standard_id-google 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77c483758db0802e58687b5c8ed4465ed8d4c5ecb1bd4af9f7078b6ed12d236b
-  data.tar.gz: '00569352c386b2b28c6cfacbdda6640f2bcaa287af315c2d15820726bc7a89be'
+  metadata.gz: 48adde03a7f835aa201d6874ff53cdf949b5cc92a123e42a3481421ff8d3ebb3
+  data.tar.gz: 52a7009ce1d2015890d8f56f461e49f307250feca184f80953eecadf13ef16a8
 SHA512:
-  metadata.gz: 528bb72eb448ce2f3c4078d64b31d9d91ab6602cd176279ead86226849c295a25494af7cb4a8b0703260f90b47bf5a77d094b5b137eef5506c4e46158052f7d7
-  data.tar.gz: 4cf122d55787bf6fa36902023afab87c4540c0a9824899447a7b0e81ce4082f9ca3a0f92d0f1d970067c61f7a52ab9638c97a7d7bd2fd3d5cd1d6f44a113c8a6
+  metadata.gz: 8865520036b8f389c0acd3d02607370ffa0b19822750e934cb04d2ac3d01cbf2d1c530627e76e01aadf5a1aa72ac5b095d4299d960067599e3196611855d7e30
+  data.tar.gz: c326578aecf2141db5e4f4d476242fafcda37699394121f1d7a7e14d1ff4af6cb4ff2f8cd4ff92950baef55cfad270155930f81acfcaeaf4972916a18d990ef8

data/.claude/hooks/enforce-worktree.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+# Enforce worktree-only file modifications for Claude Code
+#
+# Runs on PreToolUse for Edit, Write, and NotebookEdit tools.
+# Blocks all file modifications in the main checkout — changes must
+# happen inside a git worktree (.worktrees/<name>/).
+#
+# Exit codes:
+#   0 — allow (in a worktree, CI, or non-git path)
+#   2 — block (in main checkout)
+#
+# No programmatic bypass — this is intentional. If the hook itself has a bug,
+# a human must fix it manually (edit the file or remove from settings.json).
+#
+# Note: This hook covers Edit, Write, and NotebookEdit tools. Bash tool writes
+# (echo/sed/tee/cp) are not intercepted — the CLAUDE.md instruction is the
+# enforcement layer for those. Covering Bash reliably would require parsing
+# arbitrary shell commands, which is brittle.
+
+# Guard: jq required for JSON parsing
+if ! command -v jq >/dev/null 2>&1; then
+  exit 0
+fi
+
+# Skip in CI environments
+if [[ "${CI:-}" == "true" ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
+  exit 0
+fi
+
+INPUT=$(cat)
+TOOL_NAME=$(printf '%s' "$INPUT" | jq -r '.tool_name // ""') || exit 0
+
+# Extract file path based on tool (NotebookEdit uses notebook_path, not file_path)
+case "$TOOL_NAME" in
+  Edit|Write)
+    FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // ""') || exit 0
+    ;;
+  NotebookEdit)
+    FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.notebook_path // .tool_input.file_path // ""') || exit 0
+    ;;
+  *)
+    exit 0
+    ;;
+esac
+
+if [[ -z "$FILE_PATH" ]]; then
+  exit 0
+fi
+
+# Find an existing directory to run git commands in
+if [[ -d "$FILE_PATH" ]]; then
+  CHECK_DIR="$FILE_PATH"
+elif [[ -e "$FILE_PATH" ]]; then
+  CHECK_DIR=$(dirname "$FILE_PATH")
+else
+  # File doesn't exist yet — walk up to find an existing directory
+  CHECK_DIR=$(dirname "$FILE_PATH")
+  while [[ ! -d "$CHECK_DIR" ]] && [[ "$CHECK_DIR" != "/" ]]; do
+    CHECK_DIR=$(dirname "$CHECK_DIR")
+  done
+fi
+
+if [[ ! -d "$CHECK_DIR" ]]; then
+  exit 0
+fi
+
+# Check if we're inside a git repository at all
+GIT_DIR=$(cd "$CHECK_DIR" && git rev-parse --git-dir 2>/dev/null) || exit 0
+
+# Make relative paths absolute
+if [[ "$GIT_DIR" != /* ]]; then
+  GIT_DIR=$(cd "$CHECK_DIR" && cd "$GIT_DIR" && pwd) || exit 0
+fi
+
+# If git-dir contains /worktrees/, we're in a worktree — allow
+if [[ "$GIT_DIR" == *".git/worktrees/"* ]]; then
+  exit 0
+fi
+
+# We're in the main checkout — block
+echo "❌ Blocked: Cannot modify files in the main checkout." >&2
+echo "   Create a worktree first: /worktree or /start <issue>" >&2
+echo "   File: $FILE_PATH" >&2
+exit 2

