From 48232392a550f9cfd80fa5d150350d7c9a693e1d Mon Sep 17 00:00:00 2001
From: Original Gary <276612211+OpenGaryBot@users.noreply.github.com>
Date: Sat, 25 Apr 2026 18:17:21 +1000
Subject: [PATCH] chore(rules): sync to canonical rule set + OP-fork desloppify
 install

---
 .claude/rules/accessibility.md                |  42 --
 .claude/rules/context-repo.md                 | 111 ++++
 .claude/rules/cost-optimization.md            |   8 +-
 .claude/rules/desloppify.md                   |  51 +-
 .claude/rules/emotional-safety.md             |  52 --
 .claude/rules/external-contribution-safety.md |  80 +++
 .claude/rules/geo-seo.md                      | 616 ------------------
 .claude/rules/git-identity.md                 |  56 ++
 .claude/rules/parallelization.md              | 106 +++
 .claude/rules/pipeline-nevers.md              |  43 ++
 .claude/rules/privacy.md                      |  42 --
 .claude/rules/research-methodology.md         |  63 ++
 .claude/rules/security.md                     |  51 --
 .claude/rules/seven-concerns.md               |  39 ++
 .claude/rules/testing.md                      |  46 --
 .claude/rules/tooling-reference.md            | 100 +++
 .claude/rules/user-profile.md                 |  17 +
 .claude/rules/voice.md                        |   8 +
 .claude/skills/advocacy-code-review/SKILL.md  |  56 --
 .../skills/advocacy-testing-strategy/SKILL.md |  60 --
 .claude/skills/geo-seo-audit/SKILL.md         | 339 ----------
 .claude/skills/git-workflow/SKILL.md          |  45 --
 .../skills/plan-first-development/SKILL.md    |  52 --
 .../skills/requirements-interview/SKILL.md    |  66 --
 .claude/skills/security-audit/SKILL.md        |  63 --
 .gitignore                                    |   4 +
 CLAUDE.md                                     |  14 +-
 27 files changed, 688 insertions(+), 1542 deletions(-)
 delete mode 100644 .claude/rules/accessibility.md
 create mode 100644 .claude/rules/context-repo.md
 delete mode 100644 .claude/rules/emotional-safety.md
 create mode 100644 .claude/rules/external-contribution-safety.md
 delete mode 100644 .claude/rules/geo-seo.md
 create mode 100644 .claude/rules/git-identity.md
 create mode 100644 .claude/rules/parallelization.md
 create mode 100644 .claude/rules/pipeline-nevers.md
 delete mode 100644 .claude/rules/privacy.md
 create mode 100644 .claude/rules/research-methodology.md
 delete mode 100644 .claude/rules/security.md
 create mode 100644 .claude/rules/seven-concerns.md
 delete mode 100644 .claude/rules/testing.md
 create mode 100644 .claude/rules/tooling-reference.md
 create mode 100644 .claude/rules/user-profile.md
 create mode 100644 .claude/rules/voice.md
 delete mode 100644 .claude/skills/advocacy-code-review/SKILL.md
 delete mode 100644 .claude/skills/advocacy-testing-strategy/SKILL.md
 delete mode 100644 .claude/skills/geo-seo-audit/SKILL.md
 delete mode 100644 .claude/skills/git-workflow/SKILL.md
 delete mode 100644 .claude/skills/plan-first-development/SKILL.md
 delete mode 100644 .claude/skills/requirements-interview/SKILL.md
 delete mode 100644 .claude/skills/security-audit/SKILL.md

diff --git a/.claude/rules/accessibility.md b/.claude/rules/accessibility.md
deleted file mode 100644
index 0c8fdf978..000000000
--- a/.claude/rules/accessibility.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-paths:
-  - "**/ui/**"
-  - "**/frontend/**"
-  - "**/i18n/**"
-  - "**/l10n/**"
----
-# Accessibility Rules for Animal Advocacy Projects
-
-Advocacy networks span borders, languages, economic conditions, and infrastructure environments. An activist coordinating a rescue in a rural area with intermittent connectivity has fundamentally different needs than a campaign organizer at a well-resourced urban nonprofit. Accessibility in advocacy software is not about compliance with standards — it is about ensuring the movement's tools work for everyone the movement serves.
-
-## Internationalization from Day One
-
-Design every user-facing component with internationalization from the start — never retrofit it. Advocacy networks operate across linguistic boundaries: a coalition might include Spanish-speaking organizers in the Americas, Mandarin-speaking activists in Asia, and English-speaking legal teams in Europe. Externalize all user-facing strings from the beginning. Support right-to-left text layouts. Handle pluralization rules that differ across languages. Date, time, currency, and number formatting must respect locale. Adding i18n after the fact requires touching every component — the cost grows exponentially with codebase size.
-
-## Low-Bandwidth Optimization
-
-Many activists operate on mobile data in regions with expensive or throttled connections. Optimize aggressively: compress all assets, lazy-load non-critical content, minimize payload sizes, implement efficient data synchronization that transfers only deltas. Set performance budgets and test against them on throttled connections. A tool that requires broadband to function excludes the activists who need it most.
-
-## Offline-First Architecture
-
-Design for disconnected operation as the default, not as an exception. Activists in areas with unreliable connectivity — rural investigation sites, countries with internet shutdowns, disaster response scenarios — need tools that work without a network connection. Local-first data storage with background sync when connectivity is available. Conflict resolution for data modified offline by multiple users. Queue operations during disconnection and replay them on reconnect. The application must be fully functional for core workflows without any network access.
-
-## Low-Literacy Design Patterns
-
-Not all advocacy participants are fluent readers. Rescue coordinators, sanctuary workers, and community organizers come from diverse educational backgrounds. Design for comprehension: use icons alongside text labels, provide visual workflows instead of text-heavy instructions, support voice input and audio output where possible, use progressive disclosure to avoid overwhelming users with information density. Test interfaces with users who have limited formal literacy.
-
-## Mesh Networking Compatibility
-
-In environments where centralized internet infrastructure is unavailable, compromised, or surveilled, mesh networking enables direct device-to-device communication. Design data synchronization protocols that can operate over mesh networks with high latency, low bandwidth, and intermittent peer availability. This is not a theoretical concern — activists operating in regions with government internet shutdowns depend on mesh-capable tools.
-
-## Graceful Degradation
-
-Every feature must have a degraded mode that functions under constrained conditions. If the encryption library fails to load, the application must refuse to transmit sensitive data rather than transmitting it in plaintext. If the media processing pipeline is unavailable, investigation footage must be stored safely for later processing rather than discarded. If the network connection is lost, the user must see clear status indicators, not silent failures. Degrade capability, never safety.
-
-## Device Seizure Preparation — Application State
-
-When connectivity is lost suddenly — device confiscated, signal jammed, power cut — the application must not leave sensitive data exposed. No temporary files with decrypted investigation content. No in-memory caches that persist to swap files. No crash dumps containing witness identities. No recovery modes that display previously viewed sensitive content without re-authentication. Design the application so that power loss at any moment leaves zero recoverable sensitive state on disk.
-
-## Multi-Language Activist Networks Across Borders
-
-Coalition tools must support simultaneous use in multiple languages within the same deployment. A shared coordination platform where each user sees the interface in their language, but shared content (campaign plans, action alerts, investigation summaries) can be viewed in translated or original form. Support both machine translation for real-time use and human-reviewed translation for legally sensitive content.
diff --git a/.claude/rules/context-repo.md b/.claude/rules/context-repo.md
new file mode 100644
index 000000000..386dae0b6
--- /dev/null
+++ b/.claude/rules/context-repo.md
@@ -0,0 +1,111 @@
+# Context Repo — Org-Wide Read Safety
+
+Activate this rule when working on `github.com/Open-Paws/context` or proposing any change that may be merged into it. The context repo is the org's single source of truth, readable by every staff member and every AI agent across the Open Paws ecosystem. That reach is what makes it valuable — and what makes misclassification costly. Material that leaks into the context repo propagates to every future agent session across the org, with no clean retraction.
+
+## The Org-Wide Read Test
+
+Before proposing, writing, reviewing, or merging any content in the context repo, ask:
+
+> Imagine this change merged. Every staff member including brand-new contractors, every intern in the May cohort, every AI agent in every repo, every persona QA agent, every scheduled Claude Code task — all of them can now read this. Is that okay?
+
+If not clearly okay, the content does not belong in the context repo. Redirect to a private location. There is no "technically private but in the context repo" category.
+
+## What Must Not Go In
+
+Non-exhaustive. Reject at plan review and redirect:
+
+- Individual personal information — salaries, compensation, health, neurodivergence disclosures, recovery status, family, relationships
+- HR / performance matters — performance feedback, interpersonal conflicts, hiring/firing discussions, contract negotiations with specific people
+- Active sensitive funder dynamics — criticism from specific funders, donor red flags, active grant negotiation positions, internal funder assessments
+- Legal matters in progress — contract disputes, IP issues, regulatory inquiries, anything a lawyer is or should be involved in
+- Unannounced partnerships or programs — anything whose premature leak would damage. Once announced, it can move in
+- Security-sensitive operational details — threat models, unpatched vulnerabilities, defense-in-depth specifics that would help an attacker
+- Credentials, secrets, API keys — never, regardless of perceived convenience
+- Personal context about individuals beyond what they've publicly chosen to share — history, politics, family situation, country-of-origin dynamics
+- Active campaign intelligence that could tip off opposition — specific corporate targets mid-campaign, undercover operation plans, timing-sensitive material
+- Sam's personal notes, journal, or private decision-making — belongs in the personal workspace repo
+- Anything treated as confidential in its originating context — Slack DMs, CryptPad docs, private channels — even if innocuous out of context
+
+Rule of thumb: gossip, personnel, legal, or "don't forward this email" — not context-repo material.
+
+## What Belongs In
+
+- Org identity, mission, public frame
+- Settled decisions, after they're settled and shareable
+- Current priorities every staff member should be aligned on
+- Program structures, playbooks, frameworks, methodology
+- Technical conventions and architecture principles that apply across repos
+- Published or ready-to-publish work
+- Glossaries, onboarding material, routing tables
+- Links out to where more detail lives
+- Decision *outcomes* and *rationale*, without embedding the sensitive discussion that produced them
+
+Test: a fresh contractor or new agent session reading cold should get (a) valuable context and (b) see nothing that would make a staff member uncomfortable. Both must be yes.
+
+## Where Sensitive Material Actually Lives
+
+| Material | Correct location |
+|---|---|
+| Personal notes, journal, draft strategic thinking | Sam's personal workspace repo |
+| Individual grant tracker, funder contact details, internal funder assessments | `private/grants/` in personal repo, or locked CryptPad |
+| HR / people matters | Outside version control — direct comms, locked docs, legal counsel where appropriate |
+| Active campaign intelligence | Per-campaign private repos or CryptPad with explicit access list |
+| Credentials | Password manager / secrets manager |
+| Early-stage partnership discussions | DM or locked doc until announced; summary can move in post-announcement |
+| Staff-specific feedback | 1:1 docs outside the context repo |
+
+If no private home exists for the rejected material, file a separate issue to establish one — in the personal workspace or ops repo, not the context repo.
+
+## Pipeline Additions For Context-Repo Changes
+
+**STAGE 2 (Triage) — classify every issue with a `sensitivity:` label:**
+
+- `sensitivity:public-ok` — already public or trivially shareable
+- `sensitivity:staff-ok` — fine for all staff + all agents (the bar for this repo)
+- `sensitivity:private` — belongs elsewhere; redirect, do not advance
+
+Issues labeled `sensitivity:private` never enter the plan wave.
+
+**STAGE 4 (Plan Review) — run the org-wide read test explicitly.** If not clearly okay, reject with guidance on what to strip or redirect.
+
+**STAGE 13 (Adversarial) — add a 7th check:**
+
+7. **Confidentiality leak** — does this merge expose any individual's personal information, any sensitive relationship dynamic, any active negotiation, any unannounced plan, or any material that originated in a confidential context? If yes, `major+` severity, back to fix loop.
+
+Adversarial patterns to flag (content that "seems fine" but leaks in context):
+
+- Closed decision citing a specific funder's objection as the reason (strip identity, keep principle)
+- Priority justified by "we lost trust with X partner" (strip dynamic, keep strategic implication)
+- Program doc listing specific individuals as "struggling" or "not meeting expectations"
+- Playbook referencing active campaign targets by name before launch
+
+## Default Direction Is Out, Not In
+
+When uncertain, keep it out. Context flows from private to public, not back. Once merged, downstream agents have already consumed it.
+
+If material genuinely belongs but currently leaks something, **rewrite at a higher level of abstraction** — keep the principle, strip the specifics.
+
+- Good: "Decision: prefer multi-year unrestricted funding over single-year restricted"
+- Bad: "Decision: avoid Funder X because they demanded reporting we found unreasonable"
+
+Same principle, different safety profile.
+
+## Decision Tree
+
+```
+Is every fact in this change something I'd say out loud in an all-staff meeting
+with interns, contractors, and partner org reps present?
+│
+├── YES → proceed through normal pipeline
+│
+└── NO → which category?
+    │
+    ├── Personal / HR / relationship → personal repo or external tool
+    ├── Active sensitive operation → locked CryptPad with access list
+    ├── Legal / contractual → outside version control, with counsel
+    ├── Credentials → secrets manager
+    ├── Sensitive but abstractable → rewrite at higher level, retry pipeline
+    └── Unclear → ask Sam before filing the issue
+```
+
+Misclassification is costly in both directions. Too restrictive and the repo becomes useless. Too loose and it leaks. When genuinely unsure, ping rather than guess.
diff --git a/.claude/rules/cost-optimization.md b/.claude/rules/cost-optimization.md
index fd0af82d6..d0a798ef3 100644
--- a/.claude/rules/cost-optimization.md
+++ b/.claude/rules/cost-optimization.md
@@ -4,7 +4,13 @@ Advocacy organizations operate on nonprofit budgets. Every dollar spent on AI co
 
 ## Model Routing — Right Model for Each Task
 
-Route tasks to the cheapest model capable of handling them well. Use cheaper, faster models for: test generation, boilerplate code, formatting assistance, simple refactoring, and documentation. Use mid-tier models for: debugging, multi-file changes, code review, and integration work. Reserve frontier models for: hard architectural problems, complex debugging, novel design challenges, and security-critical code review. Aider achieves comparable benchmark scores at 3x fewer tokens than some alternatives — consider token-efficient tools for routine workflows.
+Route tasks to the cheapest model capable of handling them well.
+
+- **Cheap tier — Claude Haiku 4.5 (`claude-haiku-4-5-20251001`)**: test generation, boilerplate code, formatting assistance, simple refactoring, mechanical edits, documentation, glue code, log parsing, summarization of structured output. Default for desloppify-driven mechanical work. Default for first-pass scout / triage when the observation is well-structured.
+- **Mid tier — Claude Sonnet 4.6 (`claude-sonnet-4-6`)**: debugging, multi-file changes, code review, integration work, plan authoring against a clear spec, test review, persona-QA narrative writing.
+- **Frontier — Claude Opus 4.7 (`claude-opus-4-7`, default on this stack)**: hard architectural problems, complex debugging, novel design challenges, security-critical code review, adversarial audit, the strategic / Chat-Gary surface.
+
+Aider achieves comparable benchmark scores at 3× fewer tokens than some alternatives — consider token-efficient tools for routine workflows. The single biggest cost win in this stack is **routing cheap things to Haiku rather than reaching for Opus by default**.
 
 ## Token Budget Discipline
 
diff --git a/.claude/rules/desloppify.md b/.claude/rules/desloppify.md
index 891e9e139..96b64edf0 100644
--- a/.claude/rules/desloppify.md
+++ b/.claude/rules/desloppify.md
@@ -1,23 +1,64 @@
 # Code Quality — desloppify
 
-Run desloppify to systematically identify and fix code quality issues. Install and configure before scanning (requires Python 3.11+):
+Run desloppify to systematically identify and fix code quality issues. Install from the **Open Paws fork** (Python 3.11+):
 
 ```bash
-pip install --upgrade "desloppify[full]"
+# Install from this fork — NEVER from PyPI / upstream
+pip install "git+https://github.com/Open-Paws/desloppify.git#egg=desloppify[full]"
 desloppify update-skill claude
 ```
 
-Add `.desloppify/` to `.gitignore` — it contains local state that should not be committed. Before scanning, exclude directories that should not be analyzed (vendor, build output, generated code, worktrees) with `desloppify exclude <path>`. Share questionable candidates with the project owner before excluding.
+**Canonical install command.** This file is the single source of truth for how to install desloppify. Every other file in this stack (`skills/desloppify-playbook/SKILL.md`, `agents/desloppifier.md`, `$OP_CONTEXT_REPO/.claude/rules/desloppify.md`, every `Open-Paws/*/.claude/rules/desloppify.md`) links here rather than restating the command — duplication is how the multi-repo drift that existed pre-2026-04-25 happened. If you're editing an install command anywhere other than this file, stop.
+
+**OP fork only — never upstream.** The git install above pulls from `github.com/Open-Paws/desloppify`, which carries the movement conventions (no-speciesist-language rules, type-safety patterns, gateway response shape discipline, compassionate language enforcement, persona-QA browser testing) that upstream desloppify lacks. `pip install desloppify` from PyPI pulls upstream and is a hard-rule violation per `~/.claude/rules/pipeline-nevers.md`.
+
+Add `.desloppify/` to `.gitignore` — it contains local state that should not be committed. Before scanning, exclude generated / vendor / build dirs:
 
 ```bash
+# Exclude generated directories, then scan
+desloppify exclude node_modules dist
 desloppify scan --path .
-desloppify next
 ```
 
 `--path` is the directory to scan (use `.` for the whole project, or a subdirectory like `src/`). Your goal is to get the strict score as high as possible. The scoring resists gaming — the only way to improve it is to actually make the code better.
 
-**The loop:** run `next`. It is the execution queue from the living plan, not the whole backlog. It tells you what to fix now, which file, and the resolve command to run when done. Fix it, resolve it, run `next` again. This is your main job. Use `desloppify backlog` only when you need to inspect broader open work not currently driving execution.
+## The fix loop
+
+Run `next` → fix → resolve → repeat:
+
+```bash
+desloppify next          # get the top-priority item; shows which file and the resolve command
+# fix the code
+desloppify plan resolve  # mark it done
+desloppify next          # get the next item
+```
+
+It is the execution queue from the living plan, not the whole backlog. It tells you what to fix now, which file, and the resolve command to run when done. Use `desloppify backlog` only when you need to inspect broader open work not currently driving execution.
 
 Do not be lazy. Large refactors and small detailed fixes — do both with equal energy. No task is too big or too small. Fix things properly, not minimally.
 
