feat: add Cursor, Codex, and OpenCode harnesses — maximize every AI coding tool

- AGENTS.md: universal cross-tool file read by Claude Code, Cursor, Codex, and OpenCode
- .cursor/: 15 hook events via hooks.json, 16 hook scripts with DRY adapter pattern,
  29 rules (9 common + 20 language-specific) with Cursor YAML frontmatter
- .codex/: reference config.toml, Codex-specific AGENTS.md supplement,
  10 skills ported to .agents/skills/ with openai.yaml metadata
- .opencode/: 3 new tools (format-code, lint-check, git-summary), 3 new hooks
  (shell.env, experimental.session.compacting, permission.ask), expanded instructions,
  version bumped to 1.6.0
- README: fixed Cursor section, added Codex section, added cross-tool parity table
- install.sh: now copies hooks.json + hooks/ for --target cursor

.agents/skills/api-design/SKILL.md

@@ -0,0 +1,523 @@
+---
+name: api-design
+description: REST API design patterns including resource naming, status codes, pagination, filtering, error responses, versioning, and rate limiting for production APIs.
+origin: ECC
+---
+
+# API Design Patterns
+
+Conventions and best practices for designing consistent, developer-friendly REST APIs.
+
+## When to Activate
+
+- Designing new API endpoints
+- Reviewing existing API contracts
+- Adding pagination, filtering, or sorting
+- Implementing error handling for APIs
+- Planning API versioning strategy
+- Building public or partner-facing APIs
+
+## Resource Design
+
+### URL Structure
+
+```
+# Resources are nouns, plural, lowercase, kebab-case
+GET    /api/v1/users
+GET    /api/v1/users/:id
+POST   /api/v1/users
+PUT    /api/v1/users/:id
+PATCH  /api/v1/users/:id
+DELETE /api/v1/users/:id
+
+# Sub-resources for relationships
+GET    /api/v1/users/:id/orders
+POST   /api/v1/users/:id/orders
+
+# Actions that don't map to CRUD (use verbs sparingly)
+POST   /api/v1/orders/:id/cancel
+POST   /api/v1/auth/login
+POST   /api/v1/auth/refresh
+```
+
+### Naming Rules
+
+```
+# GOOD
+/api/v1/team-members          # kebab-case for multi-word resources
+/api/v1/orders?status=active  # query params for filtering
+/api/v1/users/123/orders      # nested resources for ownership
+
+# BAD
+/api/v1/getUsers              # verb in URL
+/api/v1/user                  # singular (use plural)
+/api/v1/team_members          # snake_case in URLs
+/api/v1/users/123/getOrders   # verb in nested resource
+```
+
+## HTTP Methods and Status Codes
+
+### Method Semantics
+
+| Method | Idempotent | Safe | Use For |
+|--------|-----------|------|---------|
+| GET | Yes | Yes | Retrieve resources |
+| POST | No | No | Create resources, trigger actions |
+| PUT | Yes | No | Full replacement of a resource |
+| PATCH | No* | No | Partial update of a resource |
+| DELETE | Yes | No | Remove a resource |
+
+*PATCH can be made idempotent with proper implementation
+
+### Status Code Reference
+
+```
+# Success
+200 OK                    — GET, PUT, PATCH (with response body)
+201 Created               — POST (include Location header)
+204 No Content            — DELETE, PUT (no response body)
+
+# Client Errors
+400 Bad Request           — Validation failure, malformed JSON
+401 Unauthorized          — Missing or invalid authentication
+403 Forbidden             — Authenticated but not authorized
+404 Not Found             — Resource doesn't exist
+409 Conflict              — Duplicate entry, state conflict
+422 Unprocessable Entity  — Semantically invalid (valid JSON, bad data)
+429 Too Many Requests     — Rate limit exceeded
+
+# Server Errors
+500 Internal Server Error — Unexpected failure (never expose details)
+502 Bad Gateway           — Upstream service failed
+503 Service Unavailable   — Temporary overload, include Retry-After
+```
+
+### Common Mistakes
+
+```
+# BAD: 200 for everything
+{ "status": 200, "success": false, "error": "Not found" }
+
+# GOOD: Use HTTP status codes semantically
+HTTP/1.1 404 Not Found
+{ "error": { "code": "not_found", "message": "User not found" } }
+
+# BAD: 500 for validation errors
+# GOOD: 400 or 422 with field-level details
+
+# BAD: 200 for created resources
+# GOOD: 201 with Location header
+HTTP/1.1 201 Created
+Location: /api/v1/users/abc-123
+```
+
+## Response Format
+
+### Success Response
+
+```json
+{
+  "data": {
+    "id": "abc-123",
+    "email": "alice@example.com",
+    "name": "Alice",
+    "created_at": "2025-01-15T10:30:00Z"
+  }
+}
+```
+
+### Collection Response (with Pagination)
+
+```json
+{
+  "data": [
+    { "id": "abc-123", "name": "Alice" },
+    { "id": "def-456", "name": "Bob" }
+  ],
+  "meta": {
+    "total": 142,
+    "page": 1,
+    "per_page": 20,
+    "total_pages": 8
+  },
+  "links": {
+    "self": "/api/v1/users?page=1&per_page=20",
+    "next": "/api/v1/users?page=2&per_page=20",
+    "last": "/api/v1/users?page=8&per_page=20"
+  }
+}
+```
+
+### Error Response
+
+```json
+{
+  "error": {
+    "code": "validation_error",
+    "message": "Request validation failed",
+    "details": [
+      {
+        "field": "email",
+        "message": "Must be a valid email address",
+        "code": "invalid_format"
+      },
+      {
+        "field": "age",
+        "message": "Must be between 0 and 150",
+        "code": "out_of_range"
+      }
+    ]
+  }
+}
+```
+
+### Response Envelope Variants
+
+```typescript
+// Option A: Envelope with data wrapper (recommended for public APIs)
+interface ApiResponse<T> {
+  data: T;
+  meta?: PaginationMeta;
+  links?: PaginationLinks;
+}
+
+interface ApiError {
+  error: {
+    code: string;
+    message: string;
+    details?: FieldError[];
+  };
+}
+
+// Option B: Flat response (simpler, common for internal APIs)
+// Success: just return the resource directly
+// Error: return error object
+// Distinguish by HTTP status code
+```
+
+## Pagination
+
+### Offset-Based (Simple)
+
+```
+GET /api/v1/users?page=2&per_page=20
+
+# Implementation
+SELECT * FROM users
+ORDER BY created_at DESC
+LIMIT 20 OFFSET 20;
+```
+
+**Pros:** Easy to implement, supports "jump to page N"
+**Cons:** Slow on large offsets (OFFSET 100000), inconsistent with concurrent inserts
+
+### Cursor-Based (Scalable)
+
+```
+GET /api/v1/users?cursor=eyJpZCI6MTIzfQ&limit=20
+
+# Implementation
+SELECT * FROM users
+WHERE id > :cursor_id
+ORDER BY id ASC
+LIMIT 21;  -- fetch one extra to determine has_next
+```
+
+```json
+{
+  "data": [...],
+  "meta": {
+    "has_next": true,
+    "next_cursor": "eyJpZCI6MTQzfQ"
+  }
+}
+```
+
+**Pros:** Consistent performance regardless of position, stable with concurrent inserts
+**Cons:** Cannot jump to arbitrary page, cursor is opaque
+
+### When to Use Which
+
+| Use Case | Pagination Type |
+|----------|----------------|
+| Admin dashboards, small datasets (<10K) | Offset |
+| Infinite scroll, feeds, large datasets | Cursor |
+| Public APIs | Cursor (default) with offset (optional) |
+| Search results | Offset (users expect page numbers) |
+
+## Filtering, Sorting, and Search
+
+### Filtering
+
+```
+# Simple equality
+GET /api/v1/orders?status=active&customer_id=abc-123
+
+# Comparison operators (use bracket notation)
+GET /api/v1/products?price[gte]=10&price[lte]=100
+GET /api/v1/orders?created_at[after]=2025-01-01
+
+# Multiple values (comma-separated)
+GET /api/v1/products?category=electronics,clothing
+
+# Nested fields (dot notation)
+GET /api/v1/orders?customer.country=US
+```
+
+### Sorting
+
+```
+# Single field (prefix - for descending)
+GET /api/v1/products?sort=-created_at
+
+# Multiple fields (comma-separated)
+GET /api/v1/products?sort=-featured,price,-created_at
+```
+
+### Full-Text Search
+
+```
+# Search query parameter
+GET /api/v1/products?q=wireless+headphones
+
+# Field-specific search
+GET /api/v1/users?email=alice
+```
+
+### Sparse Fieldsets
+
+```
+# Return only specified fields (reduces payload)
+GET /api/v1/users?fields=id,name,email
+GET /api/v1/orders?fields=id,total,status&include=customer.name
+```
+
+## Authentication and Authorization
+
+### Token-Based Auth
+
+```
+# Bearer token in Authorization header
+GET /api/v1/users
+Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
+
+# API key (for server-to-server)
+GET /api/v1/data
+X-API-Key: sk_live_abc123
+```
+
+### Authorization Patterns
+
+```typescript
+// Resource-level: check ownership
+app.get("/api/v1/orders/:id", async (req, res) => {
+  const order = await Order.findById(req.params.id);
+  if (!order) return res.status(404).json({ error: { code: "not_found" } });
+  if (order.userId !== req.user.id) return res.status(403).json({ error: { code: "forbidden" } });
+  return res.json({ data: order });
+});
+
+// Role-based: check permissions
+app.delete("/api/v1/users/:id", requireRole("admin"), async (req, res) => {
+  await User.delete(req.params.id);
+  return res.status(204).send();
+});
+```
+
+## Rate Limiting
+
+### Headers
+
+```
+HTTP/1.1 200 OK
+X-RateLimit-Limit: 100
+X-RateLimit-Remaining: 95
+X-RateLimit-Reset: 1640000000
+
+# When exceeded
+HTTP/1.1 429 Too Many Requests
+Retry-After: 60
+{
+  "error": {
+    "code": "rate_limit_exceeded",
+    "message": "Rate limit exceeded. Try again in 60 seconds."
+  }
+}
+```
+
+### Rate Limit Tiers
+
+| Tier | Limit | Window | Use Case |
+|------|-------|--------|----------|
+| Anonymous | 30/min | Per IP | Public endpoints |
+| Authenticated | 100/min | Per user | Standard API access |
+| Premium | 1000/min | Per API key | Paid API plans |
+| Internal | 10000/min | Per service | Service-to-service |
+
+## Versioning
+
+### URL Path Versioning (Recommended)
+
+```
+/api/v1/users
+/api/v2/users
+```
+
+**Pros:** Explicit, easy to route, cacheable
+**Cons:** URL changes between versions
+
+### Header Versioning
+
+```
+GET /api/users
+Accept: application/vnd.myapp.v2+json
+```
+
+**Pros:** Clean URLs
+**Cons:** Harder to test, easy to forget
+
+### Versioning Strategy
+
+```
+1. Start with /api/v1/ — don't version until you need to
+2. Maintain at most 2 active versions (current + previous)
+3. Deprecation timeline:
+   - Announce deprecation (6 months notice for public APIs)
+   - Add Sunset header: Sunset: Sat, 01 Jan 2026 00:00:00 GMT
+   - Return 410 Gone after sunset date
+4. Non-breaking changes don't need a new version:
+   - Adding new fields to responses
+   - Adding new optional query parameters
+   - Adding new endpoints
+5. Breaking changes require a new version:
+   - Removing or renaming fields
+   - Changing field types
+   - Changing URL structure
+   - Changing authentication method
+```
+
+## Implementation Patterns
+
+### TypeScript (Next.js API Route)
+
+```typescript
+import { z } from "zod";
+import { NextRequest, NextResponse } from "next/server";
+
+const createUserSchema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1).max(100),
+});
+
+export async function POST(req: NextRequest) {
+  const body = await req.json();
+  const parsed = createUserSchema.safeParse(body);
+
+  if (!parsed.success) {
+    return NextResponse.json({
+      error: {
+        code: "validation_error",
+        message: "Request validation failed",
+        details: parsed.error.issues.map(i => ({
+          field: i.path.join("."),
+          message: i.message,
+          code: i.code,
+        })),
+      },
+    }, { status: 422 });
+  }
+
+  const user = await createUser(parsed.data);
+
+  return NextResponse.json(
+    { data: user },
+    {
+      status: 201,
+      headers: { Location: `/api/v1/users/${user.id}` },
+    },
+  );
+}
+```
+
+### Python (Django REST Framework)
+
+```python
+from rest_framework import serializers, viewsets, status
+from rest_framework.response import Response
+
+class CreateUserSerializer(serializers.Serializer):
+    email = serializers.EmailField()
+    name = serializers.CharField(max_length=100)
+
+class UserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = ["id", "email", "name", "created_at"]
+
+class UserViewSet(viewsets.ModelViewSet):
+    serializer_class = UserSerializer
+    permission_classes = [IsAuthenticated]
+
+    def get_serializer_class(self):
+        if self.action == "create":
+            return CreateUserSerializer
+        return UserSerializer
+
+    def create(self, request):
+        serializer = CreateUserSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        user = UserService.create(**serializer.validated_data)
+        return Response(
+            {"data": UserSerializer(user).data},
+            status=status.HTTP_201_CREATED,
+            headers={"Location": f"/api/v1/users/{user.id}"},
+        )
+```
+
+### Go (net/http)
+
+```go
+func (h *UserHandler) CreateUser(w http.ResponseWriter, r *http.Request) {
+    var req CreateUserRequest
+    if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+        writeError(w, http.StatusBadRequest, "invalid_json", "Invalid request body")
+        return
+    }
+
+    if err := req.Validate(); err != nil {
+        writeError(w, http.StatusUnprocessableEntity, "validation_error", err.Error())
+        return
+    }
+
+    user, err := h.service.Create(r.Context(), req)
+    if err != nil {
+        switch {
+        case errors.Is(err, domain.ErrEmailTaken):
+            writeError(w, http.StatusConflict, "email_taken", "Email already registered")
+        default:
+            writeError(w, http.StatusInternalServerError, "internal_error", "Internal error")
+        }
+        return
+    }
+
+    w.Header().Set("Location", fmt.Sprintf("/api/v1/users/%s", user.ID))
+    writeJSON(w, http.StatusCreated, map[string]any{"data": user})
+}
+```
+
+## API Design Checklist
+
+Before shipping a new endpoint:
+
+- [ ] Resource URL follows naming conventions (plural, kebab-case, no verbs)
+- [ ] Correct HTTP method used (GET for reads, POST for creates, etc.)
+- [ ] Appropriate status codes returned (not 200 for everything)
+- [ ] Input validated with schema (Zod, Pydantic, Bean Validation)
+- [ ] Error responses follow standard format with codes and messages
+- [ ] Pagination implemented for list endpoints (cursor or offset)
+- [ ] Authentication required (or explicitly marked as public)
+- [ ] Authorization checked (user can only access their own resources)
+- [ ] Rate limiting configured
+- [ ] Response does not leak internal details (stack traces, SQL errors)
+- [ ] Consistent naming with existing endpoints (camelCase vs snake_case)
+- [ ] Documented (OpenAPI/Swagger spec updated)

.agents/skills/api-design/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "API Design"
+  short_description: "REST API design patterns and best practices"
+  brand_color: "#F97316"
+  default_prompt: "Design REST API: resources, status codes, pagination"
+policy:
+  allow_implicit_invocation: true

.agents/skills/backend-patterns/SKILL.md

@@ -0,0 +1,598 @@
+---
+name: backend-patterns
+description: Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
+origin: ECC
+---
+
+# Backend Development Patterns
+
+Backend architecture patterns and best practices for scalable server-side applications.
+
+## When to Activate
+
+- Designing REST or GraphQL API endpoints
+- Implementing repository, service, or controller layers
+- Optimizing database queries (N+1, indexing, connection pooling)
+- Adding caching (Redis, in-memory, HTTP cache headers)
+- Setting up background jobs or async processing
+- Structuring error handling and validation for APIs
+- Building middleware (auth, logging, rate limiting)
+
+## API Design Patterns
+
+### RESTful API Structure
+
+```typescript
+// ✅ Resource-based URLs
+GET    /api/markets                 # List resources
+GET    /api/markets/:id             # Get single resource
+POST   /api/markets                 # Create resource
+PUT    /api/markets/:id             # Replace resource
+PATCH  /api/markets/:id             # Update resource
+DELETE /api/markets/:id             # Delete resource
+
+// ✅ Query parameters for filtering, sorting, pagination
+GET /api/markets?status=active&sort=volume&limit=20&offset=0
+```
+
+### Repository Pattern
+
+```typescript
+// Abstract data access logic
+interface MarketRepository {
+  findAll(filters?: MarketFilters): Promise<Market[]>
+  findById(id: string): Promise<Market | null>
+  create(data: CreateMarketDto): Promise<Market>
+  update(id: string, data: UpdateMarketDto): Promise<Market>
+  delete(id: string): Promise<void>
+}
+
+class SupabaseMarketRepository implements MarketRepository {
+  async findAll(filters?: MarketFilters): Promise<Market[]> {
+    let query = supabase.from('markets').select('*')
+
+    if (filters?.status) {
+      query = query.eq('status', filters.status)
+    }
+
+    if (filters?.limit) {
+      query = query.limit(filters.limit)
+    }
+
+    const { data, error } = await query
+
+    if (error) throw new Error(error.message)
+    return data
+  }
+
+  // Other methods...
+}
+```
+
+### Service Layer Pattern
+
+```typescript
+// Business logic separated from data access
+class MarketService {
+  constructor(private marketRepo: MarketRepository) {}
+
+  async searchMarkets(query: string, limit: number = 10): Promise<Market[]> {
+    // Business logic
+    const embedding = await generateEmbedding(query)
+    const results = await this.vectorSearch(embedding, limit)
+
+    // Fetch full data
+    const markets = await this.marketRepo.findByIds(results.map(r => r.id))
+
+    // Sort by similarity
+    return markets.sort((a, b) => {
+      const scoreA = results.find(r => r.id === a.id)?.score || 0
+      const scoreB = results.find(r => r.id === b.id)?.score || 0
+      return scoreA - scoreB
+    })
+  }
+
+  private async vectorSearch(embedding: number[], limit: number) {
+    // Vector search implementation
+  }
+}
+```
+
+### Middleware Pattern
+
+```typescript
+// Request/response processing pipeline
+export function withAuth(handler: NextApiHandler): NextApiHandler {
+  return async (req, res) => {
+    const token = req.headers.authorization?.replace('Bearer ', '')
+
+    if (!token) {
+      return res.status(401).json({ error: 'Unauthorized' })
+    }
+
+    try {
+      const user = await verifyToken(token)
+      req.user = user
+      return handler(req, res)
+    } catch (error) {
+      return res.status(401).json({ error: 'Invalid token' })
+    }
+  }
+}
+
+// Usage
+export default withAuth(async (req, res) => {
+  // Handler has access to req.user
+})
+```
+
+## Database Patterns
+
+### Query Optimization
+
+```typescript
+// ✅ GOOD: Select only needed columns
+const { data } = await supabase
+  .from('markets')
+  .select('id, name, status, volume')
+  .eq('status', 'active')
+  .order('volume', { ascending: false })
+  .limit(10)
+
+// ❌ BAD: Select everything
+const { data } = await supabase
+  .from('markets')
+  .select('*')
+```
+
+### N+1 Query Prevention
+
+```typescript
+// ❌ BAD: N+1 query problem
+const markets = await getMarkets()
+for (const market of markets) {
+  market.creator = await getUser(market.creator_id)  // N queries
+}
+
+// ✅ GOOD: Batch fetch
+const markets = await getMarkets()
+const creatorIds = markets.map(m => m.creator_id)
+const creators = await getUsers(creatorIds)  // 1 query
+const creatorMap = new Map(creators.map(c => [c.id, c]))
+
+markets.forEach(market => {
+  market.creator = creatorMap.get(market.creator_id)
+})
+```
+
+### Transaction Pattern
+
+```typescript
+async function createMarketWithPosition(
+  marketData: CreateMarketDto,
+  positionData: CreatePositionDto
+) {
+  // Use Supabase transaction
+  const { data, error } = await supabase.rpc('create_market_with_position', {
+    market_data: marketData,
+    position_data: positionData
+  })
+
+  if (error) throw new Error('Transaction failed')
+  return data
+}
+
+// SQL function in Supabase
+CREATE OR REPLACE FUNCTION create_market_with_position(
+  market_data jsonb,
+  position_data jsonb
+)
+RETURNS jsonb
+LANGUAGE plpgsql
+AS $$
+BEGIN
+  -- Start transaction automatically
+  INSERT INTO markets VALUES (market_data);
+  INSERT INTO positions VALUES (position_data);
+  RETURN jsonb_build_object('success', true);
+EXCEPTION
+  WHEN OTHERS THEN
+    -- Rollback happens automatically
+    RETURN jsonb_build_object('success', false, 'error', SQLERRM);
+END;
+$$;
+```
+
+## Caching Strategies
+
+### Redis Caching Layer
+
+```typescript
+class CachedMarketRepository implements MarketRepository {
+  constructor(
+    private baseRepo: MarketRepository,
+    private redis: RedisClient
+  ) {}
+
+  async findById(id: string): Promise<Market | null> {
+    // Check cache first
+    const cached = await this.redis.get(`market:${id}`)
+
+    if (cached) {
+      return JSON.parse(cached)
+    }
+
+    // Cache miss - fetch from database
+    const market = await this.baseRepo.findById(id)
+
+    if (market) {
+      // Cache for 5 minutes
+      await this.redis.setex(`market:${id}`, 300, JSON.stringify(market))
+    }
+
+    return market
+  }
+
+  async invalidateCache(id: string): Promise<void> {
+    await this.redis.del(`market:${id}`)
+  }
+}
+```
+
+### Cache-Aside Pattern
+
+```typescript
+async function getMarketWithCache(id: string): Promise<Market> {
+  const cacheKey = `market:${id}`
+
+  // Try cache
+  const cached = await redis.get(cacheKey)
+  if (cached) return JSON.parse(cached)
+
+  // Cache miss - fetch from DB
+  const market = await db.markets.findUnique({ where: { id } })
+
+  if (!market) throw new Error('Market not found')
+
+  // Update cache
+  await redis.setex(cacheKey, 300, JSON.stringify(market))
+
+  return market
+}
+```
+
+## Error Handling Patterns
+
+### Centralized Error Handler
+
+```typescript
+class ApiError extends Error {
+  constructor(
+    public statusCode: number,
+    public message: string,
+    public isOperational = true
+  ) {
+    super(message)
+    Object.setPrototypeOf(this, ApiError.prototype)
+  }
+}
+
+export function errorHandler(error: unknown, req: Request): Response {
+  if (error instanceof ApiError) {
+    return NextResponse.json({
+      success: false,
+      error: error.message
+    }, { status: error.statusCode })
+  }
+
+  if (error instanceof z.ZodError) {
+    return NextResponse.json({
+      success: false,
+      error: 'Validation failed',
+      details: error.errors
+    }, { status: 400 })
+  }
+
+  // Log unexpected errors
+  console.error('Unexpected error:', error)
+
+  return NextResponse.json({
+    success: false,
+    error: 'Internal server error'
+  }, { status: 500 })
+}
+
+// Usage
+export async function GET(request: Request) {
+  try {
+    const data = await fetchData()
+    return NextResponse.json({ success: true, data })
+  } catch (error) {
+    return errorHandler(error, request)
+  }
+}
+```
+
+### Retry with Exponential Backoff
+
+```typescript
+async function fetchWithRetry<T>(
+  fn: () => Promise<T>,
+  maxRetries = 3
+): Promise<T> {
+  let lastError: Error
+
+  for (let i = 0; i < maxRetries; i++) {
+    try {
+      return await fn()
+    } catch (error) {
+      lastError = error as Error
+
+      if (i < maxRetries - 1) {
+        // Exponential backoff: 1s, 2s, 4s
+        const delay = Math.pow(2, i) * 1000
+        await new Promise(resolve => setTimeout(resolve, delay))
+      }
+    }
+  }
+
+  throw lastError!
+}
+
+// Usage
+const data = await fetchWithRetry(() => fetchFromAPI())
+```
+
+## Authentication & Authorization
+
+### JWT Token Validation
+
+```typescript
+import jwt from 'jsonwebtoken'
+
+interface JWTPayload {
+  userId: string
+  email: string
+  role: 'admin' | 'user'
+}
+
+export function verifyToken(token: string): JWTPayload {
+  try {
+    const payload = jwt.verify(token, process.env.JWT_SECRET!) as JWTPayload
+    return payload
+  } catch (error) {
+    throw new ApiError(401, 'Invalid token')
+  }
+}
+
+export async function requireAuth(request: Request) {
+  const token = request.headers.get('authorization')?.replace('Bearer ', '')
+
+  if (!token) {
+    throw new ApiError(401, 'Missing authorization token')
+  }
+
+  return verifyToken(token)
+}
+
+// Usage in API route
+export async function GET(request: Request) {
+  const user = await requireAuth(request)
+
+  const data = await getDataForUser(user.userId)
+
+  return NextResponse.json({ success: true, data })
+}
+```
+
+### Role-Based Access Control
+
+```typescript
+type Permission = 'read' | 'write' | 'delete' | 'admin'
+
+interface User {
+  id: string
+  role: 'admin' | 'moderator' | 'user'
+}
+
+const rolePermissions: Record<User['role'], Permission[]> = {
+  admin: ['read', 'write', 'delete', 'admin'],
+  moderator: ['read', 'write', 'delete'],
+  user: ['read', 'write']
+}
+
+export function hasPermission(user: User, permission: Permission): boolean {
+  return rolePermissions[user.role].includes(permission)
+}
+
+export function requirePermission(permission: Permission) {
+  return (handler: (request: Request, user: User) => Promise<Response>) => {
+    return async (request: Request) => {
+      const user = await requireAuth(request)
+
+      if (!hasPermission(user, permission)) {
+        throw new ApiError(403, 'Insufficient permissions')
+      }
+
+      return handler(request, user)
+    }
+  }
+}
+
+// Usage - HOF wraps the handler
+export const DELETE = requirePermission('delete')(
+  async (request: Request, user: User) => {
+    // Handler receives authenticated user with verified permission
+    return new Response('Deleted', { status: 200 })
+  }
+)
+```
+
+## Rate Limiting
+
+### Simple In-Memory Rate Limiter
+
+```typescript
+class RateLimiter {
+  private requests = new Map<string, number[]>()
+
+  async checkLimit(
+    identifier: string,
+    maxRequests: number,
+    windowMs: number
+  ): Promise<boolean> {
+    const now = Date.now()
+    const requests = this.requests.get(identifier) || []
+
+    // Remove old requests outside window
+    const recentRequests = requests.filter(time => now - time < windowMs)
+
+    if (recentRequests.length >= maxRequests) {
+      return false  // Rate limit exceeded
+    }
+
+    // Add current request
+    recentRequests.push(now)
+    this.requests.set(identifier, recentRequests)
+
+    return true
+  }
+}
+
+const limiter = new RateLimiter()
+
+export async function GET(request: Request) {
+  const ip = request.headers.get('x-forwarded-for') || 'unknown'
+
+  const allowed = await limiter.checkLimit(ip, 100, 60000)  // 100 req/min
+
+  if (!allowed) {
+    return NextResponse.json({
+      error: 'Rate limit exceeded'
+    }, { status: 429 })
+  }
+
+  // Continue with request
+}
+```
+
+## Background Jobs & Queues
+
+### Simple Queue Pattern
+
+```typescript
+class JobQueue<T> {
+  private queue: T[] = []
+  private processing = false
+
+  async add(job: T): Promise<void> {
+    this.queue.push(job)
+
+    if (!this.processing) {
+      this.process()
+    }
+  }
+
+  private async process(): Promise<void> {
+    this.processing = true
+
+    while (this.queue.length > 0) {
+      const job = this.queue.shift()!
+
+      try {
+        await this.execute(job)
+      } catch (error) {
+        console.error('Job failed:', error)
+      }
+    }
+
+    this.processing = false
+  }
+
+  private async execute(job: T): Promise<void> {
+    // Job execution logic
+  }
+}
+
+// Usage for indexing markets
+interface IndexJob {
+  marketId: string
+}
+
+const indexQueue = new JobQueue<IndexJob>()
+
+export async function POST(request: Request) {
+  const { marketId } = await request.json()
+
+  // Add to queue instead of blocking
+  await indexQueue.add({ marketId })
+
+  return NextResponse.json({ success: true, message: 'Job queued' })
+}
+```
+
+## Logging & Monitoring
+
+### Structured Logging
+
+```typescript
+interface LogContext {
+  userId?: string
+  requestId?: string
+  method?: string
+  path?: string
+  [key: string]: unknown
+}
+
+class Logger {
+  log(level: 'info' | 'warn' | 'error', message: string, context?: LogContext) {
+    const entry = {
+      timestamp: new Date().toISOString(),
+      level,
+      message,
+      ...context
+    }
+
+    console.log(JSON.stringify(entry))
+  }
+
+  info(message: string, context?: LogContext) {
+    this.log('info', message, context)
+  }
+
+  warn(message: string, context?: LogContext) {
+    this.log('warn', message, context)
+  }
+
+  error(message: string, error: Error, context?: LogContext) {
+    this.log('error', message, {
+      ...context,
+      error: error.message,
+      stack: error.stack
+    })
+  }
+}
+
+const logger = new Logger()
+
+// Usage
+export async function GET(request: Request) {
+  const requestId = crypto.randomUUID()
+
+  logger.info('Fetching markets', {
+    requestId,
+    method: 'GET',
+    path: '/api/markets'
+  })
+
+  try {
+    const markets = await fetchMarkets()
+    return NextResponse.json({ success: true, data: markets })
+  } catch (error) {
+    logger.error('Failed to fetch markets', error as Error, { requestId })
+    return NextResponse.json({ error: 'Internal error' }, { status: 500 })
+  }
+}
+```
+
+**Remember**: Backend patterns enable scalable, maintainable server-side applications. Choose patterns that fit your complexity level.

.agents/skills/backend-patterns/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Backend Patterns"
+  short_description: "API design, database, and server-side patterns"
+  brand_color: "#F59E0B"
+  default_prompt: "Apply backend patterns: API design, repository, caching"
+policy:
+  allow_implicit_invocation: true

.agents/skills/coding-standards/SKILL.md

@@ -0,0 +1,530 @@
+---
+name: coding-standards
+description: Universal coding standards, best practices, and patterns for TypeScript, JavaScript, React, and Node.js development.
+origin: ECC
+---
+
+# Coding Standards & Best Practices
+
+Universal coding standards applicable across all projects.
+
+## When to Activate
+
+- Starting a new project or module
+- Reviewing code for quality and maintainability
+- Refactoring existing code to follow conventions
+- Enforcing naming, formatting, or structural consistency
+- Setting up linting, formatting, or type-checking rules
+- Onboarding new contributors to coding conventions
+
+## Code Quality Principles
+
+### 1. Readability First
+- Code is read more than written
+- Clear variable and function names
+- Self-documenting code preferred over comments
+- Consistent formatting
+
+### 2. KISS (Keep It Simple, Stupid)
+- Simplest solution that works
+- Avoid over-engineering
+- No premature optimization
+- Easy to understand > clever code
+
+### 3. DRY (Don't Repeat Yourself)
+- Extract common logic into functions
+- Create reusable components
+- Share utilities across modules
+- Avoid copy-paste programming
+
+### 4. YAGNI (You Aren't Gonna Need It)
+- Don't build features before they're needed
+- Avoid speculative generality
+- Add complexity only when required
+- Start simple, refactor when needed
+
+## TypeScript/JavaScript Standards
+
+### Variable Naming
+
+```typescript
+// ✅ GOOD: Descriptive names
+const marketSearchQuery = 'election'
+const isUserAuthenticated = true
+const totalRevenue = 1000
+
+// ❌ BAD: Unclear names
+const q = 'election'
+const flag = true
+const x = 1000
+```
+
+### Function Naming
+
+```typescript
+// ✅ GOOD: Verb-noun pattern
+async function fetchMarketData(marketId: string) { }
+function calculateSimilarity(a: number[], b: number[]) { }
+function isValidEmail(email: string): boolean { }
+
+// ❌ BAD: Unclear or noun-only
+async function market(id: string) { }
+function similarity(a, b) { }
+function email(e) { }
+```
+
+### Immutability Pattern (CRITICAL)
+
+```typescript
+// ✅ ALWAYS use spread operator
+const updatedUser = {
+  ...user,
+  name: 'New Name'
+}
+
+const updatedArray = [...items, newItem]
+
+// ❌ NEVER mutate directly
+user.name = 'New Name'  // BAD
+items.push(newItem)     // BAD
+```
+
+### Error Handling
+
+```typescript
+// ✅ GOOD: Comprehensive error handling
+async function fetchData(url: string) {
+  try {
+    const response = await fetch(url)
+
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}: ${response.statusText}`)
+    }
+
+    return await response.json()
+  } catch (error) {
+    console.error('Fetch failed:', error)
+    throw new Error('Failed to fetch data')
+  }
+}
+
+// ❌ BAD: No error handling
+async function fetchData(url) {
+  const response = await fetch(url)
+  return response.json()
+}
+```
+
+### Async/Await Best Practices
+
+```typescript
+// ✅ GOOD: Parallel execution when possible
+const [users, markets, stats] = await Promise.all([
+  fetchUsers(),
+  fetchMarkets(),
+  fetchStats()
+])
+
+// ❌ BAD: Sequential when unnecessary
+const users = await fetchUsers()
+const markets = await fetchMarkets()
+const stats = await fetchStats()
+```
+
+### Type Safety
+
+```typescript
+// ✅ GOOD: Proper types
+interface Market {
+  id: string
+  name: string
+  status: 'active' | 'resolved' | 'closed'
+  created_at: Date
+}
+
+function getMarket(id: string): Promise<Market> {
+  // Implementation
+}
+
+// ❌ BAD: Using 'any'
+function getMarket(id: any): Promise<any> {
+  // Implementation
+}
+```
+
+## React Best Practices
+
+### Component Structure
+
+```typescript
+// ✅ GOOD: Functional component with types
+interface ButtonProps {
+  children: React.ReactNode
+  onClick: () => void
+  disabled?: boolean
+  variant?: 'primary' | 'secondary'
+}
+
+export function Button({
+  children,
+  onClick,
+  disabled = false,
+  variant = 'primary'
+}: ButtonProps) {
+  return (
+    <button
+      onClick={onClick}
+      disabled={disabled}
+      className={`btn btn-${variant}`}
+    >
+      {children}
+    </button>
+  )
+}
+
+// ❌ BAD: No types, unclear structure
+export function Button(props) {
+  return <button onClick={props.onClick}>{props.children}</button>
+}
+```
+
+### Custom Hooks
+
+```typescript
+// ✅ GOOD: Reusable custom hook
+export function useDebounce<T>(value: T, delay: number): T {
+  const [debouncedValue, setDebouncedValue] = useState<T>(value)
+
+  useEffect(() => {
+    const handler = setTimeout(() => {
+      setDebouncedValue(value)
+    }, delay)
+
+    return () => clearTimeout(handler)
+  }, [value, delay])
+
+  return debouncedValue
+}
+
+// Usage
+const debouncedQuery = useDebounce(searchQuery, 500)
+```
+
+### State Management
+
+```typescript
+// ✅ GOOD: Proper state updates
+const [count, setCount] = useState(0)
+
+// Functional update for state based on previous state
+setCount(prev => prev + 1)
+
+// ❌ BAD: Direct state reference
+setCount(count + 1)  // Can be stale in async scenarios
+```
+
+### Conditional Rendering
+
+```typescript
+// ✅ GOOD: Clear conditional rendering
+{isLoading && <Spinner />}
+{error && <ErrorMessage error={error} />}
+{data && <DataDisplay data={data} />}
+
+// ❌ BAD: Ternary hell
+{isLoading ? <Spinner /> : error ? <ErrorMessage error={error} /> : data ? <DataDisplay data={data} /> : null}
+```
+
+## API Design Standards
+
+### REST API Conventions
+
+```
+GET    /api/markets              # List all markets
+GET    /api/markets/:id          # Get specific market
+POST   /api/markets              # Create new market
+PUT    /api/markets/:id          # Update market (full)
+PATCH  /api/markets/:id          # Update market (partial)
+DELETE /api/markets/:id          # Delete market
+
+# Query parameters for filtering
+GET /api/markets?status=active&limit=10&offset=0
+```
+
+### Response Format
+
+```typescript
+// ✅ GOOD: Consistent response structure
+interface ApiResponse<T> {
+  success: boolean
+  data?: T
+  error?: string
+  meta?: {
+    total: number
+    page: number
+    limit: number
+  }
+}
+
+// Success response
+return NextResponse.json({
+  success: true,
+  data: markets,
+  meta: { total: 100, page: 1, limit: 10 }
+})
+
+// Error response
+return NextResponse.json({
+  success: false,
+  error: 'Invalid request'
+}, { status: 400 })
+```
+
+### Input Validation
+
+```typescript
+import { z } from 'zod'
+
+// ✅ GOOD: Schema validation
+const CreateMarketSchema = z.object({
+  name: z.string().min(1).max(200),
+  description: z.string().min(1).max(2000),
+  endDate: z.string().datetime(),
+  categories: z.array(z.string()).min(1)
+})
+
+export async function POST(request: Request) {
+  const body = await request.json()
+
+  try {
+    const validated = CreateMarketSchema.parse(body)
+    // Proceed with validated data
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      return NextResponse.json({
+        success: false,
+        error: 'Validation failed',
+        details: error.errors
+      }, { status: 400 })
+    }
+  }
+}
+```
+
+## File Organization
+
+### Project Structure
+
+```
+src/
+├── app/                    # Next.js App Router
+│   ├── api/               # API routes
+│   ├── markets/           # Market pages
+│   └── (auth)/           # Auth pages (route groups)
+├── components/            # React components
+│   ├── ui/               # Generic UI components
+│   ├── forms/            # Form components
+│   └── layouts/          # Layout components
+├── hooks/                # Custom React hooks
+├── lib/                  # Utilities and configs
+│   ├── api/             # API clients
+│   ├── utils/           # Helper functions
+│   └── constants/       # Constants
+├── types/                # TypeScript types
+└── styles/              # Global styles
+```
+
+### File Naming
+
+```
+components/Button.tsx          # PascalCase for components
+hooks/useAuth.ts              # camelCase with 'use' prefix
+lib/formatDate.ts             # camelCase for utilities
+types/market.types.ts         # camelCase with .types suffix
+```
+
+## Comments & Documentation
+
+### When to Comment
+
+```typescript
+// ✅ GOOD: Explain WHY, not WHAT
+// Use exponential backoff to avoid overwhelming the API during outages
+const delay = Math.min(1000 * Math.pow(2, retryCount), 30000)
+
+// Deliberately using mutation here for performance with large arrays
+items.push(newItem)
+
+// ❌ BAD: Stating the obvious
+// Increment counter by 1
+count++
+
+// Set name to user's name
+name = user.name
+```
+
+### JSDoc for Public APIs
+
+```typescript
+/**
+ * Searches markets using semantic similarity.
+ *
+ * @param query - Natural language search query
+ * @param limit - Maximum number of results (default: 10)
+ * @returns Array of markets sorted by similarity score
+ * @throws {Error} If OpenAI API fails or Redis unavailable
+ *
+ * @example
+ * ```typescript
+ * const results = await searchMarkets('election', 5)
+ * console.log(results[0].name) // "Trump vs Biden"
+ * ```
+ */
+export async function searchMarkets(
+  query: string,
+  limit: number = 10
+): Promise<Market[]> {
+  // Implementation
+}
+```
+
+## Performance Best Practices
+
+### Memoization
+
+```typescript
+import { useMemo, useCallback } from 'react'
+
+// ✅ GOOD: Memoize expensive computations
+const sortedMarkets = useMemo(() => {
+  return markets.sort((a, b) => b.volume - a.volume)
+}, [markets])
+
+// ✅ GOOD: Memoize callbacks
+const handleSearch = useCallback((query: string) => {
+  setSearchQuery(query)
+}, [])
+```
+
+### Lazy Loading
+
+```typescript
+import { lazy, Suspense } from 'react'
+
+// ✅ GOOD: Lazy load heavy components
+const HeavyChart = lazy(() => import('./HeavyChart'))
+
+export function Dashboard() {
+  return (
+    <Suspense fallback={<Spinner />}>
+      <HeavyChart />
+    </Suspense>
+  )
+}
+```
+
+### Database Queries
+
+```typescript
+// ✅ GOOD: Select only needed columns
+const { data } = await supabase
+  .from('markets')
+  .select('id, name, status')
+  .limit(10)
+
+// ❌ BAD: Select everything
+const { data } = await supabase
+  .from('markets')
+  .select('*')
+```
+
+## Testing Standards
+
+### Test Structure (AAA Pattern)
+
+```typescript
+test('calculates similarity correctly', () => {
+  // Arrange
+  const vector1 = [1, 0, 0]
+  const vector2 = [0, 1, 0]
+
+  // Act
+  const similarity = calculateCosineSimilarity(vector1, vector2)
+
+  // Assert
+  expect(similarity).toBe(0)
+})
+```
+
+### Test Naming
+
+```typescript
+// ✅ GOOD: Descriptive test names
+test('returns empty array when no markets match query', () => { })
+test('throws error when OpenAI API key is missing', () => { })
+test('falls back to substring search when Redis unavailable', () => { })
+
+// ❌ BAD: Vague test names
+test('works', () => { })
+test('test search', () => { })
+```
+
+## Code Smell Detection
+
+Watch for these anti-patterns:
+
+### 1. Long Functions
+```typescript
+// ❌ BAD: Function > 50 lines
+function processMarketData() {
+  // 100 lines of code
+}
+
+// ✅ GOOD: Split into smaller functions
+function processMarketData() {
+  const validated = validateData()
+  const transformed = transformData(validated)
+  return saveData(transformed)
+}
+```
+
+### 2. Deep Nesting
+```typescript
+// ❌ BAD: 5+ levels of nesting
+if (user) {
+  if (user.isAdmin) {
+    if (market) {
+      if (market.isActive) {
+        if (hasPermission) {
+          // Do something
+        }
+      }
+    }
+  }
+}
+
+// ✅ GOOD: Early returns
+if (!user) return
+if (!user.isAdmin) return
+if (!market) return
+if (!market.isActive) return
+if (!hasPermission) return
+
+// Do something
+```
+
+### 3. Magic Numbers
+```typescript
+// ❌ BAD: Unexplained numbers
+if (retryCount > 3) { }
+setTimeout(callback, 500)
+
+// ✅ GOOD: Named constants
+const MAX_RETRIES = 3
+const DEBOUNCE_DELAY_MS = 500
+
+if (retryCount > MAX_RETRIES) { }
+setTimeout(callback, DEBOUNCE_DELAY_MS)
+```
+
+**Remember**: Code quality is not negotiable. Clear, maintainable code enables rapid development and confident refactoring.

