@acmeacmeio/setup-sh 0.2.6

package/templates/.cursor/rules/git-workflow.mdc

@@ -0,0 +1,73 @@
+---
+description: Git workflow and conventional commits
+globs: []
+alwaysApply: false
+---
+
+# Git Workflow
+
+## Branches
+
+- `main`: Production-ready code
+- `dev`: Integration branch for features
+
+## Conventional Commits
+
+Use conventional commit format:
+
+```
+<type>: <description>
+
+[optional body]
+
+[optional footer]
+```
+
+### Types
+
+| Type       | Usage                          |
+| ---------- | ------------------------------ |
+| `feat`     | New feature                    |
+| `fix`      | Bug fix                        |
+| `docs`     | Documentation only             |
+| `refactor` | Code change (no feature/fix)   |
+| `test`     | Adding/updating tests          |
+| `chore`    | Build, tooling, dependencies   |
+| `perf`     | Performance improvement        |
+| `style`    | Formatting (no logic change)   |
+
+### Examples
+
+```bash
+feat: add user authentication
+fix: resolve null pointer in user lookup
+docs: update API documentation
+refactor: extract validation logic to utils
+test: add integration tests for auth flow
+chore: update dependencies
+```
+
+## Pull Requests
+
+- Keep PRs small and focused (ideally < 400 lines)
+- Reference issues: `Fixes #123`
+- All PRs require review before merge
+- Use draft PRs for work in progress
+
+## Commit Message Guidelines
+
+- Use imperative mood: "add feature" not "added feature"
+- First line < 72 characters
+- Explain "why" in body, not just "what"
+- Reference issues when applicable
+
+## Branch Naming
+
+```
+<type>/<short-description>
+```
+
+Examples:
+- `feat/user-authentication`
+- `fix/login-redirect-loop`
+- `refactor/extract-validation`

package/templates/.cursor/rules/security.mdc

@@ -0,0 +1,69 @@
+---
+description: Security review checklist for code audits
+globs: []
+alwaysApply: false
+---
+
+# Security Review Checklist
+
+## Authentication
+
+- [ ] Tokens are validated on every request
+- [ ] Passwords are hashed with bcrypt or argon2 (not MD5/SHA1)
+- [ ] Sessions expire appropriately
+- [ ] Password reset tokens are single-use and time-limited
+- [ ] Multi-factor authentication where appropriate
+
+## Authorization
+
+- [ ] Users can only access their own data
+- [ ] Admin endpoints require admin role
+- [ ] API keys are scoped appropriately
+- [ ] Role checks happen server-side, not just client
+- [ ] Sensitive operations require re-authentication
+
+## Input Validation
+
+- [ ] All user input is validated (Zod schemas at boundaries)
+- [ ] SQL queries use parameterized statements
+- [ ] File uploads are restricted by type and size
+- [ ] URLs and redirects are validated against allowlist
+- [ ] HTML output is escaped to prevent XSS
+
+## Secrets Management
+
+- [ ] No hardcoded credentials in code
+- [ ] Environment variables for all secrets
+- [ ] .env files are gitignored
+- [ ] Secrets rotated regularly
+- [ ] Different credentials per environment
+
+## Data Protection
+
+- [ ] Sensitive data encrypted at rest
+- [ ] HTTPS enforced in production
+- [ ] Passwords never logged
+- [ ] PII minimized and access-controlled
+- [ ] Data retention policies enforced
+
+## Error Handling
+
+- [ ] No stack traces in production responses
+- [ ] Generic error messages to users
+- [ ] Detailed errors logged server-side
+- [ ] Failed login attempts rate-limited
+
+## Dependencies
+
+- [ ] Dependencies regularly updated
+- [ ] Known vulnerabilities addressed (npm audit)
+- [ ] Minimal dependencies (smaller attack surface)
+- [ ] Lock files committed (package-lock.json)
+
+## Common Vulnerabilities
+
+1. **SQL Injection**: Use parameterized queries
+2. **XSS**: Escape HTML output, use CSP headers
+3. **CSRF**: Use CSRF tokens for state-changing requests
+4. **IDOR**: Verify user owns the resource they're accessing
+5. **Secrets in Code**: Use environment variables

package/templates/.cursor/rules/tdd.mdc

@@ -0,0 +1,35 @@
+---
+description: Test-Driven Development methodology enforcement
+globs: []
+alwaysApply: true
+---
+
+# TDD: Mandatory
+
+All new code follows Test-Driven Development:
+
+1. **Red**: Write a failing test first
+2. **Green**: Write minimal code to pass
+3. **Refactor**: Clean up while tests stay green
+
+## Workflow
+
+When implementing any feature or fix:
+
+1. **Before writing production code**: Create a test file or add a test case that defines the expected behavior
+2. **Run the test**: Confirm it fails for the right reason
+3. **Write minimal implementation**: Just enough code to make the test pass
+4. **Run all tests**: Ensure no regressions
+5. **Refactor if needed**: Improve code quality while keeping tests green
+
+## Test File Conventions
+
+- Place tests next to source files: `foo.ts` -> `foo.test.ts`
+- Or use `__tests__/` directory at package root
+- Use descriptive test names: `it('returns null when user not found')`
+
+## Key Principles
+
+- Never write production code without a failing test
+- Each commit should have the test and implementation together
+- Test behavior, not implementation details

