@hailer/mcp 1.1.12 → 1.1.13

package/.opencode/commands/app-squad.md

@@ -1,135 +0,0 @@
----
-description: Design and build a Hailer app with UI Designer and Giuseppe
-argument-hint: "app description"
-allowed-tools: Task, Bash, Read
----
-# App Squad
-
-Sequential pipeline with data discovery, design, build, and test loop.
-
-**Agents:**
-1. **Kenji** - Discovers real workflow/insight schemas, field IDs, column names
-2. **UI Designer** - Creates design spec (layout, components, aesthetic direction)
-3. **Giuseppe** - Builds the app from the design spec + real schema data
-4. **Tanya** - Build verification and tests (loop trigger)
-
-**Goal:** $ARGUMENTS
-
-## Protocol
-
-### Step 1: Gather Context
-
-Before spawning agents, determine:
-- Does `workspace/` exist? If yes, this is a Hailer project.
-- Does `apps/` directory exist? Create if needed.
-- What workflows/data will the app use?
-
-If context is unclear, use AskUserQuestion:
-- What data should the app display?
-- Authenticated or public app?
-- Any specific layout preferences?
-
-### Step 2: Data Discovery (Kenji)
-
-**CRITICAL: Giuseppe MUST NOT guess IDs or column names.** Kenji looks them up first.
-
-Spawn Kenji to discover the actual schema data the app will need:
-
-```
-Task(subagent_type="agent-kenji-data-reader", prompt='{"task":"app_data_discovery","description":"Look up all schema data needed for this app: $ARGUMENTS","gather":["workflow IDs and names","field IDs, labels, and types for each workflow","phase IDs and names","insight IDs and their column names (if the app uses insights)","any ActivityLink field targets"],"output":"Return a structured JSON with all IDs, field definitions, insight columns, and phase maps. This will be passed directly to the app builder."}')
-```
-
-Wait for result. Save the **schema data** output - this is passed to both UI Designer and Giuseppe.
-
-### Step 3: Design (UI Designer)
-
-Spawn UI Designer with the schema data so it knows what real fields/columns exist:
-
-```
-Task(subagent_type="agent-ui-designer", prompt="Design a Hailer app: $ARGUMENTS.\n\nAvailable data schema:\n[PASTE KENJI'S SCHEMA OUTPUT]\n\nOutput a design spec with: tone, signature element, layout structure, key components, and data flow. Reference actual field IDs and column names from the schema. Format as structured JSON that Giuseppe can consume.")
-```
-
-Wait for result. Save the design spec output.
-
-### Step 4: Build-Test Loop
-
-**Set:** `iteration = 1`
-
-#### Step 4a: Giuseppe (Build)
-
-**Before spawning Giuseppe, enable builder mode:**
-```
-Bash: node .claude/hooks/app-edit-guard.cjs --agent-on
-```
-
-Spawn Giuseppe with BOTH the design spec AND the schema data:
-
-```
-Task(subagent_type="agent-giuseppe-app-builder", prompt="Build this Hailer app using the following design spec and schema data:\n\n## Design Spec\n[PASTE FULL DESIGN SPEC FROM STEP 3]\n\n## Schema Data (from Kenji - use these EXACT IDs)\nSchema data from Kenji: [PASTE KENJI'S SCHEMA OUTPUT FROM STEP 2 - Kenji already ran in Step 2 and returned all IDs. The orchestrator doesn't need to read workspace/ directly.]\n\nApp goal: $ARGUMENTS\n\n[IF iteration > 1: Previous build failed. Here are the errors to fix:\n[PASTE TANYA'S BUILD/TEST ERRORS]\nFix these specific issues while keeping the rest of the app intact.]\n\nIMPORTANT: Use the EXACT field IDs, workflow IDs, insight IDs, and column names from the schema data above. Do NOT guess or invent any IDs.\n\nFollow the design spec for layout, components, and aesthetic. Use @hailer/app-sdk with Chakra UI and Hailer Design System.")
