chore: add 17 operational rules and rule index

- Create .claude/rules/ with all 17 standard rule files (01-security through 17-document-imports)
- Add Operational Rules section with Rule Index to .claude/CLAUDE.md

.claude/rules/01-security.md

@@ -0,0 +1,38 @@
+# Security (PARAMOUNT)
+
+Treat every violation as a blocking issue.
+
+## Secrets
+
+- Use environment variables or secret managers for all secrets.
+- Before every commit, verify no secrets are staged.
+- Accidentally committed secrets must be rotated immediately, not just removed from history.
+- Keep `.env` and credential files in `.gitignore`.
+
+## Input Validation & Output Encoding
+
+- Validate ALL external input. Reject invalid input — never attempt to fix it.
+- Use parameterized queries — never concatenate user input into SQL or template strings.
+- Avoid shell invocation; use language-native APIs. If unavoidable, escape rigorously.
+- Encode output contextually (HTML, URL, JSON). XSS prevention = output encoding, not input sanitization.
+- Apply least privilege — minimum permissions, minimum scopes.
+
+## Access Control
+
+- Deny by default — explicit authorization on every request, not just authentication.
+- Validate resource ownership on every access (IDOR prevention).
+
+## Authentication
+
+- Rate-limit login endpoints. Support MFA. Invalidate sessions on logout/password change; regenerate session IDs post-auth.
+
+## Cryptography
+
+- No MD5/SHA-1. Use SHA-256+ for hashing, Argon2/bcrypt/scrypt for passwords.
+
+## Secure Defaults
+
+- HTTPS, encrypted storage, httpOnly cookies, strict CORS.
+- Check dependencies for CVEs before adding. Run audit tools after dependency changes.
+
+When in doubt, choose more security. Flag concerns explicitly.