@a13xu/lucid 1.11.0 → 1.13.0

package/build/index.js

@@ -21,6 +21,7 @@ import { handleGetContext, GetContextSchema, handleGetRecent, GetRecentSchema, }
 import { handleReward, RewardSchema, handlePenalize, PenalizeSchema, handleShowRewards, ShowRewardsSchema, } from "./tools/reward.js";
 import { handleGetCodingRules, handleCheckCodeQuality, CheckCodeQualitySchema, } from "./tools/coding-guard.js";
 import { handlePlanCreate, PlanCreateSchema, handlePlanList, PlanListSchema, handlePlanGet, PlanGetSchema, handlePlanUpdateTask, PlanUpdateTaskSchema, } from "./tools/plan.js";
+import { UpdateLucidSchema, handleUpdateLucid, checkForUpdatesOnStartup, getCurrentVersion, } from "./tools/updater.js";
 import { GenerateComponentSchema, handleGenerateComponent, ScaffoldPageSchema, handleScaffoldPage, SeoMetaSchema, handleSeoMeta, AccessibilityAuditSchema, handleAccessibilityAudit, ApiClientSchema, handleApiClient, TestGeneratorSchema, handleTestGenerator, ResponsiveLayoutSchema, handleResponsiveLayout, SecurityScanSchema, handleSecurityScan, DesignTokensSchema, handleDesignTokens, PerfHintsSchema, handlePerfHints, } from "./tools/webdev/index.js";
 // ---------------------------------------------------------------------------
 // Init DB
@@ -54,7 +55,7 @@ else {
 // ---------------------------------------------------------------------------
 // MCP Server
 // ---------------------------------------------------------------------------
-const server = new Server({ name: "lucid", version: "1.11.0" }, { capabilities: { tools: {} } });
+const server = new Server({ name: "lucid", version: "1.13.0" }, { capabilities: { tools: {} } });
 // ---------------------------------------------------------------------------
 // Tool definitions
 // ---------------------------------------------------------------------------
@@ -393,6 +394,23 @@ server.setRequestHandler(ListToolsRequestSchema, async () => ({
                 required: ["task_id", "status"],
             },
         },
+        // ── Updater ──────────────────────────────────────────────────────────────
+        {
+            name: "update_lucid",
+            description: "Check for a newer version of Lucid on npm and update automatically. " +
+                "For global npm installs: runs npm install -g @a13xu/lucid@latest. " +
+                "For local source installs: shows git pull + npm run build instructions. " +
+                "After updating, restart Claude Code to load the new version.",
+            inputSchema: {
+                type: "object",
+                properties: {
+                    force: {
+                        type: "boolean",
+                        description: "Force reinstall even if already on latest version (default false)",
+                    },
+                },
+            },
+        },
         // ── Web Dev Skills ───────────────────────────────────────────────────────
         {
             name: "generate_component",
@@ -654,6 +672,10 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
             case "plan_update_task":
                 text = handlePlanUpdateTask(stmts, PlanUpdateTaskSchema.parse(args));
                 break;
+            // Updater
+            case "update_lucid":
+                text = await handleUpdateLucid(UpdateLucidSchema.parse(args));
+                break;
             // Web Dev Skills
             case "generate_component":
                 text = handleGenerateComponent(GenerateComponentSchema.parse(args));
@@ -703,4 +725,6 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
 // ---------------------------------------------------------------------------
 const transport = new StdioServerTransport();
 await server.connect(transport);
-console.error("[lucid] Server started on stdio.");
+console.error(`[lucid] Server v${getCurrentVersion()} started on stdio.`);
+// Non-blocking — logs to stderr if update is available
+checkForUpdatesOnStartup().catch(() => { });

