@acmeacmeio/setup-sh 0.2.6

package/templates/.claude/skills/api-design/SKILL.md

@@ -0,0 +1,77 @@
+# API Design Skill
+
+## REST + Zod Patterns
+
+### Route Structure
+
+| Method | Path           | Purpose  |
+| ------ | -------------- | -------- |
+| GET    | /resources     | List all |
+| GET    | /resources/:id | Get one  |
+| POST   | /resources     | Create   |
+| PUT    | /resources/:id | Replace  |
+| PATCH  | /resources/:id | Update   |
+| DELETE | /resources/:id | Delete   |
+
+### Validation with Zod
+
+```typescript
+import { z } from "zod";
+
+// Define schemas
+const CreateUserSchema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1).max(100),
+  role: z.enum(["user", "admin"]).default("user"),
+});
+
+// Infer types from schemas
+type CreateUserInput = z.infer<typeof CreateUserSchema>;
+
+// Validate at controller boundary
+app.post("/users", async (req, res) => {
+  const result = CreateUserSchema.safeParse(req.body);
+  if (!result.success) {
+    return res.status(400).json({
+      error: "Validation failed",
+      details: result.error.flatten(),
+    });
+  }
+  // result.data is fully typed
+  const user = await userService.create(result.data);
+  return res.status(201).json({ data: user });
+});
+```
+
+### Response Format
+
+**Success (single)**
+
+```json
+{ "data": { "id": "123", "name": "John" } }
+```
+
+**Success (list)**
+
+```json
+{ "data": [...], "total": 100, "page": 1, "pageSize": 20 }
+```
+
+**Error**
+
+```json
+{ "error": "Validation failed", "field": "email", "code": "INVALID_EMAIL" }
+```
+
+### HTTP Status Codes
+
+| Code | Usage                     |
+| ---- | ------------------------- |
+| 200  | Success (GET, PUT, PATCH) |
+| 201  | Created (POST)            |
+| 204  | No content (DELETE)       |
+| 400  | Validation error          |
+| 401  | Unauthorized              |
+| 403  | Forbidden                 |
+| 404  | Not found                 |
+| 500  | Internal error            |

package/templates/.claude/skills/security-review/SKILL.md

@@ -0,0 +1,65 @@
+# Security Review Skill
+
+## Security Audit Checklist
+
+### Authentication
+
+- [ ] Tokens are validated on every request
+- [ ] Passwords are hashed with bcrypt or argon2 (not MD5/SHA1)
+- [ ] Sessions expire appropriately
+- [ ] Password reset tokens are single-use and time-limited
+- [ ] Multi-factor authentication where appropriate
+
+### Authorization
+
+- [ ] Users can only access their own data
+- [ ] Admin endpoints require admin role
+- [ ] API keys are scoped appropriately
+- [ ] Role checks happen server-side, not just client
+- [ ] Sensitive operations require re-authentication
+
+### Input Validation
+
+- [ ] All user input is validated (Zod schemas at boundaries)
+- [ ] SQL queries use parameterized statements
+- [ ] File uploads are restricted by type and size
+- [ ] URLs and redirects are validated against allowlist
+- [ ] HTML output is escaped to prevent XSS
+
+### Secrets Management
+
+- [ ] No hardcoded credentials in code
+- [ ] Environment variables for all secrets
+- [ ] .env files are gitignored
+- [ ] Secrets rotated regularly
+- [ ] Different credentials per environment
+
+### Data Protection
+
+- [ ] Sensitive data encrypted at rest
+- [ ] HTTPS enforced in production
+- [ ] Passwords never logged
+- [ ] PII minimized and access-controlled
+- [ ] Data retention policies enforced
+
+### Error Handling
+
+- [ ] No stack traces in production responses
+- [ ] Generic error messages to users
+- [ ] Detailed errors logged server-side
+- [ ] Failed login attempts rate-limited
+
+### Dependencies
+
+- [ ] Dependencies regularly updated
+- [ ] Known vulnerabilities addressed (npm audit)
+- [ ] Minimal dependencies (smaller attack surface)
+- [ ] Lock files committed (package-lock.json)
+
+## Common Vulnerabilities
+
+1. **SQL Injection**: Use parameterized queries
+2. **XSS**: Escape HTML output, use CSP headers
+3. **CSRF**: Use CSRF tokens for state-changing requests
+4. **IDOR**: Verify user owns the resource they're accessing
+5. **Secrets in Code**: Use environment variables

