@event4u/agent-config 2.25.0 → 2.26.0

package/.agent-src/skills/api-endpoint/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: api-endpoint
-description: "Use when the user says "create endpoint", "new API route", or "add controller". Creates a complete endpoint with Controller, FormRequest, Resource, route, and OpenAPI docs."
+description: "Use when creating an API endpoint or HTTP route handler — detects the project stack and routes to the matching carve-out (laravel-api-endpoint, nextjs-patterns, symfony-workflow)."
 source: package
 domain: engineering
 ---
@@ -9,178 +9,82 @@ domain: engineering
 
 ## When to use
 
-Use this skill when the user asks to create a new API endpoint, REST route, or controller action.
-
+Use this skill when the user asks to create a new API endpoint, REST route, or HTTP handler.
 
 Do NOT use when:
-- Modifying existing endpoints (use `code-refactoring` skill)
-- API design decisions (use `api-design` skill)
-
-## Procedure: Create an API endpoint
-
-1. **Read project docs** — Check `./agents/` and `AGENTS.md` for controller conventions, resource patterns, routing.
-2. **Create route** — Add to the correct `routes/api.php` or module route file.
-3. **Create controller** — Thin controller, delegate logic to service.
-4. **Create FormRequest** — Validate all input at the boundary.
-5. **Create Resource** — Transform model output via API Resource.
-6. **Verify** — Run PHPStan, run tests, confirm response shape matches conventions.
-
-## Laravel projects
-
-### What to generate
-
-1. **Controller** — Single Action (invokable). Read `agents/docs/controller.md` and `../../../docs/guidelines/php/controllers.md`.
-2. **FormRequest** — Validation rules, `authorize()` via policies. Read `../../../docs/guidelines/php/validations.md`.
-3. **Resource** — JSON response transformation. Read `agents/docs/api-resources.md`.
-4. **Route** — Add to the correct versioned route file.
-5. **Policy** — If authorization is needed.
-6. **Filter classes** — If it's a list endpoint with filtering. Read `agents/docs/query-filter.md` (if it exists).
-
-### Conventions
-
-- Controllers are thin — delegate to Services.
-- **Every controller MUST return an API Resource** — never raw arrays, models, or `response()->json()`.
-- Controllers type-hint the return value as the Resource class (e.g. `): ProjectResource`).
-- Use `Resource::make()` for single items, `Resource::collection()` for lists.
-- Use method injection on `__invoke()` for new controllers.
-- Use DTOs for data transfer between layers.
-
-### Show endpoint example
-
-```php
-declare(strict_types=1);
-
-namespace App\Http\Controllers\v1\Project;
-
-use App\Http\Controllers\Controller;
-use App\Http\Requests\v1\Projects\ShowProjectRequest;
-use App\Http\Resources\v1\Project\ProjectResource;
-use App\Models\ExternalCustomerDatabase\Project\Project;
-use App\OpenApi\Schema\Request\ShowResourceRequestSchema;
-use App\OpenApi\Schema\Response\ResourceNotFoundResponse;
-use App\OpenApi\Schema\Response\ShowResourceResponseSchema;
-
-class ShowProjectController extends Controller
-{
-    #[ShowResourceRequestSchema(path: '/projects/{id}', version: '1', resource: ProjectResource::class)]
-    #[ShowResourceResponseSchema(ProjectResource::class, wrapInDataObject: false)]
-    #[ResourceNotFoundResponse(ProjectResource::class)]
-    public function __invoke(ShowProjectRequest $request, Project $project): ProjectResource
-    {
-        return ProjectResource::make($project);
-    }
-}
-```
-
-### Create endpoint with service injection
-
-```php
-class CreateCustomerController extends Controller
-{
-    #[CreateCustomerRequestSchema(path: '/customers', version: '1', resource: CustomerResource::class)]
-    #[CreateResourceResponseSchema(resource: CreatedCustomerResource::class, wrapInDataObject: false)]
-    #[ValidationErrorResponse]
-    public function __invoke(
-        CreateCustomerRequest $request,
-        CustomerModelService $customerService,
-    ): CustomerResource {
-        $result = $customerService->create(CreateCustomerDTO::fromRequest($request));
-
-        return CreatedCustomerResource::make($result);
-    }
-}
-```
-
-### FormRequest example
-
-```php
-declare(strict_types=1);
-
-namespace App\Http\Requests\v1\Projects;
-
-use Illuminate\Foundation\Http\FormRequest;
-
-class ShowProjectRequest extends FormRequest
