@famgia/omnify-ai-guides 2.0.15

package/dist/knowledge/claude-rules/php-standards.md.stub

@@ -0,0 +1,305 @@
+---
+paths:
+  - "{{LARAVEL_ROOT}}app/**/*.php"
+---
+
+# PHP Standards & Best Practices
+
+> **PHP 8+ features** and coding standards for Laravel projects.
+
+## 🔵 Strict Types
+
+**Always declare strict types at the top of PHP files.**
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services;
+
+// ... class definition
+```
+
+| Rule | Description |
+| ---- | ----------- |
+| `declare(strict_types=1)` | Required in all PHP files |
+| Place at very top | Before namespace declaration |
+
+---
+
+## 🔵 Constructor Property Promotion (PHP 8.0+)
+
+**Use constructor promotion for dependency injection.**
+
+```php
+// ❌ OLD STYLE: Verbose
+class UserService
+{
+    private UserRepository $repository;
+    private CacheManager $cache;
+    
+    public function __construct(UserRepository $repository, CacheManager $cache)
+    {
+        $this->repository = $repository;
+        $this->cache = $cache;
+    }
+}
+
+// ✅ PHP 8.0+: Constructor promotion
+class UserService
+{
+    public function __construct(
+        private readonly UserRepository $repository,
+        private readonly CacheManager $cache
+    ) {}
+}
+```
+
+| Modifier | Usage |
+| -------- | ----- |
+| `private readonly` | Immutable dependencies (preferred) |
+| `private` | Mutable internal state |
+| `protected readonly` | For extension by subclasses |
+
+---
+
+## 🔵 PHP 8+ Features
+
+### Named Arguments
+
+```php
+// ✅ Clear intent
+$this->checkEmailLockout(
+    email: $request->email,
+    checkOnly: true
+);
+
+// Use when function has many optional parameters
+```
+
+### Nullsafe Operator
+
+```php
+// ❌ OLD STYLE
+$country = $user->address ? ($user->address->country ? $user->address->country->name : null) : null;
+
+// ✅ PHP 8.0+: Nullsafe operator
+$country = $user->address?->country?->name;
+```
+
+### Union Types
+
+```php
+public function process(int|string $id): Response|RedirectResponse
+{
+    // ...
+}
+```
+
+### Match Expression
+
+```php
+// ❌ OLD: switch statement
+switch ($status) {
+    case 'active': return 'Active';
+    case 'inactive': return 'Inactive';
+    default: return 'Unknown';
+}
+
+// ✅ PHP 8.0+: match expression
+return match($status) {
+    'active' => 'Active',
+    'inactive' => 'Inactive',
+    default => 'Unknown',
+};
+```
+
+---
+
+## 🔵 Constants Organization
+
+**Use dedicated Constants classes instead of magic values.**
+
+```php
+// ❌ BAD: Magic strings scattered in code
+if ($user->role === 'admin') { ... }
+Cache::get('user:' . $id);
+session()->get('2fa:user_id');
+
+// ✅ GOOD: Constants in dedicated class
+namespace App\Constants;
+
+class TwoFactorConstants
+{
+    public const ENABLED = true;
+    public const CODE_LENGTH = 6;
+    public const EXPIRY_MINUTES = 5;
+    
+    // Session keys
+    public const SESSION_USER_ID = '2fa:user_id';
+    public const SESSION_EMAIL = '2fa:email';
+}
+
+// Usage
+use App\Constants\TwoFactorConstants;
+
+if (TwoFactorConstants::ENABLED) {
+    $code = Str::random(TwoFactorConstants::CODE_LENGTH);
+    session()->put(TwoFactorConstants::SESSION_USER_ID, $user->id);
+}
+```
+
+| Location | Purpose |
+| -------- | ------- |
+| `app/Constants/` | Application-wide constants |
+| Class constants | Domain-specific constants |
+| `config/*.php` | Environment-dependent values |
+
+---
+
+## 🔵 PHPDoc Standards
+
+### Method Documentation
+
+```php
+/**
+ * Get user's authorization for a service.
+ *
+ * @param User $user The user to check
+ * @param Service $service The service being accessed
+ *
+ * @return array{
+ *     organization_id: int,
+ *     organization_slug: string,
+ *     role: string,
+ *     level: int
+ * }|null Returns null if user has no access
+ *
+ * @throws AuthorizationException When service is inactive
+ */
+public function getUserAuthorization(User $user, Service $service): ?array
+{
+    // ...
+}
+```
+
+### Array Shape Documentation
+
+```php
+/**
+ * @return array{
+ *     id: int,
+ *     name: string,
+ *     email: string,
+ *     roles: string[]
+ * }
+ */
+public function toArray(): array
+```
+
+### When to Document
+
+| Document | Don't Document |
+| -------- | -------------- |
+| Complex return types | Obvious getters/setters |
+| Array shapes | Simple CRUD methods |
+| Exception conditions | Self-explanatory code |
+| Business logic | Framework conventions |
+
+---
+
+## 🔵 Code Complexity Limits
+
+### Method Guidelines
+
+| Metric | Limit | Action if exceeded |
+| ------ | ----- | ------------------ |
+| Lines per method | Max 50 | Extract to helper/service |
+| Parameters | Max 4 | Use DTO or config object |
+| Cyclomatic complexity | Max 10 | Split into smaller methods |
+| Nesting depth | Max 3 | Early return pattern |
+
+### Class Guidelines
+
+| Metric | Limit | Action if exceeded |
+| ------ | ----- | ------------------ |
+| Public methods | Max 10 | Split class (SRP violation) |
+| Dependencies | Max 5 | Facade or aggregate service |
+| Lines per class | Max 500 | Extract sub-classes |
+
+### Early Return Pattern
+
+```php
+// ❌ BAD: Deep nesting
+public function process($user)
+{
+    if ($user) {
+        if ($user->isActive()) {
+            if ($user->hasPermission('edit')) {
+                // do something
+            }
+        }
+    }
+}
+
+// ✅ GOOD: Early returns
+public function process($user)
+{
+    if (!$user) {
+        return;
+    }
+    
+    if (!$user->isActive()) {
+        return;
+    }
+    
+    if (!$user->hasPermission('edit')) {
+        return;
+    }
+    
+    // do something
+}
+```
+
+---
+
+## 🔵 Interface & Trait Naming
+
+```php
+// Interfaces: suffix with Interface
+interface PaymentGatewayInterface
+{
+    public function charge(int $amount): PaymentResult;
+}
+
+// Traits: suffix with Trait (optional but recommended)
+trait HasApiTokens
+{
+    // ...
+}
+
+// Or descriptive name without suffix
+trait Searchable
+{
+    public function scopeSearch(Builder $query, string $term): Builder
+    {
+        // ...
+    }
+}
+```
+
+---
+
+## Quick Reference
+
+| Category | Rule |
+| -------- | ---- |
+| **Strict** | `declare(strict_types=1)` at top |
+| **Constructor** | Use property promotion with `readonly` |
+| **Nullsafe** | `$obj?->prop?->value` instead of null checks |
+| **Match** | Prefer `match` over `switch` |
+| **Constants** | Use `App\Constants\*` classes |
+| **Complexity** | Max 50 lines/method, 4 params, 10 complexity |
+| **Nesting** | Max 3 levels, use early returns |
+| **PHPDoc** | Document complex types and exceptions |

