100xprism 2.3.1

package/shell/check-update.sh

@@ -0,0 +1,212 @@
+#!/usr/bin/env bash
+# check-update.sh — daily version check + cache for 100xprism
+#
+# Usage:
+#   check-update.sh --silent       Refresh cache only. No output.
+#   check-update.sh --notify       Show banner + prompt if update available.
+#   check-update.sh --claude-hook  Inject session notice if update available.
+
+set -euo pipefail
+
+REPO_DIR="${HUNDRED_X_REPO_OVERRIDE:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}"
+STATE_DIR="$HOME/.100xprism"
+CACHE_FILE="$STATE_DIR/update-cache"
+FLAG="${1:-}"
+
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+mkdir -p "$STATE_DIR"
+
+# ── Cache helpers ─────────────────────────────────────────────────────────────
+
+_cache_get() {
+  local key="$1"
+  if [[ ! -f "$CACHE_FILE" ]]; then
+    echo ""
+    return
+  fi
+  grep "^${key}=" "$CACHE_FILE" 2>/dev/null | cut -d= -f2- || true
+}
+
+_cache_set() {
+  local key="$1" value="$2"
+  touch "$CACHE_FILE"
+  local tmp
+  tmp="$(mktemp)"
+  grep -v "^${key}=" "$CACHE_FILE" > "$tmp" 2>/dev/null || true
+  echo "${key}=${value}" >> "$tmp"
+  mv "$tmp" "$CACHE_FILE"
+}
+
+# ── Version check ─────────────────────────────────────────────────────────────
+
+_refresh_cache() {
+  local now
+  now="$(date +%s)"
+  local last_check
+  last_check="$(_cache_get last_check)"
+  last_check="${last_check:-0}"
+
+  local age=$(( now - last_check ))
+  if (( age < 86400 )); then
+    return  # Cache is fresh — skip network call
+  fi
+
+  cd "$REPO_DIR"
+
+  # Fetch with timeout; on failure, update timestamp only to avoid retry storm
+  if ! git fetch origin main --quiet 2>/dev/null; then
+    _cache_set last_check "$now"
+    return
+  fi
+
+  local local_sha remote_sha
+  local_sha="$(git rev-parse HEAD 2>/dev/null || echo "unknown")"
+  remote_sha="$(git rev-parse origin/main 2>/dev/null || echo "unknown")"
+
+  local has_update="false"
+  local changelog=""
+
+  if [[ "$local_sha" != "$remote_sha" && "$local_sha" != "unknown" ]]; then
+    has_update="true"
+    changelog="$(git log --oneline "${local_sha}..origin/main" 2>/dev/null | head -5 | tr '\n' '|' | sed 's/|$//')"
+  fi
+
+  _cache_set last_check  "$now"
+  _cache_set has_update  "$has_update"
+  _cache_set local_sha   "$local_sha"
+  _cache_set remote_sha  "$remote_sha"
+  _cache_set changelog   "$changelog"
+
+  # Clear snooze when no update
+  if [[ "$has_update" == "false" ]]; then
+    _cache_set snoozed_until "0"
+  fi
+}
+
+_fetch_release_notes() {
+  # Try GitHub Releases API first (requires gh CLI)
+  if command -v gh >/dev/null 2>&1; then
+    local notes
+    notes=$(gh release view --repo rajitsaha/100xprism --json body -q .body 2>/dev/null | head -20 || true)
+    if [[ -n "$notes" ]]; then
+      echo "$notes"
+      return
+    fi
+  fi
+  # Fallback: format cached commit messages
+  local changelog
+  changelog="$(_cache_get changelog)"
+  IFS='|' read -ra _lines <<< "$changelog"
+  for _line in "${_lines[@]}"; do
+    [[ -z "$_line" ]] && continue