-{
-    public function authorize(): bool
-    {
-        return $this->user()->can('view', $this->route('project'));
-    }
-
-    /** @return array<string, mixed> */
-    public function rules(): array
-    {
-        return [];
-    }
-}
-```
-
-### List endpoint with CollectionFormRequest
-
-For list endpoints, extend `CollectionFormRequest` which provides `perPage`, `page`, and `orderBy` rules:
-
-```php
-use App\Contracts\Http\Requests\CollectionFormRequest;
-
-class ListProjectsRequest extends CollectionFormRequest
-{
-    public string $model = Project::class;
-
-    /** @return array<string, mixed> */
-    public function rules(): array
-    {
-        return [
-            ...parent::rules(),
-            'status' => ['sometimes', 'string'],
-        ];
-    }
-}
-```
-
-### File locations
-
-| Component | Path |
+- Modifying existing endpoints — use the code-refactoring skill.
+- API design decisions (versioning, deprecation, contract shape) — use [`api-design`](../api-design/SKILL.md).
+
+## Stack routing
+
+Detect the stack, then hand off to the matching carve-out skill for the framework-specific procedure (file layout, validation primitive, response-shaping convention).
+
+| Detected stack | Carve-out skill |
 |---|---|
-| Controller | `app/Http/Controllers/v{N}/{Domain}/{Action}{Entity}Controller.php` |
-| FormRequest | `app/Http/Requests/v{N}/{Domain}/{Action}{Entity}Request.php` |
-| Resource | `app/Http/Resources/v{N}/{Domain}/{Entity}Resource.php` |
-| Route | `routes/api/v{N}/{domain}.php` |
-| Policy | `app/Policies/{Entity}Policy.php` |
+| Laravel (`artisan` + `composer.json` with `laravel/framework`) | [`laravel-api-endpoint`](../laravel-api-endpoint/SKILL.md) |
+| Symfony (`bin/console` + `composer.json` with `symfony/framework-bundle`) | [`symfony-workflow`](../symfony-workflow/SKILL.md) |
+| Next.js (`next` in `package.json`) | [`nextjs-patterns`](../nextjs-patterns/SKILL.md) |
+| Express / Fastify / NestJS / plain Node | follow project conventions in `agents/` + `package.json scripts` |
+| FastAPI / Django / Flask | follow project conventions in `agents/` + `pyproject.toml` |
+| Go (`net/http`, `gin`, `echo`, `fiber`) | follow project conventions in `agents/` + `go.mod` |
+| Rust (`axum`, `actix-web`, `rocket`) | follow project conventions in `agents/` + `Cargo.toml` |
+
+If the project doc folder (`agents/`) has an endpoint-creation guide, that is the source of truth — read it before generating code.
+
+## Procedure: Create an API endpoint (stack-neutral)
+
+1. **Read project docs** — Check `./agents/` and `AGENTS.md` for endpoint conventions, routing layout, response shape.
+2. **Detect stack** and route to the carve-out per the table above.
+3. **Plan the endpoint** — method, path, request shape, response shape, auth requirement, idempotency.
+4. **Create the route registration** in the project's routing surface (route file, decorator-annotated handler, file-based router).
+5. **Create the request handler / controller** — thin; delegate business logic to a service / use-case.
+6. **Validate input at the boundary** via the framework's validation primitive (FormRequest, Zod, class-validator, Pydantic, struct-tag validators, etc.) — never inline ad-hoc `if` checks.
+7. **Authorize the action** via the framework's authz primitive (Policy, voter, guard, middleware, route dependency).
+8. **Shape the response** through a transformer / serializer / DTO — never return raw ORM entities.
+9. **Document** the endpoint (OpenAPI annotations / generated spec / project doc).
+10. **Verify** — run the project type-checker + targeted tests + smoke probe (`curl` / Bruno / Postman / integration test).
+
+## Conventions (apply on every stack)
+
+- **One handler, one responsibility** — prefer single-purpose handlers over multi-action controllers when the framework supports it.
+- **No business logic in the handler** — delegate to a service / use-case layer.
+- **Validate at the boundary** — never trust raw request data inside the handler.
+- **Authorize every state-changing action** — no unprotected mutating endpoints.
+- **Shape responses through a transformer** — DTO, serializer, API resource, response model — never expose raw ORM entities.
+- **Version the API surface** explicitly (`/v1/`, header, content-type) — don't rely on implicit versioning.
 
