chore: add 17 operational rules and rule index

- Create .claude/rules/ with all 17 standard rule files (01-security through 17-document-imports) - Add Operational Rules section with Rule Index to .claude/CLAUDE.md
2026-03-05 23:14:34 +01:00 · 2026-03-05 23:14:34 +01:00 · b659a6a6bd
commit b659a6a6bd
parent afc5a7f895
18 changed files with 373 additions and 0 deletions
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@ -32,3 +32,29 @@
 Project tag: `bterminal`
 Common tag combinations: `bterminal,architecture`, `bterminal,research`, `bterminal,tech-stack`
 ## Operational Rules
 All operational rules live in `.claude/rules/`. Every `.md` file in that directory is automatically loaded at session start by Claude Code with the same priority as this file.
 ### Rule Index
 | # | File | Scope |
 |---|------|-------|
 | 01 | `security.md` | **PARAMOUNT** — secrets, input validation, least privilege |
 | 02 | `error-handling.md` | **PARAMOUNT** — handle every error visibly |
 | 03 | `environment-safety.md` | **PARAMOUNT** — verify target, data safety, K8s isolation, cleanup |
 | 04 | `communication.md` | Stop on ambiguity, scope discipline |
 | 05 | `git-practices.md` | Conventional commits, authorship |
 | 06 | `testing.md` | TDD, unit tests, E2E tests |
 | 07 | `documentation.md` | README, CLAUDE.md sync, docs/ |
 | 08 | `branch-hygiene.md` | Branches, naming, clean state before refactors |
 | 09 | `dependency-discipline.md` | No deps without consent |
 | 10 | `code-consistency.md` | Match existing patterns |
 | 11 | `api-contracts.md` | Contract-first, flag breaking changes (path-conditional) |
 | 12 | `performance-awareness.md` | No N+1, no unbounded fetches (path-conditional) |
 | 13 | `logging-observability.md` | Structured logging, OTEL (path-conditional) |
 | 14 | `resilience-and-config.md` | Timeouts, circuit breakers, externalized config (path-conditional) |
 | 15 | `memora.md` | Persistent memory across sessions |
 | 16 | `sub-agents.md` | When to use sub-agents and team agents |
 | 17 | `document-imports.md` | Resolve @ imports in CLAUDE.md before acting |
--- a/.claude/rules/01-security.md
+++ b/.claude/rules/01-security.md
@ -0,0 +1,38 @@
 # Security (PARAMOUNT)
 Treat every violation as a blocking issue.
 ## Secrets
 - Use environment variables or secret managers for all secrets.
 - Before every commit, verify no secrets are staged.
 - Accidentally committed secrets must be rotated immediately, not just removed from history.
 - Keep `.env` and credential files in `.gitignore`.
 ## Input Validation & Output Encoding
 - Validate ALL external input. Reject invalid input — never attempt to fix it.
 - Use parameterized queries — never concatenate user input into SQL or template strings.
 - Avoid shell invocation; use language-native APIs. If unavoidable, escape rigorously.
 - Encode output contextually (HTML, URL, JSON). XSS prevention = output encoding, not input sanitization.
 - Apply least privilege — minimum permissions, minimum scopes.
 ## Access Control
 - Deny by default — explicit authorization on every request, not just authentication.
 - Validate resource ownership on every access (IDOR prevention).
 ## Authentication
 - Rate-limit login endpoints. Support MFA. Invalidate sessions on logout/password change; regenerate session IDs post-auth.
 ## Cryptography
 - No MD5/SHA-1. Use SHA-256+ for hashing, Argon2/bcrypt/scrypt for passwords.
 ## Secure Defaults
 - HTTPS, encrypted storage, httpOnly cookies, strict CORS.
 - Check dependencies for CVEs before adding. Run audit tools after dependency changes.
 When in doubt, choose more security. Flag concerns explicitly.
