@heytherevibin/skillforge 0.2.1

package/skills/mysql-patterns/SKILL.md

@@ -0,0 +1,411 @@
+---
+name: mysql-patterns
+description: MySQL and MariaDB schema, query, indexing, transaction, replication, and connection-pool patterns for production backends.
+---
+
+# MySQL Patterns
+
+Use this skill when working on MySQL or MariaDB schema design, migrations,
+slow-query investigation, queue-style transactions, connection pools, or
+production database configuration. Prefer exact version checks before applying a
+feature-specific pattern because MySQL and MariaDB have diverged in several SQL
+details.
+
+## Activation
+
+- Designing MySQL or MariaDB tables, indexes, and constraints
+- Reviewing migrations before they run on large production tables
+- Debugging slow queries, lock waits, deadlocks, or connection exhaustion
+- Adding keyset pagination, upserts, full-text search, JSON columns, or queues
+- Configuring application connection pools, read replicas, TLS, or slow logs
+
+## Version Check
+
+Start by identifying the engine and version:
+
+```sql
+SELECT VERSION();
+SHOW VARIABLES LIKE 'version_comment';
+```
+
+Keep MySQL and MariaDB guidance separate when syntax differs:
+
+- MySQL documents row aliases as the replacement for `VALUES(col)` in
+  `ON DUPLICATE KEY UPDATE`; `VALUES(col)` is deprecated there.
+- MariaDB documents `VALUES(col)` as the supported way to reference inserted
+  values in `ON DUPLICATE KEY UPDATE`; use it for cross-engine compatibility.
+- `SKIP LOCKED` is appropriate for queue-like work only. It skips locked rows
+  and can return an inconsistent view, so do not use it for general accounting
+  or integrity-sensitive reads.
+
+## Schema Defaults
+
+```sql
+CREATE TABLE orders (
+    id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
+    account_id BIGINT UNSIGNED NOT NULL,
+    status VARCHAR(32) NOT NULL,
+    total DECIMAL(15, 2) NOT NULL,
+    created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+    deleted_at DATETIME NULL,
+    PRIMARY KEY (id),
+    KEY idx_orders_account_status_created (account_id, status, created_at),
+    KEY idx_orders_active (account_id, deleted_at)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
+```
+
+Default choices:
+
+| Use Case | Prefer | Avoid |
+| --- | --- | --- |
+| Surrogate primary keys | `BIGINT UNSIGNED AUTO_INCREMENT` | `INT` for tables that can grow beyond 2B rows |
+| UUID lookup keys | `BINARY(16)` with conversion helpers | `VARCHAR(36)` primary keys on hot tables |
+| Money and exact quantities | `DECIMAL(p, s)` | `FLOAT` or `DOUBLE` |
+| User-facing text | `utf8mb4` tables and indexes | MySQL `utf8` / `utf8mb3` defaults |
+| Application timestamps | `DATETIME` with UTC managed by the app | Assuming `DATETIME` stores time zone metadata |
+| Soft deletes | `deleted_at DATETIME NULL` plus scoped indexes | Filtering soft-deleted rows without an index |
+| Extensible status values | lookup table or constrained `VARCHAR` | `ENUM` when values change often |
+
+## Indexing
+
+Composite index order usually follows equality predicates first, then range or
+sort columns:
+
+```sql
+CREATE INDEX idx_orders_account_status_created
+    ON orders (account_id, status, created_at);
+
+SELECT id, total
+FROM orders
+WHERE account_id = ?
+  AND status = 'pending'
+  AND created_at >= ?
+ORDER BY created_at DESC
+LIMIT 50;
+```
+
+Use `EXPLAIN` before adding or changing an index:
+
+```sql
+EXPLAIN
+SELECT id, total
+FROM orders
+WHERE account_id = 123 AND status = 'pending'
+ORDER BY created_at DESC
+LIMIT 50;
+```
+
+Signals to investigate:
+
+| Field | Risk Signal |
+| --- | --- |
+| `type` | `ALL` on a large table |
+| `key` | `NULL` when a selective predicate exists |
+| `rows` | Very high row estimate for an interactive path |
+| `Extra` | `Using temporary`, `Using filesort`, or broad `Using where` |
+
+Avoid adding indexes blindly. Each index increases write cost, migration time,
+backup size, and buffer-pool pressure.
