@dedesfr/prompter 0.8.23 → 1.0.0

package/skills/code-review/references/universal-patterns.md

@@ -1,495 +0,0 @@
-````markdown
-# Universal Code Review Detection Patterns
-
-Cross-language patterns for identifying common issues. Organized by category with language-specific examples.
-
----
-
-## Security Issues
-
-### Injection Flaws
-
-**SQL Injection:**
-```python
-# ❌ Bad: String concatenation in query
-cursor.execute("SELECT * FROM users WHERE id = " + user_id)
-
-# ✅ Good: Parameterized query
-cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
-```
-
-```javascript
-// ❌ Bad: Template literal in query
-db.query(`SELECT * FROM users WHERE id = ${userId}`);
-
-// ✅ Good: Parameterized query
-db.query("SELECT * FROM users WHERE id = $1", [userId]);
-```
-
-```go
-// ❌ Bad: String formatting in query
-db.Query(fmt.Sprintf("SELECT * FROM users WHERE id = %s", id))
-
-// ✅ Good: Parameterized query
-db.Query("SELECT * FROM users WHERE id = $1", id)
-```
-
-**Command Injection:**
-```python
-# ❌ Bad: User input in shell command
-os.system("ls " + user_input)
-subprocess.run(f"grep {pattern} file.txt", shell=True)
-
-# ✅ Good: Use list form, avoid shell=True
-subprocess.run(["grep", pattern, "file.txt"])
-```
-
-```javascript
-// ❌ Bad: User input in exec
-const { exec } = require("child_process");
-exec("ls " + userInput);
-
-// ✅ Good: Use execFile with arguments
-const { execFile } = require("child_process");
-execFile("ls", [userInput]);
-```
-
-### Hardcoded Secrets
-
-```python
-# ❌ Bad: Hardcoded credentials
-API_KEY = "sk-1234567890abcdef"
-db_password = "supersecret123"
-```
-
-```javascript
-// ❌ Bad: Secrets in source code
-const stripe = require("stripe")("sk_live_xxx");
-```
-
-```go
-// ❌ Bad: Embedded credentials
-const apiKey = "AIzaSy..."
-```
-
-**Detection patterns (all languages):**
-- Strings matching: `password`, `secret`, `api_key`, `token`, `credential`
-- Base64-encoded strings assigned to auth variables
-- Connection strings with embedded passwords
-- Private keys or certificates in source
-
-**✅ Good: Use environment variables or secret managers**
-
-### XSS (Cross-Site Scripting)
-
-```javascript
-// ❌ Bad: innerHTML with user data
-element.innerHTML = userInput;
-
-// ✅ Good: Use textContent or sanitize
-element.textContent = userInput;
-```
-
-```python
-# ❌ Bad: Jinja2 with |safe on user input
-{{ user_comment|safe }}
-
-# ✅ Good: Auto-escaped (default)
-{{ user_comment }}
-```
-
-### Mass Assignment / Over-posting
-
-```python
-# ❌ Bad: Using all request data to create object
-user = User(**request.data)
-
-# ✅ Good: Whitelist fields
-user = User(name=data["name"], email=data["email"])
-```
-
-```javascript
-// ❌ Bad: Spreading request body into model
-const user = await User.create(req.body);
-
-// ✅ Good: Pick specific fields
-const { name, email } = req.body;
-const user = await User.create({ name, email });
-```
-
-```csharp
-// ❌ Bad: Binding all properties
-public IActionResult Create([FromBody] User user)
-
-// ✅ Good: Use DTO or [Bind] attribute
-public IActionResult Create([Bind("Name,Email")] User user)
-```
-
----
-
-## Performance Anti-patterns
-
-### N+1 Query Problem
-
-```python
-# ❌ Bad: N+1 in Django
-posts = Post.objects.all()
-for post in posts:
-    print(post.author.name)  # Query per post!
-
-# ✅ Good: select_related / prefetch_related
-posts = Post.objects.select_related("author").all()
-```
-
-```ruby
-# ❌ Bad: N+1 in Rails
-@posts = Post.all
-@posts.each { |p| p.author.name }  # N+1!
-
-# ✅ Good: Eager loading
-@posts = Post.includes(:author).all
-```
-
-```javascript
-// ❌ Bad: N+1 in Sequelize
-const posts = await Post.findAll();
-for (const post of posts) {
-  const author = await post.getAuthor(); // N+1!
