Merge pull request 'development' (#115) from development into main

Reviewed-on: #115

CHANGELOG.md

@@ -4,6 +4,32 @@ All notable changes to the Leo Claude Marketplace will be documented in this fil
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.1.2] - 2026-01-23
+
+### Added
+- **git-flow:** `/commit` now detects protected branches before committing
+  - Warns when on protected branch (main, master, development, staging, production)
+  - Offers to create feature branch automatically instead of committing directly
+  - Configurable via `GIT_PROTECTED_BRANCHES` environment variable
+  - Resolves issue where commits to protected branches would fail on push
+
+### Changed
+- **doc-guardian:** Hook switched from `prompt` type to `command` type
+  - Prompt hooks unreliable - Claude ignores explicit instructions
+  - New `notify.sh` bash script guarantees exact output behavior
+  - Only notifies for config file changes (commands/, agents/, skills/, hooks/)
+  - Silent exit for all other files - no blocking possible
+- **All hooks:** Stricter plugin prefix enforcement
+  - All prompts now mandate `[plugin-name]` prefix with "NO EXCEPTIONS" rule
+  - Simplified output formats with word limits
+  - Consistent structure across projman, pr-review, code-sentinel, doc-guardian
+
+### Fixed
+- Protected branch workflow: Claude no longer commits directly to protected branches and then fails on push (fixes #109)
+- doc-guardian hook no longer blocks workflow - switched to command hook that can't be overridden by model (fixes #110)
+
+---
+
 ## [3.1.1] - 2026-01-22
 
 ### Added

CLAUDE.md

@@ -5,14 +5,14 @@ This file provides guidance to Claude Code when working with code in this reposi
 ## Project Overview
 
 **Repository:** leo-claude-mktplace
-**Version:** 3.0.1
+**Version:** 3.1.2
 **Status:** Production Ready
 
 A plugin marketplace for Claude Code containing:
 
 | Plugin | Description | Version |
 |--------|-------------|---------|
-| `projman` | Sprint planning and project management with Gitea integration | 3.0.0 |
+| `projman` | Sprint planning and project management with Gitea integration | 3.1.0 |
 | `git-flow` | Git workflow automation with smart commits and branch management | 1.0.0 |
 | `pr-review` | Multi-agent PR review with confidence scoring | 1.0.0 |
 | `clarity-assist` | Prompt optimization with ND-friendly accommodations | 1.0.0 |
@@ -59,7 +59,7 @@ leo-claude-mktplace/
 │   │   ├── .claude-plugin/plugin.json
 │   │   ├── .mcp.json
 │   │   ├── mcp-servers/gitea -> ../../../mcp-servers/gitea  # SYMLINK
-│   │   ├── commands/             # 12 commands (incl. setup)
+│   │   ├── commands/             # 13 commands (incl. setup, debug)
 │   │   ├── hooks/                # SessionStart mismatch detection
 │   │   ├── agents/               # 4 agents
 │   │   └── skills/label-taxonomy/
@@ -255,4 +255,4 @@ See `docs/DEBUGGING-CHECKLIST.md` for systematic troubleshooting.
 
 ---
 
-**Last Updated:** 2026-01-22
+**Last Updated:** 2026-01-23

README.md

@@ -19,7 +19,7 @@ AI-guided sprint planning with full Gitea integration. Transforms a proven 15-sp
 - Branch-aware security (development/staging/production)
 - Pre-sprint-close code quality review and test verification
 
-**Commands:** `/sprint-plan`, `/sprint-start`, `/sprint-status`, `/sprint-close`, `/labels-sync`, `/initial-setup`, `/project-init`, `/project-sync`, `/review`, `/test-check`, `/test-gen`
+**Commands:** `/sprint-plan`, `/sprint-start`, `/sprint-status`, `/sprint-close`, `/labels-sync`, `/initial-setup`, `/project-init`, `/project-sync`, `/review`, `/test-check`, `/test-gen`, `/debug-report`, `/debug-review`
 
 #### [git-flow](./plugins/git-flow/README.md) *NEW in v3.0.0*
 **Git Workflow Automation**
@@ -257,6 +257,7 @@ leo-claude-mktplace/
 | [COMMANDS-CHEATSHEET.md](./docs/COMMANDS-CHEATSHEET.md) | All commands quick reference |
 | [UPDATING.md](./docs/UPDATING.md) | Update guide for the marketplace |
 | [CANONICAL-PATHS.md](./docs/CANONICAL-PATHS.md) | Authoritative path reference |
+| [DEBUGGING-CHECKLIST.md](./docs/DEBUGGING-CHECKLIST.md) | Systematic troubleshooting guide |
 | [CHANGELOG.md](./CHANGELOG.md) | Version history |
 
 ## License

docs/CANONICAL-PATHS.md

@@ -2,7 +2,7 @@
 
 **This file defines ALL valid paths in this repository. No exceptions. No inference. No assumptions.**
 
-Last Updated: 2026-01-20 (v3.0.0)
+Last Updated: 2026-01-23 (v3.1.2)
 
 ---
 
@@ -17,10 +17,10 @@ leo-claude-mktplace/
 ├── docs/                       # All documentation
 │   ├── architecture/           # Draw.io diagrams and specs
 │   ├── CANONICAL-PATHS.md      # This file - single source of truth
+│   ├── COMMANDS-CHEATSHEET.md  # All commands quick reference
 │   ├── CONFIGURATION.md        # Centralized configuration guide
 │   ├── DEBUGGING-CHECKLIST.md  # Systematic troubleshooting guide
-│   ├── UPDATING.md             # Update guide
-│   └── workflows/              # Workflow documentation
+│   └── UPDATING.md             # Update guide
 ├── hooks/                      # Shared hooks (if any)
 ├── mcp-servers/                # SHARED MCP servers (v3.0.0+)
 │   ├── gitea/                  # Gitea MCP server
@@ -156,7 +156,6 @@ The symlink target is relative: `../../../mcp-servers/{server}`
 | Type | Location |
 |------|----------|
 | Architecture diagrams | `docs/architecture/` |
-| Workflow docs | `docs/workflows/` |
 | This file | `docs/CANONICAL-PATHS.md` |
 | Update guide | `docs/UPDATING.md` |
 | Configuration guide | `docs/CONFIGURATION.md` |

mcp-servers/gitea/mcp_server/gitea_client.py

@@ -621,6 +621,40 @@ class GiteaClient:
         response.raise_for_status()
         return response.json()
 
