docs: remove all em dashes and fix remaining positioning leads

.archgate/adrs/ARCH-006-dependency-policy.rules.ts

@@ -16,7 +16,7 @@ export default {
         try {
           pkg = await ctx.readJSON("package.json");
         } catch {
-          return; // No package.json — nothing to check
+          return; // No package.json, nothing to check
         }
 
         const deps = Object.keys(pkg.dependencies ?? {});

.archgate/adrs/ARCH-009-platform-detection-helper.rules.ts

@@ -20,7 +20,7 @@ export default {
           for (const m of fileMatches) {
             ctx.report.violation({
               message:
-                "Do not access process.platform directly — use isWindows(), isMacOS(), isLinux(), or getPlatformInfo() from src/helpers/platform.ts instead.",
+                "Do not access process.platform directly. Use isWindows(), isMacOS(), isLinux(), or getPlatformInfo() from src/helpers/platform.ts instead.",
               file: m.file,
               line: m.line,
               fix: 'Import { isWindows } from "../helpers/platform" (or the appropriate helper) and use it instead of process.platform',

ASSURANCE-CASE.md

@@ -19,8 +19,8 @@ Archgate is a CLI tool that enforces Architecture Decision Records (ADRs) as exe
 Archgate does **not**:
 
 - Modify source code or project files during checks
-- Store credentials on disk — authentication tokens are managed by the OS credential manager (macOS Keychain, Windows Credential Manager, Linux secret service)
-- Send telemetry or source code to external servers (telemetry is opt-in, anonymized, and contains only usage counts — see [Telemetry docs](https://cli.archgate.dev/reference/telemetry/))
+- Store credentials on disk. Authentication tokens are managed by the OS credential manager (macOS Keychain, Windows Credential Manager, Linux secret service)
+- Send telemetry or source code to external servers (telemetry is opt-in, anonymized, and contains only usage counts; see [Telemetry docs](https://cli.archgate.dev/reference/telemetry/))
 - Require network access for core functionality (`archgate check` is fully offline)
 