-}
-
-// ✅ Good: Include association
-const posts = await Post.findAll({ include: "author" });
-```
-
-```go
-// ❌ Bad: N+1 in GORM
-var posts []Post
-db.Find(&posts)
-for _, post := range posts {
-    db.First(&post.Author, post.AuthorID) // N+1!
-}
-
-// ✅ Good: Preload
-db.Preload("Author").Find(&posts)
-```
-
-### Blocking Operations in Async Context
-
-```javascript
-// ❌ Bad: Synchronous file read in async server
-const data = fs.readFileSync("/large/file.json");
-
-// ✅ Good: Async version
-const data = await fs.promises.readFile("/large/file.json");
-```
-
-```python
-# ❌ Bad: Blocking call in async function
-async def handler():
-    data = requests.get(url)  # Blocks event loop!
-
-# ✅ Good: Use async HTTP client
-async def handler():
-    async with aiohttp.ClientSession() as session:
-        data = await session.get(url)
-```
-
-### Inefficient Algorithms
-
-```python
-# ❌ Bad: O(n²) lookup
-for item in items:
-    if item in large_list:  # O(n) per check
-        process(item)
-
-# ✅ Good: O(n) with set
-large_set = set(large_list)
-for item in items:
-    if item in large_set:  # O(1) per check
-        process(item)
-```
-
-```javascript
-// ❌ Bad: Repeated array.includes in loop (O(n²))
-items.forEach((item) => {
-  if (largeArray.includes(item)) process(item);
-});
-
-// ✅ Good: Use Set (O(n))
-const largeSet = new Set(largeArray);
-items.forEach((item) => {
-  if (largeSet.has(item)) process(item);
-});
-```
-
-### Missing Pagination
-
-```python
-# ❌ Bad: Loading all records
-users = User.objects.all()
-
-# ✅ Good: Paginate
-users = User.objects.all()[:25]  # or use Paginator
-```
-
-```javascript
-// ❌ Bad: No limit
-const users = await db.query("SELECT * FROM users");
-
-// ✅ Good: Paginate
-const users = await db.query("SELECT * FROM users LIMIT $1 OFFSET $2", [limit, offset]);
-```
-
----
-
-## Error Handling
-
-### Swallowed Exceptions
-
-```python
-# ❌ Bad: Silent catch
-try:
-    process_data()
-except Exception:
-    pass
-
-# ✅ Good: Log or handle
-try:
-    process_data()
-except Exception as e:
-    logger.error("Processing failed", exc_info=e)
-    raise
-```
-
-```javascript
-// ❌ Bad: Empty catch
-try {
-  await processData();
-} catch (e) {}
-
-// ✅ Good: Handle the error
-try {
-  await processData();
-} catch (e) {
-  logger.error("Processing failed", e);
-  throw;
-}
-```
-
-```go
-// ❌ Bad: Ignoring error
-result, _ := doSomething()
-
-// ✅ Good: Handle the error
-result, err := doSomething()
-if err != nil {
-    return fmt.Errorf("doSomething failed: %w", err)
-}
-```
-
-### Overly Broad Exception Catching
-
-```python
-# ❌ Bad: Catching everything
-except Exception:
-except BaseException:
-
-# ✅ Good: Specific exceptions
-except (ValueError, KeyError) as e:
-```
-
-```java
-// ❌ Bad: Catching generic Exception
-catch (Exception e) { }
-
-// ✅ Good: Specific exception types
-catch (IOException | ParseException e) { }
-```
-
-### Missing Error Handling for I/O
-
-```python
-# ❌ Bad: No error handling for file I/O
-data = open("config.json").read()
-
-# ✅ Good: Handle potential errors
-try:
-    with open("config.json") as f:
-        data = f.read()
-except FileNotFoundError:
-    data = default_config
-```
-
----
-
-## Architecture Issues
-
-### God Object / Fat Controller
-
-**Detection:** Class or function with >200 lines, >10 methods, or >5 dependencies.
-
-```python
-# ❌ Bad: Controller doing everything
-class UserView(APIView):
-    def post(self, request):
-        # Validates, creates user, sends email, creates token,
-        # logs event, syncs to CRM... all in one method
-
-# ✅ Good: Delegate to service layer
-class UserView(APIView):
-    def post(self, request):
-        serializer = UserSerializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-        user = UserService.register(serializer.validated_data)
-        return Response(UserSerializer(user).data, status=201)
-```
-
-### Business Logic in Wrong Layer
-
-**Detection:** Database queries in views/templates, HTTP concerns in models/services.
