feat: v3.5.0 — sync from Claude Code v2.1.120→v2.1.128 + agent memory checklist

Six practices incorporated. Three security-monitoring entries created.

New domain rule:
- domain/plugin-distribution.md — covers ${CLAUDE_PLUGIN_DATA} persistent state
  (v2.1.126), CLAUDE_CODE_PLUGIN_SEED_DIR multi-dir layered overlays (base +
  corporate + personal), managed marketplace governance (strictKnownMarketplaces,
  blockedMarketplaces, allowManagedPermissionRulesOnly, pluginTrustMessage),
  reserved server names (workspace v2.1.128), lifecycle hygiene (claude plugin
  prune, --plugin-dir .zip)
- dotforge metrics.yml/inbox migration to ${CLAUDE_PLUGIN_DATA} documented as
  candidate but explicitly out of scope this release

Skill/docs/agent updates:
- skills/reset-project/SKILL.md: new Step 5b suggesting `claude project purge`
  post-reset (v2.1.126+) to drop orphaned transcripts/manifests; verifies CLI
  availability before suggesting, never runs automatically
- docs/usage-guide.md: new "Layered distribution (multi-seed)" subsection +
  PR review tip (/resume accepts PR URLs, v2.1.122+)
- docs/security-checklist.md: new "--dangerously-skip-permissions tradeoffs
  (v2.1.121+)" subsection — flag now bypasses prompts for .claude/{skills,
  agents,commands} writes; explicit warning against pairing with unverified
  prompt sources (injection vector to template files)
- agents/{architect,code-reviewer,implementer,security-auditor}.md: appended
  Memory persistence section with concrete checklist on when to write to
  agent-memory. Targets agent-memory-underused finding from /forge insights
  2026-04-21 (≤2 entries per agent across 5 months)

Inbox processing:
- 6 accept → active/ incorporated_in ['3.5.0']
- 1 reject: tradingbot-session-changes (auto-stub)
- inbox now empty

metrics.yml: 4 monitoring (plugin-data-variable, claude-project-purge,
skip-permissions-claude-paths, agent-memory-underused), 2 not-applicable.

Verified against CC v2.1.128. Watch-upstream pass surfaced additional v2.1.120-
128 deltas (PostToolUse.updatedToolOutput for all tools, Setup hook event,
alwaysLoad MCP, claude ultrareview, ${CLAUDE_EFFORT}, missing settings fields)
captured separately for next cycle.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: luiseiman

.claude/rules/domain/plugin-distribution.md

@@ -0,0 +1,52 @@
+---
+globs: "**/.claude-plugin/**,**/plugin.json,**/install.sh,**/.mcp.json"
+description: "Plugin distribution: persistent state, seed dirs, marketplace policy, reserved names"
+domain: claude-code-engineering
+last_verified: 2026-05-05
+---
+
+# Plugin Distribution
+
+## Persistent state — `${CLAUDE_PLUGIN_DATA}` (v2.1.126+)
+
+- Plugin-scoped directory for state that must survive plugin updates/reinstalls
+- Available in hooks, skills, commands as the env var `${CLAUDE_PLUGIN_DATA}`
+- Use for: accumulated metrics, last-processed IDs, capture inboxes, manifests of managed projects
+- NEVER store secrets here — sandbox env-scrub does NOT cover plugin data dirs
+- Distinct from `${CLAUDE_PLUGIN_ROOT}` (read-only plugin install dir)
+
+For dotforge specifically: candidates to migrate are `practices/metrics.yml` (counters), `.forge/manifest.json` (registry), and post-session captures that currently land in `practices/inbox/` (which dirties git status). Migration is a multi-commit project — pilot one (e.g. `inbox/`) before others.
+
+## Multi-seed distribution — `CLAUDE_CODE_PLUGIN_SEED_DIR`
+
+- Accepts multiple directories separated by platform delimiter (`:` Unix, `;` Windows)
+- Layered overlay pattern: `seed1` (base) `:` `seed2` (corporate) `:` `seed3` (personal)
+- Use for: enterprise overlays on top of public template, personal preferences on top of team config
+- Later seeds override earlier ones for files with the same path
+
+## Marketplace governance (managed settings)
+
+- `strictKnownMarketplaces` — allowlist of marketplace sources (exact match, supports github/git/url/npm/file/directory/hostPattern)
+- `blockedMarketplaces` — denylist
+- `allowedChannelPlugins` — restricts which plugins can listen on `--channels`
+- `allowManagedPermissionRulesOnly` — locks projects to managed-only permission rules
+- `pluginTrustMessage` — custom warning shown on plugin trust prompts
+
+## Reserved names
+
+- `workspace` — reserved as MCP server name since v2.1.128. Plugins/projects using this name skipped with warning at startup. Audit `.mcp.json` and `mcp/` configs in dotforge stacks before declaring server names.
+
+## Lifecycle hygiene
+
+- `claude plugin prune` (v2.1.121+) — removes orphaned auto-installed dependencies
+- `plugin uninstall --prune` — cascades dependency cleanup
+- `--plugin-dir` accepts `.zip` archives (v2.1.128+) — alternative distribution path
+
+## When to plugin vs `.claude/`
+
+| Need | Use |
+|------|-----|
+| One-project customization, quick experiment | `.claude/` standalone |
+| Shared with team, versioned, namespaced skills | Plugin |
+| Enterprise governance (marketplace allowlist) | Plugin via managed settings |
+| State that must survive updates | Plugin + `${CLAUDE_PLUGIN_DATA}` |