package/templates/.codex/config.toml

@@ -0,0 +1,31 @@
+# ACME-SOUL Codex Configuration
+# Generated by @acmeacmeio/setup-sh
+
+# Model and approval settings
+model = "gpt-4.1"
+approval_policy = "on-failure"
+
+# Sandbox mode: "workspace-write" allows writing to workspace but restricts system access
+# Other options: "off", "workspace-read", "full"
+sandbox_mode = "workspace-write"
+
+# Feature flags
+[features]
+shell_snapshot = true
+
+# MCP Servers Configuration
+# Note: Codex integrates MCP servers directly in config.toml
+[mcpServers.github]
+command = "npx"
+args = ["-y", "@modelcontextprotocol/server-github"]
+
+[mcpServers.github.env]
+GITHUB_PERSONAL_ACCESS_TOKEN = "${GITHUB_TOKEN}"
+
+[mcpServers.sequential-thinking]
+command = "npx"
+args = ["-y", "@modelcontextprotocol/server-sequential-thinking"]
+
+# Notification hooks (Codex only supports post-execution notify hooks)
+# [hooks]
+# notify = ["your-notification-command"]

package/templates/.codex/skills/api-design/SKILL.md

@@ -0,0 +1,77 @@
+# API Design Skill
+
+## REST + Zod Patterns
+
+### Route Structure
+
+| Method | Path           | Purpose  |
+| ------ | -------------- | -------- |
+| GET    | /resources     | List all |
+| GET    | /resources/:id | Get one  |
+| POST   | /resources     | Create   |
+| PUT    | /resources/:id | Replace  |
+| PATCH  | /resources/:id | Update   |
+| DELETE | /resources/:id | Delete   |
+
+### Validation with Zod
+
+```typescript
+import { z } from "zod";
+
+// Define schemas
+const CreateUserSchema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1).max(100),
+  role: z.enum(["user", "admin"]).default("user"),
+});
+
+// Infer types from schemas
+type CreateUserInput = z.infer<typeof CreateUserSchema>;
+
+// Validate at controller boundary
+app.post("/users", async (req, res) => {
+  const result = CreateUserSchema.safeParse(req.body);
+  if (!result.success) {
+    return res.status(400).json({
+      error: "Validation failed",
+      details: result.error.flatten(),
+    });
+  }
+  // result.data is fully typed
+  const user = await userService.create(result.data);
+  return res.status(201).json({ data: user });
+});
+```
+
+### Response Format
+
+**Success (single)**
+
+```json
+{ "data": { "id": "123", "name": "John" } }
+```
+
+**Success (list)**
+
+```json
+{ "data": [...], "total": 100, "page": 1, "pageSize": 20 }
+```
+
+**Error**
+
+```json
+{ "error": "Validation failed", "field": "email", "code": "INVALID_EMAIL" }
+```
+
+### HTTP Status Codes
+
+| Code | Usage                     |
+| ---- | ------------------------- |
+| 200  | Success (GET, PUT, PATCH) |
+| 201  | Created (POST)            |
+| 204  | No content (DELETE)       |
+| 400  | Validation error          |
+| 401  | Unauthorized              |
+| 403  | Forbidden                 |
+| 404  | Not found                 |
+| 500  | Internal error            |

