docs: add HUD status control contract (#1821)

Source: maintainer-owned salvage of useful Django reviewer/build-resolver/Celery work from stale PR #1310 by mrigank2seven.

- add django-reviewer and django-build-resolver agents

- add django-celery skill with timezone-aware scheduling example

- update catalog counts to 60 agents / 221 skills and record the May 12 salvage gap pass

Co-authored-by: MRIGANK GUPTA <mrigank2seven@users.noreply.github.com>

.claude-plugin/marketplace.json

@@ -11,7 +11,7 @@
     {
       "name": "ecc",
       "source": "./",
-      "description": "The most comprehensive Claude Code plugin — 58 agents, 220 skills, 74 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning",
+      "description": "The most comprehensive Claude Code plugin — 60 agents, 225 skills, 75 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning",
       "version": "2.0.0-rc.1",
       "author": {
         "name": "Affaan Mustafa",

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "ecc",
   "version": "2.0.0-rc.1",
-  "description": "Battle-tested Claude Code plugin for engineering teams — 58 agents, 220 skills, 74 legacy command shims, production-ready hooks, and selective install workflows evolved through continuous real-world use",
+  "description": "Battle-tested Claude Code plugin for engineering teams — 60 agents, 225 skills, 75 legacy command shims, production-ready hooks, and selective install workflows evolved through continuous real-world use",
   "author": {
     "name": "Affaan Mustafa",
     "url": "https://x.com/affaanmustafa"

AGENTS.md

@@ -1,6 +1,6 @@
 # Everything Claude Code (ECC) — Agent Instructions
 
-This is a **production-ready AI coding plugin** providing 58 specialized agents, 220 skills, 74 commands, and automated hook workflows for software development.
+This is a **production-ready AI coding plugin** providing 60 specialized agents, 225 skills, 75 commands, and automated hook workflows for software development.
 
 **Version:** 2.0.0-rc.1
 
@@ -35,6 +35,8 @@ This is a **production-ready AI coding plugin** providing 58 specialized agents,
 | kotlin-build-resolver | Kotlin/Gradle build errors | Kotlin build failures |
 | database-reviewer | PostgreSQL/Supabase specialist | Schema design, query optimization |
 | python-reviewer | Python code review | Python projects |
+| django-reviewer | Django code review | Django apps, DRF APIs, ORM, migrations |
+| django-build-resolver | Django build, migration, and setup errors | Django startup, dependency, migration, collectstatic failures |
 | java-reviewer | Java and Spring Boot code review | Java/Spring Boot projects |
 | java-build-resolver | Java/Maven/Gradle build errors | Java build failures |
 | loop-operator | Autonomous loop execution | Run loops safely, monitor stalls, intervene |
@@ -147,9 +149,9 @@ Troubleshoot failures: check test isolation → verify mocks → fix implementat
 ## Project Structure
 
 ```
-agents/          — 58 specialized subagents
-skills/          — 220 workflow skills and domain knowledge
-commands/        — 74 slash commands
+agents/          — 60 specialized subagents
+skills/          — 225 workflow skills and domain knowledge
+commands/        — 75 slash commands
 hooks/           — Trigger-based automations
 rules/           — Always-follow guidelines (common + per-language)
 scripts/         — Cross-platform Node.js utilities

README.md

@@ -358,7 +358,7 @@ If you stacked methods, clean up in this order:
 /plugin list ecc@ecc
 ```
 
-**That's it!** You now have access to 58 agents, 220 skills, and 74 legacy command shims.
+**That's it!** You now have access to 60 agents, 225 skills, and 75 legacy command shims.
 
 ### Dashboard GUI
 
@@ -456,7 +456,7 @@ everything-claude-code/
 |   |-- plugin.json         # Plugin metadata and component paths
 |   |-- marketplace.json    # Marketplace catalog for /plugin marketplace add
 |
-|-- agents/           # 58 specialized subagents for delegation
+|-- agents/           # 60 specialized subagents for delegation
 |   |-- planner.md           # Feature implementation planning
 |   |-- architect.md         # System design decisions
 |   |-- tdd-guide.md         # Test-driven development
@@ -1360,9 +1360,9 @@ The configuration is automatically detected from `.opencode/opencode.json`.
 
 | Feature | Claude Code | OpenCode | Status |
 |---------|-------------|----------|--------|
-| Agents | PASS: 58 agents | PASS: 12 agents | **Claude Code leads** |
-| Commands | PASS: 74 commands | PASS: 35 commands | **Claude Code leads** |
-| Skills | PASS: 220 skills | PASS: 37 skills | **Claude Code leads** |
+| Agents | PASS: 60 agents | PASS: 12 agents | **Claude Code leads** |
+| Commands | PASS: 75 commands | PASS: 35 commands | **Claude Code leads** |
+| Skills | PASS: 225 skills | PASS: 37 skills | **Claude Code leads** |
 | Hooks | PASS: 8 event types | PASS: 11 events | **OpenCode has more!** |
 | Rules | PASS: 29 rules | PASS: 13 instructions | **Claude Code leads** |
 | MCP Servers | PASS: 14 servers | PASS: Full | **Full parity** |
@@ -1465,9 +1465,9 @@ ECC is the **first plugin to maximize every major AI coding tool**. Here's how e
 
 | Feature | Claude Code | Cursor IDE | Codex CLI | OpenCode |
 |---------|------------|------------|-----------|----------|
-| **Agents** | 58 | Shared (AGENTS.md) | Shared (AGENTS.md) | 12 |
-| **Commands** | 74 | Shared | Instruction-based | 35 |
-| **Skills** | 220 | Shared | 10 (native format) | 37 |
+| **Agents** | 60 | Shared (AGENTS.md) | Shared (AGENTS.md) | 12 |
+| **Commands** | 75 | Shared | Instruction-based | 35 |
+| **Skills** | 225 | Shared | 10 (native format) | 37 |
 | **Hook Events** | 8 types | 15 types | None yet | 11 types |
 | **Hook Scripts** | 20+ scripts | 16 scripts (DRY adapter) | N/A | Plugin hooks |
 | **Rules** | 34 (common + lang) | 34 (YAML frontmatter) | Instruction-based | 13 instructions |