+    echo "• ${_line#* }"
+  done
+}
+
+# ── Snooze helpers ────────────────────────────────────────────────────────────
+
+_is_snoozed() {
+  local snoozed_until
+  snoozed_until="$(_cache_get snoozed_until)"
+  snoozed_until="${snoozed_until:-0}"
+  local now
+  now="$(date +%s)"
+  (( now < snoozed_until )) && return 0 || return 1
+}
+
+_snooze() {
+  local until=$(( $(date +%s) + 86400 ))
+  _cache_set snoozed_until "$until"
+}
+
+# ── Output modes ──────────────────────────────────────────────────────────────
+
+_do_silent() {
+  _refresh_cache
+}
+
+_do_notify() {
+  # Read from cache only — no network call (that's _do_silent's job)
+  local has_update
+  has_update="$(_cache_get has_update)"
+  [[ "$has_update" == "true" ]] || return 0
+  _is_snoozed && return 0
+
+  # Only show prompt if stdin is a terminal
+  [[ -t 0 ]] || return 0
+
+  local local_sha remote_sha changelog
+  local_sha="$(_cache_get local_sha)"
+  remote_sha="$(_cache_get remote_sha)"
+  changelog="$(_cache_get changelog)"
+
+  local short_local="${local_sha:0:7}"
+  local short_remote="${remote_sha:0:7}"
+
+  echo ""
+  # shellcheck disable=SC2059
+  printf "${YELLOW}╔══════════════════════════════════════════════════════╗${NC}\n"
+  # shellcheck disable=SC2059
+  printf "${YELLOW}║${NC}  %-52s${YELLOW}║${NC}\n" "100x Dev update available: $short_local → $short_remote"
+
+  local _notes
+  _notes="$(_fetch_release_notes)"
+  while IFS= read -r _note; do
+    [[ -z "$_note" ]] && continue
+    _note="${_note:0:50}"
+    # shellcheck disable=SC2059
+    printf "${YELLOW}║${NC}  %-52s${YELLOW}║${NC}\n" "$_note"
+  done <<< "$_notes"
+
+  # shellcheck disable=SC2059
+  printf "${YELLOW}╚══════════════════════════════════════════════════════╝${NC}\n"
+  echo ""
+
+  read -rp "Update now? (Y/n): " _confirm
+  _confirm="${_confirm:-Y}"
+  if [[ "$_confirm" =~ ^[Yy]$ ]]; then
+    bash "$REPO_DIR/update.sh"
+  else
+    _snooze
+    echo -e "${CYAN}Reminder snoozed for 24h. Run \`100x-update\` when ready.${NC}"
+  fi
+}
+
+_do_claude_hook() {
+  local has_update
+  has_update="$(_cache_get has_update)"
+  [[ "$has_update" == "true" ]] || return 0
+  _is_snoozed && return 0
+
+  local local_sha remote_sha changelog
+  local_sha="$(_cache_get local_sha)"
+  remote_sha="$(_cache_get remote_sha)"
+  changelog="$(_cache_get changelog)"
+
+  local short_local="${local_sha:0:7}"
+  local short_remote="${remote_sha:0:7}"
+
+  echo "> 100x Dev update available ($short_local → $short_remote)"
+  local _notes
+  _notes="$(_fetch_release_notes)"
+  while IFS= read -r _note; do
+    [[ -z "$_note" ]] && continue
+    echo "  ${_note:0:60}"
+  done <<< "$_notes"
+  echo "> Run \`100x-update\` in your terminal to upgrade."
+}
+
+# ── Dispatch ──────────────────────────────────────────────────────────────────
+
+case "$FLAG" in
+  --silent)      _do_silent      ;;
+  --notify)      _do_notify      ;;
+  --claude-hook) _do_claude_hook ;;
+  *)
+    echo "Usage: check-update.sh [--silent|--notify|--claude-hook]" >&2
+    exit 1
+    ;;
+esac

