Add team Claude Code setup, Python tooling, and shell improvements

.editorconfig

@@ -0,0 +1,33 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.go]
+indent_style = tab
+indent_size = 4
+
+[*.{tf,tfvars}]
+indent_style = space
+indent_size = 2
+
+[*.{yaml,yml}]
+indent_style = space
+indent_size = 2
+
+[*.{json,toml}]
+indent_style = space
+indent_size = 2
+
+[*.sh]
+indent_style = space
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false
+
+[Makefile]
+indent_style = tab

.github/workflows/shellcheck.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: ShellCheck
-        uses: ludeeus/action-shellcheck@master
+        uses: ludeeus/action-shellcheck@2.0.0
         with:
           scandir: '.'
           severity: warning

README.md

@@ -25,9 +25,10 @@ Most dotfiles repos are either too minimal to be useful or too personal to adapt
 | **ZSH** | Clean config via [zinit](https://github.com/zdharma-continuum/zinit) — no oh-my-zsh |
 | **Prompt** | [Starship](https://starship.rs) — shows Git, K8s context, AWS profile, Terraform workspace |
 | **Plugins** | zsh-autosuggestions, zsh-syntax-highlighting, zsh-completions |
-| **Tools** | eza (ls), bat (cat), ripgrep (grep), zoxide (cd), fzf |
+| **Tools** | eza (ls), bat (cat), ripgrep (grep), zoxide (cd), fzf, pyenv (Python versions) |
 | **Git** | Sensible defaults, global gitignore, local identity override |
 | **Claude Code** | Full hierarchical global config — rules, commands, skills, agents, memory, hooks |
+| **Team setup** | Project template with shared hooks, MCP config, security rules, local override pattern |
 
 ## Install
 
@@ -55,21 +56,29 @@ cat > ~/.gitconfig.local << EOF
   email = your@email.com
 EOF
 
-# Machine-specific env vars, paths, secrets — optional
-touch ~/.zshrc.local
+# Machine-specific env vars, paths, secrets
+# A template is provided — copy and fill in what you need:
+cp ~/.dotfiles/zsh/.zshrc.local.template ~/.zshrc.local
+
+# AWS profiles — copy the sample and fill in your accounts:
+mkdir -p ~/.aws
+cp ~/.dotfiles/aws/config.sample ~/.aws/config
 ```
 
 ## Structure
 
 ```
 dotfiles/
 ├── zsh/
-│   ├── .zshrc                  # zinit + starship, no oh-my-zsh
-│   ├── .aliases                # k8s, aws, git, docker, terraform
-│   └── starship.toml           # prompt: git, k8s context, aws profile
+│   ├── .zshrc                  # zinit + starship + pyenv, no oh-my-zsh
+│   ├── .aliases                # k8s, aws, git, docker, terraform + h() search
+│   ├── starship.toml           # prompt: git, k8s, aws, terraform, go, python
+│   └── .zshrc.local.template   # copy to ~/.zshrc.local for machine-specific config
 ├── git/
 │   ├── .gitconfig              # defaults, identity via ~/.gitconfig.local
 │   └── .gitignore_global       # .DS_Store, .env, .terraform, secrets
+├── aws/
+│   └── config.sample           # copy to ~/.aws/config, fill in your profiles/roles
 ├── claude/
 │   ├── CLAUDE.md               # global instructions
 │   ├── settings.json           # permissions + hooks (gofmt on save, notifications)
@@ -78,20 +87,30 @@ dotfiles/
 │   │   └── infra.md            # Terraform, K8s, AWS rules
 │   ├── commands/
 │   │   ├── commit.md           # /commit — staged diff → commit message
-│   │   └── review.md           # /review — branch diff review
+│   │   ├── review.md           # /review — branch diff review
+│   │   └── standup.md          # /standup — daily standup from git log + open PRs
 │   ├── skills/
 │   │   ├── infra-context.md    # auto: apply infra rules when touching infra files
 │   │   ├── secret-guard.md     # auto: flag secrets in every session
 │   │   └── go-conventions.md   # auto: apply Go rules when editing .go files
 │   ├── agents/
-│   │   └── infra-reviewer.md   # specialized infra review agent
+│   │   ├── infra-reviewer.md   # specialized infra review agent
+│   │   └── pr-reviewer.md      # PR review via gh with CRITICAL/WARNING/INFO output
 │   ├── memory/
 │   │   └── README.md           # how Claude uses persistent memory across sessions
 │   └── project-template/       # copy into new repos as .claude/
-│       ├── CLAUDE.md
-│       ├── settings.json
+│       ├── CLAUDE.md           # team-ready template with conventions, CI/CD, reviewers
+│       ├── settings.json       # shared hooks: secret protection + auto-format
+│       ├── settings.local.json.template  # copy → settings.local.json (gitignored)
+│       ├── .mcp.json           # GitHub MCP server for PR/issue access
+│       ├── .gitignore          # ensures settings.local.json is never committed
 │       ├── rules/
+│       │   ├── project-rules.md  # branching, dependencies
+│       │   ├── testing.md        # test structure and requirements
+│       │   └── security.md       # secrets, IAM, K8s security rules
 │       └── commands/
+│           └── ship.md           # /ship — pre-PR checklist
+├── .editorconfig               # consistent indentation across editors/tools
 └── install.sh                  # one-click or modular bootstrap
 ```
 
@@ -104,6 +123,39 @@ This repo sets up the **global** layer (`~/.claude/`). For each new project, cop
 project/.claude/    ← per-project: committed to git, extends the global layer
 ```
 
