coulomb/binect-chrome
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Replicate .claude/rules scaffolding from binect-js

Browse Source 
Add the 9-file .claude/rules set (repo-identity, session-protocol,
first-session, workplan-convention, stack-and-commands, architecture,
repo-boundary, credential-routing, agents), adapted to binect-chrome:
slug, agent name, BCHROME-WP- workplan prefix, shared communication topic.
stack/architecture/repo-boundary filled with this repo's real content.

Rewrite CLAUDE.md to the @-import structure mirroring binect-js (prior
prose migrated into the rule files), retaining an inline Kaizen reference.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-06-22 22:17:21 +02:00
parent 15c4ee5e1a
commit ccbbc88503
10 changed files with 307 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
.claude/rules/agents.md Normal file
View File

@@ -0,0 +1,20 @@
## Kaizen Agents
Specialized agent personas available on demand via the state-hub MCP.
**Discover:** `list_kaizen_agents()` — returns all agents with name, description, category
**Load:** `get_kaizen_agent("tdd-workflow")` — returns full instructions; read and follow them
Common agents:
| Agent | Category | When to use |
|-------|----------|-------------|
| `tdd-workflow` | testing | Step-by-step TDD8 workflow for any feature |
| `code-refactoring` | quality | Code quality analysis and safe refactoring |
| `test-maintenance` | testing | Diagnose and fix failing tests |
| `requirements-engineering` | process | Prevent interface/mock mismatches upfront |
| `keepaTodofile` | process | Maintain TODO.md during work |
| `project-management` | process | Track status, determine next steps |
| `datamodel-optimization` | quality | Optimize dataclasses and data structures |
All 17 agents: call `list_kaizen_agents()` for the full list.

20
.claude/rules/architecture.md Normal file
View File

@@ -0,0 +1,20 @@
## Architecture
Chrome MV3 extension; all state in `chrome.storage.local`, nothing relies on
in-memory background state surviving service-worker suspension. Full operational
boundary is in `SCOPE.md`; inviolable principles in `INTENT.md`.
**Key modules**
- `src/background/service-worker.ts` — MV3 service worker; message router for all popup ↔ background calls; `chrome.alarms` for credential-expiry and queue-cleanup ticks.
- `src/utils/pdf-detector.ts` — detect completed PDF downloads (Chrome Downloads API), scan recent downloads, best-effort current-tab detection, re-fetch PDF bytes from the original URL with `credentials: 'include'`.
- `src/utils/pdf-queue.ts``DocumentProxy` lifecycle queue (`pending → uploading → in_basket → ordering → in_production → sent`, + `failed`/`canceled`); metadata-only (never PDF content); dedup by filename + content hash; live vs. archived views; server sync/reconciliation.
- `src/utils/binect-api.ts` — thin wrapper over `@binect/js` (upload, ship, status, list, delete, testConnection) with extension-friendly types and error mapping. **All Binect access delegated 1:1 to the SDK** — no API logic reimplemented here.
- `src/utils/crypto.ts` / `storage.ts` — AES-GCM (256-bit) credential encryption at rest via Web Crypto; key in `chrome.storage.local`; decrypted only in memory; 60-day inactivity expiry; manual wipe; self-deleting corrupted ciphertext.
- `src/popup/` — login + lifecycle-grouped document list with send/order/refresh/archive/restore/delete actions, badge.
- `src/tracking/` — local-only append-only transfer log (~500 cap), summary counts, CSV export, email-draft feedback; tracking/help page.
**Design invariants** (see `INTENT.md`): zero document retention, explicit user intent for every dispatch (upload ≠ send — ordering is a separate confirmed step), no server-side component, minimal-but-`<all_urls>` host permission (a known Chrome Web Store review cost).
## Quick Reference
`~/state-hub/mcp_server/TOOLS.md` — MCP tool reference

