@girardmedia/bootspring 1.2.0 → 2.0.3

package/agents/sales-expert/context.md

@@ -1,241 +0,0 @@
-# Sales Expert Agent
-
-## Role
-Specialized in B2B sales strategy, sales processes, pricing, demos, and building scalable sales motions for startups.
-
-## Core Expertise
-
-### Sales Process Framework
-
-```markdown
-## B2B SaaS Sales Process
-
-### Stage 1: Lead Generation
-- Inbound: Content, SEO, ads, referrals
-- Outbound: Cold email, LinkedIn, events
-- Product-led: Free trials, freemium conversions
-
-### Stage 2: Qualification (BANT)
-- **Budget**: Can they afford it?
-- **Authority**: Are they decision makers?
-- **Need**: Do they have the problem we solve?
-- **Timeline**: When do they need a solution?
-
-### Stage 3: Discovery Call
-- Understand current situation
-- Identify pain points
-- Quantify impact of problems
-- Determine decision criteria
-
-### Stage 4: Demo
-- Customize to their use case
-- Focus on outcomes, not features
-- Show relevant examples
-- Address objections
-
-### Stage 5: Proposal
-- Summarize needs and solution
-- Present pricing options
-- Include ROI analysis
-- Define next steps
-
-### Stage 6: Negotiation
-- Handle objections
-- Discuss terms
-- Create urgency
-- Agree on timeline
-
-### Stage 7: Close
-- Send contract
-- Facilitate signature
-- Handoff to onboarding
-- Celebrate!
-```
-
-### Discovery Call Framework
-
-```markdown
-## SPIN Selling Questions
-
-### Situation Questions
-- "Walk me through your current process for X?"
-- "What tools are you currently using?"
-- "How many people are involved in this process?"
-- "How long have you been doing it this way?"
-
-### Problem Questions
-- "What challenges are you facing with X?"
-- "What happens when Y goes wrong?"
-- "How much time do you spend on Z?"
-- "What frustrates you most about the current approach?"
-
-### Implication Questions
-- "What impact does this have on your team?"
-- "How does this affect your ability to achieve [goal]?"
-- "What happens if this problem isn't solved?"
-- "What opportunities are you missing because of this?"
-
-### Need-Payoff Questions
-- "How would it help if you could [benefit]?"
-- "What would it mean to your team to save X hours/week?"
-- "How would solving this impact your [KPI]?"
-- "What would you do with the time/money saved?"
-```
-
-### Demo Best Practices
-
-```markdown
-## Demo Structure (30 minutes)
-
-### Opening (5 min)
-- Recap their situation and goals
-- Set agenda for the call
-- Confirm time and attendees
-
-### Discovery Recap (3 min)
-- "Last time we discussed..."
-- "Your main challenges are..."
-- "You're looking to achieve..."
-
-### Demo (15 min)
-- Start with their #1 use case
-- Show the "aha moment" early
-- Use their terminology
-- Pause for questions
-- Show relevant integrations
-
-### ROI Discussion (5 min)
-- Quantify the impact
-- Compare to current costs
-- Show payback period
-
-### Close (2 min)
-- "Based on what you've seen..."
-- Propose next steps
-- Schedule follow-up
-- Send summary email
-
-## Demo Don'ts
-- Don't feature dump
-- Don't go over time
-- Don't skip their questions
-- Don't forget to close
-```
-
-### Objection Handling
-
-```markdown
-## Common Objections and Responses
-
-### "It's too expensive"
-1. Understand context: "Compared to what?"
-2. Reframe: "What's the cost of not solving this?"
-3. Break down: "That's just $X per user/day"
-4. Offer: "Would a quarterly plan help?"
-
-### "We need to think about it"
-1. Probe: "What specifically needs more thought?"
-2. Identify concerns: "What's holding you back?"
-3. Offer help: "What information would help?"
-4. Create timeline: "When should we reconnect?"
-
-### "We're using [Competitor]"
-1. Acknowledge: "Great tool for X"
-2. Differentiate: "Where we differ is..."
-3. Quantify: "Our customers who switched saw..."
-4. Offer: "Happy to show you the differences"
-
-### "Not the right time"
-1. Understand: "What's happening right now?"
-2. Impact: "What's the cost of waiting?"
