@h1dr0n/skill-pool 0.1.0

package/skills/common/skills/brainstorming/dynamic-questioning.md

@@ -0,0 +1,350 @@
+# Dynamic Question Generation
+
+> **PRINCIPLE:** Questions are not about gathering data—they are about **revealing architectural consequences**.
+>
+> Every question must connect to a concrete implementation decision that affects cost, complexity, or timeline.
+
+---
+
+## 🧠 Core Principles
+
+### 1. Questions Reveal Consequences
+
+A good question is not "What color do you want?" but:
+
+```markdown
+❌ BAD: "What authentication method?"
+✅ GOOD: "Should users sign up with email/password or social login?
+
+   Impact:
+   - Email/Pass → Need password reset, hashing, 2FA infrastructure
+   - Social → OAuth providers, user profile mapping, less control
+
+   Trade-off: Security vs. Development time vs. User friction"
+```
+
+### 2. Context Before Content
+
+First understand **where** this request fits:
+
+| Context | Question Focus |
+|---------|----------------|
+| **Greenfield** (new project) | Foundation decisions: stack, hosting, scale |
+| **Feature Addition** | Integration points, existing patterns, breaking changes |
+| **Refactor** | Why refactor? Performance? Maintainability? What's broken? |
+| **Debug** | Symptoms → Root cause → Reproduction path |
+
+### 3. Minimum Viable Questions
+
+**PRINCIPLE:** Each question must eliminate a fork in the implementation road.
+
+```
+Before Question:
+├── Path A: Do X (5 min)
+├── Path B: Do Y (15 min)
+└── Path C: Do Z (1 hour)
+
+After Question:
+└── Path Confirmed: Do X (5 min)
+```
+
+If a question doesn't reduce implementation paths → **DELETE IT**.
+
+### 4. Questions Generate Data, Not Assumptions
+
+```markdown
+❌ ASSUMPTION: "User probably wants Stripe for payments"
+✅ QUESTION: "Which payment provider fits your needs?
+
+   Stripe → Best documentation, 2.9% + $0.30, US-centric
+   LemonSqueezy → Merchant of Record, 5% + $0.50, global taxes
+   Paddle → Complex pricing, handles EU VAT, enterprise focus"
+```
+
+---
+
+## 📋 Question Generation Algorithm
+
+```
+INPUT: User request + Context (greenfield/feature/refactor/debug)
+│
+├── STEP 1: Parse Request
+│   ├── Extract domain (ecommerce, auth, realtime, cms, etc.)
+│   ├── Extract features (explicit and implied)
+│   └── Extract scale indicators (users, data volume, frequency)
+│
+├── STEP 2: Identify Decision Points
+│   ├── What MUST be decided before coding? (blocking)
+│   ├── What COULD be decided later? (deferable)
+│   └── What has ARCHITECTURAL impact? (high-leverage)
+│
+├── STEP 3: Generate Questions (Priority Order)
+│   ├── P0: Blocking decisions (cannot proceed without answer)
+│   ├── P1: High-leverage (affects >30% of implementation)
+│   ├── P2: Medium-leverage (affects specific features)
+│   └── P3: Nice-to-have (edge cases, optimization)
+│
+└── STEP 4: Format Each Question
+    ├── What: Clear question
+    ├── Why: Impact on implementation
+    ├── Options: Trade-offs (not just A vs B)
+    └── Default: What happens if user doesn't answer
+```
+
+---
+
+## 🎯 Domain-Specific Question Banks
+
+### E-Commerce
+
+| Question | Why It Matters | Trade-offs |
+|----------|----------------|------------|
+| **Single or Multi-vendor?** | Multi-vendor → Commission logic, vendor dashboards, split payments | +Revenue, -Complexity |
+| **Inventory Tracking?** | Needs stock tables, reservation logic, low-stock alerts | +Accuracy, -Development time |
+| **Digital or Physical Products?** | Digital → Download links, no shipping | Physical → Shipping APIs, tracking |
+| **Subscription or One-time?** | Subscription → Recurring billing, dunning, proration | +Revenue, -Complexity |
+
+### Authentication
+
+| Question | Why It Matters | Trade-offs |
+|----------|----------------|------------|
+| **Social Login Needed?** | OAuth providers vs. password reset infrastructure | +UX, -Control |