+
+## Query Patterns
+
+### Upsert
+
+Cross-engine-compatible form:
+
+```sql
+INSERT INTO user_settings (user_id, setting_key, setting_value)
+VALUES (?, ?, ?)
+ON DUPLICATE KEY UPDATE
+    setting_value = VALUES(setting_value),
+    updated_at = CURRENT_TIMESTAMP;
+```
+
+MySQL row-alias form:
+
+```sql
+INSERT INTO user_settings (user_id, setting_key, setting_value)
+VALUES (?, ?, ?) AS new
+ON DUPLICATE KEY UPDATE
+    setting_value = new.setting_value,
+    updated_at = CURRENT_TIMESTAMP;
+```
+
+Use the row-alias form only after confirming the target is MySQL. Use
+`VALUES(col)` for MariaDB or mixed MySQL/MariaDB fleets.
+
+### Keyset Pagination
+
+```sql
+SELECT id, name, created_at
+FROM products
+WHERE (created_at, id) < (?, ?)
+ORDER BY created_at DESC, id DESC
+LIMIT 50;
+```
+
+Back it with an index that matches the cursor:
+
+```sql
+CREATE INDEX idx_products_created_id ON products (created_at, id);
+```
+
+Do not use deep `OFFSET` pagination on large tables; it makes the server scan
+and discard rows before returning the page.
+
+### JSON Fields
+
+Use JSON columns for extension data, not for fields that need heavy relational
+filtering or constraints.
+
+```sql
+CREATE TABLE events (
+    id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
+    payload JSON NOT NULL,
+    event_type VARCHAR(64)
+        GENERATED ALWAYS AS (JSON_UNQUOTE(JSON_EXTRACT(payload, '$.type'))) STORED,
+    KEY idx_events_type (event_type)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+```
+
+For frequently queried JSON paths, expose a generated column and index that
+column. Keep foreign keys, ownership, tenancy, and lifecycle fields relational.
+
+### Full-Text Search
+
+```sql
+ALTER TABLE articles ADD FULLTEXT KEY ft_articles_title_body (title, body);
+
+SELECT id, title, MATCH(title, body) AGAINST (? IN NATURAL LANGUAGE MODE) AS score
+FROM articles
+WHERE MATCH(title, body) AGAINST (? IN NATURAL LANGUAGE MODE)
+ORDER BY score DESC
+LIMIT 20;
+```
+
+Use external search when you need typo tolerance, complex ranking, cross-table
+facets, or language-specific analysis beyond built-in full-text behavior.
+
+## Transactions
+
+Keep transactions short and lock rows in a consistent order:
+
+```sql
+START TRANSACTION;
+
+SELECT id, balance
+FROM accounts
+WHERE id IN (?, ?)
+ORDER BY id
+FOR UPDATE;
+
+UPDATE accounts SET balance = balance - ? WHERE id = ?;
+UPDATE accounts SET balance = balance + ? WHERE id = ?;
+
+COMMIT;
+```
+
+Deadlock and lock-wait checklist:
+
+- Lock rows in a deterministic order across code paths.
+- Do external API calls before opening the transaction, not inside it.
+- Add indexes for predicates used in `UPDATE`, `DELETE`, and locking reads.
+- On deadlock, roll back and retry the whole transaction with a bounded retry
+  budget.
+- Capture `SHOW ENGINE INNODB STATUS\G` soon after a deadlock; it is overwritten
+  by later events.
+
+Queue-style worker claim:
+
+```sql
+START TRANSACTION;
+
+SELECT id
+FROM jobs
+WHERE status = 'pending'
+ORDER BY created_at
+LIMIT 1
+FOR UPDATE SKIP LOCKED;
+
+UPDATE jobs
+SET status = 'processing', started_at = CURRENT_TIMESTAMP
+WHERE id = ?;
+
+COMMIT;
+```
+
+Use `SKIP LOCKED` only for queue-like workloads where skipping a locked row is
+acceptable. It is not a replacement for normal transactional consistency.