-
-```javascript
-// ❌ Bad: DB query in React component
-function UserList() {
-  const users = await db.query("SELECT * FROM users"); // Wrong layer!
-}
-
-// ✅ Good: API call from component, query in backend
-function UserList() {
-  const users = await fetch("/api/users").then((r) => r.json());
-}
-```
-
-### Circular Dependencies
-
-**Detection:** Module A imports B, B imports A.
-
-```python
-# ❌ Bad: Circular import
-# file: models.py
-from .services import UserService
-
-# file: services.py
-from .models import User  # Circular!
-```
-
-**Fix:** Move shared types to a separate module, use dependency injection, or use lazy imports.
-
----
-
-## Code Quality
-
-### Missing Type Annotations
-
-```python
-# ❌ Bad: No types
-def process(data, options):
-    return data
-
-# ✅ Good: Type hints
-def process(data: dict[str, Any], options: ProcessOptions) -> Result:
-    return Result(data)
-```
-
-```javascript
-// TypeScript: ❌ Bad - any type
-function process(data: any): any { }
-
-// ✅ Good: Specific types
-function process(data: Record<string, unknown>): Result { }
-```
-
-### Deprecated API Usage
-
-**Detection patterns:**
-- Functions/methods marked with `@deprecated` decorators
-- Import of known deprecated modules
-- Usage of APIs removed in newer language versions
-- Compiler/linter warnings about deprecation
-
-### Dead Code
-
-**Detection patterns:**
-- Functions never called (no references)
-- Unreachable code after `return`, `throw`, `break`
-- Commented-out code blocks (>5 lines)
-- Unused imports/variables
-- Feature flags always evaluating to same value
-
-### Code Duplication
-
-**Detection:**
-- Identical or near-identical blocks (>10 lines) across files
-- Repeated patterns that could be extracted into a shared utility
-- Copy-pasted logic with minor variations
-
----
-
-## Resource Management
-
-### Resource Leaks
-
-```python
-# ❌ Bad: Unclosed file handle
-f = open("data.txt")
-data = f.read()
-# f never closed if exception occurs
-
-# ✅ Good: Context manager
-with open("data.txt") as f:
-    data = f.read()
-```
-
-```go
-// ❌ Bad: Unclosed response body
-resp, _ := http.Get(url)
-// resp.Body never closed
-
-// ✅ Good: Defer close
-resp, err := http.Get(url)
-if err != nil { return err }
-defer resp.Body.Close()
-```
-
-```java
-// ❌ Bad: Unclosed connection
-Connection conn = DriverManager.getConnection(url);
-// conn never closed
-
-// ✅ Good: Try-with-resources
-try (Connection conn = DriverManager.getConnection(url)) {
-    // use connection
-}
-```
-
-### Missing Connection Pooling
-
-**Detection:** Database or HTTP connections created per request instead of shared pool.
-
----
-
-## Severity Classification
-
-| Severity     | Emoji | Universal Criteria                                                |
-| ------------ | ----- | ----------------------------------------------------------------- |
-| Critical     | 🔴     | Security vulnerabilities, data loss risks, crashes, auth bypasses |
-| Warning      | 🟠     | Performance issues, design flaws, error handling gaps              |
-| Optimization | 🟡     | Efficiency improvements, code duplication, missing caching         |
-| Quality      | 🔵     | Best practices, conventions, modern syntax, documentation          |
-
-## Detection Priority by Language
-
-| Language       | Top Issues to Check                                                  |
-| -------------- | -------------------------------------------------------------------- |
-| Python         | Type hints, injection, N+1 (Django/SQLAlchemy), async misuse         |
-| JavaScript/TS  | XSS, any types, blocking event loop, missing await, memory leaks     |
-| PHP            | SQL injection, XSS, mass assignment, type safety, deprecated APIs    |
-| Go             | Ignored errors, goroutine leaks, unclosed readers, race conditions   |
-| Rust           | Unsafe blocks, unwrap() abuse, clone() overhead, lifetime issues     |
-| Java           | Resource leaks, broad catches, null safety, generics misuse          |
-| Ruby           | N+1 (Rails), mass assignment, SQL injection, missing strong params   |
-| C#             | Over-posting, async void, IDisposable leaks, null reference          |
-| Swift          | Force unwrap abuse, retain cycles, main thread violations            |
-| Kotlin         | Platform types, coroutine scope leaks, null safety bypass            |
-
-````

package/skills/design-md/README.md

@@ -1,34 +0,0 @@
-# Stitch Design System Documentation Skill
-
-## Install
-
-```bash
-npx skills add google-labs-code/stitch-skills --skill design-md --global
-```
-
-## Example Prompt
-
-```text
-Analyze my Furniture Collection project's Home screen and generate a comprehensive DESIGN.md file documenting the design system.
