4 changes: 3 additions & 1 deletion .github/mlc-config.json
Expand Up @@ -4,7 +4,9 @@
{ "pattern": "^http://127\\.0\\.0\\.1" },
{ "pattern": "^http://0\\.0\\.0\\.0" },
{ "pattern": "^https://optiqor\\.com" },
{ "pattern": "^https://optiqor\\.dev" }
{ "pattern": "^https://optiqor\\.dev" },
{ "pattern": "^https://www\\.npmjs\\.com/package/@optiqor/" },
{ "pattern": "^https://github\\.com/optiqor/optiqor-cli/discussions" }
],
"timeout": "10s",
"retryOn429": true,
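Review bot: The new `^https://www\\.npmjs\\.com/package/@optiqor/` entry is a prefix match, so it exempts every package link under the scope from link checking, including a mistyped package name in the README badges. Consider narrowing it to the one URL the docs use (`^https://www\\.npmjs\\.com/package/@optiqor/cli$`), and anchoring the discussions entry the same way. `retryOn429` is already `true` in the context below, so if these hosts fail for a reason other than rate limiting, the PR description should say which one; otherwise a dead install link can land unnoticed.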
4 changes: 2 additions & 2 deletions CLAUDE.md
@@ -1,12 +1,12 @@
# cli — Claude Conventions

This is the **open-source** Optiqor CLI (`@optiqor/cli`). It must remain independently auditable as Apache-2.0 OSS — that is the entire reason it lives in a separate repo from the proprietary backend. Strategy reference: [../docs/open_source_cli_playbook.md](../docs/open_source_cli_playbook.md).
This is the **open-source** Optiqor CLI (`@optiqor/cli`). It must remain independently auditable as Apache-2.0 OSS — that is the entire reason it lives in a separate repo from the proprietary backend. Strategy reference: `docs/open_source_cli_playbook.md` in the Optiqor org monorepo (not public).

## Stack

- Go 1.23+, single module (`github.com/optiqor/optiqor-cli`)

- Cobra for command parsing
- npm wrapper (`@optiqor/cli`) downloads the platform-specific Go binary on `npm install`

- GoReleaser for cross-platform builds (linux/macos amd64/arm64)

## Hard rules
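Review bot: The replacement text on line 3 points readers at `docs/open_source_cli_playbook.md` in a repository that the same sentence says is not public, so an outside auditor still cannot read the strategy reference. Since the paragraph's stated goal is that the CLI stay independently auditable, either copy the parts of the playbook that constrain this repo into a public doc here, or drop the pointer and rely on the rules listed under "Hard rules".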
Expand All @@ -14,10 +14,10 @@
These are not preferences. They are conditions for the OSS funnel to work.

- **No LLM calls.** The CLI is a deterministic rule engine. The Sonnet/Opus/Haiku-driven Apply Fix flow lives in the backend, not here. If you find yourself wanting to call an LLM from the CLI, the answer is "send to the SaaS backend's sandbox endpoint instead."
- **No telemetry by default.** Zero-config install must not phone home. An opt-in `--share` flag uploads a sanitized analysis to `optiqor.dev/r/<hash>` for sharing — that is the only network egress.

- **Accuracy disclosure is mandatory in every output.** Every analysis result includes "Sandbox accuracy: ±40%. Install the Optiqor agent for exact numbers (optiqor.dev/get)." Do not remove this. Do not make it dismissible by default. The honesty is the whole pitch.

- **No proprietary backend code may be imported here.** This repo's `go.mod` must never reference `github.com/optiqor/backend`. The CLI is independently buildable, independently auditable, independently licensable.
- **No proprietary backend code may be imported here.** This repo's `go.mod` must never reference `github.com/optiqor/optiqor`. The CLI is independently buildable, independently auditable, independently licensable.
- **`pkg/` is the stable public surface.** External programs may import it. Breaking changes go through semver and a deprecation notice. The Optiqor proprietary backend imports `pkg/rules` (the 30-detector library) and `pkg/parser` (Helm values normaliser) directly — this is *the* mechanism by which the SaaS reuses CLI rule definitions instead of forking them. **New detectors land in `pkg/rules` first; the backend follows automatically via vendored module + golden parity tests.**

- **`internal/` is private.** Refactor freely. Anything in `internal/` (analyze, render, share, config, render/style) is CLI-side composition that should stay out of the public API surface.

## Distribution
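Review bot: The updated import rule now names `github.com/optiqor/optiqor`, which is a string prefix of this repo's own module path `github.com/optiqor/optiqor-cli` (see the Stack section), so any check that greps `go.mod` for the forbidden path will match the module's own `module` line. In the visible lines the rule exists only as prose. Suggest adding a CI step that reads the `require` and `replace` entries and fails on an exact module-path match, and stating in this bullet that the match is exact.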
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -9,7 +9,7 @@
[![npm](https://img.shields.io/npm/v/@optiqor/cli.svg?label=%40optiqor%2Fcli&color=blue)](https://www.npmjs.com/package/@optiqor/cli)
[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
[![Go Reference](https://pkg.go.dev/badge/github.com/optiqor/optiqor-cli.svg)](https://pkg.go.dev/github.com/optiqor/optiqor-cli)
[![CI](https://img.shields.io/github/actions/workflow/status/optiqor/optiqor/ci.yml?branch=main&label=ci)](https://github.com/optiqor/optiqor-cli/actions/workflows/ci.yml)
[![CI](https://img.shields.io/github/actions/workflow/status/optiqor/optiqor-cli/ci.yml?branch=main&label=ci)](https://github.com/optiqor/optiqor-cli/actions/workflows/ci.yml)
[![Downloads](https://img.shields.io/npm/dm/@optiqor/cli.svg)](https://www.npmjs.com/package/@optiqor/cli)

```sh
Expand Down Expand Up @@ -87,7 +87,7 @@ sudo mv optiqor /usr/local/bin/
```

> [!TIP]
> All release artifacts are signed with [Cosign](https://docs.sigstore.dev/cosign/overview/). Verification instructions on the [release page](https://github.com/optiqor/optiqor-cli/releases).
> All release artifacts are signed with [Cosign](https://github.com/sigstore/cosign). Verification instructions on the [release page](https://github.com/optiqor/optiqor-cli/releases).

### Option 5: Build from source
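Review bot: The Cosign link in the tip now goes to the source repository rather than the documentation, and the tip still sends users to the release page for the actual verification steps, after the `sudo mv optiqor /usr/local/bin/` step shown in the hunk context. Consider moving the tip above the install command and putting the verification command for a release artifact directly in the README, so that checking the signature is part of the install path rather than an optional follow-up.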

8 changes: 4 additions & 4 deletions todo.md
@@ -1,9 +1,9 @@
# optiqor-cli — repo-local todo

This file tracks CLI-only work. The org-level roadmap that wires both
repos and the strategy docs is in [../todo.md](../todo.md); items
here are scoped to what lands inside this repo's `cmd/`, `internal/`,
or `pkg/`.
repos and the strategy docs lives in the Optiqor org monorepo (not
public); items here are scoped to what lands inside this repo's
`cmd/`, `internal/`, or `pkg/`.

## Recently shipped

Expand Down Expand Up @@ -50,5 +50,5 @@ These are conditions for the OSS funnel to work. See [CLAUDE.md](CLAUDE.md) for
- **No LLM calls.** The CLI is a deterministic rule engine.
- **No telemetry by default.** Only `--share` egresses (opt-in).
- **Accuracy disclosure mandatory in every output.** Verbatim string; renderers must include it.
- **No proprietary backend code imported.** `go.mod` must never reference `github.com/optiqor/backend`.
- **No proprietary backend code imported.** `go.mod` must never reference `github.com/optiqor/optiqor`.
- **`pkg/` is the stable public API.** Breaking changes go through semver and a deprecation notice.
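Review bot: The `go.mod` bullet in this hunk repeats the rule from CLAUDE.md, and the PR has to update the forbidden path in both files to keep them in sync. The section intro already says "See [CLAUDE.md](CLAUDE.md)", so consider keeping the module path only there and leaving the short rule name here, which removes one place where the two copies can drift.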