 Use `plan` / `plan queue` to reorder priorities or cluster related issues. Rescan periodically. The scan output includes agent instructions — follow them, do not substitute your own analysis.
+
+## Persona-QA workflow (UI repos with persona-driven testing)
+
+```bash
+desloppify persona-qa --prepare --url https://example.com   # generate agent instructions
+# agent runs browser testing and captures findings in JSON
+desloppify persona-qa --import findings.json                 # merge into state
+desloppify persona-qa --status                               # per-persona summary
+desloppify next                                              # persona QA items now appear in the queue
+```
+
+## Baseline Capture Process
+
+**At plan time (STAGE 3):** Capture desloppify baseline against branch point:
+
+```bash
+desloppify status --json > .desloppify/baseline.json
+```
+
+Post baseline JSON as GitHub issue comment for durable storage (`.desloppify/` is gitignored).
+
+**Recovery if missing:** STAGE 9 uses `git merge-base HEAD main` to recapture against the branch point.
+
+**Score-cannot-regress gate.** STAGE 9 blocks merge if the strict score drops below baseline. Regression requires `override:allow-score-drop` label (human-only — agents cannot apply it).
diff --git a/.claude/rules/emotional-safety.md b/.claude/rules/emotional-safety.md
deleted file mode 100644
index 622a08f04..000000000
--- a/.claude/rules/emotional-safety.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-paths:
-  - "**/content/**"
-  - "**/media/**"
-  - "**/display/**"
-  - "**/upload/**"
----
-# Emotional Safety Rules for Animal Advocacy Projects
-
-Animal advocacy software routinely handles content documenting extreme suffering: factory farm conditions, slaughterhouse footage, animal testing documentation, and witness testimony of abuse. This content is necessary for the movement's work — it drives investigations, legal cases, public campaigns, and policy change. But uncontrolled exposure to this content causes measurable psychological harm. Every display decision must balance the operational need for access against the human cost of exposure. Emotional safety is not a UX preference — it is a duty of care to the people doing this work.
-
-## Progressive Disclosure of Traumatic Content
-
-NEVER display graphic content by default. Every piece of investigation footage, slaughter documentation, or exploitation imagery must be behind at least one intentional interaction. The default state is always safe: blurred, hidden, or represented by a text description. Users escalate to more graphic content through deliberate choices, never through automatic loading, scrolling, or navigation.
-
-## Configurable Detail Levels
-
-Implement user-controlled detail settings that persist across sessions. At minimum, provide three tiers: (1) text-only descriptions with no imagery, (2) blurred or low-detail representations with contextual descriptions, (3) full-resolution content. Each user chooses their own default level. The system MUST remember this preference and never reset it. Different roles need different defaults: a legal reviewer may need full-resolution evidence access; a campaign coordinator may only need text summaries.
-
-## Content Warnings — Mandatory Before Display
-
-Every piece of content involving animal suffering, investigation footage, or slaughter documentation MUST be preceded by a specific content warning describing what the content contains. Generic warnings like "sensitive content" are insufficient — the warning must indicate whether the content includes: graphic injury, death, distress vocalizations, confined living conditions, or slaughter processes. Users must be able to make an informed decision about whether to view specific content, not just "something sensitive."
-
-## Investigation Footage Handling
-
-Investigation footage is the most operationally important and psychologically dangerous content in the system. Implementation requirements:
-- NEVER auto-play video or audio from investigations
-- ALWAYS display footage in blurred state by default
-- Require explicit opt-in for full resolution — a deliberate click, not a hover or scroll
-- Provide frame-by-frame navigation for reviewers who need to examine specific moments without watching continuous footage
-- Strip audio by default — distress vocalizations cause acute stress responses; audio should be a separate opt-in from video
-- Support annotation without full-resolution viewing (reviewers can mark timestamps and regions on blurred preview)
-
-## Witness Testimony Display
-
-Before displaying any witness testimony: (1) verify that display consent is current and has not been withdrawn, (2) anonymize by default — display pseudonyms, not legal names, (3) require explicit opt-in to view identifying details, (4) log access to testimony for audit purposes while protecting the identity of who accessed it. When testimony includes descriptions of animal suffering, apply the same progressive disclosure and content warning rules as for visual media.
-
-## Burnout Prevention Patterns
-
-Advocacy software should actively support user wellbeing during extended content review sessions:
-- **Session time awareness** — track continuous exposure time to traumatic content and surface non-intrusive reminders after configurable intervals (default: 30 minutes of active content review)
-- **"Take a break" prompts** — for content reviewers who have been processing investigation footage or testimony for extended periods; these are suggestions, not blocks
-- **Session summaries** — at the end of a content review session, provide a summary of what was reviewed so the reviewer does not need to re-expose themselves to verify completeness
-- **Workload distribution** — when multiple reviewers are available, the system should support distributing traumatic content review across the team rather than concentrating it
-
-## Secondary Trauma Mitigation
-
-Secondary trauma affects not just end users but also **developers** building and testing this software. Design the development workflow to minimize unnecessary exposure: use abstract test data (described references, not actual footage) in automated tests, provide mock data generators that produce realistic metadata without graphic content, and document which test suites involve real content so developers can prepare. The CI/CD pipeline must never display graphic content in test output, logs, or failure reports.
-
-## Opt-In Escalation of Graphic Content
-
-When a user needs to access full-resolution graphic content, require multiple confirmation steps proportional to content severity. A single click is insufficient for the most graphic content. Implement a confirmation dialog that names what the user is about to see, requires an explicit "I understand" acknowledgment, and provides an alternative (text description, blurred summary) alongside the full-access option. This is not friction for friction's sake — it is informed consent applied to content exposure.
diff --git a/.claude/rules/external-contribution-safety.md b/.claude/rules/external-contribution-safety.md
new file mode 100644
index 000000000..3685ce10c
--- /dev/null
+++ b/.claude/rules/external-contribution-safety.md
@@ -0,0 +1,80 @@
+# External Contribution Safety
+
+When helping a developer contribute to a third-party repository — any repo whose git remote does not belong to your organization — the AI tool must suppress all identity, attribution, and advocacy framing from commits, pull requests, and branches. This is last-line-of-defense enforcement: configure your tool to disable attribution trailers as the first line, and rely on these instructions when configuration alone is insufficient.
+
+## Repo Classification
+
+Before producing any commit message, PR description, or branch name, check the remote:
+
+```bash
+git remote get-url origin
+```
+
+- If the remote matches `github.com/Open-Paws/` or `github.com:Open-Paws/` (SSH), you are in an **internal repo** — full identity is fine.
+- If the remote is anything else, treat it as **external** — apply all rules below.
+- If there is no remote configured, treat it as **external** (safe default).
+
+Confidence must be positive that you are in an internal repo. Absence of a matching remote is not ambiguous — it defaults to external mode.
+
+## What to Suppress in External Repos
+
+**Tool identity** — Do not mention Claude Code, Cursor, Copilot, Windsurf, Cline, or any other AI coding tool in commits, PR descriptions, branch names, or code comments.
+
+**Organization** — Do not mention Open Paws, any Open Paws project name, or any advocacy organization in any contribution artifact.
+
+**Mission framing** — Do not use advocacy language (liberation, compassionate, animal rights, plant-based, vegan) in code, commits, PR titles, or PR bodies unless the target project is explicitly about those topics.
+
+**Attribution trailers** — No `Co-Authored-By: Claude` lines. No "Generated with Claude Code" footers. No AI attribution in commit messages or PR descriptions.
+
+## Commit Message Rules in External Repos
+
+Read the last five commits in the target repo before writing a commit message:
+
+```bash
+git log --oneline -5
+```
+
+Match their exact style: length, format (conventional vs prose vs terse), tense, specificity. Then apply these constraints:
+
+- **Proportional to diff** — a one-line change gets a one-line commit. A 50-line change gets two or three sentences maximum.
+- **Imperative mood** — "Fix", "Add", "Update", not "Fixed", "Added", "Updated".
+- **No AI-generated patterns** — reject "This commit introduces...", "Updated X to support Y", "Added support for Z", "Improve overall...".
+- **Self-check** — Read the message. Does it look indistinguishable from the existing commits in this repo? If not, shorten it and remove any summary language.
+
+## PR Description Rules in External Repos
+
+Check how merged PRs are described in the target repo before writing a PR body:
+
+```bash
+gh pr list --state merged --limit 5
+```
+
+Then apply:
+
+- **Match the target repo's style** — if merged PRs are two sentences, write two sentences. If they use headers, use headers. If they use none, use none.
+- **No section headers for small changes** — omit `##`, `###`, "Summary:", "Motivation:", "Background:", "Approach:" unless the target repo uses them.
+- **No bullet lists of benefits** — a list of what this improves is an AI tell. One explanation of what changed and why is sufficient.
+- **Length** — most good external PRs are one to three sentences. Longer is rarely better.
+- **Self-check** — read it aloud. Does it sound like a developer who works on this codebase, without a toolkit or an agenda? If not, cut it by half.
+
+## Branch Naming in External Repos
+
+Check existing open PRs for branch naming conventions:
+
+```bash
+gh pr list --state open --limit 10
+```
+
+Use that convention. If no clear pattern exists, default to `fix/short-description` or `add/short-description`. Keep the branch name under 40 characters. Do not include advocacy language, org identifiers, or tool names in branch names.
+
+## Defense-in-Depth Principle
+
+These instructions are the last line of defense, not the first. Before contributing to any external repo, configure your tool to disable attribution trailers:
+
+- Claude Code: set `"attribution": { "commit": "", "pr": "" }` in `~/.claude/settings.json` (deprecates `includeCoAuthoredBy`; already wired on this machine)
+- Cursor: disable "Add AI attribution" in settings
+- Copilot: no attribution trailers are inserted by default in commit flows
+
+Git author identity (who shows up in `git log`, not the AI-tool trailer) is governed separately by `git-identity.md` — external repos inherit the same bot identity by default. If a target repo requires a different author for some reason, raise it before committing; do not quietly switch.
+
+Instructions to the AI are what you rely on when tool configuration fails or when the tool generates surrounding prose (PR descriptions, branch names) that configuration does not control.
diff --git a/.claude/rules/geo-seo.md b/.claude/rules/geo-seo.md
deleted file mode 100644
index 5ff43d3e5..000000000
--- a/.claude/rules/geo-seo.md
+++ /dev/null
@@ -1,616 +0,0 @@
----
-paths:
-  - "**/*.html"
-  - "**/robots.txt"
-  - "**/sitemap.xml"
-  - "**/llms.txt"
-  - "**/head/**"
-  - "**/seo/**"
-  - "**/meta/**"
-  - "**/schema/**"
-  - "**/structured-data/**"
-  - "**/layout.*"
-  - "**/Layout.*"
-  - "**/BaseHead.*"
-  - "**/Head.*"
----
-# SEO + GEO Rules for Animal Advocacy Websites
-
-Websites built for animal advocacy serve two discovery channels: traditional search engines and AI answer systems (ChatGPT, Perplexity, Google AI Overviews, Claude, Gemini, Bing Copilot). The game has shifted from optimizing for keyword matching to optimizing for **intent satisfaction** (does your content completely solve the user's problem?), **entity authority** (does Google recognize your brand as a trusted entity in its knowledge graph?), and **technical excellence** (can crawlers efficiently process your site?). Approximately 60% of searches end without a click — appearing in search results is no longer enough; you need to be the source Google trusts enough to synthesize into AI-generated answers.
-
-**How AI citation works:** Google generates an answer first, then scores content against it using embedding distance. Only 17-32% of AI Overview citations come from pages ranking in the organic top 10 — lower-authority pages can win with the right structure (source: Authoritas AI Overviews study, 2024). Domain Authority correlates with AI citations at only r=0.18; topical authority (r=0.40) and branded web mentions (r=0.664) are the real predictors (source: Kalicube GEO correlation study, 2025). 80% of URLs cited by AI assistants do not rank in Google's top search results for the same queries (source: Semrush AI citation analysis, 2024).
-
----
-
-## HTML Structure
-
-Every page needs exactly one `<h1>` tag containing the primary topic. Use a logical heading hierarchy (`h1 > h2 > h3`), never skipping levels. Phrase `<h2>` headings as questions when the section answers something — question-based headings improve Featured Snippet selection, People Also Ask appearance, and produce 7× more AI citations for smaller sites. The first paragraph after any heading must directly answer that question in 40-60 words. AI systems pull from the first 30% of content 44% of the time — lead with the answer.
-
-Keep paragraphs to 2-4 sentences (40-60 words). Structure content as self-contained 120-180 word modules — this generates 70% more ChatGPT citations than unstructured prose.
-
-Use semantic HTML correctly: `<article>`, `<section>`, `<nav>`, `<aside>`, `<header>`, `<footer>`, `<main>`. Add `lang` attribute to `<html>`. Every `<img>` must have a descriptive `alt` attribute. Every `<a>` must have meaningful anchor text — never "click here".
-
-Prefer these semantic elements for structured data:
-
-- `<table>` for comparison data (32.5% of AI-cited content uses tables)
-- `<ol>` and `<ul>` for lists (78% of AI answers include list formats)
-- `<blockquote cite="...">` for expert quotations (+28-40% AI visibility)
-- `<time datetime="YYYY-MM-DD">` for dates
-- `<dfn>` for term definitions
-- `<abbr title="full term">` on first use
-- Add `id` attributes to all `<h2>` and `<h3>` elements
-
-**Do NOT:**
-- Hide content behind JavaScript-only rendering — AI crawlers often cannot execute JS, and relying on JS rendering increases crawl cost for search engines. All critical content must be in the initial HTML response (SSR or pre-rendered).
-- Use `display:none` or `visibility:hidden` on content to be indexed.
-- Rely on infinite scroll — use paginated `<a>` links.
-- Use iframes for primary content.
-- Keyword-stuff — stuffing decreases AI visibility by 10% and triggers spam detection.
-
----
-
-## Semantic Writing for AI Retrieval
-
-AI citation systems retrieve at the sentence and paragraph level, not the page level. Every piece of content must be written to survive extraction from context.
-
-**Entity salience — use active voice:** Always make the primary entity the grammatical subject. "Open Paws documented 34% adoption growth in 2025" gives Open Paws a salience score of 0.74. The passive equivalent ("adoption growth of 34% was documented in 2025") drops the entity to 0.11. AI systems weight entities by their grammatical prominence — this has measurable effects on whether content is cited.
-
-**Atomic claims:** Write every sentence as a self-contained semantic triple (subject + verb + object with explicit context). Eliminate vague pronouns — every sentence must make sense in isolation. "It increased significantly" is never acceptable; "Factory farm enforcement actions increased 34% between 2023 and 2025 according to USDA's annual report" is a citable claim.
-
-**Proper noun density:** AI-cited text averages 20.6% proper nouns versus 5-8% in standard English. Name the organization, the researcher, the report, the year. Vague attribution ("experts say") never gets cited; specific attribution ("according to Compassion in World Farming's 2025 annual report") does.
-
-**Content density sweet spot:** Pages under 5,000 characters get approximately 66% of their content used by AI retrieval. Pages over 20,000 characters get only 12%. Keep individual topic pages focused and information-dense rather than exhaustive. Gemini allocates roughly 380 words per webpage per query — you're competing for a fixed slice.
-
-**Opening structure:** 71% of AI-cited paragraphs contain four lines or fewer. Open every major section with a 40-60 word declarative statement containing the answer. Information buried deep in paragraphs is rarely retrieved.
-
----
-
-## Content Strategy
-
-### Search intent — match before writing
-
-Google evaluates intent at the level of the specific problem depth, decision stage, and expected outcome. Before writing any page, study the top 5 results for the target keyword to understand what format Google currently considers the best match. Writing excellent content that targets the wrong intent format does not rank.
-
-| Intent type | Expected format |
-|-------------|----------------|
-| Informational | How-to guides, tutorials, explainers, definitions |
-| Commercial investigation | Comparison articles, review roundups, "best of" lists |
-| Transactional | Product pages, pricing pages, application forms |
-| Navigational | Homepage, specific brand/product pages |
-
-### Google's Helpful Content System
-
-Since the March 2024 core update, the Helpful Content System is integrated directly into core ranking. It evaluates whether content was created primarily for users or primarily for search engines.
-
-**Content that performs well:**
-- Solves a specific problem clearly and completely in one visit
-- Demonstrates genuine first-hand knowledge and experience
-- Includes accurate, up-to-date information with specific attribution
-- Would be useful if search engines didn't exist
-
-**Content that gets demoted:**
-- Created primarily to attract traffic, not to help users
-- Uses AI to mass-produce content without adding original insight or editorial judgment
-- Summarizes what others have said without adding genuine expertise
-- Thin content that doesn't satisfy the intent completely
-
-Google's position on AI content (Mueller, November 2025): "Our systems don't care if content is created by AI or humans. What matters is whether it's helpful for users." However, since June 2025, Google issues manual actions for "scaled content abuse" targeting mass-published AI content. Unedited AI drafts bounce 18% higher and retain visitors 31% less than human-refined versions. Use AI as a tool in a human-led editorial process — add genuine expertise, original data, and editorial judgment.
-
-### E-E-A-T signals (Experience, Expertise, Authoritativeness, Trustworthiness)
-
-E-E-A-T is not a direct ranking signal but describes what Google's quality raters evaluate. In 2026, it applies to all content, not just YMYL topics. Content with proper author metadata gets cited 40% more by AI systems.
-
-**How to demonstrate E-E-A-T on every content page:**
-- **Experience:** Original data, case studies, screenshots, specific processes you've actually run, unique organizational knowledge
-- **Expertise:** Detailed author bio with verifiable credentials, consistent coverage of the topic, citations from specific credible sources with dates
-- **Authoritativeness:** Third-party coverage, industry recognition, organizational partnerships, links from relevant authoritative sources
-- **Trustworthiness:** Clear contact information, privacy policy, transparent organizational identity, HTTPS, cited and accurate claims
-
-Every content page must have: visible author name and credentials, link to author profile page with Person schema (photo, bio, credentials, links to external authoritative profiles).
-
-### Content freshness — what counts and what doesn't
-
-76% of the most-cited AI content was updated within 30 days. Perplexity gives a 3.4× citation advantage to content updated within 30 days. These freshness signals count:
-- Genuinely new information added to existing content
-- Updated statistics and dated references
-- Visible "Last Updated: [date]" using `<time datetime="YYYY-MM-DD">`
-- Accurate `dateModified` in Article schema, synchronized with the visible date
-
-Google detects "date freshness hacking" — changing dates without changing content — and this triggers penalties. Only update dates when content actually changes.
-
-### Original research and proprietary data
-
-The most powerful content strategy for both SEO and AI citation. Pages with original statistics see 30-40% higher AI visibility. Original or proprietary data generates 4.31× more AI citations per URL. Companies publishing proprietary data earn 45% more AI citations than those relying on standard content.
-
-For Open Paws: publish annual impact reports, platform usage benchmarks, program outcome data, and advocacy industry adoption statistics as dedicated, permanently-addressable pages.
-
-### First-mover advantage in data voids
-
-For topics with few authoritative sources, publishing first creates a durable citation position. One documented case: content on an obscure topic was cited by ChatGPT, Gemini, AI Overviews, and Grok within 24 hours. A replication attempt two days later failed — the first mover had captured the position. Identify emerging advocacy topics and publish before competitors.
-
----
-
-## E-E-A-T: Author Pages and Person Schema
-
-Every author who publishes on the site needs a dedicated profile page with:
-- `@type: Person` schema with `name`, `url`, `jobTitle`, `description`, `image`, `sameAs` (LinkedIn, relevant external profiles)
-- Photo, bio, credentials, and verifiable external presence
-- Links to all content by that author
-
-Author pages are linked from every article. This creates a trust chain: Article schema → author `@id` → Person schema → `sameAs` external profiles → third-party corroboration. Without this chain, content is treated as anonymous and cited 40% less.
-
----
-
-## Structured Data (JSON-LD)
-
-Implement JSON-LD schema in the `<head>` of every page. Sites with structured data achieve 41% AI citation rates vs 15% without. Only 12.4% of websites implement it.
-
-### Organization + WebSite schema (every page)
-
-```html
-<script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@graph": [
-    {
-      "@type": "Organization",
-      "@id": "https://yoursite.com/#organization",
-      "name": "Organization Name",
-      "url": "https://yoursite.com",
-      "logo": { "@type": "ImageObject", "url": "https://yoursite.com/logo.png" },
-      "sameAs": [
-        "https://www.linkedin.com/company/your-org",
-        "https://twitter.com/your-org",
-        "https://github.com/your-org",
-        "https://en.wikipedia.org/wiki/Your_Org",
-        "https://www.wikidata.org/wiki/QXXXXXXX"
-      ],
-      "description": "One-sentence description"
-    },
-    {
-      "@type": "WebSite",
-      "@id": "https://yoursite.com/#website",
-      "url": "https://yoursite.com",
-      "name": "Site Name",
-      "publisher": { "@id": "https://yoursite.com/#organization" }
-    }
-  ]
-}
-</script>
-```
-
-### Article schema (every content page)
-
-```html
-<script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@type": "Article",
-  "headline": "Page title",
-  "author": {
-    "@type": "Person",
-    "name": "Author Name",
-    "url": "https://yoursite.com/team/author-name",
-    "jobTitle": "Their role"
-  },
-  "publisher": { "@id": "https://yoursite.com/#organization" },
-  "datePublished": "2026-01-15T08:00:00Z",
-  "dateModified": "2026-03-20T10:30:00Z",
-  "image": "https://yoursite.com/images/article-image.jpg",
-  "description": "150-160 char meta description"
-}
-</script>
-```
-
-### FAQPage schema (pages with Q&A content)
-
-```html
-<script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@type": "FAQPage",
-  "mainEntity": [
-    {
-      "@type": "Question",
-      "name": "What is the question?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "Direct, complete answer in 40-80 words."
-      }
-    }
-  ]
-}
-</script>
-```
-
