npm - @codemieai/code - Versions diffs - 0.0.33 → 0.0.34 - Mend

@codemieai/code 0.0.33 → 0.0.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (180) hide show

package/dist/agents/plugins/claude/plugin/claude-templates/templates/guides/security/security-practices.md.template CHANGED Viewed

@@ -1,170 +1,295 @@
+---
 # Security Practices
-## Quick Summary
+<!--
+GENERATION INSTRUCTIONS:
+1. Find auth middleware/guards and extract flow
+2. Scan for role/permission checks and document model
+3. Locate validation schemas at API boundaries
+4. Check for security middleware (helmet, cors, rate-limit)
+5. Find secrets loading pattern (env, vault, etc.)
+6. Identify security-sensitive operations and their protections
+7. Output: 150-300 lines max
+-->
+**Project**: [Extract from config]
+**Auth Method**: [Detect: JWT | Session | OAuth2 | API Key | None]
+**Auth Library**: [Detect: passport, jose, next-auth, etc.]
-Security patterns for [PROJECT_NAME]: authentication, authorization, input validation, and secrets management.
+---
-**Category**: Security
-**Complexity**: High
-**Prerequisites**: OWASP Top 10, [AUTH_METHOD]
+## Authentication Flow
----
+<!-- Extract actual auth implementation -->
-## 🚨 SIZE LIMIT WARNING
+### How Auth Works
-**This generated guide MUST be 200-400 lines maximum.**
+```
+[Request] → [Auth Middleware] → [Token/Session Validation] → [User Context]
+                  │
+                  ▼ (on failure)
+             401 Unauthorized
+```
-**When filling this template**:
-- ✅ Code examples: 5-15 lines (NEVER > 20)
-- ✅ ONE example per pattern
-- ✅ Use file:line references, not full code
-- ✅ Use tables for multiple patterns
-- ❌ NO multiple examples for same pattern
-- ❌ NO verbose explanations
-- ❌ NO copying entire functions
+### Implementation
-**Validate line count after generation**: `wc -l [this-file]`
-**If > 400 lines**: Condense immediately before continuing!
+```[lang]
+// Source: [file:lines]
+[Extract auth middleware/guard usage]
+```
----
+### Token/Session Details
-## Authentication
+| Aspect | Value |
+|--------|-------|
+| Type | `[JWT / Session / API Key]` |
+| Storage | `[Header: Bearer / Cookie / Query]` |
+| Expiration | `[duration or config location]` |
+| Refresh | `[mechanism if exists]` |
-### Pattern
+### Protect a Route
-```[language]
-# Source: [file:lines]
-[auth_pattern]
+```[lang]
+// Apply auth to new endpoints like this:
+[Extract exact syntax for protecting routes]
 ```
-**Method**: [JWT / OAuth2 / API Key / Session]
-**Token Storage**: [Where tokens are stored]
-**Expiration**: [Token lifetime]
 ---
 ## Authorization
-### Pattern
+<!-- Find permission/role checking patterns -->
-```[language]
-# Source: [file:lines]
-[authz_pattern]
+### Permission Model
+**Type**: [RBAC | ABAC | Simple roles | Custom]
+| Role/Permission | Access Level | Defined In |
+|-----------------|--------------|------------|
+| `[role/permission]` | [What it allows] | `[file:line]` |
+| `[role/permission]` | [What it allows] | `[file:line]` |
+### Enforce Permissions
+```[lang]
+// Source: [file:lines]
+[Extract authorization check pattern]
 ```
-**Roles**: [List roles and permissions]
+### Check User Permissions
+```[lang]
+// How to check permissions in code:
+[Extract permission checking syntax]
+```
 ---
 ## Input Validation
-### Pattern
+<!-- Find validation at API boundaries -->
+### Validation Layer
-```[language]
-# Source: [file:lines]
-[validation_pattern]
+**Library**: `[Zod / Joi / class-validator / Pydantic / etc.]`
+**Applied At**: `[Middleware / Decorator / Controller]`