+
+## Connection Pools
+
+SQLAlchemy example:
+
+```python
+from sqlalchemy import create_engine
+
+engine = create_engine(
+    "mysql+mysqlconnector://app:secret@db.internal/app",
+    pool_size=10,
+    max_overflow=5,
+    pool_timeout=30,
+    pool_recycle=240,
+    pool_pre_ping=True,
+    connect_args={"connect_timeout": 5},
+)
+```
+
+Node.js `mysql2` example:
+
+```javascript
+import mysql from 'mysql2/promise';
+
+const pool = mysql.createPool({
+  host: process.env.DB_HOST,
+  user: process.env.DB_USER,
+  password: process.env.DB_PASSWORD,
+  database: process.env.DB_NAME,
+  waitForConnections: true,
+  connectionLimit: 10,
+  queueLimit: 0,
+  enableKeepAlive: true,
+  keepAliveInitialDelay: 30000,
+});
+
+const [rows] = await pool.execute(
+  'SELECT id, total FROM orders WHERE account_id = ? LIMIT 50',
+  [accountId],
+);
+```
+
+Keep application pool recycling below the server `wait_timeout`. If the server
+uses `wait_timeout = 300`, a `pool_recycle` around 240 seconds is coherent;
+`pool_pre_ping` still helps recover from network and failover events.
+
+## Diagnostics
+
+Useful first-pass commands:
+
+```sql
+SHOW FULL PROCESSLIST;
+SHOW ENGINE INNODB STATUS\G;
+SHOW VARIABLES LIKE 'slow_query_log';
+SHOW VARIABLES LIKE 'long_query_time';
+```
+
+Enable the slow log in a controlled environment:
+
+```sql
+SET GLOBAL slow_query_log = 'ON';
+SET GLOBAL long_query_time = 1;
+SET GLOBAL log_queries_not_using_indexes = 'ON';
+```
+
+Use `EXPLAIN ANALYZE` only when it is safe to execute the query. It runs the
+statement and can be expensive on production-sized data.
+
+## Replication
+
+Read replicas can lag. Do not route read-your-own-write paths, checkout flows,
+permission checks, or idempotency-key reads to a replica immediately after a
+write.
+
+```sql
+-- MySQL legacy terminology, still common in existing fleets
+SHOW SLAVE STATUS\G;
+
+-- Newer terminology where supported
+SHOW REPLICA STATUS\G;
+```
+
+Check the engine/version before standardizing on one command. Monitor replica
+SQL thread health, IO thread health, and lag, not just whether the TCP
+connection is alive.
+
+## Security
+
+```sql
+CREATE USER 'app'@'%' IDENTIFIED BY 'use-a-secret-manager';
+GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'%';
+
+ALTER USER 'app'@'%' REQUIRE SSL;
+
+SELECT user, host
+FROM mysql.user
+WHERE user = '';
+
+DROP USER IF EXISTS ''@'localhost';
+DROP USER IF EXISTS ''@'%';
+```
+
+Security review points:
+
+- Do not grant `ALL PRIVILEGES` or `*.*` to application users.
+- Require TLS for application users when traffic crosses hosts or networks.
+- Store credentials in the platform secret manager, not in examples, scripts, or
+  repository files.
+- Separate migration/admin users from runtime application users.
+- Audit public network exposure and bind addresses before tuning performance.
+
+## Configuration
+
+Example starting point for a dedicated database host:
+
+```ini
+[mysqld]
+innodb_buffer_pool_size = 4G
+innodb_flush_log_at_trx_commit = 1
+sync_binlog = 1
+
+max_connections = 300
+thread_cache_size = 50
+
+wait_timeout = 300
+interactive_timeout = 300
+innodb_lock_wait_timeout = 10
+
+slow_query_log = ON
+long_query_time = 1
+log_queries_not_using_indexes = ON
+
+log_bin = mysql-bin
+binlog_format = ROW
+binlog_expire_logs_seconds = 604800
+```
+
+Treat configuration values as a prompt for review, not a universal preset. Size
+memory, connections, log retention, and durability settings from workload,
+hardware, backup policy, and recovery objectives.
+
+## Anti-Patterns
+
+| Anti-Pattern | Risk | Better Pattern |
+| --- | --- | --- |
+| `SELECT *` in hot paths | Over-fetching and brittle clients | Select explicit columns |
+| Deep `OFFSET` pagination | Linear scans and slow pages | Keyset pagination |
+| No index on foreign-key joins | Slow joins and lock-heavy deletes | Index FK columns intentionally |
+| Long transactions | Lock waits and large undo history | Commit small units of work |
+| Direct DML against `mysql.user` | Grant-table corruption risk | Use `CREATE USER`, `ALTER USER`, `DROP USER` |
+| Application user with admin grants | High blast radius | Least-privilege runtime user |
+| Pool recycle above `wait_timeout` | Stale pooled connections | Recycle below timeout and pre-ping |
+| Replica reads after writes | Stale user-facing state | Pin read-after-write flows to primary |
+
+## Output Expectations
+
+When this skill is used for review, return:
+
+1. Engine/version assumptions.
