@dedesfr/prompter 0.8.0 → 0.8.1

package/skills/code-review/references/universal-patterns.md

@@ -0,0 +1,495 @@
+````markdown
+# Universal Code Review Detection Patterns
+
+Cross-language patterns for identifying common issues. Organized by category with language-specific examples.
+
+---
+
+## Security Issues
+
+### Injection Flaws
+
+**SQL Injection:**
+```python
+# ❌ Bad: String concatenation in query
+cursor.execute("SELECT * FROM users WHERE id = " + user_id)
+
+# ✅ Good: Parameterized query
+cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
+```
+
+```javascript
+// ❌ Bad: Template literal in query
+db.query(`SELECT * FROM users WHERE id = ${userId}`);
+
+// ✅ Good: Parameterized query
+db.query("SELECT * FROM users WHERE id = $1", [userId]);
+```
+
+```go
+// ❌ Bad: String formatting in query
+db.Query(fmt.Sprintf("SELECT * FROM users WHERE id = %s", id))
+
+// ✅ Good: Parameterized query
+db.Query("SELECT * FROM users WHERE id = $1", id)
+```
+
+**Command Injection:**
+```python
+# ❌ Bad: User input in shell command
+os.system("ls " + user_input)
+subprocess.run(f"grep {pattern} file.txt", shell=True)
+
+# ✅ Good: Use list form, avoid shell=True
+subprocess.run(["grep", pattern, "file.txt"])
+```
+
+```javascript
+// ❌ Bad: User input in exec
+const { exec } = require("child_process");
+exec("ls " + userInput);
+
+// ✅ Good: Use execFile with arguments
+const { execFile } = require("child_process");
+execFile("ls", [userInput]);
+```
+
+### Hardcoded Secrets
+
+```python
+# ❌ Bad: Hardcoded credentials
+API_KEY = "sk-1234567890abcdef"
+db_password = "supersecret123"
+```
+
+```javascript
+// ❌ Bad: Secrets in source code
+const stripe = require("stripe")("sk_live_xxx");
+```
+
+```go
+// ❌ Bad: Embedded credentials
+const apiKey = "AIzaSy..."
+```
+
+**Detection patterns (all languages):**
+- Strings matching: `password`, `secret`, `api_key`, `token`, `credential`
+- Base64-encoded strings assigned to auth variables
+- Connection strings with embedded passwords
+- Private keys or certificates in source
+
+**✅ Good: Use environment variables or secret managers**
+
+### XSS (Cross-Site Scripting)
+
+```javascript
+// ❌ Bad: innerHTML with user data
+element.innerHTML = userInput;
+
+// ✅ Good: Use textContent or sanitize
+element.textContent = userInput;
+```
+
+```python
+# ❌ Bad: Jinja2 with |safe on user input
+{{ user_comment|safe }}
+
+# ✅ Good: Auto-escaped (default)
+{{ user_comment }}
+```
+
+### Mass Assignment / Over-posting
+
+```python
+# ❌ Bad: Using all request data to create object
+user = User(**request.data)
+
+# ✅ Good: Whitelist fields
+user = User(name=data["name"], email=data["email"])
+```
+
+```javascript
+// ❌ Bad: Spreading request body into model
+const user = await User.create(req.body);
+
+// ✅ Good: Pick specific fields
+const { name, email } = req.body;
+const user = await User.create({ name, email });
+```
+
+```csharp
+// ❌ Bad: Binding all properties
+public IActionResult Create([FromBody] User user)
+
+// ✅ Good: Use DTO or [Bind] attribute
+public IActionResult Create([Bind("Name,Email")] User user)
+```
+
+---
+
+## Performance Anti-patterns
+
+### N+1 Query Problem
+
+```python
+# ❌ Bad: N+1 in Django
+posts = Post.objects.all()
+for post in posts:
+    print(post.author.name)  # Query per post!
+
+# ✅ Good: select_related / prefetch_related
+posts = Post.objects.select_related("author").all()
+```
+
+```ruby
+# ❌ Bad: N+1 in Rails
+@posts = Post.all
+@posts.each { |p| p.author.name }  # N+1!