 ### 1.2 Threat Categories
@@ -83,32 +83,32 @@ Archgate does **not**:
                     └─────────────┘
 ```
 
-**Boundary 1 — Rule Sandbox:** `.rules.ts` files are untrusted code. They execute within a restricted context that blocks dangerous APIs and scopes file access to the project root.
+**Boundary 1, Rule Sandbox:** `.rules.ts` files are untrusted code. They execute within a restricted context that blocks dangerous APIs and scopes file access to the project root.
 
-**Boundary 2 — CLI Process:** The CLI itself runs with the user's permissions. It reads project files and manages its own cache directory (`~/.archgate/`). Authentication tokens are delegated to the OS credential manager. It does not require elevated privileges.
+**Boundary 2, CLI Process:** The CLI itself runs with the user's permissions. It reads project files and manages its own cache directory (`~/.archgate/`). Authentication tokens are delegated to the OS credential manager. It does not require elevated privileges.
 
-**Boundary 3 — Network:** Network access is only used for binary downloads (install/upgrade), plugin installation (authenticated), and optional anonymized telemetry. No analytics services are contacted. Core functionality (`archgate check`) is fully offline.
+**Boundary 3, Network:** Network access is only used for binary downloads (install/upgrade), plugin installation (authenticated), and optional anonymized telemetry. No analytics services are contacted. Core functionality (`archgate check`) is fully offline.
 
 ## 3. Secure Design Principles Applied
 
 ### 3.1 Least Privilege
 
-- **Rule sandbox is read-only.** The `RuleContext` API exposes `readFile`, `readJSON`, `grep`, `grepFiles`, and `glob` — all read-only operations. Rules cannot write files, spawn processes, or access the network.
-- **CI jobs use minimal permissions.** The documented CI configuration requests only `contents: read` — no secrets, deployment keys, or write permissions ([Security guide](https://cli.archgate.dev/guides/security/)).
-- **Credentials are delegated to the OS.** Authentication tokens are stored in the operating system's credential manager (macOS Keychain, Windows Credential Manager, Linux secret service) — never written to disk as plain-text files.
+- **Rule sandbox is read-only.** The `RuleContext` API exposes `readFile`, `readJSON`, `grep`, `grepFiles`, and `glob`, all read-only operations. Rules cannot write files, spawn processes, or access the network.
+- **CI jobs use minimal permissions.** The documented CI configuration requests only `contents: read`, with no secrets, deployment keys, or write permissions ([Security guide](https://cli.archgate.dev/guides/security/)).
+- **Credentials are delegated to the OS.** Authentication tokens are stored in the operating system's credential manager (macOS Keychain, Windows Credential Manager, Linux secret service). They are never written to disk as plain-text files.
 
 ### 3.2 Defense in Depth
 
 Two independent layers protect against malicious rules:
 
-1. **Static analysis security scanner** — Before any `.rules.ts` file is executed, the CLI parses its AST and rejects files containing dangerous patterns:
+1. **Static analysis security scanner.** Before any `.rules.ts` file is executed, the CLI parses its AST and rejects files containing dangerous patterns:
    - Imports of `node:fs`, `child_process`, `net`, `http`, `vm`, and other system modules
    - Bun-specific APIs: `Bun.spawn()`, `Bun.write()`, `Bun.file()`, `Bun.$`
    - Network access: `fetch()`
    - Code generation: `eval()`, `new Function()`
    - Obfuscation patterns: computed property access (`Bun[variable]`), `globalThis` assignment, dynamic `import()`
 
-2. **Runtime sandbox** — Even if a pattern bypasses the static scanner, the `RuleContext` API enforces path scoping (blocks `../`, absolute paths, and symlinks) and a 30-second timeout per rule.
+2. **Runtime sandbox.** Even if a pattern bypasses the static scanner, the `RuleContext` API enforces path scoping (blocks `../`, absolute paths, and symlinks) and a 30-second timeout per rule.
 
 ### 3.3 Input Validation
 
@@ -124,7 +124,7 @@ Two independent layers protect against malicious rules:
 
 ### 3.5 Minimal Attack Surface
 
-- **Minimal dependencies.** The project follows [ARCH-006 (Dependency Policy)](/.archgate/adrs/ARCH-006-dependency-policy.md): prefer Bun built-ins over third-party packages. All runtime dependencies are bundled into the compiled binary — the npm package has zero runtime `dependencies`.
+- **Minimal dependencies.** The project follows [ARCH-006 (Dependency Policy)](/.archgate/adrs/ARCH-006-dependency-policy.md): prefer Bun built-ins over third-party packages. All runtime dependencies are bundled into the compiled binary. The npm package has zero runtime `dependencies`.
 - **No daemon or server mode.** The CLI runs as a short-lived process. The MCP server uses stdio transport (no network listener).
 - **No shell execution.** The CLI never spawns shell commands. Git operations use `git ls-files` via Bun's process API with explicit arguments (no shell interpolation).
 
@@ -150,11 +150,11 @@ Two independent layers protect against malicious rules:
 
