merge: main into feat-1.17.0-inline-db-mutation-hook (bump to 1.23.0)

Absorbs PR #28 (1.21.0 atomic-design ownership hooks),
PR #32 (1.22.0 DOJ-4571 cross-cutting hooks), and
PR #29 (gemini-review multi-model). Bumps this PR's version
label from 1.20.0 → 1.23.0 to land on top of the new main.

Conflict resolution: version-only on package.json, plugin.json,
marketplace.json, README.md. CHANGELOG.md: renamed [1.20.0] entry
to [1.23.0] (in-place), kept [1.22.0] and [1.21.0] from main intact,
updated parallel-version-coordination note.

Tests: 320 / 320 passing (297 manifest + 23 cross-cutting).

Created by Claude Code on behalf of @lapc506

Author: lapc506

.claude-plugin/marketplace.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://anthropic.com/claude-code/marketplace.schema.json",
   "name": "make-no-mistakes",
-  "version": "1.20.0",
+  "version": "1.23.0",
   "description": "The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, manage sessions, and stash secrets via OS-native prompts. One plugin to make no mistakes.",
   "owner": {
     "name": "Luis Andres Pena Castillo",
@@ -11,7 +11,7 @@
     {
       "name": "make-no-mistakes",
       "description": "Dev lifecycle orchestrator: disciplined Linear issue execution with worktree isolation, PR review with Greptile gating, team release sync, E2E test generation and execution, test suite previewer, security pentesting, MoSCoW + RICE prioritization, cross-platform secret stash via OS-native GUI prompts (zenity / kdialog / osascript / Get-Credential), and session management. 18 commands, 6 auto-activating skills, 2 specialized agents.",
-      "version": "1.20.0",
+      "version": "1.23.0",
       "author": {
         "name": "Luis Andres Pena Castillo",
         "email": "lapc506@users.noreply.github.com"

.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "make-no-mistakes",
-  "version": "1.20.0",
+  "version": "1.23.0",
   "description": "The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, manage sessions, stash secrets, and enforce manifest-driven tool-call hooks. One plugin to make no mistakes.",
   "author": {
     "name": "Luis Andres Pena Castillo",

CHANGELOG.md

@@ -18,7 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [1.20.0] - 2026-05-29
+## [1.23.0] - 2026-05-29
 