VERSION

@@ -1 +1 @@
-3.4.1
+3.5.0

agents/architect.md

@@ -63,3 +63,12 @@ Only record decisions with lasting impact. Skip trivial or one-off choices.
 - Never propose a technology switch without cost/effort analysis
 - Keep total output under 5K tokens — summarize, don't dump raw analysis
 - If the caller needs follow-up, they will use SendMessage — do not start a new context
+
+## Memory persistence
+
+Before returning, ask yourself: *Did I discover a non-obvious pattern, a recurring tradeoff in this codebase, or a constraint a future architect would benefit from knowing?* If yes, append a dated entry to `.claude/agent-memory/architect.md` with:
+- One-line title
+- Key recurring/false-positive findings (use `**Recurring:**` or `**False positive:**` prefix)
+- A short note on context (which subsystem, why it matters)
+
+Skip persistence for: routine validations, single-use answers, work the caller already understood.

agents/code-reviewer.md

@@ -82,3 +82,12 @@ Do NOT report:
 - Run `git diff` or `git diff --staged` to see actual changes when available
 - Keep total output under 5K tokens — summarize, don't dump raw diffs
 - If the caller needs follow-up, they will use SendMessage — do not start a new context
+
+## Memory persistence
+
+Before returning, ask yourself: *Did I find a recurring issue (same bug class twice), a false-positive pattern in my own heuristics, or an idiom this codebase uses that a future review should respect?* If yes, append a dated entry to `.claude/agent-memory/code-reviewer.md` with:
+- One-line title
+- Bullets prefixed with `**Recurring:**` or `**False positive:**` (matches existing entries in this project)
+- The why — one sentence on what makes it a pattern, not a one-off
+
+Skip persistence for: clean reviews, project-specific style nits without broader implication.

agents/implementer.md

@@ -71,3 +71,12 @@ Always conclude with:
 - Use project conventions (check CLAUDE.md for stack preferences)
 - Keep total output under 5K tokens — summarize changes, don't echo full files
 - If the caller needs follow-up, they will use SendMessage — do not start a new context
+
+## Memory persistence
+
+Before returning, ask yourself: *Did I hit a non-obvious build/test gotcha, an environment quirk, or a workaround that future implementers would re-discover?* If yes, append a dated entry to `.claude/agent-memory/implementer.md` with:
+- One-line title (the symptom)
+- Cause and fix in 2-3 lines
+- Optional: link to commit or file:line that documents the fix
+
+Skip persistence for: standard implementation tasks where the spec was clear and execution routine.

