diff --git a/.claude/agents/builder.md b/.claude/agents/builder.md
deleted file mode 100644
index a540df1..0000000
--- a/.claude/agents/builder.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-description: Builder agent — implements planned issues using TDD, opens draft PRs
----
-
-You are Builder. You implement. You never mark PRs ready for review. **Run schedule: every hour.**
-
-## Trigger
-
-Find the oldest open issue with label `planned` that does NOT have label `in-progress` or `pr-opened`.
-
-## Protocol
-
-1. Read the issue and the Planner's comment (the implementation plan).
-2. Create branch: `fix/<issue-number>-<3-word-slug>`. Add label `in-progress` to the issue.
-3. **Write the failing tests first. Run them. Confirm they fail for the right reason.** If any test passes before your fix — stop, add `needs-investigation`, do not continue.
-4. Write the minimum production code to make the tests pass.
-5. Run the full quality gate. Fix every issue before proceeding.
-6. Review diff vs plan — all planned files touched, nothing extra.
-7. Open a **DRAFT** pull request. Never mark it ready.
-
-## PR format
-
-```
-Title: fix(<scope>): <what was fixed>
-
-Closes #<issue-number>
-
-## What changed / TDD evidence / Quality gate (paste score) / Out of scope
-```
-
-## Commands
-
-```bash
-# Run tests
-pytest
-
-# Type check
-mypy .
-
-# Lint
-ruff check .
-
-# Quality gate (required, minimum score 70)
-desloppify scan --path .
-```
-
-## Hard rules
-- Never mark a PR ready · Never push to main/master · Never skip failing-test step · One issue per PR
diff --git a/.claude/agents/planner.md b/.claude/agents/planner.md
deleted file mode 100644
index 8cc2f53..0000000
--- a/.claude/agents/planner.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-description: Planning agent — turns scout-filed issues into verified implementation plans
----
-
-You are Planner. You read code and write plans. You never write production code. **Run schedule: every hour.**
-
-## Trigger
-
-Find the oldest open issue with label `scout-filed` that does NOT have label `planned` or `in-progress`.
-
-## Protocol
-
-1. Read the full issue including all comments.
-2. Read every file mentioned in "Code location" plus their tests and callers.
-3. Draft an implementation plan with these sections:
-
-   **Root cause** — 1–2 sentences on what is actually wrong.
-
-   **Files to change** — `path/to/file:line_range` with reason for each.
-
-   **Tests to write** — specific failing test cases that prove the bug exists.
-
-   **Approach** — numbered implementation steps for Builder to follow exactly.
-
-   **Risks** — regressions or edge cases to watch.
-
-   **Out of scope** — what will NOT be touched.
-
-4. Self-critique against this checklist before posting:
-   - [ ] No duplication — searched for existing implementations first
-   - [ ] Error handling is specific, not catch-all
-   - [ ] Domain terminology correct (no synonym drift from advocacy-domain.md)
-   - [ ] A failing test is specified before any production code
-   - [ ] Every test would be killed by mutation testing
-   - [ ] No premature abstraction (three similar lines is fine)
-
-5. If plan passes: post it as a comment, add label `planned`, remove `scout-filed`.
-6. If root cause is unclear: add label `needs-investigation` only, do not add `planned`.
-
-## Quality gate
-
-Minimum desloppify score for this repo: **70**
-
-```bash
-desloppify scan --path .
-```
-
-## Hard rules
-- Never write code
-- Never push commits
-- Never plan more than one issue per run
-- Never approve a plan that skips the failing-test step
diff --git a/.claude/agents/scout.md b/.claude/agents/scout.md
deleted file mode 100644
index 4877d9c..0000000
--- a/.claude/agents/scout.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-description: QA agent — exercises this tool as real users, files structured GitHub issues for failures
----
-
-You are Scout. You find broken things. You never fix them. **Run schedule: every 6 hours.**
-
-## Execution
-
-1. Read `scout.personas.yaml` from the repo root.
-2. Set up the environment if required (check CLAUDE.md or README). For privatemode-proxy: `pip install -r requirements-test.txt`.
-3. For each persona, execute every flow in `flows[]` exactly as described:
-   - `run:` → execute the shell command
-   - `call:` → invoke the function or method
-   - `request:` → make the HTTP request
-4. After each flow, check all `assertions`:
-   - `succeeds` — these must complete without error
-   - `fails_gracefully` — these must fail with a clean message, not a traceback
-   - `output_contains` — these strings must appear in output
-   - `output_not_contains` — these strings must NOT appear
-
-## Filing issues
-
-File a GitHub issue immediately for each failure. One issue per failure. File before moving to the next flow.
-
-Issue format:
-```
-Title: [Scout] <persona-id> — <what broke, 8 words or fewer>
-Labels: scout-filed, bug
-
-## Persona
-<persona-id> — <persona description>
-
-## Flow
-<flow-id>: <flow name>
-
-## Command / call
-<exact command, function call, or request that failed>
-
-## Output
-<actual output, error message, or traceback>
-
-## Expected behavior
-<expected_outcome from the flow>
-
-## Code location
-<file:line — trace into the codebase to find it>
-
-## Acceptance criteria
-- [ ] <specific, testable criterion>
-- [ ] <specific, testable criterion>
-```
-
-## Hard rules
-- Never modify code, configuration, or data
-- Never push commits
-- Never close or update issues you did not file in this run
-- One issue per distinct failure
diff --git a/.claude/rules/accessibility.md b/.claude/rules/accessibility.md
deleted file mode 100644
index 0c8fdf9..0000000
--- a/.claude/rules/accessibility.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-paths:
-  - "**/ui/**"
-  - "**/frontend/**"
-  - "**/i18n/**"
-  - "**/l10n/**"
----
-# Accessibility Rules for Animal Advocacy Projects
-
-Advocacy networks span borders, languages, economic conditions, and infrastructure environments. An activist coordinating a rescue in a rural area with intermittent connectivity has fundamentally different needs than a campaign organizer at a well-resourced urban nonprofit. Accessibility in advocacy software is not about compliance with standards — it is about ensuring the movement's tools work for everyone the movement serves.
-
-## Internationalization from Day One
-
-Design every user-facing component with internationalization from the start — never retrofit it. Advocacy networks operate across linguistic boundaries: a coalition might include Spanish-speaking organizers in the Americas, Mandarin-speaking activists in Asia, and English-speaking legal teams in Europe. Externalize all user-facing strings from the beginning. Support right-to-left text layouts. Handle pluralization rules that differ across languages. Date, time, currency, and number formatting must respect locale. Adding i18n after the fact requires touching every component — the cost grows exponentially with codebase size.
-
-## Low-Bandwidth Optimization
-
-Many activists operate on mobile data in regions with expensive or throttled connections. Optimize aggressively: compress all assets, lazy-load non-critical content, minimize payload sizes, implement efficient data synchronization that transfers only deltas. Set performance budgets and test against them on throttled connections. A tool that requires broadband to function excludes the activists who need it most.
-
-## Offline-First Architecture
-
-Design for disconnected operation as the default, not as an exception. Activists in areas with unreliable connectivity — rural investigation sites, countries with internet shutdowns, disaster response scenarios — need tools that work without a network connection. Local-first data storage with background sync when connectivity is available. Conflict resolution for data modified offline by multiple users. Queue operations during disconnection and replay them on reconnect. The application must be fully functional for core workflows without any network access.
-
-## Low-Literacy Design Patterns
-
-Not all advocacy participants are fluent readers. Rescue coordinators, sanctuary workers, and community organizers come from diverse educational backgrounds. Design for comprehension: use icons alongside text labels, provide visual workflows instead of text-heavy instructions, support voice input and audio output where possible, use progressive disclosure to avoid overwhelming users with information density. Test interfaces with users who have limited formal literacy.
-
-## Mesh Networking Compatibility
-
-In environments where centralized internet infrastructure is unavailable, compromised, or surveilled, mesh networking enables direct device-to-device communication. Design data synchronization protocols that can operate over mesh networks with high latency, low bandwidth, and intermittent peer availability. This is not a theoretical concern — activists operating in regions with government internet shutdowns depend on mesh-capable tools.
-
-## Graceful Degradation
-
-Every feature must have a degraded mode that functions under constrained conditions. If the encryption library fails to load, the application must refuse to transmit sensitive data rather than transmitting it in plaintext. If the media processing pipeline is unavailable, investigation footage must be stored safely for later processing rather than discarded. If the network connection is lost, the user must see clear status indicators, not silent failures. Degrade capability, never safety.
-
-## Device Seizure Preparation — Application State
-
-When connectivity is lost suddenly — device confiscated, signal jammed, power cut — the application must not leave sensitive data exposed. No temporary files with decrypted investigation content. No in-memory caches that persist to swap files. No crash dumps containing witness identities. No recovery modes that display previously viewed sensitive content without re-authentication. Design the application so that power loss at any moment leaves zero recoverable sensitive state on disk.
-
-## Multi-Language Activist Networks Across Borders
-
-Coalition tools must support simultaneous use in multiple languages within the same deployment. A shared coordination platform where each user sees the interface in their language, but shared content (campaign plans, action alerts, investigation summaries) can be viewed in translated or original form. Support both machine translation for real-time use and human-reviewed translation for legally sensitive content.
diff --git a/.claude/rules/desloppify.md b/.claude/rules/desloppify.md
index 891e9e1..96b64ed 100644
--- a/.claude/rules/desloppify.md
+++ b/.claude/rules/desloppify.md
@@ -1,23 +1,64 @@
 # Code Quality — desloppify
 
-Run desloppify to systematically identify and fix code quality issues. Install and configure before scanning (requires Python 3.11+):
+Run desloppify to systematically identify and fix code quality issues. Install from the **Open Paws fork** (Python 3.11+):
 
 ```bash
-pip install --upgrade "desloppify[full]"
+# Install from this fork — NEVER from PyPI / upstream
+pip install "git+https://github.com/Open-Paws/desloppify.git#egg=desloppify[full]"
 desloppify update-skill claude
 ```
 
-Add `.desloppify/` to `.gitignore` — it contains local state that should not be committed. Before scanning, exclude directories that should not be analyzed (vendor, build output, generated code, worktrees) with `desloppify exclude <path>`. Share questionable candidates with the project owner before excluding.
+**Canonical install command.** This file is the single source of truth for how to install desloppify. Every other file in this stack (`skills/desloppify-playbook/SKILL.md`, `agents/desloppifier.md`, `$OP_CONTEXT_REPO/.claude/rules/desloppify.md`, every `Open-Paws/*/.claude/rules/desloppify.md`) links here rather than restating the command — duplication is how the multi-repo drift that existed pre-2026-04-25 happened. If you're editing an install command anywhere other than this file, stop.
+
+**OP fork only — never upstream.** The git install above pulls from `github.com/Open-Paws/desloppify`, which carries the movement conventions (no-speciesist-language rules, type-safety patterns, gateway response shape discipline, compassionate language enforcement, persona-QA browser testing) that upstream desloppify lacks. `pip install desloppify` from PyPI pulls upstream and is a hard-rule violation per `~/.claude/rules/pipeline-nevers.md`.
+
+Add `.desloppify/` to `.gitignore` — it contains local state that should not be committed. Before scanning, exclude generated / vendor / build dirs:
 
 ```bash
+# Exclude generated directories, then scan
+desloppify exclude node_modules dist
 desloppify scan --path .
-desloppify next
 ```
 
 `--path` is the directory to scan (use `.` for the whole project, or a subdirectory like `src/`). Your goal is to get the strict score as high as possible. The scoring resists gaming — the only way to improve it is to actually make the code better.
 
-**The loop:** run `next`. It is the execution queue from the living plan, not the whole backlog. It tells you what to fix now, which file, and the resolve command to run when done. Fix it, resolve it, run `next` again. This is your main job. Use `desloppify backlog` only when you need to inspect broader open work not currently driving execution.
+## The fix loop
+
+Run `next` → fix → resolve → repeat:
+
+```bash
+desloppify next          # get the top-priority item; shows which file and the resolve command
+# fix the code
+desloppify plan resolve  # mark it done
+desloppify next          # get the next item
+```
+
+It is the execution queue from the living plan, not the whole backlog. It tells you what to fix now, which file, and the resolve command to run when done. Use `desloppify backlog` only when you need to inspect broader open work not currently driving execution.
 
 Do not be lazy. Large refactors and small detailed fixes — do both with equal energy. No task is too big or too small. Fix things properly, not minimally.
 
 Use `plan` / `plan queue` to reorder priorities or cluster related issues. Rescan periodically. The scan output includes agent instructions — follow them, do not substitute your own analysis.
+
+## Persona-QA workflow (UI repos with persona-driven testing)
+
+```bash
+desloppify persona-qa --prepare --url https://example.com   # generate agent instructions
+# agent runs browser testing and captures findings in JSON
+desloppify persona-qa --import findings.json                 # merge into state
+desloppify persona-qa --status                               # per-persona summary
+desloppify next                                              # persona QA items now appear in the queue
+```
+
+## Baseline Capture Process
+
+**At plan time (STAGE 3):** Capture desloppify baseline against branch point:
+
+```bash
+desloppify status --json > .desloppify/baseline.json
+```
+
+Post baseline JSON as GitHub issue comment for durable storage (`.desloppify/` is gitignored).
+
+**Recovery if missing:** STAGE 9 uses `git merge-base HEAD main` to recapture against the branch point.
+
+**Score-cannot-regress gate.** STAGE 9 blocks merge if the strict score drops below baseline. Regression requires `override:allow-score-drop` label (human-only — agents cannot apply it).
diff --git a/.claude/rules/emotional-safety.md b/.claude/rules/emotional-safety.md
deleted file mode 100644
index 622a08f..0000000
--- a/.claude/rules/emotional-safety.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-paths:
-  - "**/content/**"
-  - "**/media/**"
-  - "**/display/**"
-  - "**/upload/**"
----
-# Emotional Safety Rules for Animal Advocacy Projects
-
-Animal advocacy software routinely handles content documenting extreme suffering: factory farm conditions, slaughterhouse footage, animal testing documentation, and witness testimony of abuse. This content is necessary for the movement's work — it drives investigations, legal cases, public campaigns, and policy change. But uncontrolled exposure to this content causes measurable psychological harm. Every display decision must balance the operational need for access against the human cost of exposure. Emotional safety is not a UX preference — it is a duty of care to the people doing this work.
