From ccbbc885035fba1b0b68019c8e03ebc315bca5d5 Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 22 Jun 2026 22:17:21 +0200 Subject: [PATCH] Replicate .claude/rules scaffolding from binect-js Add the 9-file .claude/rules set (repo-identity, session-protocol, first-session, workplan-convention, stack-and-commands, architecture, repo-boundary, credential-routing, agents), adapted to binect-chrome: slug, agent name, BCHROME-WP- workplan prefix, shared communication topic. stack/architecture/repo-boundary filled with this repo's real content. Rewrite CLAUDE.md to the @-import structure mirroring binect-js (prior prose migrated into the rule files), retaining an inline Kaizen reference. Co-Authored-By: Claude Opus 4.8 --- .claude/rules/agents.md | 20 +++++++ .claude/rules/architecture.md | 20 +++++++ .claude/rules/credential-routing.md | 50 ++++++++++++++++ .claude/rules/first-session.md | 38 ++++++++++++ .claude/rules/repo-boundary.md | 8 +++ .claude/rules/repo-identity.md | 5 ++ .claude/rules/session-protocol.md | 85 ++++++++++++++++++++++++++ .claude/rules/stack-and-commands.md | 29 +++++++++ .claude/rules/workplan-convention.md | 40 +++++++++++++ CLAUDE.md | 89 ++++------------------------ 10 files changed, 307 insertions(+), 77 deletions(-) create mode 100644 .claude/rules/agents.md create mode 100644 .claude/rules/architecture.md create mode 100644 .claude/rules/credential-routing.md create mode 100644 .claude/rules/first-session.md create mode 100644 .claude/rules/repo-boundary.md create mode 100644 .claude/rules/repo-identity.md create mode 100644 .claude/rules/session-protocol.md create mode 100644 .claude/rules/stack-and-commands.md create mode 100644 .claude/rules/workplan-convention.md diff --git a/.claude/rules/agents.md b/.claude/rules/agents.md new file mode 100644 index 0000000..0e8a5d9 --- /dev/null +++ b/.claude/rules/agents.md @@ -0,0 +1,20 @@ +## Kaizen Agents + +Specialized agent personas available on demand via the state-hub MCP. + +**Discover:** `list_kaizen_agents()` — returns all agents with name, description, category +**Load:** `get_kaizen_agent("tdd-workflow")` — returns full instructions; read and follow them + +Common agents: + +| Agent | Category | When to use | +|-------|----------|-------------| +| `tdd-workflow` | testing | Step-by-step TDD8 workflow for any feature | +| `code-refactoring` | quality | Code quality analysis and safe refactoring | +| `test-maintenance` | testing | Diagnose and fix failing tests | +| `requirements-engineering` | process | Prevent interface/mock mismatches upfront | +| `keepaTodofile` | process | Maintain TODO.md during work | +| `project-management` | process | Track status, determine next steps | +| `datamodel-optimization` | quality | Optimize dataclasses and data structures | + +All 17 agents: call `list_kaizen_agents()` for the full list. diff --git a/.claude/rules/architecture.md b/.claude/rules/architecture.md new file mode 100644 index 0000000..102d258 --- /dev/null +++ b/.claude/rules/architecture.md @@ -0,0 +1,20 @@ +## Architecture + +Chrome MV3 extension; all state in `chrome.storage.local`, nothing relies on +in-memory background state surviving service-worker suspension. Full operational +boundary is in `SCOPE.md`; inviolable principles in `INTENT.md`. + +**Key modules** +- `src/background/service-worker.ts` — MV3 service worker; message router for all popup ↔ background calls; `chrome.alarms` for credential-expiry and queue-cleanup ticks. +- `src/utils/pdf-detector.ts` — detect completed PDF downloads (Chrome Downloads API), scan recent downloads, best-effort current-tab detection, re-fetch PDF bytes from the original URL with `credentials: 'include'`. +- `src/utils/pdf-queue.ts` — `DocumentProxy` lifecycle queue (`pending → uploading → in_basket → ordering → in_production → sent`, + `failed`/`canceled`); metadata-only (never PDF content); dedup by filename + content hash; live vs. archived views; server sync/reconciliation. +- `src/utils/binect-api.ts` — thin wrapper over `@binect/js` (upload, ship, status, list, delete, testConnection) with