package/dist/knowledge/claude-rules/react-components.md.stub

@@ -0,0 +1,67 @@
+---
+paths:
+  - "{{TYPESCRIPT_BASE}}/**/*.tsx"
+---
+
+# React + Ant Design Rules
+
+## Core Patterns
+
+### Service Layer (API calls)
+
+```typescript
+// services/user.ts
+export const userService = {
+  list: (params?: UserListParams) => 
+    api.get("/api/users", { params }).then(r => r.data),
+  create: (input: UserCreate) => 
+    api.post("/api/users", input).then(r => r.data.data),
+};
+```
+
+### TanStack Query
+
+```typescript
+const { data, isLoading } = useQuery({
+  queryKey: queryKeys.users.list(filters),
+  queryFn: () => userService.list(filters),
+});
+
+const mutation = useMutation({
+  mutationFn: userService.create,
+  onSuccess: () => {
+    queryClient.invalidateQueries({ queryKey: queryKeys.users.all });
+    message.success(t("messages.created"));
+  },
+  onError: (error) => form.setFields(getFormErrors(error)),
+});
+```
+
+## ⚠️ Enum Usage (CRITICAL)
+
+```typescript
+// ✅ CORRECT - Import generated Enum
+import { PostStatus, PostStatusValues } from "@omnify/enum/PostStatus";
+
+// ✅ Use Enum values
+if (status === PostStatus.Pending) { ... }
+
+// ❌ WRONG - Inline union types
+newFilter.status = status as "pending" | "approved";
+```
+
+## Ant Design Static Method Warning
+
+```typescript
+// ❌ Wrong - No context
+import { message } from "antd";
+message.success("Done");
+
+// ✅ Correct - Use App.useApp()
+const { message } = App.useApp();
+message.success("Done");
+```
+
+## Full Documentation
+
+See @.claude/omnify/guides/react/ for complete patterns.