-### OpenAPI documentation
+## Stack-specific procedures
 
-Controllers use PHP 8 attributes for OpenAPI spec generation from `App\OpenApi\Schema\`:
+For Laravel projects (the most fully-fleshed-out carve-out in this package), see [`laravel-api-endpoint`](../laravel-api-endpoint/SKILL.md) — covers single-action controllers, `FormRequest`, `Resource`, `Policy`, `CollectionFormRequest`, OpenAPI attributes, and the versioned route layout.
 
-- `ShowResourceRequestSchema`, `ListResourceRequestSchema`, `CreateResourceRequestSchema`
-- `ShowResourceResponseSchema`, `ListResourceResponseSchema`, `CreateResourceResponseSchema`
-- `ResourceNotFoundResponse`, `ValidationErrorResponse`
+For other stacks, read the matching carve-out from the table above and combine with the project's `agents/` docs.
 
 ## Output format
 
-1. Generated files — controller, route registration, FormRequest, Resource, Policy
-2. Test file with happy path and validation error cases
-3. Summary of created files and their locations
+1. Generated files — route registration, handler, request validator, response shaper, authorization rule.
+2. Test file with happy path and validation-error cases (using the project's test framework).
+3. Summary of created files and their locations.
 
 ## Gotcha
 
-- Don't forget to register the route — creating the controller without the route is a common miss.
+- Don't forget to register the route — creating the handler without the route is a common miss.
 - Always check if a similar endpoint already exists — duplicates cause confusion.
-- FormRequest validation rules must match the OpenAPI schema — keep them in sync.
-- The model tends to forget the `return` type on Resource `toArray()` methods.
+- Validation rules must match the documented contract (OpenAPI / schema / typed client) — keep them in sync.
+- Response shapes are part of the public contract — adding a field is additive; renaming or removing is breaking.
 
 ## Do NOT
 
-- Do NOT put business logic in controllers — delegate to services.
-- Do NOT skip FormRequest validation — every controller needs a FormRequest.
-- Do NOT return raw Eloquent models — always use API Resources.
-- Do NOT create routes without proper authorization (Policy in FormRequest or middleware).
-- Do NOT create multi-action controllers — only single-action with `__invoke()`.
-- Do NOT use `response()->json()` — use `Resource::make()`.
+- Do NOT put business logic in the handler — delegate to services / use-cases.
+- Do NOT skip request validation — every handler validates at the boundary via the framework's primitive.
+- Do NOT return raw ORM entities — always go through a transformer / serializer / response model.
+- Do NOT create unprotected state-changing endpoints — authorize every mutation.
+- Do NOT improvise framework idioms — read the carve-out (`laravel-api-endpoint`, `nextjs-patterns`, etc.) for the stack-correct shape.
 
 ## Auto-trigger keywords
 
 - create endpoint
 - new API route
+- route handler
 - controller creation
-- form request
-- API resource
+- REST endpoint
+- add endpoint

package/.agent-src/skills/api-testing/SKILL.md

@@ -151,6 +151,17 @@ expect($data['title'])->toBeString();
 expect($data['total'])->toBeString(); // Money as string, not float
 ```
 
+When a failing test dumps the full JSON body, narrow the diagnosis with `jq` or `grep`
+instead of scrolling the whole payload:
+
+```bash
+# Extract only the failing assertion path
+echo "$RESPONSE_JSON" | jq '.data.status, .errors'
+
+# Targeted log scan
+rg --json 'API call failed' storage/logs/laravel.log | jq -r '.data.lines.text'
+```
+
 ## External service mocking
 