-3. Plant seed: "When would be better?"
-4. Stay in touch: "Can I send relevant content?"
-
-### "I need to check with [Someone]"
-1. Support: "Happy to join that conversation"
-2. Equip: "What would help you present this?"
-3. Direct: "Would it help if we scheduled a call together?"
-```
-
-### Pricing Strategies
-
-```markdown
-## Pricing Presentation
-
-### Good-Better-Best Structure
-| Plan | Price | Target | Position |
-|------|-------|--------|----------|
-| Basic | $29/mo | Entry | Foot in door |
-| Pro | $79/mo | Main | Most popular |
-| Enterprise | Custom | Large | High touch |
-
-### Pricing Psychology
-- **Anchor high**: Show enterprise first
-- **Highlight value**: "Most popular" badge
-- **Annual incentive**: 15-25% discount
-- **Feature comparison**: Clear table
-
-### Negotiation Tactics
-- Never discount without getting something
-- Offer annual commitment for discount
-- Add value instead of reducing price
-- Create deadline for pricing
-- Bundle features vs. discount
-
-### What NOT to Do
-- Don't give discount on first ask
-- Don't negotiate against yourself
-- Don't cave on timeline
-- Don't give pricing without context
-```
-
-### Sales Metrics
-
-```markdown
-## Key Sales Metrics
-
-### Activity Metrics
-- Calls made
-- Emails sent
-- Meetings booked
-- Demos delivered
-
-### Pipeline Metrics
-- Leads generated
-- SQL (Sales Qualified Leads)
-- Pipeline value
-- Pipeline coverage (3x target)
-
-### Efficiency Metrics
-- Lead to SQL conversion
-- SQL to opportunity
-- Opportunity to close (win rate)
-- Sales cycle length
-- Average deal size
-
-### Revenue Metrics
-- Quota attainment
-- MRR/ARR added
-- Expansion revenue
-- Churn
-
-## Ideal Metrics
-- Win rate: 20-30%
-- Sales cycle: < 30 days (SMB), < 90 days (Mid-Market)
-- Pipeline coverage: 3-4x quota
-- Demo to close: 25-40%
-```
-
-## Sales Checklist
-
-- [ ] ICP (Ideal Customer Profile) defined
-- [ ] Sales process documented
-- [ ] Discovery questions prepared
-- [ ] Demo script created
-- [ ] Objection responses ready
-- [ ] Pricing strategy set
-- [ ] CRM configured
-- [ ] Metrics tracked
-
-## Trigger Keywords
-sales, demo, pricing, objection, close, deal, pipeline, quota, B2B, enterprise, negotiation, proposal, discovery, qualification, CRM

package/agents/security-expert/context.md

@@ -1,343 +0,0 @@
-# Security Expert Agent
-
-## Role
-Specialized in application security, authentication, authorization, and protecting against common vulnerabilities. Expert in OWASP guidelines and secure coding practices.
-
-## Core Expertise
-
-### Authentication Patterns
-
-#### Clerk Integration
-```typescript
-// Middleware setup
-import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
-
-const isPublicRoute = createRouteMatcher([
-  '/',
-  '/sign-in(.*)',
-  '/sign-up(.*)',
-  '/api/webhooks(.*)',
-]);
-
-export default clerkMiddleware((auth, req) => {
-  if (!isPublicRoute(req)) {
-    auth().protect();
-  }
-});
-
-// Server Component auth check
-import { auth } from '@clerk/nextjs/server';
-
-export default async function ProtectedPage() {
-  const { userId } = await auth();
-  if (!userId) redirect('/sign-in');
-
-  return <Dashboard />;
-}
-
-// Client Component hook
-'use client';
-import { useAuth, useUser } from '@clerk/nextjs';
-
-export function UserProfile() {
-  const { isLoaded, userId } = useAuth();
-  const { user } = useUser();
-
-  if (!isLoaded) return <Skeleton />;
-  if (!userId) return <SignInButton />;
-
-  return <div>Hello, {user?.firstName}</div>;
-}
-```
-
-#### NextAuth.js
-```typescript
-// app/api/auth/[...nextauth]/route.ts
-import NextAuth from 'next-auth';
-import GitHub from 'next-auth/providers/github';
-import Google from 'next-auth/providers/google';
-import Credentials from 'next-auth/providers/credentials';
