@eltonssouza/development-utility-kit 1.0.0

package/.claude/skills/api-integration-test/SKILL.md

@@ -0,0 +1,64 @@
+---
+name: api-integration-test
+description: Use to validate that backend and frontend talk correctly BEFORE the production gate. Triggers on phrases like "test the integration", "validate that the front is calling the API", "spin everything up and test the flow", "smoke test", "verify that the screen actually works", "open the browser and test", "do the quick E2E". This skill brings up the backend (mvn spring-boot:run or docker compose), brings up the frontend (ng serve), hits the endpoints with curl, opens a headless browser via Chrome MCP, runs the main flows, validates the console has no errors, and validates the network has no failing requests. It does not replace prd-ready-check (which is the formal gate); it serves to shorten the feedback loop during implementation. Do NOT use for unit tests (use auto-test-guard) nor for the final production gate (use prd-ready-check). PT triggers: 'testa a integração', 'valida que o front tá chamando a API', 'sobe tudo e testa', 'smoke test', 'verifica se a tela funciona', 'abre o browser e testa', 'faz o E2E rápido'.
+---
+
+# API Integration Test — End-to-End Validation
+
+Skill that invokes the `api-integration-test` agent. Always reply in **American English**.
+
+---
+
+## When to trigger
+
+- "test the integration", "validate that the front is calling the API"
+- "spin everything up and test the flow", "smoke test"
+- "verify that the screen actually works", "open the browser and test"
+- "do the quick E2E"
+- PT: "testa a integração", "sobe tudo e testa", "verifica se a tela funciona", "faz o E2E rápido"
+
+## 2. When NOT to trigger
+
+## Prerequisites
+
+- `gate-keeper` (auto-test-guard) has run and returned GREEN on the current code.
+- Backend and frontend code compile locally without errors.
+- Docker (or local Postgres/Redis) is available for dependent services.
+- Chrome MCP extension is installed and connected (for browser validation).
+
+---
+
+## Do NOT use for
+
+- Unit or integration tests — use `gate-keeper` (auto-test-guard skill).
+- The final production gate — use `prd-ready-check`.
+- Writing test code — use `qa-engineer` / `backend-developer` / `frontend-developer`.
+
+1. `navigate` to each main screen.
+2. `read_console_messages` — assert zero errors.
+3. `read_network_requests` — assert zero unexpected 4xx/5xx, zero asset 404.
+4. Run minimum CRUD flow: create → list → edit → delete.
+
+## Dispatch
+
+```
+Task(
+  subagent_type: "api-integration-test",
+  description: "Boot backend and frontend, fire curl against main endpoints, open browser via Chrome MCP, validate console and network. Report OK/FAIL per check.",
+  prompt: "<full user message + list of endpoints and flows to validate>"
+)
+```
+
+1. **Never "prove it's OK" by reading code only** — must boot and observe live.
+2. **Zero console errors** is a hard requirement.
+3. **Tear down processes on exit** (even on failure — use `trap`).
+4. **Document tested URLs, methods, responses** in the report.
+5. **Failure returns to specialist**, not to human — dispatch `backend-developer` or `frontend-developer` based on which side failed.
+
+## Handoff
+
+The `api-integration-test` agent (`.claude/agents/api-integration-test.md`, model: sonnet) owns the complete execution contract:
+- Boot sequence (backend, frontend, dependent services).
+- Curl smoke test scripts and per-endpoint assertions.
+- Chrome MCP browser flows and console/network validation.
+- Final integration report format and failure handling.