README.zh-CN.md

@@ -160,7 +160,7 @@ Copy-Item -Recurse rules/typescript "$HOME/.claude/rules/"
 /plugin list ecc@ecc
 ```
 
-**完成！** 你现在可以使用 58 个代理、220 个技能和 74 个命令。
+**完成！** 你现在可以使用 60 个代理、225 个技能和 75 个命令。
 
 ### multi-* 命令需要额外配置
 

agent.yaml

@@ -158,6 +158,7 @@ commands:
   - build-fix
   - checkpoint
   - code-review
+  - cost-report
   - cpp-build
   - cpp-review
   - cpp-test

agents/code-reviewer.md

@@ -27,6 +27,80 @@ When invoked:
 - **Consolidate** similar issues (e.g., "5 functions missing error handling" not 5 separate findings)
 - **Prioritize** issues that could cause bugs, security vulnerabilities, or data loss
 
+### Pre-Report Gate
+
+Before writing a finding, answer all four questions. If any answer is "no" or
+"unsure", downgrade severity or drop the finding.
+
+1. **Can I cite the exact line?** Name the file and line. Vague findings like
+   "somewhere in the auth layer" are not actionable and must be dropped.
+2. **Can I describe the concrete failure mode?** Name the input, state, and bad
+   outcome. If you cannot name the trigger, you are pattern-matching, not
+   reviewing.
+3. **Have I read the surrounding context?** Check callers, imports, and tests.
+   Many apparent issues are already handled one frame up or guarded by a type.
+4. **Is the severity defensible?** A missing JSDoc is never HIGH. A single
+   `any` in a test fixture is never CRITICAL. Severity inflation erodes trust
+   faster than missed findings.
+
+### HIGH / CRITICAL Require Proof
+
+For any finding tagged HIGH or CRITICAL, include:
+
+- The exact snippet and line number
+- The specific failure scenario: input, state, and outcome
+- Why existing guards, such as types, validation, or framework defaults, do not
+  catch it
+
+If you cannot produce all three, demote to MEDIUM or drop.
+
+### It Is Acceptable And Expected To Return Zero Findings
+
+A clean review is a valid review. Do not manufacture findings to justify the
+invocation. If the diff is small, well-typed, tested, and follows the project's
+patterns, the correct output is a summary with zero rows and verdict `APPROVE`.
+
+Manufactured findings, filler nits, speculative "consider using X", and
+hypothetical edge cases without a trigger are the primary failure mode of LLM
+reviewers and directly undermine this agent's usefulness.
+
+## Common False Positives - Skip These
+
+Patterns that LLM reviewers commonly mis-flag. Skip unless you have evidence
+specific to this codebase:
+
+- **"Consider adding error handling"** on a call whose error path is handled by
+  the caller or framework, such as Express error middleware, React error
+  boundaries, top-level `try/catch`, or Promise chains with `.catch` upstream.
+- **"Missing input validation"** when the function is internal and its callers
+  already validate. Trace at least one caller before flagging.
+- **"Magic number"** for well-known constants: `200`, `404`, `1000` ms, `60`,
+  `24`, `1024`, array index `0` or `-1`, HTTP status codes, and single-use
+  local constants whose meaning is obvious from the variable name.
+- **"Function too long"** for exhaustive `switch` statements, configuration
+  objects, test tables, or generated code. Length is not complexity.
+- **"Missing JSDoc"** on single-purpose internal helpers whose name and
+  signature are self-describing.
+- **"Prefer `const` over `let`"** when the variable is reassigned. Read the
+  whole function before flagging.
+- **"Possible null dereference"** when the preceding line narrows the type or an
+  `if` guard is in scope. Trace type flow instead of pattern-matching on `?.`.
+- **"N+1 query"** on fixed-cardinality loops, such as iterating a four-element
+  enum, or on paths already using `DataLoader` or batching.
+- **"Missing await"** on fire-and-forget calls that are intentionally detached,
+  such as logging, metrics, or background queue pushes. Check for a comment or
+  `void` prefix before flagging.
+- **"Should use TypeScript"** or **"Should have types"** in a JavaScript-only
+  file. Match the project's existing language; do not suggest a stack change.
+- **"Hardcoded value"** for values in test fixtures, example code, or
+  documentation snippets. Tests should have hardcoded expectations.
+- **Security theater**: flagging `Math.random()` in a non-cryptographic context
+  such as animation, jitter, or sampling, or flagging `eval`/`Function` in a
+  plugin system that is explicitly a code-loading surface.
+
+When tempted to flag one of the above, ask: "Would a senior engineer on this
+team actually change this in review?" If no, skip.
+
 ## Review Checklist
 
 ### Security (CRITICAL)
@@ -206,10 +280,13 @@ Verdict: WARNING — 2 HIGH issues should be resolved before merge.
 
 ## Approval Criteria
 
-- **Approve**: No CRITICAL or HIGH issues
+- **Approve**: No CRITICAL or HIGH issues, including clean reviews with zero
+  findings. This is a valid and expected outcome.
 - **Warning**: HIGH issues only (can merge with caution)
 - **Block**: CRITICAL issues found — must fix before merge
 
+Do not withhold approval to appear rigorous. If the diff is clean, approve it.
+
 ## Project-Specific Guidelines
 
 When available, also check project-specific conventions from `CLAUDE.md` or project rules:

agents/django-build-resolver.md

@@ -0,0 +1,243 @@
+---
+name: django-build-resolver
+description: Django/Python build, migration, and dependency error resolution specialist. Fixes pip/Poetry errors, migration conflicts, import errors, Django configuration issues, and collectstatic failures with minimal changes. Use when Django setup or startup fails.
+tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob"]
+model: sonnet
+---
+
+# Django Build Error Resolver
+
+You are an expert Django/Python error resolution specialist. Your mission is to fix build errors, migration conflicts, import failures, dependency issues, and Django startup errors with **minimal, surgical changes**.
+
+You DO NOT refactor or rewrite code — you fix the error only.
+
+## Core Responsibilities
+
+1. Resolve pip, Poetry, and virtualenv dependency errors
+2. Fix Django migration conflicts and state inconsistencies
+3. Diagnose and repair Django configuration/settings errors
+4. Resolve Python import errors and module not found issues
+5. Fix `collectstatic`, `runserver`, and management command failures
+6. Repair database connection and `DATABASES` misconfiguration
+
+## Diagnostic Commands
+
+Run these in order to locate the error:
+
+```bash
+# Check Python and Django versions
+python --version
+python -m django --version
+
+# Verify virtual environment is active
+which python
+pip list | grep -E "Django|djangorestframework|celery|psycopg"
+
+# Check for missing dependencies
+pip check
+
+# Validate Django configuration
+python manage.py check --deploy 2>&1 || python manage.py check 2>&1
+
+# List pending migrations
+python manage.py showmigrations 2>&1
+
+# Detect migration conflicts
+python manage.py migrate --check 2>&1
+
+# Static files
+python manage.py collectstatic --dry-run --noinput 2>&1
+```
+
+## Resolution Workflow
+
+```text
+1. Reproduce the error          -> Capture exact message
+2. Identify error category      -> See table below
+3. Read affected file/config    -> Understand context
+4. Apply minimal fix            -> Only what's needed
+5. python manage.py check       -> Validate Django config
+6. Run test suite               -> Ensure nothing broke
+```
+
+## Common Fix Patterns
+
+### Dependency / pip Errors
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| `ModuleNotFoundError: No module named 'X'` | Missing package | `pip install X` or add to `requirements.txt` |
+| `ImportError: cannot import name 'X' from 'Y'` | Version mismatch | Pin compatible version in requirements |
+| `ERROR: pip's dependency resolver...` | Conflicting deps | Upgrade pip: `pip install --upgrade pip`, then `pip install -r requirements.txt` |
+| `Poetry: No solution found` | Conflicting constraints | Relax version pin in `pyproject.toml` |
+| `pkg_resources.DistributionNotFound` | Installed outside venv | Reinstall inside venv |
+
+```bash
+# Force reinstall all dependencies
+pip install --force-reinstall -r requirements.txt
+
+# Poetry: clear cache and resolve
+poetry cache clear --all pypi
+poetry install
+
+# Create fresh virtualenv if corrupt
+deactivate
+python -m venv .venv && source .venv/bin/activate
+pip install -r requirements.txt
+```
+
+### Migration Errors
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| `django.db.migrations.exceptions.MigrationSchemaMissing` | DB tables not created | `python manage.py migrate` |
+| `InconsistentMigrationHistory` | Applied out of order | Squash or fake migrations |
+| `Migration X dependencies reference nonexistent parent Y` | Missing migration file | Recreate with `makemigrations` |
+| `Table already exists` | Migration applied outside Django | `migrate --fake-initial` |
+| `Multiple leaf nodes in the migration graph` | Conflicting migration branches | Merge: `python manage.py makemigrations --merge` |
+| `django.db.utils.OperationalError: no such column` | Unapplied migration | `python manage.py migrate` |
+
+```bash
+# Fix conflicting migrations
+python manage.py makemigrations --merge --no-input
+
+# Fake migrations already applied at DB level
+python manage.py migrate --fake <app> <migration_number>
+
+# Reset migrations for an app (dev only!)
+python manage.py migrate <app> zero
+python manage.py makemigrations <app>
+python manage.py migrate <app>
+
+# Show migration plan
+python manage.py migrate --plan
+```
+
+### Django Configuration Errors
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| `django.core.exceptions.ImproperlyConfigured` | Missing setting or wrong value | Check `settings.py` for the named setting |
+| `DJANGO_SETTINGS_MODULE not set` | Env var missing | `export DJANGO_SETTINGS_MODULE=config.settings.development` |
+| `SECRET_KEY must not be empty` | Missing env var | Set `DJANGO_SECRET_KEY` in `.env` |
+| `Invalid HTTP_HOST header` | `ALLOWED_HOSTS` misconfigured | Add hostname to `ALLOWED_HOSTS` |
+| `Apps aren't loaded yet` | Importing models before `django.setup()` | Call `django.setup()` or move imports inside functions |
+| `RuntimeError: Model class ... doesn't declare an explicit app_label` | App not in `INSTALLED_APPS` | Add the app to `INSTALLED_APPS` |
+
+```bash
+# Verify settings module resolves
+python -c "import django; django.setup(); print('OK')"
+
+# Check environment variable
+echo $DJANGO_SETTINGS_MODULE
+
+# Find missing settings
+python manage.py diffsettings 2>&1
+```
+
+### Import Errors
+
+```bash
+# Diagnose circular imports
+python -c "import <module>" 2>&1
+
+# Find where an import is used
+grep -r "from <module> import" . --include="*.py"
+
+# Check installed app paths
+python -c "import <app>; print(<app>.__file__)"
+```
+
+**Circular import fix:** Move imports inside functions or use `apps.get_model()`:
+
+```python
+# Bad - top-level causes circular import
+from apps.users.models import User
+
+# Good - import inside function
+def get_user(pk):
+    from apps.users.models import User
+    return User.objects.get(pk=pk)
+
+# Good - use apps registry
+from django.apps import apps
+User = apps.get_model('users', 'User')
+```
+
+### Database Connection Errors
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| `django.db.utils.OperationalError: could not connect to server` | DB not running or wrong host | Start DB or fix `DATABASES['HOST']` |
+| `django.db.utils.OperationalError: FATAL: role X does not exist` | Wrong DB user | Fix `DATABASES['USER']` |
+| `django.db.utils.ProgrammingError: relation X does not exist` | Missing migration | `python manage.py migrate` |
+| `psycopg2 not installed` | Missing driver | `pip install psycopg2-binary` |
+
+```bash
+# Test database connection
+python manage.py dbshell
+
+# Check DATABASES setting
+python -c "from django.conf import settings; print(settings.DATABASES)"
+```
+
+### collectstatic / Static Files Errors
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| `staticfiles.E001: The STATICFILES_DIRS...` | Dir in both `STATICFILES_DIRS` and `STATIC_ROOT` | Remove from `STATICFILES_DIRS` |
+| `FileNotFoundError` during collectstatic | Missing static file referenced in template | Remove or create the referenced file |
+| `AttributeError: 'str' object has no attribute 'path'` | `STORAGES` not configured for Django 4.2+ | Update `STORAGES` dict in settings |
+
+```bash
+# Dry run to find issues
+python manage.py collectstatic --dry-run --noinput 2>&1
+
+# Clear and recollect
+python manage.py collectstatic --clear --noinput
+```
+
+### runserver Failures
+
+```bash
+# Port already in use
+lsof -ti:8000 | xargs kill -9
+python manage.py runserver
+
+# Use alternate port
+python manage.py runserver 8080
+
+# Verbose startup for hidden errors
+python manage.py runserver --verbosity=2 2>&1
+```
+
+## Key Principles
+
+- **Surgical fixes only** — don't refactor, just fix the error
+- **Never** delete migration files — fake them instead
+- **Always** run `python manage.py check` after fixing
+- Fix root cause over suppressing symptoms
+- Use `--fake` sparingly and only when DB state is known
+- Prefer `pip install --upgrade` over manual `requirements.txt` edits when resolving conflicts
+
+## Stop Conditions
+
+Stop and report if:
+- Migration conflict requires destructive DB changes (data loss risk)
+- Same error persists after 3 fix attempts
+- Fix requires changes to production data or irreversible DB operations
+- Missing external service (Redis, PostgreSQL) that needs user setup
+
+## Output Format
+
+```text
+[FIXED] apps/users/migrations/0003_auto.py
+Error: InconsistentMigrationHistory — 0002_add_email applied before 0001_initial
+Fix: python manage.py migrate users 0001 --fake, then re-applied
+Remaining errors: 0
+```
+
+Final: `Django Status: OK/FAILED | Errors Fixed: N | Files Modified: list`
+
+For Django architecture and ORM patterns, see `skill: django-patterns`.
+For Django security settings, see `skill: django-security`.

agents/django-reviewer.md

@@ -0,0 +1,160 @@
+---
+name: django-reviewer
+description: Expert Django code reviewer specializing in ORM correctness, DRF patterns, migration safety, security misconfigurations, and production-grade Django practices. Use for all Django code changes. MUST BE USED for Django projects.
+tools: ["Read", "Grep", "Glob", "Bash"]
+model: sonnet
+---
+
+You are a senior Django code reviewer ensuring production-grade quality, security, and performance.
+
+**Note**: This agent focuses on Django-specific concerns. Ensure `python-reviewer` has been invoked for general Python quality checks before or after this review.
+
+When invoked:
+1. Run `git diff -- '*.py'` to see recent Python file changes
+2. Run `python manage.py check` if a Django project is present
+3. Run `ruff check .` and `mypy .` if available
+4. Focus on modified `.py` files and any related migrations
+5. Assume CI checks have passed (orchestration gated); if CI status needs verification, run `gh pr checks` to confirm green before proceeding
+
+## Review Priorities
+
+### CRITICAL — Security
+
+- **SQL Injection**: Raw SQL with f-strings or `%` formatting — use `%s` parameters or ORM
+- **`mark_safe` on user input**: Never without explicit `escape()` first
+- **CSRF exemption without reason**: `@csrf_exempt` on non-webhook views
+- **`DEBUG = True` in production settings**: Leaks full stack traces
+- **Hardcoded `SECRET_KEY`**: Must come from environment variable
+- **Missing `permission_classes` on DRF views**: Defaults to global — verify intent
+- **`eval()`/`exec()` on user input**: Immediate block
+- **File upload without extension/size validation**: Path traversal risk
+
+### CRITICAL — ORM Correctness
+
+- **N+1 queries in loops**: Accessing related objects without `select_related`/`prefetch_related`
+  ```python
+  # Bad
+  for order in Order.objects.all():
+      print(order.user.email)  # N+1
+
+  # Good
+  for order in Order.objects.select_related('user').all():
+      print(order.user.email)
+  ```
+- **Missing `atomic()` for multi-step writes**: Use `transaction.atomic()` for any sequence of DB writes
+- **`bulk_create` without `update_conflicts`**: Silent data loss on duplicate keys
+- **`get()` without `DoesNotExist` handling**: Unhandled exception risk
+- **Queryset used after `delete()`**: Stale queryset reference
+
+### CRITICAL — Migration Safety
+
+- **Model change without migration**: Run `python manage.py makemigrations --check`
+- **Backward-incompatible column drop**: Must be done in two deployments (nullable first)
+- **`RunPython` without `reverse_code`**: Migration cannot be reversed
+- **`atomic = False` without justification**: Leaves DB in partial state on failure
+
+### HIGH — DRF Patterns
+
+- **Serializer without explicit `fields`**: `fields = '__all__'` exposes all columns including sensitive ones
+- **No pagination on list endpoints**: Unbounded queries can return millions of rows
+- **Missing `read_only_fields`**: Auto-generated fields (id, created_at) editable by API