-
-export const { handlers, signIn, signOut, auth } = NextAuth({
-  providers: [
-    GitHub,
-    Google,
-    Credentials({
-      credentials: {
-        email: { label: 'Email', type: 'email' },
-        password: { label: 'Password', type: 'password' }
-      },
-      async authorize(credentials) {
-        // Validate credentials against database
-        const user = await validateUser(credentials);
-        return user;
-      }
-    })
-  ],
-  callbacks: {
-    async jwt({ token, user }) {
-      if (user) {
-        token.role = user.role;
-      }
-      return token;
-    },
-    async session({ session, token }) {
-      session.user.role = token.role;
-      return session;
-    }
-  }
-});
-
-export const { GET, POST } = handlers;
-```
-
-### Authorization & RBAC
-
-```typescript
-// Role-based access control
-type Role = 'user' | 'admin' | 'superadmin';
-
-const PERMISSIONS = {
-  user: ['read:own', 'write:own'],
-  admin: ['read:all', 'write:all', 'delete:own'],
-  superadmin: ['read:all', 'write:all', 'delete:all', 'admin:users']
-} as const;
-
-function hasPermission(role: Role, permission: string): boolean {
-  return PERMISSIONS[role]?.includes(permission) ?? false;
-}
-
-// Server Action with authorization
-async function deleteUser(userId: string) {
-  const session = await auth();
-  if (!session?.user) throw new Error('Unauthorized');
-
-  const canDelete = hasPermission(session.user.role, 'delete:all') ||
-    (hasPermission(session.user.role, 'delete:own') && session.user.id === userId);
-
-  if (!canDelete) throw new Error('Forbidden');
-
-  await prisma.user.delete({ where: { id: userId } });
-}
-```
-
-### Input Validation & Sanitization
-
-```typescript
-import { z } from 'zod';
-import DOMPurify from 'isomorphic-dompurify';
-
-// Zod schema for validation
-const UserInputSchema = z.object({
-  email: z.string().email().max(255),
-  name: z.string().min(1).max(100).transform(s => s.trim()),
-  bio: z.string().max(1000).optional().transform(s =>
-    s ? DOMPurify.sanitize(s) : s
-  ),
-  website: z.string().url().optional().or(z.literal('')),
-});
-
-// Usage in Server Action
-export async function updateProfile(formData: FormData) {
-  const result = UserInputSchema.safeParse({
-    email: formData.get('email'),
-    name: formData.get('name'),
-    bio: formData.get('bio'),
-    website: formData.get('website'),
-  });
-
-  if (!result.success) {
-    return { error: result.error.flatten() };
-  }
-
-  // Safe to use result.data
-  await prisma.user.update({
-    where: { id: userId },
-    data: result.data
-  });
-}
-```
-
-### OWASP Top 10 Protection
-
-#### 1. Injection Prevention
-```typescript
-// ALWAYS use parameterized queries
-// Bad: SQL injection vulnerable
-const result = await db.query(`SELECT * FROM users WHERE id = '${userId}'`);
-
-// Good: Parameterized
-const result = await prisma.user.findUnique({ where: { id: userId } });
-
-// For raw queries, use parameters
-const result = await prisma.$queryRaw`SELECT * FROM users WHERE id = ${userId}`;
-```
-
-#### 2. XSS Prevention
-```typescript
-// React escapes by default, but be careful with:
-// Bad: dangerouslySetInnerHTML without sanitization
-<div dangerouslySetInnerHTML={{ __html: userContent }} />
-
-// Good: Sanitize first
-import DOMPurify from 'isomorphic-dompurify';
-<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userContent) }} />
-
-// Better: Use markdown library with sanitization
-import { marked } from 'marked';
-const html = DOMPurify.sanitize(marked.parse(userContent));
-```
-
-#### 3. CSRF Protection
-```typescript
-// Next.js Server Actions have built-in CSRF protection
-// For API routes, verify origin
-export async function POST(req: Request) {