package/.claude/skills/auto-test-guard/SKILL.md

@@ -0,0 +1,237 @@
+---
+name: auto-test-guard
+description: Use ALWAYS at the end of every implemented task/feature to (1) AUTOMATICALLY GENERATE missing tests for the new code, (2) RUN the project's full regression suite, and (3) VALIDATE the senior+ quality gate (coverage >= 85%, PIT mutation score >= 70%, SpotBugs/SonarLint with no CRITICAL/HIGH, OWASP dependency-check with no CVSS >= 7.0). Triggers when the user says "run the tests", "generate the tests", "make sure nothing broke", "validate the task", "run the regression", "test everything", "full suite", "check that I didn't break anything", "end of task", "auto-test", "create tests for this feature", "validate the senior+ gate" — OR when a task/sprint finishes inside run-sprint and run-sprint. Generates JUnit 5 + Mockito + Testcontainers (backend), Jest + Testing Library (frontend), and Playwright (E2E) for the new code; then executes mvn verify (test + jacoco + pitest) + spotbugs + owasp + npm test + playwright across the WHOLE project. DO NOT use to audit technical debt (use test-coverage-auditor). DO NOT use as the final production gate (use prd-ready-check, which assumes this skill already passed). PT triggers: 'roda os testes', 'gera os testes', 'garante que nada quebrou', 'valida a tarefa', 'roda a regressão', 'testa tudo', 'suite completa', 'confere se não quebrei nada', 'fim de tarefa', 'cria testes pra essa feature'.
+---
+
+# Auto-Test Guard — Generate tests + run full regression + senior+ gate
+
+> **Subagent dispatch (mandatory).** Do NOT execute this skill inline in the calling session. Use the Task tool with `subagent_type: "gate-keeper"` so the gate runs in the Sonnet subagent declared in `.claude/agents/gate-keeper.md`. Test-writing delegations to `backend-developer` / `frontend-developer` MUST also use the Task tool with the matching `subagent_type`. Inline execution bills the parent (Opus) and violates the routing matrix in CLAUDE.md.
+
+You are the automated testing safety net — operating at the **senior+** level.
+
+Your mission, in one line: **every completed task ships with automated tests generated for the new code, a green regression suite across the whole project, AND the senior+ quality gate approved** (coverage >= 85%, mutation score >= 70%, clean static analysis, no high-risk CVEs). If any item fails — test, threshold, lint, security — the task **is not done**.
+
+Principle: *"senior+ quality is non-negotiable; debt becomes an ADR with a deadline, never silent tolerance."* The difference vs. `test-coverage-auditor`: **this skill writes, executes, and validates the gate**; the other audits what was missing.
+
+---
+
+## Step 0 — Stack pre-resolution (NON-NEGOTIABLE, per ADR-026 Layer 1)
+
+**Runs BEFORE every other phase in this skill.** Determines which stack pack must be injected into the prompt of every downstream agent spawned by this skill (`qa-engineer`, `backend-developer`, `frontend-developer`, `gate-keeper`). Without this step, downstream agents fall back to baked-in defaults (e.g. JUnit 5 + Maven assumptions) that may not match the project's actual stack (e.g. JUnit 4, Gradle, pytest, vitest, etc.).
+
+### 0.a — Invoke `stack-resolver`
+
+```
+Task(
+  subagent_type="stack-resolver",
+  description="resolve stack for project",
+  prompt="Resolve the stack for the project at the current working directory. Read CLAUDE.md > Project Identity, identify primary stack (lang + framework + major version), check whether the matching pack exists under .claude/stacks/<lang>/<framework>-<major>.md, and emit the canonical STACK CONTEXT block as your output."
+)
+```
+
+### 0.b — Parse the resolver output
+
+The resolver's first line is the marker:
+
+- `[STACK: <lang>/<framework>-<major> | PACK: loaded]` — extract the full **STACK CONTEXT** block (versions, build commands, test runners, coverage tooling, lint commands, static analysis plugins, dependency scanners) from the body and keep it in memory for Steps 3.2 onward. Proceed to Step 1.
+- `[STACK: <lang>/<framework>-<major> | PACK: none]` — the project's declared stack has no pack yet. **Stop the gate** and dispatch the `create-stack-pack` skill:
+  ```
+  Skill(name="create-stack-pack")
+  ```
+  Once the pack has been generated and committed, **repeat Step 0.a**. Do NOT proceed — running `gate-keeper` with stale defaults will run the wrong commands and produce a false GREEN.
+- `[STACK: unknown | ...]` or no marker — the resolver could not parse `Project Identity`. Report this back to the caller and ask the user to populate `## Project Identity` in `CLAUDE.md`. Do not proceed.
+
+### 0.c — Capture the STACK CONTEXT for downstream injection
+
+Store the entire STACK CONTEXT block returned by the resolver. It will be **prepended to every downstream Task prompt** spawned by this skill — `qa-engineer`, `backend-developer`, `frontend-developer`, and the recursive `gate-keeper` self-dispatch (when applicable).
+
+> Stage 0 runs before any of the flows described in Section 1 onward and before the example in Section 8 — those examples assume `<STACK CONTEXT>` has already been captured.
+
+---
+
+## 1. When it triggers
+
+### 1.1. Automatically (inside pipelines)
+
+This skill is **always invoked via `Task(subagent_type="gate-keeper", ...)`**, never inline. The orchestrator (`run-sprint` skill or `sprint-runner` agent) spawns this agent so the senior+ gate runs on the Sonnet model and isolates token cost from the orchestrator session. The orchestrator is responsible for prepending the STACK CONTEXT (captured in its own Step 0) to the prompt of this dispatch.
+
+- **`run-sprint`** — spawns at the end of **each task** in the sprint, before marking it complete.
+- **`run-sprint`** — spawns right after Stage 3 (Implementation), before entering Stage 4 (Integration).
+
+This is the hard line: **no task is "done" without going through here**.
+
+### 1.1.1. Sub-spawn rules (inside this skill)
+