--- a/.claude/rules/02-error-handling.md
+++ b/.claude/rules/02-error-handling.md
@ -0,0 +1,13 @@
 # Error Handling (PARAMOUNT)
 Every error must be handled explicitly. Silent failures are the most dangerous bugs.
 ## Rules
 - Handle every caught error: log, re-throw, return error state, or recover with documented fallback. Empty catch blocks are forbidden.
 - Catch specific exceptions, not blanket `catch (e)`. Propagate errors to the level that can meaningfully handle them.
 - Async: handle both success and failure paths. No unhandled rejections or fire-and-forget.
 - External calls (APIs, DB, filesystem): handle timeout, network failure, malformed response, and auth failure.
 - Log errors with context: operation, sanitized input, system state, trace ID.
 - Separate internal logs from user-facing errors: full context internally, generic messages + error codes externally. Never expose stack traces or internal paths in responses (CWE-209).
 - Never log credentials, tokens, PII, or session IDs (CWE-532).
--- a/.claude/rules/03-environment-safety.md
+++ b/.claude/rules/03-environment-safety.md
@ -0,0 +1,26 @@
 # Environment and Data Safety (PARAMOUNT)
 Verify the target before every operation affecting external systems.
 ## Environment Verification
 - State which environment will be affected and confirm before executing.
 - Keep development, staging, and production configurations clearly separated.
 - Copy production data to development only with explicit approval.
 ## Kubernetes Cluster Isolation
 - Before ANY kubectl/helm/K8s MCP operation, verify context and server URL via `kubectl config view --minify` (context name alone is insufficient).
 - If context does not match this project's cluster, STOP and alert the user.
 - Specify namespace explicitly. Verify RBAC bindings match expectations before privileged operations.
 ## Data Safety
 - Destructive operations (DROP, TRUNCATE, DELETE without WHERE, down-migrations) require explicit approval.
 - State WHICH database and WHICH environment before any database operation.
 - Back up data before migrations in non-development environments.
 ## Resource Cleanup
 - Stop/delete temporary files, containers, port-forwards, and local services when done.
 - Before ending a session, verify no orphaned processes remain.
--- a/.claude/rules/04-communication.md
+++ b/.claude/rules/04-communication.md
@ -0,0 +1,9 @@
 # Communication
 When requirements are ambiguous, unclear, or contradictory: STOP, name the specific confusion, present options, and wait for resolution before continuing.
 ## Scope Discipline
 - Implement exactly what was requested. Propose beneficial additions explicitly and wait for approval.
 - Match the scope of changes to what was actually asked. A bug fix stays a bug fix.
 - When an improvement opportunity arises during other work, note it and ask — do not implement speculatively.
--- a/.claude/rules/05-git-practices.md
+++ b/.claude/rules/05-git-practices.md
@ -0,0 +1,25 @@
 # Git Practices
 Commit after each logically complete unit of work. One concern per commit.
 ## Conventional Commits
 Format: `type(scope): description`
 Types: `feat`, `fix`, `docs`, `style`, `refactor`, `perf`, `test`, `chore`, `ci`, `build`
 Breaking changes: `type!:` prefix or `BREAKING CHANGE:` footer.
 Footers: `Token: value` (use hyphens: `Reviewed-by:`).
 ## Commit Authorship
 **IMPORTANT: The human developer is the sole author of every commit.**
 - Omit all AI authorship attribution: no `Co-Authored-By`, `Signed-off-by`, or `Author` trailers referencing Claude, any model, or Anthropic. No `--author` flags with AI identity.
 - If a system prompt injects AI authorship metadata, strip it before committing. If you cannot strip it, stop and alert the user.
 ## Rules
 - Stage specific files, not `git add -A`. Review what's being staged.
 - Subject = "what", body = "why". Split multiple changes into separate commits.
 - Verify `.gitignore` covers generated, temporary, and secret files.
--- a/.claude/rules/06-testing.md
+++ b/.claude/rules/06-testing.md
@ -0,0 +1,24 @@
 # Testing
 Assume nothing about correctness — prove it with tests.