.agents/skills/coding-standards/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Coding Standards"
+  short_description: "Universal coding standards and best practices"
+  brand_color: "#3B82F6"
+  default_prompt: "Apply standards: immutability, error handling, type safety"
+policy:
+  allow_implicit_invocation: true

.agents/skills/e2e-testing/SKILL.md

@@ -0,0 +1,326 @@
+---
+name: e2e-testing
+description: Playwright E2E testing patterns, Page Object Model, configuration, CI/CD integration, artifact management, and flaky test strategies.
+origin: ECC
+---
+
+# E2E Testing Patterns
+
+Comprehensive Playwright patterns for building stable, fast, and maintainable E2E test suites.
+
+## Test File Organization
+
+```
+tests/
+├── e2e/
+│   ├── auth/
+│   │   ├── login.spec.ts
+│   │   ├── logout.spec.ts
+│   │   └── register.spec.ts
+│   ├── features/
+│   │   ├── browse.spec.ts
+│   │   ├── search.spec.ts
+│   │   └── create.spec.ts
+│   └── api/
+│       └── endpoints.spec.ts
+├── fixtures/
+│   ├── auth.ts
+│   └── data.ts
+└── playwright.config.ts
+```
+
+## Page Object Model (POM)
+
+```typescript
+import { Page, Locator } from '@playwright/test'
+
+export class ItemsPage {
+  readonly page: Page
+  readonly searchInput: Locator
+  readonly itemCards: Locator
+  readonly createButton: Locator
+
+  constructor(page: Page) {
+    this.page = page
+    this.searchInput = page.locator('[data-testid="search-input"]')
+    this.itemCards = page.locator('[data-testid="item-card"]')
+    this.createButton = page.locator('[data-testid="create-btn"]')
+  }
+
+  async goto() {
+    await this.page.goto('/items')
+    await this.page.waitForLoadState('networkidle')
+  }
+
+  async search(query: string) {
+    await this.searchInput.fill(query)
+    await this.page.waitForResponse(resp => resp.url().includes('/api/search'))
+    await this.page.waitForLoadState('networkidle')
+  }
+
+  async getItemCount() {
+    return await this.itemCards.count()
+  }
+}
+```
+
+## Test Structure
+
+```typescript
+import { test, expect } from '@playwright/test'
+import { ItemsPage } from '../../pages/ItemsPage'
+
+test.describe('Item Search', () => {
+  let itemsPage: ItemsPage
+
+  test.beforeEach(async ({ page }) => {
+    itemsPage = new ItemsPage(page)
+    await itemsPage.goto()
+  })
+
+  test('should search by keyword', async ({ page }) => {
+    await itemsPage.search('test')
+
+    const count = await itemsPage.getItemCount()
+    expect(count).toBeGreaterThan(0)
+
+    await expect(itemsPage.itemCards.first()).toContainText(/test/i)
+    await page.screenshot({ path: 'artifacts/search-results.png' })
+  })
+
+  test('should handle no results', async ({ page }) => {
+    await itemsPage.search('xyznonexistent123')
+
+    await expect(page.locator('[data-testid="no-results"]')).toBeVisible()
+    expect(await itemsPage.getItemCount()).toBe(0)
+  })
+})
+```
+
+## Playwright Configuration
+
+```typescript
+import { defineConfig, devices } from '@playwright/test'
+
+export default defineConfig({
+  testDir: './tests/e2e',
+  fullyParallel: true,
+  forbidOnly: !!process.env.CI,
+  retries: process.env.CI ? 2 : 0,
+  workers: process.env.CI ? 1 : undefined,
+  reporter: [
+    ['html', { outputFolder: 'playwright-report' }],
+    ['junit', { outputFile: 'playwright-results.xml' }],
+    ['json', { outputFile: 'playwright-results.json' }]
+  ],
+  use: {
+    baseURL: process.env.BASE_URL || 'http://localhost:3000',
+    trace: 'on-first-retry',
+    screenshot: 'only-on-failure',
+    video: 'retain-on-failure',
+    actionTimeout: 10000,
+    navigationTimeout: 30000,
+  },
+  projects: [
+    { name: 'chromium', use: { ...devices['Desktop Chrome'] } },
+    { name: 'firefox', use: { ...devices['Desktop Firefox'] } },
+    { name: 'webkit', use: { ...devices['Desktop Safari'] } },
+    { name: 'mobile-chrome', use: { ...devices['Pixel 5'] } },
+  ],
+  webServer: {
+    command: 'npm run dev',
+    url: 'http://localhost:3000',
+    reuseExistingServer: !process.env.CI,
+    timeout: 120000,
+  },
+})
+```
+
+## Flaky Test Patterns
+
+### Quarantine
+
+```typescript
+test('flaky: complex search', async ({ page }) => {
+  test.fixme(true, 'Flaky - Issue #123')
+  // test code...
+})
+
+test('conditional skip', async ({ page }) => {
+  test.skip(process.env.CI, 'Flaky in CI - Issue #123')
+  // test code...
+})
+```
+
+### Identify Flakiness
+
+```bash
+npx playwright test tests/search.spec.ts --repeat-each=10
+npx playwright test tests/search.spec.ts --retries=3
+```
+
+### Common Causes & Fixes
+
+**Race conditions:**
+```typescript
+// Bad: assumes element is ready
+await page.click('[data-testid="button"]')
+
+// Good: auto-wait locator
+await page.locator('[data-testid="button"]').click()
+```
+
+**Network timing:**
+```typescript
+// Bad: arbitrary timeout
+await page.waitForTimeout(5000)
+
+// Good: wait for specific condition
+await page.waitForResponse(resp => resp.url().includes('/api/data'))
+```
+
+**Animation timing:**
+```typescript
+// Bad: click during animation
+await page.click('[data-testid="menu-item"]')
+
+// Good: wait for stability
+await page.locator('[data-testid="menu-item"]').waitFor({ state: 'visible' })
+await page.waitForLoadState('networkidle')
+await page.locator('[data-testid="menu-item"]').click()
+```
+
+## Artifact Management
+
+### Screenshots
+
+```typescript
+await page.screenshot({ path: 'artifacts/after-login.png' })
+await page.screenshot({ path: 'artifacts/full-page.png', fullPage: true })
+await page.locator('[data-testid="chart"]').screenshot({ path: 'artifacts/chart.png' })
+```
+
+### Traces
+
+```typescript
+await browser.startTracing(page, {
+  path: 'artifacts/trace.json',
+  screenshots: true,
+  snapshots: true,
+})
+// ... test actions ...
+await browser.stopTracing()
+```
+
+### Video
+
+```typescript
+// In playwright.config.ts
+use: {
+  video: 'retain-on-failure',
+  videosPath: 'artifacts/videos/'
+}
+```
+
+## CI/CD Integration
+
+```yaml
+# .github/workflows/e2e.yml
+name: E2E Tests
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - run: npm ci
+      - run: npx playwright install --with-deps
+      - run: npx playwright test
+        env:
+          BASE_URL: ${{ vars.STAGING_URL }}
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 30
+```
+
+## Test Report Template
+
+```markdown
+# E2E Test Report
+
+**Date:** YYYY-MM-DD HH:MM
+**Duration:** Xm Ys
+**Status:** PASSING / FAILING
+
+## Summary
+- Total: X | Passed: Y (Z%) | Failed: A | Flaky: B | Skipped: C
+
+## Failed Tests
+
+### test-name
+**File:** `tests/e2e/feature.spec.ts:45`
+**Error:** Expected element to be visible
+**Screenshot:** artifacts/failed.png
+**Recommended Fix:** [description]
+
+## Artifacts
+- HTML Report: playwright-report/index.html
+- Screenshots: artifacts/*.png
+- Videos: artifacts/videos/*.webm
+- Traces: artifacts/*.zip
+```
+
+## Wallet / Web3 Testing
+
+```typescript
+test('wallet connection', async ({ page, context }) => {
+  // Mock wallet provider
+  await context.addInitScript(() => {
+    window.ethereum = {
+      isMetaMask: true,
+      request: async ({ method }) => {
+        if (method === 'eth_requestAccounts')
+          return ['0x1234567890123456789012345678901234567890']
+        if (method === 'eth_chainId') return '0x1'
+      }
+    }
+  })
+
+  await page.goto('/')
+  await page.locator('[data-testid="connect-wallet"]').click()
+  await expect(page.locator('[data-testid="wallet-address"]')).toContainText('0x1234')
+})
+```
+
+## Financial / Critical Flow Testing
+
+```typescript
+test('trade execution', async ({ page }) => {
+  // Skip on production — real money
+  test.skip(process.env.NODE_ENV === 'production', 'Skip on production')
+
+  await page.goto('/markets/test-market')
+  await page.locator('[data-testid="position-yes"]').click()
+  await page.locator('[data-testid="trade-amount"]').fill('1.0')
+
+  // Verify preview
+  const preview = page.locator('[data-testid="trade-preview"]')
+  await expect(preview).toContainText('1.0')
+
+  // Confirm and wait for blockchain
+  await page.locator('[data-testid="confirm-trade"]').click()
+  await page.waitForResponse(
+    resp => resp.url().includes('/api/trade') && resp.status() === 200,
+    { timeout: 30000 }
+  )
+
+  await expect(page.locator('[data-testid="trade-success"]')).toBeVisible()
+})
+```

.agents/skills/e2e-testing/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "E2E Testing"
+  short_description: "Playwright end-to-end testing"
+  brand_color: "#06B6D4"
+  default_prompt: "Generate Playwright E2E tests with Page Object Model"
+policy:
+  allow_implicit_invocation: true

.agents/skills/eval-harness/SKILL.md

@@ -0,0 +1,236 @@
+---
+name: eval-harness
+description: Formal evaluation framework for Claude Code sessions implementing eval-driven development (EDD) principles
+origin: ECC
+tools: Read, Write, Edit, Bash, Grep, Glob
+---
+
+# Eval Harness Skill
+
+A formal evaluation framework for Claude Code sessions, implementing eval-driven development (EDD) principles.
+
+## When to Activate
+
+- Setting up eval-driven development (EDD) for AI-assisted workflows
+- Defining pass/fail criteria for Claude Code task completion
+- Measuring agent reliability with pass@k metrics
+- Creating regression test suites for prompt or agent changes
+- Benchmarking agent performance across model versions
+
+## Philosophy
+
+Eval-Driven Development treats evals as the "unit tests of AI development":
+- Define expected behavior BEFORE implementation
+- Run evals continuously during development
+- Track regressions with each change
+- Use pass@k metrics for reliability measurement
+
+## Eval Types
+
+### Capability Evals
+Test if Claude can do something it couldn't before:
+```markdown
+[CAPABILITY EVAL: feature-name]
+Task: Description of what Claude should accomplish
+Success Criteria:
+  - [ ] Criterion 1
+  - [ ] Criterion 2
+  - [ ] Criterion 3
+Expected Output: Description of expected result
+```
+
+### Regression Evals
+Ensure changes don't break existing functionality:
+```markdown
+[REGRESSION EVAL: feature-name]
+Baseline: SHA or checkpoint name
+Tests:
+  - existing-test-1: PASS/FAIL
+  - existing-test-2: PASS/FAIL
+  - existing-test-3: PASS/FAIL
+Result: X/Y passed (previously Y/Y)
+```
+
+## Grader Types
+
+### 1. Code-Based Grader
+Deterministic checks using code:
+```bash
+# Check if file contains expected pattern
+grep -q "export function handleAuth" src/auth.ts && echo "PASS" || echo "FAIL"
+
+# Check if tests pass
+npm test -- --testPathPattern="auth" && echo "PASS" || echo "FAIL"
+
+# Check if build succeeds
+npm run build && echo "PASS" || echo "FAIL"
+```
+
+### 2. Model-Based Grader
+Use Claude to evaluate open-ended outputs:
+```markdown
+[MODEL GRADER PROMPT]
+Evaluate the following code change:
+1. Does it solve the stated problem?
+2. Is it well-structured?
+3. Are edge cases handled?
+4. Is error handling appropriate?
+
+Score: 1-5 (1=poor, 5=excellent)
+Reasoning: [explanation]
+```
+
+### 3. Human Grader
+Flag for manual review:
+```markdown
+[HUMAN REVIEW REQUIRED]
+Change: Description of what changed
+Reason: Why human review is needed
+Risk Level: LOW/MEDIUM/HIGH
+```
+
+## Metrics
+
+### pass@k
+"At least one success in k attempts"
+- pass@1: First attempt success rate
+- pass@3: Success within 3 attempts
+- Typical target: pass@3 > 90%
+
+### pass^k
+"All k trials succeed"
+- Higher bar for reliability
+- pass^3: 3 consecutive successes
+- Use for critical paths
+
+## Eval Workflow
+
+### 1. Define (Before Coding)
+```markdown
+## EVAL DEFINITION: feature-xyz
+
+### Capability Evals
+1. Can create new user account
+2. Can validate email format
+3. Can hash password securely
+
+### Regression Evals
+1. Existing login still works
+2. Session management unchanged
+3. Logout flow intact
+
+### Success Metrics
+- pass@3 > 90% for capability evals
+- pass^3 = 100% for regression evals
+```
+
+### 2. Implement
+Write code to pass the defined evals.
+
+### 3. Evaluate
+```bash
+# Run capability evals
+[Run each capability eval, record PASS/FAIL]
+
+# Run regression evals
+npm test -- --testPathPattern="existing"
+
+# Generate report
+```
+
+### 4. Report
+```markdown
+EVAL REPORT: feature-xyz
+========================
+
+Capability Evals:
+  create-user:     PASS (pass@1)
+  validate-email:  PASS (pass@2)
+  hash-password:   PASS (pass@1)
+  Overall:         3/3 passed
+
+Regression Evals:
+  login-flow:      PASS
+  session-mgmt:    PASS
+  logout-flow:     PASS
+  Overall:         3/3 passed
+
+Metrics:
+  pass@1: 67% (2/3)
+  pass@3: 100% (3/3)
+
+Status: READY FOR REVIEW
+```
+
+## Integration Patterns
+
+### Pre-Implementation
+```
+/eval define feature-name
+```
+Creates eval definition file at `.claude/evals/feature-name.md`
+
+### During Implementation
+```
+/eval check feature-name
+```
+Runs current evals and reports status
+
+### Post-Implementation
+```
+/eval report feature-name
+```
+Generates full eval report
+
+## Eval Storage
+
+Store evals in project:
+```
+.claude/
+  evals/
+    feature-xyz.md      # Eval definition
+    feature-xyz.log     # Eval run history
+    baseline.json       # Regression baselines
+```
+
+## Best Practices
+
+1. **Define evals BEFORE coding** - Forces clear thinking about success criteria
+2. **Run evals frequently** - Catch regressions early
+3. **Track pass@k over time** - Monitor reliability trends
+4. **Use code graders when possible** - Deterministic > probabilistic
+5. **Human review for security** - Never fully automate security checks
+6. **Keep evals fast** - Slow evals don't get run
+7. **Version evals with code** - Evals are first-class artifacts
+
+## Example: Adding Authentication
+
+```markdown
+## EVAL: add-authentication
+
+### Phase 1: Define (10 min)
+Capability Evals:
+- [ ] User can register with email/password
+- [ ] User can login with valid credentials
+- [ ] Invalid credentials rejected with proper error
+- [ ] Sessions persist across page reloads
+- [ ] Logout clears session
+
+Regression Evals:
+- [ ] Public routes still accessible
+- [ ] API responses unchanged
+- [ ] Database schema compatible
+
+### Phase 2: Implement (varies)
+[Write code]
+
+### Phase 3: Evaluate
+Run: /eval check add-authentication
+
+### Phase 4: Report
+EVAL REPORT: add-authentication
+==============================
+Capability: 5/5 passed (pass@3: 100%)
+Regression: 3/3 passed (pass^3: 100%)
+Status: SHIP IT
+```

.agents/skills/eval-harness/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Eval Harness"
+  short_description: "Eval-driven development with pass/fail criteria"
+  brand_color: "#EC4899"
+  default_prompt: "Set up eval-driven development with pass/fail criteria"
+policy:
+  allow_implicit_invocation: true

.agents/skills/frontend-patterns/SKILL.md

@@ -0,0 +1,642 @@
+---
+name: frontend-patterns
+description: Frontend development patterns for React, Next.js, state management, performance optimization, and UI best practices.
+origin: ECC
+---
+
+# Frontend Development Patterns
+
+Modern frontend patterns for React, Next.js, and performant user interfaces.
+
+## When to Activate
+
+- Building React components (composition, props, rendering)
+- Managing state (useState, useReducer, Zustand, Context)
+- Implementing data fetching (SWR, React Query, server components)
+- Optimizing performance (memoization, virtualization, code splitting)
+- Working with forms (validation, controlled inputs, Zod schemas)
+- Handling client-side routing and navigation
+- Building accessible, responsive UI patterns
+
+## Component Patterns
+
+### Composition Over Inheritance
+
+```typescript
+// ✅ GOOD: Component composition
+interface CardProps {
+  children: React.ReactNode
+  variant?: 'default' | 'outlined'
+}
+
+export function Card({ children, variant = 'default' }: CardProps) {
+  return <div className={`card card-${variant}`}>{children}</div>
+}
+
+export function CardHeader({ children }: { children: React.ReactNode }) {
+  return <div className="card-header">{children}</div>
+}
+
+export function CardBody({ children }: { children: React.ReactNode }) {
+  return <div className="card-body">{children}</div>
+}
+
+// Usage
+<Card>
+  <CardHeader>Title</CardHeader>
+  <CardBody>Content</CardBody>
+</Card>
+```
+
+### Compound Components
+
+```typescript
+interface TabsContextValue {
+  activeTab: string
+  setActiveTab: (tab: string) => void
+}
+
+const TabsContext = createContext<TabsContextValue | undefined>(undefined)
+
+export function Tabs({ children, defaultTab }: {
+  children: React.ReactNode
+  defaultTab: string
+}) {
+  const [activeTab, setActiveTab] = useState(defaultTab)
+
+  return (
+    <TabsContext.Provider value={{ activeTab, setActiveTab }}>
+      {children}
+    </TabsContext.Provider>
+  )
+}
+
+export function TabList({ children }: { children: React.ReactNode }) {
+  return <div className="tab-list">{children}</div>
+}
+
+export function Tab({ id, children }: { id: string, children: React.ReactNode }) {
+  const context = useContext(TabsContext)
+  if (!context) throw new Error('Tab must be used within Tabs')
+
+  return (
+    <button
+      className={context.activeTab === id ? 'active' : ''}
+      onClick={() => context.setActiveTab(id)}
+    >
+      {children}
+    </button>
+  )
+}
+
+// Usage
+<Tabs defaultTab="overview">
+  <TabList>
+    <Tab id="overview">Overview</Tab>
+    <Tab id="details">Details</Tab>
+  </TabList>
+</Tabs>
+```
+
+### Render Props Pattern
+
+```typescript
+interface DataLoaderProps<T> {
+  url: string
+  children: (data: T | null, loading: boolean, error: Error | null) => React.ReactNode
+}
+
+export function DataLoader<T>({ url, children }: DataLoaderProps<T>) {
+  const [data, setData] = useState<T | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<Error | null>(null)
+
+  useEffect(() => {
+    fetch(url)
+      .then(res => res.json())
+      .then(setData)
+      .catch(setError)
+      .finally(() => setLoading(false))
+  }, [url])
+
+  return <>{children(data, loading, error)}</>
+}
+
+// Usage
+<DataLoader<Market[]> url="/api/markets">
+  {(markets, loading, error) => {
+    if (loading) return <Spinner />
+    if (error) return <Error error={error} />
+    return <MarketList markets={markets!} />
+  }}
+</DataLoader>
+```
+
+## Custom Hooks Patterns
+
+### State Management Hook
+
+```typescript
+export function useToggle(initialValue = false): [boolean, () => void] {
+  const [value, setValue] = useState(initialValue)
+
+  const toggle = useCallback(() => {
+    setValue(v => !v)
+  }, [])
+
+  return [value, toggle]
+}
+
+// Usage
+const [isOpen, toggleOpen] = useToggle()
+```
+
+### Async Data Fetching Hook
+
+```typescript
+interface UseQueryOptions<T> {
+  onSuccess?: (data: T) => void
+  onError?: (error: Error) => void
+  enabled?: boolean
+}
+
+export function useQuery<T>(
+  key: string,
+  fetcher: () => Promise<T>,
+  options?: UseQueryOptions<T>
+) {
+  const [data, setData] = useState<T | null>(null)
+  const [error, setError] = useState<Error | null>(null)
+  const [loading, setLoading] = useState(false)
+
+  const refetch = useCallback(async () => {
+    setLoading(true)
+    setError(null)
+
+    try {
+      const result = await fetcher()
+      setData(result)
+      options?.onSuccess?.(result)
+    } catch (err) {
+      const error = err as Error
+      setError(error)
+      options?.onError?.(error)
+    } finally {
+      setLoading(false)
+    }
+  }, [fetcher, options])
+
+  useEffect(() => {
+    if (options?.enabled !== false) {
+      refetch()
+    }
+  }, [key, refetch, options?.enabled])
+
+  return { data, error, loading, refetch }
+}
+
+// Usage
+const { data: markets, loading, error, refetch } = useQuery(
+  'markets',
+  () => fetch('/api/markets').then(r => r.json()),
+  {
+    onSuccess: data => console.log('Fetched', data.length, 'markets'),
+    onError: err => console.error('Failed:', err)
+  }
+)
+```
+
+### Debounce Hook
+
+```typescript
+export function useDebounce<T>(value: T, delay: number): T {
+  const [debouncedValue, setDebouncedValue] = useState<T>(value)
+
+  useEffect(() => {
+    const handler = setTimeout(() => {
+      setDebouncedValue(value)
+    }, delay)
+
+    return () => clearTimeout(handler)
+  }, [value, delay])
+
+  return debouncedValue
+}
+
+// Usage
+const [searchQuery, setSearchQuery] = useState('')
+const debouncedQuery = useDebounce(searchQuery, 500)
+
+useEffect(() => {
+  if (debouncedQuery) {
+    performSearch(debouncedQuery)
+  }
+}, [debouncedQuery])
+```
+
+## State Management Patterns
+
+### Context + Reducer Pattern
+
+```typescript
+interface State {
+  markets: Market[]
+  selectedMarket: Market | null
+  loading: boolean
+}
+
+type Action =
+  | { type: 'SET_MARKETS'; payload: Market[] }
+  | { type: 'SELECT_MARKET'; payload: Market }
+  | { type: 'SET_LOADING'; payload: boolean }
+
+function reducer(state: State, action: Action): State {
+  switch (action.type) {
+    case 'SET_MARKETS':
+      return { ...state, markets: action.payload }
+    case 'SELECT_MARKET':
+      return { ...state, selectedMarket: action.payload }
+    case 'SET_LOADING':
+      return { ...state, loading: action.payload }
+    default:
+      return state
+  }
+}
+
+const MarketContext = createContext<{
+  state: State
+  dispatch: Dispatch<Action>
+} | undefined>(undefined)
+
+export function MarketProvider({ children }: { children: React.ReactNode }) {
+  const [state, dispatch] = useReducer(reducer, {
+    markets: [],
+    selectedMarket: null,
+    loading: false
+  })
+
+  return (
+    <MarketContext.Provider value={{ state, dispatch }}>
+      {children}
+    </MarketContext.Provider>
+  )
+}
+
+export function useMarkets() {
+  const context = useContext(MarketContext)
+  if (!context) throw new Error('useMarkets must be used within MarketProvider')
+  return context
+}
+```
+
+## Performance Optimization
+
+### Memoization
+
+```typescript
+// ✅ useMemo for expensive computations
+const sortedMarkets = useMemo(() => {
+  return markets.sort((a, b) => b.volume - a.volume)
+}, [markets])
+
+// ✅ useCallback for functions passed to children
+const handleSearch = useCallback((query: string) => {
+  setSearchQuery(query)
+}, [])
+
+// ✅ React.memo for pure components
+export const MarketCard = React.memo<MarketCardProps>(({ market }) => {
+  return (
+    <div className="market-card">
+      <h3>{market.name}</h3>
+      <p>{market.description}</p>
+    </div>
+  )
+})
+```
+
+### Code Splitting & Lazy Loading
+
+```typescript
+import { lazy, Suspense } from 'react'
+
+// ✅ Lazy load heavy components
+const HeavyChart = lazy(() => import('./HeavyChart'))
+const ThreeJsBackground = lazy(() => import('./ThreeJsBackground'))
+
+export function Dashboard() {
+  return (
+    <div>
+      <Suspense fallback={<ChartSkeleton />}>
+        <HeavyChart data={data} />
+      </Suspense>
+
+      <Suspense fallback={null}>
+        <ThreeJsBackground />
+      </Suspense>
+    </div>
+  )
+}
+```
+
+### Virtualization for Long Lists
+
+```typescript
+import { useVirtualizer } from '@tanstack/react-virtual'
+
+export function VirtualMarketList({ markets }: { markets: Market[] }) {
+  const parentRef = useRef<HTMLDivElement>(null)
+
+  const virtualizer = useVirtualizer({
+    count: markets.length,
+    getScrollElement: () => parentRef.current,
+    estimateSize: () => 100,  // Estimated row height
+    overscan: 5  // Extra items to render
+  })
+
+  return (
+    <div ref={parentRef} style={{ height: '600px', overflow: 'auto' }}>
+      <div
+        style={{
+          height: `${virtualizer.getTotalSize()}px`,
+          position: 'relative'
+        }}
+      >
+        {virtualizer.getVirtualItems().map(virtualRow => (
+          <div
+            key={virtualRow.index}
+            style={{
+              position: 'absolute',
+              top: 0,
+              left: 0,
+              width: '100%',
+              height: `${virtualRow.size}px`,
+              transform: `translateY(${virtualRow.start}px)`
+            }}
+          >
+            <MarketCard market={markets[virtualRow.index]} />
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}
+```
+
+## Form Handling Patterns
+
+### Controlled Form with Validation
+
+```typescript
+interface FormData {
+  name: string
+  description: string
+  endDate: string
+}
+
+interface FormErrors {
+  name?: string
+  description?: string
+  endDate?: string
+}
+
+export function CreateMarketForm() {
+  const [formData, setFormData] = useState<FormData>({
+    name: '',
+    description: '',
+    endDate: ''
+  })
+
+  const [errors, setErrors] = useState<FormErrors>({})
+
+  const validate = (): boolean => {
+    const newErrors: FormErrors = {}
+
+    if (!formData.name.trim()) {
+      newErrors.name = 'Name is required'
+    } else if (formData.name.length > 200) {
+      newErrors.name = 'Name must be under 200 characters'
+    }
+
+    if (!formData.description.trim()) {
+      newErrors.description = 'Description is required'
+    }
+
+    if (!formData.endDate) {
+      newErrors.endDate = 'End date is required'
+    }
+
+    setErrors(newErrors)
+    return Object.keys(newErrors).length === 0
+  }
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+
+    if (!validate()) return
+
+    try {
+      await createMarket(formData)
+      // Success handling
+    } catch (error) {
+      // Error handling
+    }
+  }
+
+  return (
+    <form onSubmit={handleSubmit}>
+      <input
+        value={formData.name}
+        onChange={e => setFormData(prev => ({ ...prev, name: e.target.value }))}
+        placeholder="Market name"
+      />
+      {errors.name && <span className="error">{errors.name}</span>}
+
+      {/* Other fields */}
+
+      <button type="submit">Create Market</button>
+    </form>
+  )
+}
+```
+
+## Error Boundary Pattern
+
+```typescript
+interface ErrorBoundaryState {
+  hasError: boolean
+  error: Error | null
+}
+
+export class ErrorBoundary extends React.Component<
+  { children: React.ReactNode },
+  ErrorBoundaryState
+> {
+  state: ErrorBoundaryState = {
+    hasError: false,
+    error: null
+  }
+
+  static getDerivedStateFromError(error: Error): ErrorBoundaryState {
+    return { hasError: true, error }
+  }
+
+  componentDidCatch(error: Error, errorInfo: React.ErrorInfo) {
+    console.error('Error boundary caught:', error, errorInfo)
+  }
+
+  render() {
+    if (this.state.hasError) {
+      return (
+        <div className="error-fallback">
+          <h2>Something went wrong</h2>
+          <p>{this.state.error?.message}</p>
+          <button onClick={() => this.setState({ hasError: false })}>
+            Try again
+          </button>
+        </div>
+      )
+    }
+
+    return this.props.children
+  }
+}
+
+// Usage
+<ErrorBoundary>
+  <App />
+</ErrorBoundary>
+```
+
+## Animation Patterns
+
+### Framer Motion Animations
+
+```typescript
+import { motion, AnimatePresence } from 'framer-motion'
+
+// ✅ List animations
+export function AnimatedMarketList({ markets }: { markets: Market[] }) {
+  return (
+    <AnimatePresence>
+      {markets.map(market => (
+        <motion.div
+          key={market.id}
+          initial={{ opacity: 0, y: 20 }}
+          animate={{ opacity: 1, y: 0 }}
+          exit={{ opacity: 0, y: -20 }}
+          transition={{ duration: 0.3 }}
+        >
+          <MarketCard market={market} />
+        </motion.div>
+      ))}
+    </AnimatePresence>
+  )
+}
+
+// ✅ Modal animations
+export function Modal({ isOpen, onClose, children }: ModalProps) {
+  return (
+    <AnimatePresence>
+      {isOpen && (
+        <>
+          <motion.div
+            className="modal-overlay"
+            initial={{ opacity: 0 }}
+            animate={{ opacity: 1 }}
+            exit={{ opacity: 0 }}
+            onClick={onClose}
+          />
+          <motion.div
+            className="modal-content"
+            initial={{ opacity: 0, scale: 0.9, y: 20 }}
+            animate={{ opacity: 1, scale: 1, y: 0 }}
+            exit={{ opacity: 0, scale: 0.9, y: 20 }}
+          >
+            {children}
+          </motion.div>
+        </>
+      )}
+    </AnimatePresence>
+  )
+}
+```
+
+## Accessibility Patterns
+
+### Keyboard Navigation
+
+```typescript
+export function Dropdown({ options, onSelect }: DropdownProps) {
+  const [isOpen, setIsOpen] = useState(false)
+  const [activeIndex, setActiveIndex] = useState(0)
+
+  const handleKeyDown = (e: React.KeyboardEvent) => {
+    switch (e.key) {
+      case 'ArrowDown':
+        e.preventDefault()
+        setActiveIndex(i => Math.min(i + 1, options.length - 1))
+        break
+      case 'ArrowUp':
+        e.preventDefault()
+        setActiveIndex(i => Math.max(i - 1, 0))
+        break
+      case 'Enter':
+        e.preventDefault()
+        onSelect(options[activeIndex])
+        setIsOpen(false)
+        break
+      case 'Escape':
+        setIsOpen(false)
+        break
+    }
+  }
+
+  return (
+    <div
+      role="combobox"
+      aria-expanded={isOpen}
+      aria-haspopup="listbox"
+      onKeyDown={handleKeyDown}
+    >
+      {/* Dropdown implementation */}
+    </div>
+  )
+}
+```
+
+### Focus Management
+
+```typescript
+export function Modal({ isOpen, onClose, children }: ModalProps) {
+  const modalRef = useRef<HTMLDivElement>(null)
+  const previousFocusRef = useRef<HTMLElement | null>(null)
+
+  useEffect(() => {
+    if (isOpen) {
+      // Save currently focused element
+      previousFocusRef.current = document.activeElement as HTMLElement
+
+      // Focus modal
+      modalRef.current?.focus()
+    } else {
+      // Restore focus when closing
+      previousFocusRef.current?.focus()
+    }
+  }, [isOpen])
+
+  return isOpen ? (
+    <div
+      ref={modalRef}
+      role="dialog"
+      aria-modal="true"
+      tabIndex={-1}
+      onKeyDown={e => e.key === 'Escape' && onClose()}
+    >
+      {children}
+    </div>
+  ) : null
+}
+```
+
+**Remember**: Modern frontend patterns enable maintainable, performant user interfaces. Choose patterns that fit your project complexity.

.agents/skills/frontend-patterns/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Frontend Patterns"
+  short_description: "React and Next.js patterns and best practices"
+  brand_color: "#8B5CF6"
+  default_prompt: "Apply React/Next.js patterns and best practices"
+policy:
+  allow_implicit_invocation: true

.agents/skills/security-review/SKILL.md

@@ -0,0 +1,495 @@
+---
+name: security-review
+description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
+origin: ECC
+---
+
+# Security Review Skill
+
+This skill ensures all code follows security best practices and identifies potential vulnerabilities.
+
+## When to Activate
+
+- Implementing authentication or authorization
+- Handling user input or file uploads
+- Creating new API endpoints
+- Working with secrets or credentials
+- Implementing payment features
+- Storing or transmitting sensitive data
+- Integrating third-party APIs
+
+## Security Checklist
+
+### 1. Secrets Management
+
+#### ❌ NEVER Do This
+```typescript
+const apiKey = "sk-proj-xxxxx"  // Hardcoded secret
+const dbPassword = "password123" // In source code
+```
+
+#### ✅ ALWAYS Do This
+```typescript
+const apiKey = process.env.OPENAI_API_KEY
+const dbUrl = process.env.DATABASE_URL
+
+// Verify secrets exist
+if (!apiKey) {
+  throw new Error('OPENAI_API_KEY not configured')
+}
+```
+
+#### Verification Steps
+- [ ] No hardcoded API keys, tokens, or passwords
+- [ ] All secrets in environment variables
+- [ ] `.env.local` in .gitignore
+- [ ] No secrets in git history
+- [ ] Production secrets in hosting platform (Vercel, Railway)
+
+### 2. Input Validation
+
+#### Always Validate User Input
+```typescript
+import { z } from 'zod'
+
+// Define validation schema
+const CreateUserSchema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1).max(100),
+  age: z.number().int().min(0).max(150)
+})
+
+// Validate before processing
+export async function createUser(input: unknown) {
+  try {
+    const validated = CreateUserSchema.parse(input)
+    return await db.users.create(validated)
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      return { success: false, errors: error.errors }
+    }
+    throw error
+  }
+}
+```
+
+#### File Upload Validation
+```typescript
+function validateFileUpload(file: File) {
+  // Size check (5MB max)
+  const maxSize = 5 * 1024 * 1024
+  if (file.size > maxSize) {
+    throw new Error('File too large (max 5MB)')
+  }
+
+  // Type check
+  const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
+  if (!allowedTypes.includes(file.type)) {
+    throw new Error('Invalid file type')
+  }
+
+  // Extension check
+  const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
+  const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
+  if (!extension || !allowedExtensions.includes(extension)) {
+    throw new Error('Invalid file extension')
+  }
+
+  return true
+}
+```
+
+#### Verification Steps
+- [ ] All user inputs validated with schemas
+- [ ] File uploads restricted (size, type, extension)
+- [ ] No direct use of user input in queries
+- [ ] Whitelist validation (not blacklist)
+- [ ] Error messages don't leak sensitive info
+
+### 3. SQL Injection Prevention
+
+#### ❌ NEVER Concatenate SQL
+```typescript
+// DANGEROUS - SQL Injection vulnerability
+const query = `SELECT * FROM users WHERE email = '${userEmail}'`
+await db.query(query)
+```
+
+#### ✅ ALWAYS Use Parameterized Queries
+```typescript
+// Safe - parameterized query
+const { data } = await supabase
+  .from('users')
+  .select('*')
+  .eq('email', userEmail)
+
+// Or with raw SQL
+await db.query(
+  'SELECT * FROM users WHERE email = $1',
+  [userEmail]
+)
+```
+
+#### Verification Steps
+- [ ] All database queries use parameterized queries
+- [ ] No string concatenation in SQL
+- [ ] ORM/query builder used correctly
+- [ ] Supabase queries properly sanitized
+
+### 4. Authentication & Authorization
+
+#### JWT Token Handling
+```typescript
+// ❌ WRONG: localStorage (vulnerable to XSS)
+localStorage.setItem('token', token)
+
+// ✅ CORRECT: httpOnly cookies
+res.setHeader('Set-Cookie',
+  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
+```
+
+#### Authorization Checks
+```typescript
+export async function deleteUser(userId: string, requesterId: string) {
+  // ALWAYS verify authorization first
+  const requester = await db.users.findUnique({
+    where: { id: requesterId }
+  })
+
+  if (requester.role !== 'admin') {
+    return NextResponse.json(
+      { error: 'Unauthorized' },
+      { status: 403 }
+    )
+  }
+
+  // Proceed with deletion
+  await db.users.delete({ where: { id: userId } })
+}
+```
+
+#### Row Level Security (Supabase)
+```sql
+-- Enable RLS on all tables
+ALTER TABLE users ENABLE ROW LEVEL SECURITY;
+
+-- Users can only view their own data
+CREATE POLICY "Users view own data"
+  ON users FOR SELECT
+  USING (auth.uid() = id);
+
+-- Users can only update their own data
+CREATE POLICY "Users update own data"
+  ON users FOR UPDATE
+  USING (auth.uid() = id);
+```
+
+#### Verification Steps
+- [ ] Tokens stored in httpOnly cookies (not localStorage)
+- [ ] Authorization checks before sensitive operations
+- [ ] Row Level Security enabled in Supabase
+- [ ] Role-based access control implemented
+- [ ] Session management secure
+
+### 5. XSS Prevention
+
+#### Sanitize HTML
+```typescript
+import DOMPurify from 'isomorphic-dompurify'
+
+// ALWAYS sanitize user-provided HTML
+function renderUserContent(html: string) {
+  const clean = DOMPurify.sanitize(html, {
+    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
+    ALLOWED_ATTR: []
+  })
+  return <div dangerouslySetInnerHTML={{ __html: clean }} />
+}
+```
+
+#### Content Security Policy
+```typescript
+// next.config.js
+const securityHeaders = [
+  {
+    key: 'Content-Security-Policy',
+    value: `
+      default-src 'self';
+      script-src 'self' 'unsafe-eval' 'unsafe-inline';
+      style-src 'self' 'unsafe-inline';
+      img-src 'self' data: https:;
+      font-src 'self';
+      connect-src 'self' https://api.example.com;
+    `.replace(/\s{2,}/g, ' ').trim()
+  }
+]
+```
+
+#### Verification Steps
+- [ ] User-provided HTML sanitized
+- [ ] CSP headers configured
+- [ ] No unvalidated dynamic content rendering
+- [ ] React's built-in XSS protection used
+
+### 6. CSRF Protection
+
+#### CSRF Tokens
+```typescript
+import { csrf } from '@/lib/csrf'
+
+export async function POST(request: Request) {
+  const token = request.headers.get('X-CSRF-Token')
+
+  if (!csrf.verify(token)) {
+    return NextResponse.json(
+      { error: 'Invalid CSRF token' },
+      { status: 403 }
+    )
+  }
+
+  // Process request
+}
+```
+
+#### SameSite Cookies
+```typescript
+res.setHeader('Set-Cookie',
+  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)
+```
+
+#### Verification Steps
+- [ ] CSRF tokens on state-changing operations
+- [ ] SameSite=Strict on all cookies
+- [ ] Double-submit cookie pattern implemented
+
+### 7. Rate Limiting
+
+#### API Rate Limiting
+```typescript
+import rateLimit from 'express-rate-limit'
+
+const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // 100 requests per window
+  message: 'Too many requests'
+})
+
+// Apply to routes
+app.use('/api/', limiter)
+```
+
+#### Expensive Operations
+```typescript
+// Aggressive rate limiting for searches
+const searchLimiter = rateLimit({
+  windowMs: 60 * 1000, // 1 minute
+  max: 10, // 10 requests per minute
+  message: 'Too many search requests'
+})
+
+app.use('/api/search', searchLimiter)
+```
+
+#### Verification Steps
+- [ ] Rate limiting on all API endpoints
+- [ ] Stricter limits on expensive operations
+- [ ] IP-based rate limiting
+- [ ] User-based rate limiting (authenticated)
+
+### 8. Sensitive Data Exposure
+
+#### Logging
+```typescript
+// ❌ WRONG: Logging sensitive data
+console.log('User login:', { email, password })
+console.log('Payment:', { cardNumber, cvv })
+
+// ✅ CORRECT: Redact sensitive data
+console.log('User login:', { email, userId })
+console.log('Payment:', { last4: card.last4, userId })
+```
+
+#### Error Messages
+```typescript
+// ❌ WRONG: Exposing internal details
+catch (error) {
+  return NextResponse.json(
+    { error: error.message, stack: error.stack },
+    { status: 500 }
+  )
+}
+
+// ✅ CORRECT: Generic error messages
+catch (error) {
+  console.error('Internal error:', error)
+  return NextResponse.json(
+    { error: 'An error occurred. Please try again.' },
+    { status: 500 }
+  )
+}
+```
+
+#### Verification Steps
+- [ ] No passwords, tokens, or secrets in logs
+- [ ] Error messages generic for users
+- [ ] Detailed errors only in server logs
+- [ ] No stack traces exposed to users
+
+### 9. Blockchain Security (Solana)
+
+#### Wallet Verification
+```typescript
+import { verify } from '@solana/web3.js'
+
+async function verifyWalletOwnership(
+  publicKey: string,
+  signature: string,
+  message: string
+) {
+  try {
+    const isValid = verify(
+      Buffer.from(message),
+      Buffer.from(signature, 'base64'),
+      Buffer.from(publicKey, 'base64')
+    )
+    return isValid
+  } catch (error) {
+    return false
+  }
+}
+```
+
+#### Transaction Verification
+```typescript
+async function verifyTransaction(transaction: Transaction) {
+  // Verify recipient
+  if (transaction.to !== expectedRecipient) {
+    throw new Error('Invalid recipient')
+  }
+
+  // Verify amount
+  if (transaction.amount > maxAmount) {
+    throw new Error('Amount exceeds limit')
+  }
+
+  // Verify user has sufficient balance
+  const balance = await getBalance(transaction.from)
+  if (balance < transaction.amount) {
+    throw new Error('Insufficient balance')
+  }
+
+  return true
+}
+```
+
+#### Verification Steps
+- [ ] Wallet signatures verified
+- [ ] Transaction details validated
+- [ ] Balance checks before transactions
+- [ ] No blind transaction signing
+
+### 10. Dependency Security
+
+#### Regular Updates
+```bash
+# Check for vulnerabilities
+npm audit
+
+# Fix automatically fixable issues
+npm audit fix
+
+# Update dependencies
+npm update
+
+# Check for outdated packages
+npm outdated
+```
+
+#### Lock Files
+```bash
+# ALWAYS commit lock files
+git add package-lock.json
+
+# Use in CI/CD for reproducible builds
+npm ci  # Instead of npm install
+```
+
+#### Verification Steps
+- [ ] Dependencies up to date
+- [ ] No known vulnerabilities (npm audit clean)
+- [ ] Lock files committed
+- [ ] Dependabot enabled on GitHub
+- [ ] Regular security updates
+
+## Security Testing
+
+### Automated Security Tests
+```typescript
+// Test authentication
+test('requires authentication', async () => {
+  const response = await fetch('/api/protected')
+  expect(response.status).toBe(401)
+})
+
+// Test authorization
+test('requires admin role', async () => {
+  const response = await fetch('/api/admin', {
+    headers: { Authorization: `Bearer ${userToken}` }
+  })
+  expect(response.status).toBe(403)
+})
+
+// Test input validation
+test('rejects invalid input', async () => {
+  const response = await fetch('/api/users', {
+    method: 'POST',
+    body: JSON.stringify({ email: 'not-an-email' })
+  })
+  expect(response.status).toBe(400)
+})
+
+// Test rate limiting
+test('enforces rate limits', async () => {
+  const requests = Array(101).fill(null).map(() =>
+    fetch('/api/endpoint')
+  )
+
+  const responses = await Promise.all(requests)
+  const tooManyRequests = responses.filter(r => r.status === 429)
+
+  expect(tooManyRequests.length).toBeGreaterThan(0)
+})
+```
+
+## Pre-Deployment Security Checklist
+
+Before ANY production deployment:
+
+- [ ] **Secrets**: No hardcoded secrets, all in env vars
+- [ ] **Input Validation**: All user inputs validated
+- [ ] **SQL Injection**: All queries parameterized
+- [ ] **XSS**: User content sanitized
+- [ ] **CSRF**: Protection enabled
+- [ ] **Authentication**: Proper token handling
+- [ ] **Authorization**: Role checks in place
+- [ ] **Rate Limiting**: Enabled on all endpoints
+- [ ] **HTTPS**: Enforced in production
+- [ ] **Security Headers**: CSP, X-Frame-Options configured
+- [ ] **Error Handling**: No sensitive data in errors
+- [ ] **Logging**: No sensitive data logged
+- [ ] **Dependencies**: Up to date, no vulnerabilities
+- [ ] **Row Level Security**: Enabled in Supabase
+- [ ] **CORS**: Properly configured
+- [ ] **File Uploads**: Validated (size, type)
+- [ ] **Wallet Signatures**: Verified (if blockchain)
+
+## Resources
+
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [Next.js Security](https://nextjs.org/docs/security)
+- [Supabase Security](https://supabase.com/docs/guides/auth)
+- [Web Security Academy](https://portswigger.net/web-security)
+
+---
+
+**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.

