@girardmedia/bootspring 1.1.0

package/skills/patterns/security/validation.md

@@ -0,0 +1,268 @@
+# Input Validation & Security Patterns
+
+Battle-tested patterns for secure input handling.
+
+## Zod Schema Validation
+
+```typescript
+// lib/validations/user.ts
+import { z } from 'zod'
+
+export const CreateUserSchema = z.object({
+  email: z.string().email('Invalid email address'),
+  name: z.string()
+    .min(1, 'Name is required')
+    .max(100, 'Name too long')
+    .regex(/^[a-zA-Z\s'-]+$/, 'Invalid characters in name'),
+  password: z.string()
+    .min(8, 'Password must be at least 8 characters')
+    .regex(/[A-Z]/, 'Password must contain uppercase letter')
+    .regex(/[a-z]/, 'Password must contain lowercase letter')
+    .regex(/[0-9]/, 'Password must contain number')
+    .regex(/[^A-Za-z0-9]/, 'Password must contain special character'),
+  age: z.number()
+    .int('Age must be a whole number')
+    .min(13, 'Must be at least 13 years old')
+    .max(120, 'Invalid age')
+    .optional()
+})
+
+export const UpdateProfileSchema = z.object({
+  name: z.string().min(1).max(100).optional(),
+  bio: z.string().max(500).optional(),
+  website: z.string().url().optional().or(z.literal(''))
+})
+
+export type CreateUserInput = z.infer<typeof CreateUserSchema>
+export type UpdateProfileInput = z.infer<typeof UpdateProfileSchema>
+```
+
+## Server Action with Validation
+
+```typescript
+// actions/user.ts
+'use server'
+
+import { CreateUserSchema } from '@/lib/validations/user'
+import { prisma } from '@/lib/db'
+
+type ActionResult =
+  | { success: true; data: { id: string } }
+  | { success: false; error: string; fieldErrors?: Record<string, string[]> }
+
+export async function createUser(formData: FormData): Promise<ActionResult> {
+  // Parse and validate
+  const raw = {
+    email: formData.get('email'),
+    name: formData.get('name'),
+    password: formData.get('password'),
+    age: formData.get('age') ? Number(formData.get('age')) : undefined
+  }
+
+  const result = CreateUserSchema.safeParse(raw)
+
+  if (!result.success) {
+    return {
+      success: false,
+      error: 'Validation failed',
+      fieldErrors: result.error.flatten().fieldErrors
+    }
+  }
+
+  // Hash password before storing
+  const hashedPassword = await hashPassword(result.data.password)
+
+  const user = await prisma.user.create({
+    data: {
+      ...result.data,
+      password: hashedPassword
+    }
+  })
+
+  return { success: true, data: { id: user.id } }
+}
+```
+
+## Sanitizing User Input
+
+```typescript
+// lib/sanitize.ts
+import DOMPurify from 'isomorphic-dompurify'
+
+// Sanitize HTML content (for rich text)
+export function sanitizeHtml(dirty: string): string {
+  return DOMPurify.sanitize(dirty, {
+    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a', 'p', 'br', 'ul', 'ol', 'li'],
+    ALLOWED_ATTR: ['href', 'target', 'rel']
+  })
+}
+
+// Strip all HTML (for plain text fields)
+export function stripHtml(input: string): string {
+  return DOMPurify.sanitize(input, { ALLOWED_TAGS: [] })
+}
+
+// Sanitize for SQL-safe strings (use with parameterized queries)
+export function escapeString(input: string): string {
+  return input
+    .replace(/\\/g, '\\\\')
+    .replace(/'/g, "\\'")
+    .replace(/"/g, '\\"')
+}
+
+// URL validation and sanitization
+export function sanitizeUrl(url: string): string | null {
+  try {
+    const parsed = new URL(url)
+    // Only allow http/https
+    if (!['http:', 'https:'].includes(parsed.protocol)) {
+      return null
+    }
+    return parsed.toString()
+  } catch {
+    return null
+  }
+}
+```
+
+## Rate Limiting
+
+```typescript
+// lib/rate-limit.ts
+import { Ratelimit } from '@upstash/ratelimit'
+import { Redis } from '@upstash/redis'
+
+// Using Upstash Redis for serverless
+const redis = new Redis({
+  url: process.env.UPSTASH_REDIS_REST_URL!,
+  token: process.env.UPSTASH_REDIS_REST_TOKEN!
+})
+
+// Different rate limiters for different purposes
+export const authLimiter = new Ratelimit({
+  redis,
+  limiter: Ratelimit.slidingWindow(5, '1 m'), // 5 attempts per minute
+  prefix: 'ratelimit:auth'
+})
+
+export const apiLimiter = new Ratelimit({
+  redis,
+  limiter: Ratelimit.slidingWindow(100, '1 m'), // 100 requests per minute
+  prefix: 'ratelimit:api'
+})
+
+// Usage in API route
+export async function POST(request: Request) {
+  const ip = request.headers.get('x-forwarded-for') ?? 'anonymous'
+
+  const { success, limit, remaining, reset } = await authLimiter.limit(ip)
+
+  if (!success) {
+    return new Response('Too many requests', {
+      status: 429,
+      headers: {
+        'X-RateLimit-Limit': limit.toString(),
+        'X-RateLimit-Remaining': remaining.toString(),
+        'X-RateLimit-Reset': reset.toString()
+      }
+    })
+  }
+
+  // Continue with handler...
+}
+```
+
+## CSRF Protection
+
+```typescript
+// lib/csrf.ts
+import { cookies } from 'next/headers'
+import { randomBytes, createHmac } from 'crypto'
+
+const SECRET = process.env.CSRF_SECRET!
+
+export async function generateCsrfToken(): Promise<string> {
+  const token = randomBytes(32).toString('hex')
+  const signature = createHmac('sha256', SECRET).update(token).digest('hex')
+  const fullToken = `${token}.${signature}`
+
+  const cookieStore = await cookies()
+  cookieStore.set('csrf-token', fullToken, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'strict',
+    maxAge: 60 * 60 // 1 hour
+  })
+
+  return token // Only return the token part to the client
+}
+
+export async function validateCsrfToken(clientToken: string): Promise<boolean> {
+  const cookieStore = await cookies()
+  const cookieToken = cookieStore.get('csrf-token')?.value
+
+  if (!cookieToken) return false
+
+  const [storedToken, storedSignature] = cookieToken.split('.')
+  const expectedSignature = createHmac('sha256', SECRET)
+    .update(storedToken)
+    .digest('hex')
+
+  return (
+    storedToken === clientToken &&
+    storedSignature === expectedSignature
+  )
+}
+```
+
+## Security Headers Middleware
+
+```typescript
+// middleware.ts
+import { NextResponse } from 'next/server'
+import type { NextRequest } from 'next/server'
+
+export function middleware(request: NextRequest) {
+  const response = NextResponse.next()
+
+  // Security headers
+  response.headers.set('X-Frame-Options', 'DENY')
+  response.headers.set('X-Content-Type-Options', 'nosniff')
+  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
+  response.headers.set('X-XSS-Protection', '1; mode=block')
+
+  // Content Security Policy
+  response.headers.set(
+    'Content-Security-Policy',
+    [
+      "default-src 'self'",
+      "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+      "style-src 'self' 'unsafe-inline'",
+      "img-src 'self' data: https:",
+      "font-src 'self'",
+      "connect-src 'self' https://api.stripe.com",
+      "frame-ancestors 'none'"
+    ].join('; ')
+  )
+
+  return response
+}
+```
+
+## Environment Variable Validation
+
+```typescript
+// lib/env.ts
+import { z } from 'zod'
+
+const envSchema = z.object({
+  DATABASE_URL: z.string().url(),
+  STRIPE_SECRET_KEY: z.string().startsWith('sk_'),
+  STRIPE_WEBHOOK_SECRET: z.string().startsWith('whsec_'),
+  NEXT_PUBLIC_URL: z.string().url(),
+  NODE_ENV: z.enum(['development', 'production', 'test'])
+})
+
+// Validate at build/startup time
+export const env = envSchema.parse(process.env)
+```