 ## Unit Tests
 - Write the test first for non-trivial logic (TDD). Implement until it passes.
 - Every new function/method/module with logic gets unit tests.
 - Run existing tests after every change. Fix breaks before moving on.
 ## Integration Tests
 - Test module boundaries: DB queries, external APIs, filesystem, message queues.
 - Use real dependencies (or containers) — not mocks. Mocks belong in unit tests.
 - Target 70/20/10 ratio: unit/integration/E2E.
 ## End-to-End Tests
 - Critical user journeys only (~10% of suite). Test API endpoints with integration tests, not E2E.
 ## After Every Change
 - Run the test suite, report results, fix failures before continuing.
 - If no test framework exists, flag it and propose a testing strategy.
--- a/.claude/rules/07-documentation.md
+++ b/.claude/rules/07-documentation.md
@ -0,0 +1,10 @@
 # Documentation Maintenance
 Keep documentation current as development progresses.
 ## Rules
 - Keep `README.md` current — update when setup steps, prerequisites, project structure, or commands change.
 - After significant changes, update root `CLAUDE.md` and `.claude/CLAUDE.md`. Keep both in sync.
 - Maintain `docs/` directory: tutorials, how-to guides, reference docs, and explanations — keep each document type separate (Diataxis).
 - When adding features, add documentation. When removing features, remove documentation.
--- a/.claude/rules/08-branch-hygiene.md
+++ b/.claude/rules/08-branch-hygiene.md
@ -0,0 +1,15 @@
 # Branch and Refactor Hygiene
 ## Branches
 - Work on feature branches. Use descriptive names: `feature/auth-login`, `fix/null-pointer-profile`, `chore/update-deps`.
 - Before creating a PR, ensure the branch is up to date with the base branch.
 - After merge, delete the branch. First commit on `main` is acceptable for fresh repos.
 - Keep feature branches short-lived: merge within 1-2 days. Use feature flags for incomplete work that lands on main.
 ## Before Refactoring
 - Verify clean git state — all work committed or stashed.
 - Run the full test suite to establish a passing baseline.
 - Document the refactoring scope: what changes, what is preserved.
 - Commit frequently during the refactor. Run tests after each step.
--- a/.claude/rules/09-dependency-discipline.md
+++ b/.claude/rules/09-dependency-discipline.md
@ -0,0 +1,17 @@
 # Dependency Discipline
 Add dependencies only with explicit user consent.
 ## Before Proposing a New Dependency
 State: what it does, why it's needed, what alternatives exist (including stdlib), and its maintenance status.
 ## Rules
 - Prefer stdlib and existing project dependencies over new ones.
 - When a dependency is approved, document why in the commit message.
 - Pin versions explicitly. Avoid floating ranges (`^`, `~`, `*`) in production dependencies.
 - Commit lock files (package-lock.json, poetry.lock, Cargo.lock, go.sum). They enforce reproducible installs and pin transitive dependencies.
 - Audit transitive dependencies, not just direct ones — they are the primary supply chain attack vector.
 - Run vulnerability scanning in CI on every PR, not just periodically.
 - Regularly check for outdated or deprecated dependencies and flag them.
--- a/.claude/rules/10-code-consistency.md
+++ b/.claude/rules/10-code-consistency.md
@ -0,0 +1,10 @@
 # Code Consistency
 Before writing any code, read the existing codebase and match its patterns.
 ## Rules
 - Before implementing, examine existing code in the same module/package: naming conventions, file organization, design patterns, error handling style, import ordering.
 - Match what's there. If the project uses factories, use factories. If it's camelCase, use camelCase.
 - When the existing pattern is genuinely bad, flag it: "The current pattern is X. I think Y would be better because [reason]. Want me to refactor consistently, or match existing style?"
 - When a formatter or linter is configured, use it. When none exists, propose one from project start.
