Merge pull request 'development' (#119 ) from development into main

Reviewed-on: #119
Merge pull request 'feat(netbox): add platform and primary_ip params to device tools' (#118 ) from feat/netbox-device-update-params into development
2026-01-23 19:47:39 +00:00 · 2026-01-23 19:47:10 +00:00 · 2026-01-23 14:46:09 -05:00 · 2026-01-23 17:50:25 +00:00 · 2026-01-23 17:49:57 +00:00 · 2026-01-23 12:46:18 -05:00
32 changed files with 927 additions and 409 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,32 @@ All notable changes to the Leo Claude Marketplace will be documented in this fil
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## [3.1.2] - 2026-01-23
 ### Added
 - **git-flow:** `/commit` now detects protected branches before committing
  - Warns when on protected branch (main, master, development, staging, production)
  - Offers to create feature branch automatically instead of committing directly
  - Configurable via `GIT_PROTECTED_BRANCHES` environment variable
  - Resolves issue where commits to protected branches would fail on push
 ### Changed
 - **doc-guardian:** Hook switched from `prompt` type to `command` type
  - Prompt hooks unreliable - Claude ignores explicit instructions
  - New `notify.sh` bash script guarantees exact output behavior
  - Only notifies for config file changes (commands/, agents/, skills/, hooks/)
  - Silent exit for all other files - no blocking possible
 - **All hooks:** Stricter plugin prefix enforcement
  - All prompts now mandate `[plugin-name]` prefix with "NO EXCEPTIONS" rule
  - Simplified output formats with word limits
  - Consistent structure across projman, pr-review, code-sentinel, doc-guardian
 ### Fixed
 - Protected branch workflow: Claude no longer commits directly to protected branches and then fails on push (fixes #109)
 - doc-guardian hook no longer blocks workflow - switched to command hook that can't be overridden by model (fixes #110)
 ---
 ## [3.1.1] - 2026-01-22
 ### Added
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,18 +1,58 @@
 # CLAUDE.md
 This file provides guidance to Claude Code when working with code in this repository.
 ## ⛔ MANDATORY BEHAVIOR RULES - READ FIRST
 **These rules are NON-NEGOTIABLE. Violating them wastes the user's time and money.**
 ### 1. WHEN USER ASKS YOU TO CHECK SOMETHING - CHECK EVERYTHING
 - Search ALL locations, not just where you think it is
 - Check cache directories: `~/.claude/plugins/cache/`
 - Check installed: `~/.claude/plugins/marketplaces/`
 - Check source: `~/claude-plugins-work/`
 - **NEVER say "no" or "that's not the issue" without exhaustive verification**
 ### 2. WHEN USER SAYS SOMETHING IS WRONG - BELIEVE THEM
 - The user knows their system better than you
 - Investigate thoroughly before disagreeing
 - If user suspects cache, CHECK THE CACHE
 - If user suspects a file, READ THE FILE
 - **Your confidence is often wrong. User's instincts are often right.**
 ### 3. NEVER SAY "DONE" WITHOUT VERIFICATION
 - Run the actual command/script to verify
 - Show the output to the user
 - Check ALL affected locations
 - **"Done" means VERIFIED WORKING, not "I made changes"**
 ### 4. SHOW EXACTLY WHAT USER ASKS FOR
 - If user asks for messages, show the MESSAGES
 - If user asks for code, show the CODE
 - If user asks for output, show the OUTPUT
 - **Don't interpret or summarize unless asked**
 ### 5. AFTER PLUGIN UPDATES - ALWAYS CLEAR CACHE
 ```bash
 rm -rf ~/.claude/plugins/cache/leo-claude-mktplace/
 ./scripts/verify-hooks.sh
 ```
 **FAILURE TO FOLLOW THESE RULES = WASTED USER TIME = UNACCEPTABLE**
 ---
 ## Project Overview
 **Repository:** leo-claude-mktplace
-**Version:** 3.0.1
+**Version:** 3.1.2
 **Status:** Production Ready
 A plugin marketplace for Claude Code containing:
 | Plugin | Description | Version |
 |--------|-------------|---------|
-| `projman` | Sprint planning and project management with Gitea integration | 3.0.0 |
+| `projman` | Sprint planning and project management with Gitea integration | 3.1.0 |
 | `git-flow` | Git workflow automation with smart commits and branch management | 1.0.0 |
 | `pr-review` | Multi-agent PR review with confidence scoring | 1.0.0 |
 | `clarity-assist` | Prompt optimization with ND-friendly accommodations | 1.0.0 |
@@ -59,7 +99,7 @@ leo-claude-mktplace/
 │   │   ├── .claude-plugin/plugin.json
 │   │   ├── .mcp.json
 │   │   ├── mcp-servers/gitea -> ../../../mcp-servers/gitea  # SYMLINK
-│   │   ├── commands/             # 12 commands (incl. setup)
+│   │   ├── commands/             # 13 commands (incl. setup, debug)
 │   │   ├── hooks/                # SessionStart mismatch detection
 │   │   ├── agents/               # 4 agents
 │   │   └── skills/label-taxonomy/
@@ -255,4 +295,4 @@ See `docs/DEBUGGING-CHECKLIST.md` for systematic troubleshooting.
 ---
-**Last Updated:** 2026-01-22
+**Last Updated:** 2026-01-23
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ AI-guided sprint planning with full Gitea integration. Transforms a proven 15-sp
 - Branch-aware security (development/staging/production)
 - Pre-sprint-close code quality review and test verification
-**Commands:** `/sprint-plan`, `/sprint-start`, `/sprint-status`, `/sprint-close`, `/labels-sync`, `/initial-setup`, `/project-init`, `/project-sync`, `/review`, `/test-check`, `/test-gen`
+**Commands:** `/sprint-plan`, `/sprint-start`, `/sprint-status`, `/sprint-close`, `/labels-sync`, `/initial-setup`, `/project-init`, `/project-sync`, `/review`, `/test-check`, `/test-gen`, `/debug-report`, `/debug-review`
 #### [git-flow](./plugins/git-flow/README.md) *NEW in v3.0.0*
 **Git Workflow Automation**
@@ -257,6 +257,7 @@ leo-claude-mktplace/
 | [COMMANDS-CHEATSHEET.md](./docs/COMMANDS-CHEATSHEET.md) | All commands quick reference |
 | [UPDATING.md](./docs/UPDATING.md) | Update guide for the marketplace |
 | [CANONICAL-PATHS.md](./docs/CANONICAL-PATHS.md) | Authoritative path reference |
 | [DEBUGGING-CHECKLIST.md](./docs/DEBUGGING-CHECKLIST.md) | Systematic troubleshooting guide |
 | [CHANGELOG.md](./CHANGELOG.md) | Version history |
 ## License
--- a/docs/CANONICAL-PATHS.md
+++ b/docs/CANONICAL-PATHS.md
@@ -2,7 +2,7 @@
 **This file defines ALL valid paths in this repository. No exceptions. No inference. No assumptions.**
-Last Updated: 2026-01-20 (v3.0.0)
+Last Updated: 2026-01-23 (v3.1.2)
 ---
@@ -17,10 +17,10 @@ leo-claude-mktplace/
 ├── docs/                       # All documentation
 │   ├── architecture/           # Draw.io diagrams and specs
 │   ├── CANONICAL-PATHS.md      # This file - single source of truth
 │   ├── COMMANDS-CHEATSHEET.md  # All commands quick reference
 │   ├── CONFIGURATION.md        # Centralized configuration guide
 │   ├── DEBUGGING-CHECKLIST.md  # Systematic troubleshooting guide
-│   ├── UPDATING.md             # Update guide
+│   └── UPDATING.md             # Update guide
 │   └── workflows/              # Workflow documentation
 ├── hooks/                      # Shared hooks (if any)
 ├── mcp-servers/                # SHARED MCP servers (v3.0.0+)
 │   ├── gitea/                  # Gitea MCP server
@@ -156,7 +156,6 @@ The symlink target is relative: `../../../mcp-servers/{server}`
 | Type | Location |
 |------|----------|
 | Architecture diagrams | `docs/architecture/` |
 | Workflow docs | `docs/workflows/` |
 | This file | `docs/CANONICAL-PATHS.md` |
 | Update guide | `docs/UPDATING.md` |
 | Configuration guide | `docs/CONFIGURATION.md` |
--- a/mcp-servers/gitea/mcp_server/gitea_client.py
+++ b/mcp-servers/gitea/mcp_server/gitea_client.py
@@ -621,6 +621,40 @@ class GiteaClient:
        response.raise_for_status()
        return response.json()
    def create_org_label(
        self,
        org: str,
        name: str,
        color: str,
        description: Optional[str] = None
    ) -> Dict:
        """
        Create a new label at the organization level.
        Organization labels are shared across all repositories in the org.
        Use this for workflow labels (Type, Priority, Complexity, Effort, etc.)