+    def create_org_label(
+        self,
+        org: str,
+        name: str,
+        color: str,
+        description: Optional[str] = None
+    ) -> Dict:
+        """
+        Create a new label at the organization level.
+
+        Organization labels are shared across all repositories in the org.
+        Use this for workflow labels (Type, Priority, Complexity, Effort, etc.)
+
+        Args:
+            org: Organization name
+            name: Label name (e.g., 'Type/Bug', 'Priority/High')
+            color: Hex color code (with or without #)
+            description: Optional label description
+
+        Returns:
+            Created label dictionary
+        """
+        url = f"{self.base_url}/orgs/{org}/labels"
+        data = {
+            'name': name,
+            'color': color.lstrip('#')  # Remove # if present
+        }
+        if description:
+            data['description'] = description
+        logger.info(f"Creating organization label '{name}' in {org}")
+        response = self.session.post(url, json=data)
+        response.raise_for_status()
+        return response.json()
+
     # ========================================
     # PULL REQUEST OPERATIONS
     # ========================================

mcp-servers/gitea/mcp_server/server.py

@@ -622,13 +622,65 @@ class GiteaMCPServer:
                 ),
                 Tool(
                     name="create_label",
-                    description="Create a new label in the repository",
+                    description="Create a new label in the repository (for repo-specific labels like Component/*, Tech/*)",
                     inputSchema={
                         "type": "object",
                         "properties": {
                             "name": {
                                 "type": "string",
-                                "description": "Label name"
+                                "description": "Label name (e.g., 'Component/Backend', 'Tech/Python')"
+                            },
+                            "color": {
+                                "type": "string",
+                                "description": "Label color (hex code)"
+                            },
+                            "description": {
+                                "type": "string",
+                                "description": "Label description"
+                            },
+                            "repo": {
+                                "type": "string",
+                                "description": "Repository name (owner/repo format)"
+                            }
+                        },
+                        "required": ["name", "color"]
+                    }
+                ),
+                Tool(
+                    name="create_org_label",
+                    description="Create a new label at organization level (for workflow labels like Type/*, Priority/*, Complexity/*, Effort/*)",
+                    inputSchema={
+                        "type": "object",
+                        "properties": {
+                            "org": {
+                                "type": "string",
+                                "description": "Organization name"
+                            },
+                            "name": {
+                                "type": "string",
+                                "description": "Label name (e.g., 'Type/Bug', 'Priority/High')"
+                            },
+                            "color": {
+                                "type": "string",
+                                "description": "Label color (hex code)"
+                            },
+                            "description": {
+                                "type": "string",
+                                "description": "Label description"
+                            }
+                        },
+                        "required": ["org", "name", "color"]
+                    }
+                ),
+                Tool(
+                    name="create_label_smart",
+                    description="Create a label at the appropriate level (org or repo) based on category. Org: Type/*, Priority/*, Complexity/*, Effort/*, Risk/*, Source/*, Agent/*. Repo: Component/*, Tech/*",
+                    inputSchema={
+                        "type": "object",
+                        "properties": {
+                            "name": {
+                                "type": "string",
+                                "description": "Label name (e.g., 'Type/Bug', 'Component/Backend')"
                             },
                             "color": {
                                 "type": "string",
@@ -880,6 +932,20 @@ class GiteaMCPServer:
                         arguments.get('description'),
                         arguments.get('repo')
                     )
+                elif name == "create_org_label":
+                    result = self.client.create_org_label(
+                        arguments['org'],
+                        arguments['name'],
+                        arguments['color'],
+                        arguments.get('description')
+                    )
+                elif name == "create_label_smart":
+                    result = await self.label_tools.create_label_smart(
+                        arguments['name'],
+                        arguments['color'],
+                        arguments.get('description'),
+                        arguments.get('repo')
+                    )
                 # Pull Request tools
                 elif name == "list_pull_requests":
                     result = await self.pr_tools.list_pull_requests(**arguments)

mcp-servers/gitea/mcp_server/tools/labels.py

@@ -259,3 +259,70 @@ class LabelTools:
             return lookup[category_lower][value_lower]
 
         return None
+
+    # Organization-level label categories (workflow labels shared across repos)
+    ORG_LABEL_CATEGORIES = {'agent', 'complexity', 'effort', 'efforts', 'priority', 'risk', 'source', 'type'}
+
+    # Repository-level label categories (project-specific labels)
+    REPO_LABEL_CATEGORIES = {'component', 'tech'}
+
+    async def create_label_smart(
+        self,
+        name: str,
+        color: str,
+        description: Optional[str] = None,
+        repo: Optional[str] = None
+    ) -> Dict:
+        """
+        Create a label at the appropriate level (org or repo) based on category.
+
+        Organization labels: Agent, Complexity, Effort, Priority, Risk, Source, Type
+        Repository labels: Component, Tech
+
+        Args:
+            name: Label name (e.g., 'Type/Bug', 'Component/Backend')
+            color: Hex color code
+            description: Optional label description
+            repo: Repository in 'owner/repo' format
+
+        Returns:
+            Created label dictionary with 'level' key indicating where it was created
+        """
+        loop = asyncio.get_event_loop()
+
+        target_repo = repo or self.gitea.repo
+        if not target_repo or '/' not in target_repo:
+            raise ValueError("Use 'owner/repo' format (e.g. 'org/repo-name')")
+
+        # Parse category from label name
+        category = None
+        if '/' in name:
+            category = name.split('/')[0].lower().rstrip('s')
+        elif ':' in name:
+            category = name.split(':')[0].strip().lower().rstrip('s')
+
+        # Determine level
+        owner = target_repo.split('/')[0]
+        is_org = await loop.run_in_executor(
+            None,
+            lambda: self.gitea.is_org_repo(target_repo)
+        )
+
+        # If it's an org repo and the category is an org-level category, create at org level
+        if is_org and category in self.ORG_LABEL_CATEGORIES:
+            result = await loop.run_in_executor(
+                None,
+                lambda: self.gitea.create_org_label(owner, name, color, description)
+            )
+            result['level'] = 'organization'
+            logger.info(f"Created organization label '{name}' in {owner}")
+        else:
+            # Create at repo level
+            result = await loop.run_in_executor(
+                None,
+                lambda: self.gitea.create_label(name, color, description, target_repo)
+            )
+            result['level'] = 'repository'
+            logger.info(f"Created repository label '{name}' in {target_repo}")
+
+        return result

plugins/cmdb-assistant/README.md

@@ -111,6 +111,7 @@ cmdb-assistant/
 │   └── plugin.json          # Plugin manifest
 ├── .mcp.json                 # MCP server configuration
 ├── commands/
+│   ├── initial-setup.md     # Setup wizard
 │   ├── cmdb-search.md       # Search command
 │   ├── cmdb-device.md       # Device management
 │   ├── cmdb-ip.md           # IP management

plugins/code-sentinel/.claude-plugin/plugin.json

@@ -9,5 +9,6 @@
   "homepage": "https://gitea.hotserv.cloud/personal-projects/leo-claude-mktplace/src/branch/main/plugins/code-sentinel/README.md",
   "repository": "https://gitea.hotserv.cloud/personal-projects/leo-claude-mktplace.git",
   "license": "MIT",
-  "keywords": ["security", "refactoring", "code-quality", "static-analysis", "hooks"]
+  "keywords": ["security", "refactoring", "code-quality", "static-analysis", "hooks"],
+  "commands": ["./commands/"]
 }