+
+# ✅ Good: Eager loading
+@posts = Post.includes(:author).all
+```
+
+```javascript
+// ❌ Bad: N+1 in Sequelize
+const posts = await Post.findAll();
+for (const post of posts) {
+  const author = await post.getAuthor(); // N+1!
+}
+
+// ✅ Good: Include association
+const posts = await Post.findAll({ include: "author" });
+```
+
+```go
+// ❌ Bad: N+1 in GORM
+var posts []Post
+db.Find(&posts)
+for _, post := range posts {
+    db.First(&post.Author, post.AuthorID) // N+1!
+}
+
+// ✅ Good: Preload
+db.Preload("Author").Find(&posts)
+```
+
+### Blocking Operations in Async Context
+
+```javascript
+// ❌ Bad: Synchronous file read in async server
+const data = fs.readFileSync("/large/file.json");
+
+// ✅ Good: Async version
+const data = await fs.promises.readFile("/large/file.json");
+```
+
+```python
+# ❌ Bad: Blocking call in async function
+async def handler():
+    data = requests.get(url)  # Blocks event loop!
+
+# ✅ Good: Use async HTTP client
+async def handler():
+    async with aiohttp.ClientSession() as session:
+        data = await session.get(url)
+```
+
+### Inefficient Algorithms
+
+```python
+# ❌ Bad: O(n²) lookup
+for item in items:
+    if item in large_list:  # O(n) per check
+        process(item)
+
+# ✅ Good: O(n) with set
+large_set = set(large_list)
+for item in items:
+    if item in large_set:  # O(1) per check
+        process(item)
+```
+
+```javascript
+// ❌ Bad: Repeated array.includes in loop (O(n²))
+items.forEach((item) => {
+  if (largeArray.includes(item)) process(item);
+});
+
+// ✅ Good: Use Set (O(n))
+const largeSet = new Set(largeArray);
+items.forEach((item) => {
+  if (largeSet.has(item)) process(item);
+});
+```
+
+### Missing Pagination
+
+```python
+# ❌ Bad: Loading all records
+users = User.objects.all()
+
+# ✅ Good: Paginate
+users = User.objects.all()[:25]  # or use Paginator
+```
+
+```javascript
+// ❌ Bad: No limit
+const users = await db.query("SELECT * FROM users");
+
+// ✅ Good: Paginate
+const users = await db.query("SELECT * FROM users LIMIT $1 OFFSET $2", [limit, offset]);
+```
+
+---
+
+## Error Handling
+
+### Swallowed Exceptions
+
+```python
+# ❌ Bad: Silent catch
+try:
+    process_data()
+except Exception:
+    pass
+
+# ✅ Good: Log or handle
+try:
+    process_data()
+except Exception as e:
+    logger.error("Processing failed", exc_info=e)
+    raise
+```
+
+```javascript
+// ❌ Bad: Empty catch
+try {
+  await processData();
+} catch (e) {}
+
+// ✅ Good: Handle the error
+try {
+  await processData();
+} catch (e) {
+  logger.error("Processing failed", e);
+  throw;
+}
+```
+
+```go
+// ❌ Bad: Ignoring error
+result, _ := doSomething()
+
+// ✅ Good: Handle the error
+result, err := doSomething()
+if err != nil {
+    return fmt.Errorf("doSomething failed: %w", err)
+}
+```
+
+### Overly Broad Exception Catching
+
+```python
+# ❌ Bad: Catching everything
+except Exception:
+except BaseException:
+
+# ✅ Good: Specific exceptions
+except (ValueError, KeyError) as e:
+```
+
+```java
+// ❌ Bad: Catching generic Exception
+catch (Exception e) { }
+
+// ✅ Good: Specific exception types
+catch (IOException | ParseException e) { }
+```
+
+### Missing Error Handling for I/O
+
+```python
+# ❌ Bad: No error handling for file I/O
+data = open("config.json").read()
+
+# ✅ Good: Handle potential errors
+try:
+    with open("config.json") as f:
+        data = f.read()
+except FileNotFoundError:
+    data = default_config
+```
+
+---
+
+## Architecture Issues
+
+### God Object / Fat Controller
+
+**Detection:** Class or function with >200 lines, >10 methods, or >5 dependencies.