-Also implement when applicable: **HowTo**, **BreadcrumbList**, **SoftwareApplication**, **Event**, **Dataset**, **Person**, **VideoObject** (for video content), **LocalBusiness** (for location-based entities). Always JSON-LD (not Microdata). Use `@id` to connect entities. Keep `dateModified` accurate. Validate at https://validator.schema.org/.
-
----
-
-## Meta Tags
-
-```html
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Primary Keyword — Brand Name</title><!-- 50-60 chars, keywords first -->
-  <meta name="description" content="150-160 chars. Direct answer + one statistic.">
-  <link rel="canonical" href="https://yoursite.com/this-page">
-  <meta property="og:title" content="Page Title">
-  <meta property="og:description" content="Description">
-  <meta property="og:type" content="article">
-  <meta property="og:url" content="https://yoursite.com/this-page">
-  <meta property="og:image" content="https://yoursite.com/images/og-image.jpg">
-  <meta property="og:site_name" content="Site Name">
-  <meta name="twitter:card" content="summary_large_image">
-  <meta name="twitter:title" content="Page Title">
-  <meta name="twitter:description" content="Description">
-  <meta name="twitter:image" content="https://yoursite.com/images/twitter-image.jpg">
-  <meta property="article:published_time" content="2026-01-15T08:00:00Z">
-  <meta property="article:modified_time" content="2026-03-20T10:30:00Z">
-</head>
-```
-
-Meta description: 150-160 chars, direct factual answer to the primary query, one specific statistic, never duplicated across pages. Title: `Primary Keyword — Brand Name`, 50-60 chars, keywords first, unique per page. For time-sensitive content, include the year in the title.
-
----
-
-## Core Web Vitals
-
-Google's Core Web Vitals are confirmed ranking factors measured via real Chrome user data (CrUX) at the 75th percentile. INP officially replaced FID in March 2024.
-
-**Current thresholds (as of March 2026):**
-
-| Metric | Good | Needs Improvement | Poor |
-|--------|------|-------------------|------|
-| LCP (Largest Contentful Paint) | ≤ 2.5s | 2.5–4.0s | > 4.0s |
-| INP (Interaction to Next Paint) | ≤ 200ms (target ≤ 150ms) | 200–500ms | > 500ms |
-| CLS (Cumulative Layout Shift) | ≤ 0.1 | 0.1–0.25 | > 0.25 |
-
-**Ranking impact:** Pages at position 1 show a 10% higher CWV pass rate than position 9. Sites with INP above 200ms saw an average ranking drop of 0.8 positions; above 500ms dropped 2-4 positions. Pages with LCP above 3 seconds experienced 23% more traffic loss than faster competitors. 43% of sites still fail the 200ms INP threshold in 2026.
-
-**INP — the hardest metric to fix.** INP requires restructuring how JavaScript executes. The primary technique is `scheduler.yield()` (Chrome-native, with `setTimeout` fallback), which sends remaining work to the front of the task queue while letting the browser handle user input:
-
-```typescript
-function yieldToMain(): Promise<void> {
-  if ('scheduler' in window && 'yield' in (window as any).scheduler) {
-    return (window as any).scheduler.yield();
-  }
-  return new Promise(resolve => setTimeout(resolve, 0));
-}
-// In long event handlers: await yieldToMain(); then doExpensiveWork()
-```
-
-For Next.js: use React Server Components to reduce client JS, `useTransition` for non-urgent state updates, and `next/dynamic` for heavy components. Audit third-party scripts first — highest impact, lowest effort.
-
-**Rendering strategies in Next.js App Router:**
-
-| Strategy | TTFB | Best For |
-|---|---|---|
-| SSG (default cached fetch) | Sub-100ms from CDN | Static content — blogs, docs, marketing pages |
-| ISR (`next: { revalidate: 60 }`) | Fast, cached + background revalidate | Periodically updated content |
-| SSR (`cache: 'no-store'`) | 200ms+ per request | User-specific real-time data — dashboards |
-| PPR (experimental, Suspense) | Fast static shell + streamed dynamic | Mixed pages with some dynamic content |
-
-**Implementation:**
-- TTFB < 200ms (rendering cannot start until HTML arrives)
-- Preload the LCP element: `<link rel="preload" as="image" href="hero.webp">`
-- Inline critical CSS, defer non-critical CSS
-- Add explicit `width` and `height` attributes to every image, video, iframe, and ad slot (prevents CLS)
-- Use `font-display: swap` for web fonts
-- Break JavaScript long tasks (>50ms) with `yieldToMain()` during interactions
-- Implement `loading="lazy"` for below-fold images
-- Use modern image formats (WebP/AVIF) — 25-50% smaller than JPEG/PNG; AVIF 50% smaller than JPEG
-- Keep total page weight < 1MB (18% of pages over 1MB are abandoned by AI crawlers)
-- Test with real field data (Search Console), not just lab tools — Google ranks on field data
-
----
-
-## Image Optimization
-
-- Descriptive file names with keywords: `animal-welfare-audit-checklist-2026.webp` not `IMG_4827.jpg`
-- Meaningful alt text describing the image content (both SEO and accessibility)
-- Modern formats: WebP/AVIF with `<picture>` fallbacks for older browsers
-- Responsive images using `srcset` at multiple viewport sizes
-- `loading="lazy"` for below-fold images
-- Explicit `width` and `height` on every image, video, and embed (prevents CLS)
-
-```html
-<picture>
-  <source srcset="image.avif" type="image/avif">
-  <source srcset="image.webp" type="image/webp">
-  <img src="image.jpg" alt="Descriptive text" width="800" height="600" loading="lazy">
-</picture>
-```
-
----
-
-## Technical SEO
-
-### Rendering and JavaScript
-
-Require SSR or static site generation (SSG). Client-side-only rendering is a strategic error: it increases crawl cost, AI crawlers (GPTBot, ClaudeBot, PerplexityBot) generally do not execute JavaScript, and relying on JS rendering increases the risk of critical content being missed. All critical content must be in the initial HTML response.
-
-### Mobile-first indexing
-
-Google uses mobile scores as the primary ranking signal for all results, including desktop. Over 60% of searches occur on mobile; 53% of mobile visitors abandon sites taking more than 3 seconds to load. Test with the Googlebot Smartphone user agent, not desktop.
-
-### Crawl budget
-
-Google allocates crawl resources based on perceived site value. Faceted navigation is the most common crawl budget killer — a site with 1,000 products can generate 1,000,000 low-value URLs through filter combinations. Manage crawl budget by:
-- Blocking low-value parameter URLs, internal search results, and admin pages in robots.txt
-- Fixing redirect chains (multiple sequential redirects waste crawl budget)
-- Keeping XML sitemaps clean — only canonical, indexable URLs with accurate `<lastmod>` dates
-- Auditing and pruning pages with zero organic traffic over 12 months (concentrate link equity on high-value content)
-- Returning proper HTTP status codes: 200 for live content, 301 for permanent moves, 404 for missing, 410 for intentionally removed
-
-### Security headers
-
-Implement all of these — they are expected signals in 2026. For Next.js, set via `middleware.ts`:
-- `Content-Security-Policy` (CSP with nonces for scripts/styles) — prevents XSS
-- `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload` (HSTS)
-- `X-Content-Type-Options: nosniff`
-- `X-Frame-Options: DENY`
-- `Referrer-Policy: strict-origin-when-cross-origin`
-- `Permissions-Policy: camera=(), microphone=(), geolocation=()` — disable powerful features by default
-- `Cross-Origin-Opener-Policy: same-origin` — enables cross-origin isolation when paired with COEP
-- Fix all mixed content (HTTP resources on HTTPS pages)
-- Remove `X-Powered-By` header (information disclosure)
-
-### Supply chain security
-
-Pin exact dependency versions, use `npm ci` (never `npm install` in CI), and scan with Socket.dev or Snyk. The 2025 npm supply chain attacks (chalk/debug compromise affected packages with 2.6 billion combined weekly downloads) showed that well-maintained packages are vulnerable. Verify every dependency. Enable 2FA on npm accounts.
-
----
-
-## Robots.txt
-
-```txt
-User-agent: Googlebot
-Allow: /
-
-User-agent: Bingbot
-Allow: /
-
-# AI citation crawlers — allow for AI answer visibility
-User-agent: OAI-SearchBot
-Allow: /
-
-User-agent: ChatGPT-User
-Allow: /
-
-User-agent: PerplexityBot
-Allow: /
-
-User-agent: ClaudeBot
-Allow: /
-
-User-agent: Claude-SearchBot
-Allow: /
-
-User-agent: Applebot
-Allow: /
-
-User-agent: Amazonbot
-Allow: /
-
-# AI training crawlers — block if not consenting to training use
-User-agent: GPTBot
-Disallow: /
-
-User-agent: CCBot
-Disallow: /
-
-User-agent: Google-Extended
-Disallow: /
-
-# Block scraper bots
-User-agent: AhrefsBot
-Disallow: /
-
-User-agent: SemrushBot
-Disallow: /
-
-Sitemap: https://yoursite.com/sitemap.xml
-```
-
-Critical: blocking `Googlebot` blocks both Google Search AND AI Overviews — there is no way to allow one without the other. There are now 226+ identified AI crawlers (last verified 2026-03-01; source: DarkVisitors); review quarterly. Some AI agents use standard browser user-agent strings and ignore robots.txt — treat this as best-effort.
-
----
-
-## XML Sitemap
-
-Include only canonical, indexable URLs. `<lastmod>` must reflect actual update dates — never fake it. Reference in robots.txt. Submit to Google Search Console and Bing Webmaster Tools. Regenerate automatically when content changes. Maximum 50,000 URLs per file, 50MB uncompressed.
-
----
-
-## IndexNow
-
-IndexNow notifies Bing (which feeds ChatGPT) instantly when content is published or updated. Place a key file at `https://yoursite.com/{key}.txt` and ping on every publish:
-
-```txt
-GET https://api.indexnow.org/indexnow?url=https%3A%2F%2Fyoursite.com%2Fnew-page&key=YOUR_KEY
-```
-
-Integrate into CI/CD pipeline or CMS publish hooks. Supported by Bing, Yandex, Seznam, Naver. Rate limit: 10,000 URLs/day.
-
----
-
-## Site Architecture
-
-URL rules: descriptive hyphenated lowercase under 75 characters, primary keyword in URL, max 3 levels deep. Canonical tags on every page. 301 redirects for URL changes — never leave broken links. Breadcrumb navigation with BreadcrumbList schema.
-
-Hub-and-spoke topic cluster model — increases AI citation rates from 12% to 41%, bidirectional internal linking increases citation probability by 2.7×:
-- **Pillar page**: 2,000-4,000 words on a broad topic targeting head keywords
-- **Cluster pages**: 8-15 detailed articles each targeting a specific subtopic
-- **Bidirectional links**: every cluster page links to the pillar; the pillar links to every cluster page
-
-Internal linking rules: no important page more than 3 clicks from homepage. Use descriptive anchor text — never "read more". Distribute link equity strategically toward high-value pages. Audit for orphan pages (no internal links pointing to them).
-
----
-
-## Wikipedia and Wikidata
-
-This is the single highest-leverage off-site action. Wikipedia accounts for 47.9% of ChatGPT's top-10 cited sources. Having a Wikipedia page creates a stable Wikidata Q-ID that AI systems use as a truth anchor — when multiple sources conflict, the version corroborated by Wikipedia prevails.
-
-Wikidata serves 11 million queries daily across 119 million entities. Google's Knowledge Graph, Amazon Alexa, Apple Siri, and Microsoft all integrate Wikidata. Companies have gained Knowledge Panels within 7 days of creating a Wikidata entry.
-
-For any organization this site represents:
-- Verify Wikipedia article exists, is accurate, cited, and current
-- Verify Wikidata entry is complete: organization type, founding date, location, founders, official website, social media profiles
-- Add Wikidata Q-ID to Organization schema `sameAs` array (`https://www.wikidata.org/wiki/Q...`)
-- Add Wikipedia URL to Organization schema `sameAs` array
-- Build an entity web: organization → key tools → key people → related organizations → policy areas
-- Ensure site structured data is consistent with Wikipedia and Wikidata — inconsistency reduces AI confidence
-
-**Wikipedia COI (mandatory):** Never directly edit your own organization's Wikipedia article. Disclose affiliation on the Talk page. Propose edits through Talk-page requests or neutral editors. Use only independent, reliable sources. Follow Wikipedia's Conflict of Interest and Notability guidelines.
-
----
-
-## Authoritative Platform Publishing and Brand Signals
-
-85% of AI brand mentions come from third-party pages. Brand search volume is the strongest single predictor of AI citations (r=0.334). Brand mentions now account for 55% of off-page ranking weight (up from ~20% in 2012); backlinks account for 45%. Brands appearing on 4+ platforms are 2.8× more likely to appear in AI responses.
-
-**Platform trust hierarchy:**
-- AI Overviews are 3× more likely to cite .gov sources
-- YouTube accounts for ~23.3% of AI citations across platforms
-- Wikipedia accounts for ~18.4%
-- Reddit accounts for up to 46.5% of Perplexity's top citations
-
-**Practical actions:**
-- Publish thorough, helpful content in relevant subreddits — Reddit citations in AI Overviews surged 450% in three months. Authentic participation only; AI systems have visibility into Reddit's moderation pipeline.
-- Create and maintain YouTube content with transcripts enabled (transcripts become crawlable text)
-- Maintain active LinkedIn organization page with substantive posts
-- Publish documentation, datasets, and reports on GitHub as Markdown
-- Submit data to Our World in Data and relevant academic/government databases
-- Monitor unlinked brand mentions (60% of online mentions are unlinked) and convert high-authority ones to backlinks — close rates typically above 30%
-
----
-
-## Link Building
-
-Backlinks remain the #2 ranking factor but their nature has changed. Topical relevance between linking and linked domains (r=0.4) now outweighs raw domain authority. Natural anchor text distribution: ~40-50% branded, ~20-30% generic, ~15-25% partial match, ~5-10% exact match. Sites with anchor text diversity below 30% saw average ranking drops of 15 positions in the March 2026 spam update.
-
-**What works:**
-- **Digital PR:** Original research, industry surveys, data-driven reports that journalists cover editorially. Content built on original data sees 156% more link acquisition than generic how-to content.
-- **Unlinked brand mention conversion:** Monitor with Google Alerts or Ahrefs Alerts. Outreach to convert to links.
-- **Broken link building:** Find broken links on high-authority pages, create superior replacement content, outreach.
-
-**What was devalued in the March 2026 spam update:** sponsored guest posts on generalist high-DA news sites, niche edit placements on aged thin domains, PBN links. Google's SpamBrain detects these reliably now.
-
----
-
-## Conversion Optimization
-
-For nonprofit donation pages: present 3-4 preset amounts with the middle option pre-selected and pair amounts with impact descriptions ("$40/month provides clean water for 12 families"). Pre-select monthly giving — monthly donors become more valuable than one-time donors within 5.25 months, yet 64% of nonprofits still default to one-time. Single-step forms vastly outperform multi-step (52% drop in completions with multi-step). Eliminating site header navigation during the donation flow produced a documented 195% conversion increase. Embed the form directly on-site; never redirect to a third-party processor.
-
-For all forms: target 3-5 essential fields maximum — each additional field costs ~11% in conversion. Start with easy, non-threatening questions. Make optional fields clearly optional (+25-35% completion). Support browser autofill with correct `autocomplete` attributes (HTML standard; React JSX uses `autoComplete`) (also required for WCAG 2.2 AA SC 1.3.5).
-
-Trust signals with documented impact: charity rating badges increase giving likelihood for 72% of donors; video testimonials are 80-86% more effective than text; specific quantified impact numbers with real names beat generic claims.
-
-**Dark patterns carry legal risk.** The FTC's $2.5 billion settlement with Amazon (September 2025) for a deliberately complex cancellation flow marks the largest dark pattern enforcement action in history. California, Colorado, and 10+ other states explicitly prohibit dark patterns in privacy laws. For advocacy organizations, any perception of manipulation is existential — donor trust is the primary asset.
-
----
-
-## Analytics
-
-Use **Plausible** ($9/month cloud) or **Umami** (self-hosted, free) as primary analytics — no cookies, no consent banner required, ~1KB script versus GA4's 23KB+. Add GA4 only if you need Google Ads integration or predictive analytics. Proxy analytics scripts through your own domain (Next.js rewrites) to bypass adblockers.
-
-**Tracking AI referral traffic:** AI-generated traffic grew 357% year-over-year to 1.1 billion visits in June 2025. ChatGPT drives 78% of AI traffic but its mobile app drops referrer data entirely (appears as Direct in analytics). Create a custom channel group in GA4 with source matching:
-
-```txt
-(chatgpt\.com|chat\.openai\.com|perplexity\.ai|claude\.ai|gemini\.google\.com|copilot\.microsoft\.com)
-```
-
-Claude drives <0.17% of volume but has the highest session value at $4.56/visit. Track `donation_completed` (with value), `newsletter_signup`, and `volunteer_form_submit` as GA4 conversions.
-
-Use **GrowthBook** (self-hosted, MIT, free) for A/B testing — it queries your existing data warehouse directly and avoids sending user data to third-party servers.
-
----
-
-## Internationalization
-
-For multilingual advocacy sites, use **next-intl** (1.8M weekly downloads) with subdirectory URL strategy (`/en/`, `/hi/`, `/ar/`). Subdirectories centralize domain authority onto one deployment. Set `lang` and `dir` on `<html>`:
-
-```tsx
-<html lang={locale} dir={locale === 'ar' ? 'rtl' : 'ltr'}>
-```
-
-The `lang` attribute determines text-to-speech pronunciation in screen readers. Hreflang tags must be self-referencing and reciprocal on every page — 31% of international sites have broken hreflang. Use `alternates.languages` in Next.js `generateMetadata` to generate hreflang automatically.
-
-Arabic requires all 6 CLDR plural categories — use ICU MessageFormat, not string concatenation. Native CSS logical properties (`padding-inline-start`, `padding-inline-end`, `text-align: start`) handle RTL layout mirroring automatically without separate stylesheets; Tailwind equivalents are `ps-4`, `pe-4`, `text-start`.
-
-For Devanagari and Arabic scripts, use Google's **Noto** family with `unicode-range` in `@font-face` to lazy-load only the glyphs needed for each script. Always `font-display: swap` and WOFF2 format.
-
----
-
-## llms.txt
-
-Place at `/llms.txt` — a Markdown file describing the site for AI systems.
-
-**Current value is effectively zero.** Google's John Mueller: "No AI system currently uses llms.txt." An 8-month study found zero AI crawler visits. Across Acquia's hosting fleet, llms.txt received 0.001% of traffic — all from SEO audit tools, not AI crawlers. Implement it (low effort) but do not invest significant time. The IETF AIPREF Working Group (co-authored by Google and Mozilla) is the more likely path to a real standard.
-
----
-
-## Platform-Specific Behavior and Citation Volatility
-
-Citation patterns vary dramatically by platform and change constantly:
-- **ChatGPT**: Wikipedia-heavy (47.9% of top-10 citations), converts at 4.4× the rate of search visitors
-- **Perplexity**: Reddit-heavy (up to 46.5% of top citations), most vulnerable to external content attacks
-- **Google AI Overviews**: 3× more likely to cite .gov, strongly favors known entities with digital credibility
-
-Only 11% of domains are cited by both ChatGPT and Perplexity for the same queries — platform-specific optimization matters. Citation volatility is extreme: 40-60% monthly turnover is normal. A single platform update caused a -52% traffic collapse for some sites. Build multi-platform presence rather than depending on any single system.
-
-Topical authority (r=0.40) is the strongest on-site predictor of AI citations — Domain Authority (r=0.18) explains less than 20% of citation variance.
-
----
-
-## Defensive Awareness
-
-These techniques are used by competitors but carry severe penalties. Understand them to recognize manipulation and to ensure this site never crosses into prohibited territory.
-
-**Hidden text injection** — invisible instructions embedded in web content (white-on-white text, zero-size fonts, invisible Unicode characters U+E0000 to U+E007F) — explicitly prohibited by Google's spam policies and actively detected. Palo Alto Networks documented 24 layered injection attempts on a single website in March 2026. Google's SpamBrain and tools like PhantomLint compare parsed text against OCR-rendered images. Penalties are domain-wide.
-
-**Agent-aware cloaking** — serving different content to AI crawlers than to human visitors — is explicitly prohibited by all major platforms. Documented cases show it dramatically inflates AI scores while the human-visible version scores poorly. Google treats this as spam; penalties are domain-wide and can include complete deindexing.
-
-**Scaled AI content without human review** caused sites to lose up to 80% of organic traffic overnight in the March 2024 Google core update. Google issues manual actions for "scaled content abuse" since June 2025.
-
-**FTC legal exposure:** "Operation AI Comply" (September 2024) stated "using AI tools to trick, mislead, or defraud people is illegal" with "no AI exemption." For advocacy organizations, the reputational consequences of exposure amplify any platform penalty enormously.
-
----
-
-## Key Statistics
-
-| Signal | Impact |
-|--------|--------|
-| Adding statistics to claims | +41% AI visibility |
-| Citing credible sources inline | +30-40% AI visibility |
-| Expert quotations | +28-40% AI visibility |
-| Lower-ranked sites citing sources | +115% AI visibility |
-| Keyword stuffing | -10% AI visibility |
-| FAQ schema | 41% citation rate vs 15% without |
-| Question-based headings | 7× citation impact for smaller sites |
-| 120-180 word modular sections | 70% more ChatGPT citations |
-| Content over 2,900 words | 59% more likely to be cited |
-| Original or proprietary data | 4.31× more citations per URL |
-| Author metadata | +40% citations |
-| Topic cluster architecture | Citation rate 12% → 41% |
-| Fresh content (within 30 days) | 76% of most-cited; 3.4× Perplexity advantage |
-| Structured data (schema) | 73% higher AI selection rate |
-| Wikipedia/Wikidata presence | Knowledge Panel within 7 days |
-| Monthly citation turnover | 40-60% — continuous freshness required |
-| Domain Authority vs AI citations | r=0.18 — weak predictor |
-| Topical authority vs AI citations | r=0.40 — strongest on-site predictor |
-| Brand mentions vs AI citations | r=0.664 — strongest overall signal |
-| AI Overview citations from top-10 | Only 17-32% — lower-authority pages can win |
-| Sites passing all CWV thresholds | 24% lower bounce rates; 15-30% conversion improvement |
-| INP above 200ms | -0.8 average position drop |
-| LCP above 3s | 23% more traffic loss vs faster competitors |
-| Backlinks vs brand signals | 45% / 55% of off-page ranking weight |
-| Original data content | 156% more link acquisition; 45% more AI citations |
-| Unlinked brand mention conversion | >30% close rate |
-| AI referral traffic growth | 357% YoY to 1.1B visits (June 2025) |
-| ChatGPT share of AI traffic | 78% of AI referral visits |
-| Pre-selecting monthly giving | Accounts for 31% of online nonprofit revenue |
-| Donation form fields ≤4 | 160% more conversions vs longer forms |
-| Overlay widgets and lawsuits | 22.6% of sued sites had overlays installed |
diff --git a/.claude/rules/git-identity.md b/.claude/rules/git-identity.md
new file mode 100644
index 000000000..9fb8a57dc
--- /dev/null
+++ b/.claude/rules/git-identity.md
@@ -0,0 +1,56 @@
+# Git Commit Identity
+
+Loaded every session. Governs the author identity on every commit, push, and PR the pipeline creates.
+
+## The Rule
+
+**Commits are authored by the GitHub account `gh auth status` shows as active — not by Sam.** Current active account: `OpenGaryBot` (id `276612211`). Sam's personal account `stuckvgn` has been logged out of every auth surface on this machine (gh keyring, Git Credential Manager, Windows Credential Manager, git config, env vars) and must not reappear as a commit author, committer, or co-author.
+
+Sam is moving to bot-driven automation. Authorship is part of the contract — audit trails, signed-commit policies, branch-protection rules, and future revocation all assume the bot identity is stable and distinct from his.
+
+## Required git config
+
+Before any commit in any repo, `user.name` and `user.email` must match the active gh account. Use the privacy-preserving noreply email — not a personal address — so the commits expose no extra PII and verify as "from GitHub" on the profile.
+
+```
+Name:  Original Gary
+Email: 276612211+OpenGaryBot@users.noreply.github.com
+```
+
+Set globally once:
+
+```bash
+git config --global user.name "Original Gary"
+git config --global user.email "276612211+OpenGaryBot@users.noreply.github.com"
+```
+
+Or per-repo on first touch (same two lines without `--global`). If the bot identity ever rotates, re-derive from `gh api user -q '.id, .name, .login'` — never hardcode without cross-checking.
+
+## Never under Sam's identity
+
+- Never `git commit --author="Sam ..."`.