data/.claude/settings.json

@@ -0,0 +1,24 @@
+{
+  "permissions": {
+    "allow": [
+      "Skill(worktree)",
+      "Skill(start)",
+      "Bash(git worktree:*)",
+      "Bash(git stash:*)"
+    ]
+  },
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write|NotebookEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/enforce-worktree.sh",
+            "timeout": 10
+          }
+        ]
+      }
+    ]
+  }
+}

data/.claude/skills/publish-gem/SKILL.md

@@ -0,0 +1,211 @@
+---
+name: publish-gem
+description: "Publish a Ruby gem to RubyGems.org via CI. Use when the user says 'publish gem', 'push gem', 'release gem', or '/publish-gem'. Handles version bump, changelog, build verification, PR, tagging, and CI-driven publish."
+---
+
+# Publish Gem Skill
+
+Prepare and publish a Ruby gem to RubyGems.org via GitHub Actions trusted publishing.
+
+Publishing is done by CI (not locally) — pushing a version tag triggers the `release.yml` workflow which builds the gem, creates a GitHub Release, and pushes to RubyGems via OIDC. This skill handles everything up to and including the tag push.
+
+## Usage
+
+```
+/publish-gem              # Full release flow
+/publish-gem --dry-run    # Verify everything, stop before PR creation
+```
+
+## Workflow
+
+### 1. Verify Context
+
+Confirm we're in a gem project:
+
+```bash
+# Check current branch
+git branch --show-current
+
+# Must have a .gemspec file
+ls *.gemspec
+```
+
+**Blockers:**
+- No `.gemspec` found — stop, not a gem project
+- Multiple `.gemspec` files found — ask the user which one to build
+
+**Branch handling:**
+- If not on `main`, switch automatically: `git checkout main` (publishing from non-main is almost never intentional). If the user explicitly requested publishing from a non-main branch, warn and ask for confirmation before switching.
+- After switching (or if already on `main`), always sync with remote:
+  ```bash
+  git pull --rebase origin main
+  ```
+- If the rebase fails due to conflicts, stop and ask the user to resolve them before proceeding
+- After syncing, verify the working tree is clean (`git status --porcelain`). Warn if dirty — the build may include uncommitted changes.
+- Clean up any stale `.gem` files in the working directory before proceeding:
+  ```bash
+  rm -f *.gem
+  ```
+
+### 2. Extract Gem Metadata
+
+Read the gemspec to extract key details:
+
+```bash
+# Get gem name and version
+ruby -e "spec = Gem::Specification.load(Dir['*.gemspec'].first); puts \"#{spec.name} #{spec.version}\""
+```
+
+Also read and display:
+- Current version from the gemspec
+- CHANGELOG.md entry for this version (if exists)
+- `spec.files` count to verify packaging
+
+### 3. Pre-Publish Checks
+
+```bash
+# Check if this version is already published on RubyGems.org
+gem info -r <gem_name> -v <version>
+
+# Check if CHANGELOG.md exists when gemspec references it
+ruby -e "spec = Gem::Specification.load(Dir['*.gemspec'].first); puts spec.metadata['changelog_uri']"
+test -f CHANGELOG.md && echo "CHANGELOG.md found" || echo "CHANGELOG.md missing"
+```
+
+**Blockers:**
+- Version already published — ask the user what version to bump to (suggest next patch/minor/major). If the user declines, abort the publish.
+
+**Warnings:**
+- Gemspec `changelog_uri` is set but `CHANGELOG.md` does not exist locally — warn the user. This will result in a broken link on RubyGems.org.
+- CHANGELOG.md has no entry for the version being published — warn the user. The `release.yml` workflow will fail if no changelog entry exists for the version.
+
+### 4. Version Bump (if needed)
+
+When the current version is already published, or the user requests a bump:
+
+1. Update `lib/<gem_name>/version.rb` with the new version
+2. Run `bundle install` to sync `Gemfile.lock`
+
+**Critical:** Always run `bundle install` after changing the version to keep `Gemfile.lock` in sync. Skipping this causes CI failures.