-
-## Progressive Disclosure of Traumatic Content
-
-NEVER display graphic content by default. Every piece of investigation footage, slaughter documentation, or exploitation imagery must be behind at least one intentional interaction. The default state is always safe: blurred, hidden, or represented by a text description. Users escalate to more graphic content through deliberate choices, never through automatic loading, scrolling, or navigation.
-
-## Configurable Detail Levels
-
-Implement user-controlled detail settings that persist across sessions. At minimum, provide three tiers: (1) text-only descriptions with no imagery, (2) blurred or low-detail representations with contextual descriptions, (3) full-resolution content. Each user chooses their own default level. The system MUST remember this preference and never reset it. Different roles need different defaults: a legal reviewer may need full-resolution evidence access; a campaign coordinator may only need text summaries.
-
-## Content Warnings — Mandatory Before Display
-
-Every piece of content involving animal suffering, investigation footage, or slaughter documentation MUST be preceded by a specific content warning describing what the content contains. Generic warnings like "sensitive content" are insufficient — the warning must indicate whether the content includes: graphic injury, death, distress vocalizations, confined living conditions, or slaughter processes. Users must be able to make an informed decision about whether to view specific content, not just "something sensitive."
-
-## Investigation Footage Handling
-
-Investigation footage is the most operationally important and psychologically dangerous content in the system. Implementation requirements:
-- NEVER auto-play video or audio from investigations
-- ALWAYS display footage in blurred state by default
-- Require explicit opt-in for full resolution — a deliberate click, not a hover or scroll
-- Provide frame-by-frame navigation for reviewers who need to examine specific moments without watching continuous footage
-- Strip audio by default — distress vocalizations cause acute stress responses; audio should be a separate opt-in from video
-- Support annotation without full-resolution viewing (reviewers can mark timestamps and regions on blurred preview)
-
-## Witness Testimony Display
-
-Before displaying any witness testimony: (1) verify that display consent is current and has not been withdrawn, (2) anonymize by default — display pseudonyms, not legal names, (3) require explicit opt-in to view identifying details, (4) log access to testimony for audit purposes while protecting the identity of who accessed it. When testimony includes descriptions of animal suffering, apply the same progressive disclosure and content warning rules as for visual media.
-
-## Burnout Prevention Patterns
-
-Advocacy software should actively support user wellbeing during extended content review sessions:
-- **Session time awareness** — track continuous exposure time to traumatic content and surface non-intrusive reminders after configurable intervals (default: 30 minutes of active content review)
-- **"Take a break" prompts** — for content reviewers who have been processing investigation footage or testimony for extended periods; these are suggestions, not blocks
-- **Session summaries** — at the end of a content review session, provide a summary of what was reviewed so the reviewer does not need to re-expose themselves to verify completeness
-- **Workload distribution** — when multiple reviewers are available, the system should support distributing traumatic content review across the team rather than concentrating it
-
-## Secondary Trauma Mitigation
-
-Secondary trauma affects not just end users but also **developers** building and testing this software. Design the development workflow to minimize unnecessary exposure: use abstract test data (described references, not actual footage) in automated tests, provide mock data generators that produce realistic metadata without graphic content, and document which test suites involve real content so developers can prepare. The CI/CD pipeline must never display graphic content in test output, logs, or failure reports.
-
-## Opt-In Escalation of Graphic Content
-
-When a user needs to access full-resolution graphic content, require multiple confirmation steps proportional to content severity. A single click is insufficient for the most graphic content. Implement a confirmation dialog that names what the user is about to see, requires an explicit "I understand" acknowledgment, and provides an alternative (text description, blurred summary) alongside the full-access option. This is not friction for friction's sake — it is informed consent applied to content exposure.
diff --git a/.claude/rules/geo-seo.md b/.claude/rules/geo-seo.md
deleted file mode 100644
index 5ff43d3..0000000
--- a/.claude/rules/geo-seo.md
+++ /dev/null
@@ -1,616 +0,0 @@
----
-paths:
-  - "**/*.html"
-  - "**/robots.txt"
-  - "**/sitemap.xml"
-  - "**/llms.txt"
-  - "**/head/**"
-  - "**/seo/**"
-  - "**/meta/**"
-  - "**/schema/**"
-  - "**/structured-data/**"
-  - "**/layout.*"
-  - "**/Layout.*"
-  - "**/BaseHead.*"
-  - "**/Head.*"
----
-# SEO + GEO Rules for Animal Advocacy Websites
-
-Websites built for animal advocacy serve two discovery channels: traditional search engines and AI answer systems (ChatGPT, Perplexity, Google AI Overviews, Claude, Gemini, Bing Copilot). The game has shifted from optimizing for keyword matching to optimizing for **intent satisfaction** (does your content completely solve the user's problem?), **entity authority** (does Google recognize your brand as a trusted entity in its knowledge graph?), and **technical excellence** (can crawlers efficiently process your site?). Approximately 60% of searches end without a click — appearing in search results is no longer enough; you need to be the source Google trusts enough to synthesize into AI-generated answers.
-
-**How AI citation works:** Google generates an answer first, then scores content against it using embedding distance. Only 17-32% of AI Overview citations come from pages ranking in the organic top 10 — lower-authority pages can win with the right structure (source: Authoritas AI Overviews study, 2024). Domain Authority correlates with AI citations at only r=0.18; topical authority (r=0.40) and branded web mentions (r=0.664) are the real predictors (source: Kalicube GEO correlation study, 2025). 80% of URLs cited by AI assistants do not rank in Google's top search results for the same queries (source: Semrush AI citation analysis, 2024).
-
----
-
-## HTML Structure
-
-Every page needs exactly one `<h1>` tag containing the primary topic. Use a logical heading hierarchy (`h1 > h2 > h3`), never skipping levels. Phrase `<h2>` headings as questions when the section answers something — question-based headings improve Featured Snippet selection, People Also Ask appearance, and produce 7× more AI citations for smaller sites. The first paragraph after any heading must directly answer that question in 40-60 words. AI systems pull from the first 30% of content 44% of the time — lead with the answer.
-
-Keep paragraphs to 2-4 sentences (40-60 words). Structure content as self-contained 120-180 word modules — this generates 70% more ChatGPT citations than unstructured prose.
-
-Use semantic HTML correctly: `<article>`, `<section>`, `<nav>`, `<aside>`, `<header>`, `<footer>`, `<main>`. Add `lang` attribute to `<html>`. Every `<img>` must have a descriptive `alt` attribute. Every `<a>` must have meaningful anchor text — never "click here".
-
-Prefer these semantic elements for structured data:
-
-- `<table>` for comparison data (32.5% of AI-cited content uses tables)
-- `<ol>` and `<ul>` for lists (78% of AI answers include list formats)
-- `<blockquote cite="...">` for expert quotations (+28-40% AI visibility)
-- `<time datetime="YYYY-MM-DD">` for dates
-- `<dfn>` for term definitions
-- `<abbr title="full term">` on first use
-- Add `id` attributes to all `<h2>` and `<h3>` elements
-
-**Do NOT:**
-- Hide content behind JavaScript-only rendering — AI crawlers often cannot execute JS, and relying on JS rendering increases crawl cost for search engines. All critical content must be in the initial HTML response (SSR or pre-rendered).
-- Use `display:none` or `visibility:hidden` on content to be indexed.
-- Rely on infinite scroll — use paginated `<a>` links.
-- Use iframes for primary content.
-- Keyword-stuff — stuffing decreases AI visibility by 10% and triggers spam detection.
-
----
-
-## Semantic Writing for AI Retrieval
-
-AI citation systems retrieve at the sentence and paragraph level, not the page level. Every piece of content must be written to survive extraction from context.
-
-**Entity salience — use active voice:** Always make the primary entity the grammatical subject. "Open Paws documented 34% adoption growth in 2025" gives Open Paws a salience score of 0.74. The passive equivalent ("adoption growth of 34% was documented in 2025") drops the entity to 0.11. AI systems weight entities by their grammatical prominence — this has measurable effects on whether content is cited.
-
-**Atomic claims:** Write every sentence as a self-contained semantic triple (subject + verb + object with explicit context). Eliminate vague pronouns — every sentence must make sense in isolation. "It increased significantly" is never acceptable; "Factory farm enforcement actions increased 34% between 2023 and 2025 according to USDA's annual report" is a citable claim.
-
-**Proper noun density:** AI-cited text averages 20.6% proper nouns versus 5-8% in standard English. Name the organization, the researcher, the report, the year. Vague attribution ("experts say") never gets cited; specific attribution ("according to Compassion in World Farming's 2025 annual report") does.
-
-**Content density sweet spot:** Pages under 5,000 characters get approximately 66% of their content used by AI retrieval. Pages over 20,000 characters get only 12%. Keep individual topic pages focused and information-dense rather than exhaustive. Gemini allocates roughly 380 words per webpage per query — you're competing for a fixed slice.
-
-**Opening structure:** 71% of AI-cited paragraphs contain four lines or fewer. Open every major section with a 40-60 word declarative statement containing the answer. Information buried deep in paragraphs is rarely retrieved.
-
----
-
-## Content Strategy
-
-### Search intent — match before writing
-
-Google evaluates intent at the level of the specific problem depth, decision stage, and expected outcome. Before writing any page, study the top 5 results for the target keyword to understand what format Google currently considers the best match. Writing excellent content that targets the wrong intent format does not rank.
-
-| Intent type | Expected format |
-|-------------|----------------|
-| Informational | How-to guides, tutorials, explainers, definitions |
-| Commercial investigation | Comparison articles, review roundups, "best of" lists |
-| Transactional | Product pages, pricing pages, application forms |
-| Navigational | Homepage, specific brand/product pages |
-
-### Google's Helpful Content System
-
-Since the March 2024 core update, the Helpful Content System is integrated directly into core ranking. It evaluates whether content was created primarily for users or primarily for search engines.
-
-**Content that performs well:**
-- Solves a specific problem clearly and completely in one visit
-- Demonstrates genuine first-hand knowledge and experience
-- Includes accurate, up-to-date information with specific attribution
-- Would be useful if search engines didn't exist
-
-**Content that gets demoted:**
-- Created primarily to attract traffic, not to help users
-- Uses AI to mass-produce content without adding original insight or editorial judgment
-- Summarizes what others have said without adding genuine expertise
-- Thin content that doesn't satisfy the intent completely
-
-Google's position on AI content (Mueller, November 2025): "Our systems don't care if content is created by AI or humans. What matters is whether it's helpful for users." However, since June 2025, Google issues manual actions for "scaled content abuse" targeting mass-published AI content. Unedited AI drafts bounce 18% higher and retain visitors 31% less than human-refined versions. Use AI as a tool in a human-led editorial process — add genuine expertise, original data, and editorial judgment.
-
-### E-E-A-T signals (Experience, Expertise, Authoritativeness, Trustworthiness)
-
-E-E-A-T is not a direct ranking signal but describes what Google's quality raters evaluate. In 2026, it applies to all content, not just YMYL topics. Content with proper author metadata gets cited 40% more by AI systems.
-
-**How to demonstrate E-E-A-T on every content page:**
-- **Experience:** Original data, case studies, screenshots, specific processes you've actually run, unique organizational knowledge
-- **Expertise:** Detailed author bio with verifiable credentials, consistent coverage of the topic, citations from specific credible sources with dates
-- **Authoritativeness:** Third-party coverage, industry recognition, organizational partnerships, links from relevant authoritative sources
-- **Trustworthiness:** Clear contact information, privacy policy, transparent organizational identity, HTTPS, cited and accurate claims
-
-Every content page must have: visible author name and credentials, link to author profile page with Person schema (photo, bio, credentials, links to external authoritative profiles).
-
-### Content freshness — what counts and what doesn't
-
-76% of the most-cited AI content was updated within 30 days. Perplexity gives a 3.4× citation advantage to content updated within 30 days. These freshness signals count:
-- Genuinely new information added to existing content
-- Updated statistics and dated references
-- Visible "Last Updated: [date]" using `<time datetime="YYYY-MM-DD">`
-- Accurate `dateModified` in Article schema, synchronized with the visible date
-
-Google detects "date freshness hacking" — changing dates without changing content — and this triggers penalties. Only update dates when content actually changes.
-
-### Original research and proprietary data
-
-The most powerful content strategy for both SEO and AI citation. Pages with original statistics see 30-40% higher AI visibility. Original or proprietary data generates 4.31× more AI citations per URL. Companies publishing proprietary data earn 45% more AI citations than those relying on standard content.
-
-For Open Paws: publish annual impact reports, platform usage benchmarks, program outcome data, and advocacy industry adoption statistics as dedicated, permanently-addressable pages.
-
-### First-mover advantage in data voids
-
-For topics with few authoritative sources, publishing first creates a durable citation position. One documented case: content on an obscure topic was cited by ChatGPT, Gemini, AI Overviews, and Grok within 24 hours. A replication attempt two days later failed — the first mover had captured the position. Identify emerging advocacy topics and publish before competitors.
-
----
-
-## E-E-A-T: Author Pages and Person Schema
-
-Every author who publishes on the site needs a dedicated profile page with:
-- `@type: Person` schema with `name`, `url`, `jobTitle`, `description`, `image`, `sameAs` (LinkedIn, relevant external profiles)
-- Photo, bio, credentials, and verifiable external presence
-- Links to all content by that author
-
-Author pages are linked from every article. This creates a trust chain: Article schema → author `@id` → Person schema → `sameAs` external profiles → third-party corroboration. Without this chain, content is treated as anonymous and cited 40% less.
-
----
-
-## Structured Data (JSON-LD)
-
-Implement JSON-LD schema in the `<head>` of every page. Sites with structured data achieve 41% AI citation rates vs 15% without. Only 12.4% of websites implement it.
