lock = loadLock(root);
+  const deletedPaths = removeDeprecatedSkills(root, lock);
+  const removedLockEntries = cleanSkillsLock(root);
+  return { deletedPaths, removedLockEntries, projectRoot: root };
+}
+
+// CLI entry point
+if (process.argv[1] && resolve(process.argv[1]) === resolve(new URL(import.meta.url).pathname)) {
+  const result = cleanup();
+  if (result.deletedPaths.length === 0 && result.removedLockEntries.length === 0) {
+    console.log('No deprecated Impeccable skills found. Nothing to clean up.');
+  } else {
+    if (result.deletedPaths.length > 0) {
+      console.log(`Removed ${result.deletedPaths.length} deprecated skill(s):`);
+      for (const p of result.deletedPaths) console.log(`  - ${p}`);
+    }
+    if (result.removedLockEntries.length > 0) {
+      console.log(`Cleaned ${result.removedLockEntries.length} entry/entries from skills-lock.json:`);
+      for (const name of result.removedLockEntries) console.log(`  - ${name}`);
+    }
+  }
+}

.agents/skills/impeccable/scripts/command-metadata.json

@@ -0,0 +1,94 @@
+{
+  "craft": {
+    "description": "Full confirmed-brief-then-build flow. Runs multi-round shape discovery first, resolves visual probe and north-star mock gates when available, then builds and visually iterates. Use when building a new feature end-to-end.",
+    "argumentHint": "[feature description]"
+  },
+  "teach": {
+    "description": "Gathers design context for a project. Runs a multi-round discovery interview when context is missing and writes PRODUCT.md (strategic: users, brand, principles) and, when code exists to analyze, DESIGN.md (visual: colors, typography, components). Every other command reads these files before doing work. Use once per project.",
+    "argumentHint": ""
+  },
+  "document": {
+    "description": "Generate a DESIGN.md file that captures the current visual design system. Auto-extracts colors, typography, spacing, radii, and component patterns from the codebase, then asks the user to confirm descriptive language for atmosphere and color character. Follows the Google Stitch DESIGN.md format so the file is tool-compatible. Use when you need a visual design spec an AI agent can follow to stay on-brand.",
+    "argumentHint": ""
+  },
+  "extract": {
+    "description": "Pull reusable patterns, components, and design tokens into the design system. Identifies repeated patterns and consolidates them. Use when you have drift across the codebase and want to bring things back to a consistent system.",
+    "argumentHint": "[target]"
+  },
+  "live": {
+    "description": "Interactive live variant mode. Select elements in the browser, pick a design action, and get AI-generated HTML+CSS variants hot-swapped via HMR. Requires a running dev server. Use when you want to visually experiment with design alternatives in real time.",
+    "argumentHint": ""
+  },
+  "adapt": {
+    "description": "Adapt designs to work across different screen sizes, devices, contexts, or platforms. Implements breakpoints, fluid layouts, and touch targets. Use when the user mentions responsive design, mobile layouts, breakpoints, viewport adaptation, or cross-device compatibility.",
+    "argumentHint": "[target] [context (mobile, tablet, print...)]"
+  },
+  "animate": {
+    "description": "Review a feature and enhance it with purposeful animations, micro-interactions, and motion effects that improve usability and delight. Use when the user mentions adding animation, transitions, micro-interactions, motion design, hover effects, or making the UI feel more alive.",
+    "argumentHint": "[target]"
+  },
+  "audit": {
+    "description": "Run technical quality checks across accessibility, performance, theming, responsive design, and anti-patterns. Generates a scored report with P0-P3 severity ratings and actionable plan. Use when the user wants an accessibility check, performance audit, or technical quality review.",
+    "argumentHint": "[area (feature, page, component...)]"
+  },
+  "bolder": {
+    "description": "Amplify safe or boring designs to make them more visually interesting and stimulating. Increases impact while maintaining usability. Use when the user says the design looks bland, generic, too safe, lacks personality, or wants more visual impact and character.",
+    "argumentHint": "[target]"
+  },
+  "clarify": {
+    "description": "Improve unclear UX copy, error messages, microcopy, labels, and instructions to make interfaces easier to understand. Use when the user mentions confusing text, unclear labels, bad error messages, hard-to-follow instructions, or wanting better UX writing.",
+    "argumentHint": "[target]"
+  },
+  "colorize": {
+    "description": "Add strategic color to features that are too monochromatic or lack visual interest, making interfaces more engaging and expressive. Use when the user mentions the design looking gray, dull, lacking warmth, needing more color, or wanting a more vibrant or expressive palette.",
+    "argumentHint": "[target]"
+  },
+  "critique": {
+    "description": "Evaluate design from a UX perspective, assessing visual hierarchy, information architecture, emotional resonance, cognitive load, and overall quality with quantitative scoring, persona-based testing, automated anti-pattern detection, and actionable feedback. Use when the user asks to review, critique, evaluate, or give feedback on a design or component.",
+    "argumentHint": "[area (feature, page, component...)]"
+  },
+  "delight": {
+    "description": "Add moments of joy, personality, and unexpected touches that make interfaces memorable and enjoyable to use. Elevates functional to delightful. Use when the user asks to add polish, personality, animations, micro-interactions, delight, or make an interface feel fun or memorable.",
+    "argumentHint": "[target]"
+  },
+  "distill": {
+    "description": "Strip designs to their essence by removing unnecessary complexity. Great design is simple, powerful, and clean. Use when the user asks to simplify, declutter, reduce noise, remove elements, or make a UI cleaner and more focused.",
+    "argumentHint": "[target]"
+  },
+  "harden": {
+    "description": "Make interfaces production-ready: error handling, i18n, text overflow, edge case management, and resilience under real-world data. Use when the user asks to harden, make production-ready, handle edge cases, add error states, or fix overflow and i18n issues.",
+    "argumentHint": "[target]"
+  },
+  "onboard": {
+    "description": "Design onboarding flows, first-run experiences, and empty states that guide new users to value. Covers welcome screens, account setup, progressive disclosure, contextual tooltips, feature announcements, and activation moments. Use when the user mentions onboarding, first-time users, empty states, activation, getting started, new user flows, or the aha moment.",
+    "argumentHint": "[target]"
+  },
+  "layout": {
+    "description": "Improve layout, spacing, and visual rhythm. Fixes monotonous grids, inconsistent spacing, and weak visual hierarchy. Use when the user mentions layout feeling off, spacing issues, visual hierarchy, crowded UI, alignment problems, or wanting better composition.",
+    "argumentHint": "[target]"
+  },
+  "optimize": {
+    "description": "Diagnoses and fixes UI performance across loading speed, rendering, animations, images, and bundle size. Use when the user mentions slow, laggy, janky, performance, bundle size, load time, or wants a faster, smoother experience.",
+    "argumentHint": "[target]"
+  },
+  "overdrive": {
+    "description": "Pushes interfaces past conventional limits with technically ambitious implementations — shaders, spring physics, scroll-driven reveals, 60fps animations. Use when the user wants to wow, impress, go all-out, or make something that feels extraordinary.",
+    "argumentHint": "[target]"
+  },
+  "polish": {
+    "description": "Performs a final quality pass fixing alignment, spacing, consistency, and micro-detail issues before shipping. Use when the user mentions polish, finishing touches, pre-launch review, something looks off, or wants to go from good to great.",
+    "argumentHint": "[target]"
+  },
+  "quieter": {
+    "description": "Tones down visually aggressive or overstimulating designs, reducing intensity while preserving quality. Use when the user mentions too bold, too loud, overwhelming, aggressive, garish, or wants a calmer, more refined aesthetic.",
+    "argumentHint": "[target]"
+  },
+  "shape": {
+    "description": "Plan UX and UI before code. Runs a required multi-round discovery interview, uses visual probes when available, and produces a user-confirmed design brief for implementation.",
+    "argumentHint": "[feature to shape]"
+  },
+  "typeset": {
+    "description": "Improves typography by fixing font choices, hierarchy, sizing, weight, and readability so text feels intentional. Use when the user mentions fonts, type, readability, text hierarchy, sizing looks off, or wants more polished, intentional typography.",
+    "argumentHint": "[target]"
+  }
+}

.agents/skills/impeccable/scripts/critique-storage.mjs

@@ -0,0 +1,242 @@
+#!/usr/bin/env node
+/**
+ * Critique persistence helper.
+ *
+ * Each run of /impeccable critique writes a per-target snapshot to
+ *   .impeccable/critique/<timestamp>__<slug>.md
+ * with a small YAML frontmatter carrying the score + P0/P1 counts.
+ *
+ * /impeccable polish reads the latest matching snapshot at start as its
+ * fix backlog. No other skill auto-reads critique output.
+ *
+ * The slug is derived mechanically from the *resolved* primary artifact
+ * (file path or URL), never from the user's natural-language phrasing.
+ * Slug stability across runs is what lets the trend display work.
+ *
+ * CLI entry points (called from skill instructions):
+ *   node critique-storage.mjs slug <resolved-target>
+ *   node critique-storage.mjs write <slug> <snapshot-body-file>
+ *   node critique-storage.mjs latest <slug>
+ *   node critique-storage.mjs trend <slug> [limit]
+ *
+ * Note: there is intentionally no `ignore` subcommand. ignore.md is a plain
+ * markdown file; the model reads it directly with its file-read tool. This
+ * helper only exists for operations the model can't trivially do inline
+ * (normalizing paths, generating filenames, globbing + parsing frontmatter).
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+import { getCritiqueDir } from './impeccable-paths.mjs';
+
+const SLUG_MAX = 50;
+
+/**
+ * Mechanically derive a slug from a resolved target. Returns null if the
+ * input doesn't look like a stable identifier (empty, project root, etc).
+ *
+ * Accepts file paths and URLs. The model resolves "the homepage" to a
+ * concrete artifact before calling this — we never slug a natural-language
+ * phrase.
+ */
+export function slugFromTarget(resolved, { cwd = process.cwd() } = {}) {
+  if (!resolved || typeof resolved !== 'string') return null;
+  const trimmed = resolved.trim();
+  if (!trimmed) return null;
+
+  // URL
+  if (/^https?:\/\//i.test(trimmed)) {
+    let url;
+    try { url = new URL(trimmed); } catch { return null; }
+    const hostPath = `${url.hostname}${url.pathname}`;
+    return kebab(hostPath);
+  }
+
+  // File path. Make it project-relative so two devs critiquing the same
+  // checkout get the same slug regardless of where their repo is cloned.
+  const abs = path.isAbsolute(trimmed) ? trimmed : path.resolve(cwd, trimmed);
+  let rel = path.relative(cwd, abs);
+  // If the target is outside cwd, fall back to the basename so we still
+  // produce a stable slug (vs the absolute path, which would include
+  // home dirs / usernames).
+  if (rel.startsWith('..') || path.isAbsolute(rel)) {
+    rel = path.basename(abs);
+  }
+  if (!rel || rel === '.' || rel === '') return null;
+  return kebab(rel);
+}
+
+function kebab(s) {
+  const slug = s
+    .toLowerCase()
+    .replace(/[/\\.]+/g, '-')
+    .replace(/[^a-z0-9-]+/g, '-')
+    .replace(/-+/g, '-')
+    .replace(/^-|-$/g, '');
+  if (!slug) return null;
+  // Cap from the tail — the tail (filename) is more identifying than the
+  // top-level directory.
+  return slug.length <= SLUG_MAX ? slug : slug.slice(slug.length - SLUG_MAX).replace(/^-/, '');
+}
+
+/**
+ * Filename-safe UTC ISO timestamp: hyphens for separators, trailing Z.
+ * Plain colons aren't allowed on Windows filesystems.
+ */
+export function nowFilenameStamp(date = new Date()) {
+  const iso = date.toISOString();           // 2026-05-12T18:30:00.123Z
+  return iso.replace(/[:.]/g, '-').replace(/-\d+Z$/, 'Z');
+}
+
+/**
+ * Write a snapshot for `slug`. `meta` carries the small structured frontmatter
+ * keys read back by readTrend(). `body` is the human-readable critique
+ * report (everything below the frontmatter).
+ *
+ * Returns the absolute path written.
+ */
+export function writeSnapshot({ slug, meta, body, cwd = process.cwd(), now = new Date() }) {
+  if (!slug) throw new Error('writeSnapshot requires a slug');
+  const dir = getCritiqueDir(cwd);
+  fs.mkdirSync(dir, { recursive: true });
+  const timestamp = nowFilenameStamp(now);
+  const filePath = path.join(dir, `${timestamp}__${slug}.md`);
+  // Spread `meta` first so internally computed `timestamp` and `slug`
+  // always win. Otherwise a caller-supplied meta blob (parsed from the
+  // IMPECCABLE_CRITIQUE_META env var) could clobber them, leaving the
+  // filename in disagreement with its frontmatter and corrupting trends.
+  const front = serializeFrontmatter({ ...meta, timestamp, slug });
+  fs.writeFileSync(filePath, `${front}\n${body.trim()}\n`, 'utf-8');
+  return filePath;
+}
+
+function serializeFrontmatter(obj) {
+  const lines = ['---'];
+  for (const [key, value] of Object.entries(obj)) {
+    if (value === undefined || value === null) continue;
+    const str = typeof value === 'string' ? value : String(value);
+    // Quote strings that contain : or # to keep parsing simple.
+    const needsQuotes = typeof value === 'string' && /[:#]/.test(str);
+    lines.push(`${key}: ${needsQuotes ? JSON.stringify(str) : str}`);
+  }
+  lines.push('---');
+  return lines.join('\n');
+}
+
+function parseFrontmatter(text) {
+  const match = text.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (!match) return {};
+  const out = {};
+  for (const line of match[1].split(/\r?\n/)) {
+    const colon = line.indexOf(':');
+    if (colon < 0) continue;
+    const key = line.slice(0, colon).trim();
+    let value = line.slice(colon + 1).trim();
+    if (/^".*"$/.test(value)) {
+      try { value = JSON.parse(value); } catch { /* leave as-is */ }
+    } else if (/^-?\d+$/.test(value)) {
+      value = Number(value);
+    }
+    out[key] = value;
+  }
+  return out;
+}
+
+/**
+ * Return all snapshot files for `slug`, sorted oldest → newest.
+ */
+function listSnapshotsForSlug(slug, cwd) {
+  const dir = getCritiqueDir(cwd);
+  if (!fs.existsSync(dir)) return [];
+  const suffix = `__${slug}.md`;
+  return fs.readdirSync(dir)
+    .filter((f) => f.endsWith(suffix))
+    .sort()
+    .map((f) => path.join(dir, f));
+}
+
+/**
+ * Return the most recent snapshot for `slug`, or null. Polish reads this
+ * to find its fix backlog when the slug matches.
+ */
+export function readLatestSnapshot(slug, { cwd = process.cwd() } = {}) {
+  const all = listSnapshotsForSlug(slug, cwd);
+  if (!all.length) return null;
+  const latest = all[all.length - 1];
+  const body = fs.readFileSync(latest, 'utf-8');
+  return { path: latest, body, meta: parseFrontmatter(body) };
+}
+
+/**
+ * Return the last `limit` snapshots' frontmatter, oldest → newest.
+ * Critique appends a one-line trend to its output using this.
+ */
+export function readTrend(slug, { limit = 5, cwd = process.cwd() } = {}) {
+  const all = listSnapshotsForSlug(slug, cwd);
+  const slice = all.slice(-limit);
+  return slice.map((file) => parseFrontmatter(fs.readFileSync(file, 'utf-8')));
+}
+
+// ---- CLI ---------------------------------------------------------------
+
+function main(argv) {
+  const [cmd, ...args] = argv;
+  switch (cmd) {
+    case 'slug': {
+      const slug = slugFromTarget(args[0]);
+      if (!slug) { process.stderr.write('no stable slug for input\n'); process.exit(1); }
+      process.stdout.write(`${slug}\n`);
+      return;
+    }
+    case 'write': {
+      const [slug, bodyFile] = args;
+      if (!slug || !bodyFile) { process.stderr.write('usage: write <slug> <body-file>\n'); process.exit(1); }
+      const raw = fs.readFileSync(bodyFile, 'utf-8');
+      // The body file may be a full report. The caller passes the meta as
+      // a JSON object on stdin if it wants structured frontmatter; otherwise
+      // we write with minimal metadata.
+      let meta = {};
+      const metaArg = process.env.IMPECCABLE_CRITIQUE_META;
+      if (metaArg) {
+        try { meta = JSON.parse(metaArg); } catch { /* ignore */ }
+      }
+      const out = writeSnapshot({ slug, meta, body: raw });
+      process.stdout.write(`${out}\n`);
+      return;
+    }
+    case 'latest': {
+      const latest = readLatestSnapshot(args[0]);
+      if (!latest) { process.exit(2); }
+      process.stdout.write(latest.body);
+      return;
+    }
+    case 'trend': {
+      const rows = readTrend(args[0], { limit: args[1] ? Number(args[1]) : 5 });
+      process.stdout.write(JSON.stringify(rows, null, 2) + '\n');
+      return;
+    }
+    default:
+      process.stderr.write('usage: critique-storage.mjs <slug|write|latest|trend> [args]\n');
+      process.exit(1);
+  }
+}
+
+function isMainModule() {
+  if (!process.argv[1]) return false;
+  try {
+    return fs.realpathSync(fileURLToPath(import.meta.url)) === fs.realpathSync(process.argv[1]);
+  } catch {
+    // pathToFileURL normalizes Windows paths; keep it as a fallback for any
+    // environment where realpath is unavailable.
+    return import.meta.url === pathToFileURL(process.argv[1]).href;
+  }
+}
+
+// Why the realpath check: generated skills are often reached through symlinked
+// harness directories (for example a demo repo's `.agents` -> source `.agents`).
+// Node resolves import.meta.url to the real file, while process.argv[1] keeps
+// the symlink path. Comparing canonical paths prevents a silent exit-0 no-op.
+if (isMainModule()) {
+  main(process.argv.slice(2));
+}

.agents/skills/impeccable/scripts/design-parser.mjs

@@ -0,0 +1,820 @@
+// Parse a DESIGN.md (Stitch-spec format) into a structured JSON model that
+// the live-mode design-system panel can render. Deterministic, dependency-free.
+//
+// Two-layer: YAML frontmatter (machine-readable tokens) + markdown body
+// (prose with six canonical H2 sections). When frontmatter is present, it's
+// exposed on `model.frontmatter` alongside the prose-scraped sections;
+// consumers can prefer frontmatter values and fall back to prose.
+
+const CANONICAL_SECTIONS = [
+  'Overview',
+  'Colors',
+  'Typography',
+  'Elevation',
+  'Components',
+  "Do's and Don'ts",
+];
+
+// ---------- Frontmatter (Stitch YAML subset) ----------
+
+function parseFrontmatter(md) {
+  const lines = md.split(/\r?\n/);
+  if (lines[0]?.trim() !== '---') return { frontmatter: null, body: md };
+
+  let end = -1;
+  for (let i = 1; i < lines.length; i++) {
+    if (lines[i].trim() === '---') { end = i; break; }
+  }
+  if (end === -1) return { frontmatter: null, body: md };
+
+  const yaml = lines.slice(1, end).join('\n');
+  const body = lines.slice(end + 1).join('\n');
+  try {
+    return { frontmatter: parseYamlSubset(yaml), body };
+  } catch {
+    return { frontmatter: null, body: md };
+  }
+}
+
+// Minimal YAML reader for the Stitch frontmatter subset: scalar maps with
+// one level of nested objects (typography roles, components). Indent-based,
+// 2-space convention. No arrays, no anchors, no multi-line scalars — Stitch's
+// schema doesn't need them and accepting them would require a real YAML
+// dependency we don't want to vendor.
+function parseYamlSubset(yaml) {
+  const lines = yaml.split(/\r?\n/);
+  const root = {};
+  const stack = [{ indent: -1, obj: root }];
+
+  for (const raw of lines) {
+    // Skip blanks and line-only comments. Don't strip inline comments:
+    // unquoted hex values start with `#` and can't be safely distinguished
+    // from a comment after whitespace.
+    if (!raw.trim() || /^\s*#/.test(raw)) continue;
+
+    const indent = raw.match(/^\s*/)[0].length;
+    const content = raw.slice(indent);
+
+    const colonIdx = findTopLevelColon(content);
+    if (colonIdx === -1) continue;
+
+    while (stack.length > 1 && stack[stack.length - 1].indent >= indent) {
+      stack.pop();
+    }
+
+    const key = content.slice(0, colonIdx).trim();
+    const rest = content.slice(colonIdx + 1).trim();
+    const parent = stack[stack.length - 1].obj;
+
+    if (rest === '') {
+      const obj = {};
+      parent[key] = obj;
+      stack.push({ indent, obj });
+    } else {
+      parent[key] = parseScalar(rest);
+    }
+  }
+
+  return root;
+}
+
+function findTopLevelColon(s) {
+  let inQuote = null;
+  for (let i = 0; i < s.length; i++) {
+    const ch = s[i];
+    if (inQuote) {
+      if (ch === inQuote && s[i - 1] !== '\\') inQuote = null;
+    } else if (ch === '"' || ch === "'") {
+      inQuote = ch;
+    } else if (ch === ':') {
+      return i;
+    }
+  }
+  return -1;
+}
+
+function parseScalar(raw) {
+  const s = raw.trim();
+  if ((s.startsWith('"') && s.endsWith('"')) || (s.startsWith("'") && s.endsWith("'"))) {
+    return s.slice(1, -1);
+  }
+  if (s === 'true') return true;
+  if (s === 'false') return false;
+  if (s === 'null' || s === '~') return null;
+  if (/^-?\d+$/.test(s)) return Number(s);
+  if (/^-?\d*\.\d+$/.test(s)) return Number(s);
+  return s;
+}
+
+const HEX_RE = /#[0-9a-fA-F]{3,8}\b/g;
+const OKLCH_RE = /oklch\([^)]+\)/gi;
+const RGBA_RE = /rgba?\([^)]+\)/gi;
+const BOX_SHADOW_RE = /(?:box-shadow:\s*)?((?:-?\d[\w\d\s\-.,/()#%]*)+)/;
+const NAMED_RULE_RE = /\*\*(The [^*]+?Rule)\.\*\*\s*(.+)/;
+
+// ---------- Section splitting ----------
+
+function splitSections(md) {
+  const lines = md.split(/\r?\n/);
+  let title = null;
+  const sections = {};
+  let current = null;
+
+  for (const raw of lines) {
+    const line = raw.trimEnd();
+
+    if (!title && line.startsWith('# ') && !line.startsWith('## ')) {
+      title = line.replace(/^#\s+/, '').trim();
+      continue;
+    }
+
+    const h2 = line.match(/^##\s+(?:\d+\.\s*)?([^:\n]+?)(?::\s*(.+))?$/);
+    if (h2) {
+      const rawName = normalizeApostrophes(h2[1].trim());
+      const subtitle = h2[2] ? h2[2].trim() : null;
+      const canonical = matchCanonicalSection(rawName);
+      if (canonical) {
+        current = { name: canonical, subtitle, lines: [] };
+        sections[canonical] = current;
+        continue;
+      }
+      // non-canonical H2 — ignore but stop feeding into current
+      current = null;
+      continue;
+    }
+
+    if (current) current.lines.push(raw);
+  }
+
+  return { title, sections };
+}
+
+function normalizeApostrophes(s) {
+  return s.replace(/[\u2018\u2019]/g, "'");
+}
+
+function matchCanonicalSection(name) {
+  const normalized = normalizeApostrophes(name).toLowerCase();
+  // Exact match first
+  for (const c of CANONICAL_SECTIONS) {
+    if (normalizeApostrophes(c).toLowerCase() === normalized) return c;
+  }
+  // Keyword-contained match: "Overview & Creative North Star" -> "Overview",
+  // "Elevation & Depth" -> "Elevation", etc.
+  for (const c of CANONICAL_SECTIONS) {
+    const key = normalizeApostrophes(c).toLowerCase();
+    const pattern = new RegExp(`\\b${key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\b`);
+    if (pattern.test(normalized)) return c;
+  }
+  return null;
+}
+
+// ---------- Subsection splitting (inside a canonical section) ----------
+
+function splitSubsections(lines) {
+  const subs = [];
+  let current = { name: null, lines: [] };
+  subs.push(current);
+
+  for (const raw of lines) {
+    const h3 = raw.match(/^###\s+(.+?)\s*$/);
+    if (h3) {
+      current = { name: h3[1].trim(), lines: [] };
+      subs.push(current);
+      continue;
+    }
+    current.lines.push(raw);
+  }
+
+  return subs;
+}
+
+// ---------- Generic helpers ----------
+
+function collectParagraphs(lines) {
+  const paragraphs = [];
+  let buf = [];
+  const flush = () => {
+    if (buf.length) {
+      paragraphs.push(buf.join(' ').trim());
+      buf = [];
+    }
+  };
+  for (const raw of lines) {
+    const trimmed = raw.trim();
+    if (trimmed === '') { flush(); continue; }
+    // Horizontal rules (---, ***) and headings/bullets end a paragraph.
+    if (/^(?:-{3,}|\*{3,}|_{3,})$/.test(trimmed)) { flush(); continue; }
+    if (raw.startsWith('#') || raw.match(/^[-*]\s/)) { flush(); continue; }
+    buf.push(trimmed);
+  }
+  flush();
+  return paragraphs.filter(Boolean);
+}
+
+function collectBullets(lines) {
+  const bullets = [];
+  let current = null;
+  for (const raw of lines) {
+    const m = raw.match(/^\s*[-*]\s+(.+)$/);
+    if (m) {
+      if (current) bullets.push(current);
+      current = m[1];
+      continue;
+    }
+    // continuation of a bullet (indented line)
+    if (current && raw.match(/^\s{2,}\S/)) {
+      current += ' ' + raw.trim();
+      continue;
+    }
+    // blank line ends a bullet
+    if (raw.trim() === '' && current) {
+      bullets.push(current);
+      current = null;
+    }
+  }
+  if (current) bullets.push(current);
+  return bullets;
+}
+
+function stripBold(s) {
+  return s.replace(/\*\*(.+?)\*\*/g, '$1');
+}
+
+function extractNamedRules(lines) {
+  const rules = [];
+  const seen = new Set();
+
+  // Style A (Impeccable): "**The X Rule.** body body body" — can span lines.
+  const joined = lines.join('\n');
+  const inlineStart = /\*\*(The [^*]+?Rule)\.\*\*/g;
+  const inlineMatches = [];
+  let m;
+  while ((m = inlineStart.exec(joined)) !== null) {
+    inlineMatches.push({ name: m[1], start: m.index, end: inlineStart.lastIndex });
+  }
+  for (let i = 0; i < inlineMatches.length; i++) {
+    const mm = inlineMatches[i];
+    const bodyEnd = i + 1 < inlineMatches.length ? inlineMatches[i + 1].start : joined.length;
+    const body = joined
+      .slice(mm.end, bodyEnd)
+      .replace(/\n##[^\n]*$/s, '')
+      .replace(/\n###[^\n]*$/s, '')
+      .trim();
+    const name = stripBold(mm.name).trim();
+    seen.add(name.toLowerCase());
+    rules.push({ name, body: stripBold(body) });
+  }
+
+  // Style B (Stitch): `### The "X" Rule` or `### The X Fallback`, body is the
+  // bullets/paragraphs until the next heading. Accept Rule / Fallback / Principle.
+  for (let i = 0; i < lines.length; i++) {
+    const h3 = lines[i].match(/^###\s+(.+?)\s*$/);
+    if (!h3) continue;
+    const headerName = stripBold(h3[1]).replace(/["“”]/g, '').trim();
+    if (!/^The\b.*\b(Rule|Fallback|Principle)\b/i.test(headerName)) continue;
+    if (seen.has(headerName.toLowerCase())) continue;
+
+    const bodyLines = [];
+    for (let j = i + 1; j < lines.length; j++) {
+      if (/^##\s|^###\s/.test(lines[j])) break;
+      bodyLines.push(lines[j]);
+    }
+    const body = stripBold(bodyLines.join('\n').replace(/\n+/g, ' ')).trim();
+    if (body) {
+      seen.add(headerName.toLowerCase());
+      rules.push({ name: headerName, body });
+    }
+  }
+
+  // Style C (Stitch bullet form): "*   **The Layering Principle:** body"
+  // Colon/period lives inside the bold, so match "**...**" then inspect.
+  for (const b of collectBullets(lines)) {
+    const mm = b.match(/^\*\*([^*]+?)\*\*\s*(.+)$/);
+    if (!mm) continue;
+    const nameRaw = mm[1].replace(/[.:]\s*$/, '').replace(/["“”]/g, '').trim();
+    if (!/^The\b.+\b(Rule|Fallback|Principle)$/i.test(nameRaw)) continue;
+    if (seen.has(nameRaw.toLowerCase())) continue;
+    seen.add(nameRaw.toLowerCase());
+    rules.push({ name: nameRaw, body: stripBold(mm[2]).trim() });
+  }
+
+  return rules;
+}
+
+// ---------- Per-section extractors ----------
+
+function extractOverview(section) {
+  if (!section) return null;
+  const text = section.lines.join('\n');
+  const northStar = text.match(/\*\*Creative North Star:\s*"([^"]+)"\*\*/);
+  const keyChars = [];
+  const keyCharMatch = text.match(/\*\*Key Characteristics:\*\*\s*\n([\s\S]+?)(?:\n##|\n###|$)/);
+  if (keyCharMatch) {
+    for (const line of keyCharMatch[1].split('\n')) {
+      const m = line.match(/^\s*[-*]\s+(.+)$/);
+      if (m) keyChars.push(stripBold(m[1].trim()));
+    }
+  }
+
+  // Philosophy paragraphs: everything that isn't a rule header or key-char block
+  const paragraphs = collectParagraphs(section.lines).filter(
+    (p) =>
+      !p.startsWith('**Creative North Star') &&
+      !p.startsWith('**Key Characteristics')
+  );
+
+  return {
+    subtitle: section.subtitle,
+    creativeNorthStar: northStar ? northStar[1] : null,
+    philosophy: paragraphs,
+    keyCharacteristics: keyChars,
+  };
+}
+
+function extractColors(section) {
+  if (!section) return null;
+  const subs = splitSubsections(section.lines);
+
+  const description = collectParagraphs(subs[0].lines).join(' ');
+  const groups = [];
+  const ROLE_KEYWORDS = /^(primary|secondary|tertiary|neutral|accent)\b/i;
+
+  for (const sub of subs.slice(1)) {
+    if (!sub.name || /Named Rules?/i.test(sub.name) || /^The\s/i.test(sub.name)) continue;
+
+    const bullets = collectBullets(sub.lines);
+    const parsed = bullets.map((b) => parseColorBullet(b)).filter(Boolean);
+    if (parsed.length === 0) continue;
+
+    // If every bullet starts with a role keyword (Primary/Secondary/...), promote
+    // each bullet to its own group. Otherwise keep the subsection as the group.
+    const allRoleBullets =
+      parsed.length > 0 && parsed.every((p) => p.name && ROLE_KEYWORDS.test(p.name));
+
+    if (allRoleBullets) {
+      for (const p of parsed) {
+        groups.push({ role: p.name, colors: [p] });
+      }
+    } else {
+      groups.push({ role: sub.name, colors: parsed });
+    }
+  }
+
+  // If the Colors section has no subsections at all (unlikely), fall back to
+  // scanning the whole section as a flat bullet list.
+  if (groups.length === 0) {
+    const flat = collectBullets(section.lines)
+      .map((b) => parseColorBullet(b))
+      .filter(Boolean);
+    if (flat.length) {
+      for (const p of flat) {
+        if (p.name && ROLE_KEYWORDS.test(p.name)) {
+          groups.push({ role: p.name, colors: [p] });
+        } else {
+          const fallback = groups.find((g) => g.role === 'Palette');
+          if (fallback) fallback.colors.push(p);
+          else groups.push({ role: 'Palette', colors: [p] });
+        }
+      }
+    }
+  }
+
+  return {
+    subtitle: section.subtitle,
+    description: description || null,
+    groups,
+    rules: extractNamedRules(section.lines),
+  };
+}
+
+function parseColorBullet(bullet) {
+  const text = bullet.trim();
+
+  // Case 1 (Impeccable): **Name** (value-with-maybe-nested-parens): description
+  const bold = text.match(/^\*\*(.+?)\*\*\s*(.*)$/);
+  if (bold && bold[2].startsWith('(')) {
+    const value = extractParenGroup(bold[2]);
+    if (value !== null) {
+      const after = bold[2].slice(value.length + 2).trimStart();
+      if (after.startsWith(':')) {
+        return buildColor(bold[1], value, after.slice(1).trim());
+      }
+    }
+  }
+
+  // Case 2 (Stitch): **Name (values):** description   — value embedded in bold.
+  const stitch = text.match(/^\*\*([^*]+?)\s*\(([^)]+)\):\*\*\s*(.*)$/);
+  if (stitch) {
+    return buildColor(stitch[1].trim(), stitch[2], stitch[3]);
+  }
+
+  // Case 3: bullet without bold, just hex/oklch inside.
+  const values = collectColorValues(text);
+  if (values.length) {
+    return buildColor(null, values.join(' to '), text);
+  }
+  return null;
+}
+
+function extractParenGroup(s) {
+  if (s[0] !== '(') return null;
+  let depth = 0;
+  for (let i = 0; i < s.length; i++) {
+    if (s[i] === '(') depth++;
+    else if (s[i] === ')') {
+      depth--;
+      if (depth === 0) return s.slice(1, i);
+    }
+  }
+  return null;
+}
+
+function buildColor(name, rawValue, description) {
+  const values = collectColorValues(rawValue);
+  const primary = values[0] ?? rawValue.trim();
+  return {
+    name: name ? stripBold(name).trim() : null,
+    value: primary,
+    valueRange: values.length > 1 ? values : null,
+    format: detectFormat(primary),
+    description: stripBold(description || '').trim() || null,
+  };
+}
+
+function collectColorValues(s) {
+  const out = [];
+  s.replace(HEX_RE, (v) => {
+    out.push(v);
+    return v;
+  });
+  s.replace(OKLCH_RE, (v) => {
+    out.push(v);
+    return v;
+  });
+  return out;
+}
+
+function detectFormat(v) {
+  if (!v) return 'unknown';
+  if (v.startsWith('#')) return 'hex';
+  if (/^oklch/i.test(v)) return 'oklch';
+  if (/^rgb/i.test(v)) return 'rgb';
+  return 'unknown';
+}
+
+function scanInlineColors(lines) {
+  const out = [];
+  for (const line of lines) {
+    if (!/^\s*[-*]\s/.test(line)) continue;
+    const trimmed = line.replace(/^\s*[-*]\s+/, '');
+    const color = parseColorBullet(trimmed);
+    if (color) out.push(color);
+  }
+  return out;
+}
+
+function parseStitchInlineGroups(lines) {
+  // Stitch writes: `*   **Primary (`#00478d` to `#005eb8`):** Use for "..."`
+  // Each bullet IS its own role. Group them under the spoken role name.
+  const out = [];
+  for (const line of lines) {
+    if (!/^\s*[-*]\s/.test(line)) continue;
+    const trimmed = line.replace(/^\s*[-*]\s+/, '').trim();
+    const m = trimmed.match(
+      /^\*\*([A-Z][a-zA-Z]+)\s*\(([^)]+)\):\*\*\s*(.*)$/
+    );
+    if (m) {
+      const role = m[1];
+      const color = buildColor(role, m[2], m[3]);
+      out.push({ role, colors: [color] });
+    }
+  }
+  return out;
+}
+
+function extractTypography(section) {
+  if (!section) return null;
+  const text = section.lines.join('\n');
+
+  const fonts = {};
+  // Pattern A: **Display Font:** Family (with fallback)
+  const fontLineRe = /\*\*([\w\s/]+?)Font:\*\*\s*([^\n(]+?)(?:\s*\(with\s+([^)]+)\))?\s*$/gm;
+  let fm;
+  while ((fm = fontLineRe.exec(text)) !== null) {
+    const rawRole = fm[1].trim().toLowerCase().replace(/\s+/g, '-');
+    const role = normalizeFontRole(rawRole) || 'display';
+    fonts[role] = {
+      family: fm[2].trim(),
+      fallback: fm[3] ? fm[3].trim() : null,
+    };
+  }
+
+  // Pattern B (Stitch): *   **Display & Headlines (Noto Serif):** description
+  if (Object.keys(fonts).length === 0) {
+    const stitchRe = /\*\*([\w\s&/]+?)\s*\(([^)]+)\):\*\*\s*(.+)/g;
+    let sm;
+    while ((sm = stitchRe.exec(text)) !== null) {
+      const rawRole = sm[1]
+        .trim()
+        .toLowerCase()
+        .replace(/\s*&\s*/g, '-')
+        .replace(/\s+/g, '-');
+      const role = normalizeFontRole(rawRole) || rawRole;
+      fonts[role] = { family: sm[2].trim(), fallback: null, purpose: sm[3].trim() };
+    }
+  }
+
+  // Character paragraph — either a **Character:** label, or fall back to the
+  // first free paragraph under the section header (Stitch style).
+  const characterMatch = text.match(/\*\*Character:\*\*\s*([^\n]+(?:\n[^\n]+)*?)(?=\n\n|\n###|\n##|$)/);
+  let character = characterMatch ? characterMatch[1].replace(/\n/g, ' ').trim() : null;
+  if (!character) {
+    const paragraphs = collectParagraphs(section.lines).filter(
+      (p) => !/^\*\*[\w\s/&]+Font/i.test(p) && !/^\*\*[\w\s/&]+\([^)]+\)/.test(p)
+    );
+    if (paragraphs.length) character = paragraphs[0];
+  }
+
+  // Hierarchy bullets under ### Hierarchy
+  const subs = splitSubsections(section.lines);
+  let hierarchy = [];
+  const hierSub = subs.find((s) => s.name && /hierarch/i.test(s.name));
+  if (hierSub) {
+    const bullets = collectBullets(hierSub.lines);
+    hierarchy = bullets.map(parseTypeBullet).filter(Boolean);
+  }
+
+  return {
+    subtitle: section.subtitle,
+    fonts,
+    character,
+    hierarchy,
+    rules: extractNamedRules(section.lines),
+  };
+}
+
+function normalizeFontRole(raw) {
+  // Canonical roles the panel cares about: display, body, label, mono.
+  // Stitch often writes compound roles like "display-&-headlines" or "ui-&-body"
+  // — collapse them to the first canonical role present.
+  const tokens = raw.split(/[-/&\s]+/).filter(Boolean);
+  const priority = ['display', 'headline', 'body', 'ui', 'label', 'mono'];
+  const canonical = { headline: 'display', ui: 'body' };
+  for (const p of priority) {
+    if (tokens.includes(p)) return canonical[p] || p;
+  }
+  return null;
+}
+
+function parseTypeBullet(bullet) {
+  // - **Display** (family, weight 300, italic, clamp(...), line-height 1): purpose
+  const m = bullet.match(/^\*\*(.+?)\*\*\s*\(([^)]+)\):\s*(.*)$/);
+  if (!m) return null;
+  const name = m[1].trim();
+  const specs = m[2].split(',').map((s) => s.trim());
+  return {
+    name,
+    specs,
+    purpose: stripBold(m[3] || '').trim() || null,
+  };
+}
+
+function extractElevation(section) {
+  if (!section) return null;
+  const subs = splitSubsections(section.lines);
+
+  const description = collectParagraphs(subs[0].lines).join(' ') || null;
+
+  const shadows = [];
+  const seen = new Set();
+  const dedupe = (entry) => {
+    const key = (entry.name || '') + '::' + entry.value;
+    if (seen.has(key)) return;
+    seen.add(key);
+    shadows.push(entry);
+  };
+
+  for (const b of collectBullets(section.lines)) {
+    const parsed = parseShadowBullet(b);
+    if (parsed) dedupe(parsed);
+  }
+
+  // Fallback: extract shadows written inline in prose. Stitch style is
+  //   "...use an extra-diffused shadow: `box-shadow: 0 12px 40px rgba(...)`."
+  for (const p of collectParagraphs(section.lines)) {
+    for (const inline of extractInlineShadows(p)) dedupe(inline);
+  }
+  for (const b of collectBullets(section.lines)) {
+    for (const inline of extractInlineShadows(b)) dedupe(inline);
+  }
+
+  return {
+    subtitle: section.subtitle,
+    description,
+    shadows,
+    rules: extractNamedRules(section.lines),
+  };
+}
+
+function extractInlineShadows(text) {
+  // Find `box-shadow: ...` anywhere in prose and capture the value. Work on the
+  // raw string so it handles both backtick-fenced and unfenced variants.
+  const out = [];
+  const re = /box-shadow\s*:\s*([^`;\n]+)/gi;
+  let m;
+  while ((m = re.exec(text)) !== null) {
+    const value = m[1].replace(/[`.)]+$/, '').trim();
+    if (!value) continue;
+    // Name heuristic: the noun immediately before the shadow phrase.
+    // e.g. "an extra-diffused shadow: ..." -> "extra-diffused shadow"
+    const before = text.slice(0, m.index);
+    const nameMatch = before.match(/\b([A-Za-z][A-Za-z\- ]{2,40})\s+shadow\b[^A-Za-z0-9]*$/i);
+    let name = null;
+    if (nameMatch) {
+      const stripped = nameMatch[1]
+        .replace(/^(?:use|using|apply|applying|is|are|looks? like)\s+/i, '')
+        .replace(/^(?:a|an|the)\s+/i, '')
+        .trim();
+      if (stripped) {
+        name =
+          stripped.charAt(0).toUpperCase() + stripped.slice(1) + ' shadow';
+      }
+    }
+    out.push({
+      name,
+      value,
+      purpose: null,
+    });
+  }
+  return out;
+}
+
+function parseShadowBullet(bullet) {
+  // - **Name** (`box-shadow: value`): purpose
+  // - **Name** (`value`): purpose
+  // Only accept if the paren content looks like a shadow value (contains px,
+  // rem, rgba, or box-shadow). This filters out `**Rule Name:**` bullets.
+  const m = bullet.match(/^\*\*(.+?)\*\*\s*\(`?([^`]+?)`?\):\s*(.*)$/);
+  if (!m) return null;
+  const rawValue = m[2].replace(/^box-shadow:\s*/i, '').trim();
+  const looksLikeShadow =
+    /box-shadow|rgba?\(|\bpx\b|\brem\b|^-?\d+\s/i.test(rawValue) &&
+    /\d/.test(rawValue);
+  if (!looksLikeShadow) return null;
+  const name = stripBold(m[1]).trim();
+  return {
+    name,
+    value: rawValue,
+    purpose: stripBold(m[3] || '').trim() || null,
+  };
+}
+
+function extractComponents(section) {
+  if (!section) return null;
+  const subs = splitSubsections(section.lines);
+  const components = [];
+
+  for (const sub of subs.slice(1)) {
+    if (!sub.name) continue;
+
+    const bullets = collectBullets(sub.lines);
+    const paragraphs = collectParagraphs(sub.lines);
+
+    const variants = [];
+    const properties = {};
+
+    for (const b of bullets) {
+      // - **Key:** value
+      const m = b.match(/^\*\*(.+?):?\*\*:?\s*(.+)$/);
+      if (m) {
+        const key = stripBold(m[1]).trim();
+        const value = stripBold(m[2]).trim();
+        // Heuristic: "Primary", "Secondary", "Hover", "Focus" etc are variants;
+        // "Shape", "Background", "Padding" are properties.
+        if (/^(primary|secondary|tertiary|ghost|hover|focus|active|disabled|default|error|selected|unselected|state)$/i.test(key.split(/[\s/]/)[0])) {
+          variants.push({ name: key, description: value });
+        } else {
+          properties[key.toLowerCase()] = value;
+        }
+      }
+    }
+
+    components.push({
+      name: sub.name,
+      description: paragraphs.join(' ') || null,
+      properties,
+      variants,
+    });
+  }
+
+  return {
+    subtitle: section.subtitle,
+    components,
+  };
+}
+
+function extractDosDonts(section) {
+  if (!section) return null;
+  const subs = splitSubsections(section.lines);
+  const dos = [];
+  const donts = [];
+
+  for (const sub of subs.slice(1)) {
+    if (!sub.name) continue;
+    const subName = normalizeApostrophes(sub.name);
+    const bullets = collectBullets(sub.lines).map((b) => stripBold(b).trim());
+    if (/^do'?t?:?$/i.test(subName) || /^do:?$/i.test(subName)) {
+      dos.push(...bullets);
+    } else if (/^don'?t:?$/i.test(subName)) {
+      donts.push(...bullets);
+    }
+  }
+
+  // Classify by bullet prefix as a backup (catches loose bullets outside H3 wrappers)
+  for (const b of collectBullets(section.lines)) {
+    const stripped = normalizeApostrophes(stripBold(b).trim());
+    if (/^don'?t\b/i.test(stripped)) {
+      if (!donts.some((d) => normalizeApostrophes(d) === stripped)) donts.push(stripped);
+    } else if (/^do\b/i.test(stripped)) {
+      if (!dos.some((d) => normalizeApostrophes(d) === stripped)) dos.push(stripped);
+    }
+  }
+
+  return { dos, donts };
+}
+
+// ---------- Coverage assessment ----------
+
+function assessCoverage(model) {
+  const report = {};
+
+  report.overview = model.overview
+    ? {
+        northStar: Boolean(model.overview.creativeNorthStar),
+        philosophy: model.overview.philosophy.length > 0,
+        keyCharacteristics: model.overview.keyCharacteristics.length,
+      }
+    : 'missing';
+
+  report.colors = model.colors
+    ? {
+        groups: model.colors.groups.length,
+        totalColors: model.colors.groups.reduce((n, g) => n + g.colors.length, 0),
+        rules: model.colors.rules.length,
+      }
+    : 'missing';
+
+  report.typography = model.typography
+    ? {
+        fonts: Object.keys(model.typography.fonts).length,
+        hierarchyEntries: model.typography.hierarchy.length,
+        character: Boolean(model.typography.character),
+        rules: model.typography.rules.length,
+      }
+    : 'missing';
+
+  report.elevation = model.elevation
+    ? {
+        shadows: model.elevation.shadows.length,
+        rules: model.elevation.rules.length,
+        description: Boolean(model.elevation.description),
+      }
+    : 'missing';
+
+  report.components = model.components
+    ? {
+        count: model.components.components.length,
+        variantTotal: model.components.components.reduce((n, c) => n + c.variants.length, 0),
+      }
+    : 'missing';
+
+  report.dosDonts = model.dosDonts
+    ? {
+        dos: model.dosDonts.dos.length,
+        donts: model.dosDonts.donts.length,
+      }
+    : 'missing';
+
+  return report;
+}
+
+// ---------- Main ----------
+
+export function parseDesignMd(md) {
+  const { frontmatter, body } = parseFrontmatter(md);
+  const { title, sections } = splitSections(body);
+  return {
+    schemaVersion: 2,
+    title,
+    frontmatter,
+    overview: extractOverview(sections['Overview']),
+    colors: extractColors(sections['Colors']),
+    typography: extractTypography(sections['Typography']),
+    elevation: extractElevation(sections['Elevation']),
+    components: extractComponents(sections['Components']),
+    dosDonts: extractDosDonts(sections["Do's and Don'ts"]),
+  };
+}
+
+export { assessCoverage };

.agents/skills/impeccable/scripts/detect-csp.mjs

@@ -0,0 +1,198 @@
+/**
+ * Scan a project tree for Content-Security-Policy signals and classify the
+ * shape so the agent knows which patch template to propose.
+ *
+ * Used at first-time `live.mjs` setup. Mechanical (grep-based) — no network,
+ * no dev server, no JS evaluation. The classification drives a user-facing
+ * consent prompt; the agent does the actual patch writing.
+ *
+ * Shapes are named by patch mechanism, not framework origin:
+ *   - "append-arrays":  CSP defined as structured directive arrays. Patch
+ *                       appends a dev-only localhost entry. Covers:
+ *                         - Monorepo helpers with additional*Src options
+ *                           (e.g. createBaseNextConfig for Next)
+ *                         - SvelteKit kit.csp.directives
+ *                         - nuxt-security module's contentSecurityPolicy
+ *   - "append-string":  CSP built as a literal value string. Patch splices
+ *                       a dev-only token into script-src and connect-src.
+ *                       Covers:
+ *                         - Inline Next.js headers() with CSP string
+ *                         - Nuxt routeRules / nitro.routeRules CSP headers
+ *   - "middleware":     CSP set dynamically in middleware.{ts,js}.
+ *                       Detected but not auto-patched in v1.
+ *   - "meta-tag":       <meta http-equiv="Content-Security-Policy"> in
+ *                       layout files. Detected but not auto-patched in v1.
+ *   - null:             no CSP signals found; no patch needed.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+const SKIP_DIRS = new Set([
+  'node_modules',
+  '.git',
+  '.next',
+  '.turbo',
+  '.svelte-kit',
+  '.nuxt',
+  '.astro',
+  'dist',
+  'build',
+  'out',
+  '.vercel',
+]);
+
+const SCAN_EXTS = new Set(['.js', '.mjs', '.cjs', '.ts', '.mts', '.cts', '.tsx', '.jsx']);
+const LAYOUT_EXTS = new Set(['.tsx', '.jsx', '.astro', '.vue', '.svelte', '.html']);
+const MAX_DEPTH = 6;
+const MAX_READ_BYTES = 64 * 1024;
+
+// append-arrays signals: CSP expressed as structured directive arrays
+const MONOREPO_HELPER_SIGNALS = [
+  /\bbuildCSPConfig\b/,
+  /\bbuildSecurityHeaders\b/,
+  /\badditionalScriptSrc\b/,
+  /\badditionalConnectSrc\b/,
+  /\bcreateBaseNextConfig\b/,
+];
+const SVELTEKIT_CSP_SIGNALS = [
+  /\bkit\s*:/,
+  /\bcsp\s*:/,
+  /\bdirectives\s*:/,
+];
+const NUXT_SECURITY_SIGNALS = [
+  /['"]nuxt-security['"]/,
+  /\bcontentSecurityPolicy\b/,
+];
+
+// append-string signals: CSP written as a literal value string
+const INLINE_HEADER_SIGNALS = [
+  /["']Content-Security-Policy["']/i,
+  /\bscript-src\b/,
+  /\bconnect-src\b/,
+];
+const NUXT_ROUTE_RULES_SIGNALS = [
+  /\brouteRules\b/,
+  /Content-Security-Policy/i,
+  /\bscript-src\b/,
+];
+
+const MIDDLEWARE_HINT = /headers\.set\(\s*["']Content-Security-Policy["']/i;
+const META_TAG_HINT = /http-equiv\s*=\s*["']Content-Security-Policy["']/i;
+
+/**
+ * @param {string} cwd Project root.
+ * @returns {{ shape: string|null, signals: string[] }}
+ */
+export function detectCsp(cwd = process.cwd()) {
+  const hits = { appendArrays: [], appendString: [], middleware: [], metaTag: [] };
+
+  walk(cwd, cwd, 0, (absPath, relPath, body) => {
+    const ext = path.extname(absPath);
+    const base = path.basename(absPath).toLowerCase();
+    const isConfig = (name) =>
+      new RegExp('(^|/)' + name + '\\.config\\.').test(relPath);
+
+    // === append-arrays candidates ===
+
+    // Monorepo CSP helper: packages/*/src/.../(config|security)/*
+    if (SCAN_EXTS.has(ext) &&
+        /packages\/[^/]+\/src\/.*(config|next-config|security)/.test(relPath) &&
+        MONOREPO_HELPER_SIGNALS.some((re) => re.test(body))) {
+      hits.appendArrays.push(relPath);
+      return;
+    }
+
+    // SvelteKit kit.csp.directives
+    if (SCAN_EXTS.has(ext) && isConfig('svelte') &&
+        SVELTEKIT_CSP_SIGNALS.every((re) => re.test(body))) {
+      hits.appendArrays.push(relPath);
+      return;
+    }
+
+    // Nuxt nuxt-security module
+    if (SCAN_EXTS.has(ext) && isConfig('nuxt') &&
+        NUXT_SECURITY_SIGNALS.every((re) => re.test(body))) {
+      hits.appendArrays.push(relPath);
+      return;
+    }
+
+    // === append-string candidates ===
+
+    // Inline headers in Next/Nuxt/SvelteKit/Astro/Vite config
+    if (SCAN_EXTS.has(ext) &&
+        /(^|\/)(next|nuxt|vite|astro|svelte)\.config\./.test(relPath) &&
+        INLINE_HEADER_SIGNALS.every((re) => re.test(body))) {
+      // Nuxt routeRules is a sub-shape of append-string; we already covered
+      // nuxt-security above via return, so any remaining Nuxt CSP match here
+      // is a route-rules / inline-headers case. Either way, same patch
+      // mechanism.
+      hits.appendString.push(relPath);
+      return;
+    }
+
+    // === detect-only shapes ===
+
+    if ((base === 'middleware.ts' || base === 'middleware.js' || base === 'middleware.mjs') &&
+        MIDDLEWARE_HINT.test(body)) {
+      hits.middleware.push(relPath);
+    }
+
+    if (LAYOUT_EXTS.has(ext) && META_TAG_HINT.test(body)) {
+      hits.metaTag.push(relPath);
+    }
+  });
+
+  // Priority: append-arrays > append-string > middleware > meta-tag.
+  // Structured patches are safer than string splices; runtime and HTML
+  // injection patches are less reliable and v1 doesn't auto-apply them.
+  if (hits.appendArrays.length > 0) {
+    return { shape: 'append-arrays', signals: hits.appendArrays };
+  }
+  if (hits.appendString.length > 0) {
+    return { shape: 'append-string', signals: hits.appendString };
+  }
+  if (hits.middleware.length > 0) {
+    return { shape: 'middleware', signals: hits.middleware };
+  }
+  if (hits.metaTag.length > 0) {
+    return { shape: 'meta-tag', signals: hits.metaTag };
+  }
+  return { shape: null, signals: [] };
+}
+
+function walk(root, dir, depth, visit) {
+  if (depth > MAX_DEPTH) return;
+  let entries;
+  try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
+  catch { return; }
+
+  for (const entry of entries) {
+    const abs = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (SKIP_DIRS.has(entry.name)) continue;
+      walk(root, abs, depth + 1, visit);
+      continue;
+    }
+    if (!entry.isFile()) continue;
+    const ext = path.extname(entry.name);
+    if (!SCAN_EXTS.has(ext) && !LAYOUT_EXTS.has(ext)) continue;
+    let body;
+    try {
+      const fd = fs.openSync(abs, 'r');
+      try {
+        const buf = Buffer.alloc(MAX_READ_BYTES);
+        const n = fs.readSync(fd, buf, 0, MAX_READ_BYTES, 0);
+        body = buf.slice(0, n).toString('utf-8');
+      } finally { fs.closeSync(fd); }
+    } catch { continue; }
+    visit(abs, path.relative(root, abs), body);
+  }
+}
+
+// CLI mode
+const _running = process.argv[1];
+if (_running?.endsWith('detect-csp.mjs') || _running?.endsWith('detect-csp.mjs/')) {
+  const result = detectCsp(process.cwd());
+  console.log(JSON.stringify(result, null, 2));
+}

.agents/skills/impeccable/scripts/detect.mjs

@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { pathToFileURL, fileURLToPath } from 'node:url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const candidates = [
+  path.join(__dirname, 'detector', 'detect-antipatterns.mjs'),
+  path.join(__dirname, '..', '..', 'cli', 'engine', 'detect-antipatterns.mjs'),
+];
+const detectorPath = candidates.find(p => fs.existsSync(p));
+
+if (!detectorPath) {
+  process.stderr.write('Error: bundled detector not found.\n');
+  process.exit(1);
+}
+
+const { detectCli } = await import(pathToFileURL(detectorPath));
+
+await detectCli();

.agents/skills/impeccable/scripts/impeccable-paths.mjs

@@ -0,0 +1,110 @@
+import fs from 'node:fs';
+import path from 'node:path';
+
+export const IMPECCABLE_DIR = '.impeccable';
+export const LIVE_DIR = 'live';
+export const CRITIQUE_DIR = 'critique';
+
+export function getImpeccableDir(cwd = process.cwd()) {
+  return path.join(cwd, IMPECCABLE_DIR);
+}
+
+export function getDesignSidecarPath(cwd = process.cwd()) {
+  return path.join(getImpeccableDir(cwd), 'design.json');
+}
+
+export function getDesignSidecarCandidates(cwd = process.cwd(), contextDir = cwd) {
+  const candidates = [
+    getDesignSidecarPath(cwd),
+    path.join(cwd, 'DESIGN.json'),
+  ];
+  const contextLegacy = path.join(contextDir, 'DESIGN.json');
+  if (!candidates.includes(contextLegacy)) candidates.push(contextLegacy);
+  return candidates;
+}
+
+export function resolveDesignSidecarPath(cwd = process.cwd(), contextDir = cwd) {
+  return firstExisting(getDesignSidecarCandidates(cwd, contextDir));
+}
+
+export function getLiveDir(cwd = process.cwd()) {
+  return path.join(getImpeccableDir(cwd), LIVE_DIR);
+}
+
+export function getLiveConfigPath(cwd = process.cwd()) {
+  return path.join(getLiveDir(cwd), 'config.json');
+}
+
+export function getLegacyLiveConfigPath(scriptsDir) {
+  return path.join(scriptsDir, 'config.json');
+}
+
+export function resolveLiveConfigPath({ cwd = process.cwd(), scriptsDir, env = process.env } = {}) {
+  if (env.IMPECCABLE_LIVE_CONFIG && env.IMPECCABLE_LIVE_CONFIG.trim()) {
+    const configured = env.IMPECCABLE_LIVE_CONFIG.trim();
+    return path.isAbsolute(configured) ? configured : path.resolve(cwd, configured);
+  }
+  const primary = getLiveConfigPath(cwd);
+  if (fs.existsSync(primary)) return primary;
+  if (scriptsDir) {
+    const legacy = getLegacyLiveConfigPath(scriptsDir);
+    if (fs.existsSync(legacy)) return legacy;
+  }
+  return primary;
+}
+
+export function getLiveServerPath(cwd = process.cwd()) {
+  return path.join(getLiveDir(cwd), 'server.json');
+}
+
+export function getLegacyLiveServerPath(cwd = process.cwd()) {
+  return path.join(cwd, '.impeccable-live.json');
+}
+
+export function readLiveServerInfo(cwd = process.cwd()) {
+  for (const filePath of [getLiveServerPath(cwd), getLegacyLiveServerPath(cwd)]) {
+    try {
+      return { info: JSON.parse(fs.readFileSync(filePath, 'utf-8')), path: filePath };
+    } catch {
+      /* try next */
+    }
+  }
+  return null;
+}
+
+export function writeLiveServerInfo(cwd = process.cwd(), info) {
+  const filePath = getLiveServerPath(cwd);
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, JSON.stringify(info));
+  return filePath;
+}
+
+export function removeLiveServerInfo(cwd = process.cwd()) {
+  for (const filePath of [getLiveServerPath(cwd), getLegacyLiveServerPath(cwd)]) {
+    try { fs.unlinkSync(filePath); } catch {}
+  }
+}
+
+export function getLiveSessionsDir(cwd = process.cwd()) {
+  return path.join(getLiveDir(cwd), 'sessions');
+}
+
+export function getLegacyLiveSessionsDir(cwd = process.cwd()) {
+  return path.join(cwd, '.impeccable-live', 'sessions');
+}
+
+export function getLiveAnnotationsDir(cwd = process.cwd()) {
+  return path.join(getLiveDir(cwd), 'annotations');
+}
+
+export function getCritiqueDir(cwd = process.cwd()) {
+  return path.join(getImpeccableDir(cwd), CRITIQUE_DIR);
+}
+
+export function getLegacyLiveAnnotationsDir(cwd = process.cwd()) {
+  return path.join(cwd, '.impeccable-live', 'annotations');
+}
+
+function firstExisting(paths) {
+  return paths.find((filePath) => fs.existsSync(filePath)) || null;
+}