+| **Role-Based Permissions?** | RBAC tables, policy enforcement, admin UI | +Security, -Development time |
+| **2FA Required?** | TOTP/SMI infrastructure, backup codes, recovery flow | +Security, -UX friction |
+| **Email Verification?** | Verification tokens, email service, resend logic | +Security, -Sign-up friction |
+
+### Real-time
+
+| Question | Why It Matters | Trade-offs |
+|----------|----------------|------------|
+| **WebSocket or Polling?** | WS → Server scaling, connection management | Polling → Simpler, higher latency |
+| **Expected Concurrent Users?** | <100 → Single server, >1000 → Redis pub/sub, >10k → specialized infra | +Scale, -Complexity |
+| **Message Persistence?** | History tables, storage costs, pagination | +UX, -Storage |
+| **Ephemeral or Durable?** | Ephemeral → In-memory, Durable → Database write before emit | +Reliability, -Latency |
+
+### Content/CMS
+
+| Question | Why It Matters | Trade-offs |
+|----------|----------------|------------|
+| **Rich Text or Markdown?** | Rich Text → Sanitization, XSS risks | Markdown → Simple, no WYSIWYG |
+| **Draft/Publish Workflow?** | Status field, scheduled jobs, versioning | +Control, -Complexity |
+| **Media Handling?** | Upload endpoints, storage, optimization | +Features, -Development time |
+| **Multi-language?** | i18n tables, translation UI, fallback logic | +Reach, -Complexity |
+
+---
+
+## 📐 Dynamic Question Template
+
+```markdown
+Based on your request for [DOMAIN] [FEATURE]:
+
+## 🔴 CRITICAL (Blocking Decisions)
+
+### 1. **[DECISION POINT]**
+
+**Question:** [Clear, specific question]
+
+**Why This Matters:**
+- [Explain architectural consequence]
+- [Affects: cost / complexity / timeline / scale]
+
+**Options:**
+| Option | Pros | Cons | Best For |
+|--------|------|------|----------|
+| A | [Advantage] | [Disadvantage] | [Use case] |
+| B | [Advantage] | [Disadvantage] | [Use case] |
+
+**If Not Specified:** [Default choice + rationale]
+
+---
+
+## 🟡 HIGH-LEVERAGE (Affects Implementation)
+
+### 2. **[DECISION POINT]**
+[Same format]
+
+---
+
+## 🟢 NICE-TO-HAVE (Edge Cases)
+
+### 3. **[DECISION POINT]**
+[Same format]
+```
+
+---
+
+## 🔄 Iterative Questioning
+
+### First Pass (3-5 Questions)
+Focus on **blocking decisions**. Don't proceed without answers.
+
+### Second Pass (After Initial Implementation)
+As patterns emerge, ask:
+- "This feature implies [X]. Should we handle [edge case] now or defer?"
+- "We're using [Pattern A]. Should [Feature B] follow the same pattern?"
+
+### Third Pass (Optimization)
+When functionality works:
+- "Performance bottleneck at [X]. Optimize now or acceptable for now?"
+- "Refactor [Y] for maintainability or ship as-is?"
+
+---
+
+## 🎭 Example: Full Question Generation
+
+```
+USER REQUEST: "Build an Instagram clone"
+
+STEP 1: Parse
+├── Domain: Social Media
+├── Features: Photo sharing, engagement (likes/comments), user profiles
+├── Implied: Feed, following, authentication
+└── Scale: Potentially high (social apps go viral)
+
+STEP 2: Decision Points
+├── Blocking: Storage strategy, authentication method, feed type
+├── High-leverage: Real-time notifications, data model complexity
+└── Deferable: Analytics, advanced search, reels/video
+
+STEP 3: Generate Questions (Priority)
+
+P0 (Blocking):
+1. Storage Strategy → Affects architecture, cost, speed
+2. Feed Algorithm → Affects database queries, complexity
+3. Auth Method → Affects dev time, UX, security
+
+P1 (High-leverage):
+4. Real-time Notifications → WebSocket vs polling
+5. Media Processing → Client-side vs server-side optimization
+
+P2 (Deferable):
+6. Story/Reels → Major feature creep, defer to v2
+7. DM/Chat → Separate subsystem, defer to v2
+
+STEP 4: Format Output
+```
+
+---
+
+## 📊 Generated Output (Example)
+
+```
+Based on your Instagram clone request:
+
+## 🔴 CRITICAL DECISIONS (Cannot Proceed Without Answers)
+
+### 1. **Photo Storage Strategy**
+
+**Question:** Where will user photos be stored and served?