-
-### Organization + WebSite schema (every page)
-
-```html
-<script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@graph": [
-    {
-      "@type": "Organization",
-      "@id": "https://yoursite.com/#organization",
-      "name": "Organization Name",
-      "url": "https://yoursite.com",
-      "logo": { "@type": "ImageObject", "url": "https://yoursite.com/logo.png" },
-      "sameAs": [
-        "https://www.linkedin.com/company/your-org",
-        "https://twitter.com/your-org",
-        "https://github.com/your-org",
-        "https://en.wikipedia.org/wiki/Your_Org",
-        "https://www.wikidata.org/wiki/QXXXXXXX"
-      ],
-      "description": "One-sentence description"
-    },
-    {
-      "@type": "WebSite",
-      "@id": "https://yoursite.com/#website",
-      "url": "https://yoursite.com",
-      "name": "Site Name",
-      "publisher": { "@id": "https://yoursite.com/#organization" }
-    }
-  ]
-}
-</script>
-```
-
-### Article schema (every content page)
-
-```html
-<script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@type": "Article",
-  "headline": "Page title",
-  "author": {
-    "@type": "Person",
-    "name": "Author Name",
-    "url": "https://yoursite.com/team/author-name",
-    "jobTitle": "Their role"
-  },
-  "publisher": { "@id": "https://yoursite.com/#organization" },
-  "datePublished": "2026-01-15T08:00:00Z",
-  "dateModified": "2026-03-20T10:30:00Z",
-  "image": "https://yoursite.com/images/article-image.jpg",
-  "description": "150-160 char meta description"
-}
-</script>
-```
-
-### FAQPage schema (pages with Q&A content)
-
-```html
-<script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@type": "FAQPage",
-  "mainEntity": [
-    {
-      "@type": "Question",
-      "name": "What is the question?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "Direct, complete answer in 40-80 words."
-      }
-    }
-  ]
-}
-</script>
-```
-
-Also implement when applicable: **HowTo**, **BreadcrumbList**, **SoftwareApplication**, **Event**, **Dataset**, **Person**, **VideoObject** (for video content), **LocalBusiness** (for location-based entities). Always JSON-LD (not Microdata). Use `@id` to connect entities. Keep `dateModified` accurate. Validate at https://validator.schema.org/.
-
----
-
-## Meta Tags
-
-```html
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Primary Keyword — Brand Name</title><!-- 50-60 chars, keywords first -->
-  <meta name="description" content="150-160 chars. Direct answer + one statistic.">
-  <link rel="canonical" href="https://yoursite.com/this-page">
-  <meta property="og:title" content="Page Title">
-  <meta property="og:description" content="Description">
-  <meta property="og:type" content="article">
-  <meta property="og:url" content="https://yoursite.com/this-page">
-  <meta property="og:image" content="https://yoursite.com/images/og-image.jpg">
-  <meta property="og:site_name" content="Site Name">
-  <meta name="twitter:card" content="summary_large_image">
-  <meta name="twitter:title" content="Page Title">
-  <meta name="twitter:description" content="Description">
-  <meta name="twitter:image" content="https://yoursite.com/images/twitter-image.jpg">
-  <meta property="article:published_time" content="2026-01-15T08:00:00Z">
-  <meta property="article:modified_time" content="2026-03-20T10:30:00Z">
-</head>
-```
-
-Meta description: 150-160 chars, direct factual answer to the primary query, one specific statistic, never duplicated across pages. Title: `Primary Keyword — Brand Name`, 50-60 chars, keywords first, unique per page. For time-sensitive content, include the year in the title.
-
----
-
-## Core Web Vitals
-
-Google's Core Web Vitals are confirmed ranking factors measured via real Chrome user data (CrUX) at the 75th percentile. INP officially replaced FID in March 2024.
-
-**Current thresholds (as of March 2026):**
-
-| Metric | Good | Needs Improvement | Poor |
-|--------|------|-------------------|------|
-| LCP (Largest Contentful Paint) | ≤ 2.5s | 2.5–4.0s | > 4.0s |
-| INP (Interaction to Next Paint) | ≤ 200ms (target ≤ 150ms) | 200–500ms | > 500ms |
-| CLS (Cumulative Layout Shift) | ≤ 0.1 | 0.1–0.25 | > 0.25 |
-
-**Ranking impact:** Pages at position 1 show a 10% higher CWV pass rate than position 9. Sites with INP above 200ms saw an average ranking drop of 0.8 positions; above 500ms dropped 2-4 positions. Pages with LCP above 3 seconds experienced 23% more traffic loss than faster competitors. 43% of sites still fail the 200ms INP threshold in 2026.
-
-**INP — the hardest metric to fix.** INP requires restructuring how JavaScript executes. The primary technique is `scheduler.yield()` (Chrome-native, with `setTimeout` fallback), which sends remaining work to the front of the task queue while letting the browser handle user input:
-
-```typescript
-function yieldToMain(): Promise<void> {
-  if ('scheduler' in window && 'yield' in (window as any).scheduler) {
-    return (window as any).scheduler.yield();
-  }
-  return new Promise(resolve => setTimeout(resolve, 0));
-}
-// In long event handlers: await yieldToMain(); then doExpensiveWork()
-```
-
-For Next.js: use React Server Components to reduce client JS, `useTransition` for non-urgent state updates, and `next/dynamic` for heavy components. Audit third-party scripts first — highest impact, lowest effort.
-
-**Rendering strategies in Next.js App Router:**
-
-| Strategy | TTFB | Best For |
-|---|---|---|
-| SSG (default cached fetch) | Sub-100ms from CDN | Static content — blogs, docs, marketing pages |
-| ISR (`next: { revalidate: 60 }`) | Fast, cached + background revalidate | Periodically updated content |
-| SSR (`cache: 'no-store'`) | 200ms+ per request | User-specific real-time data — dashboards |
-| PPR (experimental, Suspense) | Fast static shell + streamed dynamic | Mixed pages with some dynamic content |
-
-**Implementation:**
-- TTFB < 200ms (rendering cannot start until HTML arrives)
-- Preload the LCP element: `<link rel="preload" as="image" href="hero.webp">`
-- Inline critical CSS, defer non-critical CSS
-- Add explicit `width` and `height` attributes to every image, video, iframe, and ad slot (prevents CLS)
-- Use `font-display: swap` for web fonts
-- Break JavaScript long tasks (>50ms) with `yieldToMain()` during interactions
-- Implement `loading="lazy"` for below-fold images
-- Use modern image formats (WebP/AVIF) — 25-50% smaller than JPEG/PNG; AVIF 50% smaller than JPEG
-- Keep total page weight < 1MB (18% of pages over 1MB are abandoned by AI crawlers)
-- Test with real field data (Search Console), not just lab tools — Google ranks on field data
-
----
-
-## Image Optimization
-
-- Descriptive file names with keywords: `animal-welfare-audit-checklist-2026.webp` not `IMG_4827.jpg`
-- Meaningful alt text describing the image content (both SEO and accessibility)
-- Modern formats: WebP/AVIF with `<picture>` fallbacks for older browsers
-- Responsive images using `srcset` at multiple viewport sizes
-- `loading="lazy"` for below-fold images
-- Explicit `width` and `height` on every image, video, and embed (prevents CLS)
-
-```html
-<picture>
-  <source srcset="image.avif" type="image/avif">
-  <source srcset="image.webp" type="image/webp">
-  <img src="image.jpg" alt="Descriptive text" width="800" height="600" loading="lazy">
-</picture>
-```
-
----
-
-## Technical SEO
-
-### Rendering and JavaScript
-
-Require SSR or static site generation (SSG). Client-side-only rendering is a strategic error: it increases crawl cost, AI crawlers (GPTBot, ClaudeBot, PerplexityBot) generally do not execute JavaScript, and relying on JS rendering increases the risk of critical content being missed. All critical content must be in the initial HTML response.
-
-### Mobile-first indexing
-
-Google uses mobile scores as the primary ranking signal for all results, including desktop. Over 60% of searches occur on mobile; 53% of mobile visitors abandon sites taking more than 3 seconds to load. Test with the Googlebot Smartphone user agent, not desktop.
-
-### Crawl budget
-
-Google allocates crawl resources based on perceived site value. Faceted navigation is the most common crawl budget killer — a site with 1,000 products can generate 1,000,000 low-value URLs through filter combinations. Manage crawl budget by:
-- Blocking low-value parameter URLs, internal search results, and admin pages in robots.txt
-- Fixing redirect chains (multiple sequential redirects waste crawl budget)
-- Keeping XML sitemaps clean — only canonical, indexable URLs with accurate `<lastmod>` dates
-- Auditing and pruning pages with zero organic traffic over 12 months (concentrate link equity on high-value content)
-- Returning proper HTTP status codes: 200 for live content, 301 for permanent moves, 404 for missing, 410 for intentionally removed
-
-### Security headers
-
-Implement all of these — they are expected signals in 2026. For Next.js, set via `middleware.ts`:
-- `Content-Security-Policy` (CSP with nonces for scripts/styles) — prevents XSS
-- `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload` (HSTS)
-- `X-Content-Type-Options: nosniff`
-- `X-Frame-Options: DENY`
-- `Referrer-Policy: strict-origin-when-cross-origin`
-- `Permissions-Policy: camera=(), microphone=(), geolocation=()` — disable powerful features by default
-- `Cross-Origin-Opener-Policy: same-origin` — enables cross-origin isolation when paired with COEP
-- Fix all mixed content (HTTP resources on HTTPS pages)
-- Remove `X-Powered-By` header (information disclosure)
-
-### Supply chain security
-
-Pin exact dependency versions, use `npm ci` (never `npm install` in CI), and scan with Socket.dev or Snyk. The 2025 npm supply chain attacks (chalk/debug compromise affected packages with 2.6 billion combined weekly downloads) showed that well-maintained packages are vulnerable. Verify every dependency. Enable 2FA on npm accounts.
-
----
-
-## Robots.txt
-
-```txt
-User-agent: Googlebot
-Allow: /
-
-User-agent: Bingbot
-Allow: /
-
-# AI citation crawlers — allow for AI answer visibility
-User-agent: OAI-SearchBot
-Allow: /
-
-User-agent: ChatGPT-User
-Allow: /
-
-User-agent: PerplexityBot
-Allow: /
-
-User-agent: ClaudeBot
-Allow: /
-
-User-agent: Claude-SearchBot
-Allow: /
-
-User-agent: Applebot
-Allow: /
-
-User-agent: Amazonbot
-Allow: /
-
-# AI training crawlers — block if not consenting to training use
-User-agent: GPTBot
-Disallow: /
-
-User-agent: CCBot
-Disallow: /
-
-User-agent: Google-Extended
-Disallow: /
-
-# Block scraper bots
-User-agent: AhrefsBot
-Disallow: /
-
-User-agent: SemrushBot
-Disallow: /
-
-Sitemap: https://yoursite.com/sitemap.xml
-```
-
-Critical: blocking `Googlebot` blocks both Google Search AND AI Overviews — there is no way to allow one without the other. There are now 226+ identified AI crawlers (last verified 2026-03-01; source: DarkVisitors); review quarterly. Some AI agents use standard browser user-agent strings and ignore robots.txt — treat this as best-effort.
-
----
-
-## XML Sitemap
-
-Include only canonical, indexable URLs. `<lastmod>` must reflect actual update dates — never fake it. Reference in robots.txt. Submit to Google Search Console and Bing Webmaster Tools. Regenerate automatically when content changes. Maximum 50,000 URLs per file, 50MB uncompressed.
-
----
-
-## IndexNow
-
-IndexNow notifies Bing (which feeds ChatGPT) instantly when content is published or updated. Place a key file at `https://yoursite.com/{key}.txt` and ping on every publish:
-
-```txt
-GET https://api.indexnow.org/indexnow?url=https%3A%2F%2Fyoursite.com%2Fnew-page&key=YOUR_KEY
-```
-
-Integrate into CI/CD pipeline or CMS publish hooks. Supported by Bing, Yandex, Seznam, Naver. Rate limit: 10,000 URLs/day.
-
----
-
-## Site Architecture
-
-URL rules: descriptive hyphenated lowercase under 75 characters, primary keyword in URL, max 3 levels deep. Canonical tags on every page. 301 redirects for URL changes — never leave broken links. Breadcrumb navigation with BreadcrumbList schema.
-
-Hub-and-spoke topic cluster model — increases AI citation rates from 12% to 41%, bidirectional internal linking increases citation probability by 2.7×:
-- **Pillar page**: 2,000-4,000 words on a broad topic targeting head keywords
-- **Cluster pages**: 8-15 detailed articles each targeting a specific subtopic
-- **Bidirectional links**: every cluster page links to the pillar; the pillar links to every cluster page
-
-Internal linking rules: no important page more than 3 clicks from homepage. Use descriptive anchor text — never "read more". Distribute link equity strategically toward high-value pages. Audit for orphan pages (no internal links pointing to them).
-
----
-
-## Wikipedia and Wikidata
-
-This is the single highest-leverage off-site action. Wikipedia accounts for 47.9% of ChatGPT's top-10 cited sources. Having a Wikipedia page creates a stable Wikidata Q-ID that AI systems use as a truth anchor — when multiple sources conflict, the version corroborated by Wikipedia prevails.
-
-Wikidata serves 11 million queries daily across 119 million entities. Google's Knowledge Graph, Amazon Alexa, Apple Siri, and Microsoft all integrate Wikidata. Companies have gained Knowledge Panels within 7 days of creating a Wikidata entry.
-
-For any organization this site represents:
-- Verify Wikipedia article exists, is accurate, cited, and current
-- Verify Wikidata entry is complete: organization type, founding date, location, founders, official website, social media profiles
-- Add Wikidata Q-ID to Organization schema `sameAs` array (`https://www.wikidata.org/wiki/Q...`)
-- Add Wikipedia URL to Organization schema `sameAs` array
-- Build an entity web: organization → key tools → key people → related organizations → policy areas
-- Ensure site structured data is consistent with Wikipedia and Wikidata — inconsistency reduces AI confidence
-
-**Wikipedia COI (mandatory):** Never directly edit your own organization's Wikipedia article. Disclose affiliation on the Talk page. Propose edits through Talk-page requests or neutral editors. Use only independent, reliable sources. Follow Wikipedia's Conflict of Interest and Notability guidelines.
-
----
-
-## Authoritative Platform Publishing and Brand Signals
-
-85% of AI brand mentions come from third-party pages. Brand search volume is the strongest single predictor of AI citations (r=0.334). Brand mentions now account for 55% of off-page ranking weight (up from ~20% in 2012); backlinks account for 45%. Brands appearing on 4+ platforms are 2.8× more likely to appear in AI responses.
-
-**Platform trust hierarchy:**
-- AI Overviews are 3× more likely to cite .gov sources
-- YouTube accounts for ~23.3% of AI citations across platforms
-- Wikipedia accounts for ~18.4%
-- Reddit accounts for up to 46.5% of Perplexity's top citations
-
-**Practical actions:**
-- Publish thorough, helpful content in relevant subreddits — Reddit citations in AI Overviews surged 450% in three months. Authentic participation only; AI systems have visibility into Reddit's moderation pipeline.