package/templates/.env.example

@@ -0,0 +1,199 @@
+# =============================================================================
+# .env.example — SaaS CLI Credential Template
+# Generated by 100xprism  |  https://github.com/rajitatudemy/100xprism
+#
+# INSTRUCTIONS:
+#   1. Copy this file:   cp .env.example .env
+#   2. Fill in only the services you use
+#   3. NEVER commit .env to git — it is in .gitignore
+#   4. Run `/connect` in Claude Code to authenticate all services
+# =============================================================================
+
+# =============================================================================
+# VERSION CONTROL & ISSUE TRACKING
+# =============================================================================
+
+# GitHub — https://github.com/settings/tokens
+# Scopes: repo, workflow, packages, admin:org (as needed)
+GITHUB_TOKEN=
+
+# Jira / Atlassian — https://id.atlassian.com/manage-profile/security/api-tokens
+JIRA_URL=https://your-org.atlassian.net
+JIRA_USER_EMAIL=
+JIRA_API_TOKEN=
+JIRA_PROJECT_KEY=
+
+# Linear — https://linear.app/settings/api
+LINEAR_API_KEY=
+
+# =============================================================================
+# CLOUD PLATFORMS
+# =============================================================================
+
+# AWS — https://console.aws.amazon.com/iam/home#/security_credentials
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_DEFAULT_REGION=us-east-1
+# Optional: assume-role or named profile
+# AWS_PROFILE=
+
+# Google Cloud Platform — https://console.cloud.google.com/iam-admin/serviceaccounts
+GCP_PROJECT_ID=
+GCP_REGION=us-central1
+# Path to your service account JSON key file
+GOOGLE_APPLICATION_CREDENTIALS=
+
+# Azure — https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps
+AZURE_CLIENT_ID=
+AZURE_CLIENT_SECRET=
+AZURE_TENANT_ID=
+AZURE_SUBSCRIPTION_ID=
+
+# DigitalOcean — https://cloud.digitalocean.com/account/api/tokens
+DIGITALOCEAN_ACCESS_TOKEN=
+
+# =============================================================================
+# DEPLOYMENT & HOSTING
+# =============================================================================
+
+# Vercel — https://vercel.com/account/tokens
+VERCEL_TOKEN=
+VERCEL_ORG_ID=
+VERCEL_PROJECT_ID=
+
+# Netlify — https://app.netlify.com/user/applications#personal-access-tokens
+NETLIFY_AUTH_TOKEN=
+NETLIFY_SITE_ID=
+
+# Railway — https://railway.app/account/tokens
+RAILWAY_TOKEN=
+
+# Heroku — https://dashboard.heroku.com/account (API Key section)
+HEROKU_API_KEY=
+
+# Fly.io — https://fly.io/user/personal_access_tokens
+FLY_API_TOKEN=
+
+# Render — https://dashboard.render.com/u/settings#api-keys
+RENDER_API_KEY=
+
+# =============================================================================
+# DATABASE / BACKEND-AS-A-SERVICE
+# =============================================================================
+
+# Supabase — https://supabase.com/dashboard/account/tokens
+SUPABASE_ACCESS_TOKEN=
+SUPABASE_PROJECT_REF=
+SUPABASE_URL=https://your-project.supabase.co
+SUPABASE_ANON_KEY=
+SUPABASE_SERVICE_ROLE_KEY=
+SUPABASE_DB_PASSWORD=
+
+# PlanetScale — https://app.planetscale.com/[org]/settings/service-tokens
+PLANETSCALE_SERVICE_TOKEN=
+PLANETSCALE_SERVICE_TOKEN_ID=
+PLANETSCALE_ORG=