+- **`perform_create` not used**: Injecting user context should happen in `perform_create`, not `validate`
+- **No throttling on auth endpoints**: Login/registration open to brute force
+- **Nested writable serializers without `update()`**: Default update silently ignores nested data
+
+### HIGH — Performance
+
+- **Queryset evaluated in template context**: Use `.values()` or pass list; avoid lazy evaluation in templates
+- **Missing `db_index` on FK/filter fields**: Full table scan on filtered queries
+- **Synchronous external API call in view**: Blocks the request thread — offload to Celery
+- **`len(queryset)` instead of `.count()`**: Forces full fetch
+- **`exists()` not used for existence checks**: `if queryset:` fetches objects unnecessarily
+
+  ```python
+  # Bad
+  if Product.objects.filter(sku=sku):
+      ...
+
+  # Good
+  if Product.objects.filter(sku=sku).exists():
+      ...
+  ```
+
+### HIGH — Code Quality
+
+- **Business logic in views or serializers**: Move to `services.py`
+- **Signal logic that belongs in a service**: Signals make flow hard to trace — use explicitly
+- **Mutable default in model field**: `default=[]` or `default={}` — use `default=list`
+- **`save()` called without `update_fields`**: Overwrites all columns — risk of clobbering concurrent writes
+
+  ```python
+  # Bad
+  user.last_active = now()
+  user.save()
+
+  # Good
+  user.last_active = now()
+  user.save(update_fields=['last_active'])
+  ```
+
+### MEDIUM — Best Practices
+
+- **`str(queryset)` or slicing for debug**: Use Django shell, not production code
+- **Accessing `request.user` in serializer `validate()`**: Pass via context, not direct access
+- **`print()` instead of `logger`**: Use `logging.getLogger(__name__)`
+- **Missing `related_name`**: Reverse accessors like `user_set` are confusing
+- **`blank=True` without `null=True` on non-string fields**: DB stores empty string for non-string types
+- **Hardcoded URLs**: Use `reverse()` or `reverse_lazy()`
+- **Missing `__str__` on models**: Django admin and logging are broken without it
+- **App not using `AppConfig.ready()`**: Signal receivers not connected properly
+
+### MEDIUM — Testing Gaps
+
+- **No test for permission boundary**: Verify unauthorized access returns 403/401
+- **`force_authenticate` instead of proper token**: Tests skip auth logic entirely
+- **Missing `@pytest.mark.django_db`**: Tests silently hit no DB
+- **Factory not used**: Raw `Model.objects.create()` in tests is fragile
+
+## Diagnostic Commands
+
+```bash
+python manage.py check               # Django system check
+python manage.py makemigrations --check  # Detect missing migrations
+ruff check .                         # Fast linter
+mypy . --ignore-missing-imports      # Type checking
+bandit -r . -ll                      # Security scan (medium+)
+pytest --cov=apps --cov-report=term-missing -q  # Tests + coverage
+```
+
+## Review Output Format
+
+```text
+[SEVERITY] Issue title
+File: apps/orders/views.py:42
+Issue: Description of the problem
+Fix: What to change and why
+```
+
+## Approval Criteria
+
+- **Approve**: No CRITICAL or HIGH issues
+- **Warning**: MEDIUM issues only (can merge with caution)
+- **Block**: CRITICAL or HIGH issues found
+
+## Framework-Specific Checks
+
+- **Migrations**: Every model change must have a migration. Two-phase for column removal.
+- **DRF**: All public endpoints need explicit `permission_classes`. Pagination on all list views.
+- **Celery**: Tasks must be idempotent. Use `bind=True` + `self.retry()` for transient failures.
+- **Django Admin**: Never expose sensitive fields. Use `readonly_fields` for auto-generated data.
+- **Signals**: Prefer explicit service calls. If signals are used, register in `AppConfig.ready()`.
+
+## Reference
+
+For Django architecture patterns and ORM examples, see `skill: django-patterns`.
+For security configuration checklists, see `skill: django-security`.
+For testing patterns and fixtures, see `skill: django-tdd`.
+
+---
+
+Review with the mindset: "Would this code safely serve 10,000 concurrent users without data loss, security breach, or a 3am pager alert?"

commands/cost-report.md

@@ -0,0 +1,107 @@
+---
+description: Generate a local Claude Code cost report from a cost-tracker SQLite database.
+argument-hint: [csv]
+---
+
+# Cost Report
+
+Query the local cost-tracking database and present a spending report by day,
+project, tool, and session. This command assumes a cost-tracking hook or plugin
+is already writing usage rows to `~/.claude-cost-tracker/usage.db`.
+
+## What This Command Does
+
+1. Check that `sqlite3` is available.
+2. Check that `~/.claude-cost-tracker/usage.db` exists.
+3. Run aggregate queries against the `usage` table.
+4. Present a compact report, or export recent rows as CSV when the argument is
+   `csv`.
+
+## Prerequisites
+
+The database must be populated by a local cost tracker. If the file is missing,
+tell the user the tracker is not set up and suggest installing or enabling a
+trusted Claude Code cost-tracking hook/plugin first.
+
+```bash
+test -f ~/.claude-cost-tracker/usage.db && echo "Database found" || echo "Database not found"
+```
+
+## Summary Query
+
+```bash
+sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
+  SELECT
+    ROUND(COALESCE(SUM(CASE WHEN date(timestamp) = date('now') THEN cost_usd END), 0), 4) AS today_cost,
+    ROUND(COALESCE(SUM(CASE WHEN date(timestamp) = date('now', '-1 day') THEN cost_usd END), 0), 4) AS yesterday_cost,
+    ROUND(COALESCE(SUM(cost_usd), 0), 4) AS total_cost,
+    COUNT(*) AS total_calls,
+    COUNT(DISTINCT session_id) AS sessions
+  FROM usage;
+"
+```
+
+## Project Breakdown
+
+```bash
+sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
+  SELECT project, ROUND(SUM(cost_usd), 4) AS cost, COUNT(*) AS calls
+  FROM usage
+  GROUP BY project
+  ORDER BY cost DESC;
+"
+```
+
+## Tool Breakdown
+
+```bash
+sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
+  SELECT tool_name, ROUND(SUM(cost_usd), 4) AS cost, COUNT(*) AS calls
+  FROM usage
+  GROUP BY tool_name
+  ORDER BY cost DESC;
+"
+```
+
+## Last Seven Days
+
+```bash
+sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
+  SELECT date(timestamp) AS date, ROUND(SUM(cost_usd), 4) AS cost, COUNT(*) AS calls
+  FROM usage
+  GROUP BY date(timestamp)
+  ORDER BY date DESC
+  LIMIT 7;
+"
+```
+
+## CSV Export
+
+If the user asks for `/cost-report csv`, export the most recent usage rows with
+an explicit column list:
+
+```bash
+sqlite3 -csv -header ~/.claude-cost-tracker/usage.db "
+  SELECT timestamp, project, tool_name, input_tokens, output_tokens, cost_usd, session_id, model
+  FROM usage
+  ORDER BY timestamp DESC
+  LIMIT 100;
+"
+```
+
+## Report Format
+
+Format the response as:
+
+1. Summary: today, yesterday, total, calls, sessions.
+2. By project: projects ranked by total cost.
+3. By tool: tools ranked by total cost.
+4. Last seven days: date, cost, call count.
+
+Use four decimal places for sub-dollar amounts. Do not estimate pricing from raw
+tokens in this command; rely on the precomputed `cost_usd` values written by the
+tracker.
+
+## Source
+
+Salvaged from stale community PR #1304 by `MayurBhavsar`.

docs/ECC-2.0-GA-ROADMAP.md

@@ -16,10 +16,21 @@ so the live execution truth is split across:
 
 As of 2026-05-12:
 
-- Public GitHub queues are clean across `everything-claude-code`,
-  `agentshield`, `JARVIS`, `ECC-Tools`, and `ECC-website`.
+- Public GitHub queues are clean across `affaan-m/everything-claude-code`,
+  `affaan-m/agentshield`, `affaan-m/JARVIS`, `ECC-Tools/ECC-Tools`, and
+  `ECC-Tools/ECC-website`.
+- Public GitHub discussions are also clean across those tracked repos:
+  `states: OPEN` returned zero discussions for every accessible discussion
+  surface on 2026-05-12.
+- The final open public GitHub issue, #1314, was closed as a non-actionable
+  external badge/listing notification with a courtesy comment.
+- Linear issue creation for this project was re-tested after GitHub cleanup and
+  is still blocked by the workspace free issue limit. Seven roadmap-lane issue
+  creation attempts all returned the same limit error, so this repo mirror and
+  Linear project status updates remain the active tracking surfaces until the
+  workspace is upgraded or issue capacity is freed.
 - `npm run harness:audit -- --format json` reports 70/70 on current `main`.
-- `npm run observability:ready` reports 14/14 readiness on current `main`.
+- `npm run observability:ready` reports 16/16 readiness on current `main`.
 - `docs/architecture/harness-adapter-compliance.md` maps Claude Code, Codex,
   OpenCode, Cursor, Gemini, Zed-adjacent, dmux, Orca, Superset, Ghast, and
   terminal-only support to install paths, verification commands, and risk
@@ -30,6 +41,10 @@ As of 2026-05-12:
 - `docs/releases/2.0.0-rc.1/publication-readiness.md` gates GitHub release,
   npm dist-tag, Claude plugin, Codex plugin, OpenCode package, billing, and
   announcement publication on fresh evidence fields.
+- `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` records the
+  rc.1 naming decision: ship as Everything Claude Code (ECC), keep
+  `ecc-universal` for npm, keep `ecc` for Claude/Codex plugin slugs, and defer
+  any broader repo/package rename until after the release pipeline is proven.
 - `docs/legacy-artifact-inventory.md` records that no `_legacy-documents-*`
   directories exist in the current checkout, inventories the two sibling
   workspace-level `_legacy-documents-*` repos as sanitized extraction sources,
@@ -58,6 +73,14 @@ As of 2026-05-12:
 - AgentShield PR #60 added category-level built-in corpus benchmark output,
   a `readyForRegressionGate` signal, terminal `--corpus` category coverage,
   README/API docs, built-CLI smoke validation, and 1,705-test coverage.
+- AgentShield PR #61 cleared the remaining Dependabot security/bugfix PR with
+  a lockfile-only `postcss` 8.5.6 -> 8.5.14 bump after local typecheck, full
+  tests, lint, build, and remote self-scan/action verification.
+- AgentShield PR #62 added organization-policy exception lifecycle audit
+  evidence: active, expiring-soon, and expired exception counts; owner, ticket,
+  scope, expiry, and days-until-expiry reporting; terminal output and GitHub
+  Action job-summary evidence; README docs; rebuilt action bundles; and
+  1,708-test validation.
 - ECC PR #1778 recovered the useful stale #1413 network/homelab architect-agent
   concepts.
 - ECC-Tools PR #26 added cost/token-risk predictive follow-ups for AI routing,
@@ -85,12 +108,52 @@ As of 2026-05-12:
   plugin, agent, hook, command, and harness config changes that lack harness
   audit, adapter matrix, cross-harness docs, or compatibility regression
   evidence.
+- ECC-Tools PR #34 added skill-quality predictive follow-ups and a Skill
+  Quality PR-risk bucket for skill, agent, command, and rule guidance changes
+  that lack examples, validation, eval, or reference evidence.
+- ECC-Tools PR #35 added RAG/evaluator predictive follow-ups and a
+  RAG/Evaluator Evidence PR-risk bucket for retrieval, embedding, ranking, and
+  evaluator changes that lack reference-set comparison, golden trace,
+  benchmark, fixture, or eval-run evidence.
+- ECC-Tools PR #36 added deep-analyzer predictive follow-ups, a Deep Analyzer
+  Evidence PR-risk bucket, and a Linear-ready project sync backlog table for
+  deferred follow-up work.
+- ECC-Tools PR #37 added a maintained analyzer corpus fixture, corpus validation
+  tests, and co-located analyzer reference-set evidence recognition for future
+  predictive follow-ups and PR-risk taxonomy checks.
+- ECC-Tools PR #38 added PR review/stale-salvage predictive follow-ups, a
+  PR Review/Salvage Evidence taxonomy bucket, and maintained corpus fixtures
+  for stale-closure salvage, reviewer-thread, and reopen-flow evidence.
+- ECC-Tools PR #39 added opt-in native Linear GraphQL sync for deferred
+  follow-up backlog items, preserving GitHub object caps while creating or
+  reusing Linear issues when `LINEAR_API_KEY` and `LINEAR_TEAM_ID` are
+  configured.
+- ECC PR #1803 landed the contributor Quarkus handling branch after maintainer
+  cleanup, current-`main` alignment, full local validation, and preservation of
+  the author's removal of incomplete ja-JP and zh-CN Quarkus translations.
+- ECC PR #1812 salvaged useful Django reviewer, Django build resolver, and
+  Django Celery guidance from stale PR #1310 through a maintainer-owned branch
+  with source credit, catalog sync, and full local/remote validation.
+- ECC PR #1813 expanded the stale PR salvage ledger with source-to-salvage
+  mappings for #1325, #1414, #1478, #1504, and #1603, confirming those useful
+  stale contributions were already preserved through later maintainer PRs.
+- ECC PR #1815 salvaged the useful stale #1304 cost-tracking and #1232
+  skill-scout work into current command/skill conventions with current catalog
+  sync and full local/remote validation.
+- ECC PR #1816 salvaged the useful stale #1659 frontend design guidance into
+  canonical ECC skill layout while preserving the guardrail that the official
+  Anthropic `frontend-design` skill remains externally sourced.
+- ECC PR #1817 salvaged the useful stale #1658 code-reviewer false-positive
+  guardrails, adding proof gates for HIGH/CRITICAL findings, common
+  false-positive exclusions, and a regression test.
+- ECC PR #1818 recorded the May 12 stale-salvage gap pass, classifying already
+  present work, skipped work, and translator/manual-review leftovers.
 
 ## Operating Rules
 
 - Keep public PRs and issues below 20, with zero as the preferred release-lane
   target.
-- Maintain 70/70 harness audit and 14/14 observability readiness after every
+- Maintain 70/70 harness audit and 16/16 observability readiness after every
   GA-readiness batch.
 - Do not publish release or social announcements until the GitHub release,
   npm/package state, billing state, and plugin submission surfaces are verified
@@ -100,6 +163,58 @@ As of 2026-05-12:
   maintainer-owned branches, and credit the source PR.
 - Do not create new Linear issues until the active issue limit is cleared.
 
+## Prompt-To-Artifact Execution Checklist
+
+This table keeps the long operator prompt tied to concrete artifacts. A status
+is not complete unless the evidence column exists and has been freshly verified.
+
+| Prompt requirement | Required artifact or gate | Current evidence | Status |
+| --- | --- | --- | --- |
+| Keep public PRs below 20 | Repo-family PR recheck | 0 open PRs across the tracked public repos on 2026-05-12 | Complete for this checkpoint |
+| Keep public issues below 20 | Repo-family issue recheck | 0 open issues across the tracked public repos on 2026-05-12 after closing #1314 as non-actionable badge/listing noise | Complete for this checkpoint |
+| Manage repository discussions | Repo-family discussion recheck | 0 open discussions across the tracked public repos on 2026-05-12 via GraphQL `states: OPEN` checks | Complete for this checkpoint |
+| Manage PR discussions | PR review/comment closure plus merge/close state | #1803 was maintainer-edited and merged; no open PRs remain | Complete for this checkpoint |
+| Salvage useful stale work | `docs/stale-pr-salvage-ledger.md` | Ledger records salvaged, superseded, skipped, and manual-review tails; #1815-#1818 added cost tracking, skill scout, frontend design guidance, code-reviewer false-positive guardrails, and the May 12 gap pass | Complete except translation/manual review tail |
+| ECC 2.0 preview pack ready | Release docs, quickstart, publication readiness, release notes | `docs/releases/2.0.0-rc.1/` and readiness docs are in-tree | Needs final release evidence |
+| Hermes specialized skills included safely | Hermes setup/import docs and sanitized skill surface | Hermes setup and import playbook are public; secrets stay local | Needs final release review |
+| Naming and rename readiness | Naming matrix across package/plugin/docs/social surfaces | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` records current package, repo, Claude plugin, Codex plugin, OpenCode, and npm availability evidence | Complete for rc.1; post-rc rename remains future work |
+| Claude and Codex plugin publication | Contact/submission path with required artifacts and status | Publication readiness plus naming matrix document local validation and CLI marketplace/tag surfaces | Needs final release-commit plugin tag/install evidence |
+| Articles, tweets, and announcements | X thread, LinkedIn copy, GitHub release copy, push checklist | Draft launch collateral exists under rc.1 release docs | Needs URL-backed refresh |
+| AgentShield enterprise iteration | Policy gates, SARIF, packs, provenance, corpus, HTML reports, exception lifecycle audit | PRs #53, #55-#62 landed with test evidence | Needs PDF/export decision or next enterprise signal |
+| ECC Tools next-level app | Billing audit, PR checks, deep analyzer, sync backlog | PRs #26-#39 landed with test evidence | Needs capacity-backed Linear rollout / broader evaluator corpus |