package/build/tools/init.js

@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { resolve, join } from "path";
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync } from "fs";
+import { fileURLToPath } from "url";
 import { indexProject } from "../indexer/project.js";
 import { saveAdminConfig, loadAdminConfig, isAdminConfigured, sendTestAlert, } from "../security/alerts.js";
 export const InitProjectSchema = z.object({
@@ -28,6 +29,7 @@ export const InitProjectSchema = z.object({
     projectName: z.string().optional(),
 });
 const LUCID_MARKER = "Lucid: call sync_file";
+const LUCID_UPDATE_MARKER = "lucid-update-check";
 const LUCID_HOOK = {
     matcher: "Write|Edit|NotebookEdit",
     hooks: [
@@ -37,7 +39,27 @@ const LUCID_HOOK = {
         },
     ],
 };
-function installHook(dir) {
+// SessionStart hook: checks npm registry and notifies if update is available.
+// Uses only Node.js built-in https module — no external dependencies required.
+const LUCID_UPDATE_HOOK = {
+    hooks: [
+        {
+            type: "command",
+            command: `node -e "const h=require('https');` +
+                `h.get('https://registry.npmjs.org/@a13xu/lucid/latest',` +
+                `function(r){var d='';r.on('data',function(c){d+=c});` +
+                `r.on('end',function(){` +
+                `try{var v=JSON.parse(d).version;` +
+                `var s=require('child_process').execSync(` +
+                `'npm list -g @a13xu/lucid --depth=0 2>/dev/null',{encoding:'utf8'});` +
+                `var m=s.match(/lucid@([\\d.]+)/);` +
+                `if(m&&m[1]&&v!==m[1])` +
+                `console.log('[Lucid] Update available: v'+m[1]+' → v'+v+'. Call update_lucid().')}` +
+                `catch(e){}})}).on('error',function(){})" 2>/dev/null || true`,
+        },
+    ],
+};
+function installHooks(dir) {
     const claudeDir = join(dir, ".claude");
     const settingsPath = join(claudeDir, "settings.json");
     let settings = {};
@@ -50,20 +72,34 @@ function installHook(dir) {
         }
     }
     const hooks = (settings["hooks"] ?? {});
+    let changed = false;
+    // ── PostToolUse: sync_file reminder ──────────────────────────────────────
     const postToolUse = hooks["PostToolUse"] ?? [];
-    // Detectează atât formatul vechi cât și cel nou
-    const alreadyInstalled = postToolUse.some((h) => {
+    const syncAlreadyInstalled = postToolUse.some((h) => {
         const cmd = h.command ?? h.hooks?.[0]?.command ?? "";
         return cmd.includes(LUCID_MARKER);
     });
-    if (alreadyInstalled) {
+    if (!syncAlreadyInstalled) {
+        hooks["PostToolUse"] = [...postToolUse, LUCID_HOOK];
+        changed = true;
+    }
+    // ── SessionStart: version check ───────────────────────────────────────────
+    const sessionStart = hooks["SessionStart"] ?? [];
+    const updateAlreadyInstalled = sessionStart.some((h) => {
+        const cmd = h.command ?? h.hooks?.[0]?.command ?? "";
+        return cmd.includes(LUCID_UPDATE_MARKER);
+    });
+    if (!updateAlreadyInstalled) {
+        hooks["SessionStart"] = [...sessionStart, LUCID_UPDATE_HOOK];
+        changed = true;
+    }
+    if (!changed) {
         return { installed: false, reason: "already installed" };
     }
-    hooks["PostToolUse"] = [...postToolUse, LUCID_HOOK];
     settings["hooks"] = hooks;
     mkdirSync(claudeDir, { recursive: true });
     writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n", "utf-8");