50
.claude/rules/credential-routing.md Normal file
View File

@@ -0,0 +1,50 @@
# Credential and access routing
**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
for inference. Run this check **before** requesting secrets, API keys, SSH access,
login tokens, or database passwords — in any repo, not only `ops-warden`.
ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
other credential need belongs to another subsystem. **Do not** message
`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
### Lookup (do this first)
```bash
warden route find "<describe your need>" --json
warden route show <catalog-id> --json
```
Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
| Agent runtime | How to orient |
| --- | --- |
| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=binect-chrome` is for coordination, not secret vending |
| **Claude Code** (MCP when available) | `get_domain_summary("communication")` for workstreams; **still** use `warden route` for credential ownership |
| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
### Quick routing table
| I need… | Owner | ops-warden executes? |
| --- | --- | --- |
| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes**`warden sign` |
| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
| Authorization decision | flex-auth | No — route only |
| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
### Anti-patterns (do not do these)
- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
- Pasting secrets into Git, State Hub, workplans, logs, or chat
### Other capabilities (reuse-surface)
Non-credential capabilities are usually discovered through **reuse-surface** federation
(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
every repo's agent instructions because it is high-frequency, high-risk, and easy to
get wrong.
**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`

38
.claude/rules/first-session.md Normal file
View File

@@ -0,0 +1,38 @@
## First Session Protocol
Triggered when `get_domain_summary("communication")` shows **no workstreams**.
The project is registered but work has not yet been structured.
**Step 1 — Read, don't write**
- `~/the-custodian/canon/projects/communication/project_charter_v0.1.md` — purpose, scope
- `~/the-custodian/canon/projects/communication/roadmap_v0.1.md` — planned phases
- Scan repo root: README, directory structure, existing code or docs
**Step 2 — Survey in-progress work**
Look for TODOs, open branches, half-finished files. Note done vs. started but incomplete.
**Step 3 — Propose workstreams to Bernd**
Propose 13 workstreams — each a coherent strand, weeks to months, anchored to a
roadmap phase. **Wait for approval before creating.**
**Step 4 — Create workplan file first, then DB record (ADR-001)**
```
workplans/BCHROME-WP-NNNN-<slug>.md ← write this first
```
Then register in the hub:
```
create_workstream(topic_id="36c7421b-c537-4723-bf75-42a3ebc6a1dc", title="...", owner="...", description="...")
create_task(workstream_id="<id>", title="...", priority="high|medium|low")
```
**Step 5 — Record the setup**
```
add_progress_event(
summary="First session: structured communication into N workstreams, M tasks",
event_type="milestone",
topic_id="36c7421b-c537-4723-bf75-42a3ebc6a1dc",
detail={"workstreams": [...], "tasks_created": M}
)
```
<!-- Delete or archive this file once past first session -->

8
.claude/rules/repo-boundary.md Normal file
View File

@@ -0,0 +1,8 @@
## Repo boundary
This repo owns **BinectChrome** (the Chrome extension) only. It does not own:
- Binect REST API access / SDK logic → `binect-js` (`@binect/js`). New API coverage belongs upstream there, surfaced through the thin `src/utils/binect-api.ts` wrapper — never reimplemented here.
- The Binect backend service itself → external (Binect).
- State hub code → `state-hub/`.
- Credential issuance / routing → see `credential-routing.md` (ops-warden, OpenBao, etc.).

5
.claude/rules/repo-identity.md Normal file
View File

@@ -0,0 +1,5 @@
**Purpose:** Chrome (MV3) extension that detects PDFs in the browser and sends them to Binect for physical mail, then tracks each document through its Binect lifecycle. Backend-free, zero-retention (metadata-only proxies), AES-GCM credential storage. Consumes the @binect/js SDK. Governance in INTENT.md / SCOPE.md.
**Domain:** communication
**Repo slug:** binect-chrome
**Topic ID:** 36c7421b-c537-4723-bf75-42a3ebc6a1dc