 ### Added
 - **Six new `inline-db-mutation-*` rules extending the scripts-not-DB
@@ -104,7 +104,145 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   Moodle-flavoured `ssh-db-mutation` rule; this release simply expands
   the enforcement surface).
 - **Parallel-version coordination:** originally claimed `1.17.0`; bumped
-  to `1.20.0` after rebasing onto main (which had absorbed 1.17.0–1.19.0).
+  to `1.20.0` after rebasing onto main (which had absorbed 1.17.0–1.19.0),
+  then to `1.23.0` after PR #28 (1.21.0), #32 (1.22.0), and #29 merged
+  during the rebase window. Used `git merge origin/main --no-edit` per
+  policy memory `reference_use_merge_not_rebase_after_team_releases.md`
+  (preserves original commit history and avoids re-pushing a rewritten
+  branch onto the reviewer's diff).
+
+## [1.22.0] - 2026-05-29
+
+### Added
+
+- **Cure 4b cross-cutting PreToolUse hooks (DOJ-4571).** Three generalized
+  hooks distributed via the toolkit so every consumer repo inherits
+  cross-cutting defenses, parametrized via a per-repo opt-in config file at
+  `.claude/config/cross-cutting-hooks.json`. File absence → all three hooks
+  no-op (full backward compatibility). Hooks live in
+  `hooks/cross-cutting/` alongside the existing manifest-driven rules:
+
+  - `pre-write-no-cleartext-secret-in-config.sh` — blocks Write/Edit/
+    MultiEdit of JSON/YAML/TOML/env config files that introduce
+    `${...KEY|SECRET|TOKEN|PASSWORD|...}` placeholders without the
+    cure-shape `_FILE` / `_PATH` suffix. Generalized from DOJ-4554's
+    openclaw.json-specific version (PR #266 in
+    `dojo-agent-openclaw-plugin`).
+  - `pre-write-cross-repo-schema-ownership.sh` — blocks new SQL
+    migrations for tables not owned by this repo, per a config-driven
+    `owned_tables` allowlist + `migration_paths` glob. Empty allowlist
+    blocks every migration in the configured paths (the gateway pattern,
+    where the repo has no migration pipeline). Generalized from
+    DOJ-4554's `pre-write-plugin-side-migration.sh`.
+  - `pre-write-version-bump-discipline.sh` — blocks multi-step version
+    bumps on any pinned dependency by delegating to a per-repo validator
+    script. Each entry in the `version_bumps` array names a file
+    pattern, version-extraction regex, and validator script. Old version
+    is read from the git HEAD blob; new version from the proposed
+    content; both via bash native `=~` matching (avoids sed-delimiter
+    clashes with regexes containing `/`).
+
+- **Per-surface `defer_to_local_hook` flag (belt-and-braces).** Repos
+  that already have a tighter Cure 4a hook for one of these surfaces
+  (currently only `dojo-agent-openclaw-plugin`) set
+  `defer_to_local_hook: true` on the matching config block. The 4b hook
+  emits an info-stderr and fail-opens; the 4a hook owns enforcement.
+  Lets the config block stay live (visible, documented, ready for the
+  day 4a is retired) without firing the looser 4b version.
+
+- **Schema:** `schemas/cross-cutting-hooks.schema.json` (JSON Schema for
+  editor autocomplete + CI validation).
+
+- **Bypass markers:** three comment leaders accepted (`#`, `//`, `--`)
+  so the marker fits whichever syntax the target file uses. Trailing
+  terminator class extended to include backslash so JSON-serialized
+  embedded newlines (`marker\n...`) don't break detection.
+
+- **Tests:** `hooks/cross-cutting/tests/test-cross-cutting.sh` — 23
+  hermetic fixtures (≥7 per hook) spinning up isolated git repos per
+  case; wired into `npm run test-hooks` after the manifest-rules block.
+  Total runner now reports 248/248 passing.
+
+- **Docs:** `hooks/cross-cutting/README.md` — opt-in walkthrough,
+  surface semantics, bypass markers, belt-and-braces with local 4a
+  hooks, three-layer rollback (per-surface disable /
+  `CLAUDE_DISABLE_PLUGIN_HOOKS` / plugin pin), fail-open invariants.
+
+### Changed
+
+- `hooks/hooks.json` description updated to surface the new
+  `hooks/cross-cutting/` directory alongside `hooks/rules/` and
+  `hooks/atomic/`.
+- `hooks/hooks.json` PreToolUse `Write|Edit|MultiEdit|NotebookEdit`