.agents/skills/security-review/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Security Review"
+  short_description: "Comprehensive security checklist and vulnerability detection"
+  brand_color: "#EF4444"
+  default_prompt: "Run security checklist: secrets, input validation, injection prevention"
+policy:
+  allow_implicit_invocation: true

.agents/skills/strategic-compact/SKILL.md

@@ -0,0 +1,103 @@
+---
+name: strategic-compact
+description: Suggests manual context compaction at logical intervals to preserve context through task phases rather than arbitrary auto-compaction.
+origin: ECC
+---
+
+# Strategic Compact Skill
+
+Suggests manual `/compact` at strategic points in your workflow rather than relying on arbitrary auto-compaction.
+
+## When to Activate
+
+- Running long sessions that approach context limits (200K+ tokens)
+- Working on multi-phase tasks (research → plan → implement → test)
+- Switching between unrelated tasks within the same session
+- After completing a major milestone and starting new work
+- When responses slow down or become less coherent (context pressure)
+
+## Why Strategic Compaction?
+
+Auto-compaction triggers at arbitrary points:
+- Often mid-task, losing important context
+- No awareness of logical task boundaries
+- Can interrupt complex multi-step operations
+
+Strategic compaction at logical boundaries:
+- **After exploration, before execution** — Compact research context, keep implementation plan
+- **After completing a milestone** — Fresh start for next phase
+- **Before major context shifts** — Clear exploration context before different task
+
+## How It Works
+
+The `suggest-compact.js` script runs on PreToolUse (Edit/Write) and:
+
+1. **Tracks tool calls** — Counts tool invocations in session
+2. **Threshold detection** — Suggests at configurable threshold (default: 50 calls)
+3. **Periodic reminders** — Reminds every 25 calls after threshold
+
+## Hook Setup
+
+Add to your `~/.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit",
+        "hooks": [{ "type": "command", "command": "node ~/.claude/skills/strategic-compact/suggest-compact.js" }]
+      },
+      {
+        "matcher": "Write",
+        "hooks": [{ "type": "command", "command": "node ~/.claude/skills/strategic-compact/suggest-compact.js" }]
+      }
+    ]
+  }
+}
+```
+
+## Configuration
+
+Environment variables:
+- `COMPACT_THRESHOLD` — Tool calls before first suggestion (default: 50)
+
+## Compaction Decision Guide
+
+Use this table to decide when to compact:
+
+| Phase Transition | Compact? | Why |
+|-----------------|----------|-----|
+| Research → Planning | Yes | Research context is bulky; plan is the distilled output |
+| Planning → Implementation | Yes | Plan is in TodoWrite or a file; free up context for code |
+| Implementation → Testing | Maybe | Keep if tests reference recent code; compact if switching focus |
+| Debugging → Next feature | Yes | Debug traces pollute context for unrelated work |
+| Mid-implementation | No | Losing variable names, file paths, and partial state is costly |
+| After a failed approach | Yes | Clear the dead-end reasoning before trying a new approach |
+
+## What Survives Compaction
+
+Understanding what persists helps you compact with confidence:
+
+| Persists | Lost |
+|----------|------|
+| CLAUDE.md instructions | Intermediate reasoning and analysis |
+| TodoWrite task list | File contents you previously read |
+| Memory files (`~/.claude/memory/`) | Multi-step conversation context |
+| Git state (commits, branches) | Tool call history and counts |
+| Files on disk | Nuanced user preferences stated verbally |
+
+## Best Practices
+
+1. **Compact after planning** — Once plan is finalized in TodoWrite, compact to start fresh
+2. **Compact after debugging** — Clear error-resolution context before continuing
+3. **Don't compact mid-implementation** — Preserve context for related changes
+4. **Read the suggestion** — The hook tells you *when*, you decide *if*
+5. **Write before compacting** — Save important context to files or memory before compacting
+6. **Use `/compact` with a summary** — Add a custom message: `/compact Focus on implementing auth middleware next`
+
+## Related
+
+- [The Longform Guide](https://x.com/affaanmustafa/status/2014040193557471352) — Token optimization section
+- Memory persistence hooks — For state that survives compaction
+- `continuous-learning` skill — Extracts patterns before session ends

.agents/skills/strategic-compact/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Strategic Compact"
+  short_description: "Context management via strategic compaction"
+  brand_color: "#14B8A6"
+  default_prompt: "Suggest task boundary compaction for context management"
+policy:
+  allow_implicit_invocation: true

.agents/skills/tdd-workflow/SKILL.md

@@ -0,0 +1,410 @@
+---
+name: tdd-workflow
+description: Use this skill when writing new features, fixing bugs, or refactoring code. Enforces test-driven development with 80%+ coverage including unit, integration, and E2E tests.
+origin: ECC
+---
+
+# Test-Driven Development Workflow
+
+This skill ensures all code development follows TDD principles with comprehensive test coverage.
+
+## When to Activate
+
+- Writing new features or functionality
+- Fixing bugs or issues
+- Refactoring existing code
+- Adding API endpoints
+- Creating new components
+
+## Core Principles
+
+### 1. Tests BEFORE Code
+ALWAYS write tests first, then implement code to make tests pass.
+
+### 2. Coverage Requirements
+- Minimum 80% coverage (unit + integration + E2E)
+- All edge cases covered
+- Error scenarios tested
+- Boundary conditions verified
+
+### 3. Test Types
+
+#### Unit Tests
+- Individual functions and utilities
+- Component logic
+- Pure functions
+- Helpers and utilities
+
+#### Integration Tests
+- API endpoints
+- Database operations
+- Service interactions
+- External API calls
+
+#### E2E Tests (Playwright)
+- Critical user flows
+- Complete workflows
+- Browser automation
+- UI interactions
+
+## TDD Workflow Steps
+
+### Step 1: Write User Journeys
+```
+As a [role], I want to [action], so that [benefit]
+
+Example:
+As a user, I want to search for markets semantically,
+so that I can find relevant markets even without exact keywords.
+```
+
+### Step 2: Generate Test Cases
+For each user journey, create comprehensive test cases:
+
+```typescript
+describe('Semantic Search', () => {
+  it('returns relevant markets for query', async () => {
+    // Test implementation
+  })
+
+  it('handles empty query gracefully', async () => {
+    // Test edge case
+  })
+
+  it('falls back to substring search when Redis unavailable', async () => {
+    // Test fallback behavior
+  })
+
+  it('sorts results by similarity score', async () => {
+    // Test sorting logic
+  })
+})
+```
+
+### Step 3: Run Tests (They Should Fail)
+```bash
+npm test
+# Tests should fail - we haven't implemented yet
+```
+
+### Step 4: Implement Code
+Write minimal code to make tests pass:
+
+```typescript
+// Implementation guided by tests
+export async function searchMarkets(query: string) {
+  // Implementation here
+}
+```
+
+### Step 5: Run Tests Again
+```bash
+npm test
+# Tests should now pass
+```
+
+### Step 6: Refactor
+Improve code quality while keeping tests green:
+- Remove duplication
+- Improve naming
+- Optimize performance
+- Enhance readability
+
+### Step 7: Verify Coverage
+```bash
+npm run test:coverage
+# Verify 80%+ coverage achieved
+```
+
+## Testing Patterns
+
+### Unit Test Pattern (Jest/Vitest)
+```typescript
+import { render, screen, fireEvent } from '@testing-library/react'
+import { Button } from './Button'
+
+describe('Button Component', () => {
+  it('renders with correct text', () => {
+    render(<Button>Click me</Button>)
+    expect(screen.getByText('Click me')).toBeInTheDocument()
+  })
+
+  it('calls onClick when clicked', () => {
+    const handleClick = jest.fn()
+    render(<Button onClick={handleClick}>Click</Button>)
+
+    fireEvent.click(screen.getByRole('button'))
+
+    expect(handleClick).toHaveBeenCalledTimes(1)
+  })
+
+  it('is disabled when disabled prop is true', () => {
+    render(<Button disabled>Click</Button>)
+    expect(screen.getByRole('button')).toBeDisabled()
+  })
+})
+```
+
+### API Integration Test Pattern
+```typescript
+import { NextRequest } from 'next/server'
+import { GET } from './route'
+
+describe('GET /api/markets', () => {
+  it('returns markets successfully', async () => {
+    const request = new NextRequest('http://localhost/api/markets')
+    const response = await GET(request)
+    const data = await response.json()
+
+    expect(response.status).toBe(200)
+    expect(data.success).toBe(true)
+    expect(Array.isArray(data.data)).toBe(true)
+  })
+
+  it('validates query parameters', async () => {
+    const request = new NextRequest('http://localhost/api/markets?limit=invalid')
+    const response = await GET(request)
+
+    expect(response.status).toBe(400)
+  })
+
+  it('handles database errors gracefully', async () => {
+    // Mock database failure
+    const request = new NextRequest('http://localhost/api/markets')
+    // Test error handling
+  })
+})
+```
+
+### E2E Test Pattern (Playwright)
+```typescript
+import { test, expect } from '@playwright/test'
+
+test('user can search and filter markets', async ({ page }) => {
+  // Navigate to markets page
+  await page.goto('/')
+  await page.click('a[href="/markets"]')
+
+  // Verify page loaded
+  await expect(page.locator('h1')).toContainText('Markets')
+
+  // Search for markets
+  await page.fill('input[placeholder="Search markets"]', 'election')
+
+  // Wait for debounce and results
+  await page.waitForTimeout(600)
+
+  // Verify search results displayed
+  const results = page.locator('[data-testid="market-card"]')
+  await expect(results).toHaveCount(5, { timeout: 5000 })
+
+  // Verify results contain search term
+  const firstResult = results.first()
+  await expect(firstResult).toContainText('election', { ignoreCase: true })
+
+  // Filter by status
+  await page.click('button:has-text("Active")')
+
+  // Verify filtered results
+  await expect(results).toHaveCount(3)
+})
+
+test('user can create a new market', async ({ page }) => {
+  // Login first
+  await page.goto('/creator-dashboard')
+
+  // Fill market creation form
+  await page.fill('input[name="name"]', 'Test Market')
+  await page.fill('textarea[name="description"]', 'Test description')
+  await page.fill('input[name="endDate"]', '2025-12-31')
+
+  // Submit form
+  await page.click('button[type="submit"]')
+
+  // Verify success message
+  await expect(page.locator('text=Market created successfully')).toBeVisible()
+
+  // Verify redirect to market page
+  await expect(page).toHaveURL(/\/markets\/test-market/)
+})
+```
+
+## Test File Organization
+
+```
+src/
+├── components/
+│   ├── Button/
+│   │   ├── Button.tsx
+│   │   ├── Button.test.tsx          # Unit tests
+│   │   └── Button.stories.tsx       # Storybook
+│   └── MarketCard/
+│       ├── MarketCard.tsx
+│       └── MarketCard.test.tsx
+├── app/
+│   └── api/
+│       └── markets/
+│           ├── route.ts
+│           └── route.test.ts         # Integration tests
+└── e2e/
+    ├── markets.spec.ts               # E2E tests
+    ├── trading.spec.ts
+    └── auth.spec.ts
+```
+
+## Mocking External Services
+
+### Supabase Mock
+```typescript
+jest.mock('@/lib/supabase', () => ({
+  supabase: {
+    from: jest.fn(() => ({
+      select: jest.fn(() => ({
+        eq: jest.fn(() => Promise.resolve({
+          data: [{ id: 1, name: 'Test Market' }],
+          error: null
+        }))
+      }))
+    }))
+  }
+}))
+```
+
+### Redis Mock
+```typescript
+jest.mock('@/lib/redis', () => ({
+  searchMarketsByVector: jest.fn(() => Promise.resolve([
+    { slug: 'test-market', similarity_score: 0.95 }
+  ])),
+  checkRedisHealth: jest.fn(() => Promise.resolve({ connected: true }))
+}))
+```
+
+### OpenAI Mock
+```typescript
+jest.mock('@/lib/openai', () => ({
+  generateEmbedding: jest.fn(() => Promise.resolve(
+    new Array(1536).fill(0.1) // Mock 1536-dim embedding
+  ))
+}))
+```
+
+## Test Coverage Verification
+
+### Run Coverage Report
+```bash
+npm run test:coverage
+```
+
+### Coverage Thresholds
+```json
+{
+  "jest": {
+    "coverageThresholds": {
+      "global": {
+        "branches": 80,
+        "functions": 80,
+        "lines": 80,
+        "statements": 80
+      }
+    }
+  }
+}
+```
+
+## Common Testing Mistakes to Avoid
+
+### ❌ WRONG: Testing Implementation Details
+```typescript
+// Don't test internal state
+expect(component.state.count).toBe(5)
+```
+
+### ✅ CORRECT: Test User-Visible Behavior
+```typescript
+// Test what users see
+expect(screen.getByText('Count: 5')).toBeInTheDocument()
+```
+
+### ❌ WRONG: Brittle Selectors
+```typescript
+// Breaks easily
+await page.click('.css-class-xyz')
+```
+
+### ✅ CORRECT: Semantic Selectors
+```typescript
+// Resilient to changes
+await page.click('button:has-text("Submit")')
+await page.click('[data-testid="submit-button"]')
+```
+
+### ❌ WRONG: No Test Isolation
+```typescript
+// Tests depend on each other
+test('creates user', () => { /* ... */ })
+test('updates same user', () => { /* depends on previous test */ })
+```
+
+### ✅ CORRECT: Independent Tests
+```typescript
+// Each test sets up its own data
+test('creates user', () => {
+  const user = createTestUser()
+  // Test logic
+})
+
+test('updates user', () => {
+  const user = createTestUser()
+  // Update logic
+})
+```
+
+## Continuous Testing
+
+### Watch Mode During Development
+```bash
+npm test -- --watch
+# Tests run automatically on file changes
+```
+
+### Pre-Commit Hook
+```bash
+# Runs before every commit
+npm test && npm run lint
+```
+
+### CI/CD Integration
+```yaml
+# GitHub Actions
+- name: Run Tests
+  run: npm test -- --coverage
+- name: Upload Coverage
+  uses: codecov/codecov-action@v3
+```
+
+## Best Practices
+
+1. **Write Tests First** - Always TDD
+2. **One Assert Per Test** - Focus on single behavior
+3. **Descriptive Test Names** - Explain what's tested
+4. **Arrange-Act-Assert** - Clear test structure
+5. **Mock External Dependencies** - Isolate unit tests
+6. **Test Edge Cases** - Null, undefined, empty, large
+7. **Test Error Paths** - Not just happy paths
+8. **Keep Tests Fast** - Unit tests < 50ms each
+9. **Clean Up After Tests** - No side effects
+10. **Review Coverage Reports** - Identify gaps
+
+## Success Metrics
+
+- 80%+ code coverage achieved
+- All tests passing (green)
+- No skipped or disabled tests
+- Fast test execution (< 30s for unit tests)
+- E2E tests cover critical user flows
+- Tests catch bugs before production
+
+---
+
+**Remember**: Tests are not optional. They are the safety net that enables confident refactoring, rapid development, and production reliability.

.agents/skills/tdd-workflow/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "TDD Workflow"
+  short_description: "Test-driven development with 80%+ coverage"
+  brand_color: "#22C55E"
+  default_prompt: "Follow TDD: write tests first, implement, verify 80%+ coverage"
+policy:
+  allow_implicit_invocation: true

.agents/skills/verification-loop/SKILL.md

@@ -0,0 +1,126 @@
+---
+name: verification-loop
+description: "A comprehensive verification system for Claude Code sessions."
+origin: ECC
+---
+
+# Verification Loop Skill
+
+A comprehensive verification system for Claude Code sessions.
+
+## When to Use
+
+Invoke this skill:
+- After completing a feature or significant code change
+- Before creating a PR
+- When you want to ensure quality gates pass
+- After refactoring
+
+## Verification Phases
+
+### Phase 1: Build Verification
+```bash
+# Check if project builds
+npm run build 2>&1 | tail -20
+# OR
+pnpm build 2>&1 | tail -20
+```
+
+If build fails, STOP and fix before continuing.
+
+### Phase 2: Type Check
+```bash
+# TypeScript projects
+npx tsc --noEmit 2>&1 | head -30
+
+# Python projects
+pyright . 2>&1 | head -30
+```
+
+Report all type errors. Fix critical ones before continuing.
+
+### Phase 3: Lint Check
+```bash
+# JavaScript/TypeScript
+npm run lint 2>&1 | head -30
+
+# Python
+ruff check . 2>&1 | head -30
+```
+
+### Phase 4: Test Suite
+```bash
+# Run tests with coverage
+npm run test -- --coverage 2>&1 | tail -50
+
+# Check coverage threshold
+# Target: 80% minimum
+```
+
+Report:
+- Total tests: X
+- Passed: X
+- Failed: X
+- Coverage: X%
+
+### Phase 5: Security Scan
+```bash
+# Check for secrets
+grep -rn "sk-" --include="*.ts" --include="*.js" . 2>/dev/null | head -10
+grep -rn "api_key" --include="*.ts" --include="*.js" . 2>/dev/null | head -10
+
+# Check for console.log
+grep -rn "console.log" --include="*.ts" --include="*.tsx" src/ 2>/dev/null | head -10
+```
+
+### Phase 6: Diff Review
+```bash
+# Show what changed
+git diff --stat
+git diff HEAD~1 --name-only
+```
+
+Review each changed file for:
+- Unintended changes
+- Missing error handling
+- Potential edge cases
+
+## Output Format
+
+After running all phases, produce a verification report:
+
+```
+VERIFICATION REPORT
+==================
+
+Build:     [PASS/FAIL]
+Types:     [PASS/FAIL] (X errors)
+Lint:      [PASS/FAIL] (X warnings)
+Tests:     [PASS/FAIL] (X/Y passed, Z% coverage)
+Security:  [PASS/FAIL] (X issues)
+Diff:      [X files changed]
+
+Overall:   [READY/NOT READY] for PR
+
+Issues to Fix:
+1. ...
+2. ...
+```
+
+## Continuous Mode
+
+For long sessions, run verification every 15 minutes or after major changes:
+
+```markdown
+Set a mental checkpoint:
+- After completing each function
+- After finishing a component
+- Before moving to next task
+
+Run: /verify
+```
+
+## Integration with Hooks
+
+This skill complements PostToolUse hooks but provides deeper verification.
+Hooks catch issues immediately; this skill provides comprehensive review.

.agents/skills/verification-loop/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Verification Loop"
+  short_description: "Build, test, lint, typecheck verification"
+  brand_color: "#10B981"
+  default_prompt: "Run verification: build, test, lint, typecheck, security"
+policy:
+  allow_implicit_invocation: true

.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "everything-claude-code",
-  "version": "1.2.0",
+  "version": "1.4.1",
   "description": "Complete collection of battle-tested Claude Code configs from an Anthropic hackathon winner - agents, skills, hooks, and rules evolved over 10+ months of intensive daily use",
   "author": {
     "name": "Affaan Mustafa",

.codex/AGENTS.md

@@ -0,0 +1,55 @@
+# ECC for Codex CLI
+
+This supplements the root `AGENTS.md` with Codex-specific guidance.
+
+## Model Recommendations
+
+| Task Type | Recommended Model |
+|-----------|------------------|
+| Routine coding, tests, formatting | o4-mini |
+| Complex features, architecture | o3 |
+| Debugging, refactoring | o4-mini |
+| Security review | o3 |
+
+## Skills Discovery
+
+Skills are auto-loaded from `.agents/skills/`. Each skill contains:
+- `SKILL.md` — Detailed instructions and workflow
+- `agents/openai.yaml` — Codex interface metadata
+
+Available skills:
+- tdd-workflow — Test-driven development with 80%+ coverage
+- security-review — Comprehensive security checklist
+- coding-standards — Universal coding standards
+- frontend-patterns — React/Next.js patterns
+- backend-patterns — API design, database, caching
+- e2e-testing — Playwright E2E tests
+- eval-harness — Eval-driven development
+- strategic-compact — Context management
+- api-design — REST API design patterns
+- verification-loop — Build, test, lint, typecheck, security
+
+## MCP Servers
+
+Configure in `~/.codex/config.toml` under `[mcp_servers]`. See `.codex/config.toml` for reference configuration with GitHub, Context7, Memory, and Sequential Thinking servers.
+
+## Key Differences from Claude Code
+
+| Feature | Claude Code | Codex CLI |
+|---------|------------|-----------|
+| Hooks | 8+ event types | Not yet supported |
+| Context file | CLAUDE.md + AGENTS.md | AGENTS.md only |
+| Skills | Skills loaded via plugin | `.agents/skills/` directory |
+| Commands | `/slash` commands | Instruction-based |
+| Agents | Subagent Task tool | Single agent model |
+| Security | Hook-based enforcement | Instruction + sandbox |
+| MCP | Full support | Command-based only |
+
+## Security Without Hooks
+
+Since Codex lacks hooks, security enforcement is instruction-based:
+1. Always validate inputs at system boundaries
+2. Never hardcode secrets — use environment variables
+3. Run `npm audit` / `pip audit` before committing
+4. Review `git diff` before every push
+5. Use `sandbox_mode = "workspace-write"` in config

.codex/config.toml

@@ -0,0 +1,80 @@
+# Everything Claude Code (ECC) — Codex CLI Reference Configuration
+#
+# Copy this file to ~/.codex/config.toml to apply globally.
+# Or keep it in your project root for project-level config.
+#
+# Docs: https://github.com/openai/codex
+
+# Model selection
+model = "o4-mini"
+model_provider = "openai"
+
+# Permissions
+[permissions]
+# "untrusted" = no writes, "on-request" = ask per action, "never" = full auto
+approval_policy = "on-request"
+# "off", "workspace-read", "workspace-write", "danger-full-access"
+sandbox_mode = "workspace-write"
+
+# Notifications (macOS)
+[notify]
+command = "terminal-notifier -title 'Codex ECC' -message 'Task completed!' -sound default"
+on_complete = true
+
+# History - persistent instructions applied to every session
+[history]
+# These are prepended to every conversation
+persistent_instructions = """
+Follow ECC principles:
+1. Test-Driven Development (TDD) - write tests first, 80%+ coverage required
+2. Immutability - always create new objects, never mutate
+3. Security-First - validate all inputs, no hardcoded secrets
+4. Conventional commits: feat|fix|refactor|docs|test|chore|perf|ci: description
+5. File organization: many small files (200-400 lines, 800 max)
+6. Error handling: handle at every level, never swallow errors
+7. Input validation: schema-based validation at system boundaries
+"""
+
+# MCP Servers
+# Codex supports command-based MCP servers
+[mcp_servers.github]
+command = "npx"
+args = ["-y", "@modelcontextprotocol/server-github"]
+
+[mcp_servers.context7]
+command = "npx"
+args = ["-y", "@upstash/context7-mcp@latest"]
+
+[mcp_servers.memory]
+command = "npx"
+args = ["-y", "@modelcontextprotocol/server-memory"]
+
+[mcp_servers.sequential-thinking]
+command = "npx"
+args = ["-y", "@modelcontextprotocol/server-sequential-thinking"]
+
+# Additional MCP servers (uncomment as needed):
+# [mcp_servers.supabase]
+# command = "npx"
+# args = ["-y", "supabase-mcp-server@latest", "--read-only"]
+#
+# [mcp_servers.firecrawl]
+# command = "npx"
+# args = ["-y", "firecrawl-mcp"]
+#
+# [mcp_servers.railway]
+# command = "npx"
+# args = ["-y", "@anthropic/railway-mcp"]
+
+# Features
+[features]
+web_search_request = true
+
+# Profiles — switch with CODEX_PROFILE=<name>
+[profiles.strict]
+approval_policy = "on-request"
+sandbox_mode = "workspace-read"
+
+[profiles.yolo]
+approval_policy = "never"
+sandbox_mode = "workspace-write"

.cursor/hooks.json

@@ -0,0 +1,109 @@
+{
+  "hooks": {
+    "sessionStart": [
+      {
+        "command": "node .cursor/hooks/session-start.js",
+        "event": "sessionStart",
+        "description": "Load previous context and detect environment"
+      }
+    ],
+    "sessionEnd": [
+      {
+        "command": "node .cursor/hooks/session-end.js",
+        "event": "sessionEnd",
+        "description": "Persist session state and evaluate patterns"
+      }
+    ],
+    "beforeShellExecution": [
+      {
+        "command": "node .cursor/hooks/before-shell-execution.js",
+        "event": "beforeShellExecution",
+        "description": "Tmux dev server blocker, tmux reminder, git push review"
+      }
+    ],
+    "afterShellExecution": [
+      {
+        "command": "node .cursor/hooks/after-shell-execution.js",
+        "event": "afterShellExecution",
+        "description": "PR URL logging, build analysis"
+      }
+    ],
+    "afterFileEdit": [
+      {
+        "command": "node .cursor/hooks/after-file-edit.js",
+        "event": "afterFileEdit",
+        "description": "Auto-format, TypeScript check, console.log warning"
+      }
+    ],
+    "beforeMCPExecution": [
+      {
+        "command": "node .cursor/hooks/before-mcp-execution.js",
+        "event": "beforeMCPExecution",
+        "description": "MCP audit logging and untrusted server warning"
+      }
+    ],
+    "afterMCPExecution": [
+      {
+        "command": "node .cursor/hooks/after-mcp-execution.js",
+        "event": "afterMCPExecution",
+        "description": "MCP result logging"
+      }
+    ],
+    "beforeReadFile": [
+      {
+        "command": "node .cursor/hooks/before-read-file.js",
+        "event": "beforeReadFile",
+        "description": "Warn when reading sensitive files (.env, .key, .pem)"
+      }
+    ],
+    "beforeSubmitPrompt": [
+      {
+        "command": "node .cursor/hooks/before-submit-prompt.js",
+        "event": "beforeSubmitPrompt",
+        "description": "Detect secrets in prompts (sk-, ghp_, AKIA patterns)"
+      }
+    ],
+    "subagentStart": [
+      {
+        "command": "node .cursor/hooks/subagent-start.js",
+        "event": "subagentStart",
+        "description": "Log agent spawning for observability"
+      }
+    ],
+    "subagentStop": [
+      {
+        "command": "node .cursor/hooks/subagent-stop.js",
+        "event": "subagentStop",
+        "description": "Log agent completion"
+      }
+    ],
+    "beforeTabFileRead": [
+      {
+        "command": "node .cursor/hooks/before-tab-file-read.js",
+        "event": "beforeTabFileRead",
+        "description": "Block Tab from reading secrets (.env, .key, .pem, credentials)"
+      }
+    ],
+    "afterTabFileEdit": [
+      {
+        "command": "node .cursor/hooks/after-tab-file-edit.js",
+        "event": "afterTabFileEdit",
+        "description": "Auto-format Tab edits"
+      }
+    ],
+    "preCompact": [
+      {
+        "command": "node .cursor/hooks/pre-compact.js",
+        "event": "preCompact",
+        "description": "Save state before context compaction"
+      }
+    ],
+    "stop": [
+      {
+        "command": "node .cursor/hooks/stop.js",
+        "event": "stop",
+        "description": "Console.log audit on all modified files"
+      }
+    ]
+  }
+}

.cursor/hooks/adapter.js

@@ -0,0 +1,62 @@
+#!/usr/bin/env node
+/**
+ * Cursor-to-Claude Code Hook Adapter
+ * Transforms Cursor stdin JSON to Claude Code hook format,
+ * then delegates to existing scripts/hooks/*.js
+ */
+
+const { execFileSync } = require('child_process');
+const path = require('path');
+
+const MAX_STDIN = 1024 * 1024;
+
+function readStdin() {
+  return new Promise((resolve) => {
+    let data = '';
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', chunk => {
+      if (data.length < MAX_STDIN) data += chunk.substring(0, MAX_STDIN - data.length);
+    });
+    process.stdin.on('end', () => resolve(data));
+  });
+}
+
+function getPluginRoot() {
+  return path.resolve(__dirname, '..', '..');
+}
+
+function transformToClaude(cursorInput, overrides = {}) {
+  return {
+    tool_input: {
+      command: cursorInput.command || cursorInput.args?.command || '',
+      file_path: cursorInput.path || cursorInput.file || '',
+      ...overrides.tool_input,
+    },
+    tool_output: {
+      output: cursorInput.output || cursorInput.result || '',
+      ...overrides.tool_output,
+    },
+    _cursor: {
+      conversation_id: cursorInput.conversation_id,
+      hook_event_name: cursorInput.hook_event_name,
+      workspace_roots: cursorInput.workspace_roots,
+      model: cursorInput.model,
+    },
+  };
+}
+
+function runExistingHook(scriptName, stdinData) {
+  const scriptPath = path.join(getPluginRoot(), 'scripts', 'hooks', scriptName);
+  try {
+    execFileSync('node', [scriptPath], {
+      input: typeof stdinData === 'string' ? stdinData : JSON.stringify(stdinData),
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 15000,
+      cwd: process.cwd(),
+    });
+  } catch (e) {
+    if (e.status === 2) process.exit(2); // Forward blocking exit code
+  }
+}
+
+module.exports = { readStdin, getPluginRoot, transformToClaude, runExistingHook };

.cursor/hooks/after-file-edit.js

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+const { readStdin, runExistingHook, transformToClaude } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const claudeInput = transformToClaude(input, {
+      tool_input: { file_path: input.path || input.file || '' }
+    });
+    const claudeStr = JSON.stringify(claudeInput);
+
+    // Run format, typecheck, and console.log warning sequentially
+    runExistingHook('post-edit-format.js', claudeStr);
+    runExistingHook('post-edit-typecheck.js', claudeStr);
+    runExistingHook('post-edit-console-warn.js', claudeStr);
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/after-mcp-execution.js

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+const { readStdin } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const server = input.server || input.mcp_server || 'unknown';
+    const tool = input.tool || input.mcp_tool || 'unknown';
+    const success = input.error ? 'FAILED' : 'OK';
+    console.error(`[ECC] MCP result: ${server}/${tool} - ${success}`);
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/after-shell-execution.js

@@ -0,0 +1,26 @@
+#!/usr/bin/env node
+const { readStdin } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const cmd = input.command || '';
+    const output = input.output || input.result || '';
+
+    // PR creation logging
+    if (/gh pr create/.test(cmd)) {
+      const m = output.match(/https:\/\/github\.com\/[^/]+\/[^/]+\/pull\/\d+/);
+      if (m) {
+        console.error('[ECC] PR created: ' + m[0]);
+        const repo = m[0].replace(/https:\/\/github\.com\/([^/]+\/[^/]+)\/pull\/\d+/, '$1');
+        const pr = m[0].replace(/.+\/pull\/(\d+)/, '$1');
+        console.error('[ECC] To review: gh pr review ' + pr + ' --repo ' + repo);
+      }
+    }
+
+    // Build completion notice
+    if (/(npm run build|pnpm build|yarn build)/.test(cmd)) {
+      console.error('[ECC] Build completed');
+    }
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/after-tab-file-edit.js

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+const { readStdin, runExistingHook, transformToClaude } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const claudeInput = transformToClaude(input, {
+      tool_input: { file_path: input.path || input.file || '' }
+    });
+    runExistingHook('post-edit-format.js', JSON.stringify(claudeInput));
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/before-mcp-execution.js

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+const { readStdin } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const server = input.server || input.mcp_server || 'unknown';
+    const tool = input.tool || input.mcp_tool || 'unknown';
+    console.error(`[ECC] MCP invocation: ${server}/${tool}`);
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/before-read-file.js

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+const { readStdin } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const filePath = input.path || input.file || '';
+    if (/\.(env|key|pem)$|\.env\.|credentials|secret/i.test(filePath)) {
+      console.error('[ECC] WARNING: Reading sensitive file: ' + filePath);
+      console.error('[ECC] Ensure this data is not exposed in outputs');
+    }
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/before-shell-execution.js

@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+const { readStdin } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const cmd = input.command || '';
+
+    // 1. Block dev server outside tmux
+    if (process.platform !== 'win32' && /(npm run dev\b|pnpm( run)? dev\b|yarn dev\b|bun run dev\b)/.test(cmd)) {
+      console.error('[ECC] BLOCKED: Dev server must run in tmux for log access');
+      console.error('[ECC] Use: tmux new-session -d -s dev "npm run dev"');
+      process.exit(2);
+    }
+
+    // 2. Tmux reminder for long-running commands
+    if (process.platform !== 'win32' && !process.env.TMUX &&
+        /(npm (install|test)|pnpm (install|test)|yarn (install|test)?|bun (install|test)|cargo build|make\b|docker\b|pytest|vitest|playwright)/.test(cmd)) {
+      console.error('[ECC] Consider running in tmux for session persistence');
+    }
+
+    // 3. Git push review reminder
+    if (/git push/.test(cmd)) {
+      console.error('[ECC] Review changes before push: git diff origin/main...HEAD');
+    }
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/before-submit-prompt.js

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+const { readStdin } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const prompt = input.prompt || input.content || input.message || '';
+    const secretPatterns = [
+      /sk-[a-zA-Z0-9]{20,}/,       // OpenAI API keys
+      /ghp_[a-zA-Z0-9]{36,}/,      // GitHub personal access tokens
+      /AKIA[A-Z0-9]{16}/,          // AWS access keys
+      /xox[bpsa]-[a-zA-Z0-9-]+/,   // Slack tokens
+      /-----BEGIN (RSA |EC )?PRIVATE KEY-----/, // Private keys
+    ];
+    for (const pattern of secretPatterns) {
+      if (pattern.test(prompt)) {
+        console.error('[ECC] WARNING: Potential secret detected in prompt!');
+        console.error('[ECC] Remove secrets before submitting. Use environment variables instead.');
+        break;
+      }
+    }
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/before-tab-file-read.js

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+const { readStdin } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const filePath = input.path || input.file || '';
+    if (/\.(env|key|pem)$|\.env\.|credentials|secret/i.test(filePath)) {
+      console.error('[ECC] BLOCKED: Tab cannot read sensitive file: ' + filePath);
+      process.exit(2);
+    }
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/pre-compact.js

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+const { readStdin, runExistingHook, transformToClaude } = require('./adapter');
+readStdin().then(raw => {
+  const claudeInput = JSON.parse(raw || '{}');
+  runExistingHook('pre-compact.js', transformToClaude(claudeInput));
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/session-end.js

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+const { readStdin, runExistingHook, transformToClaude } = require('./adapter');
+readStdin().then(raw => {
+  const input = JSON.parse(raw);
+  const claudeInput = transformToClaude(input);
+  runExistingHook('session-end.js', claudeInput);
+  runExistingHook('evaluate-session.js', claudeInput);
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/session-start.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+const { readStdin, runExistingHook, transformToClaude } = require('./adapter');
+readStdin().then(raw => {
+  const input = JSON.parse(raw);
+  const claudeInput = transformToClaude(input);
+  runExistingHook('session-start.js', claudeInput);
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/stop.js

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+const { readStdin, runExistingHook, transformToClaude } = require('./adapter');
+readStdin().then(raw => {
+  const claudeInput = JSON.parse(raw || '{}');
+  runExistingHook('check-console-log.js', transformToClaude(claudeInput));
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/subagent-start.js

@@ -0,0 +1,10 @@
+#!/usr/bin/env node
+const { readStdin } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const agent = input.agent_name || input.agent || 'unknown';
+    console.error(`[ECC] Agent spawned: ${agent}`);
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/hooks/subagent-stop.js

@@ -0,0 +1,10 @@
+#!/usr/bin/env node
+const { readStdin } = require('./adapter');
+readStdin().then(raw => {
+  try {
+    const input = JSON.parse(raw);
+    const agent = input.agent_name || input.agent || 'unknown';
+    console.error(`[ECC] Agent completed: ${agent}`);
+  } catch {}
+  process.stdout.write(raw);
+}).catch(() => process.exit(0));

.cursor/rules/common-agents.md

@@ -0,0 +1,53 @@
+---
+description: "Agent orchestration: available agents, parallel execution, multi-perspective analysis"
+alwaysApply: true
+---
+# Agent Orchestration
+
+## Available Agents
+
+Located in `~/.claude/agents/`:
+
+| Agent | Purpose | When to Use |
+|-------|---------|-------------|
+| planner | Implementation planning | Complex features, refactoring |
+| architect | System design | Architectural decisions |
+| tdd-guide | Test-driven development | New features, bug fixes |
+| code-reviewer | Code review | After writing code |
+| security-reviewer | Security analysis | Before commits |
+| build-error-resolver | Fix build errors | When build fails |
+| e2e-runner | E2E testing | Critical user flows |
+| refactor-cleaner | Dead code cleanup | Code maintenance |
+| doc-updater | Documentation | Updating docs |
+
+## Immediate Agent Usage
+
+No user prompt needed:
+1. Complex feature requests - Use **planner** agent
+2. Code just written/modified - Use **code-reviewer** agent
+3. Bug fix or new feature - Use **tdd-guide** agent
+4. Architectural decision - Use **architect** agent
+
+## Parallel Task Execution
+
+ALWAYS use parallel Task execution for independent operations:
+
+```markdown
+# GOOD: Parallel execution
+Launch 3 agents in parallel:
+1. Agent 1: Security analysis of auth module
+2. Agent 2: Performance review of cache system
+3. Agent 3: Type checking of utilities
+
+# BAD: Sequential when unnecessary
+First agent 1, then agent 2, then agent 3
+```
+
+## Multi-Perspective Analysis
+
+For complex problems, use split role sub-agents:
+- Factual reviewer
+- Senior engineer
+- Security expert
+- Consistency reviewer
+- Redundancy checker

.cursor/rules/common-coding-style.md

@@ -0,0 +1,52 @@
+---
+description: "ECC coding style: immutability, file organization, error handling, validation"
+alwaysApply: true
+---
+# Coding Style
+
+## Immutability (CRITICAL)
+
+ALWAYS create new objects, NEVER mutate existing ones:
+
+```
+// Pseudocode
+WRONG:  modify(original, field, value) → changes original in-place
+CORRECT: update(original, field, value) → returns new copy with change
+```
+
+Rationale: Immutable data prevents hidden side effects, makes debugging easier, and enables safe concurrency.
+
+## File Organization
+
+MANY SMALL FILES > FEW LARGE FILES:
+- High cohesion, low coupling
+- 200-400 lines typical, 800 max
+- Extract utilities from large modules
+- Organize by feature/domain, not by type
+
+## Error Handling
+
+ALWAYS handle errors comprehensively:
+- Handle errors explicitly at every level
+- Provide user-friendly error messages in UI-facing code
+- Log detailed error context on the server side
+- Never silently swallow errors
+
+## Input Validation
+
+ALWAYS validate at system boundaries:
+- Validate all user input before processing
+- Use schema-based validation where available
+- Fail fast with clear error messages
+- Never trust external data (API responses, user input, file content)
+
+## Code Quality Checklist
+
+Before marking work complete:
+- [ ] Code is readable and well-named
+- [ ] Functions are small (<50 lines)
+- [ ] Files are focused (<800 lines)
+- [ ] No deep nesting (>4 levels)
+- [ ] Proper error handling
+- [ ] No hardcoded values (use constants or config)
+- [ ] No mutation (immutable patterns used)

.cursor/rules/common-development-workflow.md

@@ -0,0 +1,33 @@
+---
+description: "Development workflow: plan, TDD, review, commit pipeline"
+alwaysApply: true
+---
+# Development Workflow
+
+> This rule extends the git workflow rule with the full feature development process that happens before git operations.
+
+The Feature Implementation Workflow describes the development pipeline: planning, TDD, code review, and then committing to git.
+
+## Feature Implementation Workflow
+
+1. **Plan First**
+   - Use **planner** agent to create implementation plan
+   - Identify dependencies and risks
+   - Break down into phases
+
+2. **TDD Approach**
+   - Use **tdd-guide** agent
+   - Write tests first (RED)
+   - Implement to pass tests (GREEN)
+   - Refactor (IMPROVE)
+   - Verify 80%+ coverage
+
+3. **Code Review**
+   - Use **code-reviewer** agent immediately after writing code
+   - Address CRITICAL and HIGH issues
+   - Fix MEDIUM issues when possible
+
+4. **Commit & Push**
+   - Detailed commit messages
+   - Follow conventional commits format
+   - See the git workflow rule for commit message format and PR process

.cursor/rules/common-git-workflow.md

@@ -0,0 +1,28 @@
+---
+description: "Git workflow: conventional commits, PR process"
+alwaysApply: true
+---
+# Git Workflow
+
+## Commit Message Format
+```
+<type>: <description>
+
+<optional body>
+```
+
+Types: feat, fix, refactor, docs, test, chore, perf, ci
+
+Note: Attribution disabled globally via ~/.claude/settings.json.
+
+## Pull Request Workflow
+
+When creating PRs:
+1. Analyze full commit history (not just latest commit)
+2. Use `git diff [base-branch]...HEAD` to see all changes
+3. Draft comprehensive PR summary
+4. Include test plan with TODOs
+5. Push with `-u` flag if new branch
+
+> For the full development process (planning, TDD, code review) before git operations,
+> see the development workflow rule.