+
+### 5. Update CHANGELOG.md
+
+If the `[Unreleased]` section in CHANGELOG.md has content:
+1. Rename `[Unreleased]` to `[<version>] - <today's date>` (format: YYYY-MM-DD)
+2. Add a new empty `[Unreleased]` section above it
+
+If `[Unreleased]` is empty, warn the user and ask if they want to proceed without changelog entries for this version.
+
+### 6. Run Tests
+
+```bash
+bundle exec rspec
+```
+
+**Blockers:**
+- Tests fail — stop and ask the user to fix. Do not proceed with a failing test suite.
+
+### 7. Build Verification
+
+```bash
+gem build <name>.gemspec
+```
+
+Verify the `.gem` file was created, show its size, then clean up:
+
+```bash
+rm <name>-<version>.gem
+```
+
+### 8. Release Summary
+
+Present a summary before proceeding:
+
+```
+## Release Summary
+
+Name:     <gem_name>
+Version:  <version>
+Files:    <file count> files in gem
+Registry: https://rubygems.org (published by CI via trusted publisher)
+
+Changelog:
+  <first few lines of the version's CHANGELOG entry>
+
+Next steps:
+  1. Create version bump PR
+  2. Merge PR (manual)
+  3. Tag release → CI publishes to RubyGems + creates GitHub Release
+```
+
+If `--dry-run` was passed, stop here.
+
+### 9. Create Version Bump PR
+
+Commit the version bump, changelog, and lockfile on a branch and open a PR:
+
+```bash
+git checkout -b chore/release-v<version>
+git add lib/<gem_name>/version.rb Gemfile.lock CHANGELOG.md
+git commit -m "chore: Release v<version>"
+git push -u origin chore/release-v<version>
+gh pr create --title "chore: Release v<version>" --body "$(cat <<'EOF'
+## Release v<version>
+
+<changelog entry for this version>
+
+After merging, Claude will tag `v<version>` which triggers CI to:
+- Create a GitHub Release with changelog notes
+- Build and publish the gem to RubyGems.org via trusted publisher
+EOF
+)"
+```
+
+Tell the user to review and merge the PR, then let you know when it's merged.
+
+### 10. Tag the Release (after PR merge)
+
+When the user confirms the PR is merged:
+
+```bash
+# Sync main — use reset to avoid divergent branch issues from squash merge
+git checkout main
+git fetch origin main
+git reset --hard origin/main
+
+# Tag the merged commit
+git tag -a v<version> -m "Release v<version>"
+git push origin v<version>
+
+# Clean up the bump branch locally
+# -D needed because squash merge doesn't preserve individual commits in main's history
+git branch -D chore/release-v<version>
+# Remote branch may already be deleted by GitHub's auto-delete setting — ignore errors
+git push origin --delete chore/release-v<version> 2>/dev/null || true
+```
+
+The tag push triggers `release.yml` which:
+1. Verifies the tag version matches `version.rb`
+2. Waits for CI to pass
+3. Extracts changelog notes and creates a GitHub Release
+4. Builds the gem and publishes to RubyGems.org via OIDC trusted publisher
+
+### 11. Output
+
+Report:
+1. RubyGems URL: `https://rubygems.org/gems/<name>` (available after CI completes)
+2. Git tag created: `v<version>`
+3. GitHub Release + RubyGems publish: triggered by CI — link: `https://github.com/<owner>/<repo>/actions`
+4. Remind: allow a few minutes for CI to complete, then the gem will appear on RubyGems and the GitHub Release will be created
+
+## Error Handling
+
+| Error | Solution |
+|-------|----------|
+| `gem build` fails | Fix gemspec errors and retry |
+| Tests fail | Fix tests before proceeding |
+| Tag already exists | Version was previously tagged — skip tagging |
+| Tag push fails | Likely a permissions issue — report and continue |
+| Remote branch already deleted | GitHub auto-deleted it — ignore the error |
+| User declines version bump | Abort the publish |
+| CI publish fails | Check the Actions tab — common causes: trusted publisher not configured on RubyGems.org, `rubygems` environment not set up in GitHub repo settings, or version mismatch between tag and version.rb |