+- Never set `user.email` to `sam@openpaws.ai` for automation commits.
+- Never add `Co-Authored-By: Sam Tucker-Davis` or similar trailers.
+- Never push with credentials belonging to `stuckvgn` even if they briefly reappear in some credential store.
+
+If Sam genuinely needs to be the committer — e.g. a hand-authored fix he asks you to land verbatim — he'll say so explicitly. Default is always the bot.
+
+## Tool-attribution is a separate concern
+
+AI-tool attribution (`Co-Authored-By: Claude`, "Generated with Claude Code" footers) is governed by `~/.claude/settings.json`:
+
+```json
+"attribution": { "commit": "", "pr": "" }
+```
+
+Already neutralized — don't re-enable. For non-Open-Paws repos, `external-contribution-safety.md` adds the additional layer of suppressing all tool and org identity.
+
+## Pre-push verification
+
+Before pushing, confirm:
+
+```bash
+git log -1 --format='%an <%ae>'
+```
+
+Must return `Original Gary <276612211+OpenGaryBot@users.noreply.github.com>`. Anything else — abort the push, fix the config, amend or reset the offending commits, then retry.
diff --git a/.claude/rules/parallelization.md b/.claude/rules/parallelization.md
new file mode 100644
index 000000000..3d278be6f
--- /dev/null
+++ b/.claude/rules/parallelization.md
@@ -0,0 +1,106 @@
+# Wave Parallelization and File Ownership
+
+Loaded every session. Refines the hard-nevers for concurrent agent work. Most of the file-level isolation Sam hand-rolled in earlier CLAUDE.md drafts is now handled by Claude Code's native `isolation: worktree` primitive on write-stage subagents — this file covers what the worktree primitive doesn't.
+
+## What Worktree Isolation Already Handles
+
+These subagents have `isolation: worktree` in their frontmatter and get an automatic fresh git worktree per invocation, so file-level collision between parallel instances is impossible:
+
+- `test-writer` (STAGE 5)
+- `implementer` (STAGE 7)
+- `desloppifier` (STAGE 9)
+
+The `.worktreeinclude` file at repo root (gitignored patterns to copy into each new worktree) handles env files, config secrets, and local state. No hand-rolled file-ownership discipline needed for these agents.
+
+## What Worktree Does NOT Isolate
+
+Shared state that lives outside the git tree stays contentious even with worktree isolation:
+
+- **GitHub issue comments / labels** — two agents both commenting on the same issue produce a race. Use idempotent labels (set, don't increment counters) and use comment headers to de-duplicate.
+- **Branch push contention** — write-stage worktrees all push back to the same branch. Serialize pushes within a wave; a rebase-then-push pattern prevents non-fast-forward rejections.
+- **External APIs** — any coalition-partner API, LLM provider, deployment target. Rate limits are shared.
+- **Database migrations** — any stage touching schema runs serially, never parallel.
+- **Dependency manifest changes** — `package.json`, `Cargo.toml`, `pyproject.toml`. Parallel dep bumps collide in the lockfile.
+- **`.github/workflows/` edits** — workflow changes affect every repo's CI; serialize them.
+
+## Safe-Parallel vs Unsafe-Parallel
+
+| Safe to parallelize | Unsafe — serialize |
+|---|---|
+| Different repos, same wave | Same repo + overlapping file sets (worktree handles this for write-stages; other stages still discipline) |
+| Different components in a monorepo | Migrations (DB schema) |
+| Docs + code + tests (separate agents) | Dependency manifest changes |
+| Read-only agents (scout, plan-reviewer, adversarial, persona-qa, verifier) | Release tagging |
+| Persona QA read-only sweeps | `.github/workflows/` edits |
+
+## Wave Gates
+
+A wave is complete only when **every agent in the wave has written a completion comment** to the issue (or parent orchestration thread). The orchestrator waits for all completions before spawning the next wave. No partial advancement.
+
+In-progress state: issues get the `auto:in-progress` label plus an assignee representing the agent session. **TTL 4 hours of no commits → claim released automatically** by the watchdog workflow. If a wave stalls beyond TTL, the orchestrator re-dispatches to a fresh agent.
+
+## Branch Discipline
+
+One issue = one branch = one PR. Branch naming: `<type>/<issue-number>-<slug>` (e.g. `fix/1234-quest-sync-silent-errors`).
+
+Before any write work:
+```bash
+git fetch origin
+git checkout <branch> || git checkout -b <branch>
+git pull --rebase origin <branch>
+```
+
+After:
+```bash
+git add <owned-files-only>      # enforced by hook; never wildcards
+git commit -m "<conventional>"
+git push origin <branch>
+```
+
+## Read-Only Agents Share the Main Tree
+
+Agents without `isolation: worktree` (scout, planner, plan-reviewer, test-reviewer, verifier, adversarial, persona-qa) run in the main checkout. They're read-only by design. If a read-only agent discovers it needs to write, it stops and files a new issue rather than promoting itself to a write-stage.
+
+## Orchestrator cwd preflight — `isolation: worktree` requires a git repo cwd
+
+Before dispatching any subagent with `isolation: worktree` in its frontmatter, the orchestrator MUST be in a cwd that resolves to a git repo. If cwd is outside any git repo (e.g. `$HOME`, a temp dir), the Claude Code harness can't create a fresh worktree and silently degrades to either (a) reusing a stale sibling-agent worktree or (b) operating in the main tree — both of which **break the isolation guarantee** the pipeline's wave-gate semantics rely on.
+
+**Preflight:** `cd "$OP_CONTEXT_REPO"` (or the relevant repo) before the first worktree-isolated dispatch in a session. Verify with `git rev-parse --show-toplevel` — error out if it returns nothing.
+
+This matters specifically for in-session manual orchestration. The autoagent-* GitHub Actions runners (where applicable) always invoke from inside their repo, so the problem doesn't exist there.
+
+## Bootstrap mode — when the pipeline taxonomy isn't wired yet
+
+The pipeline uses labels (`stage:triaged`, `stage:ready-for-plan`, `auto:auto-fixable`, `sensitivity:staff-ok`, etc.) as wave-gate signals — each stage watches for its trigger label on an issue. **On first pipeline run in a repo that hasn't yet had sync-labels applied**, those labels don't exist; label-driven dispatch can't fire.
+
+**Bootstrap-mode substitution:** each stage ends its completion comment with a short explicit sentence stating the next stage, e.g. `Advancing to STAGE 3 (plan).` The orchestrator watches for these sentences instead of labels. This is a first-run-only fallback — once sync-labels lands in a repo, the taxonomy is live and label-based dispatch resumes.
+
+Stage playbooks don't individually repeat this rule; they inherit it from here. If a stage's completion output in the first run doesn't include an "Advancing to STAGE N" (or "Back to STAGE N") sentence, the wave is stalled — orchestrator should re-prompt or kick back.
+
+Exit criteria: bootstrap mode ends when the first `sync-labels --apply` run completes in the repo. From that point the label taxonomy is the canonical signal; bootstrap-mode sentences are redundant.
+
+## Subagent recovery — what to do when a write-stage agent times out mid-run
+
+Write-stage subagents (`test-writer`, `implementer`, `desloppifier`) operate in their own worktrees at `$REPO/.claude/worktrees/agent-<id>/` and may time out or lose connection mid-run with uncommitted work sitting in that worktree. Observed once per pipeline run as of 2026-04-24.
+
+**Recovery procedure** (orchestrator runs):
+
+1. Check the subagent's worktree state: `cd $REPO/.claude/worktrees/agent-*/ && git status --short && git log --oneline -1`
+2. If uncommitted work exists: inspect the diff (`git diff`), run any tests the agent would have run to verify it's functional, then commit from the orchestrator session using the bot identity:
+   ```bash
+   git add <enumerated files>
+   git -c user.name="Original Gary" -c user.email="276612211+OpenGaryBot@users.noreply.github.com" \
+     commit -m "<conventional prefix per pipeline-nevers>: <description>"
+   git push origin <branch>
+   ```
+
+   **Always the bot identity. Never Sam's `stuckvgn` identity.** Per `~/.claude/rules/git-identity.md`. The temptation to "author under Sam so the non-last-pusher branch protection lets him self-approve" is the wrong direction — branch protection is by design, not a bug to route around. If a PR needs to merge but bot-authored commits block via non-last-pusher rule, file a `[process]` issue asking Sam to either approve or re-think the rule. Do not impersonate Sam's identity.
+3. If the subagent left a stale LOCKED worktree after its branch pushed: `git worktree unlock <path>` then `git worktree remove -f <path>` to free the branch for subsequent stages.
+4. Post a completion comment on the issue explaining the rescue (so adversarial and downstream stages have correct context).
+5. Continue the pipeline from the next stage.
+
+Do NOT re-dispatch the same subagent with a fresh invocation if uncommitted work exists — you'll lose it. Rescue first, re-dispatch only if the worktree is genuinely empty.
+
+---
+
+See `/pipeline-reference` for the full 14-stage sequence and per-stage agent assignments.
diff --git a/.claude/rules/pipeline-nevers.md b/.claude/rules/pipeline-nevers.md
new file mode 100644
index 000000000..eafde48a3
--- /dev/null
+++ b/.claude/rules/pipeline-nevers.md
@@ -0,0 +1,43 @@
+# Open Paws Pipeline — Hard Nevers
+
+Loaded every session (no `paths:` frontmatter). Contains the non-negotiable rules that apply to every agent, every stage, every commit, every push, in every Open Paws repo. Full 14-stage pipeline reference lives in `/pipeline-reference` skill — invoke it on demand when you need stage detail.
+
+## The Hard Nevers
+
+- **Never skip the pipeline.** No "this is a tiny fix, let's go direct to PR." Tiny fixes are the highest-risk class because nobody scrutinizes them.
+- **Never fix without an issue first.** File the issue, even for "while I'm here" cleanups. No issue = no work.
+- **Never use wildcard `git add`.** `git add .` / `git add -A` / `git add --all` / `git add *` collide with other agents' owned file sets and silently commit out-of-scope files. Enumerate owned files explicitly. (Enforced by the `~/.claude/hooks/block-dangerous-bash.sh` PreToolUse hook.)
+- **Never write production code before tests.** RED → GREEN. Tests must be mutation-resistant.
+- **Never let the desloppify strict score drop.** Score regression requires a human override label (`override:allow-score-drop`) that agents cannot apply.
+- **Never use upstream desloppify.** Always `github.com/Open-Paws/desloppify` — the fork has movement conventions (no-speciesist-language, type-safety, gateway response discipline) the upstream lacks.
+- **Never scope-creep mid-wave.** Adjacent bugs, refactor opportunities, test gaps → file new issues. Do not fold into the current change.
+- **Never modify a test file during the implementation wave.** Test files are locked; forcing a test green is a pipeline-integrity violation.
+- **Never touch files outside your declared owned set.** Subagents enforce this via `isolation: worktree` (test-writer, implementer, desloppifier); other stages enforce by discipline.
+- **Never merge without adversarial clearance.** STAGE 13 runs LAST, AFTER CI+CodeQL+CodeRabbit+review subagents all green. Only a clean adversarial pass unblocks merge.
+- **Never silently resolve an open decision.** If `$OP_CONTEXT_REPO/decisions.md` or `$OP_CONTEXT_REPO/proposals/` touches the proposed change, file a `[decision]` issue and block. Plans that pick a design choice without surfacing alternatives commit the org to that path invisibly.
+- **Never contradict a settled decision.** `decisions.md` entries are constraints. Relitigating openly is expensive; relitigating silently via implementation is worse. File a reconsideration issue instead.
+- **Never merge to `main` directly.** Branch, PR, review, merge.
+- **Never share a branch between parallel agents.** Each write-stage agent runs in its own worktree.
+
+## Conventional Commits (required)
+
+Prefix every commit: `feat:` `fix:` `refactor:` `test:` `docs:` `chore:` `perf:` `ci:`. Scope matches the component label on the issue. Description is direct and real — per the voice rules in `~/.claude/CLAUDE.md`, profanity is fine when it fits; corporate filler is not.
+
+## Close Issues Via PR Body
+
+`Closes #N` in the PR body links the PR to the issue. Squash merge by default; the issue auto-closes when the PR merges.
+
+## Emergency Overrides (human-only)
+
+- `override:skip-adversarial` — requires human comment with justification
+- `override:allow-score-drop` — requires human comment with numeric delta
+
+Agents cannot apply these labels. If an agent thinks an override is warranted, file a comment requesting human intervention and halt.
+
+## Context-Repo Primacy
+
+If context-repo guidance (`$OP_CONTEXT_REPO/decisions.md`, `priorities.md`, `org-overview.md`) conflicts with any rule or playbook, context-repo wins. This stack is HOW; the context repo is WHY.
+
+---
+
+For the full 14-stage pipeline with wave-gate semantics, file-ownership rules, subagent definitions, and per-stage workflow: `/pipeline-reference`.
diff --git a/.claude/rules/privacy.md b/.claude/rules/privacy.md
deleted file mode 100644
index 924ff6269..000000000
--- a/.claude/rules/privacy.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-paths:
-  - "**/data/**"
-  - "**/user/**"
-  - "**/profile/**"
-  - "**/*pii*"
----
-# Privacy Rules for Animal Advocacy Projects
-
-Privacy in advocacy software is not a compliance checkbox — it is the difference between operational security and activist prosecution. Data that seems harmless in isolation becomes evidence under ag-gag statutes: participation timestamps, IP addresses, device fingerprints, and access patterns can identify investigators, witnesses, and rescue coordinators. Every privacy decision must be made against the worst-case legal scenario, not the average one.
-
-## Data Minimization as Default Architecture
-
-Collect the absolute minimum data required for each function. Do not collect data "in case we need it later." Every data point stored is a data point that can be subpoenaed, seized, or leaked. Before adding any field to any data model, ask: **if this data appeared in a court filing, who would it endanger?** If the answer is anyone, justify its existence or eliminate it.
-
-## Activist Identity Protection
-
-Activist identities are the highest-sensitivity data category. Use pseudonymous identifiers internally. Never store legal names alongside action records. Separate authentication identity from operational identity — the system that verifies login credentials must not be the system that records who participated in which investigation. Compartmentalization is the structural principle: compromise of one system must not cascade into identification across systems.
-
-## GDPR/CCPA Compliance as Floor, Not Ceiling
-
-Regulatory compliance is the minimum standard. Advocacy software should exceed it. Implement the full data subject rights: access, rectification, erasure, portability, and objection. Right to deletion MUST be real deletion — not soft delete with a `deleted_at` flag. When an activist requests erasure, their data must be irrecoverable from all storage layers including backups, replicas, search indices, analytics pipelines, and log aggregation systems. Soft delete in advocacy software is a liability: "deleted" records surfacing in legal discovery destroy trust and endanger people.
-
-## Consent as Ongoing Process
-
-Consent is not a one-time checkbox at registration. Implement re-consent workflows for scope changes (new coalition partner gets data access, new feature collects additional data, investigation footage is shared with a new organization). Provide granular consent controls: participation in a public campaign does not imply consent to be recorded as an investigation participant. Withdrawal of consent must be as easy as granting it, with immediate effect.
-
-## Coalition Data Sharing Across Risk Profiles
-
-Different advocacy organizations operate at different risk levels. A grassroots direct action group, a legal defense fund, and a public education nonprofit have fundamentally different threat models. When sharing data across coalition boundaries: (1) classify each partner's risk level, (2) apply the strictest data handling rules of any partner in the exchange, (3) implement data transformation at boundaries — strip identifying information before sharing across risk tiers, (4) maintain audit trails that themselves do not create new identification vectors, (5) design data sharing agreements that specify what happens to shared data when a partner is compromised or legally compelled to disclose.
-
-## Whistleblower and Witness Protection
-
-Whistleblower identities require the strongest protections in the system. Implement: end-to-end encryption for all whistleblower communications, no server-side access to decrypted content, anonymous submission channels that do not require account creation, zero-knowledge architectures where even system administrators cannot identify whistleblowers. Witness testimony records must have consent verification before any display, anonymization by default, and explicit opt-in for any identifiable presentation.
-
-## Investigation Participant Records
-
-Records of who participated in undercover investigations are the most legally dangerous data in the system. Store these records in maximally encrypted, compartmentalized storage with access limited to the minimum number of people. Consider whether these records need to exist at all — if the operational need can be met without a persistent record, do not create one. When records must exist, design them with plausible deniability: the storage system should not reveal whether it contains investigation records without the correct credentials.
-
-## Anonymization Requirements
-
-Anonymization must be irreversible. AI-generated anonymization is often superficial — replacing names while leaving uniquely identifying combinations of attributes (location + date + role + demographic data). True anonymization requires k-anonymity at minimum: no individual should be distinguishable from at least k-1 others in any released dataset. Test anonymization by attempting re-identification with publicly available information.
diff --git a/.claude/rules/research-methodology.md b/.claude/rules/research-methodology.md
new file mode 100644
index 000000000..9e3b2c2ed
--- /dev/null
+++ b/.claude/rules/research-methodology.md
@@ -0,0 +1,63 @@
+# Research Methodology — Cross-Check Before Acting
+
+Loaded every session. The epistemic rule the overnight optimization loop established the hard way: **single-source claims about Claude Code config field formats or supported values must be cross-checked against concrete examples before they're acted on.**
+
+## Canonical sources for Claude Code config
+
+The authoritative source for Claude Code field names, formats, hook event names, and frontmatter keys is the Anthropic-maintained `plugin-dev` skill bundled with the official plugins marketplace, plus the official docs at `docs.anthropic.com/claude-code/`. Concrete reference material:
+
+- `~/.claude/plugins/marketplaces/claude-plugins-official/plugins/plugin-dev/references/frontmatter-reference.md` — definitive field reference for agents/skills/commands
+- The same plugin's `SKILL.md` and per-component example files — concrete worked examples
+- `~/.claude/cache/changelog.md` — authoritative event/feature additions per release
+
+## Cross-check rule
+
+When a subagent (including `claude-code-guide`) quotes a field name, format, or supported-value list, **do not act on the quote alone.** Open the canonical reference and confirm against a concrete example. If the two disagree, concrete examples in `plugin-dev` win over prose descriptions anywhere else.
+
+**Precedent:** the overnight loop hit this exact failure twice in one session.
+
+- **Iteration 2** — subagent reported `allowed-tools:` as space-separated. Wrong. Concrete examples in `plugin-dev/SKILL.md` show comma-separated. Caught at iteration 8 only after a full re-audit. Six agents had to be re-fixed.
+- **Iteration 6** — subagent reported `PreCompact` / `WorktreeCreate` / `InstructionsLoaded` hooks as nonexistent. Wrong. All documented in `~/.claude/cache/changelog.md`. Caught same iteration only by cross-checking the changelog directly.
+- **Task 5 of the 2026-04-24 consolidation session** — subagent docs we fetched at the time did not list `memory: project` as a supported subagent frontmatter field. Concrete test confirmed it was fully functional: the harness auto-creates per-agent directories at `~/.claude/agent-memory/<agent>/` and injects the path + usage instructions into the subagent's system prompt. **Docs have since caught up — `memory: project` is now first-party documented in `sub-agents.md` (lines 250 + 423-427), so the "undocumented but real" status no longer applies.** The underlying lesson still stands: **absence of documentation ≠ absence of feature. Test concretely before treating something as unsupported.**
+
+Three failures, three different shapes — prose-vs-format, prose-vs-event-list, docs-silent-but-feature-real. The fix is the same in all directions: **never let a research subagent's prose summary be the last word on a Claude Code config detail.**
+
+## Framework research
+
+When surveying external frameworks (metaswarm, barkain, VoltAgent, wshobson, vanzan01, etc.), treat them as **idea sources, not authority sources.** Their patterns may inspire adoptions, but their specific syntax, field names, or hook conventions are not authoritative for our setup. If a framework demonstrates a pattern we want to adopt, the implementation must be re-derived against canonical Claude Code references — not copy-pasted from the framework.
+
+## Tie-breaker
+
+When two sources disagree on a Claude Code detail:
+
+1. Concrete worked example in `plugin-dev/` wins over
+2. Prose description in official docs, which wins over
+3. Subagent summary, which wins over
+4. Framework convention, which wins over
+5. Memory of how it worked in a prior session
+
+Always read down the chain when uncertain. The cost of one extra read is far below the cost of fanning out wrong config to 40+ repos.
+
+## Token cost — measure live, don't estimate
+
+Byte-based estimates of always-loaded token cost are unreliable for markdown-heavy rule files. The overnight loop's `bytes ÷ 4` proxy was off by 2× — real ratio is closer to `bytes ÷ 2.5` for this content (short lines, code spans, tables, YAML frontmatter). **Always use live `/context` output as the source of truth** for always-loaded token cost. Use the proxy for relative comparisons within a single session if you must, but never quote it as an absolute number.
+
+**Concrete numbers, measured post-overnight-loop on 2026-04-24:**
+
+| Metric | Value |
+|---|---:|
+| Always-loaded bytes (rules + CLAUDE.md + skill descriptions) | 41,805 |
+| `bytes ÷ 4` proxy | ~10,450 tokens (wrong, under by ~2×) |
+| `bytes ÷ 2.5` corrected ratio | ~16,700 tokens (closer) |
+| Real `/context` measurement | ~20,700 tokens (authoritative) |
+
+The corrected ratio (`÷ 2.5`) is still a proxy and still underestimates real cost because it doesn't account for the full prompt-frame overhead Claude Code injects (tool schemas, hook definitions, skill metadata, system reminders). The real measurement is always larger than any byte-based estimate. Treat corrected-ratio as an upper bound on "what the rules files themselves cost" and `/context` as the bound on "what actually loads."
+
+## Known optimization candidates (deferred)
+
+These four were evaluated for context-cost reduction in the 2026-04-24 consolidation session and **deliberately deferred**. Don't re-evaluate from scratch; the reasoning below stands until either the always-loaded budget actually pinches or the underlying assumption changes.
+
+- **`rules/README.md` (1.7k tokens)** — index/metadata for the rules dir. Tempting to trim. Deferred because agents reading the rules dir benefit from the index too, not just humans; first on the cut list if real context pressure appears.
+- **`CLAUDE.md` (2.8k tokens)** — already minimized in the consolidation. Identity layer needs to stay discoverable. Don't touch.
+- **`rules/advocacy-domain.md` (2.6k tokens) — path-scoping** — tempting to scope to `**/*.md`/copy/i18n paths. Deferred because the ubiquitous-language dictionary and speciesist-idiom list must fire on any content generation, including user-facing strings inside `.ts`/`.tsx`. False negatives cost more than 2.6k tokens.
+- **`rules/context-repo.md` (2.3k tokens) — path-scoping** — tempting to scope to `**/Open-Paws/context/**`. Deferred because the open-decision escalation rule applies across all Open Paws pipeline work, not just work inside the context repo dir. Path-scoping would silently break the escalation rule for adjacent work.
diff --git a/.claude/rules/security.md b/.claude/rules/security.md
deleted file mode 100644
index 46f460091..000000000
--- a/.claude/rules/security.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-paths:
-  - "**/security/**"
-  - "**/*auth*"
-  - "**/*crypto*"
-  - "**/*encrypt*"