-- Create and maintain YouTube content with transcripts enabled (transcripts become crawlable text)
-- Maintain active LinkedIn organization page with substantive posts
-- Publish documentation, datasets, and reports on GitHub as Markdown
-- Submit data to Our World in Data and relevant academic/government databases
-- Monitor unlinked brand mentions (60% of online mentions are unlinked) and convert high-authority ones to backlinks — close rates typically above 30%
-
----
-
-## Link Building
-
-Backlinks remain the #2 ranking factor but their nature has changed. Topical relevance between linking and linked domains (r=0.4) now outweighs raw domain authority. Natural anchor text distribution: ~40-50% branded, ~20-30% generic, ~15-25% partial match, ~5-10% exact match. Sites with anchor text diversity below 30% saw average ranking drops of 15 positions in the March 2026 spam update.
-
-**What works:**
-- **Digital PR:** Original research, industry surveys, data-driven reports that journalists cover editorially. Content built on original data sees 156% more link acquisition than generic how-to content.
-- **Unlinked brand mention conversion:** Monitor with Google Alerts or Ahrefs Alerts. Outreach to convert to links.
-- **Broken link building:** Find broken links on high-authority pages, create superior replacement content, outreach.
-
-**What was devalued in the March 2026 spam update:** sponsored guest posts on generalist high-DA news sites, niche edit placements on aged thin domains, PBN links. Google's SpamBrain detects these reliably now.
-
----
-
-## Conversion Optimization
-
-For nonprofit donation pages: present 3-4 preset amounts with the middle option pre-selected and pair amounts with impact descriptions ("$40/month provides clean water for 12 families"). Pre-select monthly giving — monthly donors become more valuable than one-time donors within 5.25 months, yet 64% of nonprofits still default to one-time. Single-step forms vastly outperform multi-step (52% drop in completions with multi-step). Eliminating site header navigation during the donation flow produced a documented 195% conversion increase. Embed the form directly on-site; never redirect to a third-party processor.
-
-For all forms: target 3-5 essential fields maximum — each additional field costs ~11% in conversion. Start with easy, non-threatening questions. Make optional fields clearly optional (+25-35% completion). Support browser autofill with correct `autocomplete` attributes (HTML standard; React JSX uses `autoComplete`) (also required for WCAG 2.2 AA SC 1.3.5).
-
-Trust signals with documented impact: charity rating badges increase giving likelihood for 72% of donors; video testimonials are 80-86% more effective than text; specific quantified impact numbers with real names beat generic claims.
-
-**Dark patterns carry legal risk.** The FTC's $2.5 billion settlement with Amazon (September 2025) for a deliberately complex cancellation flow marks the largest dark pattern enforcement action in history. California, Colorado, and 10+ other states explicitly prohibit dark patterns in privacy laws. For advocacy organizations, any perception of manipulation is existential — donor trust is the primary asset.
-
----
-
-## Analytics
-
-Use **Plausible** ($9/month cloud) or **Umami** (self-hosted, free) as primary analytics — no cookies, no consent banner required, ~1KB script versus GA4's 23KB+. Add GA4 only if you need Google Ads integration or predictive analytics. Proxy analytics scripts through your own domain (Next.js rewrites) to bypass adblockers.
-
-**Tracking AI referral traffic:** AI-generated traffic grew 357% year-over-year to 1.1 billion visits in June 2025. ChatGPT drives 78% of AI traffic but its mobile app drops referrer data entirely (appears as Direct in analytics). Create a custom channel group in GA4 with source matching:
-
-```txt
-(chatgpt\.com|chat\.openai\.com|perplexity\.ai|claude\.ai|gemini\.google\.com|copilot\.microsoft\.com)
-```
-
-Claude drives <0.17% of volume but has the highest session value at $4.56/visit. Track `donation_completed` (with value), `newsletter_signup`, and `volunteer_form_submit` as GA4 conversions.
-
-Use **GrowthBook** (self-hosted, MIT, free) for A/B testing — it queries your existing data warehouse directly and avoids sending user data to third-party servers.
-
----
-
-## Internationalization
-
-For multilingual advocacy sites, use **next-intl** (1.8M weekly downloads) with subdirectory URL strategy (`/en/`, `/hi/`, `/ar/`). Subdirectories centralize domain authority onto one deployment. Set `lang` and `dir` on `<html>`:
-
-```tsx
-<html lang={locale} dir={locale === 'ar' ? 'rtl' : 'ltr'}>
-```
-
-The `lang` attribute determines text-to-speech pronunciation in screen readers. Hreflang tags must be self-referencing and reciprocal on every page — 31% of international sites have broken hreflang. Use `alternates.languages` in Next.js `generateMetadata` to generate hreflang automatically.
-
-Arabic requires all 6 CLDR plural categories — use ICU MessageFormat, not string concatenation. Native CSS logical properties (`padding-inline-start`, `padding-inline-end`, `text-align: start`) handle RTL layout mirroring automatically without separate stylesheets; Tailwind equivalents are `ps-4`, `pe-4`, `text-start`.
-
-For Devanagari and Arabic scripts, use Google's **Noto** family with `unicode-range` in `@font-face` to lazy-load only the glyphs needed for each script. Always `font-display: swap` and WOFF2 format.
-
----
-
-## llms.txt
-
-Place at `/llms.txt` — a Markdown file describing the site for AI systems.
-
-**Current value is effectively zero.** Google's John Mueller: "No AI system currently uses llms.txt." An 8-month study found zero AI crawler visits. Across Acquia's hosting fleet, llms.txt received 0.001% of traffic — all from SEO audit tools, not AI crawlers. Implement it (low effort) but do not invest significant time. The IETF AIPREF Working Group (co-authored by Google and Mozilla) is the more likely path to a real standard.
-
----
-
-## Platform-Specific Behavior and Citation Volatility
-
-Citation patterns vary dramatically by platform and change constantly:
-- **ChatGPT**: Wikipedia-heavy (47.9% of top-10 citations), converts at 4.4× the rate of search visitors
-- **Perplexity**: Reddit-heavy (up to 46.5% of top citations), most vulnerable to external content attacks
-- **Google AI Overviews**: 3× more likely to cite .gov, strongly favors known entities with digital credibility
-
-Only 11% of domains are cited by both ChatGPT and Perplexity for the same queries — platform-specific optimization matters. Citation volatility is extreme: 40-60% monthly turnover is normal. A single platform update caused a -52% traffic collapse for some sites. Build multi-platform presence rather than depending on any single system.
-
-Topical authority (r=0.40) is the strongest on-site predictor of AI citations — Domain Authority (r=0.18) explains less than 20% of citation variance.
-
----
-
-## Defensive Awareness
-
-These techniques are used by competitors but carry severe penalties. Understand them to recognize manipulation and to ensure this site never crosses into prohibited territory.
-
-**Hidden text injection** — invisible instructions embedded in web content (white-on-white text, zero-size fonts, invisible Unicode characters U+E0000 to U+E007F) — explicitly prohibited by Google's spam policies and actively detected. Palo Alto Networks documented 24 layered injection attempts on a single website in March 2026. Google's SpamBrain and tools like PhantomLint compare parsed text against OCR-rendered images. Penalties are domain-wide.
-
-**Agent-aware cloaking** — serving different content to AI crawlers than to human visitors — is explicitly prohibited by all major platforms. Documented cases show it dramatically inflates AI scores while the human-visible version scores poorly. Google treats this as spam; penalties are domain-wide and can include complete deindexing.
-
-**Scaled AI content without human review** caused sites to lose up to 80% of organic traffic overnight in the March 2024 Google core update. Google issues manual actions for "scaled content abuse" since June 2025.
-
-**FTC legal exposure:** "Operation AI Comply" (September 2024) stated "using AI tools to trick, mislead, or defraud people is illegal" with "no AI exemption." For advocacy organizations, the reputational consequences of exposure amplify any platform penalty enormously.
-
----
-
-## Key Statistics
-
-| Signal | Impact |
-|--------|--------|
-| Adding statistics to claims | +41% AI visibility |
-| Citing credible sources inline | +30-40% AI visibility |
-| Expert quotations | +28-40% AI visibility |
-| Lower-ranked sites citing sources | +115% AI visibility |
-| Keyword stuffing | -10% AI visibility |
-| FAQ schema | 41% citation rate vs 15% without |
-| Question-based headings | 7× citation impact for smaller sites |
-| 120-180 word modular sections | 70% more ChatGPT citations |
-| Content over 2,900 words | 59% more likely to be cited |
-| Original or proprietary data | 4.31× more citations per URL |
-| Author metadata | +40% citations |
-| Topic cluster architecture | Citation rate 12% → 41% |
-| Fresh content (within 30 days) | 76% of most-cited; 3.4× Perplexity advantage |
-| Structured data (schema) | 73% higher AI selection rate |
-| Wikipedia/Wikidata presence | Knowledge Panel within 7 days |
-| Monthly citation turnover | 40-60% — continuous freshness required |
-| Domain Authority vs AI citations | r=0.18 — weak predictor |
-| Topical authority vs AI citations | r=0.40 — strongest on-site predictor |
-| Brand mentions vs AI citations | r=0.664 — strongest overall signal |
-| AI Overview citations from top-10 | Only 17-32% — lower-authority pages can win |
-| Sites passing all CWV thresholds | 24% lower bounce rates; 15-30% conversion improvement |
-| INP above 200ms | -0.8 average position drop |
-| LCP above 3s | 23% more traffic loss vs faster competitors |
-| Backlinks vs brand signals | 45% / 55% of off-page ranking weight |
-| Original data content | 156% more link acquisition; 45% more AI citations |
-| Unlinked brand mention conversion | >30% close rate |
-| AI referral traffic growth | 357% YoY to 1.1B visits (June 2025) |
-| ChatGPT share of AI traffic | 78% of AI referral visits |
-| Pre-selecting monthly giving | Accounts for 31% of online nonprofit revenue |
-| Donation form fields ≤4 | 160% more conversions vs longer forms |
-| Overlay widgets and lawsuits | 22.6% of sued sites had overlays installed |
diff --git a/.claude/rules/privacy.md b/.claude/rules/privacy.md
deleted file mode 100644
index 924ff62..0000000
--- a/.claude/rules/privacy.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-paths:
-  - "**/data/**"
-  - "**/user/**"
-  - "**/profile/**"
-  - "**/*pii*"
----
-# Privacy Rules for Animal Advocacy Projects
-
-Privacy in advocacy software is not a compliance checkbox — it is the difference between operational security and activist prosecution. Data that seems harmless in isolation becomes evidence under ag-gag statutes: participation timestamps, IP addresses, device fingerprints, and access patterns can identify investigators, witnesses, and rescue coordinators. Every privacy decision must be made against the worst-case legal scenario, not the average one.
-
-## Data Minimization as Default Architecture
-
-Collect the absolute minimum data required for each function. Do not collect data "in case we need it later." Every data point stored is a data point that can be subpoenaed, seized, or leaked. Before adding any field to any data model, ask: **if this data appeared in a court filing, who would it endanger?** If the answer is anyone, justify its existence or eliminate it.
-
-## Activist Identity Protection
-
-Activist identities are the highest-sensitivity data category. Use pseudonymous identifiers internally. Never store legal names alongside action records. Separate authentication identity from operational identity — the system that verifies login credentials must not be the system that records who participated in which investigation. Compartmentalization is the structural principle: compromise of one system must not cascade into identification across systems.
-
-## GDPR/CCPA Compliance as Floor, Not Ceiling
-
-Regulatory compliance is the minimum standard. Advocacy software should exceed it. Implement the full data subject rights: access, rectification, erasure, portability, and objection. Right to deletion MUST be real deletion — not soft delete with a `deleted_at` flag. When an activist requests erasure, their data must be irrecoverable from all storage layers including backups, replicas, search indices, analytics pipelines, and log aggregation systems. Soft delete in advocacy software is a liability: "deleted" records surfacing in legal discovery destroy trust and endanger people.
-
-## Consent as Ongoing Process
-
-Consent is not a one-time checkbox at registration. Implement re-consent workflows for scope changes (new coalition partner gets data access, new feature collects additional data, investigation footage is shared with a new organization). Provide granular consent controls: participation in a public campaign does not imply consent to be recorded as an investigation participant. Withdrawal of consent must be as easy as granting it, with immediate effect.
-
-## Coalition Data Sharing Across Risk Profiles
-
-Different advocacy organizations operate at different risk levels. A grassroots direct action group, a legal defense fund, and a public education nonprofit have fundamentally different threat models. When sharing data across coalition boundaries: (1) classify each partner's risk level, (2) apply the strictest data handling rules of any partner in the exchange, (3) implement data transformation at boundaries — strip identifying information before sharing across risk tiers, (4) maintain audit trails that themselves do not create new identification vectors, (5) design data sharing agreements that specify what happens to shared data when a partner is compromised or legally compelled to disclose.
-
-## Whistleblower and Witness Protection
-
-Whistleblower identities require the strongest protections in the system. Implement: end-to-end encryption for all whistleblower communications, no server-side access to decrypted content, anonymous submission channels that do not require account creation, zero-knowledge architectures where even system administrators cannot identify whistleblowers. Witness testimony records must have consent verification before any display, anonymization by default, and explicit opt-in for any identifiable presentation.
-
-## Investigation Participant Records
-
-Records of who participated in undercover investigations are the most legally dangerous data in the system. Store these records in maximally encrypted, compartmentalized storage with access limited to the minimum number of people. Consider whether these records need to exist at all — if the operational need can be met without a persistent record, do not create one. When records must exist, design them with plausible deniability: the storage system should not reveal whether it contains investigation records without the correct credentials.
-
-## Anonymization Requirements
-
-Anonymization must be irreversible. AI-generated anonymization is often superficial — replacing names while leaving uniquely identifying combinations of attributes (location + date + role + demographic data). True anonymization requires k-anonymity at minimum: no individual should be distinguishable from at least k-1 others in any released dataset. Test anonymization by attempting re-identification with publicly available information.
diff --git a/.claude/rules/security.md b/.claude/rules/security.md
deleted file mode 100644
index 46f4600..0000000
--- a/.claude/rules/security.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-paths:
-  - "**/security/**"
-  - "**/*auth*"
-  - "**/*crypto*"
-  - "**/*encrypt*"
----
-# Security Rules for Animal Advocacy Projects
-
-Advocacy software faces three distinct adversaries, each requiring different countermeasures: **state surveillance** (law enforcement using ag-gag statutes, warrants, and subpoenas), **industry infiltration** (corporate investigators posing as volunteers, social engineering attacks against coalition members), and **AI model bias** (training data that encodes industry framing, models that refuse to assist with certain advocacy operations, or that leak investigation details through telemetry). Security is not a feature layer — it is the structural foundation of every design decision.