+When generating tests, this skill MAY further spawn the agents below. Every prompt MUST be prefixed with the STACK CONTEXT captured in Step 0.c:
+
+- `Task(subagent_type="backend-developer", prompt="""<STACK CONTEXT>\n\n---\n\nwrite integration test for <class> covering <scenarios> using the test infra declared in STACK CONTEXT""")` — non-trivial integration test details.
+- `Task(subagent_type="frontend-developer", prompt="""<STACK CONTEXT>\n\n---\n\nwrite spec for <component> covering <scenarios> using the test runner declared in STACK CONTEXT""")` — non-trivial component test details.
+- `Task(subagent_type="qa-engineer", prompt="""<STACK CONTEXT>\n\n---\n\nwrite E2E for user story <slug> using the E2E runner declared in STACK CONTEXT""")` — E2E scenarios.
+
+Every spawned agent's first output line MUST be `[STACK: <lang>/<framework>-<major> | PACK: loaded]` (ADR-026 Layer 3 post-hoc validation). If absent, re-invoke once with an enforcing reminder.
+
+Bash for build/test/coverage runs uses the commands declared in the STACK CONTEXT pack — deterministic execution, not authoring.
+
+### 1.2. Explicitly by the user
+
+Triggers: "run the tests", "generate tests for task X", "test everything", "validate the regression", "check that I didn't break anything", "full suite", "auto-test", "safety net", "run the auto-test-guard", "validate the senior+ gate".
+
+### 1.3. When it does NOT trigger
+
+- **Trivial fix to documentation, comment, typo in README** -> doesn't change behavior, skip.
+- **Pure formatting change** (prettier, spotless) -> run lint only, no need for the full suite.
+- **WIP/draft branch** -> the user is explicit: "not ready yet". Run only at the end.
+
+---
+
+## 2. Required inputs
+
+- Project type (`CLAUDE.md` -> `> **Project type**:` block).
+- STACK CONTEXT (captured in Step 0.c).
+- Scope of the latest task: obtain via `git status` + `git diff --name-only HEAD~1..HEAD` (or against base branch if there's no commit yet).
+- List of new/modified files in the source paths declared in STACK CONTEXT (e.g. backend source dir, frontend app dir).
+
+---
+
+## 3. Step by step
+
+### 3.1. Detect the task scope
+
+```bash
+# Inside the project
+git diff --name-only HEAD~1..HEAD 2>/dev/null \
+ || git diff --name-only --cached \
+ || git status --porcelain | awk '{print $2}'
+```
+
+Split into three lists, using the source paths declared in the STACK CONTEXT pack:
+
+- **backend_changed** — backend source files + migration files (paths per STACK CONTEXT)
+- **frontend_changed** — frontend source files excluding spec files (paths per STACK CONTEXT)
+- **e2e_flow** — inferred from the BDD user stories of the current plan (if any) and from the screens/endpoints touched
+
+If no production file changed, **stop** and report: "nothing new to test; running only the existing suite + senior+ gate".
+
+### 3.2. Generate backend tests
+
+See [`resources/backend-tests.md`](resources/backend-tests.md) — universal rules per architectural layer (controller, service, repository, domain), naming convention, validation cases, error-response assertions, mutant-killer mindset. **The concrete test framework, assertion library, and integration-test infra come from the STACK CONTEXT pack** (e.g. JUnit 5 + Mockito + Testcontainers for Java/Spring; pytest + httpx for FastAPI; Jest + supertest for Node). Spawn `backend-developer` for non-trivial cases, with STACK CONTEXT prepended.
+
+### 3.3. Generate frontend tests
+
+See [`resources/frontend-tests.md`](resources/frontend-tests.md) — universal matrix per component type, state, a11y selectors, coverage targets. **The concrete test runner and component-testing library come from the STACK CONTEXT pack** (e.g. Jest + Testing Library for Angular/React; vitest for Vite-based apps). Spawn `frontend-developer` for non-trivial cases, with STACK CONTEXT prepended.
+
+### 3.4. Generate E2E test (Playwright)
+
+See [`resources/e2e-tests.md`](resources/e2e-tests.md) — Playwright spec template, 1-test-per-BDD-user-story rule, stable selectors, real-login policy, Chrome MCP console capture. Spawn `qa-engineer` for the spec, with STACK CONTEXT prepended.
+
+### 3.5. Run the FULL regression suite + senior+ gate
+
+See [`resources/run-suite.md`](resources/run-suite.md) — the 8-stage execution order. The **concrete commands** for each stage (build, test, coverage, mutation, static analysis, dependency scan, lint, prod build, E2E) come from the STACK CONTEXT pack. Stop at the first red.
+
+### 3.6. Senior+ gate — REQUIRED thresholds
+
+See [`resources/senior-gate.md`](resources/senior-gate.md) — complete threshold table for coverage, mutation, static analysis, CVEs, lint, E2E and browser console. **Thresholds are universal (ADR-007); the tools that produce the numbers come from the STACK CONTEXT pack.**
+
+### 3.7. Initial setup (first time on the project)
+
+See [`resources/initial-setup.md`](resources/initial-setup.md) — plugin/config bootstrap. The exact files and plugins to add depend on the STACK CONTEXT pack (e.g. `pom.xml` + JaCoCo/PIT/SpotBugs/OWASP DC for Java/Maven; `package.json` + jest/vitest coverage config + `npm audit` for Node; `pyproject.toml` + coverage.py + bandit + pip-audit for Python). Install without asking — it's a standard senior+ technical decision; record as a `tech-lead` ADR.
+
+### 3.8. Execution report
+
+See [`resources/execution-report.md`](resources/execution-report.md) — exact markdown block format with tests-generated / files-created / regression-suite / senior+ gate table / GREEN-or-RED verdict. Include the resolved stack at the top of the report.
+
+---
+
+## 4. If it breaks — fix it, don't mask
+
+If any test fails (new or old) or any gate threshold fails:
+
+1. **NEVER** mark the task as done.
+2. **NEVER** comment/`@Disable`/`.skip()` to "make it pass".
+3. **NEVER** lower the coverage threshold, mutation score, or accept a high CVE without an explicit ADR.
+4. Classify the failure:
+ - **New test failing** -> real bug in the new code -> send back to `backend-developer` / `frontend-developer` (with STACK CONTEXT prepended) to fix.
