feat: Migrate from agent markdown files to Skills, Rules, and Sub-Agents

Replace the manual "read .claude/agents/*.md" workflow with native
Claude Code features for a more efficient, scalable development experience:

- **Skills** (.claude/skills/): 7 auto-discovered slash commands
  (/requirements, /architecture, /frontend, /backend, /qa, /deploy, /help)
  with forked sub-agents for heavy tasks and inline execution for interactive ones
- **Rules** (.claude/rules/): 4 modular rule files (general, frontend, backend,
  security) auto-applied based on file context
- **Sub-Agents** (.claude/agents/): Lightweight configs for frontend-dev,
  backend-dev, and qa-engineer with model, tool, and turn limit settings
- **Context Engineering**: Layered context loading, context isolation via
  forked skills, built-in context recovery after compaction, and
  "always read, never guess" rules to prevent hallucinated code references
- **CLAUDE.md**: Auto-loaded project context replacing PROJECT_CONTEXT.md
- **Feature tracking**: features/INDEX.md as persistent state across sessions
- **Production guides**: docs/production/ for error tracking, security,
  performance, database optimization, and rate limiting
- **Init Mode**: /requirements detects empty PRD and bootstraps full project
  setup (PRD + all feature specs) from a single project description

Removed: 6 monolithic agent files, PROJECT_CONTEXT.md, HOW_TO_USE_AGENTS.md,
TEMPLATE_CHANGELOG.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/production/security-headers.md

@@ -0,0 +1,64 @@
+# Security Headers Configuration
+
+Protect against XSS, Clickjacking, MIME sniffing, and other common web attacks.
+
+## Setup
+
+Add security headers to `next.config.ts`:
+
+```typescript
+import type { NextConfig } from 'next'
+
+const nextConfig: NextConfig = {
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: [
+          {
+            key: 'X-Frame-Options',
+            value: 'DENY',
+          },
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff',
+          },
+          {
+            key: 'Referrer-Policy',
+            value: 'origin-when-cross-origin',
+          },
+          {
+            key: 'Strict-Transport-Security',
+            value: 'max-age=31536000; includeSubDomains',
+          },
+        ],
+      },
+    ]
+  },
+}
+
+export default nextConfig
+```
+
+## What Each Header Does
+
+| Header | Protection |
+|--------|-----------|
+| X-Frame-Options: DENY | Prevents your site from being embedded in iframes (clickjacking) |
+| X-Content-Type-Options: nosniff | Prevents browsers from guessing content types (MIME sniffing) |
+| Referrer-Policy | Controls how much URL info is sent to other sites |
+| Strict-Transport-Security | Forces HTTPS connections |
+
+## Verify After Deployment
+1. Open Chrome DevTools
+2. Go to Network tab
+3. Click on any request to your site
+4. Check Response Headers section
+5. Verify all 4 headers are present
+
+## Advanced (Optional)
+**Content-Security-Policy (CSP)** - The most powerful header, but can break your app if misconfigured. Only add after thorough testing:
+```
+Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
+```
+Start with report-only mode first: `Content-Security-Policy-Report-Only`