@buivietphi/skill-mobile-mt 1.2.0 → 1.4.0

package/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: skill-mobile-mt
 description: "Master Senior Mobile Engineer. Patterns from 30+ production repos (200k+ GitHub stars: Ignite, Expensify, Mattermost, Immich, AppFlowy, Now in Android, TCA). Use when: building mobile features, fixing mobile bugs, reviewing mobile code, mobile architecture, React Native, Flutter, iOS Swift, Android Kotlin, mobile performance, mobile security audit, mobile code review, app release. Two modes: (1) default = pre-built production patterns, (2) 'project' = reads current project and adapts."
-version: "1.2.0"
+version: "1.4.0"
 author: buivietphi
 priority: high
 user-invocable: true
@@ -48,9 +48,12 @@ allowed-tools:
 10. [Quality Gate](#quality-gate)
 11. [Build & Deploy Gates](#build--deploy-gates)
 12. [Smart Loading](#smart-loading)
-13. [Hard Bans](#hard-bans)
-14. [Mobile Anti-Patterns](#mobile-anti-patterns)
-15. [Reference Files](#reference-files)
+13. [Grounding Protocol (Anti-Hallucination)](#grounding-protocol-anti-hallucination)
+14. [Docs-First Protocol (Always Use Latest)](#docs-first-protocol-always-use-latest)
+15. [Security Protocol](#security-protocol)
+16. [Hard Bans](#hard-bans)
+17. [Mobile Anti-Patterns](#mobile-anti-patterns)
+18. [Reference Files](#reference-files)
 
 ---
 
@@ -101,8 +104,12 @@ USER REQUEST                    → ACTION (Read tool required)
                                   Read: shared/anti-patterns.md
                                   then: scan for all violations
 
-"Add package/library"           → Read: shared/version-management.md
-                                  then: check SDK compat FIRST → suggest version
+"Add package/library"           → Docs-First Protocol (below) + Read: shared/version-management.md
+                                  then: WebSearch official docs → check SDK compat → install
+
+"Setup/configure X library"     → Docs-First Protocol (below)
+                                  then: WebSearch "[library] [version] setup guide [year]"
+                                  then: follow official docs, NOT memory
 
 "Platform UI / guidelines"      → Read: shared/platform-excellence.md
                                   then: apply iOS 18+ vs Android 15+ native patterns
@@ -119,6 +126,13 @@ USER REQUEST                    → ACTION (Read tool required)
 
 "Build error / runtime crash"   → Read: shared/error-recovery.md
                                   then: apply matching fix pattern
+
+"Offline / cache / sync"        → Read: shared/offline-first.md
+                                  then: implement local-first architecture
+
+"On-device AI / ML / inference" → Read: shared/on-device-ai.md
+                                  then: choose Core ML / TFLite / llama.cpp per platform
+
 ```
 
 **⛔ NEVER start coding without identifying the task type first.**
@@ -728,6 +742,322 @@ FOR UI CHANGES:
 
 ---
 
+## Grounding Protocol (Anti-Hallucination)
+
+**Every answer MUST be grounded in verifiable sources. NEVER answer from "memory" or "intuition".**
+
+### Source Hierarchy (use in order)
+
+```
+PRIORITY 1: PROJECT CODE (highest trust)
+  → Read the actual file → cite file:line
+  → "Based on src/services/authService.ts:42, your project uses axios with interceptor"
+
+PRIORITY 2: SKILL REFERENCE FILES
+  → Read shared/*.md or platform/*.md → cite which file
+  → "Per react-native/react-native.md, use FlatList instead of ScrollView for lists"
+
+PRIORITY 3: OFFICIAL DOCS (via WebSearch)
+  → Search official docs → cite URL
+  → "Per React Native docs: https://reactnative.dev/docs/flatlist"
+
+PRIORITY 4: PRODUCTION REPOS (from architecture-intelligence.md)
+  → Cite which repo the pattern comes from
+  → "Ignite (19.7k stars) uses this folder structure for features"
+