package/skills/patterns/testing/vitest.md

@@ -0,0 +1,307 @@
+# Vitest Testing Patterns
+
+Battle-tested patterns for testing with Vitest in Next.js.
+
+## Setup Configuration
+
+```typescript
+// vitest.config.ts
+import { defineConfig } from 'vitest/config'
+import react from '@vitejs/plugin-react'
+import path from 'path'
+
+export default defineConfig({
+  plugins: [react()],
+  test: {
+    environment: 'jsdom',
+    globals: true,
+    setupFiles: ['./vitest.setup.ts'],
+    include: ['**/*.test.{ts,tsx}'],
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'json', 'html'],
+      exclude: ['node_modules/', '*.config.*']
+    }
+  },
+  resolve: {
+    alias: {
+      '@': path.resolve(__dirname, './src')
+    }
+  }
+})
+```
+
+```typescript
+// vitest.setup.ts
+import '@testing-library/jest-dom/vitest'
+import { cleanup } from '@testing-library/react'
+import { afterEach, vi } from 'vitest'
+
+afterEach(() => {
+  cleanup()
+})
+
+// Mock next/navigation
+vi.mock('next/navigation', () => ({
+  useRouter: () => ({
+    push: vi.fn(),
+    replace: vi.fn(),
+    back: vi.fn()
+  }),
+  usePathname: () => '/',
+  useSearchParams: () => new URLSearchParams()
+}))
+```
+
+## Unit Testing Functions
+
+```typescript
+// lib/utils.test.ts
+import { describe, it, expect } from 'vitest'
+import { formatPrice, calculateDiscount, validateEmail } from './utils'
+
+describe('formatPrice', () => {
+  it('formats cents to dollars', () => {
+    expect(formatPrice(1000)).toBe('$10.00')
+    expect(formatPrice(1599)).toBe('$15.99')
+  })
+
+  it('handles zero', () => {
+    expect(formatPrice(0)).toBe('$0.00')
+  })
+})
+
+describe('calculateDiscount', () => {
+  it('applies percentage discount', () => {
+    expect(calculateDiscount(100, 10)).toBe(90)
+    expect(calculateDiscount(50, 50)).toBe(25)
+  })
+
+  it('returns original price for zero discount', () => {
+    expect(calculateDiscount(100, 0)).toBe(100)
+  })
+})
+
+describe('validateEmail', () => {
+  it('accepts valid emails', () => {
+    expect(validateEmail('user@example.com')).toBe(true)
+    expect(validateEmail('user+tag@domain.co.uk')).toBe(true)
+  })
+
+  it('rejects invalid emails', () => {
+    expect(validateEmail('invalid')).toBe(false)
+    expect(validateEmail('no@domain')).toBe(false)
+    expect(validateEmail('')).toBe(false)
+  })
+})
+```
+
+## Testing React Components
+
+```typescript
+// components/button.test.tsx
+import { describe, it, expect, vi } from 'vitest'
+import { render, screen, fireEvent } from '@testing-library/react'
+import { Button } from './button'
+
+describe('Button', () => {
+  it('renders with children', () => {
+    render(<Button>Click me</Button>)
+    expect(screen.getByText('Click me')).toBeInTheDocument()
+  })
+
+  it('calls onClick when clicked', () => {
+    const handleClick = vi.fn()
+    render(<Button onClick={handleClick}>Click</Button>)
+
+    fireEvent.click(screen.getByText('Click'))
+    expect(handleClick).toHaveBeenCalledTimes(1)
+  })
+
+  it('is disabled when loading', () => {
+    render(<Button loading>Submit</Button>)
+    expect(screen.getByRole('button')).toBeDisabled()
+  })
+
+  it('applies variant classes', () => {
+    render(<Button variant="destructive">Delete</Button>)
+    expect(screen.getByRole('button')).toHaveClass('bg-red-500')
+  })
+})
+```
+
+## Testing Async Components
+
+```typescript
+// components/user-profile.test.tsx
+import { describe, it, expect, vi } from 'vitest'
+import { render, screen, waitFor } from '@testing-library/react'
+import { UserProfile } from './user-profile'
+
+// Mock the fetch function
+vi.mock('@/lib/api', () => ({
+  fetchUser: vi.fn()
+}))
+
+import { fetchUser } from '@/lib/api'