.agents/skills/impeccable/scripts/is-generated.mjs

@@ -0,0 +1,69 @@
+/**
+ * Decide whether a given file is "generated" (regenerated by a build step,
+ * unsafe to write variants into) or "source" (safe to edit, changes persist).
+ *
+ * Why this matters: when the user picks an element on a page whose underlying
+ * file is regenerated by a build step (e.g. `scripts/build-sub-pages.js`
+ * rewriting `public/docs/*.html`), writing variants or accepted changes into
+ * that file is silent data loss — the next build wipes them.
+ *
+ * Signals, in order of reliability:
+ *   1. Git check-ignore: gitignored files are assumed generated.
+ *   2. File-header markers ("GENERATED", "DO NOT EDIT", "AUTO-GENERATED")
+ *      within the first ~300 characters — catches non-git projects.
+ */
+
+import { execSync } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+
+const HEADER_SCAN_BYTES = 300;
+const HEADER_MARKERS = [
+  /@generated\b/i,
+  /\bGENERATED\s+FILE\b/,
+  /\bAUTO-?GENERATED\b/i,
+  /\bDO\s+NOT\s+EDIT\b/i,
+];
+
+/**
+ * @param {string} filePath - absolute or cwd-relative path
+ * @param {object} [options]
+ * @param {string} [options.cwd] - project root (defaults to process.cwd())
+ */
+export function isGeneratedFile(filePath, options = {}) {
+  const cwd = options.cwd || process.cwd();
+  const absPath = path.isAbsolute(filePath) ? filePath : path.resolve(cwd, filePath);
+
+  if (isGitIgnored(absPath, cwd)) return true;
+  if (hasGeneratedHeader(absPath)) return true;
+  return false;
+}
+
+function isGitIgnored(absPath, cwd) {
+  try {
+    execSync(`git check-ignore --quiet ${JSON.stringify(absPath)}`, {
+      cwd,
+      stdio: 'ignore',
+    });
+    return true; // exit 0 = ignored
+  } catch (err) {
+    // Exit code 1 = not ignored. Exit code 128 = not a git repo or other error.
+    // In both cases, treat as "not known to be ignored."
+    return false;
+  }
+}
+
+function hasGeneratedHeader(absPath) {
+  let fd;
+  try {
+    fd = fs.openSync(absPath, 'r');
+    const buf = Buffer.alloc(HEADER_SCAN_BYTES);
+    const bytesRead = fs.readSync(fd, buf, 0, HEADER_SCAN_BYTES, 0);
+    const head = buf.slice(0, bytesRead).toString('utf-8');
+    return HEADER_MARKERS.some((re) => re.test(head));
+  } catch {
+    return false;
+  } finally {
+    if (fd !== undefined) { try { fs.closeSync(fd); } catch {} }
+  }
+}

.agents/skills/impeccable/scripts/live-accept.mjs

@@ -0,0 +1,595 @@
+/**
+ * CLI helper: deterministic accept/discard of variant sessions.
+ *
+ * Usage:
+ *   node live-accept.mjs --id SESSION_ID --discard
+ *   node live-accept.mjs --id SESSION_ID --variant N
+ *
+ * For discard: removes the entire variant wrapper and restores the original.
+ * For accept: replaces the wrapper with the chosen variant's content. If the
+ * session had a colocated <style> block, it's preserved with carbonize markers
+ * for a background agent to integrate into the project's CSS.
+ *
+ * Output: JSON to stdout.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { isGeneratedFile } from './is-generated.mjs';
+
+const EXTENSIONS = ['.html', '.jsx', '.tsx', '.vue', '.svelte', '.astro'];
+
+// ---------------------------------------------------------------------------
+// CLI
+// ---------------------------------------------------------------------------
+
+export async function acceptCli() {
+  const args = process.argv.slice(2);
+
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(`Usage: node live-accept.mjs [options]
+
+Deterministic accept/discard for live variant sessions.
+
+Modes:
+  --discard          Remove variants, restore original
+  --variant N        Accept variant N, discard the rest
+
+Required:
+  --id SESSION_ID    Session ID of the variant wrapper
+
+Output (JSON):
+  { handled, file, carbonize }`);
+    process.exit(0);
+  }
+
+  const id = argVal(args, '--id');
+  const variantNum = argVal(args, '--variant');
+  const paramValuesRaw = argVal(args, '--param-values');
+  const isDiscard = args.includes('--discard');
+
+  if (!id) { console.error('Missing --id'); process.exit(1); }
+  if (!isDiscard && !variantNum) { console.error('Need --discard or --variant N'); process.exit(1); }
+
+  let paramValues = null;
+  if (paramValuesRaw) {
+    try { paramValues = JSON.parse(paramValuesRaw); }
+    catch { paramValues = null; } // malformed blob: skip the comment rather than failing the accept
+  }
+
+  // Find the file containing this session's markers
+  const found = findSessionFile(id, process.cwd());
+  if (!found) {
+    console.log(JSON.stringify({ handled: false, error: 'Session markers not found for id: ' + id }));
+    process.exit(0);
+  }
+
+  const { file: targetFile, content, lines } = found;
+  const relFile = path.relative(process.cwd(), targetFile);
+
+  // Bail if the session lives in a generated file. The agent manually wrote
+  // the wrapper there for preview, and is responsible for writing the
+  // accepted variant to true source (or cleaning up on discard). See
+  // "Handle fallback" in live.md.
+  if (isGeneratedFile(targetFile, { cwd: process.cwd() })) {
+    console.log(JSON.stringify({
+      handled: false,
+      mode: 'fallback',
+      file: relFile,
+      hint: 'Session is in a generated file. Persist the accepted variant in source; do not rely on this script.',
+    }));
+    process.exit(0);
+  }
+
+  if (isDiscard) {
+    const result = handleDiscard(id, lines, targetFile);
+    console.log(JSON.stringify({ handled: true, file: relFile, carbonize: false, ...result }));
+  } else {
+    const result = handleAccept(id, variantNum, lines, targetFile, paramValues);
+    // Single-line attention-grabber when cleanup is required. The full
+    // five-step checklist lives in reference/live.md (loaded once per
+    // session); repeating it per-event would waste tokens.
+    if (result.carbonize) {
+      result.todo = 'REQUIRED before next poll: carbonize cleanup in ' + relFile + '. See reference/live.md "Required after accept".';
+    }
+    console.log(JSON.stringify({ handled: true, file: relFile, ...result }));
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Discard
+// ---------------------------------------------------------------------------
+
+function handleDiscard(id, lines, targetFile) {
+  const block = findMarkerBlock(id, lines);
+  if (!block) return { handled: false, error: 'Markers not found' };
+
+  const original = extractOriginal(lines, block);
+  const isJsx = detectCommentSyntax(targetFile).open === '{/*';
+  const replaceRange = expandReplaceRange(block, lines, isJsx);
+
+  // Restore at the line we're actually replacing FROM, not the marker line.
+  // For JSX wrappers the marker comments live INSIDE the outer `<div>`, so
+  // `block.start` sits 2 spaces deeper than the original element. Using that
+  // as the deindent base would push the restored content 2 spaces too far
+  // right on every JSX/TSX session. `replaceRange.start` is the outer wrapper
+  // line, which is at the original element's indent for both HTML and JSX.
+  const indent = lines[replaceRange.start].match(/^(\s*)/)[1];
+  const restored = deindentContent(original, indent);
+
+  const newLines = [
+    ...lines.slice(0, replaceRange.start),
+    ...restored,
+    ...lines.slice(replaceRange.end + 1),
+  ];
+  fs.writeFileSync(targetFile, newLines.join('\n'), 'utf-8');
+  return {};
+}
+
+// ---------------------------------------------------------------------------
+// Accept
+// ---------------------------------------------------------------------------
+
+function handleAccept(id, variantNum, lines, targetFile, paramValues) {
+  const block = findMarkerBlock(id, lines);
+  if (!block) return { handled: false, error: 'Markers not found' };
+
+  const commentSyntax = detectCommentSyntax(targetFile);
+  const isJsx = commentSyntax.open === '{/*';
+  // Anchor indent on the line we're replacing FROM (the outer wrapper),
+  // not on `block.start` — for JSX that's the marker comment 2 spaces
+  // deeper than the original element. See handleDiscard for the full
+  // rationale.
+  const replaceRange = expandReplaceRange(block, lines, isJsx);
+  const indent = lines[replaceRange.start].match(/^(\s*)/)[1];
+
+  // Extract the chosen variant's inner content
+  const variantContent = extractVariant(lines, block, variantNum);
+  if (!variantContent) return { handled: false, error: 'Variant ' + variantNum + ' not found' };
+
+  // Extract CSS block if present
+  const cssContent = extractCss(lines, block, id);
+
+  // Check if carbonizing is needed:
+  // - CSS block exists, OR
+  // - variant HTML contains helper classes/attributes that need cleanup
+  const variantText = variantContent.join('\n');
+  const hasHelperAttrs = variantText.includes('data-impeccable-variant');
+  const needsCarbonize = !!(cssContent || hasHelperAttrs);
+
+  // Build the replacement
+  const restored = deindentContent(variantContent, indent);
+  const replacement = [];
+
+  if (cssContent) {
+    replacement.push(indent + commentSyntax.open + ' impeccable-carbonize-start ' + id + ' ' + commentSyntax.close);
+    // JSX targets need the CSS body wrapped in a template literal so that the
+    // `{` and `}` in CSS rules don't get parsed as JSX expressions.
+    replacement.push(indent + '<style data-impeccable-css="' + id + '">' + (isJsx ? '{`' : ''));
+    // Re-indent CSS content to match
+    for (const cssLine of cssContent) {
+      replacement.push(indent + cssLine.trimStart());
+    }
+    replacement.push(indent + (isJsx ? '`}</style>' : '</style>'));
+    if (paramValues && Object.keys(paramValues).length > 0) {
+      // Preserve the user's knob positions for the carbonize-cleanup agent
+      // to bake into the final CSS when it collapses scoped rules.
+      replacement.push(indent + commentSyntax.open + ' impeccable-param-values ' + id + ': ' + JSON.stringify(paramValues) + ' ' + commentSyntax.close);
+    }
+    replacement.push(indent + commentSyntax.open + ' impeccable-carbonize-end ' + id + ' ' + commentSyntax.close);
+  }
+
+  // Keep the `@scope ([data-impeccable-variant="N"])` selectors in the
+  // carbonize CSS block working visually by re-wrapping the accepted content
+  // in a data-impeccable-variant="N" div with `display: contents` (so layout
+  // isn't affected). The carbonize agent strips this attribute + wrapper when
+  // it moves the CSS to a proper stylesheet.
+  //
+  // Style attribute syntax has to follow the host file's flavor — JSX files
+  // need the object form, otherwise React 19 throws "Failed to set indexed
+  // property [0] on CSSStyleDeclaration" while parsing the string char-by-char.
+  if (cssContent) {
+    const styleAttr = isJsx ? "style={{ display: 'contents' }}" : 'style="display: contents"';
+    replacement.push(indent + '<div data-impeccable-variant="' + variantNum + '" ' + styleAttr + '>');
+    replacement.push(...restored);
+    replacement.push(indent + '</div>');
+  } else {
+    replacement.push(...restored);
+  }
+
+  const newLines = [
+    ...lines.slice(0, replaceRange.start),
+    ...replacement,
+    ...lines.slice(replaceRange.end + 1),
+  ];
+  fs.writeFileSync(targetFile, newLines.join('\n'), 'utf-8');
+
+  return { carbonize: needsCarbonize };
+}
+
+// ---------------------------------------------------------------------------
+// Parsing helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Find the start/end marker lines for a session.
+ * Returns { start, end } (0-indexed line numbers) or null.
+ */
+function findMarkerBlock(id, lines) {
+  let start = -1;
+  let end = -1;
+  const startPattern = 'impeccable-variants-start ' + id;
+  const endPattern = 'impeccable-variants-end ' + id;
+
+  for (let i = 0; i < lines.length; i++) {
+    if (start === -1 && lines[i].includes(startPattern)) start = i;
+    if (lines[i].includes(endPattern)) { end = i; break; }
+  }
+
+  return (start !== -1 && end !== -1) ? { start, end } : null;
+}
+
+/**
+ * Compute the line range to REPLACE (vs. just the marker range to extract
+ * from). For JSX/TSX wrappers, live-wrap places the marker comments INSIDE
+ * the `<div data-impeccable-variants="ID">` outer wrapper so the picked
+ * element's JSX slot keeps a single child — a Fragment `<></>` would have
+ * solved the multi-sibling case but failed inside `asChild` / cloneElement
+ * parents with "Invalid prop supplied to React.Fragment".
+ *
+ * That means the marker block is enclosed by the wrapper `<div>` opener
+ * (with `data-impeccable-variants="ID"`) and its matching `</div>`. We
+ * walk back to the opener and forward to the closer so accept/discard
+ * remove the entire scaffold, not just the inner markers.
+ *
+ * Marker lines themselves stay where they were so extractOriginal /
+ * extractVariant / extractCss continue to walk the same range.
+ */
+function expandReplaceRange(block, lines, isJsx) {
+  if (!isJsx) return { start: block.start, end: block.end };
+
+  let { start, end } = block;
+
+  // Walk back for the wrapper `<div data-impeccable-variants="..."` opener.
+  // The attr may sit on a continuation line of a multi-line opening tag, so
+  // also walk to the line that actually contains `<div`.
+  for (let i = start - 1; i >= Math.max(0, start - 12); i--) {
+    if (/data-impeccable-variants=/.test(lines[i])) {
+      let opener = i;
+      while (opener > 0 && !/<div\b/.test(lines[opener])) opener--;
+      start = opener;
+      break;
+    }
+  }
+
+  // Walk forward to the matching `</div>` by div-depth tracking from the
+  // wrapper opener. Operate on JOINED text instead of per-line: a
+  // multi-line self-closing JSX `<div\n  className="spacer"\n/>` would
+  // fool per-line regex tracking (the `<div` line matches openRe but the
+  // `/>` line never matches selfCloseRe since it needs `<div` on the same
+  // line). That left depth permanently over-counted and the wrapper's
+  // outer `</div>` orphaned after accept/discard. Single regex with
+  // `[^>]*?` (which spans newlines in JS) handles either form correctly.
+  const joined = lines.slice(start).join('\n');
+  // Match either `<div … />` (self-close, group 1 is `/`), `<div … >`
+  // (open, group 1 is empty), or `</div>`.
+  const tagRe = /<div\b[^>]*?(\/?)>|<\/div\s*>/g;
+  let depth = 0;
+  let m;
+  while ((m = tagRe.exec(joined)) !== null) {
+    const isClose = m[0].startsWith('</');
+    const isSelfClose = !isClose && m[1] === '/';
+    if (isClose) depth--;
+    else if (!isSelfClose) depth++;
+    if (depth <= 0) {
+      // m.index is offset within `joined`; convert back to a file line.
+      const linesBefore = joined.slice(0, m.index + m[0].length).split('\n').length - 1;
+      const candidateEnd = start + linesBefore;
+      if (candidateEnd >= end) {
+        end = candidateEnd;
+        break;
+      }
+    }
+  }
+
+  return { start, end };
+}
+
+/**
+ * Join wrapper lines into a single string with `<style>` elements removed so
+ * marker matching and div-depth tracking aren't confused by:
+ *   - CSS `@scope ([data-impeccable-variant="N"])` strings that look like the
+ *     HTML marker we're searching for
+ *   - JSX self-closing `<style ... />` (no separate `</style>` to close on)
+ *   - Same-line `<style>…</style>` blocks
+ *   - Multi-line `<style>\n…\n</style>` blocks
+ */
+function stripStyleAndJoin(lines, block) {
+  const out = [];
+  let inStyle = false;
+  for (let i = block.start; i <= block.end; i++) {
+    let line = lines[i];
+
+    if (!inStyle) {
+      // Strip any complete <style> elements on this line (self-closed or
+      // same-line-closed), including their body content.
+      line = line
+        .replace(/<style\b[^>]*>[\s\S]*?<\/style\s*>/g, '')
+        .replace(/<style\b[^>]*\/\s*>/g, '');
+
+      // If a <style> opener remains (multi-line body starts here), strip from
+      // the opener to end-of-line and flip into skip mode.
+      const openerIdx = line.search(/<style\b/);
+      if (openerIdx !== -1) {
+        line = line.slice(0, openerIdx);
+        inStyle = true;
+      }
+      out.push(line);
+    } else {
+      // In multi-line style body; drop everything until we see </style>.
+      const closeIdx = line.search(/<\/style\s*>/);
+      if (closeIdx !== -1) {
+        inStyle = false;
+        out.push(line.slice(closeIdx).replace(/<\/style\s*>/, ''));
+      }
+      // else: skip line entirely
+    }
+  }
+  return out.join('\n');
+}
+
+/**
+ * Find the inner content of `<TAG ...attrMatch...>…</TAG>` inside `text`,
+ * handling nested same-tag elements via depth counting. `attrMatch` is a
+ * regex source fragment that must appear inside the opener tag.
+ * Returns the inner string (may be empty), or null if not found.
+ */
+function extractInnerByAttr(text, attrMatch) {
+  const openerRe = new RegExp('<([A-Za-z][A-Za-z0-9]*)\\b[^>]*' + attrMatch + '[^>]*>');
+  const openMatch = text.match(openerRe);
+  if (!openMatch) return null;
+
+  const tagName = openMatch[1];
+  const innerStart = openMatch.index + openMatch[0].length;
+
+  // Match any opener or closer of this tag name after innerStart.
+  // (Does not match self-closing <TAG … />, which doesn't contribute to depth.)
+  const tagRe = new RegExp('<(?:/)?' + tagName + '\\b[^>]*>', 'g');
+  tagRe.lastIndex = innerStart;
+
+  let depth = 1;
+  let m;
+  while ((m = tagRe.exec(text))) {
+    const isClose = m[0].startsWith('</');
+    const isSelfClose = !isClose && /\/\s*>$/.test(m[0]);
+    if (isClose) {
+      depth--;
+      if (depth === 0) return text.slice(innerStart, m.index);
+    } else if (!isSelfClose) {
+      depth++;
+    }
+  }
+  return null;
+}
+
+/**
+ * Extract the original element content from within the variant wrapper.
+ * Returns an array of lines.
+ */
+function extractOriginal(lines, block) {
+  const text = stripStyleAndJoin(lines, block);
+  const inner = extractInnerByAttr(text, 'data-impeccable-variant="original"');
+  if (inner === null) return [];
+  return inner.split('\n');
+}
+
+/**
+ * Extract a specific variant's inner content (stripping the wrapper div).
+ * Returns an array of lines, or null if not found.
+ */
+function extractVariant(lines, block, variantNum) {
+  const text = stripStyleAndJoin(lines, block);
+  const inner = extractInnerByAttr(text, 'data-impeccable-variant="' + variantNum + '"');
+  if (inner === null) return null;
+  const result = inner.split('\n');
+  // Collapse a lone empty leading/trailing line (common after string splice).
+  while (result.length > 1 && result[0].trim() === '') result.shift();
+  while (result.length > 1 && result[result.length - 1].trim() === '') result.pop();
+  return result.length > 0 ? result : null;
+}
+
+/**
+ * Extract the colocated <style> block content (between the style tags).
+ * Returns an array of CSS lines, or null if no style block found.
+ *
+ * Handles three shapes of `<style data-impeccable-css="ID" ...>`:
+ *   1. Self-closing: `<style ... />` — no body; return null (nothing to carbonize).
+ *   2. Same-line open+close: `<style>...</style>` — return the inner content.
+ *   3. Multi-line: `<style>` on one line, `</style>` on a later line — return
+ *      the lines between them.
+ */
+function extractCss(lines, block, id) {
+  const styleAttr = 'data-impeccable-css="' + id + '"';
+  let inStyle = false;
+  const content = [];
+
+  for (let i = block.start; i <= block.end; i++) {
+    const line = lines[i];
+
+    if (!inStyle && line.includes(styleAttr)) {
+      // Self-closing: nothing to carbonize.
+      if (/<style\b[^>]*\/\s*>/.test(line)) return null;
+      // Same-line open + close: extract inner text.
+      const sameLine = line.match(/<style\b[^>]*>([\s\S]*?)<\/style\s*>/);
+      if (sameLine) {
+        const inner = stripJsxTemplateWrap(sameLine[1]);
+        return inner.length > 0 ? inner.split('\n') : null;
+      }
+      inStyle = true;
+      continue; // skip the <style> opening tag
+    }
+
+    if (inStyle) {
+      // Detect </style> anywhere on the line — JSX template-literal closes
+      // (`}</style>`) put the close mid-line, and we don't want to absorb the
+      // template-literal punctuation as CSS content.
+      const closeIdx = line.indexOf('</style>');
+      if (closeIdx !== -1) break;
+      content.push(line);
+    }
+  }
+
+  if (content.length === 0) return null;
+  return stripJsxTemplateLines(content);
+}
+
+/**
+ * Strip a JSX template-literal wrap (`{` … `}`) from CSS extracted out of a
+ * `<style>` element in a JSX/TSX file. The agent may write the wrap with
+ * `{` and `}` directly attached to the `<style>` tags, on their own lines,
+ * or attached to the first/last CSS lines — all three are JSX-legal.
+ *
+ * Stripping is required because handleAccept re-wraps the CSS itself when
+ * carbonizing. Without this, two consecutive accepts (or a previously-
+ * accepted variants block being carbonized) would produce nested
+ * `{` `{` … `}` `}`, which oxc rejects with "Expected `}` but found `@`".
+ */
+function stripJsxTemplateLines(content) {
+  const out = content.slice();
+
+  // Drop any leading blank lines so we don't miss a `{` line buried below
+  // them; same for trailing.
+  while (out.length > 0 && out[0].trim() === '') out.shift();
+  while (out.length > 0 && out[out.length - 1].trim() === '') out.pop();
+  if (out.length === 0) return null;
+
+  // Leading `{`: own line, or attached to the first CSS line.
+  const firstTrim = out[0].trimStart();
+  if (firstTrim === '{`') {
+    out.shift();
+  } else if (firstTrim.startsWith('{`')) {
+    const idx = out[0].indexOf('{`');
+    out[0] = out[0].slice(0, idx) + out[0].slice(idx + 2);
+    if (out[0].trim() === '') out.shift();
+  }
+  if (out.length === 0) return null;
+
+  // Trailing `` ` `` `}`: own line, or attached to the last CSS line.
+  const lastIdx = out.length - 1;
+  const lastTrim = out[lastIdx].trimEnd();
+  if (lastTrim === '`}') {
+    out.pop();
+  } else if (lastTrim.endsWith('`}')) {
+    const text = out[lastIdx];
+    const idx = text.lastIndexOf('`}');
+    out[lastIdx] = text.slice(0, idx) + text.slice(idx + 2);
+    if (out[lastIdx].trim() === '') out.pop();
+  }
+
+  return out.length > 0 ? out : null;
+}
+
+function stripJsxTemplateWrap(text) {
+  const lines = text.split('\n');
+  const stripped = stripJsxTemplateLines(lines);
+  return stripped ? stripped.join('\n') : '';
+}
+
+/**
+ * De-indent content that was indented by live-wrap.mjs.
+ * The wrap script adds `indent + '    '` (4 extra spaces) to each line.
+ * We restore to just `indent` level.
+ */
+function deindentContent(contentLines, baseIndent) {
+  // Find the minimum indentation in the content to determine how much was added
+  let minIndent = Infinity;
+  for (const line of contentLines) {
+    if (line.trim() === '') continue;
+    const leadingSpaces = line.match(/^(\s*)/)[1].length;
+    minIndent = Math.min(minIndent, leadingSpaces);
+  }
+  if (minIndent === Infinity) minIndent = 0;
+
+  // Strip the extra indentation and re-add base indent
+  return contentLines.map(line => {
+    if (line.trim() === '') return '';
+    return baseIndent + line.slice(minIndent);
+  });
+}
+
+function detectCommentSyntax(filePath) {
+  const ext = path.extname(filePath).toLowerCase();
+  if (ext === '.jsx' || ext === '.tsx') {
+    return { open: '{/*', close: '*/}' };
+  }
+  return { open: '<!--', close: '-->' };
+}
+
+// ---------------------------------------------------------------------------
+// File search (find the file containing session markers)
+// ---------------------------------------------------------------------------
+
+function findSessionFile(id, cwd) {
+  const marker = 'impeccable-variants-start ' + id;
+  const searchDirs = ['src', 'app', 'pages', 'components', 'public', 'views', 'templates', '.'];
+  const seen = new Set();
+
+  for (const dir of searchDirs) {
+    const absDir = path.join(cwd, dir);
+    if (!fs.existsSync(absDir)) continue;
+    const result = searchDir(absDir, marker, seen, 0);
+    if (result) {
+      const content = fs.readFileSync(result, 'utf-8');
+      return { file: result, content, lines: content.split('\n') };
+    }
+  }
+  return null;
+}
+
+function searchDir(dir, query, seen, depth) {
+  if (depth > 5) return null;
+  let realDir;
+  try { realDir = fs.realpathSync(dir); } catch { return null; }
+  if (seen.has(realDir)) return null;
+  seen.add(realDir);
+
+  let entries;
+  try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
+  catch { return null; }
+
+  for (const entry of entries) {
+    if (!entry.isFile()) continue;
+    if (!EXTENSIONS.includes(path.extname(entry.name).toLowerCase())) continue;
+    const filePath = path.join(dir, entry.name);
+    try {
+      const content = fs.readFileSync(filePath, 'utf-8');
+      if (content.includes(query)) return filePath;
+    } catch { /* skip */ }
+  }
+
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    if (['node_modules', '.git', 'dist', 'build'].includes(entry.name)) continue;
+    const result = searchDir(path.join(dir, entry.name), query, seen, depth + 1);
+    if (result) return result;
+  }
+
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Utilities
+// ---------------------------------------------------------------------------
+
+function argVal(args, flag) {
+  const idx = args.indexOf(flag);
+  return idx !== -1 && idx + 1 < args.length ? args[idx + 1] : null;
+}
+
+// Auto-execute when run directly
+const _running = process.argv[1];
+if (_running?.endsWith('live-accept.mjs') || _running?.endsWith('live-accept.mjs/')) {
+  acceptCli();
+}
+
+export { findMarkerBlock, extractOriginal, extractVariant, extractCss, deindentContent, detectCommentSyntax };

.agents/skills/impeccable/scripts/live-browser-session.js

@@ -0,0 +1,123 @@
+/**
+ * Browser-side durable session helpers for Impeccable live mode.
+ *
+ * Kept separate from live-browser.js so recovery state can be tested without
+ * booting the full overlay UI. Served before live-browser.js and attached to
+ * window.__IMPECCABLE_LIVE_SESSION__.
+ */
+(function (root) {
+  'use strict';
+
+  function createLiveBrowserSessionState({ prefix, storage, idFactory }) {
+    if (!prefix) throw new Error('prefix required');
+    const store = storage || root.localStorage;
+    const makeId = idFactory || function () { return Math.random().toString(16).slice(2, 10); };
+    const sessionKey = prefix + '-session';
+    const handledKey = sessionKey + '-handled';
+    const scrollKey = sessionKey + '-scroll';
+    let checkpointRevision = 0;
+    const owner = makeId();
+
+    function safeRead(key) {
+      try { return store.getItem(key); } catch { return null; }
+    }
+
+    function safeWrite(key, value) {
+      try { store.setItem(key, value); } catch { /* quota exceeded or private mode */ }
+    }
+
+    function safeRemove(key) {
+      try { store.removeItem(key); } catch { /* unavailable storage */ }
+    }
+
+    function loadSession() {
+      try {
+        const raw = safeRead(sessionKey);
+        if (!raw) return null;
+        const parsed = JSON.parse(raw);
+        if (Number.isInteger(parsed.checkpointRevision)) {
+          checkpointRevision = Math.max(checkpointRevision, parsed.checkpointRevision);
+        }
+        return parsed;
+      } catch { return null; }
+    }
+
+    function saveSession(session) {
+      if (!session || !session.id) return;
+      const payload = {
+        ...session,
+        checkpointRevision,
+      };
+      safeWrite(sessionKey, JSON.stringify(payload));
+    }
+
+    function clearSession() {
+      safeRemove(sessionKey);
+    }
+
+    function nextCheckpointRevision() {
+      checkpointRevision += 1;
+      const existing = loadSession();
+      if (existing?.id) saveSession(existing);
+      return checkpointRevision;
+    }
+
+    function seedCheckpointRevision(value) {
+      if (Number.isInteger(value)) checkpointRevision = Math.max(checkpointRevision, value);
+      return checkpointRevision;
+    }
+
+    function currentCheckpointRevision() {
+      return checkpointRevision;
+    }
+
+    function markHandled(id) {
+      if (!id) return;
+      safeWrite(handledKey, id);
+    }
+
+    function isHandled(id) {
+      return !!id && safeRead(handledKey) === id;
+    }
+
+    function clearHandled() {
+      safeRemove(handledKey);
+    }
+
+    function writeScrollY(y) {
+      safeWrite(scrollKey, String(y));
+    }
+
+    function readScrollY() {
+      const raw = safeRead(scrollKey);
+      if (raw == null) return null;
+      const n = parseFloat(raw);
+      return isFinite(n) ? n : null;
+    }
+
+    function clearScrollY() {
+      safeRemove(scrollKey);
+    }
+
+    return {
+      owner,
+      sessionKey,
+      handledKey,
+      scrollKey,
+      saveSession,
+      loadSession,
+      clearSession,
+      nextCheckpointRevision,
+      seedCheckpointRevision,
+      currentCheckpointRevision,
+      markHandled,
+      isHandled,
+      clearHandled,
+      writeScrollY,
+      readScrollY,
+      clearScrollY,
+    };
+  }
+
+  root.__IMPECCABLE_LIVE_SESSION__ = { createLiveBrowserSessionState };
+})(typeof window !== 'undefined' ? window : globalThis);

.agents/skills/impeccable/scripts/live-complete.mjs

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+/**
+ * Canonical durable completion acknowledgement for Impeccable live sessions.
+ */
+
+import { createLiveSessionStore } from './live-session-store.mjs';
+import { readLiveServerInfo } from './impeccable-paths.mjs';
+
+function parseArgs(argv) {
+  const out = { status: 'complete' };
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === '--id') out.id = argv[++i];
+    else if (arg.startsWith('--id=')) out.id = arg.slice('--id='.length);
+    else if (arg === '--discarded' || arg === '--discard') out.status = 'discarded';
+    else if (arg === '--error') { out.status = 'agent_error'; out.message = argv[++i] || 'unknown error'; }
+    else if (arg.startsWith('--error=')) { out.status = 'agent_error'; out.message = arg.slice('--error='.length); }
+    else if (arg === '--help' || arg === '-h') out.help = true;
+  }
+  return out;
+}
+
+export async function completeCli() {
+  const args = parseArgs(process.argv.slice(2));
+  if (args.help || !args.id) {
+    console.log(`Usage: node live-complete.mjs --id SESSION_ID [--discarded|--error MESSAGE]\n\nAppend the final durable session acknowledgement. Use after accept/discard cleanup is verified.`);
+    process.exit(args.help ? 0 : 1);
+  }
+
+  const serverInfo = readServerInfo();
+  const serverResult = serverInfo ? await completeThroughServer(serverInfo, args) : null;
+  if (serverResult?.ok) {
+    const store = createLiveSessionStore({ cwd: process.cwd(), sessionId: args.id });
+    const snapshot = store.getSnapshot(args.id, { includeCompleted: true });
+    console.log(JSON.stringify({ ok: true, id: args.id, phase: snapshot?.phase || args.status, snapshot }, null, 2));
+    return;
+  }
+
+  const store = createLiveSessionStore({ cwd: process.cwd(), sessionId: args.id });
+  const event = args.status === 'discarded'
+    ? { type: 'discarded', id: args.id }
+    : args.status === 'agent_error'
+      ? { type: 'agent_error', id: args.id, message: args.message || 'unknown error' }
+      : { type: 'complete', id: args.id };
+  const snapshot = store.appendEvent(event);
+  console.log(JSON.stringify({ ok: true, id: args.id, phase: snapshot.phase, snapshot }, null, 2));
+}
+
+function readServerInfo() {
+  return readLiveServerInfo(process.cwd())?.info || null;
+}
+
+async function completeThroughServer(info, args) {
+  const type = args.status === 'discarded'
+    ? 'discarded'
+    : args.status === 'agent_error'
+      ? 'error'
+      : 'complete';
+  try {
+    const res = await fetch(`http://localhost:${info.port}/poll`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ token: info.token, id: args.id, type, message: args.message }),
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+
+const _running = process.argv[1];
+if (_running?.endsWith('live-complete.mjs') || _running?.endsWith('live-complete.mjs/')) {
+  completeCli();
+}

.agents/skills/impeccable/scripts/live-completion.mjs

@@ -0,0 +1,18 @@
+export function completionTypeForAcceptResult(eventType, acceptResult) {
+  if (eventType === 'discard') return acceptResult?.handled === true ? 'discarded' : 'error';
+  if (acceptResult?.handled === true && acceptResult?.carbonize === true) return 'agent_done';
+  if (acceptResult?.handled === true) return 'complete';
+  if (acceptResult?.mode === 'error') return 'error';
+  return 'agent_done';
+}
+
+export function completionAckForAcceptResult(eventId, completionType, acceptResult) {
+  const ack = { ok: true, type: completionType };
+  if (acceptResult?.handled === true && acceptResult?.carbonize === true) {
+    ack.final = false;
+    ack.requiresComplete = true;
+    ack.nextCommand = `live-complete.mjs --id ${eventId}`;
+    ack.message = 'Carbonize cleanup must be verified, then the session must be completed explicitly before polling again.';
+  }
+  return ack;
+}

.agents/skills/impeccable/scripts/live-inject.mjs

@@ -0,0 +1,446 @@
+/**
+ * CLI helper: insert/remove the live variant mode script tag in the project's
+ * main HTML entry point.
+ *
+ * On first live run, the agent generates `.impeccable/live/config.json`
+ * with the project's insertion target (framework-specific). On
+ * every subsequent run, this script handles insert/remove deterministically
+ * with zero LLM involvement.
+ *
+ * Usage:
+ *   node live-inject.mjs --port PORT   # Insert the live script tag
+ *   node live-inject.mjs --remove      # Remove the live script tag
+ *   node live-inject.mjs --check       # Check whether live config exists
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { resolveLiveConfigPath } from './impeccable-paths.mjs';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const CONFIG_PATH = resolveLiveConfigPath({ cwd: process.cwd(), scriptsDir: __dirname });
+const MARKER_OPEN_TEXT = 'impeccable-live-start';
+const MARKER_CLOSE_TEXT = 'impeccable-live-end';
+
+/**
+ * Hard-excluded directory patterns. These are NEVER user-facing pages and
+ * matching them would silently inject tracking scripts into third-party
+ * code. The user cannot turn these off via config — they are the floor.
+ */
+const HARD_EXCLUDES = [
+  '**/node_modules/**',
+  '**/.git/**',
+];
+
+export async function injectCli() {
+  const args = process.argv.slice(2);
+
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(`Usage: node live-inject.mjs [options]
+
+Insert or remove the live mode script tag in the project's HTML entry point.
+Reads configuration from .impeccable/live/config.json.
+
+Modes:
+  --port PORT   Insert script tag pointing at http://localhost:PORT/live.js
+  --remove      Remove the script tag (if present)
+  --check       Print whether .impeccable/live/config.json exists and its content
+
+Output (JSON):
+  { ok, file, inserted|removed, config? }`);
+    process.exit(0);
+  }
+
+  if (args.includes('--check')) {
+    if (!fs.existsSync(CONFIG_PATH)) {
+      console.log(JSON.stringify({ ok: false, error: 'config_missing', path: CONFIG_PATH }));
+      process.exit(0);
+    }
+    let cfg;
+    try {
+      cfg = JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf-8'));
+    } catch (err) {
+      console.log(JSON.stringify({ ok: false, error: 'config_invalid', message: err.message, path: CONFIG_PATH }));
+      return;
+    }
+    try {
+      validateConfig(cfg);
+    } catch (err) {
+      console.log(JSON.stringify({ ok: false, error: 'config_invalid', message: err.message, path: CONFIG_PATH }));
+      return;
+    }
+    console.log(JSON.stringify({ ok: true, config: cfg, path: CONFIG_PATH }));
+    return;
+  }
+
+  // Load config
+  if (!fs.existsSync(CONFIG_PATH)) {
+    console.error(JSON.stringify({ ok: false, error: 'config_missing', path: CONFIG_PATH }));
+    process.exit(1);
+  }
+  const config = JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf-8'));
+  validateConfig(config);
+
+  const resolvedFiles = resolveFiles(process.cwd(), config);
+
+  if (args.includes('--remove')) {
+    const results = resolvedFiles.map((relFile) => {
+      const absFile = path.resolve(process.cwd(), relFile);
+      if (!fs.existsSync(absFile)) return { file: relFile, error: 'file_not_found' };
+      const content = fs.readFileSync(absFile, 'utf-8');
+      const detagged = removeTag(content, config.commentSyntax);
+      const updated = revertCspMeta(detagged);
+      if (updated === content) return { file: relFile, removed: false, note: 'no tag present' };
+      fs.writeFileSync(absFile, updated, 'utf-8');
+      return {
+        file: relFile,
+        removed: detagged !== content,
+        cspReverted: updated !== detagged,
+      };
+    });
+    console.log(JSON.stringify({ ok: true, results }));
+    return;
+  }
+
+  // Insert mode — need --port
+  const portIdx = args.indexOf('--port');
+  const port = portIdx !== -1 ? parseInt(args[portIdx + 1], 10) : NaN;
+  if (!Number.isFinite(port)) {
+    console.error(JSON.stringify({ ok: false, error: 'missing_port' }));
+    process.exit(1);
+  }
+
+  const results = resolvedFiles.map((relFile) => {
+    const absFile = path.resolve(process.cwd(), relFile);
+    if (!fs.existsSync(absFile)) return { file: relFile, error: 'file_not_found' };
+    const content = fs.readFileSync(absFile, 'utf-8');
+    const withoutOld = revertCspMeta(removeTag(content, config.commentSyntax));
+    const withTag = insertTag(withoutOld, config, port);
+    if (withTag === withoutOld) {
+      return { file: relFile, error: 'insertion_point_not_found', anchor: config.insertBefore || config.insertAfter };
+    }
+    const updated = patchCspMeta(withTag, port);
+    fs.writeFileSync(absFile, updated, 'utf-8');
+    return {
+      file: relFile,
+      inserted: true,
+      cspPatched: updated !== withTag,
+    };
+  });
+  const anyInserted = results.some((r) => r.inserted);
+  console.log(JSON.stringify({ ok: anyInserted, port, results }));
+  if (!anyInserted) process.exit(1);
+}
+
+/**
+ * Expand config.files (which may contain glob patterns) into a literal list
+ * of existing file paths relative to rootDir. Literal entries pass through;
+ * glob patterns are expanded via fs.globSync. HARD_EXCLUDES and config.exclude
+ * are applied as filters. Duplicates are removed. Order is preserved by
+ * first appearance.
+ */
+export function resolveFiles(rootDir, config) {
+  const patterns = config.files;
+  const userExcludes = Array.isArray(config.exclude) ? config.exclude : [];
+  const allExcludes = [...HARD_EXCLUDES, ...userExcludes];
+  const excludeRegexes = allExcludes.map(globToRegex);
+
+  const isExcluded = (relPath) => excludeRegexes.some((re) => re.test(relPath));
+  const isGlob = (s) => /[*?[]/.test(s);
+
+  const seen = new Set();
+  const out = [];
+  for (const pat of patterns) {
+    if (!isGlob(pat)) {
+      // Literal path — include even if it doesn't exist yet; the caller
+      // reports file_not_found per-entry. Exclude list doesn't apply to
+      // explicit literal entries (user named it on purpose).
+      if (!seen.has(pat)) {
+        seen.add(pat);
+        out.push(pat);
+      }
+      continue;
+    }
+    let matches;
+    try {
+      matches = fs.globSync(pat, { cwd: rootDir, withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const ent of matches) {
+      if (!ent.isFile || !ent.isFile()) continue;
+      const abs = path.join(ent.parentPath || ent.path || rootDir, ent.name);
+      const rel = path.relative(rootDir, abs).split(path.sep).join('/');
+      if (isExcluded(rel)) continue;
+      if (seen.has(rel)) continue;
+      seen.add(rel);
+      out.push(rel);
+    }
+  }
+  return out;
+}
+
+/**
+ * Convert a glob pattern to a RegExp. Supports:
+ *   **  → any number of path segments (including zero)
+ *   *   → any chars except `/`
+ *   ?   → any single char except `/`
+ * Paths are normalized to forward slashes before matching.
+ */
+function globToRegex(pattern) {
+  let re = '';
+  let i = 0;
+  while (i < pattern.length) {
+    const c = pattern[i];
+    if (c === '*') {
+      if (pattern[i + 1] === '*') {
+        // ** — any number of segments, including zero. Handle the common
+        // **/ and /** forms so `a/**/b` matches `a/b` as well as `a/x/y/b`.
+        if (pattern[i + 2] === '/') {
+          re += '(?:.*/)?';
+          i += 3;
+        } else {
+          re += '.*';
+          i += 2;
+        }
+      } else {
+        re += '[^/]*';
+        i += 1;
+      }
+    } else if (c === '?') {
+      re += '[^/]';
+      i += 1;
+    } else if (/[.+^${}()|[\]\\]/.test(c)) {
+      re += '\\' + c;
+      i += 1;
+    } else {
+      re += c;
+      i += 1;
+    }
+  }
+  return new RegExp('^' + re + '$');
+}
+
+// ---------------------------------------------------------------------------
+// Core operations
+// ---------------------------------------------------------------------------
+
+function validateConfig(cfg) {
+  if (!cfg || typeof cfg !== 'object') throw new Error('config.json must be an object');
+  if (!Array.isArray(cfg.files) || cfg.files.length === 0) {
+    throw new Error('config.files (non-empty string array) required');
+  }
+  if (!cfg.files.every((f) => typeof f === 'string' && f.length > 0)) {
+    throw new Error('config.files must contain only non-empty strings');
+  }
+  if (cfg.exclude !== undefined) {
+    if (!Array.isArray(cfg.exclude)) {
+      throw new Error('config.exclude, if present, must be a string array');
+    }
+    if (!cfg.exclude.every((f) => typeof f === 'string' && f.length > 0)) {
+      throw new Error('config.exclude must contain only non-empty strings');
+    }
+  }
+  if (typeof cfg.insertBefore !== 'string' && typeof cfg.insertAfter !== 'string') {
+    throw new Error('config.insertBefore or config.insertAfter (string) required');
+  }
+  if (cfg.commentSyntax !== 'html' && cfg.commentSyntax !== 'jsx') {
+    throw new Error("config.commentSyntax must be 'html' or 'jsx'");
+  }
+  if (cfg.cspChecked !== undefined && typeof cfg.cspChecked !== 'boolean') {
+    throw new Error("config.cspChecked, if present, must be a boolean");
+  }
+}
+
+function commentOpen(syntax) { return syntax === 'jsx' ? '{/*' : '<!--'; }
+function commentClose(syntax) { return syntax === 'jsx' ? '*/}' : '-->'; }
+
+function buildTagBlock(syntax, port) {
+  const open = commentOpen(syntax);
+  const close = commentClose(syntax);
+  return (
+    open + ' ' + MARKER_OPEN_TEXT + ' ' + close + '\n' +
+    '<script src="http://localhost:' + port + '/live.js"></script>\n' +
+    open + ' ' + MARKER_CLOSE_TEXT + ' ' + close + '\n'
+  );
+}
+
+function insertTag(content, config, port) {
+  const block = buildTagBlock(config.commentSyntax, port);
+  // insertBefore: match the LAST occurrence. Anchors like `</body>` naturally
+  // belong at the end, and the same literal can appear earlier in code blocks
+  // within rendered documentation pages.
+  if (config.insertBefore) {
+    const idx = content.lastIndexOf(config.insertBefore);
+    if (idx === -1) return content;
+    return content.slice(0, idx) + block + content.slice(idx);
+  }
+  // insertAfter: match the FIRST occurrence — typical anchors like `<head>` or
+  // `<body>` open near the top of the document.
+  const idx = content.indexOf(config.insertAfter);
+  if (idx === -1) return content;
+  const after = idx + config.insertAfter.length;
+  // Preserve a single trailing newline if the anchor didn't end with one
+  const prefix = content[after] === '\n' ? content.slice(0, after + 1) : content.slice(0, after) + '\n';
+  return prefix + block + content.slice(prefix.length);
+}
+
+/**
+ * Remove the live script block. Matches either HTML or JSX comment markers
+ * regardless of config (so stale tags from a wrong config can still be cleaned).
+ *
+ * Indent-preserving: captures any whitespace immediately preceding the opener
+ * marker and re-emits it in place of the removed block. `insertTag` inserted
+ * the block *after* the original line's indent and *before* the anchor (e.g.
+ * `</body>`), which moved the indent onto the opener line and left the anchor
+ * unindented. Replacing the whole block (plus its trailing newline) with just
+ * the captured indent hands the indent back to the anchor that follows.
+ */
+function removeTag(content, _syntax) {
+  const patterns = [
+    /([ \t]*)<!--\s*impeccable-live-start\s*-->[\s\S]*?<!--\s*impeccable-live-end\s*-->[ \t]*\n/,
+    /([ \t]*)\{\/\*\s*impeccable-live-start\s*\*\/\}[\s\S]*?\{\/\*\s*impeccable-live-end\s*\*\/\}[ \t]*\n/,
+  ];
+  for (const pat of patterns) {
+    const next = content.replace(pat, '$1');
+    if (next !== content) return next;
+  }
+  return content;
+}
+
+// ---------------------------------------------------------------------------
+// Content-Security-Policy meta-tag patcher
+//
+// When the user's HTML carries `<meta http-equiv="Content-Security-Policy">`,
+// the cross-origin load of /live.js (and the SSE/POST connection back to
+// localhost:PORT) is blocked unless the CSP explicitly allows that origin.
+//
+// On insert: append `http://localhost:PORT` to `script-src` and `connect-src`,
+// and stash the original `content` value in a `data-impeccable-csp-original`
+// attribute (base64) so revert is exact.
+//
+// On remove: detect the marker attribute, decode it, restore the original
+// content value verbatim, drop the marker.
+//
+// Header-based CSP (Next.js headers, Nuxt routeRules, SvelteKit kit.csp,
+// shared helpers) is NOT patched here — those need framework-specific config
+// edits and are handled via the existing detect-csp.mjs reference output.
+// Only the in-source meta-tag form gets the auto-patch.
+// ---------------------------------------------------------------------------
+
+const CSP_MARKER_ATTR = 'data-impeccable-csp-original';
+
+function findCspMetaTags(content) {
+  const out = [];
+  const tagRe = /<meta\s+([^>]*?)\/?>/gis;
+  let m;
+  while ((m = tagRe.exec(content)) !== null) {
+    const attrs = m[1];
+    if (!/(http-equiv|httpEquiv)\s*=\s*(['"])Content-Security-Policy\2/i.test(attrs)) continue;
+    out.push({ start: m.index, end: m.index + m[0].length, full: m[0], attrs });
+  }
+  return out;
+}
+
+function getAttr(attrs, name) {
+  const re = new RegExp(`\\b${name}\\s*=\\s*(['"])([\\s\\S]*?)\\1`, 'i');
+  const m = attrs.match(re);
+  return m ? { quote: m[1], value: m[2], full: m[0] } : null;
+}
+
+function appendOriginToDirective(csp, directive, origin) {
+  const re = new RegExp(`(^|;)(\\s*)(${directive})\\s+([^;]*)`, 'i');
+  const m = csp.match(re);
+  if (m) {
+    const tokens = m[4].trim().split(/\s+/);
+    if (tokens.includes(origin)) return csp;
+    return csp.replace(re, `${m[1]}${m[2]}${m[3]} ${[...tokens, origin].join(' ')}`);
+  }
+  // Directive missing — add it. Use 'self' + origin so we don't inadvertently
+  // narrow the policy compared to the default-src fallback (most users with
+  // an explicit CSP have 'self' there).
+  return csp.trim().replace(/;?\s*$/, '') + `; ${directive} 'self' ${origin}`;
+}
+
+export function patchCspMeta(content, port) {
+  const tags = findCspMetaTags(content);
+  if (tags.length === 0) return content;
+  const origin = `http://localhost:${port}`;
+
+  // Walk last-to-first so prior splices don't invalidate later indices.
+  let result = content;
+  for (let i = tags.length - 1; i >= 0; i--) {
+    const tag = tags[i];
+    const attrs = tag.attrs;
+    if (getAttr(attrs, CSP_MARKER_ATTR)) continue; // already patched
+    const contentAttr = getAttr(attrs, 'content');
+    if (!contentAttr) continue;
+
+    const original = contentAttr.value;
+    let patched = original;
+    patched = appendOriginToDirective(patched, 'script-src', origin);
+    patched = appendOriginToDirective(patched, 'connect-src', origin);
+    // The shader overlay during 'generating' creates a screenshot via
+    // URL.createObjectURL, producing a `blob:` URL — img-src 'self' rejects
+    // those. Add `blob:` so the overlay doesn't throw a CSP violation.
+    patched = appendOriginToDirective(patched, 'img-src', 'blob:');
+    if (patched === original) continue;
+
+    const newContentAttr = `content=${contentAttr.quote}${patched}${contentAttr.quote}`;
+    const marker = `${CSP_MARKER_ATTR}="${Buffer.from(original, 'utf-8').toString('base64')}"`;
+    // The tagRe captures any whitespace between the last attribute and the
+    // closing `/>` as part of `attrs`. Naively appending ` ${marker}` after
+    // a replace would land it BEFORE that trailing space, leaving a double
+    // space inside attrs and clobbering the space before `/>`. Split off
+    // the trailing whitespace, splice the marker into the attribute body,
+    // and re-append the original trailing whitespace so a self-closing
+    // `<meta … />` round-trips byte-for-byte.
+    const trailingWs = (attrs.match(/[ \t]*$/) || [''])[0];
+    const attrsBody = attrs.slice(0, attrs.length - trailingWs.length);
+    const newAttrs = attrsBody.replace(contentAttr.full, newContentAttr) + ' ' + marker + trailingWs;
+    const newTag = tag.full.replace(attrs, newAttrs);
+
+    result = result.slice(0, tag.start) + newTag + result.slice(tag.end);
+  }
+  return result;
+}
+
+export function revertCspMeta(content) {
+  const tags = findCspMetaTags(content);
+  if (tags.length === 0) return content;
+
+  let result = content;
+  for (let i = tags.length - 1; i >= 0; i--) {
+    const tag = tags[i];
+    const origAttr = getAttr(tag.attrs, CSP_MARKER_ATTR);
+    if (!origAttr) continue;
+    const contentAttr = getAttr(tag.attrs, 'content');
+    if (!contentAttr) continue;
+
+    let originalValue;
+    try { originalValue = Buffer.from(origAttr.value, 'base64').toString('utf-8'); }
+    catch { continue; }
+
+    const newContentAttr = `content=${contentAttr.quote}${originalValue}${contentAttr.quote}`;
+    let newAttrs = tag.attrs.replace(contentAttr.full, newContentAttr);
+    // Drop the marker attribute and any single space immediately preceding it.
+    newAttrs = newAttrs.replace(new RegExp(`\\s*${origAttr.full}`), '');
+    const newTag = tag.full.replace(tag.attrs, newAttrs);
+
+    result = result.slice(0, tag.start) + newTag + result.slice(tag.end);
+  }
+  return result;
+}
+
+// ---------------------------------------------------------------------------
+// Auto-execute
+// ---------------------------------------------------------------------------
+
+const _running = process.argv[1];
+if (_running?.endsWith('live-inject.mjs') || _running?.endsWith('live-inject.mjs/')) {
+  injectCli();
+}
+
+export { insertTag, removeTag, validateConfig, buildTagBlock };
+// patchCspMeta + revertCspMeta are exported above where they're defined.

.agents/skills/impeccable/scripts/live-poll.mjs

@@ -0,0 +1,200 @@
+/**
+ * CLI client for the live variant mode poll/reply protocol.
+ *
+ * Usage:
+ *   npx impeccable poll                         # Block until browser event, print JSON
+ *   npx impeccable poll --timeout=600000        # Custom timeout (ms); default is long-poll friendly
+ *   npx impeccable poll --reply <id> done       # Reply "done" to event <id>
+ *   npx impeccable poll --reply <id> error "msg" # Reply with error
+ */
+
+import { execFileSync } from 'node:child_process';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { completionAckForAcceptResult, completionTypeForAcceptResult } from './live-completion.mjs';
+import { readLiveServerInfo } from './impeccable-paths.mjs';
+
+// Node's built-in fetch (undici under the hood) enforces a 300s headers
+// timeout that can't be lowered per-request. We cap each request below
+// that ceiling and loop in `pollOnce` to synthesize a long poll without
+// depending on the standalone undici package.
+const PER_REQUEST_TIMEOUT_MS = 270_000;
+
+function readServerInfo() {
+  const record = readLiveServerInfo(process.cwd());
+  if (!record) {
+    console.error('No running live server found. Start one with: npx impeccable live');
+    process.exit(1);
+  }
+  return record.info;
+}
+
+export function buildPollReplyPayload(token, { id, type, message, file, data }) {
+  return { token, id, type, message, file, data };
+}
+
+async function postReply(base, token, reply) {
+  const res = await fetch(`${base}/poll`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(buildPollReplyPayload(token, reply)),
+  });
+  if (!res.ok) {
+    const body = await res.json().catch(() => ({}));
+    throw new Error(body.error || res.statusText);
+  }
+}
+
+export async function pollCli() {
+  const args = process.argv.slice(2);
+
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(`Usage: impeccable poll [options]
+
+Wait for a browser event from the live variant server, or reply to one.
+
+Modes:
+  poll                             Block until a browser event arrives, print JSON
+  poll --reply <id> done           Reply "done" to event <id>
+  poll --reply <id> error "msg"    Reply with an error message
+
+Options:
+  --timeout=MS   Long-poll timeout in ms (default: 600000). Use the default unless the user asked to pause live; never use a short timeout to end the chat turn
+  --help         Show this help message`);
+    process.exit(0);
+  }
+
+  const info = readServerInfo();
+  const base = `http://localhost:${info.port}`;
+
+  // Reply mode: npx impeccable poll --reply <id> <status> [--file path] [message]
+  const replyIdx = args.indexOf('--reply');
+  if (replyIdx !== -1) {
+    const id = args[replyIdx + 1];
+    const status = args[replyIdx + 2] || 'done';
+    const fileIdx = args.indexOf('--file');
+    const filePath = fileIdx !== -1 && fileIdx + 1 < args.length ? args[fileIdx + 1] : undefined;
+    // Message is any remaining positional arg that isn't a flag
+    const message = args.find((a, i) => i > replyIdx + 2 && !a.startsWith('--') && i !== fileIdx + 1) || undefined;
+
+    if (!id) {
+      console.error('Usage: npx impeccable poll --reply <id> <status> [--file path] [message]');
+      process.exit(1);
+    }
+
+    try {
+      await postReply(base, info.token, { id, type: status, message, file: filePath });
+
+      // Success — silent exit (agent doesn't need output for replies)
+    } catch (err) {
+      if (err.cause?.code === 'ECONNREFUSED') {
+        console.error('Live server not running. Start one with: npx impeccable live');
+      } else {
+        console.error('Reply failed:', err.message);
+      }
+      process.exit(1);
+    }
+    return;
+  }
+
+  // Poll mode: block until browser event. Default 10 min. Node's built-in
+  // fetch enforces a 300s headers timeout, so we loop in slices under that
+  // ceiling and keep re-polling until we get a real event or the user's
+  // total timeout runs out.
+  const timeoutArg = args.find(a => a.startsWith('--timeout='));
+  const totalTimeout = timeoutArg ? parseInt(timeoutArg.split('=')[1], 10) : 600000;
+
+  const deadline = Date.now() + totalTimeout;
+  let event;
+  try {
+    while (true) {
+      const remaining = deadline - Date.now();
+      if (remaining <= 0) {
+        event = { type: 'timeout' };
+        break;
+      }
+      const slice = Math.min(remaining, PER_REQUEST_TIMEOUT_MS);
+      const res = await fetch(`${base}/poll?token=${info.token}&timeout=${slice}`);
+
+      if (res.status === 401) {
+        console.error('Authentication failed. The server token may have changed.');
+        console.error('Try restarting: npx impeccable live stop && npx impeccable live');
+        process.exit(1);
+      }
+
+      if (!res.ok) {
+        console.error(`Poll failed: ${res.status} ${res.statusText}`);
+        process.exit(1);
+      }
+
+      const next = await res.json();
+      // Server-side timeout means no browser event arrived in this slice.
+      // Loop and re-poll until we get a real event or we hit the user's
+      // total deadline.
+      if (next?.type === 'timeout' && Date.now() < deadline) continue;
+      event = next;
+      break;
+    }
+
+    // Auto-handle accept/discard via deterministic script
+    if (event.type === 'accept' || event.type === 'discard') {
+      const __dirname = path.dirname(fileURLToPath(import.meta.url));
+      const acceptScript = path.join(__dirname, 'live-accept.mjs');
+      const scriptArgs = event.type === 'discard'
+        ? ['--id', event.id, '--discard']
+        : ['--id', event.id, '--variant', event.variantId];
+      if (event.type === 'accept' && event.paramValues && Object.keys(event.paramValues).length > 0) {
+        scriptArgs.push('--param-values', JSON.stringify(event.paramValues));
+      }
+      try {
+        const out = execFileSync(
+          'node',
+          [acceptScript, ...scriptArgs],
+          { encoding: 'utf-8', cwd: process.cwd(), timeout: 30_000 }
+        );
+        event._acceptResult = JSON.parse(out.trim());
+      } catch (err) {
+        event._acceptResult = { handled: false, mode: 'error', error: err.message };
+      }
+
+      const completionType = completionTypeForAcceptResult(event.type, event._acceptResult);
+      try {
+        await postReply(base, info.token, {
+          id: event.id,
+          type: completionType,
+          message: event._acceptResult?.error,
+          file: event._acceptResult?.file,
+          data: event._acceptResult?.carbonize === true ? { carbonize: true } : undefined,
+        });
+      } catch (err) {
+        event._completionAck = { ok: false, error: err.message };
+      }
+      if (!event._completionAck) {
+        event._completionAck = completionAckForAcceptResult(event.id, completionType, event._acceptResult);
+      }
+    }
+
+    // Second signal path: stderr banner in case the agent parses stdout
+    // JSON but skips nested fields. One line is enough — the full checklist
+    // is in reference/live.md.
+    if (event._acceptResult?.carbonize === true) {
+      process.stderr.write('\n⚠ Carbonize cleanup REQUIRED before next poll. After cleanup, run live-complete.mjs --id ' + event.id + '. See reference/live.md "Required after accept".\n\n');
+    }
+
+    // Print the event as JSON — the agent reads this from stdout
+    console.log(JSON.stringify(event));
+  } catch (err) {
+    if (err.cause?.code === 'ECONNREFUSED') {
+      console.error('Live server not running. Start one with: npx impeccable live');
+    } else {
+      console.error('Poll failed:', err.message);
+    }
+    process.exit(1);
+  }
+}
+
+// Auto-execute when run directly
+const _running = process.argv[1];
+if (_running?.endsWith('live-poll.mjs') || _running?.endsWith('live-poll.mjs/')) {
+  pollCli();
+}

.agents/skills/impeccable/scripts/live-resume.mjs

@@ -0,0 +1,48 @@
+#!/usr/bin/env node
+/**
+ * Recover the next agent action from the durable live-session journal.
+ */
+
+import { createLiveSessionStore } from './live-session-store.mjs';
+
+function parseArgs(argv) {
+  const out = { id: null };
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === '--id') out.id = argv[++i];
+    else if (arg.startsWith('--id=')) out.id = arg.slice('--id='.length);
+    else if (arg === '--help' || arg === '-h') out.help = true;
+  }
+  return out;
+}
+
+export async function resumeCli() {
+  const args = parseArgs(process.argv.slice(2));
+  if (args.help) {
+    console.log(`Usage: node live-resume.mjs [--id SESSION_ID]\n\nPrint the active durable session checkpoint and the next safe agent action.`);
+    return;
+  }
+
+  const store = createLiveSessionStore({ cwd: process.cwd(), sessionId: args.id || undefined });
+  const snapshot = args.id ? store.getSnapshot(args.id) : store.listActiveSessions()[0] || null;
+  if (!snapshot) {
+    console.log(JSON.stringify({ active: false, nextAction: 'No active durable live session found.' }, null, 2));
+    return;
+  }
+
+  const pending = snapshot.pendingEvent || null;
+  const nextAction = pending
+    ? `Run live-poll.mjs, handle ${pending.type} ${pending.id}, then acknowledge with live-poll.mjs --reply ${pending.id} done.`
+    : snapshot.phase === 'carbonize_required'
+      ? `Finish carbonize cleanup${snapshot.sourceFile ? ` in ${snapshot.sourceFile}` : ''}, then run live-complete.mjs --id ${snapshot.id}.`
+      : snapshot.phase === 'accept_requested'
+        ? `Run live-complete.mjs --id ${snapshot.id} after verifying the accepted variant is written.`
+        : `Inspect ${snapshot.id}; no pending agent event is currently queued.`;
+
+  console.log(JSON.stringify({ active: true, snapshot, pendingEvent: pending, nextAction }, null, 2));
+}
+
+const _running = process.argv[1];
+if (_running?.endsWith('live-resume.mjs') || _running?.endsWith('live-resume.mjs/')) {
+  resumeCli();
+}