package/templates/.codex/skills/security-review/SKILL.md

@@ -0,0 +1,65 @@
+# Security Review Skill
+
+## Security Audit Checklist
+
+### Authentication
+
+- [ ] Tokens are validated on every request
+- [ ] Passwords are hashed with bcrypt or argon2 (not MD5/SHA1)
+- [ ] Sessions expire appropriately
+- [ ] Password reset tokens are single-use and time-limited
+- [ ] Multi-factor authentication where appropriate
+
+### Authorization
+
+- [ ] Users can only access their own data
+- [ ] Admin endpoints require admin role
+- [ ] API keys are scoped appropriately
+- [ ] Role checks happen server-side, not just client
+- [ ] Sensitive operations require re-authentication
+
+### Input Validation
+
+- [ ] All user input is validated (Zod schemas at boundaries)
+- [ ] SQL queries use parameterized statements
+- [ ] File uploads are restricted by type and size
+- [ ] URLs and redirects are validated against allowlist
+- [ ] HTML output is escaped to prevent XSS
+
+### Secrets Management
+
+- [ ] No hardcoded credentials in code
+- [ ] Environment variables for all secrets
+- [ ] .env files are gitignored
+- [ ] Secrets rotated regularly
+- [ ] Different credentials per environment
+
+### Data Protection
+
+- [ ] Sensitive data encrypted at rest
+- [ ] HTTPS enforced in production
+- [ ] Passwords never logged
+- [ ] PII minimized and access-controlled
+- [ ] Data retention policies enforced
+
+### Error Handling
+
+- [ ] No stack traces in production responses
+- [ ] Generic error messages to users
+- [ ] Detailed errors logged server-side
+- [ ] Failed login attempts rate-limited
+
+### Dependencies
+
+- [ ] Dependencies regularly updated
+- [ ] Known vulnerabilities addressed (npm audit)
+- [ ] Minimal dependencies (smaller attack surface)
+- [ ] Lock files committed (package-lock.json)
+
+## Common Vulnerabilities
+
+1. **SQL Injection**: Use parameterized queries
+2. **XSS**: Escape HTML output, use CSP headers
+3. **CSRF**: Use CSRF tokens for state-changing requests
+4. **IDOR**: Verify user owns the resource they're accessing
+5. **Secrets in Code**: Use environment variables

package/templates/.cursor/commands/auto.md

@@ -0,0 +1,55 @@
+# Intent Router
+
+Automatically classify user intent and route to the appropriate workflow.
+
+## Available Commands
+
+- `fix-issue` - Fix a GitHub issue following TDD workflow
+- `review` - Run code review checklist
+- `clean-copy` - Restructure commits into clean history
+- `code-simplifier` - Simplify code for clarity and maintainability
+
+## Task
+
+Classify the request and determine the best workflow.
+
+### Classification Process
+
+1. **Extract key intent** from the natural language request
+2. **Match against available commands** - find the best matching workflow
+3. **Extract arguments** - pull out issue numbers, branch names, or other parameters
+4. **Determine confidence** - how well does this match?
+
+### Confidence Guidelines
+
+- **0.9-1.0**: Exact trigger phrase match
+- **0.7-0.9**: Clear intent, slightly different wording
+- **0.5-0.7**: Probable match, some ambiguity
+- **Below 0.5**: Ask user to clarify
+
+### If Low Confidence
+
+If confidence is below 0.7, present options to the user:
+
+```
+I'm not sure which workflow you want. Did you mean:
+
+1. fix-issue - Fix a GitHub issue with TDD
+2. review - Review code changes
+3. clean-copy - Restructure commits
+4. code-simplifier - Simplify and clean up code
+
+Please choose or rephrase your request.
+```
+
+### Examples
+
+| Input                   | Match      | Confidence |
+| ----------------------- | ---------- | ---------- |
+| "fix issue #123"        | fix-issue  | 0.95       |
+| "I need to fix bug 456" | fix-issue  | 0.85       |
+| "review my changes"     | review     | 0.90       |
+| "clean up my commits"   | clean-copy      | 0.85       |
+| "simplify this code"    | code-simplifier | 0.90       |
+| "clean up this function"| code-simplifier | 0.80       |
+| "help me code"          | -               | 0.30       |