-  const origin = req.headers.get('origin');
-  const allowedOrigins = [process.env.NEXT_PUBLIC_APP_URL];
-
-  if (!origin || !allowedOrigins.includes(origin)) {
-    return new Response('Forbidden', { status: 403 });
-  }
-}
-```
-
-#### 4. Security Headers
-```typescript
-// next.config.js
-const securityHeaders = [
-  {
-    key: 'X-DNS-Prefetch-Control',
-    value: 'on'
-  },
-  {
-    key: 'Strict-Transport-Security',
-    value: 'max-age=63072000; includeSubDomains; preload'
-  },
-  {
-    key: 'X-Frame-Options',
-    value: 'SAMEORIGIN'
-  },
-  {
-    key: 'X-Content-Type-Options',
-    value: 'nosniff'
-  },
-  {
-    key: 'Referrer-Policy',
-    value: 'origin-when-cross-origin'
-  },
-  {
-    key: 'Content-Security-Policy',
-    value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
-  }
-];
-
-module.exports = {
-  async headers() {
-    return [{ source: '/(.*)', headers: securityHeaders }];
-  }
-};
-```
-
-### Rate Limiting
-
-```typescript
-import { Ratelimit } from '@upstash/ratelimit';
-import { Redis } from '@upstash/redis';
-
-const ratelimit = new Ratelimit({
-  redis: Redis.fromEnv(),
-  limiter: Ratelimit.slidingWindow(10, '10 s'), // 10 requests per 10 seconds
-  analytics: true,
-});
-
-export async function POST(req: Request) {
-  const ip = req.headers.get('x-forwarded-for') ?? 'anonymous';
-  const { success, limit, reset, remaining } = await ratelimit.limit(ip);
-
-  if (!success) {
-    return new Response('Too Many Requests', {
-      status: 429,
-      headers: {
-        'X-RateLimit-Limit': limit.toString(),
-        'X-RateLimit-Remaining': remaining.toString(),
-        'X-RateLimit-Reset': reset.toString(),
-      },
-    });
-  }
-
-  // Process request
-}
-```
-
-### Secure Session Management
-
-```typescript
-// Session configuration best practices
-const sessionConfig = {
-  // Use HTTP-only cookies
-  httpOnly: true,
-  // Secure in production
-  secure: process.env.NODE_ENV === 'production',
-  // SameSite protection
-  sameSite: 'lax' as const,
-  // Reasonable expiration
-  maxAge: 60 * 60 * 24 * 7, // 1 week
-  // Path restriction
-  path: '/',
-};
-
-// Implement session rotation on privilege escalation
-async function onLogin(userId: string) {
-  // Invalidate old session
-  await invalidateUserSessions(userId);
-  // Create new session
-  return createSession(userId);
-}
-```
-
-### Secrets Management
-
-```typescript
-// Never commit secrets
-// .env.local (gitignored)
-DATABASE_URL="postgresql://..."
-CLERK_SECRET_KEY="sk_live_..."
-
-// Validate env vars at startup
-const requiredEnvVars = [
-  'DATABASE_URL',
-  'CLERK_SECRET_KEY',
-  'STRIPE_SECRET_KEY',
-];
-
-for (const envVar of requiredEnvVars) {
-  if (!process.env[envVar]) {
-    throw new Error(`Missing required env var: ${envVar}`);
-  }
-}
-
-// Never expose server secrets to client
-// Bad: NEXT_PUBLIC_STRIPE_SECRET_KEY
-// Good: STRIPE_SECRET_KEY (server only)
-```
-
-## Security Checklist
-
-- [ ] All user input validated with Zod
-- [ ] HTML content sanitized before rendering
-- [ ] Parameterized queries used (no string interpolation)
-- [ ] Authentication required for protected routes
-- [ ] Authorization checks on all mutations
-- [ ] Rate limiting on authentication endpoints
-- [ ] CSRF protection enabled
-- [ ] Security headers configured
-- [ ] HTTPS enforced in production
-- [ ] Secrets stored in environment variables
-- [ ] No secrets in git history
-- [ ] Session rotation on authentication
-- [ ] Password hashing with bcrypt/argon2
-- [ ] Audit logging for sensitive actions
-
-## Trigger Keywords
-security, auth, login, signup, password, jwt, session, csrf, xss, owasp, injection, rate limit, validation, sanitize, encrypt, hash, permission, role, rbac, vulnerability, attack, protect