-    return { installed: true, reason: "hook added to .claude/settings.json" };
+    return { installed: true, reason: "hooks added to .claude/settings.json" };
 }
 // ---------------------------------------------------------------------------
 // Adaugă instrucțiune în CLAUDE.md
@@ -110,13 +146,26 @@ export async function handleInitProject(stmts, input) {
     }
     // ── Hook PostToolUse ──────────────────────────────────────────────────────
     lines.push(``);
-    const hookResult = installHook(dir);
+    const hookResult = installHooks(dir);
     if (hookResult.installed) {
-        lines.push(`🔗 Claude Code hook installed (.claude/settings.json)`);
-        lines.push(`   After every Write/Edit, you will see a reminder to call sync_file().`);
+        lines.push(`🔗 Claude Code hooks installed (.claude/settings.json)`);
+        lines.push(`   PostToolUse: reminder to call sync_file() after every Write/Edit`);
+        lines.push(`   SessionStart: auto-check for Lucid updates on session start`);
     }
     else {
-        lines.push(`🔗 Hook: ${hookResult.reason}`);
+        lines.push(`🔗 Hooks: ${hookResult.reason}`);
+    }
+    // ── Skills ────────────────────────────────────────────────────────────────
+    const skillsResult = installSkills(dir);
+    if (skillsResult.installed.length > 0) {
+        lines.push(`📚 Skills installed in .claude/skills/:`);
+        for (const s of skillsResult.installed) {
+            lines.push(`   • /${s}`);
+        }
+        lines.push(`   Invoke with /<skill-name> in Claude Code.`);
+    }
+    else if (skillsResult.skipped.length > 0) {
+        lines.push(`📚 Skills: already installed (${skillsResult.skipped.length} skill(s))`);
     }
     // ── CLAUDE.md injection ───────────────────────────────────────────────────
     const injected = injectClaudeMdInstruction(dir);
@@ -200,6 +249,34 @@ export async function handleInitProject(stmts, input) {
     lines.push(`Use recall() to query accumulated project knowledge.`);
     return lines.join("\n");
 }
+// ---------------------------------------------------------------------------
+// Instalează Lucid skills în .claude/skills/ al proiectului
+// ---------------------------------------------------------------------------
+const PACKAGE_ROOT = join(fileURLToPath(new URL(".", import.meta.url)), "../..");
+function installSkills(projectDir) {
+    const skillsSource = join(PACKAGE_ROOT, "skills");
+    const result = { installed: [], skipped: [] };
+    if (!existsSync(skillsSource))
+        return result;
+    const skillDirs = readdirSync(skillsSource, { withFileTypes: true })
+        .filter((d) => d.isDirectory())
+        .map((d) => d.name);
+    for (const skillName of skillDirs) {
+        const srcSkillMd = join(skillsSource, skillName, "SKILL.md");
+        if (!existsSync(srcSkillMd))
+            continue;
+        const destDir = join(projectDir, ".claude", "skills", skillName);
+        const destFile = join(destDir, "SKILL.md");
+        if (existsSync(destFile)) {
+            result.skipped.push(skillName);
+            continue;
+        }
+        mkdirSync(destDir, { recursive: true });
+        writeFileSync(destFile, readFileSync(srcSkillMd, "utf-8"), "utf-8");
+        result.installed.push(skillName);
+    }
+    return result;
+}
 function buildChannelSummary(cfg) {
     const channels = [];
     if (cfg.adminEmail && cfg.smtpHost)