plugins/code-sentinel/hooks/hooks.json

@@ -5,8 +5,8 @@
         "matcher": "Write|Edit|MultiEdit",
         "hooks": [
           {
-            "type": "prompt",
-            "prompt": "[code-sentinel] SECURITY CHECK - Before writing this code, scan for these patterns:\n\n**Critical (BLOCK if found):**\n- eval(), exec() with user input\n- SQL string concatenation (SQL injection)\n- shell=True with user input (command injection)\n- Hardcoded secrets (API keys, passwords, tokens)\n- Pickle/marshal deserialization of untrusted data\n- innerHTML/dangerouslySetInnerHTML with user content (XSS)\n\n**Warning (WARN but allow):**\n- subprocess without input validation\n- File operations without path sanitization\n- HTTP requests without timeout\n- Broad exception catches (except:)\n- Debug/print statements with sensitive data\n\n**Response:**\n- If CRITICAL found: STOP with '[code-sentinel] BLOCKED:', explain the issue, suggest safe alternative\n- If WARNING found: Note briefly with '[code-sentinel] WARNING:', proceed with suggestion\n- If clean: Proceed silently (say nothing)\n\nDo NOT announce clean scans. Only speak if issues found."
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/security-check.sh"
           }
         ]
       }

plugins/code-sentinel/hooks/security-check.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# code-sentinel security check hook
+# Checks for obvious security issues in code files, skips config/docs
+# Command hook - guaranteed predictable behavior
+
+# Read tool input from stdin
+INPUT=$(cat)
+
+# Extract file_path from JSON input
+FILE_PATH=$(echo "$INPUT" | grep -o '"file_path"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"file_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
+
+# If no file_path, exit silently
+if [ -z "$FILE_PATH" ]; then
+    exit 0
+fi
+
+# SKIP config/doc files entirely - exit silently
+case "$FILE_PATH" in
+    *.md|*.json|*.yml|*.yaml|*.txt|*.toml|*.ini|*.cfg|*.conf)
+        exit 0
+        ;;
+    */docs/*|*/README*|*/CHANGELOG*|*/LICENSE*)
+        exit 0
+        ;;
+    */.claude/*|*/.github/*|*/.vscode/*)
+        exit 0
+        ;;
+esac
+
+# For code files, extract content to check
+# For Edit tool: check new_string
+# For Write tool: check content
+CONTENT=$(echo "$INPUT" | grep -o '"new_string"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"new_string"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
+if [ -z "$CONTENT" ]; then
+    CONTENT=$(echo "$INPUT" | grep -o '"content"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"content"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
+fi
+
+# If no content to check, exit silently
+if [ -z "$CONTENT" ]; then
+    exit 0
+fi
+
+# Check for hardcoded secrets patterns (obvious cases only)
+if echo "$CONTENT" | grep -qiE '(api[_-]?key|api[_-]?secret|password|passwd|secret[_-]?key|auth[_-]?token)[[:space:]]*[=:][[:space:]]*["\x27][A-Za-z0-9+/=_-]{20,}["\x27]'; then
+    echo "[code-sentinel] BLOCKED: Hardcoded secret detected"
+    exit 1
+fi
+
+# Check for AWS keys pattern
+if echo "$CONTENT" | grep -qE 'AKIA[A-Z0-9]{16}'; then
+    echo "[code-sentinel] BLOCKED: AWS access key detected"
+    exit 1
+fi
+
+# Check for private key headers
+if echo "$CONTENT" | grep -qE '\-\-\-\-\-BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY\-\-\-\-\-'; then
+    echo "[code-sentinel] BLOCKED: Private key detected"
+    exit 1
+fi
+
+# All other cases: exit silently (allow the edit)
+exit 0

plugins/doc-guardian/.claude-plugin/plugin.json

@@ -9,5 +9,6 @@
   "homepage": "https://gitea.hotserv.cloud/personal-projects/leo-claude-mktplace/src/branch/main/plugins/doc-guardian/README.md",
   "repository": "https://gitea.hotserv.cloud/personal-projects/leo-claude-mktplace.git",
   "license": "MIT",
-  "keywords": ["documentation", "sync", "drift-detection", "automation", "hooks"]
+  "keywords": ["documentation", "sync", "drift-detection", "automation", "hooks"],
+  "commands": ["./commands/"]
 }

plugins/doc-guardian/hooks/hooks.json

@@ -5,8 +5,8 @@
         "matcher": "Write|Edit|MultiEdit",
         "hooks": [
           {
-            "type": "prompt",
-            "prompt": "[doc-guardian] QUICK drift check (DO NOT block workflow):\n\n1. ONLY check if the modified file is referenced in README.md, CLAUDE.md, or API docs in the SAME directory\n2. Do NOT read files or perform deep analysis - just note potential drift based on file name/path\n3. If potential drift: output a single line like '[doc-guardian] Note: {filename} changed - may affect {doc}. Run /doc-sync to verify.'\n4. If no obvious drift: say nothing\n\nIMPORTANT: This is notification-only. Do NOT read documentation files, do NOT make changes, do NOT use any tools. Just a quick mental check based on the file path."
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/notify.sh"
           }
         ]
       }

plugins/doc-guardian/hooks/notify.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# doc-guardian notification hook
+# Outputs a single notification for config file changes, nothing otherwise
+# This is a command hook - guaranteed not to block workflow
+
+# Read tool input from stdin (JSON with file_path)
+INPUT=$(cat)
+
+# Extract file_path from JSON input
+FILE_PATH=$(echo "$INPUT" | grep -o '"file_path"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"file_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
+
+# If no file_path found, exit silently
+if [ -z "$FILE_PATH" ]; then
+    exit 0
+fi
+
+# Check if file is in a config directory (commands/, agents/, skills/, hooks/)
+if echo "$FILE_PATH" | grep -qE '/(commands|agents|skills|hooks)/'; then
+    echo "[doc-guardian] Config file modified. Run /doc-sync when ready."
+fi
+
+# Exit silently for all other files (no output = no blocking)
+exit 0

plugins/git-flow/README.md

@@ -10,7 +10,7 @@ git-flow streamlines common git operations with smart defaults, conventional com
 
 | Command | Description |
 |---------|-------------|
-| `/commit` | Create commit with auto-generated conventional message |
+| `/commit` | Create commit with auto-generated conventional message (with protected branch detection) |
 | `/commit-push` | Commit and push in one operation |
 | `/commit-merge` | Commit and merge into target branch |
 | `/commit-sync` | Full sync: commit, push, and rebase on base branch |
@@ -79,7 +79,7 @@ chore/update-dependencies
 