+ - **Old test failing** -> the new task **broke regression** -> fixing the regression is part of the task, period.
+ - **Surviving mutant** -> weak test -> reinforce with boundary assertions, negative conditions, swapped returns.
+ - **HIGH/CRITICAL CVE in the dependency scanner declared in STACK CONTEXT** -> bump the lib OR record a suppression with **a justifying ADR** (rare: only if confirmed false positive).
+ - **CRITICAL static-analysis finding** -> fix the flagged code, no exception.
+5. **You decide the fix and hand it back to the specialist**, do not ask the human.
+6. When fixing, **rerun the suite from scratch** using the STACK CONTEXT commands. Don't assume that just rerunning the specific test is enough.
+
+---
+
+## 5. Required outputs
+
+1. **New test files** committed (even if the task hasn't made the final commit yet — they're part of the diff).
+2. **Green suite + green senior+ gate** across the whole project.
+
+```markdown
+### Auto-test guard — <HH:MM>
+- Stack: <lang>/<framework>-<major> (pack: loaded)
+- Task: <title>
+- Tests generated: N (backend), M (frontend), K (E2E)
+- Suite: OK build, OK test, OK coverage, OK mutation, OK static analysis, OK dep scan, OK E2E
+- Coverage: backend=X% (mutation Y%), frontend=Z%
+- Vulnerabilities: 0 high/critical
+```
+
+---
+
+## 6. Interface with other skills
+
+| Skill | Role |
+|---|---|
+| `run-sprint` | **Calls this skill at the end of each task.** If this returns RED, the sprint does not advance. `run-sprint` is responsible for prepending STACK CONTEXT to the dispatch. |
+| `run-sprint` | Calls in Stage 3 (at the end of implementation) before moving on to integration. |
+| `backend-developer` | This skill **delegates writing complex backend tests** here when it needs detail specific to the test infra declared in STACK CONTEXT. |
+| `frontend-developer` | This skill **delegates writing frontend tests** here when it needs detail specific to the test runner declared in STACK CONTEXT. |
+| `stack-resolver` | Invoked in Step 0 to resolve the active stack pack. |
+| `create-stack-pack` | Invoked from Step 0.b when the project's declared stack has no pack yet. |
+| `api-integration-test` | **Real** integration validation (curl + Chrome MCP in dev environment). This skill handles **automated** tests; the other handles **automatable exploratory** tests in a real environment. |
+| `test-coverage-auditor` | Complementary. This one generates+runs+validates the gate; the other **audits** what was left without an automated test and what became "recurring manual". |
+| `prd-ready-check` | Assumes this skill **already ran** and went green. If it didn't run, the gate automatically returns NO-GO. |
+
+---
+
+## 7. Inviolable rules
+
+1. **Stage 0 (Stack pre-resolution) is non-skippable.** No Task dispatch or `Bash` run happens before STACK CONTEXT is captured. Pack missing -> `create-stack-pack` first.
+2. **Every downstream Task dispatch carries STACK CONTEXT as the first block of its prompt.** No exceptions.
+3. **Task without green suite + green senior+ gate = task not done.** No exceptions.
+4. **NEVER delete, disable (`@Disabled`/`.skip()`), comment out, or move a test to make the gate pass — NON-NEGOTIABLE.** A red test is fixed (production code or the test itself, the latter with an ADR) or reported as a real failure. Disabling requires a formal ADR + deadline to reactivate. Deleting a test to "go green" is a silent gate bypass — the hook `block-test-deletion.sh` enforces this at the filesystem level.
+5. **Never generate a "just-passing" test** (without real assertions or duplicating the code under test). A test that can't break = a useless test.
+6. **Never generate a test without naming the behavior** in descriptive English.
+7. **The suite runs across the WHOLE project**, not just the touched modules. Regression catches what you didn't anticipate.
+8. **Chrome MCP for E2E console**: zero console errors is a requirement, not optional.
+9. **Once coverage goes up, never down.** If the task lowered %, the reason goes into `tech-debt.md` P0 with a deadline.
+10. **Mutation score never goes down.** Surviving mutant = weak test to fix, not debt.
+11. **HIGH/CRITICAL CVE never passes.** Bump the lib or record a suppression with an ADR.
+12. **You decide and hand it back to the specialist** — never ask the human if "it can pass anyway".
+13. **English** in test names and descriptions.
+
+---
+
+## 8. Example interaction (inside `run-sprint`)
+
+**Context**: `run-sprint` just implemented the "create-product-backend" task. Assume Step 0 already resolved the stack as `java/spring-boot-4` with pack loaded; STACK CONTEXT is in memory. (Stage 0 runs before this example.)
+
+**This skill**:
+1. `git diff --name-only` -> detects 6 new files in the backend source dir declared in STACK CONTEXT.
+2. For each class, generates the corresponding test file using the test infra from STACK CONTEXT. `qa-engineer` / `backend-developer` spawns receive STACK CONTEXT prepended.
+3. Runs the build+test+coverage command from STACK CONTEXT -> **124/124 OK** | coverage 87% | mutation 73%.
+4. Runs the static-analysis command from STACK CONTEXT -> **OK 0 critical**.
+5. Runs the dependency-scan command from STACK CONTEXT -> **OK 0 CVE >= 7.0**.
+6. Runs the frontend test command from STACK CONTEXT -> **87/87 OK** | coverage 89%.
+7. Runs the E2E command from STACK CONTEXT (Playwright) -> **12/12 OK**, clean console.
+8. Returns **GREEN** -> `run-sprint` marks the task as done.
+
+---
+
+## 9. When NOT to use this skill
+
+- **Audit of technical debt / recurring manual** -> `test-coverage-auditor`.
+- **Bring up backend+frontend and click through real screens** -> `api-integration-test`.
+- **Final release gate to PRD** -> `prd-ready-check`.
+- **Write a specific complex test that was already requested in isolation** -> `backend-developer` or `frontend-developer` directly.
+- **Project still without scaffolding** -> `bootstrap-*` first.
+