+2. Highest-risk correctness, lock, security, and migration issues.
+3. Exact SQL or code changes for the safe path.
+4. Validation plan: `EXPLAIN`, migration dry run, lock/deadlock check, and
+   rollback criteria.
+5. Any MySQL/MariaDB syntax differences that affect the recommendation.
+
+## Related
+
+- Skill: `postgres-patterns` - PostgreSQL-specific schema and query patterns
+- Skill: `database-migrations` - migration planning and rollout safety
+- Skill: `backend-patterns` - API and service-layer patterns
+- Skill: `security-review` - secret handling, auth, and least privilege
+- Agent: `database-reviewer` - broader database review workflow

package/skills/nanoclaw-repl/SKILL.md

@@ -0,0 +1,32 @@
+---
+name: nanoclaw-repl
+description: Operate and extend NanoClaw v2, the toolset's zero-dependency session-aware REPL built on claude -p.
+---
+
+# NanoClaw REPL
+
+Use this skill when running or extending `scripts/claw.js`.
+
+## Capabilities
+
+- persistent markdown-backed sessions
+- model switching with `/model`
+- dynamic skill loading with `/load`
+- session branching with `/branch`
+- cross-session search with `/search`
+- history compaction with `/compact`
+- export to md/json/txt with `/export`
+- session metrics with `/metrics`
+
+## Operating Guidance
+
+1. Keep sessions task-focused.
+2. Branch before high-risk changes.
+3. Compact after major milestones.
+4. Export before sharing or archival.
+
+## Extension Rules
+
+- keep zero external runtime dependencies
+- preserve markdown-as-database compatibility
+- keep command handlers deterministic and local

package/skills/nestjs-patterns/SKILL.md

@@ -0,0 +1,229 @@
+---
+name: nestjs-patterns
+description: NestJS architecture patterns for modules, controllers, providers, DTO validation, guards, interceptors, config, and production-grade TypeScript backends.
+---
+
+# NestJS Development Patterns
+
+Production-grade NestJS patterns for modular TypeScript backends.
+
+## When to Activate
+
+- Building NestJS APIs or services
+- Structuring modules, controllers, and providers
+- Adding DTO validation, guards, interceptors, or exception filters
+- Configuring environment-aware settings and database integrations
+- Testing NestJS units or HTTP endpoints
+
+## Project Structure
+
+```text
+src/
+├── app.module.ts
+├── main.ts
+├── common/
+│   ├── filters/
+│   ├── guards/
+│   ├── interceptors/
+│   └── pipes/
+├── config/
+│   ├── configuration.ts
+│   └── validation.ts
+├── modules/
+│   ├── auth/
+│   │   ├── auth.controller.ts
+│   │   ├── auth.module.ts
+│   │   ├── auth.service.ts
+│   │   ├── dto/
+│   │   ├── guards/
+│   │   └── strategies/
+│   └── users/
+│       ├── dto/
+│       ├── entities/
+│       ├── users.controller.ts
+│       ├── users.module.ts
+│       └── users.service.ts
+└── prisma/ or database/
+```
+
+- Keep domain code inside feature modules.
+- Put cross-cutting filters, decorators, guards, and interceptors in `common/`.
+- Keep DTOs close to the module that owns them.
+
+## Bootstrap and Global Validation
+
+```ts
+async function bootstrap() {
+  const app = await NestFactory.create(AppModule, { bufferLogs: true });
+
+  app.useGlobalPipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+      transformOptions: { enableImplicitConversion: true },
+    }),
+  );
+
+  app.useGlobalInterceptors(new ClassSerializerInterceptor(app.get(Reflector)));
+  app.useGlobalFilters(new HttpExceptionFilter());
+
+  await app.listen(process.env.PORT ?? 3000);
+}
+bootstrap();
+```
+
+- Always enable `whitelist` and `forbidNonWhitelisted` on public APIs.
+- Prefer one global validation pipe instead of repeating validation config per route.