+
+**Why This Matters:**
+- Affects: Monthly hosting costs, page load speed, CDN complexity
+- High-volume social apps: 1000 users × 10 photos × 2MB = 20GB storage
+
+**Options:**
+| Option | Cost | Speed | Complexity | Best For |
+|--------|------|-------|------------|----------|
+| **Cloudinary** | $89/mo (25GB) | Fast (CDN) | Low | MVP, rapid launch |
+| **AWS S3 + CloudFront** | $0.023/GB | Fast (CDN) | Medium | Production, cost-optimized |
+| **Supabase Storage** | Free tier 1GB | Medium | Low | Small scale, simple |
+| **Local Storage** | Server cost | Slow | Low | Development only |
+
+**If Not Specified:** Cloudinary (balanced for MVP)
+
+---
+
+### 2. **Feed Algorithm Choice**
+
+**Question:** How should the main feed work?
+
+**Why This Matters:**
+- Affects: Database query complexity, caching strategy, development time
+- Algorithmic feeds require ML infrastructure, ranking signals
+
+**Options:**
+| Option | Complexity | Database Impact | Best For |
+|--------|------------|-----------------|----------|
+| **Chronological** | Low | Simple query | Early stage, transparency |
+| **Follow-Only** | Medium | JOIN with pagination | Most social apps |
+| **Algorithmic** | High | Pre-computed feed tables | Instagram competitor |
+
+**If Not Specified:** Follow-Only (balanced for social app)
+
+---
+
+### 3. **Authentication Approach**
+
+**Question:** How do users sign up and login?
+
+**Why This Matters:**
+- Affects: Development time (2-5 hours), security posture, UX friction
+
+**Options:**
+| Option | Dev Time | Security | UX | Best For |
+|--------|----------|----------|-----|----------|
+| **Email/Password** | 4-5 hrs | High (if 2FA) | Medium | Full control needed |
+| **Social Only** | 1-2 hrs | Provider-dependent | Smooth | B2C, rapid launch |
+| **Magic Link** | 2-3 hrs | Medium | Very smooth | Security-focused |
+| **Clerk/Auth0** | 1 hr | High | Smooth | Fastest to market |
+
+**If Not Specified:** Clerk (fastest for MVP)
+
+---
+
+## 🟡 HIGH-LEVERAGE (Affects Architecture)
+
+### 4. **Real-time Notifications**
+
+**Question:** Do users need instant notifications for likes/comments?