 ### Safety Checks
 
-- Warns before commits to protected branches
+- **Protected branch detection**: Before committing, checks if you're on a protected branch (main, master, development, staging, production by default). Offers to create a feature branch automatically instead of committing directly to protected branches.
 - Confirms force push operations
 - Prevents accidental branch deletion
 

plugins/git-flow/commands/commit.md

@@ -6,13 +6,44 @@ Create a git commit with an auto-generated conventional commit message based on
 
 ## Behavior
 
-### Step 1: Analyze Changes
+### Step 1: Check for Protected Branch
+
+Before any commit operation, check if the current branch is protected:
+
+1. Get current branch: `git branch --show-current`
+2. Check against `GIT_PROTECTED_BRANCHES` (default: `main,master,development,staging,production`)
+
+If on a protected branch, warn the user:
+
+```
+⚠️  You are on a protected branch: development
+
+Protected branches typically have push restrictions that will prevent
+direct commits from being pushed to the remote.
+
+Options:
+1. Create a feature branch and continue (Recommended)
+2. Continue on this branch anyway (may fail on push)
+3. Cancel
+```
+
+**If option 1 (create feature branch):**
+- Prompt for branch type (feat/fix/chore/docs/refactor)
+- Prompt for brief description
+- Create branch using `/branch-start` naming conventions
+- Continue with commit on the new branch
+
+**If option 2 (continue anyway):**
+- Proceed with commit (user accepts risk of push rejection)
+- Display reminder: "Remember: push may be rejected by remote protection rules"
+
+### Step 2: Analyze Changes
 
 1. Run `git status` to see staged and unstaged changes
 2. Run `git diff --staged` to examine staged changes
 3. If nothing staged, prompt user to stage changes
 
-### Step 2: Generate Commit Message
+### Step 3: Generate Commit Message
 
 Analyze the changes and generate a conventional commit message:
 
@@ -38,7 +69,7 @@ Analyze the changes and generate a conventional commit message:
 
 **Scope:** Determined from changed files (e.g., `auth`, `api`, `ui`)
 
-### Step 3: Confirm or Edit
+### Step 4: Confirm or Edit
 
 Present the generated message:
 
