docs: comprehensive tutorial updates with SDK and Frontend chapters

New chapters:
- Chapter 32: SDK Development Tutorial
- Chapter 33: Frontend Development Tutorial

Major fixes:
- Chapter 11: Restored stdio transport with MCP Sampling support
- Chapter 9: Fixed JSON-RPC line number references
- Appendix A: Added anyhow prohibition, LazyLock/OnceLock guidance
- Appendix B: Complete rewrite matching current CLAUDE.md
- Appendix D: Added COROS provider, Recipe Management (7 tools)
- Appendix H: Added ProtocolError variants (24 total)

Line number updates across 15+ chapters to match current codebase.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: jfarcand

src/SUMMARY.md

@@ -52,6 +52,8 @@
 - [SDK CLI Usage](./chapter-29-sdk-cli-usage.md)
 - [Performance](./chapter-30-performance.md)
 - [Adding New Tools](./chapter-31-adding-new-tools.md)
+- [SDK Development](./chapter-32-sdk-development.md)
+- [Frontend Development](./chapter-33-frontend-development.md)
 
 # Appendices
 

src/appendix-a-rust-idioms.md

@@ -19,6 +19,40 @@ let data = fetch_data()?; // Returns early if error
 pub struct DbError(String);
 ```
 
+### Structured Error Types (REQUIRED)
+
+**CRITICAL**: Pierre prohibits `anyhow::anyhow!()` macro in all production code. All errors MUST use structured error types.
+
+**Correct patterns**:
+```rust
+// GOOD: Using structured error types
+return Err(AppError::not_found(format!("User {user_id}")));
+return Err(DatabaseError::ConnectionFailed { source: e.to_string() }.into());
+
+// GOOD: Mapping external errors to structured types
+external_lib_call().map_err(|e| AppError::internal(format!("API failed: {e}")))?;
+
+// GOOD: Adding context to structured errors
+database_operation().context("Failed to fetch user profile")?;
+```
+
+**Prohibited patterns (ZERO TOLERANCE)**:
+```rust
+// ❌ FORBIDDEN: Using anyhow::anyhow!()
+return Err(anyhow::anyhow!("User not found"));
+
+// ❌ FORBIDDEN: In map_err closures
+.map_err(|e| anyhow!("Failed: {e}"))?;
+
+// ❌ FORBIDDEN: In ok_or_else
+.ok_or_else(|| anyhow!("Not found"))?;
+```
+
+**Why structured errors?**
+- Enable type-safe error handling and proper HTTP status code mapping
+- Support better error messages, logging, and debugging
+- Make error handling testable and maintainable
+
 ## Option and Result Patterns
 
 **`Option::is_some_and`**: Check Some and condition in one call.
@@ -84,12 +118,33 @@ use zeroize::Zeroize;
 secret.zeroize(); // Overwrite with zeros
 ```
 
-**`OnceLock`**: Thread-safe lazy static initialization.
+**`LazyLock`**: Thread-safe lazy static initialization (Rust 1.80+, preferred).
 ```rust
-static CONFIG: OnceLock<Config> = OnceLock::new();
-CONFIG.get_or_init(|| Config::load());
+use std::sync::LazyLock;
+
+// Initialization function runs once on first access
+static CONFIG: LazyLock<Config> = LazyLock::new(|| Config::load());
+
+// Usage - always initialized
+let cfg = &*CONFIG; // Deref to get &Config
 ```
 
+**`OnceLock`**: Thread-safe one-time initialization with runtime values.
+```rust
+use std::sync::OnceLock;
+
+// When you need to set the value dynamically at runtime
+static RUNTIME_CONFIG: OnceLock<Config> = OnceLock::new();
+
+fn initialize(config: Config) {
+    RUNTIME_CONFIG.get_or_init(|| config);
+}
+```
+
+**When to use which**:
+- `LazyLock`: Initialization is known at compile time (replaces `lazy_static!`)
+- `OnceLock`: Initialization depends on runtime values or must be deferred
+
 ## Memory Allocation Guidance
 
 ### When to Use Each Smart Pointer
@@ -224,7 +279,9 @@ let activities_ref = activities.clone(); // Cheap
 ## Key Takeaways
 
 1. **Error propagation**: Use `?` operator for clean error handling.
-2. **Trait objects**: `Arc<dyn Trait>` for shared polymorphism.
-3. **Async traits**: `#[async_trait]` macro enables async methods in traits.
-4. **Type safety**: Enums and `#[must_use]` prevent common mistakes.
-5. **Secure memory**: `zeroize` crate for cryptographic key cleanup.
+2. **Structured errors**: `anyhow!()` is forbidden in production code. Use `AppError`, `DatabaseError`, `ProviderError` enums.
+3. **Trait objects**: `Arc<dyn Trait>` for shared polymorphism.
+4. **Async traits**: `#[async_trait]` macro enables async methods in traits.
+5. **Type safety**: Enums and `#[must_use]` prevent common mistakes.
+6. **Secure memory**: `zeroize` crate for cryptographic key cleanup.
+7. **Lazy statics**: Use `std::sync::LazyLock` (Rust 1.80+) for compile-time-known lazy initialization, `OnceLock` for runtime values.

src/appendix-b-claude-md.md

@@ -1,56 +1,234 @@
 <!-- SPDX-License-Identifier: MIT OR Apache-2.0 -->
 <!-- Copyright (c) 2025 Pierre Fitness Intelligence -->
 
-# Appendix B: CLAUDE.md Compliance Checklist
+# Appendix B: CLAUDE.md Compliance Reference
 
-Quick checklist for CLAUDE.md code standards compliance.
+Comprehensive reference for Pierre codebase standards from `.claude/CLAUDE.md`.
 