-```
-
-**After Giuseppe completes, disable builder mode:**
-```
-Bash: node .claude/hooks/app-edit-guard.cjs --agent-off
-```
-
-#### Step 4b: Tanya (Build Verification)
-
-Spawn Tanya to verify the build:
-
-```
-Task(subagent_type="agent-tanya-test-runner", prompt="Verify the app build for: $ARGUMENTS.\n\nRun:\n1. TypeScript compilation (tsc --noEmit)\n2. Build (npm run build)\n3. Any existing tests (npm test if configured)\n\nReport: build pass/fail, type errors, test results.")
-```
-
-**If build PASSES:** proceed to Step 5 (report).
-
-**If build FAILS:**
-- Classify errors:
-  - **Code-fixable** (type errors, missing imports, wrong API usage, JSX issues): Giuseppe can handle these
-  - **Infrastructure** (missing dependency/package, wrong Node version, environment config, missing workspace data): escalate immediately to user
-- If only infrastructure errors: skip to Step 5 with clear explanation of what the user needs to fix
-- If code-fixable errors AND `iteration < 3`: increment iteration, go back to **Step 4a** with Tanya's error output
-- If `iteration >= 3`: escalate to user with the remaining errors (see Step 5)
-
-### Step 5: Report
-
-```markdown
-## App Squad Complete
-
-### Loop Summary
-- Build iterations: [count] of 3 max
-- Final build status: PASS / FAIL (escalated)
-
-### Design (UI Designer)
-- Tone: [from spec]
-- Signature element: [from spec]
-- Components: [list]
-
-### Build (Giuseppe)
-- App path: [path]
-- Build status: Pass/Fail
-- Files created: [list]
-- [If multiple iterations: summary of what was fixed each round]
-
-### Verification (Tanya)
-- TypeScript: Pass/Fail
-- Build: Pass/Fail
-- Tests: X passed, X failed
-
-[If ESCALATED:]
-### Remaining Build Errors
-[List errors Giuseppe couldn't resolve in 3 attempts]
-- Suggested manual fixes: [hints based on error types]
-
-### Next Steps
-- Run `npm run dev` to test locally
-- Test inside Hailer iframe
-```
-
-## Notes
-
-- Giuseppe defaults to local dev (localhost:3000). Publishing only when user explicitly asks (loads publish-hailer-app skill)
-- **Kenji runs FIRST** to discover all real IDs - Giuseppe must NEVER guess workflow IDs, field IDs, insight IDs, or column names
-- If the app needs an insight for public data, mention it in the goal - Kenji will look up existing insight columns
-- Build verification catches type errors and compilation issues before the user tries to run
-- Each iteration gives Giuseppe the specific errors to fix, avoiding repeated mistakes

package/.opencode/commands/audit-squad.md

@@ -1,158 +0,0 @@
----
-description: Run parallel security and permissions audit with Svetlana, Permissions Handler, and Gunther
-argument-hint: [files, app name, or blank for full audit]
-allowed-tools: Task, Bash
----
-
-# Audit Squad
-
-Parallel security and permissions audit: code hardening, access control verification, and MCP tool validation.
-
-**Agents:**
-- **Svetlana** - Code review (hardcoded secrets, injection vulnerabilities, insecure patterns, OWASP top 10)
-- **Permissions Handler** - Access control audit (effective permissions, team access levels, permission matrix)
-- **Gunther** - MCP tools security (input validation, data exposure, security best practices)
-
-**Target:** $ARGUMENTS (if blank, use full project scope)
-
-**Scope options:**
-- Specific files or directory path
-- App name (checks that app's code and permissions)
-- Blank for full project audit
-
-## Protocol
-
-### Step 1: Determine Target
-
-If `$ARGUMENTS` has specific files/directories or app name, use those.
-Otherwise, scope is the entire project (workspace/ + apps/ + integrations/).
-
-If `$ARGUMENTS` contains `--code-only`:
-- Remove flag from target
-- Skip Permissions Handler and Gunther in Step 2
-
-If `$ARGUMENTS` contains `--permissions-only`:
-- Remove flag from target
-- Skip Svetlana and Gunther in Step 2
-
-If `$ARGUMENTS` contains `--bg`:
-- Launch all agents in background mode
-
-### Step 2: Launch Audit Agents in Parallel
-
-Spawn all applicable agents simultaneously using multiple Task tool calls in a single message:
-
-**Svetlana:**
-```
-Task(subagent_type="agent-svetlana-code-review", prompt="Security audit of these files: [TARGET]. Focus on: hardcoded secrets, API keys, credentials, injection vulnerabilities (SQL/XSS/Command), insecure crypto usage, missing input validation, OWASP Top 10 issues, unsafe deserialization, missing authentication/authorization checks. Return verdict (PASS/FAIL), critical count, and detailed findings per file.")
