s3bc40 · s3bc40 · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/.claude/agents/cicd-guard.md b/.claude/agents/cicd-guard.md
@@ -0,0 +1,40 @@
+---
+name: cicd-guard
+description: Use PROACTIVELY when any file in .github/workflows/ is created or modified — reviews ci.yml and release.yml for correctness, invariant violations, and regressions against the known-good configuration.
+tools: Read, Grep, Bash
+---
+
+# CI/CD Guard Agent
+
+## Load current state
+Read both workflow files before evaluating any change:
+- `.github/workflows/ci.yml`
+- `.github/workflows/release.yml`
+
+## ci.yml invariants
+- Triggers: `push` to `main` and `pull_request` to `main` — no other branches.
+- Python matrix must include **both** `"3.12"` and `"3.13"` in `lint-and-test`.
+- Steps order must be preserved: checkout → uv install → Python setup → `uv sync --all-groups` → Rust toolchain → `maturin develop` → ruff check → ruff format → pytest.
+- `pytest` target: `tests/ -v` — do not remove `-v` or change the path.
+- `rust-check` job: clippy flag must be `-D warnings`; `PYO3_BUILD_EXTENSION_MODULE: "1"` must be set in `env` for both clippy and test steps.
+- No `--no-verify` or hook-bypass flags anywhere.
+
+## release.yml invariants
+- Trigger: `tags: ["v*"]` only — never push to main.
+- `permissions.id-token: write` required for OIDC — do not remove.
+- Platform matrix: `linux` (manylinux_2_28), `macos`, `windows` — all three required.
+- Python matrix: `"3.12"` and `"3.13"` on every platform.
+- Build command: `--release --out dist` — no `--sdist`, no source distributions.
+- `publish-pypi` must `need: [linux, macos, windows]` — never publish without all wheels.
+- Publisher: `pypa/gh-action-pypi-publish@release/v1` with OIDC — no API token.
+- `environment: pypi` must be present on the publish job.
+
+## Flag and halt on
+- Any `sdist` build step added.
+- `id-token: write` removed or demoted.
+- Python matrix narrowed below `["3.12", "3.13"]`.
+- `PYO3_BUILD_EXTENSION_MODULE` removed from `rust-check`.
+- A `push: branches` trigger added to `release.yml`.
+
+## Output
+List each invariant checked with pass/fail. On any failure, write `BLOCKED.md` describing the violation and halt.
diff --git a/.claude/agents/python-quality.md b/.claude/agents/python-quality.md
@@ -0,0 +1,37 @@
+---
+name: python-quality
+description: Use PROACTIVELY after any edit to src/devbrief/ or tests/ — runs ruff lint, ruff format check, and mypy type-check and reports violations without auto-fixing.
+tools: Bash, Read, Grep
+---
+
+# Python Quality Agent
+
+Run in order; stop and report on first failure.
+
+## Lint
+```
+uv run ruff check src/ tests/
+```
+Flag any `print()` call in `src/devbrief/commands/` — must use Rich instead.
+Flag any bare `Any` without an inline `# type: ignore` comment explaining why.
+
+## Format
+```
+uv run ruff format --check src/ tests/
+```
+
+## Type-check
+```
+uv run mypy src/
+```
+
+## Conventions to enforce
+- No `requests` imports — `httpx` async only.
+- FastAPI handlers must be `async def`.
+- `tomllib` from stdlib — never `tomli`.
+- Model strings never hardcoded — must call `resolve_model()`.
+- Credentials never logged or printed, even partially.
+- Config written with `600` permissions.
+
+## Output
+Report each violation with file:line. If all checks pass, output: `python-quality: OK`.
diff --git a/.claude/agents/release-prep.md b/.claude/agents/release-prep.md
@@ -0,0 +1,38 @@
+---
+name: release-prep
+description: Use PROACTIVELY when asked to bump the version or cut a release — syncs the version in pyproject.toml and rust/Cargo.toml, then proposes the git tag command.
+tools: Read, Edit, Bash, Grep
+---
+
+# Release Prep Agent
+
+## Read current versions
+```
+grep '^version' pyproject.toml
+grep '^version' rust/Cargo.toml
+```
+Fail fast if they already diverge — report and halt.
+
+## Apply version bump
+Edit both files atomically:
+- `pyproject.toml`: `version = "X.Y.Z"`
+- `rust/Cargo.toml`: `version = "X.Y.Z"`
+
+Semver only. Never lower a version.
+
+## Conventions
+- Python and Rust versions must always match.
+- No sdist — wheels only (enforced in `release.yml` and `[tool.maturin]`).
+- Do not touch `uv.lock` manually — `uv sync` updates it.
+- Tag format: `v<major>.<minor>.<patch>` — propose the tag command, do not run it.