+```[lang]
+// Source: [file:lines]
+[Extract validation schema example]
+```
+### Sanitization
+```[lang]
+// Source: [file:lines] - if explicit sanitization exists
+[Extract sanitization pattern or note "handled by validation library"]
 ```
-**Rules**:
-- ✅ Validate all input at boundaries
-- ✅ Use validation library/framework
-- ✅ Whitelist (not blacklist)
-- ❌ Trust user input
+### Rules
+- ✅ Validate at `[detected boundary - controller/middleware]`
+- ✅ Use schemas from `[validation path]`
+- ❌ Never trust: query params, body, headers, path params
 ---
 ## Secrets Management
-### Environment Variables
+<!-- Find how secrets are loaded and used -->
+### Loading Pattern
+```[lang]
+// Source: [file:lines]
+[Extract secrets/config loading]
+```
+### Secret Variables
+| Variable | Purpose | Required |
+|----------|---------|----------|
+| `[SECRET_KEY/JWT_SECRET]` | [Token signing] | Yes |
+| `[DATABASE_URL]` | [DB connection] | Yes |
+| `[API_KEY_*]` | [External services] | Varies |
+### Access Secrets
-```bash
-# NEVER commit these
-[SECRET_KEY]=[use env var]
-[API_KEY]=[use secrets manager in prod]
-[DB_PASSWORD]=[use secrets manager in prod]
+```[lang]
+// Always access secrets via:
+[Extract config/env access pattern - never hardcode]
 ```
-**Rules**:
-- ✅ Environment variables for dev
-- ✅ Secrets manager for production
-- ✅ Rotate regularly
-- ❌ Hardcode in code
-- ❌ Commit to git
-- ❌ Log secrets
+### Rules
+- ✅ Load from `[env / secrets manager / vault]`
+- ✅ Access via `[config module pattern]`
+- ❌ Hardcode in source code
+- ❌ Commit `.env` files
+- ❌ Log secret values
 ---
-## SQL Injection Prevention
+## Security Middleware
+<!-- Find security-related middleware/headers -->
-```[language]
-# Good: Parameterized
-[good_sql_example]
+### Configured Protections
-# Bad: String interpolation
-[bad_sql_example]
+| Protection | Implementation | Source |
+|------------|----------------|--------|
+| Security Headers | `[helmet / manual / framework]` | `[file:line]` |
+| CORS | `[cors config location]` | `[file:line]` |
+| Rate Limiting | `[rate-limit implementation]` | `[file:line]` |
+| CSRF | `[csrf protection or N/A]` | `[file:line]` |
+### Headers Set
+```[lang]
+// Source: [file:lines]
+[Extract security headers configuration]
+```
+### CORS Configuration
+```[lang]
+// Source: [file:lines]
+[Extract CORS config - allowed origins, methods]
+```
+### Rate Limiting
+```[lang]
+// Source: [file:lines]
+[Extract rate limit configuration]
 ```
-**Rule**: ALWAYS use parameterized queries
+**Limits**: `[X requests per Y time window]`
+---
+## SQL Injection Prevention
+<!-- Verify ORM/query builder or parameterized queries -->
+**Protection**: `[ORM: name | Query Builder: name | Parameterized queries]`
+```[lang]
+// ✅ Safe - Source: [file:lines]
+[Extract parameterized query example]
+// ❌ NEVER - vulnerable to injection
+[Show anti-pattern if found, or generic example]
+```
 ---
 ## XSS Prevention
-```[language]
-# Source: [file:lines]
-[xss_prevention]
+<!-- Find output encoding/escaping -->
+**Protection**: `[Framework auto-escaping | Manual escaping | CSP]`
+```[lang]
+// Source: [file:lines]
+[Extract output escaping or template rendering pattern]
 ```
-**Rules**:
-- ✅ Escape output
-- ✅ Use framework defaults
-- ✅ Content Security Policy headers
-- ❌ Trust user content
+**Content Security Policy**: `[Configured / Not configured]`
 ---
-## Security Headers
+## File Upload Security
-```[language]
-# Source: [file:lines]
-[security_headers]
+<!-- If file uploads exist, document protections -->