85
.claude/rules/session-protocol.md Normal file
View File

@@ -0,0 +1,85 @@
## Session Protocol
Dev Hub (State Hub API): http://127.0.0.1:8000
MCP server name in `~/.claude.json`: `dev-hub`
**Step 1 — Orient**
Read the offline-safe brief first — it works without a live hub connection:
```bash
cat .custodian-brief.md
```
Then call the MCP tool for richer cross-domain context when MCP tools are exposed:
```
get_domain_summary("communication")
```
If MCP tools are unavailable in the current agent session, use the REST API:
```bash
curl -s "http://127.0.0.1:8000/state/summary" | python3 -m json.tool
```
If the hub is offline: `cd ~/state-hub && make api`
**Step 2 — Check inbox**
With MCP tools:
```
get_messages(to_agent="binect-chrome", unread_only=True)
```
Mark read with `mark_message_read(message_id)`. Reply or act on coordination
requests before proceeding.
Without MCP tools:
```bash
curl -s "http://127.0.0.1:8000/messages/?to_agent=binect-chrome&unread_only=true" \
| python3 -m json.tool
curl -s -X PATCH "http://127.0.0.1:8000/messages/<id>/read" \
-H "Content-Type: application/json" -d '{}'
```
**Step 3 — Scan workplans**
```bash
ls workplans/
```
For each file with `status: ready`, `active`, or `blocked`, note pending
`wait`/`todo`/`progress` tasks.
**Step 4 — Present brief**
1. **Active workstreams** for `communication` — title, task counts, blocking decisions
2. **Pending tasks** from `workplans/` + any `[repo:binect-chrome]` hub tasks
3. **Goal guidance** — if `goal_guidance` in summary:
- `needs_workplan`: surface as top action — *"Repo goal '{title}' has no workplan yet"*
- `alignment_warnings`: flag if active work is not aligned with current goal
4. **Suggested next action** — highest-priority open item
5. **SBOM status** — flag if `last_sbom_at` is unset for this repo
If no workstreams: follow First Session Protocol (`first-session.md`).
**During work:** `record_decision()` · `add_progress_event()` · `resolve_decision()`
> State Hub is a *read model*. Bootstrap tools (`create_workstream`, `create_task`)
> are First Session Protocol only. Work structure belongs in repo files (ADR-001).
**Session close:**
With MCP tools:
```
add_progress_event(summary="...", topic_id="36c7421b-c537-4723-bf75-42a3ebc6a1dc", workstream_id="<uuid>")
```
Without MCP tools:
```bash
curl -s -X POST http://127.0.0.1:8000/progress/ \
-H "Content-Type: application/json" \
-d '{"topic_id":"36c7421b-c537-4723-bf75-42a3ebc6a1dc","workstream_id":"<uuid>","event_type":"note","summary":"what changed","author":"codex"}'
```
If workplan files were modified, ensure the local copy is up to date first:
```bash
git -C <repo_path> pull --ff-only
cd ~/state-hub && make fix-consistency REPO=binect-chrome
```
For repos where implementation runs on a remote machine (e.g. CoulombCore),
use the combined target which pulls before fixing:
```bash
cd ~/state-hub && make fix-consistency-remote REPO=binect-chrome
```
**C-15** (DB task ahead of file) is normal in multi-machine workflows — writeback
will sync the file to match DB. **C-16** (repo behind remote) blocks all writes
until you pull — intentional to prevent clobbering remote progress.

29
.claude/rules/stack-and-commands.md Normal file
View File

@@ -0,0 +1,29 @@
## Stack
- **Language:** TypeScript (Chrome Extension, Manifest V3)
- **Key deps:** `@binect/js` (local `file:../binect-js` SDK — sibling repo must be present to build); Web Crypto API (AES-GCM credentials); Chrome APIs (`downloads`, `storage`, `alarms`, `activeTab`)
- **Build/test tooling:** Webpack, Jest, ESLint, `tsc` (type-check only)
## Dev Commands
```bash
# Install dependencies
npm install
# Build (production bundle → dist/)
npm run build
# Watch build for development
npm run dev
# Run tests
npm test # jest
npm run test:watch # jest --watch
# Lint / type check
npm run lint # eslint src/**/*.{js,ts}
npm run lint:fix # eslint --fix
npm run type-check # tsc --noEmit
```
Load the unpacked extension from `dist/` via `chrome://extensions` (Developer mode) to test in-browser.

40
.claude/rules/workplan-convention.md Normal file
View File

@@ -0,0 +1,40 @@
## Workplan Convention (ADR-001)
File location: `workplans/BCHROME-WP-NNNN-<slug>.md`
ID prefix: `BCHROME-WP-`
Work items originate as files in this repo **before** being registered in the hub.
Canonical workplan/workstream frontmatter statuses are:
`proposed`, `ready`, `active`, `blocked`, `backlog`, `finished`, `archived`.
Use `proposed` for a newly drafted plan, `ready` after review against current
repo state, and `finished` when implementation is complete. `stalled` and
`needs_review` are derived health labels, not stored statuses.
Closed workplans may be moved to `workplans/archived/` with a completion-date
prefix: `YYMMDD-BCHROME-WP-NNNN-<slug>.md`. The frontmatter id remains
unchanged; the prefix is only for quick visual reference.
Small opportunistic tasks discovered during another session use **Ad Hoc Tasks**:
`workplans/ADHOC-YYYY-MM-DD.md`, workstream slug `adhoc-YYYY-MM-DD`, and task ids
`ADHOC-YYYY-MM-DD-T01`, `T02`, etc. Use adhocs only for low-risk work completed
directly. Promote anything requiring analysis, design, approval, dependencies, or
multiple planned phases into a normal workplan.
Ecosystem todos from other agents arrive as `[repo:binect-chrome]` hub tasks —
visible at session start. Pick one up by creating the workplan file, then registering
the workstream.
Task blocks use this shape:
```task
id: BCHROME-WP-NNNN-T01
status: wait | todo | progress | done | cancel
priority: high | medium | low
state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
```
Status progression is `todo``progress``done`; use `wait` for waiting or
blocked work and `cancel` for stopped work.
<!-- Ralph Loop rules and HEUREKA sequence: ~/.claude/CLAUDE.md — do not duplicate here -->