+
+```python
+# ❌ Bad: Controller doing everything
+class UserView(APIView):
+    def post(self, request):
+        # Validates, creates user, sends email, creates token,
+        # logs event, syncs to CRM... all in one method
+
+# ✅ Good: Delegate to service layer
+class UserView(APIView):
+    def post(self, request):
+        serializer = UserSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        user = UserService.register(serializer.validated_data)
+        return Response(UserSerializer(user).data, status=201)
+```
+
+### Business Logic in Wrong Layer
+
+**Detection:** Database queries in views/templates, HTTP concerns in models/services.
+
+```javascript
+// ❌ Bad: DB query in React component
+function UserList() {
+  const users = await db.query("SELECT * FROM users"); // Wrong layer!
+}
+
+// ✅ Good: API call from component, query in backend
+function UserList() {
+  const users = await fetch("/api/users").then((r) => r.json());
+}
+```
+
+### Circular Dependencies
+
+**Detection:** Module A imports B, B imports A.
+
+```python
+# ❌ Bad: Circular import
+# file: models.py
+from .services import UserService
+
+# file: services.py
+from .models import User  # Circular!
+```
+
+**Fix:** Move shared types to a separate module, use dependency injection, or use lazy imports.
+
+---
+
+## Code Quality
+
+### Missing Type Annotations
+
+```python
+# ❌ Bad: No types
+def process(data, options):
+    return data
+
+# ✅ Good: Type hints
+def process(data: dict[str, Any], options: ProcessOptions) -> Result:
+    return Result(data)
+```
+
+```javascript
+// TypeScript: ❌ Bad - any type
+function process(data: any): any { }
+
+// ✅ Good: Specific types
+function process(data: Record<string, unknown>): Result { }
+```
+
+### Deprecated API Usage
+
+**Detection patterns:**
+- Functions/methods marked with `@deprecated` decorators
+- Import of known deprecated modules
+- Usage of APIs removed in newer language versions
+- Compiler/linter warnings about deprecation
+
+### Dead Code
+
+**Detection patterns:**
+- Functions never called (no references)
+- Unreachable code after `return`, `throw`, `break`
+- Commented-out code blocks (>5 lines)
+- Unused imports/variables
+- Feature flags always evaluating to same value
+
+### Code Duplication
+
+**Detection:**
+- Identical or near-identical blocks (>10 lines) across files
+- Repeated patterns that could be extracted into a shared utility
+- Copy-pasted logic with minor variations
+
+---
+
+## Resource Management
+
+### Resource Leaks
+
+```python
+# ❌ Bad: Unclosed file handle
+f = open("data.txt")
+data = f.read()
+# f never closed if exception occurs
+
+# ✅ Good: Context manager
+with open("data.txt") as f:
+    data = f.read()
+```
+
+```go
+// ❌ Bad: Unclosed response body
+resp, _ := http.Get(url)
+// resp.Body never closed
+
+// ✅ Good: Defer close
+resp, err := http.Get(url)
+if err != nil { return err }
+defer resp.Body.Close()
+```
+
+```java
+// ❌ Bad: Unclosed connection
+Connection conn = DriverManager.getConnection(url);
+// conn never closed
+
+// ✅ Good: Try-with-resources
+try (Connection conn = DriverManager.getConnection(url)) {
+    // use connection
+}
+```
+
+### Missing Connection Pooling
+
+**Detection:** Database or HTTP connections created per request instead of shared pool.