 ```php

package/.agent-src/skills/code-refactoring/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: code-refactoring
-description: "Use when the user says "refactor this", "rename class", or "move method". Safely refactors PHP code — finds all callers, updates downstream dependencies, and verifies with quality tools."
+description: "Use when the user says 'refactor this', 'rename class', or 'move method'. Safely refactors code in any language — finds all callers, updates downstream dependencies, verifies via quality tools."
 source: package
 domain: engineering
 ---
@@ -20,7 +20,7 @@ Do NOT use when:
 ## Before refactoring
 
 1. **Read the agent docs** — check `agents/docs/` and `agents/contexts/` for the area you're refactoring.
-   For modules, also read `app/Modules/{Module}/agents/`. See the `project-docs` skill for the mapping.
+   For modules, also read the project's module-docs directory (path varies by stack — Laravel: `app/Modules/{Module}/agents/`; Nx: `apps/{app}/docs/`; mono-repo: per-package `docs/`). See the `project-docs` skill for the mapping.
 2. **Understand the scope** — what exactly needs to change and why?
 3. **Find ALL references** — use `codebase-retrieval` and `view` with `search_query_regex` to find every
    caller, implementation, test, and configuration that references the code being changed.
@@ -34,34 +34,35 @@ Do NOT use when:
 - Rename, extract, move, or restructure the target code.
 - Keep the change minimal and focused.
 
-### Step 2: Update all downstream deps
+### Step 2: Update all downstream dependencies
 
 For each affected file (from the impact analysis):
 
 - **Callers**: Update method calls, constructor arguments, imports.
 - **Interfaces / abstract methods**: Update all implementations to match new signatures.
 - **Subclasses**: Update overridden methods.
-- **Type hints / PHPDoc**: Update type references.
+- **Type hints / annotations**: Update type references (PHPDoc, TypeScript types, Python type hints, Go generics, Rust generics).
 - **Config / bindings**: Update service container bindings, route references, etc.
-- **Imports**: Add or update `use` statements.
+- **Imports**: Add or update import statements (`use` for PHP, `import` for JS/TS/Python, `import` blocks for Go, `use` for Rust).
 
-### Step 3: Update API layer (if controllers/endpoints are affected)
+### Step 3: Update API layer (if request handlers / endpoints are affected)
 
-When refactoring touches controllers, requests, resources, or routes:
+When refactoring touches handlers, route registrations, request validators, or response shapers, walk the stack-appropriate boundary. Use the carve-out skill for the project's framework if one exists; otherwise consult the table below for what to check on each stack.
 
-| Component | What to check and update |
+| Layer | What to check and update |
 |---|---|
-| **Controller** | `__invoke()` signature, injected services, return type |
-| **FormRequest** | `authorize()`, `rules()`, validated field names |
-| **Resource** | `toArray()` field mapping, conditional fields, nested resources |
-| **OpenAPI Schema Attributes** | Request schemas (`ShowResourceRequestSchema`, `CreateResourceRequestSchema`, etc.) |
-| **OpenAPI Response Attributes** | Response schemas (`ShowResourceResponseSchema`, `CreateResourceResponseSchema`, etc.) |
-| **OpenAPI Error Attributes** | `ResourceNotFoundResponse`, `ValidationErrorResponse` |
-| **Custom Request Schemas** | Extended schema classes in `app/OpenApi/Schema/Request/v{N}/` |
-| **Route definition** | Route file in `routes/api/v{N}/`, route name, URL path, HTTP method |
-| **Route model binding** | Parameter name in route must match variable name in controller |
-| **Version inheritance** | If v1 extends v2 (or vice versa), check both versions |
-| **Module routes** | Module routes in `app/Modules/*/Routes/api.php` with version prefix |
+| **Route registration** | Route file / decorator / file-based-router entry — name, URL, HTTP method, parameter binding |
+| **Handler / Controller** | Entry signature, injected dependencies, return type |
+| **Request validator** | Validation rule definitions, allowlisted fields (FormRequest, Zod schema, class-validator DTO, Pydantic model, struct tags) |
+| **Response shaper** | Field mapping in the transformer (API Resource, serializer, DTO mapper, response model) |
+| **API contract** | OpenAPI annotations, generated spec, typed client (regenerate if generated) |
+| **Authorization rule** | Policy / voter / guard / middleware / route dependency that protects the route |
+| **Module routes** | Module-local routing surface (Laravel `app/Modules/*/Routes/`, Nx `apps/*/src/routes`, mono-repo per-package routes) |
+
+Carve-out routing:
+- Laravel: [`laravel-api-endpoint`](../laravel-api-endpoint/SKILL.md)
+- Next.js: [`nextjs-patterns`](../nextjs-patterns/SKILL.md)
+- Symfony: [`symfony-workflow`](../symfony-workflow/SKILL.md)
 