        Args:
            org: Organization name
            name: Label name (e.g., 'Type/Bug', 'Priority/High')
            color: Hex color code (with or without #)
            description: Optional label description
        Returns:
            Created label dictionary
        """
        url = f"{self.base_url}/orgs/{org}/labels"
        data = {
            'name': name,
            'color': color.lstrip('#')  # Remove # if present
        }
        if description:
            data['description'] = description
        logger.info(f"Creating organization label '{name}' in {org}")
        response = self.session.post(url, json=data)
        response.raise_for_status()
        return response.json()
    # ========================================
    # PULL REQUEST OPERATIONS
    # ========================================
--- a/mcp-servers/gitea/mcp_server/server.py
+++ b/mcp-servers/gitea/mcp_server/server.py
@@ -622,13 +622,65 @@ class GiteaMCPServer:
                ),
                Tool(
                    name="create_label",
-                    description="Create a new label in the repository",
+                    description="Create a new label in the repository (for repo-specific labels like Component/*, Tech/*)",
                    inputSchema={
                        "type": "object",
                        "properties": {
                            "name": {
                                "type": "string",
-                                "description": "Label name"
+                                "description": "Label name (e.g., 'Component/Backend', 'Tech/Python')"
                            },
                            "color": {
                                "type": "string",
                                "description": "Label color (hex code)"
                            },
                            "description": {
                                "type": "string",
                                "description": "Label description"
                            },
                            "repo": {
                                "type": "string",
                                "description": "Repository name (owner/repo format)"
                            }
                        },
                        "required": ["name", "color"]
                    }
                ),
                Tool(
                    name="create_org_label",
                    description="Create a new label at organization level (for workflow labels like Type/*, Priority/*, Complexity/*, Effort/*)",
                    inputSchema={
                        "type": "object",
                        "properties": {
                            "org": {
                                "type": "string",
                                "description": "Organization name"
                            },
                            "name": {
                                "type": "string",
                                "description": "Label name (e.g., 'Type/Bug', 'Priority/High')"
                            },
                            "color": {
                                "type": "string",
                                "description": "Label color (hex code)"
                            },
                            "description": {
                                "type": "string",
                                "description": "Label description"
                            }
                        },
                        "required": ["org", "name", "color"]
                    }
                ),
                Tool(
                    name="create_label_smart",
                    description="Create a label at the appropriate level (org or repo) based on category. Org: Type/*, Priority/*, Complexity/*, Effort/*, Risk/*, Source/*, Agent/*. Repo: Component/*, Tech/*",
                    inputSchema={
                        "type": "object",
                        "properties": {
                            "name": {
                                "type": "string",
                                "description": "Label name (e.g., 'Type/Bug', 'Component/Backend')"
                            },
                            "color": {
                                "type": "string",
@@ -880,6 +932,20 @@ class GiteaMCPServer:
                        arguments.get('description'),
                        arguments.get('repo')
                    )
                elif name == "create_org_label":
                    result = self.client.create_org_label(
                        arguments['org'],
                        arguments['name'],
                        arguments['color'],
                        arguments.get('description')
                    )
                elif name == "create_label_smart":
                    result = await self.label_tools.create_label_smart(
                        arguments['name'],
                        arguments['color'],
                        arguments.get('description'),
                        arguments.get('repo')
                    )
                # Pull Request tools
                elif name == "list_pull_requests":
                    result = await self.pr_tools.list_pull_requests(**arguments)
--- a/mcp-servers/gitea/mcp_server/tools/labels.py
+++ b/mcp-servers/gitea/mcp_server/tools/labels.py
@@ -259,3 +259,101 @@ class LabelTools:
            return lookup[category_lower][value_lower]
        return None
    # Organization-level label categories (workflow labels shared across repos)
    ORG_LABEL_CATEGORIES = {'agent', 'complexity', 'effort', 'efforts', 'priority', 'risk', 'source', 'type'}
    # Repository-level label categories (project-specific labels)
    REPO_LABEL_CATEGORIES = {'component', 'tech'}
    async def create_label_smart(
        self,
        name: str,
        color: str,
        description: Optional[str] = None,
        repo: Optional[str] = None
    ) -> Dict:
        """
        Create a label at the appropriate level (org or repo) based on category.
        Skips if label already exists (checks both org and repo levels).
        Organization labels: Agent, Complexity, Effort, Priority, Risk, Source, Type
        Repository labels: Component, Tech
        Args:
            name: Label name (e.g., 'Type/Bug', 'Component/Backend')
            color: Hex color code
            description: Optional label description
            repo: Repository in 'owner/repo' format
        Returns:
            Created label dictionary with 'level' key, or 'skipped' if already exists
        """
        loop = asyncio.get_event_loop()
        target_repo = repo or self.gitea.repo
        if not target_repo or '/' not in target_repo:
            raise ValueError("Use 'owner/repo' format (e.g. 'org/repo-name')")
        owner = target_repo.split('/')[0]
        is_org = await loop.run_in_executor(
            None,
            lambda: self.gitea.is_org_repo(target_repo)
        )
        # Fetch existing labels to check for duplicates
        existing_labels = await self.get_labels(target_repo)
        all_existing = existing_labels.get('organization', []) + existing_labels.get('repository', [])
        existing_names = [label['name'].lower() for label in all_existing]
        # Normalize the new label name for comparison
        name_normalized = name.lower()
        # Also check for format variations (Type/Bug vs Type: Bug)
        name_variations = [name_normalized]
        if '/' in name:
            name_variations.append(name.replace('/', ': ').lower())
            name_variations.append(name.replace('/', ':').lower())
        elif ': ' in name:
            name_variations.append(name.replace(': ', '/').lower())
        elif ':' in name:
            name_variations.append(name.replace(':', '/').lower())
        # Check if label already exists in any format
        for variation in name_variations:
            if variation in existing_names:
                logger.info(f"Label '{name}' already exists (found as '{variation}'), skipping")
                return {
                    'name': name,
                    'skipped': True,
                    'reason': f"Label already exists",
                    'level': 'existing'
                }
        # Parse category from label name
        category = None
        if '/' in name:
            category = name.split('/')[0].lower().rstrip('s')
        elif ':' in name:
            category = name.split(':')[0].strip().lower().rstrip('s')
        # If it's an org repo and the category is an org-level category, create at org level
        if is_org and category in self.ORG_LABEL_CATEGORIES:
            result = await loop.run_in_executor(
                None,
                lambda: self.gitea.create_org_label(owner, name, color, description)
            )
            result['level'] = 'organization'
            result['skipped'] = False
            logger.info(f"Created organization label '{name}' in {owner}")
        else:
            # Create at repo level
            result = await loop.run_in_executor(
                None,
                lambda: self.gitea.create_label(name, color, description, target_repo)
            )
            result['level'] = 'repository'
            result['skipped'] = False
            logger.info(f"Created repository label '{name}' in {target_repo}")
        return result
--- a/mcp-servers/netbox/mcp_server/server.py
+++ b/mcp-servers/netbox/mcp_server/server.py
@@ -326,7 +326,13 @@ TOOL_DEFINITIONS = {
            'status': {'type': 'string', 'description': 'Device status'},
            'rack': {'type': 'integer', 'description': 'Rack ID'},
            'position': {'type': 'number', 'description': 'Position in rack'},
-            'serial': {'type': 'string', 'description': 'Serial number'}
+            'serial': {'type': 'string', 'description': 'Serial number'},
            'platform': {'type': 'integer', 'description': 'Platform ID'},