.agents/skills/impeccable/scripts/live-server.mjs

@@ -0,0 +1,838 @@
+#!/usr/bin/env node
+/**
+ * Live variant mode server (self-contained, zero dependencies).
+ *
+ * Serves the browser script (/live.js), the detection overlay (/detect.js),
+ * uses Server-Sent Events (SSE) for server→browser push, and HTTP POST for
+ * browser→server events. Agent communicates via HTTP long-poll (/poll).
+ *
+ * Usage:
+ *   node <scripts_path>/live-server.mjs              # start
+ *   node <scripts_path>/live-server.mjs stop         # stop + remove injected live.js tag
+ *   node <scripts_path>/live-server.mjs stop --keep-inject   # stop only
+ *   node <scripts_path>/live-server.mjs --help
+ */
+
+import http from 'node:http';
+import { randomUUID } from 'node:crypto';
+import { spawn, execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+import net from 'node:net';
+import { fileURLToPath } from 'node:url';
+import { parseDesignMd } from './design-parser.mjs';
+import { resolveContextDir } from './load-context.mjs';
+import { createLiveSessionStore } from './live-session-store.mjs';
+import {
+  getDesignSidecarPath,
+  getLiveAnnotationsDir,
+  readLiveServerInfo,
+  removeLiveServerInfo,
+  resolveDesignSidecarPath,
+  writeLiveServerInfo,
+} from './impeccable-paths.mjs';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+// PRODUCT.md / DESIGN.md live wherever load-context.mjs resolves. The generated
+// DESIGN sidecar is project-local at .impeccable/design.json, with legacy
+// DESIGN.json fallback for existing projects.
+const CONTEXT_DIR = resolveContextDir(process.cwd());
+const DEFAULT_POLL_TIMEOUT = 600_000;   // 10 min — agent re-polls on timeout anyway
+const SSE_HEARTBEAT_INTERVAL = 30_000;  // keepalive ping every 30s
+
+// ---------------------------------------------------------------------------
+// Port detection
+// ---------------------------------------------------------------------------
+
+async function findOpenPort(start = 8400) {
+  return new Promise((resolve) => {
+    const srv = net.createServer();
+    srv.listen(start, '127.0.0.1', () => {
+      const port = srv.address().port;
+      srv.close(() => resolve(port));
+    });
+    srv.on('error', () => resolve(findOpenPort(start + 1)));
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Session state
+// ---------------------------------------------------------------------------
+
+const state = {
+  token: null,
+  port: null,
+  sseClients: new Set(),   // SSE response objects (server→browser push)
+  pendingEvents: [],        // browser events waiting for agent ack ({ event, leaseUntil })
+  pendingPolls: [],         // agent poll callbacks waiting for browser events
+  exitTimer: null,
+  sessionDir: null,         // per-session tmp dir for annotation screenshots
+  sessionStore: null,
+  leaseTimer: null,
+};
+
+// Cap per-annotation upload size. A full 1920×1080 PNG is typically <1 MB;
+// cap at 10 MB to guard against runaway writes from a misbehaving client.
+const MAX_ANNOTATION_BYTES = 10 * 1024 * 1024;
+
+function enqueueEvent(event) {
+  if (!event || (event.id && state.pendingEvents.some((entry) => entry.event?.id === event.id && entry.event?.type === event.type))) return;
+  state.pendingEvents.push({ event, leaseUntil: 0 });
+  flushPendingPolls();
+}
+
+function restorePendingEventsFromStore() {
+  if (!state.sessionStore) return;
+  for (const snapshot of state.sessionStore.listActiveSessions()) {
+    if (snapshot.pendingEvent) enqueueEvent(snapshot.pendingEvent);
+  }
+}
+
+function findAvailablePendingEvent(now = Date.now()) {
+  return state.pendingEvents.find((entry) => !entry.leaseUntil || entry.leaseUntil <= now);
+}
+
+function leaseEvent(entry, leaseMs) {
+  if (!entry.event?.id) {
+    const idx = state.pendingEvents.indexOf(entry);
+    if (idx !== -1) state.pendingEvents.splice(idx, 1);
+    return entry.event;
+  }
+  entry.leaseUntil = Date.now() + leaseMs;
+  return entry.event;
+}
+
+function acknowledgePendingEvent(id) {
+  if (!id) return false;
+  const idx = state.pendingEvents.findIndex((entry) => entry.event?.id === id);
+  if (idx === -1) return false;
+  state.pendingEvents.splice(idx, 1);
+  scheduleLeaseFlush();
+  return true;
+}
+
+function scheduleLeaseFlush() {
+  if (state.leaseTimer) {
+    clearTimeout(state.leaseTimer);
+    state.leaseTimer = null;
+  }
+  if (state.pendingPolls.length === 0) return;
+  const now = Date.now();
+  const nextLeaseUntil = state.pendingEvents
+    .map((entry) => entry.leaseUntil || 0)
+    .filter((leaseUntil) => leaseUntil > now)
+    .sort((a, b) => a - b)[0];
+  if (!nextLeaseUntil) return;
+  state.leaseTimer = setTimeout(() => {
+    state.leaseTimer = null;
+    flushPendingPolls();
+  }, Math.max(0, nextLeaseUntil - now));
+}
+
+function flushPendingPolls() {
+  while (state.pendingPolls.length > 0) {
+    const entry = findAvailablePendingEvent();
+    if (!entry) {
+      scheduleLeaseFlush();
+      return;
+    }
+    const poll = state.pendingPolls.shift();
+    poll.resolve(leaseEvent(entry, poll.leaseMs));
+  }
+  scheduleLeaseFlush();
+}
+
+/** Push a message to all connected SSE clients. */
+function broadcast(msg) {
+  const data = 'data: ' + JSON.stringify(msg) + '\n\n';
+  for (const res of state.sseClients) {
+    try { res.write(data); } catch { /* client gone */ }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Load scripts
+// ---------------------------------------------------------------------------
+
+function loadBrowserScripts() {
+  // Detection script: prefer the skill-bundled detector, then fall back to
+  // source/npm package locations for local development and older installs.
+  // This one IS cached — detect.js rarely changes during a session.
+  const detectPaths = [
+    path.join(__dirname, 'detector', 'detect-antipatterns-browser.js'),
+    path.join(__dirname, '..', '..', 'cli', 'engine', 'detect-antipatterns-browser.js'),
+    path.join(__dirname, '..', '..', '..', '..', 'cli', 'engine', 'detect-antipatterns-browser.js'),
+    path.join(process.cwd(), 'node_modules', 'impeccable', 'cli', 'engine', 'detect-antipatterns-browser.js'),
+  ];
+  let detectScript = '';
+  for (const p of detectPaths) {
+    try { detectScript = fs.readFileSync(p, 'utf-8'); break; } catch { /* try next */ }
+  }
+
+  // live-browser.js: DO NOT cache. Return the path so the /live.js handler
+  // can re-read on every request. Editing the browser script during iteration
+  // should land on the next tab reload, not require a server restart.
+  const sessionPath = path.join(__dirname, 'live-browser-session.js');
+  const livePath = path.join(__dirname, 'live-browser.js');
+  for (const p of [sessionPath, livePath]) {
+    if (!fs.existsSync(p)) {
+      process.stderr.write('Error: live browser script not found at ' + p + '\n');
+      process.exit(1);
+    }
+  }
+
+  return { detectScript, sessionPath, livePath };
+}
+
+function hasProjectContext() {
+  // PRODUCT.md carries brand voice / anti-references — that's what determines
+  // whether variants are brand-aware. DESIGN.md (visual tokens) is a separate
+  // concern, surfaced by the design panel's own empty state. Legacy
+  // .impeccable.md is auto-migrated to PRODUCT.md by load-context.mjs.
+  try {
+    fs.accessSync(path.join(CONTEXT_DIR, 'PRODUCT.md'), fs.constants.R_OK);
+    return true;
+  } catch { return false; }
+}
+
+function statOrNull(filePath) {
+  try { return fs.statSync(filePath); } catch { return null; }
+}
+
+// ---------------------------------------------------------------------------
+// Validation (inline — no external import needed for self-contained script)
+// ---------------------------------------------------------------------------
+
+const VISUAL_ACTIONS = [
+  'impeccable', 'bolder', 'quieter', 'distill', 'polish', 'typeset',
+  'colorize', 'layout', 'adapt', 'animate', 'delight', 'overdrive',
+];
+
+// Browser generates ids via crypto.randomUUID().slice(0, 8) (8 hex chars)
+// and variantIds via String(small integer). Restrict to those shapes so
+// any value that reaches a downstream child_process or DOM selector is
+// inert by construction.
+const ID_PATTERN = /^[0-9a-f]{8}$/;
+const VARIANT_ID_PATTERN = /^[0-9]{1,3}$/;
+
+function isValidId(v) { return typeof v === 'string' && ID_PATTERN.test(v); }
+function isValidVariantId(v) { return typeof v === 'string' && VARIANT_ID_PATTERN.test(v); }
+
+function validateEvent(msg) {
+  if (!msg || typeof msg !== 'object' || !msg.type) return 'Missing or invalid message';
+  switch (msg.type) {
+    case 'generate':
+      if (!isValidId(msg.id)) return 'generate: missing or malformed id';
+      if (!msg.action || !VISUAL_ACTIONS.includes(msg.action)) return 'generate: invalid action';
+      if (!Number.isInteger(msg.count) || msg.count < 1 || msg.count > 8) return 'generate: count must be 1-8';
+      if (!msg.element || !msg.element.outerHTML) return 'generate: missing element context';
+      // Optional annotation fields (all-or-nothing: if any present, all must be well-formed).
+      if (msg.screenshotPath !== undefined && typeof msg.screenshotPath !== 'string') return 'generate: screenshotPath must be string';
+      if (msg.comments !== undefined && !Array.isArray(msg.comments)) return 'generate: comments must be array';
+      if (msg.strokes !== undefined && !Array.isArray(msg.strokes)) return 'generate: strokes must be array';
+      return null;
+    case 'accept':
+      if (!isValidId(msg.id)) return 'accept: missing or malformed id';
+      if (!isValidVariantId(msg.variantId)) return 'accept: missing or malformed variantId';
+      if (msg.paramValues !== undefined) {
+        if (typeof msg.paramValues !== 'object' || msg.paramValues === null || Array.isArray(msg.paramValues)) {
+          return 'accept: paramValues must be an object';
+        }
+      }
+      return null;
+    case 'discard':
+      return isValidId(msg.id) ? null : 'discard: missing or malformed id';
+    case 'checkpoint':
+      if (!isValidId(msg.id)) return 'checkpoint: missing or malformed id';
+      if (!Number.isInteger(msg.revision) || msg.revision < 0) return 'checkpoint: revision must be a non-negative integer';
+      if (msg.paramValues !== undefined && (typeof msg.paramValues !== 'object' || msg.paramValues === null || Array.isArray(msg.paramValues))) {
+        return 'checkpoint: paramValues must be an object';
+      }
+      return null;
+    case 'exit':
+      return null;
+    case 'prefetch':
+      if (!msg.pageUrl || typeof msg.pageUrl !== 'string') return 'prefetch: missing pageUrl';
+      return null;
+    default:
+      return 'Unknown event type: ' + msg.type;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// HTTP request handler
+// ---------------------------------------------------------------------------
+
+function createRequestHandler({ detectScript, sessionPath, livePath }) {
+  return (req, res) => {
+    const url = new URL(req.url, `http://localhost:${state.port}`);
+    res.setHeader('Access-Control-Allow-Origin', '*');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
+
+    const p = url.pathname;
+
+    // --- Scripts ---
+    if (p === '/live.js') {
+      // Re-read from disk each request so edits to live-browser.js land on
+      // the next tab reload. No-store headers prevent browser caching across
+      // sessions — during iteration, a cached old script silently breaks
+      // every subsequent session.
+      let sessionScript;
+      let liveScript;
+      try {
+        sessionScript = fs.readFileSync(sessionPath, 'utf-8');
+        liveScript = fs.readFileSync(livePath, 'utf-8');
+      } catch (err) {
+        res.writeHead(500, { 'Content-Type': 'text/plain' });
+        res.end('Error reading live browser scripts: ' + err.message);
+        return;
+      }
+      const body =
+        `window.__IMPECCABLE_TOKEN__ = '${state.token}';\n` +
+        `window.__IMPECCABLE_PORT__ = ${state.port};\n` +
+        sessionScript + '\n' +
+        liveScript;
+      res.writeHead(200, {
+        'Content-Type': 'application/javascript',
+        'Cache-Control': 'no-store, no-cache, must-revalidate, max-age=0',
+        'Pragma': 'no-cache',
+      });
+      res.end(body);
+      return;
+    }
+    if (p === '/detect.js' || p === '/') {
+      if (!detectScript) { res.writeHead(404); res.end('Not available'); return; }
+      res.writeHead(200, { 'Content-Type': 'application/javascript' });
+      res.end(detectScript);
+      return;
+    }
+
+    // --- Vendored modern-screenshot (UMD build) ---
+    // Lazy-loaded by live.js when the user clicks Go; exposes
+    // window.modernScreenshot.domToBlob(...) for capture.
+    if (p === '/modern-screenshot.js') {
+      const vendorPath = path.join(__dirname, 'modern-screenshot.umd.js');
+      try {
+        res.writeHead(200, {
+          'Content-Type': 'application/javascript',
+          'Cache-Control': 'public, max-age=31536000, immutable',
+        });
+        res.end(fs.readFileSync(vendorPath));
+      } catch {
+        res.writeHead(404); res.end('Vendor script not found');
+      }
+      return;
+    }
+
+    // --- Annotation upload (browser → server, raw PNG body) ---
+    // Client generates the eventId, POSTs the PNG, then POSTs the generate
+    // event with screenshotPath already set. Keeps bytes out of the SSE/poll
+    // bridge and preserves the "one shot from the user's POV" UX.
+    if (p === '/annotation' && req.method === 'POST') {
+      const token = url.searchParams.get('token');
+      if (token !== state.token) { res.writeHead(401); res.end('Unauthorized'); return; }
+      const eventId = url.searchParams.get('eventId');
+      if (!eventId || !/^[A-Za-z0-9_-]{1,64}$/.test(eventId)) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Invalid eventId' }));
+        return;
+      }
+      if ((req.headers['content-type'] || '').toLowerCase() !== 'image/png') {
+        res.writeHead(415, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Content-Type must be image/png' }));
+        return;
+      }
+      if (!state.sessionDir) {
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Session dir unavailable' }));
+        return;
+      }
+      const chunks = [];
+      let total = 0;
+      let aborted = false;
+      req.on('data', (c) => {
+        if (aborted) return;
+        total += c.length;
+        if (total > MAX_ANNOTATION_BYTES) {
+          aborted = true;
+          res.writeHead(413, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Payload too large' }));
+          req.destroy();
+          return;
+        }
+        chunks.push(c);
+      });
+      req.on('end', () => {
+        if (aborted) return;
+        const absPath = path.join(state.sessionDir, eventId + '.png');
+        try {
+          fs.writeFileSync(absPath, Buffer.concat(chunks));
+        } catch (err) {
+          res.writeHead(500, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Write failed: ' + err.message }));
+          return;
+        }
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ ok: true, path: absPath }));
+      });
+      req.on('error', () => {
+        if (!aborted) {
+          res.writeHead(500, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Upload failed' }));
+        }
+      });
+      return;
+    }
+
+    // --- Health ---
+    if (p === '/status') {
+      const token = url.searchParams.get('token');
+      if (token !== state.token) { res.writeHead(401, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Unauthorized' })); return; }
+      const sessions = state.sessionStore ? state.sessionStore.listActiveSessions() : [];
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        status: 'ok',
+        port: state.port,
+        connectedClients: state.sseClients.size,
+        pendingEvents: state.pendingEvents.map((entry) => ({
+          id: entry.event?.id,
+          type: entry.event?.type,
+          leased: !!(entry.leaseUntil && entry.leaseUntil > Date.now()),
+          leaseUntil: entry.leaseUntil || null,
+        })),
+        activeSessions: sessions,
+      }));
+      return;
+    }
+
+    if (p === '/health') {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        status: 'ok', port: state.port, mode: 'variant',
+        hasProjectContext: hasProjectContext(),
+        connectedClients: state.sseClients.size,
+      }));
+      return;
+    }
+
+    // --- Design system (unified v2 response) + raw ---
+    //   /design-system.json    returns both parsed DESIGN.md and .impeccable/design.json
+    //                          sidecar when present. Panel merges them:
+    //                            { present, parsed, sidecar, hasMd, hasSidecar,
+    //                              mdNewerThanJson, parseError?, sidecarError? }
+    //                          - parsed: output of parseDesignMd (frontmatter
+    //                            + six canonical sections) when DESIGN.md exists.
+    //                          - sidecar: .impeccable/design.json contents when present.
+    //                            Expected shape: schemaVersion 2, carrying
+    //                            extensions + components + narrative.
+    //   /design-system/raw     returns DESIGN.md markdown verbatim
+    if (p === '/design-system.json' || p === '/design-system/raw') {
+      const token = url.searchParams.get('token');
+      if (token !== state.token) { res.writeHead(401); res.end('Unauthorized'); return; }
+
+      const mdPath = path.join(CONTEXT_DIR, 'DESIGN.md');
+      const jsonPath = resolveDesignSidecarPath(process.cwd(), CONTEXT_DIR) || getDesignSidecarPath(process.cwd());
+      const mdStat = statOrNull(mdPath);
+      const jsonStat = statOrNull(jsonPath);
+
+      if (p === '/design-system/raw') {
+        if (!mdStat) { res.writeHead(404); res.end('Not found'); return; }
+        res.writeHead(200, { 'Content-Type': 'text/markdown; charset=utf-8' });
+        res.end(fs.readFileSync(mdPath, 'utf-8'));
+        return;
+      }
+
+      if (!mdStat && !jsonStat) {
+        res.writeHead(404, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ present: false }));
+        return;
+      }
+
+      const response = {
+        present: true,
+        hasMd: !!mdStat,
+        hasSidecar: !!jsonStat,
+        mdNewerThanJson: !!(mdStat && jsonStat && mdStat.mtimeMs > jsonStat.mtimeMs + 1000),
+      };
+
+      if (mdStat) {
+        try {
+          response.parsed = parseDesignMd(fs.readFileSync(mdPath, 'utf-8'));
+        } catch (err) {
+          response.parseError = err.message;
+        }
+      }
+
+      if (jsonStat) {
+        try {
+          response.sidecar = JSON.parse(fs.readFileSync(jsonPath, 'utf-8'));
+        } catch (err) {
+          response.sidecarError = 'Failed to parse .impeccable/design.json: ' + err.message;
+        }
+      }
+
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(response));
+      return;
+    }
+
+    // --- Source file (no-HMR fallback) ---
+    if (p === '/source') {
+      const token = url.searchParams.get('token');
+      if (token !== state.token) { res.writeHead(401); res.end('Unauthorized'); return; }
+      const filePath = url.searchParams.get('path');
+      if (!filePath || filePath.includes('..')) { res.writeHead(400); res.end('Bad path'); return; }
+      const absPath = path.resolve(process.cwd(), filePath);
+      if (!absPath.startsWith(process.cwd())) { res.writeHead(403); res.end('Forbidden'); return; }
+      let content;
+      try { content = fs.readFileSync(absPath, 'utf-8'); }
+      catch { res.writeHead(404); res.end('File not found'); return; }
+      res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+      res.end(content);
+      return;
+    }
+
+    // --- SSE: server→browser push (replaces WebSocket) ---
+    if (p === '/events' && req.method === 'GET') {
+      const token = url.searchParams.get('token');
+      if (token !== state.token) { res.writeHead(401); res.end('Unauthorized'); return; }
+      res.writeHead(200, {
+        'Content-Type': 'text/event-stream',
+        'Cache-Control': 'no-cache',
+        'Connection': 'keep-alive',
+      });
+      res.write('data: ' + JSON.stringify({
+        type: 'connected',
+        hasProjectContext: hasProjectContext(),
+      }) + '\n\n');
+
+      state.sseClients.add(res);
+      clearTimeout(state.exitTimer);
+
+      // Keepalive: SSE comment every 30s prevents silent connection drops.
+      const heartbeat = setInterval(() => {
+        try { res.write(': keepalive\n\n'); } catch { clearInterval(heartbeat); }
+      }, SSE_HEARTBEAT_INTERVAL);
+
+      req.on('close', () => {
+        clearInterval(heartbeat);
+        state.sseClients.delete(res);
+        if (state.sseClients.size === 0) {
+          clearTimeout(state.exitTimer);
+          state.exitTimer = setTimeout(() => {
+            if (state.sseClients.size === 0) enqueueEvent({ type: 'exit' });
+          }, 8000);
+        }
+      });
+      return;
+    }
+
+    // --- Browser→server events (replaces WebSocket messages) ---
+    if (p === '/events' && req.method === 'POST') {
+      let body = '';
+      req.on('data', (c) => { body += c; });
+      req.on('end', () => {
+        let msg;
+        try { msg = JSON.parse(body); } catch {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Invalid JSON' }));
+          return;
+        }
+        if (msg.token !== state.token) {
+          res.writeHead(401, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Unauthorized' }));
+          return;
+        }
+        const error = validateEvent(msg);
+        if (error) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error }));
+          return;
+        }
+        if (state.sessionStore && msg.id) {
+          try {
+            state.sessionStore.appendEvent(msg);
+          } catch (err) {
+            res.writeHead(500, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'session_store_append_failed', message: err.message }));
+            return;
+          }
+        }
+        if (msg.type !== 'checkpoint') enqueueEvent(msg);
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ ok: true }));
+      });
+      return;
+    }
+
+    // --- Stop ---
+    if (p === '/stop') {
+      const token = url.searchParams.get('token');
+      if (token !== state.token) { res.writeHead(401); res.end('Unauthorized'); return; }
+      res.writeHead(200, { 'Content-Type': 'text/plain' });
+      res.end('stopping');
+      shutdown();
+      return;
+    }
+
+    // --- Agent poll ---
+    if (p === '/poll' && req.method === 'GET') {
+      handlePollGet(req, res, url);
+      return;
+    }
+    if (p === '/poll' && req.method === 'POST') {
+      handlePollPost(req, res);
+      return;
+    }
+
+    res.writeHead(404); res.end('Not found');
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Agent poll endpoints (unchanged from WS version)
+// ---------------------------------------------------------------------------
+
+function handlePollGet(req, res, url) {
+  const token = url.searchParams.get('token');
+  if (token !== state.token) {
+    res.writeHead(401, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Unauthorized' }));
+    return;
+  }
+  const timeout = parseInt(url.searchParams.get('timeout') || DEFAULT_POLL_TIMEOUT, 10);
+  const leaseMs = parseInt(url.searchParams.get('leaseMs') || '30000', 10);
+  const available = findAvailablePendingEvent();
+  if (available) {
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify(leaseEvent(available, leaseMs)));
+    return;
+  }
+  const poll = { resolve, leaseMs };
+  const timer = setTimeout(() => {
+    const idx = state.pendingPolls.indexOf(poll);
+    if (idx !== -1) state.pendingPolls.splice(idx, 1);
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ type: 'timeout' }));
+  }, timeout);
+  function resolve(event) {
+    clearTimeout(timer);
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify(event));
+  }
+  state.pendingPolls.push(poll);
+  scheduleLeaseFlush();
+  req.on('close', () => {
+    clearTimeout(timer);
+    const idx = state.pendingPolls.indexOf(poll);
+    if (idx !== -1) state.pendingPolls.splice(idx, 1);
+  });
+}
+
+function handlePollPost(req, res) {
+  let body = '';
+  req.on('data', (c) => { body += c; });
+  req.on('end', () => {
+    let msg;
+    try { msg = JSON.parse(body); } catch {
+      res.writeHead(400, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Invalid JSON' }));
+      return;
+    }
+    if (msg.token !== state.token) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    acknowledgePendingEvent(msg.id);
+    if (state.sessionStore && msg.id) {
+      try {
+        const eventType = msg.type === 'discard' || msg.type === 'discarded'
+          ? 'discarded'
+          : msg.type === 'complete'
+            ? 'complete'
+            : msg.type === 'error'
+              ? 'agent_error'
+              : 'agent_done';
+        state.sessionStore.appendEvent({
+          type: eventType,
+          id: msg.id,
+          file: msg.file,
+          message: msg.message,
+          carbonize: msg.data?.carbonize === true,
+        });
+      } catch { /* keep reply path best-effort; browser still needs SSE */ }
+    }
+    flushPendingPolls();
+    // Forward the reply to the browser via SSE
+    broadcast({ type: msg.type || 'done', id: msg.id, message: msg.message, file: msg.file, data: msg.data });
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ ok: true }));
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Lifecycle
+// ---------------------------------------------------------------------------
+
+let httpServer = null;
+
+function shutdown() {
+  removeLiveServerInfo(process.cwd());
+  if (state.leaseTimer) clearTimeout(state.leaseTimer);
+  state.leaseTimer = null;
+  if (state.sessionDir) {
+    try { fs.rmSync(state.sessionDir, { recursive: true, force: true }); } catch {}
+  }
+  for (const res of state.sseClients) { try { res.end(); } catch {} }
+  state.sseClients.clear();
+  for (const poll of state.pendingPolls) poll.resolve({ type: 'exit' });
+  state.pendingPolls.length = 0;
+  if (httpServer) httpServer.close();
+  process.exit(0);
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+const args = process.argv.slice(2);
+
+if (args.includes('--help') || args.includes('-h')) {
+  console.log(`Usage: node live-server.mjs [options]
+
+Start the live variant mode server (zero dependencies).
+
+Commands:
+  (default)     Start the server (foreground)
+  stop          Stop the server and remove the injected live.js script tag
+  stop --keep-inject   Stop the server only (leave the script tag in the HTML entry)
+
+Options:
+  --background  Start detached, print connection JSON to stdout, then exit
+  --port=PORT   Use a specific port (default: auto-detect starting at 8400)
+  --keep-inject Only with stop: skip live-inject.mjs --remove
+  --help        Show this help
+
+Endpoints:
+  /live.js             Browser script (element picker + variant cycling)
+  /detect.js           Detection overlay (backwards compatible)
+  /modern-screenshot.js Vendored modern-screenshot UMD build (lazy-loaded by live.js)
+  /annotation          POST raw image/png to stage a variant screenshot
+  /events              SSE stream (server→browser) + POST (browser→server)
+  /poll                Long-poll for agent CLI
+  /source              Raw source file reader (no-HMR fallback)
+  /status              Durable recovery status (token-protected)
+  /health              Health check`);
+  process.exit(0);
+}
+
+if (args.includes('stop')) {
+  const keepInject = args.includes('--keep-inject');
+  try {
+    const { info } = readLiveServerInfo(process.cwd()) || {};
+    const res = await fetch(`http://localhost:${info.port}/stop?token=${info.token}`);
+    if (res.ok) console.log(`Stopped live server on port ${info.port}.`);
+  } catch {
+    console.log('No running live server found.');
+  }
+  if (!keepInject) {
+    const injectPath = path.join(__dirname, 'live-inject.mjs');
+    try {
+      const out = execFileSync(process.execPath, [injectPath, '--remove'], {
+        encoding: 'utf-8',
+        cwd: process.cwd(),
+      });
+      const line = out.trim().split('\n').filter(Boolean).pop();
+      if (line) {
+        try {
+          const j = JSON.parse(line);
+          if (j.removed === true) {
+            console.log(`Removed live script tag from ${j.file}.`);
+          }
+        } catch {
+          /* ignore non-JSON lines */
+        }
+      }
+    } catch (err) {
+      const detail = err.stderr?.toString?.().trim?.()
+        || err.stdout?.toString?.().trim?.()
+        || err.message
+        || String(err);
+      console.warn(`Note: could not remove live script tag (${detail.split('\n')[0]})`);
+    }
+  }
+  process.exit(0);
+}
+
+// --background: spawn a detached child server, wait for it to be ready,
+// print the connection JSON, then exit.  This keeps the startup command
+// simple (no shell backgrounding or chained commands).
+if (args.includes('--background')) {
+  const childArgs = args.filter(a => a !== '--background');
+  const child = spawn(process.execPath, [fileURLToPath(import.meta.url), ...childArgs], {
+    detached: true,
+    stdio: 'ignore',
+    cwd: process.cwd(),
+  });
+  child.unref();
+
+  // Poll for the PID file (the child writes it once the HTTP server is listening).
+  const deadline = Date.now() + 10_000;
+  while (Date.now() < deadline) {
+    try {
+      const { info } = readLiveServerInfo(process.cwd()) || {};
+      if (info.pid !== process.pid) {
+        // Output JSON so the agent can read port + token from stdout.
+        console.log(JSON.stringify(info));
+        process.exit(0);
+      }
+    } catch { /* not ready yet */ }
+    await new Promise(r => setTimeout(r, 200));
+  }
+  console.error('Timed out waiting for live server to start.');
+  process.exit(1);
+}
+
+// Check for existing session
+const existingRecord = readLiveServerInfo(process.cwd());
+if (existingRecord?.info) {
+  const existing = existingRecord.info;
+  try {
+    process.kill(existing.pid, 0);
+    console.error(`Live server already running on port ${existing.port} (pid ${existing.pid}).`);
+    console.error('Stop it first with: node ' + path.basename(fileURLToPath(import.meta.url)) + ' stop');
+    process.exit(1);
+  } catch {
+    try { fs.unlinkSync(existingRecord.path); } catch {}
+  }
+}
+
+state.token = randomUUID();
+state.sessionStore = createLiveSessionStore({ cwd: process.cwd() });
+restorePendingEventsFromStore();
+const portArg = args.find(a => a.startsWith('--port='));
+state.port = portArg ? parseInt(portArg.split('=')[1], 10) : await findOpenPort();
+// Annotation screenshots live in the project root so the agent's Read tool
+// doesn't trip a per-file permission prompt. Sessioned by token so concurrent
+// projects (or quick restarts) don't collide.
+const annotRoot = getLiveAnnotationsDir(process.cwd());
+fs.mkdirSync(annotRoot, { recursive: true });
+state.sessionDir = fs.mkdtempSync(path.join(annotRoot, 'session-'));
+
+const { detectScript, sessionPath, livePath } = loadBrowserScripts();
+httpServer = http.createServer(createRequestHandler({ detectScript, sessionPath, livePath }));
+
+httpServer.listen(state.port, '127.0.0.1', () => {
+  writeLiveServerInfo(process.cwd(), { pid: process.pid, port: state.port, token: state.token });
+  const url = `http://localhost:${state.port}`;
+  console.log(`\nImpeccable live server running on ${url}`);
+  console.log(`Token: ${state.token}\n`);
+  console.log(`Inject: <script src="${url}/live.js"><\/script>`);
+  console.log(`Stop:   node ${path.basename(fileURLToPath(import.meta.url))} stop`);
+});
+
+process.on('SIGINT', shutdown);
+process.on('SIGTERM', shutdown);

.agents/skills/impeccable/scripts/live-session-store.mjs

@@ -0,0 +1,254 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { getLegacyLiveSessionsDir, getLiveSessionsDir } from './impeccable-paths.mjs';
+
+const COMPLETED_PHASES = new Set(['completed', 'discarded']);
+
+export function createLiveSessionStore({ cwd = process.cwd(), sessionId } = {}) {
+  const rootDir = getLiveSessionsDir(cwd);
+  const legacyRootDir = getLegacyLiveSessionsDir(cwd);
+  fs.mkdirSync(rootDir, { recursive: true });
+  const snapshotCache = new Map();
+
+  function loadCachedOrRebuild(id) {
+    const cached = snapshotCache.get(id);
+    if (cached) return cached;
+    const journalPath = getReadableJournalPath(id);
+    const rebuilt = rebuildSnapshotFromJournal(journalPath, id);
+    snapshotCache.set(id, rebuilt);
+    return rebuilt;
+  }
+
+  function getReadableJournalPath(id) {
+    const primary = getJournalPath(rootDir, id);
+    if (fs.existsSync(primary)) return primary;
+    const legacy = getJournalPath(legacyRootDir, id);
+    if (fs.existsSync(legacy)) return legacy;
+    return primary;
+  }
+
+  return {
+    rootDir,
+    legacyRootDir,
+    appendEvent(event) {
+      const normalized = normalizeEvent(event, sessionId);
+      const journalPath = getJournalPath(rootDir, normalized.id);
+      const snapshotPath = getSnapshotPath(rootDir, normalized.id);
+      const legacyJournalPath = getJournalPath(legacyRootDir, normalized.id);
+      if (!fs.existsSync(journalPath) && fs.existsSync(legacyJournalPath)) {
+        fs.copyFileSync(legacyJournalPath, journalPath);
+      }
+      const prior = loadCachedOrRebuild(normalized.id);
+      const seq = prior.nextSeq;
+      const entry = {
+        seq,
+        id: normalized.id,
+        type: normalized.type,
+        ts: new Date().toISOString(),
+        event: normalized,
+      };
+      fs.appendFileSync(journalPath, JSON.stringify(entry) + '\n');
+      const next = applyEvent(prior.snapshot, entry, prior.diagnostics);
+      snapshotCache.set(normalized.id, { snapshot: next, diagnostics: next.diagnostics || [], nextSeq: seq + 1 });
+      writeSnapshot(snapshotPath, next);
+      return next;
+    },
+    getSnapshot(id = sessionId, opts = {}) {
+      if (!id) throw new Error('session id required');
+      const journalPath = getReadableJournalPath(id);
+      const snapshotPath = getSnapshotPath(rootDir, id);
+      const rebuilt = rebuildSnapshotFromJournal(journalPath, id);
+      snapshotCache.set(id, rebuilt);
+      writeSnapshot(snapshotPath, rebuilt.snapshot);
+      if (!opts.includeCompleted && COMPLETED_PHASES.has(rebuilt.snapshot.phase)) return null;
+      return rebuilt.snapshot;
+    },
+    listActiveSessions() {
+      const ids = new Set();
+      for (const dir of [legacyRootDir, rootDir]) {
+        if (!fs.existsSync(dir)) continue;
+        for (const name of fs.readdirSync(dir)) {
+          if (name.endsWith('.jsonl')) ids.add(name.slice(0, -'.jsonl'.length));
+        }
+      }
+      return [...ids]
+        .sort()
+        .map((id) => this.getSnapshot(id))
+        .filter(Boolean);
+    },
+  };
+}
+
+function normalizeEvent(event, fallbackId) {
+  if (!event || typeof event !== 'object') throw new Error('event object required');
+  const id = event.id || fallbackId;
+  if (!id || typeof id !== 'string') throw new Error('event id required');
+  if (!event.type || typeof event.type !== 'string') throw new Error('event type required');
+  return { ...event, id };
+}
+
+function getJournalPath(rootDir, id) {
+  return path.join(rootDir, safeSessionId(id) + '.jsonl');
+}
+
+function getSnapshotPath(rootDir, id) {
+  return path.join(rootDir, safeSessionId(id) + '.snapshot.json');
+}
+
+function safeSessionId(id) {
+  if (!/^[A-Za-z0-9_-]{1,128}$/.test(id)) throw new Error('invalid session id: ' + id);
+  return id;
+}
+
+function baseSnapshot(id) {
+  return {
+    id,
+    phase: 'new',
+    pageUrl: null,
+    sourceFile: null,
+    expectedVariants: 0,
+    arrivedVariants: 0,
+    visibleVariant: null,
+    paramValues: {},
+    pendingEventSeq: null,
+    pendingEvent: null,
+    deliveryLease: null,
+    checkpointRevision: 0,
+    activeOwner: null,
+    sourceMarkers: {},
+    fallbackMode: null,
+    annotationArtifacts: [],
+    diagnostics: [],
+    updatedAt: null,
+  };
+}
+
+function rebuildSnapshotFromJournal(journalPath, id) {
+  let snapshot = baseSnapshot(id);
+  const diagnostics = [];
+  let nextSeq = 1;
+  if (!fs.existsSync(journalPath)) return { snapshot, diagnostics, nextSeq };
+
+  const lines = fs.readFileSync(journalPath, 'utf-8').split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (!line.trim()) continue;
+    try {
+      const entry = JSON.parse(line);
+      if (!entry || typeof entry !== 'object') throw new Error('entry is not object');
+      if (Number.isInteger(entry.seq)) nextSeq = Math.max(nextSeq, entry.seq + 1);
+      snapshot = applyEvent(snapshot, entry);
+    } catch (err) {
+      diagnostics.push({
+        error: 'journal_parse_failed',
+        line: i + 1,
+        message: err.message,
+      });
+    }
+  }
+  snapshot.diagnostics = [...snapshot.diagnostics, ...diagnostics];
+  return { snapshot, diagnostics, nextSeq };
+}
+
+function applyEvent(snapshot, entry, inheritedDiagnostics = []) {
+  const event = entry.event || entry;
+  const next = {
+    ...snapshot,
+    paramValues: { ...(snapshot.paramValues || {}) },
+    sourceMarkers: { ...(snapshot.sourceMarkers || {}) },
+    annotationArtifacts: [...(snapshot.annotationArtifacts || [])],
+    diagnostics: [...(snapshot.diagnostics || [])],
+    updatedAt: entry.ts || new Date().toISOString(),
+  };
+
+  if (inheritedDiagnostics.length && next.diagnostics.length === 0) {
+    next.diagnostics = [...inheritedDiagnostics];
+  }
+
+  switch (event.type) {
+    case 'generate':
+      next.phase = 'generate_requested';
+      next.pageUrl = event.pageUrl ?? next.pageUrl;
+      next.expectedVariants = event.count ?? next.expectedVariants;
+      next.pendingEventSeq = entry.seq ?? next.pendingEventSeq;
+      next.pendingEvent = toPendingEvent(event);
+      if (event.screenshotPath) upsertArtifact(next.annotationArtifacts, { type: 'screenshot', path: event.screenshotPath });
+      break;
+    case 'variants_ready':
+    case 'agent_done':
+      next.phase = event.carbonize === true ? 'carbonize_required' : 'variants_ready';
+      next.sourceFile = event.file ?? next.sourceFile;
+      next.arrivedVariants = event.arrivedVariants ?? (next.arrivedVariants ?? next.expectedVariants);
+      next.pendingEventSeq = null;
+      next.pendingEvent = null;
+      if (event.carbonize === true) {
+        next.diagnostics.push({
+          error: 'carbonize_cleanup_required',
+          file: event.file || null,
+          message: 'Accepted variant still has carbonize markers that must be folded into source CSS.',
+        });
+      }
+      break;
+    case 'checkpoint':
+      if ((event.revision ?? 0) >= (next.checkpointRevision ?? 0)) {
+        next.phase = event.phase ?? next.phase;
+        next.checkpointRevision = event.revision ?? next.checkpointRevision;
+        next.activeOwner = event.owner ?? next.activeOwner;
+        next.arrivedVariants = event.arrivedVariants ?? next.arrivedVariants;
+        next.visibleVariant = event.visibleVariant ?? next.visibleVariant;
+        if (event.paramValues) next.paramValues = { ...event.paramValues };
+      } else {
+        next.diagnostics.push({ error: 'stale_checkpoint_ignored', revision: event.revision });
+      }
+      break;
+    case 'accept':
+    case 'accept_intent':
+      next.phase = 'accept_requested';
+      next.visibleVariant = Number(event.variantId ?? next.visibleVariant);
+      if (event.paramValues) next.paramValues = { ...event.paramValues };
+      next.pendingEventSeq = entry.seq ?? next.pendingEventSeq;
+      next.pendingEvent = toPendingEvent(event);
+      break;
+    case 'discard':
+      next.phase = 'discard_requested';
+      next.pendingEventSeq = entry.seq ?? next.pendingEventSeq;
+      next.pendingEvent = toPendingEvent(event);
+      break;
+    case 'discarded':
+      next.phase = 'discarded';
+      next.pendingEventSeq = null;
+      next.pendingEvent = null;
+      break;
+    case 'complete':
+      next.phase = 'completed';
+      next.pendingEventSeq = null;
+      next.pendingEvent = null;
+      break;
+    case 'agent_error':
+      next.phase = 'agent_error';
+      next.pendingEventSeq = null;
+      next.pendingEvent = null;
+      next.diagnostics.push({ error: 'agent_error', message: event.message || 'unknown agent error' });
+      break;
+    default:
+      next.diagnostics.push({ error: 'unknown_event_type', type: event.type });
+      break;
+  }
+  return next;
+}
+
+function toPendingEvent(event) {
+  const pending = { ...event };
+  delete pending.token;
+  return pending;
+}
+
+function upsertArtifact(artifacts, artifact) {
+  if (!artifacts.some((existing) => existing.path === artifact.path && existing.type === artifact.type)) {
+    artifacts.push(artifact);
+  }
+}
+
+function writeSnapshot(snapshotPath, snapshot) {
+  fs.writeFileSync(snapshotPath, JSON.stringify(snapshot, null, 2) + '\n');
+}

.agents/skills/impeccable/scripts/live-status.mjs

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+/**
+ * Print durable recovery status for Impeccable live sessions.
+ */
+
+import { createLiveSessionStore } from './live-session-store.mjs';
+import { readLiveServerInfo } from './impeccable-paths.mjs';
+
+function readServerInfo() {
+  return readLiveServerInfo(process.cwd())?.info || null;
+}
+
+async function fetchServerStatus(info) {
+  if (!info) return null;
+  try {
+    const res = await fetch(`http://localhost:${info.port}/status?token=${info.token}`);
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+
+export async function statusCli() {
+  const info = readServerInfo();
+  const server = await fetchServerStatus(info);
+  const store = createLiveSessionStore({ cwd: process.cwd() });
+  const activeSessions = store.listActiveSessions();
+  const payload = {
+    liveServer: server ? {
+      status: server.status,
+      port: server.port,
+      connectedClients: server.connectedClients,
+      pendingEvents: server.pendingEvents,
+    } : null,
+    activeSessions: server?.activeSessions || activeSessions,
+    recoveryHint: server
+      ? 'Run live-poll.mjs to continue pending work, or live-complete.mjs --id <session> after manual cleanup.'
+      : 'Start live-server.mjs to requeue pending durable events, then run live-poll.mjs.',
+  };
+  console.log(JSON.stringify(payload, null, 2));
+}
+
+const _running = process.argv[1];
+if (_running?.endsWith('live-status.mjs') || _running?.endsWith('live-status.mjs/')) {
+  statusCli();
+}

.agents/skills/impeccable/scripts/live-wrap.mjs

@@ -0,0 +1,632 @@
+/**
+ * CLI helper: find an element in source and wrap it in a variant container.
+ *
+ * Usage:
+ *   npx impeccable wrap --id SESSION_ID --count N --query "hero-combined-left" [--file path]
+ *
+ * Searches project files for the element matching the query (class name, ID, or
+ * text snippet), wraps it with the variant scaffolding, and prints the file path
+ * + line range where the agent should insert variant HTML.
+ *
+ * This replaces 3-4 agent tool calls (grep + read + edit) with a single CLI call.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { isGeneratedFile } from './is-generated.mjs';
+
+const EXTENSIONS = ['.html', '.jsx', '.tsx', '.vue', '.svelte', '.astro'];
+
+export async function wrapCli() {
+  const args = process.argv.slice(2);
+
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(`Usage: impeccable wrap [options]
+
+Find an element in source and wrap it in a variant container.
+
+Required:
+  --id ID            Session ID for the variant wrapper
+  --count N          Number of expected variants (1-8)
+
+Element identification (at least one required):
+  --element-id ID    HTML id attribute of the element
+  --classes A,B,C    Comma-separated CSS class names
+  --tag TAG          Tag name (div, section, etc.)
+  --query TEXT       Fallback: raw text to search for
+
+Optional:
+  --file PATH        Source file to search in (skips auto-detection)
+  --text TEXT        Picked element's textContent. Used to disambiguate when
+                     classes/tag match multiple sibling elements (e.g. a list
+                     of <Card>s with the same className). Pass the first ~80
+                     chars of event.element.textContent.
+  --help             Show this help message
+
+Output (JSON):
+  { file, startLine, endLine, insertLine, commentSyntax }
+
+The agent should insert variant HTML at insertLine.`);
+    process.exit(0);
+  }
+
+  const id = argVal(args, '--id');
+  const count = parseInt(argVal(args, '--count') || '3');
+  const elementId = argVal(args, '--element-id');
+  const classes = argVal(args, '--classes');
+  const tag = argVal(args, '--tag');
+  const query = argVal(args, '--query');
+  const filePath = argVal(args, '--file');
+  const text = argVal(args, '--text');
+
+  if (!id) { console.error('Missing --id'); process.exit(1); }
+  if (!elementId && !classes && !query) {
+    console.error('Need at least one of: --element-id, --classes, --query');
+    process.exit(1);
+  }
+
+  // Build search queries in priority order (most specific first)
+  const queries = buildSearchQueries(elementId, classes, tag, query);
+
+  const genOpts = { cwd: process.cwd() };
+
+  // Find the source file. Generated files are excluded from auto-search so we
+  // don't silently write variants into a file the next build will wipe.
+  let targetFile = filePath;
+  let matchedQuery = null;
+  if (!targetFile) {
+    for (const q of queries) {
+      targetFile = findFileWithQuery(q, process.cwd(), genOpts);
+      if (targetFile) { matchedQuery = q; break; }
+    }
+    if (!targetFile) {
+      // Nothing in source. Did the element show up in a generated file? That
+      // tells the agent "fall back to the agent-driven flow" vs "element just
+      // doesn't exist in this project."
+      let generatedHit = null;
+      for (const q of queries) {
+        generatedHit = findFileWithQuery(q, process.cwd(), { ...genOpts, includeGenerated: true });
+        if (generatedHit) break;
+      }
+      if (generatedHit) {
+        console.error(JSON.stringify({
+          error: 'element_not_in_source',
+          fallback: 'agent-driven',
+          generatedMatch: path.relative(process.cwd(), generatedHit),
+          hint: 'Element found only in a generated file. See "Handle fallback" in live.md.',
+        }));
+      } else {
+        console.error(JSON.stringify({
+          error: 'element_not_found',
+          fallback: 'agent-driven',
+          hint: 'Element not found in any project file. It may be runtime-injected (JS component, etc.). See "Handle fallback" in live.md.',
+        }));
+      }
+      process.exit(1);
+    }
+  } else {
+    if (isGeneratedFile(targetFile, genOpts)) {
+      console.error(JSON.stringify({
+        error: 'file_is_generated',
+        fallback: 'agent-driven',
+        file: path.relative(process.cwd(), path.resolve(process.cwd(), targetFile)),
+        hint: 'Explicit --file points at a generated file. Writing here gets wiped by the next build. See "Handle fallback" in live.md.',
+      }));
+      process.exit(1);
+    }
+    matchedQuery = queries[0];
+  }
+
+  const content = fs.readFileSync(targetFile, 'utf-8');
+  const lines = content.split('\n');
+
+  // Find the element, trying each query in priority order. When `--text` is
+  // supplied, collect every candidate the queries surface and disambiguate
+  // by the picked element's textContent. Without `--text`, fall back to the
+  // legacy first-match behavior so unmodified callers keep working.
+  let match = null;
+  if (text) {
+    const candidates = [];
+    for (const q of queries) {
+      const all = findAllElements(lines, q, tag);
+      for (const c of all) {
+        if (!candidates.some((x) => x.startLine === c.startLine)) {
+          candidates.push(c);
+        }
+      }
+      // Once a more-specific query (ID, full className combo) yielded a unique
+      // result, stop — falling through to the loose tag+single-class query
+      // would readmit the siblings we just disambiguated past.
+      if (candidates.length === 1) break;
+    }
+    if (candidates.length === 0) {
+      console.error(JSON.stringify({ error: 'Found file but could not locate element in ' + targetFile + '. Searched for: ' + queries.join(', ') }));
+      process.exit(1);
+    }
+    if (candidates.length === 1) {
+      match = candidates[0];
+    } else {
+      const filtered = filterByText(candidates, lines, text);
+      if (filtered.length === 1) {
+        match = filtered[0];
+      } else if (filtered.length === 0) {
+        // Source uses dynamic content (`<h1>{title}</h1>` etc.) so the
+        // browser-side textContent doesn't appear literally in source. Fall
+        // back to first-match rather than refusing — this is the same
+        // behavior unmodified callers see, just preserved.
+        match = candidates[0];
+      } else {
+        // Multiple candidates ALSO match the text. Truly ambiguous — refuse
+        // rather than pick wrong, and hand the agent the candidate locations
+        // so it can disambiguate by reading the file.
+        console.error(JSON.stringify({
+          error: 'element_ambiguous',
+          fallback: 'agent-driven',
+          file: path.relative(process.cwd(), targetFile),
+          candidates: filtered.map((c) => ({
+            startLine: c.startLine + 1,
+            endLine: c.endLine + 1,
+          })),
+          hint: 'Multiple source elements match both classes/tag and textContent. Pass --element-id, a more specific --text, or write the wrapper manually. See "Handle fallback" in live.md.',
+        }));
+        process.exit(1);
+      }
+    }
+  } else {
+    for (const q of queries) {
+      match = findElement(lines, q, tag);
+      if (match) break;
+    }
+    if (!match) {
+      console.error(JSON.stringify({ error: 'Found file but could not locate element in ' + targetFile + '. Searched for: ' + queries.join(', ') }));
+      process.exit(1);
+    }
+  }
+
+  const { startLine, endLine } = match;
+  const commentSyntax = detectCommentSyntax(targetFile);
+  const styleMode = detectStyleMode(targetFile);
+  const isJsx = commentSyntax.open === '{/*';
+  const indent = lines[startLine].match(/^(\s*)/)[1];
+
+  // Extract the original element. Reindent under the wrapper while preserving
+  // the relative depth between lines — `l.trimStart()` would strip ALL leading
+  // whitespace and collapse e.g. `<aside>`/`  <h1>`/`</aside>` (6/8/6 spaces)
+  // to a single uniform indent, so on accept/discard the round-trip restores
+  // the inner element at its parent's depth instead of nested inside it.
+  // Strip only the COMMON minimum leading whitespace across the picked lines;
+  // `deindentContent` on the accept side already mirrors this convention.
+  const originalLines = lines.slice(startLine, endLine + 1);
+  const originalBaseIndent = minLeadingSpaces(originalLines);
+  const reindentOriginal = (extra) => originalLines
+    .map((l) => (l.trim() === '' ? '' : indent + extra + l.slice(originalBaseIndent)))
+    .join('\n');
+  const originalIndented = reindentOriginal('    ');
+
+  // Wrapper attributes differ by syntax. HTML allows plain string attrs;
+  // JSX requires object-literal style and parses string attrs as HTML (which
+  // either type-errors or renders a literal CSS string).
+  const styleContents = isJsx ? 'style={{ display: "contents" }}' : 'style="display: contents"';
+
+  // JSX/TSX guard: the picked element occupies a single JSX child slot
+  // (inside `return (...)`, an array `.map(...)`, an `asChild` branch, or
+  // any other expression position). Replacing it with `comment + <div> +
+  // comment` yields three adjacent siblings — invalid JSX. We can't use a
+  // Fragment `<></>` either: parents that clone children (Radix `asChild`,
+  // Headless UI, etc.) hit "Invalid prop supplied to React.Fragment" when
+  // they try to pass an `id` through.
+  //
+  // Solution: keep the wrapper `<div>` as the single JSX-slot child and
+  // tuck both marker comments INSIDE it. accept/discard then expands its
+  // replacement range to include the wrapper's `<div>` open / close lines
+  // so the entire scaffold gets removed cleanly.
+  const wrapperLines = isJsx ? [
+    indent + '<div data-impeccable-variants="' + id + '" data-impeccable-variant-count="' + count + '" ' + styleContents + '>',
+    indent + '  ' + commentSyntax.open + ' impeccable-variants-start ' + id + ' ' + commentSyntax.close,
+    indent + '  ' + commentSyntax.open + ' Original ' + commentSyntax.close,
+    indent + '  <div data-impeccable-variant="original">',
+    reindentOriginal('    '),
+    indent + '  </div>',
+    indent + '  ' + commentSyntax.open + ' Variants: insert below this line ' + commentSyntax.close,
+    indent + '  ' + commentSyntax.open + ' impeccable-variants-end ' + id + ' ' + commentSyntax.close,
+    indent + '</div>',
+  ] : [
+    indent + commentSyntax.open + ' impeccable-variants-start ' + id + ' ' + commentSyntax.close,
+    indent + '<div data-impeccable-variants="' + id + '" data-impeccable-variant-count="' + count + '" ' + styleContents + '>',
+    indent + '  ' + commentSyntax.open + ' Original ' + commentSyntax.close,
+    indent + '  <div data-impeccable-variant="original">',
+    originalIndented,
+    indent + '  </div>',
+    indent + '  ' + commentSyntax.open + ' Variants: insert below this line ' + commentSyntax.close,
+    indent + '</div>',
+    indent + commentSyntax.open + ' impeccable-variants-end ' + id + ' ' + commentSyntax.close,
+  ];
+
+  // Replace the original element with the wrapper
+  const newLines = [
+    ...lines.slice(0, startLine),
+    ...wrapperLines,
+    ...lines.slice(endLine + 1),
+  ];
+  fs.writeFileSync(targetFile, newLines.join('\n'), 'utf-8');
+
+  // Calculate insert line (the "insert below this line" comment).
+  // 0-indexed file position. Both HTML and JSX wrappers have 6 lines above
+  // the insert marker (HTML: start-comment + outer-div + Original-comment +
+  // original-div + content + close-original-div; JSX: outer-div +
+  // start-comment + Original-comment + original-div + content +
+  // close-original-div). Multi-line originals push the marker by their
+  // extra line count.
+  const insertLine = startLine + 6 + (originalLines.length - 1);
+
+  console.log(JSON.stringify({
+    file: path.relative(process.cwd(), targetFile),
+    startLine: startLine + 1,       // 1-indexed for the agent
+    // wrapperLines is an array but one element (the original-content slot)
+    // is a `\n`-joined multi-line string, so the actual file-row count is
+    // wrapperLines.length + (originalLines.length - 1). Without the offset,
+    // endLine pointed inside the wrapper for any picked element that
+    // spanned more than one source line.
+    endLine: startLine + wrapperLines.length + (originalLines.length - 1), // 1-indexed
+    insertLine: insertLine + 1,     // 1-indexed: where variants go
+    commentSyntax: commentSyntax,
+    styleMode: styleMode.mode,
+    styleTag: styleMode.styleTag,
+    cssSelectorPrefixExamples: buildCssSelectorPrefixExamples(styleMode.mode, count),
+    cssAuthoring: buildCssAuthoring(styleMode, count),
+    originalLineCount: originalLines.length,
+  }));
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function argVal(args, flag) {
+  const idx = args.indexOf(flag);
+  return idx !== -1 && idx + 1 < args.length ? args[idx + 1] : null;
+}
+
+/**
+ * Build search query strings in priority order (most specific first).
+ * ID is most reliable, then specific class combos, then single classes, then raw query.
+ */
+function buildSearchQueries(elementId, classes, tag, query) {
+  const queries = [];
+
+  // 1. ID is the most specific
+  if (elementId) {
+    queries.push('id="' + elementId + '"');
+  }
+
+  // 2. Full class attribute match (for elements with distinctive multi-class combos).
+  // Emit both class="..." (HTML) and className="..." (React/JSX) so whichever
+  // convention the file uses will match.
+  if (classes) {
+    const classList = classes.split(',').map(c => c.trim()).filter(Boolean);
+    if (classList.length > 1) {
+      const joined = classList.join(' ');
+      const sorted = [...classList].sort((a, b) => b.length - a.length);
+      queries.push('class="' + joined + '"');
+      queries.push('className="' + joined + '"');
+      queries.push(sorted[0]); // most distinctive single class, fallback
+    } else if (classList.length === 1) {
+      queries.push(classList[0]);
+    }
+  }
+
+  // 3. Tag + class combo (e.g., <section class="hero">).
+  // Same dual-emit for JSX compatibility.
+  if (tag && classes) {
+    const firstClass = classes.split(',')[0].trim();
+    queries.push('<' + tag + ' class="' + firstClass);
+    queries.push('<' + tag + ' className="' + firstClass);
+  }
+
+  // 4. Raw fallback query
+  if (query) {
+    queries.push(query);
+  }
+
+  return queries;
+}
+
+function detectCommentSyntax(filePath) {
+  const ext = path.extname(filePath).toLowerCase();
+  if (ext === '.jsx' || ext === '.tsx') {
+    return { open: '{/*', close: '*/}' };
+  }
+  // HTML, Vue, Svelte, Astro all use HTML comments
+  return { open: '<!--', close: '-->' };
+}
+
+function detectStyleMode(filePath) {
+  const ext = path.extname(filePath).toLowerCase();
+  if (ext === '.astro') {
+    return {
+      mode: 'astro-global-prefixed',
+      styleTag: '<style is:inline data-impeccable-css="SESSION_ID">',
+    };
+  }
+  return {
+    mode: 'scoped',
+    styleTag: '<style data-impeccable-css="SESSION_ID">',
+  };
+}
+
+function buildCssSelectorPrefixExamples(styleMode, count) {
+  if (styleMode !== 'astro-global-prefixed') return [];
+  return Array.from({ length: count }, (_, i) => `[data-impeccable-variant="${i + 1}"]`);
+}
+
+function buildCssAuthoring(styleMode, count) {
+  const variantNumbers = Array.from({ length: count }, (_, i) => i + 1);
+  if (styleMode.mode === 'astro-global-prefixed') {
+    return {
+      mode: styleMode.mode,
+      styleTag: styleMode.styleTag,
+      strategy: 'global-prefixed',
+      rulePattern: '[data-impeccable-variant="N"] > .variant-class { ... }',
+      selectorExamples: variantNumbers.map((n) => `[data-impeccable-variant="${n}"] > .variant-class`),
+      requirements: [
+        'Use the styleTag exactly; the is:inline attribute is required for this file.',
+        'Prefix every preview selector with the matching [data-impeccable-variant="N"] selector.',
+        'Keep selectors anchored to the generated variant wrapper; do not rely on component CSS scoping for preview rules.',
+      ],
+      forbidden: [
+        'Do not use @scope for this styleMode.',
+      ],
+    };
+  }
+  return {
+    mode: styleMode.mode,
+    styleTag: styleMode.styleTag,
+    strategy: 'scope-rule',
+    rulePattern: '@scope ([data-impeccable-variant="N"]) { :scope > .variant-class { ... } }',
+    selectorExamples: variantNumbers.map((n) => `@scope ([data-impeccable-variant="${n}"]) { :scope > .variant-class { ... } }`),
+    requirements: [
+      'Use @scope blocks keyed to each [data-impeccable-variant="N"] wrapper.',
+      'Inside each @scope block, make :scope rules step into the replacement element with a descendant combinator.',
+      'Use the styleTag exactly; do not add framework-specific style attributes unless this object says to.',
+    ],
+    forbidden: [
+      'Do not use global [data-impeccable-variant="N"] selector prefixes for this styleMode.',
+      'Do not add is:inline to the style tag for this styleMode.',
+    ],
+  };
+}
+
+/**
+ * Search project files for the query string (class name, ID, etc.)
+ * Returns the first matching file path, or null.
+ */
+function findFileWithQuery(query, cwd, genOpts = {}) {
+  const searchDirs = ['src', 'app', 'pages', 'components', 'public', 'views', 'templates', '.'];
+  const seen = new Set();
+
+  for (const dir of searchDirs) {
+    const absDir = path.join(cwd, dir);
+    if (!fs.existsSync(absDir)) continue;
+    const result = searchDir(absDir, query, seen, 0, genOpts);
+    if (result) return result;
+  }
+  return null;
+}
+
+function searchDir(dir, query, seen, depth, genOpts) {
+  if (depth > 5) return null; // don't go too deep
+  const realDir = fs.realpathSync(dir);
+  if (seen.has(realDir)) return null;
+  seen.add(realDir);
+
+  let entries;
+  try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
+  catch { return null; }
+
+  // Check files first
+  for (const entry of entries) {
+    if (!entry.isFile()) continue;
+    const ext = path.extname(entry.name).toLowerCase();
+    if (!EXTENSIONS.includes(ext)) continue;
+
+    const filePath = path.join(dir, entry.name);
+    if (!genOpts.includeGenerated && isGeneratedFile(filePath, genOpts)) continue;
+    try {
+      const content = fs.readFileSync(filePath, 'utf-8');
+      if (content.includes(query)) return filePath;
+    } catch { /* skip unreadable files */ }
+  }
+
+  // Then recurse into directories. Always skip node_modules and .git (never
+  // project content). dist/build/out are left to the isGeneratedFile guard so
+  // the includeGenerated second-pass can still find the element there and
+  // report `generatedMatch`.
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    if (entry.name === 'node_modules' || entry.name === '.git') continue;
+    const result = searchDir(path.join(dir, entry.name), query, seen, depth + 1, genOpts);
+    if (result) return result;
+  }
+
+  return null;
+}
+
+/**
+ * Regex that matches a tag opener on a line. Allows the tag name to be
+ * followed by whitespace, `>`, `/`, or end-of-line so that multi-line JSX
+ * openers (e.g. `<section\n  className="..."\n>`) are recognised.
+ */
+const OPENER_RE = /<([A-Za-z][A-Za-z0-9]*)(?=[\s/>]|$)/;
+
+/**
+ * Find the element's start and end line in the file.
+ *
+ * `query` is a class name, attribute fragment (`class="..."`, `className="..."`,
+ * `id="..."`), or a raw text snippet. Because a query can appear on a
+ * continuation line of a multi-line tag (e.g. the `className="..."` row of a
+ * `<section\n  className="..."\n>` JSX tag), we walk backward from the match
+ * line to find the actual tag opener. When `tag` is provided, opener candidates
+ * must match that tag name.
+ */
+/**
+ * Return the smallest leading-whitespace count across a set of lines,
+ * ignoring blank lines (whose indent isn't load-bearing). Used to compute
+ * the common base indent of a multi-line picked element so reindenting
+ * under the wrapper preserves the relative depth between lines.
+ */
+function minLeadingSpaces(lines) {
+  let min = Infinity;
+  for (const l of lines) {
+    if (l.trim() === '') continue;
+    const m = l.match(/^(\s*)/);
+    if (m && m[1].length < min) min = m[1].length;
+  }
+  return min === Infinity ? 0 : min;
+}
+
+function findElement(lines, query, tag = null) {
+  // Iterate all matches — the first substring hit isn't always the right one.
+  for (let i = 0; i < lines.length; i++) {
+    if (!lines[i].includes(query)) continue;
+
+    const stripped = lines[i].trim();
+    if (stripped.startsWith('<!--') || stripped.startsWith('{/*') || stripped.startsWith('//')) continue;
+    // Skip lines already inside a variant wrapper
+    if (lines[i].includes('data-impeccable-variant')) continue;
+
+    const openerLine = findOpenerLine(lines, i, tag);
+    if (openerLine === -1) continue;
+
+    const endLine = findClosingLine(lines, openerLine);
+    return { startLine: openerLine, endLine };
+  }
+
+  return null;
+}
+
+/**
+ * Like findElement, but returns every match. Used for ambiguity detection
+ * when the agent passes --text: when the same className appears on multiple
+ * sibling elements (a list of cards, repeated section variants, etc.),
+ * first-match silently lands on the wrong branch. Returning all matches lets
+ * the caller narrow by textContent or fail with a structured ambiguity error.
+ */
+function findAllElements(lines, query, tag = null) {
+  const out = [];
+  const seen = new Set();
+  for (let i = 0; i < lines.length; i++) {
+    if (!lines[i].includes(query)) continue;
+    const stripped = lines[i].trim();
+    if (stripped.startsWith('<!--') || stripped.startsWith('{/*') || stripped.startsWith('//')) continue;
+    if (lines[i].includes('data-impeccable-variant')) continue;
+    const openerLine = findOpenerLine(lines, i, tag);
+    if (openerLine === -1) continue;
+    if (seen.has(openerLine)) continue; // multiple matches inside the same element
+    seen.add(openerLine);
+    const endLine = findClosingLine(lines, openerLine);
+    out.push({ startLine: openerLine, endLine });
+  }
+  return out;
+}
+
+/**
+ * Narrow a candidate set to those whose source body matches a meaningful
+ * prefix of the picked element's textContent. The compare strips tags and
+ * JSX expressions, then checks two whitespace normalizations side-by-side:
+ *
+ *   - single-space ("hero two second card body")
+ *   - no-whitespace ("herotwosecondcardbody")
+ *
+ * Both are needed because `el.textContent` concatenates sibling text without
+ * inserting whitespace (e.g. `<h1>Hero Two</h1><p>Second…</p>` reads as
+ * `"Hero TwoSecond…"`), while the source has whitespace between tags. If
+ * EITHER normalization matches, the candidate keeps. A snippet shorter than
+ * 8 chars after stripping is too weak to disambiguate — the caller falls
+ * back to first-match.
+ */
+function filterByText(candidates, lines, text) {
+  const trimmed = text.replace(/\s+/g, ' ').trim().toLowerCase().slice(0, 80);
+  // Too short to disambiguate. Return [] so the caller's `filtered.length
+  // === 0` branch fires (fall back to first-match) — the previous
+  // `candidates.slice()` return forced `filtered.length > 1` and surfaced
+  // a spurious `element_ambiguous` error on every short-text picker event
+  // with multiple candidates.
+  if (trimmed.length < 8) return [];
+  const targetSpaced = trimmed;
+  const targetCompact = trimmed.replace(/\s+/g, '');
+
+  return candidates.filter((c) => {
+    const body = lines.slice(c.startLine, c.endLine + 1).join(' ');
+    const inner = body
+      .replace(/<[^>]*>/g, ' ')   // strip HTML/JSX tags
+      .replace(/\{[^}]*\}/g, ' ')  // strip JSX expressions
+      .toLowerCase();
+    const sourceSpaced = inner.replace(/\s+/g, ' ').trim();
+    const sourceCompact = inner.replace(/\s+/g, '');
+    return sourceSpaced.includes(targetSpaced) || sourceCompact.includes(targetCompact);
+  });
+}
+
+/**
+ * Resolve a match line to the real tag opener. If the match line itself opens
+ * a tag, return it. Otherwise walk up to 10 lines backward looking for the
+ * first tag opener. If `tag` is specified, the opener must match that tag
+ * name; an opener with a different tag name aborts the backward walk for this
+ * match (we don't jump across element boundaries).
+ *
+ * Returns the line index of the opener, or -1 if none can be resolved.
+ */
+function findOpenerLine(lines, matchLine, tag) {
+  const self = lines[matchLine].match(OPENER_RE);
+  if (self) {
+    if (!tag || self[1] === tag) return matchLine;
+    return -1;
+  }
+  const MAX_BACKWALK = 10;
+  for (let i = matchLine - 1; i >= Math.max(0, matchLine - MAX_BACKWALK); i--) {
+    const opener = lines[i].match(OPENER_RE);
+    if (!opener) continue;
+    if (!tag || opener[1] === tag) return i;
+    // Different tag name than requested — abort; we're inside a non-target opener.
+    return -1;
+  }
+  return -1;
+}
+
+/**
+ * Starting from a line with an opening tag, find the line with the matching
+ * closing tag by counting tag nesting depth.
+ */
+function findClosingLine(lines, start) {
+  const openMatch = lines[start].match(OPENER_RE);
+  if (!openMatch) return start; // caller passed a non-opener; nothing to span
+
+  const tagName = openMatch[1];
+  let depth = 0;
+  const openRe = new RegExp('<' + tagName + '(?=[\\s/>]|$)', 'g');
+  const selfCloseRe = new RegExp('<' + tagName + '[^>]*/>', 'g');
+  const closeRe = new RegExp('</' + tagName + '\\s*>', 'g');
+
+  for (let i = start; i < lines.length; i++) {
+    const line = lines[i];
+    const opens = (line.match(openRe) || []).length;
+    const selfCloses = (line.match(selfCloseRe) || []).length;
+    const closes = (line.match(closeRe) || []).length;
+
+    depth += opens - selfCloses - closes;
+
+    if (depth <= 0) return i;
+  }
+
+  // If we can't find the close, return a reasonable guess
+  return Math.min(start + 50, lines.length - 1);
+}
+
+// Auto-execute when run directly (node live-wrap.mjs ...)
+const _running = process.argv[1];
+if (_running?.endsWith('live-wrap.mjs') || _running?.endsWith('live-wrap.mjs/')) {
+  wrapCli();
+}
+
+// Test exports (used by tests/live-wrap.test.mjs)
+export { buildSearchQueries, findElement, findClosingLine, detectCommentSyntax };