+## Team setup
+
+The `claude/project-template/` is designed for teams. Copy it into a repo once — every team member gets the same Claude behavior automatically:
+
+```bash
+cp -r ~/.dotfiles/claude/project-template/ my-repo/.claude
+cd my-repo
+# Edit .claude/CLAUDE.md with your project context
+# Edit .claude/.mcp.json with your GitHub token env var name
+git add .claude/
+git commit -m "add Claude Code team config"
+```
+
+Each team member then creates their local override (never committed):
+
+```bash
+cp .claude/settings.local.json.template .claude/settings.local.json
+# Edit with machine-specific paths and AWS profiles
+```
+
+**What the team config gives you:**
+
+| Feature | How |
+|---|---|
+| Secret file protection | `PreToolUse` hook blocks writes to `.env`, `*.key`, `*.pem` |
+| Auto-format on save | `PostToolUse` hooks run gofmt, terraform fmt, shellcheck |
+| GitHub PR/issue access | `.mcp.json` with GitHub MCP server |
+| Security rules | `.claude/rules/security.md` — IAM, K8s, secrets |
+| Testing standards | `.claude/rules/testing.md` — table tests, boundary testing |
+| PR review | `/pr-reviewer <number>` — CRITICAL/WARNING/INFO output via gh |
+| Standup summary | `/standup` — git log + open PRs formatted for standup |
+| Local overrides | `settings.local.json` (gitignored) for per-dev machine config |
+
 ## Prompt preview
 
 ```

aws/config.sample

@@ -0,0 +1,33 @@
+# =============================================================================
+# ~/.aws/config — sample (copy to ~/.aws/config, never commit real credentials)
+# Use IRSA or instance profiles in AWS — not access keys.
+# =============================================================================
+
+[default]
+region = us-east-1
+output = json
+
+# --- Assume-role profile (recommended for humans) ----------------------------
+# [profile dev]
+# role_arn = arn:aws:iam::123456789012:role/YourRoleName
+# source_profile = default
+# region = us-east-1
+
+# [profile staging]
+# role_arn = arn:aws:iam::234567890123:role/YourRoleName
+# source_profile = default
+# region = us-east-1
+
+# [profile prod]
+# role_arn = arn:aws:iam::345678901234:role/YourRoleName
+# source_profile = default
+# region = us-east-1
+# mfa_serial = arn:aws:iam::123456789012:mfa/your-username
+
+# --- SSO (if your org uses AWS IAM Identity Center) --------------------------
+# [profile sso-dev]
+# sso_start_url = https://your-org.awsapps.com/start
+# sso_region = us-east-1
+# sso_account_id = 123456789012
+# sso_role_name = DeveloperAccess
+# region = us-east-1

claude/agents/pr-reviewer.md

@@ -0,0 +1,69 @@
+# PR Reviewer
+
+You are a senior engineer reviewing a pull request on this codebase.
+
+## How to use
+
+Called with a PR number:
+```
+/pr-reviewer 42
+```
+
+Or the current branch:
+```
+/pr-reviewer
+```
+
+## What to do
+
+1. Fetch the PR diff and description:
+   ```bash
+   gh pr view <number> --json title,body,additions,deletions,files
+   gh pr diff <number>
+   ```
+   If no number given, use the current branch: `gh pr view`.
+
+2. Read any files changed that are relevant for context.
+
+3. Review with these priorities, in order:
+
+   **CRITICAL** — must fix before merge:
+   - Security issues (secrets, injection, auth bypass, excessive permissions)
+   - Data loss or corruption risk
+   - Breaking changes without migration path
+
+   **WARNING** — should fix:
+   - Missing tests for new behavior
+   - Error paths not handled
+   - Infra changes without resource limits or tags
+
+   **INFO** — optional / nitpick:
+   - Style inconsistencies
+   - Naming that could be clearer
+   - Missing comments on non-obvious logic
+
+4. Output format:
+   ```
+   ## PR #<n>: <title>
+
+   **Summary**: <one sentence of what this does>
+
+   ### CRITICAL
+   - <file>:<line> — <issue> → <fix>
+
+   ### WARNING
+   - <file>:<line> — <issue>
+
+   ### INFO
+   - <file>:<line> — <suggestion>
+
+   ### Verdict
+   APPROVE / REQUEST CHANGES / NEEDS DISCUSSION
+   ```
+
+## Rules
+
+- Never approve PRs that have CRITICAL issues
+- Be specific — always cite file and line
+- Explain *why* something is an issue, not just that it is
+- Skip nitpicks if there are real issues to focus on

claude/commands/standup.md

@@ -0,0 +1,31 @@
+# Standup
+
+Generate a concise standup summary from recent git activity.
+
+```bash
+git log --oneline --since="yesterday" --author="$(git config user.name)" 2>/dev/null \
+  || git log --oneline -10
+```
+
+Also check for open PRs:
+```bash
+gh pr list --author "@me" --state open --json number,title,reviewDecision 2>/dev/null || true
+```
+
+And any PRs awaiting your review:
+```bash
+gh pr list --reviewer "@me" --state open --json number,title,author 2>/dev/null || true
+```
+
+Then produce:
+
+**Yesterday / Since last standup:**
+- <bullet per meaningful commit, grouped by theme — skip merge commits>
+
+**Today:**
+- <infer from in-progress work or open PRs>
+
+**Blockers:**
+- <list any PRs waiting on review, or none>
+
+Keep it short — this is a standup, not a report. Three bullets max per section.

claude/project-template/.gitignore

@@ -0,0 +1,2 @@
+# Claude Code — local overrides are machine-specific, never commit them
+.claude/settings.local.json

claude/project-template/.mcp.json

@@ -0,0 +1,15 @@
+{
+  "mcpServers": {
+    "github": {
+      "command": "docker",
+      "args": [
+        "run", "-i", "--rm",
+        "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
+        "ghcr.io/github/github-mcp-server"
+      ],
+      "env": {
+        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
+      }
+    }
+  }
+}