+
+---
+
+## Severity Classification
+
+| Severity     | Emoji | Universal Criteria                                                |
+| ------------ | ----- | ----------------------------------------------------------------- |
+| Critical     | 🔴     | Security vulnerabilities, data loss risks, crashes, auth bypasses |
+| Warning      | 🟠     | Performance issues, design flaws, error handling gaps              |
+| Optimization | 🟡     | Efficiency improvements, code duplication, missing caching         |
+| Quality      | 🔵     | Best practices, conventions, modern syntax, documentation          |
+
+## Detection Priority by Language
+
+| Language       | Top Issues to Check                                                  |
+| -------------- | -------------------------------------------------------------------- |
+| Python         | Type hints, injection, N+1 (Django/SQLAlchemy), async misuse         |
+| JavaScript/TS  | XSS, any types, blocking event loop, missing await, memory leaks     |
+| PHP            | SQL injection, XSS, mass assignment, type safety, deprecated APIs    |
+| Go             | Ignored errors, goroutine leaks, unclosed readers, race conditions   |
+| Rust           | Unsafe blocks, unwrap() abuse, clone() overhead, lifetime issues     |
+| Java           | Resource leaks, broad catches, null safety, generics misuse          |
+| Ruby           | N+1 (Rails), mass assignment, SQL injection, missing strong params   |
+| C#             | Over-posting, async void, IDisposable leaks, null reference          |
+| Swift          | Force unwrap abuse, retain cycles, main thread violations            |
+| Kotlin         | Platform types, coroutine scope leaks, null safety bypass            |
+
+````

package/skills/meeting-notes/SKILL.md

@@ -0,0 +1,159 @@
+---
+name: meeting-notes
+description: Transform raw meeting notes, transcripts, or informal notes into a structured, actionable to-do list ready for AI agent execution. Automatically extracts tasks, categorizes by priority and context, and formats output for direct copy-paste into Claude or other AI agents. Use this skill whenever a user pastes meeting notes, a transcript, a brain dump, or unstructured notes and wants tasks extracted — even if they just say "here are my meeting notes" or "can you turn this into tasks". Also triggers when users want to organize action items from a meeting, sync-up, standup, retrospective, or planning session.
+---
+
+# Meeting Notes → Structured To-Do List
+
+Convert raw, informal meeting notes into a clean, actionable task list formatted for direct execution by an AI agent. Each output task is self-contained — the agent executing it should never need to reference the original notes.
+
+## Step 1: Accept Input
+
+Accept notes in any format:
+- Pasted plain text or markdown
+- A file path (read the file)
+- A transcript with speaker labels
+- Bullet-pointed jottings or a brain dump
+
+If the user hasn't provided notes yet, ask: "Please paste your meeting notes or provide a file path."
+
+---
+
+## Step 2: Check for Project Context (If in a Repo)
+
+Before extracting tasks, check whether you're inside a project repository. This context helps align output with the project's conventions.
+
+1. Look for `CLAUDE.md` or `prompter/CLAUDE.md` — project guidelines, naming conventions, tech stack
+2. Look for `AGENTS.md` — workflow context and existing structure
+3. Check for existing task files: `TODO.md`, `tasks.md`, `.taskmaster/`, or similar
+4. Run `git log --oneline -10` to understand current work in flight
+
+Use this context to:
+- Align task titles with project conventions (e.g., `feat(auth):` prefixes, snake_case names)
+- Flag tasks that likely duplicate existing in-progress work
+- Reference specific files or modules from the repo when the notes mention them
+
+If no repo context is found, proceed with general formatting.
+
+---
+
+## Step 3: Extract Tasks
+
+Scan the notes for everything that implies work to be done.
+
+**Extract these:**
+- Explicit action items: "we need to…", "John will…", "TODO:", "action item:"
+- Decisions requiring implementation: "we decided to X — someone needs to build it"
+- Open questions needing resolution: "TBD", "to figure out", "need to check"
+- Implicit commitments: "before the release", "I'll handle it", "by next week"
+
+**Skip these:**
+- Background context with no next step
+- Already-completed work: "we shipped X last week"
+- Opinions with no concrete follow-through
+
+For each task, capture:
+- **Title** — short imperative verb phrase: "Set up CI pipeline for mobile builds"
+- **Description** — what needs to happen, with enough context for execution without the notes
+- **Owner** — who's responsible (leave blank if not mentioned)
+- **Priority** — see Priority Guide below
+- **Category** — see Categories below
+- **Due date** — only if explicitly mentioned
+
+### Priority Guide
+
+| Priority | Signals |
+|----------|---------|
+| **High** | "blocker", "urgent", "ASAP", "before launch", "critical", deadline within ~1 week |
+| **Medium** | "should", "this sprint", "next week", general items with no urgency signal |
+| **Low** | "nice to have", "eventually", "backlog", "when we get to it", open questions with no deadline |
+
+### Categories
+
+Choose the best fit:
+- **Development** — coding, implementation, bug fixes
+- **Design** — UI/UX, wireframes, visual assets
+- **Research** — investigation, spikes, discovery
+- **DevOps/Infra** — CI/CD, deployments, infrastructure
+- **Product** — requirements, roadmap, stakeholder decisions
+- **Testing/QA** — test writing, QA passes, review
+- **Documentation** — docs, READMEs, guides
+- **Communication** — follow-up emails, meetings to schedule
+- **Admin/Other** — anything else
+
+---
+
+## Step 4: Format Output
+
+Produce two blocks.