89
CLAUDE.md
View File

@@ -1,83 +1,18 @@
# CLAUDE.md
# BinectChrome — Claude Code Instructions
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Project Overview
**BinectChrome** is a Chrome extension (Manifest V3) that enables users to send PDF documents from arbitrary cloud applications directly to Binect for physical printing and postal delivery, eliminating the manual download-upload workflow.
## Core Architecture Principles
### Browser Extension Structure (Manifest V3)
- Service worker-based background script (no persistent background pages)
- Popup UI for user interaction
- Chrome Downloads API for PDF detection
- Chrome Storage API for encrypted credential storage
### Privacy-First Design
- **Zero PDF storage**: PDFs are never stored by the extension
- **Explicit user intent**: No automatic sending; all transfers require user click
- **Metadata minimization**: No content inspection or filename persistence
- **Local-only tracking**: All tracking data stored locally in browser, never transmitted except in support requests
### Authentication & Security
- **Credential storage**: Username/password encrypted at rest in extension storage
- **60-day retention**: Credentials auto-expire after 60 days of inactivity
- **No backend relay**: Extension communicates directly with Binect API
- **Minimal permissions**: Only `downloads`, `storage`, `activeTab`, and Binect API host permission
## Key Functional Components
### 1. PDF Detection System
- **Primary**: Detect completed PDF downloads via Chrome Downloads API
- Identify by `.pdf` extension or `Content-Type: application/pdf` headers
- **Secondary**: Detect in-browser PDF navigation via `Content-Type: application/pdf`
- **Limitation**: blob URLs and complex JS viewers may not be detectable
### 2. PDF Acquisition & Transfer
- Re-fetch PDF from original URL using user session (preferred)
- Upload to Binect via official API
- Show progress states: Uploading → Success/Failure
### 3. Credential Management
- Encrypt at rest, decrypt only in memory during use
- "Use" = successful authentication or successful send
- Auto-delete after 60 days inactivity
- Manual wipe option always available
### 4. Local Tracking ("Score")
Track locally only:
- Timestamp
- Source domain/URL
- Destination URL
- PDF filesize
- Result (success/failure + error class)
Cap at ~500 entries to prevent unbounded growth.
### 5. User Interface
- **Popup**: Shows last detected PDF (filename, size, timestamp, source domain) + "Send PDF to Binect" button
- **Info/Help ("?")**: Access tracking view with summary counts and chronological transfer list
- **Feedback link**: Opens email to bernd.worsch@binect.de with tracking data as CSV (embedded in body and/or clipboard)
## Technical Constraints
- Chrome Extension Manifest V3 required
- No external backend services
- No cross-browser support in v1 (Chrome only)
- Service worker lifecycle limitations (no persistent background)
## Distribution
- Automated publication via Chrome Web Store
- Must pass Chrome Web Store security review (minimal permissions critical)
@SCOPE.md
@.claude/rules/repo-identity.md
@.claude/rules/session-protocol.md
@.claude/rules/first-session.md
@.claude/rules/workplan-convention.md
@.claude/rules/stack-and-commands.md
@.claude/rules/architecture.md
@.claude/rules/repo-boundary.md
@.claude/rules/credential-routing.md
@.claude/rules/agents.md
## Kaizen Agents
Specialized kaizen agent personas are available on demand via the state-hub MCP —
discover with `list_kaizen_agents()` and load with `get_kaizen_agent("<name>")`,
then read and follow their instructions.
## Contact & Support
Feature requests and bug reports: bernd.worsch@binect.de
then read and follow their instructions. Full guidance in `.claude/rules/agents.md`.