-```
-
-## Skill Structure
-
-This repository follows the **Agent Skills** open standard. Each skill is self-contained with its own logic, workflow, and reference materials.
-
-```text
-design-md/
-├── SKILL.md           — Core instructions & workflow
-├── examples/          — Sample DESIGN.md outputs
-└── README.md          — This file
-```
-
-## How it Works
-
-When activated, the agent follows a structured design analysis pipeline:
-
-1. **Retrieval**: Uses the Stitch MCP Server to fetch project screens, HTML code, and design metadata.
-2. **Extraction**: Identifies design tokens including colors, typography, spacing, and component patterns.
-3. **Translation**: Converts technical CSS/Tailwind values into descriptive, natural design language.
-4. **Synthesis**: Generates a comprehensive DESIGN.md following the semantic design system format.
-5. **Alignment**: Ensures output follows Stitch Effective Prompting Guide principles for optimal screen generation.

package/skills/design-md/SKILL.md

@@ -1,172 +0,0 @@
----
-name: design-md
-description: Analyze Stitch projects and synthesize a semantic design system into DESIGN.md files
-allowed-tools:
-  - "stitch*:*"
-  - "Read"
-  - "Write"
-  - "web_fetch"
----
-
-# Stitch DESIGN.md Skill
-
-You are an expert Design Systems Lead. Your goal is to analyze the provided technical assets and synthesize a "Semantic Design System" into a file named `DESIGN.md`.
-
-## Overview
-
-This skill helps you create `DESIGN.md` files that serve as the "source of truth" for prompting Stitch to generate new screens that align perfectly with existing design language. Stitch interprets design through "Visual Descriptions" supported by specific color values.
-
-## Prerequisites
-
-- Access to the Stitch MCP Server
-- A Stitch project with at least one designed screen
-- Access to the Stitch Effective Prompting Guide: https://stitch.withgoogle.com/docs/learn/prompting/
-
-## The Goal
-
-The `DESIGN.md` file will serve as the "source of truth" for prompting Stitch to generate new screens that align perfectly with the existing design language. Stitch interprets design through "Visual Descriptions" supported by specific color values.
-
-## Retrieval and Networking
-
-To analyze a Stitch project, you must retrieve screen metadata and design assets using the Stitch MCP Server tools:
-
-1. **Namespace discovery**: Run `list_tools` to find the Stitch MCP prefix. Use this prefix (e.g., `mcp_stitch:`) for all subsequent calls.
-
-2. **Project lookup** (if Project ID is not provided):
-   - Call `[prefix]:list_projects` with `filter: "view=owned"` to retrieve all user projects
-   - Identify the target project by title or URL pattern
-   - Extract the Project ID from the `name` field (e.g., `projects/13534454087919359824`)
-
-3. **Screen lookup** (if Screen ID is not provided):
-   - Call `[prefix]:list_screens` with the `projectId` (just the numeric ID, not the full path)
-   - Review screen titles to identify the target screen (e.g., "Home", "Landing Page")
-   - Extract the Screen ID from the screen's `name` field
-
-4. **Metadata fetch**: 
-   - Call `[prefix]:get_screen` with both `projectId` and `screenId` (both as numeric IDs only)
-   - This returns the complete screen object including:
-     - `screenshot.downloadUrl` - Visual reference of the design
-     - `htmlCode.downloadUrl` - Full HTML/CSS source code
-     - `width`, `height`, `deviceType` - Screen dimensions and target platform
-     - Project metadata including `designTheme` with color and style information
-
-5. **Asset download**:
-   - Use `web_fetch` or `read_url_content` to download the HTML code from `htmlCode.downloadUrl`
-   - Optionally download the screenshot from `screenshot.downloadUrl` for visual reference
-   - Parse the HTML to extract Tailwind classes, custom CSS, and component patterns
-
-6. **Project metadata extraction**:
-   - Call `[prefix]:get_project` with the project `name` (full path: `projects/{id}`) to get:
-     - `designTheme` object with color mode, fonts, roundness, custom colors
-     - Project-level design guidelines and descriptions
-     - Device type preferences and layout principles
-
-## Analysis & Synthesis Instructions
-
-### 1. Extract Project Identity (JSON)
-- Locate the Project Title
-- Locate the specific Project ID (e.g., from the `name` field in the JSON)
-
-### 2. Define the Atmosphere (Image/HTML)
-Evaluate the screenshot and HTML structure to capture the overall "vibe." Use evocative adjectives to describe the mood (e.g., "Airy," "Dense," "Minimalist," "Utilitarian").