+```[lang]
+// Source: [file:lines]
+[Extract file upload validation - type, size, name sanitization]
 ```
-**Required Headers**:
-- `[Header1]`: `[Value]`
-- `[Header2]`: `[Value]`
+| Protection | Implementation |
+|------------|----------------|
+| File type validation | `[how enforced]` |
+| Size limit | `[max size]` |
+| Storage location | `[path - outside webroot?]` |
+| Filename sanitization | `[yes/no, how]` |
 ---
-## HTTPS/TLS
+## Audit Logging
+<!-- Find security event logging -->
+**Logged Events**:
-**Rules**:
-- ✅ HTTPS everywhere in production
-- ✅ Valid TLS certificates
-- ✅ Minimum TLS 1.2+
-- ❌ Plain HTTP for sensitive data
+| Event | Log Level | Source |
+|-------|-----------|--------|
+| Login success/failure | `[level]` | `[file:line]` |
+| Permission denied | `[level]` | `[file:line]` |
+| Password change | `[level]` | `[file:line]` |
+| Sensitive data access | `[level]` | `[file:line]` |
+```[lang]
+// Source: [file:lines]
+[Extract audit log example]
+```
 ---
-## Security Checklist
+## Dependency Security
-- [ ] Authentication on protected endpoints
-- [ ] Authorization checks enforced
-- [ ] All input validated
-- [ ] SQL queries parameterized
-- [ ] Secrets in env vars (not code)
-- [ ] HTTPS in production
-- [ ] Security headers configured
-- [ ] Sensitive data encrypted
-- [ ] Error messages don't leak info
-- [ ] Logging excludes secrets/PII
+<!-- Find vulnerability scanning setup -->
+| Tool | Command | Frequency |
+|------|---------|-----------|
+| `[npm audit / safety / snyk / dependabot]` | `[command]` | `[CI / manual]` |
 ---
-## References
+## Security Anti-Patterns
+<!-- Extract from code review or detected issues -->
-- **Auth Implementation**: `[path/to/auth]`
-- **Validation**: `[path/to/validation]`
-- **OWASP Top 10**: https://owasp.org/www-project-top-ten/
+| ❌ NEVER | ✅ INSTEAD | Risk |
+|----------|-----------|------|
+| `[detected or common anti-pattern]` | `[correct pattern]` | [Risk type] |
+| `[detected or common anti-pattern]` | `[correct pattern]` | [Risk type] |
+| `[detected or common anti-pattern]` | `[correct pattern]` | [Risk type] |
+| Log user passwords/tokens | Log user ID only | Data exposure |
+| Return stack traces to client | Generic error messages | Info leakage |
 ---
+## Quick Reference
+| Security Need | Location | Pattern |
+|---------------|----------|---------|
+| Auth middleware | `[path]` | `[usage syntax]` |
+| Permission check | `[path]` | `[usage syntax]` |
+| Input validation | `[path]` | `[usage syntax]` |
+| Secrets config | `[path]` | `[access pattern]` |
+| Security headers | `[path]` | - |
+| Audit logging | `[path]` | `[log function]` |
+---

package/dist/agents/plugins/claude/plugin/claude-templates/templates/guides/standards/code-quality.md.template CHANGED Viewed

@@ -1,150 +1,186 @@
+---
 # Code Quality Standards
-## Quick Summary
+<!--
+GENERATION INSTRUCTIONS:
+1. Parse linter config for active rules
+2. Extract formatter settings
+3. Scan codebase for consistent patterns
+4. Identify type checking strictness level
+5. Find pre-commit/CI quality gates
+6. Extract actual good/bad examples from codebase
+7. Output: 150-250 lines max
+-->
+**Project**: [Extract from config]
+**Linter**: [Detect tool + config file]
+**Formatter**: [Detect tool + config file]
+**Type Checker**: [Detect tool + config file or N/A]
+---
+## Quality Commands
+<!-- Extract exact commands from package.json, Makefile, pyproject.toml -->
-Code quality standards for [PROJECT_NAME]: linting, formatting, type safety, and naming conventions.