+
+**Why This Matters:**
+- WebSocket adds infrastructure complexity (Redis pub/sub for scaling)
+- Polling is simpler but higher latency
+
+**Options:**
+| Option | Complexity | Scale Cost | Best For |
+|--------|------------|------------|----------|
+| **WebSocket + Redis** | High | $10+/mo | >1000 concurrent users |
+| **Polling (30s)** | Low | DB queries | <1000 users |
+| **No Real-time** | None | None | MVP, validate first |
+
+**If Not Specified:** Polling for MVP (defer WebSocket until validated)
+
+---
+
+## 🟢 NICE-TO-HAVE (Defer to v2)
+
+### 5. **Video/Reels Support**
+- Major complexity (video processing, streaming infrastructure)
+- Recommendation: Launch with photos only, add video after validation
+
+### 6. **Direct Messaging**
+- Separate subsystem (chat infrastructure different from feed)
+- Recommendation: Use Pusher/Stream for real-time or defer entirely
+
+---
+
+## 📋 Summary
+
+| Decision | Recommendation | If Changed |
+|----------|----------------|------------|
+| Storage | Cloudinary | +3 hrs setup |
+| Feed | Follow-only | +2 hrs query optimization |
+| Auth | Clerk | -3 hrs dev time |
+| Real-time | Polling | +5 hrs WebSocket setup |
+| Video | Defer to v2 | N/A |
+| DM | Defer to v2 | N/A |
+
+**Total Estimated MVP Time:** 15-20 hours with recommendations above
+```
+
+---
+
+## 🎯 Principles Recap
+
+1. **Every question = Architectural decision** → Not data gathering
+2. **Show trade-offs** → User understands consequences
+3. **Prioritize blocking decisions** → Cannot proceed without
+4. **Provide defaults** → If user doesn't answer, we proceed anyway
+5. **Domain-aware** → Ecommerce questions ≠ Auth questions ≠ Real-time questions
+6. **Iterative** → More questions as patterns emerge during implementation

package/skills/common/skills/clean-code.md

@@ -0,0 +1,99 @@
+---
+name: clean-code
+description: Pragmatic coding standards - SRP, DRY, KISS, YAGNI, naming, function design, code structure. Use as general coding guidance.
+---
+
+# Clean Code
+
+## When to Activate
+- Writing new code
+- Refactoring existing code
+- Reviewing code quality
+- Onboarding to coding standards
+
+## Core Principles
+
+| Principle | Meaning | Application |
+|-----------|---------|-------------|
+| **SRP** | Single Responsibility | One reason to change per module |
+| **DRY** | Don't Repeat Yourself | Extract when repetition is real (3+) |
+| **KISS** | Keep It Simple | Simplest solution that works |
+| **YAGNI** | You Aren't Gonna Need It | Don't build for hypothetical futures |
+| **Boy Scout** | Leave it better | Small improvements on each touch |
+
+## Naming
+
+### Rules
+- Names reveal intent: `getUserById` not `getData`
+- Booleans: `isActive`, `hasPermission`, `canDelete`
+- Functions: verb + noun: `calculateTotal`, `validateEmail`
+- Avoid abbreviations unless universally known (URL, HTTP, ID)
+- Searchable names: `MAX_RETRY_COUNT` not `3`
+
+### Anti-patterns
+| Bad | Good | Why |
+|-----|------|-----|
+| `data` | `userProfile` | What data? |
+| `temp` | `swapBuffer` | Purpose unclear |
+| `flag` | `isEnabled` | What flag? |
+| `process()` | `validateAndSave()` | What process? |
+| `x, y` (outside math) | `width, height` | Context lost |
+
+## Function Design
+
+### Rules
+- **Small**: < 50 lines, ideally < 20
+- **Focused**: Does one thing well
+- **Few arguments**: 0-3 parameters, use objects for more
+- **No side effects**: Or name them clearly (`saveAndNotify`)
+- **Return early**: Guard clauses at the top
+
+### Pattern: Guard Clauses
+```
+// BAD: Deep nesting
+function process(user) {
+  if (user) {
+    if (user.isActive) {
+      if (user.hasPermission) {
+        // actual logic buried here
+      }
+    }
+  }
+}
+
+// GOOD: Early returns
+function process(user) {
+  if (!user) return;
+  if (!user.isActive) return;
+  if (!user.hasPermission) return;
+  // actual logic at top level
+}
+```
+
+## Code Structure
+
+### Composition Over Inheritance
+- Prefer small, composable functions
+- Use dependency injection for flexibility
+- Avoid deep inheritance hierarchies
+
+### Immutability
+- Create new objects instead of mutating
+- Use spread/destructuring for updates
+- Const by default, let only when needed
+
+### Error Handling
+- Handle errors explicitly, never silently swallow
+- Use specific exception types
+- Fail fast with clear messages
+- Log context, not just the error message
+
+## Self-Check Before Completing
+
+- [ ] Can I explain each function in one sentence?
+- [ ] Are there any functions > 50 lines?
+- [ ] Are there any files > 800 lines?