+⛔ PRIORITY 5: AI GENERAL KNOWLEDGE (lowest trust — AVOID)
+  → Only when Priorities 1-4 return nothing
+  → MUST prefix with: "⚠️ Not verified from your project or docs:"
+  → MUST add: "Verify this before using in production"
+```
+
+### Mandatory Rules
+
+```
+RULE 1: READ BEFORE ANSWER
+  ⛔ NEVER suggest code changes to a file you haven't Read
+  ⛔ NEVER reference a function/class without verifying it exists
+  ✅ ALWAYS: Read file → find the code → then suggest fix
+
+RULE 2: VERIFY APIs AND LIBRARIES EXIST
+  ⛔ NEVER suggest an import without verifying the package is installed
+  ⛔ NEVER use a function name without checking it exists in the codebase
+  ✅ Check package.json/pubspec.yaml FIRST → then suggest usage
+  ✅ Grep for the function → confirm it exists → then reference it
+
+RULE 3: CITE YOUR SOURCE
+  Every code suggestion MUST cite where it came from:
+  - "Cloned from src/features/product/productService.ts" (project code)
+  - "Pattern from shared/architecture-intelligence.md" (skill file)
+  - "Per React Navigation v6 docs" (official docs)
+  ⛔ If you can't cite a source → say "I need to verify this first"
+
+RULE 4: SAY "I DON'T KNOW" WHEN YOU DON'T KNOW
+  ✅ "I'm not sure about this API. Let me check the docs."
+  ✅ "I need to read your codebase to answer this correctly."
+  ✅ "This might work but I haven't verified — let me check."
+  ⛔ NEVER confidently state something you haven't verified
+  ⛔ NEVER invent function signatures, API endpoints, or library names
+
+RULE 5: VERSION-SPECIFIC ANSWERS
+  ⛔ NEVER suggest code for "React Native" without knowing the version
+  ⛔ NEVER assume latest version — check package.json first
+  ✅ "Your project uses RN 0.73, so the correct API is..."
+  ✅ "Expo SDK 51 uses expo-router v3, here's the correct import..."
+
+RULE 6: NO PHANTOM PACKAGES
+  Before suggesting ANY npm/pub/pod package:
+  ✅ Verify it exists: check package.json or search npm/pub
+  ✅ Verify it's compatible: check version against project SDK
+  ⛔ NEVER suggest a package name from memory without verification
+  ⛔ NEVER mix up similar packages (e.g., @react-navigation vs react-navigation)
+```
+
+### When Fixing Bugs
+
+```
+GROUNDED BUG FIX PROTOCOL:
+
+1. READ the file with the bug (don't guess from error message alone)
+2. FIND the exact line causing the issue
+3. UNDERSTAND the data flow (what calls this? what does it return?)
+4. VERIFY the fix works with the actual types/interfaces in the project
+5. CHECK side effects (grep for other files using this function)
+6. CITE: "Fix in [file]:[line] — [root cause] — [why fix works]"
+
+⛔ NEVER:
+  - "The error is probably because..." (guess without reading code)
+  - "Try changing X to Y" (without reading the file first)
+  - "This should fix it" (without verifying types match)
+```
+
+### Anti-Hallucination Checklist (run before EVERY response)
+
+```
+Before responding, verify:
+□ Did I READ the relevant files? (not just guess from file names)
+□ Are all function/class names I mentioned REAL? (verified via Grep/Read)
+□ Are all package names I mentioned INSTALLED? (checked package.json)
+□ Are my API suggestions compatible with the project's SDK version?
+□ Did I cite where my solution comes from?
+□ If I'm unsure about something, did I flag it?
+
+If ANY checkbox fails → go back and verify before responding.
+```
+
+---
+
+## Docs-First Protocol (Always Use Latest)
+
+**When setting up, installing, or configuring ANY library/SDK/tool — ALWAYS search official docs FIRST.**
+
+### When This Triggers
+
+```
+TRIGGERS:
+  - "Install X" / "Add X package" / "Setup X"
+  - "Configure X" / "Integrate X"
+  - "How to use X" / "What's the API for X"
+  - "Upgrade from X to Y"
+  - ANY new library, framework feature, or SDK API
+
+⛔ DO NOT answer from memory. Docs change. APIs change. Syntax changes.