            'primary_ip4': {'type': 'integer', 'description': 'Primary IPv4 address ID'},
            'primary_ip6': {'type': 'integer', 'description': 'Primary IPv6 address ID'},
            'asset_tag': {'type': 'string', 'description': 'Asset tag'},
            'description': {'type': 'string', 'description': 'Description'},
            'comments': {'type': 'string', 'description': 'Comments'}
        },
        'required': ['name', 'device_type', 'role', 'site']
    },
@@ -335,7 +341,17 @@ TOOL_DEFINITIONS = {
        'properties': {
            'id': {'type': 'integer', 'description': 'Device ID'},
            'name': {'type': 'string', 'description': 'New name'},
-            'status': {'type': 'string', 'description': 'New status'}
+            'status': {'type': 'string', 'description': 'New status'},
            'platform': {'type': 'integer', 'description': 'Platform ID'},
            'primary_ip4': {'type': 'integer', 'description': 'Primary IPv4 address ID'},
            'primary_ip6': {'type': 'integer', 'description': 'Primary IPv6 address ID'},
            'serial': {'type': 'string', 'description': 'Serial number'},
            'asset_tag': {'type': 'string', 'description': 'Asset tag'},
            'site': {'type': 'integer', 'description': 'Site ID'},
            'rack': {'type': 'integer', 'description': 'Rack ID'},
            'position': {'type': 'number', 'description': 'Position in rack'},
            'description': {'type': 'string', 'description': 'Description'},
            'comments': {'type': 'string', 'description': 'Comments'}
        },
        'required': ['id']
    },
--- a/plugins/claude-config-maintainer/hooks/enforce-rules.sh
+++ b/plugins/claude-config-maintainer/hooks/enforce-rules.sh
@@ -0,0 +1,68 @@
 #!/bin/bash
 # claude-config-maintainer: enforce mandatory behavior rules
 # Checks if CLAUDE.md has the rules, adds them if missing
 PREFIX="[claude-config-maintainer]"
 # Find CLAUDE.md in current directory or parent
 CLAUDE_MD=""
 if [ -f "./CLAUDE.md" ]; then
    CLAUDE_MD="./CLAUDE.md"
 elif [ -f "../CLAUDE.md" ]; then
    CLAUDE_MD="../CLAUDE.md"
 fi
 # If no CLAUDE.md found, exit silently
 if [ -z "$CLAUDE_MD" ]; then
    exit 0
 fi
 # Check if mandatory rules exist
 if grep -q "MANDATORY BEHAVIOR RULES" "$CLAUDE_MD" 2>/dev/null; then
    # Rules exist, all good
    exit 0
 fi
 # Rules missing - add them
 RULES='## ⛔ MANDATORY BEHAVIOR RULES - READ FIRST
 **These rules are NON-NEGOTIABLE. Violating them wastes the user'\''s time and money.**
 ### 1. WHEN USER ASKS YOU TO CHECK SOMETHING - CHECK EVERYTHING
 - Search ALL locations, not just where you think it is
 - Check cache directories: `~/.claude/plugins/cache/`
 - Check installed: `~/.claude/plugins/marketplaces/`
 - Check source directories
 - **NEVER say "no" or "that'\''s not the issue" without exhaustive verification**
 ### 2. WHEN USER SAYS SOMETHING IS WRONG - BELIEVE THEM
 - The user knows their system better than you
 - Investigate thoroughly before disagreeing
 - **Your confidence is often wrong. User'\''s instincts are often right.**
 ### 3. NEVER SAY "DONE" WITHOUT VERIFICATION
 - Run the actual command/script to verify
 - Show the output to the user
 - **"Done" means VERIFIED WORKING, not "I made changes"**
 ### 4. SHOW EXACTLY WHAT USER ASKS FOR
 - If user asks for messages, show the MESSAGES
 - If user asks for code, show the CODE
 - **Do not interpret or summarize unless asked**
 **FAILURE TO FOLLOW THESE RULES = WASTED USER TIME = UNACCEPTABLE**
 ---
 '
 # Create temp file with rules + existing content
 {
    head -1 "$CLAUDE_MD"
    echo ""
    echo "$RULES"
    tail -n +2 "$CLAUDE_MD"
 } > "${CLAUDE_MD}.tmp"
 mv "${CLAUDE_MD}.tmp" "$CLAUDE_MD"
 echo "$PREFIX Added mandatory behavior rules to CLAUDE.md"
--- a/plugins/claude-config-maintainer/hooks/hooks.json
+++ b/plugins/claude-config-maintainer/hooks/hooks.json
@@ -0,0 +1,10 @@
 {
  "hooks": {
    "SessionStart": [
      {
        "type": "command",
        "command": "${CLAUDE_PLUGIN_ROOT}/hooks/enforce-rules.sh"
      }
    ]
  }
 }
--- a/plugins/cmdb-assistant/README.md
+++ b/plugins/cmdb-assistant/README.md
@@ -111,6 +111,7 @@ cmdb-assistant/
 │   └── plugin.json          # Plugin manifest
 ├── .mcp.json                 # MCP server configuration
 ├── commands/
 │   ├── initial-setup.md     # Setup wizard
 │   ├── cmdb-search.md       # Search command
 │   ├── cmdb-device.md       # Device management
 │   ├── cmdb-ip.md           # IP management
--- a/plugins/code-sentinel/.claude-plugin/plugin.json
+++ b/plugins/code-sentinel/.claude-plugin/plugin.json
@@ -9,5 +9,6 @@
  "homepage": "https://gitea.hotserv.cloud/personal-projects/leo-claude-mktplace/src/branch/main/plugins/code-sentinel/README.md",
  "repository": "https://gitea.hotserv.cloud/personal-projects/leo-claude-mktplace.git",
  "license": "MIT",
-  "keywords": ["security", "refactoring", "code-quality", "static-analysis", "hooks"]
+  "keywords": ["security", "refactoring", "code-quality", "static-analysis", "hooks"],
  "commands": ["./commands/"]
 }
--- a/plugins/code-sentinel/hooks/hooks.json
+++ b/plugins/code-sentinel/hooks/hooks.json
@@ -5,8 +5,8 @@
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
-            "type": "prompt",
+            "type": "command",
-            "prompt": "[code-sentinel] SECURITY CHECK - Before writing this code, scan for these patterns:\n\n**Critical (BLOCK if found):**\n- eval(), exec() with user input\n- SQL string concatenation (SQL injection)\n- shell=True with user input (command injection)\n- Hardcoded secrets (API keys, passwords, tokens)\n- Pickle/marshal deserialization of untrusted data\n- innerHTML/dangerouslySetInnerHTML with user content (XSS)\n\n**Warning (WARN but allow):**\n- subprocess without input validation\n- File operations without path sanitization\n- HTTP requests without timeout\n- Broad exception catches (except:)\n- Debug/print statements with sensitive data\n\n**Response:**\n- If CRITICAL found: STOP with '[code-sentinel] BLOCKED:', explain the issue, suggest safe alternative\n- If WARNING found: Note briefly with '[code-sentinel] WARNING:', proceed with suggestion\n- If clean: Proceed silently (say nothing)\n\nDo NOT announce clean scans. Only speak if issues found."
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/security-check.sh"
          }
        ]
      }
--- a/plugins/code-sentinel/hooks/security-check.sh
+++ b/plugins/code-sentinel/hooks/security-check.sh
@@ -0,0 +1,62 @@
 #!/bin/bash
 # code-sentinel security check hook
 # Checks for obvious security issues in code files, skips config/docs
 # Command hook - guaranteed predictable behavior
 # Read tool input from stdin
 INPUT=$(cat)
 # Extract file_path from JSON input
 FILE_PATH=$(echo "$INPUT" | grep -o '"file_path"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"file_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
 # If no file_path, exit silently
 if [ -z "$FILE_PATH" ]; then
    exit 0
 fi
 # SKIP config/doc files entirely - exit silently
 case "$FILE_PATH" in
    *.md|*.json|*.yml|*.yaml|*.txt|*.toml|*.ini|*.cfg|*.conf)
        exit 0
        ;;
    */docs/*|*/README*|*/CHANGELOG*|*/LICENSE*)
        exit 0
        ;;
    */.claude/*|*/.github/*|*/.vscode/*)
        exit 0
        ;;
 esac
 # For code files, extract content to check
 # For Edit tool: check new_string
 # For Write tool: check content
 CONTENT=$(echo "$INPUT" | grep -o '"new_string"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"new_string"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
 if [ -z "$CONTENT" ]; then
    CONTENT=$(echo "$INPUT" | grep -o '"content"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"content"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
 fi
 # If no content to check, exit silently
 if [ -z "$CONTENT" ]; then
    exit 0
 fi
 # Check for hardcoded secrets patterns (obvious cases only)
 if echo "$CONTENT" | grep -qiE '(api[_-]?key|api[_-]?secret|password|passwd|secret[_-]?key|auth[_-]?token)[[:space:]]*[=:][[:space:]]*["\x27][A-Za-z0-9+/=_-]{20,}["\x27]'; then
    echo "[code-sentinel] BLOCKED: Hardcoded secret detected"
    exit 1
 fi
 # Check for AWS keys pattern
 if echo "$CONTENT" | grep -qE 'AKIA[A-Z0-9]{16}'; then
    echo "[code-sentinel] BLOCKED: AWS access key detected"
    exit 1
 fi
 # Check for private key headers
 if echo "$CONTENT" | grep -qE '\-\-\-\-\-BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY\-\-\-\-\-'; then
    echo "[code-sentinel] BLOCKED: Private key detected"
    exit 1
 fi
 # All other cases: exit silently (allow the edit)
 exit 0
--- a/plugins/doc-guardian/.claude-plugin/plugin.json
+++ b/plugins/doc-guardian/.claude-plugin/plugin.json
@@ -9,5 +9,6 @@
  "homepage": "https://gitea.hotserv.cloud/personal-projects/leo-claude-mktplace/src/branch/main/plugins/doc-guardian/README.md",
  "repository": "https://gitea.hotserv.cloud/personal-projects/leo-claude-mktplace.git",
  "license": "MIT",
-  "keywords": ["documentation", "sync", "drift-detection", "automation", "hooks"]
+  "keywords": ["documentation", "sync", "drift-detection", "automation", "hooks"],
  "commands": ["./commands/"]
 }
--- a/plugins/doc-guardian/hooks/hooks.json
+++ b/plugins/doc-guardian/hooks/hooks.json
@@ -5,8 +5,8 @@
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
-            "type": "prompt",
+            "type": "command",
-            "prompt": "[doc-guardian] QUICK drift check (DO NOT block workflow):\n\n1. ONLY check if the modified file is referenced in README.md, CLAUDE.md, or API docs in the SAME directory\n2. Do NOT read files or perform deep analysis - just note potential drift based on file name/path\n3. If potential drift: output a single line like '[doc-guardian] Note: {filename} changed - may affect {doc}. Run /doc-sync to verify.'\n4. If no obvious drift: say nothing\n\nIMPORTANT: This is notification-only. Do NOT read documentation files, do NOT make changes, do NOT use any tools. Just a quick mental check based on the file path."