.cursor/rules/common-hooks.md

@@ -0,0 +1,34 @@
+---
+description: "Hooks system: types, auto-accept permissions, TodoWrite best practices"
+alwaysApply: true
+---
+# Hooks System
+
+## Hook Types
+
+- **PreToolUse**: Before tool execution (validation, parameter modification)
+- **PostToolUse**: After tool execution (auto-format, checks)
+- **Stop**: When session ends (final verification)
+
+## Auto-Accept Permissions
+
+Use with caution:
+- Enable for trusted, well-defined plans
+- Disable for exploratory work
+- Never use dangerously-skip-permissions flag
+- Configure `allowedTools` in `~/.claude.json` instead
+
+## TodoWrite Best Practices
+
+Use TodoWrite tool to:
+- Track progress on multi-step tasks
+- Verify understanding of instructions
+- Enable real-time steering
+- Show granular implementation steps
+
+Todo list reveals:
+- Out of order steps
+- Missing items
+- Extra unnecessary items
+- Wrong granularity
+- Misinterpreted requirements

.cursor/rules/common-patterns.md

@@ -0,0 +1,35 @@
+---
+description: "Common patterns: repository, API response, skeleton projects"
+alwaysApply: true
+---
+# Common Patterns
+
+## Skeleton Projects
+
+When implementing new functionality:
+1. Search for battle-tested skeleton projects
+2. Use parallel agents to evaluate options:
+   - Security assessment
+   - Extensibility analysis
+   - Relevance scoring
+   - Implementation planning
+3. Clone best match as foundation
+4. Iterate within proven structure
+
+## Design Patterns
+
+### Repository Pattern
+
+Encapsulate data access behind a consistent interface:
+- Define standard operations: findAll, findById, create, update, delete
+- Concrete implementations handle storage details (database, API, file, etc.)
+- Business logic depends on the abstract interface, not the storage mechanism
+- Enables easy swapping of data sources and simplifies testing with mocks
+
+### API Response Format
+
+Use a consistent envelope for all API responses:
+- Include a success/status indicator
+- Include the data payload (nullable on error)
+- Include an error message field (nullable on success)
+- Include metadata for paginated responses (total, page, limit)

.cursor/rules/common-performance.md

@@ -0,0 +1,59 @@
+---
+description: "Performance: model selection, context management, build troubleshooting"
+alwaysApply: true
+---
+# Performance Optimization
+
+## Model Selection Strategy
+
+**Haiku 4.5** (90% of Sonnet capability, 3x cost savings):
+- Lightweight agents with frequent invocation
+- Pair programming and code generation
+- Worker agents in multi-agent systems
+
+**Sonnet 4.6** (Best coding model):
+- Main development work
+- Orchestrating multi-agent workflows
+- Complex coding tasks
+
+**Opus 4.5** (Deepest reasoning):
+- Complex architectural decisions
+- Maximum reasoning requirements
+- Research and analysis tasks
+
+## Context Window Management
+
+Avoid last 20% of context window for:
+- Large-scale refactoring
+- Feature implementation spanning multiple files
+- Debugging complex interactions
+
+Lower context sensitivity tasks:
+- Single-file edits
+- Independent utility creation
+- Documentation updates
+- Simple bug fixes
+
+## Extended Thinking + Plan Mode
+
+Extended thinking is enabled by default, reserving up to 31,999 tokens for internal reasoning.
+
+Control extended thinking via:
+- **Toggle**: Option+T (macOS) / Alt+T (Windows/Linux)
+- **Config**: Set `alwaysThinkingEnabled` in `~/.claude/settings.json`
+- **Budget cap**: `export MAX_THINKING_TOKENS=10000`
+- **Verbose mode**: Ctrl+O to see thinking output
+
+For complex tasks requiring deep reasoning:
+1. Ensure extended thinking is enabled (on by default)
+2. Enable **Plan Mode** for structured approach
+3. Use multiple critique rounds for thorough analysis
+4. Use split role sub-agents for diverse perspectives
+
+## Build Troubleshooting
+
+If build fails:
+1. Use **build-error-resolver** agent
+2. Analyze error messages
+3. Fix incrementally
+4. Verify after each fix

.cursor/rules/common-security.md

@@ -0,0 +1,33 @@
+---
+description: "Security: mandatory checks, secret management, response protocol"
+alwaysApply: true
+---
+# Security Guidelines
+
+## Mandatory Security Checks
+
+Before ANY commit:
+- [ ] No hardcoded secrets (API keys, passwords, tokens)
+- [ ] All user inputs validated
+- [ ] SQL injection prevention (parameterized queries)
+- [ ] XSS prevention (sanitized HTML)
+- [ ] CSRF protection enabled
+- [ ] Authentication/authorization verified
+- [ ] Rate limiting on all endpoints
+- [ ] Error messages don't leak sensitive data
+
+## Secret Management
+
+- NEVER hardcode secrets in source code
+- ALWAYS use environment variables or a secret manager
+- Validate that required secrets are present at startup
+- Rotate any secrets that may have been exposed
+
+## Security Response Protocol
+
+If security issue found:
+1. STOP immediately
+2. Use **security-reviewer** agent
+3. Fix CRITICAL issues before continuing
+4. Rotate any exposed secrets
+5. Review entire codebase for similar issues

.cursor/rules/common-testing.md

@@ -0,0 +1,33 @@
+---
+description: "Testing requirements: 80% coverage, TDD workflow, test types"
+alwaysApply: true
+---
+# Testing Requirements
+
+## Minimum Test Coverage: 80%
+
+Test Types (ALL required):
+1. **Unit Tests** - Individual functions, utilities, components
+2. **Integration Tests** - API endpoints, database operations
+3. **E2E Tests** - Critical user flows (framework chosen per language)
+
+## Test-Driven Development
+
+MANDATORY workflow:
+1. Write test first (RED)
+2. Run test - it should FAIL
+3. Write minimal implementation (GREEN)
+4. Run test - it should PASS
+5. Refactor (IMPROVE)
+6. Verify coverage (80%+)
+
+## Troubleshooting Test Failures
+
+1. Use **tdd-guide** agent
+2. Check test isolation
+3. Verify mocks are correct
+4. Fix implementation, not tests (unless tests are wrong)
+
+## Agent Support
+
+- **tdd-guide** - Use PROACTIVELY for new features, enforces write-tests-first

.cursor/rules/golang-coding-style.md

@@ -0,0 +1,31 @@
+---
+description: "Go coding style extending common rules"
+globs: ["**/*.go", "**/go.mod", "**/go.sum"]
+alwaysApply: false
+---
+# Go Coding Style
+
+> This file extends the common coding style rule with Go specific content.
+
+## Formatting
+
+- **gofmt** and **goimports** are mandatory -- no style debates
+
+## Design Principles
+
+- Accept interfaces, return structs
+- Keep interfaces small (1-3 methods)
+
+## Error Handling
+
+Always wrap errors with context:
+
+```go
+if err != nil {
+    return fmt.Errorf("failed to create user: %w", err)
+}
+```
+
+## Reference
+
+See skill: `golang-patterns` for comprehensive Go idioms and patterns.

.cursor/rules/golang-hooks.md

@@ -0,0 +1,16 @@
+---
+description: "Go hooks extending common rules"
+globs: ["**/*.go", "**/go.mod", "**/go.sum"]
+alwaysApply: false
+---
+# Go Hooks
+
+> This file extends the common hooks rule with Go specific content.
+
+## PostToolUse Hooks
+
+Configure in `~/.claude/settings.json`:
+
+- **gofmt/goimports**: Auto-format `.go` files after edit
+- **go vet**: Run static analysis after editing `.go` files
+- **staticcheck**: Run extended static checks on modified packages

.cursor/rules/golang-patterns.md

@@ -0,0 +1,44 @@
+---
+description: "Go patterns extending common rules"
+globs: ["**/*.go", "**/go.mod", "**/go.sum"]
+alwaysApply: false
+---
+# Go Patterns
+
+> This file extends the common patterns rule with Go specific content.
+
+## Functional Options
+
+```go
+type Option func(*Server)
+
+func WithPort(port int) Option {
+    return func(s *Server) { s.port = port }
+}
+
+func NewServer(opts ...Option) *Server {
+    s := &Server{port: 8080}
+    for _, opt := range opts {
+        opt(s)
+    }
+    return s
+}
+```
+
+## Small Interfaces
+
+Define interfaces where they are used, not where they are implemented.
+
+## Dependency Injection
+
+Use constructor functions to inject dependencies:
+
+```go
+func NewUserService(repo UserRepository, logger Logger) *UserService {
+    return &UserService{repo: repo, logger: logger}
+}
+```
+
+## Reference
+
+See skill: `golang-patterns` for comprehensive Go patterns including concurrency, error handling, and package organization.

.cursor/rules/golang-security.md

@@ -0,0 +1,33 @@
+---
+description: "Go security extending common rules"
+globs: ["**/*.go", "**/go.mod", "**/go.sum"]
+alwaysApply: false
+---
+# Go Security
+
+> This file extends the common security rule with Go specific content.
+
+## Secret Management
+
+```go
+apiKey := os.Getenv("OPENAI_API_KEY")
+if apiKey == "" {
+    log.Fatal("OPENAI_API_KEY not configured")
+}
+```
+
+## Security Scanning
+
+- Use **gosec** for static security analysis:
+  ```bash
+  gosec ./...
+  ```
+
+## Context & Timeouts
+
+Always use `context.Context` for timeout control:
+
+```go
+ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
+defer cancel()
+```

.cursor/rules/golang-testing.md

@@ -0,0 +1,30 @@
+---
+description: "Go testing extending common rules"
+globs: ["**/*.go", "**/go.mod", "**/go.sum"]
+alwaysApply: false
+---
+# Go Testing
+
+> This file extends the common testing rule with Go specific content.
+
+## Framework
+
+Use the standard `go test` with **table-driven tests**.
+
+## Race Detection
+
+Always run with the `-race` flag:
+
+```bash
+go test -race ./...
+```
+
+## Coverage
+
+```bash
+go test -cover ./...
+```
+
+## Reference
+
+See skill: `golang-testing` for detailed Go testing patterns and helpers.

.cursor/rules/python-coding-style.md

@@ -0,0 +1,42 @@
+---
+description: "Python coding style extending common rules"
+globs: ["**/*.py", "**/*.pyi"]
+alwaysApply: false
+---
+# Python Coding Style
+
+> This file extends the common coding style rule with Python specific content.
+
+## Standards
+
+- Follow **PEP 8** conventions
+- Use **type annotations** on all function signatures
+
+## Immutability
+
+Prefer immutable data structures:
+
+```python
+from dataclasses import dataclass
+
+@dataclass(frozen=True)
+class User:
+    name: str
+    email: str
+
+from typing import NamedTuple
+
+class Point(NamedTuple):
+    x: float
+    y: float
+```
+
+## Formatting
+
+- **black** for code formatting
+- **isort** for import sorting
+- **ruff** for linting
+
+## Reference
+
+See skill: `python-patterns` for comprehensive Python idioms and patterns.

.cursor/rules/python-hooks.md

@@ -0,0 +1,19 @@
+---
+description: "Python hooks extending common rules"
+globs: ["**/*.py", "**/*.pyi"]
+alwaysApply: false
+---
+# Python Hooks
+
+> This file extends the common hooks rule with Python specific content.
+
+## PostToolUse Hooks
+
+Configure in `~/.claude/settings.json`:
+
+- **black/ruff**: Auto-format `.py` files after edit
+- **mypy/pyright**: Run type checking after editing `.py` files
+
+## Warnings
+
+- Warn about `print()` statements in edited files (use `logging` module instead)

.cursor/rules/python-patterns.md

@@ -0,0 +1,39 @@
+---
+description: "Python patterns extending common rules"
+globs: ["**/*.py", "**/*.pyi"]
+alwaysApply: false
+---
+# Python Patterns
+
+> This file extends the common patterns rule with Python specific content.
+
+## Protocol (Duck Typing)
+
+```python
+from typing import Protocol
+
+class Repository(Protocol):
+    def find_by_id(self, id: str) -> dict | None: ...
+    def save(self, entity: dict) -> dict: ...
+```
+
+## Dataclasses as DTOs
+
+```python
+from dataclasses import dataclass
+
+@dataclass
+class CreateUserRequest:
+    name: str
+    email: str
+    age: int | None = None
+```
+
+## Context Managers & Generators
+
+- Use context managers (`with` statement) for resource management
+- Use generators for lazy evaluation and memory-efficient iteration
+
+## Reference
+
+See skill: `python-patterns` for comprehensive patterns including decorators, concurrency, and package organization.

.cursor/rules/python-security.md

@@ -0,0 +1,30 @@
+---
+description: "Python security extending common rules"
+globs: ["**/*.py", "**/*.pyi"]
+alwaysApply: false
+---
+# Python Security
+
+> This file extends the common security rule with Python specific content.
+
+## Secret Management
+
+```python
+import os
+from dotenv import load_dotenv
+
+load_dotenv()
+
+api_key = os.environ["OPENAI_API_KEY"]  # Raises KeyError if missing
+```
+
+## Security Scanning
+
+- Use **bandit** for static security analysis:
+  ```bash
+  bandit -r src/
+  ```
+
+## Reference
+
+See skill: `django-security` for Django-specific security guidelines (if applicable).

.cursor/rules/python-testing.md

@@ -0,0 +1,38 @@
+---
+description: "Python testing extending common rules"
+globs: ["**/*.py", "**/*.pyi"]
+alwaysApply: false
+---
+# Python Testing
+
+> This file extends the common testing rule with Python specific content.
+
+## Framework
+
+Use **pytest** as the testing framework.
+
+## Coverage
+
+```bash
+pytest --cov=src --cov-report=term-missing
+```
+
+## Test Organization
+
+Use `pytest.mark` for test categorization:
+
+```python
+import pytest
+
+@pytest.mark.unit
+def test_calculate_total():
+    ...
+
+@pytest.mark.integration
+def test_database_connection():
+    ...
+```
+
+## Reference
+
+See skill: `python-testing` for detailed pytest patterns and fixtures.

.cursor/rules/swift-coding-style.md

@@ -0,0 +1,47 @@
+---
+description: "Swift coding style extending common rules"
+globs: ["**/*.swift", "**/Package.swift"]
+alwaysApply: false
+---
+# Swift Coding Style
+
+> This file extends the common coding style rule with Swift specific content.
+
+## Formatting
+
+- **SwiftFormat** for auto-formatting, **SwiftLint** for style enforcement
+- `swift-format` is bundled with Xcode 16+ as an alternative
+
+## Immutability
+
+- Prefer `let` over `var` -- define everything as `let` and only change to `var` if the compiler requires it
+- Use `struct` with value semantics by default; use `class` only when identity or reference semantics are needed
+
+## Naming
+
+Follow [Apple API Design Guidelines](https://www.swift.org/documentation/api-design-guidelines/):
+
+- Clarity at the point of use -- omit needless words
+- Name methods and properties for their roles, not their types
+- Use `static let` for constants over global constants
+
+## Error Handling
+
+Use typed throws (Swift 6+) and pattern matching:
+
+```swift
+func load(id: String) throws(LoadError) -> Item {
+    guard let data = try? read(from: path) else {
+        throw .fileNotFound(id)
+    }
+    return try decode(data)
+}
+```
+
+## Concurrency
+
+Enable Swift 6 strict concurrency checking. Prefer:
+
+- `Sendable` value types for data crossing isolation boundaries
+- Actors for shared mutable state
+- Structured concurrency (`async let`, `TaskGroup`) over unstructured `Task {}`

.cursor/rules/swift-hooks.md

@@ -0,0 +1,20 @@
+---
+description: "Swift hooks extending common rules"
+globs: ["**/*.swift", "**/Package.swift"]
+alwaysApply: false
+---
+# Swift Hooks
+
+> This file extends the common hooks rule with Swift specific content.
+
+## PostToolUse Hooks
+
+Configure in `~/.claude/settings.json`:
+
+- **SwiftFormat**: Auto-format `.swift` files after edit
+- **SwiftLint**: Run lint checks after editing `.swift` files
+- **swift build**: Type-check modified packages after edit
+
+## Warning
+
+Flag `print()` statements -- use `os.Logger` or structured logging instead for production code.

.cursor/rules/swift-patterns.md

@@ -0,0 +1,66 @@
+---
+description: "Swift patterns extending common rules"
+globs: ["**/*.swift", "**/Package.swift"]
+alwaysApply: false
+---
+# Swift Patterns
+
+> This file extends the common patterns rule with Swift specific content.
+
+## Protocol-Oriented Design
+
+Define small, focused protocols. Use protocol extensions for shared defaults:
+
+```swift
+protocol Repository: Sendable {
+    associatedtype Item: Identifiable & Sendable
+    func find(by id: Item.ID) async throws -> Item?
+    func save(_ item: Item) async throws
+}
+```
+
+## Value Types
+
+- Use structs for data transfer objects and models
+- Use enums with associated values to model distinct states:
+
+```swift
+enum LoadState<T: Sendable>: Sendable {
+    case idle
+    case loading
+    case loaded(T)
+    case failed(Error)
+}
+```
+
+## Actor Pattern
+
+Use actors for shared mutable state instead of locks or dispatch queues:
+
+```swift
+actor Cache<Key: Hashable & Sendable, Value: Sendable> {
+    private var storage: [Key: Value] = [:]
+
+    func get(_ key: Key) -> Value? { storage[key] }
+    func set(_ key: Key, value: Value) { storage[key] = value }
+}
+```
+
+## Dependency Injection
+
+Inject protocols with default parameters -- production uses defaults, tests inject mocks:
+
+```swift
+struct UserService {
+    private let repository: any UserRepository
+
+    init(repository: any UserRepository = DefaultUserRepository()) {
+        self.repository = repository
+    }
+}
+```
+
+## References
+
+See skill: `swift-actor-persistence` for actor-based persistence patterns.
+See skill: `swift-protocol-di-testing` for protocol-based DI and testing.

.cursor/rules/swift-security.md

@@ -0,0 +1,33 @@
+---
+description: "Swift security extending common rules"
+globs: ["**/*.swift", "**/Package.swift"]
+alwaysApply: false
+---
+# Swift Security
+
+> This file extends the common security rule with Swift specific content.
+
+## Secret Management
+
+- Use **Keychain Services** for sensitive data (tokens, passwords, keys) -- never `UserDefaults`
+- Use environment variables or `.xcconfig` files for build-time secrets
+- Never hardcode secrets in source -- decompilation tools extract them trivially
+
+```swift
+let apiKey = ProcessInfo.processInfo.environment["API_KEY"]
+guard let apiKey, !apiKey.isEmpty else {
+    fatalError("API_KEY not configured")
+}
+```
+
+## Transport Security
+
+- App Transport Security (ATS) is enforced by default -- do not disable it
+- Use certificate pinning for critical endpoints
+- Validate all server certificates
+
+## Input Validation
+
+- Sanitize all user input before display to prevent injection
+- Use `URL(string:)` with validation rather than force-unwrapping
+- Validate data from external sources (APIs, deep links, pasteboard) before processing

.cursor/rules/swift-testing.md

@@ -0,0 +1,45 @@
+---
+description: "Swift testing extending common rules"
+globs: ["**/*.swift", "**/Package.swift"]
+alwaysApply: false
+---
+# Swift Testing
+
+> This file extends the common testing rule with Swift specific content.
+
+## Framework
+
+Use **Swift Testing** (`import Testing`) for new tests. Use `@Test` and `#expect`:
+
+```swift
+@Test("User creation validates email")
+func userCreationValidatesEmail() throws {
+    #expect(throws: ValidationError.invalidEmail) {
+        try User(email: "not-an-email")
+    }
+}
+```
+
+## Test Isolation
+
+Each test gets a fresh instance -- set up in `init`, tear down in `deinit`. No shared mutable state between tests.
+
+## Parameterized Tests
+
+```swift
+@Test("Validates formats", arguments: ["json", "xml", "csv"])
+func validatesFormat(format: String) throws {
+    let parser = try Parser(format: format)
+    #expect(parser.isValid)
+}
+```
+
+## Coverage
+
+```bash
+swift test --enable-code-coverage
+```
+
+## Reference
+
+See skill: `swift-protocol-di-testing` for protocol-based dependency injection and mock patterns with Swift Testing.

.cursor/rules/typescript-coding-style.md

@@ -0,0 +1,63 @@
+---
+description: "TypeScript coding style extending common rules"
+globs: ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx"]
+alwaysApply: false
+---
+# TypeScript/JavaScript Coding Style
+
+> This file extends the common coding style rule with TypeScript/JavaScript specific content.
+
+## Immutability
+
+Use spread operator for immutable updates:
+
+```typescript
+// WRONG: Mutation
+function updateUser(user, name) {
+  user.name = name  // MUTATION!
+  return user
+}
+
+// CORRECT: Immutability
+function updateUser(user, name) {
+  return {
+    ...user,
+    name
+  }
+}
+```
+
+## Error Handling
+
+Use async/await with try-catch:
+
+```typescript
+try {
+  const result = await riskyOperation()
+  return result
+} catch (error) {
+  console.error('Operation failed:', error)
+  throw new Error('Detailed user-friendly message')
+}
+```
+
+## Input Validation
+
+Use Zod for schema-based validation:
+
+```typescript
+import { z } from 'zod'
+
+const schema = z.object({
+  email: z.string().email(),
+  age: z.number().int().min(0).max(150)
+})
+
+const validated = schema.parse(input)
+```
+
+## Console.log
+
+- No `console.log` statements in production code
+- Use proper logging libraries instead
+- See hooks for automatic detection

.cursor/rules/typescript-hooks.md

@@ -0,0 +1,20 @@
+---
+description: "TypeScript hooks extending common rules"
+globs: ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx"]
+alwaysApply: false
+---
+# TypeScript/JavaScript Hooks
+
+> This file extends the common hooks rule with TypeScript/JavaScript specific content.
+
+## PostToolUse Hooks
+
+Configure in `~/.claude/settings.json`:
+
+- **Prettier**: Auto-format JS/TS files after edit
+- **TypeScript check**: Run `tsc` after editing `.ts`/`.tsx` files
+- **console.log warning**: Warn about `console.log` in edited files
+
+## Stop Hooks
+
+- **console.log audit**: Check all modified files for `console.log` before session ends

.cursor/rules/typescript-patterns.md

@@ -0,0 +1,50 @@
+---
+description: "TypeScript patterns extending common rules"
+globs: ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx"]
+alwaysApply: false
+---
+# TypeScript/JavaScript Patterns
+
+> This file extends the common patterns rule with TypeScript/JavaScript specific content.
+
+## API Response Format
+
+```typescript
+interface ApiResponse<T> {
+  success: boolean
+  data?: T
+  error?: string
+  meta?: {
+    total: number
+    page: number
+    limit: number
+  }
+}
+```
+
+## Custom Hooks Pattern
+
+```typescript
+export function useDebounce<T>(value: T, delay: number): T {
+  const [debouncedValue, setDebouncedValue] = useState<T>(value)
+
+  useEffect(() => {
+    const handler = setTimeout(() => setDebouncedValue(value), delay)
+    return () => clearTimeout(handler)
+  }, [value, delay])
+
+  return debouncedValue
+}
+```
+
+## Repository Pattern
+
+```typescript
+interface Repository<T> {
+  findAll(filters?: Filters): Promise<T[]>
+  findById(id: string): Promise<T | null>
+  create(data: CreateDto): Promise<T>
+  update(id: string, data: UpdateDto): Promise<T>
+  delete(id: string): Promise<void>
+}
+```

.cursor/rules/typescript-security.md

@@ -0,0 +1,26 @@
+---
+description: "TypeScript security extending common rules"
+globs: ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx"]
+alwaysApply: false
+---
+# TypeScript/JavaScript Security
+
+> This file extends the common security rule with TypeScript/JavaScript specific content.
+
+## Secret Management
+
+```typescript
+// NEVER: Hardcoded secrets
+const apiKey = "sk-proj-xxxxx"
+
+// ALWAYS: Environment variables
+const apiKey = process.env.OPENAI_API_KEY
+
+if (!apiKey) {
+  throw new Error('OPENAI_API_KEY not configured')
+}
+```
+
+## Agent Support
+
+- Use **security-reviewer** skill for comprehensive security audits

.cursor/rules/typescript-testing.md

@@ -0,0 +1,16 @@
+---
+description: "TypeScript testing extending common rules"
+globs: ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx"]
+alwaysApply: false
+---
+# TypeScript/JavaScript Testing
+
+> This file extends the common testing rule with TypeScript/JavaScript specific content.
+
+## E2E Testing
+
+Use **Playwright** as the E2E testing framework for critical user flows.
+
+## Agent Support
+
+- **e2e-runner** - Playwright E2E testing specialist

.github/workflows/copilot-setup-steps.yml

@@ -0,0 +1,18 @@
+steps:
+  - name: Setup Go environment
+    uses: actions/setup-go@v6.2.0
+    with:
+      # The Go version to download (if necessary) and use. Supports semver spec and ranges. Be sure to enclose this option in single quotation marks.
+      go-version: # optional
+      # Path to the go.mod, go.work, .go-version, or .tool-versions file.
+      go-version-file: # optional
+      # Set this option to true if you want the action to always check for the latest available version that satisfies the version spec
+      check-latest: # optional
+      # Used to pull Go distributions from go-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.
+      token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }}
+      # Used to specify whether caching is needed. Set to true, if you'd like to enable caching.
+      cache: # optional, default is true
+      # Used to specify the path to a dependency file - go.sum
+      cache-dependency-path: # optional
+      # Target architecture for Go to use. Examples: x86, x64. Will use system architecture by default.
+      architecture: # optional

.github/workflows/release.yml

@@ -25,6 +25,18 @@ jobs:
             exit 1
           fi
 
+      - name: Verify plugin.json version matches tag
+        env:
+          TAG_NAME: ${{ github.ref_name }}
+        run: |
+          TAG_VERSION="${TAG_NAME#v}"
+          PLUGIN_VERSION=$(grep -oE '"version": *"[^"]*"' .claude-plugin/plugin.json | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+          if [ "$TAG_VERSION" != "$PLUGIN_VERSION" ]; then
+            echo "::error::Tag version ($TAG_VERSION) does not match plugin.json version ($PLUGIN_VERSION)"
+            echo "Run: ./scripts/release.sh $TAG_VERSION"
+            exit 1
+          fi
+
       - name: Generate changelog
         id: changelog
         run: |

.gitignore

@@ -21,6 +21,16 @@ Thumbs.db
 # Node
 node_modules/
 
+# Build output
+dist/
+
+# Python
+__pycache__/
+*.pyc
+
+# Task files (Claude Code teams)
+tasks/
+
 # Personal configs (if any)
 personal/
 private/

.npmignore

@@ -0,0 +1,8 @@
+# npm always includes README* — exclude translations from package
+README.zh-CN.md
+
+# Dev-only script (release is CI/local only)
+scripts/release.sh
+
+# Plugin dev notes (not needed by consumers)
+.claude-plugin/PLUGIN_SCHEMA_NOTES.md

.opencode/MIGRATION.md

@@ -214,8 +214,8 @@ Create a detailed implementation plan for: $ARGUMENTS
 {
   "instructions": [
     ".opencode/instructions/INSTRUCTIONS.md",
-    "rules/security.md",
-    "rules/coding-style.md"
+    "rules/common/security.md",
+    "rules/common/coding-style.md"
   ]
 }
 ```
@@ -285,13 +285,13 @@ The `.opencode/` directory contains everything pre-configured.
 ### Option 2: Install as npm Package
 
 ```bash
-npm install opencode-ecc
+npm install ecc-universal
 ```
 
 Then in your `opencode.json`:
 ```json
 {
-  "plugin": ["opencode-ecc"]
+  "plugin": ["ecc-universal"]
 }
 ```
 

.opencode/README.md

@@ -1,22 +1,42 @@
 # OpenCode ECC Plugin
 
+> ⚠️ This README is specific to OpenCode usage.  
+> If you installed ECC via npm (e.g. `npm install opencode-ecc`), refer to the root README instead.
+
 Everything Claude Code (ECC) plugin for OpenCode - agents, commands, hooks, and skills.
 
 ## Installation
 
+## Installation Overview
+
+There are two ways to use Everything Claude Code (ECC):
+
+1. **npm package (recommended for most users)**  
+   Install via npm/bun/yarn and use the `ecc-install` CLI to set up rules and agents.
+
+2. **Direct clone / plugin mode**  
+   Clone the repository and run OpenCode directly inside it.
+
+Choose the method that matches your workflow below.
+
 ### Option 1: npm Package
 
 ```bash
-npm install opencode-ecc
+npm install ecc-universal
 ```
 
 Add to your `opencode.json`:
 