 ## Error Handling (Zero Tolerance)
 
-- [ ] **No `anyhow::anyhow!()`**: Use `AppError` or specific error types
-- [ ] **No `unwrap()`**: Use `?` operator or `unwrap_or`
-- [ ] **No `panic!()`**: Return `Result` instead
-- [ ] **Structured errors**: Use `thiserror` with named fields
+### Structured Error Types (REQUIRED)
 
-## Module Organization
+All errors MUST use project-specific error enums:
+
+```rust
+// ✅ GOOD: Structured error types
+return Err(AppError::not_found(format!("User {user_id}")));
+return Err(DatabaseError::ConnectionFailed { source: e.to_string() }.into());
+return Err(ProviderError::RateLimitExceeded {
+    provider: "Strava".to_string(),
+    retry_after_secs: 3600,
+    limit_type: "Daily quota".to_string(),
+});
+
+// ✅ GOOD: Mapping external errors
+external_lib_call().map_err(|e| AppError::internal(format!("API failed: {e}")))?;
+```
+
+### Prohibited Patterns (CI Failure)
+
+```rust
+// ❌ FORBIDDEN: anyhow::anyhow!()
+return Err(anyhow::anyhow!("User not found"));
+
+// ❌ FORBIDDEN: anyhow! macro shorthand
+return Err(anyhow!("Invalid input"));
+
+// ❌ FORBIDDEN: In map_err closures
+.map_err(|e| anyhow!("Failed: {e}"))?;
+
+// ❌ FORBIDDEN: In ok_or_else
+.ok_or_else(|| anyhow!("Not found"))?;
+```
+
+### `unwrap()` and `expect()` Rules
+
+- **`unwrap()`**: Only in tests, static data, or binary `main()`
+- **`expect()`**: Only for documenting invariants that should never fail:
+  ```rust
+  // ✅ OK: Static/compile-time data
+  "127.0.0.1".parse().expect("valid IP literal")
+
+  // ❌ FORBIDDEN: Runtime errors
+  user_input.parse().expect("should be valid") // NO!
+  ```
+
+## Code Style Requirements
+
+### File Headers (REQUIRED)
+
+All code files MUST start with ABOUTME comments:
+
+```rust
+// ABOUTME: Brief description of what this module does
+// ABOUTME: Additional context about the module's responsibility
+```
+
+### Import Style (Enforced by Clippy)
+
+Use `use` imports at the top of the file. Avoid inline qualified paths:
+
+```rust
+// ✅ GOOD: Import at top of file
+use crate::models::User;
+use std::collections::HashMap;
+
+fn example() {
+    let user = User::new();
+    let map = HashMap::new();
+}
+
+// ❌ BAD: Inline qualified paths
+fn example() {
+    let user = crate::models::User::new();  // NO!
+    let map = std::collections::HashMap::new();  // NO!
+}
+```
+
+### Naming Conventions
+
+- **NEVER** use `_` prefix for unused variables (fix the unused variable properly)
+- **NEVER** name things `improved`, `new`, `enhanced` - code naming should be evergreen
+- **NEVER** add placeholder, `dead_code`, or mock code in production
+
+### Comments
 
-- [ ] **Public API in mod.rs**: Re-export public items
-- [ ] **Private implementation**: Keep internals private
-- [ ] **Logical grouping**: Related functionality in same module
-- [ ] **Feature flags**: Conditional compilation for database backends
+- **NEVER** remove existing comments unless provably false
+- Comments should be evergreen - avoid temporal references ("after refactor", "recently changed")
+- Use `///` for public API documentation
+- Use `//` for inline implementation comments
 
-## Documentation
+## Tiered Validation Approach
 
-- [ ] **Doc comments**: `///` for public items
-- [ ] **Examples**: Include usage examples in doc comments
-- [ ] **Error cases**: Document when functions return errors
-- [ ] **Safety**: Document `unsafe` code (if unavoidable)
+### Tier 1: Quick Iteration (during development)
 
-## Testing
+```bash
+cargo fmt
+cargo check --quiet
+cargo test <test_name_pattern> -- --nocapture
+```
 
-- [ ] **Unit tests**: Test individual functions
-- [ ] **Integration tests**: Test component interaction
-- [ ] **Deterministic**: Use seeded RNG for reproducible tests
-- [ ] **No external dependencies**: Use synthetic data, not OAuth
+### Tier 2: Pre-Commit (before committing)
 