+- [ ] Is there any copy-pasted code?
+- [ ] Would a new team member understand this?
+- [ ] Are error cases handled?
+- [ ] Are there any magic numbers/strings?

package/skills/common/skills/code-review-checklist.md

@@ -0,0 +1,86 @@
+---
+name: code-review-checklist
+description: Structured code review process - correctness, security, performance, quality, testing. Use when reviewing code changes or PRs.
+---
+
+# Code Review Checklist
+
+## When to Activate
+- Reviewing pull requests
+- After writing or modifying code
+- Before merging to shared branches
+- When security-sensitive code changes
+
+## Review Priority Order
+
+### 1. Correctness (Blocker)
+- [ ] Logic handles all edge cases (null, empty, boundary values)
+- [ ] Error paths are handled explicitly
+- [ ] No off-by-one errors
+- [ ] Race conditions considered in async code
+- [ ] State mutations are intentional and tracked
+
+### 2. Security (Blocker)
+- [ ] No hardcoded secrets (API keys, passwords, tokens)
+- [ ] User input validated and sanitized
+- [ ] No SQL injection (parameterized queries used)
+- [ ] No XSS (output properly escaped)
+- [ ] No path traversal (file paths sanitized)
+- [ ] Auth checks present on protected routes
+- [ ] Sensitive data not logged or exposed in errors
+
+### 3. Performance (Warning)
+- [ ] No N+1 queries (use JOINs or batching)
+- [ ] No unbounded queries (LIMIT applied)
+- [ ] Expensive operations cached where appropriate
+- [ ] No unnecessary re-renders (React) or recomputations
+- [ ] Large data sets paginated
+
+### 4. Code Quality (Info)
+- [ ] Functions < 50 lines, files < 800 lines
+- [ ] Naming is clear and descriptive
+- [ ] No deep nesting (> 4 levels)
+- [ ] DRY - no copy-paste duplication
+- [ ] Single responsibility per function/class
+- [ ] No dead code or commented-out blocks
+
+### 5. Testing (Warning)
+- [ ] New functionality has tests
+- [ ] Edge cases covered
+- [ ] Tests are behavioral, not implementation-coupled
+- [ ] Coverage >= 80%
+- [ ] No flaky tests introduced
+
+## Severity Levels
+
+| Level | Meaning | Action |
+|-------|---------|--------|
+| CRITICAL | Security vulnerability or data loss | **Block** - Must fix |
+| HIGH | Bug or significant quality issue | **Warn** - Should fix |
+| MEDIUM | Maintainability concern | **Info** - Consider fixing |
+| LOW | Style or minor suggestion | **Note** - Optional |
+
+## Review Comment Format
+
+```markdown
+**[SEVERITY]** Brief description
+
+**Problem:** What's wrong and why it matters
+**Suggestion:** How to fix it
+**Example:** Code showing the fix (if helpful)
+```
+
+## AI-Specific Review Checks
+- [ ] No hallucinated imports or APIs
+- [ ] Generated code actually compiles/runs
+- [ ] No over-engineered abstractions for simple problems
+- [ ] Error handling is real, not placeholder
+- [ ] Tests actually test behavior, not just exist
+
+## Verdict
+
+| Verdict | Criteria |
+|---------|----------|
+| **Approve** | No CRITICAL or HIGH issues |
+| **Warning** | Only HIGH issues (merge with caution) |
+| **Block** | CRITICAL issues found |

package/skills/common/skills/plan-writing/SKILL.md

@@ -0,0 +1,152 @@
+---
+name: plan-writing
+description: Structured task planning with clear breakdowns, dependencies, and verification criteria. Use when implementing features, refactoring, or any multi-step work.
+allowed-tools: Read, Glob, Grep
+---
+
+# Plan Writing
+
+> Source: obra/superpowers
+
+## Overview
+This skill provides a framework for breaking down work into clear, actionable tasks with verification criteria.
+
+## Task Breakdown Principles
+
+### 1. Small, Focused Tasks
+- Each task should take 2-5 minutes
+- One clear outcome per task
+- Independently verifiable
+
+### 2. Clear Verification
+- How do you know it's done?