+
+## Modules, Controllers, and Providers
+
+```ts
+@Module({
+  controllers: [UsersController],
+  providers: [UsersService],
+  exports: [UsersService],
+})
+export class UsersModule {}
+
+@Controller('users')
+export class UsersController {
+  constructor(private readonly usersService: UsersService) {}
+
+  @Get(':id')
+  getById(@Param('id', ParseUUIDPipe) id: string) {
+    return this.usersService.getById(id);
+  }
+
+  @Post()
+  create(@Body() dto: CreateUserDto) {
+    return this.usersService.create(dto);
+  }
+}
+
+@Injectable()
+export class UsersService {
+  constructor(private readonly usersRepo: UsersRepository) {}
+
+  async create(dto: CreateUserDto) {
+    return this.usersRepo.create(dto);
+  }
+}
+```
+
+- Controllers should stay thin: parse HTTP input, call a provider, return response DTOs.
+- Put business logic in injectable services, not controllers.
+- Export only the providers other modules genuinely need.
+
+## DTOs and Validation
+
+```ts
+export class CreateUserDto {
+  @IsEmail()
+  email!: string;
+
+  @IsString()
+  @Length(2, 80)
+  name!: string;
+
+  @IsOptional()
+  @IsEnum(UserRole)
+  role?: UserRole;
+}
+```
+
+- Validate every request DTO with `class-validator`.
+- Use dedicated response DTOs or serializers instead of returning ORM entities directly.
+- Avoid leaking internal fields such as password hashes, tokens, or audit columns.
+
+## Auth, Guards, and Request Context
+
+```ts
+@UseGuards(JwtAuthGuard, RolesGuard)
+@Roles('admin')
+@Get('admin/report')
+getAdminReport(@Req() req: AuthenticatedRequest) {
+  return this.reportService.getForUser(req.user.id);
+}
+```
+
+- Keep auth strategies and guards module-local unless they are truly shared.
+- Encode coarse access rules in guards, then do resource-specific authorization in services.
+- Prefer explicit request types for authenticated request objects.
+
+## Exception Filters and Error Shape
+
+```ts
+@Catch()
+export class HttpExceptionFilter implements ExceptionFilter {
+  catch(exception: unknown, host: ArgumentsHost) {
+    const response = host.switchToHttp().getResponse<Response>();
+    const request = host.switchToHttp().getRequest<Request>();
+
+    if (exception instanceof HttpException) {
+      return response.status(exception.getStatus()).json({
+        path: request.url,
+        error: exception.getResponse(),
+      });
+    }
+
+    return response.status(500).json({
+      path: request.url,
+      error: 'Internal server error',
+    });
+  }
+}
+```
+
+- Keep one consistent error envelope across the API.
+- Throw framework exceptions for expected client errors; log and wrap unexpected failures centrally.
+
+## Config and Environment Validation
+
+```ts
+ConfigModule.forRoot({
+  isGlobal: true,
+  load: [configuration],
+  validate: validateEnv,
+});
+```
+
+- Validate env at boot, not lazily at first request.
+- Keep config access behind typed helpers or config services.
+- Split dev/staging/prod concerns in config factories instead of branching throughout feature code.
+
+## Persistence and Transactions
+
+- Keep repository / ORM code behind providers that speak domain language.
+- For Prisma or TypeORM, isolate transactional workflows in services that own the unit of work.
+- Do not let controllers coordinate multi-step writes directly.
+
+## Testing
+
+```ts
+describe('UsersController', () => {
+  let app: INestApplication;
+
+  beforeAll(async () => {
+    const moduleRef = await Test.createTestingModule({
+      imports: [UsersModule],
+    }).compile();
+
+    app = moduleRef.createNestApplication();
+    app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true }));
+    await app.init();
+  });
+});
+```
+
+- Unit test providers in isolation with mocked dependencies.
+- Add request-level tests for guards, validation pipes, and exception filters.
+- Reuse the same global pipes/filters in tests that you use in production.
+
+## Production Defaults
+
+- Enable structured logging and request correlation ids.
+- Terminate on invalid env/config instead of booting partially.
+- Prefer async provider initialization for DB/cache clients with explicit health checks.
+- Keep background jobs and event consumers in their own modules, not inside HTTP controllers.
+- Make rate limiting, auth, and audit logging explicit for public endpoints.