-```
-
-**Permissions Handler:**
-```
-Task(subagent_type="agent-permissions-handler", prompt="Audit access control for the entire project. Map effective permissions: who has access to which apps, which teams have what access levels, which users are admins, workspace-wide versus app-specific permissions. Produce a permission matrix showing [User/Team] → [App] → [Access Level]. Flag any excessive or unclear permissions.")
-```
-
-**Gunther:**
-```
-Task(subagent_type="agent-gunther-mcp-tools", prompt="Security audit of custom MCP tools (if any exist in src/mcp/tools/). Verify: input validation with Zod schemas, no unintended data exposure, proper error handling, rate limiting awareness, secure defaults. Report security posture per tool. If no custom tools exist, report that.")
-```
-
-### Step 3: Categorize and Aggregate Results
-
-Collect results from all agents. Categorize findings into three tiers:
-
-**CRITICAL:**
-- Hardcoded secrets/credentials
-- SQL injection, XSS, command injection vulnerabilities
-- Authentication/authorization bypasses
-- Excessive uncontrolled permissions
-- MCP tools exposing sensitive data
-
-**WARNING:**
-- Weak crypto usage
-- Missing input sanitization
-- Unclear permission delegations
-- Unvalidated MCP tool inputs
-- Missing rate limiting on tools
-
-**INFO:**
-- Best practice improvements
-- Code hardening suggestions
-- Permission clarity recommendations
-
-### Step 4: Report
-
-```markdown
-## Audit Squad Report
-
-### Scope
-[What was audited]
-
-### Overall Security Posture
-[Rating: PASS / WARNING / CRITICAL]
-- Critical findings: X
-- Warnings: X
-- Info items: X
-
-### Svetlana (Code Security Review)
-**Verdict:** PASS / FAIL / WARNINGS
-- Critical: X [list]
-- Warnings: X [list]
-- Info: X [list]
-- Files affected: [grouped summary]
-
-### Permissions Handler (Access Control)
-**Matrix Status:** [OK / EXCESSIVE / UNCLEAR]
-- Total apps: X
-- Total teams: X
-- Users with admin access: X
-- Flagged permissions: [list]
-- [Permission matrix if findings exist]
-
-### Gunther (MCP Tools Security)
-**Status:** [No tools / PASS / WARNINGS / CRITICAL]
-[If tools exist:]
-- Tools audited: X
-- Input validation issues: X
-- Data exposure risks: X
-- Best practice gaps: X
-
-### Findings by Severity
-
-#### CRITICAL (Require Immediate Action)
-[List all critical findings with file/tool and remediation steps]
-
-#### WARNING (Address in Next Sprint)
-[List all warnings with context]
-
-#### INFO (Consider for Hardening)
-[List informational recommendations]
-
-### Remediation Checklist
-- [ ] [Critical issue 1]: [Action]
-- [ ] [Critical issue 2]: [Action]
-- [ ] [Warning 1]: [Action]
-
-### Summary
-[1-2 sentence overall assessment of security posture and next steps]
-```
-
-If any agent fails or times out, report partial results from successful agents, note which failed, and offer to re-run individually.
-
-## Options
-
-| Flag | Effect |
-|------|--------|
-| `--code-only` | Skip permissions and MCP tools (code review only, faster) |
-| `--permissions-only` | Skip code review and MCP tools (permissions matrix only) |
-| `--bg` | Run all agents in background mode |
-
-If `--bg` is present, launch all agents with `run_in_background: true` and tell the user they'll be notified when complete.
-
-## Notes
-
-- Default scope is full project if no arguments provided
-- Svetlana focuses on secrets and injection attacks; general code quality is separate (/review-squad)
-- Permissions Handler is organization-wide - includes team and app-level settings
-- Gunther only validates if custom MCP tools exist in the project
-- Critical findings should block deployment; warnings should be tracked for next sprint