extension-friendly types and error mapping. **All Binect access delegated 1:1 to the SDK** — no API logic reimplemented here. +- `src/utils/crypto.ts` / `storage.ts` — AES-GCM (256-bit) credential encryption at rest via Web Crypto; key in `chrome.storage.local`; decrypted only in memory; 60-day inactivity expiry; manual wipe; self-deleting corrupted ciphertext. +- `src/popup/` — login + lifecycle-grouped document list with send/order/refresh/archive/restore/delete actions, badge. +- `src/tracking/` — local-only append-only transfer log (~500 cap), summary counts, CSV export, email-draft feedback; tracking/help page. + +**Design invariants** (see `INTENT.md`): zero document retention, explicit user intent for every dispatch (upload ≠ send — ordering is a separate confirmed step), no server-side component, minimal-but-`` host permission (a known Chrome Web Store review cost). + +## Quick Reference + +`~/state-hub/mcp_server/TOOLS.md` — MCP tool reference diff --git a/.claude/rules/credential-routing.md b/.claude/rules/credential-routing.md new file mode 100644 index 0000000..6e94508 --- /dev/null +++ b/.claude/rules/credential-routing.md @@ -0,0 +1,50 @@ +# Credential and access routing + +**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect** +for inference. Run this check **before** requesting secrets, API keys, SSH access, +login tokens, or database passwords — in any repo, not only `ops-warden`. + +ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every +other credential need belongs to another subsystem. **Do not** message +`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key. + +### Lookup (do this first) + +```bash +warden route find "" --json +warden route show --json +``` + +Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`). + +| Agent runtime | How to orient | +| --- | --- | +| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=binect-chrome` is for coordination, not secret vending | +| **Claude Code** (MCP when available) | `get_domain_summary("communication")` for workstreams; **still** use `warden route` for credential ownership | +| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` | + +### Quick routing table + +| I need… | Owner | ops-warden executes? | +| --- | --- | --- | +| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` | +| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only | +| Login / OIDC / MFA | key-cape / Keycloak | No — route only | +| Authorization decision | flex-auth | No — route only | +| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` | +| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only | + +### Anti-patterns (do not do these) + +- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc. +- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist +- Pasting secrets into Git, State Hub, workplans, logs, or chat + +### Other capabilities (reuse-surface) + +Non-credential capabilities are usually discovered through **reuse-surface** federation +(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in +every repo's agent instructions because it is high-frequency, high-risk, and easy to +get wrong. + +**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml` diff --git a/.claude/rules/first-session.md b/.claude/rules/first-session.md new file mode 100644 index 0000000..ef9f3a6 --- /dev/null +++ b/.claude/rules/first-session.md @@ -0,0 +1,38 @@ +## First Session Protocol + +Triggered when `get_domain_summary("communication")` shows **no workstreams**. +The project is registered but work has not yet been structured. + +**Step 1 — Read, don't write** +- `~/the-custodian/canon/projects/communication/project_charter_v0.1.md` — purpose, scope +- `~/the-custodian/canon/projects/communication/roadmap_v0.1.md` — planned phases +- Scan repo root: README, directory structure, existing code or docs + +**Step 2 — Survey in-progress work** +Look for TODOs, open branches, half-finished files. Note done vs. started but incomplete. + +**Step 3 — Propose workstreams to Bernd** +Propose 1–3 workstreams — each a coherent strand, weeks to months, anchored to a +roadmap phase. **Wait for approval before creating.