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/notify.sh"
          }
        ]
      }
--- a/plugins/doc-guardian/hooks/notify.sh
+++ b/plugins/doc-guardian/hooks/notify.sh
@@ -0,0 +1,23 @@
 #!/bin/bash
 # doc-guardian notification hook
 # Outputs a single notification for config file changes, nothing otherwise
 # This is a command hook - guaranteed not to block workflow
 # Read tool input from stdin (JSON with file_path)
 INPUT=$(cat)
 # Extract file_path from JSON input
 FILE_PATH=$(echo "$INPUT" | grep -o '"file_path"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"file_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
 # If no file_path found, exit silently
 if [ -z "$FILE_PATH" ]; then
    exit 0
 fi
 # Check if file is in a config directory (commands/, agents/, skills/, hooks/)
 if echo "$FILE_PATH" | grep -qE '/(commands|agents|skills|hooks)/'; then
    echo "[doc-guardian] Config file modified. Run /doc-sync when ready."
 fi
 # Exit silently for all other files (no output = no blocking)
 exit 0
--- a/plugins/git-flow/README.md
+++ b/plugins/git-flow/README.md
@@ -10,7 +10,7 @@ git-flow streamlines common git operations with smart defaults, conventional com
 | Command | Description |
 |---------|-------------|
-| `/commit` | Create commit with auto-generated conventional message |
+| `/commit` | Create commit with auto-generated conventional message (with protected branch detection) |
 | `/commit-push` | Commit and push in one operation |
 | `/commit-merge` | Commit and merge into target branch |
 | `/commit-sync` | Full sync: commit, push, and rebase on base branch |
@@ -79,7 +79,7 @@ chore/update-dependencies
 ### Safety Checks
- Warns before commits to protected branches
+- **Protected branch detection**: Before committing, checks if you're on a protected branch (main, master, development, staging, production by default). Offers to create a feature branch automatically instead of committing directly to protected branches.
 - Confirms force push operations
 - Prevents accidental branch deletion
--- a/plugins/git-flow/commands/commit.md
+++ b/plugins/git-flow/commands/commit.md
@@ -6,13 +6,44 @@ Create a git commit with an auto-generated conventional commit message based on
 ## Behavior
-### Step 1: Analyze Changes
+### Step 1: Check for Protected Branch
 Before any commit operation, check if the current branch is protected:
 1. Get current branch: `git branch --show-current`
 2. Check against `GIT_PROTECTED_BRANCHES` (default: `main,master,development,staging,production`)
 If on a protected branch, warn the user:
 ```
 ⚠️  You are on a protected branch: development
 Protected branches typically have push restrictions that will prevent
 direct commits from being pushed to the remote.
 Options:
 1. Create a feature branch and continue (Recommended)
 2. Continue on this branch anyway (may fail on push)
 3. Cancel
 ```
 **If option 1 (create feature branch):**
 - Prompt for branch type (feat/fix/chore/docs/refactor)
 - Prompt for brief description
 - Create branch using `/branch-start` naming conventions
 - Continue with commit on the new branch
 **If option 2 (continue anyway):**
 - Proceed with commit (user accepts risk of push rejection)
 - Display reminder: "Remember: push may be rejected by remote protection rules"
 ### Step 2: Analyze Changes
 1. Run `git status` to see staged and unstaged changes
 2. Run `git diff --staged` to examine staged changes
 3. If nothing staged, prompt user to stage changes
-### Step 2: Generate Commit Message
+### Step 3: Generate Commit Message
 Analyze the changes and generate a conventional commit message:
@@ -38,7 +69,7 @@ Analyze the changes and generate a conventional commit message:
 **Scope:** Determined from changed files (e.g., `auth`, `api`, `ui`)
-### Step 3: Confirm or Edit
+### Step 4: Confirm or Edit
 Present the generated message:
@@ -58,7 +89,7 @@ Options:
 4. Cancel
 ```
-### Step 4: Execute Commit
+### Step 5: Execute Commit
 If confirmed, run:
@@ -75,6 +106,7 @@ EOF
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `GIT_PROTECTED_BRANCHES` | `main,master,development,staging,production` | Branches that trigger protection warning |
 | `GIT_COMMIT_STYLE` | `conventional` | Message style (conventional, simple, detailed) |
 | `GIT_SIGN_COMMITS` | `false` | Use GPG signing |
 | `GIT_CO_AUTHOR` | `true` | Include Claude co-author footer |
--- a/plugins/pr-review/README.md
+++ b/plugins/pr-review/README.md
@@ -13,6 +13,9 @@ pr-review conducts comprehensive code reviews using specialized agents for secur
 | `/pr-review <pr#>` | Full multi-agent review |
 | `/pr-summary <pr#>` | Quick summary without full review |
 | `/pr-findings <pr#>` | Filter findings by category/confidence |
 | `/initial-setup` | Full interactive setup wizard |
 | `/project-init` | Quick project setup (system already configured) |
 | `/project-sync` | Sync configuration with current git remote |
 ## Review Agents
--- a/plugins/pr-review/hooks/hooks.json
+++ b/plugins/pr-review/hooks/hooks.json
@@ -2,8 +2,8 @@
  "hooks": {
    "SessionStart": [
      {
-        "type": "prompt",
+        "type": "command",
-        "prompt": "[pr-review] Perform silent startup checks:\n\n1. Check if MCP venvs exist at the installed marketplace location. If the marketplace is installed but venvs are missing, warn the user: '[pr-review] MCP venvs missing - run setup.sh from installed marketplace location'.\n\n2. Check if the project git remote matches .env configuration (GITEA_ORG/GITEA_REPO). If mismatch, warn: '[pr-review] Git remote mismatch - run /project-sync'.\n\nStay silent if all checks pass or not applicable. Be quick and non-blocking."
+        "command": "${CLAUDE_PLUGIN_ROOT}/hooks/startup-check.sh"
      }
    ]
  }
--- a/plugins/pr-review/hooks/startup-check.sh
+++ b/plugins/pr-review/hooks/startup-check.sh
@@ -0,0 +1,30 @@
 #!/bin/bash
 # pr-review startup check hook
 # Checks for common issues at session start
 # All output MUST have [pr-review] prefix
 PREFIX="[pr-review]"
 # Check if MCP venv exists
 PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(dirname "$(dirname "$(realpath "$0")")")}"
 VENV_PATH="$PLUGIN_ROOT/mcp-servers/gitea/.venv/bin/python"
 if [[ ! -f "$VENV_PATH" ]]; then
    echo "$PREFIX MCP venvs missing - run setup.sh from installed marketplace"
    exit 0
 fi
 # Check git remote vs .env config (only if .env exists)
 if [[ -f ".env" ]]; then
    CONFIGURED_REPO=$(grep -E "^GITEA_REPO=" .env 2>/dev/null | cut -d'=' -f2 | tr -d '"' || true)
    if [[ -n "$CONFIGURED_REPO" ]]; then
        CURRENT_REMOTE=$(git remote get-url origin 2>/dev/null | sed 's/.*[:/]\([^/]*\/[^.]*\).*/\1/' || true)
        if [[ -n "$CURRENT_REMOTE" && "$CONFIGURED_REPO" != "$CURRENT_REMOTE" ]]; then
            echo "$PREFIX Git remote mismatch - run /pr-review:project-sync"
            exit 0
        fi
    fi
 fi
 # All checks passed - say nothing
 exit 0
--- a/plugins/project-hygiene/README.md
+++ b/plugins/project-hygiene/README.md
@@ -20,7 +20,7 @@ claude plugin install project-hygiene
 ## How It Works
-The plugin registers a `task-completed` hook that runs after Claude completes any task. It:
+The plugin registers a `PostToolUse` hook (on Write and Edit tools) that runs after Claude modifies files. It:
