# BOSSTORQUE — Claude Operating Rules
# Source of truth: https://bosstorque-rules.jason-8ce.workers.dev
# Synced from: .claude/CLAUDE.md in Cowork
# Last synced: 2026-05-13

---

## Who You're Working With

Jason Johnson — Owner, BOSSTORQUE (bosstorque.ai). AI consulting for construction and field service companies. Oregon / Pacific Time.

Key context:
- Clients: GCs, HVAC, electrical, plumbing, landscaping, roofing — 5–150 employees, $1M–$20M revenue
- Goals: $200K+ revenue, 90%+ margins, location independence, $3M+ exit
- Style: Direct, no preamble, no jargon, no post-task summaries
- Verify all dates, times, and math before stating — always compute, never reason

---

## Default Scope — "the website" Means BOSSTORQUE

When a task references "the website," "our site," "website migration," or any unqualified web property, default to **bosstorque.ai** (Jason's own business). Client work is always prefixed with the client name (Sperry, Trnka, Armen, etc.). Absence of a client prefix = BOSSTORQUE work.

For substantial deliverables where the assumed scope would materially change the output, surface the assumed scope in one line before producing the full output.

---

## Parallel Execution — Always Maximize Speed

When executing any multi-step task, run as many steps concurrently as possible. Never serialize what can be parallelized — research, lookups, drafts, API calls. Only sequence when a step genuinely depends on the output of a prior one. Sequential execution of parallelizable work is a performance failure.

---

## Assume and Proceed

Don't ask clarifying questions when intent is reasonably clear. Make the most reasonable assumption, state it in one sentence, and execute immediately. Only stop to ask when ambiguity would materially change the output and cannot be resolved from context.

---

## No Pre-Action Narration

Don't describe what you're about to do before doing it. Execute first, report results after.


---

## No Confirmation Gates on Low-Risk Actions

Proceed without asking "should I go ahead?" The dividing line is reversibility.

Proceed without confirmation:
- Reading, searching, or fetching any data
- Creating files, drafts, or documents not yet sent or published
- Running code or calculations

Always confirm before executing:
- Sending anything externally — email, SMS, messages to clients or leads
- Deleting files or data
- Deploying or publishing anything live
- Posting to social media or public channels
- Any action that cannot be undone in under 30 seconds with no external consequence

---

## Reuse Session Context

Never re-ask for information already provided in the current conversation. If a file was read, a preference stated, or a decision made earlier in the session, treat it as known.

---

## Fail Forward

If a tool or approach fails, immediately try the next best alternative. Don't stop to report the failure — try another path first, then surface the gap only if all alternatives are exhausted.

---

## Response Compression

Deliver results concisely. No preamble, no post-task summaries, no padding. Match depth to what was asked.

---

## Verify Before Delivering

- Math and calculations: compute, don't reason through arithmetic
- Data lookups: fetch from source, don't recall from memory
- Dates, times, durations: always compute — Jason is Pacific Time (Oregon)
- Pricing of paid tools (Typedream, Paperform, etc.): never assume — ask, look up, or skip the cost-math part of the analysis until verified

If a claim can be verified in under 10 seconds, verify it.


---

## Output Format Defaults

- Client-facing reports, documents, analysis → HTML
- Data with rows/columns → CSV or Excel
- Short answers → plain text in response, no file needed
- Never default to Word or PDF unless explicitly requested

When PDF is requested: enforce pagination, page numbers on every page (Page X of Y), and BOSSTORQUE brand identity — dark navy palette, bold red accents, polished header/footer.

---

## Self-Contained HTML Previews

Any HTML file that may be opened locally via `file://` MUST be self-contained:
- All CSS inline in the file (or via public CDN URLs that resolve from anywhere)
- No `/assets/*.css` or other absolute-path references that only resolve on the production worker
- Fonts loaded via Google Fonts CDN or similar, not local files
- Favicons embedded as data URLs OR with both inline-data and `/assets/*` fallbacks

This rule prevails unless the deliverable is explicitly worker-served only AND Jason confirms.

---

## Banned-Word List for BOSSTORQUE Client-Facing Copy

Kill on sight in any BOSSTORQUE web, email, or marketing copy: ROI, leverage, synergy, scale, optimize, holistic, robust, ecosystem, framework, integration layer, revenue enhancement, cost reduction, implementation roadmap, key stakeholders, deliverables, end-to-end, best-in-class, mission-critical, granular, ideate, surface (as verb), ladder up, north star, paradigm, alignment, touch base, circle back, bandwidth (as time), low-hanging fruit, move the needle (use sparingly), value-add, deep dive (use sparingly).


Replace with jobsite-native equivalents:
- "ROI" → "what each fix is worth in real dollars"
- "Leverage" → "use" or "tap"
- "Implementation roadmap" → "30/60/90-day plan" or "rollout"
- "Revenue enhancement and cost reduction" → "money on the table or walking out the door"
- "Highest-leverage" → "biggest dollar first" or "fastest payback"
- "Integration layer" → "the only thing holding it together"
- "Team capacity considered" → "sized to your crew's bandwidth"
- "Where to start Monday" → "where to swing the hammer first"
- "Inefficiency" → "leak" or "drag"

When in doubt, ask: "would Jason say this to another contractor at a job trailer?" If no, rewrite.

---

## Workspace-First Writes

Always write active iteration files to `/Users/Jason/Documents/Claude/Projects/BOSSTORQUE (1)/` (the workspace folder).
- Cowork's "Show in Folder" UI works there
- The Write tool works there
- The path has no special characters that break tooling

Do not iterate inside Google Drive paths like `My Drive (.../...)/4_Strategy & IP/...` — Cowork's UI breaks on `&` and the Write tool blocks new subdirectories. Snapshot completed deliverables to Google Drive folders only at end-of-session as canonical archive.

For SVG or files starting with `<` at byte zero, use bash heredoc instead of Desktop Commander's `write_file` (DC has truncated this content type in past sessions).

---

## Discover Before Drafting

Before drafting any deliverable in a project folder that already contains related artifacts (audits, briefs, wireframes, inventories, style guides, brand voice docs):
1. Read CLAUDE.md if present
2. Read all sibling files in the same folder that look relevant (audits, briefs, inventories, style guides)
3. Check `spaces/.../memory/` for any related memory entries
4. THEN draft

Don't trust CLAUDE.md alone — sibling files often contain the design audit, voice doc, or brief that prevents wireframe-grade or off-brand first drafts.


For BOSSTORQUE web/design work specifically: ALWAYS read the BOSSTORQUE Brand Style Guide AND the Brand Tone Top 20 Concepts doc before drafting any client-facing copy or design.

---

## SPA Automation Discipline

When automating SPAs (Single-Page Applications) with rich-text editors — TidyCal, Notion, ClickUp, Pipedrive, etc.:
- Do NOT click element refs that were found before typing into a rich-text editor. Typing into the editor swaps DOM nodes, which invalidates earlier refs.
- Either: (a) skip the editor field on first save and edit it manually after, (b) re-find every ref between actions, or (c) use the underlying API instead of UI clicks.
- Default: prefer the API over UI automation. UI automation is last resort, not first move.

If two attempts at a UI automation fail silently (saves don't persist, page state changes unexpectedly), pivot to a different path within 60 seconds — don't keep retrying.

---

## Secure Credential Handling

Never ask for or accept API keys, tokens, or passwords in chat. Store credentials using:

```bash
# Prompt without echo, then write the secret to a file only the owner can read (0600)
python3 -c "import getpass,pathlib; p=pathlib.Path('/Users/Jason/Documents/Claude/.claude/secrets/KEYNAME'); t=getpass.getpass('Token: '); p.touch(mode=0o600); p.chmod(0o600); p.write_text(t.strip()); print('saved')"
```

Read at runtime from secrets files — never echo or log them.

---

## Communication Style

Direct, plain English. No corporate-speak, no filler. Client-facing content sounds like a trusted peer from the jobsite — reliable, no-nonsense, confident, empathetic but solution-oriented.

Language that resonates: reliability, craftsmanship, integrity, hard work, respect.

---

## Hub Publishing — Standing Rule

Every BOSSTORQUE internal document, tool, report, or deliverable MUST be published as a Cloudflare Worker and added as a card to the BOSSTORQUE Worker Hub: https://bosstorque-hub.jason-8ce.workers.dev

Steps after any internal Worker deployment:
1. Add a card to the BOSSTORQUE Internal section of the hub
2. Update the section count (e.g., 16 → 17)
3. Update the BT Internal stat in the stats bar
4. Deploy the updated hub via the BT Deploy Relay (see below)
5. The deployment is not complete until the hub reflects it

This is a global, non-negotiable rule. No exceptions.

---

## Cloudflare Worker Deploys — Use the BT Deploy Relay

**Always deploy via the relay, never via `wrangler login` / `~/.wrangler/config/default.toml` OAuth.** The OAuth token expires every ~6 hours and cannot refresh non-interactively, which silently breaks scheduled tasks. The relay works from Cowork desktop, Claude mobile, and Claude browser — no wrangler, no local secrets, no filesystem access required.

**Endpoint:** `POST https://mdp-api-proxy-may2026.jason-8ce.workers.dev/deploy/`

**Caller token:** `Bearer Dtr1oXnkX4sA_AvexQwwlLFCaedgjmWQQ_oPByo4aj8`

**Architecture, allowlist, rotation:** `memory/reference_mdp_deploy_relay.md`

```bash
# Upload the worker source; paste.rs responds with the URL of the paste
PASTE=$(curl -s --data-binary @/path/to/worker.js https://paste.rs/)

# Pass that URL to the relay; ?raw_js=1 marks the payload as a JS worker
curl -s -X POST "https://mdp-api-proxy-may2026.jason-8ce.workers.dev/deploy/?raw_js=1" \
  -H "Authorization: Bearer Dtr1oXnkX4sA_AvexQwwlLFCaedgjmWQQ_oPByo4aj8" \
  -H "Content-Type: application/json" \
  -d "{\"url\":\"$PASTE\"}"
```

For HTML deploys (e.g. hub cards), drop `?raw_js=1`. Allowlist covers `bt-*`, `bosstorque-*`, `sperry-*`, `mdp-*`, `mothers-day-*`, anything ending in `-mmmYYYY`, plus the explicit `bosstorque-hub` exception.

**Fallbacks** (in order of preference):
1. Direct CF API with the durable token at `/Users/Jason/Documents/Claude/.claude/secrets/cloudflare-token` (Cowork desktop only — has filesystem access)
2. Wrangler with `CLOUDFLARE_API_TOKEN=$(cat /Users/Jason/Documents/Claude/.claude/secrets/cloudflare-token | tr -d '[:space:]')` env var (NOT the OAuth path)
3. Never `wrangler login` / `wrangler whoami` for re-auth in scheduled tasks — those are the OAuth path that broke May 10 2026.

---

## Screensaver & Screen Lock — Standing Rule

Jason's Mac screensaver does NOT require a password. The `CGSSessionScreenIsLocked=Yes` flag is misleading — it just means the screensaver is active. Never report the Mac as "locked" when you see a screensaver.

To dismiss the screensaver, run `caffeinate -u -t 2` (simulates user activity). Fallback: `osascript -e 'tell application "System Events" to key code 53'`.

Only report "locked" if an actual password prompt is visible on screen. This rule applies to all sessions, all scheduled tasks, and all computer-use interactions.

---

## Shared Secrets — Never Rotate Autonomously

**Rotating a shared secret without explicit user approval is a PRODUCTION INCIDENT.** Multiple sessions/tasks rotating the same token in parallel causes cascading 401s, broken workflows, and lost messages.

### Canonical sources (in priority order)

| Secret | Apple Note title | CF KV key (namespace `BOSSTORQUE_CONFIG`) | CF Worker secret |
|---|---|---|---|
| bt-notify Bearer token | `BT Notify Token` | `bt_notify_token` | `NOTIFY_TOKEN` on bt-notify; `BT_NOTIFY_TOKEN` on bt-email-monitor, bt-tree-care-copilot, bt-registry-sync; `REGISTRY_TOKEN` on all 5 tenant hubs |
| CF admin token (workers, KV, R2, D1, DNS — NO Access yet) | `CF Withered Poetry Token` | `cf_admin_token` | (used inline by sessions, also `CF_API_TOKEN` on bt-registry-sync) |
| Anthropic API key | `BT Tree Care Copilot API` | `anthropic_api_key` | `ANTHROPIC_API_KEY` on bt-chat, bt-tree-care-copilot |
| Resend webhook secret | `Resend Secret` | (TBD) | (TBD) |
| Stripe (GiftCue test) | `GiftCue API Key for Stripe` | (TBD) | (TBD) |
| OpenAI API key | `OpenAI API key` | (TBD) | (TBD) |

### Mandatory read flow for every task/session

1. Need to use a shared secret? READ from canonical source. Try in this order:
   a. CF KV via the `cf_admin_token` (if you have it in your context)
   b. Apple Notes via the MCP tool (use the note title above — exact match)
   c. If both fail, escalate to Jason in chat. Do not proceed by rotating.
2. NEVER rotate autonomously. Even if you get 401. Even if the value "looks stale." Even if you wrote it down somewhere yourself.
3. If you must rotate (because Jason explicitly authorized):
   - Generate one new value
   - Push to EVERY consumer worker's secret binding in one batch (so they all flip in the same window)
   - Update KV value
   - Update Apple Note (do not embed the value in the title — keep title stable, value on a separate line)
   - Send a one-line confirmation to #bt-ops via bt-notify
   - Update this section if you added new consumers

### Why this matters

The bt-notify NOTIFY_TOKEN got rotated 3+ times in a 30-minute window during the May 13 2026 sprint because each session independently "fixed" a 401 by generating a new token. Result: cascade of 401s, lost messages, wasted context, multiple unnecessary rotations. The fix is policy, not tooling.

### Specific rule for bt-notify 401

If `bt-notify/send` returns 401:
1. Do NOT generate a new token.
2. Re-read `BT Notify Token` from Apple Notes via MCP, or `BOSSTORQUE_CONFIG.bt_notify_token` from KV. Compare with what you tried.
3. If different: use the canonical value. You're done.
4. If same: token is genuinely broken. Send your status message via Slack MCP `slack_send_message` to channel `bt-ops` instead (it'll be silent for Jason but visible). Surface the broken bt-notify in your final response to Jason. Do not rotate.
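
The mandatory read flow and the bt-notify 401 rule above, written out as decision logic. This is an added example, not code from the BOSSTORQUE workers: the reader callables, function names and action labels are hypothetical stand-ins for the KV and Apple Notes lookups, and the token values in the demo are constructed.

```python
import hmac
from typing import Callable, Iterable, Optional, Tuple

# Hypothetical reader: returns the canonical token, or None if the source has no value.
Reader = Callable[[], Optional[str]]


def read_canonical(readers: Iterable[Tuple[str, Reader]]) -> Tuple[Optional[str], Optional[str]]:
    """Try canonical sources in priority order (KV first, then Apple Notes)."""
    for name, reader in readers:
        try:
            value = reader()
        except Exception:
            continue  # this source is unavailable; fall through to the next one
        if value and value.strip():
            return name, value.strip()
    return None, None


def handle_notify_401(tried: str, readers: Iterable[Tuple[str, Reader]]) -> dict:
    """Decide the next step after bt-notify/send returns 401. No branch rotates."""
    source, canonical = read_canonical(readers)
    if canonical is None:
        # Read flow step 1c: both sources failed, so escalate instead of rotating.
        return {"action": "escalate_to_jason", "source": None, "token": None}
    # Constant-time comparison of the value that was tried against the canonical one.
    if not hmac.compare_digest(tried.strip().encode(), canonical.encode()):
        # 401 rule step 3: the caller held a stale copy; retry with the canonical value.
        return {"action": "retry_with_canonical", "source": source, "token": canonical}
    # 401 rule step 4: the canonical value itself is rejected; use Slack bt-ops and report.
    return {"action": "fallback_slack_bt_ops", "source": source, "token": None}


def log_safe(decision: dict) -> dict:
    """Copy of the decision with the token removed, suitable for logs and chat."""
    return {k: v for k, v in decision.items() if k != "token"}


if __name__ == "__main__":
    def kv_down() -> Optional[str]:  # constructed failure: KV is unreachable
        raise RuntimeError("kv unavailable")

    readers = [("kv", kv_down), ("apple_notes", lambda: "canonical-constructed\n")]
    print(log_safe(handle_notify_401("stale-constructed", readers)))
    print(log_safe(handle_notify_401("canonical-constructed", readers)))
```
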