+
+### Block 1: Summary Table
+
+A markdown table for quick scanning:
+
+```
+| # | Task | Owner | Priority | Category | Due |
+|---|------|-------|----------|----------|-----|
+| 1 | Set up CI pipeline for mobile builds | @alice | High | DevOps/Infra | Mar 22 |
+| 2 | ... |
+```
+
+### Block 2: AI-Agent-Ready Task List
+
+Each task as a standalone, copy-pasteable prompt block. The goal is that someone can paste any single block directly into an AI agent and it will know exactly what to do — no additional context needed.
+
+Use this template for each task:
+
+---
+
+**TASK [N] · [Priority] · [Category]**
+**[Title]**
+
+> **Context:** [1–2 sentences explaining why this task exists and what decision or discussion led to it]
+
+**What to do:**
+- [Concrete imperative step 1]
+- [Concrete imperative step 2]
+- [Add more as needed]
+
+**Assignee:** [owner or "Unassigned"]
+**Due:** [date or "Not specified"]
+
+---
+
+**Writing good task blocks — the key principles:**
+- The title is an imperative verb phrase, not a noun phrase ("Fix the auth bug" not "Auth bug fix")
+- The Context block carries the *why*, so the agent understands the goal, not just the mechanics
+- "What to do" steps are concrete and specific — name files, tools, systems, and outputs by name when the notes mention them
+- Self-contained means: no pronouns without antecedents, no references to "the meeting", no unexplained abbreviations
+
+---
+
+## Step 5: Validate Against Project Context (If Applicable)
+
+If you gathered project context in Step 2, do a final pass before printing output:
+
+1. **Naming alignment** — rewrite task titles to match project conventions
+2. **Duplicate detection** — if a task matches something in git history or existing task files, flag it: `⚠️ Possible duplicate: [reference]`
+3. **File/module references** — replace vague references ("the auth module") with actual repo paths when you can identify them
+4. **Missing context** — if a task needs project knowledge not present in the notes, flag it: `ℹ️ Context needed: [what's unclear]`
+
+---
+
+## Step 6: Present and Offer to Save
+
+1. Print the Summary Table
+2. Print the AI-Agent-Ready Task List
+3. Offer to save to a file (default: `meeting-tasks-YYYY-MM-DD.md`)
+
+If the user wants changes — reordering, reprioritization, a missing task, merging two tasks — iterate quickly.
+
+---
+
+## Edge Cases
+
+- **No clear tasks found** — Tell the user and ask whether to extract implicit decisions or discussion points that might need follow-up
+- **Very long meeting (many items)** — Ask if they want to filter by owner, topic, or priority tier
+- **Ambiguous owner** — Write "Unassigned"; never guess
+- **Conflicting priority signals** — Use the most urgent signal
+- **Non-English notes** — Process and output in the same language

package/skills/meeting-notes/evals/evals.json

@@ -0,0 +1,23 @@
+{
+  "skill_name": "meeting-notes-to-todo",
+  "evals": [
+    {
+      "id": 1,
+      "prompt": "hey can you turn these into a task list?\n\n---\nProduct sync – March 18 2026\nAttendees: Sarah (PM), Dev (backend), Mia (design), Tom (QA)\n\nWe talked about the upcoming v2.1 release. Launch is March 28.\n\n- Sarah said the onboarding flow redesign needs to be done before we release. Mia is handling the wireframes, needs to be done by March 21 so dev can implement.\n- Dev mentioned the payment webhook is still broken on sandbox. He'll fix it this week, it's a blocker.\n- Tom hasn't started regression testing yet – needs to start by March 24 at the latest or we'll miss the launch window.\n- We need to write release notes before launch. Sarah said she'll draft them but needs input from dev on what changed technically.\n- Someone (nobody claimed it) needs to update the docs for the new API endpoints. Mia suggested we do a quick loom video too.\n- The analytics dashboard is broken in Safari – not a launch blocker but should be fixed soon. Dev will look into it after the release.\n- Sarah wants a go/no-go meeting on March 26. She'll send the invite.\n---\n\ncan you make each task ready to paste into claude so it can do the work?",
+      "expected_output": "A summary table with all 7+ tasks, each with owner, priority, and due date where specified. Followed by individual AI-agent-ready task blocks — each self-contained with context, concrete steps, assignee, and due date. High priority on the payment webhook fix and Mia's wireframes due to blockers/deadline. Go/no-go meeting invite should be a Communication task.",