+PLANETSCALE_DB=
+
+# Firebase (Google) — run: firebase login:ci
+FIREBASE_TOKEN=
+FIREBASE_PROJECT_ID=
+FIREBASE_API_KEY=
+
+# MongoDB Atlas — https://cloud.mongodb.com programmatic API keys
+MONGODB_ATLAS_PUBLIC_KEY=
+MONGODB_ATLAS_PRIVATE_KEY=
+MONGODB_ATLAS_ORG_ID=
+MONGODB_ATLAS_PROJECT_ID=
+MONGODB_URI=
+
+# =============================================================================
+# PAYMENTS
+# =============================================================================
+
+# Stripe — https://dashboard.stripe.com/apikeys
+# Use sk_test_... for development, sk_live_... for production
+STRIPE_SECRET_KEY=
+STRIPE_PUBLISHABLE_KEY=
+STRIPE_WEBHOOK_SECRET=
+# Optional: Stripe restricted key for specific operations
+# STRIPE_RESTRICTED_KEY=
+
+# =============================================================================
+# CDN / EDGE / DNS
+# =============================================================================
+
+# Cloudflare — https://dash.cloudflare.com/profile/api-tokens
+CLOUDFLARE_API_TOKEN=
+CLOUDFLARE_ACCOUNT_ID=
+CLOUDFLARE_ZONE_ID=
+
+# =============================================================================
+# DEVOPS & INFRASTRUCTURE
+# =============================================================================
+
+# Docker Hub — https://hub.docker.com/settings/security (use Access Token, not password)
+DOCKER_USERNAME=
+DOCKER_TOKEN=
+# Optional: private registry URL (leave blank for Docker Hub)
+# DOCKER_REGISTRY=
+
+# Terraform Cloud — https://app.terraform.io/app/settings/tokens
+TF_TOKEN_app_terraform_io=
+TF_WORKSPACE=
+TF_ORGANIZATION=
+
+# Sentry — https://sentry.io/settings/account/api/auth-tokens/
+SENTRY_AUTH_TOKEN=
+SENTRY_ORG=
+SENTRY_PROJECT=
+# Optional: self-hosted Sentry URL (leave blank for sentry.io)
+# SENTRY_URL=
+
+# Datadog — https://app.datadoghq.com/organization-settings/api-keys
+DD_API_KEY=
+DD_APP_KEY=
+DD_SITE=datadoghq.com
+
+# =============================================================================
+# COMMUNICATION & PRODUCTIVITY
+# =============================================================================
+
+# Slack — https://api.slack.com/apps → your app → OAuth & Permissions
+SLACK_BOT_TOKEN=
+SLACK_SIGNING_SECRET=
+SLACK_TEAM_ID=
+# Optional: specific channel ID for notifications
+# SLACK_CHANNEL_ID=
+
+# Notion — https://www.notion.so/my-integrations
+NOTION_TOKEN=
+NOTION_DATABASE_ID=
+
+# =============================================================================
+# PACKAGE REGISTRIES
+# =============================================================================
+
+# npm — https://www.npmjs.com/settings/[username]/tokens
+NPM_TOKEN=
+
+# PyPI — https://pypi.org/manage/account/token/
+PYPI_TOKEN=
+# Defaults to __token__ when using PYPI_TOKEN
+# PYPI_USERNAME=__token__
+
+# GitHub Packages (uses GITHUB_TOKEN above, already set)
+
+# Homebrew — increases API rate limits for `brew` commands
+HOMEBREW_GITHUB_API_TOKEN=
+
+# =============================================================================
+# APP / ENVIRONMENT CONFIG (project-specific — add your own below)
+# =============================================================================
+
+NODE_ENV=development
+PORT=3000
+# DATABASE_URL=
+# REDIS_URL=
+# JWT_SECRET=
+# SESSION_SECRET=