data/.claude/skills/start/SKILL.md

@@ -0,0 +1,185 @@
+---
+name: start
+description: "Start working on Linear issues. Use when the user says 'start working on', 'pick up issue', 'work on RAR-123', or wants to begin development on Linear issues. Handles status updates, branch creation, and context gathering."
+---
+
+# Start Skill
+
+Begin working on Linear issues with proper setup: update status, create branches, gather context, and track progress.
+
+## Prerequisites
+
+This skill requires the Linear MCP server to be configured. If Linear tools (`mcp__linear__*`) are not available, the skill will warn and offer to proceed with git-only setup (branch creation without status updates).
+
+## Scope
+
+This skill sets up local development for Linear issues. It does **NOT**:
+- Merge PRs to main (merging is a human decision)
+- Delete branches or worktrees automatically
+- Close or complete Linear issues
+
+## Usage
+
+```
+/start <issue-identifiers...>   # Start specific issues (e.g., /start RAR-123 RAR-124)
+/start --mine                    # Show my assigned issues ready to start
+/start --backlog                 # Show backlog issues for a team
+```
+
+## Workflow
+
+> **Note:** MCP tool calls shown below use pseudocode syntax for readability.
+> Actual invocation uses Claude's tool use API with the `mcp__linear__*` tools.
+
+### 1. Parse Input and Fetch Issues
+
+**If specific identifiers provided:**
+
+Fetch each issue using Linear MCP:
+
+```
+mcp__linear__get_issue(id: "RAR-123", includeRelations: true)
+```
+
+**If `--mine` flag:**
+
+```
+mcp__linear__list_issues(assignee: "me", state: "Todo", limit: 10)
+```
+
+**If `--backlog` flag (with optional `--team` and `--project` filters):**
+
+```
+mcp__linear__list_issues(
+  team: "<from --team flag, default: Rarebit>",
+  project: "<from --project flag, if provided>",
+  state: "Backlog",
+  limit: 10
+)
+```
+
+Present the issues and let the user select which to work on.
+
+### 2. Pre-Work Checks
+
+Before starting, verify:
+
+**Check for blockers:**
+
+```
+# From get_issue with includeRelations: true
+# Look at the blocking/blockedBy relations
+```
+
+If blocked:
+```
+Warning: RAR-123 is blocked by:
+  - RAR-120: "Set up middleware" (In Progress)
+
+Options:
+1. Start anyway (work may be blocked)
+2. Start the blocking issue instead
+3. Cancel
+```
+
+**Check issue readiness:**
+- Has description/acceptance criteria?
+- Has assigned estimate?
+
+If missing context, warn but allow proceeding.
+
+### 3. Update Issue Status
+
+**Skip this step if `--no-status` flag is provided.**
+
+Update each issue to "In Progress":
+
+```
+mcp__linear__save_issue(
+  id: "<issue-uuid>",
+  stateId: "<in-progress-state-id>"
+)
+```
+
+The workflow should not block on Linear failures — local development can proceed.
+
+### 4. Set Up Worktree
+
+**Always create a worktree** to isolate this work from any other state in the repo. This prevents changes from different sessions bleeding into unrelated PRs.
+
+```bash
+DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@refs/remotes/origin/@@')
+DEFAULT_BRANCH=${DEFAULT_BRANCH:-main}
+git fetch origin "$DEFAULT_BRANCH"
+git worktree add .worktrees/<identifier> -b <branch-name> "origin/$DEFAULT_BRANCH"
+```
+
+**`--no-worktree` flag:** If the user explicitly passes `--no-worktree`, check the current state:
+- On the default branch with a clean working tree → fall back to a simple branch:
+  ```bash
+  DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@refs/remotes/origin/@@')
+  DEFAULT_BRANCH=${DEFAULT_BRANCH:-main}
+  git fetch origin "$DEFAULT_BRANCH"
+  git checkout -b <branch-name> "origin/$DEFAULT_BRANCH"
+  ```
+- Otherwise → **stop and report why**:
+  _"Cannot skip worktree: working tree has uncommitted changes (or is on a feature branch). Stash or commit your changes first, switch to the default branch, then re-run with `--no-worktree`."_
+
+> **Note:** The previous version of this skill offered stash and branch-switch workflows. Those paths have been removed in favor of always using worktrees. If you prefer to stash instead, run `git stash push -m "WIP"` manually before `/start`.
+
+See `/worktree` skill for full worktree conventions.
+
+**Branch name format:**
+
+Use Linear's `gitBranchName` field if available, or generate:
+`{identifier}/{short-description}` (e.g., `rar-123/add-feature-name`)
+
+**Worktree naming:** `.worktrees/<identifier>` (e.g., `.worktrees/rar-123`)
+
+### 5. Display Issue Context
+
+```
+Starting: RAR-123
+Issue: <title>
+URL: https://linear.app/...
+
+Description:
+<full description>
+
+Acceptance Criteria:
+- [ ] ...
+
+Branch: <branch-name>
+```
+
+### 6. Create Initial Todo List
+
+Based on the issue description, create a todo list to track progress.
+
+## Flags Reference
+
+| Flag | Description |
+|------|-------------|
+| `--mine` | List my assigned issues in Todo state |
+| `--backlog` | List team backlog issues |
+| `--no-worktree` | Skip worktree if on the default branch + clean; stops with error otherwise |
+| `--no-status` | Skip status update (just create branch) |
+| `--team <name>` | Filter by team (default: Rarebit) |
+| `--project <name>` | Filter by project |
+
+## Error Handling
+
+| Error | Solution |
+|-------|----------|
+| Linear MCP unavailable | Warn and offer to proceed with just git setup |
+| Issue not found | Verify identifier, check team access |
+| Issue already in progress | Ask if user wants to continue anyway |
+| Issue is done/canceled | Warn and suggest reopening or selecting different issue |
+| Status update fails | Offer to continue with local setup, retry, or cancel |
+| Branch already exists | Offer to checkout existing or create with suffix |
+| Worktree already exists | Offer to use existing worktree or create with suffix |
+
+## Integration with Other Skills
+
+- After completing work, create a PR with `gh pr create`, or use `/publish-gem` when ready to release
+- The branch naming convention ensures the Linear issue can be auto-detected from the branch