 1. Scans for and deletes known temporary file patterns
 2. Removes temporary directories (`__pycache__`, `.pytest_cache`, etc.)
--- a/plugins/project-hygiene/hooks/cleanup.sh
+++ b/plugins/project-hygiene/hooks/cleanup.sh
@@ -1,365 +1,28 @@
 #!/bin/bash
 # project-hygiene cleanup hook
-# Runs after task completion to clean up temp files and manage orphans
+# Runs after file edits to clean up temp files
 # All output MUST have [project-hygiene] prefix
 set -euo pipefail
-# Configuration
+PREFIX="[project-hygiene]"
 # Read tool input from stdin (discard - we don't need it for cleanup)
 cat > /dev/null
 PROJECT_ROOT="${PROJECT_ROOT:-.}"
 PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(dirname "$(dirname "$(realpath "$0")")")}"
 CONFIG_FILE="${PROJECT_ROOT}/.hygiene.json"
 LOG_DIR="${PROJECT_ROOT}/.dev/logs"
 SCRATCH_DIR="${PROJECT_ROOT}/.dev/scratch"
 LOG_FILE="${LOG_DIR}/hygiene-$(date +%Y%m%d-%H%M%S).log"
 # Default allowed root files (can be overridden by .hygiene.json)
 DEFAULT_ALLOWED_ROOT=(
    ".git"
    ".gitignore"
    ".gitattributes"
    ".editorconfig"
    ".env"
    ".env.example"
    ".env.local"
    ".nvmrc"
    ".node-version"
    ".python-version"
    ".ruby-version"
    ".tool-versions"
    "README.md"
    "LICENSE"
    "CHANGELOG.md"
    "CONTRIBUTING.md"
    "CLAUDE.md"
    "package.json"
    "package-lock.json"
    "yarn.lock"
    "pnpm-lock.yaml"
    "Makefile"
    "Dockerfile"
    "docker-compose.yml"
    "docker-compose.yaml"
    "Cargo.toml"
    "Cargo.lock"
    "go.mod"
    "go.sum"
    "requirements.txt"
    "setup.py"
    "pyproject.toml"
    "poetry.lock"
    "Gemfile"
    "Gemfile.lock"
    "tsconfig.json"
    "jsconfig.json"
    ".eslintrc*"
    ".prettierrc*"
    "vite.config.*"
    "webpack.config.*"
    "rollup.config.*"
    ".hygiene.json"
 )
 # Temp file patterns to delete
 TEMP_PATTERNS=(
    "*.tmp"
    "*.bak"
    "*.swp"
    "*.swo"
    "*~"
    ".DS_Store"
    "Thumbs.db"
    "*.log"
    "*.orig"
    "*.pyc"
    "*.pyo"
 )
 # Directory patterns to delete
 TEMP_DIRS=(
    "__pycache__"
    ".pytest_cache"
    ".mypy_cache"
    ".ruff_cache"
    "node_modules/.cache"
    ".next/cache"
    ".nuxt/.cache"
    ".turbo"
    "*.egg-info"
    ".eggs"
    "dist"
    "build"
 )
 # Orphan patterns to identify
 ORPHAN_PATTERNS=(
    "test_*.py"
    "debug_*"
    "*_backup.*"
    "*_old.*"
    "*_bak.*"
    "*.backup"
    "temp_*"
    "tmp_*"
 )
 # Initialize
 DELETED_COUNT=0
 WARNED_COUNT=0
 ORPHAN_COUNT=0
 MOVE_ORPHANS=false
 # Logging function
 log() {
    local msg="[$(date +%H:%M:%S)] $1"
    echo "$msg"
    if [[ -f "$LOG_FILE" ]]; then
        echo "$msg" >> "$LOG_FILE"
    fi
 }
 log_action() {
    local action="$1"
    local target="$2"
    log "  $action: $target"
 }
 # Load project-local config if exists
 load_config() {
    if [[ -f "$CONFIG_FILE" ]]; then
        log "Loading config from $CONFIG_FILE"
        # Check if move_orphans is enabled
        if command -v jq &>/dev/null; then
            MOVE_ORPHANS=$(jq -r '.move_orphans // false' "$CONFIG_FILE" 2>/dev/null || echo "false")
            # Load additional allowed root files
            local extra_allowed
            extra_allowed=$(jq -r '.allowed_root_files // [] | .[]' "$CONFIG_FILE" 2>/dev/null || true)
            if [[ -n "$extra_allowed" ]]; then
                while IFS= read -r file; do
                    DEFAULT_ALLOWED_ROOT+=("$file")
                done <<< "$extra_allowed"
            fi
            # Load additional temp patterns
            local extra_temp
            extra_temp=$(jq -r '.temp_patterns // [] | .[]' "$CONFIG_FILE" 2>/dev/null || true)
            if [[ -n "$extra_temp" ]]; then
                while IFS= read -r pattern; do
                    TEMP_PATTERNS+=("$pattern")
                done <<< "$extra_temp"
            fi
            # Load ignore patterns (files to never touch)
            IGNORE_PATTERNS=()
            local ignore
            ignore=$(jq -r '.ignore_patterns // [] | .[]' "$CONFIG_FILE" 2>/dev/null || true)
            if [[ -n "$ignore" ]]; then
                while IFS= read -r pattern; do
                    IGNORE_PATTERNS+=("$pattern")
                done <<< "$ignore"
            fi
        else
            log "Warning: jq not installed, using default config"
        fi
    fi
 }
 # Check if file should be ignored
 should_ignore() {
    local file="$1"
    local basename
    basename=$(basename "$file")
    for pattern in "${IGNORE_PATTERNS[@]:-}"; do
        if [[ "$basename" == $pattern ]] || [[ "$file" == $pattern ]]; then
            return 0
        fi
    done
    return 1
 }
 # Check if file is in allowed root list
 is_allowed_root() {
    local file="$1"
    local basename
    basename=$(basename "$file")
    for allowed in "${DEFAULT_ALLOWED_ROOT[@]}"; do
        # Support wildcards in allowed patterns
        if [[ "$basename" == $allowed ]]; then
            return 0
        fi
    done
    return 1
 }
 # Check if file matches orphan pattern
 is_orphan() {
    local file="$1"
    local basename
    basename=$(basename "$file")
    for pattern in "${ORPHAN_PATTERNS[@]}"; do
        if [[ "$basename" == $pattern ]]; then
            return 0
        fi
    done
    return 1
 }
 # Setup directories
 setup_dirs() {
    mkdir -p "$LOG_DIR"
    if [[ "$MOVE_ORPHANS" == "true" ]]; then
        mkdir -p "$SCRATCH_DIR"
    fi
    # Start log file
    echo "=== Project Hygiene Cleanup ===" > "$LOG_FILE"
    echo "Started: $(date)" >> "$LOG_FILE"
    echo "Project: $PROJECT_ROOT" >> "$LOG_FILE"
    echo "" >> "$LOG_FILE"
 }
 # Delete temp files
 cleanup_temp_files() {
    log "Cleaning temp files..."
    for pattern in "${TEMP_PATTERNS[@]}"; do
        while IFS= read -r -d '' file; do
            if should_ignore "$file"; then
                continue
            fi
            rm -f "$file"
            log_action "DELETED" "$file"
            ((DELETED_COUNT++))
        done < <(find "$PROJECT_ROOT" -name "$pattern" -type f -print0 2>/dev/null || true)
    done
 }
 # Delete temp directories
 cleanup_temp_dirs() {
    log "Cleaning temp directories..."
    for pattern in "${TEMP_DIRS[@]}"; do
        while IFS= read -r -d '' dir; do
            if should_ignore "$dir"; then
                continue
            fi
            rm -rf "$dir"
            log_action "DELETED DIR" "$dir"
            ((DELETED_COUNT++))
        done < <(find "$PROJECT_ROOT" -name "$pattern" -type d -print0 2>/dev/null || true)
    done
 }
 # Warn about unexpected root files
 check_root_files() {
    log "Checking root files..."
    local unexpected_files=()
 # Silently delete temp files
 for pattern in "*.tmp" "*.bak" "*.swp" "*~" ".DS_Store"; do
    while IFS= read -r -d '' file; do
-        local basename
+        rm -f "$file" 2>/dev/null && ((DELETED_COUNT++)) || true
-        basename=$(basename "$file")
+    done < <(find "$PROJECT_ROOT" -name "$pattern" -type f -print0 2>/dev/null || true)
 done
-        # Skip directories
+# Only output if we deleted something
-        [[ -d "$file" ]] && continue
+if [[ $DELETED_COUNT -gt 0 ]]; then
    echo "$PREFIX Cleaned $DELETED_COUNT temp files"
 fi
-        # Skip if in allowed list
+exit 0
        is_allowed_root "$basename" && continue
        # Skip if should be ignored
        should_ignore "$basename" && continue
        unexpected_files+=("$basename")
        log_action "WARNING" "Unexpected root file: $basename"
        ((WARNED_COUNT++))
    done < <(find "$PROJECT_ROOT" -maxdepth 1 -print0 2>/dev/null || true)
    if [[ ${#unexpected_files[@]} -gt 0 ]]; then
        log ""
        log "⚠️  Unexpected files in project root:"
        for f in "${unexpected_files[@]}"; do
            log "    - $f"
        done
    fi
 }
 # Identify and handle orphaned files
 handle_orphans() {
    log "Checking for orphaned files..."