+```
+
+### Docs-First Protocol
+
+```
+STEP 1: CHECK PROJECT VERSION
+  Read package.json / pubspec.yaml → get exact version of:
+  - Framework (react-native, expo, flutter)
+  - Target library (if already installed)
+  - Related dependencies
+
+STEP 2: SEARCH OFFICIAL DOCS (WebSearch)
+  Search: "[library name] [version] official documentation [current year]"
+  Examples:
+  - "react-navigation v7 installation guide 2026"
+  - "expo-camera SDK 52 setup documentation"
+  - "riverpod 2.0 getting started flutter"
+
+  ✅ ALWAYS search with the CURRENT YEAR to get latest docs
+  ⛔ NEVER rely on training data — it may be outdated
+
+STEP 3: VERIFY API / SYNTAX
+  From the docs, confirm:
+  - Import path (packages rename, move, split)
+  - Function signatures (params change between versions)
+  - Configuration format (config files change)
+  - Peer dependencies (new requirements)
+  - Breaking changes (v6 → v7 migration)
+
+STEP 4: APPLY WITH CITATION
+  "Per [library] v[X] docs ([URL]):
+   import { X } from '[correct-package]';"
+
+  ⛔ If docs not found → say "I couldn't find current docs, let me try..."
+  ⛔ If conflicting info → use the OFFICIAL source, not blog posts
+```
+
+### Common Outdated Patterns (AI memory traps)
+
+```
+⛔ AI OFTEN GETS WRONG:
+  - React Navigation: v5 syntax vs v6 vs v7 (changed significantly)
+  - Expo Router: file-based routing changed between SDK versions
+  - Firebase: modular v9+ syntax vs old v8 namespaced syntax
+  - Swift: async/await vs completion handlers (iOS 15+ only)
+  - Jetpack Compose: API surface changes rapidly between versions
+  - React Native: New Architecture (Fabric/TurboModules) vs Bridge
+
+✅ ALWAYS WebSearch for the exact version in the project:
+  "react-navigation v7 createStackNavigator" ← correct for v7
+  NOT "react-navigation createStackNavigator" ← could return v4/v5 syntax
+```
+
+### Package Installation Protocol
+
+```
+BEFORE running npm install / flutter pub add / pod install:
+
+1. CHECK if the package exists:
+   → WebSearch "[package name] npm" or "[package name] pub.dev"
+   → Verify it's maintained (last publish date)
+   → Verify it's compatible with project SDK version
+
+2. CHECK the correct install command:
+   → WebSearch "[package name] installation [framework version]"
+   → Some packages need peer dependencies
+   → Some packages need native setup (pod install, gradle sync)
+   → Expo packages: use "npx expo install" NOT "npm install"
+
+3. CHECK for breaking changes:
+   → If upgrading: WebSearch "[package name] migration guide v[old] to v[new]"
+   → Read CHANGELOG for breaking changes
+   → Check if config format changed
+
+4. AFTER install:
+   → Verify import works (no red squiggles)
+   → Run build to check native linking
+   → Test on BOTH platforms (iOS + Android)
+
+⛔ NEVER:
+  - "npm install [package]" without checking version compatibility
+  - Copy import from memory (import paths change between versions)
+  - Assume the API is the same as 6 months ago
+  - Skip native setup steps (pod install, gradle sync)
+```
+
+---
+
+## Security Protocol
+
+**Security is NOT optional. Every feature MUST pass security checks before completion.**
+
+### Security Scan (run on EVERY feature)
+
+```
+BEFORE marking any feature as done, scan for:
+
+1. 🔴 SECRETS & CREDENTIALS
+   □ No hardcoded API keys, tokens, passwords, or secrets