.agents/skills/impeccable/scripts/live.mjs

@@ -0,0 +1,247 @@
+/**
+ * CLI entry point: prepare everything needed to enter the live variant poll loop.
+ *
+ * Does (all in one command):
+ *   1. Check .impeccable/live/config.json (returns config_missing if first-ever run)
+ *   2. Start the live server in the background (or reuse a running one)
+ *   3. Inject the browser script tag into the project's entry file
+ *   4. Read PRODUCT.md / DESIGN.md for project context
+ *   5. Print a single JSON blob with everything the agent needs
+ *
+ * After this, the agent's only remaining steps are:
+ *   - Open the project's live dev/preview URL in the browser (optional, if browser automation exists)—not `serverPort`; that port is the Impeccable helper for /live.js and /poll
+ *   - Enter the poll loop: `node live-poll.mjs`
+ *
+ * Usage:
+ *   node live.mjs                   # Prepare everything, print JSON, exit
+ *   node live.mjs --help
+ */
+
+import { execSync } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { loadContext } from './load-context.mjs';
+import { resolveFiles } from './live-inject.mjs';
+import { readLiveServerInfo } from './impeccable-paths.mjs';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+async function liveCli() {
+  const args = process.argv.slice(2);
+
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(`Usage: node live.mjs
+
+Prepare everything for live variant mode in a single command:
+  - Checks .impeccable/live/config.json (required, created once per project)
+  - Starts (or reuses) the live server in the background
+  - Injects the browser script tag
+  - Reads PRODUCT.md / DESIGN.md for project context
+
+On success, prints a JSON blob with:
+  { ok, serverPort, serverToken, pageFile, hasContext, context }
+
+On config_missing, prints:
+  { ok: false, error: "config_missing", configPath, hint }
+
+The agent should then:
+  1. If config_missing, create the config and re-run this script
+  2. Optionally open the project's dev/preview URL in the browser (see reference/live.md—not serverPort)
+  3. Enter the poll loop: node live-poll.mjs`);
+    process.exit(0);
+  }
+
+  // 1. Check config (fail fast if missing — no point starting anything else)
+  const checkOut = runScript('live-inject.mjs', ['--check']);
+  const checkResult = safeParse(checkOut);
+  if (!checkResult || !checkResult.ok) {
+    console.log(JSON.stringify(checkResult || { ok: false, error: 'check_failed', raw: checkOut }));
+    process.exit(0);
+  }
+
+  // 2. Start server (or reuse existing)
+  const serverInfo = ensureServerRunning();
+  if (!serverInfo) {
+    console.log(JSON.stringify({ ok: false, error: 'server_start_failed' }));
+    process.exit(1);
+  }
+
+  // 3. Inject the script tag at the current port
+  const injectOut = runScript('live-inject.mjs', ['--port', String(serverInfo.port)]);
+  const injectResult = safeParse(injectOut);
+  if (!injectResult || !injectResult.ok) {
+    console.log(JSON.stringify({
+      ok: false,
+      error: 'inject_failed',
+      detail: injectResult || injectOut,
+      serverPort: serverInfo.port,
+    }));
+    process.exit(1);
+  }
+
+  // 4. Load PRODUCT.md + DESIGN.md context (auto-migrates legacy .impeccable.md)
+  const ctx = loadContext(process.cwd());
+
+  // 5. Compute drift-heal: compare resolved inject targets against the
+  //    project's HTML files. Orphans are HTML files not covered by config.
+  //    Warning only — the agent decides whether to act.
+  const resolvedFiles = resolveFiles(process.cwd(), checkResult.config);
+  const drift = scanForDrift(process.cwd(), resolvedFiles, checkResult.config);
+
+  // 6. Emit everything the agent needs
+  console.log(JSON.stringify({
+    ok: true,
+    serverPort: serverInfo.port,
+    serverToken: serverInfo.token,
+    pageFiles: resolvedFiles,
+    configDrift: drift,
+    hasProduct: ctx.hasProduct,
+    product: ctx.product,
+    productPath: ctx.productPath,
+    hasDesign: ctx.hasDesign,
+    design: ctx.design,
+    designPath: ctx.designPath,
+    migrated: ctx.migrated,
+  }, null, 2));
+}
+
+/**
+ * Drift-heal scan. Walks the project for HTML files under common
+ * page-source directories (public/, src/, app/, pages/) and reports any
+ * that aren't covered by the resolved inject targets. This is purely
+ * advisory — the agent can ignore it, or suggest the user add the
+ * orphans to config.files.
+ *
+ * Skipped if config.files already contains at least one glob pattern
+ * covering everything in practice (signaled by the orphan count being 0).
+ */
+function scanForDrift(rootDir, resolvedFiles, config) {
+  const SCAN_ROOTS = ['public', 'src', 'app', 'pages'];
+  const IGNORE_DIRS = new Set([
+    'node_modules', '.git', '.next', '.nuxt', '.svelte-kit', '.astro',
+    '.turbo', '.vercel', '.cache', 'coverage', 'dist', 'build',
+  ]);
+
+  const resolvedSet = new Set(resolvedFiles.map((f) => f.split(path.sep).join('/')));
+
+  // Files matching the user's `exclude` globs are intentional omissions,
+  // not drift. Compile them to regexes so the orphan list stays signal.
+  const userExcludeRegexes = (Array.isArray(config.exclude) ? config.exclude : [])
+    .map((p) => globToRegex(p));
+  const isUserExcluded = (rel) => userExcludeRegexes.some((re) => re.test(rel));
+
+  const orphans = [];
+
+  const walk = (dir, relBase) => {
+    let entries;
+    try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
+    catch { return; }
+    for (const e of entries) {
+      const rel = relBase ? `${relBase}/${e.name}` : e.name;
+      if (e.isDirectory()) {
+        if (IGNORE_DIRS.has(e.name) || e.name.startsWith('.')) continue;
+        walk(path.join(dir, e.name), rel);
+      } else if (e.isFile() && e.name.endsWith('.html')) {
+        if (resolvedSet.has(rel)) continue;
+        if (isUserExcluded(rel)) continue;
+        orphans.push(rel);
+      }
+    }
+  };
+
+  for (const root of SCAN_ROOTS) {
+    const abs = path.join(rootDir, root);
+    if (fs.existsSync(abs) && fs.statSync(abs).isDirectory()) {
+      walk(abs, root);
+    }
+  }
+
+  if (orphans.length === 0) return null;
+  const capped = orphans.slice(0, 20);
+  return {
+    orphans: capped,
+    orphanCount: orphans.length,
+    hint: `${orphans.length} HTML file(s) exist but aren't in config.files. Consider adding them, or use a glob pattern like "public/**/*.html".`,
+  };
+}
+
+/**
+ * Same glob-to-regex mapping used by live-inject.mjs. Kept inline here
+ * to avoid a circular import (live-inject.mjs already imports nothing
+ * from live.mjs). The two must stay in sync.
+ */
+function globToRegex(pattern) {
+  let re = '';
+  let i = 0;
+  while (i < pattern.length) {
+    const c = pattern[i];
+    if (c === '*') {
+      if (pattern[i + 1] === '*') {
+        if (pattern[i + 2] === '/') { re += '(?:.*/)?'; i += 3; }
+        else { re += '.*'; i += 2; }
+      } else {
+        re += '[^/]*';
+        i += 1;
+      }
+    } else if (c === '?') {
+      re += '[^/]';
+      i += 1;
+    } else if (/[.+^${}()|[\]\\]/.test(c)) {
+      re += '\\' + c;
+      i += 1;
+    } else {
+      re += c;
+      i += 1;
+    }
+  }
+  return new RegExp('^' + re + '$');
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function runScript(name, args) {
+  const scriptPath = path.join(__dirname, name);
+  const cmd = `node "${scriptPath}" ${args.map(a => `"${a}"`).join(' ')}`;
+  try {
+    return execSync(cmd, { encoding: 'utf-8', cwd: process.cwd(), timeout: 15_000 });
+  } catch (err) {
+    // execSync throws on non-zero exit; return stdout if any
+    return err.stdout || err.message || '';
+  }
+}
+
+function safeParse(out) {
+  try { return JSON.parse(String(out).trim()); } catch { return null; }
+}
+
+/**
+ * Return { pid, port, token } for the running live server, starting one if needed.
+ */
+function ensureServerRunning() {
+  // Try to reuse an existing server
+  try {
+    const existing = readLiveServerInfo(process.cwd())?.info;
+    if (existing && existing.pid) {
+      try {
+        process.kill(existing.pid, 0); // throws if dead
+        return existing;
+      } catch { /* stale PID file — the server script will clean it up */ }
+    }
+  } catch { /* no PID file */ }
+
+  // Start a new server
+  const out = runScript('live-server.mjs', ['--background']);
+  return safeParse(out);
+}
+
+// ---------------------------------------------------------------------------
+// Auto-execute
+// ---------------------------------------------------------------------------
+
+const _running = process.argv[1];
+if (_running?.endsWith('live.mjs') || _running?.endsWith('live.mjs/')) {
+  liveCli();
+}

.agents/skills/impeccable/scripts/load-context.mjs

@@ -0,0 +1,141 @@
+/**
+ * Shared context loader for every impeccable command that needs to know
+ * "who is this for" and "what does this look like".
+ *
+ * Input: project root (process.cwd()).
+ *
+ * Output (JSON to stdout):
+ *   {
+ *     hasProduct: boolean,        // PRODUCT.md found (or auto-migrated)
+ *     product: string | null,     // PRODUCT.md contents
+ *     productPath: string | null, // relative path
+ *     hasDesign: boolean,         // DESIGN.md found
+ *     design: string | null,      // DESIGN.md contents
+ *     designPath: string | null,
+ *     migrated: boolean,          // true if we auto-renamed .impeccable.md -> PRODUCT.md
+ *     contextDir: string,         // absolute path of the directory the files were found in
+ *   }
+ *
+ * Filename matching is case-insensitive for PRODUCT.md and DESIGN.md. The
+ * Google DESIGN.md convention is uppercase at repo root; Kiro-style and
+ * lowercase variants are also matched so users don't get punished for case.
+ *
+ * Lookup directory resolution (first match wins):
+ *   1. process.env.IMPECCABLE_CONTEXT_DIR (absolute or relative to cwd)
+ *   2. cwd, if PRODUCT.md / DESIGN.md / .impeccable.md is there (back-compat)
+ *   3. Auto-fallback subdirectories of cwd: .agents/context/, then docs/
+ *   4. cwd as a default "no context found" location
+ *
+ * Legacy `.impeccable.md` -> PRODUCT.md migration only fires at cwd root;
+ * fallback directories are read-only as far as auto-rename is concerned.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+const PRODUCT_NAMES = ['PRODUCT.md', 'Product.md', 'product.md'];
+const DESIGN_NAMES = ['DESIGN.md', 'Design.md', 'design.md'];
+const LEGACY_NAMES = ['.impeccable.md'];
+const FALLBACK_DIRS = ['.agents/context', 'docs'];
+
+/**
+ * Resolve the directory that holds PRODUCT.md / DESIGN.md for
+ * this project. Exported so other scripts (e.g. live-server.mjs) can read the
+ * design files from the same location the loader uses.
+ */
+export function resolveContextDir(cwd = process.cwd()) {
+  // 1. Explicit override
+  const envDir = process.env.IMPECCABLE_CONTEXT_DIR;
+  if (envDir && envDir.trim()) {
+    const trimmed = envDir.trim();
+    return path.isAbsolute(trimmed) ? trimmed : path.resolve(cwd, trimmed);
+  }
+
+  // 2. cwd wins if any canonical or legacy file is there. We check legacy too
+  //    so the auto-migration path in loadContext stays predictable.
+  if (firstExisting(cwd, [...PRODUCT_NAMES, ...DESIGN_NAMES, ...LEGACY_NAMES])) {
+    return cwd;
+  }
+
+  // 3. Auto-fallback subdirs. Match if PRODUCT.md or DESIGN.md is present;
+  //    legacy `.impeccable.md` does not pull the lookup into a fallback dir.
+  for (const rel of FALLBACK_DIRS) {
+    const candidate = path.resolve(cwd, rel);
+    if (firstExisting(candidate, [...PRODUCT_NAMES, ...DESIGN_NAMES])) {
+      return candidate;
+    }
+  }
+
+  // 4. Nothing found — keep the historical "default to cwd" behaviour so the
+  //    caller's `hasProduct === false` branch still fires the same way.
+  return cwd;
+}
+
+export function loadContext(cwd = process.cwd()) {
+  let migrated = false;
+  const contextDir = resolveContextDir(cwd);
+
+  // 1. Look for PRODUCT.md (case-insensitive) in the resolved dir
+  let productPath = firstExisting(contextDir, PRODUCT_NAMES);
+
+  // 2. Legacy: if no PRODUCT.md but .impeccable.md exists at cwd root, rename
+  //    it in place. We only migrate at the root — fallback dirs are read-only
+  //    so we don't surprise users by mutating files under docs/ or .agents/.
+  if (!productPath && contextDir === cwd) {
+    const legacyPath = firstExisting(cwd, LEGACY_NAMES);
+    if (legacyPath) {
+      const newPath = path.join(cwd, 'PRODUCT.md');
+      try {
+        fs.renameSync(legacyPath, newPath);
+        productPath = newPath;
+        migrated = true;
+      } catch {
+        // Rename failed (permissions, etc.) — fall back to reading legacy in place
+        productPath = legacyPath;
+      }
+    }
+  }
+
+  // 3. DESIGN.md (case-insensitive)
+  const designPath = firstExisting(contextDir, DESIGN_NAMES);
+
+  const product = productPath ? safeRead(productPath) : null;
+  const design = designPath ? safeRead(designPath) : null;
+
+  return {
+    hasProduct: !!product,
+    product,
+    productPath: productPath ? path.relative(cwd, productPath) : null,
+    hasDesign: !!design,
+    design,
+    designPath: designPath ? path.relative(cwd, designPath) : null,
+    migrated,
+    contextDir,
+  };
+}
+
+function firstExisting(dir, names) {
+  for (const name of names) {
+    const abs = path.join(dir, name);
+    if (fs.existsSync(abs)) return abs;
+  }
+  return null;
+}
+
+function safeRead(p) {
+  try { return fs.readFileSync(p, 'utf-8'); } catch { return null; }
+}
+
+// ---------------------------------------------------------------------------
+// CLI mode — print the context as JSON
+// ---------------------------------------------------------------------------
+
+function cli() {
+  const result = loadContext(process.cwd());
+  console.log(JSON.stringify(result, null, 2));
+}
+
+const _running = process.argv[1];
+if (_running?.endsWith('load-context.mjs') || _running?.endsWith('load-context.mjs/')) {
+  cli();
+}

.agents/skills/impeccable/scripts/pin.mjs

@@ -0,0 +1,214 @@
+#!/usr/bin/env node
+/**
+ * Pin/unpin sub-commands as standalone skill shortcuts.
+ *
+ * Usage:
+ *   node <scripts_path>/pin.mjs pin <command>
+ *   node <scripts_path>/pin.mjs unpin <command>
+ *
+ * `pin audit` creates a lightweight /audit skill that redirects to /impeccable audit.
+ * `unpin audit` removes that shortcut.
+ *
+ * The script discovers harness directories (.claude/skills, .cursor/skills, etc.)
+ * in the project root and creates/removes the pin in all of them.
+ */
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync, rmSync, readdirSync } from 'node:fs';
+import { join, resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+// All known harness directories
+const HARNESS_DIRS = [
+  '.claude', '.cursor', '.gemini', '.codex', '.agents',
+  '.trae', '.trae-cn', '.pi', '.opencode', '.kiro', '.rovodev',
+];
+
+// Valid sub-command names
+const VALID_COMMANDS = [
+  'craft', 'teach', 'extract', 'document', 'shape',
+  'critique', 'audit',
+  'polish', 'bolder', 'quieter', 'distill', 'harden', 'onboard', 'live',
+  'animate', 'colorize', 'typeset', 'layout', 'delight', 'overdrive',
+  'clarify', 'adapt', 'optimize',
+];
+
+// Marker to identify pinned skills (so unpin doesn't delete user skills)
+const PIN_MARKER = '<!-- impeccable-pinned-skill -->';
+
+/**
+ * Walk up from startDir to find a project root.
+ */
+function findProjectRoot(startDir = process.cwd()) {
+  let dir = resolve(startDir);
+  while (dir !== '/') {
+    if (
+      existsSync(join(dir, 'package.json')) ||
+      existsSync(join(dir, '.git')) ||
+      existsSync(join(dir, 'skills-lock.json'))
+    ) {
+      return dir;
+    }
+    const parent = resolve(dir, '..');
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return resolve(startDir);
+}
+
+/**
+ * Find harness skill directories that have an impeccable skill installed.
+ */
+function findHarnessDirs(projectRoot) {
+  const dirs = [];
+  for (const harness of HARNESS_DIRS) {
+    const skillsDir = join(projectRoot, harness, 'skills');
+    // Only pin in harness dirs that already have impeccable installed
+    const impeccableDir = join(skillsDir, 'impeccable');
+    if (existsSync(impeccableDir) || existsSync(join(skillsDir, 'i-impeccable'))) {
+      dirs.push(skillsDir);
+    }
+  }
+  return dirs;
+}
+
+/**
+ * Load command metadata (descriptions for pinned skills).
+ */
+function loadCommandMetadata() {
+  const metadataPath = join(__dirname, 'command-metadata.json');
+  if (existsSync(metadataPath)) {
+    return JSON.parse(readFileSync(metadataPath, 'utf-8'));
+  }
+  return {};
+}
+
+/**
+ * Generate a pinned skill's SKILL.md content.
+ */
+function generatePinnedSkill(command, metadata) {
+  const desc = metadata[command]?.description || `Shortcut for /impeccable ${command}.`;
+  const hint = metadata[command]?.argumentHint || '[target]';
+
+  return `---
+name: ${command}
+description: "${desc}"
+argument-hint: "${hint}"
+user-invocable: true
+---
+
+${PIN_MARKER}
+
+This is a pinned shortcut for \`{{command_prefix}}impeccable ${command}\`.
+
+Invoke {{command_prefix}}impeccable ${command}, passing along any arguments provided here, and follow its instructions.
+`;
+}
+
+/**
+ * Pin a command: create shortcut skill in all harness dirs.
+ */
+function pin(command, projectRoot) {
+  const metadata = loadCommandMetadata();
+  const harnessDirs = findHarnessDirs(projectRoot);
+
+  if (harnessDirs.length === 0) {
+    console.log('No harness directories with impeccable installed found.');
+    return false;
+  }
+
+  const content = generatePinnedSkill(command, metadata);
+  let created = 0;
+
+  for (const skillsDir of harnessDirs) {
+    // Check if skill already exists (and isn't a pin)
+    const skillDir = join(skillsDir, command);
+    if (existsSync(skillDir)) {
+      const existingMd = join(skillDir, 'SKILL.md');
+      if (existsSync(existingMd)) {
+        const existing = readFileSync(existingMd, 'utf-8');
+        if (!existing.includes(PIN_MARKER)) {
+          console.log(`  SKIP: ${skillDir} (non-pinned skill already exists)`);
+          continue;
+        }
+      }
+    }
+
+    mkdirSync(skillDir, { recursive: true });
+    writeFileSync(join(skillDir, 'SKILL.md'), content, 'utf-8');
+    console.log(`  + ${skillDir}`);
+    created++;
+  }
+
+  if (created > 0) {
+    console.log(`\nPinned '${command}' as a standalone shortcut in ${created} location(s).`);
+    console.log(`You can now use /${command} directly.`);
+  }
+
+  return created > 0;
+}
+
+/**
+ * Unpin a command: remove shortcut skill from all harness dirs.
+ */
+function unpin(command, projectRoot) {
+  const harnessDirs = findHarnessDirs(projectRoot);
+  let removed = 0;
+
+  for (const skillsDir of harnessDirs) {
+    const skillDir = join(skillsDir, command);
+    if (!existsSync(skillDir)) continue;
+
+    const skillMd = join(skillDir, 'SKILL.md');
+    if (!existsSync(skillMd)) continue;
+
+    // Safety: only remove if it's a pinned skill
+    const content = readFileSync(skillMd, 'utf-8');
+    if (!content.includes(PIN_MARKER)) {
+      console.log(`  SKIP: ${skillDir} (not a pinned skill)`);
+      continue;
+    }
+
+    rmSync(skillDir, { recursive: true, force: true });
+    console.log(`  - ${skillDir}`);
+    removed++;
+  }
+
+  if (removed > 0) {
+    console.log(`\nUnpinned '${command}' from ${removed} location(s).`);
+    console.log(`Use /impeccable ${command} to access it.`);
+  } else {
+    console.log(`No pinned '${command}' shortcut found.`);
+  }
+
+  return removed > 0;
+}
+
+// --- CLI ---
+const [,, action, command] = process.argv;
+
+if (!action || !command) {
+  console.log('Usage: node pin.mjs <pin|unpin> <command>');
+  console.log(`\nAvailable commands: ${VALID_COMMANDS.join(', ')}`);
+  process.exit(1);
+}
+
+if (action !== 'pin' && action !== 'unpin') {
+  console.error(`Unknown action: ${action}. Use 'pin' or 'unpin'.`);
+  process.exit(1);
+}
+
+if (!VALID_COMMANDS.includes(command)) {
+  console.error(`Unknown command: ${command}`);
+  console.error(`Available commands: ${VALID_COMMANDS.join(', ')}`);
+  process.exit(1);
+}
+
+const root = findProjectRoot();
+
+if (action === 'pin') {
+  pin(command, root);
+} else {
+  unpin(command, root);
+}

.claire/tmp/watchdog-impl/api_watchdog_alerts.rs

@@ -0,0 +1 @@
+placeholder

.claude/AGENT_COORDINATION_RULES.md

@@ -1,38 +0,0 @@
-# Agent Coordination Rules
-
-**Purpose:** Reference for agents about their responsibilities and coordination patterns.
-**Main Claude behavioral rules are in CLAUDE.md - this file is for agent reference only.**
-
----
-
-## Agent Responsibilities
-
-| Agent | Authority | Examples |
-|-------|-----------|----------|
-| Database Agent | ALL data operations | Queries, inserts, updates, deletes, API calls |
-| Coding Agent | Production code | Python, PowerShell, Bash; new code and modifications |
-| Testing Agent | Test execution | pytest, validation scripts, performance tests |
-| Code Review Agent | Code quality (MANDATORY) | Security, standards, quality checks before commits |
-| Gitea Agent | Git/version control | Commits, pushes, branches, tags |
-| Backup Agent | Backup/restore | Create backups, restore data, verify integrity |
-
-## Coordination Flow
-
-```
-User request -> Main Claude (coordinator) -> Launches agent(s) -> Agent returns summary -> Main Claude presents to user
-```
-
-- Main Claude NEVER queries databases, writes production code, runs tests, or commits directly
-- Agents return concise summaries, not raw data
-- Independent operations run in parallel
-- Use Sequential Thinking MCP for genuinely complex problems
-
-## Skills vs Agents
-
-- **Skills** (Skill tool): Specialized enhancements - frontend-design validation, design patterns
-- **Agents** (Task tool): Core operations - database, code, testing, git, backups
-- **Rule:** Skills enhance/validate. Agents execute/operate.
-
----
-
-**Last Updated:** 2026-02-17

.claude/CLAUDE.md

@@ -0,0 +1,85 @@
+# ClaudeTools — Core Operating Rules
+
+> Lean CORE, always loaded. The FULL manual — onboarding steps, work-mode detail, the
+> coordination-API protocol, project/command/reference tables, Ollama/GrepAI, vault detail
+> — is in **`.claude/CLAUDE_EXTENDED.md`**. Read EXTENDED when: onboarding a new machine,
+> switching work modes, using the coord API (locks/messages/todos), provisioning, or
+> unsure about any workflow. Harness version: `.claude/harness/VERSION`.
+
+## Identity & multi-user (check first)
+Shared repo across the team. At session start read `.claude/identity.json` (gitignored,
+per-machine) and greet by name. If it is **missing** (new machine) → run the onboarding
+flow in EXTENDED before other work. Team: **Mike Swanson** (admin/owner), **Howard Enos**
+(tech, full trust — same access). Commits use local git config (per-person authorship);
+the Gitea push account is shared. Every session log needs a `## User` block (use
+`.claude/scripts/whoami-block.sh`).
+
+## How you work — act directly, delegate deliberately
+You are the main operator. **ACT DIRECTLY by default.** Delegate to a sub-agent ONLY when:
+(a) the task produces high-volume tool output, (b) blast radius >3 files across layers,
+(c) a genuine domain shift needs a specialized agent, or (d) independent work can run in
+parallel. Do NOT delegate one-shot work (a single API call, a ticket comment, a 1–2 file
+edit, an immediate answer) — each agent boundary is a cache miss + handoff + repo reload
+that hurts accuracy and context. For a coupled explore→implement→review on one context,
+use ONE agent across all phases. Agent defs: `.claude/agents/`.
+
+## Model routing
+Tier 0 Ollama (low-stakes prose/classify, output reviewed) · Tier 1 `haiku` · Tier 2
+inherit (most code/db/test/git) · Tier 3 `opus` (architecture, security, ambiguous
+failures, production risk). Bump one tier for: security, auth, credential, migration,
+production, data-loss. Detail: EXTENDED + `.claude/OLLAMA.md`.
+
+## Key rules (always)
+- **NO EMOJIS.** Use ASCII markers: `[OK]` `[ERROR]` `[WARNING]` `[INFO]` `[CRITICAL]`.
+- **Credentials — capture, vault, document (ALWAYS).** ANY credential that surfaces in a
+  session — one the user pastes, one you create/rotate, one you discover in a log/config — you
+  MUST immediately store it in the SOPS vault **via the `vault` skill** (the canonical path —
+  this is why the vault exists; do not improvise raw `sops`/`vault.sh`) AND document it
+  thoroughly in the entry: what it is, what it's for, and exactly how it's used (auth method,
+  endpoint, gotchas). Read with the skill too; `vault.sh get-field <path> <field>` is the
+  underlying read (1Password fallback). Never commit plaintext secrets (pre-commit
+  `harness-guard.sh` warns). Losing/forgetting infra credentials wastes real time — capturing
+  them is not optional.
+- **SSH:** system OpenSSH (`C:\Windows\System32\OpenSSH\ssh.exe`), never Git-for-Windows SSH.
+- **Data integrity:** never placeholder/fake data — check vault, wiki, or ask.
+- **Hard-to-reverse or outward-facing actions:** confirm first (per-action, per-session).
+- **Error logging (mandatory, all skills):** when a task or skill hits a GENUINE functional error during execution (failed command, API/auth failure, unexpected API response, tool call), record it to `errorlog.md` (repo root) via the canonical helper — never hand-format: `bash .claude/scripts/log-skill-error.sh "<skill/command>" "<brief error>" [--context "k=v ..."]`. It stamps UTC date + machine (from `identity.json`) and inserts in the standard `YYYY-MM-DD | MACHINE | skill | error` format (newest on top) for later skill **linting**, and soft-fails so it never breaks the caller. **Every skill MUST call it at its failure branches**; you (main loop) call it after any skill/command genuinely fails. Do NOT log expected/handled conditions (no search matches, no unread messages, a user declining a prompt) — only real failures worth spotting a pattern. Python skills shell out to the same helper.
+- **Log user corrections too (`--correction`):** when the user CORRECTS an improper assumption or wrong approach you took (e.g. "don't use INKY unless onboarded", "EXO already has Mail.Send", "I don't need an exact match"), log it: `bash .claude/scripts/log-skill-error.sh "<skill/context>" "assumed X; correct is Y" --correction`. These are the highest-value entries — they surface recurring bad assumptions so we can train them out of the system. If the correction is a durable preference, ALSO save it as a `feedback` memory (the two are complementary: memory fixes future behavior, errorlog tracks the pattern for linting).
+- **Log preventable friction too (`--friction`):** any time you waste tokens on a preventable, repeatable self-inflicted error — harness/env/tool misuse (Git-Bash `/tmp` path mismatch, shell env not persisting between Bash calls, passing huge args on the command line, PowerShell var case-collisions, etc.) — log it: `bash .claude/scripts/log-skill-error.sh "<context e.g. bash/env>" "what wasted tokens + the fix" --friction [--context "ref=<memory-or-rule>"]`. **If it repeats something already in memory or CLAUDE.md, that's the highest-value entry** — it means a rule/memory isn't working; cite the ref. This log is the corpus we lint to build better CLAUDE.md rules and to clean stale/misleading memory. Goal: stop paying twice for the same mistake.
+- **Windows:** ensure `bash` resolves to Git-for-Windows MSYS bash, not the WSL stub; write
+  `.claude/current-mode` with a relative/forward-slash path only (never a backslash Windows
+  path). Detail + fixes: EXTENDED.
+
+## Coordination (live source of truth)
+The coord API (`http://172.16.3.30:8001/api/coord`, no auth) holds live locks, messages,
+todos, component state. **If a `system-reminder` contains "UNREAD COORD MESSAGES", you MUST
+reproduce the full message block verbatim at the top of your response before anything else**
+— the user cannot see system-reminders. Session-start checks, locks, inter-session
+messaging, todos, softfail queue: EXTENDED (and the `coord` skill).
+
+## Context loading (don't ask for what's recorded)
+Before responding, load context when a trigger fires — a client/project/system/server is
+named, or the user says continue/resume/back-to/finish: read **`wiki/`** FIRST (synthesized
+knowledge; index `wiki/index.md`), then the relevant `CONTEXT.md` / session logs, then the
+coord API. Never ask for infra or recent-work facts that live in the wiki or `CONTEXT.md`.
+Full trigger table + recovery: EXTENDED; the `/context` command.
+
+## Work modes
+Auto-detect mode (remediation / client / infra / dev / general) from each message. On
+change: announce `[MODE -> x]`, tell the user to run `/color <c>`, and write the mode to
+`.claude/current-mode`. Mode postures + triggers: EXTENDED.
+
+## Memory & knowledge layers
+Shared memory in `.claude/memory/` (index `MEMORY.md`, loaded each session) — write here
+(repo-relative), NEVER `~/.claude/projects/*/memory/`. Wiki = synthesized truth (on-demand);
+session-logs = archive; memory = small ephemeral facts + harness quirks. Save user
+facts/feedback/project/reference per the memory format; one fact per file + an index line.
+
+## RMM Thoughts
+GuruRMM ideas from Mike/Howard go to `projects/msp-tools/guru-rmm/docs/RMM_THOUGHTS.md`
+(Status: Raw) → discuss → `/shape-spec` → roadmap → build. Don't build until an explicit go.
+`/feature-request` captures Howard's requests there.
+
+---
+Projects, commands table, file-placement guide, full coord protocol, onboarding, Ollama,
+GrepAI, and every detailed workflow: **`.claude/CLAUDE_EXTENDED.md`**.

.claude/CLAUDE_EXTENDED.md

@@ -0,0 +1,371 @@
+# ClaudeTools — Extended Operating Manual
+
+> Full reference. The lean always-loaded CORE is `.claude/CLAUDE.md`. Read this when
+> onboarding, switching modes, using the coord API, or unsure about a workflow.
+
+---
+
+# ClaudeTools Project Context
+
+## Multi-User Environment (CHECK FIRST)
+
+This repo is shared across multiple team members. **At every session start, BEFORE doing anything else:**
+
+1. **Read `.claude/identity.json`** (local, gitignored). If it exists, greet the user by name and proceed.
+2. **If identity.json does NOT exist** (first sync on a new machine):
+   - Read `.claude/users.json` for the known user list
+   - Ask: "This looks like a new machine. Are you **Mike Swanson** or **Howard Enos**? (Or someone new?)"
+   - Based on their answer, create `.claude/identity.json`:
+     ```json
+     {
+       "user": "mike",
+       "full_name": "Mike Swanson",
+       "email": "mike@azcomputerguru.com",
+       "role": "admin",
+       "machine": "<HOSTNAME>",
+       "vault_path": "<absolute path to vault repo on this machine>",
+       "claudetools_root": "<absolute path to ClaudeTools repo on this machine>"
+     }
+     ```
+     Ask the user where the vault repo is cloned (e.g., `D:/vault`, `~/vault`, `/Users/howard/vault`) and where ClaudeTools is cloned (e.g., `D:/claudetools`, `~/ClaudeTools`, `/Users/mike/ClaudeTools`).
+   - Set local git config: `git config user.name "<full_name>"` and `git config user.email "<email>"`
+   - Set git remote (read `gitea_username` from users.json): `git remote set-url origin https://<gitea_username>@git.azcomputerguru.com/azcomputerguru/claudetools.git`
+   - Add hostname to user's `known_machines` in users.json and commit.
+   - Run `.claude/scripts/migrate-identity.sh` to populate machine-specific config (ollama, python, platform, architecture).
+   - **Show the user `.claude/ONBOARDING.md`** — present section by section, explain the WHY, answer questions.
+3. **If hostname doesn't match any known machine** for the identified user, update their `known_machines` in users.json.
+
+### Session Log Attribution
+
+Every session log MUST include a `## User` section:
+```markdown
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** DESKTOP-0O8A1RL
+- **Role:** admin
+```
+
+Commits use local git config (user.name / user.email). Gitea push account is shared (azcomputerguru) but commit authorship tracks the actual person.
+
+### Current Team
+
+| User | Role | Notes |
+|---|---|---|
+| **Mike Swanson** (mike) | admin | Owner, President of Arizona Computer Guru LLC |
+| **Howard Enos** (howard) | tech | Employee, technician. Full trust — same access as admin. |
+
+---
+
+## Work Mode
+
+Auto-detect on every user message (first match wins):
+
+| Mode | Triggers | Posture |
+|------|----------|---------|
+| **remediation** | "remediation tool", "365", "breach", "tenant sweep", M365 keywords | Graph API focus, compliance language, full audit trail |
+| **client** | client name, `clients/` work, "for \<client\>" | Careful with data, session logs in `clients/`, name the client |
+| **infra** | server names/IPs, SSH, firewall, DNS, deploy, service restart | Confirm before destructive ops, backup-first |
+| **dev** | code, build, Rust/cargo, npm, GuruRMM dev, `projects/` work | Delegate freely, less confirmation friction |
+| **general** | default | Lightweight |
+
+On mode change: announce `[MODE -> infra]`, tell user to run `/color <color>`. Full details: `.claude/commands/mode.md`
+
+**MANDATORY on every mode change:** write the new mode to `.claude/current-mode` so hooks can read it:
+```bash
+echo dev > .claude/current-mode   # substitute the actual mode name
+```
+This file is gitignored (machine-local). The `UserPromptSubmit` hook reads it to gate the lock check on dev mode.
+
+**Windows/Git Bash:** always use the relative path above (or forward slashes — `/d/claudetools/.claude/current-mode`). NEVER a backslashed Windows path like `D:\claudetools\.claude\current-mode`: Git Bash strips the backslashes and substitutes the illegal `:` with a Unicode PUA char, creating a garbled junk file instead of writing the path. A `PreToolUse(Bash)` hook (`.claude/hooks/block-backslash-winpath.sh`) blocks such redirects; `sync.sh` also strips any that slip through before staging.
+
+**Windows bash command (the `bash` executable):** In PowerShell contexts (including the Grok/Claude tool run_terminal_command), `bash` often resolves to the WSL stub (`WindowsApps\bash.exe`) instead of the required Git for Windows/MSYS bash. This breaks vault.sh, sync.sh, hooks, etc. 
+
+Fix (idempotent):
+```powershell
+$gitBin = "C:\Program Files\Git\bin"
+$gitUsrBin = "C:\Program Files\Git\usr\bin"
+if ((Test-Path $gitBin) -and ((Get-Command bash -ErrorAction SilentlyContinue).Source -notlike '*Git*bin*bash.exe')) {
+    $env:Path = "$gitBin;$gitUsrBin;" + ($env:Path -replace [regex]::Escape("$gitBin;"), '' -replace [regex]::Escape("$gitUsrBin;"), '')
+}
+```
+Then plain `bash .claude/scripts/vault.sh ...` works and shows the MSYS version.
+
+Project helper: `. .claude/scripts/ensure-git-bash.ps1` (see that file + `.claude/memory/feedback_windows_bash_mapping.md`).
+
+The user's PowerShell `$PROFILE` auto-applies the remap on new sessions. For critical calls, prefer the full path `"C:\Program Files\Git\bin\bash.exe" .claude/scripts/...` if env is uncertain. Git Bash terminals (direct launch) are already correct. Related: always use system OpenSSH, not Git's.
+
+**Auto-initialization:** If `.claude/current-mode` is missing (e.g., fresh clone), the UserPromptSubmit hook automatically creates it with "general" as the default mode. No manual setup required.
+
+---
+
+## Identity: You Are a Coordinator
+
+You are NOT an executor. You coordinate specialized agents and preserve your context window.
+
+**Delegate ALL significant work:**
+
+| Operation | Delegate To |
+|-----------|------------|
+| Database queries/inserts/updates | Database Agent |
+| Production code generation | Coding Agent |
+| Code review (MANDATORY after changes) | Code Review Agent |
+| Test execution | Testing Agent |
+| Git commits/push/branch | Gitea Agent |
+| Backups/restore | Backup Agent |
+| File exploration (broad) | Explore Agent |
+| Semantic code search | deep-explore Agent (uses GrepAI) |
+| Complex reasoning | General-purpose + Sequential Thinking |
+
+**Do yourself:** Simple responses, reading 1-2 files, presenting results, planning, decisions.
+**Rule:** >500 tokens of work = delegate. Code or database = ALWAYS delegate.
+
+**DO NOT** query databases directly. **DO NOT** write production code. **DO NOT** run tests. **DO NOT** commit/push.
+
+**Single-agent for coupled tasks:** For explore → implement or explore → implement → review flows where the context is the same throughout, use one agent across all phases rather than spawning three. Each agent boundary is a cache miss and a context-handoff cost. Spawn separate agents only when tasks are genuinely independent or run in parallel.
+
+### Model Routing (Complexity-Based)
+
+| Tier | Model | When |
+|------|-------|------|
+| 0 | **Ollama** (local) | Low-stakes: summarize, classify, extract, draft — no code changes, output reviewed before use |
+| 1 | `haiku` | Ollama unavailable, or task needs agent tool use / file access |
+| 2 | (inherit) | Standard code, DB, tests, git — most work |
+| 3 | `opus` | Architecture, security, ambiguous failures, production risk |
+
+**Bump rule:** if the request involves `security`, `auth`, `credential`, `migration`, `production`, or `data loss` — bump one tier up.
+
+Pass `model: "haiku"` or `model: "opus"` explicitly. Omit for Tier 2. Tier 0 is a direct Bash call — see `.claude/OLLAMA.md`.
+
+---
+
+## Automatic Context Loading (CRITICAL)
+
+Load context **before responding** when any trigger fires. Never ask for info that's already in CONTEXT.md.
+
+| Trigger | Action |
+|---------|--------|
+| Client name mentioned | Read `wiki/clients/<slug>.md` FIRST, then `clients/<name>/session-logs/` for recent detail |
+| GuruRMM / Dataforth / project keywords | Read `wiki/projects/<slug>.md` FIRST, then `projects/<project>/CONTEXT.md`, query coord API status + components |
+| Server/hostname/IP mentioned | Read `wiki/systems/<slug>.md` FIRST for synthesized knowledge |
+| "continue", "resume", "back to", "finish" | Read project wiki article + CONTEXT.md, check coord API for locks + unread messages |
+| Servers, IPs, credentials, deploy questions | Check wiki/systems first, then CONTEXT.md — answer from it, never ask |
+| Uncertainty >5% about infra or recent work | Check wiki first, then CONTEXT.md before asking the user |
+
+CONTEXT.md locations: `projects/msp-tools/guru-rmm/CONTEXT.md`, `projects/dataforth-dos/CONTEXT.md`, `CONTEXT.md` (root).
+Wiki location: `wiki/` (root) — `wiki/clients/`, `wiki/projects/`, `wiki/systems/`, `wiki/patterns/`. Index: `wiki/index.md`.
+
+---
+
+## Projects
+
+**ClaudeTools** — MSP Work Tracking System (Production-Ready)
+- Database: MariaDB 10.6.22 @ 172.16.3.30:3306 | API: http://172.16.3.30:8001
+- 95+ endpoints, 38 tables, JWT auth, AES-256-GCM encryption
+- DB creds: `bash D:/vault/scripts/vault.sh get-field projects/claudetools/database.sops.yaml credentials.password`
+
+**GuruRMM** — Remote Monitoring & Management (Active Development)
+- Server: Rust/Axum @ 172.16.3.30:3001 | Dashboard: https://rmm.azcomputerguru.com
+- Repo: `azcomputerguru/gururmm` on Gitea (active) — the `projects/msp-tools/guru-rmm/` submodule tracks it. A separate Gitea repo named `guru-rmm` (hyphenated) is an abandoned duplicate; ignore it.
+- Roadmap: `projects/msp-tools/guru-rmm/docs/FEATURE_ROADMAP.md` (also `docs/UI_GAPS.md`)
+
+---
+
+## Key Rules
+
+- **Coord messages in system-reminder:** If a `system-reminder` contains "UNREAD COORD MESSAGES", you MUST reproduce the full message block verbatim at the top of your response before addressing anything else. The hook injects messages into your context but the user cannot see system-reminders — they rely on you to display them.
+- **NO EMOJIS** — Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]`
+- **No hardcoded credentials** — Use SOPS vault (`vault get-field <path> <field>`) or 1Password as fallback
+- **SSH:** Use system OpenSSH (`C:\Windows\System32\OpenSSH\ssh.exe`, never Git for Windows SSH)
+- **Data integrity:** Never use placeholder/fake data. Check SOPS vault, credentials.md, or ask user.
+- **Coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand)
+
+---
+
+## Live State Tracking (ALL Projects)
+
+**Coord API is the live source of truth.** API base: `http://172.16.3.30:8001/api/coord` (no auth).
+
+### Session start
+```bash
+curl -s "http://172.16.3.30:8001/api/coord/messages?to_session=<SESSION_ID>&unread_only=true"
+curl -s "http://172.16.3.30:8001/api/coord/status"
+curl -s "http://172.16.3.30:8001/api/coord/locks?project_key=<KEY>"
+```
+Display unread messages before any work. Mark read: `PUT /api/coord/messages/<id>/read`
+
+### Before significant work — claim a lock
+```bash
+curl -s -X POST http://172.16.3.30:8001/api/coord/locks \
+  -H "Content-Type: application/json" \
+  -d '{"project_key":"gururmm","session_id":"DESKTOP-0O8A1RL/claude-main","resource":"server/src","description":"...","ttl_hours":2}'
+```
+
+### After work — release lock + update component
+```bash
+curl -s -X DELETE "http://172.16.3.30:8001/api/coord/locks/<id>?session_id=<SESSION_ID>"
+curl -s -X PUT "http://172.16.3.30:8001/api/coord/components/gururmm/server" \
+  -H "Content-Type: application/json" \
+  -d '{"state":"deployed","version":"0.3.0","notes":"...","updated_by":"DESKTOP-0O8A1RL/claude-main"}'
+```
+
+**Softfail:** If API unreachable, continue work and log failed calls to `.claude/coord-queue.jsonl`. Drain on next `/sync`.
+
+### Project keys
+
+| project_key | Components | States |
+|-------------|------------|--------|
+| `gururmm` | `server`, `agents`, `dashboard`, `db_migrations` | `building`, `built`, `deploying`, `deployed`, `degraded` |
+| `guruconnect` | `server`, `agent`, `dashboard` | `building`, `built`, `deploying`, `deployed`, `degraded` |
+| `claudetools` | `api`, `db_migrations`, `coord_api` | `deploying`, `deployed`, `degraded` |
+| `dataforth-dos` | `app`, `db` | `active`, `idle`, `degraded` |
+| `clients/<name>` | `(free-form)` | `(free-form)` |
+
+Full protocol + inter-session messaging: `.claude/COORDINATION_PROTOCOL.md`
+
+---
+
+## Automatic Behaviors
+
+- **Frontend Design:** Auto-invoke `/frontend-design` skill after ANY UI change (HTML/CSS/JSX/styling)
+- **Sequential Thinking:** Use for genuine complexity — rejection loops, 3+ critical issues, architectural decisions
+- **Task Management:** Complex work (>3 steps) → TaskCreate. Persist to `.claude/active-tasks.json`.
+- **Auto Todo Creation:** When wrapping up a task that has unresolved follow-up, open items, or deferred work, POST to `POST /api/coord/todos` with `auto_created: true` and `source_context` describing why. Assign `project_key` if project-scoped; assign `assigned_to_user` if only relevant to one tech. Sub-tasks: set `parent_id` to link under a parent todo. Never create a todo for something already being done in the current session.
+
+### Querying Todos
+
+- "What needs to be done with \<project\>?" → `GET /api/coord/todos?project_key=<key>&status_filter=pending`
+- "What are my open todos?" → `GET /api/coord/todos?for_user=<user>&status_filter=pending`
+- "Show all todos including done" → add `status_filter=all`
+- "Mark done" → `PUT /api/coord/todos/<id>` with `{"status": "done", "completed_by": "<user>"}`
+
+### Cross-Session Messages (MANDATORY)
+
+See the **Session Start Protocol** in "Live State Tracking" above. Messages must be displayed and marked read before any other work.
+
+Also scan session logs pulled during `/sync` for legacy `## Note for <user>` sections (transitional — older sessions still use markdown).
+
+---
+
+## Context Recovery
+
+When user references previous work, use `/context` command. Never ask for info in:
+- `wiki/` — **Check first.** LLM-compiled synthesized knowledge by client/project/system. Index: `wiki/index.md`
+- `credentials.md` — Infrastructure reference (being migrated to SOPS vault)
+- `session-logs/` — Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`)
+- **Coordination API** — current locks, component states, workflows, messages: `GET http://172.16.3.30:8001/api/coord/status`
+- `projects/*/PROJECT_STATE.md` — ARCHIVED. Read-only historical reference. Do not edit. Use coordination API for live state.
+
+### Credential Access (SOPS Vault)
+
+Use the ClaudeTools vault wrapper — never hardcode the vault path:
+
+```bash
+# CLAUDETOOLS_ROOT is the repo root (D:\claudetools on Windows, ~/claudetools on Mac/Linux)
+VAULT="$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh"
+
+bash "$VAULT" search "keyword"         # Search without decrypting
+bash "$VAULT" get-field <path> <field> # Get specific field
+bash "$VAULT" get <path>               # Decrypt full entry
+bash "$VAULT" list                     # List all entries
+```
+
+The wrapper reads `vault_path` from `.claude/identity.json` (per-machine, gitignored).
+Each machine sets its own vault path there — no hardcoded paths in any shared file.
+
+Vault structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/`
+
+**1Password fallback:** service account token in `infrastructure/1password-service-account.sops.yaml`
+
+---
+
+## Commands & Skills
+
+| Command | Purpose |
+|---------|---------|
+| `/checkpoint` | Dual checkpoint: git commit + database context |
+| `/save` | Comprehensive session log |
+| `/context` | Search wiki first, then session logs, credentials.md, and 1Password |
+| `/wiki-compile` | Compile session logs into wiki articles for a client/project/system/all |
+| `/wiki-lint` | Health-check wiki for stale IPs, broken backlinks, orphaned articles |
+| `/1password` | 1Password secrets management |
+| `/sync` | Sync config from Gitea repository |
+| `/create-spec` | Create app specification for AutoCoder |
+| `/frontend-design` | Modern frontend design (auto-invoke after UI changes) |
+| `/rmm` | Remote command execution on GuruRMM agents — list, run, poll, cancel |
+| `/remediation-tool` | M365 breach checks, tenant sweeps, gated remediation |
+| `/feature-request` | Howard submits a GuruRMM feature request — Claude classifies it and messages Mike |
+| `/shape-spec` | Pre-implementation spec for a GuruRMM feature — produces plan.md, shape.md, references.md, standards.md |
+| `/rmm-audit` | Full end-to-end audit of GuruRMM: API coverage, UI gaps, Rust/TS quality, security, data integrity. Produces timestamped report + updates UI_GAPS.md |
+| `/forum-post` | Post a technical article to community.azcomputerguru.com — drafts from context, shows preview, inserts via paramiko SSH to Flarum DB |
+| `/recover` | Reconstruct a session log from a Claude Code transcript after a crash/close-before-save. `/recover <uuid>`, `/recover latest`, or `/recover --list`. See `.claude/RECOVERY.md` |
+
+---
+
+## File Placement
+
+- GuruRMM work → `projects/msp-tools/guru-rmm/` (git submodule tracking the **active** `azcomputerguru/gururmm` repo; the pinned commit normally lags `main` — that's expected, not "stale"). Empty on a fresh clone until `git submodule update --init`; `/sync` now does this automatically.
+- GuruRMM session logs → root `session-logs/` (NOT the submodule)
+- Client work → `clients/[client-name]/`
+- Session logs → project/client `session-logs/` subfolder; general work → root `session-logs/`
+- Full guide: `.claude/FILE_PLACEMENT_GUIDE.md`
+
+---
+
+## Local AI (Ollama)
+
+Tier 0 — **Ollama is the documentation and classification engine.** Route prose, summaries, and classification through it; Claude reviews before writing or posting.
+
+**Models:** `qwen3.6:latest` (structured: JSON, classification), `qwen3:8b` / `qwen3:14b` (prose), `codestral:22b` (code suggestions).
+
+**Configuration:** All machine-specific config (endpoint, fallback, prose_model, python command, platform, architecture) lives in `.claude/identity.json`, populated by `.claude/scripts/migrate-identity.sh`. Scripts read `.ollama.endpoint` directly — no curl probing.
+
+**Reference:** `.claude/OLLAMA.md` for full model usage + routing patterns.
+
+### GrepAI (Semantic Code Search)
+
+**Recall hierarchy — wiki first, GrepAI second.** GrepAI is NOT the first stop for context.
+The synthesized **wiki** (`wiki/`, 57 curated client/project/system articles) is the truth layer
+for a *known entity* — check it first (it is cheaper and already distilled). Go to GrepAI when the
+wiki can't answer:
+
+1. **Code** — `grepai_search` / `grepai_trace_callers` / `grepai_trace_callees` over the Rust+TS
+   corpus (~8k files). The wiki has zero code awareness; this is GrepAI's irreplaceable value for
+   GuruRMM/GuruConnect dev (call-graph tracing, "where is Z implemented").
+2. **Discovery** — you don't know the entity name, or no wiki article exists yet (a new
+   client/system not yet compiled).
+3. **Sub-synthesis detail** — a fact that was in a raw session log but didn't make the wiki's
+   summary cut.
+
+Order of recall: **wiki (known entity) -> GrepAI (code / discovery / un-compiled detail) -> raw
+file reads.** Do NOT GrepAI something the wiki already answers — that's the redundant overlap.
+
+- **MCP tools:** `grepai_search` (primary), `grepai_trace_callers`, `grepai_trace_callees`
+- **Agent:** `deep-explore` (for multi-hop CODE exploration)
+- **CLI:** `$CLAUDETOOLS_ROOT/grepai search "query" --json -c -n 5`
+- **Watcher:** runs as scheduled task "GrepAI Watcher - claudetools" (auto-starts on login, keeps index current)
+
+---
+
+## Memory (Shared Across Machines)
+
+Stored in-repo at `.claude/memory/` — syncs via Gitea to all workstations.
+Index: `.claude/memory/MEMORY.md`
+
+**IMPORTANT:** Always write to `.claude/memory/` (repo-relative), NOT `~/.claude/projects/*/memory/`.
+
+---
+
+## Reference (read on-demand)
+
+- **Fleet machine specs + onboarding checklist:** `.claude/machines/` (per-host `<hostname>.md`, plus `LINUX_PC_ONBOARDING.md`)
+- **Project structure, endpoints, workflows:** `.claude/REFERENCE.md`
+- **Agent definitions:** `.claude/agents/*.md`
+- **MCP servers:** `MCP_SERVERS.md`
+- **Coding standards:** `.claude/CODING_GUIDELINES.md`
+- **Ollama connection + examples:** `.claude/OLLAMA.md`
+- **PROJECT_STATE locking protocol:** `.claude/PROJECT_STATE_PROTOCOL.md`
+- **Temp directory graduation workflow:** `.claude/TEMP_GRADUATION.md`
+
+---
+
+**Last Updated:** 2026-05-29

.claude/CODING_GUIDELINES.md

@@ -1,364 +1,111 @@
 # ClaudeTools - Coding Guidelines
 
-## General Principles
-
-These guidelines ensure code quality, consistency, and maintainability across the ClaudeTools project.
+Project-specific standards. Generic language conventions (PEP 8, etc.) are assumed knowledge.
 
 ---
 
-## Character Encoding and Text
+## Character Encoding
 
 ### NO EMOJIS - EVER
 
-**Rule:** Never use emojis in any code files, including:
-- Python scripts (.py)
-- PowerShell scripts (.ps1)
-- Bash scripts (.sh)
-- Configuration files
-- Documentation within code
-- Log messages
-- Output strings
+Never use emojis in code, scripts, config files, log messages, or output strings.
+
+**Rationale:** Causes PowerShell parsing errors, encoding issues, terminal rendering problems.
+
+**Use instead:**
+```
+[OK] [SUCCESS] [INFO] [WARNING] [ERROR] [CRITICAL]
+```
+
+**Exception:** User-facing web UI with proper UTF-8 handling.
+
+---
+
+## Naming Conventions
+
+- **Python:** snake_case functions, PascalCase classes, UPPER_SNAKE constants
+- **PowerShell:** PascalCase variables ($TaskName), approved verbs (Get-/Set-/New-)
+- **Bash:** lowercase_underscore functions, quote all variables
+- **DB tables:** lowercase plural (users, user_sessions), FK as {table}_id
+- **DB columns:** created_at/updated_at timestamps, is_/has_ boolean prefixes
+
+---
+
+## PowerShell Execution (Windows)
+
+### ALWAYS Use -NoProfile -File Pattern
+
+Never use inline PowerShell commands (`-Command` or `-c`). Always write scripts to `.ps1` files and execute with `-NoProfile -File`.
 