    local orphan_files=()
    for pattern in "${ORPHAN_PATTERNS[@]}"; do
        while IFS= read -r -d '' file; do
            if should_ignore "$file"; then
                continue
            fi
            orphan_files+=("$file")
            if [[ "$MOVE_ORPHANS" == "true" ]]; then
                local dest="${SCRATCH_DIR}/$(basename "$file")"
                # Handle duplicates
                if [[ -f "$dest" ]]; then
                    dest="${SCRATCH_DIR}/$(date +%Y%m%d%H%M%S)_$(basename "$file")"
                fi
                mv "$file" "$dest"
                log_action "MOVED" "$file -> $dest"
            else
                log_action "ORPHAN" "$file"
            fi
            ((ORPHAN_COUNT++))
        done < <(find "$PROJECT_ROOT" -name "$pattern" -type f -print0 2>/dev/null || true)
    done
    if [[ ${#orphan_files[@]} -gt 0 && "$MOVE_ORPHANS" != "true" ]]; then
        log ""
        log "📦 Orphaned files found (enable move_orphans in .hygiene.json to auto-move):"
        for f in "${orphan_files[@]}"; do
            log "    - $f"
        done
    fi
 }
 # Summary
 print_summary() {
    log ""
    log "=== Cleanup Summary ==="
    log "  Deleted: $DELETED_COUNT items"
    log "  Warnings: $WARNED_COUNT unexpected root files"
    log "  Orphans: $ORPHAN_COUNT files"
    if [[ "$MOVE_ORPHANS" == "true" ]]; then
        log "  Orphans moved to: $SCRATCH_DIR"
    fi
    log "  Log file: $LOG_FILE"
    log ""
 }
 # Main
 main() {
    cd "$PROJECT_ROOT" || exit 1
    load_config
    setup_dirs
    log "Starting project hygiene cleanup..."
    log ""
    cleanup_temp_files
    cleanup_temp_dirs
    check_root_files
    handle_orphans
    print_summary
    # Exit with warning code if issues found
    if [[ $WARNED_COUNT -gt 0 || $ORPHAN_COUNT -gt 0 ]]; then
        exit 0  # Still success, but logged warnings
    fi
 }
 main "$@"
--- a/plugins/projman/README.md
+++ b/plugins/projman/README.md
@@ -13,7 +13,7 @@ Projman transforms a proven 15-sprint workflow into a distributable Claude Code
 - **Milestones** - Sprint milestone management and tracking
 - **Lessons Learned** - Systematic capture and search via Gitea Wiki
 - **Branch-Aware Security** - Prevents accidental changes on production branches
- **Three-Agent Model** - Planner, Orchestrator, and Executor agents
+- **Four-Agent Model** - Planner, Orchestrator, Executor, and Code Reviewer agents
 - **CLI Tools Blocked** - All operations via MCP tools only (no `tea` or `gh`)
 ## Quick Start
@@ -461,20 +461,8 @@ projman/
 ├── .claude-plugin/
 │   └── plugin.json          # Plugin manifest
 ├── .mcp.json                # MCP server configuration
-├── mcp-servers/             # Bundled MCP server
+├── mcp-servers/
-│   └── gitea/
+│   └── gitea -> ../../../mcp-servers/gitea  # SYMLINK to shared MCP server
 │       ├── .venv/
 │       ├── requirements.txt
 │       ├── mcp_server/
 │       │   ├── server.py
 │       │   ├── gitea_client.py
 │       │   └── tools/
 │       │       ├── issues.py
 │       │       ├── labels.py
 │       │       ├── wiki.py
 │       │       ├── milestones.py
 │       │       └── dependencies.py
 │       └── tests/
 ├── commands/                # Slash commands
 │   ├── sprint-plan.md
 │   ├── sprint-start.md
--- a/plugins/projman/commands/debug-report.md
+++ b/plugins/projman/commands/debug-report.md
@@ -43,6 +43,46 @@ Store all values:
 - `CURRENT_BRANCH`: Current branch name
 - `WORKING_DIR`: Current working directory
 ### Step 1.5: Detect Sprint Context
 Determine if this debug issue should be associated with an active sprint.
 **1. Check for active sprint milestone:**
 ```
 mcp__plugin_projman_gitea__list_milestones(repo=PROJECT_REPO, state="open")
 ```
 Store the first open milestone as `ACTIVE_SPRINT` (if any).
 **2. Analyze branch context:**
 | Branch Pattern | Context |
 |----------------|---------|
 | `feat/*`, `fix/*`, `issue-*` | Sprint work - likely related to current sprint |
 | `main`, `master`, `development` | Production/standalone - not sprint-related |
 | Other | Unknown - ask user |
 **3. Determine sprint association:**
 ```
 IF ACTIVE_SPRINT exists AND CURRENT_BRANCH matches sprint pattern (feat/*, fix/*, issue-*):
  → SPRINT_CONTEXT = "detected"
  → Ask user: "Active sprint detected: [SPRINT_NAME]. Is this bug related to sprint work?"
    Options:
    - Yes, add to sprint (will associate with milestone)
    - No, standalone fix (no milestone)
  → Store choice as ASSOCIATE_WITH_SPRINT (true/false)
 ELSE IF ACTIVE_SPRINT exists AND CURRENT_BRANCH is main/development:
  → SPRINT_CONTEXT = "production"
  → ASSOCIATE_WITH_SPRINT = false (standalone fix, no question needed)
 ELSE:
  → SPRINT_CONTEXT = "none"
  → ASSOCIATE_WITH_SPRINT = false
 ```
 ### Step 2: Read Marketplace Configuration
 ```bash
@@ -105,7 +145,42 @@ Count failures and categorize errors:
 For each failure, write a hypothesis about the likely cause.
-### Step 5: Generate Issue Content
+### Step 5: Generate Smart Labels
 Generate appropriate labels based on the diagnostic results.
 **1. Build context string for label suggestion:**
 ```
 LABEL_CONTEXT = "Bug fix: " + [summary of main failure] + ". " +
                "Failed tools: " + [list of failed tool names] + ". " +
                "Error category: " + [detected error category from Step 4]
 ```
 **2. Get suggested labels:**
 ```
 mcp__plugin_projman_gitea__suggest_labels(
  repo=PROJECT_REPO,
  context=LABEL_CONTEXT
 )
 ```
 **3. Merge with base labels:**
 ```
 BASE_LABELS = ["Type: Bug", "Source: Diagnostic", "Agent: Claude"]
 SUGGESTED_LABELS = [result from suggest_labels]
 # Combine, avoiding duplicates
 FINAL_LABELS = BASE_LABELS + [label for label in SUGGESTED_LABELS if label not in BASE_LABELS]
 ```
 The final label set should include:
 - **Always**: `Type: Bug`, `Source: Diagnostic`, `Agent: Claude`
 - **If detected**: `Component: *`, `Complexity: *`, `Risk: *`, `Priority: *`
 ### Step 6: Generate Issue Content
 Use this exact template:
@@ -182,22 +257,36 @@ Use this exact template:
 *Generated by /debug-report - Labels: Type: Bug, Source: Diagnostic, Agent: Claude*
 ```
-### Step 6: Create Issue in Marketplace
+### Step 7: Create Issue in Marketplace
 **First, check if MCP tools are available.** Attempt to use an MCP tool. If you receive "tool not found", "not in function list", or similar error, the MCP server is not accessible in this session - use the curl fallback.
 #### Option A: MCP Available (preferred)
 **If ASSOCIATE_WITH_SPRINT is true:**
 ```
 mcp__plugin_projman_gitea__create_issue(
  repo=MARKETPLACE_REPO,
  title="[Diagnostic] [summary of main failure]",
-  body=[generated content from Step 5],
+  body=[generated content from Step 6],
-  labels=["Type: Bug", "Source: Diagnostic", "Agent: Claude"]
+  labels=FINAL_LABELS,
  milestone=ACTIVE_SPRINT.id
 )
 ```
-If labels don't exist, create issue without labels.
+**If ASSOCIATE_WITH_SPRINT is false (standalone fix):**
 ```
 mcp__plugin_projman_gitea__create_issue(
  repo=MARKETPLACE_REPO,
  title="[Diagnostic] [summary of main failure]",
  body=[generated content from Step 6],
  labels=FINAL_LABELS
 )
 ```
 If some labels don't exist, create issue with available labels only.
 #### Option B: MCP Unavailable - Use curl Fallback
@@ -274,7 +363,7 @@ To create the issue manually:
 2. Or create issue directly at: http://gitea.hotserv.cloud/[MARKETPLACE_REPO]/issues/new
 ```
-### Step 7: Report to User
+### Step 8: Report to User
 Display summary:
--- a/plugins/projman/commands/debug-review.md
+++ b/plugins/projman/commands/debug-review.md
@@ -195,6 +195,74 @@ Does this analysis match your understanding of the problem?
 Do NOT proceed until user approves.
 ### Step 9.5: Search Lessons Learned
 Before proposing a fix, search for relevant lessons from past fixes.