** + +**Step 4 — Create workplan file first, then DB record (ADR-001)** +``` +workplans/BCHROME-WP-NNNN-.md ← write this first +``` +Then register in the hub: +``` +create_workstream(topic_id="36c7421b-c537-4723-bf75-42a3ebc6a1dc", title="...", owner="...", description="...") +create_task(workstream_id="", title="...", priority="high|medium|low") +``` + +**Step 5 — Record the setup** +``` +add_progress_event( + summary="First session: structured communication into N workstreams, M tasks", + event_type="milestone", + topic_id="36c7421b-c537-4723-bf75-42a3ebc6a1dc", + detail={"workstreams": [...], "tasks_created": M} +) +``` + + diff --git a/.claude/rules/repo-boundary.md b/.claude/rules/repo-boundary.md new file mode 100644 index 0000000..2ffc83b --- /dev/null +++ b/.claude/rules/repo-boundary.md @@ -0,0 +1,8 @@ +## Repo boundary + +This repo owns **BinectChrome** (the Chrome extension) only. It does not own: + +- Binect REST API access / SDK logic → `binect-js` (`@binect/js`). New API coverage belongs upstream there, surfaced through the thin `src/utils/binect-api.ts` wrapper — never reimplemented here. +- The Binect backend service itself → external (Binect). +- State hub code → `state-hub/`. +- Credential issuance / routing → see `credential-routing.md` (ops-warden, OpenBao, etc.). diff --git a/.claude/rules/repo-identity.md b/.claude/rules/repo-identity.md new file mode 100644 index 0000000..0058a84 --- /dev/null +++ b/.claude/rules/repo-identity.md @@ -0,0 +1,5 @@ +**Purpose:** Chrome (MV3) extension that detects PDFs in the browser and sends them to Binect for physical mail, then tracks each document through its Binect lifecycle. Backend-free, zero-retention (metadata-only proxies), AES-GCM credential storage. Consumes the @binect/js SDK. Governance in INTENT.md / SCOPE.md. + +**Domain:** communication +**Repo slug:** binect-chrome +**Topic ID:** 36c7421b-c537-4723-bf75-42a3ebc6a1dc diff --git a/.claude/rules/session-protocol.md b/.claude/rules/session-protocol.md new file mode 100644 index 0000000..758903b --- /dev/null +++ b/.claude/rules/session-protocol.md @@ -0,0 +1,85 @@ +## Session Protocol + +Dev Hub (State Hub API): http://127.0.0.1:8000 +MCP server name in `~/.claude.json`: `dev-hub` + +**Step 1 — Orient** + +Read the offline-safe brief first — it works without a live hub connection: +```bash +cat .custodian-brief.md +``` +Then call the MCP tool for richer cross-domain context when MCP tools are exposed: +``` +get_domain_summary("communication") +``` +If MCP tools are unavailable in the current agent session, use the REST API: +```bash +curl -s "http://127.0.0.1:8000/state/summary" | python3 -m json.tool +``` +If the hub is offline: `cd ~/state-hub && make api` + +**Step 2 — Check inbox** +With MCP tools: +``` +get_messages(to_agent="binect-chrome", unread_only=True) +``` +Mark read with `mark_message_read(message_id)`. Reply or act on coordination +requests before proceeding. + +Without MCP tools: +```bash +curl -s "http://127.0.0.1:8000/messages/?to_agent=binect-chrome&unread_only=true" \ + | python3 -m json.tool +curl -s -X PATCH "http://127.0.0.1:8000/messages//read" \ + -H "Content-Type: application/json" -d '{}' +``` + +**Step 3 — Scan workplans** +```bash +ls workplans/ +``` +For each file with `status: ready`, `active`, or `blocked`, note pending +`wait`/`todo`/`progress` tasks. + +**Step 4 — Present brief** + +1. **Active workstreams** for `communication` — title, task counts, blocking decisions +2. **Pending tasks** from `workplans/` + any `[repo:binect-chrome]` hub tasks +3. **Goal guidance** — if `goal_guidance` in summary: + - `needs_workplan`: surface as top action — *"Repo goal '{title}' has no workplan yet"* + - `alignment_warnings`: flag if active work is not aligned with current goal +4. **Suggested next action** — highest-priority open item +5. **SBOM status** — flag if `last_sbom_at` is unset for this repo + +If no workstreams: follow First Session Protocol (`first-session.md`). + +**During