+      "files": []
+    },
+    {
+      "id": 2,
+      "prompt": "here are my notes from today's backend team standup, can you extract the action items and make a proper todo list?\n\nStandup notes 3/18:\n- alice: finished auth refactor PR, waiting on review from bob. also discovered that the session token TTL logic has a bug where it doesn't handle timezone offsets correctly — filed issue #847\n- bob: reviewing alice's PR today. blocked on the redis cluster upgrade because ops team hasn't provisioned the new nodes yet. bob will ping ops (jake) about it\n- carol: working on the data export feature. the CSV generation is done, still need to wire up the S3 upload and add retry logic. estimates 2 more days\n- team decision: we're going to use structured logging (pino) across all new services starting now. carol will add it to the data export service as she finishes. alice will document the convention in the backend README\n- also need to add integration tests for the auth refactor before it can merge — bob mentioned this\n- reminder: sprint review is friday, everyone should have their items demoed or marked done",
+      "expected_output": "A clean task list covering: reviewing alice's PR (bob, high), pinging ops about redis nodes (bob, medium), finishing S3 upload + retry logic for data export (carol, medium), adding pino structured logging to data export service (carol, medium), documenting logging convention in README (alice, medium), adding integration tests for auth refactor (medium, before merge), preparing sprint review items (friday deadline). Summary table plus AI-agent-ready blocks with clear context.",
+      "files": []
+    },
+    {
+      "id": 3,
+      "prompt": "I just got out of a long planning session, my brain is fried. here are my rough notes — lots of things mixed together, some things were just discussed but a few are actual todos. can you sort it all out and give me a clean task list formatted so I can paste each task into claude to work on?\n\n=== planning session notes ===\ntalked about Q2 roadmap. main themes: retention, performance, mobile parity\n\nretention:\n- churn is at 8% which is bad. need to understand why. -> spike: analyze churn data from mixpanel, look at cohorts from jan-mar. who's churning and at what point in lifecycle?\n- idea: add email drip campaign for users who haven't logged in for 7 days. not sure if this is the right move. needs product sign-off from lisa\n- subscription cancellation page — we should add a \"pause instead of cancel\" option. this one is approved and prioritized. design + dev work needed.\n\nperformance:\n- homepage loads in 4.2s on mobile, goal is sub-2s. jake looked at it and thinks it's the hero image and 3 blocking JS scripts. -> optimize hero image (webp, lazy load) and defer non-critical JS\n- database query for user feed is N+1, has been on the backlog forever. now it's causing timeouts on accounts with >1000 connections. urgent fix needed.\n- CDN caching headers are wrong, static assets are being re-fetched every request. quick fix, someone just needs to do it\n\nmobile:\n- ios app is missing the notifications tab that android has. 3 sprints of work estimated.\n- push notifications are broken on ios 17.4+ (regression from last month). super urgent, lots of user complaints\n- android: dark mode looks bad on samsung devices specifically (OLED screens). medium priority, aesthetic issue\n\nother:\n- we never documented the data retention policy after legal asked us to. someone needs to write that doc. probably high priority given compliance.\n- offsite planning in april, need to book venue\n===",
+      "expected_output": "Should separate actual tasks from pure discussion. High-priority items: fix N+1 query, fix iOS push notification regression, write data retention policy doc. Medium: optimize homepage performance, fix CDN caching, pause-vs-cancel feature (design + dev). Low/research: churn analysis spike, email drip campaign (needs sign-off), Samsung dark mode fix. Long-horizon: iOS notifications tab (3 sprints), book offsite venue. Each task should be clearly scoped as an AI-agent-ready block with context and concrete steps.",
+      "files": []
+    }
+  ]
+}