+| GitGuardian/Dependabot/CodeRabbit-style checks | Non-blocking taxonomy and deterministic follow-up checks | ECC-Tools risk taxonomy check plus follow-up signals landed, including Skill Quality, Deep Analyzer Evidence, Analyzer Corpus Evidence, RAG/Evaluator Evidence, and PR Review/Salvage Evidence | Partially complete |
+| Harness-agnostic learning system | Audit, adapter matrix, observability, traces, promotion loop | Audit/adapters/observability gates exist | Needs evaluation/RAG prototype |
+| Linear roadmap is detailed | Linear project status plus repo mirror | Repo mirror exists; issue creation was retried on 2026-05-12 and remains blocked by the workspace free issue limit | Needs recurring status updates after each merge batch |
+| Flow separation and progress tracking | Flow lanes with owner artifacts and update cadence | This roadmap defines lanes below | Active |
+| Realtime Linear sync | Project updates while issue limit is blocked; issues later | ECC-Tools #39 implements opt-in Linear API sync for deferred follow-up backlog items | Needs workspace capacity/config rollout |
+| Observability for self-use | Local readiness gate, traces, status snapshots, HUD/status contract, risk ledger | `npm run observability:ready` reports 16/16 | Complete for local gate |
+| Proper release and notifications | Release tag, npm publish state, plugin state, social posts | Publication readiness gate exists | Not complete |
+
+## Execution Lanes And Tracking Contract
+
+Until Linear issue capacity is cleared, this document is the durable execution
+ledger and Linear receives project status updates only. When capacity is
+available, each lane below should become a small set of Linear issues linked
+back to the repo evidence and merge commits.
+
+| Lane | Source of truth | Next tracked artifact | Update cadence |
+| --- | --- | --- | --- |
+| Queue hygiene and salvage | GitHub PR/issue state, salvage ledger | Append ledger entries for any future stale closures | Every cleanup batch |
+| Release and publication | rc.1 release docs, publication readiness doc | Naming matrix and plugin submission/contact checklist | Before any tag |
+| Harness OS core | Audit, adapter matrix, observability docs, `ecc2/` | HUD/session-control acceptance spec | Weekly until GA |
+| Evaluation and RAG | Reference-set validation, harness audit, traces | Read-only evaluator/RAG prototype design | Before deep analyzer expansion |
+| AgentShield enterprise | AgentShield PR evidence and roadmap notes | PDF-export decision or next enterprise signal | After value decision |
+| ECC Tools app | ECC-Tools PR evidence, billing audit, risk taxonomy | Capacity-backed Linear rollout or broader evaluator/RAG corpus slice | Next implementation batch |
+| Linear progress | Linear project status updates and this mirror | Status update with queue/evidence/missing gates | Every significant merge batch |
+
+The project status update should always include:
+
+1. Current public PR and issue counts.
+2. Merged evidence since the previous update.
+3. Deferred or blocked items with the reason.
+4. The next one or two implementation slices.
+5. Any release or publication gate that is still not evidence-backed.
+
 ## Reference Pressure
 
 The GA roadmap is informed by these reference surfaces:
@@ -160,7 +275,7 @@ Target: 2026-06-07
 
 Acceptance:
 
-- Observability readiness remains 14/14 and is backed by JSONL traces, status
+- Observability readiness remains 16/16 and is backed by JSONL traces, status
   snapshots, risk ledger, and exportable handoff contracts.
 - HUD/status model covers context, tool calls, active agents, todos, checks,
   cost, risk, and queue state.
@@ -189,8 +304,9 @@ Target: 2026-06-14
 
 Acceptance:
 
-- Formal policy schema exists for org baselines, exceptions, owners,
-  expiration, severity, and audit trails.
+- Formal policy schema and evaluation output exist for org baselines,
+  exceptions, owners, expiration, severity, audit trails, expiring-soon
+  visibility, and expired-exception enforcement.
 - SARIF/code-scanning output is implemented and tested.
 - GitHub Action policy gates expose organization policy status and violation
   counts for branch-protection and CI evidence.
@@ -201,7 +317,8 @@ Acceptance:
 - Prompt-injection corpus and regression benchmark are ready for continuous
   rule hardening with category-level coverage and regression-gate output.
 - Enterprise reports include JSON plus self-contained HTML executive output
-  with risk posture, priority findings, and category exposure.
+  with risk posture, priority findings, category exposure, and policy-exception
+  lifecycle evidence in terminal/CI summaries.
 
 ### 6. ECC Tools Billing, Deep Analysis, PR Checks, And Linear Sync
 
@@ -216,15 +333,31 @@ Acceptance:
   failure modes.
 - Deep analyzer covers diff patterns, CI/CD workflows, dependency/security
   surface, PR review behavior, failure history, harness config, skill quality,
-  and reference-set/RAG comparison.
+  dedicated analyzer corpus evidence, co-located analyzer reference sets,
+  PR review/stale-salvage evidence, RAG/evaluator comparison, and reference-set
+  validation.
 - PR check suite taxonomy includes Security Evidence, Harness Drift, Install
-  Manifest Integrity, CI/CD Recommendation, Cost/Token Risk, and Agent Config
-  Review.
+  Manifest Integrity, CI/CD Recommendation, Cost/Token Risk, Reference Set
+  Validation, Deep Analyzer Evidence, RAG/Evaluator Evidence,
+  PR Review/Salvage Evidence, Skill Quality, and Agent Config Review.
 - Cost/token-risk predictive follow-ups flag AI routing, model-call, usage,
   quota, and budget changes when budget evidence is missing.
 - Reference-set validation follow-ups flag analyzer, skill, agent, command, and
   harness-guidance changes that lack eval, golden trace, benchmark, or
   maintained reference-set evidence.
+- Deep-analyzer follow-ups flag repository, commit, architecture, pattern, and
+  analysis-pipeline changes that lack analyzer corpus, snapshot, fixture, or
+  benchmark evidence.
+- Analyzer corpus evidence includes maintained fixtures and tests for current
+  architecture and commit analyzer outputs, plus co-located
+  `src/analyzers/{fixtures,goldens,reference-sets,benchmarks,evals}/` evidence
+  paths.
+- RAG/evaluator follow-ups flag retrieval, embedding, ranking, and evaluator
+  changes that lack reference-set comparison, golden trace, benchmark, fixture,
+  or eval-run evidence.
+- PR review/stale-salvage follow-ups flag review, triage, stale-closure, and
+  pull-request automation changes that lack stale-salvage fixtures,
+  reviewer-thread cases, or reopen-flow reference evidence.
 - PR analysis comments summarize review follow-up signals for requested
   changes, unresolved or outdated review threads, and missing approvals.
 - CI failure-mode predictive follow-ups flag workflow and test-runner changes
@@ -233,8 +366,9 @@ Acceptance:
 - Harness-config quality predictive follow-ups flag MCP, plugin, agent, hook,
   command, and harness config changes that lack audit, adapter matrix,
   cross-harness doc, or compatibility regression evidence.
-- Linear sync design maps findings to issues/status without flooding the
-  workspace.
+- Linear sync maps deferred backlog findings to Linear issues without flooding
+  GitHub, creates or reuses exact-title Linear issues when configured, and
+  reports skipped sync when credentials or team configuration are absent.
 - Follow-up generation caps automatic GitHub object creation and keeps overflow
   findings in a copy-ready project sync backlog.
 
@@ -259,6 +393,8 @@ Acceptance:
 ## Next Engineering Slices
 
 1. Decide whether AgentShield PDF export adds value beyond the merged HTML
-   executive report and corpus benchmark output.
-2. Extend ECC Tools deep analysis and Linear/project sync without flooding the
-   workspace.
+   executive report, corpus benchmark output, and exception lifecycle audit.
+2. Enable/configure the merged Linear backlog sync path after workspace issue
+   capacity clears or the Linear workspace is upgraded.
+3. Expand the evaluator/RAG corpus with real cleanup-batch cases as future
+   maintainer-owned examples land.

docs/architecture/hud-status-session-control.md

@@ -0,0 +1,80 @@
+# HUD Status And Session Control Contract
+
+This contract defines the portable status payload ECC uses for local operator
+surfaces, handoffs, and future HUDs. It is intentionally harness-neutral: a
+Claude Code statusline, Codex pane, dmux session, OpenCode run, or terminal-only
+workflow can emit partial data without changing field names.
+
+The canonical example lives at
+[`examples/hud-status-contract.json`](../../examples/hud-status-contract.json).
+
+## Payload Shape
+
+Every status payload uses `schema_version: "ecc.hud-status.v1"` and keeps these
+top-level sections stable:
+
+| Field | Purpose | Primary Source |
+|---|---|---|
+| `context` | Model, harness, repo, branch, worktree, session id, and context-window pressure | statusline stdin, git, session adapters |
+| `toolCalls` | Recent tool counts, pending calls, stale calls, and last tool event | `loop-status`, `tool-usage.jsonl`, hook bridge |
+| `activeAgents` | Current workers/subagents, runtime state, branch, worktree, objective, and handoff paths | dmux/orchestration snapshots |
+| `todos` | Current in-progress task and todo counts | Claude todos, local task files, plan metadata |
+| `checks` | Local and remote validation status with command/check URLs when available | CI, local commands, release gates |
+| `cost` | Session spend, token counts, budget, and trend | cost tracker, metrics bridge |
+| `risk` | Attention state, conflict pressure, stale calls, dirty worktree, and manual-review flags | readiness gates, git, queue state |
+| `queueState` | GitHub PR/issue/discussion counts, conflict queue, merge queue, and stale-salvage queue | GitHub sync, work items |
+| `sessionControls` | Supported operator actions for the current target | ECC CLI, dmux, git/GitHub |
+| `sync` | Linear, GitHub, and handoff publication state | status updates, work items, handoff writer |
+
+Fields can be `null`, empty arrays, or `"unknown"` when a harness cannot expose
+the signal. Producers should not invent incompatible names. Consumers should
+render missing sections as unavailable, not as green.
+
+## Session Controls
+
+The minimum session-control vocabulary is:
+
+| Control | Meaning |
+|---|---|
+| `create` | Start a new isolated run, worktree, or orchestration plan |
+| `resume` | Reattach to an existing session or historical target |
+| `status` | Emit the current payload without mutating state |
+| `stop` | Request a graceful stop or mark the session completed |
+| `diff` | Show current working-tree or worker diff |
+| `pr` | Open or inspect the linked pull request |
+| `mergeQueue` | Show merge-ready, blocked, and waiting-check items |
+| `conflictQueue` | Show dirty/conflicting PRs or worktrees needing integration |
+
+`sessionControls.supported` lists the controls available for the current
+harness. `sessionControls.blocked` explains unavailable controls, for example a
+missing GitHub token, no tmux session, or a read-only adapter.
+
+## Sync Contract
+
+The sync section separates durable trackers:
+
+- `Linear` records project status update id, health, and whether issue creation
+  is blocked by workspace capacity.
+- `GitHub` records the current repo, PR/issue/discussion queue counts, and the
+  latest merged or open PR tied to the session.
+- `handoff` records the durable Markdown handoff path and whether it has been
+  written after the latest batch.
+
+This makes real-time progress tracking explicit without requiring every run to
+create Linear issues or GitHub comments. When Linear issue capacity is blocked,
+the status payload can still prove progress through project updates and repo
+handoffs.
+
+## Current Implementations
+
+- `ecc status --json` exposes readiness, active sessions, skill runs, install
+  health, governance, and linked work items from the SQLite state store.
+- `ecc loop-status --json --write-dir <dir>` writes live transcript snapshots
+  and attention signals for long-running loops.
+- `ecc session-inspect <target> --write <path>` emits canonical session
+  snapshots from dmux and Claude-history adapters.
+- `scripts/hooks/ecc-statusline.js` renders compact model, task, cost, tool,
+  file, duration, directory, and context pressure signals inside Claude Code.
+
+The `ecc.hud-status.v1` payload is the common outer contract these surfaces can
+project into before ECC grows a dedicated full-screen HUD.

docs/architecture/observability-readiness.md

@@ -19,6 +19,10 @@ operator needs.
 
 - Live status: `scripts/loop-status.js` can emit JSON, watch active loops, and
   write snapshots for dashboards or handoffs.
+- HUD/status contract: `docs/architecture/hud-status-session-control.md` and
+  `examples/hud-status-contract.json` define the portable payload for context,
+  tool calls, active agents, todos, checks, cost, risk, queues, session
+  controls, and tracker sync.
 - Session traces: `scripts/session-inspect.js` can inspect Claude, dmux, and
   adapter-backed sessions, then write canonical snapshots.
 - Harness baseline: `scripts/harness-audit.js` provides a repeatable scorecard
@@ -56,9 +60,11 @@ later, but only after the local event model is useful enough to trust.
    scorecard.
 3. Run `node scripts/loop-status.js --json --write-dir .ecc/loop-status`
    during longer autonomous batches.
-4. Run `node scripts/session-inspect.js --list-adapters` to confirm which
+4. Review `examples/hud-status-contract.json` before wiring a new HUD or
+   operator dashboard.
+5. Run `node scripts/session-inspect.js --list-adapters` to confirm which
    session surfaces are available.
-5. Use ECC2 tool logs for risky operations, conflict analysis, and handoff
+6. Use ECC2 tool logs for risky operations, conflict analysis, and handoff
    review before increasing autonomy.
 
 The end-state is practical: before asking ECC to run larger multi-agent loops,

docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md

@@ -0,0 +1,119 @@
+# ECC v2.0.0-rc.1 Naming And Publication Matrix
+
+Snapshot date: 2026-05-12.
+
+This matrix answers the release question "ship as Everything Claude Code, ECC,
+or a renamed surface?" for the rc.1 lane. It is evidence for planning, not a
+publication action.
+
+## Decision
+
+For `v2.0.0-rc.1`, keep the public identity as **Everything Claude Code (ECC)**.
+Use **ECC** as the short product name in copy, plugin slugs, status surfaces,
+and diagrams, but do not rename the GitHub repo, npm package, or package entry
+points before the rc.1 release.
+
+Reason:
+
+- the current install surface already works as `ecc-universal` plus the `ecc`
+  plugin slug;
+- the exact npm package name `ecc` is already occupied by an unrelated elliptic
+  curve cryptography package;
+- the repo name `affaan-m/ecc` is not present, but renaming
+  `affaan-m/everything-claude-code` before rc.1 would create avoidable URL,
+  package, docs, and marketplace churn;
+- Claude and Codex plugin surfaces are already short enough as `ecc`;
+- rc.1 should prove the release, plugin, and publication pipeline before any
+  broader brand migration.
+
+## Current Values
+
+| Surface | Current value | Evidence command | 2026-05-12 result | Release decision |
+| --- | --- | --- | --- | --- |
+| Product display name | `Everything Claude Code` | `rg -n "Everything Claude Code" README.md CHANGELOG.md docs/releases/2.0.0-rc.1` | Present across README, release notes, launch copy, and plugin manifests | Keep for rc.1 |
+| Short name | `ECC` | README/release docs | Used as the short cross-harness brand | Keep and prefer in tight copy |
+| GitHub repo | `affaan-m/everything-claude-code` | `git remote get-url origin` | `https://github.com/affaan-m/everything-claude-code.git` | Keep for rc.1 |
+| Possible short repo | `affaan-m/ecc` | `gh repo view affaan-m/ecc` | Not found with current auth | Candidate after rc.1 only |
+| npm package | `ecc-universal` | `node -p "require('./package.json').name"` | `ecc-universal` | Keep for rc.1 |
+| npm package version | `2.0.0-rc.1` local, `1.10.0` registry latest | `node -p "require('./package.json').version"` and `npm view ecc-universal name version dist-tags --json` | Local rc.1 is ready; registry latest remains `1.10.0` | Publish rc as `next`, not `latest` |
+| Exact npm short name | `ecc` | `npm view ecc name version description repository.url --json` | Occupied by `ecc@0.0.2`, "Elliptic curve cryptography functions." | Do not use |
+| Scoped npm short name | `@affaan-m/ecc` | `npm view @affaan-m/ecc name version --json` | Registry 404 | Possible future scoped package if npm scope policy permits |
+| Former package name | `everything-claude-code` | `npm view everything-claude-code name version dist-tags --json` | Registry reports unpublished on 2026-02-07 | Do not revive for rc.1 |
+| Claude plugin slug | `ecc` | `node -p "require('./.claude-plugin/plugin.json').name"` | `ecc` | Keep |