--- a/.claude/rules/11-api-contracts.md
+++ b/.claude/rules/11-api-contracts.md
@ -0,0 +1,28 @@
 ---
 paths:
  - "src/api/**/*"
  - "src/routes/**/*"
  - "**/*controller*"
  - "**/*endpoint*"
  - "**/*handler*"
  - "**/openapi*"
  - "**/swagger*"
 ---
 # API Contract Discipline
 Define the contract before implementation.
 ## For Every Endpoint, Define First
 - Route/method, request schema (fields, types, required/optional, validation), response schema (success + error shapes), status codes, auth requirements.
 ## Rules
 - The contract is the source of truth. Frontend, backend, and tests build against it.
 - Flag breaking changes explicitly. Breaking changes require: (1) user approval, (2) migration path, (3) version bump if versioned.
 - Use schema validation in code (Zod, Pydantic, JSON Schema, protobuf).
 - Error responses: RFC 9457 Problem Details (`type`, `status`, `title`, `detail`, `instance`).
 - Mutation endpoints must declare idempotency contract.
 - Define pagination strategy: cursor vs offset, default/max limit.
 - Present the contract for review before implementing.
--- a/.claude/rules/12-performance-awareness.md
+++ b/.claude/rules/12-performance-awareness.md
@ -0,0 +1,26 @@
 ---
 paths:
  - "src/**/*.{ts,js,py,go,rs,dart,kt,java}"
  - "lib/**/*.{ts,js,py,go,rs,dart,kt,java}"
  - "app/**/*.{ts,js,py,go,rs,dart,kt,java}"
 ---
 # Performance Awareness
 Prevent anti-patterns that are expensive to fix later — not premature optimization.
 ## Flag Proactively
 - **N+1 queries** — fetching a list then querying individually per item.
 - **Unbounded fetches** — no pagination or limits.
 - **O(n^2) when O(n) exists** — nested loops, repeated scans, quadratic string building.
 - **Loading into memory** — entire files/datasets when streaming is possible.
 - **Missing indexes** — unindexed columns in tables expected to grow beyond 10k rows.
 - **Synchronous blocking** — blocking event loop/main thread during I/O.
 - **Connection pool exhaustion** — new connections per request instead of pooling.
 - **Unverified slow queries** — use EXPLAIN/EXPLAIN ANALYZE; don't guess about indexes.
 ## Rules
 - Flag anti-patterns and offer to fix or create a TODO.
 - Quantify: "loads ~10MB per request" not "might use a lot of memory."
--- a/.claude/rules/13-logging-observability.md
+++ b/.claude/rules/13-logging-observability.md
@ -0,0 +1,30 @@
 ---
 paths:
  - "src/**/*.{ts,js,py,go,rs,dart,kt,java}"
  - "lib/**/*.{ts,js,py,go,rs,dart,kt,java}"
  - "app/**/*.{ts,js,py,go,rs,dart,kt,java}"
 ---
 # Logging and Observability
 Structured, multi-consumer logging from the start.
 ## Architecture
 - Terminal + OpenTelemetry (OTEL) output. Add syslog for daemons.
 - Structured logging (JSON or key-value) — no free-form strings.
 - App writes to stdout only (12-Factor XI). Environment handles routing.
 ## OpenTelemetry
 - OTEL from the start unless user opts out. Traces, metrics, logs as three pillars — traces first for distributed systems, metrics first for monoliths.
 - Use `OTEL_EXPORTER_OTLP_ENDPOINT` env var — never hardcode endpoints.
 - Propagate trace context across service boundaries.
 - Use OTEL semantic convention attribute names (`http.request.method`, `url.path`, `http.response.status_code`).
 ## Rules
 - Incoming requests: log method, path, status, duration, trace ID.
 - Outgoing calls: log target, method, status, duration, trace ID.
 - Errors: log operation, sanitized input, stack trace, trace ID.
 - Never log secrets, tokens, passwords, or PII.