data/.claude/skills/worktree/SKILL.md

@@ -0,0 +1,143 @@
+---
+name: worktree
+description: "Create an isolated worktree for new work. Always creates a worktree by default to prevent cross-contamination between sessions. Use at the start of any session, or when the user says 'worktree', 'isolate', 'fresh start', or 'new worktree'."
+---
+
+# Worktree Skill
+
+Creates an isolated worktree for new work. **Always creates a worktree by default** — this prevents changes from different work sessions bleeding into unrelated PRs.
+
+## Why Worktree-by-Default
+
+Every new piece of work gets its own worktree. This eliminates the most common source of cross-contamination: starting new work in a repo that has leftover state from a previous session (uncommitted changes, wrong branch, etc.). The only exception is when the user explicitly opts out.
+
+> **Note:** The previous version of this skill offered a stash-based workflow. That path has been removed in favor of always using worktrees. If you prefer to stash instead, run `git stash push -m "WIP"` manually before invoking `/start` or `/worktree`.
+
+## Why `.worktrees/`
+
+Worktrees are created inside the repo at `.worktrees/<name>` (not under `.claude/worktrees/`). This ensures:
+- Worktrees are accessible inside devcontainers (mounted at `/workspace/.worktrees/`)
+- Consistent convention across all repos in the workspace
+- The `.worktrees/` directory is gitignored in each repo
+
+## Usage
+
+```
+/worktree                          # Create a worktree (always, regardless of state)
+/worktree <name>                   # Create a named worktree directly
+/worktree --stay            # Skip worktree creation, work in current checkout
+```
+
+## Workflow
+
+### Phase 1: Detect Current State
+
+Gather the repo state (for reporting, not for deciding whether to create a worktree):
+
+```bash
+# Current branch
+CURRENT_BRANCH=$(git branch --show-current)
+
+# Default branch
+DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@refs/remotes/origin/@@')
+DEFAULT_BRANCH=${DEFAULT_BRANCH:-main}
+
+# Uncommitted changes (staged + unstaged + untracked)
+git status --porcelain
+```
+
+### Phase 2: Decision
+
+**Default behavior:** Always create a worktree. Go straight to Phase 3 → Phase 4. Any uncommitted changes on the current branch are left untouched — the worktree is a separate checkout, so existing work is preserved exactly as-is.
+
+**`--stay` flag:** Skip worktree creation and stay in the current checkout. This is for when the user explicitly wants to continue work on the current branch (e.g., resuming a previous session). If dirty state is detected, inform the user what's there but **do not stop** — the user is consciously choosing to stay. This differs from `/start --no-worktree`, which hard-stops on dirty state because starting new work on an unclean tree risks cross-contamination.
+
+### Phase 3: Fetch Latest
+
+Always fetch the latest default branch, regardless of whether a worktree will be created:
+
+```bash
+git fetch origin "$DEFAULT_BRANCH"
+```
+
+This ensures any new branch or worktree starts from the latest codebase.
+
+### Phase 4: Create Worktree
+
+**Naming convention:**
+
+If a name is provided (e.g., from a Linear issue identifier):
