- sdlc: trim to application-repo scope with Phase 1-5 pipeline; engineer
  self-merges all branches with per-branch prerequisites; move infra,
  Flux, tofu, and operator-install content out
- devops: new skill mirroring groombook/org/skills/devops — owns
  cartsnitch/infra, Flux GitOps, OpenTofu controller, cluster topology,
  Flux Image Tag Automation denied policy
- safety: add Gitea-origin board-approval gate, board-approval scope
  section, and adapterConfig.env read-before-write rule
- coding-standards: replace "no agent merges their own PR" with the
  reviews-required-then-engineer-may-merge rule consistent with sdlc
- CLAUDE.md: update skill index, branch & merge policy, and SDLC phase
  summary to reflect engineer-self-merge and the new devops skill
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Align with groombook SDLC style: engineer self-merges dev, QA merges uat,
CEO merges main. Drop the explicit 3-step handoff protocol (Paperclip
handles it via in_review). Remove the redundant "no self-merge" footer.
Keep delegation model tier, board approval gate, and cc @cpfarhood.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

- Migrate container registry from ghcr.io to git.farh.net
- Update environment FQDNs: cartsnitch.farh.net → cartsnitch.com, etc.
- Add UUIDs to all agent role references for handoff protocol accuracy
- Add Agent Roster table to CLAUDE.md for quick reference
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

- Replace github-app-token skill with GITEA_TOKEN env var and tea CLI
- Update all GitHub references to Gitea (auth, issues, PRs, origin policy)
- Add CLAUDE.md with org-level guidance for future Claude Code sessions
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Set modelProfile cheap only for mechanical, bounded tasks. Leave unset
(judgment/reasoning/QA) for standard tier. When in doubt, leave unset.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

- safety: drop tools section (moved to sdlc); relax kubectl-apply ban to
  production-only (dev and uat permit direct kubectl for iteration);
  keep kubectl-create-secret ban at all environments
- sdlc: split Authentication into its own section (Better-Auth + Google +
  Apple + Authentik); add Tools (canonical, not alternatives) section
  moved from safety, including the playwright MCP and ghcr.io registry
  standard
Mirrors the groombook/org and privilegedescalation/org pattern: extract
company-wide policy that's currently inlined across each agent's AGENTS.md
(plus auxiliary HEARTBEAT.md / GITHUB.md / SOUL.md / TOOLS.md /
INFRASTRUCTURE.md files) into three shared skills.
Agents will reference these via one-line invocation reminders in their Wake
additions section once the AGENTS.md files are rewritten.