 ### Step 4: Update tests — with user approval
 
@@ -89,19 +90,24 @@ When refactoring touches controllers, requests, resources, or routes:
 - Do NOT delete tests — adapt them to the new code structure.
 - Do NOT reduce test coverage — if you split a class, split the test too.
 
-### Step 5: Verify with quality tools
+### Step 5: Verify with the project's quality tools
 
-Run quality tools after each significant step — do NOT batch everything to the end:
+Run the project's type-checker and linter after each significant step — do NOT batch everything to the end. The exact command set depends on the stack; resolve via `quality-tools` skill or the project's `Taskfile.yml` / `package.json scripts` / `composer.json scripts` / `Makefile`.
 
-- Run PHPStan: `vendor/bin/phpstan analyse` (see `quality-tools` skill for detection).
-- If PHPStan finds new errors from the refactoring → fix immediately before continuing.
-- Run Rector + ECS: `vendor/bin/rector process && vendor/bin/ecs check --fix`.
-- Run PHPStan again after Rector (Rector can introduce issues).
+| Stack | Typical pipeline |
+|---|---|
+| Laravel / PHP | `vendor/bin/phpstan analyse` → `vendor/bin/rector process` → `vendor/bin/ecs check --fix` → re-run PHPStan |
+| TypeScript | `tsc --noEmit` → `eslint --fix` → `prettier --write` |
+| Python | `mypy` (or `pyright`) → `ruff check --fix` → `ruff format` |
+| Go | `go vet ./...` → `golangci-lint run --fix` → `gofmt -w` |
+| Rust | `cargo check` → `cargo clippy --fix` → `cargo fmt` |
+
+If auto-fixers can rewrite types (Rector for PHP, `eslint --fix` for TS), re-run the type-checker after them — auto-fixers can introduce new errors.
 
 ### Step 6: Run tests
 
-- Run tests related to the changed code first (`php artisan test --filter=...`).
-- Then run the full test suite (`php artisan test`).
+- Run tests related to the changed code first (`php artisan test --filter=...`, `pnpm test -- <pattern>`, `pytest -k <pattern>`, `go test ./{path}/...`, `cargo test {pattern}`).
+- Then run the full test suite (`php artisan test`, `pnpm test`, `pytest`, `go test ./...`, `cargo test`).
 - All tests must pass before the refactoring is considered complete.
 
 ### Step 7: Update documentation
@@ -142,9 +148,9 @@ After the code changes are verified, update all affected documentation:
 1. Update controller + request + resource + OpenAPI schemas + route → present test changes →
    update docs (`agents/docs/controller.md`, `agents/docs/api-resources.md`) → run PHPStan → run tests.
 
-### Replace impl (e.g. switch service)
-1. Create new impl → update binding → find all direct references → update → present test
-   changes → update docs → run PHPStan → run tests → remove old impl.
+### Replace implementation (e.g. switch service)
+1. Create new implementation → update binding → find all direct references → update → present test
+   changes → update docs → run PHPStan → run tests → remove old implementation.
 
 ### Move/restructure module
 1. Move files → update namespaces → update `ModuleServiceProvider` if needed → update module routes →

package/.agent-src/skills/code-review/SKILL.md

@@ -37,68 +37,73 @@ Use this skill when:
 