package/dist/knowledge/claude-rules/schema-yaml.md.stub

@@ -0,0 +1,83 @@
+---
+paths:
+  - "schemas/**/*.yaml"
+  - "schemas/**/*.yml"
+---
+
+# Omnify Schema Rules
+
+## Schema Workflow
+
+1. Read @.claude/omnify/guides/omnify/schema-guide.md first
+2. Create/edit YAML schema
+3. Run `npx omnify generate`
+4. Validate generated code
+5. Run `php artisan migrate`
+
+## Basic Template
+
+```yaml
+name: ModelName
+kind: object
+
+displayName:
+  ja: モデル名
+  en: Model Name
+
+options:
+  timestamps: true
+
+properties:
+  name:
+    type: String
+    length: 100
+    displayName:
+      ja: 名前
+      en: Name
+```
+
+## ⚠️ CRITICAL: String Defaults
+
+```yaml
+# ❌ WRONG - produces curly quotes
+default: "'cloud'"
+
+# ✅ CORRECT - just the value
+default: cloud
+```
+
+## ⚠️ CRITICAL: DB Functions NOT Allowed
+
+```yaml
+# ❌ WRONG - DB functions
+failed_at:
+  type: Timestamp
+  default: CURRENT_TIMESTAMP  # ERROR!
+
+# ✅ CORRECT - use useCurrent
+failed_at:
+  type: Timestamp
+  useCurrent: true            # = CURRENT_TIMESTAMP
+```
+
+## Property Types
+
+| Type | SQL | TypeScript |
+|------|-----|------------|
+| String | VARCHAR | string |
+| Text | TEXT | string |
+| Int | INT | number |
+| Boolean | BOOLEAN | boolean |
+| DateTime | DATETIME | string |
+
+## Relationships
+
+| Relation | Description |
+|----------|-------------|
+| belongsTo | Foreign key on THIS table |
+| hasMany | Foreign key on OTHER table |
+| belongsToMany | Pivot table |
+
+## Full Documentation
+
+See @.claude/omnify/guides/omnify/schema-guide.md for complete syntax.

package/dist/knowledge/claude-rules/security.md.stub

@@ -0,0 +1,164 @@
+---
+paths:
+  - "{{LARAVEL_ROOT}}app/**/*.php"
+---
+
+# Security Rules
+
+> **Non-negotiable rules** for Laravel security. Violations = vulnerabilities.
+
+## 🔴 Mass Assignment Vulnerability
+
+**ALWAYS define `$fillable` in Models.**
+
+```php
+// ❌ CRITICAL ERROR: No $fillable = mass assignment vulnerability
+class User extends Model
+{
+    // Missing $fillable!
+}
+
+// ❌ DANGEROUS: Using $request->all()
+User::create($request->all());  // Attacker can set is_admin=true
+
+// ✅ CORRECT: Define $fillable explicitly
+class User extends Model
+{
+    protected $fillable = [
+        'name_lastname',
+        'name_firstname',
+        'email',
+        'password',
+    ];
+    
+    // $guarded is alternative but $fillable is preferred (explicit)
+}
+
+// ✅ CORRECT: Use validated data only
+User::create($request->validated());
+```
+
+| Rule                                          | Description                                            |
+| --------------------------------------------- | ------------------------------------------------------ |
+| **Always define `$fillable`**                 | Explicitly list assignable fields                      |
+| **Never use `$request->all()`**               | Use `$request->validated()` or `$request->only([...])` |
+| **Prefer `$fillable` over `$guarded`**        | Whitelist is safer than blacklist                      |
+| **Never put sensitive fields in `$fillable`** | `is_admin`, `role`, `balance` must NOT be fillable     |
+
+---
+
+## 🔴 SQL Injection Prevention
+
+**NEVER use raw user input in queries.**
+
+```php
+// ❌ CRITICAL ERROR: SQL Injection vulnerability
+$email = $request->input('email');
+DB::select("SELECT * FROM users WHERE email = '$email'");  // DANGEROUS!
+
+// ❌ DANGEROUS: String interpolation in whereRaw
+User::whereRaw("email = '$email'")->get();  // DANGEROUS!
+
+// ✅ CORRECT: Use parameter binding
+DB::select("SELECT * FROM users WHERE email = ?", [$email]);
+
+// ✅ CORRECT: Use Query Builder (auto-escapes)
+User::where('email', $email)->get();
+
+// ✅ CORRECT: Parameter binding in whereRaw
+User::whereRaw('email = ?', [$email])->get();
+```
+
+| Rule                             | Description                        |
+| -------------------------------- | ---------------------------------- |
+| **Use Query Builder**            | Eloquent auto-escapes values       |
+| **Use parameter binding**        | `?` placeholders with array values |
+| **Never concatenate user input** | No string interpolation in SQL     |
+| **Validate sort fields**         | Whitelist allowed sort columns     |
+
+```php
+// ✅ CORRECT: Whitelist sort fields to prevent SQL injection
+$allowedSorts = ['id', 'name', 'email', 'created_at'];
+$sortBy = in_array($request->sort_by, $allowedSorts) 
+    ? $request->sort_by 
+    : 'id';
+```
+
+---
+
+## 🔴 XSS Prevention
+
+**Always escape output in Blade templates.**
+
+```php
+// ❌ DANGEROUS: Raw HTML output
+{!! $user->bio !!}  // XSS if bio contains <script>
+
+// ✅ CORRECT: Escaped output (default)
+{{ $user->bio }}  // Auto-escapes HTML entities
+
+// ✅ CORRECT: Only use {!! !!} for trusted HTML
+{!! $trustedHtml !!}  // Only for admin-generated content
+```
+
+---
+
+## 🔴 CSRF Protection
+
+**Never disable CSRF for web routes.**
+
+```php
+// ❌ DANGEROUS: Disabling CSRF
+// In VerifyCsrfToken middleware
+protected $except = ['*'];  // NEVER do this!
+
+// ✅ CORRECT: CSRF is enabled by default for web routes
+// API routes use Sanctum tokens instead
+```
+
+---
+
+## 🔴 Sensitive Data Exposure
+
+**Hide sensitive fields from JSON responses.**
+
+```php
+// ❌ ERROR: Password exposed in API response
+return response()->json($user);  // Includes password!
+
+// ✅ CORRECT: Use $hidden in Model
+class User extends Model
+{
+    protected $hidden = [
+        'password',
+        'remember_token',
+        'two_factor_secret',
+    ];
+}
+
+// ✅ CORRECT: Use Resource to control output
+class UserResource extends JsonResource
+{
+    public function toArray($request): array
+    {
+        return [
+            'id' => $this->id,
+            'name' => $this->name,
+            // password NOT included
+        ];
+    }
+}
+```
+
+---
+
+## Quick Reference
+
+| ❌ Never Do              | ✅ Always Do                       |
+| ----------------------- | --------------------------------- |
+| `$request->all()`       | `$request->validated()`           |
+| Raw SQL with user input | Query Builder / parameter binding |
+| Missing `$fillable`     | Define `$fillable` explicitly     |
+| Missing `$hidden`       | Hide sensitive fields             |
+| Disable CSRF            | Keep CSRF enabled                 |
+| `{!! $userInput !!}`    | `{{ $userInput }}`                |