+| Claude plugin version | `2.0.0-rc.1` | `claude plugin validate .claude-plugin/plugin.json` | Validation passed on Claude Code `2.1.121` | Ready for release-tag gate |
+| Claude marketplace entry | `ecc` | `.claude-plugin/marketplace.json` | Version and repo point at current rc.1 surface | Keep |
+| Codex plugin slug | `ecc` | `node -p "require('./.codex-plugin/plugin.json').name"` | `ecc` | Keep |
+| Codex plugin version | `2.0.0-rc.1` | `node tests/docs/ecc2-release-surface.test.js` | Release surface test passed | Ready for Codex marketplace/manual marketplace gate |
+| OpenCode package | `ecc-universal` | `node -p "require('./.opencode/package.json').name"` | `ecc-universal` | Keep |
+| OpenCode build | Generated package output | `npm run build:opencode` | Passed | Ready for package dry-run gate |
+| npm pack surface | Reduced runtime package | `npm pack --dry-run --json` | Produced `ecc-universal-2.0.0-rc.1.tgz`, 969 entries, about 5.0 MB unpacked | Needs final release-commit rerun |
+
+## Publication Paths
+
+| Path | Current evidence | Required next action | Blocker |
+| --- | --- | --- | --- |
+| GitHub release | `docs/releases/2.0.0-rc.1/` and release notes are in-tree | Re-run required command evidence from the final release commit, then create/verify `v2.0.0-rc.1` prerelease | No tag/release yet |
+| npm | `ecc-universal` local package version is `2.0.0-rc.1`; registry latest is `1.10.0` | Publish rc with `npm publish --tag next` after final `npm pack --dry-run` and release tests | Do not publish before final release commit |
+| Claude plugin | `claude plugin validate .claude-plugin/plugin.json` passed; `claude plugin tag --help` confirms the release tag flow creates `{name}--v{version}` tags and can push them | Run `claude plugin tag .claude-plugin --dry-run` from the clean release commit, then tag/push only after release approval | No plugin release tag created in this pass |
+| Claude marketplace | `.claude-plugin/marketplace.json` points at `ecc` and the public repo | Verify marketplace update/install path after tag exists | External marketplace propagation not verified |
+| Codex plugin | `codex plugin marketplace` supports add/upgrade/remove; `.codex-plugin/plugin.json` is present and release-surface tests pass | Confirm marketplace source format, then test add/upgrade from the public repo or marketplace source | No public Codex marketplace submission path verified in this pass |
+| OpenCode package | `.opencode/package.json` builds from source and ships inside npm package | Re-run `npm run build:opencode` and package dry-run from release commit | OpenCode CLI 1.2.21 does not expose a separate plugin publication command in this pass |
+| ECC Tools billing claim | README and launch copy mention ECC Tools / marketplace context | Verify live GitHub App billing and plan state before any payment announcement | Billing dashboard/API evidence not recorded in this pass |
+| Social and longform copy | X thread, LinkedIn copy, article outline, GitHub release copy exist | Replace any stale URLs, then publish only after release/npm/plugin URLs work | Public URLs not final until release actions complete |
+
+## Rename After rc.1
+
+If the project moves from "Everything Claude Code" toward "ECC" after rc.1,
+do it as a staged migration:
+
+1. Keep `ecc-universal` as the npm package until a replacement package has a
+   verified owner, deprecation plan, and install migration.
+2. Keep `affaan-m/everything-claude-code` as the canonical repo until release
+   notes, docs, plugin marketplace entries, npm metadata, and external links
+   are prepared for redirects.
+3. Use `ECC` as the product name in new diagrams, status payloads, and
+   cross-harness docs immediately.
+4. Reserve or create any new GitHub/npm/package surfaces before announcing the
+   rename.
+5. Ship a compatibility guide that maps old commands, package names, plugin
+   slugs, and docs URLs to the new names.
+
+## Evidence Captured In This Pass
+
+```text
+git rev-parse HEAD
+7109ee08db7209c5d14809efcf832043020dfc57
+
+node -p "require('./package.json').name + '@' + require('./package.json').version"
+ecc-universal@2.0.0-rc.1
+
+node -p "require('./.claude-plugin/plugin.json').name + '@' + require('./.claude-plugin/plugin.json').version"
+ecc@2.0.0-rc.1
+
+node -p "require('./.codex-plugin/plugin.json').name + '@' + require('./.codex-plugin/plugin.json').version"
+ecc@2.0.0-rc.1
+
+node -p "require('./.opencode/package.json').name + '@' + require('./.opencode/package.json').version"
+ecc-universal@2.0.0-rc.1
+
+npm view ecc name version description repository.url --json
+ecc@0.0.2 is occupied by an unrelated elliptic curve cryptography package.
+
+npm view ecc-universal name version dist-tags --json
+registry latest is 1.10.0; no rc dist-tag exists yet.
+
+claude plugin validate .claude-plugin/plugin.json
+Validation passed on Claude Code 2.1.121.
+
+node tests/docs/ecc2-release-surface.test.js
+18 release-surface checks passed.
+
+node tests/scripts/npm-publish-surface.test.js
+2 npm publish-surface checks passed.
+
+npm run build:opencode
+Passed.
+
+npm pack --dry-run --json
+Produced ecc-universal-2.0.0-rc.1.tgz, 969 entries, about 5.0 MB unpacked.
+```

docs/releases/2.0.0-rc.1/publication-readiness.md

@@ -4,6 +4,9 @@ This checklist is the release gate for public publication surfaces. Do not use
 it as evidence by itself. Fill the evidence fields with fresh command output or
 URLs from the exact commit being released.
 
+For the current rc.1 naming decision and package/plugin publication path, see
+[`naming-and-publication-matrix.md`](naming-and-publication-matrix.md).
+
 ## Release Identity Matrix
 
 | Surface | Expected value | Source of truth | Fresh check | Evidence artifact | Owner | Status |
@@ -42,7 +45,7 @@ Record the exact commit SHA and command output before any publication action:
 | Clean release branch | `git status --short --branch` | On intended release commit; no unrelated files | Pending |
 | Harness audit | `npm run harness:audit -- --format json` | 70/70 passing | Pending |
 | Adapter scorecard | `npm run harness:adapters -- --check` | PASS | Pending |
-| Observability readiness | `npm run observability:ready` | 14/14 passing | Pending |
+| Observability readiness | `npm run observability:ready` | 16/16 passing | Pending |
 | Root suite | `node tests/run-all.js` | 0 failures | Pending |
 | Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | Pending |
 | Package surface | `node tests/scripts/npm-publish-surface.test.js` | 0 failures | Pending |

docs/stale-pr-salvage-ledger.md

@@ -19,16 +19,22 @@ on fresh branches, and credit the source PR.
 
 | Source PR | Original contribution | Salvage result |
 | --- | --- | --- |
+| #1232 | `skill-scout` search-before-creating workflow | Salvaged in the May 12 cost/skill-scout maintainer pass with current repo wording, external-source vetting, and no stale catalog-count edits. |
+| #1304 | Cost tracking skill and `/cost-report` command | Salvaged in the May 12 cost/skill-scout maintainer pass with current command/skill conventions and without stale hard-coded model pricing. |
 | #1309 | Trading/community project material | Salvaged in #1761 as a neutral community-project README listing. |
+| #1310 | Django reviewer, build resolver, and Celery async task guidance | Salvaged in the May 12 Django/Celery maintainer pass with current catalog counts and minor example cleanup. |
 | #1322 | Vietnamese README translation | Salvaged in #1764 as `docs/vi-VN/README.md` plus selector updates. |
+| #1325 | Quarkus framework guidance, Java agents, and localization material | Salvaged across #1771 and #1803; stale broad docs/count edits were not copied. |
 | #1326 | Angular developer skill and rules | Salvaged in #1763 with current skill, rules, install wiring, and catalog updates. |
 | #1328 | Continuous-learning Windows UTF-8 stdout fix | Salvaged in #1761. |
 | #1329 | Plugin install detection hardening | Salvaged in #1761 through current harness audit detection support. |
 | #1334 | Windows desktop E2E skill | Salvaged in #1762 with install, package, and catalog wiring. |
 | #1352 | Qwen install target | Salvaged in #1738 through the current Qwen install target. |
 | #1413 | Network and homelab skills/agents | Salvaged through #1729, #1731, #1745, and #1778. |
+| #1414 | F# rules, reviewer agent, and testing skill | Salvaged in #1770 with current install manifests, detection tests, and catalog wiring. |
 | #1429 | JoyCode install target | Salvaged in #1737 through the current JoyCode install target. |
 | #1467 | Scientific skills and OpenCode discovery work | Useful USPTO and gget pieces salvaged in #1740; stale generated claims were not copied. |
+| #1478 | HarmonyOS/ArkTS rules, resolver agent, and CLAUDE example | Salvaged in #1769 with current install wiring; stale `ecc2` session/TUI edits were not carried. |
 | #1493 | SessionStart context scoping | Salvaged in #1774 with current hook semantics and tests. |
 | #1498 | PRD planning flow | Salvaged in #1777. |
 | #1504 | Statusline/context monitor hooks | Salvaged in #1776 with current hook manifest structure and tests. |
@@ -37,6 +43,9 @@ on fresh branches, and credit the source PR.
 | #1559 | `error-handling` skill | Salvaged in #1772. |
 | #1566 | Agent architecture audit skill | Salvaged in #1772. |
 | #1578 | OpenCode file-probe hardening | Salvaged in #1773. |
+| #1603 | `plan-orchestrate` skill | Salvaged in #1766 with current manifest/catalog wiring. |
+| #1658 | Code-reviewer false-positive suppression | Salvaged in the May 12 code-reviewer maintainer pass with current review-agent wording, a proof gate for HIGH/CRITICAL findings, common false-positive exclusions, and a regression test. |
+| #1659 | Frontend design direction and interface-polish skills | Salvaged in the May 12 frontend-design maintainer pass with canonical `skills/` layout and current ECC frontend guidance, while preserving the repo guardrail that the official `frontend-design` skill should be installed from `anthropics/skills`. |
 | #1674 | Production audit skill | Salvaged in #1732 after supply-chain/privacy review and rewrite. |
 | #1687 | zh-CN localization sync | Large safe subsets salvaged in #1746-#1752; remaining pieces require translator/manual review. |
 | #1694 | Portfolio curation | Useful focused curation updates salvaged in #1723 and #1724. |
@@ -50,6 +59,41 @@ on fresh branches, and credit the source PR.
 | #1727 | MySQL patterns skill | Salvaged in #1733. |
 | #1757 | Machine-learning engineering workflow | Salvaged in #1758 and tuned in #1759. |
 
+## 2026-05-12 Gap Pass
+
+The initial stale-closure ledger covered the P0 cleanup cohort and the biggest
+salvage branches. A follow-up gap pass over PRs closed on 2026-05-11 found
+additional useful items that were already present on `main` or still worth
+porting.
+
+| Source PR | Disposition |
+| --- | --- |
+| #1310 | Ported through the Django/Celery maintainer branch after confirming `agents/django-reviewer.md`, `agents/django-build-resolver.md`, and `skills/django-celery/SKILL.md` were still missing. |
+| #1325 | Useful Quarkus framework material was already preserved across #1771 and #1803; current `main` contains the Quarkus rules/skills plus Java reviewer/build-resolver surfaces. |
+| #1360 | Already present as `skills/security-bounty-hunter/`. |
+| #1414 | Useful F# support was already preserved in #1770; current `main` contains the F# rules, reviewer agent, testing skill, install wiring, and detection tests. |
+| #1415 | Already present as `skills/vite-patterns/`. |
+| #1478 | Useful HarmonyOS/ArkTS support was already preserved in #1769; current `main` contains the ArkTS rules, resolver agent, CLAUDE example, and install wiring. |
+| #1438 | Already present as `skills/ui-to-vue/`. |
+| #1504 | Already mapped to #1776 in the durable salvage table. |
+| #1508 | Already present as `skills/fastapi-patterns/` and `agents/fastapi-reviewer.md`. |
+| #1563/#1564/#1565 | Translator/manual review: zh-TW, tr, and pt-BR README syncs may contain useful localization updates, but stale README/version/count text must be reviewed by language owners before import. |
+| #1567 | Already present as the current GateGuard subagent file-gate bypass in `scripts/hooks/gateguard-fact-force.js`, with Bash gates preserved and regression tests in `tests/hooks/gateguard-fact-force.test.js`. |
+| #1570 | Already present as public `llm.prompt` imports, keyword-based `PromptBuilder` construction, and template registry helpers; current tests register the `unit` marker through `tests/conftest.py`. |
+| #1584 | Already present as the iTerm2 native desktop-notification fast path in `scripts/hooks/desktop-notify.js`, with multiplexer fallback to `osascript`. |
+| #1589 | Already present as quoted `actions/checkout` detection in `scripts/ci/validate-workflow-security.js` plus double/single-quote regression tests. |
+| #1594 | Already present as HTTP MCP reachability handling that treats HTTP 400, 401, and 403 probe responses as reachable/auth-gated, with hook tests. |
+| #1597 | Already present as catalog-count validation for README, AGENTS, zh-CN docs, `.claude-plugin/plugin.json`, and `.claude-plugin/marketplace.json`. |
+| #1602 | Already present as the `continuous-learning` v1 deprecation that routes new usage to `continuous-learning-v2` while preserving the archival v1 surface. |
+| #1603 | Useful `/plan-orchestrate` work was already preserved in #1766 with current package/catalog metadata. |
+| #1604 | Skipped: Windows drag-and-drop local installer copies files directly and runs `git pull`; current managed installer/profile flow is safer and supersedes it. |
+| #1609 | Translator/manual review: Persian README translation may be useful, but needs language review and current catalog/version refresh before import. |
+| #1613 | Already present in `rules/web/hooks.md` as the `tsc --incremental` plus timeout-capped PostToolUse example. |
+| #1631 | Already present in `scripts/hooks/suggest-compact.js` and `tests/hooks/hooks.test.js`; current code reads `session_id` from stdin JSON before falling back to `CLAUDE_SESSION_ID`. |
+| #1648 | Already present in `src/llm/providers/claude.py`; current Claude provider collects all text and tool-use content blocks and covers the behavior in `tests/test_claude_provider.py`. |
+| #1658 | Ported through the code-reviewer maintainer branch after confirming the false-positive proof gate and common false-positive skip list were still missing. |
+| #1693 | Already present as `skills/redis-patterns/`. |
+
 ## Already Present Or Superseded
 
 | Source PR | Disposition |
@@ -58,6 +102,9 @@ on fresh branches, and credit the source PR.
 | #1318 | Gemini agent adaptation utility was already present on current `main`. |
 | #1323 | Hook config update was already present on current `main`. |
 | #1337 | Catalog count update was superseded by current catalog-count sync. |
+| #1631 | `suggest-compact` stdin `session_id` isolation was already present on current `main` with hook tests. |
+| #1608 | Unsafe dashboard document/terminal open handling was already present on current `main` through safe runtime helpers and project-bound document opening. |
+| #1678 | Windows MCP `.cmd`/`.bat` fallback behavior was already present on current `main` with current health-check tests. |
 | #1682/#1701 | Strategic compact hook-path fixes were merged directly or superseded by current docs fixes. |
 | JARVIS #4/#5/#6 | Stale failing dependency-only PRs; future dependency state should be regenerated by Dependabot. |
 
@@ -70,15 +117,22 @@ on fresh branches, and credit the source PR.
 | #1341 | Very large low-signal generated change with no safe focused salvage unit. |
 | #1416/#1465 | Accidental fork-sync PRs with no focused contribution. |
 | #1475 | One-line Gemini CLI bridge idea was too stale and underspecified to port safely. |
+| #1604 | Drag-and-drop Windows installer bypasses the current managed installer, performs direct broad copies, and runs `git pull` from a local install script. |
 
 ## Remaining Manual-Review Backlog
 
-Only the #1687 localization tail remains plausibly useful but unsafe to
-auto-port.
+The remaining plausibly useful backlog is translation/localization work that is
+unsafe to auto-port without language-owner review:
+
+- #1687 zh-CN localization tail
+- #1609 Persian README translation
+- #1563 zh-TW README sync
+- #1564 Turkish README sync
+- #1565 pt-BR README sync
 
 Handling rule:
 
-1. Keep #1687 in translator/manual review.
+1. Keep these PRs in translator/manual review.
 2. Split any future work by surface: agents, commands, top-level docs, release
    and count surfaces, then skills.
 3. Do not import stale top-level docs that carry old version or catalog-count

docs/zh-CN/AGENTS.md

@@ -1,6 +1,6 @@
 # Everything Claude Code (ECC) — 智能体指令
 
-这是一个**生产就绪的 AI 编码插件**，提供 58 个专业代理、220 项技能、74 条命令以及自动化钩子工作流，用于软件开发。
+这是一个**生产就绪的 AI 编码插件**，提供 60 个专业代理、225 项技能、75 条命令以及自动化钩子工作流，用于软件开发。
 
 **版本:** 2.0.0-rc.1
 
@@ -146,9 +146,9 @@
 ## 项目结构
 