-
-## Zero-Retention APIs
-
-NEVER send sensitive data to external services that retain inputs. Investigation footage, witness identities, activist communications, and coalition coordination data must only flow through zero-retention API configurations. Verify retention policies contractually, not by assumption. Telemetry to third parties is a data exfiltration vector in adversarial legal discovery — not just a privacy preference.
-
-## Encrypted Local Storage with Plausible Deniability
-
-All locally stored investigation data, evidence, and activist records MUST use encrypted volumes. Design storage so that the existence of sensitive data is deniable under device seizure. Nested encrypted containers where the outer layer contains innocuous data and the inner layer requires a separate key is the standard pattern. A seized device must not reveal what it contains without the correct credentials.
-
-## Supply Chain Verification — Slopsquatting Defense
-
-Approximately **20% of AI-recommended packages do not exist** — they are hallucinated names. Attackers monitor these hallucinated names and register them as real packages containing malicious code. One such package was downloaded 30,000+ times in weeks. **Verify EVERY dependency** exists in its actual registry and has legitimate maintainers before installation. Only 1 in 5 AI-recommended dependency versions are both safe and free from hallucination. In advocacy software, a compromised dependency can exfiltrate investigation data or activist identities.
-
-## Input Validation Against Industry Sabotage
-
-Assume adversarial input on every public-facing surface. Industry actors will probe investigation submission forms, evidence upload endpoints, and public campaign tools. Validate and sanitize all inputs at system boundaries — the "barricade" pattern from defensive programming. AI-generated input validation is weak: 45% of AI-generated code contains OWASP Top 10 vulnerabilities, with 86% failure rate on cross-site scripting defenses.
-
-## Ag-Gag Legal Exposure Vectors
-
-Investigation footage is discoverable evidence under legal proceedings. Design every data flow assuming adversarial legal discovery, not just adversarial hackers. Metadata (timestamps, geolocation, device identifiers) can be more damaging than content. Strip metadata aggressively. Audit logging must protect the identities it records — logs that identify who accessed investigation data become prosecution tools.
-
-## Device Seizure Preparation
-
-Design for the scenario where devices are confiscated without warning. Remote wipe capability for all sensitive data. Encrypted volumes that lock automatically on suspicious conditions (unexpected power loss, extended inactivity, SIM removal). The application must not leak data on unexpected termination — no temporary files with decrypted content, no swap files containing sensitive state, no crash dumps with investigation data.
-
-## Instruction File Integrity — Rules File Backdoor
-
-The "Rules File Backdoor" attack uses hidden Unicode characters in instruction files (`.cursorrules`, `.mdc` files, `CLAUDE.md`) to inject invisible directives that instruct AI to produce malicious output. **Treat ALL instruction files as security-critical artifacts.** Review them for non-printable characters. Diff instruction file changes character-by-character. In advocacy projects, a compromised instruction file could direct the AI to weaken encryption, leak data to external endpoints, or disable safety checks.
-
-## Self-Hosted Inference for Critical Paths
-
-Any code path handling investigation data, witness identities, or legal defense materials should use self-hosted AI inference — not cloud-hosted APIs. Model providers may comply with government data requests. For routine development tasks (formatting, boilerplate, documentation), external APIs are acceptable. For anything touching the three adversaries' interests, self-host.
-
-## MCP Server Security
-
-MCP servers extend agent capabilities but also extend the attack surface. Any MCP server handling sensitive advocacy data MUST be self-hosted. Audit each server's data access patterns, network egress, and data retention before enabling. An MCP server with network access can exfiltrate data regardless of application-level encryption.
-
-
-## Provider Routing for Sensitive Data
-
-When using AI coding assistants with multiple model providers, sensitive advocacy data (investigation content, witness identities, legal defense materials) must NEVER route through free-tier providers that may retain inputs. Free-tier APIs (Google AI Studio, Groq, Mistral, Cohere, OpenRouter free models, Together AI) may retain inputs for training or compliance — assume they do unless contractually guaranteed otherwise. Route sensitive work exclusively through zero-retention providers or self-hosted inference.
diff --git a/.claude/rules/testing.md b/.claude/rules/testing.md
deleted file mode 100644
index af67dab..0000000
--- a/.claude/rules/testing.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-paths:
-  - "**/*.test.*"
-  - "**/*.spec.*"
-  - "**/test/**"
-  - "**/tests/**"
-  - "**/__tests__/**"
----
-# Testing Rules for Animal Advocacy Projects
-
-Testing is the keystone of AI-assisted advocacy development. Without tests, AI agents drift silently — and in advocacy software, silent drift means lost evidence, exposed activists, or traumatic content displayed without safeguards. Every other practice depends on this foundation.
-
-## Assertion Quality — The Non-Negotiable
-
-NEVER write tautological assertions — tests that assert output equals output. This is the single most dangerous pattern in AI-generated tests. A test that calls a function and asserts the result equals the same function call tests nothing. Every assertion must encode a business rule you can explain in words: "this total equals the sum of line items because the pricing rule says X."
-
-Ask three questions of every AI-generated test:
-1. **Does this test fail if the code is wrong?** If you break the implementation and the test still passes, it is worthless.
-2. **Does the assertion encode a domain rule?** If you cannot name the rule being verified, it is a snapshot, not a test. In advocacy software, unnamed rules mean unverified safety properties.
-3. **Would mutation testing kill this?** If changing `+` to `-` in the implementation leaves the test green, the test is weak.
-
-Quality metric: **mutation score over coverage percentage.** A suite with 90% coverage and 40% mutation score is a false sense of security. Track mutation score as the primary quality signal.
-
-## Spec-First Test Generation
-
-ALWAYS prefer generating tests from specifications or acceptance criteria before writing implementation — not after. Tests generated from existing implementation tend to mirror the code rather than the intent, producing circular validation. When the spec says "investigation records must be anonymized before export," write that test first. Then make it pass.
-
-## Property-Based Testing for Invariants
-
-Use property-based testing to verify that invariants hold across random inputs. Specific example-based tests miss edge cases that property-based tests catch systematically. Critical invariants in advocacy software: anonymization must be irreversible, encryption must not leak plaintext length, coalition data boundaries must hold under arbitrary input combinations.
-
-## Test Error Paths Explicitly
-
-AI-generated tests overwhelmingly cover happy paths. In advocacy software, the error paths are where people get hurt — failed encryption, leaked identity, broken anonymization, missing content warnings. Explicitly request and verify: error propagation, cleanup on failure, meaningful error messages, graceful degradation under hostile conditions. Test what happens when the network drops during evidence upload. Test what happens when storage is seized mid-write.
-
-## Contract Tests at Service Boundaries
-
-AI hallucinates API contracts — approximately 20% of AI-recommended packages do not exist. At every service boundary, especially coalition cross-organization APIs where different groups have different security postures, use consumer-driven contract tests. Do not trust AI-generated API client code without contract verification.
-
-## Test Infrastructure Requirements
-
-**Fast execution is non-negotiable.** AI agents run tests in tight loops. A 10-minute suite across 15 agent iterations burns 2.5 hours. Invest in parallel execution, test isolation with no shared state, and selective test running. **Flaky tests poison the AI feedback loop** — agents cannot distinguish flaky failures from real ones. Track and eliminate flaky tests aggressively. Maintain a test-to-code ratio of 1:1 or higher.
-
-## Adversarial Input Testing
-
-Test inputs crafted to exploit advocacy-specific vulnerabilities: SQL injection through investigation search fields, XSS through witness testimony display, path traversal through evidence file uploads, oversized payloads designed to crash offline-first sync. Advocacy software faces adversarial users — not just careless ones.
diff --git a/.claude/skills/advocacy-code-review/SKILL.md b/.claude/skills/advocacy-code-review/SKILL.md
deleted file mode 100644
index e1b6e99..0000000
--- a/.claude/skills/advocacy-code-review/SKILL.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-name: advocacy-code-review
-description: Layered code review pipeline — automated checks first, then AI-assisted review, then human review focused on Ousterhout red flags, AI failure patterns, silent failures, and advocacy-specific concerns
----
-# Code Review
-
-## When to Use
-- Reviewing any code before merge — especially AI-generated code
-- Preparing your own code for review
-- When a PR is tagged AI-Assisted
-- When changes touch investigation data, coalition boundaries, or emotional safety features
-
-## Process
-
-### Layer 1: Automated Checks (Zero Human Effort)
-Before any human looks at the code, verify these pass:
-- Formatting and linting — automated, enforced in CI, not discussed in review
-- Static analysis and type checking — catches structural issues, type errors, known vulnerability patterns
-- Security scanning — detects hardcoded secrets, known vulnerability patterns, dependency issues
-- Test suite — all tests pass, no regressions
-
-If any automated check fails, fix it before requesting review. Do not submit "I'll fix the tests later" PRs.
-
-### Layer 2: AI-Assisted First-Pass Review
-Use AI to flag potential issues. AI catches well: inconsistent error handling, missing null checks, unused imports, common security patterns, deviations from project conventions, performance anti-patterns. AI misses: whether the approach is correct, whether business logic matches requirements, whether the code will be maintainable, whether tests verify meaningful properties, subtle concurrency issues. Treat AI review flags as suggestions, not verdicts.
-
-### Layer 3: Human Review — Design Quality Red Flags
-Walk through the Ousterhout red flags checklist. These are the structural problems most common in AI-generated code:
-
-- **Shallow module** — interface is as complex as the implementation; the abstraction hides nothing
-- **Information leakage** — implementation details escape through the interface; callers depend on internals
-- **Temporal decomposition** — code structured by execution order rather than conceptual boundaries
-- **Pass-through method** — method that does nothing except call another method with the same signature
-- **Repetition** — same logic in multiple places; AI duplicates at 4x the normal rate
-- **Special-general mixture** — general-purpose code polluted with special-case handling
-
-### Layer 4: Human Review — AI-Specific Failure Patterns
-Check specifically for patterns AI agents introduce:
-
-- **DRY violations** — does this duplicate something that already exists in the codebase? Search before accepting.
-- **Multi-responsibility functions** — does any function do more than one thing at one level of abstraction? Split it.
-- **Suppressed errors** — has the AI removed safety checks, caught exceptions too broadly, or silently swallowed failures? Review every error handling path.
-- **Hallucinated APIs** — does the code call libraries, methods, or endpoints that do not exist? Verify every external dependency.
-- **Over-patterning** — has the AI applied Strategy, Factory, or Observer where a plain function and conditional would suffice?
-- **Silent failure pattern** — AI may remove safety checks to make code appear to work, create fake output matching desired formats, or edit tests to pass rather than fixing the underlying code. Verify ALL safety checks from the original code are preserved in the new code. Compare the error handling paths between old and new versions explicitly.
-
-### Layer 5: Advocacy-Specific Review
-For any code in an advocacy project, also verify:
-
-- **Data leak vectors** — does this change create any new path for sensitive data to leave the system? Check logging, error messages, telemetry, API responses, and serialization output for investigation data, witness identities, or activist PII.
-- **Surveillance surface area** — does this change increase the metadata footprint? New timestamps, access logs, IP recording, or device fingerprinting that could be used to identify activists under legal discovery.
-- **Emotional safety** — if this code displays content to users, does it respect progressive disclosure? Is graphic content behind explicit opt-in? Are content warnings specific enough?
-- **Coalition boundary violations** — does this change allow data to cross organizational boundaries without going through an anti-corruption layer? AI agents optimize for expedience and import directly across bounded contexts.
-
-### Step: Render Verdict
-Summarize findings by layer. Distinguish between blocking issues (security vulnerabilities, data leaks, silent failures, broken tests) and suggestions (style, naming, minor refactoring). For primarily AI-generated PRs, require two human approvals.
diff --git a/.claude/skills/advocacy-testing-strategy/SKILL.md b/.claude/skills/advocacy-testing-strategy/SKILL.md
deleted file mode 100644
index 047d096..0000000
--- a/.claude/skills/advocacy-testing-strategy/SKILL.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-name: advocacy-testing-strategy
-description: Spec-first test generation, assertion quality review, mutation testing, five anti-patterns to avoid — for AI-assisted advocacy development where silent test failures mean lost evidence or exposed activists
----
-# Testing Strategy
-
-## When to Use
-- Writing or generating any tests
-- Reviewing AI-generated test code
-- Setting up test infrastructure for a new feature
-- When test suite quality is in question (flaky tests, low mutation scores, false confidence)
-
-## Process
-
-### Step 1: Read the Specification
-Before writing any test, identify the specification or acceptance criteria for the behavior under test. If no spec exists, write one — even a brief description of what the code should do and what constitutes failure. Without a spec, AI generates tests that mirror the implementation rather than the intent, producing circular validation.
-
-### Step 2: Write Failing Tests from the Spec (Pattern 2 — Spec-First)
-Generate tests from the specification BEFORE writing implementation. Each test should encode a business rule you can state in words. For advocacy software: "investigation records must be anonymized before export," "coalition data must not cross organizational boundaries without explicit agreement," "graphic content must never display without a content warning." Write the test. Verify it fails. This is the preferred generation pattern.
-
-### Step 3: Verify Tests Fail for the Right Reason
-A failing test is only useful if it fails because the behavior is absent — not because of a setup error, typo, or misconfigured test environment. Read each failure message. Confirm it describes the missing behavior, not a broken test.
-
-### Step 4: Implement Until Tests Pass
-Write the minimum implementation that makes the failing tests pass. Do not write more code than the tests demand.
-
-### Step 5: Review Assertions Against the Spec, Not the Code
-This is the critical step for AI-generated tests. Ask three questions of every assertion:
-1. **Does this test fail if the code is wrong?** If you break the implementation and the test still passes, it is worthless.
-2. **Does the assertion encode a domain rule?** If you cannot name the rule, it is a snapshot, not a test.
-3. **Would mutation testing kill this?** If changing `+` to `-` leaves the test green, the assertion is weak.