@@ -58,7 +89,7 @@ Options:
 4. Cancel
 ```
 
-### Step 4: Execute Commit
+### Step 5: Execute Commit
 
 If confirmed, run:
 
@@ -75,6 +106,7 @@ EOF
 
 | Variable | Default | Description |
 |----------|---------|-------------|
+| `GIT_PROTECTED_BRANCHES` | `main,master,development,staging,production` | Branches that trigger protection warning |
 | `GIT_COMMIT_STYLE` | `conventional` | Message style (conventional, simple, detailed) |
 | `GIT_SIGN_COMMITS` | `false` | Use GPG signing |
 | `GIT_CO_AUTHOR` | `true` | Include Claude co-author footer |

plugins/pr-review/README.md

@@ -13,6 +13,9 @@ pr-review conducts comprehensive code reviews using specialized agents for secur
 | `/pr-review <pr#>` | Full multi-agent review |
 | `/pr-summary <pr#>` | Quick summary without full review |
 | `/pr-findings <pr#>` | Filter findings by category/confidence |
+| `/initial-setup` | Full interactive setup wizard |
+| `/project-init` | Quick project setup (system already configured) |
+| `/project-sync` | Sync configuration with current git remote |
 
 ## Review Agents
 

plugins/pr-review/hooks/hooks.json

@@ -2,8 +2,8 @@
   "hooks": {
     "SessionStart": [
       {
-        "type": "prompt",
-        "prompt": "[pr-review] Perform silent startup checks:\n\n1. Check if MCP venvs exist at the installed marketplace location. If the marketplace is installed but venvs are missing, warn the user: '[pr-review] MCP venvs missing - run setup.sh from installed marketplace location'.\n\n2. Check if the project git remote matches .env configuration (GITEA_ORG/GITEA_REPO). If mismatch, warn: '[pr-review] Git remote mismatch - run /project-sync'.\n\nStay silent if all checks pass or not applicable. Be quick and non-blocking."
+        "type": "command",
+        "command": "${CLAUDE_PLUGIN_ROOT}/hooks/startup-check.sh"
       }
     ]
   }

plugins/pr-review/hooks/startup-check.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# pr-review startup check hook
+# Checks for common issues at session start
+# All output MUST have [pr-review] prefix
+
+PREFIX="[pr-review]"
+
+# Check if MCP venv exists
+PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(dirname "$(dirname "$(realpath "$0")")")}"
+VENV_PATH="$PLUGIN_ROOT/mcp-servers/gitea/.venv/bin/python"
+
+if [[ ! -f "$VENV_PATH" ]]; then
+    echo "$PREFIX MCP venvs missing - run setup.sh from installed marketplace"
+    exit 0
+fi
+
+# Check git remote vs .env config (only if .env exists)
+if [[ -f ".env" ]]; then
+    CONFIGURED_REPO=$(grep -E "^GITEA_REPO=" .env 2>/dev/null | cut -d'=' -f2 | tr -d '"' || true)
+    if [[ -n "$CONFIGURED_REPO" ]]; then
+        CURRENT_REMOTE=$(git remote get-url origin 2>/dev/null | sed 's/.*[:/]\([^/]*\/[^.]*\).*/\1/' || true)
+        if [[ -n "$CURRENT_REMOTE" && "$CONFIGURED_REPO" != "$CURRENT_REMOTE" ]]; then
+            echo "$PREFIX Git remote mismatch - run /pr-review:project-sync"
+            exit 0
+        fi
+    fi
+fi
+
+# All checks passed - say nothing
+exit 0

plugins/project-hygiene/README.md

@@ -20,7 +20,7 @@ claude plugin install project-hygiene
 
 ## How It Works
 
-The plugin registers a `task-completed` hook that runs after Claude completes any task. It:
+The plugin registers a `PostToolUse` hook (on Write and Edit tools) that runs after Claude modifies files. It:
 
 1. Scans for and deletes known temporary file patterns
 2. Removes temporary directories (`__pycache__`, `.pytest_cache`, etc.)

plugins/project-hygiene/hooks/cleanup.sh

@@ -1,365 +1,28 @@
 #!/bin/bash
 # project-hygiene cleanup hook
-# Runs after task completion to clean up temp files and manage orphans
+# Runs after file edits to clean up temp files
+# All output MUST have [project-hygiene] prefix
 
 set -euo pipefail
 
-# Configuration
+PREFIX="[project-hygiene]"
+
+# Read tool input from stdin (discard - we don't need it for cleanup)
+cat > /dev/null
+
 PROJECT_ROOT="${PROJECT_ROOT:-.}"
-PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(dirname "$(dirname "$(realpath "$0")")")}"
-CONFIG_FILE="${PROJECT_ROOT}/.hygiene.json"
-LOG_DIR="${PROJECT_ROOT}/.dev/logs"
-SCRATCH_DIR="${PROJECT_ROOT}/.dev/scratch"
-LOG_FILE="${LOG_DIR}/hygiene-$(date +%Y%m%d-%H%M%S).log"
-
-# Default allowed root files (can be overridden by .hygiene.json)
-DEFAULT_ALLOWED_ROOT=(
-    ".git"
-    ".gitignore"
-    ".gitattributes"
-    ".editorconfig"
-    ".env"
-    ".env.example"
-    ".env.local"
-    ".nvmrc"
-    ".node-version"
-    ".python-version"
-    ".ruby-version"
-    ".tool-versions"
-    "README.md"
-    "LICENSE"
-    "CHANGELOG.md"
-    "CONTRIBUTING.md"
-    "CLAUDE.md"
-    "package.json"
-    "package-lock.json"
-    "yarn.lock"
-    "pnpm-lock.yaml"
-    "Makefile"
-    "Dockerfile"
-    "docker-compose.yml"
-    "docker-compose.yaml"
-    "Cargo.toml"
-    "Cargo.lock"
-    "go.mod"
-    "go.sum"
-    "requirements.txt"
-    "setup.py"
-    "pyproject.toml"
-    "poetry.lock"
-    "Gemfile"
-    "Gemfile.lock"
-    "tsconfig.json"
-    "jsconfig.json"
-    ".eslintrc*"
-    ".prettierrc*"
-    "vite.config.*"
-    "webpack.config.*"
-    "rollup.config.*"
-    ".hygiene.json"
-)
-
-# Temp file patterns to delete
-TEMP_PATTERNS=(
-    "*.tmp"
-    "*.bak"
-    "*.swp"
-    "*.swo"
-    "*~"
-    ".DS_Store"
-    "Thumbs.db"
-    "*.log"
-    "*.orig"
-    "*.pyc"
-    "*.pyo"
-)
-
-# Directory patterns to delete
-TEMP_DIRS=(
-    "__pycache__"
-    ".pytest_cache"
-    ".mypy_cache"
-    ".ruff_cache"
-    "node_modules/.cache"
-    ".next/cache"
-    ".nuxt/.cache"
-    ".turbo"
-    "*.egg-info"
-    ".eggs"
-    "dist"
-    "build"
-)
-
-# Orphan patterns to identify
-ORPHAN_PATTERNS=(
-    "test_*.py"
-    "debug_*"
-    "*_backup.*"
-    "*_old.*"
-    "*_bak.*"
-    "*.backup"
-    "temp_*"
-    "tmp_*"
-)
-
-# Initialize
 DELETED_COUNT=0
-WARNED_COUNT=0
-ORPHAN_COUNT=0
-MOVE_ORPHANS=false
-
-# Logging function
-log() {
-    local msg="[$(date +%H:%M:%S)] $1"
-    echo "$msg"
-    if [[ -f "$LOG_FILE" ]]; then
-        echo "$msg" >> "$LOG_FILE"
-    fi
-}
-
-log_action() {
-    local action="$1"
-    local target="$2"
-    log "  $action: $target"
-}
-
-# Load project-local config if exists
-load_config() {
-    if [[ -f "$CONFIG_FILE" ]]; then
-        log "Loading config from $CONFIG_FILE"
-
-        # Check if move_orphans is enabled
-        if command -v jq &>/dev/null; then
-            MOVE_ORPHANS=$(jq -r '.move_orphans // false' "$CONFIG_FILE" 2>/dev/null || echo "false")
-
-            # Load additional allowed root files
-            local extra_allowed
-            extra_allowed=$(jq -r '.allowed_root_files // [] | .[]' "$CONFIG_FILE" 2>/dev/null || true)
-            if [[ -n "$extra_allowed" ]]; then
-                while IFS= read -r file; do
-                    DEFAULT_ALLOWED_ROOT+=("$file")
-                done <<< "$extra_allowed"
-            fi
-
-            # Load additional temp patterns
-            local extra_temp
-            extra_temp=$(jq -r '.temp_patterns // [] | .[]' "$CONFIG_FILE" 2>/dev/null || true)
-            if [[ -n "$extra_temp" ]]; then
-                while IFS= read -r pattern; do
-                    TEMP_PATTERNS+=("$pattern")
-                done <<< "$extra_temp"
-            fi
-
-            # Load ignore patterns (files to never touch)
-            IGNORE_PATTERNS=()
-            local ignore
-            ignore=$(jq -r '.ignore_patterns // [] | .[]' "$CONFIG_FILE" 2>/dev/null || true)
-            if [[ -n "$ignore" ]]; then
-                while IFS= read -r pattern; do
-                    IGNORE_PATTERNS+=("$pattern")
-                done <<< "$ignore"
-            fi
-        else
-            log "Warning: jq not installed, using default config"
-        fi
-    fi
-}
-
-# Check if file should be ignored
-should_ignore() {
-    local file="$1"
-    local basename
-    basename=$(basename "$file")
-
-    for pattern in "${IGNORE_PATTERNS[@]:-}"; do
-        if [[ "$basename" == $pattern ]] || [[ "$file" == $pattern ]]; then
-            return 0
-        fi
-    done
-    return 1
-}
-
-# Check if file is in allowed root list