 ```json
 {
-  "plugin": ["opencode-ecc"]
+  "plugin": ["ecc-universal"]
 }
 ```
+After installation, the `ecc-install` CLI becomes available:
+
+```bash
+npx ecc-install typescript
+```
 
 ### Option 2: Direct Use
 

.opencode/index.ts

@@ -2,23 +2,23 @@
  * Everything Claude Code (ECC) Plugin for OpenCode
  *
  * This package provides a complete OpenCode plugin with:
- * - 12 specialized agents (planner, architect, code-reviewer, etc.)
- * - 24 commands (/plan, /tdd, /code-review, etc.)
- * - Plugin hooks (auto-format, TypeScript check, console.log warning, etc.)
- * - Custom tools (run-tests, check-coverage, security-audit)
- * - 16 skills (coding-standards, security-review, tdd-workflow, etc.)
+ * - 13 specialized agents (planner, architect, code-reviewer, etc.)
+ * - 31 commands (/plan, /tdd, /code-review, etc.)
+ * - Plugin hooks (auto-format, TypeScript check, console.log warning, env injection, etc.)
+ * - Custom tools (run-tests, check-coverage, security-audit, format-code, lint-check, git-summary)
+ * - 37 skills (coding-standards, security-review, tdd-workflow, etc.)
  *
  * Usage:
  *
  * Option 1: Install via npm
  * ```bash
- * npm install opencode-ecc
+ * npm install ecc-universal
  * ```
  *
  * Then add to your opencode.json:
  * ```json
  * {
- *   "plugin": ["opencode-ecc"]
+ *   "plugin": ["ecc-universal"]
  * }
  * ```
  *
@@ -39,18 +39,18 @@ export { ECCHooksPlugin, default } from "./plugins/index.js"
 export * from "./plugins/index.js"
 
 // Version export
-export const VERSION = "1.0.0"
+export const VERSION = "1.6.0"
 
 // Plugin metadata
 export const metadata = {
-  name: "opencode-ecc",
+  name: "ecc-universal",
   version: VERSION,
   description: "Everything Claude Code plugin for OpenCode",
   author: "affaan-m",
   features: {
-    agents: 12,
-    commands: 24,
-    skills: 16,
+    agents: 13,
+    commands: 31,
+    skills: 37,
     hookEvents: [
       "file.edited",
       "tool.execute.before",
@@ -59,13 +59,18 @@ export const metadata = {
       "session.idle",
       "session.deleted",
       "file.watcher.updated",
-      "permission.asked",
+      "permission.ask",
       "todo.updated",
+      "shell.env",
+      "experimental.session.compacting",
     ],
     customTools: [
       "run-tests",
       "check-coverage",
       "security-audit",
+      "format-code",
+      "lint-check",
+      "git-summary",
     ],
   },
 }

.opencode/opencode.json

@@ -4,11 +4,19 @@
   "small_model": "anthropic/claude-haiku-4-5",
   "default_agent": "build",
   "instructions": [
+    "AGENTS.md",
     "CONTRIBUTING.md",
     ".opencode/instructions/INSTRUCTIONS.md",
     "skills/tdd-workflow/SKILL.md",
     "skills/security-review/SKILL.md",
-    "skills/coding-standards/SKILL.md"
+    "skills/coding-standards/SKILL.md",
+    "skills/frontend-patterns/SKILL.md",
+    "skills/backend-patterns/SKILL.md",
+    "skills/e2e-testing/SKILL.md",
+    "skills/verification-loop/SKILL.md",
+    "skills/api-design/SKILL.md",
+    "skills/strategic-compact/SKILL.md",
+    "skills/eval-harness/SKILL.md"
   ],
   "plugin": [
     "./.opencode/plugins"

.opencode/package-lock.json

@@ -0,0 +1,83 @@
+{
+  "name": "ecc-universal",
+  "version": "1.4.1",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "ecc-universal",
+      "version": "1.4.1",
+      "license": "MIT",
+      "devDependencies": {
+        "@opencode-ai/plugin": "^1.0.0",
+        "@types/node": "^20.0.0",
+        "typescript": "^5.3.0"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      },
+      "peerDependencies": {
+        "@opencode-ai/plugin": ">=1.0.0"
+      }
+    },
+    "node_modules/@opencode-ai/plugin": {
+      "version": "1.1.53",
+      "resolved": "https://registry.npmjs.org/@opencode-ai/plugin/-/plugin-1.1.53.tgz",
+      "integrity": "sha512-9ye7Wz2kESgt02AUDaMea4hXxj6XhWwKAG8NwFhrw09Ux54bGaMJFt1eIS8QQGIMaD+Lp11X4QdyEg96etEBJw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@opencode-ai/sdk": "1.1.53",
+        "zod": "4.1.8"
+      }
+    },
+    "node_modules/@opencode-ai/sdk": {
+      "version": "1.1.53",
+      "resolved": "https://registry.npmjs.org/@opencode-ai/sdk/-/sdk-1.1.53.tgz",
+      "integrity": "sha512-RUIVnPOP1CyyU32FrOOYuE7Ge51lOBuhaFp2NSX98ncApT7ffoNetmwzqrhOiJQgZB1KrbCHLYOCK6AZfacxag==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/node": {
+      "version": "20.19.33",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.33.tgz",
+      "integrity": "sha512-Rs1bVAIdBs5gbTIKza/tgpMuG1k3U/UMJLWecIMxNdJFDMzcM5LOiLVRYh3PilWEYDIeUDv7bpiHPLPsbydGcw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "undici-types": "~6.21.0"
+      }
+    },
+    "node_modules/typescript": {
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    },
+    "node_modules/undici-types": {
+      "version": "6.21.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
+      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/zod": {
+      "version": "4.1.8",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-4.1.8.tgz",
+      "integrity": "sha512-5R1P+WwQqmmMIEACyzSvo4JXHY5WiAFHRMg+zBZKgKS+Q1viRa0C1hmUKtHltoIFKtIdki3pRxkmpP74jnNYHQ==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/colinhacks"
+      }
+    }
+  }
+}

.opencode/package.json

@@ -1,6 +1,6 @@
 {
-  "name": "opencode-ecc",
-  "version": "1.0.0",
+  "name": "ecc-universal",
+  "version": "1.6.0",
   "description": "Everything Claude Code (ECC) plugin for OpenCode - agents, commands, hooks, and skills",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

.opencode/plugins/ecc-hooks.ts

@@ -13,18 +13,21 @@
  * - SessionEnd → session.deleted
  */
 
-import type { PluginContext } from "@opencode-ai/plugin"
+import type { PluginInput } from "@opencode-ai/plugin"
 
 export const ECCHooksPlugin = async ({
-  project,
   client,
   $,
   directory,
   worktree,
-}: PluginContext) => {
+}: PluginInput) => {
   // Track files edited in current session for console.log audit
   const editedFiles = new Set<string>()
 
+  // Helper to call the SDK's log API with correct signature
+  const log = (level: "debug" | "info" | "warn" | "error", message: string) =>
+    client.app.log({ body: { service: "ecc", level, message } })
+
   return {
     /**
      * Prettier Auto-Format Hook
@@ -41,7 +44,7 @@ export const ECCHooksPlugin = async ({
       if (event.path.match(/\.(ts|tsx|js|jsx)$/)) {
         try {
           await $`prettier --write ${event.path} 2>/dev/null`
-          client.app.log("info", `[ECC] Formatted: ${event.path}`)
+          log("info", `[ECC] Formatted: ${event.path}`)
         } catch {
           // Prettier not installed or failed - silently continue
         }
@@ -53,7 +56,7 @@ export const ECCHooksPlugin = async ({
           const result = await $`grep -n "console\\.log" ${event.path} 2>/dev/null`.text()
           if (result.trim()) {
             const lines = result.trim().split("\n").length
-            client.app.log(
+            log(
               "warn",
               `[ECC] console.log found in ${event.path} (${lines} occurrence${lines > 1 ? "s" : ""})`
             )
@@ -82,21 +85,21 @@ export const ECCHooksPlugin = async ({
       ) {
         try {
           await $`npx tsc --noEmit 2>&1`
-          client.app.log("info", "[ECC] TypeScript check passed")
+          log("info", "[ECC] TypeScript check passed")
         } catch (error: unknown) {
           const err = error as { stdout?: string }
-          client.app.log("warn", "[ECC] TypeScript errors detected:")
+          log("warn", "[ECC] TypeScript errors detected:")
           if (err.stdout) {
             // Log first few errors
             const errors = err.stdout.split("\n").slice(0, 5)
-            errors.forEach((line: string) => client.app.log("warn", `  ${line}`))
+            errors.forEach((line: string) => log("warn", `  ${line}`))
           }
         }
       }
 
       // PR creation logging
       if (input.tool === "bash" && input.args?.toString().includes("gh pr create")) {
-        client.app.log("info", "[ECC] PR created - check GitHub Actions status")
+        log("info", "[ECC] PR created - check GitHub Actions status")
       }
     },
 
@@ -115,7 +118,7 @@ export const ECCHooksPlugin = async ({
         input.tool === "bash" &&
         input.args?.toString().includes("git push")
       ) {
-        client.app.log(
+        log(
           "info",
           "[ECC] Remember to review changes before pushing: git diff origin/main...HEAD"
         )
@@ -135,7 +138,7 @@ export const ECCHooksPlugin = async ({
           !filePath.includes("LICENSE") &&
           !filePath.includes("CONTRIBUTING")
         ) {
-          client.app.log(
+          log(
             "warn",
             `[ECC] Creating ${filePath} - consider if this documentation is necessary`
           )
@@ -150,7 +153,7 @@ export const ECCHooksPlugin = async ({
           cmd.match(/^cargo\s+(build|test|run)/) ||
           cmd.match(/^go\s+(build|test|run)/)
         ) {
-          client.app.log(
+          log(
             "info",
             "[ECC] Long-running command detected - consider using background execution"
           )
@@ -166,13 +169,13 @@ export const ECCHooksPlugin = async ({
      * Action: Loads context and displays welcome message
      */
     "session.created": async () => {
-      client.app.log("info", "[ECC] Session started - Everything Claude Code hooks active")
+      log("info", "[ECC] Session started - Everything Claude Code hooks active")
 
       // Check for project-specific context files
       try {
         const hasClaudeMd = await $`test -f ${worktree}/CLAUDE.md && echo "yes"`.text()
         if (hasClaudeMd.trim() === "yes") {
-          client.app.log("info", "[ECC] Found CLAUDE.md - loading project context")
+          log("info", "[ECC] Found CLAUDE.md - loading project context")
         }
       } catch {
         // No CLAUDE.md found
@@ -189,7 +192,7 @@ export const ECCHooksPlugin = async ({
     "session.idle": async () => {
       if (editedFiles.size === 0) return
 
-      client.app.log("info", "[ECC] Session idle - running console.log audit")
+      log("info", "[ECC] Session idle - running console.log audit")
 
       let totalConsoleLogCount = 0
       const filesWithConsoleLogs: string[] = []
@@ -210,16 +213,16 @@ export const ECCHooksPlugin = async ({
       }
 
       if (totalConsoleLogCount > 0) {
-        client.app.log(
+        log(
           "warn",
           `[ECC] Audit: ${totalConsoleLogCount} console.log statement(s) in ${filesWithConsoleLogs.length} file(s)`
         )
         filesWithConsoleLogs.forEach((f) =>
-          client.app.log("warn", `  - ${f}`)
+          log("warn", `  - ${f}`)
         )
-        client.app.log("warn", "[ECC] Remove console.log statements before committing")
+        log("warn", "[ECC] Remove console.log statements before committing")
       } else {
-        client.app.log("info", "[ECC] Audit passed: No console.log statements found")
+        log("info", "[ECC] Audit passed: No console.log statements found")
       }
 
       // Desktop notification (macOS)
@@ -241,7 +244,7 @@ export const ECCHooksPlugin = async ({
      * Action: Final cleanup and state saving
      */
     "session.deleted": async () => {
-      client.app.log("info", "[ECC] Session ended - cleaning up")
+      log("info", "[ECC] Session ended - cleaning up")
       editedFiles.clear()
     },
 
@@ -258,17 +261,6 @@ export const ECCHooksPlugin = async ({
       }
     },
 
-    /**
-     * Permission Asked Hook
-     * OpenCode-only feature
-     *
-     * Triggers: When permission is requested
-     * Action: Logs for audit trail
-     */
-    "permission.asked": async (event: { tool: string; args: unknown }) => {
-      client.app.log("info", `[ECC] Permission requested for: ${event.tool}`)
-    },
-
     /**
      * Todo Updated Hook
      * OpenCode-only feature
@@ -280,9 +272,134 @@ export const ECCHooksPlugin = async ({
       const completed = event.todos.filter((t) => t.done).length
       const total = event.todos.length
       if (total > 0) {
-        client.app.log("info", `[ECC] Progress: ${completed}/${total} tasks completed`)
+        log("info", `[ECC] Progress: ${completed}/${total} tasks completed`)
       }
     },
+
+    /**
+     * Shell Environment Hook
+     * OpenCode-specific: Inject environment variables into shell commands
+     *
+     * Triggers: Before shell command execution
+     * Action: Sets PROJECT_ROOT, PACKAGE_MANAGER, DETECTED_LANGUAGES, ECC_VERSION
+     */
+    "shell.env": async () => {
+      const env: Record<string, string> = {
+        ECC_VERSION: "1.6.0",
+        ECC_PLUGIN: "true",
+        PROJECT_ROOT: worktree || directory,
+      }
+
+      // Detect package manager
+      const lockfiles: Record<string, string> = {
+        "bun.lockb": "bun",
+        "pnpm-lock.yaml": "pnpm",
+        "yarn.lock": "yarn",
+        "package-lock.json": "npm",
+      }
+      for (const [lockfile, pm] of Object.entries(lockfiles)) {
+        try {
+          await $`test -f ${worktree}/${lockfile}`
+          env.PACKAGE_MANAGER = pm
+          break
+        } catch {
+          // Not found, try next
+        }
+      }
+
+      // Detect languages
+      const langDetectors: Record<string, string> = {
+        "tsconfig.json": "typescript",
+        "go.mod": "go",
+        "pyproject.toml": "python",
+        "Cargo.toml": "rust",
+        "Package.swift": "swift",
+      }
+      const detected: string[] = []
+      for (const [file, lang] of Object.entries(langDetectors)) {
+        try {
+          await $`test -f ${worktree}/${file}`
+          detected.push(lang)
+        } catch {
+          // Not found
+        }
+      }
+      if (detected.length > 0) {
+        env.DETECTED_LANGUAGES = detected.join(",")
+        env.PRIMARY_LANGUAGE = detected[0]
+      }
+
+      return env
+    },
+
+    /**
+     * Session Compacting Hook
+     * OpenCode-specific: Control context compaction behavior
+     *
+     * Triggers: Before context compaction
+     * Action: Push ECC context block and custom compaction prompt
+     */
+    "experimental.session.compacting": async () => {
+      const contextBlock = [
+        "# ECC Context (preserve across compaction)",
+        "",
+        "## Active Plugin: Everything Claude Code v1.6.0",
+        "- Hooks: file.edited, tool.execute.before/after, session.created/idle/deleted, shell.env, compacting, permission.ask",
+        "- Tools: run-tests, check-coverage, security-audit, format-code, lint-check, git-summary",
+        "- Agents: 13 specialized (planner, architect, tdd-guide, code-reviewer, security-reviewer, build-error-resolver, e2e-runner, refactor-cleaner, doc-updater, go-reviewer, go-build-resolver, database-reviewer, python-reviewer)",
+        "",
+        "## Key Principles",
+        "- TDD: write tests first, 80%+ coverage",
+        "- Immutability: never mutate, always return new copies",
+        "- Security: validate inputs, no hardcoded secrets",
+        "",
+      ]
+
+      // Include recently edited files
+      if (editedFiles.size > 0) {
+        contextBlock.push("## Recently Edited Files")
+        for (const f of editedFiles) {
+          contextBlock.push(`- ${f}`)
+        }
+        contextBlock.push("")
+      }
+
+      return {
+        context: contextBlock.join("\n"),
+        compaction_prompt: "Focus on preserving: 1) Current task status and progress, 2) Key decisions made, 3) Files created/modified, 4) Remaining work items, 5) Any security concerns flagged. Discard: verbose tool outputs, intermediate exploration, redundant file listings.",
+      }
+    },
+
+    /**
+     * Permission Auto-Approve Hook
+     * OpenCode-specific: Auto-approve safe operations
+     *
+     * Triggers: When permission is requested
+     * Action: Auto-approve reads, formatters, and test commands; log all for audit
+     */
+    "permission.ask": async (event: { tool: string; args: unknown }) => {
+      log("info", `[ECC] Permission requested for: ${event.tool}`)
+
+      const cmd = String((event.args as Record<string, unknown>)?.command || event.args || "")
+
+      // Auto-approve: read/search tools
+      if (["read", "glob", "grep", "search", "list"].includes(event.tool)) {
+        return { approved: true, reason: "Read-only operation" }
+      }
+
+      // Auto-approve: formatters
+      if (event.tool === "bash" && /^(npx )?(prettier|biome|black|gofmt|rustfmt|swift-format)/.test(cmd)) {
+        return { approved: true, reason: "Formatter execution" }
+      }
+
+      // Auto-approve: test execution
+      if (event.tool === "bash" && /^(npm test|npx vitest|npx jest|pytest|go test|cargo test)/.test(cmd)) {
+        return { approved: true, reason: "Test execution" }
+      }
+
+      // Everything else: let user decide
+      return { approved: undefined }
+    },
   }
 }
 

.opencode/plugins/index.ts

@@ -6,7 +6,7 @@
  * while taking advantage of OpenCode's more sophisticated 20+ event types.
  */
 
-export { ECCHooksPlugin, default } from "./ecc-hooks"
+export { ECCHooksPlugin, default } from "./ecc-hooks.js"
 
 // Re-export for named imports
-export * from "./ecc-hooks"
+export * from "./ecc-hooks.js"

.opencode/tools/check-coverage.ts

@@ -5,7 +5,7 @@
  * Supports common coverage report formats.
  */
 
-import { tool } from "@opencode-ai/plugin"
+import { tool } from "@opencode-ai/plugin/tool"
 import * as path from "path"
 import * as fs from "fs"
 
@@ -58,13 +58,13 @@ export default tool({
     }
 
     if (!coverageData) {
-      return {
+      return JSON.stringify({
         success: false,
         error: "No coverage report found",
         suggestion:
           "Run tests with coverage first: npm test -- --coverage",
         searchedPaths: coveragePaths,
-      }
+      })
     }
 
     const passed = coverageData.total.percentage >= threshold
@@ -96,7 +96,7 @@ export default tool({
         .join("\n")}`
     }
 
-    return result
+    return JSON.stringify(result)
   },
 })
 

.opencode/tools/format-code.ts

@@ -0,0 +1,66 @@
+/**
+ * ECC Custom Tool: Format Code
+ *
+ * Language-aware code formatter that auto-detects the project's formatter.
+ * Supports: Biome/Prettier (JS/TS), Black (Python), gofmt (Go), rustfmt (Rust)
+ */
+
+import { tool } from "@opencode-ai/plugin"
+import { z } from "zod"
+
+export default tool({
+  name: "format-code",
+  description: "Format a file using the project's configured formatter. Auto-detects Biome, Prettier, Black, gofmt, or rustfmt.",
+  parameters: z.object({
+    filePath: z.string().describe("Path to the file to format"),
+    formatter: z.string().optional().describe("Override formatter: biome, prettier, black, gofmt, rustfmt (default: auto-detect)"),
+  }),
+  execute: async ({ filePath, formatter }, { $ }) => {
+    const ext = filePath.split(".").pop()?.toLowerCase() || ""
+
+    // Auto-detect formatter based on file extension and config files
+    let detected = formatter
+    if (!detected) {
+      if (["ts", "tsx", "js", "jsx", "json", "css", "scss"].includes(ext)) {
+        // Check for Biome first, then Prettier
+        try {
+          await $`test -f biome.json || test -f biome.jsonc`
+          detected = "biome"
+        } catch {
+          detected = "prettier"
+        }
+      } else if (["py", "pyi"].includes(ext)) {
+        detected = "black"
+      } else if (ext === "go") {
+        detected = "gofmt"
+      } else if (ext === "rs") {
+        detected = "rustfmt"
+      }
+    }
+
+    if (!detected) {
+      return { formatted: false, message: `No formatter detected for .${ext} files` }
+    }
+
+    const commands: Record<string, string> = {
+      biome: `npx @biomejs/biome format --write ${filePath}`,
+      prettier: `npx prettier --write ${filePath}`,
+      black: `black ${filePath}`,
+      gofmt: `gofmt -w ${filePath}`,
+      rustfmt: `rustfmt ${filePath}`,
+    }
+
+    const cmd = commands[detected]
+    if (!cmd) {
+      return { formatted: false, message: `Unknown formatter: ${detected}` }
+    }
+
+    try {
+      const result = await $`${cmd}`.text()
+      return { formatted: true, formatter: detected, output: result }
+    } catch (error: unknown) {
+      const err = error as { stderr?: string }
+      return { formatted: false, formatter: detected, error: err.stderr || "Format failed" }
+    }
+  },
+})

.opencode/tools/git-summary.ts

@@ -0,0 +1,56 @@
+/**
+ * ECC Custom Tool: Git Summary
+ *
+ * Provides a comprehensive git status including branch info, status,
+ * recent log, and diff against base branch.
+ */
+
+import { tool } from "@opencode-ai/plugin"
+import { z } from "zod"
+
+export default tool({
+  name: "git-summary",
+  description: "Get comprehensive git summary: branch, status, recent log, and diff against base branch.",
+  parameters: z.object({
+    depth: z.number().optional().describe("Number of recent commits to show (default: 5)"),
+    includeDiff: z.boolean().optional().describe("Include diff against base branch (default: true)"),
+    baseBranch: z.string().optional().describe("Base branch for comparison (default: main)"),
+  }),
+  execute: async ({ depth = 5, includeDiff = true, baseBranch = "main" }, { $ }) => {
+    const results: Record<string, string> = {}
+
+    try {
+      results.branch = (await $`git branch --show-current`.text()).trim()
+    } catch {
+      results.branch = "unknown"
+    }
+
+    try {
+      results.status = (await $`git status --short`.text()).trim()
+    } catch {
+      results.status = "unable to get status"
+    }
+
+    try {
+      results.log = (await $`git log --oneline -${depth}`.text()).trim()
+    } catch {
+      results.log = "unable to get log"
+    }
+
+    if (includeDiff) {
+      try {
+        results.stagedDiff = (await $`git diff --cached --stat`.text()).trim()
+      } catch {
+        results.stagedDiff = ""
+      }
+
+      try {
+        results.branchDiff = (await $`git diff ${baseBranch}...HEAD --stat`.text()).trim()
+      } catch {
+        results.branchDiff = `unable to diff against ${baseBranch}`
+      }
+    }
+
+    return results
+  },
+})

.opencode/tools/index.ts

@@ -8,3 +8,6 @@
 export { default as runTests } from "./run-tests.js"
 export { default as checkCoverage } from "./check-coverage.js"
 export { default as securityAudit } from "./security-audit.js"
+export { default as formatCode } from "./format-code.js"
+export { default as lintCheck } from "./lint-check.js"
+export { default as gitSummary } from "./git-summary.js"

.opencode/tools/lint-check.ts

@@ -0,0 +1,74 @@
+/**
+ * ECC Custom Tool: Lint Check
+ *
+ * Multi-language linter that auto-detects the project's linting tool.
+ * Supports: ESLint/Biome (JS/TS), Pylint/Ruff (Python), golangci-lint (Go)
+ */
+
+import { tool } from "@opencode-ai/plugin"
+import { z } from "zod"
+
+export default tool({
+  name: "lint-check",
+  description: "Run linter on files or directories. Auto-detects ESLint, Biome, Ruff, Pylint, or golangci-lint.",
+  parameters: z.object({
+    target: z.string().optional().describe("File or directory to lint (default: current directory)"),
+    fix: z.boolean().optional().describe("Auto-fix issues if supported (default: false)"),
+    linter: z.string().optional().describe("Override linter: eslint, biome, ruff, pylint, golangci-lint (default: auto-detect)"),
+  }),
+  execute: async ({ target = ".", fix = false, linter }, { $ }) => {
+    // Auto-detect linter
+    let detected = linter
+    if (!detected) {
+      try {
+        await $`test -f biome.json || test -f biome.jsonc`
+        detected = "biome"
+      } catch {
+        try {
+          await $`test -f .eslintrc.json || test -f .eslintrc.js || test -f .eslintrc.cjs || test -f eslint.config.js || test -f eslint.config.mjs`
+          detected = "eslint"
+        } catch {
+          try {
+            await $`test -f pyproject.toml && grep -q "ruff" pyproject.toml`
+            detected = "ruff"
+          } catch {
+            try {
+              await $`test -f .golangci.yml || test -f .golangci.yaml`
+              detected = "golangci-lint"
+            } catch {
+              // Fall back based on file extensions in target
+              detected = "eslint"
+            }
+          }
+        }
+      }
+    }
+
+    const fixFlag = fix ? " --fix" : ""
+    const commands: Record<string, string> = {
+      biome: `npx @biomejs/biome lint${fix ? " --write" : ""} ${target}`,
+      eslint: `npx eslint${fixFlag} ${target}`,
+      ruff: `ruff check${fixFlag} ${target}`,
+      pylint: `pylint ${target}`,
+      "golangci-lint": `golangci-lint run${fixFlag} ${target}`,
+    }
+
+    const cmd = commands[detected]
+    if (!cmd) {
+      return { success: false, message: `Unknown linter: ${detected}` }
+    }
+
+    try {
+      const result = await $`${cmd}`.text()
+      return { success: true, linter: detected, output: result, issues: 0 }
+    } catch (error: unknown) {
+      const err = error as { stdout?: string; stderr?: string }
+      return {
+        success: false,
+        linter: detected,
+        output: err.stdout || "",
+        errors: err.stderr || "",
+      }
+    }
+  },
+})

.opencode/tools/run-tests.ts

@@ -5,7 +5,7 @@
  * Automatically detects the package manager and test framework.
  */
 
-import { tool } from "@opencode-ai/plugin"
+import { tool } from "@opencode-ai/plugin/tool"
 import * as path from "path"
 import * as fs from "fs"
 
@@ -82,7 +82,7 @@ export default tool({
 
     const command = cmd.join(" ")
 
-    return {
+    return JSON.stringify({
       command,
       packageManager,
       testFramework,
@@ -93,7 +93,7 @@ export default tool({
         updateSnapshots: updateSnapshots || false,
       },
       instructions: `Run this command to execute tests:\n\n${command}`,
-    }
+    })
   },
 })
 

.opencode/tools/security-audit.ts

@@ -8,7 +8,7 @@
  * The regex patterns below are used to DETECT potential issues in user code.
  */
 
-import { tool } from "@opencode-ai/plugin"
+import { tool } from "@opencode-ai/plugin/tool"
 import * as path from "path"
 import * as fs from "fs"
 
@@ -102,7 +102,7 @@ export default tool({
     // Generate recommendations
     results.recommendations = generateRecommendations(results)
 
-    return results
+    return JSON.stringify(results)
   },
 })
 

AGENTS.md

@@ -0,0 +1,136 @@
+# Everything Claude Code (ECC) — Agent Instructions
+
+This is a **production-ready AI coding plugin** providing 13 specialized agents, 50+ skills, 33 commands, and automated hook workflows for software development.
+
+## Core Principles
+
+1. **Agent-First** — Delegate to specialized agents for domain tasks
+2. **Test-Driven** — Write tests before implementation, 80%+ coverage required
+3. **Security-First** — Never compromise on security; validate all inputs
+4. **Immutability** — Always create new objects, never mutate existing ones
+5. **Plan Before Execute** — Plan complex features before writing code
+
+## Available Agents
+
+| Agent | Purpose | When to Use |
+|-------|---------|-------------|
+| planner | Implementation planning | Complex features, refactoring |
+| architect | System design and scalability | Architectural decisions |
+| tdd-guide | Test-driven development | New features, bug fixes |
+| code-reviewer | Code quality and maintainability | After writing/modifying code |
+| security-reviewer | Vulnerability detection | Before commits, sensitive code |
+| build-error-resolver | Fix build/type errors | When build fails |
+| e2e-runner | End-to-end Playwright testing | Critical user flows |
+| refactor-cleaner | Dead code cleanup | Code maintenance |
+| doc-updater | Documentation and codemaps | Updating docs |
+| go-reviewer | Go code review | Go projects |
+| go-build-resolver | Go build errors | Go build failures |
+| database-reviewer | PostgreSQL/Supabase specialist | Schema design, query optimization |
+| python-reviewer | Python code review | Python projects |
+
+## Agent Orchestration
+
+Use agents proactively without user prompt:
+- Complex feature requests → **planner**
+- Code just written/modified → **code-reviewer**
+- Bug fix or new feature → **tdd-guide**
+- Architectural decision → **architect**
+- Security-sensitive code → **security-reviewer**
+
+Use parallel execution for independent operations — launch multiple agents simultaneously.
+
+## Security Guidelines
+
+**Before ANY commit:**
+- No hardcoded secrets (API keys, passwords, tokens)
+- All user inputs validated
+- SQL injection prevention (parameterized queries)
+- XSS prevention (sanitized HTML)
+- CSRF protection enabled
+- Authentication/authorization verified
+- Rate limiting on all endpoints
+- Error messages don't leak sensitive data
+
+**Secret management:** NEVER hardcode secrets. Use environment variables or a secret manager. Validate required secrets at startup. Rotate any exposed secrets immediately.
+
+**If security issue found:** STOP → use security-reviewer agent → fix CRITICAL issues → rotate exposed secrets → review codebase for similar issues.
+
+## Coding Style
+
+**Immutability (CRITICAL):** Always create new objects, never mutate. Return new copies with changes applied.
+
+**File organization:** Many small files over few large ones. 200-400 lines typical, 800 max. Organize by feature/domain, not by type. High cohesion, low coupling.
+
+**Error handling:** Handle errors at every level. Provide user-friendly messages in UI code. Log detailed context server-side. Never silently swallow errors.
+
+**Input validation:** Validate all user input at system boundaries. Use schema-based validation. Fail fast with clear messages. Never trust external data.
+
+**Code quality checklist:**
+- Functions small (<50 lines), files focused (<800 lines)
+- No deep nesting (>4 levels)
+- Proper error handling, no hardcoded values
+- Readable, well-named identifiers
+
+## Testing Requirements
+
+**Minimum coverage: 80%**
+
+Test types (all required):
+1. **Unit tests** — Individual functions, utilities, components
+2. **Integration tests** — API endpoints, database operations
+3. **E2E tests** — Critical user flows
+
+**TDD workflow (mandatory):**
+1. Write test first (RED) — test should FAIL
+2. Write minimal implementation (GREEN) — test should PASS
+3. Refactor (IMPROVE) — verify coverage 80%+
+
+Troubleshoot failures: check test isolation → verify mocks → fix implementation (not tests, unless tests are wrong).
+
+## Development Workflow
+
+1. **Plan** — Use planner agent, identify dependencies and risks, break into phases
+2. **TDD** — Use tdd-guide agent, write tests first, implement, refactor
+3. **Review** — Use code-reviewer agent immediately, address CRITICAL/HIGH issues
+4. **Commit** — Conventional commits format, comprehensive PR summaries
+
+## Git Workflow
+
+**Commit format:** `<type>: <description>` — Types: feat, fix, refactor, docs, test, chore, perf, ci
+
+**PR workflow:** Analyze full commit history → draft comprehensive summary → include test plan → push with `-u` flag.
+
+## Architecture Patterns
+
+**API response format:** Consistent envelope with success indicator, data payload, error message, and pagination metadata.
+
+**Repository pattern:** Encapsulate data access behind standard interface (findAll, findById, create, update, delete). Business logic depends on abstract interface, not storage mechanism.
+
+**Skeleton projects:** Search for battle-tested templates, evaluate with parallel agents (security, extensibility, relevance), clone best match, iterate within proven structure.
+
+## Performance
+
+**Context management:** Avoid last 20% of context window for large refactoring and multi-file features. Lower-sensitivity tasks (single edits, docs, simple fixes) tolerate higher utilization.
+
+**Build troubleshooting:** Use build-error-resolver agent → analyze errors → fix incrementally → verify after each fix.
+
+## Project Structure
+
+```
+agents/          — 13 specialized subagents
+skills/          — 50+ workflow skills and domain knowledge
+commands/        — 33 slash commands
+hooks/           — Trigger-based automations
+rules/           — Always-follow guidelines (common + per-language)
+scripts/         — Cross-platform Node.js utilities
+mcp-configs/     — 14 MCP server configurations
+tests/           — Test suite
+```
+
+## Success Metrics
+
+- All tests pass with 80%+ coverage
+- No security vulnerabilities
+- Code is readable and maintainable
+- Performance is acceptable
+- User requirements are met

CLAUDE.md

@@ -0,0 +1,60 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is a **Claude Code plugin** - a collection of production-ready agents, skills, hooks, commands, rules, and MCP configurations. The project provides battle-tested workflows for software development using Claude Code.
+
+## Running Tests
+
+```bash
+# Run all tests
+node tests/run-all.js
+
+# Run individual test files
+node tests/lib/utils.test.js
+node tests/lib/package-manager.test.js
+node tests/hooks/hooks.test.js
+```
+
+## Architecture
+
+The project is organized into several core components:
+
+- **agents/** - Specialized subagents for delegation (planner, code-reviewer, tdd-guide, etc.)
+- **skills/** - Workflow definitions and domain knowledge (coding standards, patterns, testing)
+- **commands/** - Slash commands invoked by users (/tdd, /plan, /e2e, etc.)
+- **hooks/** - Trigger-based automations (session persistence, pre/post-tool hooks)
+- **rules/** - Always-follow guidelines (security, coding style, testing requirements)
+- **mcp-configs/** - MCP server configurations for external integrations
+- **scripts/** - Cross-platform Node.js utilities for hooks and setup
+- **tests/** - Test suite for scripts and utilities
+
+## Key Commands
+
+- `/tdd` - Test-driven development workflow
+- `/plan` - Implementation planning
+- `/e2e` - Generate and run E2E tests
+- `/code-review` - Quality review
+- `/build-fix` - Fix build errors
+- `/learn` - Extract patterns from sessions
+- `/skill-create` - Generate skills from git history
+
+## Development Notes
+
+- Package manager detection: npm, pnpm, yarn, bun (configurable via `CLAUDE_PACKAGE_MANAGER` env var or project config)
+- Cross-platform: Windows, macOS, Linux support via Node.js scripts
+- Agent format: Markdown with YAML frontmatter (name, description, tools, model)
+- Skill format: Markdown with clear sections for when to use, how it works, examples
+- Hook format: JSON with matcher conditions and command/notification hooks
+
+## Contributing
+
+Follow the formats in CONTRIBUTING.md:
+- Agents: Markdown with frontmatter (name, description, tools, model)
+- Skills: Clear sections (When to Use, How It Works, Examples)
+- Commands: Markdown with description frontmatter
+- Hooks: JSON with matcher and hooks array
+
+File naming: lowercase with hyphens (e.g., `python-reviewer.md`, `tdd-workflow.md`)

CONTRIBUTING.md

@@ -85,6 +85,7 @@ skills/
 ---
 name: your-skill-name
 description: Brief description shown in skill list
+origin: ECC
 ---
 
 # Your Skill Title

README.md

@@ -3,19 +3,25 @@
 # Everything Claude Code
 
 [![Stars](https://img.shields.io/github/stars/affaan-m/everything-claude-code?style=flat)](https://github.com/affaan-m/everything-claude-code/stargazers)
+[![Forks](https://img.shields.io/github/forks/affaan-m/everything-claude-code?style=flat)](https://github.com/affaan-m/everything-claude-code/network/members)
+[![Contributors](https://img.shields.io/github/contributors/affaan-m/everything-claude-code?style=flat)](https://github.com/affaan-m/everything-claude-code/graphs/contributors)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
 ![Shell](https://img.shields.io/badge/-Shell-4EAA25?logo=gnu-bash&logoColor=white)
 ![TypeScript](https://img.shields.io/badge/-TypeScript-3178C6?logo=typescript&logoColor=white)
+![Python](https://img.shields.io/badge/-Python-3776AB?logo=python&logoColor=white)
 ![Go](https://img.shields.io/badge/-Go-00ADD8?logo=go&logoColor=white)
+![Java](https://img.shields.io/badge/-Java-ED8B00?logo=openjdk&logoColor=white)
 ![Markdown](https://img.shields.io/badge/-Markdown-000000?logo=markdown&logoColor=white)
 
+> **50K+ stars** | **6K+ forks** | **30 contributors** | **6 languages supported** | **Anthropic Hackathon Winner**
+
 ---
 
 <div align="center">
 
 **🌐 Language / 语言 / 語言**
 
-[**English**](README.md) | [简体中文](README.zh-CN.md) | [繁體中文](docs/zh-TW/README.md)
+[**English**](README.md) | [简体中文](README.zh-CN.md) | [繁體中文](docs/zh-TW/README.md) | [日本語](docs/ja-JP/README.md)
 
 </div>
 
@@ -61,6 +67,47 @@ This repo is the raw code only. The guides explain everything.
 
 ---
 
+## What's New
+
+### v1.6.0 — Codex CLI, AgentShield & Marketplace (Feb 2026)
+
+- **Codex CLI support** — New `/codex-setup` command generates `codex.md` for OpenAI Codex CLI compatibility
+- **7 new skills** — `search-first`, `swift-actor-persistence`, `swift-protocol-di-testing`, `regex-vs-llm-structured-text`, `content-hash-cache-pattern`, `cost-aware-llm-pipeline`, `skill-stocktake`
+- **AgentShield integration** — `/security-scan` skill runs AgentShield directly from Claude Code; 1282 tests, 102 rules
+- **GitHub Marketplace** — ECC Tools GitHub App live at [github.com/marketplace/ecc-tools](https://github.com/marketplace/ecc-tools) with free/pro/enterprise tiers
+- **30+ community PRs merged** — Contributions from 30 contributors across 6 languages
+- **978 internal tests** — Expanded validation suite across agents, skills, commands, hooks, and rules
+
+### v1.4.1 — Bug Fix (Feb 2026)
+
+- **Fixed instinct import content loss** — `parse_instinct_file()` was silently dropping all content after frontmatter (Action, Evidence, Examples sections) during `/instinct-import`. Fixed by community contributor @ericcai0814 ([#148](https://github.com/affaan-m/everything-claude-code/issues/148), [#161](https://github.com/affaan-m/everything-claude-code/pull/161))
+
+### v1.4.0 — Multi-Language Rules, Installation Wizard & PM2 (Feb 2026)
+
+- **Interactive installation wizard** — New `configure-ecc` skill provides guided setup with merge/overwrite detection
+- **PM2 & multi-agent orchestration** — 6 new commands (`/pm2`, `/multi-plan`, `/multi-execute`, `/multi-backend`, `/multi-frontend`, `/multi-workflow`) for managing complex multi-service workflows
+- **Multi-language rules architecture** — Rules restructured from flat files into `common/` + `typescript/` + `python/` + `golang/` directories. Install only the languages you need
+- **Chinese (zh-CN) translations** — Complete translation of all agents, commands, skills, and rules (80+ files)
+- **GitHub Sponsors support** — Sponsor the project via GitHub Sponsors
+- **Enhanced CONTRIBUTING.md** — Detailed PR templates for each contribution type
+
+### v1.3.0 — OpenCode Plugin Support (Feb 2026)
+
+- **Full OpenCode integration** — 12 agents, 24 commands, 16 skills with hook support via OpenCode's plugin system (20+ event types)
+- **3 native custom tools** — run-tests, check-coverage, security-audit
+- **LLM documentation** — `llms.txt` for comprehensive OpenCode docs
+
+### v1.2.0 — Unified Commands & Skills (Feb 2026)
+
+- **Python/Django support** — Django patterns, security, TDD, and verification skills
+- **Java Spring Boot skills** — Patterns, security, TDD, and verification for Spring Boot
+- **Session management** — `/sessions` command for session history
+- **Continuous learning v2** — Instinct-based learning with confidence scoring, import/export, evolution
+
+See the full changelog in [Releases](https://github.com/affaan-m/everything-claude-code/releases).
+
+---
+
 ## 🚀 Quick Start
 
 Get up and running in under 2 minutes:
@@ -79,19 +126,22 @@ Get up and running in under 2 minutes:
 
 > ⚠️ **Important:** Claude Code plugins cannot distribute `rules` automatically. Install them manually:
 
+
 ```bash
 # Clone the repo first
 git clone https://github.com/affaan-m/everything-claude-code.git
+cd everything-claude-code
 
-# Install common rules (required)
-cp -r everything-claude-code/rules/common/* ~/.claude/rules/
-
-# Install language-specific rules (pick your stack)
-cp -r everything-claude-code/rules/typescript/* ~/.claude/rules/
-cp -r everything-claude-code/rules/python/* ~/.claude/rules/
-cp -r everything-claude-code/rules/golang/* ~/.claude/rules/
+# Recommended: use the installer (handles common + language rules safely)
+./install.sh typescript    # or python or golang
+# You can pass multiple languages:
+# ./install.sh typescript python golang
+# or target cursor:
+# ./install.sh --target cursor typescript
 ```
 
+For manual install instructions see the README in the `rules/` folder.
+
 ### Step 3: Start Using
 
 ```bash
@@ -102,7 +152,7 @@ cp -r everything-claude-code/rules/golang/* ~/.claude/rules/
 /plugin list everything-claude-code@everything-claude-code
 ```
 
-✨ **That's it!** You now have access to 15+ agents, 30+ skills, and 20+ commands.
+✨ **That's it!** You now have access to 13 agents, 48 skills, and 32 commands.
 
 ---
 
@@ -161,11 +211,14 @@ everything-claude-code/
 |   |-- e2e-runner.md        # Playwright E2E testing
 |   |-- refactor-cleaner.md  # Dead code cleanup
 |   |-- doc-updater.md       # Documentation sync
-|   |-- go-reviewer.md       # Go code review (NEW)
-|   |-- go-build-resolver.md # Go build error resolution (NEW)
+|   |-- go-reviewer.md       # Go code review
+|   |-- go-build-resolver.md # Go build error resolution
+|   |-- python-reviewer.md   # Python code review (NEW)
+|   |-- database-reviewer.md # Database/Supabase review (NEW)
 |
 |-- skills/           # Workflow definitions and domain knowledge
 |   |-- coding-standards/           # Language best practices
+|   |-- clickhouse-io/              # ClickHouse analytics, queries, data engineering
 |   |-- backend-patterns/           # API, database, caching patterns
 |   |-- frontend-patterns/          # React, Next.js patterns
 |   |-- continuous-learning/        # Auto-extract patterns from sessions (Longform Guide)
@@ -176,8 +229,42 @@ everything-claude-code/
 |   |-- security-review/            # Security checklist
 |   |-- eval-harness/               # Verification loop evaluation (Longform Guide)
 |   |-- verification-loop/          # Continuous verification (Longform Guide)
-|   |-- golang-patterns/            # Go idioms and best practices (NEW)
-|   |-- golang-testing/             # Go testing patterns, TDD, benchmarks (NEW)
+|   |-- golang-patterns/            # Go idioms and best practices
+|   |-- golang-testing/             # Go testing patterns, TDD, benchmarks
+|   |-- cpp-coding-standards/         # C++ coding standards from C++ Core Guidelines (NEW)
+|   |-- cpp-testing/                # C++ testing with GoogleTest, CMake/CTest (NEW)
+|   |-- django-patterns/            # Django patterns, models, views (NEW)
+|   |-- django-security/            # Django security best practices (NEW)
+|   |-- django-tdd/                 # Django TDD workflow (NEW)
+|   |-- django-verification/        # Django verification loops (NEW)
+|   |-- python-patterns/            # Python idioms and best practices (NEW)
+|   |-- python-testing/             # Python testing with pytest (NEW)
+|   |-- springboot-patterns/        # Java Spring Boot patterns (NEW)
+|   |-- springboot-security/        # Spring Boot security (NEW)
+|   |-- springboot-tdd/             # Spring Boot TDD (NEW)
+|   |-- springboot-verification/    # Spring Boot verification (NEW)
+|   |-- configure-ecc/              # Interactive installation wizard (NEW)
+|   |-- security-scan/              # AgentShield security auditor integration (NEW)
+|   |-- java-coding-standards/     # Java coding standards (NEW)
+|   |-- jpa-patterns/              # JPA/Hibernate patterns (NEW)
+|   |-- postgres-patterns/         # PostgreSQL optimization patterns (NEW)
+|   |-- nutrient-document-processing/ # Document processing with Nutrient API (NEW)
+|   |-- project-guidelines-example/   # Template for project-specific skills
+|   |-- database-migrations/         # Migration patterns (Prisma, Drizzle, Django, Go) (NEW)
+|   |-- api-design/                  # REST API design, pagination, error responses (NEW)
+|   |-- deployment-patterns/         # CI/CD, Docker, health checks, rollbacks (NEW)
+|   |-- docker-patterns/            # Docker Compose, networking, volumes, container security (NEW)
+|   |-- e2e-testing/                 # Playwright E2E patterns and Page Object Model (NEW)
+|   |-- content-hash-cache-pattern/  # SHA-256 content hash caching for file processing (NEW)
+|   |-- cost-aware-llm-pipeline/     # LLM cost optimization, model routing, budget tracking (NEW)
+|   |-- regex-vs-llm-structured-text/ # Decision framework: regex vs LLM for text parsing (NEW)
+|   |-- swift-actor-persistence/     # Thread-safe Swift data persistence with actors (NEW)
+|   |-- swift-protocol-di-testing/   # Protocol-based DI for testable Swift code (NEW)
+|   |-- search-first/               # Research-before-coding workflow (NEW)
+|   |-- skill-stocktake/            # Audit skills and commands for quality (NEW)
+|   |-- liquid-glass-design/         # iOS 26 Liquid Glass design system (NEW)
+|   |-- foundation-models-on-device/ # Apple on-device LLM with FoundationModels (NEW)
+|   |-- swift-concurrency-6-2/       # Swift 6.2 Approachable Concurrency (NEW)
 |
 |-- commands/         # Slash commands for quick execution
 |   |-- tdd.md              # /tdd - Test-driven development
@@ -187,6 +274,7 @@ everything-claude-code/
 |   |-- build-fix.md        # /build-fix - Fix build errors
 |   |-- refactor-clean.md   # /refactor-clean - Dead code removal
 |   |-- learn.md            # /learn - Extract patterns mid-session (Longform Guide)
+|   |-- learn-eval.md       # /learn-eval - Extract, evaluate, and save patterns (NEW)
 |   |-- checkpoint.md       # /checkpoint - Save verification state (Longform Guide)
 |   |-- verify.md           # /verify - Run verification loop (Longform Guide)
 |   |-- setup-pm.md         # /setup-pm - Configure package manager
@@ -197,7 +285,20 @@ everything-claude-code/
 |   |-- instinct-status.md  # /instinct-status - View learned instincts (NEW)
 |   |-- instinct-import.md  # /instinct-import - Import instincts (NEW)
 |   |-- instinct-export.md  # /instinct-export - Export instincts (NEW)
-|   |-- evolve.md           # /evolve - Cluster instincts into skills (NEW)
+|   |-- evolve.md           # /evolve - Cluster instincts into skills
+|   |-- pm2.md              # /pm2 - PM2 service lifecycle management (NEW)
+|   |-- multi-plan.md       # /multi-plan - Multi-agent task decomposition (NEW)
+|   |-- multi-execute.md    # /multi-execute - Orchestrated multi-agent workflows (NEW)
+|   |-- multi-backend.md    # /multi-backend - Backend multi-service orchestration (NEW)
+|   |-- multi-frontend.md   # /multi-frontend - Frontend multi-service orchestration (NEW)
+|   |-- multi-workflow.md   # /multi-workflow - General multi-service workflows (NEW)
+|   |-- orchestrate.md      # /orchestrate - Multi-agent coordination
+|   |-- sessions.md         # /sessions - Session history management
+|   |-- eval.md             # /eval - Evaluate against criteria
+|   |-- test-coverage.md    # /test-coverage - Test coverage analysis
+|   |-- update-docs.md      # /update-docs - Update documentation
+|   |-- update-codemaps.md  # /update-codemaps - Update codemaps
+|   |-- python-review.md    # /python-review - Python code review (NEW)
 |
 |-- rules/            # Always-follow guidelines (copy to ~/.claude/rules/)
 |   |-- README.md            # Structure overview and installation guide
@@ -215,6 +316,7 @@ everything-claude-code/
 |   |-- golang/              # Go specific
 |
 |-- hooks/            # Trigger-based automations
+|   |-- README.md                 # Hook documentation, recipes, and customization guide
 |   |-- hooks.json                # All hooks config (PreToolUse, PostToolUse, Stop, etc.)
 |   |-- memory-persistence/       # Session lifecycle hooks (Longform Guide)
 |   |-- strategic-compact/        # Compaction suggestions (Longform Guide)
@@ -242,8 +344,12 @@ everything-claude-code/
 |   |-- research.md         # Research/exploration mode context
 |
 |-- examples/         # Example configurations and sessions
-|   |-- CLAUDE.md           # Example project-level config
-|   |-- user-CLAUDE.md      # Example user-level config
+|   |-- CLAUDE.md             # Example project-level config
+|   |-- user-CLAUDE.md        # Example user-level config
+|   |-- saas-nextjs-CLAUDE.md   # Real-world SaaS (Next.js + Supabase + Stripe)
+|   |-- go-microservice-CLAUDE.md # Real-world Go microservice (gRPC + PostgreSQL)
+|   |-- django-api-CLAUDE.md      # Real-world Django REST API (DRF + Celery)
+|   |-- rust-api-CLAUDE.md        # Real-world Rust API (Axum + SQLx + PostgreSQL) (NEW)
 |
 |-- mcp-configs/      # MCP server configurations
 |   |-- mcp-servers.json    # GitHub, Supabase, Vercel, Railway, etc.
@@ -288,6 +394,36 @@ Both options create:
 - **Instinct collections** - For continuous-learning-v2
 - **Pattern extraction** - Learns from your commit history
 
+### AgentShield — Security Auditor
+
+> Built at the Claude Code Hackathon (Cerebral Valley x Anthropic, Feb 2026). 1282 tests, 98% coverage, 102 static analysis rules.
+
+Scan your Claude Code configuration for vulnerabilities, misconfigurations, and injection risks.
+
+```bash
+# Quick scan (no install needed)
+npx ecc-agentshield scan
+
+# Auto-fix safe issues
+npx ecc-agentshield scan --fix
+
+# Deep analysis with three Opus 4.6 agents
+npx ecc-agentshield scan --opus --stream
+
+# Generate secure config from scratch
+npx ecc-agentshield init
+```
+
+**What it scans:** CLAUDE.md, settings.json, MCP configs, hooks, agent definitions, and skills across 5 categories — secrets detection (14 patterns), permission auditing, hook injection analysis, MCP server risk profiling, and agent config review.
+
+**The `--opus` flag** runs three Claude Opus 4.6 agents in a red-team/blue-team/auditor pipeline. The attacker finds exploit chains, the defender evaluates protections, and the auditor synthesizes both into a prioritized risk assessment. Adversarial reasoning, not just pattern matching.
+
+**Output formats:** Terminal (color-graded A-F), JSON (CI pipelines), Markdown, HTML. Exit code 2 on critical findings for build gates.
+
+Use `/security-scan` in Claude Code to run it, or add to CI with the [GitHub Action](https://github.com/affaan-m/agentshield).
+
+[GitHub](https://github.com/affaan-m/agentshield) | [npm](https://www.npmjs.com/package/ecc-agentshield)
+
 ### 🧠 Continuous Learning v2
 
 The instinct-based learning system automatically learns your patterns:
@@ -371,6 +507,7 @@ This gives you instant access to all commands, agents, skills, and hooks.
 > git clone https://github.com/affaan-m/everything-claude-code.git
 >
 > # Option A: User-level rules (applies to all projects)
+> mkdir -p ~/.claude/rules
 > cp -r everything-claude-code/rules/common/* ~/.claude/rules/
 > cp -r everything-claude-code/rules/typescript/* ~/.claude/rules/   # pick your stack
 > cp -r everything-claude-code/rules/python/* ~/.claude/rules/
@@ -481,6 +618,122 @@ See [`rules/README.md`](rules/README.md) for installation and structure details.
 
 ---
 
+## 🗺️ Which Agent Should I Use?
+
+Not sure where to start? Use this quick reference:
+
+| I want to... | Use this command | Agent used |
+|--------------|-----------------|------------|
+| Plan a new feature | `/plan "Add auth"` | planner |
+| Design system architecture | `/plan` + architect agent | architect |
+| Write code with tests first | `/tdd` | tdd-guide |
+| Review code I just wrote | `/code-review` | code-reviewer |
+| Fix a failing build | `/build-fix` | build-error-resolver |
+| Run end-to-end tests | `/e2e` | e2e-runner |
+| Find security vulnerabilities | `/security-scan` | security-reviewer |
+| Remove dead code | `/refactor-clean` | refactor-cleaner |
+| Update documentation | `/update-docs` | doc-updater |
+| Review Go code | `/go-review` | go-reviewer |
+| Review Python code | `/python-review` | python-reviewer |
+| Audit database queries | *(auto-delegated)* | database-reviewer |
+
+### Common Workflows
+
+**Starting a new feature:**
+```
+/plan "Add user authentication with OAuth"   → planner creates implementation blueprint
+/tdd                                          → tdd-guide enforces write-tests-first
+/code-review                                  → code-reviewer checks your work
+```
+
+**Fixing a bug:**
+```
+/tdd                                          → tdd-guide: write a failing test that reproduces it
+                                              → implement the fix, verify test passes
+/code-review                                  → code-reviewer: catch regressions
+```
+
+**Preparing for production:**
+```
+/security-scan                                → security-reviewer: OWASP Top 10 audit
+/e2e                                          → e2e-runner: critical user flow tests
+/test-coverage                                → verify 80%+ coverage
+```
+
+---
+
+## ❓ FAQ
+
+<details>
+<summary><b>How do I check which agents/commands are installed?</b></summary>
+
+```bash
+/plugin list everything-claude-code@everything-claude-code
+```
+
+This shows all available agents, commands, and skills from the plugin.
+</details>
+
+<details>
+<summary><b>My hooks aren't working / I see "Duplicate hooks file" errors</b></summary>
+
+This is the most common issue. **Do NOT add a `"hooks"` field to `.claude-plugin/plugin.json`.** Claude Code v2.1+ automatically loads `hooks/hooks.json` from installed plugins. Explicitly declaring it causes duplicate detection errors. See [#29](https://github.com/affaan-m/everything-claude-code/issues/29), [#52](https://github.com/affaan-m/everything-claude-code/issues/52), [#103](https://github.com/affaan-m/everything-claude-code/issues/103).
+</details>
+
+<details>
+<summary><b>My context window is shrinking / Claude is running out of context</b></summary>
+
+Too many MCP servers eat your context. Each MCP tool description consumes tokens from your 200k window, potentially reducing it to ~70k.
+
+**Fix:** Disable unused MCPs per project:
+```json
+// In your project's .claude/settings.json
+{
+  "disabledMcpServers": ["supabase", "railway", "vercel"]
+}
+```
+
+Keep under 10 MCPs enabled and under 80 tools active.
+</details>
+
+<details>
+<summary><b>Can I use only some components (e.g., just agents)?</b></summary>
+
+Yes. Use Option 2 (manual installation) and copy only what you need:
+
+```bash
+# Just agents
+cp everything-claude-code/agents/*.md ~/.claude/agents/
+
+# Just rules
+cp -r everything-claude-code/rules/common/* ~/.claude/rules/
+```
+
+Each component is fully independent.
+</details>
+
+<details>
+<summary><b>Does this work with Cursor / OpenCode / Codex?</b></summary>
+
+Yes. ECC is cross-platform:
+- **Cursor**: Pre-translated configs in `.cursor/`. See [Cursor IDE Support](#cursor-ide-support).
+- **OpenCode**: Full plugin support in `.opencode/`. See [OpenCode Support](#-opencode-support).
+- **Codex**: First-class support with adapter drift guards and SessionStart fallback. See PR [#257](https://github.com/affaan-m/everything-claude-code/pull/257).
+- **Claude Code**: Native — this is the primary target.
+</details>
+
+<details>
+<summary><b>How do I contribute a new skill or agent?</b></summary>
+
+See [CONTRIBUTING.md](CONTRIBUTING.md). The short version:
+1. Fork the repo
+2. Create your skill in `skills/your-skill-name/SKILL.md` (with YAML frontmatter)
+3. Or create an agent in `agents/your-agent.md`
+4. Submit a PR with a clear description of what it does and when to use it
+</details>
+
+---
+
 ## 🧪 Running Tests
 
 The plugin includes a comprehensive test suite:
@@ -511,14 +764,115 @@ Please contribute! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
 
 ### Ideas for Contributions
 
-- Language-specific skills (Python, Rust patterns) - Go now included!
-- Framework-specific configs (Django, Rails, Laravel)
-- DevOps agents (Kubernetes, Terraform, AWS)
-- Testing strategies (different frameworks)
+- Language-specific skills (Rust, C#, Swift, Kotlin) — Go, Python, Java already included
+- Framework-specific configs (Rails, Laravel, FastAPI, NestJS) — Django, Spring Boot already included
+- DevOps agents (Kubernetes, Terraform, AWS, Docker)
+- Testing strategies (different frameworks, visual regression)
 - Domain-specific knowledge (ML, data engineering, mobile)
 
 ---
 
+## Cursor IDE Support
+
+ECC provides **full Cursor IDE support** with hooks, rules, agents, skills, commands, and MCP configs adapted for Cursor's native format.
+
+### Quick Start (Cursor)
+
+```bash
+# Install for your language(s)
+./install.sh --target cursor typescript
+./install.sh --target cursor python golang swift
+```
+
+### What's Included
+
+| Component | Count | Details |
+|-----------|-------|---------|
+| Hook Events | 15 | sessionStart, beforeShellExecution, afterFileEdit, beforeMCPExecution, beforeSubmitPrompt, and 10 more |
+| Hook Scripts | 16 | Thin Node.js scripts delegating to `scripts/hooks/` via shared adapter |
+| Rules | 29 | 9 common (alwaysApply) + 20 language-specific (TypeScript, Python, Go, Swift) |
+| Agents | Shared | Via AGENTS.md at root (read by Cursor natively) |
+| Skills | Shared | Via AGENTS.md at root |
+| Commands | Shared | `.cursor/commands/` if installed |
+| MCP Config | Shared | `.cursor/mcp.json` if installed |
+
+### Hook Architecture (DRY Adapter Pattern)
+
+Cursor has **more hook events than Claude Code** (20 vs 8). The `.cursor/hooks/adapter.js` module transforms Cursor's stdin JSON to Claude Code's format, allowing existing `scripts/hooks/*.js` to be reused without duplication.
+
+```
+Cursor stdin JSON → adapter.js → transforms → scripts/hooks/*.js
+                                              (shared with Claude Code)
+```
+
+Key hooks:
+- **beforeShellExecution** — Blocks dev servers outside tmux (exit 2), git push review
+- **afterFileEdit** — Auto-format + TypeScript check + console.log warning
+- **beforeSubmitPrompt** — Detects secrets (sk-, ghp_, AKIA patterns) in prompts
+- **beforeTabFileRead** — Blocks Tab from reading .env, .key, .pem files (exit 2)
+- **beforeMCPExecution / afterMCPExecution** — MCP audit logging
+
+### Rules Format
+
+Cursor rules use YAML frontmatter with `description`, `globs`, and `alwaysApply`:
+
+```yaml
+---
+description: "TypeScript coding style extending common rules"
+globs: ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx"]
+alwaysApply: false
+---
+```
+
+---
+
+## Codex CLI Support
+
+ECC provides **first-class Codex CLI support** with a reference configuration, Codex-specific AGENTS.md supplement, and 10 ported skills.
+
+### Quick Start (Codex)
+
+```bash
+# Copy the reference config to your home directory
+cp .codex/config.toml ~/.codex/config.toml
+
+# Run Codex in the repo — AGENTS.md is auto-detected
+codex
+```
+
+### What's Included
+
+| Component | Count | Details |
+|-----------|-------|---------|
+| Config | 1 | `.codex/config.toml` — model, permissions, MCP servers, persistent instructions |
+| AGENTS.md | 2 | Root (universal) + `.codex/AGENTS.md` (Codex-specific supplement) |
+| Skills | 10 | `.agents/skills/` — SKILL.md + agents/openai.yaml per skill |
+| MCP Servers | 4 | GitHub, Context7, Memory, Sequential Thinking (command-based) |
+| Profiles | 2 | `strict` (read-only sandbox) and `yolo` (full auto-approve) |
+
+### Skills
+
+Skills at `.agents/skills/` are auto-loaded by Codex:
+
+| Skill | Description |
+|-------|-------------|
+| tdd-workflow | Test-driven development with 80%+ coverage |
+| security-review | Comprehensive security checklist |
+| coding-standards | Universal coding standards |
+| frontend-patterns | React/Next.js patterns |
+| backend-patterns | API design, database, caching |
+| e2e-testing | Playwright E2E tests |
+| eval-harness | Eval-driven development |
+| strategic-compact | Context management |
+| api-design | REST API design patterns |
+| verification-loop | Build, test, lint, typecheck, security |
+
+### Key Limitation
+
+Codex CLI does **not yet support hooks** ([GitHub Issue #2109](https://github.com/openai/codex/issues/2109), 430+ upvotes). Security enforcement is instruction-based via `persistent_instructions` in config.toml and the sandbox permission system.
+
+---
+
 ## 🔌 OpenCode Support
 
 ECC provides **full OpenCode support** including plugins and hooks.
@@ -539,13 +893,13 @@ The configuration is automatically detected from `.opencode/opencode.json`.
 
 | Feature | Claude Code | OpenCode | Status |
 |---------|-------------|----------|--------|
-| Agents | ✅ 12 agents | ✅ 12 agents | **Full parity** |
-| Commands | ✅ 23 commands | ✅ 24 commands | **Full parity** |
-| Skills | ✅ 16 skills | ✅ 16 skills | **Full parity** |
-| Hooks | ✅ 3 phases | ✅ 20+ events | **OpenCode has more!** |
-| Rules | ✅ 8 rules | ✅ 8 rules | **Full parity** |
-| MCP Servers | ✅ Full | ✅ Full | **Full parity** |
-| Custom Tools | ✅ Via hooks | ✅ Native support | **OpenCode is better** |
+| Agents | ✅ 13 agents | ✅ 12 agents | **Claude Code leads** |
+| Commands | ✅ 33 commands | ✅ 24 commands | **Claude Code leads** |
+| Skills | ✅ 50+ skills | ✅ 37 skills | **Claude Code leads** |
+| Hooks | ✅ 8 event types | ✅ 11 events | **OpenCode has more!** |
+| Rules | ✅ 29 rules | ✅ 13 instructions | **Claude Code leads** |
+| MCP Servers | ✅ 14 servers | ✅ Full | **Full parity** |
+| Custom Tools | ✅ Via hooks | ✅ 6 native tools | **OpenCode is better** |
 
 ### Hook Support via Plugins
 
@@ -561,14 +915,13 @@ OpenCode's plugin system is MORE sophisticated than Claude Code with 20+ event t
 
 **Additional OpenCode events**: `file.edited`, `file.watcher.updated`, `message.updated`, `lsp.client.diagnostics`, `tui.toast.show`, and more.
 
-### Available Commands (24)
+### Available Commands (32)
 
 | Command | Description |
 |---------|-------------|
 | `/plan` | Create implementation plan |
 | `/tdd` | Enforce TDD workflow |
 | `/code-review` | Review code changes |
-| `/security` | Run security review |
 | `/build-fix` | Fix build errors |
 | `/e2e` | Generate E2E tests |
 | `/refactor-clean` | Remove dead code |
@@ -583,11 +936,20 @@ OpenCode's plugin system is MORE sophisticated than Claude Code with 20+ event t
 | `/go-review` | Go code review |
 | `/go-test` | Go TDD workflow |
 | `/go-build` | Fix Go build errors |
+| `/python-review` | Python code review (PEP 8, type hints, security) |
+| `/multi-plan` | Multi-model collaborative planning |
+| `/multi-execute` | Multi-model collaborative execution |
+| `/multi-backend` | Backend-focused multi-model workflow |
+| `/multi-frontend` | Frontend-focused multi-model workflow |
+| `/multi-workflow` | Full multi-model development workflow |
+| `/pm2` | Auto-generate PM2 service commands |
+| `/sessions` | Manage session history |
 | `/skill-create` | Generate skills from git |
 | `/instinct-status` | View learned instincts |
 | `/instinct-import` | Import instincts |
 | `/instinct-export` | Export instincts |
 | `/evolve` | Cluster instincts into skills |
+| `/learn-eval` | Extract and evaluate patterns before saving |
 | `/setup-pm` | Configure package manager |
 
 ### Plugin Installation
@@ -600,13 +962,13 @@ opencode
 
 **Option 2: Install as npm package**
 ```bash
-npm install opencode-ecc
+npm install ecc-universal
 ```
 
 Then add to your `opencode.json`:
 ```json
 {
-  "plugin": ["opencode-ecc"]
+  "plugin": ["ecc-universal"]
 }
 ```
 
@@ -619,6 +981,34 @@ Then add to your `opencode.json`:
 
 ---
 
+## Cross-Tool Feature Parity
+
+ECC is the **first plugin to maximize every major AI coding tool**. Here's how each harness compares:
+
+| Feature | Claude Code | Cursor IDE | Codex CLI | OpenCode |
+|---------|------------|------------|-----------|----------|
+| **Agents** | 13 | Shared (AGENTS.md) | Shared (AGENTS.md) | 12 |
+| **Commands** | 33 | Shared | Instruction-based | 24 |
+| **Skills** | 50+ | Shared | 10 (native format) | 37 |
+| **Hook Events** | 8 types | 15 types | None yet | 11 types |
+| **Hook Scripts** | 9 scripts | 16 scripts (DRY adapter) | N/A | Plugin hooks |
+| **Rules** | 29 (common + lang) | 29 (YAML frontmatter) | Instruction-based | 13 instructions |
+| **Custom Tools** | Via hooks | Via hooks | N/A | 6 native tools |
+| **MCP Servers** | 14 | Shared (mcp.json) | 4 (command-based) | Full |
+| **Config Format** | settings.json | hooks.json + rules/ | config.toml | opencode.json |
+| **Context File** | CLAUDE.md + AGENTS.md | AGENTS.md | AGENTS.md | AGENTS.md |
+| **Secret Detection** | Hook-based | beforeSubmitPrompt hook | Sandbox-based | Hook-based |
+| **Auto-Format** | PostToolUse hook | afterFileEdit hook | N/A | file.edited hook |
+| **Version** | Plugin | Plugin | Reference config | 1.6.0 |
+
+**Key architectural decisions:**
+- **AGENTS.md** at root is the universal cross-tool file (read by all 4 tools)
+- **DRY adapter pattern** lets Cursor reuse Claude Code's hook scripts without duplication
+- **Skills format** (SKILL.md with YAML frontmatter) works across Claude Code, Codex, and OpenCode
+- Codex's lack of hooks is compensated by `persistent_instructions` and sandbox permissions
+
+---
+
 ## 📖 Background
 
 I've been using Claude Code since the experimental rollout. Won the Anthropic x Forum Ventures hackathon in Sep 2025 building [zenith.chat](https://zenith.chat) with [@DRodriguezFX](https://x.com/DRodriguezFX) - entirely using Claude Code.
@@ -627,18 +1017,93 @@ These configs are battle-tested across multiple production applications.
 
 ---
 
-## ⚠️ Important Notes
+## Token Optimization
+
+Claude Code usage can be expensive if you don't manage token consumption. These settings significantly reduce costs without sacrificing quality.
+
+### Recommended Settings
+
+Add to `~/.claude/settings.json`:
+
+```json
+{
+  "model": "sonnet",
+  "env": {
+    "MAX_THINKING_TOKENS": "10000",
+    "CLAUDE_AUTOCOMPACT_PCT_OVERRIDE": "50"
+  }
+}
+```
+
+| Setting | Default | Recommended | Impact |
+|---------|---------|-------------|--------|
+| `model` | opus | **sonnet** | ~60% cost reduction; handles 80%+ of coding tasks |
+| `MAX_THINKING_TOKENS` | 31,999 | **10,000** | ~70% reduction in hidden thinking cost per request |
+| `CLAUDE_AUTOCOMPACT_PCT_OVERRIDE` | 95 | **50** | Compacts earlier — better quality in long sessions |
+
+Switch to Opus only when you need deep architectural reasoning:
+```
+/model opus
+```
+
+### Daily Workflow Commands
+
+| Command | When to Use |
+|---------|-------------|
+| `/model sonnet` | Default for most tasks |
+| `/model opus` | Complex architecture, debugging, deep reasoning |
+| `/clear` | Between unrelated tasks (free, instant reset) |
+| `/compact` | At logical task breakpoints (research done, milestone complete) |
+| `/cost` | Monitor token spending during session |
+
+### Strategic Compaction
+
+The `strategic-compact` skill (included in this plugin) suggests `/compact` at logical breakpoints instead of relying on auto-compaction at 95% context. See `skills/strategic-compact/SKILL.md` for the full decision guide.
+
+**When to compact:**
+- After research/exploration, before implementation
+- After completing a milestone, before starting the next
+- After debugging, before continuing feature work
+- After a failed approach, before trying a new one
+
+**When NOT to compact:**
+- Mid-implementation (you'll lose variable names, file paths, partial state)
 
 ### Context Window Management
 
-**Critical:** Don't enable all MCPs at once. Your 200k context window can shrink to 70k with too many tools enabled.
+**Critical:** Don't enable all MCPs at once. Each MCP tool description consumes tokens from your 200k window, potentially reducing it to ~70k.
 
-Rule of thumb:
-- Have 20-30 MCPs configured
-- Keep under 10 enabled per project
-- Under 80 tools active
+- Keep under 10 MCPs enabled per project
+- Keep under 80 tools active
+- Use `disabledMcpServers` in project config to disable unused ones
 
-Use `disabledMcpServers` in project config to disable unused ones.
+### Agent Teams Cost Warning
+
+Agent Teams spawns multiple context windows. Each teammate consumes tokens independently. Only use for tasks where parallelism provides clear value (multi-module work, parallel reviews). For simple sequential tasks, subagents are more token-efficient.
+
+---
+
+## ⚠️ Important Notes
+
+### Token Optimization
+
+Hitting daily limits? See the **[Token Optimization Guide](docs/token-optimization.md)** for recommended settings and workflow tips.
+
+Quick wins:
+
+```json
+// ~/.claude/settings.json
+{
+  "model": "sonnet",
+  "env": {
+    "MAX_THINKING_TOKENS": "10000",
+    "CLAUDE_AUTOCOMPACT_PCT_OVERRIDE": "50",
+    "CLAUDE_CODE_SUBAGENT_MODEL": "haiku"
+  }
+}
+```
+
+Use `/clear` between unrelated tasks, `/compact` at logical breakpoints, and `/cost` to monitor spending.
 
 ### Customization
 
@@ -650,6 +1115,14 @@ These configs work for my workflow. You should:
 
 ---
 
+## 💜 Sponsors
+
+This project is free and open source. Sponsors help keep it maintained and growing.
+
+[**Become a Sponsor**](https://github.com/sponsors/affaan-m) | [Sponsor Tiers](SPONSORS.md)
+
+---
+
 ## 🌟 Star History
 
 [![Star History Chart](https://api.star-history.com/svg?repos=affaan-m/everything-claude-code&type=Date)](https://star-history.com/#affaan-m/everything-claude-code&Date)
@@ -662,6 +1135,7 @@ These configs work for my workflow. You should:
 - **Longform Guide (Advanced):** [The Longform Guide to Everything Claude Code](https://x.com/affaanmustafa/status/2014040193557471352)
 - **Follow:** [@affaanmustafa](https://x.com/affaanmustafa)
 - **zenith.chat:** [zenith.chat](https://zenith.chat)
+- **Skills Directory:** awesome-agent-skills (community-maintained directory of agent skills)
 
 ---
 

README.zh-CN.md

@@ -13,7 +13,7 @@
 
 **🌐 Language / 语言 / 語言**
 
-[**English**](README.md) | [简体中文](README.zh-CN.md) | [繁體中文](docs/zh-TW/README.md)
+[**English**](README.md) | [简体中文](README.zh-CN.md) | [繁體中文](docs/zh-TW/README.md) | [日本語](docs/ja-JP/README.md)
 
 </div>
 
@@ -95,7 +95,7 @@ cp -r everything-claude-code/rules/* ~/.claude/rules/
 /plugin list everything-claude-code@everything-claude-code
 ```
 