 **1. Extract search tags from the issue:**
 ```
 SEARCH_TAGS = []
 # Add tool names
 for each failed_tool in issue:
  SEARCH_TAGS.append(tool_name)  # e.g., "get_labels", "validate_repo_org"
 # Add error category
 SEARCH_TAGS.append(error_category)  # e.g., "parameter-format", "authentication"
 # Add component if identifiable
 if error relates to MCP server:
  SEARCH_TAGS.append("mcp")
 if error relates to command:
  SEARCH_TAGS.append("command")
 ```
 **2. Search lessons learned:**
 ```
 mcp__plugin_projman_gitea__search_lessons(
  repo=REPO_NAME,
  tags=SEARCH_TAGS,
  limit=5
 )
 ```
 **3. Also search by error keywords:**
 ```
 mcp__plugin_projman_gitea__search_lessons(
  repo=REPO_NAME,
  query=[key error message words],
  limit=5
 )
 ```
 **4. Display relevant lessons (if any):**
 ```
 Related Lessons Learned
 =======================
 Found [N] relevant lessons from past fixes:
 📚 Lesson: "Sprint 14 - Parameter validation in MCP tools"
   Tags: mcp, get_labels, parameter-format
   Summary: Always validate repo parameter format before API calls
   Prevention: Add format check at function entry
 📚 Lesson: "Sprint 12 - Graceful fallback for missing config"
   Tags: configuration, fallback
   Summary: Commands should work even without .env
   Prevention: Check for env vars, use sensible defaults
 These lessons may inform your fix approach.
 ```
 If no lessons found, display:
 ```
 No related lessons found. This may be a new type of issue.
 ```
 ### Step 10: Propose Fix Approach
 Based on the analysis, propose a specific fix:
@@ -342,7 +410,118 @@ Next Steps:
  1. Review and merge PR #81
  2. In test project, pull latest plugin version
  3. Run /debug-report to verify fix
-  4. If passing, close issue #80
+  4. Come back and run Step 15 to close issue and capture lesson
 ```
 ### Step 15: Verify, Close, and Capture Lesson
 **This step runs AFTER the user has verified the fix works.**
 When user returns and confirms the fix is working:
 **1. Close the issue:**
 ```
 mcp__plugin_projman_gitea__update_issue(
  repo=REPO_NAME,
  issue_number=ISSUE_NUMBER,
  state="closed"
 )
 ```
 **2. Ask about lesson capture:**
 Use AskUserQuestion:
 ```
 This fix addressed [ERROR_TYPE] in [COMPONENT].
 Would you like to capture this as a lesson learned?
 Options:
 - Yes, capture lesson (helps avoid similar issues in future)
 - No, skip (trivial fix or already documented)
 ```
 **3. If user chooses Yes, auto-generate lesson content:**
 ```
 LESSON_TITLE = "Sprint [N] - [Brief description of fix]"
  # Example: "Sprint 17 - MCP parameter validation"
 LESSON_CONTENT = """
 ## Context
 [What was happening when the issue occurred]
 - Command/tool being used: [FAILED_TOOL]
 - Error encountered: [ERROR_MESSAGE]
 ## Problem
 [Root cause identified during investigation]
 ## Solution
 [What was changed to fix it]
 - Files modified: [LIST]
 - PR: #[PR_NUMBER]
 ## Prevention
 [How to avoid this in the future]
 ## Related
 - Issue: #[ISSUE_NUMBER]
 - PR: #[PR_NUMBER]
 """
 LESSON_TAGS = [
  tool_name,        # e.g., "get_labels"
  error_category,   # e.g., "parameter-format"
  component,        # e.g., "mcp", "command"
  "bug-fix"
 ]
 ```
 **4. Show lesson preview and ask for approval:**
 ```
 Lesson Preview
 ==============
 Title: [LESSON_TITLE]
 Tags: [LESSON_TAGS]
 Content:
 [LESSON_CONTENT]
 Save this lesson? (Y/N/Edit)
 ```
 **5. If approved, create the lesson:**
 ```
 mcp__plugin_projman_gitea__create_lesson(
  repo=REPO_NAME,
  title=LESSON_TITLE,
  content=LESSON_CONTENT,
  tags=LESSON_TAGS,
  category="sprints"
 )
 ```
 **6. Report completion:**
 ```
 Issue Closed & Lesson Captured
 ==============================
 Issue #[N]: CLOSED
 Lesson: "[LESSON_TITLE]" saved to wiki
 This lesson will be surfaced in future /debug-review
 sessions when similar errors are encountered.
 ```
 ## DO NOT
@@ -350,8 +529,9 @@ Next Steps:
 - **DO NOT** skip reading relevant files - this is MANDATORY
 - **DO NOT** proceed past approval gates without user confirmation
 - **DO NOT** guess at fixes without evidence from code
- **DO NOT** close issues - let user verify fix works first
+- **DO NOT** close issues until user confirms fix works (Step 15)
 - **DO NOT** commit directly to development or main branches
 - **DO NOT** skip the lessons learned search - past fixes inform better solutions
 ## If Investigation Finds No Bug
--- a/plugins/projman/commands/labels-sync.md
+++ b/plugins/projman/commands/labels-sync.md
@@ -62,12 +62,20 @@ Verify these required label categories exist:
 ### Step 6: Create Missing Labels (if any)
-For each missing required label, call:
+Use `create_label_smart` which automatically creates labels at the correct level:
 - **Organization level**: Type/*, Priority/*, Complexity/*, Effort/*, Risk/*, Source/*, Agent/*
 - **Repository level**: Component/*, Tech/*
 ```
-mcp__plugin_projman_gitea__create_label(repo=REPO_NAME, name="Type: Bug", color="d73a4a")
+mcp__plugin_projman_gitea__create_label_smart(repo=REPO_NAME, name="Type/Bug", color="d73a4a")
 ```
 This automatically detects whether to create at org or repo level based on the category.
 **Alternative (explicit control):**
 - Org labels: `create_org_label(org="org-name", name="Type/Bug", color="d73a4a")`
 - Repo labels: `create_label(repo=REPO_NAME, name="Component/Backend", color="5319e7")`
 Use the label format that matches existing labels in the repo (slash `/` or colon-space `: `).
 ### Step 7: Report Results
--- a/plugins/projman/hooks/hooks.json
+++ b/plugins/projman/hooks/hooks.json
@@ -2,8 +2,8 @@
  "hooks": {
    "SessionStart": [
      {
-        "type": "prompt",
+        "type": "command",
-        "prompt": "[projman] Perform silent startup checks:\n\n1. Check if MCP venvs exist at the installed marketplace location. If the marketplace is installed but venvs are missing, warn the user: '[projman] MCP venvs missing - run setup.sh from installed marketplace location'.\n\n2. Check if the project git remote matches .env configuration (GITEA_ORG/GITEA_REPO). If mismatch, warn: '[projman] Git remote mismatch - run /project-sync'.\n\nStay silent if all checks pass or not applicable. Be quick and non-blocking."
+        "command": "${CLAUDE_PLUGIN_ROOT}/hooks/startup-check.sh"
      }
    ]
  }
--- a/plugins/projman/hooks/startup-check.sh
+++ b/plugins/projman/hooks/startup-check.sh
@@ -0,0 +1,30 @@
 #!/bin/bash
 # projman startup check hook
 # Checks for common issues at session start
 # All output MUST have [projman] prefix
 PREFIX="[projman]"
 # Check if MCP venv exists
 PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(dirname "$(dirname "$(realpath "$0")")")}"
 VENV_PATH="$PLUGIN_ROOT/mcp-servers/gitea/.venv/bin/python"
 if [[ ! -f "$VENV_PATH" ]]; then
    echo "$PREFIX MCP venvs missing - run setup.sh from installed marketplace"
    exit 0
 fi
 # Check git remote vs .env config (only if .env exists)
 if [[ -f ".env" ]]; then
    CONFIGURED_REPO=$(grep -E "^GITEA_REPO=" .env 2>/dev/null | cut -d'=' -f2 | tr -d '"' || true)
    if [[ -n "$CONFIGURED_REPO" ]]; then
        CURRENT_REMOTE=$(git remote get-url origin 2>/dev/null | sed 's/.*[:/]\([^/]*\/[^.]*\).*/\1/' || true)
        if [[ -n "$CURRENT_REMOTE" && "$CONFIGURED_REPO" != "$CURRENT_REMOTE" ]]; then
            echo "$PREFIX Git remote mismatch - run /project-sync"
            exit 0
        fi
    fi
 fi
 # All checks passed - say nothing
 exit 0
--- a/scripts/post-update.sh
+++ b/scripts/post-update.sh
@@ -78,3 +78,8 @@ main() {
 }
 main "$@"
 # Clear plugin cache to ensure fresh hooks are loaded
 echo "Clearing plugin cache..."