+```bash
+git worktree add .worktrees/<name> -b <branch-name> "origin/$DEFAULT_BRANCH"
+```
+
+If no name is provided, generate one from context:
+- If starting a Linear issue: use the issue identifier (e.g., `swe-123`)
+- If the user described the task: use a short slug (e.g., `fix-auth-timeout`)
+- Fallback: use today's date in `YYYY-MM-DD` format
+
+**Ensure `.worktrees/` is gitignored:**
+
+```bash
+# Check if .worktrees is already in .gitignore
+if ! grep -q '\.worktrees' .gitignore 2>/dev/null; then
+  echo '.worktrees/' >> .gitignore
+fi
+```
+
+### Phase 5: Report
+
+After setup, display:
+
+```
+Worktree created at: .worktrees/<name>
+Branch: <branch-name>
+Based on: origin/$DEFAULT_BRANCH (fetched latest)
+
+Previous state preserved:
+  Branch: <original-branch>
+  Changes: <summary of uncommitted changes left behind, if any>
+
+Working directory: .worktrees/<name>
+```
+
+If `--stay` was used:
+
+```
+Staying in current checkout: <branch>
+  (fetched latest origin/$DEFAULT_BRANCH)
+  <summary of uncommitted changes, if any>
+
+To create a new branch:
+  git checkout -b <branch-name> origin/$DEFAULT_BRANCH
+```
+
+## Integration with /start
+
+The `/start` skill always creates a worktree as part of its workflow. Both skills follow the same conventions:
+- Worktrees go in `.worktrees/`
+- Always fetch latest before creating
+- Naming follows the `<identifier>` convention (e.g., `.worktrees/swe-123`)
+
+**Opt-out flags differ by context:**
+- `/worktree --stay` — "stay in current checkout" (you invoked the worktree tool, you're opting out of its action; dirty state is allowed)
+- `/start --no-worktree` — "don't create a worktree" (you're starting new work, skipping one aspect; dirty state causes a hard stop)
+
+This `/worktree` skill can also be invoked independently when you want to isolate work without picking up a Linear issue.
+
+## Error Handling
+
+| Error | Solution |
+|-------|----------|
+| `.worktrees/<name>` already exists | Offer to reuse existing or create with suffix |
+| Branch name already exists | Check out existing branch in the worktree instead of `-b` |
+| No origin remote | Create worktree from local default branch HEAD |
+| Fetch fails | Warn and create from local default branch HEAD |
+| `.gitignore` is read-only | Warn the user to add `.worktrees/` manually |
+
+## Safety Rules
+
+1. **Never discard uncommitted changes** - the whole point is to preserve them
+2. **Never force-checkout** over dirty state - always worktree instead
+3. **Always fetch before creating** - worktrees should start from latest
+4. **This skill only creates worktrees** - it does not remove or clean up stale ones

data/.ruby-version

@@ -1 +1 @@
-3.4.4
+4.0.1

data/CHANGELOG.md

@@ -1,5 +1,32 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
 ## [Unreleased]
 
+## [0.2.0] - 2026-04-21
+
+### Added
+
+- Auto-register provider with StandardId via `Rails::Railtie` on `config.after_initialize`, so apps that bundle the gem no longer need an explicit initializer (#27)
+
+## [0.1.2] - 2026-01-13
+
+### Added
+
+- Support nonce and passing custom parameters to Google Sign In (#1)
+
+## [0.1.1] - 2025-12-24
+
+### Fixed
+
+- Thread safety improvements
+
 ## [0.1.0] - 2025-12-20
 