package/build/tools/updater.d.ts

@@ -0,0 +1,11 @@
+import { z } from "zod";
+export declare function getCurrentVersion(): string;
+export declare function checkForUpdatesOnStartup(): Promise<void>;
+export declare const UpdateLucidSchema: z.ZodObject<{
+    force: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    force?: boolean | undefined;
+}, {
+    force?: boolean | undefined;
+}>;
+export declare function handleUpdateLucid(args: z.infer<typeof UpdateLucidSchema>): Promise<string>;

package/build/tools/updater.js

@@ -0,0 +1,133 @@
+import { z } from "zod";
+import { join } from "path";
+import { readFileSync, existsSync } from "fs";
+import { fileURLToPath } from "url";
+import { execSync } from "child_process";
+// ---------------------------------------------------------------------------
+// Package root resolution
+// ---------------------------------------------------------------------------
+// build/tools/updater.js → ../../ = package root
+const PACKAGE_ROOT = join(fileURLToPath(new URL(".", import.meta.url)), "../..");
+export function getCurrentVersion() {
+    try {
+        const pkg = JSON.parse(readFileSync(join(PACKAGE_ROOT, "package.json"), "utf-8"));
+        return pkg.version ?? "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+}
+// ---------------------------------------------------------------------------
+// npm registry check
+// ---------------------------------------------------------------------------
+async function fetchLatestVersion() {
+    try {
+        const res = await fetch("https://registry.npmjs.org/@a13xu/lucid/latest", { signal: AbortSignal.timeout(5000) });
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        return data.version ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+function compareVersions(a, b) {
+    const pa = a.split(".").map(Number);
+    const pb = b.split(".").map(Number);
+    for (let i = 0; i < 3; i++) {
+        const diff = (pa[i] ?? 0) - (pb[i] ?? 0);
+        if (diff !== 0)
+            return diff;
+    }
+    return 0;
+}
+// ---------------------------------------------------------------------------
+// Install method detection
+// ---------------------------------------------------------------------------
+function detectInstallMethod() {
+    // If the package root is inside node_modules, it's npm-installed
+    if (PACKAGE_ROOT.includes("node_modules")) {
+        return "global-npm";
+    }
+    // Check if there's a .git folder — local source checkout
+    if (existsSync(join(PACKAGE_ROOT, ".git"))) {
+        return "local-source";
+    }
+    return "global-npm";
+}
+// ---------------------------------------------------------------------------
+// Startup check (non-blocking — call from index.ts without await)
+// ---------------------------------------------------------------------------
+export async function checkForUpdatesOnStartup() {
+    const current = getCurrentVersion();
+    const latest = await fetchLatestVersion();
+    if (latest && compareVersions(latest, current) > 0) {
+        console.error(`[lucid] ⬆️  Update available: v${current} → v${latest}. ` +
+            `Call update_lucid() to update, or: npm install -g @a13xu/lucid@latest`);
+    }
+}
+// ---------------------------------------------------------------------------
+// Schema & handler
+// ---------------------------------------------------------------------------
+export const UpdateLucidSchema = z.object({
+    force: z
+        .boolean()
+        .optional()
+        .describe("Force reinstall even if already on latest version"),
+});
+// Example call:
+//   handleUpdateLucid({ force: false })
+export async function handleUpdateLucid(args) {
+    const current = getCurrentVersion();
+    const lines = [`🔍 Checking for updates... (current: v${current})`];
+    const latest = await fetchLatestVersion();
+    if (!latest) {
+        return lines.concat("❌ Could not reach npm registry. Check your internet connection.").join("\n");
+    }
+    lines.push(`📦 Latest on npm: v${latest}`);
+    const upToDate = compareVersions(latest, current) <= 0;
+    if (upToDate && !args.force) {
+        lines.push(`✅ Lucid is up to date.`);
+        return lines.join("\n");
+    }
+    if (upToDate && args.force) {
+        lines.push(`⚠️  Already on v${latest}, reinstalling (force=true)...`);
+    }
+    else {
+        lines.push(`🔄 Updating v${current} → v${latest}...`);
+    }
+    const method = detectInstallMethod();
+    if (method === "local-source") {
+        lines.push(``);
+        lines.push(`📁 Local source installation detected (${PACKAGE_ROOT}).`);
+        lines.push(`Run these commands to update:`);
+        lines.push(`  cd "${PACKAGE_ROOT}"`);
+        lines.push(`  git pull`);
+        lines.push(`  npm run build`);
+        lines.push(`Then restart Claude Code.`);
+        return lines.join("\n");
+    }
+    // Global npm install
+    try {
+        lines.push(`Running: npm install -g @a13xu/lucid@${latest}`);
+        execSync(`npm install -g @a13xu/lucid@${latest}`, {
+            timeout: 120_000,
+            stdio: "pipe",
+        });
+        lines.push(`✅ Updated to v${latest}`);
+        lines.push(``);
+        lines.push(`⚠️  Restart Claude Code to load the new version:`);
+        lines.push(`   • VS Code: Cmd/Ctrl+Shift+P → "Restart Claude Code"`);
+        lines.push(`   • CLI: exit and re-run \`claude\``);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        lines.push(`❌ Auto-update failed: ${msg}`);
+        lines.push(`   Run manually: npm install -g @a13xu/lucid@${latest}`);
+        if (process.platform !== "win32") {
+            lines.push(`   Or with sudo: sudo npm install -g @a13xu/lucid@${latest}`);
+        }
+    }
+    return lines.join("\n");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@a13xu/lucid",
-  "version": "1.11.0",
+  "version": "1.13.0",
   "description": "Token-efficient memory, code indexing, and validation for Claude Code agents — SQLite + FTS5, TF-IDF + Qdrant retrieval, AST skeleton pruning, diff-aware context, Logic Guardian drift detection",
   "type": "module",
   "bin": {
@@ -9,6 +9,7 @@
   "files": [
     "build/**/*.js",
     "build/**/*.d.ts",
+    "skills/**/*.md",
     "README.md"
   ],
   "scripts": {