package/.claude/skills/auto-test-guard/resources/backend-tests.md

@@ -0,0 +1,20 @@
+# Backend tests (auto-test-guard)
+
+For each **new or modified class** in `backend/src/main/java`:
+
+| Layer | Required test | Tool | Structure |
+|---|---|---|---|
+| `domain/` (entities, VOs, domain services) | Invariant and behavior tests | Pure JUnit 5 | `backend/src/test/java/<package>/<Class>Test.java` |
+| `application/` (use cases, services, mappers) | Unit tests with port mocks | JUnit 5 + Mockito | `backend/src/test/java/<package>/<Class>Test.java` |
+| `infrastructure/` (JPA adapters, HTTP clients) | Integration tests with Testcontainers | JUnit 5 + Testcontainers (Postgres) | `backend/src/test/java/<package>/<Class>IT.java` |
+| `web/` (controllers, @ControllerAdvice) | `@WebMvcTest` + `MockMvc` | Spring Test | `backend/src/test/java/<package>/<Controller>Test.java` |
+
+Rules:
+
+- **Descriptive English naming** in the test method: `@DisplayName("should return 404 when product does not exist")`, method `shouldReturn404WhenProductDoesNotExist()`.
+- **Given / When / Then** in comments (or using `// given`, `// when`, `// then`).
+- **Bean Validation**: for each `@NotBlank`, `@NotNull`, `@Email`, `@Size` on the request DTO, a negative case.
+- **ProblemDetail**: controller tests validate `application/problem+json` with the RFC 9457 fields.
+- **No `Thread.sleep`**, no silent `@Disabled`.
+- **Delegate** detailed implementation via `Task(subagent_type="backend-developer", ...)` if the tests are complex — but the responsibility for **deciding what to test** is `auto-test-guard`'s.
+- **Mutant-killer**: when generating a test, think "what mutation does this test catch?" — boundary, negation, swapped return, inverted conditional. Each surviving mutant is a weak test.