-- Initial release
+### Added
+
+- Initial release of Google Sign In provider plugin for StandardId

data/CLAUDE.md

@@ -0,0 +1,26 @@
+# CLAUDE.md
+
+## Worktree-Only Workflow (Enforced)
+
+**All file modifications are blocked in the main checkout.** A PreToolUse hook (`enforce-worktree.sh`) rejects Edit, Write, and NotebookEdit operations targeting files outside a worktree. There are no opt-outs. Do not use Bash to write files in the main checkout either (e.g., `echo >`, `sed -i`, `tee`, `cp`) — the hook cannot intercept shell commands, so this rule is instruction-enforced.
+
+Before writing any code, create a worktree:
+
+```bash
+DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@refs/remotes/origin/@@')
+DEFAULT_BRANCH=${DEFAULT_BRANCH:-main}
+git fetch origin "$DEFAULT_BRANCH"
+git worktree add .worktrees/<name> -b <branch-name> "origin/$DEFAULT_BRANCH"
+```
+
+Then work inside `.worktrees/<name>/` for the rest of the session.
+
+**Naming:** Use the Linear issue identifier if available (e.g., `.worktrees/<identifier>`), a task slug (e.g., `.worktrees/fix-auth-timeout`), or today's date (e.g., `.worktrees/2026-04-01`) as fallback.
+
+**The hook allows modifications only when:**
+
+1. The file is inside a git worktree (detected via `git rev-parse --git-dir` returning a path under `.git/worktrees/`)
+2. Running in a CI/automated context where the checkout is already isolated
+**Why this matters:** Working directly on the main checkout causes cross-contamination between sessions — uncommitted changes, wrong branches, and dirty state leak into unrelated work. Worktrees eliminate this entirely.
+
+See the `/worktree` and `/start` skills for full conventions and flags.

data/lib/standard_id/google/providers/google.rb

@@ -9,33 +9,38 @@ module StandardId
       USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v2/userinfo".freeze
       TOKEN_INFO_ENDPOINT = "https://oauth2.googleapis.com/tokeninfo".freeze
       DEFAULT_SCOPE = "openid email profile".freeze
+      AUTHORIZATION_PARAM_DEFAULTS = {
+        scope: DEFAULT_SCOPE
+      }.freeze
 
       class << self
         def provider_name
           "google"
         end
 
-        def authorization_url(state:, redirect_uri:, **options)
-          scope = options[:scope] || DEFAULT_SCOPE
-          prompt = options[:prompt]
+        def supported_authorization_params
+          [:nonce, :login_hint, :prompt, :scope, :access_type, :hd, :response_mode, :include_granted_scopes]
+        end
 
+        def authorization_url(state:, redirect_uri:, **options)
           query = {
             client_id: credentials[:client_id],
             redirect_uri: redirect_uri,
             response_type: "code",
-            scope: scope,
             state: state
           }
 
-          query[:prompt] = prompt if prompt.present?
+          supported_authorization_params.each do |param|
+            query[param] = options[param] || AUTHORIZATION_PARAM_DEFAULTS[param]
+          end
 
-          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
+          "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query.compact)}"
         end
 
-        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, **_options)
+        def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **_options)
           if id_token.present?
             build_response(
-              verify_id_token(id_token: id_token),
+              verify_id_token(id_token: id_token, nonce: nonce),
               tokens: { id_token: id_token }
             )
           elsif access_token.present?
@@ -44,7 +49,7 @@ module StandardId
               tokens: { access_token: access_token }
             )
           elsif code.present?
-            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri)
+            exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, nonce: nonce)
           else
             raise StandardId::InvalidRequestError, "Either code, id_token, or access_token must be provided"
           end
@@ -61,7 +66,7 @@ module StandardId
           DEFAULT_SCOPE
         end
 
-        def exchange_code_for_user_info(code:, redirect_uri:)
+        def exchange_code_for_user_info(code:, redirect_uri:, nonce: nil)
           raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?
 
           token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
@@ -80,6 +85,11 @@ module StandardId
           access_token = parsed_token["access_token"]
           raise StandardId::InvalidRequestError, "Google response missing access token" if access_token.blank?
 