+   □ No secrets in source code, comments, or config files
+   □ .env files in .gitignore (NEVER committed)
+   □ API keys loaded from environment variables or secure config
+
+2. 🔴 TOKEN & AUTH STORAGE
+   □ Auth tokens → SecureStore (Expo) / Keychain (iOS) / EncryptedSharedPreferences (Android)
+   □ ⛔ NEVER AsyncStorage / SharedPreferences / UserDefaults for tokens
+   □ ⛔ NEVER localStorage / sessionStorage for tokens
+   □ Refresh tokens stored separately from access tokens
+   □ Token cleared on logout (all storage locations)
+
+3. 🔴 INPUT VALIDATION
+   □ User input sanitized before display (prevent XSS)
+   □ User input validated before API calls (prevent injection)
+   □ Deep link parameters validated before navigation
+   □ File uploads: validate type, size, content (not just extension)
+   □ Search/filter inputs: debounced + length-limited
+
+4. 🔴 NETWORK SECURITY
+   □ All API calls over HTTPS (never HTTP)
+   □ Certificate pinning for sensitive endpoints (banking, health)
+   □ API responses validated (don't trust server blindly)
+   □ Timeout on all network requests (prevent hanging)
+   □ No sensitive data in URL query parameters (use POST body)
+
+5. 🟠 DATA PROTECTION
+   □ PII (name, email, phone, location) never in logs
+   □ PII never in analytics events without anonymization
+   □ Crash reports don't contain user data
+   □ Cache/temp files cleared on logout
+   □ Clipboard cleared after paste of sensitive data
+
+6. 🟠 AUTHENTICATION FLOW
+   □ Login: rate-limited (prevent brute force)
+   □ 401 response → auto-refresh token OR logout
+   □ Session timeout after inactivity
+   □ Biometric auth: use system APIs (Face ID / fingerprint)
+   □ OAuth: validate redirect URI, use PKCE
+
+7. 🟡 PLATFORM-SPECIFIC
+   iOS:
+   □ App Transport Security (ATS) enabled
+   □ Keychain access groups configured correctly
+   □ Privacy manifest (PrivacyInfo.xcprivacy) for required APIs
+   □ NSCameraUsageDescription / NSLocationUsageDescription set
+
+   Android:
+   □ android:usesCleartextTraffic="false" in manifest
+   □ ProGuard/R8 rules for obfuscation in release
+   □ Exported activities/receivers properly restricted
+   □ Backup rules exclude sensitive data (android:allowBackup)
+```
+
+### Security Non-Negotiables (NEVER bypass)
+
+```
+⛔ ABSOLUTE RULES — no exceptions, no workarounds:
+
+1. NEVER store tokens in plain storage
+   AsyncStorage / SharedPreferences / UserDefaults = ❌ CRITICAL
+   SecureStore / Keychain / EncryptedSharedPreferences = ✅ ONLY
+
+2. NEVER hardcode secrets
+   const API_KEY = "sk-..." = ❌ CRITICAL
+   process.env.API_KEY / Config.API_KEY = ✅ ONLY
+
+3. NEVER log sensitive data
+   console.log(user.password) = ❌ CRITICAL
+   console.log("Login attempt for user:", user.id) = ✅ OK (ID only)
+
+4. NEVER trust deep links
+   navigation.navigate(params.screen) = ❌ CRITICAL (arbitrary navigation)
+   if (ALLOWED_SCREENS.includes(params.screen)) navigate(params.screen) = ✅
+
+5. NEVER disable SSL verification
+   rejectUnauthorized: false = ❌ CRITICAL
+   Proper certificate handling = ✅ ONLY
+
+6. NEVER commit .env files
+   .env in git = ❌ CRITICAL
+   .env in .gitignore + .env.example committed = ✅
+```
+
+### When User Asks to "Skip Security" or "Do It Quick"
+
+```
+✅ Response: "I'll implement it correctly AND quickly. Security doesn't slow down development — it prevents emergency patches later."