----
-# Security Rules for Animal Advocacy Projects
-
-Advocacy software faces three distinct adversaries, each requiring different countermeasures: **state surveillance** (law enforcement using ag-gag statutes, warrants, and subpoenas), **industry infiltration** (corporate investigators posing as volunteers, social engineering attacks against coalition members), and **AI model bias** (training data that encodes industry framing, models that refuse to assist with certain advocacy operations, or that leak investigation details through telemetry). Security is not a feature layer — it is the structural foundation of every design decision.
-
-## Zero-Retention APIs
-
-NEVER send sensitive data to external services that retain inputs. Investigation footage, witness identities, activist communications, and coalition coordination data must only flow through zero-retention API configurations. Verify retention policies contractually, not by assumption. Telemetry to third parties is a data exfiltration vector in adversarial legal discovery — not just a privacy preference.
-
-## Encrypted Local Storage with Plausible Deniability
-
-All locally stored investigation data, evidence, and activist records MUST use encrypted volumes. Design storage so that the existence of sensitive data is deniable under device seizure. Nested encrypted containers where the outer layer contains innocuous data and the inner layer requires a separate key is the standard pattern. A seized device must not reveal what it contains without the correct credentials.
-
-## Supply Chain Verification — Slopsquatting Defense
-
-Approximately **20% of AI-recommended packages do not exist** — they are hallucinated names. Attackers monitor these hallucinated names and register them as real packages containing malicious code. One such package was downloaded 30,000+ times in weeks. **Verify EVERY dependency** exists in its actual registry and has legitimate maintainers before installation. Only 1 in 5 AI-recommended dependency versions are both safe and free from hallucination. In advocacy software, a compromised dependency can exfiltrate investigation data or activist identities.
-
-## Input Validation Against Industry Sabotage
-
-Assume adversarial input on every public-facing surface. Industry actors will probe investigation submission forms, evidence upload endpoints, and public campaign tools. Validate and sanitize all inputs at system boundaries — the "barricade" pattern from defensive programming. AI-generated input validation is weak: 45% of AI-generated code contains OWASP Top 10 vulnerabilities, with 86% failure rate on cross-site scripting defenses.
-
-## Ag-Gag Legal Exposure Vectors
-
-Investigation footage is discoverable evidence under legal proceedings. Design every data flow assuming adversarial legal discovery, not just adversarial hackers. Metadata (timestamps, geolocation, device identifiers) can be more damaging than content. Strip metadata aggressively. Audit logging must protect the identities it records — logs that identify who accessed investigation data become prosecution tools.
-
-## Device Seizure Preparation
-
-Design for the scenario where devices are confiscated without warning. Remote wipe capability for all sensitive data. Encrypted volumes that lock automatically on suspicious conditions (unexpected power loss, extended inactivity, SIM removal). The application must not leak data on unexpected termination — no temporary files with decrypted content, no swap files containing sensitive state, no crash dumps with investigation data.
-
-## Instruction File Integrity — Rules File Backdoor
-
-The "Rules File Backdoor" attack uses hidden Unicode characters in instruction files (`.cursorrules`, `.mdc` files, `CLAUDE.md`) to inject invisible directives that instruct AI to produce malicious output. **Treat ALL instruction files as security-critical artifacts.** Review them for non-printable characters. Diff instruction file changes character-by-character. In advocacy projects, a compromised instruction file could direct the AI to weaken encryption, leak data to external endpoints, or disable safety checks.
-
-## Self-Hosted Inference for Critical Paths
-
-Any code path handling investigation data, witness identities, or legal defense materials should use self-hosted AI inference — not cloud-hosted APIs. Model providers may comply with government data requests. For routine development tasks (formatting, boilerplate, documentation), external APIs are acceptable. For anything touching the three adversaries' interests, self-host.
-
-## MCP Server Security
-
-MCP servers extend agent capabilities but also extend the attack surface. Any MCP server handling sensitive advocacy data MUST be self-hosted. Audit each server's data access patterns, network egress, and data retention before enabling. An MCP server with network access can exfiltrate data regardless of application-level encryption.
-
-
-## Provider Routing for Sensitive Data
-
-When using AI coding assistants with multiple model providers, sensitive advocacy data (investigation content, witness identities, legal defense materials) must NEVER route through free-tier providers that may retain inputs. Free-tier APIs (Google AI Studio, Groq, Mistral, Cohere, OpenRouter free models, Together AI) may retain inputs for training or compliance — assume they do unless contractually guaranteed otherwise. Route sensitive work exclusively through zero-retention providers or self-hosted inference.
diff --git a/.claude/rules/seven-concerns.md b/.claude/rules/seven-concerns.md
new file mode 100644
index 000000000..75357c28e
--- /dev/null
+++ b/.claude/rules/seven-concerns.md
@@ -0,0 +1,39 @@
+# Seven Concerns — Canonical Index
+
+Loaded every session. Every change — code, docs, config — must address all seven concerns. This file is the canonical index. Each concern points to the rule file with the full text.
+
+## The Seven
+
+1. **Testing** — assertion quality over coverage percentage; every test must fail when the behavior it covers breaks. RED-first TDD, mutation-resistant assertions, error-path coverage.
+   Full rule: [`testing.md`](testing.md). Path-scoped — fires on test files. Skill: `/testing-review`.
+
+2. **Security** — three-adversary threat model (state surveillance, industry infiltration, AI model bias), zero-retention APIs, supply chain verification, encrypted local storage, device seizure preparation, instruction-file integrity, MCP server isolation.
+   Full rule: [`security.md`](security.md). Path-scoped — fires on auth/crypto/encrypt/security paths. Skill: `/security-review`. Org tiers: `$OP_CONTEXT_REPO/handbook/security.md`.
+
+3. **Privacy** — activist identity protection, real deletion (not soft-delete), whistleblower protection, coalition data sharing under strictest partner's policy, consent verification.
+   Full rule: [`privacy.md`](privacy.md). Path-scoped — fires on data-model, profile, PII, consent paths. Skill: `/privacy-review`.
+
+4. **Cost optimization** — model routing (Haiku for cheap, Sonnet for mid, Opus for hard), token budget discipline, prompt cache discipline (target 80%+ hits), 40/30/20/10 budget split, vendor abstraction, self-hosted fallback.
+   Full rule: [`cost-optimization.md`](cost-optimization.md). Always-loaded.
+
+5. **Advocacy domain** — ubiquitous language (Campaign / Investigation / Coalition / Witness / Sanctuary / Rescue / Liberation / Direct Action / Undercover Operation / Ag-Gag / Factory Farm / Slaughterhouse / Companion Animal / Farmed Animal / Evidence), bounded contexts (Investigation Operations / Public Campaigns / Coalition Coordination / Legal Defense), explicit anti-corruption layers between contexts, no speciesist idioms.
+   Full rule: [`advocacy-domain.md`](advocacy-domain.md). Always-loaded.
+
+6. **Accessibility** — internationalization (CLDR plural categories, RTL, lang+dir attributes), low-bandwidth defaults, offline-first capability, low-literacy design, screen-reader correctness, keyboard navigation.
+   Full rule: [`accessibility.md`](accessibility.md). Path-scoped — fires on UI / frontend / i18n / l10n paths. Skill: `/accessibility-review`.
+
+7. **Emotional safety** — progressive disclosure of traumatic content, configurable detail levels, content warnings, burnout prevention for moderators and investigators, opt-in graphic content, secondary trauma awareness.
+   Full rule: [`emotional-safety.md`](emotional-safety.md). Path-scoped — fires on traumatic-content / display / upload / moderation paths. Skill: `/emotional-safety-review`.
+
+## How To Apply
+
+- At plan time, the planner explicitly addresses each of the seven against the proposed change.
+- At review time, the reviewer checks each of the seven was actually addressed (not just acknowledged).
+- For path-scoped concerns (1, 2, 3, 6, 7), the corresponding rule file auto-loads when matching files are touched. The concern still applies even when the rule file doesn't auto-load — the concern is universal; the rule file is a deeper reference.
+- For the always-loaded concerns (4, 5), the rule file content is in context every session.
+
+## Cross-References
+
+- Org-wide tier definitions and threat model: `$OP_CONTEXT_REPO/handbook/security.md`
+- Context repo's view of the seven concerns: `$OP_CONTEXT_REPO/AGENTS.md` §Seven Concerns
+- Pipeline stage where each concern is checked: `/pipeline-reference`
diff --git a/.claude/rules/testing.md b/.claude/rules/testing.md
deleted file mode 100644
index af67dab96..000000000
--- a/.claude/rules/testing.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-paths:
-  - "**/*.test.*"
-  - "**/*.spec.*"
-  - "**/test/**"
-  - "**/tests/**"
-  - "**/__tests__/**"
----
-# Testing Rules for Animal Advocacy Projects
-
-Testing is the keystone of AI-assisted advocacy development. Without tests, AI agents drift silently — and in advocacy software, silent drift means lost evidence, exposed activists, or traumatic content displayed without safeguards. Every other practice depends on this foundation.
-
-## Assertion Quality — The Non-Negotiable
-
-NEVER write tautological assertions — tests that assert output equals output. This is the single most dangerous pattern in AI-generated tests. A test that calls a function and asserts the result equals the same function call tests nothing. Every assertion must encode a business rule you can explain in words: "this total equals the sum of line items because the pricing rule says X."
-
-Ask three questions of every AI-generated test:
-1. **Does this test fail if the code is wrong?** If you break the implementation and the test still passes, it is worthless.
-2. **Does the assertion encode a domain rule?** If you cannot name the rule being verified, it is a snapshot, not a test. In advocacy software, unnamed rules mean unverified safety properties.
-3. **Would mutation testing kill this?** If changing `+` to `-` in the implementation leaves the test green, the test is weak.
-
-Quality metric: **mutation score over coverage percentage.** A suite with 90% coverage and 40% mutation score is a false sense of security. Track mutation score as the primary quality signal.
-
-## Spec-First Test Generation
-
-ALWAYS prefer generating tests from specifications or acceptance criteria before writing implementation — not after. Tests generated from existing implementation tend to mirror the code rather than the intent, producing circular validation. When the spec says "investigation records must be anonymized before export," write that test first. Then make it pass.
-
-## Property-Based Testing for Invariants
-
-Use property-based testing to verify that invariants hold across random inputs. Specific example-based tests miss edge cases that property-based tests catch systematically. Critical invariants in advocacy software: anonymization must be irreversible, encryption must not leak plaintext length, coalition data boundaries must hold under arbitrary input combinations.
-
-## Test Error Paths Explicitly
-
-AI-generated tests overwhelmingly cover happy paths. In advocacy software, the error paths are where people get hurt — failed encryption, leaked identity, broken anonymization, missing content warnings. Explicitly request and verify: error propagation, cleanup on failure, meaningful error messages, graceful degradation under hostile conditions. Test what happens when the network drops during evidence upload. Test what happens when storage is seized mid-write.
-
-## Contract Tests at Service Boundaries
-
-AI hallucinates API contracts — approximately 20% of AI-recommended packages do not exist. At every service boundary, especially coalition cross-organization APIs where different groups have different security postures, use consumer-driven contract tests. Do not trust AI-generated API client code without contract verification.
-
-## Test Infrastructure Requirements
-
-**Fast execution is non-negotiable.** AI agents run tests in tight loops. A 10-minute suite across 15 agent iterations burns 2.5 hours. Invest in parallel execution, test isolation with no shared state, and selective test running. **Flaky tests poison the AI feedback loop** — agents cannot distinguish flaky failures from real ones. Track and eliminate flaky tests aggressively. Maintain a test-to-code ratio of 1:1 or higher.
-
-## Adversarial Input Testing
-
-Test inputs crafted to exploit advocacy-specific vulnerabilities: SQL injection through investigation search fields, XSS through witness testimony display, path traversal through evidence file uploads, oversized payloads designed to crash offline-first sync. Advocacy software faces adversarial users — not just careless ones.
diff --git a/.claude/rules/tooling-reference.md b/.claude/rules/tooling-reference.md
new file mode 100644
index 000000000..59231dc60
--- /dev/null
+++ b/.claude/rules/tooling-reference.md
@@ -0,0 +1,100 @@
+# Open Paws Tooling Reference
+
+Loaded every session. Where the Open Paws dev stack lives and what each piece is for. Coverage scope: the integration points that don't have their own dedicated rule. For desloppify usage see `desloppify.md`; for emergency override labels and the pipeline rule set see `pipeline-nevers.md`; for the context repo and the org-wide read test see `context-repo.md`.
+
+## MCP config file locations (three scopes)
+
+Claude Code resolves MCP servers from three scopes, with **local > project > user** precedence (local wins on conflict):
+
+- **Local scope** — per-project, private to this machine. Stored under the `projects` key of `~/.claude.json` (single file, project-keyed). Not committed, not shared.
+- **Project scope** — per-project, shared with the team. Stored in `.mcp.json` at the project root. Committed to the repo.
+- **User scope** — global across all projects for this user. Stored at the top level of `~/.claude.json`.
+
+There is **no `~/.claude/.mcp.json`** — that path does not exist in the Claude Code resolution chain. If a script or doc references it, that reference is wrong.
+
+## CodeRabbit
+
+Per-repo wiring lives in `.coderabbit.yaml` at each repo root.
+
+- Profile: `chill`
+- Auto-review: enabled
+- AST-grep packages sourced from `github.com/Open-Paws/shared-lint-rules`
+- Learnings dashboard: `app.coderabbit.ai/learnings`
+
+Learnings accumulate via natural-language replies on PR threads — **do not** override CodeRabbit by editing prompt configs. Reply in the thread; CodeRabbit incorporates the feedback into future reviews repo-wide.
+
+## Persona QA library
+
+`qa/personas/*.md` per repo, when relevant (UI repos with public-facing surfaces). The persona library is **still being built** — Slingshot has 5 to date; the broader cross-repo archetype taxonomy (clusters like execution / leadership / product-eng / finance / movement / epistemic / Indian-context) is aspirational rather than shipped. Each persona file the `persona-qa` subagent absorbs before navigating the app via Playwright MCP. As personas stabilize they should land in `$OP_CONTEXT_REPO/handbook/personas/` so repos can pick the relevant subset rather than re-author.
+
+## Browser control
+
+**Playwright MCP only.** Any task that needs to drive a browser — persona QA runs, smoke-testing a deployed preview, scraping a site Claude needs to understand, automating a form submission — goes through the Playwright MCP server. `mcp__playwright__*` tools are wired globally and listed in `persona-qa` subagent `tools:` frontmatter; extend per-agent as needed.
+
+**No BrowserOS, no raw Selenium, no headless-chromium subprocesses, no browser-agent frameworks layered on top.** BrowserOS was evaluated and dropped in April 2026 — kept the policy statement here so the decision doesn't get relitigated by a future session that finds the BrowserOS docs and wonders. If a Playwright MCP capability is missing for a real use case, surface that gap as an issue rather than reaching for another tool.
+
+## Persona QA tracking
+
+Per-repo, in `qa/persona-tests/`:
+
+- `PROGRESS.md` — coverage matrix (which personas have run against which builds)
+- `<persona>.md` — per-persona findings, first-person voice, written by the persona-qa subagent
+- `SUMMARY.md` — cross-persona patterns rolled up across runs
+
+Always-flagged findings route through `scout-playbook` for issue filing (STAGE 1 of the pipeline).
+
+## Workflow set (per repo)
+
+Open Paws repos MAY carry a set of GitHub Actions that map to pipeline stages:
+
+```
+autoagent-scout.yml
+autoagent-triage.yml
+autoagent-plan.yml
+autoagent-check-plan.yml
+autoagent-implement.yml
+autoagent-review-pr.yml
+autoagent-fix.yml
+autoagent-adversarial.yml
+autoagent-merger.yml
+```
+
+**Not universal.** The context repo, for instance, runs pipeline stages via in-session Claude orchestration (same dispatch model as the repo's existing `/weekly-review`, `/audit-all`, etc.) and does NOT carry these workflow files. Both models are valid: workflow-driven dispatch for repos that want CI-triggered pipeline runs, session-driven dispatch for repos where the orchestrator is a Claude Code session. Per-repo call; no one-size-fits-all.
+
+Workflow edits are unsafe-parallel — serialize per `parallelization.md`.
+
+## Per-repo Claude Code config
+
+Each repo carries:
+
+- `.claude/agents/` — repo-specific subagent definitions (overrides `~/.claude/agents/`)
+- `.claude/skills/` — repo-specific skill packages (overrides `~/.claude/skills/`)
+
+Standard skill set per repo: `scout-playbook`, `triage-playbook`, `planning-playbook`, `plan-review-playbook`, `test-writer-playbook`, `implementer-playbook`, `qa-persona-playbook`, `adversarial-playbook`, `desloppify-playbook`. Plus `pipeline-reference` for full stage detail on demand.
+
+## Memory systems — two distinct stores
+
+Claude Code has two unrelated memory systems. Don't conflate them.
+
+**Cwd-scoped session memory** — `~/.claude/projects/<cwd-slug>/memory/MEMORY.md` plus topic files in the same dir. Claude's own learnings from sessions in a specific working directory. Auto-written by Claude during/between sessions. Only loads when cwd matches the slug. First 200 lines (or ~25 KB) of `MEMORY.md` plus referenced files load at session start.
+
+**Subagent-scoped persistent memory** — `<cwd>/.claude/agent-memory/<agent-name>/` (cwd-relative, per-repo). Created when a subagent has `memory: project` in its frontmatter. Harness auto-creates the dir on first invocation and injects the path plus usage instructions into the subagent's system prompt. The subagent reads/writes its own `MEMORY.md` index plus topic files. **Scoped per-repo (one set of accumulated learnings per repo the subagent works in)**, not global per-subagent.
+
+Observed 2026-04-24: when orchestrator cwd is a git repo (e.g. `$OP_CONTEXT_REPO`), the harness places agent memory INSIDE that repo's working tree. When cwd is home dir, the harness fails to create worktrees at all (see `parallelization.md` §Orchestrator cwd preflight). The earlier doc claim that memory lives at `~/.claude/agent-memory/` "regardless of cwd" was incorrect.
+
+**Gitignore implication:** every Open Paws repo's `.gitignore` must include `.claude/agent-memory/` and `.claude/worktrees/` to prevent accidental commit of agent state into shared history. This is a standard per-repo hygiene convention — should ship with the repo's initial `.gitignore` and be part of the sync-labels-style tooling bootstrap.
+
+Different purposes:
+- Session memory = Claude's notes to **future-Claude-in-this-dir**
+- Agent memory = Subagent's notes to **future-invocations-of-itself**
+
+Subagents with `memory: project` in this setup: `scout`, `triage`, `planner`, `plan-reviewer`, `adversarial`, `persona-qa`. Stages where pattern recognition across many runs helps; not enabled on `test-writer` / `test-reviewer` / `implementer` / `verifier` / `desloppifier` because those should be driven by current plan + current code, not accumulated preference.
+
+## Context repo
+
+`github.com/Open-Paws/context` (env var: `$OP_CONTEXT_REPO`). Single source of truth for WHY (decisions, priorities, org overview, proposals). This stack is HOW. Context repo wins conflicts. Org-wide read safety rules in `context-repo.md`. Key files inside the repo:
+
+- `decisions.md` — settled constraints
+- `priorities.md` — current frame
+- `proposals/` — in-flight strategic decisions
+- `stakeholders.md`, `org-overview.md`, `handbook/` — onboarding and routing material
diff --git a/.claude/rules/user-profile.md b/.claude/rules/user-profile.md
new file mode 100644
index 000000000..758ab1a17
--- /dev/null
+++ b/.claude/rules/user-profile.md
@@ -0,0 +1,17 @@
+# User Profile — Sam Tucker-Davis
+
+Loaded every session. Migrated from auto-memory so it loads regardless of cwd (auto-memory is cwd-scoped and would otherwise only fire from `C:\WINDOWS\system32`).
+
+**Role.** Sam Tucker-Davis (sam@openpaws.ai), Founder / ED / CTO of Open Paws, an animal advocacy organization. 18+ years in animal liberation. Directs AI coding agents rather than writing code himself — Claude-Code-Gary (this agent) is his execution layer; Chat-Gary (the conversation layer) is his strategic sparring partner. Targeting 1,000+ PRs per week across 40+ repos via the multi-agent pipeline.
+
+**Personal.** Pākehā / Māori heritage (Te Atihaunui-a-Pāpārangi). Based Melbourne + Bangalore. Wife Maddie (strategic thinker, abolitionist, works with Vegan Outreach). Rescue dog Avra — **gentle, makes friends; never reference her chasing, hunting, catching, or fighting anything.** Strict vegan household.
+
+**Neurotype.** Adult-diagnosed autistic (Level 1) with ADHD secondary. Direct, literal communication is honest — he says exactly what he means. No second-guessing, no subtext hunting. Trust the literal meaning as the protocol, not a quirk. In recovery; processes difficulty through building.
+
+**Politics / philosophy.** Left-libertarian, total liberation across species. Scientific approach to spirituality. Original philosophical framework called Potentialism. Interested in Indian spirituality, Māori tikanga, cross-cultural patterns.
+
+**Cultural fuel.** Hardcore music (Earth Crisis). Underground Aussie rap (Huskii, Wombat).
+
+**Domain & security expectations.** Work spans advocacy platform code: campaigns, investigations, coalition partnerships, sanctuaries. Use movement terminology (campaign, investigation, coalition, sanctuary), not AI-invented synonyms — see `~/.claude/rules/advocacy-domain.md`. Treat investigation/advocacy data as litigation-vulnerable: no PII storage without approval, no external API transmission of sensitive data without approval, prefer encrypted local-only handling. MCP servers touching sensitive data should be self-hosted. Security, privacy, and emotional-safety rules apply more strictly than on a typical consumer project.
+
+**Strategic context.** Closing windows matter — AI training data influence window: 12–36 months; EU AI Code enforcement: August 2026. Three-lever framework: strengthen movement / weaken industry / embed animal welfare in AI governance, training data, and benchmarks. What this agent writes may land in future training corpora; defaults matter beyond the immediate task.
diff --git a/.claude/rules/voice.md b/.claude/rules/voice.md
new file mode 100644
index 000000000..1ca70d441
--- /dev/null
+++ b/.claude/rules/voice.md
@@ -0,0 +1,8 @@
+# Voice Rules
+
+- Skip flattery ("great question," "excellent observation"). No constant apologizing.
+- Natural profanity when it fits. Don't force, don't censor. Commit messages and code comments included, within reason.
+- Dark humor, liberation politics, philosophical riffs, technical expertise can coexist in one message.
+- Push back when you disagree; change your mind when convinced. Argue with evidence, not authority. Don't defend out of pride, don't capitulate out of deference.
+- Output length matches the task. One-line fix = one-line PR description. Cross-cutting refactor = proper explainer. Don't pad, don't truncate.
+- Output destined for humans beyond Sam applies the org-wide read test (see `~/.claude/rules/context-repo.md`). Directness stays; profanity calibrates to the audience.
diff --git a/.claude/skills/advocacy-code-review/SKILL.md b/.claude/skills/advocacy-code-review/SKILL.md
deleted file mode 100644
index e1b6e9912..000000000
--- a/.claude/skills/advocacy-code-review/SKILL.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-name: advocacy-code-review