+
+describe('UserProfile', () => {
+  it('shows loading state initially', () => {
+    vi.mocked(fetchUser).mockImplementation(() => new Promise(() => {}))
+
+    render(<UserProfile userId="123" />)
+    expect(screen.getByText('Loading...')).toBeInTheDocument()
+  })
+
+  it('displays user data after loading', async () => {
+    vi.mocked(fetchUser).mockResolvedValue({
+      name: 'John Doe',
+      email: 'john@example.com'
+    })
+
+    render(<UserProfile userId="123" />)
+
+    await waitFor(() => {
+      expect(screen.getByText('John Doe')).toBeInTheDocument()
+      expect(screen.getByText('john@example.com')).toBeInTheDocument()
+    })
+  })
+
+  it('shows error state on failure', async () => {
+    vi.mocked(fetchUser).mockRejectedValue(new Error('Failed'))
+
+    render(<UserProfile userId="123" />)
+
+    await waitFor(() => {
+      expect(screen.getByText('Error loading profile')).toBeInTheDocument()
+    })
+  })
+})
+```
+
+## Testing Server Actions
+
+```typescript
+// actions/posts.test.ts
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { createPost, deletePost } from './posts'
+import { prisma } from '@/lib/db'
+import { auth } from '@/lib/auth'
+
+vi.mock('@/lib/db', () => ({
+  prisma: {
+    post: {
+      create: vi.fn(),
+      delete: vi.fn(),
+      findUnique: vi.fn()
+    }
+  }
+}))
+
+vi.mock('@/lib/auth', () => ({
+  auth: vi.fn()
+}))
+
+vi.mock('next/cache', () => ({
+  revalidatePath: vi.fn()
+}))
+
+describe('createPost', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('creates post for authenticated user', async () => {
+    vi.mocked(auth).mockResolvedValue({ userId: 'user-123' })
+    vi.mocked(prisma.post.create).mockResolvedValue({
+      id: 'post-1',
+      title: 'Test Post',
+      authorId: 'user-123'
+    })
+
+    const formData = new FormData()
+    formData.set('title', 'Test Post')
+
+    const result = await createPost(formData)
+
+    expect(result.success).toBe(true)
+    expect(prisma.post.create).toHaveBeenCalledWith({
+      data: expect.objectContaining({
+        title: 'Test Post',
+        authorId: 'user-123'
+      })
+    })
+  })
+
+  it('returns error for unauthenticated user', async () => {
+    vi.mocked(auth).mockResolvedValue({ userId: null })
+
+    const formData = new FormData()
+    formData.set('title', 'Test')
+
+    const result = await createPost(formData)
+
+    expect(result.success).toBe(false)
+    expect(result.error).toBe('Not authenticated')
+  })
+})
+```
+
+## Testing Hooks
+
+```typescript
+// hooks/use-debounce.test.ts
+import { describe, it, expect, vi } from 'vitest'
+import { renderHook, act } from '@testing-library/react'
+import { useDebounce } from './use-debounce'
+
+describe('useDebounce', () => {
+  beforeEach(() => {
+    vi.useFakeTimers()
+  })
+
+  afterEach(() => {
+    vi.useRealTimers()
+  })
+
+  it('returns initial value immediately', () => {
+    const { result } = renderHook(() => useDebounce('hello', 500))
+    expect(result.current).toBe('hello')
+  })
+
+  it('debounces value changes', () => {
+    const { result, rerender } = renderHook(
+      ({ value }) => useDebounce(value, 500),
+      { initialProps: { value: 'hello' } }
+    )
+
+    rerender({ value: 'world' })
+    expect(result.current).toBe('hello') // Still old value
+
+    act(() => {
+      vi.advanceTimersByTime(500)
+    })
+
+    expect(result.current).toBe('world') // Now updated
+  })
+})
+```
+
+## Running Tests
+
+```bash
+# Run all tests
+npm test
+
+# Watch mode
+npm test -- --watch
+
+# Coverage report
+npm test -- --coverage
+
+# Run specific file
+npm test -- button.test.tsx
+
+# Run tests matching pattern
+npm test -- --grep "createPost"
+```