+
+⛔ NEVER skip security checks because:
+  - "It's just a prototype" → Prototypes become production
+  - "We'll fix it later" → Technical debt compounds
+  - "It's internal only" → Internal apps get attacked too
+  - "Just hardcode it for now" → Secrets leak to git history permanently
+```
+
+---
+
 ## Hard Bans
 
 **❌ These will CRASH, LEAK, or get REJECTED from app stores:**
@@ -1035,9 +1365,14 @@ skill-mobile-mt/
 ├── ios/ios-native.md                 ← iOS Swift MVVM + Clean Architecture
 ├── android/android-native.md         ← Android Kotlin + Clean Architecture
 └── shared/
+    │
+    ├── ── CORE (always load) ────────────────────────────────
     ├── code-review.md                ← 🔴 Senior review checklist
     ├── bug-detection.md              ← 🔴 Auto bug scanner
-    ├── prompt-engineering.md         ← 🟡 Auto-think templates
+    ├── prompt-engineering.md         ← 🔴 Auto-think templates
+    │
+    ├── ── ON-DEMAND (load by task) ──────────────────────────
+    ├── architecture-intelligence.md  ← 🟡 Patterns from 30+ production repos
     ├── release-checklist.md          ← 🟡 Before shipping to app store
     ├── common-pitfalls.md            ← 🟡 Problem → Symptoms → Solution
     ├── error-recovery.md             ← 🟡 Fix build/runtime errors
@@ -1046,5 +1381,7 @@ skill-mobile-mt/
     ├── performance-prediction.md     ← 🟡 Predict FPS/memory BEFORE shipping
     ├── platform-excellence.md        ← 🟡 iOS 18+ vs Android 15+ guidelines
     ├── version-management.md         ← 🟡 SDK compatibility matrix
-    └── observability.md              ← 🟡 Sessions as 4th pillar
+    ├── observability.md              ← 🟡 Sessions as 4th pillar
+    │
+    └── offline-first.md              ← 🟢 Local-first + sync patterns
 ```

package/android/android-native.md

@@ -192,6 +192,54 @@ dependencies {
 }
 ```
 
+## Compose Performance Optimization
+
+```kotlin
+// @Stable / @Immutable — tell Compose when to skip recomposition
+// Use when your class isn't a data class but values never change
+@Stable
+class UserState(val id: String, val name: String)
+
+@Immutable
+data class ProductUiModel(val id: String, val price: Double)
+
+// derivedStateOf — compute derived state only when inputs change
+// Prevents recomposition on every scroll position change
+val showFab by remember {
+    derivedStateOf { listState.firstVisibleItemIndex > 0 }
+}
+
+// key() in LazyColumn — stable identity prevents full recomposition
+LazyColumn {
+    items(products, key = { it.id }) { product ->
+        ProductCard(product)  // Only recomposes if THIS product changes
+    }
+}
+
+// Stateless components — pass data + callbacks, not ViewModel
+@Composable
+fun ProductCard(
+    product: Product,       // data only
+    onClick: () -> Unit,    // callback only
+) { /* no ViewModel here */ }
+```
+
+## Baseline Profiles (Startup Optimization)
+
+```kotlin
+// app/src/main/baseline-prof.txt (generated by Macrobenchmark)
+// Speeds up cold start 20-30% by AOT-compiling hot code paths
+
+// build.gradle.kts
+dependencies {
+    implementation("androidx.profileinstaller:profileinstaller:1.3.1")
+}
+
+// Generate with Macrobenchmark:
+// ./gradlew :app:generateBaselineProfile
+// Commit the generated baseline-prof.txt
+```
+
 ## Common Pitfalls
 
 | Pitfall | Fix |
@@ -201,6 +249,8 @@ dependencies {
 | Context leak | `@ApplicationContext`, never Activity |
 | Missing ProGuard | Test release builds |
 | Main thread blocking | `Dispatchers.IO` |
+| Unstable lambdas in Compose | `remember { {} }` or move to ViewModel |
+| List without keys | `items(list, key = { it.id })` |
 
 ---