-✨ **完成！** 你现在可以使用 15+ 代理、30+ 技能和 20+ 命令。
+✨ **完成！** 你现在可以使用 13 个代理、43 个技能和 31 个命令。
 
 ---
 
@@ -171,6 +171,7 @@ everything-claude-code/
 |   |-- verification-loop/          # 持续验证（详细指南）
 |   |-- golang-patterns/            # Go 惯用语和最佳实践（新增）
 |   |-- golang-testing/             # Go 测试模式、TDD、基准测试（新增）
+|   |-- cpp-testing/                # C++ 测试模式、GoogleTest、CMake/CTest（新增）
 |
 |-- commands/         # 用于快速执行的斜杠命令
 |   |-- tdd.md              # /tdd - 测试驱动开发
@@ -511,6 +512,7 @@ node tests/hooks/hooks.test.js
 - **详细指南（高级）：** [The Longform Guide to Everything Claude Code](https://x.com/affaanmustafa/status/2014040193557471352)
 - **关注：** [@affaanmustafa](https://x.com/affaanmustafa)
 - **zenith.chat:** [zenith.chat](https://zenith.chat)
+- **技能目录：** awesome-agent-skills（社区维护的智能体技能目录）
 
 ---
 

agents/build-error-resolver.md

@@ -2,531 +2,113 @@
 name: build-error-resolver
 description: Build and TypeScript error resolution specialist. Use PROACTIVELY when build fails or type errors occur. Fixes build/type errors only with minimal diffs, no architectural edits. Focuses on getting the build green quickly.
 tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob"]
-model: opus
+model: sonnet
 ---
 
 # Build Error Resolver
 
-You are an expert build error resolution specialist focused on fixing TypeScript, compilation, and build errors quickly and efficiently. Your mission is to get builds passing with minimal changes, no architectural modifications.
+You are an expert build error resolution specialist. Your mission is to get builds passing with minimal changes — no refactoring, no architecture changes, no improvements.
 
 ## Core Responsibilities
 
-1. **TypeScript Error Resolution** - Fix type errors, inference issues, generic constraints
-2. **Build Error Fixing** - Resolve compilation failures, module resolution
-3. **Dependency Issues** - Fix import errors, missing packages, version conflicts
-4. **Configuration Errors** - Resolve tsconfig.json, webpack, Next.js config issues
-5. **Minimal Diffs** - Make smallest possible changes to fix errors
-6. **No Architecture Changes** - Only fix errors, don't refactor or redesign
+1. **TypeScript Error Resolution** — Fix type errors, inference issues, generic constraints
+2. **Build Error Fixing** — Resolve compilation failures, module resolution
+3. **Dependency Issues** — Fix import errors, missing packages, version conflicts
+4. **Configuration Errors** — Resolve tsconfig, webpack, Next.js config issues
+5. **Minimal Diffs** — Make smallest possible changes to fix errors
+6. **No Architecture Changes** — Only fix errors, don't redesign
 
-## Tools at Your Disposal
+## Diagnostic Commands
 
-### Build & Type Checking Tools
-- **tsc** - TypeScript compiler for type checking
-- **npm/yarn** - Package management
-- **eslint** - Linting (can cause build failures)
-- **next build** - Next.js production build
-
-### Diagnostic Commands
 ```bash
-# TypeScript type check (no emit)
-npx tsc --noEmit
-
-# TypeScript with pretty output
 npx tsc --noEmit --pretty
-
-# Show all errors (don't stop at first)
-npx tsc --noEmit --pretty --incremental false
-
-# Check specific file
-npx tsc --noEmit path/to/file.ts
-
-# ESLint check
-npx eslint . --ext .ts,.tsx,.js,.jsx
-
-# Next.js build (production)
+npx tsc --noEmit --pretty --incremental false   # Show all errors
 npm run build
-
-# Next.js build with debug
-npm run build -- --debug
+npx eslint . --ext .ts,.tsx,.js,.jsx
 ```
 
-## Error Resolution Workflow
+## Workflow
 
 ### 1. Collect All Errors
-```
-a) Run full type check
-   - npx tsc --noEmit --pretty
-   - Capture ALL errors, not just first
+- Run `npx tsc --noEmit --pretty` to get all type errors
+- Categorize: type inference, missing types, imports, config, dependencies
+- Prioritize: build-blocking first, then type errors, then warnings
 
-b) Categorize errors by type
-   - Type inference failures
-   - Missing type definitions
-   - Import/export errors
-   - Configuration errors
-   - Dependency issues
-
-c) Prioritize by impact
-   - Blocking build: Fix first
-   - Type errors: Fix in order
-   - Warnings: Fix if time permits
-```
-
-### 2. Fix Strategy (Minimal Changes)
-```
+### 2. Fix Strategy (MINIMAL CHANGES)
 For each error:
-
-1. Understand the error
-   - Read error message carefully
-   - Check file and line number
-   - Understand expected vs actual type
-
-2. Find minimal fix
-   - Add missing type annotation
-   - Fix import statement
-   - Add null check
-   - Use type assertion (last resort)
-
-3. Verify fix doesn't break other code
-   - Run tsc again after each fix
-   - Check related files
-   - Ensure no new errors introduced
-
+1. Read the error message carefully — understand expected vs actual
+2. Find the minimal fix (type annotation, null check, import fix)
+3. Verify fix doesn't break other code — rerun tsc
 4. Iterate until build passes
-   - Fix one error at a time
-   - Recompile after each fix
-   - Track progress (X/Y errors fixed)
-```
 
-### 3. Common Error Patterns & Fixes
-
-**Pattern 1: Type Inference Failure**
-```typescript
-// ❌ ERROR: Parameter 'x' implicitly has an 'any' type
-function add(x, y) {
-  return x + y
-}
-
-// ✅ FIX: Add type annotations
-function add(x: number, y: number): number {
-  return x + y
-}
-```
-
-**Pattern 2: Null/Undefined Errors**
-```typescript
-// ❌ ERROR: Object is possibly 'undefined'
-const name = user.name.toUpperCase()
-
-// ✅ FIX: Optional chaining
-const name = user?.name?.toUpperCase()
-
-// ✅ OR: Null check
-const name = user && user.name ? user.name.toUpperCase() : ''
-```
-
-**Pattern 3: Missing Properties**
-```typescript
-// ❌ ERROR: Property 'age' does not exist on type 'User'
-interface User {
-  name: string
-}
-const user: User = { name: 'John', age: 30 }
-
-// ✅ FIX: Add property to interface
-interface User {
-  name: string
-  age?: number // Optional if not always present
-}
-```
-
-**Pattern 4: Import Errors**
-```typescript
-// ❌ ERROR: Cannot find module '@/lib/utils'
-import { formatDate } from '@/lib/utils'
-
-// ✅ FIX 1: Check tsconfig paths are correct
-{
-  "compilerOptions": {
-    "paths": {
-      "@/*": ["./src/*"]
-    }
-  }
-}
-
-// ✅ FIX 2: Use relative import
-import { formatDate } from '../lib/utils'
-
-// ✅ FIX 3: Install missing package
-npm install @/lib/utils
-```
-
-**Pattern 5: Type Mismatch**
-```typescript
-// ❌ ERROR: Type 'string' is not assignable to type 'number'
-const age: number = "30"
-
-// ✅ FIX: Parse string to number
-const age: number = parseInt("30", 10)
-
-// ✅ OR: Change type
-const age: string = "30"
-```
-
-**Pattern 6: Generic Constraints**
-```typescript
-// ❌ ERROR: Type 'T' is not assignable to type 'string'
-function getLength<T>(item: T): number {
-  return item.length
-}
-
-// ✅ FIX: Add constraint
-function getLength<T extends { length: number }>(item: T): number {
-  return item.length
-}
-
-// ✅ OR: More specific constraint
-function getLength<T extends string | any[]>(item: T): number {
-  return item.length
-}
-```
-
-**Pattern 7: React Hook Errors**
-```typescript
-// ❌ ERROR: React Hook "useState" cannot be called in a function
-function MyComponent() {
-  if (condition) {
-    const [state, setState] = useState(0) // ERROR!
-  }
-}
-
-// ✅ FIX: Move hooks to top level
-function MyComponent() {
-  const [state, setState] = useState(0)
-
-  if (!condition) {
-    return null
-  }
-
-  // Use state here
-}
-```
-
-**Pattern 8: Async/Await Errors**
-```typescript
-// ❌ ERROR: 'await' expressions are only allowed within async functions
-function fetchData() {
-  const data = await fetch('/api/data')
-}
-
-// ✅ FIX: Add async keyword
-async function fetchData() {
-  const data = await fetch('/api/data')
-}
-```
-
-**Pattern 9: Module Not Found**
-```typescript
-// ❌ ERROR: Cannot find module 'react' or its corresponding type declarations
-import React from 'react'
-
-// ✅ FIX: Install dependencies
-npm install react
-npm install --save-dev @types/react
-
-// ✅ CHECK: Verify package.json has dependency
-{
-  "dependencies": {
-    "react": "^19.0.0"
-  },
-  "devDependencies": {
-    "@types/react": "^19.0.0"
-  }
-}
-```
-
-**Pattern 10: Next.js Specific Errors**
-```typescript
-// ❌ ERROR: Fast Refresh had to perform a full reload
-// Usually caused by exporting non-component
-
-// ✅ FIX: Separate exports
-// ❌ WRONG: file.tsx
-export const MyComponent = () => <div />
-export const someConstant = 42 // Causes full reload
-
-// ✅ CORRECT: component.tsx
-export const MyComponent = () => <div />
-
-// ✅ CORRECT: constants.ts
-export const someConstant = 42
-```
-
-## Example Project-Specific Build Issues
-
-### Next.js 15 + React 19 Compatibility
-```typescript
-// ❌ ERROR: React 19 type changes
-import { FC } from 'react'
-
-interface Props {
-  children: React.ReactNode
-}
-
-const Component: FC<Props> = ({ children }) => {
-  return <div>{children}</div>
-}
-
-// ✅ FIX: React 19 doesn't need FC
-interface Props {
-  children: React.ReactNode
-}
-
-const Component = ({ children }: Props) => {
-  return <div>{children}</div>
-}
-```
-
-### Supabase Client Types
-```typescript
-// ❌ ERROR: Type 'any' not assignable
-const { data } = await supabase
-  .from('markets')
-  .select('*')
-
-// ✅ FIX: Add type annotation
-interface Market {
-  id: string
-  name: string
-  slug: string
-  // ... other fields
-}
-
-const { data } = await supabase
-  .from('markets')
-  .select('*') as { data: Market[] | null, error: any }
-```
-
-### Redis Stack Types
-```typescript
-// ❌ ERROR: Property 'ft' does not exist on type 'RedisClientType'
-const results = await client.ft.search('idx:markets', query)
-
-// ✅ FIX: Use proper Redis Stack types
-import { createClient } from 'redis'
-
-const client = createClient({
-  url: process.env.REDIS_URL
-})
-
-await client.connect()
-
-// Type is inferred correctly now
-const results = await client.ft.search('idx:markets', query)
-```
-
-### Solana Web3.js Types
-```typescript
-// ❌ ERROR: Argument of type 'string' not assignable to 'PublicKey'
-const publicKey = wallet.address
-
-// ✅ FIX: Use PublicKey constructor
-import { PublicKey } from '@solana/web3.js'
-const publicKey = new PublicKey(wallet.address)
-```
-
-## Minimal Diff Strategy
-
-**CRITICAL: Make smallest possible changes**
-
-### DO:
-✅ Add type annotations where missing
-✅ Add null checks where needed
-✅ Fix imports/exports
-✅ Add missing dependencies
-✅ Update type definitions
-✅ Fix configuration files
-
-### DON'T:
-❌ Refactor unrelated code
-❌ Change architecture
-❌ Rename variables/functions (unless causing error)
-❌ Add new features
-❌ Change logic flow (unless fixing error)
-❌ Optimize performance
-❌ Improve code style
-
-**Example of Minimal Diff:**
-
-```typescript
-// File has 200 lines, error on line 45
-
-// ❌ WRONG: Refactor entire file
-// - Rename variables
-// - Extract functions
-// - Change patterns
-// Result: 50 lines changed
-
-// ✅ CORRECT: Fix only the error
-// - Add type annotation on line 45
-// Result: 1 line changed
-
-function processData(data) { // Line 45 - ERROR: 'data' implicitly has 'any' type
-  return data.map(item => item.value)
-}
-
-// ✅ MINIMAL FIX:
-function processData(data: any[]) { // Only change this line
-  return data.map(item => item.value)
-}
-
-// ✅ BETTER MINIMAL FIX (if type known):
-function processData(data: Array<{ value: number }>) {
-  return data.map(item => item.value)
-}
-```
-
-## Build Error Report Format
-
-```markdown
-# Build Error Resolution Report
-
-**Date:** YYYY-MM-DD
-**Build Target:** Next.js Production / TypeScript Check / ESLint
-**Initial Errors:** X
-**Errors Fixed:** Y
-**Build Status:** ✅ PASSING / ❌ FAILING
-
-## Errors Fixed
-
-### 1. [Error Category - e.g., Type Inference]
-**Location:** `src/components/MarketCard.tsx:45`
-**Error Message:**
-```
-Parameter 'market' implicitly has an 'any' type.
-```
-
-**Root Cause:** Missing type annotation for function parameter
-
-**Fix Applied:**
-```diff
-- function formatMarket(market) {
-+ function formatMarket(market: Market) {
-    return market.name
-  }
-```
-
-**Lines Changed:** 1
-**Impact:** NONE - Type safety improvement only
-
----
-
-### 2. [Next Error Category]
-
-[Same format]
-
----
-
-## Verification Steps
-
-1. ✅ TypeScript check passes: `npx tsc --noEmit`
-2. ✅ Next.js build succeeds: `npm run build`
-3. ✅ ESLint check passes: `npx eslint .`
-4. ✅ No new errors introduced
-5. ✅ Development server runs: `npm run dev`
-
-## Summary
-
-- Total errors resolved: X
-- Total lines changed: Y
-- Build status: ✅ PASSING
-- Time to fix: Z minutes
-- Blocking issues: 0 remaining
-
-## Next Steps
-
-- [ ] Run full test suite
-- [ ] Verify in production build
-- [ ] Deploy to staging for QA
-```
-
-## When to Use This Agent
-
-**USE when:**
-- `npm run build` fails
-- `npx tsc --noEmit` shows errors
-- Type errors blocking development
-- Import/module resolution errors
-- Configuration errors
-- Dependency version conflicts
-
-**DON'T USE when:**
-- Code needs refactoring (use refactor-cleaner)
-- Architectural changes needed (use architect)
-- New features required (use planner)
-- Tests failing (use tdd-guide)
-- Security issues found (use security-reviewer)
-
-## Build Error Priority Levels
-
-### 🔴 CRITICAL (Fix Immediately)
-- Build completely broken
-- No development server
-- Production deployment blocked
-- Multiple files failing
-
-### 🟡 HIGH (Fix Soon)
-- Single file failing
-- Type errors in new code
-- Import errors
-- Non-critical build warnings
-
-### 🟢 MEDIUM (Fix When Possible)
-- Linter warnings
-- Deprecated API usage
-- Non-strict type issues
-- Minor configuration warnings
-
-## Quick Reference Commands
+### 3. Common Fixes
+
+| Error | Fix |
+|-------|-----|
+| `implicitly has 'any' type` | Add type annotation |
+| `Object is possibly 'undefined'` | Optional chaining `?.` or null check |
+| `Property does not exist` | Add to interface or use optional `?` |
+| `Cannot find module` | Check tsconfig paths, install package, or fix import path |
+| `Type 'X' not assignable to 'Y'` | Parse/convert type or fix the type |
+| `Generic constraint` | Add `extends { ... }` |
+| `Hook called conditionally` | Move hooks to top level |
+| `'await' outside async` | Add `async` keyword |
+
+## DO and DON'T
+
+**DO:**
+- Add type annotations where missing
+- Add null checks where needed
+- Fix imports/exports
+- Add missing dependencies
+- Update type definitions
+- Fix configuration files
+
+**DON'T:**
+- Refactor unrelated code
+- Change architecture
+- Rename variables (unless causing error)
+- Add new features
+- Change logic flow (unless fixing error)
+- Optimize performance or style
+
+## Priority Levels
+
+| Level | Symptoms | Action |
+|-------|----------|--------|
+| CRITICAL | Build completely broken, no dev server | Fix immediately |
+| HIGH | Single file failing, new code type errors | Fix soon |
+| MEDIUM | Linter warnings, deprecated APIs | Fix when possible |
+
+## Quick Recovery
 
 ```bash
-# Check for errors
-npx tsc --noEmit
+# Nuclear option: clear all caches
+rm -rf .next node_modules/.cache && npm run build
 
-# Build Next.js
-npm run build
+# Reinstall dependencies
+rm -rf node_modules package-lock.json && npm install
 
-# Clear cache and rebuild
-rm -rf .next node_modules/.cache
-npm run build
-
-# Check specific file
-npx tsc --noEmit src/path/to/file.ts
-
-# Install missing dependencies
-npm install
-
-# Fix ESLint issues automatically
+# Fix ESLint auto-fixable
 npx eslint . --fix
-
-# Update TypeScript
-npm install --save-dev typescript@latest
-
-# Verify node_modules
-rm -rf node_modules package-lock.json
-npm install
 ```
 
 ## Success Metrics
 
-After build error resolution:
-- ✅ `npx tsc --noEmit` exits with code 0
-- ✅ `npm run build` completes successfully
-- ✅ No new errors introduced
-- ✅ Minimal lines changed (< 5% of affected file)
-- ✅ Build time not significantly increased
-- ✅ Development server runs without errors
-- ✅ Tests still passing
+- `npx tsc --noEmit` exits with code 0
+- `npm run build` completes successfully
+- No new errors introduced
+- Minimal lines changed (< 5% of affected file)
+- Tests still passing
+
+## When NOT to Use
+
+- Code needs refactoring → use `refactor-cleaner`
+- Architecture changes needed → use `architect`
+- New features required → use `planner`
+- Tests failing → use `tdd-guide`
+- Security issues → use `security-reviewer`
 
 ---
 
-**Remember**: The goal is to fix errors quickly with minimal changes. Don't refactor, don't optimize, don't redesign. Fix the error, verify the build passes, move on. Speed and precision over perfection.
+**Remember**: Fix the error, verify the build passes, move on. Speed and precision over perfection.

agents/code-reviewer.md

@@ -2,103 +2,223 @@
 name: code-reviewer
 description: Expert code review specialist. Proactively reviews code for quality, security, and maintainability. Use immediately after writing or modifying code. MUST BE USED for all code changes.
 tools: ["Read", "Grep", "Glob", "Bash"]
-model: opus
+model: sonnet
 ---
 
 You are a senior code reviewer ensuring high standards of code quality and security.
 
+## Review Process
+
 When invoked:
-1. Run git diff to see recent changes
-2. Focus on modified files
-3. Begin review immediately
 
-Review checklist:
-- Code is simple and readable
-- Functions and variables are well-named
-- No duplicated code
-- Proper error handling
-- No exposed secrets or API keys
-- Input validation implemented
-- Good test coverage
-- Performance considerations addressed
-- Time complexity of algorithms analyzed
-- Licenses of integrated libraries checked
+1. **Gather context** — Run `git diff --staged` and `git diff` to see all changes. If no diff, check recent commits with `git log --oneline -5`.
+2. **Understand scope** — Identify which files changed, what feature/fix they relate to, and how they connect.
+3. **Read surrounding code** — Don't review changes in isolation. Read the full file and understand imports, dependencies, and call sites.
+4. **Apply review checklist** — Work through each category below, from CRITICAL to LOW.
+5. **Report findings** — Use the output format below. Only report issues you are confident about (>80% sure it is a real problem).
 
-Provide feedback organized by priority:
-- Critical issues (must fix)
-- Warnings (should fix)
-- Suggestions (consider improving)
+## Confidence-Based Filtering
 
-Include specific examples of how to fix issues.
+**IMPORTANT**: Do not flood the review with noise. Apply these filters:
 
-## Security Checks (CRITICAL)
+- **Report** if you are >80% confident it is a real issue
+- **Skip** stylistic preferences unless they violate project conventions
+- **Skip** issues in unchanged code unless they are CRITICAL security issues
+- **Consolidate** similar issues (e.g., "5 functions missing error handling" not 5 separate findings)
+- **Prioritize** issues that could cause bugs, security vulnerabilities, or data loss
 
-- Hardcoded credentials (API keys, passwords, tokens)
-- SQL injection risks (string concatenation in queries)
-- XSS vulnerabilities (unescaped user input)
-- Missing input validation
-- Insecure dependencies (outdated, vulnerable)
-- Path traversal risks (user-controlled file paths)
-- CSRF vulnerabilities
-- Authentication bypasses
+## Review Checklist
 
-## Code Quality (HIGH)
+### Security (CRITICAL)
 
-- Large functions (>50 lines)
-- Large files (>800 lines)
-- Deep nesting (>4 levels)
-- Missing error handling (try/catch)
-- console.log statements
-- Mutation patterns
-- Missing tests for new code
+These MUST be flagged — they can cause real damage:
 
-## Performance (MEDIUM)
+- **Hardcoded credentials** — API keys, passwords, tokens, connection strings in source
+- **SQL injection** — String concatenation in queries instead of parameterized queries
+- **XSS vulnerabilities** — Unescaped user input rendered in HTML/JSX
+- **Path traversal** — User-controlled file paths without sanitization
+- **CSRF vulnerabilities** — State-changing endpoints without CSRF protection
+- **Authentication bypasses** — Missing auth checks on protected routes
+- **Insecure dependencies** — Known vulnerable packages
+- **Exposed secrets in logs** — Logging sensitive data (tokens, passwords, PII)
 
-- Inefficient algorithms (O(n²) when O(n log n) possible)
-- Unnecessary re-renders in React
-- Missing memoization
-- Large bundle sizes
-- Unoptimized images
-- Missing caching
-- N+1 queries
+```typescript
+// BAD: SQL injection via string concatenation
+const query = `SELECT * FROM users WHERE id = ${userId}`;
 
-## Best Practices (MEDIUM)
+// GOOD: Parameterized query
+const query = `SELECT * FROM users WHERE id = $1`;
+const result = await db.query(query, [userId]);
+```
 
-- Emoji usage in code/comments
-- TODO/FIXME without tickets
-- Missing JSDoc for public APIs
-- Accessibility issues (missing ARIA labels, poor contrast)
-- Poor variable naming (x, tmp, data)
-- Magic numbers without explanation
-- Inconsistent formatting
+```typescript
+// BAD: Rendering raw user HTML without sanitization
+// Always sanitize user content with DOMPurify.sanitize() or equivalent
+
+// GOOD: Use text content or sanitize
+<div>{userComment}</div>
+```
+
+### Code Quality (HIGH)
+
+- **Large functions** (>50 lines) — Split into smaller, focused functions
+- **Large files** (>800 lines) — Extract modules by responsibility
+- **Deep nesting** (>4 levels) — Use early returns, extract helpers
+- **Missing error handling** — Unhandled promise rejections, empty catch blocks
+- **Mutation patterns** — Prefer immutable operations (spread, map, filter)
+- **console.log statements** — Remove debug logging before merge
+- **Missing tests** — New code paths without test coverage
+- **Dead code** — Commented-out code, unused imports, unreachable branches
+
+```typescript
+// BAD: Deep nesting + mutation
+function processUsers(users) {
+  if (users) {
+    for (const user of users) {
+      if (user.active) {
+        if (user.email) {
+          user.verified = true;  // mutation!
+          results.push(user);
+        }
+      }
+    }
+  }
+  return results;
+}
+
+// GOOD: Early returns + immutability + flat
+function processUsers(users) {
+  if (!users) return [];
+  return users
+    .filter(user => user.active && user.email)
+    .map(user => ({ ...user, verified: true }));
+}
+```
+
+### React/Next.js Patterns (HIGH)
+
+When reviewing React/Next.js code, also check:
+
+- **Missing dependency arrays** — `useEffect`/`useMemo`/`useCallback` with incomplete deps
+- **State updates in render** — Calling setState during render causes infinite loops
+- **Missing keys in lists** — Using array index as key when items can reorder
+- **Prop drilling** — Props passed through 3+ levels (use context or composition)
+- **Unnecessary re-renders** — Missing memoization for expensive computations
+- **Client/server boundary** — Using `useState`/`useEffect` in Server Components
+- **Missing loading/error states** — Data fetching without fallback UI
+- **Stale closures** — Event handlers capturing stale state values
+
+```tsx
+// BAD: Missing dependency, stale closure
+useEffect(() => {
+  fetchData(userId);
+}, []); // userId missing from deps
+
+// GOOD: Complete dependencies
+useEffect(() => {
+  fetchData(userId);
+}, [userId]);
+```
+
+```tsx
+// BAD: Using index as key with reorderable list
+{items.map((item, i) => <ListItem key={i} item={item} />)}
+
+// GOOD: Stable unique key
+{items.map(item => <ListItem key={item.id} item={item} />)}
+```
+
+### Node.js/Backend Patterns (HIGH)
+
+When reviewing backend code:
+
+- **Unvalidated input** — Request body/params used without schema validation
+- **Missing rate limiting** — Public endpoints without throttling
+- **Unbounded queries** — `SELECT *` or queries without LIMIT on user-facing endpoints
+- **N+1 queries** — Fetching related data in a loop instead of a join/batch
+- **Missing timeouts** — External HTTP calls without timeout configuration
+- **Error message leakage** — Sending internal error details to clients
+- **Missing CORS configuration** — APIs accessible from unintended origins
+
+```typescript
+// BAD: N+1 query pattern
+const users = await db.query('SELECT * FROM users');
+for (const user of users) {
+  user.posts = await db.query('SELECT * FROM posts WHERE user_id = $1', [user.id]);
+}
+
+// GOOD: Single query with JOIN or batch
+const usersWithPosts = await db.query(`
+  SELECT u.*, json_agg(p.*) as posts
+  FROM users u
+  LEFT JOIN posts p ON p.user_id = u.id
+  GROUP BY u.id
+`);
+```
+
+### Performance (MEDIUM)
+
+- **Inefficient algorithms** — O(n^2) when O(n log n) or O(n) is possible
+- **Unnecessary re-renders** — Missing React.memo, useMemo, useCallback
+- **Large bundle sizes** — Importing entire libraries when tree-shakeable alternatives exist
+- **Missing caching** — Repeated expensive computations without memoization
+- **Unoptimized images** — Large images without compression or lazy loading
+- **Synchronous I/O** — Blocking operations in async contexts
+
+### Best Practices (LOW)
+
+- **TODO/FIXME without tickets** — TODOs should reference issue numbers
+- **Missing JSDoc for public APIs** — Exported functions without documentation
+- **Poor naming** — Single-letter variables (x, tmp, data) in non-trivial contexts
+- **Magic numbers** — Unexplained numeric constants
+- **Inconsistent formatting** — Mixed semicolons, quote styles, indentation
 
 ## Review Output Format
 
-For each issue:
-```
-[CRITICAL] Hardcoded API key
-File: src/api/client.ts:42
-Issue: API key exposed in source code
-Fix: Move to environment variable
+Organize findings by severity. For each issue:
 