-is_allowed_root() {
-    local file="$1"
-    local basename
-    basename=$(basename "$file")
-
-    for allowed in "${DEFAULT_ALLOWED_ROOT[@]}"; do
-        # Support wildcards in allowed patterns
-        if [[ "$basename" == $allowed ]]; then
-            return 0
-        fi
-    done
-    return 1
-}
-
-# Check if file matches orphan pattern
-is_orphan() {
-    local file="$1"
-    local basename
-    basename=$(basename "$file")
-
-    for pattern in "${ORPHAN_PATTERNS[@]}"; do
-        if [[ "$basename" == $pattern ]]; then
-            return 0
-        fi
-    done
-    return 1
-}
-
-# Setup directories
-setup_dirs() {
-    mkdir -p "$LOG_DIR"
-    if [[ "$MOVE_ORPHANS" == "true" ]]; then
-        mkdir -p "$SCRATCH_DIR"
-    fi
-
-    # Start log file
-    echo "=== Project Hygiene Cleanup ===" > "$LOG_FILE"
-    echo "Started: $(date)" >> "$LOG_FILE"
-    echo "Project: $PROJECT_ROOT" >> "$LOG_FILE"
-    echo "" >> "$LOG_FILE"
-}
-
-# Delete temp files
-cleanup_temp_files() {
-    log "Cleaning temp files..."
-
-    for pattern in "${TEMP_PATTERNS[@]}"; do
-        while IFS= read -r -d '' file; do
-            if should_ignore "$file"; then
-                continue
-            fi
-            rm -f "$file"
-            log_action "DELETED" "$file"
-            ((DELETED_COUNT++))
-        done < <(find "$PROJECT_ROOT" -name "$pattern" -type f -print0 2>/dev/null || true)
-    done
-}
-
-# Delete temp directories
-cleanup_temp_dirs() {
-    log "Cleaning temp directories..."
-
-    for pattern in "${TEMP_DIRS[@]}"; do
-        while IFS= read -r -d '' dir; do
-            if should_ignore "$dir"; then
-                continue
-            fi
-            rm -rf "$dir"
-            log_action "DELETED DIR" "$dir"
-            ((DELETED_COUNT++))
-        done < <(find "$PROJECT_ROOT" -name "$pattern" -type d -print0 2>/dev/null || true)
-    done
-}
-
-# Warn about unexpected root files
-check_root_files() {
-    log "Checking root files..."
-
-    local unexpected_files=()
 
+# Silently delete temp files
+for pattern in "*.tmp" "*.bak" "*.swp" "*~" ".DS_Store"; do
     while IFS= read -r -d '' file; do
-        local basename
-        basename=$(basename "$file")
+        rm -f "$file" 2>/dev/null && ((DELETED_COUNT++)) || true
+    done < <(find "$PROJECT_ROOT" -name "$pattern" -type f -print0 2>/dev/null || true)
+done
 
-        # Skip directories
-        [[ -d "$file" ]] && continue
+# Only output if we deleted something
+if [[ $DELETED_COUNT -gt 0 ]]; then
+    echo "$PREFIX Cleaned $DELETED_COUNT temp files"
+fi
 
-        # Skip if in allowed list
-        is_allowed_root "$basename" && continue
-
-        # Skip if should be ignored
-        should_ignore "$basename" && continue
-
-        unexpected_files+=("$basename")
-        log_action "WARNING" "Unexpected root file: $basename"
-        ((WARNED_COUNT++))
-    done < <(find "$PROJECT_ROOT" -maxdepth 1 -print0 2>/dev/null || true)
-
-    if [[ ${#unexpected_files[@]} -gt 0 ]]; then
-        log ""
-        log "⚠️  Unexpected files in project root:"
-        for f in "${unexpected_files[@]}"; do
-            log "    - $f"
-        done
-    fi
-}
-
-# Identify and handle orphaned files
-handle_orphans() {
-    log "Checking for orphaned files..."
-
-    local orphan_files=()
-
-    for pattern in "${ORPHAN_PATTERNS[@]}"; do
-        while IFS= read -r -d '' file; do
-            if should_ignore "$file"; then
-                continue
-            fi
-
-            orphan_files+=("$file")
-
-            if [[ "$MOVE_ORPHANS" == "true" ]]; then
-                local dest="${SCRATCH_DIR}/$(basename "$file")"
-                # Handle duplicates
-                if [[ -f "$dest" ]]; then
-                    dest="${SCRATCH_DIR}/$(date +%Y%m%d%H%M%S)_$(basename "$file")"
-                fi
-                mv "$file" "$dest"
-                log_action "MOVED" "$file -> $dest"
-            else
-                log_action "ORPHAN" "$file"
-            fi
-            ((ORPHAN_COUNT++))
-        done < <(find "$PROJECT_ROOT" -name "$pattern" -type f -print0 2>/dev/null || true)
-    done
-
-    if [[ ${#orphan_files[@]} -gt 0 && "$MOVE_ORPHANS" != "true" ]]; then
-        log ""
-        log "📦 Orphaned files found (enable move_orphans in .hygiene.json to auto-move):"
-        for f in "${orphan_files[@]}"; do
-            log "    - $f"
-        done
-    fi
-}
-
-# Summary
-print_summary() {
-    log ""
-    log "=== Cleanup Summary ==="
-    log "  Deleted: $DELETED_COUNT items"
-    log "  Warnings: $WARNED_COUNT unexpected root files"
-    log "  Orphans: $ORPHAN_COUNT files"
-    if [[ "$MOVE_ORPHANS" == "true" ]]; then
-        log "  Orphans moved to: $SCRATCH_DIR"
-    fi
-    log "  Log file: $LOG_FILE"
-    log ""
-}
-
-# Main
-main() {
-    cd "$PROJECT_ROOT" || exit 1
-
-    load_config
-    setup_dirs
-
-    log "Starting project hygiene cleanup..."
-    log ""
-
-    cleanup_temp_files
-    cleanup_temp_dirs
-    check_root_files
-    handle_orphans
-
-    print_summary
-
-    # Exit with warning code if issues found
-    if [[ $WARNED_COUNT -gt 0 || $ORPHAN_COUNT -gt 0 ]]; then
-        exit 0  # Still success, but logged warnings
-    fi
-}
-
-main "$@"
+exit 0

plugins/projman/README.md

@@ -13,7 +13,7 @@ Projman transforms a proven 15-sprint workflow into a distributable Claude Code
 - **Milestones** - Sprint milestone management and tracking
 - **Lessons Learned** - Systematic capture and search via Gitea Wiki
 - **Branch-Aware Security** - Prevents accidental changes on production branches
-- **Three-Agent Model** - Planner, Orchestrator, and Executor agents
+- **Four-Agent Model** - Planner, Orchestrator, Executor, and Code Reviewer agents
 - **CLI Tools Blocked** - All operations via MCP tools only (no `tea` or `gh`)
 
 ## Quick Start
@@ -461,20 +461,8 @@ projman/
 ├── .claude-plugin/
 │   └── plugin.json          # Plugin manifest
 ├── .mcp.json                # MCP server configuration
-├── mcp-servers/             # Bundled MCP server
-│   └── gitea/
-│       ├── .venv/
-│       ├── requirements.txt
-│       ├── mcp_server/
-│       │   ├── server.py
-│       │   ├── gitea_client.py
-│       │   └── tools/
-│       │       ├── issues.py
-│       │       ├── labels.py
-│       │       ├── wiki.py
-│       │       ├── milestones.py
-│       │       └── dependencies.py
-│       └── tests/
+├── mcp-servers/
+│   └── gitea -> ../../../mcp-servers/gitea  # SYMLINK to shared MCP server
 ├── commands/                # Slash commands
 │   ├── sprint-plan.md
 │   ├── sprint-start.md

plugins/projman/commands/debug-report.md

@@ -43,6 +43,46 @@ Store all values:
 - `CURRENT_BRANCH`: Current branch name
 - `WORKING_DIR`: Current working directory
 
+### Step 1.5: Detect Sprint Context
+
+Determine if this debug issue should be associated with an active sprint.
+
+**1. Check for active sprint milestone:**
+
+```
+mcp__plugin_projman_gitea__list_milestones(repo=PROJECT_REPO, state="open")
+```
+
+Store the first open milestone as `ACTIVE_SPRINT` (if any).
+
+**2. Analyze branch context:**
+
+| Branch Pattern | Context |
+|----------------|---------|
+| `feat/*`, `fix/*`, `issue-*` | Sprint work - likely related to current sprint |
+| `main`, `master`, `development` | Production/standalone - not sprint-related |
+| Other | Unknown - ask user |
+
+**3. Determine sprint association:**
+
+```
+IF ACTIVE_SPRINT exists AND CURRENT_BRANCH matches sprint pattern (feat/*, fix/*, issue-*):
+  → SPRINT_CONTEXT = "detected"
+  → Ask user: "Active sprint detected: [SPRINT_NAME]. Is this bug related to sprint work?"
+    Options:
+    - Yes, add to sprint (will associate with milestone)
+    - No, standalone fix (no milestone)
+  → Store choice as ASSOCIATE_WITH_SPRINT (true/false)
+
+ELSE IF ACTIVE_SPRINT exists AND CURRENT_BRANCH is main/development:
+  → SPRINT_CONTEXT = "production"
+  → ASSOCIATE_WITH_SPRINT = false (standalone fix, no question needed)
+
+ELSE:
+  → SPRINT_CONTEXT = "none"
+  → ASSOCIATE_WITH_SPRINT = false
+```
+
 ### Step 2: Read Marketplace Configuration
 