+| Action | Command | Description |
+|--------|---------|-------------|
+| Check all | `[combined command if exists]` | Run all quality checks |
+| Lint | `[lint command]` | Check code issues |
+| Lint fix | `[lint fix command]` | Auto-fix issues |
+| Format | `[format command]` | Format code |
+| Type check | `[type check command or N/A]` | Verify types |
-**Category**: Standards
-**Complexity**: Simple
-**Prerequisites**: [LANGUAGE], [LINTER], [FORMATTER]
+**Before committing, run**: `[primary quality command]`
 ---
-## 🚨 SIZE LIMIT WARNING
+## Enforced Rules
-**This generated guide MUST be 200-400 lines maximum.**
+<!-- Extract key rules from linter/formatter config -->
-**When filling this template**:
-- ✅ Code examples: 5-15 lines (NEVER > 20)
-- ✅ ONE example per pattern
-- ✅ Use file:line references, not full code
-- ✅ Use tables for multiple patterns
-- ❌ NO multiple examples for same pattern
-- ❌ NO verbose explanations
-- ❌ NO copying entire functions
+### From Linter (`[config file]`)
-**Validate line count after generation**: `wc -l [this-file]`
-**If > 400 lines**: Condense immediately before continuing!
+| Rule | Setting | Rationale |
+|------|---------|-----------|
+| `[rule-name]` | `[error/warn/value]` | [Brief why] |
+| `[rule-name]` | `[error/warn/value]` | [Brief why] |
+| `[rule-name]` | `[error/warn/value]` | [Brief why] |
+| `[rule-name]` | `[error/warn/value]` | [Brief why] |
+### From Formatter (`[config file]`)
+| Setting | Value |
+|---------|-------|
+| Line length | `[value]` |
+| Indentation | `[tabs/spaces, size]` |
+| Quotes | `[single/double]` |
+| Trailing comma | `[yes/no/es5]` |
+| Semicolons | `[yes/no]` |
 ---
-## Tools
+## Naming Standards
+<!-- Extract from linter rules + analyze codebase patterns -->
-| Tool | Purpose | Config |
-|------|---------|--------|
-| [Linter] | Code quality | `[config_file]` |
-| [Formatter] | Formatting | `[config_file]` |
-| [Type Checker] | Type checking | `[config_file]` |
+| Element | Rule | ✅ Correct | ❌ Wrong |
+|---------|------|-----------|----------|
+| Variables | `[camelCase/snake_case]` | `userName` | `user_name` / `UserName` |
+| Functions | `[camelCase/snake_case]` | `getUserById` | `GetUserById` |
+| Classes | `[PascalCase]` | `UserService` | `userService` |
+| Constants | `[UPPER_SNAKE]` | `MAX_RETRIES` | `maxRetries` |
+| Files | `[kebab/snake/pascal]` | `[actual example]` | `[counter example]` |
+| Boolean vars | `[is/has/should prefix]` | `isActive` | `active` |
 ---
-## Commands
+## Type Safety
-```bash
-# Lint (check)
-[lint_check]
+<!-- Detect type checking level and requirements -->
-# Lint (fix)
-[lint_fix]
+**Strictness**: `[strict / moderate / basic / none]`
+**Config**: `[tsconfig.json / mypy.ini / pyproject.toml section]`
-# Format
-[format]
+### Required Typing
-# Type check
-[type_check]
-```
+```[lang]
+// ✅ Correct - Source: [file:lines]
+[Extract well-typed function example]
----
+// ❌ Missing types - would fail type check
+[Show same function without types]
+```
-## Naming Conventions
+### Type Rules
-| Element | Convention | Example |
-|---------|------------|---------|
-| Variables | [convention] | `[example]` |
-| Functions | [convention] | `[example]` |
-| Classes | [convention] | `[Example]` |
-| Constants | [convention] | `[EXAMPLE]` |