 ```
-agents/          — 58 个专业子代理
-skills/          — 220 个工作流技能和领域知识
-commands/        — 74 个斜杠命令
+agents/          — 60 个专业子代理
+skills/          — 225 个工作流技能和领域知识
+commands/        — 75 个斜杠命令
 hooks/           — 基于触发的自动化
 rules/           — 始终遵循的指导方针（通用 + 每种语言）
 scripts/         — 跨平台 Node.js 实用工具

docs/zh-CN/README.md

@@ -224,7 +224,7 @@ Copy-Item -Recurse rules/typescript "$HOME/.claude/rules/"
 /plugin list ecc@ecc
 ```
 
-**搞定！** 你现在可以使用 58 个智能体、220 项技能和 74 个命令了。
+**搞定！** 你现在可以使用 60 个智能体、225 项技能和 75 个命令了。
 
 ***
 
@@ -1136,9 +1136,9 @@ opencode
 
 | 功能特性 | Claude Code | OpenCode | 状态 |
 |---------|-------------|----------|--------|
-| 智能体 | PASS: 58 个 | PASS: 12 个 | **Claude Code 领先** |
-| 命令 | PASS: 74 个 | PASS: 35 个 | **Claude Code 领先** |
-| 技能 | PASS: 220 项 | PASS: 37 项 | **Claude Code 领先** |
+| 智能体 | PASS: 60 个 | PASS: 12 个 | **Claude Code 领先** |
+| 命令 | PASS: 75 个 | PASS: 35 个 | **Claude Code 领先** |
+| 技能 | PASS: 225 项 | PASS: 37 项 | **Claude Code 领先** |
 | 钩子 | PASS: 8 种事件类型 | PASS: 11 种事件 | **OpenCode 更多！** |
 | 规则 | PASS: 29 条 | PASS: 13 条指令 | **Claude Code 领先** |
 | MCP 服务器 | PASS: 14 个 | PASS: 完整 | **完全对等** |
@@ -1244,9 +1244,9 @@ ECC 是**第一个最大化利用每个主要 AI 编码工具的插件**。以
 
 | 功能特性 | Claude Code | Cursor IDE | Codex CLI | OpenCode |
 |---------|------------|------------|-----------|----------|
-| **智能体** | 58 | 共享 (AGENTS.md) | 共享 (AGENTS.md) | 12 |
-| **命令** | 74 | 共享 | 基于指令 | 35 |
-| **技能** | 220 | 共享 | 10 (原生格式) | 37 |
+| **智能体** | 60 | 共享 (AGENTS.md) | 共享 (AGENTS.md) | 12 |
+| **命令** | 75 | 共享 | 基于指令 | 35 |
+| **技能** | 225 | 共享 | 10 (原生格式) | 37 |
 | **钩子事件** | 8 种类型 | 15 种类型 | 暂无 | 11 种类型 |
 | **钩子脚本** | 20+ 个脚本 | 16 个脚本 (DRY 适配器) | N/A | 插件钩子 |
 | **规则** | 34 (通用 + 语言) | 34 (YAML 前页) | 基于指令 | 13 条指令 |

examples/hud-status-contract.json

@@ -0,0 +1,117 @@
+{
+  "schema_version": "ecc.hud-status.v1",
+  "generatedAt": "2026-05-12T00:00:00.000Z",
+  "context": {
+    "harness": "codex",
+    "model": "gpt-5",
+    "repo": "affaan-m/everything-claude-code",
+    "branch": "main",
+    "worktree": "/repo/everything-claude-code",
+    "sessionId": "session-active",
+    "contextWindow": {
+      "remainingPct": 62,
+      "pressure": "normal"
+    }
+  },
+  "toolCalls": {
+    "total": 47,
+    "pending": 0,
+    "stale": 0,
+    "lastTool": {
+      "name": "gh-pr-view",
+      "status": "success",
+      "finishedAt": "2026-05-12T00:00:00.000Z"
+    }
+  },
+  "activeAgents": [
+    {
+      "id": "worker-release-docs",
+      "state": "completed",
+      "branch": "codex/release-docs",
+      "worktree": "/tmp/ecc-release-docs",
+      "objective": "Update release readiness docs",
+      "handoffPath": "/tmp/ecc-release-docs/handoff.md"
+    }
+  ],
+  "todos": {
+    "inProgress": "Verify release publication matrix",
+    "counts": {
+      "pending": 2,
+      "inProgress": 1,
+      "completed": 6
+    }
+  },
+  "checks": {
+    "local": [
+      {
+        "command": "npm run observability:ready",
+        "status": "pass"
+      }
+    ],
+    "remote": [
+      {
+        "name": "CI",
+        "status": "pass",
+        "url": "https://github.com/affaan-m/everything-claude-code/actions"
+      }
+    ]
+  },
+  "cost": {
+    "sessionUsd": 1.23,
+    "budgetUsd": 10,
+    "trend": "within-budget"
+  },
+  "risk": {
+    "status": "attention",
+    "reasons": [
+      "release tag not published"
+    ],
+    "dirtyWorktree": false,
+    "conflicts": 0,
+    "manualReviewRequired": true
+  },
+  "queueState": {
+    "github": {
+      "openPullRequests": 0,
+      "openIssues": 0,
+      "openDiscussions": 0
+    },
+    "mergeQueue": [],
+    "conflictQueue": [],
+    "staleSalvageQueue": [
+      {
+        "sourcePullRequest": 1310,
+        "status": "landed"
+      }
+    ]
+  },
+  "sessionControls": {
+    "supported": [
+      "create",
+      "resume",
+      "status",
+      "stop",
+      "diff",
+      "pr",
+      "mergeQueue",
+      "conflictQueue"
+    ],
+    "blocked": []
+  },
+  "sync": {
+    "Linear": {
+      "project": "ECC 2.0 GA",
+      "health": "atRisk",
+      "issueCapacityBlocked": true,
+      "latestStatusUpdateId": "status-update-id"
+    },
+    "GitHub": {
+      "repo": "affaan-m/everything-claude-code",
+      "latestPullRequest": 1820
+    },
+    "handoff": {
+      "path": "~/.cluster-swarm/handoffs/ecc-update.md",
+      "written": true
+    }
+  }
+}

manifests/install-modules.json

@@ -137,8 +137,10 @@
         "skills/django-verification",
         "skills/dotnet-patterns",
         "skills/fastapi-patterns",
+        "skills/frontend-design-direction",
         "skills/frontend-patterns",
         "skills/frontend-slides",
+        "skills/make-interfaces-feel-better",
         "skills/motion-ui",
         "skills/golang-patterns",
         "skills/golang-testing",
@@ -236,6 +238,7 @@
         "skills/iterative-retrieval",
         "skills/plankton-code-quality",
         "skills/production-audit",
+        "skills/skill-scout",
         "skills/skill-stocktake",
         "skills/strategic-compact",
         "skills/tdd-workflow",
@@ -369,6 +372,7 @@
         "skills/automation-audit-ops",
         "skills/api-connector-builder",
         "skills/connections-optimizer",
+        "skills/cost-tracking",
         "skills/customer-billing-ops",
         "skills/dashboard-builder",
         "skills/ecc-tools-cost-audit",

package.json

@@ -124,6 +124,7 @@
     "skills/continuous-learning/",
     "skills/continuous-learning-v2/",
     "skills/cost-aware-llm-pipeline/",
+    "skills/cost-tracking/",
     "skills/council/",
     "skills/cpp-coding-standards/",
     "skills/cpp-testing/",
@@ -158,6 +159,7 @@
     "skills/fastapi-patterns/",
     "skills/finance-billing-ops/",
     "skills/foundation-models-on-device/",
+    "skills/frontend-design-direction/",
     "skills/frontend-patterns/",
     "skills/frontend-slides/",
     "skills/fsharp-testing/",
@@ -194,6 +196,7 @@
     "skills/logistics-exception-management/",
     "skills/manim-video/",
     "skills/market-research/",
+    "skills/make-interfaces-feel-better/",
     "skills/mcp-server-patterns/",
     "skills/messages-ops/",
     "skills/mle-workflow/",
@@ -241,6 +244,7 @@
     "skills/security-review/",
     "skills/security-scan/",
     "skills/seo/",
+    "skills/skill-scout/",
     "skills/skill-stocktake/",
     "skills/social-graph-ranker/",
     "skills/springboot-patterns/",

scripts/observability-readiness.js

@@ -103,6 +103,13 @@ function includesAll(text, needles) {
   return needles.every(needle => text.includes(needle));
 }
 
+function hasObjectKeys(value, keys) {
+  return value
+    && typeof value === 'object'
+    && !Array.isArray(value)
+    && keys.every(key => Object.prototype.hasOwnProperty.call(value, key));
+}
+
 function buildChecks(rootDir) {
   const packageJsonText = readText(rootDir, 'package.json');
   const packageJson = safeParseJson(packageJsonText) || {};
@@ -116,6 +123,8 @@ function buildChecks(rootDir) {
   const sessionStoreRust = readText(rootDir, 'ecc2/src/session/store.rs');
   const sessionManagerRust = readText(rootDir, 'ecc2/src/session/manager.rs');
   const readinessDoc = readText(rootDir, 'docs/architecture/observability-readiness.md');
+  const hudStatusContract = readText(rootDir, 'docs/architecture/hud-status-session-control.md');
+  const hudStatusFixture = safeParseJson(readText(rootDir, 'examples/hud-status-contract.json')) || {};
   const quickstart = readText(rootDir, 'docs/releases/2.0.0-rc.1/quickstart.md');
   const releaseNotes = readText(rootDir, 'docs/releases/2.0.0-rc.1/release-notes.md');
 
@@ -130,6 +139,50 @@ function buildChecks(rootDir) {
         && includesAll(loopStatus, ['--json', '--watch', '--write-dir']),
       fix: 'Restore loop-status JSON/watch/write-dir support.'
     },
+    {
+      id: 'hud-status-control-contract',
+      category: 'Live Status',
+      points: 2,
+      path: 'docs/architecture/hud-status-session-control.md',
+      description: 'HUD/status and session-control surfaces have a portable JSON contract',
+      pass: fileExists(rootDir, 'docs/architecture/hud-status-session-control.md')
+        && fileExists(rootDir, 'examples/hud-status-contract.json')
+        && includesAll(hudStatusContract, [
+          'context',
+          'toolCalls',
+          'activeAgents',
+          'todos',
+          'checks',
+          'cost',
+          'risk',
+          'queueState',
+          'create',
+          'resume',
+          'status',
+          'stop',
+          'diff',
+          'pr',
+          'mergeQueue',
+          'conflictQueue',
+          'Linear',
+          'GitHub',
+          'handoff'
+        ])
+        && hudStatusFixture.schema_version === 'ecc.hud-status.v1'
+        && hasObjectKeys(hudStatusFixture, [
+          'context',
+          'toolCalls',
+          'activeAgents',
+          'todos',
+          'checks',
+          'cost',
+          'risk',
+          'queueState',
+          'sessionControls',
+          'sync'
+        ]),
+      fix: 'Add the HUD/status session-control contract doc and example JSON fixture.'
+    },
     {
       id: 'session-inspect-adapter-registry',
       category: 'Session Trace',

skills/cost-tracking/SKILL.md

@@ -0,0 +1,147 @@
+---
+name: cost-tracking
+description: Track and report Claude Code token usage, spending, and budgets from a local cost-tracking database. Use when the user asks about costs, spending, usage, tokens, budgets, or cost breakdowns by project, tool, session, or date.
+origin: community
+---
+
+# Cost Tracking
+
+Use this skill to analyze Claude Code cost and usage history from a local SQLite
+database. It is intended for users who already have a cost-tracking hook or
+plugin writing usage rows to `~/.claude-cost-tracker/usage.db`.
+
+Source: salvaged from stale community PR #1304 by `MayurBhavsar`.
+
+## When to Use
+
+- The user asks "how much have I spent?", "what did this session cost?", or
+  "what is my token usage?"
+- The user mentions budgets, spending limits, overruns, or cost controls.
+- The user wants a cost breakdown by project, tool, session, model, or date.
+- The user wants to compare today against yesterday or inspect a recent trend.
+- The user asks for a CSV export of recent usage records.
+
+## How It Works
+
+First verify prerequisites:
+
+```bash
+command -v sqlite3 >/dev/null && echo "sqlite3 available" || echo "sqlite3 missing"
+test -f ~/.claude-cost-tracker/usage.db && echo "Database found" || echo "Database not found"
+```
+
+If the database is missing, do not fabricate usage data. Tell the user that cost
+tracking is not configured and suggest installing or enabling a trusted local
+cost-tracking hook/plugin.
+
+The expected `usage` table usually contains one row per tool call or model
+interaction. Column names vary by tracker, but the examples below assume:
+
+| Column | Meaning |
+| --- | --- |
+| `timestamp` | ISO timestamp for the usage event |
+| `project` | Project or repository name |
+| `tool_name` | Tool or event name |
+| `input_tokens` | Input token count, when recorded |
+| `output_tokens` | Output token count, when recorded |
+| `cost_usd` | Precomputed cost in USD |
+| `session_id` | Claude Code session identifier |
+| `model` | Model used for the event |
+
+Prefer `cost_usd` over hand-calculating pricing. Model prices and cache pricing
+change over time, and the tracker should be the source of truth for how each row
+was priced.
+
+## Examples
+
+### Quick Summary
+
+```bash
+sqlite3 ~/.claude-cost-tracker/usage.db "
+  SELECT
+    'Today: $' || ROUND(COALESCE(SUM(CASE WHEN date(timestamp) = date('now') THEN cost_usd END), 0), 4) ||
+    ' | Total: $' || ROUND(COALESCE(SUM(cost_usd), 0), 4) ||
+    ' | Calls: ' || COUNT(*) ||
+    ' | Sessions: ' || COUNT(DISTINCT session_id)
+  FROM usage;
+"
+```
+
+### Cost By Project
+
+```bash
+sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
+  SELECT project, ROUND(SUM(cost_usd), 4) AS cost, COUNT(*) AS calls
+  FROM usage
+  GROUP BY project
+  ORDER BY cost DESC;
+"
+```
+
+### Cost By Tool
+
+```bash
+sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
+  SELECT tool_name, ROUND(SUM(cost_usd), 4) AS cost, COUNT(*) AS calls
+  FROM usage
+  GROUP BY tool_name
+  ORDER BY cost DESC;
+"
+```
+
+### Last Seven Days
+
+```bash
+sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
+  SELECT date(timestamp) AS date, ROUND(SUM(cost_usd), 4) AS cost, COUNT(*) AS calls
+  FROM usage
+  GROUP BY date(timestamp)
+  ORDER BY date DESC
+  LIMIT 7;
+"
+```
+
+### Session Drilldown
+
+```bash
+sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
+  SELECT session_id,
+    MIN(timestamp) AS started,
+    MAX(timestamp) AS ended,
+    ROUND(SUM(cost_usd), 4) AS cost,
+    COUNT(*) AS calls
+  FROM usage
+  GROUP BY session_id
+  ORDER BY started DESC
+  LIMIT 10;
+"
+```
+
+## Reporting Guidance
+
+When presenting cost data, include:
+
+1. Today's spend and yesterday comparison.
+2. Total spend across the tracked database.
+3. Top projects ranked by cost.
+4. Top tools ranked by cost.
+5. Session count and average cost per session when enough data exists.
+
+For small amounts, format currency with four decimal places. For larger amounts,
+two decimals are enough.
+
+## Anti-Patterns
+
+- Do not estimate costs from raw token counts when `cost_usd` is present.
+- Do not assume the database exists without checking.
+- Do not run unbounded `SELECT *` exports on large databases.
+- Do not hard-code current model pricing in user-facing answers.
+- Do not recommend installing unreviewed hooks or plugins that execute arbitrary
+  code.
+
+## Related
+
+- `/cost-report` - Command-form report using the same database.
+- `cost-aware-llm-pipeline` - Model-routing and budget-design patterns.
+- `token-budget-advisor` - Context and token-budget planning.
+- `strategic-compact` - Context compaction to reduce repeated token spend.

skills/django-celery/SKILL.md

@@ -0,0 +1,457 @@
+---
+name: django-celery
+description: Django + Celery async task patterns — configuration, task design, beat scheduling, retries, canvas workflows, monitoring, and testing. Use when adding background jobs, scheduled tasks, or async processing to a Django app.
+origin: ECC
+---
+
+# Django + Celery Async Task Patterns
+
+Production-grade patterns for background task processing in Django using Celery with Redis or RabbitMQ.
+
+## When to Activate
+
+- Adding background jobs or async processing to a Django app
+- Implementing periodic/scheduled tasks
+- Offloading slow operations (email, PDF generation, API calls) from request cycle
+- Setting up Celery Beat for cron-like scheduling
+- Debugging task failures, retries, or queue backlogs
+- Writing tests for Celery tasks
+
+## Project Setup
+
+### Installation
+
+```bash
+pip install celery[redis] django-celery-results django-celery-beat
+```
+
+### `celery.py` — App Entrypoint
+
+```python
+# config/celery.py
+import os
+from celery import Celery
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'config.settings.development')
+
+app = Celery('myproject')
+app.config_from_object('django.conf:settings', namespace='CELERY')
+app.autodiscover_tasks()  # Discovers tasks.py in each INSTALLED_APP
+
+@app.task(bind=True, ignore_result=True)
+def debug_task(self):
+    print(f'Request: {self.request!r}')
+```
+
+```python
+# config/__init__.py
+from .celery import app as celery_app
+
+__all__ = ('celery_app',)
+```
+
+### Django Settings
+
+```python
+# config/settings/base.py
+
+# Broker (Redis recommended for production)
+CELERY_BROKER_URL = env('CELERY_BROKER_URL', default='redis://localhost:6379/0')
+CELERY_RESULT_BACKEND = env('CELERY_RESULT_BACKEND', default='django-db')
+
+# Serialization
+CELERY_ACCEPT_CONTENT = ['json']
+CELERY_TASK_SERIALIZER = 'json'
+CELERY_RESULT_SERIALIZER = 'json'
+
+# Task behavior
+CELERY_TASK_TRACK_STARTED = True
+CELERY_TASK_TIME_LIMIT = 30 * 60        # Hard limit: 30 min
+CELERY_TASK_SOFT_TIME_LIMIT = 25 * 60   # Soft limit: sends SoftTimeLimitExceeded
+CELERY_WORKER_PREFETCH_MULTIPLIER = 1   # Prevent worker hoarding long tasks
+CELERY_TASK_ACKS_LATE = True            # Re-queue on worker crash
+
+# Result persistence
+CELERY_RESULT_EXPIRES = 60 * 60 * 24   # Keep results 24 hours
+