+- What can you check/test?
+- What's the expected output?
+
+### 3. Logical Ordering
+- Dependencies identified
+- Parallel work where possible
+- Critical path highlighted
+- **Phase X: Verification is always LAST**
+
+### 4. Dynamic Naming in Project Root
+- Plan files are saved as `{task-slug}.md` in the PROJECT ROOT
+- Name derived from task (e.g., "add auth" → `auth-feature.md`)
+- **NEVER** inside `.claude/`, `docs/`, or temp folders
+
+## Planning Principles (NOT Templates!)
+
+> 🔴 **NO fixed templates. Each plan is UNIQUE to the task.**
+
+### Principle 1: Keep It SHORT
+
+| ❌ Wrong | ✅ Right |
+|----------|----------|
+| 50 tasks with sub-sub-tasks | 5-10 clear tasks max |
+| Every micro-step listed | Only actionable items |
+| Verbose descriptions | One-line per task |
+
+> **Rule:** If plan is longer than 1 page, it's too long. Simplify.
+
+---
+
+### Principle 2: Be SPECIFIC, Not Generic
+
+| ❌ Wrong | ✅ Right |
+|----------|----------|
+| "Set up project" | "Run `npx create-next-app`" |
+| "Add authentication" | "Install next-auth, create `/api/auth/[...nextauth].ts`" |
+| "Style the UI" | "Add Tailwind classes to `Header.tsx`" |
+
+> **Rule:** Each task should have a clear, verifiable outcome.
+
+---
+
+### Principle 3: Dynamic Content Based on Project Type
+
+**For NEW PROJECT:**
+- What tech stack? (decide first)
+- What's the MVP? (minimal features)
+- What's the file structure?
+
+**For FEATURE ADDITION:**
+- Which files are affected?
+- What dependencies needed?
+- How to verify it works?
+
+**For BUG FIX:**
+- What's the root cause?
+- What file/line to change?
+- How to test the fix?
+
+---
+
+### Principle 4: Scripts Are Project-Specific
+
+> 🔴 **DO NOT copy-paste script commands. Choose based on project type.**
+
+| Project Type | Relevant Scripts |
+|--------------|------------------|
+| Frontend/React | `ux_audit.py`, `accessibility_checker.py` |
+| Backend/API | `api_validator.py`, `security_scan.py` |
+| Mobile | `mobile_audit.py` |
+| Database | `schema_validator.py` |
+| Full-stack | Mix of above based on what you touched |
+
+**Wrong:** Adding all scripts to every plan
+**Right:** Only scripts relevant to THIS task
+
+---
+
+### Principle 5: Verification is Simple
+
+| ❌ Wrong | ✅ Right |
+|----------|----------|
+| "Verify the component works correctly" | "Run `npm run dev`, click button, see toast" |
+| "Test the API" | "curl localhost:3000/api/users returns 200" |
+| "Check styles" | "Open browser, verify dark mode toggle works" |
+
+---
+
+## Plan Structure (Flexible, Not Fixed!)
+
+```
+# [Task Name]
+
+## Goal
+One sentence: What are we building/fixing?
+
+## Tasks
+- [ ] Task 1: [Specific action] → Verify: [How to check]
+- [ ] Task 2: [Specific action] → Verify: [How to check]
+- [ ] Task 3: [Specific action] → Verify: [How to check]
+
+## Done When
+- [ ] [Main success criteria]
+```
+
+> **That's it.** No phases, no sub-sections unless truly needed.
+> Keep it minimal. Add complexity only when required.
+
+## Notes
+[Any important considerations]
+```
+
+---
+
+## Best Practices (Quick Reference)
+
+1. **Start with goal** - What are we building/fixing?
+2. **Max 10 tasks** - If more, break into multiple plans
+3. **Each task verifiable** - Clear "done" criteria
+4. **Project-specific** - No copy-paste templates
+5. **Update as you go** - Mark `[x]` when complete
+
+---
+
+## When to Use
+
+- New project from scratch
+- Adding a feature
+- Fixing a bug (if complex)
+- Refactoring multiple files