package/templates/bootspring.config.js

@@ -0,0 +1,83 @@
+/**
+ * Bootspring Configuration
+ * Copy this file to your project root and customize
+ */
+module.exports = {
+  // Project information
+  project: {
+    name: 'My Project',
+    description: 'A modern web application',
+    version: '0.1.0'
+  },
+
+  // Technology stack
+  stack: {
+    framework: 'nextjs',      // nextjs, remix, astro
+    language: 'typescript',   // typescript, javascript
+    database: 'postgresql',   // postgresql, mysql, mongodb
+    hosting: 'vercel'         // vercel, aws, railway
+  },
+
+  // Enabled plugins
+  plugins: {
+    auth: {
+      enabled: true,
+      provider: 'clerk',      // clerk, nextauth, auth0, supabase
+      features: ['social_login', 'email_password']
+    },
+    payments: {
+      enabled: false,
+      provider: 'stripe',     // stripe, paddle, lemonsqueezy
+      features: ['checkout', 'subscriptions']
+    },
+    database: {
+      enabled: true,
+      provider: 'prisma',     // prisma, drizzle, typeorm
+      features: ['migrations', 'transactions']
+    },
+    testing: {
+      enabled: true,
+      provider: 'vitest',     // vitest, jest, playwright
+      features: ['unit', 'integration']
+    },
+    security: {
+      enabled: true,
+      features: ['input_validation', 'rate_limiting']
+    },
+    ai: {
+      enabled: false,
+      provider: 'anthropic',  // anthropic, openai, google
+      features: ['streaming', 'tool_use']
+    }
+  },
+
+  // Dashboard settings
+  dashboard: {
+    port: 3456,
+    autoOpen: false
+  },
+
+  // Context generation options
+  context: {
+    includeEnvVars: true,
+    includeTechStack: true,
+    includePlugins: true,
+    customSections: []
+  },
+
+  // Quality gate settings
+  quality: {
+    preCommit: {
+      enabled: true,
+      checks: ['lint', 'typecheck']
+    },
+    prePush: {
+      enabled: true,
+      checks: ['test', 'build']
+    },
+    preDeploy: {
+      enabled: true,
+      checks: ['security', 'coverage']
+    }
+  }
+};

package/templates/mcp.json

@@ -0,0 +1,9 @@
+{
+  "mcpServers": {
+    "bootspring": {
+      "command": "npx",
+      "args": ["bootspring", "mcp"],
+      "env": {}
+    }
+  }
+}