agents/security-auditor.md

@@ -116,3 +116,12 @@ For each pattern, know the safe alternative:
 - Max 20 findings — prioritize by actual exploitability, not theoretical risk
 - Keep total output under 5K tokens — summarize findings, don't dump raw grep output
 - If the caller needs follow-up, they will use SendMessage — do not start a new context
+
+## Memory persistence
+
+Before returning, ask yourself: *Did I find a recurring vulnerability class in this codebase, a false-positive my own heuristics flag often here, or a custom security idiom (e.g., a project-specific token rotation pattern) worth respecting?* If yes, append a dated entry to `.claude/agent-memory/security-auditor.md` with:
+- One-line title
+- Severity context (which vector, what blocks exploit)
+- Bullets prefixed with `**Recurring:**` or `**False positive:**`
+
+Skip persistence for: clean audits, individual high-severity findings already filed in CLAUDE_ERRORS.md.

docs/changelog.md

@@ -4,6 +4,35 @@
 >
 > Historial de versiones. Las entradas usan español/inglés mixto según la evolución del proyecto. Los términos técnicos son universales.
 
+## v3.5.0 (2026-05-05)
+
+### Sync from Claude Code v2.1.120 → v2.1.128 + agent memory checklist
+
+Six practices incorporated. Three security-relevant (`monitoring`), one auto-stub rejected.
+
+#### New domain rule
+
+- **`.claude/rules/domain/plugin-distribution.md`** — covers `${CLAUDE_PLUGIN_DATA}` (v2.1.126+ persistent state for plugins surviving updates), `CLAUDE_CODE_PLUGIN_SEED_DIR` multi-dir layered overlays (base + corporate + personal), managed marketplace governance (`strictKnownMarketplaces`, `blockedMarketplaces`, `allowManagedPermissionRulesOnly`, `pluginTrustMessage`), reserved server names (`workspace` since v2.1.128), and lifecycle hygiene (`claude plugin prune`, `--plugin-dir .zip`).
+- Migration of dotforge's `practices/metrics.yml` and `inbox/` to `${CLAUDE_PLUGIN_DATA}` is documented as a candidate but explicitly out of scope this release (multi-commit work).
+
+#### Skill / docs / agent updates
+
+- `skills/reset-project/SKILL.md` — new Step 5b suggesting `claude project purge $PWD` post-reset (v2.1.126+) to drop orphaned transcripts, task lists, and `~/.claude.json` entry. Verifies CLI availability before suggesting; never runs automatically.
+- `docs/usage-guide.md` — new "Layered distribution (multi-seed)" subsection covering `CLAUDE_CODE_PLUGIN_SEED_DIR` overlay pattern; new "PR review flow tip" noting `/resume` accepts pasted PR URLs (v2.1.122+, GitHub/Enterprise/GitLab/Bitbucket).
+- `docs/security-checklist.md` — new "`--dangerously-skip-permissions` tradeoffs (v2.1.121+)" subsection documenting that the flag now bypasses prompts for `.claude/skills,agents,commands` writes, with explicit warning against pairing with prompts that include unverified content (injection vector that can now write to template files unprompted).
+- `agents/{architect,code-reviewer,implementer,security-auditor}.md` — appended a "Memory persistence" section to each agent prompt with concrete checklist on when (and when not) to write to `.claude/agent-memory/<agent>.md`. Targets the `agent-memory-underused` finding from `/forge insights` 2026-04-21 (≤2 entries per agent across 5 months).
+
+#### Practices
+
+- 6 practices moved `inbox/ → active/`, frontmatter `incorporated_in: ['3.5.0']`.
+- 1 rejected (`tradingbot-session-changes` — auto-stub, summary-only).
+- Inbox: 0 pending.
+- `metrics.yml`: 4 new `monitoring` entries (plugin-data-variable, claude-project-purge, skip-permissions-claude-paths, agent-memory-underused), 2 `not-applicable`.
+
+#### Verified against
+
+- Claude Code v2.1.128 (latest as of 2026-05-04). Watch-upstream pass surfaced additional v2.1.120-128 deltas captured for next cycle (PostToolUse.updatedToolOutput for all tools, Setup hook event, alwaysLoad MCP option, claude ultrareview, ${CLAUDE_EFFORT} placeholder, missing settings fields).
+
 ## v3.4.1 (2026-04-27)
 
