Closed both session follow-ups: (1) oracle.arjtech.in + mirofish-oracl…

Decision

Closed both session follow-ups: (1) oracle.arjtech.in + mirofish-oracle.arjtech.in 502s resolved via traefik.enable=false earlier in session (now return 404 no-route, clean); (2) wired validate-traefik-labels.sh into a PostToolUse hook traefik-label-guard.py matching Write|Edit on docker-compose*.yml/.yaml. Hook is advisory (non-blocking stderr), skips retired/archived paths. Cascade updated: hooks-registry.md now lists the new hook with its trigger + closure context.

Rationale

AJ’s exact ask: “add a setup-curator check for traefik.enable=true + required co-labels, future regressions are impossible.” The standalone validator I built earlier was insufficient — it could catch issues at audit time but not at write time. The PostToolUse hook fires automatically on every docker-compose edit, catches the 2 exact failure modes that caused today’s incident (missing traefik.docker.network, unknown cert resolver like mytlschallenge), and surfaces findings in stderr so future Claude sessions self-correct in the same turn. Non-blocking design chosen over blocking because false positives would stall legitimate edits; Claude reading stderr and fixing gives faster feedback than Claude retrying blocked edits. Tested end-to-end: clean file silent, broken file surfaces both failure types, irrelevant file silent.

Alternatives Rejected

Outcome

Pending