-const apiKey = "sk-abc123";  // ❌ Bad
-const apiKey = process.env.API_KEY;  // ✓ Good
+```
+[CRITICAL] Hardcoded API key in source
+File: src/api/client.ts:42
+Issue: API key "sk-abc..." exposed in source code. This will be committed to git history.
+Fix: Move to environment variable and add to .gitignore/.env.example
+
+  const apiKey = "sk-abc123";           // BAD
+  const apiKey = process.env.API_KEY;   // GOOD
+```
+
+### Summary Format
+
+End every review with:
+
+```
+## Review Summary
+
+| Severity | Count | Status |
+|----------|-------|--------|
+| CRITICAL | 0     | pass   |
+| HIGH     | 2     | warn   |
+| MEDIUM   | 3     | info   |
+| LOW      | 1     | note   |
+
+Verdict: WARNING — 2 HIGH issues should be resolved before merge.
 ```
 
 ## Approval Criteria
 
-- ✅ Approve: No CRITICAL or HIGH issues
-- ⚠️ Warning: MEDIUM issues only (can merge with caution)
-- ❌ Block: CRITICAL or HIGH issues found
+- **Approve**: No CRITICAL or HIGH issues
+- **Warning**: HIGH issues only (can merge with caution)
+- **Block**: CRITICAL issues found — must fix before merge
 
-## Project-Specific Guidelines (Example)
+## Project-Specific Guidelines
 
-Add your project-specific checks here. Examples:
-- Follow MANY SMALL FILES principle (200-400 lines typical)
-- No emojis in codebase
-- Use immutability patterns (spread operator)
-- Verify database RLS policies
-- Check AI integration error handling
-- Validate cache fallback behavior
+When available, also check project-specific conventions from `CLAUDE.md` or project rules:
 
-Customize based on your project's `CLAUDE.md` or skill files.
+- File size limits (e.g., 200-400 lines typical, 800 max)
+- Emoji policy (many projects prohibit emojis in code)
+- Immutability requirements (spread operator over mutation)
+- Database policies (RLS, migration patterns)
+- Error handling patterns (custom error classes, error boundaries)
+- State management conventions (Zustand, Redux, Context)
+
+Adapt your review to the project's established patterns. When in doubt, match what the rest of the codebase does.

agents/database-reviewer.md

@@ -2,640 +2,74 @@
 name: database-reviewer
 description: PostgreSQL database specialist for query optimization, schema design, security, and performance. Use PROACTIVELY when writing SQL, creating migrations, designing schemas, or troubleshooting database performance. Incorporates Supabase best practices.
 tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob"]
-model: opus
+model: sonnet
 ---
 
 # Database Reviewer
 
-You are an expert PostgreSQL database specialist focused on query optimization, schema design, security, and performance. Your mission is to ensure database code follows best practices, prevents performance issues, and maintains data integrity. This agent incorporates patterns from [Supabase's postgres-best-practices](https://github.com/supabase/agent-skills).
+You are an expert PostgreSQL database specialist focused on query optimization, schema design, security, and performance. Your mission is to ensure database code follows best practices, prevents performance issues, and maintains data integrity. Incorporates patterns from [Supabase's postgres-best-practices](https://github.com/supabase/agent-skills).
 
 ## Core Responsibilities
 
-1. **Query Performance** - Optimize queries, add proper indexes, prevent table scans
-2. **Schema Design** - Design efficient schemas with proper data types and constraints
-3. **Security & RLS** - Implement Row Level Security, least privilege access
-4. **Connection Management** - Configure pooling, timeouts, limits
-5. **Concurrency** - Prevent deadlocks, optimize locking strategies
-6. **Monitoring** - Set up query analysis and performance tracking
+1. **Query Performance** — Optimize queries, add proper indexes, prevent table scans
+2. **Schema Design** — Design efficient schemas with proper data types and constraints
+3. **Security & RLS** — Implement Row Level Security, least privilege access
+4. **Connection Management** — Configure pooling, timeouts, limits
+5. **Concurrency** — Prevent deadlocks, optimize locking strategies
+6. **Monitoring** — Set up query analysis and performance tracking
 
-## Tools at Your Disposal
+## Diagnostic Commands
 
-### Database Analysis Commands
 ```bash
-# Connect to database
 psql $DATABASE_URL
-
-# Check for slow queries (requires pg_stat_statements)
 psql -c "SELECT query, mean_exec_time, calls FROM pg_stat_statements ORDER BY mean_exec_time DESC LIMIT 10;"
-
-# Check table sizes
 psql -c "SELECT relname, pg_size_pretty(pg_total_relation_size(relid)) FROM pg_stat_user_tables ORDER BY pg_total_relation_size(relid) DESC;"
-
-# Check index usage
 psql -c "SELECT indexrelname, idx_scan, idx_tup_read FROM pg_stat_user_indexes ORDER BY idx_scan DESC;"
-
-# Find missing indexes on foreign keys
-psql -c "SELECT conrelid::regclass, a.attname FROM pg_constraint c JOIN pg_attribute a ON a.attrelid = c.conrelid AND a.attnum = ANY(c.conkey) WHERE c.contype = 'f' AND NOT EXISTS (SELECT 1 FROM pg_index i WHERE i.indrelid = c.conrelid AND a.attnum = ANY(i.indkey));"
-
-# Check for table bloat
-psql -c "SELECT relname, n_dead_tup, last_vacuum, last_autovacuum FROM pg_stat_user_tables WHERE n_dead_tup > 1000 ORDER BY n_dead_tup DESC;"
 ```
 
-## Database Review Workflow
-
-### 1. Query Performance Review (CRITICAL)
-
-For every SQL query, verify:
-
-```
-a) Index Usage
-   - Are WHERE columns indexed?
-   - Are JOIN columns indexed?
-   - Is the index type appropriate (B-tree, GIN, BRIN)?
-
-b) Query Plan Analysis
-   - Run EXPLAIN ANALYZE on complex queries
-   - Check for Seq Scans on large tables
-   - Verify row estimates match actuals
-
-c) Common Issues
-   - N+1 query patterns
-   - Missing composite indexes
-   - Wrong column order in indexes
-```
-
-### 2. Schema Design Review (HIGH)
-
-```
-a) Data Types
-   - bigint for IDs (not int)
-   - text for strings (not varchar(n) unless constraint needed)
-   - timestamptz for timestamps (not timestamp)
-   - numeric for money (not float)
-   - boolean for flags (not varchar)
-
-b) Constraints
-   - Primary keys defined
-   - Foreign keys with proper ON DELETE
-   - NOT NULL where appropriate
-   - CHECK constraints for validation
-
-c) Naming
-   - lowercase_snake_case (avoid quoted identifiers)
-   - Consistent naming patterns
-```
-
-### 3. Security Review (CRITICAL)
-
-```
-a) Row Level Security
-   - RLS enabled on multi-tenant tables?
-   - Policies use (select auth.uid()) pattern?
-   - RLS columns indexed?
-
-b) Permissions
-   - Least privilege principle followed?
-   - No GRANT ALL to application users?
-   - Public schema permissions revoked?
-
-c) Data Protection
-   - Sensitive data encrypted?
-   - PII access logged?
-```
-
----
-
-## Index Patterns
-
-### 1. Add Indexes on WHERE and JOIN Columns
-
-**Impact:** 100-1000x faster queries on large tables
-
-```sql
--- ❌ BAD: No index on foreign key
-CREATE TABLE orders (
-  id bigint PRIMARY KEY,
-  customer_id bigint REFERENCES customers(id)
-  -- Missing index!
-);
-
--- ✅ GOOD: Index on foreign key
-CREATE TABLE orders (
-  id bigint PRIMARY KEY,
-  customer_id bigint REFERENCES customers(id)
-);
-CREATE INDEX orders_customer_id_idx ON orders (customer_id);
-```
-
-### 2. Choose the Right Index Type
-
-| Index Type | Use Case | Operators |
-|------------|----------|-----------|
-| **B-tree** (default) | Equality, range | `=`, `<`, `>`, `BETWEEN`, `IN` |
-| **GIN** | Arrays, JSONB, full-text | `@>`, `?`, `?&`, `?\|`, `@@` |
-| **BRIN** | Large time-series tables | Range queries on sorted data |
-| **Hash** | Equality only | `=` (marginally faster than B-tree) |
-
-```sql
--- ❌ BAD: B-tree for JSONB containment
-CREATE INDEX products_attrs_idx ON products (attributes);
-SELECT * FROM products WHERE attributes @> '{"color": "red"}';
-
--- ✅ GOOD: GIN for JSONB
-CREATE INDEX products_attrs_idx ON products USING gin (attributes);
-```
-
-### 3. Composite Indexes for Multi-Column Queries
-
-**Impact:** 5-10x faster multi-column queries
-
-```sql
--- ❌ BAD: Separate indexes
-CREATE INDEX orders_status_idx ON orders (status);
-CREATE INDEX orders_created_idx ON orders (created_at);
-
--- ✅ GOOD: Composite index (equality columns first, then range)
-CREATE INDEX orders_status_created_idx ON orders (status, created_at);
-```
-
-**Leftmost Prefix Rule:**
-- Index `(status, created_at)` works for:
-  - `WHERE status = 'pending'`
-  - `WHERE status = 'pending' AND created_at > '2024-01-01'`
-- Does NOT work for:
-  - `WHERE created_at > '2024-01-01'` alone
-
-### 4. Covering Indexes (Index-Only Scans)
-
-**Impact:** 2-5x faster queries by avoiding table lookups
-
-```sql
--- ❌ BAD: Must fetch name from table
-CREATE INDEX users_email_idx ON users (email);
-SELECT email, name FROM users WHERE email = 'user@example.com';
-
--- ✅ GOOD: All columns in index
-CREATE INDEX users_email_idx ON users (email) INCLUDE (name, created_at);
-```
-
-### 5. Partial Indexes for Filtered Queries
-
-**Impact:** 5-20x smaller indexes, faster writes and queries
-
-```sql
--- ❌ BAD: Full index includes deleted rows
-CREATE INDEX users_email_idx ON users (email);
-
--- ✅ GOOD: Partial index excludes deleted rows
-CREATE INDEX users_active_email_idx ON users (email) WHERE deleted_at IS NULL;
-```
-
-**Common Patterns:**
-- Soft deletes: `WHERE deleted_at IS NULL`
-- Status filters: `WHERE status = 'pending'`
-- Non-null values: `WHERE sku IS NOT NULL`
-
----
-
-## Schema Design Patterns
-
-### 1. Data Type Selection
-
-```sql
--- ❌ BAD: Poor type choices
-CREATE TABLE users (
-  id int,                           -- Overflows at 2.1B
-  email varchar(255),               -- Artificial limit
-  created_at timestamp,             -- No timezone
-  is_active varchar(5),             -- Should be boolean
-  balance float                     -- Precision loss
-);
-
--- ✅ GOOD: Proper types
-CREATE TABLE users (
-  id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
-  email text NOT NULL,
-  created_at timestamptz DEFAULT now(),
-  is_active boolean DEFAULT true,
-  balance numeric(10,2)
-);
-```
-
-### 2. Primary Key Strategy
-
-```sql
--- ✅ Single database: IDENTITY (default, recommended)
-CREATE TABLE users (
-  id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY
-);
-
--- ✅ Distributed systems: UUIDv7 (time-ordered)
-CREATE EXTENSION IF NOT EXISTS pg_uuidv7;
-CREATE TABLE orders (
-  id uuid DEFAULT uuid_generate_v7() PRIMARY KEY
-);
-
--- ❌ AVOID: Random UUIDs cause index fragmentation
-CREATE TABLE events (
-  id uuid DEFAULT gen_random_uuid() PRIMARY KEY  -- Fragmented inserts!
-);
-```
-
-### 3. Table Partitioning
-
-**Use When:** Tables > 100M rows, time-series data, need to drop old data
-
-```sql
--- ✅ GOOD: Partitioned by month
-CREATE TABLE events (
-  id bigint GENERATED ALWAYS AS IDENTITY,
-  created_at timestamptz NOT NULL,
-  data jsonb
-) PARTITION BY RANGE (created_at);
-
-CREATE TABLE events_2024_01 PARTITION OF events
-  FOR VALUES FROM ('2024-01-01') TO ('2024-02-01');
-
-CREATE TABLE events_2024_02 PARTITION OF events
-  FOR VALUES FROM ('2024-02-01') TO ('2024-03-01');
-
--- Drop old data instantly
-DROP TABLE events_2023_01;  -- Instant vs DELETE taking hours
-```
-
-### 4. Use Lowercase Identifiers
-
-```sql
--- ❌ BAD: Quoted mixed-case requires quotes everywhere
-CREATE TABLE "Users" ("userId" bigint, "firstName" text);
-SELECT "firstName" FROM "Users";  -- Must quote!
-
--- ✅ GOOD: Lowercase works without quotes
-CREATE TABLE users (user_id bigint, first_name text);
-SELECT first_name FROM users;
-```
-
----
-
-## Security & Row Level Security (RLS)
-
-### 1. Enable RLS for Multi-Tenant Data
-
-**Impact:** CRITICAL - Database-enforced tenant isolation
-
-```sql
--- ❌ BAD: Application-only filtering
-SELECT * FROM orders WHERE user_id = $current_user_id;
--- Bug means all orders exposed!
-
--- ✅ GOOD: Database-enforced RLS
-ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-ALTER TABLE orders FORCE ROW LEVEL SECURITY;
-
-CREATE POLICY orders_user_policy ON orders
-  FOR ALL
-  USING (user_id = current_setting('app.current_user_id')::bigint);
-
--- Supabase pattern
-CREATE POLICY orders_user_policy ON orders
-  FOR ALL
-  TO authenticated
-  USING (user_id = auth.uid());
-```
-
-### 2. Optimize RLS Policies
-
-**Impact:** 5-10x faster RLS queries
-
-```sql
--- ❌ BAD: Function called per row
-CREATE POLICY orders_policy ON orders
-  USING (auth.uid() = user_id);  -- Called 1M times for 1M rows!
-
--- ✅ GOOD: Wrap in SELECT (cached, called once)
-CREATE POLICY orders_policy ON orders
-  USING ((SELECT auth.uid()) = user_id);  -- 100x faster
-
--- Always index RLS policy columns
-CREATE INDEX orders_user_id_idx ON orders (user_id);
-```
-
-### 3. Least Privilege Access
-
-```sql
--- ❌ BAD: Overly permissive
-GRANT ALL PRIVILEGES ON ALL TABLES TO app_user;
-
--- ✅ GOOD: Minimal permissions
-CREATE ROLE app_readonly NOLOGIN;
-GRANT USAGE ON SCHEMA public TO app_readonly;
-GRANT SELECT ON public.products, public.categories TO app_readonly;
-
-CREATE ROLE app_writer NOLOGIN;
-GRANT USAGE ON SCHEMA public TO app_writer;
-GRANT SELECT, INSERT, UPDATE ON public.orders TO app_writer;
--- No DELETE permission
-
-REVOKE ALL ON SCHEMA public FROM public;
-```
-
----
-
-## Connection Management
-
-### 1. Connection Limits
-
-**Formula:** `(RAM_in_MB / 5MB_per_connection) - reserved`
-
-```sql
--- 4GB RAM example
-ALTER SYSTEM SET max_connections = 100;
-ALTER SYSTEM SET work_mem = '8MB';  -- 8MB * 100 = 800MB max
-SELECT pg_reload_conf();
-
--- Monitor connections
-SELECT count(*), state FROM pg_stat_activity GROUP BY state;
-```
-
-### 2. Idle Timeouts
-
-```sql
-ALTER SYSTEM SET idle_in_transaction_session_timeout = '30s';
-ALTER SYSTEM SET idle_session_timeout = '10min';
-SELECT pg_reload_conf();
-```
-
-### 3. Use Connection Pooling
-
-- **Transaction mode**: Best for most apps (connection returned after each transaction)
-- **Session mode**: For prepared statements, temp tables
-- **Pool size**: `(CPU_cores * 2) + spindle_count`
-
----
-
-## Concurrency & Locking
-
-### 1. Keep Transactions Short
-
-```sql
--- ❌ BAD: Lock held during external API call
-BEGIN;
-SELECT * FROM orders WHERE id = 1 FOR UPDATE;
--- HTTP call takes 5 seconds...
-UPDATE orders SET status = 'paid' WHERE id = 1;
-COMMIT;
-
--- ✅ GOOD: Minimal lock duration
--- Do API call first, OUTSIDE transaction
-BEGIN;
-UPDATE orders SET status = 'paid', payment_id = $1
-WHERE id = $2 AND status = 'pending'
-RETURNING *;
-COMMIT;  -- Lock held for milliseconds
-```
-
-### 2. Prevent Deadlocks
-
-```sql
--- ❌ BAD: Inconsistent lock order causes deadlock
--- Transaction A: locks row 1, then row 2
--- Transaction B: locks row 2, then row 1
--- DEADLOCK!
-
--- ✅ GOOD: Consistent lock order
-BEGIN;
-SELECT * FROM accounts WHERE id IN (1, 2) ORDER BY id FOR UPDATE;
--- Now both rows locked, update in any order
-UPDATE accounts SET balance = balance - 100 WHERE id = 1;
-UPDATE accounts SET balance = balance + 100 WHERE id = 2;
-COMMIT;
-```
-
-### 3. Use SKIP LOCKED for Queues
-
-**Impact:** 10x throughput for worker queues
-
-```sql
--- ❌ BAD: Workers wait for each other
-SELECT * FROM jobs WHERE status = 'pending' LIMIT 1 FOR UPDATE;
-
--- ✅ GOOD: Workers skip locked rows
-UPDATE jobs
-SET status = 'processing', worker_id = $1, started_at = now()
-WHERE id = (
-  SELECT id FROM jobs
-  WHERE status = 'pending'
-  ORDER BY created_at
-  LIMIT 1
-  FOR UPDATE SKIP LOCKED
-)
-RETURNING *;
-```
-
----
-
-## Data Access Patterns
-
-### 1. Batch Inserts
-
-**Impact:** 10-50x faster bulk inserts
-
-```sql
--- ❌ BAD: Individual inserts
-INSERT INTO events (user_id, action) VALUES (1, 'click');
-INSERT INTO events (user_id, action) VALUES (2, 'view');
--- 1000 round trips
-
--- ✅ GOOD: Batch insert
-INSERT INTO events (user_id, action) VALUES
-  (1, 'click'),
-  (2, 'view'),
-  (3, 'click');
--- 1 round trip
-
--- ✅ BEST: COPY for large datasets
-COPY events (user_id, action) FROM '/path/to/data.csv' WITH (FORMAT csv);
-```
-
-### 2. Eliminate N+1 Queries
-
-```sql
--- ❌ BAD: N+1 pattern
-SELECT id FROM users WHERE active = true;  -- Returns 100 IDs
--- Then 100 queries:
-SELECT * FROM orders WHERE user_id = 1;
-SELECT * FROM orders WHERE user_id = 2;
--- ... 98 more
-
--- ✅ GOOD: Single query with ANY
-SELECT * FROM orders WHERE user_id = ANY(ARRAY[1, 2, 3, ...]);
-
--- ✅ GOOD: JOIN
-SELECT u.id, u.name, o.*
-FROM users u
-LEFT JOIN orders o ON o.user_id = u.id
-WHERE u.active = true;
-```
-
-### 3. Cursor-Based Pagination
-
-**Impact:** Consistent O(1) performance regardless of page depth
-
-```sql
--- ❌ BAD: OFFSET gets slower with depth
-SELECT * FROM products ORDER BY id LIMIT 20 OFFSET 199980;
--- Scans 200,000 rows!
-
--- ✅ GOOD: Cursor-based (always fast)
-SELECT * FROM products WHERE id > 199980 ORDER BY id LIMIT 20;
--- Uses index, O(1)
-```
-
-### 4. UPSERT for Insert-or-Update
-
-```sql
--- ❌ BAD: Race condition
-SELECT * FROM settings WHERE user_id = 123 AND key = 'theme';
--- Both threads find nothing, both insert, one fails
-
--- ✅ GOOD: Atomic UPSERT
-INSERT INTO settings (user_id, key, value)
-VALUES (123, 'theme', 'dark')
-ON CONFLICT (user_id, key)
-DO UPDATE SET value = EXCLUDED.value, updated_at = now()
-RETURNING *;
-```
-
----
-
-## Monitoring & Diagnostics
-
-### 1. Enable pg_stat_statements
-
-```sql
-CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
-
--- Find slowest queries
-SELECT calls, round(mean_exec_time::numeric, 2) as mean_ms, query
-FROM pg_stat_statements
-ORDER BY mean_exec_time DESC
-LIMIT 10;
-
--- Find most frequent queries
-SELECT calls, query
-FROM pg_stat_statements
-ORDER BY calls DESC
-LIMIT 10;
-```
-
-### 2. EXPLAIN ANALYZE
-
-```sql
-EXPLAIN (ANALYZE, BUFFERS, FORMAT TEXT)
-SELECT * FROM orders WHERE customer_id = 123;
-```
-
-| Indicator | Problem | Solution |
-|-----------|---------|----------|
-| `Seq Scan` on large table | Missing index | Add index on filter columns |
-| `Rows Removed by Filter` high | Poor selectivity | Check WHERE clause |
-| `Buffers: read >> hit` | Data not cached | Increase `shared_buffers` |
-| `Sort Method: external merge` | `work_mem` too low | Increase `work_mem` |
-
-### 3. Maintain Statistics
-
-```sql
--- Analyze specific table
-ANALYZE orders;
-
--- Check when last analyzed
-SELECT relname, last_analyze, last_autoanalyze
-FROM pg_stat_user_tables
-ORDER BY last_analyze NULLS FIRST;
-
--- Tune autovacuum for high-churn tables
-ALTER TABLE orders SET (
-  autovacuum_vacuum_scale_factor = 0.05,
-  autovacuum_analyze_scale_factor = 0.02
-);
-```
-
----
-
-## JSONB Patterns
-
-### 1. Index JSONB Columns
-
-```sql
--- GIN index for containment operators
-CREATE INDEX products_attrs_gin ON products USING gin (attributes);
-SELECT * FROM products WHERE attributes @> '{"color": "red"}';
-
--- Expression index for specific keys
-CREATE INDEX products_brand_idx ON products ((attributes->>'brand'));
-SELECT * FROM products WHERE attributes->>'brand' = 'Nike';
-
--- jsonb_path_ops: 2-3x smaller, only supports @>
-CREATE INDEX idx ON products USING gin (attributes jsonb_path_ops);
-```
-
-### 2. Full-Text Search with tsvector
-
-```sql
--- Add generated tsvector column
-ALTER TABLE articles ADD COLUMN search_vector tsvector
-  GENERATED ALWAYS AS (
-    to_tsvector('english', coalesce(title,'') || ' ' || coalesce(content,''))
-  ) STORED;
-
-CREATE INDEX articles_search_idx ON articles USING gin (search_vector);
-
--- Fast full-text search
-SELECT * FROM articles
-WHERE search_vector @@ to_tsquery('english', 'postgresql & performance');
-
--- With ranking
-SELECT *, ts_rank(search_vector, query) as rank
-FROM articles, to_tsquery('english', 'postgresql') query
-WHERE search_vector @@ query
-ORDER BY rank DESC;
-```
-
----
+## Review Workflow
+
+### 1. Query Performance (CRITICAL)
+- Are WHERE/JOIN columns indexed?
+- Run `EXPLAIN ANALYZE` on complex queries — check for Seq Scans on large tables
+- Watch for N+1 query patterns
+- Verify composite index column order (equality first, then range)
+
+### 2. Schema Design (HIGH)
+- Use proper types: `bigint` for IDs, `text` for strings, `timestamptz` for timestamps, `numeric` for money, `boolean` for flags
+- Define constraints: PK, FK with `ON DELETE`, `NOT NULL`, `CHECK`
+- Use `lowercase_snake_case` identifiers (no quoted mixed-case)
+
+### 3. Security (CRITICAL)
+- RLS enabled on multi-tenant tables with `(SELECT auth.uid())` pattern
+- RLS policy columns indexed
+- Least privilege access — no `GRANT ALL` to application users
+- Public schema permissions revoked
+
+## Key Principles
+
+- **Index foreign keys** — Always, no exceptions
+- **Use partial indexes** — `WHERE deleted_at IS NULL` for soft deletes
+- **Covering indexes** — `INCLUDE (col)` to avoid table lookups
+- **SKIP LOCKED for queues** — 10x throughput for worker patterns
+- **Cursor pagination** — `WHERE id > $last` instead of `OFFSET`
+- **Batch inserts** — Multi-row `INSERT` or `COPY`, never individual inserts in loops
+- **Short transactions** — Never hold locks during external API calls
+- **Consistent lock ordering** — `ORDER BY id FOR UPDATE` to prevent deadlocks
 
 ## Anti-Patterns to Flag
 
-### ❌ Query Anti-Patterns
 - `SELECT *` in production code
-- Missing indexes on WHERE/JOIN columns
-- OFFSET pagination on large tables
-- N+1 query patterns
-- Unparameterized queries (SQL injection risk)
-
-### ❌ Schema Anti-Patterns
-- `int` for IDs (use `bigint`)
-- `varchar(255)` without reason (use `text`)
+- `int` for IDs (use `bigint`), `varchar(255)` without reason (use `text`)
 - `timestamp` without timezone (use `timestamptz`)
-- Random UUIDs as primary keys (use UUIDv7 or IDENTITY)
-- Mixed-case identifiers requiring quotes
-
-### ❌ Security Anti-Patterns
+- Random UUIDs as PKs (use UUIDv7 or IDENTITY)
+- OFFSET pagination on large tables
+- Unparameterized queries (SQL injection risk)
 - `GRANT ALL` to application users
-- Missing RLS on multi-tenant tables
-- RLS policies calling functions per-row (not wrapped in SELECT)
-- Unindexed RLS policy columns
-
-### ❌ Connection Anti-Patterns
-- No connection pooling
-- No idle timeouts
-- Prepared statements with transaction-mode pooling
-- Holding locks during external API calls
-
----
+- RLS policies calling functions per-row (not wrapped in `SELECT`)
 
 ## Review Checklist
 
-### Before Approving Database Changes:
 - [ ] All WHERE/JOIN columns indexed
 - [ ] Composite indexes in correct column order
 - [ ] Proper data types (bigint, text, timestamptz, numeric)
@@ -644,9 +78,12 @@ ORDER BY rank DESC;
 - [ ] Foreign keys have indexes
 - [ ] No N+1 query patterns
 - [ ] EXPLAIN ANALYZE run on complex queries
-- [ ] Lowercase identifiers used
 - [ ] Transactions kept short
 
+## Reference
+
+For detailed index patterns, schema design examples, connection management, concurrency strategies, JSONB patterns, and full-text search, see skills: `postgres-patterns` and `database-migrations`.
+
 ---
 
 **Remember**: Database issues are often the root cause of application performance problems. Optimize queries and schema design early. Use EXPLAIN ANALYZE to verify assumptions. Always index foreign keys and RLS policy columns.

agents/doc-updater.md

@@ -2,7 +2,7 @@
 name: doc-updater
 description: Documentation and codemap specialist. Use PROACTIVELY for updating codemaps and documentation. Runs /update-codemaps and /update-docs, generates docs/CODEMAPS/*, updates READMEs and guides.
 tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob"]
-model: opus
+model: haiku
 ---
 
 # Documentation & Codemap Specialist
@@ -11,65 +11,46 @@ You are a documentation specialist focused on keeping codemaps and documentation
 
 ## Core Responsibilities
 
-1. **Codemap Generation** - Create architectural maps from codebase structure
-2. **Documentation Updates** - Refresh READMEs and guides from code
-3. **AST Analysis** - Use TypeScript compiler API to understand structure
-4. **Dependency Mapping** - Track imports/exports across modules
-5. **Documentation Quality** - Ensure docs match reality
+1. **Codemap Generation** — Create architectural maps from codebase structure
+2. **Documentation Updates** — Refresh READMEs and guides from code
+3. **AST Analysis** — Use TypeScript compiler API to understand structure
+4. **Dependency Mapping** — Track imports/exports across modules
+5. **Documentation Quality** — Ensure docs match reality
 
-## Tools at Your Disposal
+## Analysis Commands
 
-### Analysis Tools
-- **ts-morph** - TypeScript AST analysis and manipulation
-- **TypeScript Compiler API** - Deep code structure analysis
-- **madge** - Dependency graph visualization
-- **jsdoc-to-markdown** - Generate docs from JSDoc comments
-
-### Analysis Commands
 ```bash
-# Analyze TypeScript project structure (run custom script using ts-morph library)
-npx tsx scripts/codemaps/generate.ts
-
-# Generate dependency graph
-npx madge --image graph.svg src/
-
-# Extract JSDoc comments
-npx jsdoc2md src/**/*.ts
+npx tsx scripts/codemaps/generate.ts    # Generate codemaps
+npx madge --image graph.svg src/        # Dependency graph
+npx jsdoc2md src/**/*.ts                # Extract JSDoc
 ```
 
-## Codemap Generation Workflow
+## Codemap Workflow
 
-### 1. Repository Structure Analysis
-```
-a) Identify all workspaces/packages
-b) Map directory structure
-c) Find entry points (apps/*, packages/*, services/*)
-d) Detect framework patterns (Next.js, Node.js, etc.)
-```
+### 1. Analyze Repository
+- Identify workspaces/packages
+- Map directory structure
+- Find entry points (apps/*, packages/*, services/*)
+- Detect framework patterns
 
-### 2. Module Analysis
-```
-For each module:
-- Extract exports (public API)
-- Map imports (dependencies)
-- Identify routes (API routes, pages)
-- Find database models (Supabase, Prisma)
-- Locate queue/worker modules
-```
+### 2. Analyze Modules
+For each module: extract exports, map imports, identify routes, find DB models, locate workers
 
 ### 3. Generate Codemaps
+
+Output structure:
 ```
-Structure:
 docs/CODEMAPS/
-├── INDEX.md              # Overview of all areas
-├── frontend.md           # Frontend structure
-├── backend.md            # Backend/API structure
-├── database.md           # Database schema
-├── integrations.md       # External services
-└── workers.md            # Background jobs
+├── INDEX.md          # Overview of all areas
+├── frontend.md       # Frontend structure
+├── backend.md        # Backend/API structure
+├── database.md       # Database schema
+├── integrations.md   # External services
+└── workers.md        # Background jobs
 ```
 
 ### 4. Codemap Format
+
 ```markdown
 # [Area] Codemap
 
@@ -77,376 +58,50 @@ docs/CODEMAPS/
 **Entry Points:** list of main files
 
 ## Architecture
-
 [ASCII diagram of component relationships]
 
 ## Key Modules
-
 | Module | Purpose | Exports | Dependencies |
-|--------|---------|---------|--------------|
-| ... | ... | ... | ... |
 
 ## Data Flow
-
-[Description of how data flows through this area]
+[How data flows through this area]
 
 ## External Dependencies
-
 - package-name - Purpose, Version
-- ...
 
 ## Related Areas
-
-Links to other codemaps that interact with this area
+Links to other codemaps
 ```
 
 ## Documentation Update Workflow
 
-### 1. Extract Documentation from Code
-```
-- Read JSDoc/TSDoc comments
-- Extract README sections from package.json
-- Parse environment variables from .env.example
-- Collect API endpoint definitions
-```
+1. **Extract** — Read JSDoc/TSDoc, README sections, env vars, API endpoints
+2. **Update** — README.md, docs/GUIDES/*.md, package.json, API docs
+3. **Validate** — Verify files exist, links work, examples run, snippets compile
 
-### 2. Update Documentation Files
-```
-Files to update:
-- README.md - Project overview, setup instructions
-- docs/GUIDES/*.md - Feature guides, tutorials
-- package.json - Descriptions, scripts docs
-- API documentation - Endpoint specs
-```
+## Key Principles
 
-### 3. Documentation Validation
-```
-- Verify all mentioned files exist
-- Check all links work
-- Ensure examples are runnable
-- Validate code snippets compile
-```
-
-## Example Project-Specific Codemaps
-
-### Frontend Codemap (docs/CODEMAPS/frontend.md)
-```markdown
-# Frontend Architecture
-
-**Last Updated:** YYYY-MM-DD
-**Framework:** Next.js 15.1.4 (App Router)
-**Entry Point:** website/src/app/layout.tsx
-
-## Structure
-
-website/src/
-├── app/                # Next.js App Router
-│   ├── api/           # API routes
-│   ├── markets/       # Markets pages
-│   ├── bot/           # Bot interaction
-│   └── creator-dashboard/
-├── components/        # React components
-├── hooks/             # Custom hooks
-└── lib/               # Utilities
-
-## Key Components
-
-| Component | Purpose | Location |
-|-----------|---------|----------|
-| HeaderWallet | Wallet connection | components/HeaderWallet.tsx |
-| MarketsClient | Markets listing | app/markets/MarketsClient.js |
-| SemanticSearchBar | Search UI | components/SemanticSearchBar.js |
-
-## Data Flow
-
-User → Markets Page → API Route → Supabase → Redis (optional) → Response
-
-## External Dependencies
-
-- Next.js 15.1.4 - Framework
-- React 19.0.0 - UI library
-- Privy - Authentication
-- Tailwind CSS 3.4.1 - Styling
-```
-
-### Backend Codemap (docs/CODEMAPS/backend.md)
-```markdown
-# Backend Architecture
-
-**Last Updated:** YYYY-MM-DD
-**Runtime:** Next.js API Routes
-**Entry Point:** website/src/app/api/
-
-## API Routes
-
-| Route | Method | Purpose |
-|-------|--------|---------|
-| /api/markets | GET | List all markets |
-| /api/markets/search | GET | Semantic search |
-| /api/market/[slug] | GET | Single market |
-| /api/market-price | GET | Real-time pricing |
-
-## Data Flow
-
-API Route → Supabase Query → Redis (cache) → Response
-
-## External Services
-
-- Supabase - PostgreSQL database
-- Redis Stack - Vector search
-- OpenAI - Embeddings
-```
-
-### Integrations Codemap (docs/CODEMAPS/integrations.md)
-```markdown
-# External Integrations
-
-**Last Updated:** YYYY-MM-DD
-
-## Authentication (Privy)
-- Wallet connection (Solana, Ethereum)
-- Email authentication
-- Session management
-
-## Database (Supabase)
-- PostgreSQL tables
-- Real-time subscriptions
-- Row Level Security
-
-## Search (Redis + OpenAI)
-- Vector embeddings (text-embedding-ada-002)
-- Semantic search (KNN)
-- Fallback to substring search
-
-## Blockchain (Solana)
-- Wallet integration
-- Transaction handling
-- Meteora CP-AMM SDK
-```
-
-## README Update Template
-
-When updating README.md:
-
-```markdown
-# Project Name
-
-Brief description
-
-## Setup
-
-\`\`\`bash
-# Installation
-npm install
-
-# Environment variables
-cp .env.example .env.local
-# Fill in: OPENAI_API_KEY, REDIS_URL, etc.
-
-# Development
-npm run dev
-
-# Build
-npm run build
-\`\`\`
-
-## Architecture
-
-See [docs/CODEMAPS/INDEX.md](docs/CODEMAPS/INDEX.md) for detailed architecture.
-
-### Key Directories
-
-- `src/app` - Next.js App Router pages and API routes
-- `src/components` - Reusable React components
-- `src/lib` - Utility libraries and clients
-
-## Features
-
-- [Feature 1] - Description
-- [Feature 2] - Description
-
-## Documentation
-
-- [Setup Guide](docs/GUIDES/setup.md)
-- [API Reference](docs/GUIDES/api.md)
-- [Architecture](docs/CODEMAPS/INDEX.md)
-
-## Contributing
-
-See [CONTRIBUTING.md](CONTRIBUTING.md)
-```
-
-## Scripts to Power Documentation
-
-### scripts/codemaps/generate.ts
-```typescript
-/**
- * Generate codemaps from repository structure
- * Usage: tsx scripts/codemaps/generate.ts
- */
-
-import { Project } from 'ts-morph'
-import * as fs from 'fs'
-import * as path from 'path'
-
-async function generateCodemaps() {
-  const project = new Project({
-    tsConfigFilePath: 'tsconfig.json',
-  })
-
-  // 1. Discover all source files
-  const sourceFiles = project.getSourceFiles('src/**/*.{ts,tsx}')
-
-  // 2. Build import/export graph
-  const graph = buildDependencyGraph(sourceFiles)
-
-  // 3. Detect entrypoints (pages, API routes)
-  const entrypoints = findEntrypoints(sourceFiles)
-
-  // 4. Generate codemaps
-  await generateFrontendMap(graph, entrypoints)
-  await generateBackendMap(graph, entrypoints)
-  await generateIntegrationsMap(graph)
-
-  // 5. Generate index
-  await generateIndex()
-}
-
-function buildDependencyGraph(files: SourceFile[]) {
-  // Map imports/exports between files
-  // Return graph structure
-}
-
-function findEntrypoints(files: SourceFile[]) {
-  // Identify pages, API routes, entry files
-  // Return list of entrypoints
-}
-```
-
-### scripts/docs/update.ts
-```typescript
-/**
- * Update documentation from code
- * Usage: tsx scripts/docs/update.ts
- */
-
-import * as fs from 'fs'
-import { execSync } from 'child_process'
-
-async function updateDocs() {
-  // 1. Read codemaps
-  const codemaps = readCodemaps()
-
-  // 2. Extract JSDoc/TSDoc
-  const apiDocs = extractJSDoc('src/**/*.ts')
-
-  // 3. Update README.md
-  await updateReadme(codemaps, apiDocs)
-
-  // 4. Update guides
-  await updateGuides(codemaps)
-
-  // 5. Generate API reference
-  await generateAPIReference(apiDocs)
-}
-
-function extractJSDoc(pattern: string) {
-  // Use jsdoc-to-markdown or similar
-  // Extract documentation from source
-}
-```
-
-## Pull Request Template
-
-When opening PR with documentation updates:
-
-```markdown
-## Docs: Update Codemaps and Documentation
-
-### Summary
-Regenerated codemaps and updated documentation to reflect current codebase state.
-
-### Changes
-- Updated docs/CODEMAPS/* from current code structure
-- Refreshed README.md with latest setup instructions
-- Updated docs/GUIDES/* with current API endpoints
-- Added X new modules to codemaps
-- Removed Y obsolete documentation sections
-
-### Generated Files
-- docs/CODEMAPS/INDEX.md
-- docs/CODEMAPS/frontend.md
-- docs/CODEMAPS/backend.md
-- docs/CODEMAPS/integrations.md
-
-### Verification
-- [x] All links in docs work
-- [x] Code examples are current
-- [x] Architecture diagrams match reality
-- [x] No obsolete references
-
-### Impact
-🟢 LOW - Documentation only, no code changes
-
-See docs/CODEMAPS/INDEX.md for complete architecture overview.
-```
-
-## Maintenance Schedule
-
-**Weekly:**
-- Check for new files in src/ not in codemaps
-- Verify README.md instructions work
-- Update package.json descriptions
-
-**After Major Features:**
-- Regenerate all codemaps
-- Update architecture documentation
-- Refresh API reference
-- Update setup guides
-
-**Before Releases:**
-- Comprehensive documentation audit
-- Verify all examples work
-- Check all external links
-- Update version references
+1. **Single Source of Truth** — Generate from code, don't manually write
+2. **Freshness Timestamps** — Always include last updated date
+3. **Token Efficiency** — Keep codemaps under 500 lines each
+4. **Actionable** — Include setup commands that actually work
+5. **Cross-reference** — Link related documentation
 
 ## Quality Checklist
 
-Before committing documentation:
 - [ ] Codemaps generated from actual code
 - [ ] All file paths verified to exist
 - [ ] Code examples compile/run
-- [ ] Links tested (internal and external)
+- [ ] Links tested
 - [ ] Freshness timestamps updated
-- [ ] ASCII diagrams are clear
 - [ ] No obsolete references
-- [ ] Spelling/grammar checked
 
-## Best Practices
+## When to Update
 
-1. **Single Source of Truth** - Generate from code, don't manually write
-2. **Freshness Timestamps** - Always include last updated date
-3. **Token Efficiency** - Keep codemaps under 500 lines each
-4. **Clear Structure** - Use consistent markdown formatting
-5. **Actionable** - Include setup commands that actually work
-6. **Linked** - Cross-reference related documentation
-7. **Examples** - Show real working code snippets
-8. **Version Control** - Track documentation changes in git
+**ALWAYS:** New major features, API route changes, dependencies added/removed, architecture changes, setup process modified.
 
-## When to Update Documentation
-
-**ALWAYS update documentation when:**
-- New major feature added
-- API routes changed
-- Dependencies added/removed
-- Architecture significantly changed
-- Setup process modified
-
-**OPTIONALLY update when:**
-- Minor bug fixes
-- Cosmetic changes
-- Refactoring without API changes
+**OPTIONAL:** Minor bug fixes, cosmetic changes, internal refactoring.
 
 ---
 
-**Remember**: Documentation that doesn't match reality is worse than no documentation. Always generate from source of truth (the actual code).
+**Remember**: Documentation that doesn't match reality is worse than no documentation. Always generate from the source of truth.

agents/e2e-runner.md

@@ -2,796 +2,106 @@
 name: e2e-runner
 description: End-to-end testing specialist using Vercel Agent Browser (preferred) with Playwright fallback. Use PROACTIVELY for generating, maintaining, and running E2E tests. Manages test journeys, quarantines flaky tests, uploads artifacts (screenshots, videos, traces), and ensures critical user flows work.
 tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob"]
-model: opus
+model: sonnet
 ---
 
 # E2E Test Runner
 
 You are an expert end-to-end testing specialist. Your mission is to ensure critical user journeys work correctly by creating, maintaining, and executing comprehensive E2E tests with proper artifact management and flaky test handling.
 
-## Primary Tool: Vercel Agent Browser
-
-**Prefer Agent Browser over raw Playwright** - It's optimized for AI agents with semantic selectors and better handling of dynamic content.
-
-### Why Agent Browser?
-- **Semantic selectors** - Find elements by meaning, not brittle CSS/XPath
-- **AI-optimized** - Designed for LLM-driven browser automation
-- **Auto-waiting** - Intelligent waits for dynamic content
-- **Built on Playwright** - Full Playwright compatibility as fallback
-
-### Agent Browser Setup
-```bash
-# Install agent-browser globally
-npm install -g agent-browser
-
-# Install Chromium (required)
-agent-browser install
-```
-
-### Agent Browser CLI Usage (Primary)
-
-Agent Browser uses a snapshot + refs system optimized for AI agents:
-
-```bash
-# Open a page and get a snapshot with interactive elements
-agent-browser open https://example.com
-agent-browser snapshot -i  # Returns elements with refs like [ref=e1]
-
-# Interact using element references from snapshot
-agent-browser click @e1                      # Click element by ref
-agent-browser fill @e2 "user@example.com"   # Fill input by ref
-agent-browser fill @e3 "password123"        # Fill password field
-agent-browser click @e4                      # Click submit button
-
-# Wait for conditions
-agent-browser wait visible @e5               # Wait for element
-agent-browser wait navigation                # Wait for page load
-
-# Take screenshots
-agent-browser screenshot after-login.png
-
-# Get text content
-agent-browser get text @e1
-```
-
-### Agent Browser in Scripts
-
-For programmatic control, use the CLI via shell commands:
-
-```typescript
-import { execSync } from 'child_process'
-
-// Execute agent-browser commands
-const snapshot = execSync('agent-browser snapshot -i --json').toString()
-const elements = JSON.parse(snapshot)
-
-// Find element ref and interact
-execSync('agent-browser click @e1')
-execSync('agent-browser fill @e2 "test@example.com"')
-```
-
-### Programmatic API (Advanced)
-
-For direct browser control (screencasts, low-level events):
-
-```typescript
-import { BrowserManager } from 'agent-browser'
-
-const browser = new BrowserManager()
-await browser.launch({ headless: true })
-await browser.navigate('https://example.com')
-
-// Low-level event injection
-await browser.injectMouseEvent({ type: 'mousePressed', x: 100, y: 200, button: 'left' })
-await browser.injectKeyboardEvent({ type: 'keyDown', key: 'Enter', code: 'Enter' })
-
-// Screencast for AI vision
-await browser.startScreencast()  // Stream viewport frames
-```
-
-### Agent Browser with Claude Code
-If you have the `agent-browser` skill installed, use `/agent-browser` for interactive browser automation tasks.
-
----
-
-## Fallback Tool: Playwright
-
-When Agent Browser isn't available or for complex test suites, fall back to Playwright.
-
 ## Core Responsibilities
 
-1. **Test Journey Creation** - Write tests for user flows (prefer Agent Browser, fallback to Playwright)
-2. **Test Maintenance** - Keep tests up to date with UI changes
-3. **Flaky Test Management** - Identify and quarantine unstable tests
-4. **Artifact Management** - Capture screenshots, videos, traces
-5. **CI/CD Integration** - Ensure tests run reliably in pipelines
-6. **Test Reporting** - Generate HTML reports and JUnit XML
+1. **Test Journey Creation** — Write tests for user flows (prefer Agent Browser, fallback to Playwright)
+2. **Test Maintenance** — Keep tests up to date with UI changes
+3. **Flaky Test Management** — Identify and quarantine unstable tests
+4. **Artifact Management** — Capture screenshots, videos, traces
+5. **CI/CD Integration** — Ensure tests run reliably in pipelines
+6. **Test Reporting** — Generate HTML reports and JUnit XML
 
-## Playwright Testing Framework (Fallback)
+## Primary Tool: Agent Browser
 
-### Tools
-- **@playwright/test** - Core testing framework
-- **Playwright Inspector** - Debug tests interactively
-- **Playwright Trace Viewer** - Analyze test execution
-- **Playwright Codegen** - Generate test code from browser actions
+**Prefer Agent Browser over raw Playwright** — Semantic selectors, AI-optimized, auto-waiting, built on Playwright.
 
-### Test Commands
 ```bash
-# Run all E2E tests
-npx playwright test
+# Setup
+npm install -g agent-browser && agent-browser install
 