-
-NEVER accept tautological assertions — tests that assert output equals the output of the same function call. This is the single most dangerous pattern in AI-generated tests.
-
-### Step 6: Run Mutation Testing
-Run a mutation testing tool against the test suite. Surviving mutants reveal assertions that look thorough but verify nothing. Feed surviving mutants to the AI and ask it to write tests that kill them. Mutation score is the primary quality metric — not coverage percentage. A suite with 90% coverage and 40% mutation score is a false sense of security.
-
-### Step 7: Fix Weak Tests
-For each surviving mutant, write a targeted test that kills it. This closes the loop between test generation and test quality.
-
-## Five Generation Patterns (Know When to Use Each)
-1. **Implementation-first** — generate tests from existing code. Dangerous: tests mirror code, not intent. Use only when no spec exists and you need characterization tests.
-2. **Spec-first** — generate tests from specification before coding. Preferred pattern. Produces tests that encode intent.
-3. **Edge-case generation** — give the AI a function signature and ask specifically for: empty inputs, boundary values, null/undefined, unicode, timezone boundaries, concurrent access, overflow. AI excels here.
-4. **Characterization tests** — for legacy or AI-generated code that lacks tests: capture current behavior before changing anything. Cover before you change (Feathers).
-5. **Mutation-guided improvement** — run mutation testing, feed surviving mutants to AI, generate targeted tests.
-
-## Five Anti-Patterns to Reject on Sight
-1. **Snapshot trap** — tests that snapshot current output and assert against it. They pass today and break on any correct change. They verify nothing about correctness.
-2. **Mock everything** — over-mocked tests verify that mocks behave as expected, not that real code works. Mock only at system boundaries: external APIs, databases, file systems.
-3. **Happy path only** — AI-generated tests overwhelmingly test the success path. Explicitly request error path, boundary condition, and adversarial input tests. In advocacy software, error paths are where people get hurt.
-4. **Test-after-commit** — writing tests after code is committed defeats the feedback loop. Tests must exist during development.
-5. **Coverage theater** — chasing coverage numbers with meaningless assertions. A line "covered" by a test with no assertion is not tested.
-
-## Advocacy-Specific Testing
-- Contract tests at every service boundary, especially coalition cross-organization APIs where different groups have different security postures
-- Test adversarial inputs: SQL injection through investigation search, XSS through testimony display, path traversal through evidence uploads
-- Verify progressive disclosure: graphic content must not render without explicit opt-in
-- Test offline behavior: what happens when connectivity drops during evidence sync
-- Fast test execution is non-negotiable for AI agent loops — a 10-minute suite across 15 iterations burns 2.5 hours
diff --git a/.claude/skills/geo-seo-audit/SKILL.md b/.claude/skills/geo-seo-audit/SKILL.md
deleted file mode 100644
index 08f76e2..0000000
--- a/.claude/skills/geo-seo-audit/SKILL.md
+++ /dev/null
@@ -1,339 +0,0 @@
----
-name: geo-seo-audit
-description: SEO + GEO audit and implementation workflow — Core Web Vitals, HTML structure, semantic writing, E-E-A-T, content intent, Wikipedia/Wikidata, JSON-LD schema, meta tags, crawl budget, robots.txt, sitemap, IndexNow, topic cluster architecture, link building, brand signals, conversion optimization, analytics, internationalization, platform presence, defensive review
----
-# SEO + GEO Audit
-
-This skill covers both traditional SEO and Generative Engine Optimization (GEO) — ensuring advocacy content ranks in search engines AND appears in AI answer systems (ChatGPT, Perplexity, Google AI Overviews, Claude, Gemini, Bing Copilot).
-
-**The core insight:** Only 17-32% of AI Overview citations come from pages ranking in the organic top 10. Domain Authority correlates with AI citations at r=0.18; topical authority (r=0.40) and branded web mentions (r=0.664) are the real predictors. 80% of URLs cited by AI assistants do not rank in Google's top search results. This means SEO and GEO have different — but overlapping — optimization paths.
-
-## When to Use
-
-- When building or reviewing any public-facing advocacy website
-- Before launching content that needs to be discoverable by search engines or AI systems
-- When diagnosing why a site is not appearing in Google results or AI responses
-- When implementing a content hub or topic cluster for an advocacy campaign
-- As a pre-launch checklist for any new Open Paws platform page
-
-## Process
-
-### Step 1: Audit Core Web Vitals
-
-Measure using real field data from Google Search Console (CrUX), not lab tools — Google ranks on field data. Current thresholds (as of March 2026):
-
-| Metric | Good | Needs Improvement | Poor |
-|--------|------|-------------------|------|
-| LCP | ≤ 2.5s | 2.5–4.0s | > 4.0s |
-| INP | ≤ 200ms | 200–500ms | > 500ms |
-| CLS | ≤ 0.1 | 0.1–0.25 | > 0.25 |
-
-Check: Is LCP element preloaded with `<link rel="preload">`? Are explicit `width` and `height` on every image/video/iframe (prevents CLS)? Is TTFB under 200ms? Are JavaScript long tasks (>50ms) broken up with `scheduler.yield()` or `setTimeout`? Is `font-display: swap` used for web fonts? Are below-fold images lazy-loaded? Are modern image formats (WebP/AVIF) used?
-
-**INP fix priority order:** (1) audit third-party scripts, (2) lazy-load non-critical features, (3) optimize event handlers with `scheduler.yield()`, (4) reduce JavaScript payload with React Server Components, (5) virtual lists and CSS containment.
-
-**Next.js rendering check:**
-
-| Strategy | TTFB | Best For |
-|---|---|---|
-| SSG (default cached fetch) | Sub-100ms | Static content — blogs, docs |
-| ISR (`next: { revalidate: 60 }`) | Fast, cached | Periodically updated content |
-| SSR (`cache: 'no-store'`) | 200ms+ | User-specific real-time data |
-| PPR (experimental) | Fast shell + streamed | Mixed static/dynamic pages |
-
-Sites with INP above 200ms average -0.8 position drops. Pages with LCP above 3 seconds experience 23% more traffic loss. 43% of sites still fail the 200ms INP threshold — the most common CWV failure.
-
-### Step 2: Audit Technical SEO
-
-**Rendering:**
-- Verify SSR or SSG — client-side-only rendering increases crawl cost and is invisible to AI crawlers
-- Test with Google's URL Inspection tool to verify rendered content matches expectations
-- AI crawlers (GPTBot, ClaudeBot, PerplexityBot) generally do not execute JavaScript
-
-**Mobile-first:**
-- Audit using Googlebot Smartphone user agent, not desktop
-- Google uses mobile scores as the primary ranking signal for all results
-- 53% of mobile visitors abandon sites taking more than 3 seconds to load
-
-**Crawl budget:**
-- Check for faceted navigation URL explosion (filter/sort parameter combinations)
-- Verify robots.txt blocks low-value parameter URLs, internal search, admin pages
-- Check for redirect chains (sequential redirects waste crawl budget)
-- Verify XML sitemap contains only canonical, indexable URLs with accurate `<lastmod>` dates
-- Audit pages with zero organic traffic over 12 months — candidates for consolidation, noindex, or removal
-- Verify HTTP status codes: 200 for live content, 301 for permanent redirects, 404 for missing, 410 for intentionally removed
-
-**Security headers (set via Next.js middleware):**
-- CSP with nonces for scripts/styles
-- `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`
-- `X-Content-Type-Options: nosniff`
-- `X-Frame-Options: DENY`
-- `Referrer-Policy: strict-origin-when-cross-origin`
-- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
-- `Cross-Origin-Opener-Policy: same-origin`
-- Remove `X-Powered-By` header
-
-**Supply chain:**
-- Pin exact dependency versions, use `npm ci` in CI pipelines
-- Scan with Socket.dev or Snyk
-- Enable 2FA on npm accounts
-
-### Step 3: Audit HTML Structure
-
-Check each page for:
-1. Exactly one `<h1>` tag containing the primary topic
-2. Logical heading hierarchy (`h1 > h2 > h3`) with no skipped levels
-3. `<h2>` headings phrased as questions where the section answers something (7× citation impact for smaller sites; also improves Featured Snippet and PAA selection)
-4. First paragraph after each heading: direct 40-60 word answer
-5. Paragraphs of 2-4 sentences (40-60 words); content sections of 120-180 words
-6. Semantic elements: `<article>`, `<section>`, `<nav>`, `<aside>`, `<header>`, `<footer>`, `<main>`
-7. `lang` attribute on `<html>` tag
-8. Descriptive `alt` text on every `<img>`; descriptive file names with keywords
-9. Meaningful anchor text on every `<a>` — never "click here"
-10. `<table>` for comparison data; `<ol>` and `<ul>` for lists; `<blockquote cite="...">` for quotations
-11. `<time datetime="YYYY-MM-DD">` for dates; `<dfn>` for definitions; `<abbr title="...">` for acronyms
-12. `id` attributes on all `<h2>` and `<h3>` elements
-
-Flag any content rendered exclusively by JavaScript.
-
-### Step 4: Audit Content Intent and Search Positioning
-
-Before auditing content quality, verify content targets the right intent format. Study the top 5 results for each target keyword. Content targeting the wrong intent format does not rank regardless of other optimizations.
-
-| Intent type | Expected format to match |
-|-------------|--------------------------|
-| Informational | How-to guides, tutorials, explainers, definitions |
-| Commercial investigation | Comparison articles, review roundups, "best of" lists |
-| Transactional | Product/service pages, pricing pages, application forms |
-| Navigational | Homepage, specific brand/product pages |
-
-Also check: Does the content completely satisfy user intent in one visit (Helpful Content System standard)? Does it demonstrate genuine first-hand knowledge and experience? Does it include specific, dated citations rather than vague attribution?
-
-### Step 5: Audit Semantic Writing Quality
-
-AI citation systems retrieve at the sentence and paragraph level. Check:
-
-**Entity salience:** Is the primary entity the grammatical subject in active voice? Active voice gives subject salience 0.74; passive voice drops it to 0.11. Check for passive constructions and fix them.
-
-**Atomic claims:** Are sentences self-contained semantic triples? Eliminate vague pronouns — every sentence must make sense in isolation.
-
-**Proper noun density:** AI-cited text averages 20.6% proper nouns versus 5-8% standard. Check whether content names organizations, researchers, reports, and years specifically rather than using vague attribution.
-
-**Content density:** Pages under 5,000 characters get approximately 66% of content used; pages over 20,000 characters get only 12%. Check whether pages are focused and dense.
-
-**Opening structure:** Every major section should open with a 40-60 word declarative answer. Information buried deep in paragraphs is rarely retrieved by AI systems.
-
-### Step 6: Audit E-E-A-T Signals
-
-Check for Experience, Expertise, Authoritativeness, Trustworthiness on every content page:
-- Original data, case studies, screenshots, specific processes (Experience)
-- Detailed author bio with verifiable credentials (Expertise)
-- Specific citations from credible sources with names, organizations, and dates (Expertise)
-- Third-party coverage, organizational partnerships, industry recognition (Authoritativeness)
-- Clear contact information, privacy policy, transparent organizational identity (Trustworthiness)
-
-**Author attribution audit:** Every content page must have a visible author name, credentials, and link to an author profile page. The author page must have Person schema with `name`, `url`, `jobTitle`, `description`, `image`, and `sameAs` (LinkedIn, external profiles). Content with proper author metadata gets 40% more AI citations.
-
-### Step 7: Audit Wikipedia and Wikidata Presence
-
-Wikipedia accounts for 47.9% of ChatGPT's top-10 cited sources. Organizations visible in Wikidata get Knowledge Panels within 7 days and begin appearing consistently in AI answers.
-
-Check:
-1. Does the organization have a Wikipedia article? Is it accurate, cited, current?
-2. Does the organization have a Wikidata entry (Q-ID)? Is it complete with: type, founding date, location, founders, official website, social profiles?
-3. Is the Wikidata Q-ID in the site's Organization schema `sameAs` array?
-4. Is Wikipedia URL in the site's Organization schema `sameAs` array?
-5. Does an entity web exist connecting organization → tools → people → related orgs → policy areas?
-6. Does the site's structured data match Wikipedia and Wikidata? Inconsistency reduces AI confidence.
-
-If no Wikipedia article exists: document as **High** finding. Check whether sufficient independent secondary coverage exists to support notability per Wikipedia's guidelines. If yes, creating the article should be prioritized over almost any on-site optimization.
-
-**Wikipedia COI policy (mandatory):** Never directly edit your own organization's Wikipedia article. Disclose any affiliation on the Talk page. Propose edits through Talk-page requests or experienced neutral editors. Use only independent, reliable sources — no primary sources or press releases. All contributions must follow Wikipedia's Conflict of Interest and Notability guidelines. Document the disclosure and source list for audit purposes.
-
-### Step 8: Audit Structured Data (JSON-LD)
-
-Sites with structured data achieve 41% AI citation rates vs 15% without. Only 12.4% of websites implement it.
-
-For every page verify:
-- **Organization + WebSite schema** on every page: `name`, `url`, `logo`, `sameAs` (LinkedIn, Twitter, GitHub, Wikipedia URL, Wikidata URL), `description`
-- **Article schema** on every content page: `headline`, `author` (with `name`, `url`, `jobTitle`), `publisher`, `datePublished`, `dateModified`, `image`, `description`
-- **FAQPage schema** on any page with Q&A content
-- **BreadcrumbList schema** on all non-homepage pages
-- **Person schema** on all author/team profile pages
-- Additional applicable types: HowTo, SoftwareApplication, Event, Dataset, VideoObject, LocalBusiness
-
-Validate all schema at https://validator.schema.org/ and Google's Rich Results Test. `dateModified` must reflect actual update dates.
-
-### Step 9: Audit Meta Tags and Head Elements
-
-For every page:
-- `<title>`: `Primary Keyword — Brand Name`, 50-60 chars, keywords first, unique per page
-- `<meta name="description">`: 150-160 chars, direct answer to primary query, one statistic, unique
-- `<link rel="canonical">` pointing to canonical URL
-- Open Graph tags: `og:title`, `og:description`, `og:type`, `og:url`, `og:image`, `og:site_name`
-- Twitter Card: `twitter:card`, `twitter:title`, `twitter:description`, `twitter:image`
-- Article timestamps: `article:published_time`, `article:modified_time` (ISO 8601)
-
-### Step 10: Audit Robots.txt
-
-Verify AI citation crawlers are allowed:
-- **Must allow** (power AI answers): `OAI-SearchBot`, `ChatGPT-User`, `PerplexityBot`, `ClaudeBot`, `Claude-SearchBot`, `Applebot`, `Amazonbot`
-- **May block** (training only): `GPTBot`, `CCBot`, `Google-Extended`, `meta-externalagent`, `Bytespider`
-- **Never block**: `Googlebot` (blocks both Search and AI Overviews simultaneously)
-
-Note: 226+ AI crawlers exist. Verify list is current. Some AI agents use standard browser user-agent strings and ignore robots.txt.