 ## Review checklist
 
+The checks below are stack-agnostic. For framework-specific conventions (PSR-12 + `declare(strict_types=1)`, FormRequest, single-action `__invoke`, API Resources, Pest, Blade escaping, Eloquent N+1) defer to the carve-outs:
+- PHP / Laravel → [`laravel`](../laravel/SKILL.md), [`laravel-validation`](../laravel-validation/SKILL.md), [`eloquent`](../eloquent/SKILL.md), [`pest-testing`](../pest-testing/SKILL.md), [`blade-ui`](../blade-ui/SKILL.md), [`php-coder`](../php-coder/SKILL.md)
+- Symfony → [`symfony-workflow`](../symfony-workflow/SKILL.md)
+- Next.js / TS → [`nextjs-patterns`](../nextjs-patterns/SKILL.md), [`react-shadcn-ui`](../react-shadcn-ui/SKILL.md)
+
 ### Code quality
 
 | Check | What to look for |
 |---|---|
-| **Strict types** | `declare(strict_types=1)` in new files, typed properties/params/returns |
-| **PSR-12** | Coding style, line length ≤120, trailing commas, Yoda comparisons |
-| **Naming** | Clear, descriptive names. `camelCase` vars, `snake_case` array keys, `UPPER_SNAKE` constants |
+| **Type discipline** | New code is fully typed in the project's idiom (PHP typed properties + `declare(strict_types=1)`, TS strict, Python type hints, Go / Rust by construction). |
+| **Style conformance** | Matches the project's formatter / linter output — no reformatting battles, no out-of-band style. |
+| **Naming** | Clear, descriptive names; matches the dominant casing in the surrounding code (camelCase / snake_case / PascalCase per the language's idiom). |
 | **Early returns** | No deep nesting. Guard clauses at the top. |
-| **Single responsibility** | Each class/method does one thing. Controllers are thin. |
-| **No magic** | No magic properties on models (use getters/setters). No `$request->input()` without FormRequest. |
-| **PHPDoc** | Only where type hints are insufficient (generics, complex arrays). No redundant docblocks. |
+| **Single responsibility** | Each class / module / function does one thing. HTTP handlers stay thin. |
+| **No magic** | No reach-through to globals (`app()`, `$_GET`, ambient context). No untyped data shapes leaking out of the I/O boundary. |
+| **Doc comments** | Only where the type system is insufficient (generics, complex shapes). No redundant docblocks. |
 
 ### Architecture
 
 | Check | What to look for |
 |---|---|
-| **Layer separation** | Business logic in services, not controllers. Models have no business logic. |
-| **Single-action controllers** | New controllers use `__invoke()`. No multi-action controllers. |
-| **FormRequest** | Every controller has a dedicated FormRequest. No inline `$request->validate()`. |
-| **API Resources** | Controllers return Resources, never raw models or `response()->json()`. |
-| **DTOs** | Structured data transfer between layers, not raw arrays. |
-| **Dependency injection** | Constructor injection, no `new Service()` or `app()` calls in business logic. |
+| **Layer separation** | Business logic in services / use-cases, not in HTTP handlers. Domain models stay I/O-free. |
+| **Handler shape** | New handlers follow the framework's recommended shape (Laravel single-action `__invoke`, Next.js route handler, Express handler-per-route). See the stack carve-out. |
+| **Input validation** | Validated at the request boundary via the framework's primitive (Laravel `FormRequest`, Zod / class-validator, Pydantic, struct-tag validators). No ad-hoc inline `if` checks. |
+| **Response shaping** | Returns through a transformer / serializer / DTO. Never returns raw ORM entities. |
+| **DTOs / value objects** | Structured data between layers, not raw associative arrays / `any` / `dict[str, Any]`. |
+| **Dependency injection** | Constructor injection (or framework-idiomatic equivalent). No service-locator calls in business logic. |
 
 ### Database & Performance
 
 | Check | What to look for |
 |---|---|
-| **N+1 queries** | Relationship access in loops without eager loading |
-| **Missing indexes** | New columns used in WHERE/JOIN without index |
-| **Unbounded queries** | `Model::all()` or queries without pagination/limit |
-| **Raw SQL** | Parameterized queries only. No string concatenation with user input. |
-| **Migrations** | Reversible (has `down()`). Correct connection. Correct table prefix. |
-| **Money** | Uses `decimal` or `Math` helper, never `float` |
+| **N+1 queries** | Relationship / association access in loops without eager / batch loading. |
+| **Missing indexes** | New columns used in `WHERE` / `JOIN` without a supporting index. |
+| **Unbounded queries** | Full-table reads (`Model::all()`, `SELECT *` without `LIMIT`, unpaged list endpoints). |
+| **Raw SQL** | Parameterised queries only. No string concatenation with user input. |
+| **Migrations** | Reversible. Targets the right connection / schema. Idempotent where the platform supports it. |
+| **Money / precision** | Uses an exact-precision type (PHP `decimal` / `Math` helper, TS bigint / decimal lib, Python `Decimal`), never `float`. |
 