-
-### 3. Map the Color Palette (Tailwind Config/JSON)
-Identify the key colors in the system. For each color, provide:
-- A descriptive, natural language name that conveys its character (e.g., "Deep Muted Teal-Navy")
-- The specific hex code in parentheses for precision (e.g., "#294056")
-- Its specific functional role (e.g., "Used for primary actions")
-
-### 4. Translate Geometry & Shape (CSS/Tailwind)
-Convert technical `border-radius` and layout values into physical descriptions:
-- Describe `rounded-full` as "Pill-shaped"
-- Describe `rounded-lg` as "Subtly rounded corners"
-- Describe `rounded-none` as "Sharp, squared-off edges"
-
-### 5. Describe Depth & Elevation
-Explain how the UI handles layers. Describe the presence and quality of shadows (e.g., "Flat," "Whisper-soft diffused shadows," or "Heavy, high-contrast drop shadows").
-
-## Output Guidelines
-
-- **Language:** Use descriptive design terminology and natural language exclusively
-- **Format:** Generate a clean Markdown file following the structure below
-- **Precision:** Include exact hex codes for colors while using descriptive names
-- **Context:** Explain the "why" behind design decisions, not just the "what"
-
-## Output Format (DESIGN.md Structure)
-
-```markdown
-# Design System: [Project Title]
-**Project ID:** [Insert Project ID Here]
-
-## 1. Visual Theme & Atmosphere
-(Description of the mood, density, and aesthetic philosophy.)
-
-## 2. Color Palette & Roles
-(List colors by Descriptive Name + Hex Code + Functional Role.)
-
-## 3. Typography Rules
-(Description of font family, weight usage for headers vs. body, and letter-spacing character.)
-
-## 4. Component Stylings
-* **Buttons:** (Shape description, color assignment, behavior).
-* **Cards/Containers:** (Corner roundness description, background color, shadow depth).
-* **Inputs/Forms:** (Stroke style, background).
-
-## 5. Layout Principles
-(Description of whitespace strategy, margins, and grid alignment.)
-```
-
-## Usage Example
-
-To use this skill for the Furniture Collection project:
-
-1. **Retrieve project information:**
-   ```
-   Use the Stitch MCP Server to get the Furniture Collection project
-   ```
-
-2. **Get the Home page screen details:**
-   ```
-   Retrieve the Home page screen's code, image, and screen object information
-   ```
-
-3. **Reference best practices:**
-   ```
-   Review the Stitch Effective Prompting Guide at:
-   https://stitch.withgoogle.com/docs/learn/prompting/
-   ```
-
-4. **Analyze and synthesize:**
-   - Extract all relevant design tokens from the screen
-   - Translate technical values into descriptive language
-   - Organize information according to the DESIGN.md structure
-
-5. **Generate the file:**
-   - Create `DESIGN.md` in the project directory
-   - Follow the prescribed format exactly
-   - Ensure all color codes are accurate
-   - Use evocative, designer-friendly language
-
-## Best Practices
-
-- **Be Descriptive:** Avoid generic terms like "blue" or "rounded." Use "Ocean-deep Cerulean (#0077B6)" or "Gently curved edges"
-- **Be Functional:** Always explain what each design element is used for
-- **Be Consistent:** Use the same terminology throughout the document
-- **Be Visual:** Help readers visualize the design through your descriptions
-- **Be Precise:** Include exact values (hex codes, pixel values) in parentheses after natural language descriptions
-
-## Tips for Success
-
-1. **Start with the big picture:** Understand the overall aesthetic before diving into details
-2. **Look for patterns:** Identify consistent spacing, sizing, and styling patterns
-3. **Think semantically:** Name colors by their purpose, not just their appearance
-4. **Consider hierarchy:** Document how visual weight and importance are communicated
-5. **Reference the guide:** Use language and patterns from the Stitch Effective Prompting Guide
-
-## Common Pitfalls to Avoid
-
-- ❌ Using technical jargon without translation (e.g., "rounded-xl" instead of "generously rounded corners")
-- ❌ Omitting color codes or using only descriptive names
-- ❌ Forgetting to explain functional roles of design elements
-- ❌ Being too vague in atmosphere descriptions
-- ❌ Ignoring subtle design details like shadows or spacing patterns