-
-### Step 11: Audit XML Sitemap and IndexNow
-
-**Sitemap:**
-- Exists at `/sitemap.xml`
-- Contains only canonical, indexable URLs
-- `<lastmod>` dates reflect actual content update dates (never faked)
-- Referenced in robots.txt
-- Submitted to Google Search Console and Bing Webmaster Tools
-- Auto-regenerates when content changes
-
-**IndexNow:**
-- API key file at `https://yoursite.com/{key}.txt`
-- Ping fires on every publish/update event
-- Integrated in CI/CD pipeline or CMS publish hooks
-
-### Step 12: Audit Site Architecture and Content Freshness
-
-**Architecture:**
-- URL structure: descriptive hyphenated lowercase, under 75 characters, max 3 levels deep, canonical tags, 301 redirects for changed URLs
-- No important page more than 3 clicks from homepage
-- Breadcrumb navigation with BreadcrumbList schema
-- Topic cluster structure: pillar pages + 8-15 cluster pages with bidirectional links?
-- Orphan pages (no internal links pointing to them)?
-
-**Content freshness:**
-- "Last Updated: [date]" visible on every content page using `<time datetime="YYYY-MM-DD">`
-- `dateModified` in Article schema synchronized with visible dates
-- Content genuinely updated (not just date-changed) — Google detects date freshness hacking
-- 76% of most-cited AI content updated within 30 days; Perplexity gives 3.4× advantage to content under 30 days old
-
-**First-mover check:** For emerging advocacy topics with few authoritative sources, is the site publishing before competitors claim citation positions?
-
-### Step 13: Audit Platform Presence and Brand Signals
-
-85% of AI brand mentions come from third-party pages. Brand mentions now account for 55% of off-page ranking weight.
-
-Check:
-1. **Reddit:** Active, authentic presence in relevant subreddits? AI systems have visibility into Reddit's moderation pipeline — inauthentic content carries negative weight.
-2. **YouTube:** Channel with transcripts enabled?
-3. **LinkedIn:** Active organization page with substantive posts?
-4. **GitHub:** Documentation, datasets, or reports published as Markdown?
-5. **Unlinked brand mentions:** Monitor with Google Alerts or Ahrefs. Convert high-authority mentions to backlinks — close rate typically above 30%.
-6. **Cross-platform consistency:** Key facts (founding date, mission, statistics) consistent across site, Wikipedia, Wikidata, LinkedIn, GitHub?
-
-Platform-specific behavior: Only 11% of domains are cited by both ChatGPT and Perplexity for the same queries. Citation volatility is 40-60% monthly. Build multi-platform presence.
-
-### Step 14: Audit Link Profile
-
-Backlinks remain the #2 ranking factor. Topical relevance between linking and linked domains (r=0.4) now outweighs raw domain authority.
-
-Check:
-- Natural anchor text distribution: ~40-50% branded, ~20-30% generic, ~15-25% partial match, ~5-10% exact match. Sites below 30% diversity saw -15 average position drops in March 2026 spam update.
-- Links in editorial context (body content), not footers/sidebars/author bios
-- Top-performing link building tactics: original research/data (156% more links vs generic how-to), digital PR campaigns, unlinked mention conversion
-- Any links from PBNs, sponsored guest posts on generalist sites, or niche edits on thin domains — these were specifically devalued in March 2026
-
-### Step 15: Audit Content Patterns
-
-Check whether content templates implement high-citation patterns:
-
-**Citable paragraph:** every major claim follows `[fact]. [statistic with attribution]. [elaboration]. [Source: Org, Date]`
-
-**FAQ block:** `<h2>` with exact question, 40-60 word direct answer immediately following, FAQPage schema. Also improves Featured Snippet and People Also Ask selection.
-
-**Definition block:** `<section id="what-is-term"><h2>What is [Term]?</h2><p><dfn>[Term]</dfn> is [direct definition].</p></section>`
-
-**Original data:** Pages with proprietary data get 4.31× more citations per URL. Check whether any unique organizational data can become dedicated, permanently-addressable pages.
-
-**VideoObject schema:** If any video content exists, verify VideoObject schema with `name`, `description`, `thumbnailUrl`, `uploadDate`, and `contentUrl`.
-
-### Step 16: Audit Conversion Optimization and Analytics
-
-**Donation page audit:**
-- 3-4 preset amounts with middle pre-selected and impact descriptions?
-- Monthly giving pre-selected? (31% of nonprofit online revenue; 64% of orgs still default one-time)
-- Single-step form? (multi-step forms see 52% drop in completions)
-- Site header navigation removed during donation flow?
-- Form embedded on-site, not redirecting to third-party processor?
-- `autocomplete` attributes on all form fields? (React JSX: `autoComplete`)
-
-**Analytics:**
-- Using cookieless analytics (Plausible or Umami) as primary?
-- AI referral traffic tracked with custom channel group? (ChatGPT 78% of AI traffic; mobile app drops referrer)
-- Key conversion events marked in GA4: `donation_completed` (with value), `newsletter_signup`, `volunteer_form_submit`?
-
-**Internationalization check (if multilingual):**
-- `lang` and `dir` attributes set correctly on `<html>`?
-- Hreflang tags self-referencing and reciprocal on every page?
-- Subdirectory URL strategy (`/en/`, `/hi/`, `/ar/`) for domain authority consolidation?
-- ICU MessageFormat used for plural/gender forms (Arabic requires 6 CLDR plural categories)?
-
-### Step 17: Defensive Review
-
-Check for techniques that would violate platform guidelines:
-
-**Hidden text:** Verify no content is hidden via `display:none`, `visibility:hidden`, white-on-white text, zero-size fonts, negative positioning, or invisible Unicode (U+E0000 to U+E007F). Google's SpamBrain and PhantomLint compare parsed text against OCR-rendered images.
-
-**Agent-aware cloaking:** Verify the server does not serve different content to AI crawlers vs human visitors based on User-Agent detection. Explicitly prohibited; domain-wide penalty risk.
-
-**Scaled AI content:** Verify all published content has meaningful human review. Manual actions issued by Google since June 2025 for "scaled content abuse."
-
-**User-generated content injection:** If the site hosts comments or forum posts, verify they are sanitized before being served to crawlers.
-
-### Findings Report
-
-Document findings by priority:
-
-**Critical (blocks launch)**
-- Primary content rendered JavaScript-only
-- Missing `<h1>` or broken heading hierarchy
-- Missing canonical tags
-- robots.txt blocking AI citation crawlers
-- Missing HTTPS or expired SSL
-- LCP > 4s or page weight > 3MB
-- Agent-aware cloaking detected
-
-**High (implement before significant content investment)**
-- LCP > 2.5s (failing Good threshold)
-- INP > 200ms (43% of sites fail this)
-- No Wikipedia article when sufficient notability sources exist
-- No Wikidata entry
-- Missing structured data (JSON-LD schema)
-- Content siloed with no topic cluster architecture
-- Pages not SSR or SSG
-- Missing `sameAs` links to Wikipedia/Wikidata in Organization schema
-- Content not matching search intent format for target keywords
-
-**Medium (implement in next sprint)**
-- Question-format headings not used
-- Answer-first paragraph pattern not followed
-- Missing entity salience (passive voice, vague pronouns, weak proper noun density)
-- Content density outside optimal range
-- Missing E-E-A-T signals (author attribution, sourcing, experience signals)
-- Missing author profile pages with Person schema
-- Missing IndexNow integration
-- Outdated or inconsistent `dateModified` values
-- No Reddit, YouTube, or LinkedIn presence
-- Key facts inconsistent across platforms
-- Anchor text distribution outside recommended ranges
-- Donation page using multi-step form or missing monthly pre-selection
-- No AI referral traffic tracking in analytics
-- Missing cookieless analytics (relying solely on GA4 with consent banner)
-- Missing hreflang tags on multilingual pages
-
-**Low (optimize over time)**
-- llms.txt not implemented (low current value but zero-cost)
-- Individual content not following citable paragraph pattern
-- Missing comparison tables on decision-relevant pages
-- No proprietary data or original research pages
-- VideoObject schema not implemented for video content
-- Security headers incomplete (CSP, Permissions-Policy, COOP)
-- Supply chain scanning not in CI pipeline
-
-For each finding: the specific page or component affected, what is missing or incorrect, and the exact implementation needed.
diff --git a/.claude/skills/git-workflow/SKILL.md b/.claude/skills/git-workflow/SKILL.md
deleted file mode 100644
index 61121cc..0000000
--- a/.claude/skills/git-workflow/SKILL.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-name: git-workflow
-description: Git workflow for AI-assisted advocacy development — atomic commits per subtask, ephemeral branches, PR curation into reviewable chunks, AI-Assisted tagging
----
-# Git Workflow
-
-## When to Use
-- Before committing, branching, or creating a pull request
-- When reviewing commit history or deciding on merge strategy
-- After an AI agent has generated a batch of changes that need to be broken into logical units
-
-## Process
-
-### Step 1: Create an Ephemeral Branch
-Create a short-lived branch for the current task. Trunk-based development remains the goal — this branch is a safety net, not a long-lived workspace. If the agent has not produced mergeable work within one session, delete the branch and reconsider the approach. Name the branch for the task, not for a feature epic.
-
-### Step 2: Implement One Subtask
-Break the overall task into the smallest logical subtasks. Each subtask is one commit. If the task decomposes into "extract interface, implement adapter, update callers," those are three separate commits. Never let the agent complete an entire multi-step task before committing.
-
-### Step 3: Test Before Committing
-Run the relevant test subset before each commit. Every commit must leave the codebase in a passing state. If tests fail, fix the issue before committing — do not push broken commits to shared branches. For advocacy code handling investigation or evidence data, also verify that no sensitive data has leaked into test output, logs, or error messages.
-
-### Step 4: Write the Commit Message
-Write commit messages that explain WHY, not WHAT — the code shows what changed. First line: 50 characters, imperative mood. Reference the issue or ticket. Add appropriate AI attribution trailers so the team knows which code was agent-generated.
-
-### Step 5: Repeat for Each Subtask
-Continue the cycle: implement one subtask, test, commit. Each commit should be independently understandable. If you read the commit in isolation six months from now, you should know what it does and why.
-
-### Step 6: Curate the Pull Request
-PR curation is the critical human skill in AI-assisted development. AI adoption inflated PR size by 154%. Do not submit the agent's full output as one PR. Split into reviewable chunks:
-- Target under 200 lines changed per PR, ideally under 100
-- Use stacked PRs for large changes (PR1, PR2, PR3 — each independently reviewable)
-- Each PR tells a coherent story with a clear description explaining the reasoning
-
-### Step 7: Tag and Request Review
-- Tag every PR containing AI-generated code as **AI-Assisted**
-- Require two human approvals for primarily AI-generated PRs
-- Call out areas needing close review — especially security boundaries, error handling, and any code touching investigation or coalition data
-
-### Step 8: Track Quality Signals
-- **Code Survival Rate** — how much AI-generated code remains unchanged 48 hours after merge. Low survival means the agent is generating code that humans immediately rewrite.
-- **Suggestion acceptance rate** — healthy range is 25-35%. Higher may indicate over-reliance on AI suggestions without critical review. In advocacy projects, over-reliance means unreviewed security assumptions.
-
-### Merge Strategy
-Squash-merge ephemeral branches to keep trunk history clean. Delete branches immediately after merge. If a branch has lived longer than one working session, evaluate whether the approach needs to change rather than extending the branch's life.
diff --git a/.claude/skills/plan-first-development/SKILL.md b/.claude/skills/plan-first-development/SKILL.md
deleted file mode 100644
index 93fc79c..0000000
--- a/.claude/skills/plan-first-development/SKILL.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-name: plan-first-development
-description: Plan-before-code workflow — read existing code, write spec, decompose into subtasks, implement and test one at a time, comprehension check before committing
----
-# Plan-First Development
-
-## When to Use
-- Starting any significant implementation work
-- Beginning a new coding session
-- When a task involves changes across multiple files or modules
-- When context window usage is approaching 50%
-
-## Process
-
-### Step 1: Read Existing Code
-Before writing anything, read the code relevant to the change. Understand the current structure, naming conventions, existing utilities, and architectural patterns. AI agents generate duplicate functions and violate DRY at 4x the normal rate because they lack full codebase awareness. Searching first prevents this.
-
-### Step 2: Identify What Needs to Change
-State the change in one sentence. If you cannot describe it concisely, the task needs further decomposition. For advocacy projects, also identify: which bounded context is affected (investigation ops, public campaigns, coalition coordination, legal defense), and whether the change crosses context boundaries.
-
-### Step 3: Write a Specification
-Write requirements before implementation. Even a brief spec is better than none. The spec should include: what the code does, what inputs it accepts, what outputs it produces, what error conditions exist, and what security or safety properties it must maintain. For advocacy software, add: what data sensitivity classification applies, what happens under device seizure, and what coalition data boundaries must hold.
-
-This is the "construction prerequisites" principle: problem definition clear, requirements explicit, architecture solid — before writing code.
-
-### Step 4: Break into Subtasks
-Decompose the spec into subtasks small enough that each can complete within half the remaining context window. Each subtask should produce a testable, committable result. If a subtask feels too large, break it further. The decomposition should follow conceptual boundaries, not execution order — temporal decomposition (structuring code by when things happen) is an Ousterhout red flag.
-
-### Step 5: For Each Subtask — Plan, Test, Implement, Verify
-Execute one subtask at a time:
-1. **Plan** — describe what this subtask will do
-2. **Test** — write a failing test that encodes the expected behavior
-3. **Implement** — write the minimum code to make the test pass
-4. **Verify** — run tests, confirm the change works in context
-
-Do not start the next subtask until the current one passes tests and is committed.