package/templates/.cursor/commands/clean-copy.md

@@ -0,0 +1,80 @@
+# Clean Copy
+
+Reimplement the current branch with clean, atomic commits suitable for reviewer comprehension.
+
+## Context
+
+Gather current state:
+
+- **Source branch**: `git branch --show-current`
+- **Git status**: `git status --short`
+- **Commits since main**: `git log main..HEAD --oneline`
+- **Diff stats**: `git diff main...HEAD --stat`
+- **Full diff**: `git diff main...HEAD`
+
+## Task
+
+Create a new branch with restructured commits that tell a clear story.
+
+### Steps
+
+1. **Validate source branch**
+   - Ensure no uncommitted changes
+   - Ensure branch is up to date with main
+
+2. **Analyze the full diff**
+   - Understand the complete intended final state
+   - Identify logical units of change
+
+3. **Create clean branch from main**
+
+   ```bash
+   git checkout main
+   git pull origin main
+   git checkout -b {source_branch}-clean
+   ```
+
+4. **Plan commit storyline**
+   - Break changes into self-contained logical steps
+   - Each commit should represent a single coherent idea
+   - Order commits so each builds on the previous (tutorial-style)
+   - Aim for 3-7 commits typically
+
+5. **Reimplement step-by-step**
+   For each logical unit:
+   - Apply the relevant changes
+   - Write a clear commit message following conventional commits
+   - Use `git commit --no-verify` for intermediate commits (types/tests may not pass until complete)
+
+6. **Verify final state matches source**
+
+   ```bash
+   git diff {source_branch}..HEAD
+   ```
+
+   This diff should be empty. If not, reconcile differences.
+
+7. **Final commit verification**
+   - The final commit must NOT use `--no-verify`
+   - All checks (lint, types, tests) must pass
+
+8. **Create PR**
+   - Follow project PR conventions
+   - Link to original branch or issue
+
+### Rules
+
+- End state must be byte-for-byte identical to source branch
+- Each commit message should explain _why_, not just _what_
+- If the source branch has a linked issue, reference it in the PR
+
+### Example Commit Storyline
+
+For a feature adding user authentication:
+
+1. `feat: add User model and database migration`
+2. `feat: implement password hashing utilities`
+3. `feat: add login/logout API endpoints`
+4. `feat: add session middleware`
+5. `test: add authentication integration tests`
+6. `docs: update API documentation with auth endpoints`

package/templates/.cursor/commands/code-simplifier.md

@@ -0,0 +1,28 @@
+# Code Simplifier
+
+Simplify and refine code for clarity, consistency, and maintainability while preserving all functionality.
+
+## Process
+
+1. Analyze the target code for complexity
+2. Identify simplification opportunities
+3. Propose and implement improvements
+
+## Simplification Strategies
+
+- Extract repeated code into functions
+- Replace complex conditionals with early returns
+- Simplify nested structures
+- Use descriptive names that eliminate need for comments
+- Remove dead code and unused variables
+- Apply SOLID principles where appropriate
+- AVOID nested ternary operators - prefer switch/if-else
+
+## Rules
+
+- NEVER change functionality
+- Preserve all existing tests
+- Make one logical change at a time
+- Explain each simplification clearly
+- Focus on readability over cleverness
+- Choose clarity over brevity

package/templates/.cursor/commands/fix-issue.md

@@ -0,0 +1,28 @@
+# Fix Issue Workflow
+
+When fixing a GitHub issue:
+
+1. **Understand the issue**
+   - Read the issue description and comments
+   - Understand the expected vs actual behavior
+   - Identify affected files and components
+
+2. **Write a failing test**
+   - Create a test that reproduces the issue
+   - Run it to confirm it fails
+   - The test should clearly demonstrate the bug
+
+3. **Implement the fix**
+   - Write minimal code to fix the issue
+   - Keep changes focused on the bug
+   - Don't refactor unrelated code
+
+4. **Verify the fix**
+   - Run the new test to confirm it passes
+   - Run all related tests to ensure no regressions
+   - Run lint and typecheck
+
+5. **Create a PR**
+   - Use conventional commit: `fix: description`
+   - Reference the issue: `Fixes #123`
+   - Include before/after behavior in PR description