package/templates/docker-compose.md

@@ -0,0 +1,46 @@
+# [Project Name] — Project Instructions
+Last updated: YYYY-MM-DD
+
+## Project Overview
+[One paragraph describing what this project does]
+
+## Tech Stack
+- Services: [api, dashboard, postgres, redis, etc]
+- Orchestration: Docker Compose
+- Testing: [per-service test stacks]
+
+## Key Commands
+```bash
+# Build
+docker build -t [project]-api:local .
+docker build -t [project]-dashboard:local ./dashboard
+
+# Run
+docker compose up -d
+docker compose ps
+docker compose logs -f [service]
+
+# Migrations
+docker compose run --rm migrate
+
+# Stop
+docker compose down
+```
+
+## Health Endpoints
+- API: http://localhost:8000/health
+- Dashboard: http://localhost:3001
+
+## Smoke Test
+```bash
+curl -s http://localhost:8000/health   # Should return {"status":"healthy"}
+curl -s -o /dev/null -w "%{http_code}" http://localhost:3001/  # Should return 200
+```
+
+## Security — Known Exceptions
+<!-- List any accepted audit exceptions here -->
+
+## Conventions
+- Migrations in alembic/ or migrations/
+- Each service has its own Dockerfile
+- Compose file at docker-compose.yml or deploy/docker-compose.yml

package/templates/node-frontend.md

@@ -0,0 +1,56 @@
+# [Project Name] — Project Instructions
+Last updated: YYYY-MM-DD
+
+## Project Overview
+[One paragraph describing what this project does]
+
+## Tech Stack
+- Framework: React + Vite
+- Language: TypeScript
+- Styling: [Tailwind / shadcn / etc]
+- Testing: Vitest + Testing Library
+- E2E: Playwright (optional)
+
+## Key Commands
+```bash
+npm run dev          # Start dev server
+npm run build        # Production build
+npm run test:unit    # Unit tests
+npm run test:coverage # Coverage report
+npm run lint         # ESLint
+```
+
+## Health Endpoints
+- Local: http://localhost:5173
+
+## Security — Known Exceptions
+<!-- List any accepted audit exceptions here, e.g.: -->
+<!-- - undici via Firebase SDK — requires --force to fix, known safe -->
+
+## Conventions
+- Components in src/components/
+- Pages in src/pages/
+- Utilities in src/lib/
+- Tests mirror src/ structure in src/__tests__/
+
+## Common CI Traps
+
+**`opacity-0` breaks Playwright** — `useState(false)` + `useEffect(() => setState(true), [])` to trigger a CSS fade-in is a common pattern, but Playwright's `toBeVisible()` fails on `opacity-0` elements. In a client-only SPA there is no SSR reason to defer visibility — initialize to `true` directly.
+
+```tsx
+// Wrong — form is invisible on first render; Playwright times out
+const [mounted, setMounted] = useState(false);
+useEffect(() => { setMounted(true); }, []);
+
+// Right — immediately visible, no effect needed
+const mounted = true;
+```
+
+**ESLint plugin version skew** — if CI uses a newer eslint plugin version than is pinned locally, errors appear in CI but not on your machine. Pin exact plugin versions in `package.json` to keep CI and local in sync.
+
+```json
+// Pin exact versions, not ranges, for lint plugins
+"eslint-plugin-react-hooks": "5.2.0"
+```
+
+**npm packages not yet published** — never add a package to `dependencies` that doesn't exist on the npm registry yet. Docker builds will fail with a 404 at `npm install` time. Use `file:` paths or vendor the source instead.