package/skills/lucid-audit/SKILL.md

@@ -0,0 +1,53 @@
+---
+name: lucid-audit
+description: Run after writing or modifying code — validates logic correctness (Logic Guardian 5 passes) and code quality (25 Golden Rules) before marking work as done.
+argument-hint: "[file path or 'all']"
+---
+
+# Lucid Code Audit
+
+Run this skill BEFORE marking any implementation as complete. It runs two complementary validators:
+
+- **Logic Guardian** (`validate_file`) — detects LLM drift: logic inversions, null propagation, off-by-one, copy-paste mistakes
+- **Code Quality Guard** (`check_code_quality`) — detects structural issues: file/function size, vague naming, deep nesting, prop explosion, inline styles
+
+## Steps
+
+### 1. Validate logic correctness
+```
+validate_file(path="<file you wrote or modified>")
+```
+Fix any 🔴 CRITICAL issues before continuing.
+
+### 2. Validate code quality
+```
+check_code_quality(path="<same file>")
+```
+Fix any 🔴 HIGH severity issues. Address 🟠 MEDIUM where practical.
+
+### 3. If unsure about a snippet before writing it to disk
+```
+check_drift(code="<your code>", language="typescript")
+```
+
+### 4. Get the full 5-pass mental checklist
+```
+get_checklist()
+```
+Use this when changes are complex or involve critical business logic.
+
+## Severity guide
+
+| Icon | Level | Action |
+|---|---|---|
+| 🔴 | Critical/High | Fix immediately — do not ship |
+| 🟠 | Medium/Warning | Fix if not risky refactor |
+| 🔵 | Low/Info | Note for future cleanup |
+
+## What each tool catches
+
+| Tool | Catches |
+|---|---|
+| `validate_file` | Logic inversions, silent exceptions, null propagation, type confusion, stale closures |
+| `check_code_quality` | Files >500 lines, functions >100 lines, vague names, nesting >4 levels, dead code, React/Vue component anti-patterns |
+| `check_drift` | Same as validate_file but on inline snippets — use before writing |

package/skills/lucid-context/SKILL.md

@@ -0,0 +1,35 @@
+---
+name: lucid-context
+description: Use before starting any coding task — retrieves minimal relevant context via Lucid's TF-IDF retrieval, then rewards or penalizes based on usefulness.
+argument-hint: "[what you are working on]"
+---
+
+# Lucid Context Retrieval
+
+Use this skill at the START of every coding task to get only the relevant files instead of reading the whole codebase.
+
+## Steps
+
+1. **Call `get_context`** with a concise description of what you're working on:
+   ```
+   get_context(query="<what you are working on>", maxTokens=4000)
+   ```
+
+2. **Review the returned skeletons/files.** If they are relevant → call `reward()`. If they missed important files → call `penalize()` and note what was missing.
+
+3. **Start coding** using the context you received.
+
+## Tips
+
+- Use `dirs` to narrow scope: `get_context(query="...", dirs=["src/api"])`
+- Use `get_recent(hours=2)` after a git pull or when resuming a session to see what changed
+- Use `grep_code(pattern="...")` to locate specific function usages without reading full files
+- After finishing, call `sync_file(path="<modified file>")` to keep the knowledge graph current
+
+## When to reward vs penalize
+
+| Situation | Action |
+|---|---|
+| Context included the files that helped solve the task | `reward()` |
+| Context missed key files you had to find manually | `penalize(note="missed: src/utils/auth.ts")` |
+| Context was partially useful | No action needed |