package/templates/.cursor/commands/review.md

@@ -0,0 +1,41 @@
+# Code Review Checklist
+
+Review the code against this checklist:
+
+## Testing
+
+- [ ] Tests cover the changes
+- [ ] Edge cases are tested
+- [ ] Tests are readable and maintainable
+
+## Code Quality
+
+- [ ] No console.log or debug code
+- [ ] No commented-out code
+- [ ] Types are explicit (no `any`)
+- [ ] No hardcoded values that should be config
+- [ ] Follows existing patterns in codebase
+
+## Error Handling
+
+- [ ] Errors are handled appropriately
+- [ ] Error messages are helpful
+- [ ] No silent failures
+
+## Security
+
+- [ ] No credentials or secrets in code
+- [ ] User input is validated
+- [ ] No SQL injection or XSS vulnerabilities
+
+## Performance
+
+- [ ] No obvious performance issues
+- [ ] No unnecessary re-renders (React)
+- [ ] Database queries are efficient
+
+## Documentation
+
+- [ ] Complex logic has comments
+- [ ] Public APIs have documentation
+- [ ] Breaking changes are documented

package/templates/.cursor/hooks.json

@@ -0,0 +1,11 @@
+{
+  "version": 1,
+  "hooks": {
+    "afterFileEdit": [
+      {
+        "command": "npx prettier --write \"$CURSOR_FILEPATH\" && npx eslint --fix \"$CURSOR_FILEPATH\" 2>/dev/null || true",
+        "type": "command"
+      }
+    ]
+  }
+}

package/templates/.cursor/rules/api-design.mdc

@@ -0,0 +1,80 @@
+---
+description: REST API design patterns with Zod validation
+globs: []
+alwaysApply: false
+---
+
+# API Design Patterns
+
+## REST + Zod
+
+### Route Structure
+
+| Method | Path           | Purpose  |
+| ------ | -------------- | -------- |
+| GET    | /resources     | List all |
+| GET    | /resources/:id | Get one  |
+| POST   | /resources     | Create   |
+| PUT    | /resources/:id | Replace  |
+| PATCH  | /resources/:id | Update   |
+| DELETE | /resources/:id | Delete   |
+
+### Validation with Zod
+
+```typescript
+import { z } from "zod";
+
+// Define schemas
+const CreateUserSchema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1).max(100),
+  role: z.enum(["user", "admin"]).default("user"),
+});
+
+// Infer types from schemas
+type CreateUserInput = z.infer<typeof CreateUserSchema>;
+
+// Validate at controller boundary
+app.post("/users", async (req, res) => {
+  const result = CreateUserSchema.safeParse(req.body);
+  if (!result.success) {
+    return res.status(400).json({
+      error: "Validation failed",
+      details: result.error.flatten(),
+    });
+  }
+  // result.data is fully typed
+  const user = await userService.create(result.data);
+  return res.status(201).json({ data: user });
+});
+```
+
+### Response Format
+
+**Success (single)**
+```json
+{ "data": { "id": "123", "name": "John" } }
+```
+
+**Success (list)**
+```json
+{ "data": [...], "total": 100, "page": 1, "pageSize": 20 }
+```
+
+**Error**
+```json
+{ "error": "Validation failed", "field": "email", "code": "INVALID_EMAIL" }
+```
+
+### HTTP Status Codes
+
+| Code | Usage                     |
+| ---- | ------------------------- |
+| 200  | Success (GET, PUT, PATCH) |
+| 201  | Created (POST)            |
+| 204  | No content (DELETE)       |
+| 400  | Validation error          |
+| 401  | Unauthorized              |
+| 403  | Forbidden                 |
+| 404  | Not found                 |
+| 500  | Internal error            |