 rm -rf ~/.claude/plugins/cache/leo-claude-mktplace/
 echo "Cache cleared"
--- a/scripts/verify-hooks.sh
+++ b/scripts/verify-hooks.sh
@@ -0,0 +1,44 @@
 #!/bin/bash
 # Verify all hooks are command type (not prompt)
 # Run this after any plugin update
 echo "=== HOOK VERIFICATION ==="
 echo ""
 FAILED=0
 # Check ALL hooks.json files in .claude directory
 for f in $(find ~/.claude -name "hooks.json" 2>/dev/null); do
    if grep -q '"type": "prompt"' "$f" || grep -q '"type":"prompt"' "$f"; then
        echo "❌ PROMPT HOOK FOUND: $f"
        FAILED=1
    fi
 done
 # Check cache specifically
 if [ -d ~/.claude/plugins/cache/leo-claude-mktplace ]; then
    echo "❌ CACHE EXISTS: ~/.claude/plugins/cache/leo-claude-mktplace"
    echo "   Run: rm -rf ~/.claude/plugins/cache/leo-claude-mktplace/"
    FAILED=1
 fi
 # Verify installed hooks are command type
 for plugin in doc-guardian code-sentinel projman pr-review project-hygiene; do
    HOOK_FILE=~/.claude/plugins/marketplaces/leo-claude-mktplace/plugins/$plugin/hooks/hooks.json
    if [ -f "$HOOK_FILE" ]; then
        if grep -q '"type": "command"' "$HOOK_FILE" || grep -q '"type":"command"' "$HOOK_FILE"; then
            echo "✓ $plugin: command type"
        else
            echo "❌ $plugin: NOT command type"
            FAILED=1
        fi
    fi
 done
 echo ""
 if [ $FAILED -eq 0 ]; then
    echo "✓ All hooks verified OK"
 else
    echo "❌ ISSUES FOUND - fix before using"
    exit 1
 fi
Author	SHA1	Message	Date
Leo Miranda	ce774bcc6f	Merge pull request 'development' (#119 ) from development into main Reviewed-on: #119	2026-01-23 19:47:39 +00:00
Leo Miranda	52c8371f4a	Merge pull request 'feat(netbox): add platform and primary_ip params to device tools' (#118 ) from feat/netbox-device-update-params into development Reviewed-on: #118	2026-01-23 19:47:10 +00:00
lmiranda	f8d6d42150	feat(netbox): add platform and primary_ip params to device tools Expose additional parameters in dcim_create_device and dcim_update_device MCP tools that were already supported by the backend but not exposed: dcim_create_device: - platform, primary_ip4, primary_ip6, asset_tag, description, comments dcim_update_device: - platform, primary_ip4, primary_ip6, serial, asset_tag, site, rack, position, description, comments This enables setting the platform (OS) and primary IP address when creating or updating devices in NetBox. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 14:46:09 -05:00
Leo Miranda	b3abe863af	Merge pull request 'development' (#117 ) from development into main Reviewed-on: #117	2026-01-23 17:50:25 +00:00
Leo Miranda	469487f6ed	Merge pull request 'fix(labels): add duplicate check before creating labels' (#116 ) from fix/labels-duplicate-check into development Reviewed-on: #116	2026-01-23 17:49:57 +00:00
lmiranda	7a2966367d	feat(claude-config-maintainer): auto-enforce mandatory behavior rules SessionStart hook checks if CLAUDE.md has mandatory rules. If missing, adds them automatically. Rules enforced: - Check everything when user asks - Believe user when they say something's wrong - Never say "done" without verification - Show exactly what user asks for Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 12:46:18 -05:00
lmiranda	0466b299a7	fix: add mandatory behavior rules and verification - Add MANDATORY BEHAVIOR RULES to CLAUDE.md (read every session) - Rules: check everything, believe user, verify before saying done - post-update.sh now clears plugin cache - verify-hooks.sh checks all locations for prompt hooks These rules prevent wasted user time from AI overconfidence. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 12:44:27 -05:00
lmiranda	b34304ed57	fix: add cache clearing and hook verification scripts - post-update.sh now clears plugin cache automatically - verify-hooks.sh checks ALL locations for prompt hooks - Prevents cached old hooks from overriding fixed hooks Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 12:41:33 -05:00
lmiranda	96963531fc	fix(labels): add duplicate check before creating labels create_label_smart now checks if label already exists before creating. - Checks both org and repo labels - Handles format variations (Type/Bug vs Type: Bug) - Returns {skipped: true} if label already exists - Prevents duplicate label creation errors Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 12:36:00 -05:00
Leo Miranda	4c9a7c55ae	Merge pull request 'development' (#115 ) from development into main Reviewed-on: #115	2026-01-23 17:25:18 +00:00
Leo Miranda	8a75203251	Merge pull request 'fix: hooks command type conversion + org-level labels' (#114 ) from fix/hooks-and-labels-v3.2.0 into development Reviewed-on: #114	2026-01-23 17:24:08 +00:00
lmiranda	da6e81260e	fix(hooks): convert ALL hooks to command type with proper prefixes ALL hooks now use command type (bash scripts) instead of prompt type. Prompt hooks are unreliable - model ignores instructions. Changes: - projman: SessionStart → startup-check.sh with [projman] prefix - pr-review: SessionStart → startup-check.sh with [pr-review] prefix - project-hygiene: cleanup.sh now has [project-hygiene] prefix - doc-guardian: already fixed (notify.sh with [doc-guardian] prefix) - code-sentinel: already fixed (security-check.sh with [code-sentinel] prefix) All hook output now guaranteed to have plugin name prefix. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 12:18:40 -05:00
lmiranda	e1f1335655	fix(code-sentinel): replace prompt hook with command hook Same fix as doc-guardian - prompt hooks unreliable. Command hook guarantees exact behavior. - Add security-check.sh that skips config/doc files silently - Only checks code files for hardcoded secrets - Outputs with [code-sentinel] prefix Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 12:16:06 -05:00
lmiranda	b017db83a1	feat(gitea): add organization-level label creation - Add create_org_label() method to gitea_client.py for org-level labels - Add create_label_smart() to labels.py that auto-detects correct level - Register both tools in server.py - Update labels-sync.md to use create_label_smart Label level detection: - Organization: Type/, Priority/, Complexity/, Effort/, Risk/, Source/, Agent/* - Repository: Component/, Tech/ Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 12:15:14 -05:00
lmiranda	bc136fab7e	docs: update CHANGELOG with actual fix for #110 Prompt hook approach didn't work - Claude ignores instructions. Real fix was switching to command hook type. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 11:51:31 -05:00
lmiranda	6c24bcbb91	fix(doc-guardian): replace prompt hook with command hook Prompt hooks are unreliable - Claude ignores instructions and generates verbose analysis despite explicit FORBIDDEN rules. Command hooks guarantee the exact output we want. - Add notify.sh script that only outputs for config file changes - Change hooks.json from prompt type to command type - Script exits silently for non-config files (no blocking) Fixes #110 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 11:48:54 -05:00
lmiranda	11a05799d3	docs: sync documentation with codebase - CLAUDE.md: Update version 3.0.1 → 3.1.2, projman 3.0.0 → 3.1.0, command count 12 → 13 - README.md: Add debug-report/debug-review to projman commands, add DEBUGGING-CHECKLIST.md to docs table - CANONICAL-PATHS.md: Update version, remove non-existent docs/workflows/, add COMMANDS-CHEATSHEET.md - projman/README.md: Fix "Three-Agent" → "Four-Agent", update architecture to show symlink - pr-review/README.md: Add missing setup commands (initial-setup, project-init, project-sync) - cmdb-assistant/README.md: Add initial-setup.md to architecture - project-hygiene/README.md: Fix invalid hook event name (task-completed → PostToolUse) - doc-guardian/plugin.json: Add missing commands field - code-sentinel/plugin.json: Add missing commands field Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 11:25:14 -05:00
Leo Miranda	403271dc0c	Merge pull request 'development' (#112 ) from development into main Reviewed-on: #112	2026-01-23 16:10:12 +00:00
Leo Miranda	cc4abf67b9	Merge pull request 'fix: protected branch detection and non-blocking hooks' (#111 ) from fix/issue-109-110-hooks-and-protected-branch into development Reviewed-on: #111	2026-01-23 16:08:38 +00:00
lmiranda	35cf20e02d	fix: protected branch detection and non-blocking hooks - Add protected branch detection to /commit command (Step 1) - Warn users before committing to protected branches - Offer to create feature branch automatically - Rewrite doc-guardian hook to be truly non-blocking - Enforce strict [plugin-name] prefix in all hook outputs - Add forbidden words list to prevent accidental blocking Fixes #109, #110 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 11:08:00 -05:00
Leo Miranda	5209f82efb	Merge pull request 'development' (#108 ) from development into main Reviewed-on: #108	2026-01-22 23:03:57 +00:00
Leo Miranda	1f55387e9e	Merge pull request 'feat: enhance debug commands with sprint awareness and lessons learned' (#107 ) from feat/debug-commands-enhancements into development Reviewed-on: #107	2026-01-22 23:03:34 +00:00
lmiranda	32bbca73ba	feat: enhance debug commands with sprint awareness and lessons learned Debug Report (/debug-report): - Add Step 1.5: Sprint context detection based on branch and milestone - Add Step 5: Smart labeling via suggest_labels MCP tool - Update issue creation to support milestone association Debug Review (/debug-review): - Add Step 9.5: Search lessons learned before proposing fixes - Add Step 15: Verify, close issue, and optionally capture lesson Hooks: - Simplify doc-guardian hook to be truly non-blocking (15 words max) - Update code-sentinel to skip docs/config files entirely Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-22 18:02:09 -05:00
Leo Miranda	0e6999ea21	Merge pull request 'development' (#106 ) from development into main Reviewed-on: #106	2026-01-22 21:17:18 +00:00
Leo Miranda	6cf3c1830c	Merge pull request 'development' (#104 ) from development into main Reviewed-on: #104	2026-01-22 20:02:06 +00:00