package/skills/lucid-plan/SKILL.md

@@ -0,0 +1,60 @@
+---
+name: lucid-plan
+description: Create and track an implementation plan before writing any code — use Lucid's planning tools to define user story, ordered tasks, and test criteria.
+argument-hint: "[feature or task description]"
+---
+
+# Lucid Planning Workflow
+
+Use this skill BEFORE writing code for any non-trivial feature. Plans are persisted in the Lucid DB and survive session restarts.
+
+## Steps
+
+### 1. Create the plan
+```
+plan_create(
+  title="<short title>",
+  description="<what this plan accomplishes>",
+  user_story="As a <user>, I want <goal>, so that <benefit>.",
+  tasks=[
+    { title: "Task 1", description: "...", test_criteria: "How to verify done" },
+    { title: "Task 2", description: "...", test_criteria: "..." },
+  ]
+)
+```
+Returns a `plan_id` and task IDs (format: `planId * 100 + sequence`).
+
+### 2. Work through tasks
+For each task, mark it in progress when you start:
+```
+plan_update_task(task_id=101, status="in_progress")
+```
+
+When done, mark it complete (optionally add a note):
+```
+plan_update_task(task_id=101, status="done", note="Used useFetch instead of axios")
+```
+
+Plan auto-completes when all tasks reach `done`.
+
+### 3. Resume a session — check plan status
+```
+plan_list()                  # see all active plans
+plan_get(plan_id=1)          # see full details + task status
+```
+
+## Task statuses
+
+| Status | When to use |
+|---|---|
+| `pending` | Not started yet |
+| `in_progress` | Currently working on it |
+| `done` | Completed and verified |
+| `blocked` | Waiting on external dependency |
+
+## Tips
+
+- Define `test_criteria` clearly — it becomes your acceptance test
+- Use `plan_get` when resuming to quickly re-orient yourself
+- Keep tasks small (1–4 hours each); use more tasks rather than fewer
+- Notes are append-only — use them to document decisions made during implementation

package/skills/lucid-security/SKILL.md

@@ -0,0 +1,59 @@
+---
+name: lucid-security
+description: Run a full security review on a file or snippet — combines web vulnerability scanning (XSS, injection, secrets) with LLM drift detection before shipping code.
+argument-hint: "[file path or paste code]"
+---
+
+# Lucid Security Review
+
+Run this skill before shipping any code that handles user input, authentication, file access, or external data.
+
+## Steps
+
+### 1. Scan for web security vulnerabilities
+```
+security_scan(
+  code="<file contents or snippet>",
+  language="typescript",    # javascript | typescript | html | vue
+  context="backend"         # frontend | backend | api
+)
+```
+Detects: XSS vectors, eval/new Function, SQL injection via string concat, hardcoded secrets/keys, open redirects, prototype pollution, path traversal, insecure CORS.
+
+### 2. Scan for logic errors (LLM drift)
+```
+validate_file(path="<file path>")
+```
+Catches security-adjacent logic bugs: wrong condition direction, silent exception swallowing, null propagation into auth checks.
+
+### 3. For frontend components — audit accessibility too
+```
+accessibility_audit(code="<template or JSX>", wcag_level="AA", framework="vue")
+```
+
+## Severity guide
+
+| Icon | Severity | Action |
+|---|---|---|
+| 🔴 Critical | XSS, eval, hardcoded secret, SQL injection | Fix before any commit |
+| 🟠 High | Open redirect, path traversal, prototype pollution | Fix before merge |
+| 🟡 Medium | Wildcard CORS, missing CSRF protection | Fix before production |
+| 🔵 Low | console.log, minor info leakage | Fix when convenient |
+
+## Common patterns to watch
+
+| Pattern | Risk |
+|---|---|
+| `element.innerHTML = userInput` | XSS — use `textContent` or DOMPurify |
+| `eval(...)` / `new Function(...)` | Code injection |
+| `const key = "sk-abc123..."` | Hardcoded secret — move to env var |
+| `res.redirect(req.query.url)` | Open redirect — validate against allowlist |
+| `readFile(req.params.filename)` | Path traversal — use `path.resolve` + bounds check |
+| `Access-Control-Allow-Origin: *` | Overly permissive CORS |
+
+## Note
+
+Static scanning finds patterns, not all vulnerabilities. Complement with:
+- Manual code review for business logic flaws
+- DAST (dynamic testing) for runtime issues
+- Dependency audit: `npm audit` / `pip-audit`