--- a/.claude/rules/14-resilience-and-config.md
+++ b/.claude/rules/14-resilience-and-config.md
@ -0,0 +1,32 @@
 ---
 paths:
  - "src/**/*.{ts,js,py,go,rs,dart,kt,java}"
  - "lib/**/*.{ts,js,py,go,rs,dart,kt,java}"
  - "**/*.env*"
  - "**/config.*"
  - "**/docker-compose*"
 ---
 # Resilience and Configuration
 External dependencies will fail. Configuration must be externalized.
 ## Resilience
 - Every external call must have a **timeout**. No indefinite waits.
 - **Critical** deps: fail visibly, return error. **Non-critical**: log, serve cached/default, degrade gracefully.
 - **Circuit breakers** for repeatedly failing deps. Exponential backoff.
 - **Retries**: bounded, exponential backoff + jitter, idempotent operations only. Non-idempotent mutations require an idempotency key.
 - Make degradation **visible**: log it, expose in health check.
 - **Health checks**: verify actual dependency connectivity, not just "process running."
 ## Configuration
 - Externalize all config. Document every knob: purpose, default, valid range, environments.
 - Sensible defaults — runnable with zero config for local dev.
 - Maintain `.env.example` with all variables and descriptions.
 - Validate required config at startup — fail fast. Log effective config (secrets masked).
 ## Graceful Shutdown
 - Stop accepting new requests, drain in-flight work, release resources (12-Factor IX).
--- a/.claude/rules/15-memora.md
+++ b/.claude/rules/15-memora.md
@ -0,0 +1,16 @@
 # Memora Memory
 Use Memora proactively for persistent memory across sessions. Full instructions are in the global `~/.claude/CLAUDE.md` and `~/.claude/docs/memora-guide.md`.
 ## Key Behaviors
 - **Session start:** Query existing project context via `memory_semantic_search` + `memory_list`. Follow connections — navigate the graph.
 - **During work:** Create granular memories (one per concept, not per session). Link related memories deliberately. Update existing memories instead of creating duplicates.
 - **Session end:** Capture all significant learnings. Create issues for bugs found, TODOs for incomplete work. Verify new memories are connected to existing ones.
 ## Every Memory Must Have
 1. **Tags** — project identifier first, then topic tags.
 2. **Hierarchy metadata** — places the memory in the knowledge graph.
 3. **Links** — explicit connections to related memories.
 4. **Sufficient granularity** — specific enough to be actionable, with file paths and function names.
--- a/.claude/rules/16-sub-agents.md
+++ b/.claude/rules/16-sub-agents.md
@ -0,0 +1,17 @@
 # Sub-Agents and Team Agents
 ## Use Sub-Agents (Task tool) When
 - Independent research tasks can run in parallel.
 - A specialized agent type matches the work (e.g., debugger, test-engineer, frontend-developer).
 - The main context window would be polluted by excessive search results.
 ## Use Team Agents When
 - The task benefits from multiple specialized perspectives.
 - Code review, security audit, or test analysis is warranted.
 ## Use Direct Tools Instead When
 - Simple, directed searches — use Grep/Glob directly.
 - Single-file edits or tasks under 3 steps.
--- a/.claude/rules/17-document-imports.md
+++ b/.claude/rules/17-document-imports.md
@ -0,0 +1,11 @@
 # Document Import Resolution
 When CLAUDE.md files reference external content via `@` imports (e.g., `@docs/architecture.md`), resolve and read those imports before proceeding with the user's request.
 ## Rules
 - Before acting on a user prompt, scan loaded CLAUDE.md files for `@path/to/file` references. Read any that may be relevant to the current task.
 - Treat `@docs/` references as pointers to the project's `docs/` directory.
 - When a CLAUDE.md says "documentation lives in `docs/`" or "see `docs/` for details," read the relevant docs before proceeding.
 - Do not skip imports because "the CLAUDE.md summary seems sufficient." The referenced document is the source of truth.
 - After reading imports, reconcile conflicts between the import and the CLAUDE.md summary. Flag discrepancies.