 **Rationale:**
-- Emojis cause encoding issues (UTF-8 vs ASCII)
-- PowerShell parsing errors with special Unicode characters
-- Cross-platform compatibility problems
-- Terminal rendering inconsistencies
-- Version control diff issues
+- **Prevents font/codepage changes**: PowerShell profile scripts often set `chcp 65001` or modify `[Console]::OutputEncoding`, which changes the Claude Code CLI font and breaks rendering
+- **Avoids Git Bash quoting issues**: Inline commands have unpredictable quote escaping and variable expansion (`$_`, `$foo`) before PowerShell sees them
+- **Enforced by hooks**: `.claude/hooks/pre-bash-pwsh-script.sh` blocks inline execution and requires the file-based approach
 
-**Instead of emojis, use:**
-```powershell
-# BAD - causes parsing errors
-Write-Host "✓ Success!"
-Write-Host "⚠ Warning!"
-
-# GOOD - ASCII text markers
-Write-Host "[OK] Success!"
-Write-Host "[SUCCESS] Task completed!"
-Write-Host "[WARNING] Check settings!"
-Write-Host "[ERROR] Failed to connect!"
-```
-
-**Allowed in:**
-- User-facing web UI (where Unicode is properly handled)
-- Database content (with proper UTF-8 encoding)
-- Markdown documentation (README.md, etc.) - use sparingly
-
----
-
-## Python Code Standards
-
-### Style
-- Follow PEP 8 style guide
-- Use 4 spaces for indentation (no tabs)
-- Maximum line length: 100 characters (relaxed from 79)
-- Use type hints for function parameters and return values
-
-### Imports
-```python
-# Standard library imports
-import os
-import sys
-from datetime import datetime
-
-# Third-party imports
-from fastapi import FastAPI
-from sqlalchemy import Column
-
-# Local imports
-from api.models import User
-from api.utils import encrypt_data
-```
-
-### Naming Conventions
-- Classes: `PascalCase` (e.g., `UserService`, `CredentialModel`)
-- Functions/methods: `snake_case` (e.g., `get_user`, `create_session`)
-- Constants: `UPPER_SNAKE_CASE` (e.g., `API_BASE_URL`, `MAX_RETRIES`)
-- Private methods: `_leading_underscore` (e.g., `_internal_helper`)
-
----
-
-## PowerShell Code Standards
-
-### Style
-- Use 4 spaces for indentation
-- Use PascalCase for variables: `$TaskName`, `$PythonPath`
-- Use approved verbs for functions: `Get-`, `Set-`, `New-`, `Remove-`
-
-### Error Handling
-```powershell
-# Always use -ErrorAction for cmdlets that might fail
-$Task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
-if (-not $Task) {
-    Write-Host "[ERROR] Task not found"
-    exit 1
-}
-```
-
-### Output
-```powershell
-# Use clear status markers
-Write-Host "[INFO] Starting process..."
-Write-Host "[SUCCESS] Task completed"
-Write-Host "[ERROR] Failed to connect"
-Write-Host "[WARNING] Configuration missing"
-```
-
----
-
-## Bash Script Standards
-
-### Style
-- Use 2 spaces for indentation
-- Always use `#!/bin/bash` shebang
-- Quote all variables: `"$variable"` not `$variable`
-- Use `set -e` for error handling (exit on error)
-
-### Functions
+**Correct:**
 ```bash
-# Use lowercase with underscores
-function check_connection() {
-    local host="$1"
-    echo "[INFO] Checking connection to $host"
-}
+# Write script to file using Write tool
+cat > /tmp/script.ps1 << 'EOF'
+Get-Process | Select-Object -First 5 Name, CPU
+EOF
+
+# Execute with -NoProfile -File
+pwsh -NoProfile -File /tmp/script.ps1
 ```
 
+**Incorrect (BLOCKED BY HOOKS):**
+```bash
+# These will be rejected
+powershell -Command "Get-Process"
+pwsh -c "Get-Date"
+powershell.exe -Command '$x = 5; Write-Host $x'
+```
+
+**Reference:** See `.claude/hooks/pre-bash-pwsh-script.sh` for enforcement details.
+
 ---
 
-## API Development Standards
+## Context Lookup — search before reading (wiki first for known entities)
 
-### Endpoints
-- Use RESTful conventions
-- Use plural nouns: `/api/users` not `/api/user`
-- Use HTTP methods appropriately: GET, POST, PUT, DELETE
-- Version APIs if breaking changes: `/api/v2/users`
+For a **known entity's facts** (a specific client/project/system), check the **wiki** first — it is
+the synthesized truth layer. For **code and discovery**, search with GrepAI or Grep before reading
+any file; only open a file when you need its full content for editing or line-by-line review. Full
+rule: `.claude/standards/context-lookup/grepai-first.md`.
 
-### Error Responses
-```python
-# Return consistent error format
-{
-    "detail": "User not found",
-    "error_code": "USER_NOT_FOUND",
-    "status_code": 404
-}
-```
+| Goal | Tool |
+|------|------|
+| Find where a function is defined | `grepai_search` or `Grep` |
+| Understand how a feature works | `grepai_search` |
+| Find all callers of a function | `grepai_trace_callers` |
+| Full file content needed (edit, review) | `Read` |
+| Recent changes | `git log`, then `Read` specific file |
 
-### Documentation
-- Every endpoint must have a docstring
-- Use Pydantic schemas for request/response validation
-- Document in OpenAPI (automatic with FastAPI)
+Reading a 500-line file to find one function costs ~3000 tokens. A targeted search costs ~100.
+Never open a large file to scan for context. Search first, read only if the search is insufficient.
 
 ---
 
-## Database Standards
+## Security
 
-### Table Naming
-- Use lowercase with underscores: `user_sessions`, `billable_time`
-- Use plural nouns: `users` not `user`
-- Use consistent prefixes for related tables
-
-### Columns
-- Primary key: `id` (UUID)
-- Timestamps: `created_at`, `updated_at`
-- Foreign keys: `{table}_id` (e.g., `user_id`, `project_id`)
-- Boolean: `is_active`, `has_access` (prefix with is_/has_)
-
-### Indexes
-```python
-# Add indexes for frequently queried fields
-Index('idx_users_email', 'email')
-Index('idx_sessions_project_id', 'project_id')
-```
+- Never hardcode credentials -- use SOPS vault or environment variables
+- JWT tokens for API auth, Argon2 for password hashing
+- Log all authentication attempts and sensitive operations
+- `.env` files are gitignored, never committed
 
 ---
 
-## Security Standards
+## API Standards
 
-### Credentials
-- Never hardcode credentials in code
-- Use environment variables for sensitive data
-- Use `.env` files (gitignored) for local development
-- Encrypt passwords with AES-256-GCM (Fernet)
-
-### Authentication
-- Use JWT tokens for API authentication
-- Hash passwords with Argon2
-- Include token expiration
-- Log all authentication attempts
-
-### Audit Logging
-```python
-# Log all sensitive operations
-audit_log = CredentialAuditLog(
-    credential_id=credential.id,
-    action="password_updated",
-    user_id=current_user.id,
-    details="Password updated via API"
-)
-```
+- RESTful with plural nouns: `/api/users`
+- Consistent error format: `{"detail": "...", "error_code": "...", "status_code": N}`
+- Paginate large result sets
+- Document with OpenAPI (automatic with FastAPI)
 