package/dist/knowledge/cursor-rules/antd-deprecations.mdc.stub

@@ -0,0 +1,62 @@
+---
+description: "Ant Design deprecated props - check version before applying! v5.x and v6.x have different APIs"
+globs: ["{{TYPESCRIPT_BASE}}/**/*.tsx", "{{TYPESCRIPT_BASE}}/**/*.ts"]
+alwaysApply: false
+---
+
+# Ant Design Deprecations
+
+## ⚠️ Check Your Version First!
+
+```bash
+# Check package.json for antd version
+grep '"antd"' package.json
+```
+
+- **Ant Design 5.x**: Use `valueStyle`, `bodyStyle`, `headStyle`, `visible`
+- **Ant Design 6.x**: Use `styles={{ ... }}`, `open` (semantic DOM API)
+
+## Ant Design 5.x (Still Valid)
+
+```typescript
+// ✅ CORRECT for Ant Design 5.x
+<Statistic value={100} valueStyle={{ color: 'green' }} />
+<Card bodyStyle={{ padding: 0 }} headStyle={{ background: '#f5f5f5' }}>
+<Modal visible={isOpen}>
+```
+
+## Ant Design 6.x (Semantic DOM API)
+
+```typescript
+// ✅ CORRECT for Ant Design 6.x ONLY
+<Statistic value={100} styles={{ content: { color: 'green' } }} />
+<Card styles={{ body: { padding: 0 }, header: { background: '#f5f5f5' } }}>
+<Modal open={isOpen}>
+```
+
+## Deprecated in Both Versions
+
+| Component    | ❌ Deprecated               | ✅ Use Instead           |
+| ------------ | -------------------------- | ----------------------- |
+| Divider      | `orientation`              | `titlePlacement`        |
+| Modal/Drawer | `visible`                  | `open` (v5.0.0+)        |
+| Select       | `dropdownMatchSelectWidth` | `popupMatchSelectWidth` |
+| DatePicker   | `dropdownClassName`        | `popupClassName`        |
+
+### Semantic Keys by Component
+
+| Component | Keys                                                     |
+| --------- | -------------------------------------------------------- |
+| Statistic | `root`, `header`, `title`, `prefix`, `content`, `suffix` |
+| Card      | `root`, `header`, `title`, `extra`, `body`, `actions`    |
+| Modal     | `root`, `header`, `title`, `body`, `footer`, `mask`      |
+| Drawer    | `root`, `header`, `title`, `body`, `footer`, `mask`      |
+
+### Pattern
+
+```typescript
+<Component
+  styles={{ [semanticKey]: { /* CSSProperties */ } }}
+  classNames={{ [semanticKey]: 'my-class' }}
+/>
+```