 ```bash
@@ -105,7 +145,42 @@ Count failures and categorize errors:
 
 For each failure, write a hypothesis about the likely cause.
 
-### Step 5: Generate Issue Content
+### Step 5: Generate Smart Labels
+
+Generate appropriate labels based on the diagnostic results.
+
+**1. Build context string for label suggestion:**
+
+```
+LABEL_CONTEXT = "Bug fix: " + [summary of main failure] + ". " +
+                "Failed tools: " + [list of failed tool names] + ". " +
+                "Error category: " + [detected error category from Step 4]
+```
+
+**2. Get suggested labels:**
+
+```
+mcp__plugin_projman_gitea__suggest_labels(
+  repo=PROJECT_REPO,
+  context=LABEL_CONTEXT
+)
+```
+
+**3. Merge with base labels:**
+
+```
+BASE_LABELS = ["Type: Bug", "Source: Diagnostic", "Agent: Claude"]
+SUGGESTED_LABELS = [result from suggest_labels]
+
+# Combine, avoiding duplicates
+FINAL_LABELS = BASE_LABELS + [label for label in SUGGESTED_LABELS if label not in BASE_LABELS]
+```
+
+The final label set should include:
+- **Always**: `Type: Bug`, `Source: Diagnostic`, `Agent: Claude`
+- **If detected**: `Component: *`, `Complexity: *`, `Risk: *`, `Priority: *`
+
+### Step 6: Generate Issue Content
 
 Use this exact template:
 
@@ -182,22 +257,36 @@ Use this exact template:
 *Generated by /debug-report - Labels: Type: Bug, Source: Diagnostic, Agent: Claude*
 ```
 
-### Step 6: Create Issue in Marketplace
+### Step 7: Create Issue in Marketplace
 
 **First, check if MCP tools are available.** Attempt to use an MCP tool. If you receive "tool not found", "not in function list", or similar error, the MCP server is not accessible in this session - use the curl fallback.
 
 #### Option A: MCP Available (preferred)
 
+**If ASSOCIATE_WITH_SPRINT is true:**
+
 ```
 mcp__plugin_projman_gitea__create_issue(
   repo=MARKETPLACE_REPO,
   title="[Diagnostic] [summary of main failure]",
-  body=[generated content from Step 5],
-  labels=["Type: Bug", "Source: Diagnostic", "Agent: Claude"]
+  body=[generated content from Step 6],
+  labels=FINAL_LABELS,
+  milestone=ACTIVE_SPRINT.id
 )
 ```
 
-If labels don't exist, create issue without labels.
+**If ASSOCIATE_WITH_SPRINT is false (standalone fix):**
+
+```
+mcp__plugin_projman_gitea__create_issue(
+  repo=MARKETPLACE_REPO,
+  title="[Diagnostic] [summary of main failure]",
+  body=[generated content from Step 6],
+  labels=FINAL_LABELS
+)
+```
+
+If some labels don't exist, create issue with available labels only.
 
 #### Option B: MCP Unavailable - Use curl Fallback
 
@@ -274,7 +363,7 @@ To create the issue manually:
 2. Or create issue directly at: http://gitea.hotserv.cloud/[MARKETPLACE_REPO]/issues/new
 ```
 
-### Step 7: Report to User
+### Step 8: Report to User
 
 Display summary:
 

plugins/projman/commands/debug-review.md

@@ -195,6 +195,74 @@ Does this analysis match your understanding of the problem?
 
 Do NOT proceed until user approves.
 
+### Step 9.5: Search Lessons Learned
+
+Before proposing a fix, search for relevant lessons from past fixes.
+
+**1. Extract search tags from the issue:**
+
+```
+SEARCH_TAGS = []
+# Add tool names
+for each failed_tool in issue:
+  SEARCH_TAGS.append(tool_name)  # e.g., "get_labels", "validate_repo_org"
+
+# Add error category
+SEARCH_TAGS.append(error_category)  # e.g., "parameter-format", "authentication"
+
+# Add component if identifiable
+if error relates to MCP server:
+  SEARCH_TAGS.append("mcp")
+if error relates to command:
+  SEARCH_TAGS.append("command")
+```
+
+**2. Search lessons learned:**
+
+```
+mcp__plugin_projman_gitea__search_lessons(
+  repo=REPO_NAME,
+  tags=SEARCH_TAGS,
+  limit=5
+)
+```
+
+**3. Also search by error keywords:**
+
+```
+mcp__plugin_projman_gitea__search_lessons(
+  repo=REPO_NAME,
+  query=[key error message words],
+  limit=5
+)
+```
+
+**4. Display relevant lessons (if any):**
+
+```
+Related Lessons Learned
+=======================
+
+Found [N] relevant lessons from past fixes:
+
+📚 Lesson: "Sprint 14 - Parameter validation in MCP tools"
+   Tags: mcp, get_labels, parameter-format
+   Summary: Always validate repo parameter format before API calls
+   Prevention: Add format check at function entry
+
+📚 Lesson: "Sprint 12 - Graceful fallback for missing config"
+   Tags: configuration, fallback
+   Summary: Commands should work even without .env
+   Prevention: Check for env vars, use sensible defaults
+
+These lessons may inform your fix approach.
+```
+
+If no lessons found, display:
+```
+No related lessons found. This may be a new type of issue.
+```
+
 ### Step 10: Propose Fix Approach
 