+# Beat scheduler (for periodic tasks)
+CELERY_BEAT_SCHEDULER = 'django_celery_beat.schedulers:DatabaseScheduler'
+
+# Installed apps
+INSTALLED_APPS += [
+    'django_celery_results',
+    'django_celery_beat',
+]
+```
+
+### Running Workers
+
+```bash
+# Start worker (development)
+celery -A config worker --loglevel=info
+
+# Start beat scheduler (periodic tasks)
+celery -A config beat --loglevel=info --scheduler django_celery_beat.schedulers:DatabaseScheduler
+
+# Combined worker + beat (dev only, never production)
+celery -A config worker --beat --loglevel=info
+
+# Production: multiple workers with concurrency
+celery -A config worker --loglevel=warning --concurrency=4 -Q default,high_priority
+```
+
+## Task Design Patterns
+
+### Basic Task
+
+```python
+# apps/notifications/tasks.py
+from celery import shared_task
+import logging
+
+logger = logging.getLogger(__name__)
+
+@shared_task(name='notifications.send_welcome_email')
+def send_welcome_email(user_id: int) -> None:
+    """Send welcome email to newly registered user."""
+    from apps.users.models import User
+    from apps.notifications.services import EmailService
+
+    try:
+        user = User.objects.get(pk=user_id)
+    except User.DoesNotExist:
+        logger.warning('send_welcome_email: user %s not found', user_id)
+        return  # Idempotent — do not raise, task already impossible to complete
+
+    EmailService.send_welcome(user)
+    logger.info('Welcome email sent to user %s', user_id)
+```
+
+### Retryable Task
+
+```python
+@shared_task(
+    bind=True,
+    name='integrations.sync_to_crm',
+    max_retries=5,
+    default_retry_delay=60,       # seconds before first retry
+    autoretry_for=(ConnectionError, TimeoutError),
+    retry_backoff=True,           # exponential backoff
+    retry_backoff_max=600,        # cap at 10 minutes
+    retry_jitter=True,            # randomise to avoid thundering herd
+)
+def sync_contact_to_crm(self, contact_id: int) -> dict:
+    """Sync contact to external CRM with retry on transient failures."""
+    from apps.crm.services import CRMClient
+
+    try:
+        result = CRMClient().sync(contact_id)
+        return result
+    except CRMClient.RateLimitError as exc:
+        # Specific retry delay from response header
+        raise self.retry(exc=exc, countdown=int(exc.retry_after))
+```
+
+### Idempotent Task Pattern
+
+Design tasks so they can safely run multiple times with the same inputs:
+
+```python
+@shared_task(name='orders.mark_shipped')
+def mark_order_shipped(order_id: int, tracking_number: str) -> None:
+    """Mark order as shipped — safe to run multiple times."""
+    from apps.orders.models import Order
+
+    updated = Order.objects.filter(
+        pk=order_id,
+        status=Order.Status.PROCESSING,    # Guard: only update if not already shipped
+    ).update(
+        status=Order.Status.SHIPPED,
+        tracking_number=tracking_number,
+    )
+
+    if not updated:
+        logger.info('mark_order_shipped: order %s already shipped or not found', order_id)
+```
+
+### Task with Soft Time Limit
+
+```python
+from celery.exceptions import SoftTimeLimitExceeded
+
+@shared_task(
+    bind=True,
+    name='reports.generate_pdf',
+    soft_time_limit=120,
+    time_limit=150,
+)
+def generate_pdf_report(self, report_id: int) -> str:
+    """Generate PDF report with graceful timeout handling."""
+    from apps.reports.services import PDFGenerator
+
+    try:
+        path = PDFGenerator.build(report_id)
+        return path
+    except SoftTimeLimitExceeded:
+        # Clean up partial files before hard kill
+        PDFGenerator.cleanup(report_id)
+        raise
+```
+
+## Calling Tasks
+
+```python
+from datetime import timedelta
+from django.utils import timezone
+
+# Fire and forget (async)
+send_welcome_email.delay(user.pk)
+
+# Schedule in the future
+send_reminder.apply_async(args=[user.pk], countdown=3600)  # 1 hour from now
+send_reminder.apply_async(args=[user.pk], eta=timezone.now() + timedelta(days=1))
+
+# Apply with queue routing
+sync_contact_to_crm.apply_async(args=[contact.pk], queue='high_priority')
+
+# Run synchronously (tests / debugging only)
+result = generate_pdf_report.apply(args=[report.pk])
+```
+
+## Beat Scheduling (Periodic Tasks)
+
+### Code-Defined Schedule
+
+```python
+# config/settings/base.py
+from celery.schedules import crontab
+
+CELERY_BEAT_SCHEDULE = {
+    'cleanup-expired-sessions': {
+        'task': 'users.cleanup_expired_sessions',
+        'schedule': crontab(hour=2, minute=0),   # 2am daily
+    },
+    'sync-inventory': {
+        'task': 'products.sync_inventory',
+        'schedule': 60.0,                         # every 60 seconds
+    },
+    'weekly-digest': {
+        'task': 'notifications.send_weekly_digest',
+        'schedule': crontab(day_of_week='monday', hour=8, minute=0),
+    },
+}
+```
+
+### Database-Defined Schedule (via django-celery-beat)
+
+```python
+# Manage periodic tasks from Django admin or code
+from django_celery_beat.models import PeriodicTask, CrontabSchedule
+import json
+
+schedule, _ = CrontabSchedule.objects.get_or_create(
+    hour='*/6', minute='0',
+    timezone='UTC',
+)
+
+PeriodicTask.objects.update_or_create(
+    name='Sync inventory every 6 hours',
+    defaults={
+        'crontab': schedule,
+        'task': 'products.sync_inventory',
+        'args': json.dumps([]),
+        'enabled': True,
+    }
+)
+```
+
+## Canvas: Chaining and Grouping Tasks
+
+```python
+from celery import chain, group, chord
+
+# Chain: run tasks sequentially, passing results
+pipeline = chain(
+    fetch_data.s(source_id),
+    transform_data.s(),          # receives fetch_data result as first arg
+    load_to_warehouse.s(),
+)
+pipeline.delay()
+
+# Group: run tasks in parallel
+parallel = group(
+    send_welcome_email.s(user_id)
+    for user_id in new_user_ids
+)
+parallel.delay()
+
+# Chord: parallel tasks + callback when all complete
+result = chord(
+    group(process_chunk.s(chunk) for chunk in data_chunks),
+    aggregate_results.s(),       # called with list of chunk results
+)
+result.delay()
+```
+
+## Error Handling and Dead Letter Queue
+
+```python
+# apps/core/tasks.py
+from celery.signals import task_failure
+
+@task_failure.connect
+def on_task_failure(sender, task_id, exception, args, kwargs, traceback, einfo, **kw):
+    """Log all task failures to Sentry / alerting."""
+    import sentry_sdk
+    with sentry_sdk.new_scope() as scope:
+        scope.set_context('celery', {
+            'task': sender.name,
+            'task_id': task_id,
+            'args': args,
+            'kwargs': kwargs,
+        })
+        sentry_sdk.capture_exception(exception)
+```
+
+```python
+# Route failed tasks to dead-letter queue after max retries
+@shared_task(
+    bind=True,
+    max_retries=3,
+    name='payments.charge_card',
+)
+def charge_card(self, order_id: int) -> None:
+    from apps.payments.models import Order, FailedCharge
+
+    try:
+        _do_charge(order_id)
+    except Exception as exc:
+        if self.request.retries >= self.max_retries:
+            # Persist to dead-letter table for manual review
+            FailedCharge.objects.create(
+                order_id=order_id,
+                error=str(exc),
+                task_id=self.request.id,
+            )
+            return  # Don't raise — task is permanently failed
+        raise self.retry(exc=exc)
+```
+
+## Testing Celery Tasks
+
+### Unit Testing (No Broker)
+
+```python
+# tests/test_tasks.py
+import pytest
+from unittest.mock import patch, MagicMock
+from apps.notifications.tasks import send_welcome_email
+
+class TestSendWelcomeEmail:
+
+    @pytest.mark.django_db
+    def test_sends_email_to_existing_user(self, user):
+        with patch('apps.notifications.services.EmailService') as mock_email:
+            send_welcome_email(user.pk)
+            mock_email.send_welcome.assert_called_once_with(user)
+
+    @pytest.mark.django_db
+    def test_skips_missing_user_gracefully(self):
+        """Should not raise when user is deleted between enqueue and execute."""
+        send_welcome_email(99999)  # Non-existent user — must not raise
+```
+
+### Integration Testing with CELERY_TASK_ALWAYS_EAGER
+
+```python
+# config/settings/test.py
+CELERY_TASK_ALWAYS_EAGER = True      # Run tasks synchronously in tests
+CELERY_TASK_EAGER_PROPAGATES = True  # Re-raise exceptions from tasks
+
+# tests/test_integration.py
+@pytest.mark.django_db
+def test_registration_triggers_welcome_email(client):
+    with patch('apps.notifications.services.EmailService') as mock_email:
+        response = client.post('/api/users/', {
+            'email': 'new@example.com',
+            'password': 'strongpass123',
+        })
+
+    assert response.status_code == 201
+    mock_email.send_welcome.assert_called_once()
+```
+
+### Testing Retries
+
+```python
+@pytest.mark.django_db
+def test_task_retries_on_connection_error():
+    with patch('apps.crm.services.CRMClient.sync') as mock_sync:
+        mock_sync.side_effect = ConnectionError('timeout')
+
+        with pytest.raises(ConnectionError):
+            sync_contact_to_crm.apply(args=[1], throw=True)
+
+        assert mock_sync.call_count == 1  # First attempt only when eager
+```
+
+## Monitoring
+
+```bash
+# Inspect active workers and queues
+celery -A config inspect active
+celery -A config inspect stats
+celery -A config inspect reserved
+
+# Check queue lengths (Redis)
+redis-cli llen celery
+
+# Flower: web-based real-time monitor
+pip install flower
+celery -A config flower --port=5555
+```
+
+## Anti-Patterns
+
+```python
+# BAD: Passing model instances — they may be stale by execution time
+send_welcome_email.delay(user)        # Never pass ORM objects
+send_welcome_email.delay(user.pk)     # Always pass PKs
+
+# BAD: Calling tasks synchronously in production views
+result = generate_report.apply()      # Blocks the request thread
+
+# BAD: Non-idempotent task without guards
+@shared_task
+def charge_and_fulfill(order_id):
+    order.charge()     # May charge twice if task retries!
+    order.fulfill()
+
+# GOOD: Idempotent with status guard
+@shared_task
+def charge_and_fulfill(order_id):
+    order = Order.objects.select_for_update().get(pk=order_id)
+    if order.status != Order.Status.PENDING:
+        return  # Already processed
+    order.charge()
+    order.fulfill()
+```
+
+## Production Checklist
+
+| Check | Setting |
+|-------|---------|
+| Worker restarts on crash | `supervisord` or `systemd` unit |
+| `CELERY_TASK_ACKS_LATE = True` | Re-queue tasks on worker crash |
+| `CELERY_WORKER_PREFETCH_MULTIPLIER = 1` | Fair distribution of long tasks |
+| Separate queues per priority | `-Q default,high_priority,low_priority` |
+| `CELERY_TASK_SOFT_TIME_LIMIT` set | Graceful timeout before hard kill |
+| Sentry integration | Capture all `task_failure` signals |
+| Flower or other monitor | Visibility into queue depths |
+| Beat runs on single node only | Prevents duplicate scheduled task execution |
+
+## Related Skills
+
+- `django-patterns` — ORM, service layer, and project structure
+- `django-tdd` — Testing Django models, views, and services
+- `python-testing` — pytest configuration and fixtures

skills/frontend-design-direction/SKILL.md

@@ -0,0 +1,92 @@
+---
+name: frontend-design-direction
+description: Set an ECC-specific frontend design direction for production UI work. Use when building or improving websites, dashboards, applications, components, landing pages, visual tools, or any web UI that needs stronger product-specific design judgment.
+origin: community
+---
+
+# Frontend Design Direction
+
+Use this skill when the work is not just making UI function, but making it feel
+purposeful, polished, and appropriate to the product domain.
+
+Source: salvaged from stale community PR #1659 by `linus707`.
+
+Note: ECC intentionally does not rebundle the canonical Anthropic
+`frontend-design` skill. Install that from `anthropics/skills` when you want the
+official upstream skill. This skill is the ECC-specific design-direction salvage
+of the useful local guidance from #1659.
+
+## When to Use
+
+- The user asks to build a web page, app, dashboard, artifact, component, or UI.
+- The user asks to make an interface more polished, distinctive, beautiful, or
+  less generic.
+- The implementation needs visual hierarchy, typography, color, motion, layout,
+  and interaction choices.
+- The current UI works but reads as flat, generic, templated, or mismatched to
+  the audience.
+
+## Design Direction
+
+Before coding, choose a specific direction:
+
+1. Purpose: what job does the interface do?
+2. Audience: who repeats this workflow, and what do they need to scan first?
+3. Tone: utilitarian, editorial, playful, industrial, refined, technical,
+   maximal, minimal, dense, calm, or another explicit direction.
+4. Memorable detail: one design idea that makes the result feel intentional.
+5. Constraints: framework, accessibility, performance, responsiveness, and
+   existing design system.
+
+Match the direction to the domain. A SaaS operations tool should usually be
+dense, quiet, and scannable. A portfolio, launch page, game, or editorial piece
+can be more expressive. Do not force a landing-page composition onto a tool that
+needs repeated daily use.
+
+## Implementation Guidance
+
+- Build the actual usable experience as the first screen unless the user
+  explicitly asks for marketing copy.
+- Use existing project components, tokens, icon libraries, and routing patterns
+  before introducing a new visual system.
+- Use real or generated visual assets when the interface depends on images,
+  products, places, people, gameplay, charts, or inspectable media.
+- Prefer contextual typography and spacing over generic oversized hero text.
+- Keep palettes multi-dimensional: avoid a UI dominated by one hue family.
+- Use CSS variables or existing design tokens so the direction remains
+  coherent across states.
+- Design responsive constraints explicitly: grids, aspect ratios, min/max
+  sizes, stable toolbars, and fixed-format controls should not shift when labels
+  or hover states appear.
+- Use motion sparingly but deliberately. Prefer high-signal transitions that
+  clarify state over decorative animation.
+- Verify text fit on mobile and desktop. Long labels must wrap or resize
+  cleanly rather than overflowing.
+
+## Anti-Patterns
+
+- Do not default to common generated patterns: purple gradients, decorative
+  blobs, oversized cards, vague hero copy, or stock-like atmospheric media.
+- Do not add UI cards inside other cards.
+- Do not use a single decorative style everywhere when the domain calls for
+  restraint.
+- Do not hide the primary product, tool, object, or workflow behind generic
+  marketing sections.
+- Do not add a new dependency for a design flourish unless it clearly pays for
+  itself.
+- Do not describe the UI's features inside the UI when the controls can speak
+  for themselves.
+
+## Review Checklist
+
+- The first viewport immediately communicates the product, workflow, or object.
+- The visual hierarchy supports scanning and repeated use.
+- Typography fits the container and does not overlap adjacent content.
+- Color choices have contrast and do not collapse into a one-note palette.
+- Icons are used for familiar tool actions where available.
+- Responsive layout has stable dimensions for boards, grids, toolbars,
+  controls, tiles, and counters.
+- Assets render and carry the subject matter instead of acting as filler.
+- Motion improves orientation and does not mask sluggishness.
+- The result matches the repo's existing frontend conventions unless there is a
+  clear reason to depart.

skills/make-interfaces-feel-better/SKILL.md

@@ -0,0 +1,151 @@
+---
+name: make-interfaces-feel-better
+description: Apply concrete design-engineering details that make interfaces feel polished. Use when reviewing or improving UI spacing, typography, borders, shadows, motion, hit areas, icons, text wrapping, and interaction states.
+origin: community
+---
+
+# Make Interfaces Feel Better
+
+Use this skill for the small design-engineering details that compound into a
+more polished interface.
+
+Source: salvaged from stale community PR #1659 by `linus707`.
+