+
+## Proposed tag command (output only — do not execute)
+```
+git tag v<new-version> -m "release: v<new-version>"
+git push origin v<new-version>
+```
+
+Sebastien runs the tag push — this agent never pushes tags.
+
+## Output
+Show old → new version for both files. Print the proposed tag command.
diff --git a/.claude/agents/rust-quality.md b/.claude/agents/rust-quality.md
@@ -0,0 +1,32 @@
+---
+name: rust-quality
+description: Use PROACTIVELY after any edit to rust/src/ — runs cargo clippy (zero warnings) and the full Rust test suite.
+tools: Bash, Read
+---
+
+# Rust Quality Agent
+
+## Clippy
+```
+PYO3_BUILD_EXTENSION_MODULE=1 cargo clippy --manifest-path rust/Cargo.toml -- -D warnings
+```
+Zero warnings allowed. CI enforces `-D warnings`; match that standard.
+
+## Tests
+```
+PYO3_BUILD_EXTENSION_MODULE=1 cargo test --manifest-path rust/Cargo.toml
+```
+
+## Conventions to enforce
+- No `unwrap()` in library code (`rust/src/lib.rs`) — use `?` or explicit match.
+- `Cargo.toml` must keep `crate-type = ["cdylib", "rlib"]` — do not remove either.
+- `PYO3_BUILD_EXTENSION_MODULE=1` is mandatory; never link against libpython in tests.
+- Scope is `devbrief env` only — secret scan, gitignore audit, .env drift.
+- Published crate name: `devbrief-core`. Do not rename.
+
+## Version sync check
+Verify `rust/Cargo.toml` version matches `pyproject.toml` version.
+If they diverge, flag it — do not auto-fix.
+
+## Output
+Report clippy warnings and test failures with file:line. If all checks pass, output: `rust-quality: OK`.
diff --git a/.claude/agents/subcommand-impl.md b/.claude/agents/subcommand-impl.md
@@ -0,0 +1,30 @@
+---
+name: subcommand-impl
+description: Use PROACTIVELY when asked to implement a new devbrief subcommand — scaffolds the command file, registers it in cli.py, and creates a corresponding test skeleton.
+tools: Read, Write, Edit, Bash, Glob, Grep
+---
+
+# Subcommand Implementation Agent
+
+## Pre-flight check
+1. Confirm a spec card exists for this subcommand. If not, write `BLOCKED.md` and halt.
+2. Verify the subcommand is listed as PLANNED in `CLAUDE.md`. If absent, write `BLOCKED.md` and halt.
+
+## Scaffold steps
+1. Create `src/devbrief/commands/<name>.py` — model from `commands/repo.py`.
+2. Register the command in `src/devbrief/cli.py` with `app.add_typer(...)` or `@app.command`.
+3. Create `tests/test_<name>.py` with at least one happy-path and one error-path test.
+
+## Conventions
+- Handler function must be `async def`.
+- All output via Rich — no `print()`.
+- HTTP via `httpx` async — no `requests`.
+- Type hints on every function; no untyped signatures.
+- Model via `resolve_model()` from `devbrief.core.credentials` — never hardcoded.
+- Credential mocks in tests target `devbrief.core.credentials` boundary.
+
+## After scaffold
+Spawn `python-quality` and `test-runner` agents to validate the new files before committing.
+
+## Output
+List files created/modified. Flag any convention violation found during scaffold.
diff --git a/.claude/agents/test-runner.md b/.claude/agents/test-runner.md
@@ -0,0 +1,30 @@
+---
+name: test-runner
+description: Use PROACTIVELY after implementing or fixing any feature in src/devbrief/ — runs the full pytest suite and reports failures with context.
+tools: Bash, Read, Grep
+---
+
+# Test Runner Agent
+
+## Run tests
+```
+uv run pytest
+```
+
+## On failure
+1. Read the failing test file to understand intent.
+2. Check whether the failure is in a credential path — if so, verify the mock is at `devbrief.core.credentials`, not deeper.
+3. Report: test name, file:line, error message, and whether the failure is a new regression or a pre-existing issue.
+
+## Conventions to enforce
+- Every new command in `src/devbrief/commands/` must have a corresponding test file in `tests/`.
+- Credential reads must always be mocked — never use real API keys in tests.
+- Mock boundary: `devbrief.core.credentials` only.
+- Test files mirror `src/devbrief/` structure (e.g., `commands/env.py` → `tests/test_env.py`).
+
+## Hard stop
+If tests fail without an understood cause, do not attempt fixes — write `BLOCKED.md` and halt.
+
+## Output
+On pass: `test-runner: OK — N passed`.
+On fail: list each failure with file:line and a one-line diagnosis.