-description: Layered code review pipeline — automated checks first, then AI-assisted review, then human review focused on Ousterhout red flags, AI failure patterns, silent failures, and advocacy-specific concerns
----
-# Code Review
-
-## When to Use
-- Reviewing any code before merge — especially AI-generated code
-- Preparing your own code for review
-- When a PR is tagged AI-Assisted
-- When changes touch investigation data, coalition boundaries, or emotional safety features
-
-## Process
-
-### Layer 1: Automated Checks (Zero Human Effort)
-Before any human looks at the code, verify these pass:
-- Formatting and linting — automated, enforced in CI, not discussed in review
-- Static analysis and type checking — catches structural issues, type errors, known vulnerability patterns
-- Security scanning — detects hardcoded secrets, known vulnerability patterns, dependency issues
-- Test suite — all tests pass, no regressions
-
-If any automated check fails, fix it before requesting review. Do not submit "I'll fix the tests later" PRs.
-
-### Layer 2: AI-Assisted First-Pass Review
-Use AI to flag potential issues. AI catches well: inconsistent error handling, missing null checks, unused imports, common security patterns, deviations from project conventions, performance anti-patterns. AI misses: whether the approach is correct, whether business logic matches requirements, whether the code will be maintainable, whether tests verify meaningful properties, subtle concurrency issues. Treat AI review flags as suggestions, not verdicts.
-
-### Layer 3: Human Review — Design Quality Red Flags
-Walk through the Ousterhout red flags checklist. These are the structural problems most common in AI-generated code:
-
-- **Shallow module** — interface is as complex as the implementation; the abstraction hides nothing
-- **Information leakage** — implementation details escape through the interface; callers depend on internals
-- **Temporal decomposition** — code structured by execution order rather than conceptual boundaries
-- **Pass-through method** — method that does nothing except call another method with the same signature
-- **Repetition** — same logic in multiple places; AI duplicates at 4x the normal rate
-- **Special-general mixture** — general-purpose code polluted with special-case handling
-
-### Layer 4: Human Review — AI-Specific Failure Patterns
-Check specifically for patterns AI agents introduce:
-
-- **DRY violations** — does this duplicate something that already exists in the codebase? Search before accepting.
-- **Multi-responsibility functions** — does any function do more than one thing at one level of abstraction? Split it.
-- **Suppressed errors** — has the AI removed safety checks, caught exceptions too broadly, or silently swallowed failures? Review every error handling path.
-- **Hallucinated APIs** — does the code call libraries, methods, or endpoints that do not exist? Verify every external dependency.
-- **Over-patterning** — has the AI applied Strategy, Factory, or Observer where a plain function and conditional would suffice?
-- **Silent failure pattern** — AI may remove safety checks to make code appear to work, create fake output matching desired formats, or edit tests to pass rather than fixing the underlying code. Verify ALL safety checks from the original code are preserved in the new code. Compare the error handling paths between old and new versions explicitly.
-
-### Layer 5: Advocacy-Specific Review
-For any code in an advocacy project, also verify:
-
-- **Data leak vectors** — does this change create any new path for sensitive data to leave the system? Check logging, error messages, telemetry, API responses, and serialization output for investigation data, witness identities, or activist PII.
-- **Surveillance surface area** — does this change increase the metadata footprint? New timestamps, access logs, IP recording, or device fingerprinting that could be used to identify activists under legal discovery.
-- **Emotional safety** — if this code displays content to users, does it respect progressive disclosure? Is graphic content behind explicit opt-in? Are content warnings specific enough?
-- **Coalition boundary violations** — does this change allow data to cross organizational boundaries without going through an anti-corruption layer? AI agents optimize for expedience and import directly across bounded contexts.
-
-### Step: Render Verdict
-Summarize findings by layer. Distinguish between blocking issues (security vulnerabilities, data leaks, silent failures, broken tests) and suggestions (style, naming, minor refactoring). For primarily AI-generated PRs, require two human approvals.
diff --git a/.claude/skills/advocacy-testing-strategy/SKILL.md b/.claude/skills/advocacy-testing-strategy/SKILL.md
deleted file mode 100644
index 047d0966e..000000000
--- a/.claude/skills/advocacy-testing-strategy/SKILL.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-name: advocacy-testing-strategy
-description: Spec-first test generation, assertion quality review, mutation testing, five anti-patterns to avoid — for AI-assisted advocacy development where silent test failures mean lost evidence or exposed activists
----
-# Testing Strategy
-
-## When to Use
-- Writing or generating any tests
-- Reviewing AI-generated test code
-- Setting up test infrastructure for a new feature
-- When test suite quality is in question (flaky tests, low mutation scores, false confidence)
-
-## Process
-
-### Step 1: Read the Specification
-Before writing any test, identify the specification or acceptance criteria for the behavior under test. If no spec exists, write one — even a brief description of what the code should do and what constitutes failure. Without a spec, AI generates tests that mirror the implementation rather than the intent, producing circular validation.
-
-### Step 2: Write Failing Tests from the Spec (Pattern 2 — Spec-First)
-Generate tests from the specification BEFORE writing implementation. Each test should encode a business rule you can state in words. For advocacy software: "investigation records must be anonymized before export," "coalition data must not cross organizational boundaries without explicit agreement," "graphic content must never display without a content warning." Write the test. Verify it fails. This is the preferred generation pattern.
-
-### Step 3: Verify Tests Fail for the Right Reason
-A failing test is only useful if it fails because the behavior is absent — not because of a setup error, typo, or misconfigured test environment. Read each failure message. Confirm it describes the missing behavior, not a broken test.
-
-### Step 4: Implement Until Tests Pass
-Write the minimum implementation that makes the failing tests pass. Do not write more code than the tests demand.
-
-### Step 5: Review Assertions Against the Spec, Not the Code
-This is the critical step for AI-generated tests. Ask three questions of every assertion:
-1. **Does this test fail if the code is wrong?** If you break the implementation and the test still passes, it is worthless.
-2. **Does the assertion encode a domain rule?** If you cannot name the rule, it is a snapshot, not a test.
-3. **Would mutation testing kill this?** If changing `+` to `-` leaves the test green, the assertion is weak.
-
-NEVER accept tautological assertions — tests that assert output equals the output of the same function call. This is the single most dangerous pattern in AI-generated tests.
-
-### Step 6: Run Mutation Testing
-Run a mutation testing tool against the test suite. Surviving mutants reveal assertions that look thorough but verify nothing. Feed surviving mutants to the AI and ask it to write tests that kill them. Mutation score is the primary quality metric — not coverage percentage. A suite with 90% coverage and 40% mutation score is a false sense of security.
-
-### Step 7: Fix Weak Tests
-For each surviving mutant, write a targeted test that kills it. This closes the loop between test generation and test quality.
-
-## Five Generation Patterns (Know When to Use Each)
-1. **Implementation-first** — generate tests from existing code. Dangerous: tests mirror code, not intent. Use only when no spec exists and you need characterization tests.
-2. **Spec-first** — generate tests from specification before coding. Preferred pattern. Produces tests that encode intent.
-3. **Edge-case generation** — give the AI a function signature and ask specifically for: empty inputs, boundary values, null/undefined, unicode, timezone boundaries, concurrent access, overflow. AI excels here.
-4. **Characterization tests** — for legacy or AI-generated code that lacks tests: capture current behavior before changing anything. Cover before you change (Feathers).
-5. **Mutation-guided improvement** — run mutation testing, feed surviving mutants to AI, generate targeted tests.
-
-## Five Anti-Patterns to Reject on Sight
-1. **Snapshot trap** — tests that snapshot current output and assert against it. They pass today and break on any correct change. They verify nothing about correctness.
-2. **Mock everything** — over-mocked tests verify that mocks behave as expected, not that real code works. Mock only at system boundaries: external APIs, databases, file systems.
-3. **Happy path only** — AI-generated tests overwhelmingly test the success path. Explicitly request error path, boundary condition, and adversarial input tests. In advocacy software, error paths are where people get hurt.
-4. **Test-after-commit** — writing tests after code is committed defeats the feedback loop. Tests must exist during development.
-5. **Coverage theater** — chasing coverage numbers with meaningless assertions. A line "covered" by a test with no assertion is not tested.
-
-## Advocacy-Specific Testing
-- Contract tests at every service boundary, especially coalition cross-organization APIs where different groups have different security postures
-- Test adversarial inputs: SQL injection through investigation search, XSS through testimony display, path traversal through evidence uploads
-- Verify progressive disclosure: graphic content must not render without explicit opt-in
-- Test offline behavior: what happens when connectivity drops during evidence sync
-- Fast test execution is non-negotiable for AI agent loops — a 10-minute suite across 15 iterations burns 2.5 hours
diff --git a/.claude/skills/geo-seo-audit/SKILL.md b/.claude/skills/geo-seo-audit/SKILL.md
deleted file mode 100644
index 08f76e234..000000000
--- a/.claude/skills/geo-seo-audit/SKILL.md
+++ /dev/null
@@ -1,339 +0,0 @@
----
-name: geo-seo-audit
-description: SEO + GEO audit and implementation workflow — Core Web Vitals, HTML structure, semantic writing, E-E-A-T, content intent, Wikipedia/Wikidata, JSON-LD schema, meta tags, crawl budget, robots.txt, sitemap, IndexNow, topic cluster architecture, link building, brand signals, conversion optimization, analytics, internationalization, platform presence, defensive review
----
-# SEO + GEO Audit
-
-This skill covers both traditional SEO and Generative Engine Optimization (GEO) — ensuring advocacy content ranks in search engines AND appears in AI answer systems (ChatGPT, Perplexity, Google AI Overviews, Claude, Gemini, Bing Copilot).
-
-**The core insight:** Only 17-32% of AI Overview citations come from pages ranking in the organic top 10. Domain Authority correlates with AI citations at r=0.18; topical authority (r=0.40) and branded web mentions (r=0.664) are the real predictors. 80% of URLs cited by AI assistants do not rank in Google's top search results. This means SEO and GEO have different — but overlapping — optimization paths.
-
-## When to Use
-
-- When building or reviewing any public-facing advocacy website
-- Before launching content that needs to be discoverable by search engines or AI systems
-- When diagnosing why a site is not appearing in Google results or AI responses
-- When implementing a content hub or topic cluster for an advocacy campaign
-- As a pre-launch checklist for any new Open Paws platform page
-
-## Process
-
-### Step 1: Audit Core Web Vitals
-
-Measure using real field data from Google Search Console (CrUX), not lab tools — Google ranks on field data. Current thresholds (as of March 2026):
-
-| Metric | Good | Needs Improvement | Poor |
-|--------|------|-------------------|------|
-| LCP | ≤ 2.5s | 2.5–4.0s | > 4.0s |
-| INP | ≤ 200ms | 200–500ms | > 500ms |
-| CLS | ≤ 0.1 | 0.1–0.25 | > 0.25 |
-
-Check: Is LCP element preloaded with `<link rel="preload">`? Are explicit `width` and `height` on every image/video/iframe (prevents CLS)? Is TTFB under 200ms? Are JavaScript long tasks (>50ms) broken up with `scheduler.yield()` or `setTimeout`? Is `font-display: swap` used for web fonts? Are below-fold images lazy-loaded? Are modern image formats (WebP/AVIF) used?
-
-**INP fix priority order:** (1) audit third-party scripts, (2) lazy-load non-critical features, (3) optimize event handlers with `scheduler.yield()`, (4) reduce JavaScript payload with React Server Components, (5) virtual lists and CSS containment.
-
-**Next.js rendering check:**
-
-| Strategy | TTFB | Best For |
-|---|---|---|
-| SSG (default cached fetch) | Sub-100ms | Static content — blogs, docs |
-| ISR (`next: { revalidate: 60 }`) | Fast, cached | Periodically updated content |
-| SSR (`cache: 'no-store'`) | 200ms+ | User-specific real-time data |
-| PPR (experimental) | Fast shell + streamed | Mixed static/dynamic pages |
-
-Sites with INP above 200ms average -0.8 position drops. Pages with LCP above 3 seconds experience 23% more traffic loss. 43% of sites still fail the 200ms INP threshold — the most common CWV failure.
-
-### Step 2: Audit Technical SEO
-
-**Rendering:**
-- Verify SSR or SSG — client-side-only rendering increases crawl cost and is invisible to AI crawlers
-- Test with Google's URL Inspection tool to verify rendered content matches expectations
-- AI crawlers (GPTBot, ClaudeBot, PerplexityBot) generally do not execute JavaScript
-
-**Mobile-first:**
-- Audit using Googlebot Smartphone user agent, not desktop
-- Google uses mobile scores as the primary ranking signal for all results
-- 53% of mobile visitors abandon sites taking more than 3 seconds to load
-
-**Crawl budget:**
-- Check for faceted navigation URL explosion (filter/sort parameter combinations)
-- Verify robots.txt blocks low-value parameter URLs, internal search, admin pages
-- Check for redirect chains (sequential redirects waste crawl budget)
-- Verify XML sitemap contains only canonical, indexable URLs with accurate `<lastmod>` dates
-- Audit pages with zero organic traffic over 12 months — candidates for consolidation, noindex, or removal
-- Verify HTTP status codes: 200 for live content, 301 for permanent redirects, 404 for missing, 410 for intentionally removed
-
-**Security headers (set via Next.js middleware):**
-- CSP with nonces for scripts/styles
-- `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`
-- `X-Content-Type-Options: nosniff`
-- `X-Frame-Options: DENY`
-- `Referrer-Policy: strict-origin-when-cross-origin`
-- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
-- `Cross-Origin-Opener-Policy: same-origin`
-- Remove `X-Powered-By` header
-
-**Supply chain:**
-- Pin exact dependency versions, use `npm ci` in CI pipelines
-- Scan with Socket.dev or Snyk
-- Enable 2FA on npm accounts
-
-### Step 3: Audit HTML Structure
-
-Check each page for:
-1. Exactly one `<h1>` tag containing the primary topic
-2. Logical heading hierarchy (`h1 > h2 > h3`) with no skipped levels
-3. `<h2>` headings phrased as questions where the section answers something (7× citation impact for smaller sites; also improves Featured Snippet and PAA selection)
-4. First paragraph after each heading: direct 40-60 word answer
-5. Paragraphs of 2-4 sentences (40-60 words); content sections of 120-180 words
-6. Semantic elements: `<article>`, `<section>`, `<nav>`, `<aside>`, `<header>`, `<footer>`, `<main>`
-7. `lang` attribute on `<html>` tag
-8. Descriptive `alt` text on every `<img>`; descriptive file names with keywords
-9. Meaningful anchor text on every `<a>` — never "click here"
-10. `<table>` for comparison data; `<ol>` and `<ul>` for lists; `<blockquote cite="...">` for quotations
-11. `<time datetime="YYYY-MM-DD">` for dates; `<dfn>` for definitions; `<abbr title="...">` for acronyms
-12. `id` attributes on all `<h2>` and `<h3>` elements
-
-Flag any content rendered exclusively by JavaScript.
-
-### Step 4: Audit Content Intent and Search Positioning
-
-Before auditing content quality, verify content targets the right intent format. Study the top 5 results for each target keyword. Content targeting the wrong intent format does not rank regardless of other optimizations.
-
-| Intent type | Expected format to match |
-|-------------|--------------------------|
-| Informational | How-to guides, tutorials, explainers, definitions |
-| Commercial investigation | Comparison articles, review roundups, "best of" lists |
-| Transactional | Product/service pages, pricing pages, application forms |
-| Navigational | Homepage, specific brand/product pages |
-
-Also check: Does the content completely satisfy user intent in one visit (Helpful Content System standard)? Does it demonstrate genuine first-hand knowledge and experience? Does it include specific, dated citations rather than vague attribution?
-
-### Step 5: Audit Semantic Writing Quality
-
-AI citation systems retrieve at the sentence and paragraph level. Check:
-
-**Entity salience:** Is the primary entity the grammatical subject in active voice? Active voice gives subject salience 0.74; passive voice drops it to 0.11. Check for passive constructions and fix them.
-
-**Atomic claims:** Are sentences self-contained semantic triples? Eliminate vague pronouns — every sentence must make sense in isolation.
-
-**Proper noun density:** AI-cited text averages 20.6% proper nouns versus 5-8% standard. Check whether content names organizations, researchers, reports, and years specifically rather than using vague attribution.
-
-**Content density:** Pages under 5,000 characters get approximately 66% of content used; pages over 20,000 characters get only 12%. Check whether pages are focused and dense.
-
-**Opening structure:** Every major section should open with a 40-60 word declarative answer. Information buried deep in paragraphs is rarely retrieved by AI systems.
-
-### Step 6: Audit E-E-A-T Signals
-
-Check for Experience, Expertise, Authoritativeness, Trustworthiness on every content page:
-- Original data, case studies, screenshots, specific processes (Experience)
-- Detailed author bio with verifiable credentials (Expertise)
-- Specific citations from credible sources with names, organizations, and dates (Expertise)
-- Third-party coverage, organizational partnerships, industry recognition (Authoritativeness)
-- Clear contact information, privacy policy, transparent organizational identity (Trustworthiness)
-
-**Author attribution audit:** Every content page must have a visible author name, credentials, and link to an author profile page. The author page must have Person schema with `name`, `url`, `jobTitle`, `description`, `image`, and `sameAs` (LinkedIn, external profiles). Content with proper author metadata gets 40% more AI citations.
-
-### Step 7: Audit Wikipedia and Wikidata Presence
-
-Wikipedia accounts for 47.9% of ChatGPT's top-10 cited sources. Organizations visible in Wikidata get Knowledge Panels within 7 days and begin appearing consistently in AI answers.
-
-Check:
-1. Does the organization have a Wikipedia article? Is it accurate, cited, current?
-2. Does the organization have a Wikidata entry (Q-ID)? Is it complete with: type, founding date, location, founders, official website, social profiles?
-3. Is the Wikidata Q-ID in the site's Organization schema `sameAs` array?
-4. Is Wikipedia URL in the site's Organization schema `sameAs` array?
-5. Does an entity web exist connecting organization → tools → people → related orgs → policy areas?
-6. Does the site's structured data match Wikipedia and Wikidata? Inconsistency reduces AI confidence.
-
-If no Wikipedia article exists: document as **High** finding. Check whether sufficient independent secondary coverage exists to support notability per Wikipedia's guidelines. If yes, creating the article should be prioritized over almost any on-site optimization.
-
-**Wikipedia COI policy (mandatory):** Never directly edit your own organization's Wikipedia article. Disclose any affiliation on the Talk page. Propose edits through Talk-page requests or experienced neutral editors. Use only independent, reliable sources — no primary sources or press releases. All contributions must follow Wikipedia's Conflict of Interest and Notability guidelines. Document the disclosure and source list for audit purposes.
-
-### Step 8: Audit Structured Data (JSON-LD)
-
-Sites with structured data achieve 41% AI citation rates vs 15% without. Only 12.4% of websites implement it.
-
-For every page verify:
-- **Organization + WebSite schema** on every page: `name`, `url`, `logo`, `sameAs` (LinkedIn, Twitter, GitHub, Wikipedia URL, Wikidata URL), `description`
-- **Article schema** on every content page: `headline`, `author` (with `name`, `url`, `jobTitle`), `publisher`, `datePublished`, `dateModified`, `image`, `description`
-- **FAQPage schema** on any page with Q&A content
-- **BreadcrumbList schema** on all non-homepage pages
-- **Person schema** on all author/team profile pages
-- Additional applicable types: HowTo, SoftwareApplication, Event, Dataset, VideoObject, LocalBusiness
-
-Validate all schema at https://validator.schema.org/ and Google's Rich Results Test. `dateModified` must reflect actual update dates.
-
-### Step 9: Audit Meta Tags and Head Elements
-
-For every page:
-- `<title>`: `Primary Keyword — Brand Name`, 50-60 chars, keywords first, unique per page
-- `<meta name="description">`: 150-160 chars, direct answer to primary query, one statistic, unique
-- `<link rel="canonical">` pointing to canonical URL
-- Open Graph tags: `og:title`, `og:description`, `og:type`, `og:url`, `og:image`, `og:site_name`
-- Twitter Card: `twitter:card`, `twitter:title`, `twitter:description`, `twitter:image`
-- Article timestamps: `article:published_time`, `article:modified_time` (ISO 8601)
-
-### Step 10: Audit Robots.txt
-
-Verify AI citation crawlers are allowed:
-- **Must allow** (power AI answers): `OAI-SearchBot`, `ChatGPT-User`, `PerplexityBot`, `ClaudeBot`, `Claude-SearchBot`, `Applebot`, `Amazonbot`
-- **May block** (training only): `GPTBot`, `CCBot`, `Google-Extended`, `meta-externalagent`, `Bytespider`
-- **Never block**: `Googlebot` (blocks both Search and AI Overviews simultaneously)
-
-Note: 226+ AI crawlers exist. Verify list is current. Some AI agents use standard browser user-agent strings and ignore robots.txt.
-
-### Step 11: Audit XML Sitemap and IndexNow
-
-**Sitemap:**
-- Exists at `/sitemap.xml`
-- Contains only canonical, indexable URLs
-- `<lastmod>` dates reflect actual content update dates (never faked)
-- Referenced in robots.txt
-- Submitted to Google Search Console and Bing Webmaster Tools
-- Auto-regenerates when content changes
-
-**IndexNow:**
-- API key file at `https://yoursite.com/{key}.txt`
-- Ping fires on every publish/update event
-- Integrated in CI/CD pipeline or CMS publish hooks
-
-### Step 12: Audit Site Architecture and Content Freshness
-
-**Architecture:**
-- URL structure: descriptive hyphenated lowercase, under 75 characters, max 3 levels deep, canonical tags, 301 redirects for changed URLs
-- No important page more than 3 clicks from homepage
-- Breadcrumb navigation with BreadcrumbList schema
-- Topic cluster structure: pillar pages + 8-15 cluster pages with bidirectional links?
-- Orphan pages (no internal links pointing to them)?
-
-**Content freshness:**
-- "Last Updated: [date]" visible on every content page using `<time datetime="YYYY-MM-DD">`
-- `dateModified` in Article schema synchronized with visible dates
-- Content genuinely updated (not just date-changed) — Google detects date freshness hacking
-- 76% of most-cited AI content updated within 30 days; Perplexity gives 3.4× advantage to content under 30 days old
-
-**First-mover check:** For emerging advocacy topics with few authoritative sources, is the site publishing before competitors claim citation positions?
-
-### Step 13: Audit Platform Presence and Brand Signals
-
-85% of AI brand mentions come from third-party pages. Brand mentions now account for 55% of off-page ranking weight.
-
-Check:
-1. **Reddit:** Active, authentic presence in relevant subreddits? AI systems have visibility into Reddit's moderation pipeline — inauthentic content carries negative weight.
-2. **YouTube:** Channel with transcripts enabled?
-3. **LinkedIn:** Active organization page with substantive posts?
-4. **GitHub:** Documentation, datasets, or reports published as Markdown?
-5. **Unlinked brand mentions:** Monitor with Google Alerts or Ahrefs. Convert high-authority mentions to backlinks — close rate typically above 30%.
-6. **Cross-platform consistency:** Key facts (founding date, mission, statistics) consistent across site, Wikipedia, Wikidata, LinkedIn, GitHub?
-