+## When to Use
+
+- The user says the UI feels off, flat, generic, cramped, jumpy, or unfinished.
+- You are building controls, cards, lists, dashboards, navigation, forms, or
+  toolbars.
+- A component needs hover, active, focus, enter, exit, loading, or empty states.
+- A frontend review needs specific before/after recommendations.
+
+## Core Principles
+
+### Concentric Radius
+
+For nearby nested rounded surfaces:
+
+```text
+outer radius = inner radius + padding
+```
+
+If padding is large, treat layers as separate surfaces instead of forcing the
+math. The point is optical coherence, not formula worship.
+
+### Optical Alignment
+
+Geometric centering is not always visual centering. Icon buttons, play
+triangles, arrows, stars, and asymmetric icons often need a small offset. Fix the
+SVG when possible; otherwise adjust with a pixel-level margin or padding change.
+
+### Shadows And Borders
+
+Use borders for separation and focus rings. Use layered shadows when a card,
+button, dropdown, or popover needs depth. Shadows should be transparent and
+subtle enough to work across backgrounds.
+
+### Text Wrapping
+
+- Use `text-wrap: balance` on headings and short titles.
+- Use `text-wrap: pretty` on short-to-medium body text, captions, descriptions,
+  and list items.
+- Avoid both on long prose, code, and preformatted content.
+- Use `font-variant-numeric: tabular-nums` for counters, timers, prices, tables,
+  and other updating numbers.
+
+### Font Smoothing
+
+On macOS, apply antialiased font smoothing at the root layout when the project
+does not already do so:
+
+```css
+html {
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+```
+
+### Image Outlines
+
+Images often need a subtle inset outline so their edges do not blur into the
+surface.
+
+```css
+img {
+  outline: 1px solid rgba(0, 0, 0, 0.1);
+  outline-offset: -1px;
+}
+
+@media (prefers-color-scheme: dark) {
+  img {
+    outline-color: rgba(255, 255, 255, 0.1);
+  }
+}
+```
+
+Use neutral black or white alpha outlines. Do not tint image outlines with the
+brand palette.
+
+### Motion
+
+Use CSS transitions for interactive state changes because they can retarget
+when the user changes intent mid-motion. Reserve keyframes for staged
+one-shot entrances or loading sequences.
+
+Good motion defaults:
+
+- Enter: combine opacity, small `translateY`, and optionally blur.
+- Exit: shorter and quieter than enter, usually 150ms.
+- Press: `scale(0.96)` for tactile buttons, with a way to disable it when the
+  movement distracts.
+- Icon swaps: cross-fade with opacity, scale, and blur instead of instant
+  visibility toggles.
+
+### Transition Scope
+
+Never use `transition: all`. Specify the changed properties:
+
+```css
+.button {
+  transition-property: transform, background-color, box-shadow;
+  transition-duration: 150ms;
+  transition-timing-function: ease-out;
+}
+```
+
+Use `will-change` only for first-frame stutter on compositor-friendly
+properties such as `transform`, `opacity`, and `filter`. Never use
+`will-change: all`.
+
+### Hit Areas
+
+Interactive controls should have at least a 40x40px hit area, ideally 44x44px
+where the layout allows it. Expand with a pseudo-element when the visible icon
+is smaller, but do not let expanded hit areas overlap.
+
+## Review Output
+
+When reviewing a UI polish pass, report concrete changes in before/after rows:
+
+| Principle | Before | After |
+| --- | --- | --- |
+| Concentric radius | Same radius on parent and child | Parent radius accounts for padding |
+| Tabular numbers | Counter shifts as digits change | Counter uses `tabular-nums` |
+| Transition scope | `transition: all` | Explicit transition properties |
+
+Include file paths and properties when they are not obvious from the snippets.
+Omit principles that you checked but did not change.
+
+## Checklist
+
+- Nested rounded elements are optically coherent.
+- Icons are visually centered.
+- Buttons, cards, and popovers use borders or shadows for the right reason.
+- Headings and short text avoid awkward wrapping.
+- Dynamic numbers use tabular numerals.
+- Images have neutral outlines where needed.
+- Enter and exit animations are split, subtle, and interruptible where
+  appropriate.
+- Buttons have tactile active states without exaggerated motion.
+- `transition: all` and `will-change: all` are absent.
+- Small controls still have usable hit areas.

skills/skill-scout/SKILL.md

@@ -0,0 +1,140 @@
+---
+name: skill-scout
+description: Search existing local, marketplace, GitHub, and web skill sources before creating a new skill. Use when the user wants to create, build, fork, or find a skill for a workflow.
+origin: community
+---
+
+# Skill Scout
+
+Use this skill before creating a new skill. The goal is to avoid duplicating
+existing community or marketplace work, while still vetting anything external
+before adoption.
+
+Source: salvaged from stale community PR #1232 by `redminwang`.
+
+## When to Use
+
+- The user says "create a skill", "build a skill", "make a skill", or "new
+  skill".
+- The user asks "is there a skill for X?" or "does a skill exist that does Y?"
+- The user describes a workflow and you are about to suggest creating a new
+  skill.
+- The user wants to fork or extend an existing skill.
+
+If the user explicitly says to skip search or create from scratch, acknowledge
+that and proceed with the requested creation workflow.
+
+## How It Works
+
+### Step 1 - Capture Intent
+
+Extract:
+
+- The task the skill should perform.
+- The trigger conditions for using it.
+- The domain, tools, frameworks, or data sources involved.
+- Three to five search keywords plus useful synonyms.
+
+### Step 2 - Search Local Sources
+
+Search installed and marketplace skill names first. Local sources are preferred
+because they are already part of the user's environment.
+
+```bash
+find ~/.claude/skills -maxdepth 2 -name SKILL.md 2>/dev/null | grep -iE "keyword|synonym"
+find ~/.claude/plugins/marketplaces -path '*/skills/*/SKILL.md' 2>/dev/null | grep -iE "keyword|synonym"
+```
+
+Then search frontmatter descriptions:
+
+```bash
+grep -RilE "keyword|synonym" ~/.claude/skills ~/.claude/plugins/marketplaces 2>/dev/null
+```
+
+### Step 3 - Search Remote Sources
+
+Use available GitHub and web search tools. Prefer concise queries:
+
+```bash
+gh search repos "claude code skill keyword" --limit 10 --sort stars
+gh search code "name: keyword" --filename SKILL.md --limit 10
+```
+
+For web search, use at most three targeted queries such as:
+
+```text
+"claude code skill" keyword
+"SKILL.md" keyword
+"everything-claude-code" keyword
+```
+
+### Step 4 - Vet External Matches
+
+Before recommending any external skill for adoption or forking:
+
+- Read the `SKILL.md` frontmatter and instructions.
+- Look for unexpected shell commands, file writes, network calls, credential
+  handling, or package installs.
+- Check whether the repository appears maintained.
+- Prefer copying into a fresh local branch and reviewing the diff over editing
+  marketplace originals.
+
+### Step 5 - Rank Results
+
+Rank candidates by:
+
+1. Exact keyword match in the skill name.
+2. Keyword or synonym match in description.
+3. Local installed or marketplace source.
+4. Maintained GitHub source with recent activity.
+5. Web-only mention.
+
+Cap the final list at 10 results.
+
+### Step 6 - Present Decision Options
+
+Give the user a short table:
+
+| Option | Meaning |
+| --- | --- |
+| Use existing | Invoke or install a matching skill as-is. |
+| Fork or extend | Copy the closest skill and modify it. |
+| Create fresh | Build a new skill after confirming no close match exists. |
+
+Only create a new skill after the user chooses that path or after the search
+finds no close match.
+
+## Examples
+
+### Result Table
+
+```markdown
+| # | Skill | Source | Why it matches | Gap |
+| --- | --- | --- | --- | --- |
+| 1 | article-writing | Local ECC | Drafts articles and guides | Not focused on release notes |
+| 2 | content-engine | Local ECC | Multi-format content workflow | Heavier than needed |
+| 3 | blog-writer | GitHub | Blog writing skill with recent commits | Needs security review |
+```
+
+### User-Facing Summary
+
+```markdown
+I found two close local matches and one external candidate. The closest fit is
+`article-writing`; it covers drafting and revision, but it does not include the
+release-note checklist you asked for. I can either use it as-is, fork it into a
+release-note variant, or create a fresh skill.
+```
+
+## Anti-Patterns
+
+- Do not jump directly to new skill creation when a search is reasonable.
+- Do not install external skills without reading them first.
+- Do not present a long unranked list of weak matches.
+- Do not treat web-only mentions as trusted sources.
+- Do not edit installed marketplace originals in place.
+
+## Related
+
+- `search-first` - General search-before-building workflow.
+- `skill-stocktake` - Audit installed skills for health, duplicates, and gaps.
+- `agent-sort` - Categorize and organize existing agents and skills.

tests/ci/code-reviewer-false-positive-guard.test.js

@@ -0,0 +1,82 @@
+#!/usr/bin/env node
+'use strict';
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+
+const repoRoot = path.resolve(__dirname, '..', '..');
+const reviewerPath = path.join(repoRoot, 'agents', 'code-reviewer.md');
+
+const requiredHeadings = [
+  '## Confidence-Based Filtering',
+  '### Pre-Report Gate',
+  '### HIGH / CRITICAL Require Proof',
+  '### It Is Acceptable And Expected To Return Zero Findings',
+  '## Common False Positives - Skip These',
+];
+
+const requiredPatterns = [
+  /Can I cite the exact line/i,
+  /concrete failure mode/i,
+  /Have I read the surrounding context/i,
+  /Severity inflation/i,
+  /exact snippet and line number/i,
+  /specific failure scenario/i,
+  /demote to MEDIUM or drop/i,
+  /clean review is a valid review/i,
+  /Manufactured findings/i,
+  /Common False Positives/i,
+  /Consider adding error handling/i,
+  /Missing input validation/i,
+  /Magic number/i,
+  /Would a senior engineer on this\s+team actually change this in review/i,
+  /Do not withhold approval to appear rigorous/i,
+];
+
+let passed = 0;
+let failed = 0;
+
+function test(name, fn) {
+  try {
+    fn();
+    console.log(`  PASS ${name}`);
+    passed++;
+  } catch (error) {
+    console.log(`  FAIL ${name}`);
+    console.log(`    Error: ${error.message}`);
+    failed++;
+  }
+}
+
+function readReviewer() {
+  return fs.readFileSync(reviewerPath, 'utf8');
+}
+
+console.log('\n=== Testing code-reviewer false-positive guardrails ===\n');
+
+for (const heading of requiredHeadings) {
+  test(`code-reviewer.md contains heading: ${heading}`, () => {
+    const source = readReviewer();
+    assert.ok(source.includes(heading), `code-reviewer.md missing required heading "${heading}"`);
+  });
+}
+
+for (const pattern of requiredPatterns) {
+  test(`code-reviewer.md matches ${pattern}`, () => {
+    const source = readReviewer();
+    assert.ok(pattern.test(source), `code-reviewer.md missing required pattern ${pattern}`);
+  });
+}
+
+test('code-reviewer.md retains the >80% confidence threshold', () => {
+  const source = readReviewer();
+  assert.ok(/>\s*80%\s*confident/i.test(source), 'code-reviewer.md missing >80% confidence threshold');
+});
+
+if (failed > 0) {
+  console.log(`\nFailed: ${failed}`);
+  process.exit(1);
+}
+
+console.log(`\nPassed: ${passed}`);

tests/docs/stale-pr-salvage-ledger.test.js

@@ -46,11 +46,20 @@ test('stale PR salvage ledger preserves representative source attribution', () =
 
   for (const pr of [
     '#1309',
+    '#1232',
+    '#1304',
     '#1322',
     '#1326',
+    '#1310',
+    '#1325',
     '#1413',
+    '#1414',
+    '#1478',
     '#1493',
     '#1528/#1529/#1547',
+    '#1603',
+    '#1658',
+    '#1659',
     '#1674',
     '#1687',
     '#1705/#1780',
@@ -71,10 +80,13 @@ test('stale PR salvage ledger records skipped junk and superseded work', () => {
   assert.ok(source.includes('too low-signal'));
 });
 
-test('stale PR salvage ledger keeps the zh-CN tail manual-review only', () => {
+test('stale PR salvage ledger keeps localization tails manual-review only', () => {
   const source = read('docs/stale-pr-salvage-ledger.md');
 
-  assert.ok(source.includes('Only the #1687 localization tail remains'));
+  assert.ok(source.includes('The remaining plausibly useful backlog is translation/localization work'));
+  assert.ok(source.includes('#1687 zh-CN localization tail'));
+  assert.ok(source.includes('#1609 Persian README translation'));
+  assert.ok(source.includes('#1563 zh-TW README sync'));
   assert.ok(source.includes('translator/manual review'));
   assert.ok(source.includes('Do not import stale top-level docs'));
 });
@@ -88,10 +100,54 @@ test('legacy inventory and roadmap link to the durable salvage ledger', () => {
   assert.ok(roadmap.includes('#1687 translator/manual'));
 });
 
+test('stale PR salvage ledger records the May 12 gap pass', () => {
+  const source = read('docs/stale-pr-salvage-ledger.md');
+
+  for (const pr of [
+    '#1310',
+    '#1325',
+    '#1360',
+    '#1414',
+    '#1415',
+    '#1478',
+    '#1438',
+    '#1504',
+    '#1508',
+    '#1563/#1564/#1565',
+    '#1567',
+    '#1570',
+    '#1584',
+    '#1589',
+    '#1594',
+    '#1597',
+    '#1602',
+    '#1603',
+    '#1604',
+    '#1609',
+    '#1613',
+    '#1631',
+    '#1648',
+    '#1658',
+    '#1693',
+  ]) {
+    assert.ok(source.includes(pr), `Missing May 12 gap-pass PR ${pr}`);
+  }
+
+  assert.ok(source.includes('Django/Celery maintainer branch'));
+  assert.ok(source.includes('already preserved in #1770'));
+  assert.ok(source.includes('already preserved in #1769'));
+  assert.ok(source.includes('already preserved in #1766'));
+  assert.ok(source.includes('GateGuard subagent file-gate bypass'));
+  assert.ok(source.includes('HTTP MCP reachability handling'));
+  assert.ok(source.includes('current managed installer/profile flow'));
+  assert.ok(source.includes('false-positive proof gate'));
+  assert.ok(source.includes('session_id` from stdin JSON'));
+  assert.ok(source.includes('Already present as `skills/redis-patterns/`'));
+});
+
 if (failed > 0) {
   console.log(`\nFailed: ${failed}`);
   process.exit(1);
 }
 
 console.log(`\nPassed: ${passed}`);
-

tests/scripts/observability-readiness.test.js

@@ -62,6 +62,24 @@ function seedMinimalRepo(rootDir, overrides = {}) {
     'ecc2/src/session/store.rs': 'insert_tool_log query_tool_logs',
     'ecc2/src/session/manager.rs': 'sync_tool_activity_metrics tool-usage.jsonl',
     'docs/architecture/observability-readiness.md': 'node scripts/observability-readiness.js --format json',
+    'docs/architecture/hud-status-session-control.md': [
+      'context toolCalls activeAgents todos checks cost risk queueState',
+      'create resume status stop diff pr mergeQueue conflictQueue',
+      'Linear GitHub handoff'
+    ].join('\n'),
+    'examples/hud-status-contract.json': JSON.stringify({
+      schema_version: 'ecc.hud-status.v1',
+      context: {},
+      toolCalls: {},
+      activeAgents: [],
+      todos: {},
+      checks: {},
+      cost: {},
+      risk: {},
+      queueState: {},
+      sessionControls: {},
+      sync: {}
+    }, null, 2),
     'docs/releases/2.0.0-rc.1/quickstart.md': 'observability-readiness.md',
     'docs/releases/2.0.0-rc.1/release-notes.md': 'observability-readiness.md'
   };
@@ -195,6 +213,23 @@ function runTests() {
     }
   })) passed++; else failed++;
 
+  if (test('missing HUD status contract fails without disturbing core tool checks', () => {
+    const projectRoot = createTempDir('observability-readiness-hud-fail-');
+
+    try {
+      seedMinimalRepo(projectRoot, {
+        'examples/hud-status-contract.json': null
+      });
+      const report = buildReport(projectRoot);
+
+      assert.strictEqual(report.ready, false);
+      assert.ok(report.checks.some(check => check.id === 'hud-status-control-contract' && !check.pass));
+      assert.ok(report.checks.some(check => check.id === 'loop-status-live-signal' && check.pass));
+    } finally {
+      cleanup(projectRoot);
+    }
+  })) passed++; else failed++;
+
   console.log('\nResults:');
   console.log(`  Passed: ${passed}`);
   console.log(`  Failed: ${failed}`);