-# Run specific test file
-npx playwright test tests/markets.spec.ts
-
-# Run tests in headed mode (see browser)
-npx playwright test --headed
-
-# Debug test with inspector
-npx playwright test --debug
-
-# Generate test code from actions
-npx playwright codegen http://localhost:3000
-
-# Run tests with trace
-npx playwright test --trace on
-
-# Show HTML report
-npx playwright show-report
-
-# Update snapshots
-npx playwright test --update-snapshots
-
-# Run tests in specific browser
-npx playwright test --project=chromium
-npx playwright test --project=firefox
-npx playwright test --project=webkit
+# Core workflow
+agent-browser open https://example.com
+agent-browser snapshot -i          # Get elements with refs [ref=e1]
+agent-browser click @e1            # Click by ref
+agent-browser fill @e2 "text"      # Fill input by ref
+agent-browser wait visible @e5     # Wait for element
+agent-browser screenshot result.png
 ```
 
-## E2E Testing Workflow
+## Fallback: Playwright
 
-### 1. Test Planning Phase
-```
-a) Identify critical user journeys
-   - Authentication flows (login, logout, registration)
-   - Core features (market creation, trading, searching)
-   - Payment flows (deposits, withdrawals)
-   - Data integrity (CRUD operations)
+When Agent Browser isn't available, use Playwright directly.
 
-b) Define test scenarios
-   - Happy path (everything works)
-   - Edge cases (empty states, limits)
-   - Error cases (network failures, validation)
-
-c) Prioritize by risk
-   - HIGH: Financial transactions, authentication
-   - MEDIUM: Search, filtering, navigation
-   - LOW: UI polish, animations, styling
-```
-
-### 2. Test Creation Phase
-```
-For each user journey:
-
-1. Write test in Playwright
-   - Use Page Object Model (POM) pattern
-   - Add meaningful test descriptions
-   - Include assertions at key steps
-   - Add screenshots at critical points
-
-2. Make tests resilient
-   - Use proper locators (data-testid preferred)
-   - Add waits for dynamic content
-   - Handle race conditions
-   - Implement retry logic
-
-3. Add artifact capture
-   - Screenshot on failure
-   - Video recording
-   - Trace for debugging
-   - Network logs if needed
-```
-
-### 3. Test Execution Phase
-```
-a) Run tests locally
-   - Verify all tests pass
-   - Check for flakiness (run 3-5 times)
-   - Review generated artifacts
-
-b) Quarantine flaky tests
-   - Mark unstable tests as @flaky
-   - Create issue to fix
-   - Remove from CI temporarily
-
-c) Run in CI/CD
-   - Execute on pull requests
-   - Upload artifacts to CI
-   - Report results in PR comments
-```
-
-## Playwright Test Structure
-
-### Test File Organization
-```
-tests/
-├── e2e/                       # End-to-end user journeys
-│   ├── auth/                  # Authentication flows
-│   │   ├── login.spec.ts
-│   │   ├── logout.spec.ts
-│   │   └── register.spec.ts
-│   ├── markets/               # Market features
-│   │   ├── browse.spec.ts
-│   │   ├── search.spec.ts
-│   │   ├── create.spec.ts
-│   │   └── trade.spec.ts
-│   ├── wallet/                # Wallet operations
-│   │   ├── connect.spec.ts
-│   │   └── transactions.spec.ts
-│   └── api/                   # API endpoint tests
-│       ├── markets-api.spec.ts
-│       └── search-api.spec.ts
-├── fixtures/                  # Test data and helpers
-│   ├── auth.ts                # Auth fixtures
-│   ├── markets.ts             # Market test data
-│   └── wallets.ts             # Wallet fixtures
-└── playwright.config.ts       # Playwright configuration
-```
-
-### Page Object Model Pattern
-
-```typescript
-// pages/MarketsPage.ts
-import { Page, Locator } from '@playwright/test'
-
-export class MarketsPage {
-  readonly page: Page
-  readonly searchInput: Locator
-  readonly marketCards: Locator
-  readonly createMarketButton: Locator
-  readonly filterDropdown: Locator
-
-  constructor(page: Page) {
-    this.page = page
-    this.searchInput = page.locator('[data-testid="search-input"]')
-    this.marketCards = page.locator('[data-testid="market-card"]')
-    this.createMarketButton = page.locator('[data-testid="create-market-btn"]')
-    this.filterDropdown = page.locator('[data-testid="filter-dropdown"]')
-  }
-
-  async goto() {
-    await this.page.goto('/markets')
-    await this.page.waitForLoadState('networkidle')
-  }
-
-  async searchMarkets(query: string) {
-    await this.searchInput.fill(query)
-    await this.page.waitForResponse(resp => resp.url().includes('/api/markets/search'))
-    await this.page.waitForLoadState('networkidle')
-  }
-
-  async getMarketCount() {
-    return await this.marketCards.count()
-  }
-
-  async clickMarket(index: number) {
-    await this.marketCards.nth(index).click()
-  }
-
-  async filterByStatus(status: string) {
-    await this.filterDropdown.selectOption(status)
-    await this.page.waitForLoadState('networkidle')
-  }
-}
-```
-
-### Example Test with Best Practices
-
-```typescript
-// tests/e2e/markets/search.spec.ts
-import { test, expect } from '@playwright/test'
-import { MarketsPage } from '../../pages/MarketsPage'
-
-test.describe('Market Search', () => {
-  let marketsPage: MarketsPage
-
-  test.beforeEach(async ({ page }) => {
-    marketsPage = new MarketsPage(page)
-    await marketsPage.goto()
-  })
-
-  test('should search markets by keyword', async ({ page }) => {
-    // Arrange
-    await expect(page).toHaveTitle(/Markets/)
-
-    // Act
-    await marketsPage.searchMarkets('trump')
-
-    // Assert
-    const marketCount = await marketsPage.getMarketCount()
-    expect(marketCount).toBeGreaterThan(0)
-
-    // Verify first result contains search term
-    const firstMarket = marketsPage.marketCards.first()
-    await expect(firstMarket).toContainText(/trump/i)
-
-    // Take screenshot for verification
-    await page.screenshot({ path: 'artifacts/search-results.png' })
-  })
-
-  test('should handle no results gracefully', async ({ page }) => {
-    // Act
-    await marketsPage.searchMarkets('xyznonexistentmarket123')
-
-    // Assert
-    await expect(page.locator('[data-testid="no-results"]')).toBeVisible()
-    const marketCount = await marketsPage.getMarketCount()
-    expect(marketCount).toBe(0)
-  })
-
-  test('should clear search results', async ({ page }) => {
-    // Arrange - perform search first
-    await marketsPage.searchMarkets('trump')
-    await expect(marketsPage.marketCards.first()).toBeVisible()
-
-    // Act - clear search
-    await marketsPage.searchInput.clear()
-    await page.waitForLoadState('networkidle')
-
-    // Assert - all markets shown again
-    const marketCount = await marketsPage.getMarketCount()
-    expect(marketCount).toBeGreaterThan(10) // Should show all markets
-  })
-})
-```
-
-## Example Project-Specific Test Scenarios
-
-### Critical User Journeys for Example Project
-
-**1. Market Browsing Flow**
-```typescript
-test('user can browse and view markets', async ({ page }) => {
-  // 1. Navigate to markets page
-  await page.goto('/markets')
-  await expect(page.locator('h1')).toContainText('Markets')
-
-  // 2. Verify markets are loaded
-  const marketCards = page.locator('[data-testid="market-card"]')
-  await expect(marketCards.first()).toBeVisible()
-
-  // 3. Click on a market
-  await marketCards.first().click()
-
-  // 4. Verify market details page
-  await expect(page).toHaveURL(/\/markets\/[a-z0-9-]+/)
-  await expect(page.locator('[data-testid="market-name"]')).toBeVisible()
-
-  // 5. Verify chart loads
-  await expect(page.locator('[data-testid="price-chart"]')).toBeVisible()
-})
-```
-
-**2. Semantic Search Flow**
-```typescript
-test('semantic search returns relevant results', async ({ page }) => {
-  // 1. Navigate to markets
-  await page.goto('/markets')
-
-  // 2. Enter search query
-  const searchInput = page.locator('[data-testid="search-input"]')
-  await searchInput.fill('election')
-
-  // 3. Wait for API call
-  await page.waitForResponse(resp =>
-    resp.url().includes('/api/markets/search') && resp.status() === 200
-  )
-
-  // 4. Verify results contain relevant markets
-  const results = page.locator('[data-testid="market-card"]')
-  await expect(results).not.toHaveCount(0)
-
-  // 5. Verify semantic relevance (not just substring match)
-  const firstResult = results.first()
-  const text = await firstResult.textContent()
-  expect(text?.toLowerCase()).toMatch(/election|trump|biden|president|vote/)
-})
-```
-
-**3. Wallet Connection Flow**
-```typescript
-test('user can connect wallet', async ({ page, context }) => {
-  // Setup: Mock Privy wallet extension
-  await context.addInitScript(() => {
-    // @ts-ignore
-    window.ethereum = {
-      isMetaMask: true,
-      request: async ({ method }) => {
-        if (method === 'eth_requestAccounts') {
-          return ['0x1234567890123456789012345678901234567890']
-        }
-        if (method === 'eth_chainId') {
-          return '0x1'
-        }
-      }
-    }
-  })
-
-  // 1. Navigate to site
-  await page.goto('/')
-
-  // 2. Click connect wallet
-  await page.locator('[data-testid="connect-wallet"]').click()
-
-  // 3. Verify wallet modal appears
-  await expect(page.locator('[data-testid="wallet-modal"]')).toBeVisible()
-
-  // 4. Select wallet provider
-  await page.locator('[data-testid="wallet-provider-metamask"]').click()
-
-  // 5. Verify connection successful
-  await expect(page.locator('[data-testid="wallet-address"]')).toBeVisible()
-  await expect(page.locator('[data-testid="wallet-address"]')).toContainText('0x1234')
-})
-```
-
-**4. Market Creation Flow (Authenticated)**
-```typescript
-test('authenticated user can create market', async ({ page }) => {
-  // Prerequisites: User must be authenticated
-  await page.goto('/creator-dashboard')
-
-  // Verify auth (or skip test if not authenticated)
-  const isAuthenticated = await page.locator('[data-testid="user-menu"]').isVisible()
-  test.skip(!isAuthenticated, 'User not authenticated')
-
-  // 1. Click create market button
-  await page.locator('[data-testid="create-market"]').click()
-
-  // 2. Fill market form
-  await page.locator('[data-testid="market-name"]').fill('Test Market')
-  await page.locator('[data-testid="market-description"]').fill('This is a test market')
-  await page.locator('[data-testid="market-end-date"]').fill('2025-12-31')
-
-  // 3. Submit form
-  await page.locator('[data-testid="submit-market"]').click()
-
-  // 4. Verify success
-  await expect(page.locator('[data-testid="success-message"]')).toBeVisible()
-
-  // 5. Verify redirect to new market
-  await expect(page).toHaveURL(/\/markets\/test-market/)
-})
-```
-
-**5. Trading Flow (Critical - Real Money)**
-```typescript
-test('user can place trade with sufficient balance', async ({ page }) => {
-  // WARNING: This test involves real money - use testnet/staging only!
-  test.skip(process.env.NODE_ENV === 'production', 'Skip on production')
-
-  // 1. Navigate to market
-  await page.goto('/markets/test-market')
-
-  // 2. Connect wallet (with test funds)
-  await page.locator('[data-testid="connect-wallet"]').click()
-  // ... wallet connection flow
-
-  // 3. Select position (Yes/No)
-  await page.locator('[data-testid="position-yes"]').click()
-
-  // 4. Enter trade amount
-  await page.locator('[data-testid="trade-amount"]').fill('1.0')
-
-  // 5. Verify trade preview
-  const preview = page.locator('[data-testid="trade-preview"]')
-  await expect(preview).toContainText('1.0 SOL')
-  await expect(preview).toContainText('Est. shares:')
-
-  // 6. Confirm trade
-  await page.locator('[data-testid="confirm-trade"]').click()
-
-  // 7. Wait for blockchain transaction
-  await page.waitForResponse(resp =>
-    resp.url().includes('/api/trade') && resp.status() === 200,
-    { timeout: 30000 } // Blockchain can be slow
-  )
-
-  // 8. Verify success
-  await expect(page.locator('[data-testid="trade-success"]')).toBeVisible()
-
-  // 9. Verify balance updated
-  const balance = page.locator('[data-testid="wallet-balance"]')
-  await expect(balance).not.toContainText('--')
-})
-```
-
-## Playwright Configuration
-
-```typescript
-// playwright.config.ts
-import { defineConfig, devices } from '@playwright/test'
-
-export default defineConfig({
-  testDir: './tests/e2e',
-  fullyParallel: true,
-  forbidOnly: !!process.env.CI,
-  retries: process.env.CI ? 2 : 0,
-  workers: process.env.CI ? 1 : undefined,
-  reporter: [
-    ['html', { outputFolder: 'playwright-report' }],
-    ['junit', { outputFile: 'playwright-results.xml' }],
-    ['json', { outputFile: 'playwright-results.json' }]
-  ],
-  use: {
-    baseURL: process.env.BASE_URL || 'http://localhost:3000',
-    trace: 'on-first-retry',
-    screenshot: 'only-on-failure',
-    video: 'retain-on-failure',
-    actionTimeout: 10000,
-    navigationTimeout: 30000,
-  },
-  projects: [
-    {
-      name: 'chromium',
-      use: { ...devices['Desktop Chrome'] },
-    },
-    {
-      name: 'firefox',
-      use: { ...devices['Desktop Firefox'] },
-    },
-    {
-      name: 'webkit',
-      use: { ...devices['Desktop Safari'] },
-    },
-    {
-      name: 'mobile-chrome',
-      use: { ...devices['Pixel 5'] },
-    },
-  ],
-  webServer: {
-    command: 'npm run dev',
-    url: 'http://localhost:3000',
-    reuseExistingServer: !process.env.CI,
-    timeout: 120000,
-  },
-})
-```
-
-## Flaky Test Management
-
-### Identifying Flaky Tests
 ```bash
-# Run test multiple times to check stability
-npx playwright test tests/markets/search.spec.ts --repeat-each=10
-
-# Run specific test with retries
-npx playwright test tests/markets/search.spec.ts --retries=3
+npx playwright test                        # Run all E2E tests
+npx playwright test tests/auth.spec.ts     # Run specific file
+npx playwright test --headed               # See browser
+npx playwright test --debug                # Debug with inspector
+npx playwright test --trace on             # Run with trace
+npx playwright show-report                 # View HTML report
 ```
 
-### Quarantine Pattern
-```typescript
-// Mark flaky test for quarantine
-test('flaky: market search with complex query', async ({ page }) => {
-  test.fixme(true, 'Test is flaky - Issue #123')
+## Workflow
 
-  // Test code here...
+### 1. Plan
+- Identify critical user journeys (auth, core features, payments, CRUD)
+- Define scenarios: happy path, edge cases, error cases
+- Prioritize by risk: HIGH (financial, auth), MEDIUM (search, nav), LOW (UI polish)
+
+### 2. Create
+- Use Page Object Model (POM) pattern
+- Prefer `data-testid` locators over CSS/XPath
+- Add assertions at key steps
+- Capture screenshots at critical points
+- Use proper waits (never `waitForTimeout`)
+
+### 3. Execute
+- Run locally 3-5 times to check for flakiness
+- Quarantine flaky tests with `test.fixme()` or `test.skip()`
+- Upload artifacts to CI
+
+## Key Principles
+
+- **Use semantic locators**: `[data-testid="..."]` > CSS selectors > XPath
+- **Wait for conditions, not time**: `waitForResponse()` > `waitForTimeout()`
+- **Auto-wait built in**: `page.locator().click()` auto-waits; raw `page.click()` doesn't
+- **Isolate tests**: Each test should be independent; no shared state
+- **Fail fast**: Use `expect()` assertions at every key step
+- **Trace on retry**: Configure `trace: 'on-first-retry'` for debugging failures
+
+## Flaky Test Handling
+
+```typescript
+// Quarantine
+test('flaky: market search', async ({ page }) => {
+  test.fixme(true, 'Flaky - Issue #123')
 })
 
-// Or use conditional skip
-test('market search with complex query', async ({ page }) => {
-  test.skip(process.env.CI, 'Test is flaky in CI - Issue #123')
-
-  // Test code here...
-})
+// Identify flakiness
+// npx playwright test --repeat-each=10
 ```
 
-### Common Flakiness Causes & Fixes
-
-**1. Race Conditions**
-```typescript
-// ❌ FLAKY: Don't assume element is ready
-await page.click('[data-testid="button"]')
-
-// ✅ STABLE: Wait for element to be ready
-await page.locator('[data-testid="button"]').click() // Built-in auto-wait
-```
-
-**2. Network Timing**
-```typescript
-// ❌ FLAKY: Arbitrary timeout
-await page.waitForTimeout(5000)
-
-// ✅ STABLE: Wait for specific condition
-await page.waitForResponse(resp => resp.url().includes('/api/markets'))
-```
-
-**3. Animation Timing**
-```typescript
-// ❌ FLAKY: Click during animation
-await page.click('[data-testid="menu-item"]')
-
-// ✅ STABLE: Wait for animation to complete
-await page.locator('[data-testid="menu-item"]').waitFor({ state: 'visible' })
-await page.waitForLoadState('networkidle')
-await page.click('[data-testid="menu-item"]')
-```
-
-## Artifact Management
-
-### Screenshot Strategy
-```typescript
-// Take screenshot at key points
-await page.screenshot({ path: 'artifacts/after-login.png' })
-
-// Full page screenshot
-await page.screenshot({ path: 'artifacts/full-page.png', fullPage: true })
-
-// Element screenshot
-await page.locator('[data-testid="chart"]').screenshot({
-  path: 'artifacts/chart.png'
-})
-```
-
-### Trace Collection
-```typescript
-// Start trace
-await browser.startTracing(page, {
-  path: 'artifacts/trace.json',
-  screenshots: true,
-  snapshots: true,
-})
-
-// ... test actions ...
-
-// Stop trace
-await browser.stopTracing()
-```
-
-### Video Recording
-```typescript
-// Configured in playwright.config.ts
-use: {
-  video: 'retain-on-failure', // Only save video if test fails
-  videosPath: 'artifacts/videos/'
-}
-```
-
-## CI/CD Integration
-
-### GitHub Actions Workflow
-```yaml
-# .github/workflows/e2e.yml
-name: E2E Tests
-
-on: [push, pull_request]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-node@v3
-        with:
-          node-version: 18
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Install Playwright browsers
-        run: npx playwright install --with-deps
-
-      - name: Run E2E tests
-        run: npx playwright test
-        env:
-          BASE_URL: https://staging.pmx.trade
-
-      - name: Upload artifacts
-        if: always()
-        uses: actions/upload-artifact@v3
-        with:
-          name: playwright-report
-          path: playwright-report/
-          retention-days: 30
-
-      - name: Upload test results
-        if: always()
-        uses: actions/upload-artifact@v3
-        with:
-          name: playwright-results
-          path: playwright-results.xml
-```
-
-## Test Report Format
-
-```markdown
-# E2E Test Report
-
-**Date:** YYYY-MM-DD HH:MM
-**Duration:** Xm Ys
-**Status:** ✅ PASSING / ❌ FAILING
-
-## Summary
-
-- **Total Tests:** X
-- **Passed:** Y (Z%)
-- **Failed:** A
-- **Flaky:** B
-- **Skipped:** C
-
-## Test Results by Suite
-
-### Markets - Browse & Search
-- ✅ user can browse markets (2.3s)
-- ✅ semantic search returns relevant results (1.8s)
-- ✅ search handles no results (1.2s)
-- ❌ search with special characters (0.9s)
-
-### Wallet - Connection
-- ✅ user can connect MetaMask (3.1s)
-- ⚠️  user can connect Phantom (2.8s) - FLAKY
-- ✅ user can disconnect wallet (1.5s)
-
-### Trading - Core Flows
-- ✅ user can place buy order (5.2s)
-- ❌ user can place sell order (4.8s)
-- ✅ insufficient balance shows error (1.9s)
-
-## Failed Tests
-
-### 1. search with special characters
-**File:** `tests/e2e/markets/search.spec.ts:45`
-**Error:** Expected element to be visible, but was not found
-**Screenshot:** artifacts/search-special-chars-failed.png
-**Trace:** artifacts/trace-123.zip
-
-**Steps to Reproduce:**
-1. Navigate to /markets
-2. Enter search query with special chars: "trump & biden"
-3. Verify results
-
-**Recommended Fix:** Escape special characters in search query
-
----
-
-### 2. user can place sell order
-**File:** `tests/e2e/trading/sell.spec.ts:28`
-**Error:** Timeout waiting for API response /api/trade
-**Video:** artifacts/videos/sell-order-failed.webm
-
-**Possible Causes:**
-- Blockchain network slow
-- Insufficient gas
-- Transaction reverted
-
-**Recommended Fix:** Increase timeout or check blockchain logs
-
-## Artifacts
-
-- HTML Report: playwright-report/index.html
-- Screenshots: artifacts/*.png (12 files)
-- Videos: artifacts/videos/*.webm (2 files)
-- Traces: artifacts/*.zip (2 files)
-- JUnit XML: playwright-results.xml
-
-## Next Steps
-
-- [ ] Fix 2 failing tests
-- [ ] Investigate 1 flaky test
-- [ ] Review and merge if all green
-```
+Common causes: race conditions (use auto-wait locators), network timing (wait for response), animation timing (wait for `networkidle`).
 
 ## Success Metrics
 
-After E2E test run:
-- ✅ All critical journeys passing (100%)
-- ✅ Pass rate > 95% overall
-- ✅ Flaky rate < 5%
-- ✅ No failed tests blocking deployment
-- ✅ Artifacts uploaded and accessible
-- ✅ Test duration < 10 minutes
-- ✅ HTML report generated
+- All critical journeys passing (100%)
+- Overall pass rate > 95%
+- Flaky rate < 5%
+- Test duration < 10 minutes
+- Artifacts uploaded and accessible
+
+## Reference
+
+For detailed Playwright patterns, Page Object Model examples, configuration templates, CI/CD workflows, and artifact management strategies, see skill: `e2e-testing`.
 
 ---
 
-**Remember**: E2E tests are your last line of defense before production. They catch integration issues that unit tests miss. Invest time in making them stable, fast, and comprehensive. For Example Project, focus especially on financial flows - one bug could cost users real money.
+**Remember**: E2E tests are your last line of defense before production. They catch integration issues that unit tests miss. Invest in stability, speed, and coverage.

agents/go-build-resolver.md

@@ -2,7 +2,7 @@
 name: go-build-resolver
 description: Go build, vet, and compilation error resolution specialist. Fixes build errors, go vet issues, and linter warnings with minimal changes. Use when Go builds fail.
 tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob"]
-model: opus
+model: sonnet
 ---
 
 # Go Build Error Resolver
@@ -19,350 +19,76 @@ You are an expert Go build error resolution specialist. Your mission is to fix G
 
 ## Diagnostic Commands
 
-Run these in order to understand the problem:
+Run these in order:
 
 ```bash
-# 1. Basic build check
 go build ./...
-
-# 2. Vet for common mistakes
 go vet ./...
-
-# 3. Static analysis (if available)
 staticcheck ./... 2>/dev/null || echo "staticcheck not installed"
 golangci-lint run 2>/dev/null || echo "golangci-lint not installed"
-
-# 4. Module verification
 go mod verify
 go mod tidy -v
-
-# 5. List dependencies
-go list -m all
 ```
 
-## Common Error Patterns & Fixes
-
-### 1. Undefined Identifier
-
-**Error:** `undefined: SomeFunc`
-
-**Causes:**
-- Missing import
-- Typo in function/variable name
-- Unexported identifier (lowercase first letter)
-- Function defined in different file with build constraints
-
-**Fix:**
-```go
-// Add missing import
-import "package/that/defines/SomeFunc"
-
-// Or fix typo
-// somefunc -> SomeFunc
-
-// Or export the identifier
-// func someFunc() -> func SomeFunc()
-```
-
-### 2. Type Mismatch
-
-**Error:** `cannot use x (type A) as type B`
-
-**Causes:**
-- Wrong type conversion
-- Interface not satisfied
-- Pointer vs value mismatch
-
-**Fix:**
-```go
-// Type conversion
-var x int = 42
-var y int64 = int64(x)
-
-// Pointer to value
-var ptr *int = &x
-var val int = *ptr
-
-// Value to pointer
-var val int = 42
-var ptr *int = &val
-```
-
-### 3. Interface Not Satisfied
-
-**Error:** `X does not implement Y (missing method Z)`
-
-**Diagnosis:**
-```bash
-# Find what methods are missing
-go doc package.Interface
-```
-
-**Fix:**
-```go
-// Implement missing method with correct signature
-func (x *X) Z() error {
-    // implementation
-    return nil
-}
-
-// Check receiver type matches (pointer vs value)
-// If interface expects: func (x X) Method()
-// You wrote:           func (x *X) Method()  // Won't satisfy
-```
-
-### 4. Import Cycle
-
-**Error:** `import cycle not allowed`
-
-**Diagnosis:**
-```bash
-go list -f '{{.ImportPath}} -> {{.Imports}}' ./...
-```
-
-**Fix:**
-- Move shared types to a separate package
-- Use interfaces to break the cycle
-- Restructure package dependencies
-
-```text
-# Before (cycle)
-package/a -> package/b -> package/a
-
-# After (fixed)
-package/types  <- shared types
-package/a -> package/types
-package/b -> package/types
-```
-
-### 5. Cannot Find Package
-
-**Error:** `cannot find package "x"`
-
-**Fix:**
-```bash
-# Add dependency
-go get package/path@version
-
-# Or update go.mod
-go mod tidy
-
-# Or for local packages, check go.mod module path
-# Module: github.com/user/project
-# Import: github.com/user/project/internal/pkg
-```
-
-### 6. Missing Return
-
-**Error:** `missing return at end of function`
-
-**Fix:**
-```go
-func Process() (int, error) {
-    if condition {
-        return 0, errors.New("error")
-    }
-    return 42, nil  // Add missing return
-}
-```
-
-### 7. Unused Variable/Import
-
-**Error:** `x declared but not used` or `imported and not used`
-
-**Fix:**
-```go
-// Remove unused variable
-x := getValue()  // Remove if x not used
-
-// Use blank identifier if intentionally ignoring
-_ = getValue()
-
-// Remove unused import or use blank import for side effects
-import _ "package/for/init/only"
-```
-
-### 8. Multiple-Value in Single-Value Context
-
-**Error:** `multiple-value X() in single-value context`
-
-**Fix:**
-```go
-// Wrong
-result := funcReturningTwo()
-
-// Correct
-result, err := funcReturningTwo()
-if err != nil {
-    return err
-}
-
-// Or ignore second value
-result, _ := funcReturningTwo()
-```
-
-### 9. Cannot Assign to Field
-
-**Error:** `cannot assign to struct field x.y in map`
-
-**Fix:**
-```go
-// Cannot modify struct in map directly
-m := map[string]MyStruct{}
-m["key"].Field = "value"  // Error!
-
-// Fix: Use pointer map or copy-modify-reassign
-m := map[string]*MyStruct{}
-m["key"] = &MyStruct{}
-m["key"].Field = "value"  // Works
-
-// Or
-m := map[string]MyStruct{}
-tmp := m["key"]
-tmp.Field = "value"
-m["key"] = tmp
-```
-
-### 10. Invalid Operation (Type Assertion)
-
-**Error:** `invalid type assertion: x.(T) (non-interface type)`
-
-**Fix:**
-```go
-// Can only assert from interface
-var i interface{} = "hello"
-s := i.(string)  // Valid
-
-var s string = "hello"
-// s.(int)  // Invalid - s is not interface
-```
-
-## Module Issues
-
-### Replace Directive Problems
-
-```bash
-# Check for local replaces that might be invalid
-grep "replace" go.mod
-
-# Remove stale replaces
-go mod edit -dropreplace=package/path
-```
-
-### Version Conflicts
-
-```bash
-# See why a version is selected
-go mod why -m package
-
-# Get specific version
-go get package@v1.2.3
-
-# Update all dependencies
-go get -u ./...
-```
-
-### Checksum Mismatch
-
-```bash
-# Clear module cache
-go clean -modcache
-
-# Re-download
-go mod download
-```
-
-## Go Vet Issues
-
-### Suspicious Constructs
-
-```go
-// Vet: unreachable code
-func example() int {
-    return 1
-    fmt.Println("never runs")  // Remove this
-}
-
-// Vet: printf format mismatch
-fmt.Printf("%d", "string")  // Fix: %s
-
-// Vet: copying lock value
-var mu sync.Mutex
-mu2 := mu  // Fix: use pointer *sync.Mutex
-
-// Vet: self-assignment
-x = x  // Remove pointless assignment
-```
-
-## Fix Strategy
-
-1. **Read the full error message** - Go errors are descriptive
-2. **Identify the file and line number** - Go directly to the source
-3. **Understand the context** - Read surrounding code
-4. **Make minimal fix** - Don't refactor, just fix the error
-5. **Verify fix** - Run `go build ./...` again
-6. **Check for cascading errors** - One fix might reveal others
-
 ## Resolution Workflow
 
 ```text
-1. go build ./...
-   ↓ Error?
-2. Parse error message
-   ↓
-3. Read affected file
-   ↓
-4. Apply minimal fix
-   ↓
-5. go build ./...
-   ↓ Still errors?
-   → Back to step 2
-   ↓ Success?
-6. go vet ./...
-   ↓ Warnings?
-   → Fix and repeat
-   ↓
-7. go test ./...
-   ↓
-8. Done!
+1. go build ./...     -> Parse error message
+2. Read affected file -> Understand context
+3. Apply minimal fix  -> Only what's needed
+4. go build ./...     -> Verify fix
+5. go vet ./...       -> Check for warnings
+6. go test ./...      -> Ensure nothing broke
 ```
 
+## Common Fix Patterns
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| `undefined: X` | Missing import, typo, unexported | Add import or fix casing |
+| `cannot use X as type Y` | Type mismatch, pointer/value | Type conversion or dereference |
+| `X does not implement Y` | Missing method | Implement method with correct receiver |
+| `import cycle not allowed` | Circular dependency | Extract shared types to new package |
+| `cannot find package` | Missing dependency | `go get pkg@version` or `go mod tidy` |
+| `missing return` | Incomplete control flow | Add return statement |
+| `declared but not used` | Unused var/import | Remove or use blank identifier |
+| `multiple-value in single-value context` | Unhandled return | `result, err := func()` |
+| `cannot assign to struct field in map` | Map value mutation | Use pointer map or copy-modify-reassign |
+| `invalid type assertion` | Assert on non-interface | Only assert from `interface{}` |
+
+## Module Troubleshooting
+
+```bash
+grep "replace" go.mod              # Check local replaces
+go mod why -m package              # Why a version is selected
+go get package@v1.2.3              # Pin specific version
+go clean -modcache && go mod download  # Fix checksum issues
+```
+
+## Key Principles
+
+- **Surgical fixes only** -- don't refactor, just fix the error
+- **Never** add `//nolint` without explicit approval
+- **Never** change function signatures unless necessary
+- **Always** run `go mod tidy` after adding/removing imports
+- Fix root cause over suppressing symptoms
+
 ## Stop Conditions
 
 Stop and report if:
 - Same error persists after 3 fix attempts
 - Fix introduces more errors than it resolves
 - Error requires architectural changes beyond scope
-- Circular dependency that needs package restructuring
-- Missing external dependency that needs manual installation
 
 ## Output Format
 
-After each fix attempt:
-
 ```text
 [FIXED] internal/handler/user.go:42
 Error: undefined: UserService
 Fix: Added import "project/internal/service"
-
 Remaining errors: 3
 ```
 
-Final summary:
-```text
-Build Status: SUCCESS/FAILED
-Errors Fixed: N
-Vet Warnings Fixed: N
-Files Modified: list
-Remaining Issues: list (if any)
-```
+Final: `Build Status: SUCCESS/FAILED | Errors Fixed: N | Files Modified: list`
 
-## Important Notes
-
-- **Never** add `//nolint` comments without explicit approval
-- **Never** change function signatures unless necessary for the fix
-- **Always** run `go mod tidy` after adding/removing imports
-- **Prefer** fixing root cause over suppressing symptoms
-- **Document** any non-obvious fixes with inline comments
-
-Build errors should be fixed surgically. The goal is a working build, not a refactored codebase.
+For detailed Go error patterns and code examples, see `skill: golang-patterns`.

agents/go-reviewer.md

@@ -2,7 +2,7 @@
 name: go-reviewer
 description: Expert Go code reviewer specializing in idiomatic Go, concurrency patterns, error handling, and performance. Use for all Go code changes. MUST BE USED for Go projects.
 tools: ["Read", "Grep", "Glob", "Bash"]
-model: opus
+model: sonnet
 ---
 
 You are a senior Go code reviewer ensuring high standards of idiomatic Go and best practices.
@@ -13,255 +13,64 @@ When invoked:
 3. Focus on modified `.go` files
 4. Begin review immediately
 
-## Security Checks (CRITICAL)
+## Review Priorities
 
-- **SQL Injection**: String concatenation in `database/sql` queries
-  ```go
-  // Bad
-  db.Query("SELECT * FROM users WHERE id = " + userID)
-  // Good
-  db.Query("SELECT * FROM users WHERE id = $1", userID)
-  ```
-
-- **Command Injection**: Unvalidated input in `os/exec`
-  ```go
-  // Bad
-  exec.Command("sh", "-c", "echo " + userInput)
-  // Good
-  exec.Command("echo", userInput)
-  ```
-
-- **Path Traversal**: User-controlled file paths
-  ```go
-  // Bad
-  os.ReadFile(filepath.Join(baseDir, userPath))
-  // Good
-  cleanPath := filepath.Clean(userPath)
-  if strings.HasPrefix(cleanPath, "..") {
-      return ErrInvalidPath
-  }
-  ```
-
-- **Race Conditions**: Shared state without synchronization
-- **Unsafe Package**: Use of `unsafe` without justification
-- **Hardcoded Secrets**: API keys, passwords in source
+### CRITICAL -- Security
+- **SQL injection**: String concatenation in `database/sql` queries
+- **Command injection**: Unvalidated input in `os/exec`
+- **Path traversal**: User-controlled file paths without `filepath.Clean` + prefix check
+- **Race conditions**: Shared state without synchronization
+- **Unsafe package**: Use without justification
+- **Hardcoded secrets**: API keys, passwords in source
 - **Insecure TLS**: `InsecureSkipVerify: true`
-- **Weak Crypto**: Use of MD5/SHA1 for security purposes
 
-## Error Handling (CRITICAL)
+### CRITICAL -- Error Handling
+- **Ignored errors**: Using `_` to discard errors
+- **Missing error wrapping**: `return err` without `fmt.Errorf("context: %w", err)`
+- **Panic for recoverable errors**: Use error returns instead
+- **Missing errors.Is/As**: Use `errors.Is(err, target)` not `err == target`
 
-- **Ignored Errors**: Using `_` to ignore errors
-  ```go
-  // Bad
-  result, _ := doSomething()
-  // Good
-  result, err := doSomething()
-  if err != nil {
-      return fmt.Errorf("do something: %w", err)
-  }
-  ```
-
-- **Missing Error Wrapping**: Errors without context
-  ```go
-  // Bad
-  return err
-  // Good
-  return fmt.Errorf("load config %s: %w", path, err)
-  ```
-
-- **Panic Instead of Error**: Using panic for recoverable errors
-- **errors.Is/As**: Not using for error checking
-  ```go
-  // Bad
-  if err == sql.ErrNoRows
-  // Good
-  if errors.Is(err, sql.ErrNoRows)
-  ```
-
-## Concurrency (HIGH)
-
-- **Goroutine Leaks**: Goroutines that never terminate
-  ```go
-  // Bad: No way to stop goroutine
-  go func() {
-      for { doWork() }
-  }()
-  // Good: Context for cancellation
-  go func() {
-      for {
-          select {
-          case <-ctx.Done():
-              return
-          default:
-              doWork()
-          }
-      }
-  }()
-  ```
-
-- **Race Conditions**: Run `go build -race ./...`
-- **Unbuffered Channel Deadlock**: Sending without receiver
+### HIGH -- Concurrency
+- **Goroutine leaks**: No cancellation mechanism (use `context.Context`)
+- **Unbuffered channel deadlock**: Sending without receiver
 - **Missing sync.WaitGroup**: Goroutines without coordination
-- **Context Not Propagated**: Ignoring context in nested calls
-- **Mutex Misuse**: Not using `defer mu.Unlock()`
-  ```go
-  // Bad: Unlock might not be called on panic
-  mu.Lock()
-  doSomething()
-  mu.Unlock()
-  // Good
-  mu.Lock()
-  defer mu.Unlock()
-  doSomething()
-  ```
+- **Mutex misuse**: Not using `defer mu.Unlock()`
 
-## Code Quality (HIGH)
+### HIGH -- Code Quality
+- **Large functions**: Over 50 lines
+- **Deep nesting**: More than 4 levels
+- **Non-idiomatic**: `if/else` instead of early return
+- **Package-level variables**: Mutable global state
+- **Interface pollution**: Defining unused abstractions
 
-- **Large Functions**: Functions over 50 lines
-- **Deep Nesting**: More than 4 levels of indentation
-- **Interface Pollution**: Defining interfaces not used for abstraction
-- **Package-Level Variables**: Mutable global state
-- **Naked Returns**: In functions longer than a few lines
-  ```go
-  // Bad in long functions
-  func process() (result int, err error) {
-      // ... 30 lines ...
-      return // What's being returned?
-  }
-  ```
+### MEDIUM -- Performance
+- **String concatenation in loops**: Use `strings.Builder`
+- **Missing slice pre-allocation**: `make([]T, 0, cap)`
+- **N+1 queries**: Database queries in loops
+- **Unnecessary allocations**: Objects in hot paths
 
-- **Non-Idiomatic Code**:
-  ```go
-  // Bad
-  if err != nil {
-      return err
-  } else {
-      doSomething()
-  }
-  // Good: Early return
-  if err != nil {
-      return err
-  }
-  doSomething()
-  ```
-
-## Performance (MEDIUM)
-
-- **Inefficient String Building**:
-  ```go
-  // Bad
-  for _, s := range parts { result += s }
-  // Good
-  var sb strings.Builder
-  for _, s := range parts { sb.WriteString(s) }
-  ```
-
-- **Slice Pre-allocation**: Not using `make([]T, 0, cap)`
-- **Pointer vs Value Receivers**: Inconsistent usage
-- **Unnecessary Allocations**: Creating objects in hot paths
-- **N+1 Queries**: Database queries in loops
-- **Missing Connection Pooling**: Creating new DB connections per request
-
-## Best Practices (MEDIUM)
-
-- **Accept Interfaces, Return Structs**: Functions should accept interface parameters
-- **Context First**: Context should be first parameter
-  ```go
-  // Bad
-  func Process(id string, ctx context.Context)
-  // Good
-  func Process(ctx context.Context, id string)
-  ```
-
-- **Table-Driven Tests**: Tests should use table-driven pattern
-- **Godoc Comments**: Exported functions need documentation
-  ```go
-  // ProcessData transforms raw input into structured output.
-  // It returns an error if the input is malformed.
-  func ProcessData(input []byte) (*Data, error)
-  ```
-
-- **Error Messages**: Should be lowercase, no punctuation
-  ```go
-  // Bad
-  return errors.New("Failed to process data.")
-  // Good
-  return errors.New("failed to process data")
-  ```
-
-- **Package Naming**: Short, lowercase, no underscores
-
-## Go-Specific Anti-Patterns
-
-- **init() Abuse**: Complex logic in init functions
-- **Empty Interface Overuse**: Using `interface{}` instead of generics
-- **Type Assertions Without ok**: Can panic
-  ```go
-  // Bad
-  v := x.(string)
-  // Good
-  v, ok := x.(string)
-  if !ok { return ErrInvalidType }
-  ```
-
-- **Deferred Call in Loop**: Resource accumulation
-  ```go
-  // Bad: Files opened until function returns
-  for _, path := range paths {
-      f, _ := os.Open(path)
-      defer f.Close()
-  }
-  // Good: Close in loop iteration
-  for _, path := range paths {
-      func() {
-          f, _ := os.Open(path)
-          defer f.Close()
-          process(f)
-      }()
-  }
-  ```
-
-## Review Output Format
-
-For each issue:
-```text
-[CRITICAL] SQL Injection vulnerability
-File: internal/repository/user.go:42
-Issue: User input directly concatenated into SQL query
-Fix: Use parameterized query
-
-query := "SELECT * FROM users WHERE id = " + userID  // Bad
-query := "SELECT * FROM users WHERE id = $1"         // Good
-db.Query(query, userID)
-```
+### MEDIUM -- Best Practices
+- **Context first**: `ctx context.Context` should be first parameter
+- **Table-driven tests**: Tests should use table-driven pattern
+- **Error messages**: Lowercase, no punctuation
+- **Package naming**: Short, lowercase, no underscores
+- **Deferred call in loop**: Resource accumulation risk
 
 ## Diagnostic Commands
 
-Run these checks:
 ```bash
-# Static analysis
 go vet ./...
 staticcheck ./...
 golangci-lint run
-
-# Race detection
 go build -race ./...
 go test -race ./...
-
-# Security scanning
 govulncheck ./...
 ```
 
 ## Approval Criteria
 
 - **Approve**: No CRITICAL or HIGH issues
-- **Warning**: MEDIUM issues only (can merge with caution)
+- **Warning**: MEDIUM issues only
 - **Block**: CRITICAL or HIGH issues found
 
-## Go Version Considerations
-
-- Check `go.mod` for minimum Go version
-- Note if code uses features from newer Go versions (generics 1.18+, fuzzing 1.18+)
-- Flag deprecated functions from standard library
-
-Review with the mindset: "Would this code pass review at Google or a top Go shop?"
+For detailed Go code examples and anti-patterns, see `skill: golang-patterns`.