+  block now registers the 3 cross-cutting scripts AFTER `pre-edit.sh`
+  and alongside `hooks/atomic/pre-atomic.sh` (manifest-driven rules run
+  first; atomic-design and cross-cutting hooks layer on as siblings).
+- `package.json` `files[]` adds `schemas/` and `references/` so the
+  JSON Schemas and example configs ship in the npm package (also
+  benefits `schemas/atomic-design-rules.schema.json` and
+  `references/atomic-design-rules.example.json` from 1.21.0).
+
+### Notes
+
+- Originally targeted `1.20.0` (per the parallel-version note in 1.21.0);
+  PR #28 landed first as 1.21.0, so this rebases onto 1.22.0 to preserve
+  monotonic ordering. No semantic content change vs. the originally
+  proposed 1.20.0.
+- Two review fixes from PR #32 (dojo-code-reviewer): replaced GNU-only
+  `sed ... //I` with explicit bracket-class spelling (BSD sed
+  compatibility on macOS); switched HIGH_IMPACT_RE / CURE_RE from
+  quad-backslash escaping to single-quote-plus-interpolation convention.
+- Consumer-repo opt-in (config files in `dojo-os` and
+  `dojo-agent-openclaw-plugin`) lands in sibling PRs after `1.22.0`
+  publishes. Per DOJ-4571 belt-and-braces decision,
+  `dojo-agent-openclaw-plugin` keeps its existing 4a hooks AND opts in
+  with `defer_to_local_hook: true` on all three surfaces; `dojo-os`
+  opts in with the 4b hooks owning enforcement.
+- Refs: DOJ-4571 (this work), DOJ-4554 (Cure 4a foundation), DOJ-4064
+  (4-cure thesis), DOJ-4524 (the persistence-freeze incident the
+  schema-ownership hook prevents), DOJ-4208 (the cleartext-key incident
+  the cleartext-secret hook prevents), DOJ-4061 (the gateway-version-bump
+  chain the version-bump hook prevents).
+
+## [1.21.0] - 2026-05-29
+
+### Added
+- **Recovered atomic-design ownership-drift hooks** — the code listed in the
+  1.14.0 entry was never actually shipped (changelog entry existed without
+  corresponding source). This release lands the real implementation:
+  - `hooks/atomic/pre-atomic.sh` — PreToolUse enforcement for atomic-design
+    pillar ownership: blocks writes to junk-drawer folders, enforces
+    canonical folder names (singular/plural), detects cross-pillar imports
+    that bypass declared `shared_pillars`, and warns when an atom file
+    contains state/effect/query hooks (Brad Frost stateless-atom rule).
+  - `hooks/atomic/post-atomic-drift.sh` — PostToolUse drift telemetry scoped
+    to the pillar of the file just written: organism count cap, root-flat
+    cap, and duplicate-basename detection across pillars.
+  - `schemas/atomic-design-rules.schema.json` — JSON Schema for the
+    per-repo `.atomic-design-rules.json` config (pillars, canonical_folders,
+    junk_drawers, drift_thresholds, exempt_markers).
+  - `references/atomic-design-rules.example.json` — starter config that
+    reflects the post-DOJ-3946 canonical pillar taxonomy (2026-05-14 audit
+    outcome: 9 pillars, `course/` and `courses/` absorbed into `pathways`).
+  - `commands/atomic-rules-init.md` — `/atomic-rules-init` slash command for
+    bootstrapping atomic-design rules in a target repo.
+  - `hooks/atomic/README.md` — operator documentation for both hooks.
+  - Wired into `hooks/hooks.json` so consumers get enforcement on plugin
+    install with no additional setup beyond placing a config at the repo
+    root.
+- New section in `skills/spec-recommend/SKILL.md` + anti-examples block
+  documenting the recovered atomic-design lineage.
+
+### Notes
+- Pillar taxonomy in `references/atomic-design-rules.example.json` matches
+  the canonical 9-pillar list established by the DOJ-3946 council in the
+  2026-05-14 audit (pathways, launchpad, community, projects, marketplace,
+  hackathons, events, agent, dojo-score, plus platform as the shared pillar).
+  The example only enumerates a subset; consumers configure their own list.
+- **Parallel-version coordination:** version `1.20.0` was originally
+  reserved for the DOJ-4571 Cure 4b cross-repo hooks PR. PR #28
+  (this release) landed first as `1.21.0`; DOJ-4571 followed as
+  `1.22.0` to preserve monotonic ordering. See `[1.22.0]` above.
 