package/.claude/skills/auto-test-guard/resources/e2e-tests.md

@@ -0,0 +1,24 @@
+# E2E tests (auto-test-guard)
+
+For each new **BDD user story** in the current plan, create a file `frontend/e2e/<slug>.spec.ts` (or `e2e/` at the root, depending on the project):
+
+```ts
+import { test, expect } from '@playwright/test';
+
+test.describe('<feature slug>', () => {
+  test('<Given/When/Then of the user story>', async ({ page }) => {
+    // given
+    // when
+    // then
+  });
+});
+```
+
+Rules:
+
+- **1 E2E test per critical BDD user story** (not per screen).
+- Use the **real login** of the dev environment (or authenticated fixture). No mocks.
+- **Stable selector**: role/label/text, never CSS class.
+- Assert against the **final backend state** when possible (e.g., after creating a product, navigate to the listing and see the item).
+- Happy path + 1 expected error scenario per user story.
+- During E2E execution, use **Chrome MCP** to capture browser console errors (`mcp__Claude_in_Chrome__read_console_messages`). Any console error = NO-GO.

package/.claude/skills/auto-test-guard/resources/execution-report.md

@@ -0,0 +1,49 @@
+# Execution report (auto-test-guard §3.8)
+
+At the end of every run, print a block exactly in this format:
+
+```
+## Auto-Test Guard — Task: <title>
+
+### Tests generated
+- Backend: N new files (domain: A, application: B, web: C, infra: D)
+- Frontend: M new files (component: X, service: Y, guard: Z)
+- E2E: K new Playwright scenarios
+
+### Files created
+- backend/src/test/java/.../ProductServiceTest.java
+- frontend/src/app/features/product/product.component.spec.ts
+- frontend/e2e/create-product.spec.ts
+- ...
+
+### Regression suite — FULL PROJECT
+- mvn verify (test+jacoco+pit): N/N OK
+- spotbugs:check: OK 0 critical / 0 high
+- owasp dependency-check: OK 0 CVE >= 7.0
+- npm test: M/M OK
+- npm audit (high): OK
+- eslint: OK 0 errors / 0 warnings
+- mvn package: OK
+- ng build prod: OK bundle: N KB gzipped
+- playwright: K/K OK 0 console errors
+
+### Senior+ gate
+| Metric | Value | Threshold | Status |
+|--------------------|---------|-----------|--------|
+| Back coverage (L)  | 87.3%   | >= 85%    | OK |
+| Back coverage (B)  | 82.1%   | >= 80%    | OK |
+| PIT mutation       | 73.5%   | >= 70%    | OK |
+| Front coverage S   | 89.4%   | >= 85%    | OK |
+| Front coverage B   | 81.0%   | >= 80%    | OK |
+| SpotBugs           | 0/0     | 0 C / 0 H | OK |
+| OWASP              | 0       | < CVSS 7  | OK |
+| npm audit          | 0       | 0 H / 0 C | OK |
+
+### Result: GREEN — task done
+OR
+### Result: RED — task NOT done
+#### Failures
+- <file>:<line> <class>#<test> -> <short cause> -> <next action>
+- Mutation: 12 mutants survived in ProductService -> reinforce boundary tests
+- OWASP: CVE-2024-XXXX in lib Y (CVSS 8.1) -> bump lib Y to v3.2.1
+```