 ### Security
 
 | Check | What to look for |
 |---|---|
-| **Authorization** | Policy check in FormRequest or middleware. No unprotected endpoints. |
-| **Input validation** | All user input validated via FormRequest rules. |
-| **Mass assignment** | No `$model->fill($request->all())` without `$fillable`/`$guarded`. |
-| **SQL injection** | No raw queries with unescaped user input. |
-| **XSS** | Blade output escaped (`{{ }}` not `{!! !!}`) unless intentional. |
-| **Sensitive data** | No secrets, tokens, or passwords in code or logs. |
+| **Authorization** | Authz check at every state-changing endpoint (Laravel Policy, Symfony voter, NestJS guard, framework middleware). No unprotected mutating routes. |
+| **Input validation** | All user input validated at the boundary via the framework's primitive. |
+| **Mass assignment** | No bulk-binding raw request payloads to ORM entities without an explicit allow-list (`$fillable` / `$guarded` in Laravel, DTO mapping in TS / Python). |
+| **Injection** | No raw queries / command lines / template strings with unescaped user input. |
+| **Output encoding** | Template output is escaped by default; raw / unescaped output is intentional and reviewed (Blade `{{ }}` vs `{!! !!}`, React `dangerouslySetInnerHTML`, Jinja `\|safe`). |
+| **Sensitive data** | No secrets, tokens, or passwords in code, logs, or error responses. |
 
 ### Tests
 
 | Check | What to look for |
 |---|---|
-| **Coverage** | New code paths have tests. Bug fixes have regression tests. |
-| **Test quality** | Tests verify behavior, not implementation details. |
-| **Pest syntax** | Correct Pest conventions. No `readonly`/`final` on test classes. |
-| **Seeders** | Test data via seeders (or factories where allowed). |
+| **Coverage** | New code paths have tests. Bug fixes have regression tests (RED → GREEN). |
+| **Test quality** | Tests verify behaviour, not implementation details. |
+| **Framework idiom** | Correct conventions for the project's test framework (Pest / PHPUnit, Jest / Vitest, pytest, `go test`, `cargo test`) — see the stack carve-out for specifics. |
+| **Test data** | Provisioned via the project's idiom (seeders, factories, fixtures, builders). |
 | **Assertions** | Meaningful assertions. Not just "no exception thrown". |
-| **Flaky risks** | Time-dependent tests use `travel()`. No reliance on execution speed. |
+| **Flaky risks** | Time-dependent tests freeze the clock (`travel()`, `jest.useFakeTimers()`, `freezegun`). No reliance on execution speed. |
 
 ## Before creating a PR
 
-1. Run quality pipeline: PHPStan → Rector → ECS → PHPStan (see `quality-tools` skill for commands)
-2. Run tests: `make test` (or project equivalent)
+1. Run the project's quality pipeline (see the stack carve-out for the exact commands — PHP: `quality-tools`).
+2. Run tests via the project's runner (`make test`, `npm test`, `pytest`, `go test ./...`, or the project's wrapper script).
 3. Ensure CI passes on the branch.
-4. Self-review the diff: `git diff origin/main..HEAD`
+4. Self-review the diff: `git diff origin/main..HEAD`.
 
 ## Receiving feedback
 
@@ -114,7 +119,7 @@ When receiving code review feedback, follow this sequence:
 6. **IMPLEMENT** — One item at a time, test each.
 
 If **any item is unclear**, STOP — do not implement anything yet. Items may be related;
-partial understanding → wrong impl.
+partial understanding leads to wrong implementation.
 