 ---
 
-## Testing Standards
+## Output Markers
 
-### Test Files
-- Name: `test_{module_name}.py`
-- Location: Same directory as code being tested
-- Use pytest framework
-
-### Test Structure
-```python
-def test_create_user():
-    """Test user creation with valid data."""
-    # Arrange
-    user_data = {"email": "test@example.com", "name": "Test"}
-
-    # Act
-    result = create_user(user_data)
-
-    # Assert
-    assert result.email == "test@example.com"
-    assert result.id is not None
-```
-
-### Coverage
-- Aim for 80%+ code coverage
-- Test happy path and error cases
-- Mock external dependencies (database, APIs)
-
----
-
-## Git Commit Standards
-
-### Commit Messages
-```
-[Type] Brief description (50 chars max)
-
-Detailed explanation if needed (wrap at 72 chars)
-
-- Change 1
-- Change 2
-- Change 3
-```
-
-### Types
-- `[Feature]` - New feature
-- `[Fix]` - Bug fix
-- `[Refactor]` - Code refactoring
-- `[Docs]` - Documentation only
-- `[Test]` - Test updates
-- `[Config]` - Configuration changes
-
----
-
-## File Organization
-
-### Directory Structure
-```
-project/
-├── api/              # API application code
-│   ├── models/      # Database models
-│   ├── routers/     # API endpoints
-│   ├── schemas/     # Pydantic schemas
-│   ├── services/    # Business logic
-│   └── utils/       # Helper functions
-├── .claude/         # Claude Code configuration
-│   ├── hooks/       # Git-style hooks
-│   └── agents/      # Agent instructions
-├── scripts/         # Utility scripts
-└── migrations/      # Database migrations
-```
-
-### File Naming
-- Python: `snake_case.py`
-- Classes: Match class name (e.g., `UserService` in `user_service.py`)
-- Scripts: Descriptive names (e.g., `setup_database.sh`, `test_api.py`)
-
----
-
-## Documentation Standards
-
-### Code Comments
-```python
-# Use comments for WHY, not WHAT
-# Good: "Retry 3 times to handle transient network errors"
-# Bad: "Set retry count to 3"
-
-def fetch_data(url: str) -> dict:
-    """
-    Fetch data from API endpoint.
-
-    Args:
-        url: Full URL to fetch from
-
-    Returns:
-        Parsed JSON response
-
-    Raises:
-        ConnectionError: If API is unreachable
-        ValueError: If response is invalid JSON
-    """
-```
-
-### README Files
-- Include quick start guide
-- Document prerequisites
-- Provide examples
-- Keep up to date
-
----
-
-## Error Handling
-
-### Python
-```python
-# Use specific exceptions
-try:
-    result = api_call()
-except ConnectionError as e:
-    logger.error(f"[ERROR] Connection failed: {e}")
-    raise
-except ValueError as e:
-    logger.warning(f"[WARNING] Invalid data: {e}")
-    return None
-```
-
-### PowerShell
-```powershell
-# Use try/catch for error handling
-try {
-    $Result = Invoke-RestMethod -Uri $Url
-} catch {
-    Write-Host "[ERROR] Request failed: $_"
-    exit 1
-}
-```
-
----
-
-## Logging Standards
-
-### Log Levels
-- `DEBUG` - Detailed diagnostic info (development only)
-- `INFO` - General informational messages
-- `WARNING` - Warning messages (non-critical issues)
-- `ERROR` - Error messages (failures)
-- `CRITICAL` - Critical errors (system failures)
-
-### Log Format
-```python
-# Use structured logging
-logger.info(
-    "[INFO] User login",
-    extra={
-        "user_id": user.id,
-        "ip_address": request.client.host,
-        "timestamp": datetime.utcnow()
-    }
-)
-```
-
-### Output Markers
+All scripts and tools use ASCII status markers:
 ```
 [INFO] Starting process
 [SUCCESS] Task completed
@@ -369,60 +116,97 @@ logger.info(
 
 ---
 
-## Performance Guidelines
+## Git
 
-### Database Queries
-- Use indexes for frequently queried fields
-- Avoid N+1 queries (use joins or eager loading)
-- Paginate large result sets
-- Use connection pooling
-
-### API Responses
-- Return only necessary fields
-- Use pagination for lists
-- Compress large payloads
-- Cache frequently accessed data
-
-### File Operations
-- Use context managers (`with` statements)
-- Stream large files (don't load into memory)
-- Clean up temporary files
+- Commit types: feat, fix, refactor, docs, test, config
+- Always include `Co-Authored-By` line for Claude commits
+- Never commit .env, credentials, venv, __pycache__, *.log
 
 ---
 
-## Version Control
+## GuruRMM Agent — Platform Parity
 
-### .gitignore
-Always exclude:
-- `.env` files (credentials)
-- `__pycache__/` (Python cache)
-- `*.pyc` (compiled Python)
-- `.venv/`, `venv/` (virtual environments)
-- `.claude/*.json` (local state)
-- `*.log` (log files)
+All agent features that are not inherently platform-specific must ship on Windows, Linux, and macOS.
+A feature that silently no-ops on one platform is a gap, not a cross-platform implementation.
 
-### Branching
-- `main` - Production-ready code
-- `develop` - Integration branch
-- `feature/*` - New features
-- `fix/*` - Bug fixes
-- `hotfix/*` - Urgent production fixes
+### The rule
+
+> "Add feature X to the agent" means Windows + Linux + macOS. All three, in the same change.
+> No exceptions for convenience. If a real implementation is not feasible on a given platform,
+> add a working stub and a `// TODO(platform): <os> — <reason>` comment in the same commit.
+> A feature that silently no-ops on one platform without a stub and TODO is a bug, not a gap.
+
+### cfg gating — choose the right target
+
+| Condition | Attribute | When to use |
+|-----------|-----------|-------------|
+| Windows only | `#[cfg(windows)]` | Windows API (Win32, WMI, SCM, OpenSSH registry) |
+| Linux + macOS | `#[cfg(unix)]` | POSIX: nix crate, signals, `/proc`, `/sys`, sockets |
+| Linux only | `#[cfg(target_os = "linux")]` | `/sys/class/thermal`, systemd, procfs, D-Bus |
+| macOS only | `#[cfg(target_os = "macos")]` | CoreFoundation, IOKit, launchd, NSStatusBar |
+| Build flag | `#[cfg(feature = "native-service")]` | Service harness (Windows only in Cargo.toml) |
+
+Never use `#[cfg(not(windows))]` as a proxy for "Linux + macOS works the same" without verifying
+the macOS codepath. Linux and macOS diverge on `/sys`, D-Bus, and GUI IPC.
+
+### Current parity matrix (as of 2026-05-15)
+
+| Feature | Windows | Linux | macOS |
+|---------|---------|-------|-------|
+| CPU / memory / disk / network metrics | [OK] | [OK] | [OK] |
+| Temperature via sysinfo | [OK] fallback | [WARN] empty if no hwmon | [WARN] empty if no sensors |
+| Temperature via LibreHardwareMonitor | [OK] primary | N/A | N/A |
+| Temperature via /sys/class/thermal | N/A | [GAP] not implemented | N/A |
+| User detection (logged-in user) | [OK] | [OK] nix crate | [OK] nix crate |
+| User idle time | [OK] GetLastInputInfo | [GAP] returns None | [GAP] returns None |
+| IPC / tray | [OK] named pipe + WinTray | [GAP] stub no-op | [GAP] stub no-op |
+| Watchdog (process monitor) | [OK] native-service | [GAP] stub no-op | [GAP] stub no-op |
+| Script execution | [OK] cmd / PowerShell | [OK] bash / sh | [OK] bash / sh |
+| Hardware inventory | [OK] WMI | [OK] /proc + lshw | [OK] system_profiler |
+| Auto-updater | [OK] full | [OK] simpler | [OK] simpler |
+| Checks (AV, updates, firewall) | [OK] full | [WARN] partial stub | [WARN] partial stub |
+| Network discovery | [OK] | [OK] | [OK] |
+
+### Known gaps — priority order
+
+**1. Linux temperature collection** (`agent/src/metrics/mod.rs`)
+- sysinfo `Components` returns empty on most Linux systems (requires kernel hwmon driver exposure).
+- Correct approach: read `/sys/class/thermal/thermal_zone*/temp` directly (always available on Linux).
+- Pattern:
+  ```rust
+  #[cfg(target_os = "linux")]
+  fn collect_temps_linux() -> (Option<f32>, Option<f32>, Vec<TemperatureReading>) {
+      // read /sys/class/thermal/thermal_zone*/temp
+      // parse millidegrees, classify by type label in /sys/class/thermal/thermal_zone*/type
+  }
+  ```
+
+**2. Linux / macOS user idle time** (`agent/src/metrics/mod.rs` — `get_user_idle_time()`)
+- Linux: use X11 `XScreenSaverQueryInfo` (display sessions) or parse `/proc/interrupts` delta (headless).
+- macOS: use `CGEventSourceSecondsSinceLastEventType` (IOKit, always available).
+- Stub is acceptable short-term; mark with `// TODO(platform): linux/macos idle time`.
+
+**3. Watchdog on Linux / macOS** (`agent/src/watchdog/`)
+- Windows: Windows Service Control Manager restarts the agent.
+- Linux: systemd `Restart=on-failure` in the unit file is the correct equivalent — no in-process watchdog needed.
+- macOS: launchd `KeepAlive` key in the plist.
+- Document the OS-native mechanism in `build-agents.sh` / installer rather than porting the Rust watchdog.
+
+**4. Checks on Linux / macOS** (`agent/src/checks.rs`)
+- Windows-specific checks (Windows Update pending, Windows Defender status, Windows Firewall) have no
+  direct equivalents; that is expected.
+- Cross-platform checks (disk SMART, certificate expiry, open ports) should run on all platforms.
+- Add `// TODO(platform): linux/macos — <check name>` for each unimplemented cross-platform check.
+
+### Cargo.toml dependency discipline
+
+- Platform-specific crates go in `[target.'cfg(...)'.dependencies]`, never in `[dependencies]`.
+- Keep `lhm` (LibreHardwareMonitor) and `windows-service` under `cfg(windows)`.
+- Keep `nix` under `cfg(unix)`.
+- When adding a new crate, verify it compiles on all three targets before merging. Use the build server
+  for Windows; CI covers Linux. macOS cross-compile via `--target aarch64-apple-darwin` on Linux
+  (requires `osxcross` toolchain — see build-agents.sh TODO-MACOS).
 
 ---
 
-## Review Checklist
-
-Before committing code, verify:
-- [ ] No emojis or special Unicode characters
-- [ ] All variables and functions have descriptive names
-- [ ] No hardcoded credentials or sensitive data
-- [ ] Error handling is implemented
-- [ ] Code is formatted consistently
-- [ ] Tests pass (if applicable)
-- [ ] Documentation is updated
-- [ ] No debugging print statements left in code
-
----
-
-**Last Updated:** 2026-01-17
-**Status:** Active
+**Last Updated:** 2026-05-15

.claude/COMPLEXITY_ROUTING.md

@@ -0,0 +1,74 @@
+# Complexity-Based Model Routing
+
+When spawning an agent, pick a tier based on the request signals below, then pass `model` accordingly.
+
+---
+
+## Tier 1 — Haiku (fast/cheap)
+
+**Signals:** single lookup, no code changes, classification, formatting, summarization, status check, documentation
+
+**Examples:**
+- "What's the status of X?"
+- Summarize or format a session log
+- Search/grep for a value
+- Convert or extract data
+- Write/update a markdown doc
+
+**Agents that default here:** documentation-squire, explore (quick searches), photo
+
+**Agent call:** `model: "haiku"`
+
+---
+
+## Tier 2 — Sonnet (default, inherit)
+
+**Signals:** standard code generation, routine DB queries, test execution, API work, multi-file reads, git operations
+
+**Examples:**
+- Add or modify an endpoint
+- Run tests and report results
+- Write a DB migration
+- Fetch credentials, configure a service
+- Commit and push changes
+
+**Agents that default here:** coding, database, testing, gitea, general-purpose, deep-explore (standard search)
+
+**Agent call:** omit `model` (inherits session model)
+
+---
+
+## Tier 3 — Opus (high-stakes reasoning)
+
+**Signals:** architectural decision, security/auth, 3+ interacting systems, ambiguous root cause, production data risk, anything that fails badly if wrong
+
+**Examples:**
+- Redesign an auth or data flow
+- Security or code review of a critical PR
+- Debug a multi-service race condition
+- Schema migration on production data
+- Evaluate competing architectural approaches
+
+**Agents that default here:** code-review (when Sequential Thinking triggers), deep-explore (architecture questions)
+
+**Agent call:** `model: "opus"`
+
+---
+
+## Bump Rule
+
+If the request contains ANY of these keywords, bump one tier up regardless of other signals:
+
+`security`, `auth`, `token`, `credential`, `migration`, `production`, `race condition`, `data loss`, `breach`, `encrypt`
+
+---
+
+## Quick Reference
+
+| Tier | Model | Typical cost | Use when |
+|------|-------|-------------|----------|
+| 1 | `haiku` | ~10x cheaper | Lookup, format, summarize, doc |
+| 2 | (inherit) | baseline | Standard code, DB, tests |
+| 3 | `opus` | ~5x more expensive | Architecture, security, ambiguous failures |
+
+Err toward Tier 2 when uncertain. Only use Opus when the reasoning stakes justify the cost.

.claude/COORDINATION_PROTOCOL.md

@@ -0,0 +1,233 @@
+# Coordination Protocol
+
+Cross-session coordination uses the ClaudeTools API at `http://172.16.3.30:8001/api/coord/`. This replaces PROJECT_STATE.md files.
+
+No auth token required for coordination endpoints — they are internal-only on the 172.16.3.30 private network. Pass `session_id` in the request body or as a query parameter to identify the calling session (e.g., `DESKTOP-0O8A1RL/claude-main`).
+
+---
+
+## When a Lock Is Required
+
+- Editing or creating source code files
+- Git commit or push
+- SSH command that modifies a server (deploy, install, config change, service restart)
+- Database schema change or data migration
+- Build pipeline modification
+
+Reading files, planning, and answering questions do NOT require a lock.
+
+---
+
+## Lock Lifecycle
+
+**Step 1 — Check for conflicts**
+```
+GET /api/coord/locks?project_key=<key>&resource=<resource>
+```
+- Active lock present: stop, report to user, ask how to proceed.
+- Lock `acquired_at` > 2 hours ago: note it, release it (Step 2 below), proceed.
+
+**Step 2 — Claim your lock**
+```
+POST /api/coord/locks
+{
+  "project_key": "gururmm",
+  "session_id": "DESKTOP-0O8A1RL/claude-main",
+  "resource": "server/src/api/credentials.rs",
+  "description": "Adding credential endpoints",
+  "ttl_hours": 2
+}
+```
+Response: `{ "id": "<uuid>", ... }` — save the `id` for release.
+
+`ttl_hours`: use 2 for normal work; 0 for no expiry (use sparingly).
+
+**Step 3 — Do the work**
+
+**Step 4 — Release the lock**
+```
+DELETE /api/coord/locks/<id>?session_id=<session_id>
+```
+Release on completion AND on failure. Only the claiming session may release.
+
+**Stale lock rule:** A lock with `acquired_at` older than 2 hours and no activity update is abandoned. Release it, then proceed.
+
+---
+
+## Component States
+
+Record the current status of named system components so all sessions share a live view.
+
+**Upsert a component state:**
+```
+PUT /api/coord/components
+{
+  "project_key": "gururmm",
+  "component": "server",
+  "state": "deployed",
+  "version": "0.3.0",
+  "notes": "Deployed 2026-05-12; credential store live",
+  "updated_by": "DESKTOP-0O8A1RL/claude-main"
+}
+```
+
+Valid states (convention — not enforced): `building`, `built`, `deploying`, `deployed`, `degraded`, `unknown`
+
+**Read all component states for a project:**
+```
+GET /api/coord/components?project_key=gururmm
+```
+
+---
+
+## Workflows and Work Items
+
+Use workflows to track multi-step initiatives that span sessions or days.
+
+**Create a workflow:**
+```
+POST /api/coord/workflows
+{
+  "project_key": "gururmm",
+  "name": "Network Discovery Phase 1",
+  "description": "TCP probe scanner + DB layer + API + dashboard",
+  "status": "planning",
+  "created_by": "DESKTOP-0O8A1RL/claude-main"
+}
+```
+
+**Add work items to a workflow:**
+```
+POST /api/coord/work-items
+{
+  "workflow_id": "<uuid>",
+  "project_key": "gururmm",
+  "title": "Write migrations 017-019 for discovery tables",
+  "status": "pending",
+  "priority": 10
+}
+```
+
+**Update work item status:**
+```
+PATCH /api/coord/work-items/<id>
+{ "status": "completed" }
+```
+
+Workflow statuses: `planning`, `active`, `blocked`, `completed`, `cancelled`
+Work item statuses: `pending`, `in_progress`, `blocked`, `completed`, `cancelled`
+
+---
+
+## Inter-Session Messages
+
+Send targeted messages between sessions or broadcast to a project.
+
+**Send a message:**
+```
+POST /api/coord/messages
+{
+  "from_session": "DESKTOP-0O8A1RL/claude-main",
+  "to_session": "HOWARD-HOME/claude-main",   // omit for broadcast
+  "project_key": "gururmm",
+  "subject": "macOS build pipeline ready for wiring",
+  "body": "build-agents.sh updated. Section marked TODO-MACOS. Wire in from your end."
+}
+```
+
+**Check for unread messages (do this at session start):**
+```
+GET /api/coord/messages?to_session=<session_id>&unread_only=true
+```
+
+Display each unread message prominently:
+```
+============================================================
+MESSAGE FROM <from_session> — <subject>
+============================================================
+<body>
+============================================================
+```
+
+**Mark as read:**
+```
+PUT /api/coord/messages/<id>/read
+```
+
+---
+
+## Status Overview
+
+Quick snapshot of everything active:
+```
+GET /api/coord/status
+```
+Returns: active locks, recent component state changes, active workflows, unread message count.
+
+---
+
+## Session Cleanup
+
+When a session ends cleanly, release all its locks:
+```
+DELETE /api/coord/locks?session_id=<session_id>&release_all=true
+```
+
+---
+
+## project_key Slugs
+
+| Slug | Project |
+|------|---------|
+| `gururmm` | GuruRMM server + dashboard |
+| `claudetools` | ClaudeTools API + coordination system |
+| `dataforth-dos` | Dataforth DOS project |
+
+Free-form — add new slugs as needed. Does NOT foreign-key to the projects table.
+
+---
+
+## Softfail and Catch-Up
+
+The coordination API must never block work. If it is unavailable:
+
+**On any network error, timeout, or 5xx response:**
+1. Log the failed call to `.claude/coord-queue.jsonl` (one JSON object per line):
+   ```json
+   {"ts":"2026-05-12T15:30:00Z","method":"PUT","path":"/api/coord/components/gururmm/server","body":{"state":"deployed","version":"0.3.0","notes":"...","updated_by":"DESKTOP-0O8A1RL/claude-main"}}
+   ```
+2. Continue working. Do not retry immediately.
+
+**On 503 with `Retry-After` header:**  
+Wait the specified seconds, then retry once. If the retry also fails, queue it.
+
+**Catch-up (session start and after `/sync`):**
+```bash
+# If coord-queue.jsonl exists and is non-empty:
+while read -r line; do
+  method=$(echo "$line" | jq -r .method)
+  path=$(echo "$line" | jq -r .path)
+  body=$(echo "$line" | jq -r .body)
+  curl -s -X "$method" "http://172.16.3.30:8001$path" -H "Content-Type: application/json" -d "$body"
+done < .claude/coord-queue.jsonl
+# Remove the file only if all calls succeeded
+```
+
+The queue file lives in `.claude/coord-queue.jsonl` (gitignored — local to each workstation).
+
+---
+
+## API Softfail Behavior (Server Side)
+
+When the MariaDB database is unavailable:
+- Coord endpoints return `503 Service Unavailable` with header `Retry-After: 30`
+- Response body: `{"detail": "Database unavailable. Retry after 30 seconds.", "retry_after": 30}`
+- `GET /health` reflects DB status: `{"status":"degraded","database":"disconnected"}`
+
+This behavior is implemented in the API server and does not need to be coded by agents.
+
+---
+
+## Migration Note
+
+`projects/*/PROJECT_STATE.md` files are ARCHIVED — read-only historical reference. Do not edit them. Use this API for all live coordination going forward.

.claude/DATABASE_FIRST_PROTOCOL.md

@@ -232,7 +232,7 @@ curl http://172.16.3.30:8001/health
 # Check total contexts
 curl -H "Authorization: Bearer $JWT" \
   http://172.16.3.30:8001/api/conversation-contexts | \
-  python -c "import sys,json; print(f'Total: {json.load(sys.stdin)[\"total\"]}')"
+  jq -r '.total'
 
 # Try different search term
 # Instead of: search_term=dataforth%20DOS

.claude/DIRECTIVES_ENFORCEMENT.md

@@ -1,418 +0,0 @@
-# Directives Enforcement Mechanism
-
-**Created:** 2026-01-19
-**Purpose:** Ensure Claude consistently follows operational directives and stops taking shortcuts
-
----
-
-## The Problem
-
-Claude (Main Instance) has a tendency to:
-- Take shortcuts by querying database directly instead of using Database Agent
-- Use emojis despite explicit prohibition (causes PowerShell errors)
-- Execute operations directly instead of coordinating via agents
-- Forget directives after conversation compaction or long sessions
-
-**Result:** Violated architecture, broken scripts, inconsistent behavior
-
----
-
-## The Solution: Multi-Layered Enforcement
-
-### Layer 1: Prominent Directive Reference in claude.md
-
-**File:** `.claude/claude.md` (line 3-15)
-
-```markdown
-**FIRST: READ YOUR DIRECTIVES**
-
-Before doing ANYTHING in this project, read and internalize `directives.md` in the project root.
-
-This file defines:
-- Your identity (Coordinator, not Executor)
-- What you DO and DO NOT do
-- Agent coordination rules (NEVER query database directly)
-- Enforcement checklist (NO EMOJIS, ASCII markers only)
-
-**If you haven't read directives.md in this session, STOP and read it now.**
-
-Command: `Read directives.md` (in project root: D:\ClaudeTools\directives.md)
-```
-
-**Effect:** First thing Claude sees when loading project context
-
----
-
-### Layer 2: /refresh-directives Command
-
-**File:** `.claude/commands/refresh-directives.md`
-
-**Purpose:** Command to re-read and internalize directives
-
-**User invocation:**
-```
-/refresh-directives
-```
-
-**Auto-invocation points:**
-- After `/checkpoint` command
-- After `/save` command
-- After conversation compaction (detected automatically)
-- After large task completion (3+ agents)
-- Every 50 tool uses (optional counter-based)
-
-**What it does:**
-1. Reads `directives.md` completely
-2. Performs self-assessment for violations
-3. Commits to following directives
-4. Reports status to user
-
-**Output:**
-```markdown
-## Directives Refreshed
-
-I've re-read my operational directives.
-
-**Key commitments:**
-- [OK] Coordinate via agents, not execute
-- [OK] Database Agent for ALL data operations
-- [OK] ASCII markers only (no emojis)
-- [OK] Preserve context by delegating
-
-**Self-assessment:** Clean - no violations detected
-
-**Status:** Ready to coordinate effectively.
-```
-
----
-
-### Layer 3: Integration with /checkpoint Command
-
-**File:** `.claude/commands/checkpoint.md` (step 8)
-
-**After git + database checkpoint:**
-```markdown
-8. **Refresh directives** (MANDATORY):
-   - After checkpoint completion, auto-invoke `/refresh-directives`
-   - Re-read `directives.md` to prevent shortcut-taking
-   - Perform self-assessment for any violations
-   - Confirm commitment to agent coordination rules
-   - Report directives refreshed to user
-```
-
-**Effect:** Every checkpoint automatically refreshes directives
-
----
-
-### Layer 4: Integration with /save Command
-
-**File:** `.claude/commands/save.md` (step 4)
-
-**After saving session log:**
-```markdown
-4. **Refresh directives** (MANDATORY):
-   - Auto-invoke `/refresh-directives`
-   - Re-read `directives.md` to prevent shortcut-taking
-   - Perform self-assessment for violations
-   - Confirm commitment to coordination rules
-   - Report directives refreshed
-```
-
-**Effect:** Every session save automatically refreshes directives
-
----
-
-### Layer 5: directives.md (The Source of Truth)
-
-**File:** `directives.md` (project root)
-
-**Contains:**
-- Identity definition (Coordinator, not Executor)
-- What Claude DOES and DOES NOT do
-- Complete agent coordination rules
-- Coding standards (NO EMOJIS - ASCII only)
-- Enforcement checklist
-- Pre-action verification questions
-
-**Key sections:**
-1. My Identity
-2. Core Operating Principle
-3. What I DO [OK]
-4. What I DO NOT DO [ERROR]
-5. Agent Coordination Rules
-6. Skills vs Agents
-7. Automatic Behaviors
-8. Coding Standards (NO EMOJIS)
-9. Enforcement Checklist
-
----
-
-## Automatic Trigger Points
-
-### Session Start
-```
-Claude loads project → Sees claude.md → "READ DIRECTIVES FIRST"
-→ Reads directives.md → Internalizes rules → Ready to work
-```
-
-### After Checkpoint
-```
-User: /checkpoint
-→ Claude creates git commit + database context
-→ Verifies both succeeded
-→ AUTO-INVOKES /refresh-directives
-→ Re-reads directives.md
-→ Confirms ready to proceed
-```
-
-### After Save
-```
-User: /save
-→ Claude creates/updates session log
-→ Commits to repository
-→ AUTO-INVOKES /refresh-directives
-→ Re-reads directives.md
-→ Confirms ready to proceed
-```
-
-### After Conversation Compaction
-```
-System: [Conversation compacted due to length]
-→ Claude detects compaction (system message)
-→ AUTO-INVOKES /refresh-directives
-→ Re-reads directives.md
-→ Restores operational mode
-→ Continues with proper coordination
-```
-
-### After Large Task
-```
-Claude completes task using 3+ agents
-→ Recognizes major work completed
-→ AUTO-INVOKES /refresh-directives
-→ Re-reads directives.md
-→ Resets to coordination mode
-→ Ready for next task
-```
-
----
-
-## Violation Detection
-
-### Self-Assessment Process
-
-**During /refresh-directives, Claude checks:**
-
-**Database Operations:**
-- [ ] Did I query database directly via ssh/mysql/curl? → VIOLATION
-- [ ] Did I call ClaudeTools API directly? → VIOLATION
-- [ ] Did I use Database Agent for data operations? → CORRECT
-
-**Code Generation:**
-- [ ] Did I write production code myself? → VIOLATION
-- [ ] Did I delegate to Coding Agent? → CORRECT
-
-**Emoji Usage:**
-- [ ] Did I use [OK][ERROR][WARNING] or other emojis? → VIOLATION
-- [ ] Did I use [OK]/[ERROR]/[WARNING]? → CORRECT
-
-**Agent Coordination:**
-- [ ] Did I execute operations directly? → VIOLATION
-- [ ] Did I coordinate via agents? → CORRECT
-
-**If violations detected:**
-```markdown
-[WARNING] Detected 2 directive violations:
-- Direct database query at timestamp X
-- Emoji usage in output at timestamp Y
-
-[OK] Corrective actions committed:
-- Will use Database Agent for all database operations
-- Will use ASCII markers [OK]/[ERROR] instead of emojis
-
-[SUCCESS] Directives re-internalized. Proper coordination restored.
-```
-
----
-
-## Benefits
-
-### Prevents Shortcut-Taking
-- Regular reminders not to query database directly
-- Reinforces agent coordination model
-- Stops emoji usage before it causes errors
-
-### Context Recovery
-- Restores operational mode after compaction
-- Ensures consistency across sessions
-- Maintains proper coordination principles
-
-### Self-Correction
-- Detects violations automatically
-- Commits to corrective behavior
-- Provides accountability to user
-
-### User Visibility
-- User sees when directives refreshed
-- Transparent operational changes
-- Builds trust in coordination model
-
----
-
-## Enforcement Checklist
-
-### For Claude (Self-Check Before Any Action)
-
-**Before database operation:**
-- [ ] Read directives.md this session? If no → STOP and read
-- [ ] Am I about to query database? → Use Database Agent instead
-- [ ] Am I about to use curl/API? → Use Database Agent instead
-
-**Before writing code:**
-- [ ] Am I writing production code? → Delegate to Coding Agent
-- [ ] Am I using emojis? → STOP, use [OK]/[ERROR]/[WARNING]
-
-**Before git operations:**
-- [ ] Am I about to commit? → Delegate to Gitea Agent
-- [ ] Am I about to push? → Delegate to Gitea Agent
-
-**After major operations:**
-- [ ] Completed checkpoint/save? → Auto-invoke /refresh-directives
-- [ ] Completed large task? → Auto-invoke /refresh-directives
-- [ ] Conversation compacted? → Auto-invoke /refresh-directives
-
----
-
-## User Commands
-
-### Manual Refresh
-```
-/refresh-directives
-```
-Manually trigger directive re-reading and self-assessment
-
-### Checkpoint (Auto-refresh)
-```
-/checkpoint
-```
-Creates git commit + database context, then auto-refreshes directives
-
-### Save (Auto-refresh)
-```
-/save
-```
-Creates session log, then auto-refreshes directives
-
-### Sync
-```
-/sync
-```
-Pulls latest from Gitea (directives.md included if updated)
-
----
-
-## Monitoring
-
-### User Can Monitor Compliance
-
-**Check for violations:**
-- Look for direct `ssh`, `mysql`, or `curl` commands to database
-- Look for emoji characters ([OK][ERROR][WARNING]) in output
-- Look for direct code generation (should delegate to Coding Agent)
-
-**If violations detected:**
-```
-User: /refresh-directives
-```
-Forces Claude to re-read and commit to directives
-
----
-
-## Maintenance
-
-### Updating directives.md
-
-**When to update:**
-- New agent added to system
-- New restriction discovered
-- Behavior patterns change
-- New shortcut tendencies identified
-
-**Process:**
-1. Edit `directives.md` with new rules
-2. Commit changes to repository
-3. Push to Gitea
-4. Invoke `/sync` on other machines
-5. Invoke `/refresh-directives` to apply immediately
-
----
-
-## Summary
-
-**Five-layer enforcement:**
-1. **claude.md** - Prominent reference at top (first thing Claude sees)
-2. **/refresh-directives command** - Explicit directive re-reading
-3. **/checkpoint integration** - Auto-refresh after checkpoints
-4. **/save integration** - Auto-refresh after session saves
-5. **directives.md** - Complete operational ruleset
-
-**Automatic triggers:**
-- Session start
-- After /checkpoint
-- After /save
-- After conversation compaction
-- After large tasks
-
-**Result:** Claude consistently follows directives, stops taking shortcuts, maintains proper agent coordination architecture.
-
----
-
-## Example: Full Enforcement Flow
-
-```
-Session Start:
-→ Claude loads .claude/claude.md
-→ Sees "READ YOUR DIRECTIVES FIRST"
-→ Reads directives.md completely
-→ Internalizes rules
-→ Ready to coordinate (not execute)
-
-User Request:
-→ "How many projects in database?"
-→ Claude recognizes database operation
-→ Checks directives: "Database Agent handles ALL database operations"
-→ Launches Database Agent with task
-→ Receives count from agent
-→ Presents to user
-
-After /checkpoint:
-→ Git commit created
-→ Database context saved
-→ AUTO-INVOKES /refresh-directives
-→ Re-reads directives.md
-→ Self-assessment: Clean
-→ Confirms: "Directives refreshed. Ready to coordinate."
-
-Conversation Compacted:
-→ System compacts conversation
-→ Claude detects compaction
-→ AUTO-INVOKES /refresh-directives
-→ Re-reads directives.md
-→ Restores coordination mode
-→ Continues properly
-```
-
----
-
-**This enforcement mechanism ensures Claude maintains proper operational behavior throughout the entire session lifecycle.**
-
----
-
-**Created:** 2026-01-19
-**Files Modified:**
-- `.claude/claude.md` - Added directive reference at top
-- `.claude/commands/checkpoint.md` - Added step 8 (refresh directives)
-- `.claude/commands/save.md` - Added step 4 (refresh directives)
-- `.claude/commands/refresh-directives.md` - New command definition
-
-**Status:** Active enforcement system

.claude/FILE_PLACEMENT_GUIDE.md

@@ -16,9 +16,11 @@
 | Client Info | Client details | `clients/[client-name]/CLIENT_INFO.md` |
 | Client Session Logs | Support notes | `clients/[client-name]/session-logs/` |
 | ClaudeTools API Code | `*.py`, migrations | `api/`, `migrations/` (keep existing structure) |
-| ClaudeTools API Logs | Session notes | `projects/claudetools-api/session-logs/` |
+| ClaudeTools API Logs | Session notes | `session-logs/` (root) |
+| GuruRMM Session Logs | RMM work | `session-logs/YYYY-MM-DD-session.md` (root — NOT in gururmm submodule) |
 | General Session Logs | Mixed work | `session-logs/YYYY-MM-DD-session.md` |
 | Credentials | All credentials | `credentials.md` (root - shared) |
+| **Wiki articles** | Compiled knowledge | `wiki/clients/`, `wiki/projects/`, `wiki/systems/`, `wiki/patterns/` — LLM-maintained, do not edit manually |
 
 ---
 
@@ -28,7 +30,7 @@
 
 **Ask yourself:** What project or client is this related to?
 - Dataforth DOS → `projects/dataforth-dos/`
-- ClaudeTools API → `projects/claudetools-api/` or root API folders
+- ClaudeTools API → root `api/`, `migrations/` folders; session logs to root `session-logs/`
 - Specific Client → `clients/[client-name]/`
 - Multiple projects → Root or `session-logs/`
 
@@ -96,8 +98,8 @@ clients/[client-name]/
 **Files Created:**
 - New router → `api/routers/new_endpoint.py` (existing structure)
 - Migration → `migrations/versions/xxx_add_table.py` (existing structure)
-- Session log → `projects/claudetools-api/session-logs/2026-01-20-session.md`
-- API docs → `projects/claudetools-api/documentation/NEW_ENDPOINT.md`
+- Session log → `session-logs/2026-01-20-session.md` (root)
+- API docs → `api/` or root `docs/` if cross-cutting
 
 ### Scenario 4: Mixed Work (Multiple Projects)
 

.claude/HOOKS.md

@@ -0,0 +1,196 @@
+# Git Hooks Configuration
+
+## Overview
+
+Git hooks automatically send notifications to the `dev-alerts` coordination channel when feature specifications are created or significant commits are made to main branches.
+
+## Installed Hooks
+
+### post-commit (Main Repo)
+
+**Location:** `.git/hooks/post-commit`
+
+**Triggers:**
+- **Feature Spec Creation:** When a commit includes new `docs/specs/SPEC-NNN-*.md` files
+- **Build Events:** When commits with conventional commit prefixes (`spec:`, `feat:`, `fix:`, `build:`) are made to `main` branch
+
+**Actions:**
+- Extracts SPEC number, priority, effort, and overview from spec file
+- Sends coordination message to `dev-alerts` channel
+- Includes commit hash, author, branch, and affected files
+
+**Message Format (Feature Spec):**
+```
+Subject: [ProjectName] Feature Spec: SPEC-NNN [Feature Name]
+Body:
+  - SPEC number and name
+  - Priority and effort estimate
+  - Overview excerpt
+  - Commit hash and author
+  - Link to spec file
+```
+
+**Message Format (Build Event):**
+```
+Subject: [ProjectName] Build: [commit type] on main
+Body:
+  - Commit hash and type
+  - Files changed count
+  - Branch and author
+  - Full commit message
+```
+
+### post-commit (GuruConnect Submodule)
+
+**Location:** `.git/modules/projects/msp-tools/guru-connect/hooks/post-commit`
+
+**Triggers:** Same as main repo
+**Project Key:** `guruconnect`
+**Project Name:** GuruConnect
+
+### post-commit (GuruRMM Submodule)
+
+**Location:** `.git/modules/projects/msp-tools/guru-rmm/hooks/post-commit`
+
+**Status:** To be created when submodule is initialized
+**Project Key:** `gururmm`
+**Project Name:** GuruRMM
+
+## Setup
+
+### Install Hooks Manually
+
+```bash
+# Main repo
+cp .claude/hooks/post-commit.template .git/hooks/post-commit
+chmod +x .git/hooks/post-commit
+
+# GuruConnect submodule
+cp .claude/hooks/post-commit.template .git/modules/projects/msp-tools/guru-connect/hooks/post-commit
+chmod +x .git/modules/projects/msp-tools/guru-connect/hooks/post-commit
+
+# GuruRMM submodule (when initialized)
+cp .claude/hooks/post-commit.template .git/modules/projects/msp-tools/guru-rmm/hooks/post-commit
+chmod +x .git/modules/projects/msp-tools/guru-rmm/hooks/post-commit
+```
+
+### Verify Hook Installation
+
+```bash
+# Check if hook exists and is executable
+ls -l .git/hooks/post-commit
+ls -l .git/modules/projects/msp-tools/guru-connect/hooks/post-commit
+
+# Test manually (run from repo root after a commit)
+.git/hooks/post-commit
+```
+
+## Coordination API Integration
+
+Hooks send messages to the coordination API at `http://172.16.3.30:8001/api/coord/messages` with:
+
+- **from_session:** `$(hostname)/claude-main`
+- **to_session:** `dev-alerts`
+- **project_key:** `guruconnect`, `gururmm`, or `claudetools`
+- **subject:** Auto-generated based on event type
+- **body:** Formatted notification with commit details
+
+## Message Recipients
+
+Messages sent to `dev-alerts` can be queried by any session:
+
+```bash
+# Check unread dev-alerts messages
+curl -s "http://172.16.3.30:8001/api/coord/messages?to_session=dev-alerts&unread_only=true"
+
+# Check all dev-alerts messages for a project
+curl -s "http://172.16.3.30:8001/api/coord/messages?to_session=dev-alerts&project_key=guruconnect"
+```
+
+## Troubleshooting
+
+### Hook Not Firing
+
+1. **Check executable permission:**
+   ```bash
+   chmod +x .git/hooks/post-commit
+   ```
+
+2. **Test manually:**
+   ```bash
+   .git/hooks/post-commit
+   ```
+
+3. **Check coordination API:**
+   ```bash
+   curl -s http://172.16.3.30:8001/api/coord/status
+   ```
+
+### Debug Hook Execution
+
+Temporarily add debug output to hook:
+
+```bash
+#!/bin/bash
+set -x  # Enable debug mode
+# ... rest of hook code ...
+```
+
+Then check git output after commit.
+
+## Customization
+
+### Add Custom Event Types
+
+Edit the hook and add new patterns to detect:
+
+```bash
+# Example: Detect documentation commits
+if echo "$COMMIT_MSG" | grep -qE '^docs:.*API'; then
+    # Send custom dev-alerts message
+fi
+```
+
+### Change Alert Channel
+
+Replace `dev-alerts` with a different channel name:
+
+```bash
+curl -s -X POST http://172.16.3.30:8001/api/coord/messages \
+  -H "Content-Type: application/json" \
+  -d "{
+    \"from_session\": \"$SESSION_ID\",
+    \"to_session\": \"build-notifications\",  # Changed from dev-alerts
+    ...
+  }"
+```
+
+## Maintenance
+
+### Disable Hooks Temporarily
+
+```bash
+# Rename to disable
+mv .git/hooks/post-commit .git/hooks/post-commit.disabled
+
+# Re-enable
+mv .git/hooks/post-commit.disabled .git/hooks/post-commit
+```
+
+### Update All Hooks
+
+When the hook logic changes, update all installations:
+
+```bash
+# Update template
+vim .claude/hooks/post-commit.template
+
+# Reinstall to all repos
+cp .claude/hooks/post-commit.template .git/hooks/post-commit
+cp .claude/hooks/post-commit.template .git/modules/projects/msp-tools/guru-connect/hooks/post-commit
+cp .claude/hooks/post-commit.template .git/modules/projects/msp-tools/guru-rmm/hooks/post-commit
+```
+
+---
+
+**Last Updated:** 2026-05-31

.claude/MAC-vault-readiness-test.md

@@ -0,0 +1,197 @@
+# Mac Vault Readiness Test Results
+
+**Date:** 2026-04-21
+**Machine:** Mikes-MacBook-Air.local
+**Purpose:** Test vault access capability for remediation-tool
+
+---
+
+## Test Results Summary
+
+**Status:** NOT READY - Multiple blockers present
+
+### Dependencies Check
+
+| Component | Status | Notes |
+|-----------|--------|-------|
+| jq | ✓ INSTALLED | jq-1.7.1-apple |
+| SOPS | ✗ NOT INSTALLED | Required for decrypting .sops.yaml files |
+| age | ✗ NOT INSTALLED | Required for SOPS encryption/decryption |
+| age key | ✗ NOT CONFIGURED | ~/.config/sops/age/keys.txt missing |
+| vault repo | ✗ NOT CLONED | Git authentication blocked |
+| vault_path in identity.json | ✗ NOT SET | Would point to ~/vault once cloned |
+
+### What Works
+
+**[OK] Vault wrapper script exists and reports correct errors:**
+```bash
+bash .claude/scripts/vault.sh list
+→ [ERROR] vault_path not set in identity.json
+```
+
+**[OK] get-token.sh bug fixes applied:**
+- Variable collision fixed (VAULT_PATH → VAULT_ROOT_ENV)
+- Directory traversal corrected (4 levels up instead of 3)
+
+**[OK] Remediation-tool scripts are executable:**
+```bash
+ls -la .claude/skills/remediation-tool/scripts/*.sh
+→ All scripts have execute permissions
+```
+
+### What's Blocked
+
+**1. Vault Repository Clone**
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+→ fatal: could not read Password: Device not configured
+```
+
+Git cannot prompt for credentials in this terminal session.
+
+**2. SOPS Installation**
+```bash
+sops --version
+→ command not found
+```
+
+SOPS not installed via Homebrew or other package manager.
+
+**3. age Installation**
+```bash
+age --version
+→ command not found
+```
+
+age encryption tool not installed.
+
+**4. age Key Configuration**
+```bash
+test -f ~/.config/sops/age/keys.txt
+→ File does not exist
+```
+
+No SOPS age private key configured.
+
+---
+
+## What Would Be Required to Unblock
+
+### Installation Steps (If Vault Access on Mac is Needed)
+
+**1. Install Homebrew (if not already installed):**
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+```
+
+**2. Install SOPS:**
+```bash
+brew install sops
+```
+
+**3. Install age:**
+```bash
+brew install age
+```
+
+**4. Copy age private key from Windows:**
+
+On Windows (DESKTOP-0O8A1RL):
+```bash
+cat C:\Users\<username>\.config\sops\age\keys.txt
+```
+
+On Mac:
+```bash
+mkdir -p ~/.config/sops/age
+# Paste the private key content into:
+nano ~/.config/sops/age/keys.txt
+chmod 600 ~/.config/sops/age/keys.txt
+```
+
+**5. Configure Git credential helper:**
+```bash
+git config --global credential.helper osxkeychain
+```
+
+**6. Clone vault repository:**
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+# Will prompt for password - enter Gitea password
+```
+
+**7. Add vault_path to identity.json:**
+```bash
+# Edit .claude/identity.json and add:
+"vault_path": "/Users/azcomputerguru/vault"
+```
+
+**8. Test token acquisition:**
+```bash
+cd .claude/skills/remediation-tool/scripts
+./get-token.sh grabblaw.com investigator
+```
+
+Should return a JWT token if all configured correctly.
+
+---
+
+## Is This Worth Doing?
+
+**Probably not, unless you need remediation-tool on Mac.**
+
+**Why it's not urgent:**
+- Windows (DESKTOP-0O8A1RL) has working vault + remediation-tool ✓
+- Vault sync validated on Windows - all 5 tiers working ✓
+- Howard can be unblocked by pulling vault on ACG-Tech03L ✓
+- Mac is just for testing/portability
+
+**Use cases for Mac vault:**
+- Running breach checks while away from Windows desktop
+- Testing remediation-tool portability across platforms
+- Validating vault sync from Mac perspective
+
+**Alternatives:**
+- Use Windows for all remediation-tool work (current state)
+- SSH into Windows from Mac when needed
+- Remote desktop to Windows desktop
+
+---
+
+## Recommendation
+
+**Skip Mac vault setup for now.**
+
+**Reasons:**
+1. Windows already validated vault sync works
+2. All 5 SOPS files confirmed present
+3. Token acquisition tested on all 5 tiers
+4. Howard can be notified to pull
+5. Mac setup requires 4 installations + credential management
+
+**Only set up Mac vault if:**
+- You frequently work from Mac and need remediation-tool
+- You want to test cross-platform portability
+- Windows desktop is unavailable for extended periods
+
+---
+
+## Current Capability on Mac
+
+**What works:**
+- Reading/editing remediation-tool scripts
+- Viewing tenant lists (references/tenants.md)
+- Resolving tenant IDs: `./resolve-tenant.sh <domain>`
+- All other ClaudeTools functionality
+
+**What doesn't work:**
+- Token acquisition (no vault)
+- SOPS decryption (no vault + no SOPS)
+- Running breach checks (needs tokens)
+- Testing remediation-tool workflows (needs tokens)
+
+---
+
+**Status:** Documented and understood - Mac not currently set up for vault access
+**Action:** No action needed unless Mac remediation-tool access becomes necessary
+**Validated on:** Windows (DESKTOP-0O8A1RL) - all 5 tiers working

.claude/MCP_SERVERS.md

@@ -0,0 +1,109 @@
+# MCP Servers — Configuration Reference
+
+MCP (Model Context Protocol) servers extend Claude Code with external tool
+capabilities. Each server runs as a child process and exposes tools that
+Claude can call.
+
+**Config file:** `.mcp.json` in repo root (shared across machines via git).
+
+---
+
+## Active Servers
+
+### TickTick
+
+Task management integration for TickTick (todo/project tracking app).
+
+**Tools provided:**
+- `ticktick_create_task`, `ticktick_update_task`, `ticktick_complete_task`, `ticktick_delete_task`
+- `ticktick_create_project`, `ticktick_update_project`, `ticktick_delete_project`
+- `ticktick_list_projects`, `ticktick_get_project`
+
+**Auth:** OAuth token stored in vault at `services/ticktick.sops.yaml`. Token file
+auto-generated by `mcp-servers/ticktick/ticktick_auth.py` on first use.
+
+**Config in `.mcp.json`:**
+```json
+{
+  "mcpServers": {
+    "ticktick": {
+      "command": "python",
+      "args": ["D:\\claudetools\\mcp-servers\\ticktick\\ticktick_mcp.py"]
+    }
+  }
+}
+```
+
+### Claude-in-Chrome (browser automation)
+
+Installed as a Chrome browser extension. Provides browser automation tools
+for web interaction, form filling, page reading, screenshots, GIF recording.
+
+**Not configured in `.mcp.json`** — runs as a Chrome extension that connects
+automatically when the Claude Code extension is active and Chrome is open.
+
+**Tools provided:** `tabs_context_mcp`, `tabs_create_mcp`, `navigate`, `computer`
+(click/type/screenshot), `read_page`, `find`, `form_input`, `javascript_tool`,
+`get_page_text`, `read_console_messages`, `gif_creator`, etc.
+
+**Requires:** Chrome browser with the Claude-in-Chrome extension installed.
+
+---
+
+## Available but Not Wired
+
+These server directories exist but aren't in `.mcp.json`. Add them when needed.
+
+### GrepAI MCP Server
+
+Semantic code search over the indexed codebase. Alternative to using the
+`grepai search` CLI directly.
+
+**To activate:** Add to `.mcp.json`:
+```json
+{
+  "grepai": {
+    "command": "D:\\claudetools\\grepai.exe",
+    "args": ["mcp-serve"]
+  }
+}
+```
+
+**Requires:** GrepAI initialized (`grepai init`) + Ollama running with
+`nomic-embed-text` model. Index builds automatically via `grepai watch`.
+
+### Ollama Assistant
+
+Local LLM integration for delegating simple tasks (summarization,
+classification, drafting) to locally-running models.
+
+**Location:** `mcp-servers/ollama-assistant/`
+
+**To activate:** Check the server's README for the exact `.mcp.json` entry.
+Requires Ollama running at `http://localhost:11434` with models pulled.
+
+### Feature Management
+
+Feature flag management server.
+
+**Location:** `mcp-servers/feature-management/`
+
+**Status:** Exists but purpose unclear. Check directory for README.
+
+---
+
+## Adding a New MCP Server
+
+1. Create directory: `mcp-servers/<name>/`
+2. Write the server script (Python or Node recommended)
+3. Add entry to `.mcp.json` with `command` and `args`
+4. Restart Claude Code to pick up the new server
+5. Document in this file
+
+**Important:** `.mcp.json` is tracked in git. Changes sync to all machines.
+Machine-specific server paths should use absolute paths that work on all
+team workstations (or use relative paths from repo root).
+
+---
+
+*Last updated: 2026-04-16*

.claude/OLLAMA.md

@@ -0,0 +1,224 @@
+# Ollama — Local AI Reference
+
+Ollama's always-on host is **GURU-BEAST-ROG** (RTX 4090, 24 GB VRAM, Tailscale `100.101.122.4`). It is the canonical Tailscale fallback for all machines without a local Ollama. DESKTOP-0O8A1RL and other workstations use local when available, Beast otherwise.
+
+## Models
+
+| Model | Size | Use For |
+|-------|------|---------|
+| `qwen3.6:latest` | 23 GB | Strict-format work: JSON/structured extraction, classification, per-item rules, redaction, word-limited summaries, adherence-critical drafting. 36B MoE. |
+| `qwen3:14b` | 9.3 GB | Bulk prose on machines with >16 GB VRAM: session log narrative, commit bodies, client notes, free-text handoffs. |
+| `qwen3:8b` | 5.2 GB | Bulk prose on DESKTOP-0O8A1RL (12 GB VRAM). Same role as qwen3:14b but fits fully in VRAM on that machine. |
+| `codestral:22b` | 12 GB | Code generation, refactoring suggestions, docstrings |
+| `nomic-embed-text` | 274 MB | Embeddings only (used by GrepAI) |
+
+### Routing basis
+
+Quality routing: 16-prompt benchmark on 2026-05-16 (`benchmark_qwen_3_6.py` in repo root). qwen3.6 scored 15/16 vs qwen3:14b 11/16 and qwen3:32b 12/16. 3.6 won every strict-format and adherence test. **Known regression**: 3.6 missed one small reasoning prompt — re-validate when qwen3.7 lands. qwen3:32b dominated on every axis; not in rotation.
+
+Speed routing: benchmarked 2026-05-16 on DESKTOP-0O8A1RL (RTX 5070 Ti Laptop, 12 GB VRAM):
+
+| Model | VRAM fit | Tok/s (this machine) | Tok/s (full-VRAM ref) |
+|-------|----------|----------------------|------------------------|
+| qwen3:8b | 100% (10.9/10.9 GB) | **74-86** | ~90 |
+| qwen3:14b | 73% (11.3/15.6 GB) | 17-18 | ~66 |
+| qwen3.6 | 41% (11.3/27.5 GB) | 17-19 | ~32 |
+
+qwen3:14b and qwen3.6 are CPU-bottlenecked on this machine (split mode, PCIe bandwidth limited). qwen3:8b fits entirely in VRAM and is **4.8x faster** than qwen3:14b here.
+
+### Machine-specific prose model
+
+| Machine | GPU VRAM | Prose model |
+|---------|----------|-------------|
+| GURU-BEAST-ROG | 24 GB (RTX 4090) | `qwen3:14b` (always-on Tailscale host — `100.101.122.4`) |
+| DESKTOP-0O8A1RL | 12 GB (RTX 5070 Ti Laptop) | `qwen3:8b` (local — 4.8x faster than 14b here) |
+| Mikes-MacBook-Air | unified memory | `qwen3:14b` |
+| HOWARD-HOME | local Ollama | `qwen3:14b` |
+| GURU-KALI | 8 GB (RTX 4070 Mobile) — see note | remote Beast / `qwen3:14b` now; `qwen3:8b` if local installed |
+| Other | Tailscale fallback (Beast) | `qwen3:14b` |
+
+> **GURU-KALI status (2026-05-24):** Tailscale installed — remote Ollama
+> (Beast at `100.101.122.4`) is reachable, so it uses the Tailscale-fallback prose model
+> `qwen3:14b` (the "Other" row). No local Ollama yet. It has strong hardware
+> but the GPU runs the nouveau driver (no CUDA), so a future local
+> Ollama would need the proprietary NVIDIA driver for GPU accel; `qwen3:8b` would
+> then fit its 8 GB VRAM (mirrors DESKTOP-0O8A1RL), with larger models splitting to
+> CPU. Full machine profile: `.claude/machines/guru-kali.md`.
+>
+> **GURU-BEAST-ROG models (2026-05-25):** `gemma3:27b`, `qwen3:32b`, `qwen3:14b`, `codestral:22b`, `nomic-embed-text`. Note: `qwen3.6:latest` and `qwen3:8b` not yet installed — add if strict-format or speed routing is needed.
+
+## Endpoints
+
+Endpoint comes from `.claude/identity.json` `ollama` (Phase 2 centralization, 2026-05-26) — read the declared endpoint, no curl probe per call:
+
+```bash
+OLLAMA=$(jq -r '.ollama.endpoint // .ollama.fallback // "http://localhost:11434"' .claude/identity.json)
+MODEL=$(jq  -r '.ollama.prose_model // "qwen3:14b"' .claude/identity.json)
+```
+
+`migrate-identity.sh` sets the `ollama` object per machine — `endpoint` (the one to use), `fallback` (backup, usually GURU-BEAST-ROG `100.101.122.4`), `prose_model` (qwen3:8b on 12 GB boxes, qwen3:14b elsewhere). Re-run `migrate-identity.sh` to re-detect after an Ollama/network change.
+
+Rationale:
+- **Local-Ollama machines** (e.g. Howard-Home, GURU-5070) get `endpoint=localhost` at migration — faster, zero Tailscale hop.
+- **GURU-BEAST-ROG:** always-on RTX 4090; the usual `fallback`, and many machines' `endpoint`.
+- **Machines without local Ollama** (e.g. GURU-KALI) get `endpoint=fallback=Beast`.
+- **No per-call probe:** the declared endpoint is trusted; re-run migrate-identity.sh if the Ollama/network topology changes.
+
+Manual override (for testing or explicit preference): set `OLLAMA=http://100.101.122.4:11434` before the call.
+
+Check reachability:
+```bash
+curl -s $OLLAMA/api/tags | jq -r '.models[].name'
+```
+
+If neither endpoint responds: verify Tailscale (`tailscale status`) and whether your local Ollama service is running.
+
+## Access Control
+
+- Port 11434 allowed ONLY from Tailscale subnet (100.0.0.0/8)
+- NOT exposed to LAN, VPN, or internet
+- Binding: `OLLAMA_HOST=0.0.0.0:11434` (firewall restricts)
+
+## Calling Ollama
+
+Use the `/api/chat` endpoint with `think:false` for qwen3 models. The older `/api/generate` endpoint on qwen3 puts output into thinking tokens that don't appear in the `response` field — you'll get an empty response if you use `/api/generate`.
+
+Preferred one-liner — endpoint **and** model come from `identity.json` (consistent with
+**Endpoints** above; no per-call probe). The old inline auto-detect was REMOVED: it called
+`urlopen()` as a truthiness test, which *raises* `URLError` on a down host instead of
+yielding the fallback — so it crashed on a down localhost rather than failing over to Beast,
+and it violated the "no per-call probe" rule.
+```bash
+OLLAMA="${OLLAMA:-$(jq -r '.ollama.endpoint // .ollama.fallback // "http://localhost:11434"' .claude/identity.json)}"
+MODEL="${MODEL:-$(jq  -r '.ollama.prose_model // "qwen3:14b"' .claude/identity.json)}"
+OLLAMA="$OLLAMA" MODEL="$MODEL" python -c "
+import urllib.request, json, sys, os
+body = json.dumps({
+  'model': os.environ['MODEL'],
+  'messages':[{'role':'user','content': sys.argv[1]}],
+  'stream':False,
+  'think':False
+}).encode()
+res = json.loads(urllib.request.urlopen(urllib.request.Request(os.environ['OLLAMA']+'/api/chat', body), timeout=120).read())
+print(res['message']['content'])
+" "Your prompt here"
+```
+
+Or set `$OLLAMA` once from bash (see auto-detect formula above) and reuse it across calls.
+
+For code suggestions, swap `qwen3:14b` for `codestral:22b`. Codestral doesn't need `think:false`.
+
+Cold-start is ~30-50s on first call per model per session. Warm calls are 1-5s.
+
+## Documentation Engine
+
+**Ollama is the default documentation engine for all prose output.** Any time stored text needs to be generated — session logs, commit messages, ticket comments, client notes, code docs — route it through Ollama first. Claude reviews, corrects if needed, then writes or posts.
+
+This keeps Claude tokens focused on reasoning, decisions, and execution. Ollama handles the writing.
+
+### What Ollama owns
+
+| Output | Model | Claude's role |
+|--------|-------|---------------|
+| Session log narrative (summary, decisions, problems) | qwen3:14b / qwen3:8b* | Review + assemble with factual sections |
+| Commit message body | qwen3:14b / qwen3:8b* | Review + execute git commit |
+| Syncro comment bodies + billing descriptions | qwen3:14b / qwen3:8b* | Review checklist + post via API |
+| Ticket initial issue / description text | qwen3:14b / qwen3:8b* | Review + post |
+| Client-facing notes and summaries | qwen3:14b / qwen3:8b* | Review for accuracy |
+| Agent phase handoff summaries (explore → plan, plan → implement) | qwen3:14b / qwen3:8b* | Review + include in agent brief |
+| Client email drafts | qwen3:14b / qwen3:8b* | Review for accuracy + tone before sending |
+| Ticket / issue classification (priority, type, category) | qwen3.6 | Review + apply label |
+| Diff summarization before commit | qwen3.6 | Review + use in commit message |
+| Error message categorization (transient / config / bug) | qwen3.6 | Review + act on classification |
+| Structured data extraction (JSON, fields, tags) | qwen3.6 | Review + use programmatically |
+| PII redaction in logs/transcripts | qwen3.6 | Review before publishing |
+| Strict word-limit summaries (e.g. ticket subject, alert text) | qwen3.6 | Review + use |
+| Multi-step / per-item rule application on lists | qwen3.6 | Review + use |
+| Code comments and docstrings | codestral:22b | Review before applying |
+| Refactor suggestions | codestral:22b | Review before applying |
+
+\* Use `qwen3:8b` on DESKTOP-0O8A1RL — 4.8x faster than 14b there due to full VRAM fit. Use `qwen3:14b` on all other machines.
+
+### What Claude always owns (never Ollama)
+
+- Credentials, passwords, API keys — must be verbatim accurate
+- Infrastructure details, IPs, hostnames — must be verbatim accurate
+- Command outputs and error messages — verbatim from actual output
+- Security decisions, auth review, production migrations
+- Final field values on API payloads (rates, IDs, quantities)
+
+### GrepAI config (re-apply on new machines)
+
+`.grepai/` is gitignored (90 MB index + machine-specific timestamps). After running `grepai init` on a new machine, apply these overrides to `.grepai/config.yaml`:
+
+**Remove the `.md` penalty** (markdown is primary content here, not docs noise):
+```yaml
+# DELETE this block:
+- pattern: .md
+  factor: 0.6
+```
+
+**Add these bonuses** under `search.boost.bonuses`:
+```yaml
+- pattern: session-logs/
+  factor: 1.3
+- pattern: .claude/
+  factor: 1.2
+- pattern: /clients/
+  factor: 1.1
+```
+
+**Start watcher + register scheduled task:**
+```bash
+D:/claudetools/grepai.exe watch --background
+# Then in PowerShell (admin not required):
+$action = New-ScheduledTaskAction -Execute "D:\claudetools\grepai.exe" -Argument "watch --background" -WorkingDirectory "D:\claudetools"
+$trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
+$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 0) -MultipleInstances IgnoreNew
+Register-ScheduledTask -TaskName "GrepAI Watcher - claudetools" -Action $action -Trigger $trigger -Settings $settings -Force
+```
+
+### Warm-start and GrepAI
+
+GrepAI uses `nomic-embed-text` for context lookups, which keeps the Ollama **service** running continuously. The 30-50s service cold-start is effectively eliminated in normal workflow. `qwen3:14b` may take ~5s to swap into VRAM if it hasn't been called recently, but that's the worst case — not 50s.
+
+If the first Ollama call of a session needs to be fast, send a throwaway warm-up ping:
+```bash
+py -c "
+import urllib.request, json
+body = json.dumps({'model':'qwen3:14b','messages':[{'role':'user','content':'ok'}],'stream':False,'think':False}).encode()
+urllib.request.urlopen(urllib.request.Request('$OLLAMA/api/chat', body), timeout=60).read()
+print('warm')
+"
+```
+
+## When to Use Which Model
+
+| Task | Model |
+|------|-------|
+| Session log narrative sections | qwen3:8b* / qwen3:14b |
+| Commit message body | qwen3:8b* / qwen3:14b |
+| Ticket / client comment drafting | qwen3:8b* / qwen3:14b |
+| Summarize logs, diffs, incident notes (no length cap) | qwen3:8b* / qwen3:14b |
+| Agent phase handoff summaries | qwen3:8b* / qwen3:14b |
+| Client email drafts | qwen3:8b* / qwen3:14b |
+| Classify bug type, severity, category, priority | qwen3.6 |
+| Extract structured data from text (JSON, fields) | qwen3.6 |
+| Diff summarization with strict format / fields | qwen3.6 |
+| Error categorization (transient / config / bug / permission) | qwen3.6 |
+| PII redaction, output preserving format | qwen3.6 |
+| Strict word-limit summaries (subject lines, alerts) | qwen3.6 |
+| Multi-step rule application across lists | qwen3.6 |
+| Untrusted input that may contain prompt injection | qwen3.6 |
+| Code comment / docstring generation | codestral:22b |
+| Refactor suggestions | codestral:22b |
+
+\* On DESKTOP-0O8A1RL only — 4.8x faster (86 tok/s vs 18 tok/s). Use `qwen3:14b` on all other machines.
+
+**Rule of thumb:** if the output is *prose someone will read*, use the per-machine prose model (qwen3:8b on DESKTOP-0O8A1RL, qwen3:14b elsewhere). If the output is *structured data something will parse* or *must obey a tight format*, use qwen3.6.
+
+## Review Policy
+
+- Documentation output (session logs, commit messages, comments) — Claude reviews before writing/posting
+- Code suggestions from codestral — always review before applying
+- Never use Ollama for: credentials, auth decisions, production migrations, security review, API payload field values

.claude/ONBOARDING.md

@@ -0,0 +1,331 @@
+# Welcome to ClaudeTools — Onboarding Guide
+
+Hey! This guide explains how our Claude Code setup works, WHY it's built the way it is, and how to use it effectively for daily MSP work. Read this once, then use it as reference when something feels unfamiliar.
+
+---
+
+## What is this?
+
+ClaudeTools is our shared workspace for **Claude Code** — the AI coding + automation assistant. It's a git repo that syncs across our workstations via Gitea (our self-hosted Git server). Everything Claude learns, every session log, every automation script, every project we build — it all lives here and stays in sync.
+
+**Why a repo instead of just using Claude directly?**
+- Claude Code loses context between sessions. This repo IS the memory.
+- Session logs preserve what we did, what creds we used, what decisions we made.
+- CLAUDE.md tells Claude HOW to behave specifically for our org (not generic defaults).
+- Skills and commands give us reusable shortcuts for common MSP tasks.
+- The vault (separate repo) stores all credentials encrypted so Claude can access them without us typing passwords every session.
+
+---
+
+## First time setup
+
+When you open Claude Code for the first time on a new machine, Claude will ask who you are. Just answer with your name. Claude then:
+
+1. Creates a local identity file (so it knows who's at the keyboard)
+2. Sets your git name/email for commits
+3. Registers your machine in the shared users list
+
+After that, every session log and git commit is attributed to you.
+
+### Machine-local configuration
+
+Some configuration files are **machine-local** (gitignored, not synced) because they contain machine-specific paths or settings:
+
+| File | Purpose | Auto-created? |
+|------|---------|---------------|
+| `.claude/identity.json` | Your name, email, vault path | YES — during onboarding |
+| `.claude/current-mode` | Work mode (dev, infra, client, etc.) | YES — defaults to "general" |
+| `.claude/settings.local.json` | Per-machine env (`CLAUDETOOLS_ROOT`) + local permissions | env via provisioner (below) |
+
+**`CLAUDETOOLS_ROOT` env — run once per machine after `identity.json` exists:**
+
+```bash
+py .claude/scripts/ensure-settings-env.py
+```
+
+This seeds `env.CLAUDETOOLS_ROOT` in `.claude/settings.local.json` from
+`identity.json.claudetools_root`. Many skill docs invoke
+`py "$CLAUDETOOLS_ROOT/.claude/skills/.../x.py"`; Claude Code injects the settings `env`
+block into every Bash call, so without this the var is empty and those commands resolve to
+the wrong path (the failure logged in `errorlog.md` on 2026-06-14). Idempotent; takes effect
+at the next session start. The script is also safe to re-run any time the clone moves.
+
+**`.claude/current-mode`** is used by coordination hooks to determine behavior:
+- In `dev` mode: Hooks show active locks as warnings but don't block
+- In other modes: Hooks enforce coordination protocol more strictly
+
+You never need to manually create this file — the UserPromptSubmit hook initializes it automatically on first run. Claude updates it when switching modes (e.g., when you say "work on Dataforth" switches to client mode).
+
+### GuruRMM repo — one-time setup per machine
+
+The GuruRMM repo (`projects/msp-tools/guru-rmm/`) requires one extra step after cloning or first use. Run this from the repo root:
+
+```bash
+bash scripts/install-hooks.sh
+```
+
+This does three things permanently:
+- Points git at `scripts/hooks/` so pre-commit checks run automatically (and stay current as hooks evolve — no re-install after updates)
+- Sets `core.autocrlf=false` and `core.eol=lf` for this repo (prevents sqlx migration checksum drift from Windows CRLF line endings)
+- Sets `core.autocrlf=false` globally on this machine
+
+**Why this matters:** sqlx verifies migration files by sha384 hash. A file committed with CRLF line endings hashes differently than the same file with LF — the server sees the mismatch and refuses to start. The `.gitattributes` file handles new commits automatically; this command configures the git client for existing checkouts.
+
+### Claude Code Hooks — where each hook lives
+
+Claude Code fires hooks on specific events (before tool use, on message submit, etc.). We have two active hooks:
+
+| Hook | File | What it does |
+|------|------|--------------|
+| `PreToolUse` (Bash) | `~/.claude/settings.json` (global, per-machine) | Blocks `powershell -Command` inline invocations from Git Bash — prevents a class of shell escaping bugs |
+| `UserPromptSubmit` | `.claude/settings.json` (project-level, committed) | Checks the coord API for unread cross-session messages on every prompt; fires Windows toast notifications |
+
+**The `UserPromptSubmit` hook is in the project `.claude/settings.json` and uses `$CLAUDE_PROJECT_DIR`** — a variable Claude Code sets automatically to the project root. This makes it portable across all machines without any machine-specific paths.
+
+**If you have an old UserPromptSubmit entry in `~/.claude/settings.json` or `.claude/settings.local.json`, remove it.** The project-level hook fires correctly and the old entry causes double-firing. Symptoms of double-firing: two toast notifications per prompt, or messages marked read before you see them.
+
+To clean up on any machine:
+
+1. Check `~/.claude/settings.json` — the `hooks` section should contain ONLY `PreToolUse` (the pwsh-script block). If there's a `UserPromptSubmit` block there, delete it.
+2. Check `.claude/settings.local.json` — if there's a `hooks` section with `UserPromptSubmit`, delete the entire `hooks` block.
+3. The `PreToolUse` hook path in `~/.claude/settings.json` uses `$CLAUDETOOLS_ROOT/.claude/hooks/pre-bash-pwsh-script.sh` — update this if your claudetools clone is at a different path.
+
+**The `PreToolUse` hook path is still machine-specific** (hardcoded path in `~/.claude/settings.json`) because global user settings don't have access to `$CLAUDE_PROJECT_DIR`. If you're on Windows with claudetools at `D:/claudetools`, the entry is:
+```json
+"command": "\"D:/claudetools/.claude/hooks/pre-bash-pwsh-script.sh\""
+```
+On Mac (claudetools at `~/claudetools`):
+```json
+"command": "\"~/claudetools/.claude/hooks/pre-bash-pwsh-script.sh\""
+```
+
+---
+
+## The slash commands (most important daily tools)
+
+Type these in Claude Code's prompt. They're shortcuts for common operations.
+
+| Command | What it does | When to use |
+|---------|-------------|-------------|
+| `/save` | Saves a comprehensive session log (what you did, creds used, decisions made) | **End of every significant work session.** This is how future-you (or future-me) recovers context. |
+| `/sync` | Pull + push changes to/from Gitea | Start of session (get latest), end of session (push yours) |
+| `/context` | Searches session logs and credentials for previous work | "What did we do for Dataforth last week?" or "What's the password for AD2?" |
+| `/checkpoint` | Git commit + database context save | After completing a feature or fix |
+| `/scc` | Save + Commit + Push (all three in one shot) | Quick end-of-session wrap-up |
+| `/1password` | Access secrets from 1Password | When vault doesn't have a credential |
+
+### Why these exist
+
+Without `/save`, you'd lose everything when a session ends. Without `/sync`, your work stays on one machine. Without `/context`, you'd re-discover the same information every session. These three commands are 90% of daily usage.
+
+---
+
+## The SOPS vault (how credentials work)
+
+We store ALL credentials in an encrypted vault (separate git repo). Files are YAML encrypted with age/SOPS. Claude can decrypt them on the fly.
+
+**How Claude accesses a credential:**
+```bash
+# Always via the ClaudeTools wrapper — never a hardcoded path
+bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field clients/dataforth/ad2.sops.yaml credentials.password
+```
+
+**Why this matters:**
+- We never hardcode passwords in scripts or session logs (they're vault references)
+- The vault syncs across machines via Gitea (same as claudetools)
+- Encryption uses an age key — this key needs to be on each machine that decrypts
+
+**Setup required on each machine:**
+
+1. **Clone the vault repo** somewhere convenient (e.g., `~/vault` on Mac/Linux, `D:\vault` on Windows)
+
+2. **Add `vault_path` to `.claude/identity.json`** (created during onboarding):
+   ```json
+   {
+     "user": "howard",
+     "vault_path": "/Users/howard/vault"
+   }
+   ```
+   This is the only place the path lives — no hardcoded paths in any shared file.
+
+3. **Install your age key.** Mike will give you the key file. Drop it at:
+   - **Windows:** `C:\Users\<you>\AppData\Roaming\sops\age\keys.txt`
+   - **Mac/Linux:** `~/.config/sops/age/keys.txt`
+
+Without the age key, vault commands fail. Everything else works fine.
+
+---
+
+## How Claude knows about our infrastructure
+
+### CLAUDE.md (the brain)
+
+`.claude/CLAUDE.md` is the master instructions file. Claude reads it at the start of every session. It tells Claude:
+
+- **Who we are** (AZ Computer Guru, MSP)
+- **How to behave** (delegate to agents, no emojis, use vault for creds)
+- **What projects exist** (GuruRMM, Dataforth, ClaudeTools API)
+- **How to load context** automatically when you mention a project keyword
+
+**Key behavior:** If you say "work on Dataforth", Claude automatically reads `projects/dataforth-dos/CONTEXT.md` before responding. Same for "GuruRMM" → reads `projects/msp-tools/guru-rmm/CONTEXT.md`. This means Claude starts every project conversation with full context — server IPs, current state, recent work, anti-patterns to avoid.
+
+### CONTEXT.md files (per-project state)
+
+Each major project has a `CONTEXT.md` that captures:
+- Server IPs, ports, credentials references
+- Current deployment state
+- Recent session logs (what was done last)
+- Anti-patterns (things NOT to do, learned from past mistakes)
+- What to work on next
+
+These files are the **single source of truth** for "where are we on this project."
+
+### Session logs (the history)
+
+Every significant work session gets a log saved to `session-logs/` (root for general, or `projects/*/session-logs/` for project-specific). These include:
+- What was accomplished
+- Full credentials used (unredacted — needed for future sessions)
+- Infrastructure changes made
+- Commands that worked and errors that didn't
+- What's still pending
+
+**This is why `/save` matters.** Without it, the next person (or the next Claude session) starts from scratch.
+
+---
+
+## Skills (auto-invoked behaviors)
+
+Skills are more powerful than commands — some trigger automatically.
+
+| Skill | Auto-invokes? | What it does |
+|-------|--------------|-------------|
+| `frontend-design` | YES — after any UI change | Validates visual correctness, accessibility, design quality |
+| `stop-slop` | YES — always active | Prevents generic/lazy AI output. Enforces quality. |
+| `remediation-tool` | When you say "remediation tool" or "365" | M365 tenant investigation via our Graph API app |
+| `skill-creator` | On request | Helps build new custom skills |
+| `theme-factory` | On request | Apply visual themes to HTML artifacts |
+
+### Why "stop-slop" exists
+
+Without it, Claude defaults to generic patterns (purple gradients, Inter font, emoji-heavy prose). Our `stop-slop` skill enforces our standards: ASCII markers instead of emojis, specific rather than vague, no filler phrases.
+
+---
+
+## Agents (specialized workers)
+
+Claude Code can spawn sub-agents for specific tasks. These are defined in `.claude/agents/`. The main ones you'll encounter:
+
+| Agent | What it does | When Claude uses it |
+|-------|-------------|-------------------|
+| **Database Agent** | Runs SQL queries on our databases | Any database operation — Claude should NEVER query directly |
+| **Code Review Agent** | Reviews code changes for quality/security | After any code modification |
+| **Coding Agent** | Writes production code | When Claude needs to generate code (not just edit) |
+| **Explore Agent** | Searches codebases quickly | When looking for files, patterns, or understanding code |
+| **Gitea Agent** | Git commits, pushes, branch operations | Commit workflow |
+| **Backup Agent** | Backup operations | Before destructive changes |
+
+**Why agents?** Claude has a limited context window. If it does everything itself, it runs out of memory mid-conversation. Agents handle heavy work in isolation and return just the summary. Also: separation of concerns — the Code Review Agent can independently evaluate code the Coding Agent wrote.
+
+---
+
+## Local AI tools (when available)
+
+### Ollama (local LLM)
+
+Ollama runs AI models locally on your GPU. Used for tasks that don't need Claude's full reasoning power — summarization, classification, data extraction.
+
+**Models we use:**
+- `qwen3:14b` — general purpose (summarization, drafting)
+- `codestral:22b` — code generation assistance
+- `nomic-embed-text` — embeddings for semantic search
+
+**Ollama runs on Mike's workstation** and is shared via Tailscale. You don't need to install it locally.
+
+**To use from your machine (Tailscale must be connected):**
+```bash
+curl -s http://100.92.127.64:11434/api/tags
+```
+
+If that returns models, you're connected. Claude automatically uses the right URL based on which machine you're on (reads from `identity.json`).
+
+If it fails: check that Tailscale is connected (`tailscale status`) and Mike's workstation is online.
+
+### GrepAI (semantic code search)
+
+Searches code by MEANING rather than exact text. "How does auth work?" finds authentication code even if the word "auth" doesn't appear.
+
+**Status:** Requires setup per-machine (index build). The `deep-explore` agent uses it. If it's not installed, Claude uses regular grep (still works, just less smart).
+
+---
+
+## Project structure
+
+```
+D:\claudetools\
+  .claude/           — Claude's brain (CLAUDE.md, agents, skills, memory, commands)
+  session-logs/      — General work logs
+  projects/
+    dataforth-dos/   — Dataforth test datasheet pipeline (AD2, testdatadb)
+    msp-tools/
+      guru-rmm/      — GuruRMM agent + server (Rust, our product)
+    newsletter/      — Marketing newsletters
+  clients/
+    dataforth/       — Dataforth-specific client docs
+    pavon/           — Pavon/client docs
+    ...              — Other clients
+  credentials.md     — Quick-reference credentials (vault is source of truth)
+  CONTEXT.md         — Root-level project context
+
+D:\vault\            — SOPS-encrypted credentials (separate repo)
+  infrastructure/    — Our servers (Jupiter, Uranus, pfSense, etc.)
+  clients/           — Client credentials
+  services/          — Service credentials (Cloudflare, Azure, Gitea, etc.)
+  projects/          — Project-specific secrets
+```
+
+---
+
+## Daily workflow
+
+### Starting a work session
+1. Open Claude Code in the project directory
+2. Claude greets you by name (reads identity.json)
+3. Tell Claude what you're working on — it auto-loads the right context
+4. Work normally — ask questions, make changes, run commands
+
+### Ending a work session
+1. `/save` — creates the session log (DO THIS EVERY TIME)
+2. `/sync` — pushes everything to Gitea
+3. Close Claude Code
+
+### When switching projects mid-session
+Just say "let's work on GuruRMM" or "switch to Dataforth" — Claude reads the relevant CONTEXT.md and picks up where the last session left off.
+
+---
+
+## Things to know
+
+**Claude remembers across sessions** — via session logs and memory files, not magic. If you don't `/save`, the next session starts cold.
+
+**Credentials are in the vault** — don't ask Mike for passwords; ask Claude. It decrypts from the vault.
+
+**Git commits are attributed to YOU** — your name and email appear on every commit from your machine.
+
+**Production deployments need care** — Claude will warn before destructive operations (git push --force, database drops, service restarts). Read the warnings.
+
+**If Claude seems confused about a project** — say `/context` and ask it to search for recent work. Or read the project's CONTEXT.md yourself.
+
+**If something breaks** — session logs have the full history. `git log` shows what changed and who changed it. Gitea keeps everything.
+
+---
+
+## Getting help
+
+- Ask Claude: "What commands do I have?" or "How do I access credentials?"
+- Read `.claude/CLAUDE.md` for the full rulebook
+- Check `session-logs/` for recent work examples
+- Ask Mike
+
+---
+
+*Last updated: 2026-04-16*

.claude/POWER_FAILURE_RUNBOOK.md

@@ -0,0 +1,257 @@
+# Power Failure Recovery Runbook — ACG Office
+
+Run through these checks IN ORDER after any unplanned power event.
+All SSH uses `C:\Windows\System32\OpenSSH\ssh.exe` (never Git SSH).
+
+---
+
+## 0. Confirm you have LAN access
+
+If working remotely, Tailscale must be fixed before anything else can be reached.
+If on-site LAN, skip to Step 1.
+
+---
+
+## 1. pfSense — Tailscale subnet routes
+
+**What breaks:** After reboot, pfSense loses its advertised Tailscale routes (`AdvertiseRoutes: null`).
+Remote machines can no longer reach 172.16.x.x.
+
+**Check:**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" -p 2248 admin@172.16.0.1 "tailscale debug prefs" | Select-String "AdvertiseRoutes|RouteAll"
+```
+Healthy output: `"AdvertiseRoutes": ["172.16.0.0/22"]` and `"RouteAll": true`
+
+**Fix:**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" -p 2248 admin@172.16.0.1 "tailscale up --advertise-routes=172.16.0.0/22 --accept-routes"
+```
+
+**Verify:**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" -p 2248 admin@172.16.0.1 "tailscale status"
+# pfsense-2 should NOT show "rx 0" after a few seconds
+Test-NetConnection -ComputerName 172.16.3.20 -Port 22
+```
+
+---
+
+## 2. Jupiter (Unraid) — libvirt / VMs
+
+**What breaks:** libvirt.img (contains /etc/libvirt/ configs) is not loop-mounted on boot.
+libvirtd fails with "socket already in use" or "snapshot dir not a directory". All VMs are down.
+
+**Host:** 172.16.3.20 (SSH as root, no password — key auth)
+
+### 2a. Check if libvirt.img is mounted
+
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "mount | grep libvirt"
+```
+Healthy: shows `/dev/loopN on /etc/libvirt`
+Broken: no output
+
+### 2b. Check libvirtd process
+
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "ps aux | grep libvirtd | grep -v grep"
+```
+
+### 2c. Fix — mount image and start libvirtd
+
+```powershell
+# Mount libvirt config image
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "losetup -f --show /mnt/user/system/libvirt/libvirt.img"
+# Note the loop device returned (e.g. /dev/loop4)
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "mount /dev/loop4 /etc/libvirt && ls /etc/libvirt/qemu"
+
+# Start libvirtd
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "libvirtd -d"
+
+# Verify VMs came up
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "virsh -c qemu:///system list --all"
+```
+
+**Expected VM list:**
+| Name | Expected State |
+|------|---------------|
+| GuruRMM | running |
+| Unifi | running |
+| OwnCloud | running |
+| Claude-Builder | running |
+| Windows 7 | shut off |
+| Windows Server 2016 | shut off |
+| Windows Server 2016_Template | shut off |
+
+### 2d. Stale socket cleanup (if libvirtd still fails)
+
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "ls -la /run/libvirt/libvirt-sock"
+# If it shows as a directory (not a socket), remove it:
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "rm -rf /run/libvirt/libvirt-sock"
+# Then retry libvirtd -d
+```
+
+---
+
+## 3. Seafile — seahub process
+
+**What breaks:** Seahub (Django/gunicorn) does not survive container restart cleanly.
+Containers show "Up" but sync.azcomputerguru.com returns 5xx.
+
+**Check:**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "docker exec seafile ps aux 2>&1 | grep gunicorn | grep -v grep"
+```
+Healthy: 3+ gunicorn worker processes visible
+Broken: no gunicorn output
+
+**Fix:**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "docker exec seafile bash -c 'cd /opt/seafile/seafile-pro-server-12.0.19 && ./seahub.sh start 2>&1'"
+```
+
+**Verify:**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "docker exec seafile curl -s -o /dev/null -w '%{http_code}' http://localhost:8000/"
+# Should return 302
+```
+
+---
+
+## 4. NPM — iptables port 443 rule
+
+**What breaks:** The iptables PREROUTING rule that routes :443 → NPM container is added at boot
+via `/boot/config/go` on Jupiter. If that rule is missing (e.g. first boot after it was added),
+sync.azcomputerguru.com HTTPS will fail even though NPM is running.
+
+**Check:**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "iptables -t nat -L PREROUTING -n | grep 'dpt:443'"
+```
+Healthy: `DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.17.0.2:443`
+
+**Fix (if missing):**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443"
+```
+
+---
+
+## 5. NPM — nginx health
+
+**What breaks:** NPM's nginx may not be serving after a container restart.
+
+**Check:**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "docker exec npm nginx -t 2>&1"
+```
+
+**Fix (reload nginx config):**
+```powershell
+& "C:\Windows\System32\OpenSSH\ssh.exe" root@172.16.3.20 "docker exec npm nginx -s reload"
+```
+
+---
+
+## 6. End-to-End Verification
+
+Run all of these. Any False or non-2xx is a problem.
+
+```powershell
+# Core network
+$checks = @(
+    @{host="172.16.3.20"; port=22;   label="Jupiter SSH"},
+    @{host="172.16.3.20"; port=3000; label="Gitea"},
+    @{host="172.16.3.30"; port=22;   label="GuruRMM SSH (physical box)"},
+    @{host="172.16.3.30"; port=3001; label="GuruRMM server"},
+    @{host="172.16.3.30"; port=8001; label="Coord API"},
+    @{host="172.16.3.20"; port=443;  label="NPM HTTPS (via iptables)"},
+    @{host="172.16.3.20"; port=8082; label="Seafile direct"}
+)
+foreach ($c in $checks) {
+    $r = Test-NetConnection -ComputerName $c.host -Port $c.port -WarningAction SilentlyContinue
+    $status = if ($r.TcpTestSucceeded) { "[OK]" } else { "[FAIL]" }
+    Write-Host "$status $($c.label) ($($c.host):$($c.port))"
+}
+
+# DNS
+Clear-DnsClientCache
+$dns = Resolve-DnsName sync.azcomputerguru.com -ErrorAction SilentlyContinue
+$dnsOk = $dns.IPAddress -eq "172.16.3.20"
+Write-Host "$(if ($dnsOk) {'[OK]'} else {'[FAIL]'}) DNS sync.azcomputerguru.com -> $($dns.IPAddress) (want 172.16.3.20)"
+
+# HTTPS end-to-end
+$resp = Invoke-WebRequest -Uri "https://sync.azcomputerguru.com/" -UseBasicParsing -ErrorAction SilentlyContinue
+Write-Host "$(if ($resp.StatusCode -eq 200) {'[OK]'} else {'[FAIL]'}) sync.azcomputerguru.com HTTPS -> $($resp.StatusCode)"
+```
+
+---
+
+## Infrastructure Reference
+
+| Host | IP | Role |
+|------|----|------|
+| pfSense | 172.16.0.1 (SSH port 2248) | Router, DNS, Tailscale subnet router |
+| Jupiter | 172.16.3.20 | Unraid NAS — hosts all VMs + Docker |
+| Uranus | 172.16.3.21 | OwnCloud additional storage (not a proxy) |
+| GuruRMM | 172.16.3.30 | **Physical box** (Lenovo ThinkCentre M83, Ubuntu 26.04), NOT a Jupiter VM — GuruRMM server, Coord API, MariaDB/PostgreSQL. Boots independently of Jupiter. |
+| Pluto | 172.16.3.36 | Windows Server 2019 VM on Jupiter — build server |
+| Tailscale range | 172.16.0.0/22 | Advertised via pfSense pfsense-2 node |
+
+**Docker containers on Jupiter (172.16.3.20):**
+| Container | Purpose | Key ports |
+|-----------|---------|-----------|
+| npm | Nginx Proxy Manager | 1880 (HTTP), 7818 (admin), 18443 (HTTPS) |
+| seafile | Seafile web/app | 8082 (HTTP) |
+| seafile-mysql | Seafile DB | internal |
+| seafile-elasticsearch | Seafile search | internal |
+| seafile-memcached | Seafile cache | internal |
+
+**NPM proxy hosts:**
+| Domain | Backend |
+|--------|---------|
+| sync.azcomputerguru.com | 172.16.3.20:8082 (Seafile) |
+| rmm.azcomputerguru.com | 172.16.3.30:3001 (GuruRMM) |
+| rmm-api.azcomputerguru.com | 172.16.3.30:3001 |
+| git.azcomputerguru.com | 172.16.3.20:3000 (Gitea) |
+| unifi.azcomputerguru.com | (Unifi VM) |
+| emby.azcomputerguru.com | (Emby) |
+
+---
+
+## Known Post-Power-Failure Issue Pattern
+
+Unraid's VM plugin (`dynamix.vm.manager`) should auto-mount `libvirt.img` at boot.
+When it doesn't, the root cause is usually that the Unraid array came up before emhttp
+finished initializing, or the go script ran before the array was fully mounted.
+
+**Permanent fix (TODO):** Add a user script via Unraid's User Scripts plugin that runs at
+array start and checks/mounts libvirt.img if not already mounted. This would eliminate
+the manual step 2c above.
+
+---
+
+---
+
+## 2026-05-17 Post-Mortem
+
+**Root cause:** Power flicker at the office. UPS batteries were disconnected during a rack
+reorganization move, so units had no backup capacity and shut down on the flicker instead
+of riding through it.
+
+**Resolution:** Mike reconnected batteries and restarted UPS units.
+
+**Auto-recovery:** Jupiter (172.16.3.20) and Uranus (172.16.3.21) started automatically.
+
+**Manual intervention required:** IX server (neptune/exchange host) did NOT auto-restart —
+required a physical button press at the rack. Note for future: verify whether this is always
+the case or was a one-off (BIOS power-on-after-failure setting may need adjustment).
+
+**Remote fixes applied:** All steps 1–5 above were needed. Total recovery time ~1 hour.
+
+---
+
+*Last updated: 2026-05-17 — documented after power failure recovery*
+*Checked by: Mike Swanson*

.claude/PROJECT_STATE_PROTOCOL.md

@@ -0,0 +1,42 @@
+# PROJECT_STATE.md Locking Protocol
+
+This protocol prevents conflicts between concurrent Claude sessions. Follow it for every significant action on any project that has a PROJECT_STATE.md.
+
+## What Requires a Lock
+
+- Editing or creating source code files
+- Git commit or push
+- SSH command that modifies a server (deploy, install, config change, service restart)
+- Database schema change or data migration
+- Build pipeline modification
+
+Reading files, planning, and answering questions do NOT require a lock.
+
+## The Protocol
+
+**Step 1 — Read before acting**
+Re-read PROJECT_STATE.md before starting:
+- Check Active Session Locks: is anything locked that you need to touch?
+- Conflicting lock < 2 hours old: stop, report to user, ask how to proceed.
+- Lock > 2 hours old (stale): note it to user, clear the row, proceed.
+
+**Step 2 — Claim your lock**
+Add a row to Active Session Locks before performing the action:
+
+| Session | Working On | Status | Blocks | Started |
+|---------|-----------|--------|--------|---------|
+| DESKTOP-0O8A1RL/Claude | Brief description | IN_PROGRESS | What others must avoid | HH:MM UTC |
+
+Use `{machine}/{Claude or agent description}` as the Session identifier.
+
+**Step 3 — Perform the action**
+
+**Step 4 — Update on completion OR failure**
+1. Remove your lock row
+2. Add a Recent Changes entry with status: `COMPLETE`, `FAILED`, `PARTIAL`, or `ROLLED_BACK`
+3. Update Current Project State if any component status changed
+4. Check off completed Pending items
+
+## Stale Lock Rule
+
+A lock older than 2 hours with no timestamp update is abandoned. Clear it, note `[Cleared stale lock from {session}]` in Recent Changes, then proceed.

.claude/RECOVERY.md

@@ -0,0 +1,76 @@
+# Session Recovery
+
+Never lose work again when a Claude Code session crashes or is closed before `/save`.
+
+Claude Code writes every session live to a transcript JSONL. This toolset distills those transcripts back into normal session logs in the `.claude/commands/save.md` format.
+
+---
+
+## The three pieces
+
+| Piece | File | Role |
+|---|---|---|
+| Engine | `.claude/scripts/recover_session.py` | Parses one transcript, classifies it, and reconstructs a full session log. CLI: `--uuid` / `--latest` / `--path` with `--print` (default), `--auto`, or `--json`. |
+| Detector | `.claude/scripts/detect_orphaned_sessions.py` | Scans all idle transcripts, auto-recovers the orphans (substantive + unsaved), updates the ledger, commits + pushes, and posts an FYI to `#bot-alerts`. CLI: `--dry-run`, `--idle-min N`, `--no-commit`, `--no-alert`. |
+| Command | `.claude/commands/recover.md` | `/recover <uuid>` / `/recover latest` / `/recover --list` — the **manual, reviewed** path where Claude edits the draft before writing. |
+
+The scheduled-task registration script `.claude/scripts/register-orphan-detector.ps1` wires the detector into the Windows Task Scheduler (Windows only).
+
+---
+
+## Where things live
+
+- **Transcripts:** `~/.claude/projects/<slug>/<uuid>.jsonl`, where `<slug>` is the claudetools repo root with `/`, `\`, and `:` each replaced by `-`. On a `D:\claudetools` machine the slug is `D--claudetools`, so `C:\Users\<you>\.claude\projects\D--claudetools\*.jsonl`. The slug is computed portably from `claudetools_root` in `.claude/identity.json`. Sibling `<uuid>/` dirs hold subagent transcripts and are ignored for the main narrative.
+- **Ledger:** `.claude/state/recovered-sessions.json` (machine-local, gitignored). Records every processed uuid with its verdict (`recovered` / `skipped-saved` / `skipped-trivial` / `error`) so it is never re-scanned. Transcripts are per-machine, so the ledger is too.
+
+---
+
+## How to run
+
+```bash
+# See candidate orphans without writing anything:
+py .claude/scripts/detect_orphaned_sessions.py --dry-run
+
+# Inspect one transcript's verdict as JSON (writes nothing):
+py .claude/scripts/recover_session.py --json --uuid <uuid>
+
+# Print a reconstructed log to stdout (writes nothing):
+py .claude/scripts/recover_session.py --uuid <uuid> --print
+
+# Full unattended run (writes logs, updates ledger, commits, pushes, alerts):
+py .claude/scripts/detect_orphaned_sessions.py
+```
+
+### Register the scheduled task (Windows)
+
+```powershell
+powershell -ExecutionPolicy Bypass -File D:\claudetools\.claude\scripts\register-orphan-detector.ps1
+```
+
+Registers `ClaudeTools - Orphaned Session Detector`: runs at logon and every 4 hours. The 4-hour cadence pairs with the detector's 90-minute idle gate so an active session is never grabbed mid-flight.
+
+---
+
+## Accuracy split: Ollama prose vs Python verbatim
+
+This is the core design principle.
+
+- **Ollama drafts prose only** — Session Summary, Key Decisions, Problems Encountered, Pending / Incomplete Tasks. It never sees and never emits commands, IPs, credentials, file paths, commit SHAs, or ticket IDs. If Ollama is unreachable the log is still produced with a placeholder note in the prose sections.
+- **Python extracts the verbatim evidence** — Configuration Changes (Write/Edit/NotebookEdit targets), Commands & Outputs (mutating Bash/PowerShell with truncated results), Reference Information (regex-extracted SHAs, URLs, IPs, ticket numbers, coord message ids), and Infrastructure & Servers. This is the high-value, accuracy-critical part and it comes straight from the transcript.
+
+Trust the verbatim sections for facts; treat the prose as a draft.
+
+---
+
+## Classification
+
+- **substantive** — the session did real work: a Write/Edit/NotebookEdit, a mutating Bash/PowerShell command (git commit/push/add, ssh, schtasks, New-Item, Set-Content, Remove-Item, Out-File, a POST/PUT/DELETE/PATCH curl, an `/api/` call, `vault.sh`, a mutating Invoke-RestMethod), or a mutating Skill (syncro, rmm, remediation-tool, mailbox, forum-post, syncro-emergency-billing).
+- **saved** — the session was already saved: a save/scc/checkpoint Skill, or a Write/Edit into a `session-logs/` path.
+- **orphan** = substantive AND not saved. Only orphans are auto-recovered.
+- **scope** — client / project / general, decided by Python from the transcript text, `cwd`, and `gitBranch` against the known client and project slugs. Conservative: ambiguous resolves to `general`.
+
+---
+
+## Banner discipline
+
+Auto-recovered logs are written with a `[RECOVERED -- UNVERIFIED]` banner. **The banner stays until a human reviews the log** and removes it. The manual `/recover` path lets Claude review and correct the draft before writing, and drops the banner once verified.

.claude/TEMP_GRADUATION.md

@@ -0,0 +1,172 @@
+# Temp Directory Graduation Guide
+
+## Problem
+
+The `temp/` directory is gitignored for rapid iteration, but useful scripts disappear during cleanup. We need a deliberate graduation process before mass deletions.
+
+## Philosophy
+
+**Scratch → Proven → Permanent**
+
+1. **Scratch** — `temp/` is the right place for first drafts, one-off investigations, and exploration
+2. **Proven** — Scripts run multiple times, referenced in session logs, or solving recurring problems deserve promotion
+3. **Permanent** — Graduate to proper locations with documentation before cleanup
+
+## Before Cleanup: Review Protocol
+
+**MANDATORY before running `git rm temp/*` or similar mass cleanup:**
+
+### 1. Identify Candidates
+
+```bash
+# Most recently modified (likely still relevant)
+ls -lt temp/*.{py,ps1,sh} 2>/dev/null | head -20
+
+# Largest files (substantial work invested)
+ls -lhS temp/*.{py,ps1,sh} 2>/dev/null | head -20
+
+# Referenced in recent session logs
+grep -r "temp/" session-logs/ --include="*.md" | tail -50
+
+# Multiple executions (appears in bash history or logs)
+grep -h "temp/" ~/.bash_history | sort | uniq -c | sort -rn | head -20
+```
+
+### 2. Graduation Decision Tree
+
+For each candidate file, ask:
+
+| Question | Yes → | No → |
+|----------|-------|------|
+| **Was it run more than once?** | Keep reviewing | DELETE |
+| **Does it solve a recurring problem?** | GRADUATE | Keep reviewing |
+| **Is it referenced in session logs?** | GRADUATE | Keep reviewing |
+| **Does it contain unique investigation logic?** | GRADUATE (even if one-time, the pattern may recur) | DELETE |
+| **Is it client-specific remediation?** | GRADUATE to `clients/<client>/scripts/` | DELETE |
+| **Is it general MSP automation?** | GRADUATE to `.claude/scripts/` | DELETE |
+| **Is it project tooling?** | GRADUATE to `projects/<project>/tools/` | DELETE |
+
+## Graduation Locations
+
+| Type | Destination | Examples |
+|------|-------------|----------|
+| ClaudeTools automation | `.claude/scripts/` | onboarding-diagnostic.ps1, post-bot-alert.sh, ksteen-smartbadge-verify.ps1 |
+| Client-specific scripts | `clients/<client>/scripts/` | Bardach contact dedup suite, VWP BEC investigation |
+| Project tools | `projects/<project>/tools/` | GuruRMM test harnesses, build utilities |
+| General MSP tools | `scripts/` (root, create if needed) | Multi-client remediation patterns, generic M365 tools |
+