package/templates/node-fullstack.md

@@ -0,0 +1,59 @@
+# [Project Name] — Project Instructions
+Last updated: YYYY-MM-DD
+
+## Project Overview
+[One paragraph describing what this project does]
+
+## Tech Stack
+- Frontend: React + Vite + TypeScript
+- Backend: Node.js + Express/Fastify + TypeScript
+- Database: PostgreSQL
+- Auth: [Firebase / JWT / etc]
+- Testing: Vitest (frontend) + Jest + supertest (backend)
+- E2E: Playwright
+
+## Key Commands
+```bash
+# Frontend (root)
+npm run dev            # Start frontend dev server
+npm run build          # Frontend production build
+npm run test:coverage  # Frontend coverage
+
+# Backend (api/)
+cd api && npm run dev        # Start API server
+cd api && npm run build      # Backend build
+cd api && npm run test:coverage # Backend coverage
+```
+
+## Health Endpoints
+- Local API: http://localhost:3001/health
+- Local Frontend: http://localhost:5173
+- Production API: https://[your-api-url]/health
+- Production Frontend: https://[your-frontend-url]
+
+## Security — Known Exceptions
+<!-- List any accepted audit exceptions here -->
+
+## Conventions
+- API routes in api/src/routes/
+- Frontend components in src/components/
+- Shared types in src/types/ or api/src/types/
+- All routes require auth middleware except /health and /webhooks
+
+## Common CI Traps
+
+**npm packages not yet published** — if a package is listed in `dependencies` but not on the npm registry, Docker builds fail with a 404 at `npm install`. Use `file:` paths for local packages or vendor the source directly into the build context.
+
+```json
+// Wrong — 404 in Docker if package isn't published
+"dependencies": { "@yourorg/internal-pkg": "^0.1.0" }
+
+// Right — reference local source
+"dependencies": { "@yourorg/internal-pkg": "file:./internal-pkg" }
+```
+
+**`opacity-0` breaks Playwright** — `useState(false)` + `useEffect(() => setState(true), [])` for CSS enter-animations makes elements invisible on first render. Playwright's `toBeVisible()` fails. In SPAs initialize to `true` and use CSS `@keyframes` for animations instead.
+
+**ESLint plugin version skew** — CI may use a newer plugin version than is installed locally, causing errors in CI that don't reproduce. Pin exact versions for lint plugins in `package.json`.
+
+**Integration tests silently excluded from gate** — always run both `tests/unit/` and `tests/integration/` in CI. Omitting integration tests means Docker-build failures and DB regressions only surface after merge.

package/templates/python-api.md

@@ -0,0 +1,57 @@
+# [Project Name] — Project Instructions
+Last updated: YYYY-MM-DD
+
+## Project Overview
+[One paragraph describing what this project does]
+
+## Tech Stack
+- Language: Python 3.11+
+- Framework: FastAPI / Flask
+- Database: PostgreSQL / SQLite
+- Testing: pytest + pytest-cov
+- Linting: ruff
+
+## Key Commands
+```bash
+source venv/bin/activate          # Activate virtualenv
+./venv/bin/python -m uvicorn main:app --reload  # Start dev server
+./venv/bin/python -m pytest tests/ -v           # Run tests
+./venv/bin/python -m pytest --cov=. --cov-report=term-missing  # Coverage
+./venv/bin/ruff check . --fix     # Lint + fix
+./venv/bin/ruff format .          # Format
+```
+
+## Health Endpoints
+- Local: http://localhost:8000/health
+- Production: https://[your-api-url]/health
+
+## Security — Known Exceptions
+<!-- List any accepted pip-audit exceptions here -->
+
+## Conventions
+- Routes in routes/ or api/routes/
+- Models in models/
+- Tests in tests/unit/ and tests/integration/
+- All routes require auth except /health
+
+## Common CI Traps
+
+**Integration tests not in the gate** — `pytest tests/unit/` is the default but `tests/integration/` must be added explicitly. If integration tests only run locally, regressions ship silently.
+
+```bash
+# Wrong — misses integration tests
+pytest tests/unit/
+
+# Right — gate both
+pytest tests/unit/ tests/integration/
+```
+
+**Docker builds referencing local packages** — if a package is injected as a dependency but not yet published to a registry, `npm install` / `pip install` will fail in CI with a 404. Fix: vendor the source directly into the build context or use a `file:` path.
+
+```python
+# Wrong — package not on PyPI yet
+deps = {"my-internal-pkg": "^0.1.0"}
+
+# Right — vendor source into container
+shutil.copy(LOCAL_SRC, build_dir / "my_internal_pkg.py")
+```