package/skills/lucid-webdev/SKILL.md

@@ -0,0 +1,123 @@
+---
+name: lucid-webdev
+description: Web development code generation tools — generate components, pages, SEO meta, API clients, tests, layouts, design tokens, and analyze accessibility and performance.
+argument-hint: "[component | page | seo | a11y | api | test | layout | security | tokens | perf]"
+---
+
+# Lucid Web Dev Tools
+
+10 tools for common web development tasks. Pick the one that matches what you need:
+
+## Component & Page Generation
+
+### Generate a component
+```
+generate_component(
+  description="user profile card with avatar and edit button",
+  framework="vue",          # react | vue | nuxt
+  styling="tailwind",       # tailwind | css-modules | none
+  typescript=true
+)
+```
+
+### Generate a page scaffold
+```
+scaffold_page(
+  page_name="ProductDetail",
+  framework="nuxt",          # nuxt | next | vue
+  sections=["hero", "specs", "reviews", "cta"],
+  seo_title="Product Detail"
+)
+```
+
+## SEO & Accessibility
+
+### Generate SEO metadata
+```
+seo_meta(
+  title="Buy Widgets — Best Price",
+  description="Shop our range of premium widgets with free delivery.",
+  keywords=["widgets", "buy widgets", "widget shop"],
+  page_type="product",       # article | product | landing | home
+  url="https://example.com/widgets",
+  image_url="https://example.com/og/widgets.jpg"
+)
+```
+Returns: HTML meta tags + Open Graph + Twitter Card + JSON-LD structured data.
+
+### Audit accessibility (WCAG)
+```
+accessibility_audit(
+  code="<your HTML/JSX/Vue snippet>",
+  wcag_level="AA",           # A | AA | AAA
+  framework="vue"            # html | jsx | vue
+)
+```
+Returns: violations with severity (critical/warning/info), WCAG criterion, and corrected code.
+
+## API & Testing
+
+### Generate a typed API client
+```
+api_client(
+  endpoint="/users/:id",
+  method="GET",              # GET | POST | PUT | PATCH | DELETE
+  response_schema="{ id: string; name: string; email: string }",
+  auth="bearer",             # bearer | cookie | apikey | none
+  base_url_var="NEXT_PUBLIC_API_URL"
+)
+```
+
+### Generate tests
+```
+test_generator(
+  code="<your function or component source>",
+  test_framework="vitest",   # vitest | jest | playwright
+  test_type="unit",          # unit | integration | e2e
+  component_framework="vue"  # vue | react | none
+)
+```
+
+## Layout & Design
+
+### Generate a responsive layout
+```
+responsive_layout(
+  description="sidebar left 260px, main content, right panel 240px",
+  framework="tailwind",      # tailwind | css-grid | flexbox
+  breakpoints=["mobile", "tablet", "desktop"],
+  container="sidebar"        # full | centered | sidebar
+)
+```
+
+### Generate design tokens
+```
+design_tokens(
+  brand_name="Acme",
+  primary_color="#6366F1",   # hex or name (blue, green, etc.)
+  mood="minimal",            # minimal | bold | playful | corporate
+  output_format="css-variables"  # css-variables | tailwind-config | json
+)
+```
+
+## Security & Performance
+
+### Scan for security vulnerabilities
+```
+security_scan(
+  code="<your code snippet>",
+  language="typescript",     # javascript | typescript | html | vue
+  context="frontend"         # frontend | backend | api
+)
+```
+Detects: XSS, eval/injection, hardcoded secrets, SQL injection, open redirects, CORS issues.
+
+### Analyze Core Web Vitals issues
+```
+perf_hints(
+  code="<your component or page source>",
+  framework="vue",           # react | vue | nuxt | vanilla
+  context="page"             # component | page | layout
+)
+```
+Detects: missing image dimensions (CLS), render-blocking scripts (FCP), fetch-in-render (TTFB), heavy click handlers (INP), missing useMemo/computed.