package/.claude/skills/auto-test-guard/resources/frontend-tests.md

@@ -0,0 +1,18 @@
+# Frontend tests (auto-test-guard)
+
+For each **new or modified component/service/guard** in `frontend/src/app`:
+
+| Type | Test | Tool | File |
+|---|---|---|---|
+| Standalone component | Render + interactions with signals + OnPush | Jest + Testing Library (`@testing-library/angular`) | `<name>.component.spec.ts` |
+| Service | HTTP calls with `HttpTestingController`, error mapping | Jest + Angular HTTP testing | `<name>.service.spec.ts` |
+| Guard / Interceptor | Authorization scenarios, 401/403, redirect | Jest | `<name>.guard.spec.ts` / `<name>.interceptor.spec.ts` |
+| Pipe / Directive | Direct input -> output | Jest | `<name>.pipe.spec.ts` |
+
+Rules:
+
+- **Never use `any`** even in tests. Explicit types.
+- **Signals**: test initial state, after effect, and after reset.
+- **Accessibility**: use `getByRole`, `getByLabelText` (not `getByTestId` when an accessible alternative exists).
+- **Coverage target**: features + core >= **85%** statements, >= **80%** branches.
+- **Delegate** complex component details via `Task(subagent_type="frontend-developer", ...)`, but decide here what needs testing.

package/.claude/skills/auto-test-guard/resources/initial-setup.md

@@ -0,0 +1,108 @@
+# Initial setup (auto-test-guard §3.7) — first time on a project
+
+If the project doesn't yet have PIT, SpotBugs, or OWASP DC configured, **you install** without asking (standard senior+ technical decision) — add to `pom.xml`:
+
+```xml
+<plugins>
+ <!-- JaCoCo: coverage -->
+ <plugin>
+ <groupId>org.jacoco</groupId>
+ <artifactId>jacoco-maven-plugin</artifactId>
+ <version>0.8.12</version>
+ <executions>
+ <execution><goals><goal>prepare-agent</goal></goals></execution>
+ <execution><id>report</id><phase>verify</phase><goals><goal>report</goal></goals></execution>
+ <execution>
+ <id>check</id><phase>verify</phase><goals><goal>check</goal></goals>
+ <configuration>
+ <rules>
+ <rule>
+ <element>BUNDLE</element>
+ <limits>
+ <limit><counter>LINE</counter><value>COVEREDRATIO</value><minimum>0.85</minimum></limit>
+ <limit><counter>BRANCH</counter><value>COVEREDRATIO</value><minimum>0.80</minimum></limit>
+ </limits>
+ </rule>
+ </rules>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+
+ <!-- PIT: mutation testing -->
+ <plugin>
+ <groupId>org.pitest</groupId>
+ <artifactId>pitest-maven-plugin</artifactId>
+ <version>1.17.0</version>
+ <dependencies>
+ <dependency>
+ <groupId>org.pitest</groupId>
+ <artifactId>pitest-junit5-plugin</artifactId>
+ <version>1.2.1</version>
+ </dependency>
+ </dependencies>
+ <configuration>
+ <targetClasses>
+ <param>com.empresa.projeto.domain.*</param>
+ <param>com.empresa.projeto.application.*</param>
+ </targetClasses>
+ <mutationThreshold>70</mutationThreshold>
+ <coverageThreshold>85</coverageThreshold>
+ <outputFormats><outputFormat>HTML</outputFormat><outputFormat>XML</outputFormat></outputFormats>
+ </configuration>
+ <executions>
+ <execution><phase>verify</phase><goals><goal>mutationCoverage</goal></goals></execution>
+ </executions>
+ </plugin>
+
+ <!-- SpotBugs -->
+ <plugin>
+ <groupId>com.github.spotbugs</groupId>
+ <artifactId>spotbugs-maven-plugin</artifactId>
+ <version>4.8.6.4</version>
+ <configuration>
+ <effort>Max</effort>
+ <threshold>Low</threshold>
+ <failOnError>true</failOnError>
+ </configuration>
+ </plugin>
+
+ <!-- OWASP Dependency Check -->
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>10.0.4</version>
+ <configuration>
+ <failBuildOnCVSS>7</failBuildOnCVSS>
+ <suppressionFiles>
+ <suppressionFile>owasp-suppressions.xml</suppressionFile>
+ </suppressionFiles>
+ </configuration>
+ </plugin>
+</plugins>
+```
+
+For the frontend, update `jest.config.ts`:
+
+```ts
+coverageThreshold: {
+ global: {
+ statements: 85,
+ branches: 80,
+ functions: 85,
+ lines: 85,
+ },
+},
+```
+
+And add to `package.json`:
+
+```json
+"scripts": {
+ "lint": "eslint \"src/**/*.{ts,html}\" --max-warnings 0",
+ "test:coverage": "jest --ci --watchAll=false --coverage",
+ "audit:high": "npm audit --audit-level=high"
+}
+```
+
+Record this initial setup as a **technical ADR** (by the `tech-lead`): "ADR-NNN — Adoption of the senior+ gate (85% coverage, PIT 70%, SpotBugs, OWASP)".