 ### 4.3 Information Disclosure
 
-| Risk                 | Countermeasure                                                                                                                                                                                                                                                                                              |
-| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Credential leakage   | Authentication tokens are stored in the OS credential manager (macOS Keychain, Windows Credential Manager, Linux secret service) — never written to disk as plain text. Tokens are never logged. Plugin install passes credentials via authenticated git URLs (not command-line arguments visible in `ps`). |
-| Source code exposure | Rules are read-only. `archgate check` output contains only violation messages (file paths and line numbers), not file contents.                                                                                                                                                                             |
-| Error messages       | Error output uses `logError()` (ARCH-002) which writes structured messages to stderr. Stack traces are only shown with `--verbose`.                                                                                                                                                                         |
+| Risk                 | Countermeasure                                                                                                                                                                                                                                                                                             |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Credential leakage   | Authentication tokens are stored in the OS credential manager (macOS Keychain, Windows Credential Manager, Linux secret service), never written to disk as plain text. Tokens are never logged. Plugin install passes credentials via authenticated git URLs (not command-line arguments visible in `ps`). |
+| Source code exposure | Rules are read-only. `archgate check` output contains only violation messages (file paths and line numbers), not file contents.                                                                                                                                                                            |
+| Error messages       | Error output uses `logError()` (ARCH-002) which writes structured messages to stderr. Stack traces are only shown with `--verbose`.                                                                                                                                                                        |
 
 ### 4.4 Availability
 
@@ -171,7 +171,7 @@ Two independent layers protect against malicious rules:
 - **CI pipeline** runs on every pull request: lint (Oxlint), typecheck (tsc --build), format check (Oxfmt), test suite (Bun test), ADR compliance check (`archgate check`), and build verification.
 - **OpenSSF Scorecard** runs weekly via GitHub Actions, publishing results to the GitHub Security tab.
 - **GitHub Security Advisories** are enabled for responsible vulnerability disclosure.
-- **Pinned dependencies** — all GitHub Actions use commit SHA pins, not mutable tags.
+- **Pinned dependencies.** All GitHub Actions use commit SHA pins, not mutable tags.
 
 ### 5.2 Manual Verification
 
@@ -181,8 +181,8 @@ Two independent layers protect against malicious rules:
 
 ## 6. References
 
-- [SECURITY.md](SECURITY.md) — Vulnerability reporting policy
-- [Security Guide](https://cli.archgate.dev/guides/security/) — Full trust model and CI best practices
-- [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/archgate/cli) — Automated security analysis
-- [ARCH-006: Dependency Policy](/.archgate/adrs/ARCH-006-dependency-policy.md) — Minimal dependency governance
-- [CII Best Practices Badge](https://www.bestpractices.dev/projects/9981) — OpenSSF Best Practices compliance
+- [SECURITY.md](SECURITY.md): Vulnerability reporting policy
+- [Security Guide](https://cli.archgate.dev/guides/security/): Full trust model and CI best practices
+- [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/archgate/cli): Automated security analysis
+- [ARCH-006: Dependency Policy](/.archgate/adrs/ARCH-006-dependency-policy.md): Minimal dependency rules
+- [CII Best Practices Badge](https://www.bestpractices.dev/projects/9981): OpenSSF Best Practices compliance

CONTRIBUTING.md

@@ -6,7 +6,7 @@ Thank you for your interest in contributing to Archgate CLI! We welcome all kind
 
 ## Architecture Decision Records (ADRs)
 
-Archgate dogfoods itself — the CLI is governed by its own ADRs in `.archgate/adrs/`. **Before writing any code, read the ADRs that apply to the area you're changing.**
+Archgate dogfoods itself. The CLI is governed by its own ADRs in `.archgate/adrs/`. **Before writing any code, read the ADRs that apply to the area you're changing.**
 
 ### Quick reference
 
@@ -29,7 +29,7 @@ bun run src/cli.ts adr list
 bun run src/cli.ts adr show ARCH-001
 ```
 