package/templates/.cursor/rules/typescript.mdc

@@ -0,0 +1,82 @@
+---
+description: TypeScript strict mode patterns
+globs:
+  - "**/*.ts"
+  - "**/*.tsx"
+alwaysApply: false
+---
+
+# TypeScript Patterns
+
+## Strict Mode Configuration
+
+```json
+{
+  "compilerOptions": {
+    "strict": true,
+    "noUncheckedIndexedAccess": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true
+  }
+}
+```
+
+## Naming Conventions
+
+### Explicit, No Abbreviations
+
+```typescript
+// Bad
+const usr = getUsr(req.params.id);
+const btn = document.querySelector('.btn');
+
+// Good
+const user = getUser(req.params.userId);
+const button = document.querySelector('.button');
+```
+
+## Types: Always Explicit
+
+```typescript
+// Bad
+function processData(data: any): any { ... }
+const items = [];
+
+// Good
+function processUser(user: User): ProcessedUser { ... }
+const items: Item[] = [];
+```
+
+## Avoid Type Assertions
+
+```typescript
+// Bad
+const user = response.data as User;
+
+// Good
+const user = parseUser(response.data); // with runtime validation
+```
+
+## Use Union Types Over Enums
+
+```typescript
+// Prefer
+type Status = 'pending' | 'active' | 'completed';
+
+// Over
+enum Status { Pending, Active, Completed }
+```
+
+## Handle Null/Undefined Properly
+
+```typescript
+// Bad
+function getUser(id: string) {
+  return users.find(u => u.id === id)!; // Non-null assertion
+}
+
+// Good
+function getUser(id: string): User | undefined {
+  return users.find(u => u.id === id);
+}
+```

package/templates/.cursorignore.template

@@ -0,0 +1,20 @@
+# Environment and secrets
+.env
+.env.*
+*.pem
+*.key
+
+# Build artifacts
+dist/
+build/
+node_modules/
+
+# IDE local files
+*.local.md
+*.local.json
+*.local.toml
+
+# Large files
+*.log
+*.sql
+*.sqlite

package/templates/.gitignore.template

@@ -0,0 +1,10 @@
+# Claude Code (local overrides)
+.claude/settings.local.json
+CLAUDE.local.md
+
+# Codex (local overrides)
+.codex/config.local.toml
+AGENTS.local.md
+
+# Cursor (local overrides)
+.cursor/settings.local.json

package/templates/.mcp.json

@@ -0,0 +1,16 @@
+{
+  "mcpServers": {
+    "github": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-github"],
+      "env": {
+        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
+      }
+    },
+    "sequential-thinking": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"],
+      "env": {}
+    }
+  }
+}

package/templates/AGENTS.md

@@ -0,0 +1,118 @@
+# Team Standards
+
+## Development Methodology
+
+### TDD: Mandatory
+
+All new code follows Test-Driven Development:
+
+1. **Red**: Write a failing test first
+2. **Green**: Write minimal code to pass
+3. **Refactor**: Clean up while tests stay green
+
+TDD is enforced through the `test-driven-development` skill (installed from `obra/superpowers`). When writing new code, always use this skill to ensure proper Red-Green-Refactor workflow.
+
+### TypeScript: Strict Mode
+
+```json
+{
+  "compilerOptions": {
+    "strict": true,
+    "noUncheckedIndexedAccess": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true
+  }
+}
+```
+
+### ESLint: Strict Defaults
+
+Use ESLint with strict defaults. No custom rule overrides unless documented in this file.
+
+## Code Style
+
+### Legacy Code: Gradual Fix
+
+- Fix only code you touch (new or changed files)
+- Don't rewrite working legacy code unprompted
+- Leave existing patterns alone if not in scope
+
+### Naming: Explicit, No Abbreviations
+
+```typescript
+// Bad
+const usr = getUsr(req.params.id);
+
+// Good
+const user = getUser(req.params.userId);
+```
+
+### Types: Always Explicit
+
+```typescript
+// Bad
+function processData(data: any): any { ... }
+
+// Good
+function processUser(user: User): ProcessedUser { ... }
+```
+
+## API Style
+
+### REST + Zod
+
+- Use RESTful routes: GET/POST/PUT/PATCH/DELETE
+- Validate all inputs with Zod schemas at boundaries
+- Response format: `{ data: T }` or `{ error: string }`
+
+### Error Handling: Typed Error Classes
+
+```typescript
+class ValidationError extends Error {
+  constructor(
+    public field: string,
+    message: string,
+  ) {
+    super(message);
+    this.name = "ValidationError";
+  }
+}
+```
+
+## Git Workflow
+
+### Branches
+
+- `main`: Production
+- `dev`: Integration
+
+### Commits
+
+Use conventional commits:
+
+- `feat:` New feature
+- `fix:` Bug fix
+- `docs:` Documentation
+- `refactor:` Code refactoring
+- `test:` Test changes
+
+### Pull Requests
+
+- Keep PRs small and focused
+- Reference issues: `Fixes #123`
+- All PRs require review before merge
+
+## Frontend
+
+### Next.js + App Router
+
+Use latest Next.js with App Router. Server Components by default, Client Components only when needed for interactivity.
+
+## Skills Reference
+
+### Bundled Skills (in .codex/skills/)
+- `$api-design` - REST + Zod API patterns
+- `$security-review` - Security audit checklist
+
+Note: Codex uses bundled skills from `.codex/skills/`. The following skills are available to Claude Code users via `npx add-skill`:
+- `test-driven-development`, `frontend-design`, `commit-commands`, `pr-review-toolkit`, `code-simplifier`, `browser-use`, `supabase-postgres-best-practices`