-## Security
+```bash
+cargo fmt
+./scripts/architectural-validation.sh
+cargo clippy --all-targets -- -D warnings -D clippy::all -D clippy::pedantic -D clippy::nursery -W clippy::cognitive_complexity
+cargo test <module_pattern> -- --nocapture
+```
 
-- [ ] **Input validation**: Validate all user inputs
-- [ ] **SQL injection prevention**: Use parameterized queries
-- [ ] **Secret management**: Never hardcode secrets
-- [ ] **Secure memory**: `zeroize` for cryptographic keys
+**CRITICAL**: Always use `--all-targets` with clippy. Without it, clippy misses lint errors in `tests/`, `benches/`, and binary crates.
 
-## Performance
+### Tier 3: Full Validation (before PR/merge)
 
-- [ ] **Database pooling**: Reuse connections
-- [ ] **Async operations**: Use `tokio` for I/O
-- [ ] **Minimal cloning**: Only clone when necessary
-- [ ] **Efficient algorithms**: Use appropriate data structures
+```bash
+./scripts/lint-and-test.sh
+```
 
-## Key Takeaways
+Full test suite takes ~13 minutes (647 tests). Only run for PRs/merges.
+
+## Memory and Performance
+
+### Clone Usage Guidelines
+
+Document why each `clone()` is necessary:
+
+```rust
+// ✅ OK: Arc clone (cheap, self-documenting)
+let db_clone = database.clone();
+
+// ✅ OK: Documented clone
+let name = user.name.clone(); // Needed: ownership moves to async task
+tokio::spawn(async move {
+    process(name).await;
+});
+
+// ❌ BAD: Unnecessary clone
+let name = user.name.clone();
+println!("{}", name);  // Should just use &user.name
+```
+
+### Arc Usage
+
+- Only use when actual shared ownership required across threads
+- Document the sharing requirement in comments
+- Prefer `&T` references when data lifetime allows
+- Current count: ~107 Arc usages (appropriate for multi-tenant async architecture)
+
+### Lazy Statics
+
+```rust
+// ✅ GOOD: LazyLock for compile-time-known initialization (Rust 1.80+)
+use std::sync::LazyLock;
+static CONFIG: LazyLock<Config> = LazyLock::new(|| Config::load());
+
+// ✅ GOOD: OnceLock for runtime values
+use std::sync::OnceLock;
+static RUNTIME_CONFIG: OnceLock<Config> = OnceLock::new();
+```
+
+## Testing Requirements
+
+### Test Coverage Policy
+
+NO EXCEPTIONS: All code must have:
+- Unit tests
+- Integration tests
+- End-to-end tests
+
+Only skip with explicit authorization: "I AUTHORIZE YOU TO SKIP WRITING TESTS THIS TIME"
+
+### Test Targeting
+
+```bash
+# By test name (partial match)
+cargo test test_training_load
+
+# By test file
+cargo test --test intelligence_test
+
+# By module path
+cargo test intelligence::
+```
+
+## Security Requirements
+
+- **Input validation**: Validate all user inputs at boundaries
+- **SQL injection prevention**: Use parameterized queries
+- **Secret management**: Never hardcode secrets, use `zeroize` for crypto keys
+- **No `allow(clippy::...)` attributes** except for type conversion casts
+
+## Module Organization
 
-1. **Error handling**: Zero tolerance for `anyhow::anyhow!()` and `unwrap()`.
-2. **Module organization**: Clear public API, private internals.
-3. **Documentation**: Comprehensive doc comments with examples.
-4. **Testing**: Deterministic tests with synthetic data.
-5. **Security**: Input validation, parameterized queries, secret management.
+- Public API defined in `mod.rs` via re-exports
+- Use `pub(crate)` for internal APIs
+- Group related functionality in modules
+- Feature flags for conditional compilation (database backends)
+
+## Commit Protocol
+
+1. Run tiered validation (Tier 2 minimum)
+2. Create atomic commits with clear messages
+3. **NEVER** use `--no-verify` flag
+4. **NEVER** amend commits already pushed to remote
+
+## Key Compliance Checks
+
+| Check | Requirement |
+|-------|-------------|
+| `anyhow!()` macro | ❌ FORBIDDEN in production code |
+| `unwrap()` | Tests/static data/binary main only |
+| `#[allow(clippy::...)]` | Only for cast validations |
+| ABOUTME comments | REQUIRED on all source files |
+| `--all-targets` | REQUIRED with clippy |
+| Structured errors | REQUIRED via `AppError`, etc. |
+
+## Quick Checklist
+
+- [ ] No `anyhow::anyhow!()` in production code
+- [ ] No unwarranted `unwrap()` or `expect()`
+- [ ] ABOUTME comments at top of file
+- [ ] Use imports, not inline qualified paths
+- [ ] Document `clone()` usage when not Arc
+- [ ] Run clippy with `--all-targets`
+- [ ] Tests for all new functionality