-Platform-specific behavior: Only 11% of domains are cited by both ChatGPT and Perplexity for the same queries. Citation volatility is 40-60% monthly. Build multi-platform presence.
-
-### Step 14: Audit Link Profile
-
-Backlinks remain the #2 ranking factor. Topical relevance between linking and linked domains (r=0.4) now outweighs raw domain authority.
-
-Check:
-- Natural anchor text distribution: ~40-50% branded, ~20-30% generic, ~15-25% partial match, ~5-10% exact match. Sites below 30% diversity saw -15 average position drops in March 2026 spam update.
-- Links in editorial context (body content), not footers/sidebars/author bios
-- Top-performing link building tactics: original research/data (156% more links vs generic how-to), digital PR campaigns, unlinked mention conversion
-- Any links from PBNs, sponsored guest posts on generalist sites, or niche edits on thin domains — these were specifically devalued in March 2026
-
-### Step 15: Audit Content Patterns
-
-Check whether content templates implement high-citation patterns:
-
-**Citable paragraph:** every major claim follows `[fact]. [statistic with attribution]. [elaboration]. [Source: Org, Date]`
-
-**FAQ block:** `<h2>` with exact question, 40-60 word direct answer immediately following, FAQPage schema. Also improves Featured Snippet and People Also Ask selection.
-
-**Definition block:** `<section id="what-is-term"><h2>What is [Term]?</h2><p><dfn>[Term]</dfn> is [direct definition].</p></section>`
-
-**Original data:** Pages with proprietary data get 4.31× more citations per URL. Check whether any unique organizational data can become dedicated, permanently-addressable pages.
-
-**VideoObject schema:** If any video content exists, verify VideoObject schema with `name`, `description`, `thumbnailUrl`, `uploadDate`, and `contentUrl`.
-
-### Step 16: Audit Conversion Optimization and Analytics
-
-**Donation page audit:**
-- 3-4 preset amounts with middle pre-selected and impact descriptions?
-- Monthly giving pre-selected? (31% of nonprofit online revenue; 64% of orgs still default one-time)
-- Single-step form? (multi-step forms see 52% drop in completions)
-- Site header navigation removed during donation flow?
-- Form embedded on-site, not redirecting to third-party processor?
-- `autocomplete` attributes on all form fields? (React JSX: `autoComplete`)
-
-**Analytics:**
-- Using cookieless analytics (Plausible or Umami) as primary?
-- AI referral traffic tracked with custom channel group? (ChatGPT 78% of AI traffic; mobile app drops referrer)
-- Key conversion events marked in GA4: `donation_completed` (with value), `newsletter_signup`, `volunteer_form_submit`?
-
-**Internationalization check (if multilingual):**
-- `lang` and `dir` attributes set correctly on `<html>`?
-- Hreflang tags self-referencing and reciprocal on every page?
-- Subdirectory URL strategy (`/en/`, `/hi/`, `/ar/`) for domain authority consolidation?
-- ICU MessageFormat used for plural/gender forms (Arabic requires 6 CLDR plural categories)?
-
-### Step 17: Defensive Review
-
-Check for techniques that would violate platform guidelines:
-
-**Hidden text:** Verify no content is hidden via `display:none`, `visibility:hidden`, white-on-white text, zero-size fonts, negative positioning, or invisible Unicode (U+E0000 to U+E007F). Google's SpamBrain and PhantomLint compare parsed text against OCR-rendered images.
-
-**Agent-aware cloaking:** Verify the server does not serve different content to AI crawlers vs human visitors based on User-Agent detection. Explicitly prohibited; domain-wide penalty risk.
-
-**Scaled AI content:** Verify all published content has meaningful human review. Manual actions issued by Google since June 2025 for "scaled content abuse."
-
-**User-generated content injection:** If the site hosts comments or forum posts, verify they are sanitized before being served to crawlers.
-
-### Findings Report
-
-Document findings by priority:
-
-**Critical (blocks launch)**
-- Primary content rendered JavaScript-only
-- Missing `<h1>` or broken heading hierarchy
-- Missing canonical tags
-- robots.txt blocking AI citation crawlers
-- Missing HTTPS or expired SSL
-- LCP > 4s or page weight > 3MB
-- Agent-aware cloaking detected
-
-**High (implement before significant content investment)**
-- LCP > 2.5s (failing Good threshold)
-- INP > 200ms (43% of sites fail this)
-- No Wikipedia article when sufficient notability sources exist
-- No Wikidata entry
-- Missing structured data (JSON-LD schema)
-- Content siloed with no topic cluster architecture
-- Pages not SSR or SSG
-- Missing `sameAs` links to Wikipedia/Wikidata in Organization schema
-- Content not matching search intent format for target keywords
-
-**Medium (implement in next sprint)**
-- Question-format headings not used
-- Answer-first paragraph pattern not followed
-- Missing entity salience (passive voice, vague pronouns, weak proper noun density)
-- Content density outside optimal range
-- Missing E-E-A-T signals (author attribution, sourcing, experience signals)
-- Missing author profile pages with Person schema
-- Missing IndexNow integration
-- Outdated or inconsistent `dateModified` values
-- No Reddit, YouTube, or LinkedIn presence
-- Key facts inconsistent across platforms
-- Anchor text distribution outside recommended ranges
-- Donation page using multi-step form or missing monthly pre-selection
-- No AI referral traffic tracking in analytics
-- Missing cookieless analytics (relying solely on GA4 with consent banner)
-- Missing hreflang tags on multilingual pages
-
-**Low (optimize over time)**
-- llms.txt not implemented (low current value but zero-cost)
-- Individual content not following citable paragraph pattern
-- Missing comparison tables on decision-relevant pages
-- No proprietary data or original research pages
-- VideoObject schema not implemented for video content
-- Security headers incomplete (CSP, Permissions-Policy, COOP)
-- Supply chain scanning not in CI pipeline
-
-For each finding: the specific page or component affected, what is missing or incorrect, and the exact implementation needed.
diff --git a/.claude/skills/git-workflow/SKILL.md b/.claude/skills/git-workflow/SKILL.md
deleted file mode 100644
index 61121cc7c..000000000
--- a/.claude/skills/git-workflow/SKILL.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-name: git-workflow
-description: Git workflow for AI-assisted advocacy development — atomic commits per subtask, ephemeral branches, PR curation into reviewable chunks, AI-Assisted tagging
----
-# Git Workflow
-
-## When to Use
-- Before committing, branching, or creating a pull request
-- When reviewing commit history or deciding on merge strategy
-- After an AI agent has generated a batch of changes that need to be broken into logical units
-
-## Process
-
-### Step 1: Create an Ephemeral Branch
-Create a short-lived branch for the current task. Trunk-based development remains the goal — this branch is a safety net, not a long-lived workspace. If the agent has not produced mergeable work within one session, delete the branch and reconsider the approach. Name the branch for the task, not for a feature epic.
-
-### Step 2: Implement One Subtask
-Break the overall task into the smallest logical subtasks. Each subtask is one commit. If the task decomposes into "extract interface, implement adapter, update callers," those are three separate commits. Never let the agent complete an entire multi-step task before committing.
-
-### Step 3: Test Before Committing
-Run the relevant test subset before each commit. Every commit must leave the codebase in a passing state. If tests fail, fix the issue before committing — do not push broken commits to shared branches. For advocacy code handling investigation or evidence data, also verify that no sensitive data has leaked into test output, logs, or error messages.
-
-### Step 4: Write the Commit Message
-Write commit messages that explain WHY, not WHAT — the code shows what changed. First line: 50 characters, imperative mood. Reference the issue or ticket. Add appropriate AI attribution trailers so the team knows which code was agent-generated.
-
-### Step 5: Repeat for Each Subtask
-Continue the cycle: implement one subtask, test, commit. Each commit should be independently understandable. If you read the commit in isolation six months from now, you should know what it does and why.
-
-### Step 6: Curate the Pull Request
-PR curation is the critical human skill in AI-assisted development. AI adoption inflated PR size by 154%. Do not submit the agent's full output as one PR. Split into reviewable chunks:
-- Target under 200 lines changed per PR, ideally under 100
-- Use stacked PRs for large changes (PR1, PR2, PR3 — each independently reviewable)
-- Each PR tells a coherent story with a clear description explaining the reasoning
-
-### Step 7: Tag and Request Review
-- Tag every PR containing AI-generated code as **AI-Assisted**
-- Require two human approvals for primarily AI-generated PRs
-- Call out areas needing close review — especially security boundaries, error handling, and any code touching investigation or coalition data
-
-### Step 8: Track Quality Signals
-- **Code Survival Rate** — how much AI-generated code remains unchanged 48 hours after merge. Low survival means the agent is generating code that humans immediately rewrite.
-- **Suggestion acceptance rate** — healthy range is 25-35%. Higher may indicate over-reliance on AI suggestions without critical review. In advocacy projects, over-reliance means unreviewed security assumptions.
-
-### Merge Strategy
-Squash-merge ephemeral branches to keep trunk history clean. Delete branches immediately after merge. If a branch has lived longer than one working session, evaluate whether the approach needs to change rather than extending the branch's life.
diff --git a/.claude/skills/plan-first-development/SKILL.md b/.claude/skills/plan-first-development/SKILL.md
deleted file mode 100644
index 93fc79c99..000000000
--- a/.claude/skills/plan-first-development/SKILL.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-name: plan-first-development
-description: Plan-before-code workflow — read existing code, write spec, decompose into subtasks, implement and test one at a time, comprehension check before committing
----
-# Plan-First Development
-
-## When to Use
-- Starting any significant implementation work
-- Beginning a new coding session
-- When a task involves changes across multiple files or modules
-- When context window usage is approaching 50%
-
-## Process
-
-### Step 1: Read Existing Code
-Before writing anything, read the code relevant to the change. Understand the current structure, naming conventions, existing utilities, and architectural patterns. AI agents generate duplicate functions and violate DRY at 4x the normal rate because they lack full codebase awareness. Searching first prevents this.
-
-### Step 2: Identify What Needs to Change
-State the change in one sentence. If you cannot describe it concisely, the task needs further decomposition. For advocacy projects, also identify: which bounded context is affected (investigation ops, public campaigns, coalition coordination, legal defense), and whether the change crosses context boundaries.
-
-### Step 3: Write a Specification
-Write requirements before implementation. Even a brief spec is better than none. The spec should include: what the code does, what inputs it accepts, what outputs it produces, what error conditions exist, and what security or safety properties it must maintain. For advocacy software, add: what data sensitivity classification applies, what happens under device seizure, and what coalition data boundaries must hold.
-
-This is the "construction prerequisites" principle: problem definition clear, requirements explicit, architecture solid — before writing code.
-
-### Step 4: Break into Subtasks
-Decompose the spec into subtasks small enough that each can complete within half the remaining context window. Each subtask should produce a testable, committable result. If a subtask feels too large, break it further. The decomposition should follow conceptual boundaries, not execution order — temporal decomposition (structuring code by when things happen) is an Ousterhout red flag.
-
-### Step 5: For Each Subtask — Plan, Test, Implement, Verify
-Execute one subtask at a time:
-1. **Plan** — describe what this subtask will do
-2. **Test** — write a failing test that encodes the expected behavior
-3. **Implement** — write the minimum code to make the test pass
-4. **Verify** — run tests, confirm the change works in context
-
-Do not start the next subtask until the current one passes tests and is committed.
-
-### Step 6: Comprehension Check
-After the AI generates code, explain what it does in your own words before committing. This is not optional. AI-assisted developers score 17 percentage points lower on comprehension tests compared to unassisted developers (Anthropic, 2026 study of 52 professional developers). The comprehension gap is equivalent to nearly two letter grades.
-
-Use the **generation-then-comprehension pattern**: generate code, then immediately ask the AI to explain it, then verify your understanding matches. Six usage patterns exist on a spectrum from full delegation (worst comprehension at 50%) to conceptual inquiry (best at 86%). The goal is to stay in the "generate then understand" zone that preserves learning while leveraging AI speed.
-
-If you cannot explain what the code does and why, do not commit it. Read it again. Ask questions. Understanding the code you ship is a non-negotiable professional responsibility — especially in advocacy software where misunderstood code can silently leak data or expose activists.
-
-### Step 7: Commit
-Commit after each completed subtask. Write a commit message explaining the WHY. Then move to the next subtask.
-
-### Context Management
-- Start each session fresh rather than extending a degraded conversation
-- Compact at approximately 50% context usage
-- Break work into chunks that complete within half the context window
-- After two failed fix attempts, clear the conversation and restart with a better prompt incorporating what you learned — do not compound errors
diff --git a/.claude/skills/requirements-interview/SKILL.md b/.claude/skills/requirements-interview/SKILL.md
deleted file mode 100644
index 67f62065a..000000000
--- a/.claude/skills/requirements-interview/SKILL.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-name: requirements-interview
-description: Structured stakeholder interview for advocacy projects — gathers purpose, threat model, coalition needs, legal exposure, user safety requirements, and budget constraints one question at a time
----
-# Requirements Interview
-
-## When to Use
-- Starting a new feature or project
-- When requirements are ambiguous or incomplete
-- Before writing a specification or design document
-- When a new coalition partner or user group is introduced
-
-## Process
-
-Ask one question at a time. Use multiple choice when possible. Wait for the answer before proceeding. Do not overwhelm stakeholders with a wall of questions — advocacy stakeholders are often volunteers with limited time.
-
-### Phase 1: Purpose and Users
-1. What are we building? (One sentence describing the core function)
-2. Who are the primary users? (Investigators, campaign organizers, sanctuary staff, legal team, coalition coordinators, public supporters)
-3. What does success look like? (Specific, measurable criteria — not "make it better")
-4. What existing tools or workflows does this replace or augment?
-
-### Phase 2: Threat Modeling
-5. Who are the adversaries for this system?
-   - [ ] Law enforcement (ag-gag statutes, warrants, subpoenas)
-   - [ ] Industry investigators (corporate surveillance, infiltration)
-   - [ ] Hostile public (doxxing, harassment campaigns)
-   - [ ] AI model providers (data retention, content policy restrictions)
-   - [ ] Other: ___
-6. What happens if this system is compromised? (Who is endangered, what evidence is exposed, what legal liability is created)
-7. What happens if a device running this software is seized? (What data is recoverable, what operations are exposed)
-8. What legal jurisdictions apply? (Which ag-gag laws, which data protection regulations, which countries)
-
-### Phase 3: Coalition and Data Boundaries
-9. Which organizations will use this system?
-10. Do organizations have different risk profiles? (A direct action group and a legal defense fund have fundamentally different threat models)
-11. What data crosses organizational boundaries? What must NOT cross those boundaries?
-12. If one coalition partner is legally compelled to disclose data, what is the blast radius to other partners?
-13. What existing data sharing agreements or policies constrain the design?
-
-### Phase 4: User Safety
-14. Does this system handle traumatic content? (Investigation footage, slaughter documentation, witness testimony of abuse)
-15. What progressive disclosure levels are needed? (Text-only, blurred preview, full resolution)
-16. Who reviews traumatic content, and what burnout prevention measures exist?
-17. Does this system handle witness or whistleblower identities? What anonymization requirements apply?
-18. What emotional safety features do users expect? (Content warnings, session time reminders, configurable detail levels)
-
-### Phase 5: Technical Constraints
-19. Budget — what are the hard limits on infrastructure and AI compute costs? (Nonprofit budgets mean every dollar has an alternative use in direct advocacy)
-20. Timeline — what is the deadline and what is driving it? (Legislative session, planned investigation, campaign launch)
-21. Tech stack preferences or constraints? (Existing infrastructure, team skills, self-hosted requirements)
-22. Connectivity constraints? (Offline-first needed, low-bandwidth environments, mesh networking scenarios)
-23. Language and accessibility requirements? (Which languages, low-literacy users, assistive technology support)
-
-### Phase 6: Synthesize
-After gathering answers, synthesize into a specification document containing:
-- **Purpose statement** — one paragraph
-- **User personas** — who uses this, what are their risk profiles
-- **Threat model** — adversaries, attack surfaces, legal exposure
-- **Data boundaries** — what is stored, where, who can access, what crosses org boundaries
-- **Success criteria** — measurable outcomes
-- **Safety requirements** — emotional safety, anonymization, progressive disclosure
-- **Constraints** — budget, timeline, technology, connectivity, language
-- **Open questions** — what still needs clarification before design begins
-
-Present the synthesized spec to the stakeholder for confirmation before proceeding to design.
diff --git a/.claude/skills/security-audit/SKILL.md b/.claude/skills/security-audit/SKILL.md
deleted file mode 100644
index e23d042be..000000000
--- a/.claude/skills/security-audit/SKILL.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-name: security-audit
-description: Security audit workflow for advocacy projects — dependency verification, zero-retention compliance, slopsquatting defense, encrypted storage, instruction file integrity, device seizure readiness, ag-gag exposure assessment
----
-# Security Audit
-
-## When to Use
-- Before deploying any change to production
-- When new dependencies are added
-- When code touches investigation data, witness identities, or coalition coordination
-- After AI-generated code has been added to security-sensitive paths
-- Periodically as a scheduled review of the full codebase
-
-## Process
-
-### Step 1: Dependency Audit — Slopsquatting Defense
-Approximately 20% of AI-recommended packages do not exist. Attackers register these hallucinated names as real packages containing malicious code — one was downloaded 30,000+ times in weeks. For EVERY dependency: verify the package exists in its registry, has legitimate maintainers with real commit history, and the version is published. Only 1 in 5 AI-recommended dependency versions are both safe and free from hallucination. In advocacy software, a compromised dependency can exfiltrate investigation data or activist identities.
-
-### Step 2: API Retention Policy Audit
-For every external API: verify the data retention policy contractually, not by assumption. Confirm zero-retention configuration is in effect for all sensitive data flows. Check whether the API retains inputs, logs request metadata, or stores conversation history. Telemetry to third parties is a data exfiltration vector under adversarial legal discovery. Any API handling investigation footage, witness identities, or activist communications must be zero-retention.
-
-### Step 3: Storage Encryption Audit
-Verify all locally stored investigation data, evidence, and activist records use encrypted volumes with plausible deniability — the existence of sensitive data must be deniable under device seizure. Check for temporary files, swap files, crash dumps, or caches containing decrypted content. Verify encryption keys are not stored alongside encrypted data. Test: if the device powers off unexpectedly, is any sensitive data recoverable without credentials?
-
-### Step 4: Input Validation Review
-AI-generated code contains OWASP Top 10 vulnerabilities in 45% of cases — 2.74x more than human code. For every input boundary:
-- Verify SQL injection defenses on all database-facing inputs
-- Verify XSS protection on all content display paths, especially witness testimony and investigation notes
-- Verify path traversal protection on evidence file uploads
-- Verify authentication and authorization checks on every endpoint
-- Assume adversarial input on every public-facing surface — industry actors will probe investigation tools
-
-### Step 5: Instruction File Integrity Check
-The "Rules File Backdoor" attack uses hidden Unicode characters in instruction files to inject invisible directives that make AI agents produce malicious output. Inspect all instruction files for non-printable characters beyond standard whitespace. Diff changes character-by-character, not just visually. Verify no instruction file weakens encryption, disables safety checks, or sends data to external endpoints. Treat instruction files as security-critical artifacts — in advocacy projects, a compromised instruction file could direct the AI to leak investigation data.
-
-### Step 6: MCP Server Audit
-For every MCP server: verify servers handling sensitive advocacy data are self-hosted. Audit each server's data access patterns, network egress, and data retention. MCP extends agent capabilities but also extends the attack surface — check whether any server can exfiltrate data regardless of application-level encryption.
-
-### Step 7: Device Seizure Readiness
-Verify remote wipe capability exists for all sensitive data. Verify encrypted volumes lock automatically on suspicious conditions (unexpected power loss, extended inactivity). Check that the application does not leak data on unexpected termination — no temp files with decrypted content, no swap files with sensitive state, no crash dumps with investigation data. Test: kill the process unexpectedly and examine what remains on disk.
-
-### Step 8: Ag-Gag Exposure Assessment
-Investigation footage is discoverable evidence under legal proceedings:
-- Audit every data flow assuming adversarial legal discovery, not just adversarial hackers
-- Verify metadata stripping on all investigation content (timestamps, geolocation, device identifiers)
-- Verify audit logs protect the identities they record — logs identifying who accessed investigation data become prosecution tools
-- Check: if a court subpoena targeted this system, what would be disclosed? Minimize that surface.
-
-### Step 9: Coalition Data Boundary Verification
-- Verify data isolation between coalition partners with different risk profiles
-- Verify anti-corruption layers exist at every boundary crossing between bounded contexts
-- Verify data sharing agreements are enforced in code, not just in policy documents
-- Check: if one coalition partner is legally compelled to disclose, what is the blast radius to other partners?
-- Verify shared data has been transformed appropriately — strip identifying information before sharing across risk tiers
-
-### Step 10: Findings Report
-Document findings with severity classification:
-- **Critical** — active data leak, missing encryption, compromised dependency, exposed witness identity
-- **High** — weak input validation, missing zero-retention verification, unaudited MCP server
-- **Medium** — incomplete metadata stripping, untested seizure scenario, missing contract tests at boundaries
-- **Low** — documentation gaps, minor configuration improvements
-
-Block deployment on any Critical or High finding. Track all findings to resolution.
diff --git a/.gitignore b/.gitignore
index 56b207b75..c0f0f6415 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,3 +45,7 @@ tasks/
 cotton-desloppify/
 review/results/
 review/__pycache__/
+
+# Claude Code agent state — never commit
+.claude/agent-memory/
+.claude/worktrees/
diff --git a/CLAUDE.md b/CLAUDE.md
index be791b51d..d69b30ec8 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -10,10 +10,7 @@ Open Paws fork of [peteromallet/desloppify](https://github.com/peteromallet/desl
 