 ### No performative agreement
 
@@ -132,7 +137,7 @@ partial understanding → wrong impl.
 **External / Copilot / bot feedback** (less context):
 - Check: Technically correct for THIS codebase?
 - Check: Does it break existing functionality?
-- Check: Is there a reason for the current impl?
+- Check: Is there a reason for the current implementation?
 - Check: Does the reviewer understand the full context?
 - **YAGNI check:** If the reviewer suggests "implementing properly", grep the codebase
   for actual usage. If unused → suggest removing (YAGNI).
@@ -181,7 +186,7 @@ Description and suggested improvement.
 Description.
 ```
 
-Group related findings. Don't repeat what linters/PHPStan already catch — focus on
+Group related findings. Don't repeat what the project's linter / type-checker already catches — focus on
 logic, architecture, and things tools can't detect.
 
 ## Adversarial review
@@ -211,5 +216,5 @@ Focus on the "Code changes / Refactoring" attack questions.
 - Do NOT approve without actually reading the code.
 - Do NOT agree with review comments without verifying them against the codebase.
 - Do NOT use performative language when responding to feedback ("Great point!", "Excellent catch!").
-- Do NOT nitpick style issues that ECS/Rector handle automatically.
+- Do NOT nitpick style issues the project's formatter / auto-refactor (ECS, Prettier, Ruff, gofmt) handles automatically.
 - Do NOT merge without CI passing and quality checks green.

package/.agent-src/skills/context-authoring/SKILL.md

@@ -71,7 +71,7 @@ source when the user is unsure.
 |---|---|
 | `auth-model.md` | Policy classes, Gate definitions, permission seeders, role enums, `@can` directives, middleware |
 | `tenant-boundaries.md` | Base query scopes, connection-switching middleware, tenant-resolution service, global scopes, `.env` vars like `TENANT_*` |
-| `data-sensitivity.md` | Eloquent `$hidden` / `$casts`, Sentry `beforeSend`, logging helpers, API resources, export commands |
+| `data-sensitivity.md` | ORM hidden-field config (Eloquent `$hidden` / `$casts`, Symfony `#[Ignore]`, Prisma `select` defaults, SQLAlchemy `__init__` filters), Sentry `beforeSend`, logging redaction helpers, API serialisers / resources, export commands |
 | `deployment-order.md` | `database/migrations/`, feature-flag config (Pennant / LaunchDarkly), deploy scripts, CI workflow, rollback runbooks in `docs/` |
 | `observability.md` | `config/logging.php`, Sentry init, dashboard links in READMEs, alert rules in Terraform/Grafana dashboards |
 

package/.agent-src/skills/dashboard-design/SKILL.md

@@ -4,8 +4,7 @@ description: "Use when designing monitoring dashboards — visualization selecti
 source: package
 domain: devops
 recommended_for_user_types: [ops, gtm]
-
-
+framework: laravel
 ---
 
 # dashboard-design

package/.agent-src/skills/database/SKILL.md

@@ -14,8 +14,8 @@ domain: engineering
 Use when designing schemas, optimizing queries, adding indexes, or troubleshooting database performance.
 
 Do NOT use when:
-- Writing Eloquent models (use `eloquent` skill)
-- Creating migrations only (use `migration-creator` skill)
+- Writing framework-specific ORM models (use the matching skill — e.g. `eloquent` for Laravel, `symfony-workflow` for Doctrine, framework-native skill for Prisma / TypeORM / SQLAlchemy / GORM / Diesel)
+- Creating migrations only — use the framework-specific migration skill (`laravel-migration` for Laravel, framework-native for others)
 
 ## Procedure: Optimize a query
 
@@ -52,7 +52,12 @@ Re-run `EXPLAIN` and confirm improved plan.
 
 1. **Read migrations** — source of truth
 2. **Read models** — `$table`, `$connection`, `$fillable`, `$casts`, relationships
-3. **Run schema queries** — `php artisan tinker --execute="Schema::getColumnListing('table')"`
+3. **Run schema queries** — use the project's REPL or a raw introspection query:
+   - Laravel: `php artisan tinker --execute="Schema::getColumnListing('table')"`
+   - Symfony / Doctrine: `bin/console doctrine:mapping:info`
+   - Rails: `bin/rails runner "p ActiveRecord::Base.connection.columns('table').map(&:name)"`
+   - Prisma: `npx prisma db pull --print | grep -A20 "model Table"`
+   - Generic SQL: `psql -d mydb -c "\d table"` / `mysql -e "DESCRIBE table"`
 4. **Check project docs** — `agents/docs/` for conventions
 
 | Trap | Reality |