package/.claude/skills/auto-test-guard/resources/run-suite.md

@@ -0,0 +1,48 @@
+# Run FULL regression suite + senior+ gate (auto-test-guard §3.5)
+
+Mandatory order — **stop at the first red**:
+
+```bash
+# 1) Backend - tests + JaCoCo coverage + PIT mutation testing (Pitest)
+cd backend && ./mvnw clean verify
+# -> executes: test + jacoco:report + pitest:mutationCoverage
+# -> fails if: tests red, coverage < threshold, mutation score < 70%
+
+# 2) Backend static analysis
+./mvnw spotbugs:check
+# -> fails if: CRITICAL or HIGH bug
+
+# 3) Dependency security (OWASP)
+./mvnw org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7
+# -> fails if: CVE with CVSS >= 7.0 (HIGH or CRITICAL)
+
+# 4) Frontend unit/integration + coverage
+cd ../frontend && npm ci --prefer-offline
+npm test -- --ci --watchAll=false --coverage
+# -> fails if: tests red OR coverage < 85%/80%
+
+# 5) Frontend lint (zero errors, zero warnings on new code)
+npx eslint "src/**/*.{ts,html}" --max-warnings 0
+
+# 6) npm audit (vulnerabilities)
+npm audit --audit-level=high
+# -> fails if: HIGH or CRITICAL vuln
+
+# 7) Production build (catches errors that tests don't)
+./mvnw -f ../backend package -DskipTests
+npm run build -- --configuration=production
+
+# 8) E2E with backend + frontend running
+# (Bring up via docker compose or the 2 processes; then:)
+npx playwright test --project=chromium
+
+# 9) Design anti-pattern gate (Impeccable detector — deterministic, no LLM) — per ADR-010
+# (cwd is frontend/ from step 4; wrapper vendored by scaffold)
+# PHASE WARN (default): report only, never blocks. Establish a baseline first.
+node scripts/impeccable-gate.mjs src --mode=warn
+# PHASE BLOCK (after baseline stable — see PLAN_impeccable-adoption P2):
+#   node scripts/impeccable-gate.mjs src --mode=block --changed-only --base=origin/develop
+#   Default block policy: severity === 'error'. Widen via IMPECCABLE_BLOCK_ANTIPATTERNS.
+```
+
+During E2E, use **Chrome MCP** to capture browser console errors (`mcp__Claude_in_Chrome__read_console_messages`). Any console error = NO-GO.

package/.claude/skills/auto-test-guard/resources/senior-gate.md

@@ -0,0 +1,19 @@
+# Senior+ gate — REQUIRED thresholds (auto-test-guard §3.6)
+
+All must pass. Failure on any one = task NOT done.
+
+| Metric | Threshold | Tool | How to measure |
+|---|---|---|---|
+| Backend coverage (lines) | >= **85%** | JaCoCo | `target/site/jacoco/index.html` or `jacoco.xml` |
+| Backend coverage (branches) | >= **80%** | JaCoCo | Same |
+| Backend mutation score | >= **70%** | PIT (Pitest) | `target/pit-reports/index.html` (focus on `domain/` and `application/`) |
+| Frontend coverage (statements) | >= **85%** | Jest --coverage | `coverage/lcov-report/index.html` |
+| Frontend coverage (branches) | >= **80%** | Jest --coverage | Same |
+| SpotBugs (backend) | 0 CRITICAL, 0 HIGH | SpotBugs Maven plugin | `target/spotbugsXml.xml` |
+| SonarLint/SonarQube (if configured) | 0 CRITICAL, 0 HIGH, 0 unreviewed hotspot | Sonar | Dashboard / `mvn sonar:sonar` |
+| OWASP dependency-check | 0 CVE with CVSS >= 7.0 | OWASP DC plugin | `target/dependency-check-report.html` |
+| npm audit | 0 HIGH, 0 CRITICAL | Npm | `npm audit --audit-level=high` |
+| Frontend ESLint | 0 errors, 0 warnings on new code | ESLint | `eslint --max-warnings 0` |
+| Playwright E2E | 100% green | Playwright | HTML report |
+| Browser console during E2E | 0 errors | Chrome MCP | `read_console_messages` |
+| Design anti-patterns (Impeccable) | WARN baseline → 0 blocking (severity `error` + ids) in changed files at BLOCK | `impeccable detect` via `scripts/impeccable-gate.mjs` | `node scripts/impeccable-gate.mjs src --mode=warn` → `impeccable-report.json` (ADR-010) |