-| Files | [convention] | `[example]` |
+| Rule | Required |
+|------|----------|
+| Function parameters | ✅ Always |
+| Function returns | ✅ Always |
+| Variables | `[inferred OK / explicit required]` |
+| `any` / `unknown` | `[forbidden / discouraged / allowed]` |
 ---
-## Type Annotations
+## Code Complexity Limits
-```[language]
-# Source: [file:lines]
-[type_example]
-```
+<!-- Extract from linter config or establish from codebase patterns -->
-**Required**:
-- ✅ All function parameters
-- ✅ All function returns
-- ✅ Public APIs
+| Metric | Limit | Enforced By |
+|--------|-------|-------------|
+| Function length | `[max lines]` | `[rule name or convention]` |
+| File length | `[max lines]` | `[rule name or convention]` |
+| Cyclomatic complexity | `[max value]` | `[rule name or N/A]` |
+| Nesting depth | `[max levels]` | `[rule name or convention]` |
+| Parameters per function | `[max count]` | `[rule name or convention]` |
----
+### Reduce Complexity
-## Imports
+```[lang]
+// ❌ Too complex
+[Extract or create example of deep nesting/long function]
-```[language]
-# Order
-[import_example]
+// ✅ Refactored
+[Show extracted/simplified version]
 ```
-**Order**: Standard library → Third-party → Local
-**Rules**: One per line, sorted, no wildcards
 ---
-## Code Structure
+## Import Organization
-**Guidelines**:
-- Functions < [X] lines
-- Files < [Y] lines
-- One responsibility per function
-- Limit parameters < [Z]
+<!-- Extract from linter rules (import-order, isort, etc.) -->
----
+```[lang]
+// Source: [well-organized file:lines]
-## Comments
+// Group 1: [Built-in/Standard library]
+[imports]
-```[language]
-# Source: [file:lines]
-[docstring_example]
+// Group 2: [External/Third-party packages]
+[imports]
+// Group 3: [Internal/Local modules]
+[imports]
 ```
-**When to Comment**:
-- ✅ Public APIs
-- ✅ Complex algorithms
-- ✅ Non-obvious decisions
-- ❌ Self-explanatory code
+**Rules**:
+- ✅ Sorted alphabetically within groups
+- ✅ One import per line (or `[grouped style if used]`)
+- ❌ Wildcard imports (`import *`)
+- ❌ Unused imports
 ---
-## Pre-Commit Hooks
+## Documentation Standards
-```bash
-# Install
-[install_hooks]
-```
+<!-- Extract from docstring linter rules or conventions -->
-**Checks**: Linting, formatting, type checking
+### Required Documentation
----
+| Element | Required | Format |
+|---------|----------|--------|
+| Public functions | ✅ | `[JSDoc / docstring / etc.]` |
+| Public classes | ✅ | `[format]` |
+| Complex logic | ✅ | Inline comments |
+| Private/internal | Optional | - |
-## Best Practices
+### Format
-| ✅ DO | ❌ DON'T |
-|-------|----------|
-| Descriptive names | Single letters (except i, j, k in loops) |
-| Keep functions small | 100+ line functions |
-| Use type hints | Skip types |
-| Follow conventions | Mix styles |
-| Early returns | Deep nesting |
+```[lang]
+// Source: [file:lines]
+[Extract canonical documentation example]
+```
 ---
-## References
+## Common Violations & Fixes
-- **Config**: `[config_files]`
-- **Linter Docs**: [Link]
+<!-- Extract from common linter errors in codebase or CI logs -->
----
+| Violation | Fix |
+|-----------|-----|
+| `[linter-error-code]`: [description] | [How to fix] |
+| `[linter-error-code]`: [description] | [How to fix] |
+| `[linter-error-code]`: [description] | [How to fix] |
+|