Classify, gate, and review changes. Use when landing a PR, releasing, or amending rules. Do not use for failure triage; use night-market-debugging-playbook.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Classify, gate, and review changes. Use when landing a PR, releasing, or amending rules. Do not use for failure triage; use night-market-debugging-playbook.
Night Market Change Control
Every change to this repo passes through a fixed law stack, a
classification step, and a gauntlet of automated gates. This skill tells
you which class your change is, which gates it must pass, and which
rules are non-negotiable because a past incident made them so. Nothing
here may be routed around: if a gate fails, fix the cause, never the
gate.
Jargon used below: a "gate" is any automated check that can block a
commit, PR, or release. An "ADR" is an Architecture Decision Record in
docs/adr/. The "Iron Law" is constitution rule 3: no implementation
without a failing test first.
The law stack
When two documents conflict, the higher one wins.
Rank
Source
Contents
1
CONSTITUTION.md
10 immutable rules, override and amendment process
A skill, hook, or agent instruction that says "skip rule N" without an
explicit user grant or a merged amendment is itself a defect
(CONSTITUTION.md, Override mechanism section).
The ten constitution rules
One line each. Where a rule was written in blood, the incident column
names the blood.
#
Rule
Motivating incident
1
Disclose AI involvement in every PR; never strip real or add fake AI attribution
Enforced by hook plugins/imbue/hooks/vow_no_ai_attribution.py
2
AI commits over 200 changed lines need a spec, ADR, or plan doc first (lockfiles, fixtures, snapshots excluded)
Size = scrutiny principle; see the unbloat incident under non-negotiables
3
Iron Law TDD: failing test before implementation for plugin Python. Skills and prose need structural tests (test_skill_<name>.py)
Design principle, no single incident
4
One identity leak ("As a large language model") in any committed artifact is an automatic revert
Pattern catalog in scribe slop-detector
5
Quality claims ("fast", "production-ready") need in-repo evidence or deletion
Design principle
6
No bypassing gates: no --no-verify, no SKIP=hook, no unauthorized force push, no bare suppression comments without a stated reason
Live examples in git branch -a: ai-slop-1.9.4, bugfixes-1.9.5,
discussions-fix-1.9.14. Never delete backup/unbloat-* branches.
They are the recovery points for past deletion campaigns
(backup/unbloat-20260328 is how the 2026-03-28 over-deletion was
undone).
2. Local gates before committing
make lint # ruff format + ruff check --fix + bandit
make typecheck # per-plugin strict mypy (all plugins)
make test# per-plugin pytest via scripts/run-plugin-tests.sh
make validate-all # plugin structure validation
Plugin tests MUST run per plugin (make <plugin>-test or
make -C plugins/<plugin> test). Root pytest excludes plugins/* to
avoid import-path collisions.
3. The pre-commit gauntlet
git commit runs .pre-commit-config.yaml hooks in this order
(verified 2026-07-02):
The typecheck gate runs --all deliberately. It used to run
--changed, and a global mirrors-mypy hook silently disabled 13 error
codes. Both were fixed in 1.9.12 (CHANGELOG). Do not weaken either
setting.
4. PR flow
Run in this order (all are sanctum slash commands):
/sanctum:prepare-pr updates docs, runs tests, drafts the PR.
/sanctum:pr-review reviews scope, requirements, and code.
/sanctum:validate-pr builds and executes a diff-derived test
plan, and proves revert-tests are genuine guards.
/sanctum:fix-pr and /sanctum:resolve-threads handle feedback.
For plugin-touching changes, add abstract:plugin-review at the
matching tier:
Tier
When
Scope
Time
branch
Default during work
Affected and related plugins
~2 min
pr
Before merge
Affected and related plugins
~5 min
release
Before version bump
Every plugin
~15 min
5. Release
Bump the ecosystem version. .claude-plugin/marketplace.json is
the source of truth; the bumper fans it out to every plugin's
plugin.json, metadata.json, openpackage.yml, pyproject.toml,
and __init__.py:
Or use the sanctum:version-updates skill, which runs a
git-workspace-review preflight first.
Move [Unreleased] entries in CHANGELOG.md into a dated version
section (Keep a Changelog 1.1.0, SemVer). Never rewrite or de-slop
historical entries.