 ## [1.19.0] - 2026-05-26
 
@@ -278,6 +416,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [1.14.0] - 2026-05-14
 
+> **Note:** The source files described in this entry were never actually
+> committed in 1.14.0 — only the version bump and keyword changes landed.
+> The implementation was recovered and shipped in **1.21.0** (see entry
+> above). Treat this entry as the intent record; treat 1.21.0 as the
+> shipped record.
+
 ### Added
 - Atomic-design enforcement hooks: `hooks/atomic/pre-atomic.sh`,
   `hooks/atomic/post-atomic-drift.sh` — per-repo PreToolUse + PostToolUse
@@ -455,7 +599,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Product Owner Extension (SPOPC) roadmap section in README
   ([PR #4](https://github.com/DojoCodingLabs/make-no-mistakes-toolkit/pull/4)).
 
-[Unreleased]: https://github.com/DojoCodingLabs/make-no-mistakes-toolkit/compare/v1.14.0...HEAD
+[Unreleased]: https://github.com/DojoCodingLabs/make-no-mistakes-toolkit/compare/v1.21.0...HEAD
+[1.21.0]: https://github.com/DojoCodingLabs/make-no-mistakes-toolkit/releases/tag/v1.21.0
 [1.14.0]: https://github.com/DojoCodingLabs/make-no-mistakes-toolkit/releases/tag/v1.14.0
 [1.12.0]: https://github.com/DojoCodingLabs/make-no-mistakes-toolkit/releases/tag/v1.12.0
 [1.11.0]: https://github.com/DojoCodingLabs/make-no-mistakes-toolkit/releases/tag/v1.11.0

README.md

@@ -1,6 +1,6 @@
 # make-no-mistakes
 
-**Version: 1.20.0** · [CHANGELOG](./CHANGELOG.md) · [Marketplace](https://github.com/DojoCodingLabs/make-no-mistakes-toolkit)
+**Version: 1.23.0** · [CHANGELOG](./CHANGELOG.md) · [Marketplace](https://github.com/DojoCodingLabs/make-no-mistakes-toolkit)
 
 The disciplined dev lifecycle — implement issues, review PRs, sync releases, test E2E, and manage sessions. One plugin to make no mistakes.
 