+## Graduation Checklist
+
+Before moving a script from `temp/` to permanent location:
+
+- [ ] **Add header comment**:
+  ```python
+  """
+  Purpose: One-line description of what this does
+  Usage: python script.py <args>
+  Author: <name>
+  Created: YYYY-MM-DD
+  Last Updated: YYYY-MM-DD
+  """
+  ```
+
+- [ ] **Vault-ize credentials**:
+  - Replace hardcoded tokens/passwords with vault lookups
+  - Example: `TOKEN = "abc123"` → `TOKEN = subprocess.check_output(["bash", VAULT, "get-field", "path", "field"]).decode().strip()`
+
+- [ ] **Test once more**:
+  - Confirm it still works after credential changes
+  - Run with `-h` or `--help` if implemented
+
+- [ ] **Document**:
+  - Add to relevant README if location has one
+  - Or mention in session log with file path and purpose
+  - Or add to `.claude/REFERENCE.md` if it's a key tool
+
+- [ ] **Rename if needed**:
+  - `temp/vwp_bec_investigation.py` → `clients/valley-wide-plastering/scripts/bec-investigation.py`
+  - Use kebab-case for permanent scripts (more readable than underscores)
+
+- [ ] **Move and commit**:
+  ```bash
+  git mv temp/useful-script.py .claude/scripts/
+  git commit -m "chore: graduate temp/useful-script.py to permanent location"
+  ```
+
+## Examples from May 2026 Cleanup
+
+**What was deleted but might have been worth keeping:**
+
+| File | Why Keep? | Where? |
+|------|-----------|--------|
+| `temp/bardach_dedup_step*.py` | 5-step contact dedup workflow, could recur for other clients | `clients/bardach/scripts/contact-dedup/` |
+| `temp/vwp_bec_investigation.py` | BEC investigation framework (721 lines), reusable pattern | `scripts/m365/bec-investigation.py` (generalized) |
+| `temp/m365_security_scan.py` | Tenant security audit, generic tool | `scripts/m365/security-scan.py` |
+| `temp/lonestar-*-2fa-fix.py` | 2FA remediation pattern | `scripts/m365/2fa-remediation.py` (generalized) OR `clients/lonestar/scripts/` |
+
+**What was correctly kept (already in permanent locations):**
+
+| File | Location |
+|------|----------|
+| `onboarding-diagnostic.ps1` | `.claude/scripts/` |
+| `post-bot-alert.sh` | `.claude/scripts/` |
+| `ksteen-smartbadge-verify.ps1` | `.claude/scripts/` |
+
+**What was correctly deleted (true scratch):**
+
+- `temp/_debug_graph*.py` — debugging iterations, no lasting value
+- `temp/test-*.ps1` — one-off connectivity tests
+- `temp/*_output.txt` — command output captures
+- `temp/*_token.txt` — ephemeral auth tokens
+
+## Integration with Cleanup Commands
+
+If adding a "cleanup temp/" command or script, include this prompt:
+
+```
+[INFO] Found <N> scripts in temp/. Running graduation review...
+
+Recent scripts (modified in last 7 days):
+  - temp/foo.py (245 lines, modified 2 days ago)
+  - temp/bar.sh (89 lines, modified 5 days ago)
+
+Referenced in session logs:
+  - temp/foo.py (3 references in session-logs/2026-05-*.md)
+
+Candidates for graduation: <N>
+
+Options:
+1. Review candidates and graduate useful scripts
+2. Delete all temp/ scripts (PERMANENT - cannot undo)
+3. Cancel
+
+Choice?
+```
+
+## Anti-Patterns
+
+**DON'T:**
+- Mass-delete temp/ without review ("clean slate" mindset loses knowledge)
+- Graduate everything (temp/ becomes permanent clutter)
+- Leave credentials hardcoded in graduated scripts
+- Graduate without testing (broken scripts in permanent locations confuse future sessions)
+
+**DO:**
+- Review before cleanup (10 minutes of review saves hours of reconstruction)
+- Graduate proven patterns (even if one-time, the investigation logic may recur)
+- Generalize when graduating (remove client-specific details from general tools)
+- Document purpose (a 2-line comment saves 30 minutes of reverse engineering)
+
+## When in Doubt
+
+If uncertain whether a script deserves graduation:
+
+1. **Check session logs**: `grep -r "temp/<filename>" session-logs/`
+2. **Ask**: "Would I want this script if a similar problem happens next month?"
+3. **Bias toward keeping investigation scripts**: Even one-time investigations contain patterns worth preserving
+
+Better to graduate 3 scripts that turn out to be useless than to delete 1 script that would have saved hours later.
+
+---
+
+**Last Updated:** 2026-05-29

.claude/VAULT-SETUP-GUIDE.md

@@ -0,0 +1,522 @@
+# Vault Setup Guide - Multi-Machine Reference
+
+**Last Updated:** 2026-04-21
+**Tested On:** Mikes-MacBook-Air.local (Mac), DESKTOP-0O8A1RL (Windows)
+**Purpose:** Complete guide for setting up vault access on any machine
+
+---
+
+## Overview
+
+The vault repository contains encrypted credentials (SOPS files) required for remediation-tool to acquire tokens. This guide covers full setup from scratch on any machine.
+
+---
+
+## Prerequisites
+
+Before starting, you need:
+- ClaudeTools repository cloned
+- Network access to Gitea server (http://172.16.3.20:3000)
+- Gitea credentials (username: azcomputerguru, password: see below)
+- Age key (private key shared across team - see below)
+
+---
+
+## Quick Reference - Credentials
+
+### Gitea Password
+```
+Gptf*77ttb123!@#-git
+```
+
+### Age Private Key
+```
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+```
+
+---
+
+## Installation Steps
+
+### Step 1: Install Dependencies
+
+**Mac (Homebrew):**
+```bash
+brew install sops age jq
+```
+
+**Windows (Chocolatey):**
+```powershell
+choco install sops age jq
+```
+
+**Windows (Manual):**
+- Download SOPS: https://github.com/mozilla/sops/releases
+- Download age: https://github.com/FiloSottile/age/releases
+- Download jq: https://jqlang.github.io/jq/download/
+- Add to PATH
+
+**Linux (apt):**
+```bash
+sudo apt install age jq
+# SOPS from GitHub releases (not in apt)
+wget https://github.com/mozilla/sops/releases/download/v3.12.2/sops-v3.12.2.linux.amd64 -O /usr/local/bin/sops
+chmod +x /usr/local/bin/sops
+```
+
+### Step 2: Clone Vault Repository
+
+**Mac/Linux:**
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+# Password when prompted: Gptf*77ttb123!@#-git
+```
+
+**Windows:**
+```cmd
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git D:\vault
+REM Password when prompted: Gptf*77ttb123!@#-git
+```
+
+**Important:** Must use real terminal, not Claude Code shell (auth prompts don't work in Claude Code).
+
+### Step 3: Configure Age Key
+
+**Mac/Linux:**
+```bash
+mkdir -p ~/.config/sops/age
+cat > ~/.config/sops/age/keys.txt << 'AGEEOF'
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+AGEEOF
+chmod 600 ~/.config/sops/age/keys.txt
+```
+
+**Windows (PowerShell):**
+```powershell
+$KeyDir = "$env:USERPROFILE\.config\sops\age"
+New-Item -ItemType Directory -Force -Path $KeyDir | Out-Null
+
+$KeyContent = @"
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+"@
+
+Set-Content -Path "$KeyDir\keys.txt" -Value $KeyContent -NoNewline
+```
+
+**Windows (Git Bash):**
+```bash
+mkdir -p /c/Users/$USER/.config/sops/age
+cat > /c/Users/$USER/.config/sops/age/keys.txt << 'AGEEOF'
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+AGEEOF
+```
+
+### Step 4: Configure SOPS Environment Variable
+
+**Mac (zsh):**
+```bash
+echo 'export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt' >> ~/.zshenv
+source ~/.zshenv
+```
+
+**Mac (bash):**
+```bash
+echo 'export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt' >> ~/.bash_profile
+source ~/.bash_profile
+```
+
+**Windows (PowerShell - permanent):**
+```powershell
+[Environment]::SetEnvironmentVariable("SOPS_AGE_KEY_FILE", "$env:USERPROFILE\.config\sops\age\keys.txt", "User")
+```
+
+**Windows (Git Bash):**
+```bash
+echo 'export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt' >> ~/.bashrc
+source ~/.bashrc
+```
+
+**Linux:**
+```bash
+echo 'export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt' >> ~/.bashrc
+source ~/.bashrc
+```
+
+### Step 5: Fix vault.sh Line Endings (If Needed)
+
+**If you see error: `env: bash\r: No such file or directory`**
+
+This means vault.sh has Windows line endings (CRLF). Fix with:
+
+**Mac/Linux:**
+```bash
+# Using perl (always available)
+perl -pi -e 's/\r\n/\n/g' ~/vault/scripts/vault.sh
+
+# Or using dos2unix if installed
+dos2unix ~/vault/scripts/vault.sh
+```
+
+**Windows (Git Bash):**
+```bash
+dos2unix /d/vault/scripts/vault.sh
+```
+
+**Make executable:**
+```bash
+chmod +x ~/vault/scripts/vault.sh  # Mac/Linux
+chmod +x /d/vault/scripts/vault.sh  # Windows Git Bash
+```
+
+### Step 6: Add vault_path to identity.json
+
+**Edit ClaudeTools identity.json:**
+
+**Mac:**
+```bash
+# File: ~/ClaudeTools/.claude/identity.json
+# Add this field:
+"vault_path": "/Users/azcomputerguru/vault"
+```
+
+**Windows:**
+```bash
+# File: D:\ClaudeTools\.claude\identity.json
+# Add this field:
+"vault_path": "D:/vault"
+```
+
+**Linux:**
+```bash
+# File: ~/ClaudeTools/.claude/identity.json
+# Add this field:
+"vault_path": "/home/<username>/vault"
+```
+
+**Full example:**
+```json
+{
+  "user": "mike",
+  "full_name": "Mike Swanson",
+  "email": "mike@azcomputerguru.com",
+  "role": "admin",
+  "machine": "Mikes-MacBook-Air",
+  "mode": "general",
+  "last_updated": "2026-04-19T08:40:00Z",
+  "vault_path": "/Users/azcomputerguru/vault"
+}
+```
+
+---
+
+## Verification Steps
+
+### Test 1: Verify SOPS Can Decrypt
+
+**Mac/Linux:**
+```bash
+sops --decrypt ~/vault/msp-tools/computerguru-security-investigator.sops.yaml | head -10
+```
+
+**Windows:**
+```bash
+sops --decrypt D:/vault/msp-tools/computerguru-security-investigator.sops.yaml | head -10
+```
+
+**Expected output:** YAML content starting with `kind: entra-app`
+
+**If you see:** `Failed to get the data key` → Age key not configured correctly
+
+### Test 2: Verify vault.sh Works
+
+**Mac/Linux:**
+```bash
+~/vault/scripts/vault.sh get-field msp-tools/computerguru-security-investigator.sops.yaml credentials.client_id
+```
+
+**Windows:**
+```bash
+bash D:/vault/scripts/vault.sh get-field msp-tools/computerguru-security-investigator.sops.yaml credentials.client_id
+```
+
+**Expected output:** `bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
+
+### Test 3: Verify Token Acquisition
+
+**Mac/Linux:**
+```bash
+cd ~/ClaudeTools/.claude/skills/remediation-tool/scripts
+./get-token.sh grabblaw.com investigator
+```
+
+**Windows:**
+```bash
+cd D:\ClaudeTools\.claude\skills\remediation-tool\scripts
+bash get-token.sh grabblaw.com investigator
+```
+
+**Expected output:** JWT token starting with `eyJ0eXAiOiJKV1Qi...`
+
+### Test 4: Test All Tiers
+
+**Mac/Linux/Windows (Git Bash):**
+```bash
+for tier in investigator investigator-exo user-manager tenant-admin; do
+    echo "Testing tier: $tier"
+    ./get-token.sh grabblaw.com $tier | head -c 50
+    echo "..."
+    echo "---"
+done
+```
+
+**Expected:** JWT tokens for all 4 tiers (defender will fail - not consented in grabblaw.com)
+
+---
+
+## Common Issues and Solutions
+
+### Issue 1: "Device not configured" when cloning vault
+
+**Symptom:**
+```
+fatal: could not read Password for 'http://azcomputerguru@172.16.3.20:3000': Device not configured
+```
+
+**Cause:** Git cannot prompt for password in Claude Code shell
+
+**Solution:** Clone in real terminal (Terminal.app, PowerShell, etc.)
+
+### Issue 2: "env: bash\r: No such file or directory"
+
+**Symptom:** vault.sh won't execute, complains about `bash\r`
+
+**Cause:** Windows line endings (CRLF) in vault.sh
+
+**Solution:**
+```bash
+perl -pi -e 's/\r\n/\n/g' ~/vault/scripts/vault.sh
+chmod +x ~/vault/scripts/vault.sh
+```
+
+### Issue 3: "Failed to get the data key"
+
+**Symptom:** SOPS can't decrypt files
+
+**Cause:** Age key not found or SOPS_AGE_KEY_FILE not set
+
+**Solution:**
+1. Verify age key exists: `cat ~/.config/sops/age/keys.txt`
+2. Set environment variable: `export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt`
+3. Add to shell RC file for persistence
+
+### Issue 4: "vault_path not set in identity.json"
+
+**Symptom:** get-token.sh fails with vault_path error
+
+**Cause:** Missing vault_path field in .claude/identity.json
+
+**Solution:** Add `"vault_path": "/path/to/vault"` to identity.json
+
+### Issue 5: Python "pipefail: invalid option name"
+
+**Symptom:** vault.sh fails on Mac with pipefail error
+
+**Cause:** macOS ships with old bash (3.2) that doesn't support `set -o pipefail`
+
+**Solution:** Already fixed in vault.sh - ensure you have latest version
+
+### Issue 6: "command not found: sops"
+
+**Symptom:** SOPS not in PATH
+
+**Cause:** SOPS not installed or not in PATH
+
+**Solution:**
+- Mac: `brew install sops`
+- Windows: `choco install sops` or add to PATH manually
+- Linux: Download from GitHub releases
+
+---
+
+## What Gets Installed
+
+After successful setup, these files/directories exist:
+
+### Mac/Linux
+```
+~/.config/sops/age/keys.txt           # Age private key
+~/vault/                               # Vault repository
+~/vault/.sops.yaml                     # SOPS config
+~/vault/msp-tools/*.sops.yaml          # Encrypted credentials (6 files)
+~/vault/scripts/vault.sh               # Vault CLI wrapper
+~/ClaudeTools/.claude/identity.json    # Contains vault_path
+~/.zshenv (or ~/.bashrc)               # Contains SOPS_AGE_KEY_FILE
+```
+
+### Windows
+```
+C:\Users\<user>\.config\sops\age\keys.txt    # Age private key
+D:\vault\                                     # Vault repository
+D:\vault\.sops.yaml                           # SOPS config
+D:\vault\msp-tools\*.sops.yaml                # Encrypted credentials (6 files)
+D:\vault\scripts\vault.sh                     # Vault CLI wrapper
+D:\ClaudeTools\.claude\identity.json          # Contains vault_path
+Environment variable: SOPS_AGE_KEY_FILE       # System environment
+```
+
+---
+
+## Vault Repository Structure
+
+```
+vault/
+├── .sops.yaml                    # SOPS encryption config
+├── README.md                     # Vault documentation
+├── scripts/
+│   ├── vault.sh                  # CLI wrapper
+│   └── yaml-query.py             # YAML parser (yq fallback)
+├── msp-tools/
+│   ├── computerguru-security-investigator.sops.yaml    # Tier 1: Graph read
+│   ├── computerguru-exchange-operator.sops.yaml        # Tier 2: EXO write
+│   ├── computerguru-user-manager.sops.yaml             # Tier 3: Graph user write
+│   ├── computerguru-tenant-admin.sops.yaml             # Tier 4: Graph admin
+│   ├── computerguru-defender-addon.sops.yaml           # Tier 5: MDE only
+│   └── computerguru-management.sops.yaml               # Legacy (deprecated)
+├── infrastructure/
+├── clients/
+├── services/
+└── projects/
+```
+
+---
+
+## Security Notes
+
+### Age Key Security
+
+**The age private key decrypts ALL vault secrets. Treat it like a master password.**
+
+- Never commit to git repositories
+- Never share in plaintext over unsecured channels
+- File permissions: 600 (owner read/write only)
+- Store in `.config/sops/age/` (standard location)
+
+### Gitea Credentials
+
+- Password: `Gptf*77ttb123!@#-git`
+- Used for vault repo clone/pull/push
+- Same credentials on all machines
+- Consider using SSH keys instead of HTTPS for better security
+
+### SOPS Files
+
+- Encrypted at rest with age
+- Only `credentials`, `password`, `secret`, `api_key`, `token` fields are encrypted
+- Metadata (kind, name, description) is plaintext
+- Encrypted regex defined in `.sops.yaml`
+
+---
+
+## Maintenance
+
+### Pulling Latest Vault Changes
+
+**Mac/Linux:**
+```bash
+cd ~/vault
+git pull origin main
+```
+
+**Windows:**
+```bash
+cd D:\vault
+git pull origin main
+```
+
+**Run this periodically to get:**
+- New SOPS files
+- Updated credentials
+- Vault script improvements
+
+### Rotating Age Key
+
+If the age key needs to be rotated:
+
+1. Generate new age key: `age-keygen -o new-key.txt`
+2. Re-encrypt all SOPS files with new key
+3. Distribute new key to all machines
+4. Update `.config/sops/age/keys.txt` on each machine
+5. Update `.sops.yaml` with new public key
+
+**Note:** This is a team-wide operation requiring coordination.
+
+---
+
+## Multi-Machine Status
+
+| Machine | Vault Status | Notes |
+|---------|--------------|-------|
+| DESKTOP-0O8A1RL (Windows) | ✓ WORKING | Original setup, all tiers tested |
+| Mikes-MacBook-Air (Mac) | ✓ WORKING | Full setup completed 2026-04-21 |
+| ACG-Tech03L (Howard) | PENDING | Needs vault clone + age key setup |
+| HOWARD-HOME | PENDING | Needs vault clone + age key setup |
+
+---
+
+## For Howard (ACG-Tech03L Setup)
+
+Howard, when you're ready to set up remediation-tool:
+
+### Quick Setup (Git Bash)
+
+```bash
+# 1. Clone vault
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git D:/vault
+# Password: Gptf*77ttb123!@#-git
+
+# 2. Install age key
+mkdir -p ~/.config/sops/age
+cat > ~/.config/sops/age/keys.txt << 'AGEEOF'
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+AGEEOF
+
+# 3. Set environment variable (PowerShell)
+# Run this in PowerShell (not Git Bash):
+[Environment]::SetEnvironmentVariable("SOPS_AGE_KEY_FILE", "$env:USERPROFILE\.config\sops\age\keys.txt", "User")
+
+# 4. Add vault_path to identity.json
+# Edit C:\claudetools\.claude\identity.json
+# Add: "vault_path": "D:/vault"
+
+# 5. Fix line endings if needed
+dos2unix /d/vault/scripts/vault.sh
+chmod +x /d/vault/scripts/vault.sh
+
+# 6. Test
+bash C:/claudetools/.claude/skills/remediation-tool/scripts/get-token.sh grabblaw.com investigator
+```
+
+---
+
+## References
+
+- **SOPS:** https://github.com/mozilla/sops
+- **age:** https://github.com/FiloSottile/age
+- **Vault repo:** http://172.16.3.20:3000/azcomputerguru/vault
+- **ClaudeTools repo:** http://172.16.3.20:3000/azcomputerguru/claudetools
+
+---
+
+**Last tested:** 2026-04-21 on Mikes-MacBook-Air.local
+**Status:** Complete and validated - all 4 tiers working
+**Maintainer:** Mike Swanson

.claude/active-tasks.json

@@ -1,4 +1,66 @@
 {
-  "last_updated": "2026-01-23T00:00:00Z",
-  "tasks": []
+  "last_updated": "2026-03-23T20:10:00Z",
+  "tasks": [
+    {
+      "id": "win-setup-001",
+      "title": "Windows Machine Setup - Align with Directives",
+      "created": "2026-03-23",
+      "status": "in_progress",
+      "context": "Setting up Windows guru workstation to match ClaudeTools project directives. This session is non-elevated. Elevated session should pick up remaining items.",
+      "completed_items": [
+        "Node.js v24.14.0 installed via winget (PATH: C:\\Program Files\\nodejs)",
+        ".mcp.json created at C:\\Users\\guru\\ClaudeTools\\.mcp.json (filesystem + sequential-thinking)",
+        "GrepAI v0.35.0 binary downloaded to C:\\Users\\guru\\ClaudeTools\\grepai.exe"
+      ],
+      "remaining_items": [
+        {
+          "step": 1,
+          "item": "Finish Ollama installation",
+          "priority": "HIGH",
+          "details": "winget install was downloading v0.18.2 (1.61GB) but session interrupted ~50%. Run: winget install Ollama.Ollama --accept-package-agreements --accept-source-agreements. Verify with: ollama --version"
+        },
+        {
+          "step": 2,
+          "item": "Pull Ollama models",
+          "priority": "HIGH",
+          "depends_on": "step 1",
+          "details": "ollama pull nomic-embed-text && ollama pull qwen3:14b && ollama pull codestral:22b"
+        },
+        {
+          "step": 3,
+          "item": "Initialize GrepAI index",
+          "priority": "HIGH",
+          "depends_on": "step 2 (needs nomic-embed-text)",
+          "details": "cd C:\\Users\\guru\\ClaudeTools && ./grepai.exe init && ./grepai.exe watch --background"
+        },
+        {
+          "step": 4,
+          "item": "Add GrepAI to .mcp.json",
+          "priority": "HIGH",
+          "depends_on": "step 3",
+          "details": "Add to C:\\Users\\guru\\ClaudeTools\\.mcp.json mcpServers section: \"grepai\": { \"command\": \"C:\\\\Users\\\\guru\\\\ClaudeTools\\\\grepai.exe\", \"args\": [\"mcp-serve\"] }"
+        },
+        {
+          "step": 5,
+          "item": "Verify MCP servers load",
+          "priority": "MEDIUM",
+          "depends_on": "steps 1-4",
+          "details": "Restart Claude Code and confirm sequential-thinking, filesystem, and grepai MCP servers connect. Node.js is installed but current shell may need PATH refresh."
+        },
+        {
+          "step": 6,
+          "item": "Update machine memory record",
+          "priority": "LOW",
+          "depends_on": "all above",
+          "details": "Update .claude/memory/machine_windows_guru_setup_status.md to reflect completed setup. Remove all 'Missing' items, mark as fully aligned."
+        }
+      ],
+      "notes": [
+        "GitHub MCP server intentionally excluded - project uses Gitea not GitHub",
+        "User said they'll get back on git setup separately",
+        "Node.js may not be in current shell PATH - new terminal needed",
+        "Ollama download was partially through when interrupted"
+      ]
+    }
+  ]
 }

.claude/agents/deep-explore.md

@@ -0,0 +1,59 @@
+---
+name: deep-explore
+description: Deep codebase exploration using grepai semantic search and call graph tracing. Use this agent for understanding code architecture, finding implementations by intent, analyzing function relationships, and exploring unfamiliar code areas.
+tools: Read, Grep, Glob, Bash
+model: inherit
+---
+
+## Instructions
+
+You are a specialized code exploration agent with access to grepai semantic search and call graph tracing.
+
+### Primary Tools
+
+#### 1. Semantic Search: `grepai search`
+
+Use this to find code by intent and meaning:
+
+```bash
+# Use English queries for best results (--compact saves ~80% tokens)
+grepai search "authentication flow" --json --compact
+grepai search "error handling middleware" --json --compact
+grepai search "database connection management" --json --compact
+```
+
+#### 2. Call Graph Tracing: `grepai trace`
+
+Use this to understand function relationships and code flow:
+
+```bash
+# Find all functions that call a symbol
+grepai trace callers "HandleRequest" --json
+
+# Find all functions called by a symbol
+grepai trace callees "ProcessOrder" --json
+
+# Build complete call graph
+grepai trace graph "ValidateToken" --depth 3 --json
+```
+
+Use `grepai trace` when you need to:
+- Find all callers of a function
+- Understand the call hierarchy
+- Analyze the impact of changes to a function
+- Map dependencies between components
+
+### When to use standard tools
+
+Only fall back to Grep/Glob when:
+- You need exact text matching (variable names, imports)
+- grepai is not available or returns errors
+- You need file path patterns
+
+### Workflow
+
+1. Start with `grepai search` to find relevant code semantically
+2. Use `grepai trace` to understand function relationships and call graphs
+3. Use `Read` to examine promising files in detail
+4. Use Grep only for exact string searches if needed
+5. Synthesize findings into a clear summary

.claude/agents/gitea.md

@@ -56,6 +56,17 @@ You are the Gitea Agent - the sole custodian of version control for all ClaudeTo
 **Authentication:** SSH key (C:\Users\MikeSwanson\.ssh\id_ed25519)
 **Local Git:** git.exe (Windows Git)
 
+### Non-interactive auth (IMPORTANT)
+Mike's hard requirement: git must NEVER sit at an interactive credential/password prompt. That is his actual objection to Git for Windows — its Git Credential Manager (`credential.helper = manager`) pops a prompt and silently hangs any automation/background push. This repo (`D:\ClaudeTools`) is configured to authenticate silently instead: repo-local `credential.helper = store`, primed with the `azcomputerguru` Gitea API token in `~/.git-credentials`, scoped to the internal host `172.16.3.20:3000`. So a plain `git push origin main` / `git fetch` just works with no prompt. The global GCM default is left untouched for other repos.
+
+Rules when running git here:
+- Run git from the **PowerShell tool** using native `git.exe`; quote Windows paths as-is.
+- ALWAYS set `GIT_TERMINAL_PROMPT=0` (PowerShell: `$env:GIT_TERMINAL_PROMPT='0'`) so a credential failure errors immediately instead of hanging on a hidden prompt — a hang is fatal for background agents.
+- If the stored credential is ever missing, get the token from vault `services/gitea.sops.yaml` field `api-token` (username `azcomputerguru`) and either re-append the `store` line to `~/.git-credentials` or push once to `http://azcomputerguru:<token>@172.16.3.20:3000/azcomputerguru/claudetools.git`.
+- Note: git writes progress (including "Everything up-to-date") to stderr; under PowerShell 5.1 that surfaces as a `NativeCommandError` even on success — trust `$LASTEXITCODE`/`EXIT=0`, not the red text.
+- System OpenSSH (not Git's bundled SSH) remains the rule for any SSH-based remote.
+See memory: `feedback_git_noninteractive_auth`.
+
 ## Repository Structure
 
 ### System Repository

.claude/bootstrap/RESTORE.md

@@ -0,0 +1,136 @@
+# ClaudeTools Windows Bootstrap & Recovery Runbook
+
+Rebuild this workstation (GURU-5070, Lenovo Legion Pro 7 16IAX10H) after a clean
+Windows reset. Everything here is driven by two scripts in this folder:
+
+- `windows-bootstrap.ps1` — installs tools, restores secrets, clones repos, wires tasks
+- `restore-secrets.ps1` — copies secrets/identity from the recovery bundle back into place
+
+The recovery bundle lives on the removable drives:
+
+| Drive | Label   | Holds |
+|-------|---------|-------|
+| **E:** | (FAT32) | `claudetools-recovery\` — secrets + identity + manifests (redundant copy) |
+| **F:** | Ventoy  | `claudetools-recovery\` — same bundle **plus** `data\` (large client data) |
+
+> F: is also a bootable rescue stick (SystemRescue, Boot Repair) — keep it; it can
+> help fix the machine. The bundle lives in `F:\claudetools-recovery\`, Ventoy is untouched.
+
+---
+
+## What's in the bundle (and why it can't just be re-cloned)
+
+`claudetools-recovery\`
+- `secrets\`
+  - `sops-age\keys.txt` — **THE most critical file.** The SOPS age private key. Without
+    it the entire vault (`D:\vault`) is permanently undecryptable. Not stored in any repo.
+  - `ssh\` — `id_ed25519` (+pub), `pst-cc-ucg` (+pub), `config`, `known_hosts`
+  - `claude\` — `.claude.json`, `.credentials.json` (Claude Code login), settings, keybindings, statusline
+  - `grok\` — `auth.json`, `config.toml`, `agent_id`
+  - `gemini\` — `oauth_creds.json`, `google_accounts.json`, settings, installation_id
+  - `git\.gitconfig`, `powershell\Microsoft.PowerShell_profile.ps1`
+- `identity\` — repo-local gitignored files: `identity.json`, `settings.local.json`,
+  `current-mode`, `coord-broadcasts-seen`, `mcp.json`, `.claude/state\`, ticktick tokens, dataforth oauth
+- `config\` — Windows Terminal settings, fleet `hosts` file, quote-wizard `.env.production`
+- `manifests\` — `installed-tools.txt`, `ollama-models.txt`, `git-global-config.txt`,
+  `repos.txt`, `user-environment.reg` / `.txt` (incl. `OLLAMA_MODELS`/`OLLAMA_HOST`/`PROTOC`), `scheduled-tasks\*.xml`
+- `at-risk-work\` — local-only WIP rescued from the submodules (not on any remote):
+  guru-rmm stashes as `.patch` files + guru-connect `tmp-spec018.diff`. The bootstrap
+  re-applies these automatically in Phase 6 (`restore-at-risk-work.ps1`) — the guru-rmm
+  ones are put back **as stashes** (`git stash list`), the guru-connect diff is dropped
+  back as its untracked working file. See `RESTORE-at-risk-work.txt` for manual steps.
+- `data\` (F: only) — large non-Gitea client/project data, repo-relative paths
+
+Everything else (all tracked code, skills, commands, docs, session logs, wiki) comes
+back from Gitea on clone — no need to back it up.
+
+---
+
+## Fast path (one shot)
+
+From an **elevated PowerShell**, with E: or F: plugged in:
+
+```powershell
+# copy the script off the drive first (so it survives a re-clone)
+Copy-Item F:\claudetools-recovery\bootstrap\windows-bootstrap.ps1 $env:TEMP\boot.ps1
+& $env:TEMP\..  # or just run directly:
+F:\claudetools-recovery\bootstrap\windows-bootstrap.ps1 -SkipModels
+```
+
+Run it from an **elevated** shell so Phase 0 can rename the machine to `GURU-5070`
+(read from the bundle's identity.json; override with `-Hostname <name>`). The rename
+needs a **reboot** to take effect — the script reminds you at the end. Re-run after the
+reboot to finish any phases that depend on the hostname.
+
+`-SkipModels` defers the ~50 GB Ollama downloads. Drop it (or run Phase 8 later) when
+you want them. Add `-RestoreData` to also pull back the large client data from `F:\...\data`.
+
+The script is **idempotent** — safe to re-run; it skips anything already done. To run
+just part of it: `-OnlyPhases "1,2,3"`.
+
+---
+
+## Manual path (if you'd rather do it by hand)
+
+0. **Set the hostname** (elevated): `Rename-Computer -NewName GURU-5070 -Restart`. Do this
+   first so scheduled tasks / coord session IDs line up after the reboot.
+1. **Install App Installer** (winget) from the Microsoft Store if missing.
+2. **Core tools** (winget ids):
+   `Git.Git`, `OpenJS.NodeJS.LTS`, `Python.Python.3.14`, `Rustlang.Rustup`,
+   `Microsoft.VisualStudioCode`, `Ollama.Ollama`, `jqlang.jq`,
+   `SecretsOPerationS.SOPS`, `FiloSottile.age`, `GitHub.cli`, `AgileBits.1Password.CLI`,
+   `Microsoft.DotNet.SDK.8`, `Google.Protobuf`, `oschwartz10612.Poppler`, `Tailscale.Tailscale`
+   Then `dotnet tool install --global wix` (MSI builds).
+   Set env: `OLLAMA_MODELS=D:\OllamaModels`, `OLLAMA_HOST=0.0.0.0:11434`, `PROTOC=<protoc.exe>`.
+3. **AI CLIs:**
+   - Claude: `irm https://claude.ai/install.ps1 | iex`  → `~/.local/bin/claude.exe`
+   - Gemini: `npm install -g @google/gemini-cli`
+   - Grok:   `bash -c "curl -fsSL https://x.ai/cli/install.sh | bash"`  (Git Bash)
+4. **Restore home secrets:** `F:\claudetools-recovery\bootstrap\restore-secrets.ps1 -Group home`
+5. **Clone repos:**
+   ```
+   git clone https://git.azcomputerguru.com/azcomputerguru/claudetools.git D:\claudetools
+   cd D:\claudetools; git submodule update --init --recursive
+   git clone https://git.azcomputerguru.com/azcomputerguru/vault.git D:\vault
+   ```
+   (On-network you can use `http://172.16.3.20:3000/...` to bypass the SSL-renewal blips.)
+6. **Restore identity:** `restore-secrets.ps1 -Group repo`
+7. **Ollama models (proper set for this 12 GB-VRAM laptop):**
+   `ollama pull nomic-embed-text:latest` (GrepAI embeddings) and `ollama pull qwen3:8b` (prose_model).
+   Models live on `D:\OllamaModels` (47.8 GB) — **if D: survived the reset they're already there, skip this.**
+   Heavy extras (`qwen3:14b`, `codestral:22b`, `qwen3.6:latest`) are opt-in only; they over-saturate 12 GB VRAM.
+8. **Scheduled tasks:** import each XML in `manifests\scheduled-tasks\` via
+   `Register-ScheduledTask -Xml (Get-Content x.xml -Raw) -TaskName "..."`.
+9. **Verify:** `D:\claudetools\.claude\scripts\onboarding-diagnostic.ps1`, then `/self-check` in Claude Code.
+
+---
+
+## Post-install: things that need an interactive login
+
+Auth tokens are backed up, but some expire. If a tool says it's unauthenticated:
+
+- **Claude Code:** run `claude`, then `/login` (browser).
+- **GitHub CLI:** `gh auth login`
+- **1Password:** `op signin`
+- **Gemini:** launch `gemini`, complete the Google OAuth browser flow.
+- **Grok:** `grok login` (tokens expire after 7 days).
+- **Gitea git push:** uses the Windows Credential Manager (`credential.helper=manager`).
+  First push prompts for the shared `azcomputerguru` account. **Do NOT** bake the password
+  into the remote URL (the old `D:\work\gururmm` clone did — reset it to a clean URL).
+
+## Verify the vault decrypts (proves the age key restored correctly)
+
+```
+bash D:/claudetools/.claude/scripts/vault.sh list
+bash D:/claudetools/.claude/scripts/vault.sh get-field projects/claudetools/database.sops.yaml credentials.password
+```
+
+If that returns the password, recovery succeeded. If it errors about decryption, the
+age key at `%APPDATA%\sops\age\keys.txt` and `~/.config/sops/age/keys.txt` is missing/wrong.
+
+---
+
+## Refreshing this bundle later
+
+Re-run the backup any time (it's just file copies):
+`D:\claudetools\.claude\bootstrap\backup-to-bundle.ps1` (writes to E: and F:).

.claude/bootstrap/backup-to-bundle.ps1

@@ -0,0 +1,169 @@
+<#
+.SYNOPSIS
+  Back up ClaudeTools secrets + identity (and optionally large client data) to a
+  recovery bundle on a removable drive. The inverse of restore-secrets.ps1.
+
+.DESCRIPTION
+  Captures everything that will NOT come back from a `git clone`:
+    - out-of-repo secrets under the user profile (age key, ssh, tool auth, git, PS profile)
+    - repo-local gitignored identity files
+    - environment manifests (installed tools, ollama models, scheduled-task XML, vscode ext)
+    - (optional) large gitignored client/project data clusters
+
+  Safe to re-run; it refreshes the bundle in place.
+
+.PARAMETER Drives        Target drive roots. Default 'E:','F:' (writes the small bundle to both).
+.PARAMETER IncludeData   Also copy the large client-data clusters (only to the FIRST drive with room; exFAT recommended).
+.PARAMETER ClaudeToolsRoot  Default D:\claudetools.
+
+.EXAMPLE
+  .\backup-to-bundle.ps1                 # secrets+identity+manifests to E: and F:
+  .\backup-to-bundle.ps1 -IncludeData    # also large data (to F:)
+#>
+[CmdletBinding()]
+param(
+  [string[]]$Drives = @('E:','F:'),
+  [switch]$IncludeData,
+  [string]$ClaudeToolsRoot = 'D:\claudetools',
+  [string]$DataDrive = 'F:'
+)
+$ErrorActionPreference = 'Stop'
+$u = $env:USERPROFILE
+
+# Decode native (git) stdout as UTF-8 so captured patch text is not mangled, and give
+# us a UTF-8 (no BOM) encoding for writing patches `git apply` can actually parse.
+try { [Console]::OutputEncoding = [System.Text.UTF8Encoding]::new($false) } catch {}
+$Utf8NoBom = New-Object System.Text.UTF8Encoding($false)
+
+function Save($src,$dst){
+  if (Test-Path -LiteralPath $src) {
+    $p = Split-Path $dst -Parent; if (-not (Test-Path $p)) { New-Item -ItemType Directory -Force -Path $p | Out-Null }
+    Copy-Item -LiteralPath $src -Destination $dst -Force; Write-Host "[OK]   $src"
+  } else { Write-Host "[MISS] $src" }
+}
+
+# Build the bundle once under the first available target, then mirror to the rest.
+$primary = $Drives | Where-Object { Test-Path "$_\" } | Select-Object -First 1
+if (-not $primary) { throw "None of the target drives are accessible: $($Drives -join ', ')" }
+$root = "$primary\claudetools-recovery"
+Write-Host "=== building bundle at $root ===" -ForegroundColor Cyan
+foreach ($d in 'secrets\sops-age','secrets\ssh','secrets\claude','secrets\grok','secrets\gemini','secrets\git','secrets\powershell','identity\state','manifests\scheduled-tasks','bootstrap') {
+  New-Item -ItemType Directory -Force -Path "$root\$d" | Out-Null
+}
+
+# --- secrets ---
+Save "$u\.config\sops\age\keys.txt"          "$root\secrets\sops-age\keys.txt"
+if (Test-Path "$u\.ssh") { Copy-Item "$u\.ssh\*" "$root\secrets\ssh\" -Force; Write-Host "[OK]   ~/.ssh/*" }
+Save "$u\.claude.json"                        "$root\secrets\claude\.claude.json"
+Save "$u\.claude\.credentials.json"           "$root\secrets\claude\.credentials.json"
+Save "$u\.claude\settings.json"               "$root\secrets\claude\settings.json"
+Save "$u\.claude\keybindings.json"            "$root\secrets\claude\keybindings.json"
+Save "$u\.claude\statusline-command.sh"       "$root\secrets\claude\statusline-command.sh"
+Save "$u\.grok\auth.json"                     "$root\secrets\grok\auth.json"
+Save "$u\.grok\config.toml"                   "$root\secrets\grok\config.toml"
+Save "$u\.grok\agent_id"                      "$root\secrets\grok\agent_id"
+Save "$u\.gemini\oauth_creds.json"            "$root\secrets\gemini\oauth_creds.json"
+Save "$u\.gemini\google_accounts.json"        "$root\secrets\gemini\google_accounts.json"
+Save "$u\.gemini\settings.json"               "$root\secrets\gemini\settings.json"
+Save "$u\.gemini\installation_id"             "$root\secrets\gemini\installation_id"
+Save "$u\.gitconfig"                          "$root\secrets\git\.gitconfig"
+# user-global Claude commands + plugins (not in repo)
+if (Test-Path "$u\.claude\commands") { New-Item -ItemType Directory -Force -Path "$root\secrets\claude-global\commands" | Out-Null; robocopy "$u\.claude\commands" "$root\secrets\claude-global\commands" /E /R:1 /W:1 /NFL /NDL /NJH /NJS /NP | Out-Null; Write-Host "[OK]   ~/.claude/commands" }
+if (Test-Path "$u\.claude\plugins")  { New-Item -ItemType Directory -Force -Path "$root\secrets\claude-global\plugins"  | Out-Null; robocopy "$u\.claude\plugins"  "$root\secrets\claude-global\plugins"  /E /R:1 /W:1 /NFL /NDL /NJH /NJS /NP | Out-Null; Write-Host "[OK]   ~/.claude/plugins" }
+Save $PROFILE                                 "$root\secrets\powershell\Microsoft.PowerShell_profile.ps1"
+
+# --- repo-local identity ---
+Save "$ClaudeToolsRoot\.claude\identity.json"            "$root\identity\identity.json"
+Save "$ClaudeToolsRoot\.claude\settings.local.json"      "$root\identity\settings.local.json"
+Save "$ClaudeToolsRoot\.claude\current-mode"             "$root\identity\current-mode"
+Save "$ClaudeToolsRoot\.claude\coord-broadcasts-seen"    "$root\identity\coord-broadcasts-seen"
+Save "$ClaudeToolsRoot\.mcp.json"                        "$root\identity\mcp.json"
+Save "$ClaudeToolsRoot\mcp-servers\ticktick\.tokens.json" "$root\identity\ticktick-tokens.json"
+Save "$ClaudeToolsRoot\clients\dataforth\Oauth.txt"      "$root\identity\dataforth-oauth.txt"
+if (Test-Path "$ClaudeToolsRoot\.claude\state") { Copy-Item "$ClaudeToolsRoot\.claude\state\*" "$root\identity\state\" -Recurse -Force -ErrorAction SilentlyContinue }
+
+# --- bootstrap scripts (so the drive is self-contained) ---
+Copy-Item "$ClaudeToolsRoot\.claude\bootstrap\*.ps1" "$root\bootstrap\" -Force -ErrorAction SilentlyContinue
+Copy-Item "$ClaudeToolsRoot\.claude\bootstrap\RESTORE.md" "$root\bootstrap\" -Force -ErrorAction SilentlyContinue
+
+# --- at-risk local WIP: stashes + untracked diffs that are on NO remote ---
+# Written as UTF-8 (no BOM, LF) so restore-at-risk-work.ps1 / `git apply` can parse them.
+# (Earlier ad-hoc captures used PowerShell `>` redirection = UTF-16, which git apply
+#  rejects with "No valid patches in input" - hence the explicit byte-level write here.)
+$awRoot = "$root\at-risk-work"
+function Save-RepoStashes($repo,$label){
+  if (-not (Test-Path "$repo\.git")) { return }
+  $marks = @(& git -C $repo stash list --format='%gd' 2>$null)
+  if (-not $marks) { return }
+  $dir = "$awRoot\$label"; New-Item -ItemType Directory -Force -Path $dir | Out-Null
+  $base = (& git -C $repo rev-parse HEAD 2>$null)
+  [System.IO.File]::WriteAllText("$dir\BASE-COMMIT.txt", "$base`n", $Utf8NoBom)
+  for ($i=0; $i -lt $marks.Count; $i++) {
+    $files = @(& git -C $repo stash show --name-only "stash@{$i}" 2>$null)
+    $slug  = if ($files.Count) { ([IO.Path]::GetFileNameWithoutExtension($files[0])) -replace '[^\w\-]','_' } else { "stash$i" }
+    $lines = @(& git -C $repo --no-pager stash show -p "stash@{$i}" 2>$null)
+    [System.IO.File]::WriteAllText("$dir\stash$i-$slug.patch", (($lines -join "`n") + "`n"), $Utf8NoBom)
+    Write-Host "[OK]   at-risk stash: $label stash@{$i} -> stash$i-$slug.patch"
+  }
+}
+Save-RepoStashes "$ClaudeToolsRoot\projects\msp-tools\guru-rmm"     'guru-rmm'
+Save-RepoStashes "$ClaudeToolsRoot\projects\msp-tools\guru-connect" 'guru-connect'
+# untracked working diffs (e.g. tmp-*.diff) that aren't committed anywhere
+$gcRepo = "$ClaudeToolsRoot\projects\msp-tools\guru-connect"
+if (Test-Path $gcRepo) {
+  Get-ChildItem $gcRepo -Filter 'tmp-*.diff' -File -ErrorAction SilentlyContinue | ForEach-Object {
+    $dir = "$awRoot\guru-connect"; New-Item -ItemType Directory -Force -Path $dir | Out-Null
+    Copy-Item $_.FullName "$dir\$($_.Name)" -Force; Write-Host "[OK]   at-risk untracked diff: guru-connect\$($_.Name)"
+  }
+}
+
+# --- manifests ---
+$m = "$root\manifests"
+$tools = 'node','npm','claude','gemini','grok','ollama','py','git','gh','jq','sops','age','cargo','rustc','code','op'
+($tools | ForEach-Object { $c = Get-Command $_ -ErrorAction SilentlyContinue; if ($c) { $v = try { (& $_ --version 2>$null | Select-Object -First 1) } catch {''}; "{0,-10} {1,-55} {2}" -f $_,$c.Source,$v } else { "{0,-10} NOT INSTALLED" -f $_ } }) | Out-File "$m\installed-tools.txt" -Encoding utf8
+ollama list 2>$null | Out-File "$m\ollama-models.txt" -Encoding utf8
+git config --global --list | Out-File "$m\git-global-config.txt" -Encoding utf8
+$ext = & code --list-extensions 2>$null; if ($ext) { $ext | Out-File "$m\vscode-extensions.txt" -Encoding utf8 }
+foreach ($tn in "GrepAI Watcher - claudetools","ClaudeTools - Orphaned Session Detector","ClaudeTools - KSTEEN SmartBadge Daily") {
+  $safe = ($tn -replace '[^\w\-]','_')
+  try { Export-ScheduledTask -TaskName $tn 2>$null | Out-File "$m\scheduled-tasks\$safe.xml" -Encoding utf8 } catch {}
+}
+# user environment vars (.reg restorable + readable)
+reg export "HKCU\Environment" "$m\user-environment.reg" /y 2>$null | Out-Null
+(Get-Item 'HKCU:\Environment' | Select-Object -ExpandProperty Property | ForEach-Object { "{0}={1}" -f $_, (Get-ItemProperty 'HKCU:\Environment' -Name $_).$_ }) | Out-File "$m\user-environment.txt" -Encoding utf8
+
+# --- machine config (Windows Terminal, hosts, repo-local real .env files) ---
+New-Item -ItemType Directory -Force -Path "$root\config" | Out-Null
+$wt = "$env:LOCALAPPDATA\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json"
+if (Test-Path $wt) { Save $wt "$root\config\windows-terminal-settings.json" }
+Save "$env:WINDIR\System32\drivers\etc\hosts" "$root\config\hosts"
+Save "$ClaudeToolsRoot\projects\msp-tools\quote-wizard\frontend\.env.production" "$root\config\quote-wizard.frontend.env.production"
+
+# --- large data (optional) ---
+if ($IncludeData) {
+  $base = "$DataDrive\claudetools-recovery\data"
+  $xd = @('node_modules','.venv','venv','__pycache__','target','.grepai','.pytest_cache','dist','build')
+  $xf = @('Thumbs.db','desktop.ini','*.pyc','*.mp3')  # radio-show MP3s live on IX Web Hosting - not backed up here
+  $clusters = @(
+    'clients\valleywide\app-modernization\source-analysis',
+    'clients\grabb-durando\ai-demand-review',
+    'projects\dataforth-dos\datasheet-pipeline',
+    'projects\dataforth-dos\dfwds-research',
+    'projects\radio-show\audio-processor'
+  )
+  Write-Host "=== copying large data to $base ===" -ForegroundColor Cyan
+  foreach ($c in $clusters) {
+    if (Test-Path "$ClaudeToolsRoot\$c") { robocopy "$ClaudeToolsRoot\$c" "$base\$c" /E /R:1 /W:1 /XD $xd /XF $xf /NFL /NDL /NP | Out-Null; Write-Host "[OK]   $c" }
+  }
+}
+
+# --- mirror small bundle to the other drives ---
+foreach ($d in $Drives) {
+  if ($d -eq $primary) { continue }
+  if (Test-Path "$d\") {
+    Write-Host "=== mirroring bundle -> $d\claudetools-recovery ===" -ForegroundColor Cyan
+    robocopy $root "$d\claudetools-recovery" /E /R:1 /W:1 /XD data /NFL /NDL /NP | Out-Null
+    Write-Host "[OK]   mirrored to $d"
+  }
+}
+Write-Host "`n[DONE] backup-to-bundle.ps1" -ForegroundColor Green

.claude/bootstrap/restore-at-risk-work.ps1

@@ -0,0 +1,113 @@
+<#
+.SYNOPSIS
+  Restore local-only WIP (stashes + untracked diffs) that was rescued into the
+  recovery bundle's at-risk-work\ folder. Run AFTER the repos + submodules are cloned.
+
+.DESCRIPTION
+  guru-rmm  : each stashN-*.patch is applied to the working tree and then re-stashed,
+              faithfully recreating the original `git stash` entries. Patches are
+              processed highest-N-first so stash0 ends up on top (stash@{0}), matching
+              the original LIFO order. The working tree is left CLEAN (changes live in
+              the stash, exactly as before).
+  guru-connect : tmp-spec018.diff was an UNTRACKED working file, so it is copied back
+              into the repo as-is (not applied). Apply it yourself if/when you want it.
+
+  Non-destructive and re-runnable. If a patch won't apply cleanly (submodule moved on),
+  it is reported and the .patch file is left in place for manual `git apply --3way`.
+
+  ROBUSTNESS NOTES (why this is not just `git apply <file>`):
+    * Patch files may have been written by PowerShell redirection (UTF-16 LE/BE w/ BOM).
+      `git apply` only understands UTF-8/ASCII and otherwise reports
+      "No valid patches in input". Get-Utf8PatchPath normalizes any encoding to a
+      UTF-8 (no BOM) temp copy before applying.
+    * git writes progress/errors to stderr; capturing that with `2>&1` while
+      $ErrorActionPreference='Stop' turns it into a *terminating* error (PS 5.1
+      NativeCommandError) that aborts the whole bootstrap. Invoke-Git captures
+      output without that trap and returns the real exit code.
+    * If the submodule still has stashes, the WIP almost certainly survived the reset.
+      Re-applying would create DUPLICATE stashes, so we skip and report instead.
+
+.PARAMETER BundlePath        Recovery bundle root (auto-detect F:\ then E:\).
+.PARAMETER ClaudeToolsRoot   Default D:\claudetools.
+#>
+[CmdletBinding()]
+param([string]$BundlePath,[string]$ClaudeToolsRoot='D:\claudetools')
+$ErrorActionPreference='Stop'
+
+# Read a patch regardless of encoding (UTF-16 LE/BE +/- BOM, UTF-8 +/- BOM) and return
+# the path to a normalized UTF-8 (no BOM) temp copy that `git apply` can parse.
+function Get-Utf8PatchPath($path){
+  $bytes = [System.IO.File]::ReadAllBytes($path)
+  if     ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { $text = [System.Text.Encoding]::Unicode.GetString($bytes,2,$bytes.Length-2) }
+  elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) { $text = [System.Text.Encoding]::BigEndianUnicode.GetString($bytes,2,$bytes.Length-2) }
+  elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) { $text = [System.Text.Encoding]::UTF8.GetString($bytes,3,$bytes.Length-3) }
+  else {
+    # No BOM: detect UTF-16 LE without BOM by counting interleaved NUL bytes in the head.
+    $nul = 0; $n = [Math]::Min(64,$bytes.Length)
+    for ($i=0; $i -lt $n; $i++) { if ($bytes[$i] -eq 0) { $nul++ } }
+    if ($nul -gt 8) { $text = [System.Text.Encoding]::Unicode.GetString($bytes) }
+    else            { $text = [System.Text.Encoding]::UTF8.GetString($bytes) }
+  }
+  $text = $text -replace "`r`n","`n"   # normalize to LF so git apply is happy
+  $tmp = [System.IO.Path]::GetTempFileName()
+  [System.IO.File]::WriteAllText($tmp, $text, (New-Object System.Text.UTF8Encoding($false)))
+  return $tmp
+}
+
+# Run git without letting native stderr (under $ErrorActionPreference='Stop') become a
+# terminating error. Returns [pscustomobject]@{ Code; Output }.
+function Invoke-Git([string[]]$GitArgs){
+  $old = $ErrorActionPreference; $ErrorActionPreference = 'Continue'
+  try { $out = (& git @GitArgs 2>&1 | Out-String); $code = $LASTEXITCODE }
+  finally { $ErrorActionPreference = $old }
+  [pscustomobject]@{ Code = $code; Output = ($out).Trim() }
+}
+
+if (-not $BundlePath) { foreach ($d in 'F:','E:','D:') { if (Test-Path "$d\claudetools-recovery\at-risk-work") { $BundlePath="$d\claudetools-recovery"; break } } }
+$aw = "$BundlePath\at-risk-work"
+if (-not $BundlePath -or -not (Test-Path $aw)) { Write-Host "[INFO] no at-risk-work folder found in bundle - nothing to restore"; return }
+Write-Host "[INFO] restoring at-risk WIP from $aw" -ForegroundColor Cyan
+
+function Have-Git($repo){ Test-Path "$repo\.git" }
+
+# ---- guru-rmm stashes ----
+$rmm = "$ClaudeToolsRoot\projects\msp-tools\guru-rmm"
+if ((Test-Path "$aw\guru-rmm") -and (Have-Git $rmm)) {
+  $existing = (Invoke-Git @('-C',$rmm,'stash','list')).Output
+  if ($existing) {
+    Write-Host "[SKIP] guru-rmm already has stashes (local WIP survived the reset) - not re-applying to avoid duplicates:" -ForegroundColor Yellow
+    Write-Host $existing
+    Write-Host "       Bundle patches remain in $aw\guru-rmm; apply by hand if you really need them." -ForegroundColor Yellow
+  }
+  elseif ((Invoke-Git @('-C',$rmm,'status','--porcelain')).Output) {
+    Write-Host "[WARN] guru-rmm working tree is dirty; skipping auto-restore to avoid mixing changes. Apply patches in $aw\guru-rmm manually." -ForegroundColor Yellow
+  } else {
+    # highest N first so stash0 lands at stash@{0}
+    $patches = Get-ChildItem "$aw\guru-rmm" -Filter '*.patch' | Sort-Object Name -Descending
+    foreach ($p in $patches) {
+      $u8 = Get-Utf8PatchPath $p.FullName
+      try {
+        $chk = Invoke-Git @('-C',$rmm,'apply','--check','--3way',$u8)
+        if ($chk.Code -ne 0) { Write-Host "[WARN] won't apply cleanly, left for manual restore: $($p.Name) ($($chk.Output))" -ForegroundColor Yellow; continue }
+        Invoke-Git @('-C',$rmm,'apply','--3way',$u8) | Out-Null
+        Invoke-Git @('-C',$rmm,'stash','push','-u','-m',"restored WIP: $($p.BaseName)") | Out-Null
+        Write-Host "[OK]   re-stashed guru-rmm: $($p.BaseName)" -ForegroundColor Green
+      } finally { Remove-Item $u8 -Force -ErrorAction SilentlyContinue }
+    }
+    Write-Host "[INFO] guru-rmm stashes now:" -ForegroundColor Cyan
+    Write-Host (Invoke-Git @('-C',$rmm,'stash','list')).Output
+  }
+}
+
+# ---- guru-connect untracked diff ----
+$gc = "$ClaudeToolsRoot\projects\msp-tools\guru-connect"
+$diff = "$aw\guru-connect\tmp-spec018.diff"
+if ((Test-Path $diff) -and (Test-Path $gc)) {
+  if (Test-Path "$gc\tmp-spec018.diff") {
+    Write-Host "[SKIP] guru-connect\tmp-spec018.diff already present in repo (survived the reset) - not overwriting." -ForegroundColor Yellow
+  } else {
+    Copy-Item $diff "$gc\tmp-spec018.diff" -Force
+    Write-Host "[OK]   guru-connect\tmp-spec018.diff restored (untracked working file - 'git apply --3way tmp-spec018.diff' to apply it)" -ForegroundColor Green
+  }
+}
+Write-Host "[DONE] at-risk WIP restore" -ForegroundColor Cyan

.claude/bootstrap/restore-secrets.ps1

@@ -0,0 +1,147 @@
+<#
+.SYNOPSIS
+  Restore ClaudeTools secrets + machine identity from a recovery bundle
+  (produced by the Windows bootstrap backup) back to their real locations.
+
+.DESCRIPTION
+  Two restore groups:
+    [home]  -> out-of-repo secrets that live under the user profile
+              (SOPS age key, SSH keys, Claude/grok/gemini auth, git config,
+               PowerShell profile). These are needed BEFORE cloning repos.
+    [repo]  -> repo-local, gitignored files that go back into D:\claudetools
+              (identity.json, settings.local.json, current-mode, .mcp.json,
+               .claude/state, ticktick tokens, dataforth oauth). These require
+               the claudetools repo to already be cloned.
+
+  Idempotent. Only restores files that exist in the bundle. Never overwrites a
+  newer file unless -Force is given.
+
+.PARAMETER BundlePath
+  Path to the recovery bundle root (the folder containing 'secrets' and
+  'identity'). Auto-detected from F:\ then E:\ if not supplied.
+
+.PARAMETER ClaudeToolsRoot
+  Where claudetools is / will be cloned. Default D:\claudetools.
+
+.PARAMETER Group
+  home | repo | all  (default all).
+
+.EXAMPLE
+  .\restore-secrets.ps1 -Group home      # before cloning repos
+  .\restore-secrets.ps1 -Group repo      # after cloning claudetools
+#>
+[CmdletBinding()]
+param(
+  [string]$BundlePath,
+  [string]$ClaudeToolsRoot = 'D:\claudetools',
+  [ValidateSet('home','repo','all')][string]$Group = 'all',
+  [switch]$Force
+)
+$ErrorActionPreference = 'Stop'
+
+function Find-Bundle {
+  foreach ($d in 'F:','E:','D:') {
+    $p = "$d\claudetools-recovery"
+    if (Test-Path "$p\secrets") { return $p }
+  }
+  return $null
+}
+if (-not $BundlePath) { $BundlePath = Find-Bundle }
+if (-not $BundlePath -or -not (Test-Path "$BundlePath\secrets")) {
+  throw "Recovery bundle not found. Plug in the drive or pass -BundlePath. Looked for <drive>:\claudetools-recovery\secrets"
+}
+Write-Host "[INFO] Using recovery bundle: $BundlePath" -ForegroundColor Cyan
+
+function Restore-One($src, $dst) {
+  if (-not (Test-Path -LiteralPath $src)) { Write-Host "[SKIP] not in bundle: $src"; return }
+  $parent = Split-Path $dst -Parent
+  if ($parent -and -not (Test-Path $parent)) { New-Item -ItemType Directory -Force -Path $parent | Out-Null }
+  if ((Test-Path -LiteralPath $dst) -and -not $Force) {
+    Write-Host "[KEEP] exists (use -Force to overwrite): $dst" -ForegroundColor Yellow
+    return
+  }
+  Copy-Item -LiteralPath $src -Destination $dst -Force
+  Write-Host "[OK]   $dst" -ForegroundColor Green
+}
+
+# ---------------------------------------------------------------- HOME secrets
+if ($Group -in 'home','all') {
+  Write-Host "`n=== Restoring home-profile secrets ===" -ForegroundColor Cyan
+  $u = $env:USERPROFILE
+  $s = "$BundlePath\secrets"
+
+  # SOPS age key (CRITICAL - vault is undecryptable without it)
+  New-Item -ItemType Directory -Force -Path "$u\.config\sops\age" | Out-Null
+  New-Item -ItemType Directory -Force -Path "$env:APPDATA\sops\age" | Out-Null
+  Restore-One "$s\sops-age\keys.txt" "$u\.config\sops\age\keys.txt"
+  Restore-One "$s\sops-age\keys.txt" "$env:APPDATA\sops\age\keys.txt"
+
+  # SSH
+  New-Item -ItemType Directory -Force -Path "$u\.ssh" | Out-Null
+  if (Test-Path "$s\ssh") {
+    Get-ChildItem "$s\ssh" -File | ForEach-Object { Restore-One $_.FullName "$u\.ssh\$($_.Name)" }
+    # lock down private key perms (remove inheritance, owner-only)
+    Get-ChildItem "$u\.ssh" -File | Where-Object { $_.Name -notmatch '\.pub$' -and $_.Name -ne 'known_hosts' -and $_.Name -ne 'config' } | ForEach-Object {
+      icacls $_.FullName /inheritance:r /grant:r "$($env:USERNAME):(F)" 2>$null | Out-Null
+    }
+  }
+
+  # Claude Code auth/config
+  Restore-One "$s\claude\.claude.json"          "$u\.claude.json"
+  Restore-One "$s\claude\.credentials.json"     "$u\.claude\.credentials.json"
+  Restore-One "$s\claude\settings.json"         "$u\.claude\settings.json"
+  Restore-One "$s\claude\keybindings.json"      "$u\.claude\keybindings.json"
+  Restore-One "$s\claude\statusline-command.sh" "$u\.claude\statusline-command.sh"
+
+  # grok
+  Restore-One "$s\grok\auth.json"   "$u\.grok\auth.json"
+  Restore-One "$s\grok\config.toml" "$u\.grok\config.toml"
+  Restore-One "$s\grok\agent_id"    "$u\.grok\agent_id"
+
+  # gemini
+  Restore-One "$s\gemini\oauth_creds.json"     "$u\.gemini\oauth_creds.json"
+  Restore-One "$s\gemini\google_accounts.json" "$u\.gemini\google_accounts.json"
+  Restore-One "$s\gemini\settings.json"        "$u\.gemini\settings.json"
+  Restore-One "$s\gemini\installation_id"      "$u\.gemini\installation_id"
+
+  # user-global Claude commands + plugins (not in the repo)
+  if (Test-Path "$s\claude-global\commands") {
+    New-Item -ItemType Directory -Force -Path "$u\.claude\commands" | Out-Null
+    Copy-Item "$s\claude-global\commands\*" "$u\.claude\commands\" -Recurse -Force
+    Write-Host "[OK]   $u\.claude\commands\*" -ForegroundColor Green
+  }
+  if (Test-Path "$s\claude-global\plugins") {
+    New-Item -ItemType Directory -Force -Path "$u\.claude\plugins" | Out-Null
+    Copy-Item "$s\claude-global\plugins\*" "$u\.claude\plugins\" -Recurse -Force
+    Write-Host "[OK]   $u\.claude\plugins\*" -ForegroundColor Green
+  }
+
+  # git global config
+  Restore-One "$s\git\.gitconfig" "$u\.gitconfig"
+
+  # PowerShell profile
+  Restore-One "$s\powershell\Microsoft.PowerShell_profile.ps1" $PROFILE
+}
+
+# ---------------------------------------------------------------- REPO-local
+if ($Group -in 'repo','all') {
+  Write-Host "`n=== Restoring repo-local identity files ===" -ForegroundColor Cyan
+  if (-not (Test-Path $ClaudeToolsRoot)) {
+    Write-Host "[WARN] $ClaudeToolsRoot does not exist yet. Clone the repo first, then re-run with -Group repo." -ForegroundColor Yellow
+  } else {
+    $i = "$BundlePath\identity"
+    Restore-One "$i\identity.json"        "$ClaudeToolsRoot\.claude\identity.json"
+    Restore-One "$i\settings.local.json"  "$ClaudeToolsRoot\.claude\settings.local.json"
+    Restore-One "$i\current-mode"         "$ClaudeToolsRoot\.claude\current-mode"
+    Restore-One "$i\coord-broadcasts-seen" "$ClaudeToolsRoot\.claude\coord-broadcasts-seen"
+    Restore-One "$i\mcp.json"             "$ClaudeToolsRoot\.mcp.json"
+    Restore-One "$i\ticktick-tokens.json" "$ClaudeToolsRoot\mcp-servers\ticktick\.tokens.json"
+    Restore-One "$i\dataforth-oauth.txt"  "$ClaudeToolsRoot\clients\dataforth\Oauth.txt"
+    if (Test-Path "$i\state") {
+      New-Item -ItemType Directory -Force -Path "$ClaudeToolsRoot\.claude\state" | Out-Null
+      Copy-Item "$i\state\*" "$ClaudeToolsRoot\.claude\state\" -Recurse -Force
+      Write-Host "[OK]   $ClaudeToolsRoot\.claude\state\*" -ForegroundColor Green
+    }
+  }
+}
+Write-Host "`n[DONE] restore-secrets.ps1 ($Group)" -ForegroundColor Cyan

.claude/bootstrap/windows-bootstrap.ps1

@@ -0,0 +1,346 @@
+<#
+.SYNOPSIS
+  ClaudeTools Windows bootstrap - rebuild a workstation after a clean OS reset.
+
+.DESCRIPTION
+  Installs every tool ClaudeTools needs, restores secrets + identity from the
+  recovery bundle, clones the repos, wires up scheduled tasks, and verifies.
+  Designed to be run top-to-bottom on a fresh Windows 11 install. Idempotent:
+  re-running skips anything already present.
+
+  ORDER OF OPERATIONS (each phase depends on the previous):
+    0. Preflight        - winget, execution policy, UTF-8
+    1. Core tooling     - git, node, python, rust, vscode, ollama, jq, sops, age, gh, op
+    2. PATH refresh     - make freshly-installed tools callable this session
+    3. AI CLIs          - claude (native), gemini (npm), grok (git-bash installer)
+    4. Restore secrets  - age key, ssh, tool auth, git config, PS profile  [home group]
+    5. Clone repos      - claudetools + vault + submodules
+    6. Restore identity - identity.json, settings.local, .mcp.json, state    [repo group]
+    7. Python deps      - pip installs for MCP servers / scripts
+    8. Ollama models    - pull qwen/codestral/nomic (optional, large)
+    9. Scheduled tasks  - GrepAI watcher, orphan detector, smartbadge
+   10. Large data       - restore client data from bundle (optional)
+   11. Verify           - onboarding diagnostic
+
+.PARAMETER BundlePath
+  Recovery bundle root (folder containing 'secrets'/'identity'). Auto-detect F:\ then E:\.
+
+.PARAMETER SkipModels      Skip the multi-GB ollama model pulls.
+.PARAMETER RestoreData     Also restore the large client data from <bundle>\data.
+.PARAMETER GiteaHost       Gitea base URL. Default git.azcomputerguru.com (use 172.16.3.20:3000 on-network).
+.PARAMETER OnlyPhases      Comma list of phase numbers to run (e.g. "1,2,3"). Default: all.
+
+.EXAMPLE
+  # full rebuild, skip giant model downloads for now
+  .\windows-bootstrap.ps1 -SkipModels
+
+.NOTES
+  Run from an elevated PowerShell for cleanest winget machine-scope installs,
+  though most packages also install at user scope without admin.
+#>
+[CmdletBinding()]
+param(
+  [string]$BundlePath,
+  [switch]$SkipModels,
+  [switch]$RestoreData,
+  [string]$GiteaHost = 'https://git.azcomputerguru.com',
+  [string]$ClaudeToolsRoot = 'D:\claudetools',
+  [string]$VaultRoot = 'D:\vault',
+  [string]$Hostname,          # target computer name; default = identity.json .machine, else GURU-5070
+  [string]$OnlyPhases
+)
+$ErrorActionPreference = 'Stop'
+$here = Split-Path -Parent $MyInvocation.MyCommand.Path
+
+function Phase($n,$title){ if ($OnlyPhases -and ($OnlyPhases -split ',').Trim() -notcontains "$n") { return $false }; Write-Host "`n========== PHASE $n : $title ==========" -ForegroundColor Cyan; return $true }
+function Info($m){ Write-Host "[INFO] $m" }
+function Ok($m){ Write-Host "[OK]   $m" -ForegroundColor Green }
+function Warn($m){ Write-Host "[WARN] $m" -ForegroundColor Yellow }
+function Have($cmd){ [bool](Get-Command $cmd -ErrorAction SilentlyContinue) }
+function Refresh-Path { $env:Path = [Environment]::GetEnvironmentVariable('Path','Machine') + ';' + [Environment]::GetEnvironmentVariable('Path','User') }
+
+function Find-Bundle {
+  if ($BundlePath -and (Test-Path "$BundlePath\secrets")) { return $BundlePath }
+  foreach ($d in 'F:','E:','D:') { if (Test-Path "$d\claudetools-recovery\secrets") { return "$d\claudetools-recovery" } }
+  return $null
+}
+
+# ============================================================ PHASE 0
+if (Phase 0 'Preflight') {
+  [Console]::OutputEncoding = [System.Text.Encoding]::UTF8
+  try { Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force } catch {}
+  if (-not (Have winget)) { throw "winget not found. Install 'App Installer' from the Microsoft Store, then re-run." }
+  Ok "winget present: $((Get-Command winget).Source)"
+  $script:Bundle = Find-Bundle
+  if ($script:Bundle) { Ok "recovery bundle: $script:Bundle" } else { Warn "no recovery bundle found - secret/identity restore phases will be skipped" }
+
+  # Hostname - a fresh Windows install is DESKTOP-xxxxx; identity.json + scheduled tasks
+  # + coord session IDs all expect the real name. Rename needs admin and a reboot to apply.
+  $target = $Hostname
+  if (-not $target -and $script:Bundle -and (Test-Path "$script:Bundle\identity\identity.json")) {
+    try { $target = (Get-Content "$script:Bundle\identity\identity.json" -Raw | ConvertFrom-Json).machine } catch {}
+  }
+  if (-not $target) { $target = 'GURU-5070' }
+  if ($env:COMPUTERNAME -ne $target) {
+    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
+    if ($isAdmin) {
+      try { Rename-Computer -NewName $target -Force -ErrorAction Stop; $script:RebootNeeded = $true; Ok "hostname: $env:COMPUTERNAME -> $target (takes effect after reboot)" }
+      catch { Warn "rename to '$target' failed: $($_.Exception.Message)" }
+    } else { Warn "hostname is '$env:COMPUTERNAME', target '$target' - run this script as Administrator to rename (or manually: Rename-Computer -NewName $target -Restart)" }
+  } else { Ok "hostname already '$target'" }
+}
+
+# ============================================================ PHASE 1
+if (Phase 1 'Core tooling (winget)') {
+  $pkgs = @(
+    @{id='Git.Git';                     cmd='git'},
+    @{id='OpenJS.NodeJS.LTS';           cmd='node'},
+    @{id='Python.Python.3.14';          cmd='py'},
+    @{id='Rustlang.Rustup';             cmd='cargo'},
+    @{id='Microsoft.VisualStudioCode';  cmd='code'},
+    @{id='Ollama.Ollama';               cmd='ollama'},
+    @{id='jqlang.jq';                   cmd='jq'},
+    @{id='SecretsOPerationS.SOPS';      cmd='sops'},
+    @{id='FiloSottile.age';             cmd='age'},
+    @{id='GitHub.cli';                  cmd='gh'},
+    @{id='AgileBits.1Password.CLI';     cmd='op'},
+    @{id='Microsoft.DotNet.SDK.8';      cmd='dotnet'},   # MSI builds / wix
+    @{id='Google.Protobuf';             cmd='protoc'},   # gururmm prost builds (PROTOC env)
+    @{id='oschwartz10612.Poppler';      cmd='pdftoppm'}, # dataforth datasheet PDF pipeline
+    @{id='Tailscale.Tailscale';         cmd='tailscale'} # fleet connectivity (100.x mesh)
+  )
+  foreach ($p in $pkgs) {
+    if (Have $p.cmd) { Ok "$($p.cmd) already installed"; continue }
+    Info "installing $($p.id) ..."
+    winget install --id $p.id --exact --silent --accept-package-agreements --accept-source-agreements --disable-interactivity
+    if ($LASTEXITCODE -ne 0) { Warn "winget returned $LASTEXITCODE for $($p.id) (may already be installed or need elevation)" }
+  }
+  Refresh-Path
+}
+
+# ============================================================ PHASE 2
+if (Phase 2 'PATH refresh') {
+  Refresh-Path
+  foreach ($c in 'git','node','npm','py','cargo','jq','sops','age','gh','op','ollama','code','dotnet','protoc','tailscale') {
+    if (Have $c) { Ok "$c -> $((Get-Command $c).Source)" } else { Warn "$c still not on PATH (open a new shell after install)" }
+  }
+  # PROTOC env var for Rust prost builds (path is version-specific, so resolve it live)
+  $protoc = (Get-Command protoc -ErrorAction SilentlyContinue).Source
+  if ($protoc) { [Environment]::SetEnvironmentVariable('PROTOC',$protoc,'User'); $env:PROTOC=$protoc; Ok "PROTOC=$protoc" }
+}
+
+# ============================================================ PHASE 3
+if (Phase 3 'AI CLIs') {
+  # Claude Code - official native installer -> %USERPROFILE%\.local\bin\claude.exe
+  if (Have claude) { Ok "claude already installed" } else {
+    Info "installing Claude Code (native installer)"
+    try { irm https://claude.ai/install.ps1 | iex } catch { Warn "claude install failed: $_  (manual: irm https://claude.ai/install.ps1 | iex)" }
+  }
+  # Gemini CLI - npm global
+  if (Have gemini) { Ok "gemini already installed" } else {
+    Info "installing @google/gemini-cli"
+    npm install -g @google/gemini-cli
+  }
+  # Grok CLI - xAI installer (bash; needs Git Bash from Phase 1)
+  if (Have grok) { Ok "grok already installed" } else {
+    $bash = 'C:\Program Files\Git\bin\bash.exe'
+    if (Test-Path $bash) { Info "installing grok via $bash"; & $bash -lc "curl -fsSL https://x.ai/cli/install.sh | bash" }
+    else { Warn "Git Bash not found; install Git first, then: bash -c 'curl -fsSL https://x.ai/cli/install.sh | bash'" }
+  }
+  Refresh-Path
+  $env:Path += ";$env:USERPROFILE\.local\bin;$env:USERPROFILE\.grok\bin;$env:APPDATA\npm"
+  # Persist the AI-CLI dirs to the User PATH so claude/grok/gemini stay callable in
+  # every new shell (their installers don't always add these; grok especially is a
+  # bare ~\.grok\bin drop that was session-only after the 2026-06-06 rebuild).
+  $userPath = [Environment]::GetEnvironmentVariable('Path','User')
+  foreach ($d in "$env:USERPROFILE\.local\bin", "$env:USERPROFILE\.grok\bin", "$env:APPDATA\npm") {
+    if ((Test-Path $d) -and ($userPath -notmatch [regex]::Escape($d))) { $userPath = $userPath.TrimEnd(';') + ";$d" }
+  }
+  [Environment]::SetEnvironmentVariable('Path', $userPath, 'User')
+  Ok "AI-CLI dirs persisted to User PATH"
+}
+
+# ============================================================ PHASE 4
+if (Phase 4 'Restore home secrets + machine config') {
+  if ($script:Bundle) {
+    & "$here\restore-secrets.ps1" -BundlePath $script:Bundle -Group home
+
+    # Stable machine env vars (NOT a blanket reg import - the saved PATH has stale
+    # version-pinned winget paths. user-environment.reg is kept as reference only.)
+    [Environment]::SetEnvironmentVariable('OLLAMA_MODELS','D:\OllamaModels','User'); $env:OLLAMA_MODELS='D:\OllamaModels'
+    [Environment]::SetEnvironmentVariable('OLLAMA_HOST','0.0.0.0:11434','User');     $env:OLLAMA_HOST='0.0.0.0:11434'
+    Ok "set OLLAMA_MODELS=D:\OllamaModels, OLLAMA_HOST=0.0.0.0:11434"
+
+    # Windows Terminal settings
+    $wtDst = "$env:LOCALAPPDATA\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json"
+    if (Test-Path "$script:Bundle\config\windows-terminal-settings.json") {
+      $p = Split-Path $wtDst -Parent
+      if (Test-Path $p) { Copy-Item "$script:Bundle\config\windows-terminal-settings.json" $wtDst -Force; Ok "Windows Terminal settings restored" }
+      else { Warn "Windows Terminal not installed yet - restore its settings.json later from config\" }
+    }
+
+    # hosts file (fleet Tailscale MagicDNS entries) - needs admin; merge note only
+    if (Test-Path "$script:Bundle\config\hosts") {
+      Warn "fleet hosts entries are in config\hosts - merge into $env:WINDIR\System32\drivers\etc\hosts as admin if Tailscale MagicDNS isn't resolving"
+    }
+  }
+  else { Warn "no bundle - skipping. Restore the SOPS age key + SSH keys manually or the vault will not decrypt." }
+}
+
+# ============================================================ PHASE 5
+if (Phase 5 'Clone repos') {
+  if (-not (Test-Path "$ClaudeToolsRoot\.git")) {
+    Info "cloning claudetools -> $ClaudeToolsRoot"
+    git clone "$GiteaHost/azcomputerguru/claudetools.git" $ClaudeToolsRoot
+    Push-Location $ClaudeToolsRoot
+    Info "initializing submodules (gururmm / guruconnect)"
+    git submodule update --init --recursive
+    Pop-Location
+  } else { Ok "claudetools repo already present" }
+
+  if (-not (Test-Path "$VaultRoot\.git")) {
+    Info "cloning vault -> $VaultRoot"
+    git clone "$GiteaHost/azcomputerguru/vault.git" $VaultRoot
+  } else { Ok "vault repo already present" }
+
+  # safe.directory entries (mirror the prior machine)
+  foreach ($d in $ClaudeToolsRoot,$VaultRoot,"$ClaudeToolsRoot/projects/msp-tools/guru-rmm") {
+    git config --global --add safe.directory ($d -replace '\\','/') 2>$null
+  }
+}
+
+# ============================================================ PHASE 6
+if (Phase 6 'Restore repo-local identity + at-risk WIP') {
+  if ($script:Bundle) {
+    & "$here\restore-secrets.ps1" -BundlePath $script:Bundle -Group repo -ClaudeToolsRoot $ClaudeToolsRoot
+    # Recreate local-only WIP (guru-rmm stashes, guru-connect untracked diff) that
+    # would otherwise have been lost - faithfully puts the stashes back as stashes.
+    & "$here\restore-at-risk-work.ps1" -BundlePath $script:Bundle -ClaudeToolsRoot $ClaudeToolsRoot
+  }
+  else { Warn "no bundle - you must hand-create .claude/identity.json (see CLAUDE.md multi-user section)" }
+
+  # Non-interactive git auth (Mike's hard requirement: git must NEVER hang on a
+  # Git Credential Manager password prompt). setup-git-auth.sh primes the `store`
+  # credential helper from the vault Gitea token, scoped to each repo's actual remote
+  # host. Needs the age key (Phase 4) + identity.json (above) + vault repo (Phase 5).
+  # Idempotent + fail-silent; also runs from the SessionStart hook in settings.json.
+  $ghauth = "$ClaudeToolsRoot\.claude\scripts\setup-git-auth.sh"
+  $gbash  = 'C:\Program Files\Git\bin\bash.exe'
+  if ((Test-Path $ghauth) -and (Test-Path $gbash)) {
+    Info "priming non-interactive git auth (vault token -> credential store)"
+    & $gbash "$ghauth"
+    Ok "git credential store primed; GIT_TERMINAL_PROMPT=0 enforced via .claude/settings.json env"
+  } else { Warn "setup-git-auth.sh or Git Bash missing - prime git creds manually so pushes don't prompt" }
+}
+
+# ============================================================ PHASE 7
+if (Phase 7 'Python deps + .NET tools') {
+  # WiX toolset (MSI builds, e.g. gururmm agent) - dotnet global tool
+  if (Have dotnet) {
+    if (dotnet tool list --global 2>$null | Select-String '\bwix\b') { Ok "wix tool already installed" }
+    else { Info "installing wix dotnet tool"; dotnet tool install --global wix 2>$null }
+  }
+  # IMPORTANT: ClaudeTools uses TWO python interpreters on Windows and they must
+  # BOTH have the deps, or pieces silently break:
+  #   - `py`     -> Python 3.14 : vault yaml-query.py (get-field), helper/skill
+  #                               scripts, scheduled tasks (detect_orphaned_sessions)
+  #   - `python` -> Python 3.12 : the interpreter `.mcp.json` launches the MCP
+  #                               servers with (ticktick needs httpx + mcp)
+  # Installing into only one leaves the other broken (the 2026-06-06 rebuild shipped
+  # with ticktick MCP dead = no httpx/mcp in 3.12, and vault get-field dead = no
+  # PyYAML in 3.14). De-dupe by real sys.executable so a single install isn't run twice.
+  $interps = @(); $seen = @{}
+  foreach ($cand in 'py','python','python3') {
+    if (Have $cand) {
+      $real = (& $cand -c "import sys;print(sys.executable)" 2>$null)
+      if ($real -and -not $seen[$real]) { $seen[$real] = $true; $interps += $cand }
+    }
+  }
+  if (-not $interps) { Warn "no python interpreter found - skip python deps" }
+  else {
+    $reqs = Get-ChildItem $ClaudeToolsRoot -Recurse -Filter 'requirements*.txt' -ErrorAction SilentlyContinue |
+            Where-Object { $_.FullName -notmatch '\\(node_modules|\.venv|venv|target)\\' }
+    # baseline libs used by helper scripts / MCP / vault across the harness
+    $baseline = @('requests','paramiko','mcp','httpx','pyyaml','websocket-client')
+    foreach ($ic in $interps) {
+      Info "[$ic] upgrading pip"; & $ic -m pip install --upgrade pip 2>$null
+      foreach ($r in $reqs) { Info "[$ic] pip install -r $($r.Name)"; & $ic -m pip install -r $r.FullName 2>$null }
+      Info "[$ic] baseline libs"; & $ic -m pip install @baseline 2>$null
+    }
+    Ok "python deps installed into: $($interps -join ', ') (best-effort)"
+  }
+}
+
+# ============================================================ PHASE 8
+if (Phase 8 'Ollama models') {
+  # Expected model set for THIS machine (identity.json prose_model + OLLAMA.md routing):
+  #   nomic-embed-text - REQUIRED for GrepAI semantic search (embeddings)
+  #   qwen3:8b         - prose_model           qwen3:14b      - heavier prose
+  #   codestral:22b    - code suggestions      qwen3.6:latest - structured/JSON + classify
+  # All five live on D:\OllamaModels (~48 GB) and SURVIVE an OS reset when D: is intact,
+  # so a normal rebuild pulls NOTHING. Only a wiped D: triggers the full re-download.
+  $models = @('nomic-embed-text:latest','qwen3:8b','qwen3:14b','codestral:22b','qwen3.6:latest')
+  if ($SkipModels) { Warn "-SkipModels set, skipping model pulls" }
+  elseif (Have ollama) {
+    if (-not $env:OLLAMA_MODELS) { [Environment]::SetEnvironmentVariable('OLLAMA_MODELS','D:\OllamaModels','User'); $env:OLLAMA_MODELS='D:\OllamaModels' }
+    # GOTCHA (2026-06-06): right after login `ollama list` can return EMPTY even though
+    # D:\OllamaModels is fully populated - the tray app's server needs a few seconds to
+    # hydrate its model-list cache. Do NOT treat an empty list as "models gone" or you
+    # re-download 48 GB for nothing. If manifests are on disk, restart + wait first.
+    $listed = (ollama list 2>$null | Out-String).Trim() -split "`n" | Select-Object -Skip 1
+    if ((Test-Path 'D:\OllamaModels\manifests') -and -not $listed) {
+      Warn "ollama list empty but D:\OllamaModels populated - restarting ollama, waiting for hydration"
+      Get-Process 'ollama','ollama app' -ErrorAction SilentlyContinue | Stop-Process -Force; Start-Sleep 2
+      $oapp = "$env:LOCALAPPDATA\Programs\Ollama\ollama app.exe"
+      if (Test-Path $oapp) { Start-Process $oapp } else { Start-Process ollama -ArgumentList 'serve' -WindowStyle Hidden }
+      Start-Sleep 10
+    }
+    $have = (ollama list 2>$null | Out-String)
+    foreach ($m in $models) {
+      $short = $m -replace ':latest$',''
+      if ($have -match [regex]::Escape($short)) { Ok "$m already present on D:\OllamaModels (no download)" }
+      else { Info "ollama pull $m"; ollama pull $m }
+    }
+  } else { Warn "ollama missing - skip" }
+}
+
+# ============================================================ PHASE 9
+if (Phase 9 'Scheduled tasks') {
+  $tdir = "$script:Bundle\manifests\scheduled-tasks"
+  if ($script:Bundle -and (Test-Path $tdir)) {
+    Get-ChildItem $tdir -Filter *.xml | ForEach-Object {
+      $name = ($_.BaseName -replace '_',' ')
+      try {
+        $xml = Get-Content $_.FullName -Raw
+        Register-ScheduledTask -TaskName $name -Xml $xml -Force -ErrorAction Stop | Out-Null
+        Ok "registered task: $name"
+      } catch { Warn "task '$name' import failed: $($_.Exception.Message) (paths/user may differ - re-create manually)" }
+    }
+  } else { Warn "no exported tasks in bundle - skip (see manifests\scheduled-tasks)" }
+}
+
+# ============================================================ PHASE 10
+if (Phase 10 'Large client data (optional)') {
+  if ($RestoreData -and $script:Bundle -and (Test-Path "$script:Bundle\data")) {
+    Info "restoring large data $script:Bundle\data -> $ClaudeToolsRoot"
+    robocopy "$script:Bundle\data" $ClaudeToolsRoot /E /R:1 /W:1 /NFL /NDL /NP | Out-Null
+    Ok "large data restored"
+  } else { Warn "skipped (pass -RestoreData to restore client data clusters)" }
+}
+
+# ============================================================ PHASE 11
+if (Phase 11 'Verify') {
+  $diag = "$ClaudeToolsRoot\.claude\scripts\onboarding-diagnostic.ps1"
+  if (Test-Path $diag) { Info "running onboarding diagnostic"; & $diag }
+  else { Warn "diagnostic not found - run '/self-check' inside Claude Code to verify wiring" }
+  Write-Host "`n[NEXT] Interactive logins that may need a refresh (tokens expire):" -ForegroundColor Cyan
+  Write-Host "   claude  (if .credentials.json expired: run 'claude' and /login)"
+  Write-Host "   gh auth login        op signin        gemini (browser)        grok login"
+  Write-Host "   Verify vault: bash $ClaudeToolsRoot/.claude/scripts/vault.sh list"
+}
+
+if ($script:RebootNeeded) {
+  Write-Host "`n[REBOOT] Hostname was changed to '$target' - REBOOT for it to take effect." -ForegroundColor Yellow
+  Write-Host "         (scheduled tasks + coord session IDs read the hostname, so reboot before relying on them)"
+}
+Write-Host "`n[DONE] windows-bootstrap.ps1 complete." -ForegroundColor Green

.claude/claude.md

@@ -1,97 +0,0 @@
-# ClaudeTools Project Context
-
-## Identity: You Are a Coordinator
-
-You are NOT an executor. You coordinate specialized agents and preserve your context window.
-
-**Delegate ALL significant work:**
-
-| Operation | Delegate To |
-|-----------|------------|
-| Database queries/inserts/updates | Database Agent |
-| Production code generation | Coding Agent |
-| Code review (MANDATORY after changes) | Code Review Agent |
-| Test execution | Testing Agent |
-| Git commits/push/branch | Gitea Agent |
-| Backups/restore | Backup Agent |
-| File exploration (broad) | Explore Agent |
-| Complex reasoning | General-purpose + Sequential Thinking |
-
-**Do yourself:** Simple responses, reading 1-2 files, presenting results, planning, decisions.
-**Rule:** >500 tokens of work = delegate. Code or database = ALWAYS delegate.
-
-**DO NOT** query databases directly (no SSH/mysql/curl to API). **DO NOT** write production code. **DO NOT** run tests. **DO NOT** commit/push. Use the appropriate agent.
-
----
-
-## Project Overview
-
-**Type:** MSP Work Tracking System | **Status:** Production-Ready (Phase 5 Complete)
-**Database:** MariaDB 10.6.22 @ 172.16.3.30:3306 | **API:** http://172.16.3.30:8001
-**Stats:** 95+ endpoints, 38 tables, JWT auth, AES-256-GCM encryption
-
-**DB Connection:** Host: 172.16.3.30:3306 | DB: claudetools | User: claudetools | Password: CT_e8fcd5a3952030a79ed6debae6c954ed
-**Details:** `.claude/agents/DATABASE_CONNECTION_INFO.md`
-
----
-
-## Key Rules
-
-- **NO EMOJIS** - Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]`
-- **No hardcoded credentials** - Use encrypted storage
-- **SSH:** Use system OpenSSH (`C:\Windows\System32\OpenSSH\ssh.exe`), never Git for Windows SSH
-- **Data integrity:** Never use placeholder/fake data. Check credentials.md or ask user.
-- **Full coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand, not every session)
-
----
-
-## Automatic Behaviors
-
-- **Frontend Design:** Auto-invoke `/frontend-design` skill after ANY UI change (HTML/CSS/JSX/styling)
-- **Sequential Thinking:** Use for genuine complexity - rejection loops, 3+ critical issues, architectural decisions, multi-step debugging
-- **Task Management:** Complex work (>3 steps) -> TaskCreate. Persist to `.claude/active-tasks.json`.
-
----
-
-## Context Recovery
-
-When user references previous work, use `/context` command. Never ask user for info in:
-- `credentials.md` - All infrastructure credentials (UNREDACTED)
-- `session-logs/` - Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`)
-- `SESSION_STATE.md` - Project history
-
----
-
-## Commands & Skills
-
-| Command | Purpose |
-|---------|---------|
-| `/checkpoint` | Dual checkpoint: git commit + database context |
-| `/save` | Comprehensive session log (credentials, decisions, changes) |
-| `/context` | Search session logs and credentials.md |
-| `/sync` | Sync config from Gitea repository |
-| `/create-spec` | Create app specification for AutoCoder |
-| `/frontend-design` | Modern frontend design patterns (auto-invoke after UI changes) |
-
----
-
-## File Placement (Quick Rules)
-
-- **Dataforth DOS work** -> `projects/dataforth-dos/`
-- **ClaudeTools API code** -> `api/`, `migrations/` (existing structure)
-- **Client work** -> `clients/[client-name]/`
-- **Session logs** -> project or client `session-logs/` subfolder; general -> root `session-logs/`
-- **Full guide:** `.claude/FILE_PLACEMENT_GUIDE.md` (read when saving files, not every session)
-
----
-
-## Reference (read on-demand, not every session)
-
-- **Project structure, endpoints, workflows, troubleshooting:** `.claude/REFERENCE.md`
-- **Agent definitions:** `.claude/agents/*.md`
-- **MCP servers:** `MCP_SERVERS.md`
-- **Coding standards:** `.claude/CODING_GUIDELINES.md`
-
----
-
-**Last Updated:** 2026-02-17

.claude/commands/1password.md

@@ -0,0 +1,259 @@
+---
+name: 1password
+description: >
+  Integrate 1Password secrets management into Claude Code workflows. Use when the user wants to:
+  store API keys or credentials in 1Password, read secrets from 1Password into scripts or config,
+  set up .env files using 1Password secret references, rotate or update credentials, manage
+  developer secrets across projects, use 1Password service accounts for CI/CD, or integrate
+  1Password with tools like Claude Desktop, n8n, Docker, Supabase, GitHub Actions, or Replit.
+  Triggers on phrases like "store in 1Password", "read from 1Password", "op://", "secret reference",
+  "manage API keys with 1Password", "1Password CLI", or any request involving the `op` command.
+---
+
+# 1Password Skill
+
+## ⚠️ Critical: Never Type Secrets Into Claude Code
+
+**Claude Code can see everything typed in its terminal and chat.**
+
+When a user needs to store a secret, ALWAYS use the Terminal launch pattern:
+1. Generate a pre-filled script with known values already set
+2. Use `launch-in-terminal.sh` to open it in Terminal.app
+3. User types secrets in that window — Claude Code cannot see it
+4. 1Password stores the secret, outputs `op://` references back to Claude
+
+```bash
+# Claude generates the script, then launches it outside its own view:
+bash scripts/launch-in-terminal.sh /tmp/setup-my-service.sh "Service Name Setup"
+```
+
+Never ask users to paste API keys, passwords, or tokens into:
+- The Claude Code chat
+- A Bash tool call visible in Claude Code
+- Any file Claude Code writes before it's stored in 1Password
+
+---
+
+## ⚠️ MANDATORY: Use the SOPS-vaulted service account token, never the desktop session
+
+**Every `op` invocation in agent flows must run with `OP_SERVICE_ACCOUNT_TOKEN` set.** The desktop-app integration prompts to unlock the app, which interrupts the agent flow and is unacceptable. The service token is in the SOPS vault at `infrastructure/1password-service-account.sops.yaml` (vault entry kind=`api-key`, name=`1Password Service Account (Agentic-RW)`).
+
+### Load the token at the start of any 1Password work
+
+```bash
+# Decrypt the service token from SOPS (uses the machine's age key)
+export OP_SERVICE_ACCOUNT_TOKEN=$(sops -d /c/Users/guru/vault/infrastructure/1password-service-account.sops.yaml 2>/dev/null \
+  | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
+
+# Verify
+op whoami    # expect "User Type: SERVICE_ACCOUNT"
+```
+
+After `export`, every subsequent `op` call in the same bash invocation inherits the token. For one-off calls without exporting:
+
+```bash
+SVC=$(sops -d /c/Users/guru/vault/infrastructure/1password-service-account.sops.yaml 2>/dev/null | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
+OP_SERVICE_ACCOUNT_TOKEN="$SVC" op item get "Item Name" --vault Infrastructure
+```
+
+### Vault path resolution
+
+The vault lives wherever `.claude/identity.json` says (`vault_path`). On the current Windows workstation it's `C:/Users/guru/vault`, but other machines (Howard's, future workstations) may differ. Resolve dynamically when needed:
+
+```bash
+VAULT_DIR=$(python -c "import json; print(json.load(open('/c/Users/guru/ClaudeTools/.claude/identity.json'))['vault_path'])")
+SVC=$(sops -d "$VAULT_DIR/infrastructure/1password-service-account.sops.yaml" 2>/dev/null | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
+export OP_SERVICE_ACCOUNT_TOKEN="$SVC"
+```
+
+### Service account scope (verified 2026-04-30)
+
+The Agentic-RW service account has access to: **Clients, Infrastructure, Internal Sites, Managed Websites, MSP Tools, Projects, Sorting**. The Private vault is intentionally NOT shared with the service account — if you need to read from Private, that's a different conversation, not a fallback to desktop session.
+
+### When the token fails
+
+- `op vault list` returns "account is not signed in" with the token set → token is malformed or revoked. Decrypt directly via `sops -d` and inspect.
+- `vault.sh get-field` may fail with "PyYAML not installed" — use direct `sops -d` + grep instead until that wrapper bug is fixed.
+- Never fall back to the desktop-app session in agent flows. If the service token is unrecoverable, stop and tell Mike.
+
+---
+
+## Setup Check (only for net-new machine onboarding)
+
+For a fresh workstation that doesn't have the service token wired up yet:
+
+```bash
+bash scripts/check_setup.sh
+```
+
+If not installed: https://developer.1password.com/docs/cli/get-started/
+
+The desktop-app sign-in flow is for **interactive human use**, not agent flows — those go through the service account above.
+
+---
+
+## Storing Secrets: The Terminal Launch Pattern
+
+When a user needs to store a new secret or credential:
+
+**Step 1 — Generate the script** (Claude does this, with known values pre-filled):
+
+```bash
+cat > /tmp/setup-SERVICE.sh << 'EOF'
+bash /path/to/store-mcp-credentials.sh \
+  --vault Dev \
+  --item "Service Name" \
+  --set "url=https://known-url.com" \
+  --set "env=production" \
+  --secret "api_key" \
+  --secret "webhook_secret"
+EOF
+```
+
+**Step 2 — Launch in Terminal.app** (secrets stay out of Claude Code):
+
+```bash
+bash scripts/launch-in-terminal.sh /tmp/setup-SERVICE.sh "Service Name Setup"
+```
+
+**Step 3 — Update config** (Claude uses the `op://` references from the output):
+
+```json
+"SERVICE_API_KEY": "op://Dev/Service Name/api_key"
+```
+
+---
+
+## Core Patterns
+
+### Read a secret
+
+```bash
+op read "op://VaultName/ItemTitle/field_name"
+export API_KEY=$(op read "op://Dev/Anthropic/api_key")
+```
+
+### Store a new secret
+
+```bash
+# Basic
+bash scripts/store_secret.sh --title "My API Key" --field api_key --value "sk-..."
+
+# With vault
+bash scripts/store_secret.sh --title "My API Key" --vault Dev --field api_key --value "sk-..."
+
+# From environment variable
+bash scripts/store_secret.sh --from-env ANTHROPIC_API_KEY --title "Anthropic"
+
+# Generate a secure credential
+bash scripts/store_secret.sh --title "App Secret" --field secret --generate --length 32
+```
+
+### Update an existing secret
+
+```bash
+bash scripts/store_secret.sh --update --title "My API Key" --field api_key --value "new-value"
+# Or directly:
+op item edit "My API Key" api_key[password]=new-value
+```
+
+### Generate a .env from 1Password
+
+```bash
+# Interactive — lists items, choose one
+bash scripts/env_from_op.sh
+
+# From a specific item (dry run preview)
+bash scripts/env_from_op.sh --item "Project Credentials" --dry-run
+
+# Write .env.tpl (secret references — safe to commit)
+bash scripts/env_from_op.sh --item "Project Credentials" --output .env.tpl
+
+# Write .env with resolved real values (DO NOT commit)
+bash scripts/env_from_op.sh --item "Project Credentials" --resolve --output .env
+```
+
+---
+
+## Secret References (op://)
+
+The safest pattern — store `op://` references in config files instead of real values.
+
+> **Privacy note:** `op://` references reveal vault names, item names, and field names.
+> Safe to commit to **private repos**. For public repos, check that your vault/item naming
+> doesn't expose sensitive structure (client names, internal service names, etc.).
+
+```
+op://VaultName/ItemTitle/field_name
+```
+
+```bash
+# .env.tpl (commit this file)
+ANTHROPIC_API_KEY=op://Dev/Anthropic/api_key
+N8N_API_KEY=op://Dev/n8n/api_key
+SUPABASE_SERVICE_KEY=op://Dev/Supabase/service_key
+
+# ✅ Inject at runtime — secrets stay in subprocess, never in shell history
+op run --env-file=.env.tpl -- your-command
+
+# ⚠️  Avoid sourcing into current shell — unsafe if values contain $(...) or backticks
+# source <(op run --env-file=.env.tpl -- env)   ← skip this pattern
+```
+
+For full syntax and edge cases: [references/secret_references.md](references/secret_references.md)
+
+---
+
+## Integration Guides
+
+Read [references/integrations.md](references/integrations.md) for patterns with:
+
+- **Claude Desktop** — MCP server config using `op run`
+- **n8n** — Environment injection at startup, credential push via API
+- **Docker / Docker Compose** — `op run -- docker compose up`
+- **GitHub Actions** — `1password/load-secrets-action`
+- **Python scripts** — subprocess + 1Password SDK
+- **Supabase** — Storing and retrieving project credentials
+- **Replit** — Local dev → Replit Secrets bridge
+- **Rotation workflow** — Update in service → update in 1Password → re-inject
+
+---
+
+## Common CLI Commands
+
+Full reference: [references/op_commands.md](references/op_commands.md)
+
+```bash
+op item list                           # List all items
+op item list --vault Dev               # Filter by vault
+op item get "Item Title"               # View item details
+op item get "Item Title" --format json # JSON output
+op vault list                          # List vaults
+op whoami                              # Check auth status
+op account list                        # List accounts
+```
+
+---
+
+## CI/CD: Service Accounts
+
+For non-interactive environments (GitHub Actions, Docker, n8n server):
+
+```bash
+export OP_SERVICE_ACCOUNT_TOKEN="ops_eyJ..."
+op read "op://Dev/MyApp/api_key"   # works without signin prompt
+```
+
+Create service accounts: 1Password UI → Settings → Developer → Service Accounts.
+Grant vault access only to what the service needs.
+
+---
+
+## Security Rules
+
+1. **Never hardcode secrets** — always use `op://` references or runtime injection
+2. **Commit `.env.tpl`** to private repos only — it exposes vault/item structure, not values
+3. **Never commit `.env`** (real values) — add it to `.gitignore` immediately: `echo ".env" >> .gitignore`
+4. **Use vaults to scope access** — separate vault per project or team
+5. **Rotate on exposure** — use `store_secret.sh --update` then re-inject everywhere
+6. **Service accounts for CI/CD** — never use personal account tokens in automation

.claude/commands/README.md

@@ -1,6 +1,8 @@
-# Claude Code Commands
+# Claude Code Commands (also available to Grok)
 
-Custom commands that extend Claude Code's capabilities.
+Custom commands that extend the AI's capabilities (Claude Code or Grok).
+
+These live in `.claude/commands/*.md`. For Grok coexistence, thin native wrappers exist in `.grok/skills/<name>/SKILL.md` (with `name:` frontmatter so `/save`, `/rmm` etc. work as first-class Grok slash commands via project skill discovery). The wrappers delegate to these files (read them at runtime + adapt tool names). Single source of truth remains here. See `.grok/README.md` for details.
 
 ## Available Commands
 

.claude/commands/checkpoint.md

@@ -14,25 +14,51 @@ Please create a comprehensive git checkpoint with the following steps:
    - Run `git diff` to see detailed changes in tracked files
    - Run `git log -5 --oneline` to understand the commit message style of this repository
 
-3. **Stage everything**:
+3. **Decide what will be staged** (do NOT stage yet):
 
-   - Add ALL tracked changes (modified and deleted files)
-   - Add ALL untracked files (new files)
-   - Use `git add -A` or `git add .` to stage everything
+   - Identify all tracked changes (modified/deleted) and untracked (new) files via `git status`.
+   - Staging is done **atomically with the commit, under the repo lock, in step 5** — do not run a separate `git add` here. This prevents a concurrent session in a shared worktree (e.g. ClaudeTools) from having its dirty files swept into this checkpoint.
 
-4. **Create a detailed commit message**:
+4. **Draft commit message body via Ollama** (documentation engine):
 
-   - **First line**: Write a clear, concise summary (50-72 chars) describing the primary change
-     - Use imperative mood (e.g., "Add feature" not "Added feature")
-     - Examples: "feat: add user authentication", "fix: resolve database connection issue", "refactor: improve API route structure"
-   - **Body**: Provide a detailed description including:
-     - What changes were made (list of key modifications)
-     - Why these changes were made (purpose/motivation)
-     - Any important technical details or decisions
-     - Breaking changes or migration notes if applicable
-   - **Footer**: Include co-author attribution as shown in the Git Safety Protocol
+   ```bash
+   # Resolve Ollama
+   if curl -s -m 2 http://localhost:11434/api/tags >/dev/null 2>&1; then OLLAMA="http://localhost:11434"
+   elif curl -s -m 3 http://100.92.127.64:11434/api/tags >/dev/null 2>&1; then OLLAMA="http://100.92.127.64:11434"
+   else OLLAMA=""; fi
 