Update the docs of record: docs/api-overview.md version
reference, plugin READMEs, and the generated capabilities reference
via /sanctum:sync-capabilities.
Run abstract:plugin-review --tier release.
/sanctum:create-tag pushes a v-prefixed tag. The tag matching
v* triggers .github/workflows/cross-framework-publish.yml
(semver validation, cross-framework build, tarballs, GitHub
release). Pushes to master separately trigger
trust-attestation.yml (full test run plus SLSA attestation).
Landing a change: checklist
Step
Action
Gate satisfied
Classify
Match the change against the classification table
Rule 2, amendment process
Branch
<topic>-<version> off master
Convention
Test first
Failing test before implementation
Rule 3 (Iron Law)
Local gates
make lint && make typecheck && make test
Rule 6
Commit
Plain commit, no bypass flags, honest attribution
Rules 1 and 6
PR
prepare-pr, pr-review, validate-pr; disclose AI involvement
Rule 1
Plugin review
abstract:plugin-review at branch or pr tier
Plugin quality
Merge
All CI checks green, review threads resolved
CI
Non-negotiables
Each row is a settled battle. Re-litigating one requires new evidence
stronger than the incident that settled it.
Non-negotiable
Rationale
Incident
Evidence
Never bypass or weaken a gate
A green gate that skips checks is worse than no gate: it certifies broken code
mirrors-mypy silently disabled 13 error codes; typecheck ran changed-only; bulk ruff ignores hid 73 real violations
CHANGELOG 1.9.12; commit 06b9b1db
No swallowed errors, ever
catch-and-continue in a scanner drops findings silently and reports clean
Scanners B1-B4 returned clean results on malformed input for months
commit 666171c3 (PR #521, issue #575)
Deletion campaigns need a backup branch and a markdown-reference scan
Python import graphs miss scripts referenced only from skills and commands
Tier-3 unbloat deleted 182 files (66K lines); skill-referenced scripts had to be restored
Plugins are independent deployables, and shared code couples their release cycles
tasks_manager consolidated to a shared script, reverted, then differentiated per plugin
commits 054e2679, 29961cd2, d89a55c7
No speculative infrastructure
Unused abstraction is pure carrying cost
LSP proxy landed without a consumer and was reverted in PR #193 review
commit bc318947
Identity leaks are an automatic revert
One leaked phrase proves unreviewed AI text shipped
Constitution rule 4
CONSTITUTION.md
Historical CHANGELOG entries are never edited
The changelog is a record, not prose to polish
Codified as an anti-goal in the slop rules
.claude/rules/slop-scan-for-docs.md (anti-goals)
When NOT to use
A gate is failing and you need to diagnose why: use
night-market-debugging-playbook.
You want the full story behind an incident named above: use
night-market-failure-archaeology.
You need the mechanics of running tests, lint, or the release
scripts (flags, artifacts, environments): use
night-market-operations.
You are judging whether a design fits the architecture: use
night-market-architecture-contract.
You are deciding what evidence a test must provide: use
night-market-validation-and-qa.
Exit Criteria
The change is classified against the classification table, and
any over-200-line AI diff has a spec, ADR, or plan doc committed
before the implementation.
make lint, make typecheck, and make test pass locally, and
no bypass flag (--no-verify, SKIP=, force push) appears in
the branch history.
The branch name matches <topic>-<version> and is based on
master.
The PR description discloses AI involvement (authored,
co-authored, or reviewed).
For a release: marketplace.json, the dated CHANGELOG.md
section, and the pushed v* tag all carry the same version.
Any constitution change is in a PR titled
constitution: amend rule N with repo-owner sign-off.
Provenance and maintenance
Compiled 2026-07-02 against repo v1.9.15 (10 constitution rules, 8
project rules, 17 ADRs). Re-verify volatile facts before relying on
them:
Commit hashes cited above were verified with git log --oneline -1 <hash> on 2026-07-02. Unverified/candidate: the exact count of files
restored after the unbloat incident (commit subjects confirm the
delete and restore, not the restored-file count), and whether
docs/api-overview.md holds a version table or a single version
reference (one version mention verified).