commands/atomic-rules-init.md

@@ -0,0 +1,165 @@
+---
+description: Scaffold a .atomic-design-rules.json at the current repo root so the make-no-mistakes atomic-design hooks (PreToolUse ownership enforcement + PostToolUse drift telemetry) start enforcing for this repo. No-op if the file already exists.
+priority: 60
+---
+
+# Atomic Rules Init
+
+Bootstrap atomic-design ownership enforcement for the current repo by writing
+a `.atomic-design-rules.json` at the repo root. The make-no-mistakes plugin
+hooks (`hooks/atomic/pre-atomic.sh` and `hooks/atomic/post-atomic-drift.sh`)
+read this file at every Edit/Write/MultiEdit/NotebookEdit call. If the file
+is absent, the hooks are a no-op — installing the plugin is always safe.
+
+This command produces a STARTER config based on what it can infer from the
+current repo. You will refine it before committing.
+
+---
+
+## Step 1: Sanity-check the repo
+
+Run these commands in parallel:
+
+```bash
+# Find repo root
+git rev-parse --show-toplevel
+
+# Detect the components root by checking the two most common conventions
+ls -d src/components 2>/dev/null || ls -d components 2>/dev/null || echo "no components root found"
+
+# Check if a config already exists
+test -f .atomic-design-rules.json && echo "EXISTS" || echo "MISSING"
+```
+
+If the config already exists, STOP and tell the user. Do not overwrite.
+
+If no components root is found, ask the user to clarify before proceeding.
+
+---
+
+## Step 2: Detect candidate pillars
+
+Run:
+
+```bash
+# Each first-level subfolder under the components root is a pillar candidate
+ls -d $COMPONENTS_ROOT/*/ 2>/dev/null | xargs -n1 basename
+```
+
+For each candidate, ask the user:
+- Slug (kebab-case; default = folder name)
+- Owner (Slack handle or Linear team; required so violation messages name a reviewer)
+- Whether this is a SHARED pillar (importable by any other pillar)
+- Optional `max_organisms` override
+
+Stop after the user has confirmed at least one pillar. The starter config
+can list as few as one pillar; more can be added later.
+
+---
+
+## Step 3: Detect junk drawers (heuristic)
+
+Run:
+
+```bash
+# Folders directly under components root that have > 5 loose files and
+# no atomic subfolders are likely junk drawers.
+for d in $COMPONENTS_ROOT/*/; do
+  loose=$(find "$d" -maxdepth 1 -type f \( -name '*.tsx' -o -name '*.ts' \) 2>/dev/null | wc -l)
+  has_atomic=$(ls -d "$d"{atoms,molecules,organisms,templates} 2>/dev/null | wc -l)
+  if [ "$loose" -gt 5 ] && [ "$has_atomic" -eq 0 ]; then
+    echo "candidate junk drawer: $d (loose=$loose)"
+  fi
+done
+```
+
+Surface candidates to the user and ask which to mark as junk drawers.
+
+---
+
+## Step 4: Detect plural/singular drift
+
+Run:
+
+```bash
+# Pairs of folders that differ only by a trailing 's' are drift candidates.
+ls -d $COMPONENTS_ROOT/*/ | xargs -n1 basename | sort -u > /tmp/pillar-list
+for name in $(cat /tmp/pillar-list); do
+  plural="${name}s"
+  if grep -qx "$plural" /tmp/pillar-list; then
+    echo "drift pair: $name <-> $plural"
+  fi
+done
+```
+
+For each pair, ask the user which form is canonical, then add a
+`canonical_folders` entry.
+
+---
+
+## Step 5: Write the config
+
+Compose the JSON using the schema at:
+`make-no-mistakes-toolkit/schemas/atomic-design-rules.schema.json`
+
+Reference example:
+`make-no-mistakes-toolkit/references/atomic-design-rules.example.json`
+
+Minimum viable starter (replace placeholders with what you gathered above):
+
+```json
+{
+  "$schema": "https://raw.githubusercontent.com/DojoCodingLabs/make-no-mistakes-toolkit/main/schemas/atomic-design-rules.schema.json",
+  "version": 1,
+  "components_root": "src/components",
+  "pillars": [
+    { "slug": "platform", "folder": "platform", "owner": "@platform-team" }
+  ],
+  "shared_pillars": ["platform"],
+  "atomic_levels": {
+    "atoms": {
+      "folder": "atoms",
+      "forbid_content_patterns": [
+        "use(State|Reducer|Effect|LayoutEffect|Query|Mutation|InfiniteQuery)\\b",
+        "useContext\\b"
+      ],
+      "forbid_message": "Atoms must be stateless. Move state to a molecule or organism."
+    }
+  },
+  "drift_thresholds": {
+    "max_organisms_per_pillar": 100,
+    "max_root_files_per_pillar": 5,
+    "public_prefix_stale_days": 30
+  }
+}
+```
+
+Write it via the standard Write tool. Then print:
+
+> Created .atomic-design-rules.json. The atomic-design hooks will now
+> enforce on every Edit/Write/MultiEdit/NotebookEdit. To bypass for a
+> single file, add `// @atomic-exempt: <reason>` to its content.
+> Kill switch: `CLAUDE_DISABLE_PLUGIN_HOOKS=1`.
+
+---
+
+## Step 6: Quick verification
+
+Suggest the user run a known-violating Edit so they can see the hook fire:
+
+> Try editing a file in a junk drawer or under `*/atoms/*` with a
+> `useState` import. The hook should block the write and explain why.
+
+Do NOT actually perform the edit. The user owns that test.
+
+---
+
+## Boundaries
+
+- This command writes ONE file. Do not modify CLAUDE.md, AGENTS.md, or any
+  other repo file. Pillar enforcement starts from the JSON alone.
+- Do NOT commit. Show the user the diff via `git status`/`git diff` and
+  let them decide.
+- If the user asks for a more sophisticated setup (e.g. importing
+  pillars from a Linear team mapping), defer to a manual PR — this
+  command intentionally produces a clean starter.