-ADR compliance is enforced automatically — `bun run validate` includes an ADR check step that verifies your changes against every rule. **Pull requests that violate an ADR will not pass CI.**
+ADR compliance is enforced automatically. `bun run validate` includes an ADR check step that verifies your changes against every rule. **Pull requests that violate an ADR will not pass CI.**
 
 ## Quick Start
 
@@ -199,8 +199,8 @@ git rebase --signoff HEAD~N  # where N is the number of commits to sign
 
 ## Guidelines
 
-- **Read the ADRs first** — all code changes must comply with the project's Architecture Decision Records
-- **Sign your commits** — all commits must include a `Signed-off-by` line (see DCO section above)
+- **Read the ADRs first**: all code changes must comply with the project's Architecture Decision Records
+- **Sign your commits**: all commits must include a `Signed-off-by` line (see DCO section above)
 - Follow the existing code style and conventions
 - Write clear, descriptive commit messages using [Conventional Commits](https://www.conventionalcommits.org/)
 - Add tests for new functionality when applicable

README.md

@@ -13,16 +13,16 @@
 
 ---
 
-AI agents write code fast, but they don't know your rules. Archgate turns your team's decisions into executable checks — a lint step for architecture, conventions, and AI output. Your agents read the rules before writing code, and `archgate check` blocks what slips through. In CI, in pre-commit hooks, and inside every major AI coding tool.
+AI agents write code fast, but they don't know your rules. Archgate turns your team's decisions into executable checks: a lint step for architecture, conventions, and AI output. Your agents read the rules before writing code, and `archgate check` blocks what slips through. In CI, in pre-commit hooks, and inside every major AI coding tool.
 
 **Write an ADR once. Enforce it everywhere.**
 
 ## How it works
 
 Archgate has two layers:
 
-1. **ADRs as documents** — markdown files with YAML frontmatter stored in `.archgate/adrs/`. Each ADR records a decision: what was decided, why, and what to do and not do.
-2. **ADRs as rules** — each ADR can have a companion `.rules.ts` file that exports automated checks. Archgate runs these checks against your codebase and reports violations.
+1. **ADRs as documents**: markdown files with YAML frontmatter stored in `.archgate/adrs/`. Each ADR records a decision: what was decided, why, and what to do and not do.
+2. **ADRs as rules**: each ADR can have a companion `.rules.ts` file that exports automated checks. Archgate runs these checks against your codebase and reports violations.
 
 ```
 .archgate/
@@ -33,7 +33,7 @@ Archgate has two layers:
     └── ARCH-002-error-handling.rules.ts
 ```
 
-When a rule is violated, `archgate check` reports the file, line, and which ADR was broken. Exit code 1 means violations — wire it into CI and it blocks merges automatically.
+When a rule is violated, `archgate check` reports the file, line, and which ADR was broken. Exit code 1 means violations. Wire it into CI and it blocks merges automatically.
 
 **The CLI is free and open source.** Writing ADRs, enforcing rules, running checks in CI, and wiring up pre-commit hooks all work without an account or subscription.
 
@@ -64,7 +64,7 @@ Each ADR can have a companion `.rules.ts` file that exports automated checks. Se
 
 ## Supercharge with AI plugins
 
-> **Make your AI agent architecture-aware.** With the optional editor plugins, your AI coding agent reads ADRs before writing code, validates changes against your rules, and captures new architectural patterns back into ADRs — automatically.
+> **Make your AI agent architecture-aware.** With the optional editor plugins, your AI coding agent reads ADRs before writing code, validates changes against your rules, and captures new architectural patterns back into ADRs, automatically.
 >
 > Plugins are available for [**Claude Code**](https://cli.archgate.dev/guides/claude-code-plugin/) and [**Cursor**](https://cli.archgate.dev/guides/cursor-integration/).
 >
@@ -73,11 +73,11 @@ Each ADR can have a companion `.rules.ts` file that exports automated checks. Se
 > archgate init              # installs the plugin automatically
 > ```
 >
-> **[Get started with plugins](https://cli.archgate.dev/guides/claude-code-plugin/)** — the CLI works fully without them, but plugins close the loop between decisions and code.
+> **[Get started with plugins](https://cli.archgate.dev/guides/claude-code-plugin/)**. The CLI works fully without them, but plugins close the loop between decisions and code.
 
 ## Documentation
 
-Full documentation is available at **[cli.archgate.dev](https://cli.archgate.dev)** — including guides for writing ADRs, writing rules, CI integration, editor plugin setup, and the complete CLI reference.
+Full documentation is available at **[cli.archgate.dev](https://cli.archgate.dev)**, including guides for writing ADRs, writing rules, CI integration, editor plugin setup, and the complete CLI reference.
 
 ## Contributing