+          # If we have an ID token in the response and a nonce was provided, verify it
+          if parsed_token["id_token"].present? && nonce.present?
+            verify_id_token(id_token: parsed_token["id_token"], nonce: nonce)
+          end
+
           tokens = extract_token_payload(parsed_token)
           user_info = fetch_user_info(access_token: access_token)
 
@@ -90,7 +100,7 @@ module StandardId
           raise StandardId::OAuthError, e.message, cause: e
         end
 
-        def verify_id_token(id_token:)
+        def verify_id_token(id_token:, nonce: nil)
           raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
 
           response = HttpClient.post_form(TOKEN_INFO_ENDPOINT, id_token: id_token)
@@ -99,6 +109,15 @@ module StandardId
 
           token_info = JSON.parse(response.body)
 
+          # Validate nonce if provided (web flow with server-generated nonce)
+          if nonce.present?
+            token_nonce = token_info["nonce"]
+            if token_nonce != nonce
+              raise StandardId::InvalidRequestError,
+                    "ID token nonce mismatch. Expected: #{nonce}, got: #{token_nonce}"
+            end
+          end
+
           unless token_info["aud"] == credentials[:client_id]
             raise StandardId::InvalidRequestError,
                   "ID token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info["aud"]}"
@@ -186,5 +205,3 @@ module StandardId
     end
   end
 end
-
-StandardId::ProviderRegistry.register(:google, StandardId::Providers::Google)

data/lib/standard_id/google/railtie.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module StandardId
+  module Google
+    class Railtie < ::Rails::Railtie
+      config.after_initialize do
+        StandardId::ProviderRegistry.register(:google, StandardId::Providers::Google)
+
+        Rails.logger.debug("[StandardId::Google] registered provider") if Rails.logger
+      end
+    end
+  end
+end

data/lib/standard_id/google/version.rb

@@ -2,6 +2,6 @@
 
 module StandardId
   module Google
-    VERSION = "0.1.1"
+    VERSION = "0.2.0"
   end
 end

data/lib/standard_id/google.rb

@@ -2,3 +2,4 @@ require "active_support/core_ext/numeric/time"
 require "active_support/core_ext/hash/indifferent_access"
 require "standard_id"
 require "standard_id/google/providers/google"
+require "standard_id/google/railtie" if defined?(Rails)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: standard_id-google
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Jaryl Sim
@@ -43,32 +43,40 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.1.7
-description: Extracted StandardId::Providers::Apple implementation packaged as a standalone
-  gem so StandardId installations can opt into Sign in with Apple independently.
+description: Extracted StandardId::Providers::Google implementation packaged as a
+  standalone gem so StandardId installations can opt into Sign in with Google independently.
 email:
 - code@jaryl.dev
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".claude/hooks/enforce-worktree.sh"
+- ".claude/settings.json"
+- ".claude/skills/publish-gem/SKILL.md"
+- ".claude/skills/start/SKILL.md"
+- ".claude/skills/worktree/SKILL.md"
 - ".rspec"
 - ".rubocop.yml"
 - ".ruby-version"
 - CHANGELOG.md
+- CLAUDE.md
 - CODE_OF_CONDUCT.md
 - LICENSE.txt
 - README.md
 - Rakefile
 - lib/standard_id/google.rb
 - lib/standard_id/google/providers/google.rb
+- lib/standard_id/google/railtie.rb
 - lib/standard_id/google/version.rb
-homepage: https://github.com/rarebit-one/standard_id_apple
+homepage: https://github.com/rarebit-one/standard_id_google
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://github.com/rarebit-one/standard_id_apple
-  source_code_uri: https://github.com/rarebit-one/standard_id_apple
-  changelog_uri: https://github.com/rarebit-one/standard_id_apple/blob/main/CHANGELOG.md
+  homepage_uri: https://github.com/rarebit-one/standard_id_google
+  source_code_uri: https://github.com/rarebit-one/standard_id_google
+  changelog_uri: https://github.com/rarebit-one/standard_id_google/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/rarebit-one/standard_id_google/issues
 rdoc_options: []
 require_paths:
 - lib
@@ -83,7 +91,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Google Sign In provider plugin for the StandardId engine.
 test_files: []