-
-### Step 6: Comprehension Check
-After the AI generates code, explain what it does in your own words before committing. This is not optional. AI-assisted developers score 17 percentage points lower on comprehension tests compared to unassisted developers (Anthropic, 2026 study of 52 professional developers). The comprehension gap is equivalent to nearly two letter grades.
-
-Use the **generation-then-comprehension pattern**: generate code, then immediately ask the AI to explain it, then verify your understanding matches. Six usage patterns exist on a spectrum from full delegation (worst comprehension at 50%) to conceptual inquiry (best at 86%). The goal is to stay in the "generate then understand" zone that preserves learning while leveraging AI speed.
-
-If you cannot explain what the code does and why, do not commit it. Read it again. Ask questions. Understanding the code you ship is a non-negotiable professional responsibility — especially in advocacy software where misunderstood code can silently leak data or expose activists.
-
-### Step 7: Commit
-Commit after each completed subtask. Write a commit message explaining the WHY. Then move to the next subtask.
-
-### Context Management
-- Start each session fresh rather than extending a degraded conversation
-- Compact at approximately 50% context usage
-- Break work into chunks that complete within half the context window
-- After two failed fix attempts, clear the conversation and restart with a better prompt incorporating what you learned — do not compound errors
diff --git a/.claude/skills/requirements-interview/SKILL.md b/.claude/skills/requirements-interview/SKILL.md
deleted file mode 100644
index 67f6206..0000000
--- a/.claude/skills/requirements-interview/SKILL.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-name: requirements-interview
-description: Structured stakeholder interview for advocacy projects — gathers purpose, threat model, coalition needs, legal exposure, user safety requirements, and budget constraints one question at a time
----
-# Requirements Interview
-
-## When to Use
-- Starting a new feature or project
-- When requirements are ambiguous or incomplete
-- Before writing a specification or design document
-- When a new coalition partner or user group is introduced
-
-## Process
-
-Ask one question at a time. Use multiple choice when possible. Wait for the answer before proceeding. Do not overwhelm stakeholders with a wall of questions — advocacy stakeholders are often volunteers with limited time.
-
-### Phase 1: Purpose and Users
-1. What are we building? (One sentence describing the core function)
-2. Who are the primary users? (Investigators, campaign organizers, sanctuary staff, legal team, coalition coordinators, public supporters)
-3. What does success look like? (Specific, measurable criteria — not "make it better")
-4. What existing tools or workflows does this replace or augment?
-
-### Phase 2: Threat Modeling
-5. Who are the adversaries for this system?
-   - [ ] Law enforcement (ag-gag statutes, warrants, subpoenas)
-   - [ ] Industry investigators (corporate surveillance, infiltration)
-   - [ ] Hostile public (doxxing, harassment campaigns)
-   - [ ] AI model providers (data retention, content policy restrictions)
-   - [ ] Other: ___
-6. What happens if this system is compromised? (Who is endangered, what evidence is exposed, what legal liability is created)
-7. What happens if a device running this software is seized? (What data is recoverable, what operations are exposed)
-8. What legal jurisdictions apply? (Which ag-gag laws, which data protection regulations, which countries)
-
-### Phase 3: Coalition and Data Boundaries
-9. Which organizations will use this system?
-10. Do organizations have different risk profiles? (A direct action group and a legal defense fund have fundamentally different threat models)
-11. What data crosses organizational boundaries? What must NOT cross those boundaries?
-12. If one coalition partner is legally compelled to disclose data, what is the blast radius to other partners?
-13. What existing data sharing agreements or policies constrain the design?
-
-### Phase 4: User Safety
-14. Does this system handle traumatic content? (Investigation footage, slaughter documentation, witness testimony of abuse)
-15. What progressive disclosure levels are needed? (Text-only, blurred preview, full resolution)
-16. Who reviews traumatic content, and what burnout prevention measures exist?
-17. Does this system handle witness or whistleblower identities? What anonymization requirements apply?
-18. What emotional safety features do users expect? (Content warnings, session time reminders, configurable detail levels)
-
-### Phase 5: Technical Constraints
-19. Budget — what are the hard limits on infrastructure and AI compute costs? (Nonprofit budgets mean every dollar has an alternative use in direct advocacy)
-20. Timeline — what is the deadline and what is driving it? (Legislative session, planned investigation, campaign launch)
-21. Tech stack preferences or constraints? (Existing infrastructure, team skills, self-hosted requirements)
-22. Connectivity constraints? (Offline-first needed, low-bandwidth environments, mesh networking scenarios)
-23. Language and accessibility requirements? (Which languages, low-literacy users, assistive technology support)
-
-### Phase 6: Synthesize
-After gathering answers, synthesize into a specification document containing:
-- **Purpose statement** — one paragraph
-- **User personas** — who uses this, what are their risk profiles
-- **Threat model** — adversaries, attack surfaces, legal exposure
-- **Data boundaries** — what is stored, where, who can access, what crosses org boundaries
-- **Success criteria** — measurable outcomes
-- **Safety requirements** — emotional safety, anonymization, progressive disclosure
-- **Constraints** — budget, timeline, technology, connectivity, language
-- **Open questions** — what still needs clarification before design begins
-
-Present the synthesized spec to the stakeholder for confirmation before proceeding to design.
diff --git a/.claude/skills/security-audit/SKILL.md b/.claude/skills/security-audit/SKILL.md
deleted file mode 100644
index e23d042..0000000
--- a/.claude/skills/security-audit/SKILL.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-name: security-audit
-description: Security audit workflow for advocacy projects — dependency verification, zero-retention compliance, slopsquatting defense, encrypted storage, instruction file integrity, device seizure readiness, ag-gag exposure assessment
----
-# Security Audit
-
-## When to Use
-- Before deploying any change to production
-- When new dependencies are added
-- When code touches investigation data, witness identities, or coalition coordination
-- After AI-generated code has been added to security-sensitive paths
-- Periodically as a scheduled review of the full codebase
-
-## Process
-
-### Step 1: Dependency Audit — Slopsquatting Defense
-Approximately 20% of AI-recommended packages do not exist. Attackers register these hallucinated names as real packages containing malicious code — one was downloaded 30,000+ times in weeks. For EVERY dependency: verify the package exists in its registry, has legitimate maintainers with real commit history, and the version is published. Only 1 in 5 AI-recommended dependency versions are both safe and free from hallucination. In advocacy software, a compromised dependency can exfiltrate investigation data or activist identities.
-
-### Step 2: API Retention Policy Audit
-For every external API: verify the data retention policy contractually, not by assumption. Confirm zero-retention configuration is in effect for all sensitive data flows. Check whether the API retains inputs, logs request metadata, or stores conversation history. Telemetry to third parties is a data exfiltration vector under adversarial legal discovery. Any API handling investigation footage, witness identities, or activist communications must be zero-retention.
-
-### Step 3: Storage Encryption Audit
-Verify all locally stored investigation data, evidence, and activist records use encrypted volumes with plausible deniability — the existence of sensitive data must be deniable under device seizure. Check for temporary files, swap files, crash dumps, or caches containing decrypted content. Verify encryption keys are not stored alongside encrypted data. Test: if the device powers off unexpectedly, is any sensitive data recoverable without credentials?
-
-### Step 4: Input Validation Review
-AI-generated code contains OWASP Top 10 vulnerabilities in 45% of cases — 2.74x more than human code. For every input boundary:
-- Verify SQL injection defenses on all database-facing inputs
-- Verify XSS protection on all content display paths, especially witness testimony and investigation notes
-- Verify path traversal protection on evidence file uploads
-- Verify authentication and authorization checks on every endpoint
-- Assume adversarial input on every public-facing surface — industry actors will probe investigation tools
-
-### Step 5: Instruction File Integrity Check
-The "Rules File Backdoor" attack uses hidden Unicode characters in instruction files to inject invisible directives that make AI agents produce malicious output. Inspect all instruction files for non-printable characters beyond standard whitespace. Diff changes character-by-character, not just visually. Verify no instruction file weakens encryption, disables safety checks, or sends data to external endpoints. Treat instruction files as security-critical artifacts — in advocacy projects, a compromised instruction file could direct the AI to leak investigation data.
-
-### Step 6: MCP Server Audit
-For every MCP server: verify servers handling sensitive advocacy data are self-hosted. Audit each server's data access patterns, network egress, and data retention. MCP extends agent capabilities but also extends the attack surface — check whether any server can exfiltrate data regardless of application-level encryption.
-
-### Step 7: Device Seizure Readiness
-Verify remote wipe capability exists for all sensitive data. Verify encrypted volumes lock automatically on suspicious conditions (unexpected power loss, extended inactivity). Check that the application does not leak data on unexpected termination — no temp files with decrypted content, no swap files with sensitive state, no crash dumps with investigation data. Test: kill the process unexpectedly and examine what remains on disk.
-
-### Step 8: Ag-Gag Exposure Assessment
-Investigation footage is discoverable evidence under legal proceedings:
-- Audit every data flow assuming adversarial legal discovery, not just adversarial hackers
-- Verify metadata stripping on all investigation content (timestamps, geolocation, device identifiers)
-- Verify audit logs protect the identities they record — logs identifying who accessed investigation data become prosecution tools
-- Check: if a court subpoena targeted this system, what would be disclosed? Minimize that surface.
-
-### Step 9: Coalition Data Boundary Verification
-- Verify data isolation between coalition partners with different risk profiles
-- Verify anti-corruption layers exist at every boundary crossing between bounded contexts
-- Verify data sharing agreements are enforced in code, not just in policy documents
-- Check: if one coalition partner is legally compelled to disclose, what is the blast radius to other partners?
-- Verify shared data has been transformed appropriately — strip identifying information before sharing across risk tiers
-
-### Step 10: Findings Report
-Document findings with severity classification:
-- **Critical** — active data leak, missing encryption, compromised dependency, exposed witness identity
-- **High** — weak input validation, missing zero-retention verification, unaudited MCP server
-- **Medium** — incomplete metadata stripping, untested seizure scenario, missing contract tests at boundaries
-- **Low** — documentation gaps, minor configuration improvements
-
-Block deployment on any Critical or High finding. Track all findings to resolution.
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
index d0381f9..d74dbc0 100644
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -1,18 +1,102 @@
-# .coderabbit.yaml
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+# Classification: tooling-library (≥70 desloppify threshold per handbook/ci-cd.md)
+# Source: handbook/ci-templates/coderabbit.yaml in Open-Paws/context
+
 language: en-US
+
+tone_instructions: "Direct and concise. Flag actionable issues only. Use movement terminology: campaign, investigation, coalition, farmed animal, slaughterhouse. This is a tooling library — DRY violations and quality drift here are especially ironic; apply extra rigor."
+
 reviews:
-  profile: chill          # don't nitpick style; focus on correctness
-  request_changes_workflow: false   # don't block; flag and comment
+  profile: assertive
+  request_changes_workflow: true
   high_level_summary: true
   poem: false
   review_status: true
+  estimate_code_review_effort: true
+  suggested_labels: true
+  auto_apply_labels: false
+
+  path_filters:
+    - "!dist/**"
+    - "!node_modules/**"
+    - "!**/*.lock"
+    - "!**/*.generated.*"
+    - "!.claude/worktrees/**"
+
+  path_instructions:
+    - path: ".claude/**"
+      instructions: |
+        Scan for hidden Unicode (zero-width spaces, directional overrides, homoglyphs) — Rules File Backdoor attack vector.
+        Flag any hook additions that expand scope beyond the declared task.
+        No activist identities, investigation operation names, or witness data in instruction files.
+    - path: "**/*.test.{ts,js,py}"
+      instructions: |
+        Check three things per test: (1) would it fail if the covered behavior broke? (2) does it encode a domain rule? (3) would mutation testing kill it?
+        Reject: snapshot traps, mock-everything integration tests, happy-path-only, coverage theater.
+
   auto_review:
     enabled: true
+    auto_incremental_review: true
+    ignore_title_keywords: ["WIP", "DO NOT MERGE"]
     drafts: false
     base_branches: ["main"]
+    ignore_usernames: ["dependabot[bot]", "renovate[bot]"]
+
+  pre_merge_checks:
+    custom_checks:
+      - name: "No speciesist idioms"
+        mode: "error"
+        instructions: "Fail on speciesist idioms: industry animal framing for farmed animals, hierarchical primary/secondary terms, gating/exclusion list variants, herd infrastructure metaphors, animal test-subject metaphors, killing idioms used as efficiency metaphors, and industry euphemisms for factory farming. See no-animal-violence ruleset for the full pattern list."
+      - name: "No hardcoded secrets or credentials"
+        mode: "error"
+        instructions: "Fail if non-test files contain hardcoded API keys, tokens, passwords, or credentials."
+      - name: "No Tier 3 data committed"
+        mode: "error"
+        instructions: "Fail if any file contains activist or whistleblower real names combined with contact info or location, legal strategy or case files, or NGO internal financials. These are Tier 3 data per handbook/security.md."
+
+  finishing_touches:
+    unit_tests:
+      enabled: true
+    custom:
+      - name: "fix NAV violations"
+        instructions: "Replace speciesist idioms in changed files per https://github.com/Open-Paws/no-animal-violence"
+
+  tools:
+    semgrep:
+      enabled: true
+      config_file: "semgrep-no-animal-violence.yaml"
+    trufflehog:
+      enabled: true
+    github-checks:
+      enabled: true
+      timeout_ms: 90000
 
 chat:
   auto_reply: true
+  art: false
 
 knowledge_base:
-  opt_out: true           # don't train on our codebase
+  opt_out: false
+  web_search:
+    enabled: false
+  code_guidelines:
+    enabled: true
+    filePatterns:
+      - "**/CLAUDE.md"
+      - "**/AGENTS.md"
+  learnings:
+    scope: local
+  pull_requests:
+    scope: local
+  jira:
+    usage: disabled
+  linear:
+    usage: disabled
+  mcp:
+    usage: disabled
+
+code_generation:
+  unit_tests:
+    path_instructions:
+      - path: "**"
+        instructions: "Every test must fail if the covered behavior breaks. No snapshot tests. Mock only at external API boundaries."
diff --git a/.gitignore b/.gitignore
index 7b47705..570c7d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -101,3 +101,7 @@ build/
 # State files are local only; config.json (suppressions) is tracked
 .desloppify/
 !.desloppify/config.json
+
+# Claude Code agent state — never commit
+.claude/agent-memory/
+.claude/worktrees/