work:** `record_decision()` · `add_progress_event()` · `resolve_decision()` + +> State Hub is a *read model*. Bootstrap tools (`create_workstream`, `create_task`) +> are First Session Protocol only. Work structure belongs in repo files (ADR-001). + +**Session close:** +With MCP tools: +``` +add_progress_event(summary="...", topic_id="36c7421b-c537-4723-bf75-42a3ebc6a1dc", workstream_id="") +``` +Without MCP tools: +```bash +curl -s -X POST http://127.0.0.1:8000/progress/ \ + -H "Content-Type: application/json" \ + -d '{"topic_id":"36c7421b-c537-4723-bf75-42a3ebc6a1dc","workstream_id":"","event_type":"note","summary":"what changed","author":"codex"}' +``` +If workplan files were modified, ensure the local copy is up to date first: +```bash +git -C pull --ff-only +cd ~/state-hub && make fix-consistency REPO=binect-chrome +``` +For repos where implementation runs on a remote machine (e.g. CoulombCore), +use the combined target which pulls before fixing: +```bash +cd ~/state-hub && make fix-consistency-remote REPO=binect-chrome +``` +**C-15** (DB task ahead of file) is normal in multi-machine workflows — writeback +will sync the file to match DB. **C-16** (repo behind remote) blocks all writes +until you pull — intentional to prevent clobbering remote progress. diff --git a/.claude/rules/stack-and-commands.md b/.claude/rules/stack-and-commands.md new file mode 100644 index 0000000..c701129 --- /dev/null +++ b/.claude/rules/stack-and-commands.md @@ -0,0 +1,29 @@ +## Stack + +- **Language:** TypeScript (Chrome Extension, Manifest V3) +- **Key deps:** `@binect/js` (local `file:../binect-js` SDK — sibling repo must be present to build); Web Crypto API (AES-GCM credentials); Chrome APIs (`downloads`, `storage`, `alarms`, `activeTab`) +- **Build/test tooling:** Webpack, Jest, ESLint, `tsc` (type-check only) + +## Dev Commands + +```bash +# Install dependencies +npm install + +# Build (production bundle → dist/) +npm run build + +# Watch build for development +npm run dev + +# Run tests +npm test # jest +npm run test:watch # jest --watch + +# Lint / type check +npm run lint # eslint src/**/*.{js,ts} +npm run lint:fix # eslint --fix +npm run type-check # tsc --noEmit +``` + +Load the unpacked extension from `dist/` via `chrome://extensions` (Developer mode) to test in-browser. diff --git a/.claude/rules/workplan-convention.md b/.claude/rules/workplan-convention.md new file mode 100644 index 0000000..9e26141 --- /dev/null +++ b/.claude/rules/workplan-convention.md @@ -0,0 +1,40 @@ +## Workplan Convention (ADR-001) + +File location: `workplans/BCHROME-WP-NNNN-.md` +ID prefix: `BCHROME-WP-` + +Work items originate as files in this repo **before** being registered in the hub. + +Canonical workplan/workstream frontmatter statuses are: +`proposed`, `ready`, `active`, `blocked`, `backlog`, `finished`, `archived`. +Use `proposed` for a newly drafted plan, `ready` after review against current +repo state, and `finished` when implementation is complete. `stalled` and +`needs_review` are derived health labels, not stored statuses. + +Closed workplans may be moved to `workplans/archived/` with a completion-date +prefix: `YYMMDD-BCHROME-WP-NNNN-.md`. The frontmatter id remains +unchanged; the prefix is only for quick visual reference. + +Small opportunistic tasks discovered during another session use **Ad Hoc Tasks**: +`workplans/ADHOC-YYYY-MM-DD.md`, workstream slug `adhoc-YYYY-MM-DD`, and task ids +`ADHOC-YYYY-MM-DD-T01`, `T02`, etc. Use adhocs only for low-risk work completed +directly. Promote anything requiring analysis, design, approval, dependencies, or +multiple planned phases into a normal workplan. + +Ecosystem todos from other agents arrive as `[repo:binect-chrome]` hub tasks — +visible at session start. Pick one up by creating the workplan file, then registering +the workstream. + +Task blocks use this shape: + +```task +id: BCHROME-WP-NNNN-T01 +status: wait | todo | progress | done | cancel +priority: high | medium | low +state_hub_task_id: "" # written by fix-consistency — do not edit +``` + +Status