-5. **Execute the commit**: Create the commit with the properly formatted message following this repository's conventions.
+   # Capture diff summary for Ollama prompt
+   { git diff --stat HEAD; echo "---"; git diff HEAD | head -200; } \
+     > "C:/Users/guru/AppData/Local/Temp/checkpoint_diff.txt"
+
+   # Ollama drafts the body; fallback to Claude if unavailable
+   if [ -n "$OLLAMA" ]; then
+     BODY=$(bash "$CLAUDETOOLS_ROOT/.claude/scripts/py.sh" -c "
+import urllib.request, json
+diff = open('C:/Users/guru/AppData/Local/Temp/checkpoint_diff.txt', encoding='utf-8').read()
+prompt = 'Write a git commit message BODY only (not the summary line). Imperative mood. What changed and why. No filler. Under 150 words.\n\nDIFF:\n' + diff
+body = json.dumps({'model':'qwen3:14b','messages':[{'role':'user','content':prompt}],'stream':False,'think':False}).encode()
+res = json.loads(urllib.request.urlopen(urllib.request.Request('$OLLAMA/api/chat', body), timeout=60).read())
+print(res['message']['content'])
+")
+   fi
+   ```
+
+   - **Summary line** (first line): Claude writes — 50-72 chars, imperative mood, from `git diff --stat`
+   - **Body**: Ollama draft (Claude reviews); Claude writes directly if Ollama unavailable
+   - **Footer**: `Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>`
+
+5. **Execute the commit (locked)**: Write the final message (summary line + body + footer) to a temp file, then stage + commit **atomically under the repo's commit lock** so concurrent sessions can't interleave or get swept in:
+
+   ```bash
+   # MSG = path to the composed commit-message file; LOCK = the shared lock wrapper
+   LOCK="${CLAUDETOOLS_ROOT:-/d/claudetools}/.claude/scripts/sync-lock.sh"
+   bash "$LOCK" run bash -c 'git add -A && git commit -F "$1"' _ "$MSG"
+   ```
+   - The lock is scoped to the **current repo** (`git rev-parse --show-toplevel`/.git), so this serializes correctly whether the checkpoint is in ClaudeTools (shares the same lock as `/sync` and `/scc`) or in a project repo (its own lock). The wrapper errors out (exit 2) if you're not in a git repo.
+   - If it **exits 75**, another commit/sync holds the lock — wait briefly and retry, or report "checkpoint deferred".
+   - This is a **local commit only** (no push), matching checkpoint's purpose.
+   - `$CLAUDETOOLS_ROOT` should be set per-machine; the `/d/claudetools` fallback is for this box only — on Mac/Linux it resolves from the env var.
 
 ## Part 2: Verify Git Checkpoint
 
@@ -40,15 +66,6 @@ Please create a comprehensive git checkpoint with the following steps:
    - Confirm git commit succeeded by running `git log -1`
    - Report commit status to user
 
-## Part 3: Refresh Directives (MANDATORY)
-
-7. **Refresh directives** (MANDATORY):
-   - After checkpoint completion, auto-invoke `/refresh-directives`
-   - Re-read `directives.md` to prevent shortcut-taking
-   - Perform self-assessment for any violations
-   - Confirm commitment to agent coordination rules
-   - Report directives refreshed to user
-
 ## Benefits of Git Checkpoint
 
 **Git Checkpoint provides:**

.claude/commands/discord-dm.md

@@ -0,0 +1,30 @@
+---
+name: discord-dm
+description: Send a Discord message to an org member's DMs or a team channel via the ClaudeTools bot. Prepopulated with user + channel IDs. Use for copy-paste-friendly delivery of wrapped command lines (consent links, long one-liners) or to ping someone directly.
+---
+
+# /discord-dm — direct Discord messaging
+
+Thin entry point to the `discord-dm` skill. Engine: `.claude/scripts/discord-dm.sh`.
+
+## Usage
+
+```
+/discord-dm <recipient> <message>     Send a DM (mike|howard|rob|winter) or post to a channel (#bot-alerts|#dev-alerts)
+/discord-dm list                      Show known users + channel IDs
+```
+
+Examples:
+
+```bash
+bash .claude/scripts/discord-dm.sh mike "https://login.microsoftonline.com/.../adminconsent?client_id=..."
+bash .claude/scripts/discord-dm.sh dev "build promoted to stable"
+echo "$LONG_LINK" | bash .claude/scripts/discord-dm.sh mike
+```
+
+## Standing rule
+
+Any **wrapped / long single-line output** (M365 consent links, long CLI one-liners,
+URLs with query strings) should be **DM'd to `mike`** so it's cleanly copy-pasteable
+rather than mangled by terminal wrapping. See `.claude/skills/discord-dm/SKILL.md`
+for the recipient forms, prepopulated directory, and gotchas.

.claude/commands/feature-request.md

@@ -0,0 +1,101 @@
+# GuruRMM Feature Request -> RMM Thoughts
+
+When Howard (or Mike) submits a GuruRMM feature request, **capture it as a raw entry in
+the RMM Thoughts backlog** — do NOT jump straight to a full spec or the roadmap. Those
+are downstream, decision-gated stages.
+
+Pipeline (see `.claude/memory/feedback_rmm_thoughts_backlog.md`):
+**THOUGHT (this command, Status: Raw) -> DISCUSS -> SPEC (`/shape-spec` -> `specs/<slug>/`)
+-> ROADMAP (`docs/FEATURE_ROADMAP.md`) -> BUILD.**
+
+Backlog doc: `projects/msp-tools/guru-rmm/docs/RMM_THOUGHTS.md`.
+
+---
+
+## Phase 1 — Light triage (Ollama, optional)
+
+Read `.claude/identity.json` for the user (Howard/Mike) and the Ollama endpoint
+(`.ollama.endpoint`). Call Ollama `qwen3.6:latest` (strict JSON) for a LIGHT triage —
+NOT deep research, NOT a spec:
+
+```
+You are triaging a GuruRMM feature request into a backlog. Request: $ARGUMENTS
+Respond JSON only:
+{"title": "short kebab-or-title-case name", "summary": "1-2 sentence plain-English summary",
+ "section_guess": "Core Agent | Server/API | Dashboard & UI | Platform | Integrations | Security | Alerting | Other",
+ "priority_guess": "P1|P2|P3"}
+```
+
+If Ollama is unreachable, do this triage yourself. Do NOT search the codebase or write a
+spec at this stage.
+
+---
+
+## Phase 2 — Append to RMM Thoughts
+
+Append a new entry to the bottom of `projects/msp-tools/guru-rmm/docs/RMM_THOUGHTS.md`:
+
+```markdown
+
+## <Title>
+- Added: <Howard|Mike>, <YYYY-MM-DD> | Status: Raw | section guess: <section> | priority guess: <P?>
+
+<the request, in the submitter's words> <one-line triage summary if it adds clarity>
+```
+
+Keep it short — it is a RAW thought, not a spec. Do not embellish or design it.
+
+---
+
+## Phase 3 — Notify + track
+
+- **Coord todo** (so it is visible fleet-wide), via `coord` skill:
+  `todo add "RMM THOUGHT (Raw): <title> — <summary>. See docs/RMM_THOUGHTS.md." --project gururmm --auto --source "feature-request by <who> <date>"`
+- **If Howard submitted it**, send a coord message so Mike sees it:
+  `msg send ALL "RMM Thought added: <title>" "<who> added a GuruRMM thought (Status: Raw) to docs/RMM_THOUGHTS.md: <summary>. Ready to discuss when you are — not spec'd or roadmapped yet."`
+
+---
+
+## Phase 4 — Commit (docs-only, gururmm repo)
+
+```bash
+cd projects/msp-tools/guru-rmm
+git checkout -b docs/rmm-thought-<slug>
+git add docs/RMM_THOUGHTS.md
+git commit -m "docs(rmm-thoughts): add thought - <title> (requested by <who>)"   # + Co-Authored-By trailer
+git fetch origin && git rebase origin/main
+git push origin docs/rmm-thought-<slug>:main
+git checkout main && git merge --ff-only origin/main && git branch -d docs/rmm-thought-<slug>
+```
+
+Do NOT touch the parent repo submodule pointer.
+
+---
+
+## Phase 5 — Respond
+
+Tell the user the request was **added to RMM Thoughts at Status: Raw** — summarize it,
+and say it will be discussed before any spec or roadmap entry. Do NOT claim a spec was
+created or that it is on the roadmap.
+
+```
+[OK] Added to RMM Thoughts (Status: Raw)
+
+<Title>  (section guess: <section> | priority guess: <P?>)
+<summary>
+
+Next: we discuss it -> /shape-spec if approved -> roadmap -> build.
+Tracked: coord todo <id>.<if Howard: coord message sent to Mike.>
+```
+
+---
+
+## Notes
+
+- This command does NOT auto-create a SPEC-XXX doc or a roadmap entry anymore. The old
+  behaviour (full Ollama spec generation + roadmap edit on every request) jumped past the
+  discuss stage; spec work now happens via `/shape-spec` once a thought is approved.
+- To advance a thought later: discuss it (-> Status: Discussed), `/shape-spec` it
+  (-> Spec'd, `specs/<slug>/`), then add it to `FEATURE_ROADMAP.md` (-> Roadmapped).
+- Ollama unreachable: do the triage yourself, no degradation. Coord API down: warn and
+  continue (the doc commit is the durable record).

.claude/commands/forum-post.md

@@ -0,0 +1,324 @@
+Post a technical article to community.azcomputerguru.com (Flarum forum).
+
+Converts markdown to Flarum's s9e TextFormatter XML format and inserts directly into the
+database via paramiko SSH to IX. Shows a preview and waits for user confirmation before posting.
+
+---
+
+## Usage
+
+```
+/forum-post                    Draft interactively — Claude asks for title, content, tag
+/forum-post <topic hint>       Claude drafts from conversation context, then confirms
+```
+
+Arguments are optional. With no args, Claude uses the current conversation context to
+determine what to post (the most recent technical problem solved, fix documented, etc.).
+
+---
+
+## Infrastructure
+
+| Item | Value |
+|---|---|
+| Forum URL | https://community.azcomputerguru.com |
+| DB host | localhost (on IX) |
+| DB name | azcompu_flarum |
+| DB user | azcompu_flarum |
+| DB pass | vault: `services/flarum-community.sops.yaml credentials.db_password` |
+| IX SSH | root@172.16.3.10 — password from vault: `infrastructure/ix-server.sops.yaml credentials.password` |
+| Admin user_id | 1 (MikeSwanson) |
+
+Get the IX SSH password via vault before connecting:
+```bash
+bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field infrastructure/ix-server.sops.yaml credentials.password
+```
+
+---
+
+## Known Tags
+
+| tag_id | Name | When to use |
+|--------|------|-------------|
+| 7 | How-Tos & Tips | Technical fixes, how-tos, diagnostics, field notes |
+
+To see all current tags: query `SELECT id, name_singular FROM tags;` on azcompu_flarum.
+Default to tag_id=7 unless the user specifies otherwise.
+
+---
+
+## Phase 1: Gather Inputs
+
+Collect in one pass — do not ask field by field:
+
+1. **Title** — descriptive, search-friendly, sentence case. Include the technology/product.
+   Good: `OneDrive KFM Fails After Folder Redirection Migration -- Here's What's Actually Going On`
+   Bad: `OneDrive issue fix`
+
+2. **Content** — full markdown body. Minimum useful length: 3-4 paragraphs with concrete detail.
+   Write from the conversation context: what was the problem, what was tried, what actually worked, what to remember.
+
+3. **Tag** — default How-Tos & Tips (7) unless user says otherwise.
+
+Generate the slug from the title: lowercase, spaces/punctuation to hyphens, remove apostrophes,
+collapse multiple hyphens. Max ~90 chars. Example:
+`onedrive-kfm-fails-after-folder-redirection-migration-heres-whats-actually-going-on`
+
+---
+
+## Phase 2: Show Preview
+
+Before posting, show:
+
+```
+FORUM POST PREVIEW
+------------------
+Title:  <title>
+Tag:    How-Tos & Tips
+Slug:   <slug>
+URL:    https://community.azcomputerguru.com/d/<next_id>-<slug>
+
+--- Content ---
+<first 500 chars of markdown>
+...
+
+Post this? (yes/no)
+```
+
+Wait for explicit confirmation before executing.
+
+---
+
+## Phase 3: Execute
+
+Write and run a Python script (use `py` on Windows). The script must:
+
+1. **Get IX SSH password** from vault (see Infrastructure above)
+2. **Connect via paramiko** (`AutoAddPolicy`, password auth)
+3. **Generate the s9e XML** from the markdown (see Converter section below)
+4. **Build the PHP insert script** (see PHP Template below)
+5. **SFTP upload** the PHP script to `/tmp/flarum_post_<timestamp>.php` on IX
+6. **Run** `php /tmp/flarum_post_<timestamp>.php 2>&1` via SSH
+7. **Parse output** — look for `Discussion ID: N` and `Post ID: N`
+8. **Clean up** — `rm /tmp/flarum_post_<timestamp>.php`
+9. **Report** the live URL
+
+---
+
+## Markdown → s9e XML Converter
+
+Flarum stores post content as s9e TextFormatter XML, not raw markdown. The stored format
+must match what Flarum's TextFormatter produces. Based on confirmed existing posts:
+
+### Inline elements
+
+| Markdown | s9e XML |
+|---|---|
+| `**bold**` | `<STRONG><s>**</s>bold<e>**</e></STRONG>` |
+| `*italic*` | `<EM><s>*</s>italic<e>*</e></EM>` |
+| `` `code` `` | `<C><s>`</s>code<e>`</e></C>` |
+
+XML-escape `&` → `&amp;`, `<` → `&lt;`, `>` → `&gt;` in all text content and code spans.
+
+### Block elements
+
+| Markdown | s9e XML |
+|---|---|
+| `## Heading` | `<H2><s>## </s>Heading</H2>` |
+| `### Heading` | `<H3><s>### </s>Heading</H3>` |
+| Paragraph | `<p>text</p>` |
+| `- item` (list) | `<LIST><LI><s>- </s>item</LI>\n<LI>...</LI></LIST>` |
+| `1. item` (ordered) | `<LIST type="decimal"><LI><s>1. </s>item</LI>\n...</LIST>` |
+| ` ```lang ` fenced block | `<CODE lang="lang"><s>```lang</s><i>\n</i>code\n<e>```</e></CODE>` |
+
+Block elements are separated by `\n\n` (two real newlines) inside the `<r>` root.
+List items are separated by `\n` (one newline).
+Entire content is wrapped: `<r>...</r>`.
+
+### Python converter (copy this directly into the py script)
+
+```python
+import re
+
+def xml_escape(t):
+    return t.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
+
+def inline_to_xml(text):
+    result = ''
+    i = 0
+    while i < len(text):
+        if text[i:i+2] == '**':
+            end = text.find('**', i+2)
+            if end != -1:
+                inner = inline_to_xml(text[i+2:end])
+                result += '<STRONG><s>**</s>' + inner + '<e>**</e></STRONG>'
+                i = end + 2; continue
+        if text[i] == '`':
+            end = text.find('`', i+1)
+            if end != -1:
+                result += '<C><s>`</s>' + xml_escape(text[i+1:end]) + '<e>`</e></C>'
+                i = end + 1; continue
+        if text[i] == '*' and text[i:i+2] != '**':
+            j = i + 1; end = -1
+            while j < len(text):
+                if text[j] == '*' and text[j:j+2] != '**': end = j; break
+                j += 1
+            if end != -1:
+                result += '<EM><s>*</s>' + xml_escape(text[i+1:end]) + '<e>*</e></EM>'
+                i = end + 1; continue
+        result += xml_escape(text[i]); i += 1
+    return result
+
+def md_to_s9e(md):
+    lines = md.split('\n')
+    elements = []
+    i = 0
+    while i < len(lines):
+        line = lines[i]
+        if not line.strip(): i += 1; continue
+        if line.startswith('## '):
+            elements.append('<H2><s>## </s>' + inline_to_xml(line[3:]) + '</H2>'); i += 1
+        elif line.startswith('### '):
+            elements.append('<H3><s>### </s>' + inline_to_xml(line[4:]) + '</H3>'); i += 1
+        elif line.startswith('- '):
+            items = []
+            while i < len(lines) and lines[i].startswith('- '):
+                items.append('<LI><s>- </s>' + inline_to_xml(lines[i][2:]) + '</LI>'); i += 1
+            elements.append('<LIST>' + '\n'.join(items) + '</LIST>')
+        elif re.match(r'^\d+\. ', line):
+            items = []
+            while i < len(lines) and re.match(r'^\d+\. ', lines[i]):
+                m = re.match(r'^(\d+)\. (.*)', lines[i])
+                items.append('<LI><s>' + m.group(1) + '. </s>' + inline_to_xml(m.group(2)) + '</LI>'); i += 1
+            elements.append('<LIST type="decimal">' + '\n'.join(items) + '</LIST>')
+        elif line.startswith('```'):
+            lang = line[3:].strip(); code_lines = []; i += 1
+            while i < len(lines) and not lines[i].startswith('```'):
+                code_lines.append(xml_escape(lines[i])); i += 1
+            i += 1
+            tag = f'<CODE lang="{lang}">' if lang else '<CODE>'
+            elements.append(tag + f'<s>```{lang}</s><i>\n</i>' + '\n'.join(code_lines) + '\n<e>```</e></CODE>')
+        else:
+            para_lines = []
+            while i < len(lines) and lines[i].strip():
+                l = lines[i]
+                if l.startswith('## ') or l.startswith('### ') or l.startswith('- ') or l.startswith('```') or re.match(r'^\d+\. ', l): break
+                para_lines.append(l); i += 1
+            elements.append('<p>' + inline_to_xml('\n'.join(para_lines)) + '</p>')
+    return '<r>' + '\n\n'.join(elements) + '</r>'
+```
+
+---
+
+## PHP Insert Template
+
+Use `%%XML_CONTENT%%` as the placeholder — replace with the generated s9e XML before uploading.
+The closing nowdoc marker `FLARUM_POST_XML_END;` must be at column 0 with no leading whitespace.
+
+```php
+<?php
+ini_set('display_errors', 1); error_reporting(E_ALL);
+$dsn = 'mysql:host=localhost;dbname=azcompu_flarum;charset=utf8mb4';
+$pdo = new PDO($dsn, 'azcompu_flarum', '<DB_PASS from vault services/flarum-community.sops.yaml>', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+
+$user_id = 1; $tag_id = %%TAG_ID%%;
+$title   = %%TITLE_PHP%%;
+$slug    = '%%SLUG%%';
+$now     = date('Y-m-d H:i:s');
+
+$content = <<<'FLARUM_POST_XML_END'
+%%XML_CONTENT%%
+FLARUM_POST_XML_END;
+
+// Insert discussion first (post refs are nullable)
+$stmt = $pdo->prepare("INSERT INTO discussions (title, comment_count, post_number_index, created_at, user_id, slug, is_private, is_approved) VALUES (?, 1, 1, ?, ?, ?, 0, 1)");
+$stmt->execute([$title, $now, $user_id, $slug]);
+$disc_id = $pdo->lastInsertId();
+echo "Discussion ID: $disc_id\n";
+
+// Insert post
+$stmt = $pdo->prepare("INSERT INTO posts (discussion_id, number, created_at, user_id, type, content, is_private, is_approved) VALUES (?, 1, ?, ?, 'comment', ?, 0, 1)");
+$stmt->execute([$disc_id, $now, $user_id, $content]);
+$post_id = $pdo->lastInsertId();
+echo "Post ID: $post_id\n";
+
+// Link post back to discussion
+$pdo->prepare("UPDATE discussions SET first_post_id=?, last_post_id=?, last_posted_at=?, last_posted_user_id=?, last_post_number=1 WHERE id=?")->execute([$post_id, $post_id, $now, $user_id, $disc_id]);
+
+// Tag
+$pdo->prepare("INSERT INTO discussion_tag (discussion_id, tag_id) VALUES (?, ?)")->execute([$disc_id, $tag_id]);
+
+echo "Done! URL: https://community.azcomputerguru.com/d/$disc_id-$slug\n";
+```
+
+### Template substitutions
+
+| Placeholder | How to fill |
+|---|---|
+| `%%TAG_ID%%` | Integer (e.g. `7`) |
+| `%%TITLE_PHP%%` | PHP double-quoted string with escaped `"` — e.g. `"The Title Here"` |
+| `%%SLUG%%` | URL-safe slug string |
+| `%%XML_CONTENT%%` | The output of `md_to_s9e(content_md)` |
+
+Build the PHP script in Python using `.replace()` — never f-strings (curly braces in XML content
+will cause Python to try to expand them as template expressions).
+
+---
+
+## Paramiko Execution Pattern
+
+```python
+import paramiko, time
+
+client = paramiko.SSHClient()
+client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+client.connect('172.16.3.10', username='root', password=IX_PASS, timeout=10)
+
+# Upload
+remote_path = f'/tmp/flarum_post_{int(time.time())}.php'
+sftp = client.open_sftp()
+with sftp.open(remote_path, 'wb') as f:
+    f.write(php_script.encode('utf-8'))
+sftp.close()
+
+# Execute
+def run_chan(cmd):
+    chan = client.get_transport().open_session()
+    chan.exec_command(cmd)
+    chan.shutdown_write()
+    out = b''
+    while not chan.exit_status_ready():
+        if chan.recv_ready(): out += chan.recv(4096)
+    while chan.recv_ready(): out += chan.recv(4096)
+    return out.decode('utf-8', errors='replace'), chan.recv_exit_status()
+
+out, rc = run_chan(f'php {remote_path} 2>&1')
+run_chan(f'rm -f {remote_path}')
+client.close()
+```
+
+---
+
+## Error Handling
+
+| rc | Symptom | Cause | Fix |
+|---|---|---|---|
+| 255, no output | Script crashes silently | Exception with display_errors off | Script already includes `ini_set('display_errors',1)` |
+| FK constraint error | Cannot add child row | Post inserted before discussion | Use discussion-first insert order (template above does this) |
+| Empty curl response | localhost curl returns nothing | HTTP→HTTPS redirect on vhost | Use paramiko PHP approach, not curl |
+| Cloudflare challenge | API blocked externally | Bot protection | Always insert via paramiko, never via external HTTP |
+
+---
+
+## After Posting
+
+Report:
+```
+[SUCCESS] Posted to community.azcomputerguru.com
+Discussion: #<id>
+URL: https://community.azcomputerguru.com/d/<id>-<slug>
+Tag: How-Tos & Tips
+```
+
+Do NOT try to verify via curl or browser — Cloudflare blocks external API calls and
+localhost curl has a redirect issue. The DB output is the authoritative confirmation.

.claude/commands/gc-feature-request.md

@@ -0,0 +1,117 @@
+GuruConnect Feature Request — Analysis & Specification
+
+Produce a researched specification for a GuruConnect feature, place it in the GC roadmap, and commit
+it. GuruConnect is a standalone remote-support product (separate repo `azcomputerguru/guru-connect`,
+tracked as the `projects/msp-tools/guru-connect` submodule). Do NOT confuse it with GuruRMM — see its
+ADR-001. Use `/feature-request` for GuruRMM instead.
+
+`$ARGUMENTS` = the feature request text.
+
+---
+
+## Phase 1 — Context
+
+Read:
+- `projects/msp-tools/guru-connect/docs/FEATURE_ROADMAP.md` — sections, priorities, existing items
+- `projects/msp-tools/guru-connect/docs/ARCHITECTURE_DECISIONS.md` — ADRs (esp. ADR-001 standalone+contract)
+- `projects/msp-tools/guru-connect/CLAUDE.md` — architecture, design constraints, coding standards
+- `projects/msp-tools/guru-connect/docs/specs/` — existing SPEC-NNN files (to pick the next number)
+
+GuruConnect architecture vocabulary: **agent** (Windows capture/input/viewer), **relay-server**
+(Axum), **viewer** (native + React/TS web viewer), **dashboard**. Transport: protobuf-over-WSS.
+
+## Phase 2 — Classify (Ollama)
+
+Call Ollama `qwen3.6:latest` (strict JSON). Endpoint from `.claude/identity.json` (`.ollama.endpoint`).
+
+```
+Analyze a feature request for GuruConnect, a Rust remote-desktop product (agent + Axum relay +
+native/web viewer), protobuf-over-WSS.
+Roadmap sections: Core Remote Control, GuruRMM Integration, Server/API, Security & Infrastructure,
+Operational Tooling, Future Considerations.
+Feature request: $ARGUMENTS
+Respond JSON only: {"section","subsection","priority":"P1|P2|P3","brief_summary",
+"similar_features":[],"research_needed":[]}
+```
+If Ollama is unreachable, classify yourself.
+
+## Phase 3 — Research
+
+- Grep `projects/msp-tools/guru-connect/{agent,server,dashboard,proto}/` for related code; cite file:line.
+- Note where the feature lives (agent / relay-server / viewer / dashboard / proto / DB migration).
+- If it touches the GuruRMM integration surface, cross-reference `docs/specs/native-remote-control/`
+  and keep the integration contract authoritative (GC owns it).
+
+## Phase 4 — Write the spec
+
+Next number = highest existing `SPEC-NNN` + 1. Write `docs/specs/SPEC-NNN-<slug>.md`:
+
+```markdown
+# SPEC-NNN: <Feature Name>
+
+**Status:** Proposed
+**Priority:** P1|P2|P3
+**Requested By:** <Mike|Howard> (<date>)
+**Estimated Effort:** Small|Medium|Large|X-Large
+
+## Overview
+<2-3 sentences; user-facing benefit; primary use cases; success criteria>
+
+## Scope
+### Included in v1
+### Explicitly out of scope
+
+## Architecture
+- Agent / Relay-server / Viewer / Dashboard responsibilities
+- Protobuf changes (`proto/guruconnect.proto`)
+- DB schema (migrations)
+- API endpoints / WS messages
+
+## Implementation details
+- Files to touch (file:line where known), structs/messages, key logic
+
+## Security considerations
+- Auth (JWT/agent key/support code), input validation, audit events, threat model
+
+## Testing strategy
+- Unit / integration / manual scenarios
+
+## Effort estimate & dependencies
+- Size; what must precede it; what it unblocks
+
+## Open questions
+```
+
+Generate the prose via Ollama `qwen3:14b` if available (fallback: write it yourself). Be specific —
+real file paths and message/struct names from Phase 3.
+
+## Phase 5 — Roadmap
+
+Add/insert the item in the right `docs/FEATURE_ROADMAP.md` section:
+`- [ ] **<Feature>** — P<n> — <one-liner>. (SPEC-NNN)` with a link to the spec.
+
+## Phase 6 — Commit (GC submodule, then bump pointer)
+
+```bash
+cd projects/msp-tools/guru-connect
+git add docs/specs/SPEC-NNN-<slug>.md docs/FEATURE_ROADMAP.md
+git commit -m "spec: add SPEC-NNN <feature name>"
+# push only if the user asks; pushing main triggers GC CI
+cd ../../..
+git add projects/msp-tools/guru-connect
+git commit -m "chore: bump guru-connect submodule (SPEC-NNN <feature name>)"
+```
+
+## Phase 7 — Optional coord message
+
+If Howard submitted it (not Mike), POST to the coord API with `project_key: "guruconnect"`,
+subject "GC Feature Spec: <name>", summarizing the spec for Mike's review.
+
+## Phase 8 — Respond
+
+Summarize: SPEC number, priority, effort, placement, overview, key components, dependencies, files
+created. Use ASCII markers ([SUCCESS]/[INFO]); no emojis.
+
+## Notes
+- Never edit GuruConnect product code as part of "RMM work"; this skill is the GC product's own intake.
+- Spec is a living doc; refine during planning.

.claude/commands/import.md

@@ -0,0 +1,132 @@
+# /import — Ingest a folder into ClaudeTools
+
+Import any folder of data into the ClaudeTools structure. Claude analyzes each file's content, classifies it, proposes placement, sanitizes credentials, and organizes everything into the correct locations.
+
+## Usage
+
+```
+/import <path>                    Import a folder
+/import <path> --dry-run          Show plan without executing
+/import <path> --client <name>    Hint: this data belongs to a specific client
+/import <path> --project <name>   Hint: this data belongs to a specific project
+```
+
+## Arguments
+
+The first argument is a folder path to ingest. Everything inside (recursive) is scanned and classified.
+
+## Process
+
+Follow these steps IN ORDER. Do not skip any step.
+
+### Step 1: Scan
+
+Read the source folder recursively. For each file, note:
+- Filename + extension
+- Size
+- First ~200 lines of content (for text files)
+- Binary vs text detection
+
+Skip files >50 MB (flag them for manual review).
+
+### Step 2: Classify
+
+For each file, determine its category based on content analysis:
+
+| Category | Signals | Destination |
+|---|---|---|
+| **Session log** | Conversation transcript, dated entries, "accomplished", "session" | `session-logs/` or `projects/*/session-logs/` or `clients/*/session-logs/` |
+| **Client work** | Client name mentioned, ticket/case references, client-specific infra | `clients/<client>/` |
+| **Project code** | Source code, configs, build files, READMEs | `projects/<project>/` |
+| **Credentials** | Passwords, API keys, tokens, connection strings, SSH keys | `D:\vault\` (SOPS encrypted) |
+| **Infrastructure docs** | Server configs, network diagrams, IP lists, runbooks | `credentials.md` update or memory entry |
+| **Tool/script** | Standalone utility, automation script, helper | `tools/` or `projects/msp-tools/` |
+| **Documentation** | Guides, how-tos, notes, procedures | Project-specific docs or root docs |
+| **Unknown** | Can't classify | Flag for user decision |
+
+If `--client` or `--project` was specified, weight classification toward that target.
+
+### Step 3: Credential extraction
+
+Before placing ANY file, scan for sensitive data:
+- Passwords (inline, in configs, in notes)
+- API keys / tokens (any string matching `[A-Za-z0-9_\-]{20,}` near words like key/token/secret)
+- Connection strings (jdbc:, postgres://, mysql://, mongodb://)
+- SSH private keys (`-----BEGIN`)
+- Certificate private keys
+
+For each credential found:
+1. Show the user: "Found credential in `<file>`: `<context>` — move to vault?"
+2. If approved: create a vault SOPS entry, replace inline value with a vault reference
+3. If declined: leave as-is but warn
+
+### Step 4: Present plan
+
+Show a table:
+
+```
+SOURCE                          → DESTINATION                              ACTION
+────────────────────────────────────────────────────────────────────────────────────
+notes/client-acme.md            → clients/acme/notes.md                    copy
+scripts/backup-check.ps1        → tools/backup-check.ps1                  copy
+creds.txt                       → D:\vault\clients\acme.sops.yaml         vault + delete source
+session-2026-04-10.md           → clients/acme/session-logs/2026-04-10.md copy
+my-tool/src/main.rs             → projects/msp-tools/howard-tools/src/    copy (new project)
+random-binary.exe               → (SKIP - 85 MB, too large)               flag
+unknown-doc.pdf                 → (UNKNOWN - needs your input)             ask
+```
+
+Ask: "Does this plan look right? I can adjust any placement before executing."
+
+### Step 5: Execute
+
+After approval:
+1. Copy files to destinations (never move from source — source is the user's data)
+2. Create destination directories as needed
+3. Encrypt credential files via SOPS
+4. Update `MEMORY.md` if new knowledge was gained
+5. Update project `CONTEXT.md` files if project state changed
+6. Update `credentials.md` if infrastructure details were discovered
+
+### Step 6: Report
+
+Write a summary showing:
+- Files imported: N
+- Credentials vaulted: N
+- New directories created: list
+- Skipped files: list with reasons
+- Suggested follow-ups (e.g., "review clients/acme/ for completeness")
+
+Commit the imported files with message: `import: ingested <N> files from <source_path>`
+
+## Special cases
+
+### Claude Code session data (~/.claude/projects/)
+
+If the source folder IS a Claude Code projects directory (contains `.jsonl` files):
+- Use `tools/import-sessions.py` to extract summaries first
+- Then apply the standard classification to the summaries
+- Don't import raw JSONL (too large, mostly noise)
+
+### Existing project detection
+
+If imported code has a `Cargo.toml`, `package.json`, `pyproject.toml`, or similar:
+- Detect the project name from the manifest
+- Check if it already exists under `projects/`
+- If new: propose creating a new project directory
+- If existing: propose merging into the existing project
+
+### Duplicate detection
+
+Before copying, check if a file with the same name already exists at the destination:
+- If content is identical: skip (report as "already present")
+- If content differs: ask user which version to keep, or keep both with suffix
+
+## File placement rules
+
+Follow the conventions in `.claude/FILE_PLACEMENT_GUIDE.md`. Key rules:
+- Dataforth work → `projects/dataforth-dos/`
+- GuruRMM work → `projects/msp-tools/guru-rmm/`
+- Client work → `clients/<client-name>/`
+- General session logs → `session-logs/`
+- Credentials → SOPS vault at `D:\vault\`, NEVER in plaintext in the repo

.claude/commands/inject-standards.md

@@ -0,0 +1,94 @@
+# /inject-standards — Load relevant coding standards into context
+
+Loads one or more standards files from `.claude/standards/` and displays their full content.
+
+## Usage
+
+```
+/inject-standards                          — auto-select based on the current task
+/inject-standards powershell/execution-pattern   — load a specific standard by path
+/inject-standards "syncro billing comment"       — load standards relevant to a task description
+/inject-standards syncro/comment-dedup syncro/time-entry-protocol   — load multiple specific standards
+```
+
+## Procedure
+
+Follow these steps exactly when /inject-standards is invoked:
+
+### Step 1 — Parse $ARGUMENTS
+
+- If $ARGUMENTS is empty: proceed to Step 2 (auto-select based on conversation context).
+- If $ARGUMENTS contains one or more paths that match known standards slugs (e.g., `powershell/execution-pattern`, `syncro/comment-dedup`): skip Step 2, go directly to Step 3 with those paths.
+- If $ARGUMENTS is a task description (plain English, not a path): use it as the query in Step 2.
+
+### Step 2 — Auto-select relevant standards
+
+1. Read `D:/claudetools/.claude/standards/index.yml`.
+2. Review the descriptions for all entries.
+3. Select the 2–5 standards most relevant to either:
+   - The task description in $ARGUMENTS, or
+   - The current conversation context (what has the user been working on?).
+4. Prefer specificity: `syncro/comment-dedup` is more relevant than `conventions/no-emojis` for a Syncro billing task.
+5. Always include `conventions/no-emojis` when writing any output that will go into scripts, logs, or client-facing text.
+
+### Step 3 — Load and display the selected standards
+
+For each selected standard (in order of relevance):
+
+1. Read the file at `D:/claudetools/.claude/standards/<slug>.md`.
+2. Display a header:
+   ```
+   === STANDARD: <slug> ===
+   ```
+3. Display the full file content (including frontmatter).
+4. Add a blank line between standards.
+
+### Step 4 — Report
+
+After displaying all standards, print a one-line summary:
+
+```
+[INFO] Loaded N standards: <slug1>, <slug2>, ...
+```
+
+If auto-selection was used, briefly explain why each standard was chosen (one phrase per standard).
+
+## Examples
+
+**Specific standards:**
+```
+/inject-standards powershell/execution-pattern git/commit-style
+```
+Loads those two files directly and displays them.
+
+**Task description:**
+```
+/inject-standards "writing a PowerShell script to check Windows service status"
+```
+Would select: `powershell/execution-pattern`, `conventions/no-emojis`, `conventions/output-markers`
+
+**Syncro billing task:**
+```
+/inject-standards "billing Syncro ticket for emergency onsite"
+```
+Would select: `syncro/time-entry-protocol`, `syncro/comment-dedup`, `syncro/html-formatting`
+
+**GuruRMM agent feature:**
+```
+/inject-standards "adding Linux temperature collection to the agent"
+```
+Would select: `gururmm/platform-parity`, `gururmm/build-pipeline`, `conventions/no-emojis`
+
+**Empty (auto from context):**
+```
+/inject-standards
+```
+Reads the recent conversation, infers the task type, selects 2–5 most relevant standards.
+
+## Standards index location
+
+`D:/claudetools/.claude/standards/index.yml`
+
+## Standards files location
+
+`D:/claudetools/.claude/standards/<folder>/<name>.md`