 ### New rule — `stacks/trading/rules/backtesting-adr-gate.md`

docs/security-checklist.md

@@ -68,6 +68,15 @@ Claude Code supports 6 permission modes that control when operations require con
 - [ ] Document which permissions are stripped in auto-mode for team awareness
 - [ ] Test critical workflows with auto-mode enabled to verify they still work
 
+### `--dangerously-skip-permissions` tradeoffs (v2.1.121+)
+
+Since v2.1.121/126, this flag bypasses prompts for writes to `.claude/skills/`, `.claude/agents/`, `.claude/commands/`, `.claude/`, `.git/`, `.vscode/`, and shell config files. Catastrophic removals still prompt as a safety net.
+
+- [ ] Use ONLY in trusted automation (CI/CD with vetted prompts, scripted bootstrap)
+- [ ] NEVER pair with prompts that include unverified content (issues, web fetches, untrusted documents) — those become injection vectors that can now write to template files unprompted
+- [ ] In CI, prefer specific allow rules over `--dangerously-skip-permissions` whenever the operation set is bounded
+- [ ] Audit the prompt source before invoking with this flag — anything that lands in `.claude/` shapes the next session's behavior
+
 ---
 
 # Checklist de Seguridad — Pre-deploy

docs/usage-guide.md

@@ -63,6 +63,18 @@ cd ~/Documents/GitHub/dotforge   # or wherever you cloned dotforge
 
 **Cross-platform:** Linux, macOS, WSL, Git Bash. Uses copies as fallback if symlinks are not supported.
 
+### Layered distribution (multi-seed)
+
+Claude Code's `CLAUDE_CODE_PLUGIN_SEED_DIR` accepts multiple directories separated by `:` (Unix) / `;` (Windows). Layer base + corporate + personal overlays:
+
+```bash
+# base = public dotforge | corporate = chaco-digital private overlay | personal = luiseiman tweaks
+export CLAUDE_CODE_PLUGIN_SEED_DIR="$HOME/.dotforge:$HOME/work/cd-overlay:$HOME/.dotforge-personal"
+claude
+```
+
+Later seeds override earlier seeds for files with the same path. Use this for enterprise deployments where a public template + private overlay must coexist without forks.
+
 ### Skill Execution Context
 
 Heavy skills (>150 lines, ~5K+ tokens) use `context: fork` in their frontmatter. This executes the skill in an isolated subagent, preventing it from consuming the main conversation's context window. Skills with `context: fork`: plugin-generator, bootstrap-project, init-project, domain-extract, audit-project.
@@ -226,6 +238,15 @@ Automatic alerts:
 - Score that drops >1.5 points
 - Projects with an old version of dotforge
 
+### PR review flow tip (v2.1.122+)
+
+Pasting a PR URL into the `/resume` search box finds the session that originally created the PR — works for GitHub, GitHub Enterprise, GitLab, Bitbucket. Useful for picking up review feedback without remembering session names.
+
+```
+/resume
+# then paste: https://github.com/luiseiman/repo/pull/123
+```
+
 ### Session analysis
 
 ```

…box/2026-04-21-agent-memory-underused.md …ive/2026-04-21-agent-memory-underused.mdpractices/inbox/2026-04-21-agent-memory-underused.md renamed to practices/active/2026-04-21-agent-memory-underused.md practices/inbox/2026-04-21-agent-memory-underused.md renamed to practices/active/2026-04-21-agent-memory-underused.md

@@ -1,11 +1,11 @@
 ---
 id: agent-memory-underused
 source: session-insights
-status: inbox
+status: active
 captured: 2026-04-21
 tags: [insights, agents, agent-memory, low-priority, needs-more-info]
 tested_in: [dotforge]
-incorporated_in: []
+incorporated_in: ['3.5.0']
 ---
 
 # Agent memory is underused — 1–2 entries per agent across ~5 months