 Based on the analysis, propose a specific fix:
@@ -342,7 +410,118 @@ Next Steps:
   1. Review and merge PR #81
   2. In test project, pull latest plugin version
   3. Run /debug-report to verify fix
-  4. If passing, close issue #80
+  4. Come back and run Step 15 to close issue and capture lesson
+```
+
+### Step 15: Verify, Close, and Capture Lesson
+
+**This step runs AFTER the user has verified the fix works.**
+
+When user returns and confirms the fix is working:
+
+**1. Close the issue:**
+
+```
+mcp__plugin_projman_gitea__update_issue(
+  repo=REPO_NAME,
+  issue_number=ISSUE_NUMBER,
+  state="closed"
+)
+```
+
+**2. Ask about lesson capture:**
+
+Use AskUserQuestion:
+
+```
+This fix addressed [ERROR_TYPE] in [COMPONENT].
+
+Would you like to capture this as a lesson learned?
+
+Options:
+- Yes, capture lesson (helps avoid similar issues in future)
+- No, skip (trivial fix or already documented)
+```
+
+**3. If user chooses Yes, auto-generate lesson content:**
+
+```
+LESSON_TITLE = "Sprint [N] - [Brief description of fix]"
+  # Example: "Sprint 17 - MCP parameter validation"
+
+LESSON_CONTENT = """
+## Context
+
+[What was happening when the issue occurred]
+- Command/tool being used: [FAILED_TOOL]
+- Error encountered: [ERROR_MESSAGE]
+
+## Problem
+
+[Root cause identified during investigation]
+
+## Solution
+
+[What was changed to fix it]
+- Files modified: [LIST]
+- PR: #[PR_NUMBER]
+
+## Prevention
+
+[How to avoid this in the future]
+
+## Related
+
+- Issue: #[ISSUE_NUMBER]
+- PR: #[PR_NUMBER]
+"""
+
+LESSON_TAGS = [
+  tool_name,        # e.g., "get_labels"
+  error_category,   # e.g., "parameter-format"
+  component,        # e.g., "mcp", "command"
+  "bug-fix"
+]
+```
+
+**4. Show lesson preview and ask for approval:**
+
+```
+Lesson Preview
+==============
+
+Title: [LESSON_TITLE]
+Tags: [LESSON_TAGS]
+
+Content:
+[LESSON_CONTENT]
+
+Save this lesson? (Y/N/Edit)
+```
+
+**5. If approved, create the lesson:**
+
+```
+mcp__plugin_projman_gitea__create_lesson(
+  repo=REPO_NAME,
+  title=LESSON_TITLE,
+  content=LESSON_CONTENT,
+  tags=LESSON_TAGS,
+  category="sprints"
+)
+```
+
+**6. Report completion:**
+
+```
+Issue Closed & Lesson Captured
+==============================
+
+Issue #[N]: CLOSED
+Lesson: "[LESSON_TITLE]" saved to wiki
+
+This lesson will be surfaced in future /debug-review
+sessions when similar errors are encountered.
 ```
 
 ## DO NOT
@@ -350,8 +529,9 @@ Next Steps:
 - **DO NOT** skip reading relevant files - this is MANDATORY
 - **DO NOT** proceed past approval gates without user confirmation
 - **DO NOT** guess at fixes without evidence from code
-- **DO NOT** close issues - let user verify fix works first
+- **DO NOT** close issues until user confirms fix works (Step 15)
 - **DO NOT** commit directly to development or main branches
+- **DO NOT** skip the lessons learned search - past fixes inform better solutions
 
 ## If Investigation Finds No Bug
 

plugins/projman/commands/labels-sync.md

@@ -62,12 +62,20 @@ Verify these required label categories exist:
 
 ### Step 6: Create Missing Labels (if any)
 
-For each missing required label, call:
+Use `create_label_smart` which automatically creates labels at the correct level:
+- **Organization level**: Type/*, Priority/*, Complexity/*, Effort/*, Risk/*, Source/*, Agent/*
+- **Repository level**: Component/*, Tech/*
 
 ```
-mcp__plugin_projman_gitea__create_label(repo=REPO_NAME, name="Type: Bug", color="d73a4a")
+mcp__plugin_projman_gitea__create_label_smart(repo=REPO_NAME, name="Type/Bug", color="d73a4a")
 ```
 
+This automatically detects whether to create at org or repo level based on the category.
+
+**Alternative (explicit control):**
+- Org labels: `create_org_label(org="org-name", name="Type/Bug", color="d73a4a")`
+- Repo labels: `create_label(repo=REPO_NAME, name="Component/Backend", color="5319e7")`
+
 Use the label format that matches existing labels in the repo (slash `/` or colon-space `: `).
 
 ### Step 7: Report Results

plugins/projman/hooks/hooks.json

@@ -2,8 +2,8 @@
   "hooks": {
     "SessionStart": [
       {
-        "type": "prompt",
-        "prompt": "[projman] Perform silent startup checks:\n\n1. Check if MCP venvs exist at the installed marketplace location. If the marketplace is installed but venvs are missing, warn the user: '[projman] MCP venvs missing - run setup.sh from installed marketplace location'.\n\n2. Check if the project git remote matches .env configuration (GITEA_ORG/GITEA_REPO). If mismatch, warn: '[projman] Git remote mismatch - run /project-sync'.\n\nStay silent if all checks pass or not applicable. Be quick and non-blocking."
+        "type": "command",
+        "command": "${CLAUDE_PLUGIN_ROOT}/hooks/startup-check.sh"
       }
     ]
   }

plugins/projman/hooks/startup-check.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# projman startup check hook
+# Checks for common issues at session start
+# All output MUST have [projman] prefix
+
+PREFIX="[projman]"
+
+# Check if MCP venv exists
+PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(dirname "$(dirname "$(realpath "$0")")")}"
+VENV_PATH="$PLUGIN_ROOT/mcp-servers/gitea/.venv/bin/python"
+
+if [[ ! -f "$VENV_PATH" ]]; then
+    echo "$PREFIX MCP venvs missing - run setup.sh from installed marketplace"
+    exit 0
+fi
+
+# Check git remote vs .env config (only if .env exists)
+if [[ -f ".env" ]]; then
+    CONFIGURED_REPO=$(grep -E "^GITEA_REPO=" .env 2>/dev/null | cut -d'=' -f2 | tr -d '"' || true)
+    if [[ -n "$CONFIGURED_REPO" ]]; then
+        CURRENT_REMOTE=$(git remote get-url origin 2>/dev/null | sed 's/.*[:/]\([^/]*\/[^.]*\).*/\1/' || true)
+        if [[ -n "$CURRENT_REMOTE" && "$CONFIGURED_REPO" != "$CURRENT_REMOTE" ]]; then
+            echo "$PREFIX Git remote mismatch - run /project-sync"
+            exit 0
+        fi
+    fi
+fi
+
+# All checks passed - say nothing
+exit 0