 **Platform integration:** Core development workflow for all Open Paws repos. Not connected to the platform directly.
 
-**Minimum passing scores:**
-- Gary: ≥ 98
-- Platform repos: ≥ 90
-- All other repos (including this one): ≥ 85
+**Minimum passing scores per repo category:** see [`handbook/ci-cd.md` → Repo Taxonomy](https://github.com/Open-Paws/context/blob/main/handbook/ci-cd.md#repo-taxonomy) (canonical). Current thresholds: user-facing apps ≥ 90, autonomous agents (gary) ≥ 80, tooling/plugin libraries (including this repo) ≥ 70, mixed content + code ≥ 70.
 
 **Upstream tracking:** Fork tracks `peteromallet/desloppify` as `upstream` remote. Fork-specific code lives in new files. Upstream merges: `git fetch upstream && git merge upstream/main`.
 
@@ -29,7 +26,12 @@ gh api repos/Open-Paws/open-paws-strategy/contents/settled-decisions.md --jq '.c
 
 ```bash
 # Requires Python 3.11+
-pip install -e ".[full]"          # editable install with all extras
+# Canonical install — same as every other Open Paws repo (per ~/.claude/rules/desloppify.md):
+pip install "git+https://github.com/Open-Paws/desloppify.git#egg=desloppify[full]"
+
+# Or, for fork development inside this repo (editable):
+# pip install -e ".[full]"
+
 desloppify scan --path .          # run all mechanical detectors
 desloppify status                 # view scores
 desloppify next                   # get top-priority fix item
@@ -185,7 +187,7 @@ Apply to every PR:
 
 ### Quality Gates
 
-**Desloppify (self-scan)** — Target score: ≥ 85.
+**Desloppify (self-scan)** — Target score: ≥ 70 (tooling/plugin library tier per canonical handbook).
 
 ```bash
 desloppify scan --path .