package/templates/CLAUDE.md

@@ -0,0 +1,138 @@
+# Team Standards
+
+## Development Methodology
+
+### TDD: Mandatory
+
+All new code follows Test-Driven Development:
+
+1. **Red**: Write a failing test first
+2. **Green**: Write minimal code to pass
+3. **Refactor**: Clean up while tests stay green
+
+TDD is enforced through the `test-driven-development` skill (installed from `obra/superpowers`). When writing new code, always use this skill to ensure proper Red-Green-Refactor workflow.
+
+### TypeScript: Strict Mode
+
+```json
+{
+  "compilerOptions": {
+    "strict": true,
+    "noUncheckedIndexedAccess": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true
+  }
+}
+```
+
+### ESLint: Strict Defaults
+
+Use ESLint with strict defaults. No custom rule overrides unless documented in this file.
+
+## Code Style
+
+### Legacy Code: Gradual Fix
+
+- Fix only code you touch (new or changed files)
+- Don't rewrite working legacy code unprompted
+- Leave existing patterns alone if not in scope
+
+### Naming: Explicit, No Abbreviations
+
+```typescript
+// Bad
+const usr = getUsr(req.params.id);
+
+// Good
+const user = getUser(req.params.userId);
+```
+
+### Types: Always Explicit
+
+```typescript
+// Bad
+function processData(data: any): any { ... }
+
+// Good
+function processUser(user: User): ProcessedUser { ... }
+```
+
+## API Style
+
+### REST + Zod
+
+- Use RESTful routes: GET/POST/PUT/PATCH/DELETE
+- Validate all inputs with Zod schemas at boundaries
+- Response format: `{ data: T }` or `{ error: string }`
+
+### Error Handling: Typed Error Classes
+
+```typescript
+class ValidationError extends Error {
+  constructor(
+    public field: string,
+    message: string,
+  ) {
+    super(message);
+    this.name = "ValidationError";
+  }
+}
+```
+
+## Git Workflow
+
+### Branches
+
+- `main`: Production
+- `dev`: Integration
+
+### Commits
+
+Use conventional commits:
+
+- `feat:` New feature
+- `fix:` Bug fix
+- `docs:` Documentation
+- `refactor:` Code refactoring
+- `test:` Test changes
+
+### Pull Requests
+
+- Keep PRs small and focused
+- Reference issues: `Fixes #123`
+- All PRs require review before merge
+
+## Frontend
+
+### Next.js + App Router
+
+Use latest Next.js with App Router. Server Components by default, Client Components only when needed for interactivity.
+
+## Skills Reference
+
+### Commands (slash commands)
+- `/fix-issue` - Fix a GitHub issue following TDD workflow
+- `/review` - Run code review checklist
+- `/clean-copy` - Reimplement branch with clean, narrative-quality commit history
+- `/auto` - Auto-detect and execute the best workflow for your request
+
+### Plugins (enabled via marketplace)
+
+These are bundled extensions that provide subagents, skills, and commands as cohesive units. They are configured in `.claude/settings.json` under `enabledPlugins`:
+
+- `commit-commands` - Commit workflow helpers (anthropics/claude-code-plugins)
+- `pr-review-toolkit` - PR review automation with specialized subagents (anthropics/claude-code-plugins)
+- `code-simplifier` - Code simplification agent (anthropics/claude-code-plugins)
+
+### Installed Skills (via npx add-skill)
+- `test-driven-development` - TDD workflow enforcement (obra/superpowers)
+- `frontend-design` - Frontend design patterns (anthropics/anthropic-skills)
+- `browser-use` - Browser automation (browser-use/browser-use)
+- `supabase-postgres-best-practices` - Supabase/Postgres patterns (supabase/agent-skills)
+
+### Bundled Skills (in .claude/skills/)
+- `api-design` - REST + Zod API patterns
+- `security-review` - Security audit checklist
+
+### Bundled Subagents (in .claude/agents/)
+- `code-simplifier` - Code simplification agent for clarity and maintainability