progression is `todo` → `progress` → `done`; use `wait` for waiting or +blocked work and `cancel` for stopped work. + + diff --git a/CLAUDE.md b/CLAUDE.md index 3f80258..d8e22dc 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,83 +1,18 @@ -# CLAUDE.md +# BinectChrome — Claude Code Instructions -This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. - -## Project Overview - -**BinectChrome** is a Chrome extension (Manifest V3) that enables users to send PDF documents from arbitrary cloud applications directly to Binect for physical printing and postal delivery, eliminating the manual download-upload workflow. - -## Core Architecture Principles - -### Browser Extension Structure (Manifest V3) -- Service worker-based background script (no persistent background pages) -- Popup UI for user interaction -- Chrome Downloads API for PDF detection -- Chrome Storage API for encrypted credential storage - -### Privacy-First Design -- **Zero PDF storage**: PDFs are never stored by the extension -- **Explicit user intent**: No automatic sending; all transfers require user click -- **Metadata minimization**: No content inspection or filename persistence -- **Local-only tracking**: All tracking data stored locally in browser, never transmitted except in support requests - -### Authentication & Security -- **Credential storage**: Username/password encrypted at rest in extension storage -- **60-day retention**: Credentials auto-expire after 60 days of inactivity -- **No backend relay**: Extension communicates directly with Binect API -- **Minimal permissions**: Only `downloads`, `storage`, `activeTab`, and Binect API host permission - -## Key Functional Components - -### 1. PDF Detection System -- **Primary**: Detect completed PDF downloads via Chrome Downloads API - - Identify by `.pdf` extension or `Content-Type: application/pdf` headers -- **Secondary**: Detect in-browser PDF navigation via `Content-Type: application/pdf` -- **Limitation**: blob URLs and complex JS viewers may not be detectable - -### 2. PDF Acquisition & Transfer -- Re-fetch PDF from original URL using user session (preferred) -- Upload to Binect via official API -- Show progress states: Uploading → Success/Failure - -### 3. Credential Management -- Encrypt at rest, decrypt only in memory during use -- "Use" = successful authentication or successful send -- Auto-delete after 60 days inactivity -- Manual wipe option always available - -### 4. Local Tracking ("Score") -Track locally only: -- Timestamp -- Source domain/URL -- Destination URL -- PDF filesize -- Result (success/failure + error class) - -Cap at ~500 entries to prevent unbounded growth. - -### 5. User Interface -- **Popup**: Shows last detected PDF (filename, size, timestamp, source domain) + "Send PDF to Binect" button -- **Info/Help ("?")**: Access tracking view with summary counts and chronological transfer list -- **Feedback link**: Opens email to bernd.worsch@binect.de with tracking data as CSV (embedded in body and/or clipboard) - -## Technical Constraints - -- Chrome Extension Manifest V3 required -- No external backend services -- No cross-browser support in v1 (Chrome only) -- Service worker lifecycle limitations (no persistent background) - -## Distribution - -- Automated publication via Chrome Web Store -- Must pass Chrome Web Store security review (minimal permissions critical) +@SCOPE.md +@.claude/rules/repo-identity.md +@.claude/rules/session-protocol.md +@.claude/rules/first-session.md +@.claude/rules/workplan-convention.md +@.claude/rules/stack-and-commands.md +@.claude/rules/architecture.md +@.claude/rules/repo-boundary.md +@.claude/rules/credential-routing.md +@.claude/rules/agents.md ## Kaizen Agents Specialized kaizen agent personas are available on demand via the state-hub MCP — discover with `list_kaizen_agents()` and load with `get_kaizen_agent("")`, -then read and follow their instructions. - -## Contact & Support - -Feature requests and bug reports: bernd.worsch@binect.de +then read and follow their instructions. Full guidance in `.claude/rules/agents.md`.