@luanpdd/kit-mcp 1.35.0 → 1.36.0

package/gates/skill-must-include.md

@@ -1,71 +1,71 @@
----
-id: skill-must-include
-stage: pre-verify
-blocking: true
-description: Valida que skills supabase-* contêm strings obrigatórias verbatim — anti-pattern prevention (RLS (select), search_path, getAll/setAll, etc.).
----
-
-# Skill must-include gate
-
-**When to run:** pre-verify.
-
-## Check
-
-```bash
-#!/usr/bin/env bash
-# PT-BR: cada skill deve incluir strings obrigatórias verbatim para prevenir anti-patterns
-# Portable: bash 3.2+ (macOS default), sem associative arrays
-set -e
-
-VIOLATIONS=0
-
-check_skill() {
-  local skill="$1"
-  local required="$2"   # strings separadas por |
-  local file="kit/skills/$skill/SKILL.md"
-
-  if [ ! -f "$file" ]; then
-    echo "FAIL: $file — skill ausente"
-    VIOLATIONS=$((VIOLATIONS + 1))
-    return
-  fi
-
-  # PT-BR: testa cada string (separada por |)
-  local IFS='|'
-  for str in $required; do
-    if ! grep -qF "$str" "$file"; then
-      echo "FAIL: $file — must-include ausente: '$str'"
-      VIOLATIONS=$((VIOLATIONS + 1))
-    fi
-  done
-}
-
-check_skill "supabase-rls-policies"        "(select auth.uid())|user_metadata|TO authenticated"
-check_skill "supabase-database-functions"  "set search_path = ''|SECURITY INVOKER"
-check_skill "supabase-auth-ssr"            "getAll|setAll|auth-helpers-nextjs|@supabase/ssr"
-check_skill "supabase-realtime"            "broadcast|private: true|realtime.broadcast_changes|removeChannel"
-check_skill "supabase-edge-functions"      "npm:|jsr:|Deno.serve|EdgeRuntime.waitUntil|/tmp"
-check_skill "supabase-declarative-schema"  "supabase/schemas/|supabase stop|supabase db diff -f"
-check_skill "supabase-migrations"          "YYYYMMDDHHmmss|RLS|granular"
-check_skill "supabase-postgres-style"      "snake_case|ISO 8601|lowercase"
-check_skill "supabase-storage"             "signed URL|storage.objects|multi-tenant"
-check_skill "supabase-pgvector-rag"        "HNSW|IVFFlat|<=>|RAG with permissions"
-check_skill "supabase-cron-queues"         "pg_cron|pgmq|pg_net"
-
-if [ "$VIOLATIONS" -gt 0 ]; then
-  echo "Total violations: $VIOLATIONS"
-  exit 1
-fi
-
-echo "✓ Todas as skills supabase-* contêm must-include strings"
-exit 0
-```
-
-## Verdict
-
-- **passed** — todas as 11 skills têm strings obrigatórias
-- **block** — pelo menos uma skill faltando string crítica (anti-pattern prevention quebrada)
-
-## Notes
-
-Anti-pitfall A7 da v1.8: skills devem prevenir ativamente os anti-patterns Supabase mais críticos. Sem este gate, refator de skill pode acidentalmente remover a regra principal (ex: `(select auth.uid())` wrapper que previne 1000× degradação). Strings como `WARNING user_metadata`, `set search_path = ''`, `NEVER use auth-helpers-nextjs` são as primeiras coisas que LLM lê — devem estar lá.
+---
+id: skill-must-include
+stage: pre-verify
+blocking: true
+description: Valida que skills supabase-* contêm strings obrigatórias verbatim — anti-pattern prevention (RLS (select), search_path, getAll/setAll, etc.).
+---
+
+# Skill must-include gate
+
+**When to run:** pre-verify.
+
+## Check
+
+```bash
+#!/usr/bin/env bash
+# PT-BR: cada skill deve incluir strings obrigatórias verbatim para prevenir anti-patterns
+# Portable: bash 3.2+ (macOS default), sem associative arrays
+set -e
+
+VIOLATIONS=0
+
+check_skill() {
+  local skill="$1"
+  local required="$2"   # strings separadas por |
+  local file="kit/skills/$skill/SKILL.md"
+
+  if [ ! -f "$file" ]; then
+    echo "FAIL: $file — skill ausente"
+    VIOLATIONS=$((VIOLATIONS + 1))
+    return
+  fi
+
+  # PT-BR: testa cada string (separada por |)
+  local IFS='|'
+  for str in $required; do
+    if ! grep -qF "$str" "$file"; then
+      echo "FAIL: $file — must-include ausente: '$str'"
+      VIOLATIONS=$((VIOLATIONS + 1))
+    fi
+  done
+}
+
+check_skill "supabase-rls-policies"        "(select auth.uid())|user_metadata|TO authenticated"
+check_skill "supabase-database-functions"  "set search_path = ''|SECURITY INVOKER"
+check_skill "supabase-auth-ssr"            "getAll|setAll|auth-helpers-nextjs|@supabase/ssr"
+check_skill "supabase-realtime"            "broadcast|private: true|realtime.broadcast_changes|removeChannel"
+check_skill "supabase-edge-functions"      "npm:|jsr:|Deno.serve|EdgeRuntime.waitUntil|/tmp"
+check_skill "supabase-declarative-schema"  "supabase/schemas/|supabase stop|supabase db diff -f"
+check_skill "supabase-migrations"          "YYYYMMDDHHmmss|RLS|granular"
+check_skill "supabase-postgres-style"      "snake_case|ISO 8601|lowercase"
+check_skill "supabase-storage"             "signed URL|storage.objects|multi-tenant"
+check_skill "supabase-pgvector-rag"        "HNSW|IVFFlat|<=>|RAG with permissions"
+check_skill "supabase-cron-queues"         "pg_cron|pgmq|pg_net"
+
+if [ "$VIOLATIONS" -gt 0 ]; then
+  echo "Total violations: $VIOLATIONS"
+  exit 1
+fi
+
+echo "✓ Todas as skills supabase-* contêm must-include strings"
+exit 0
+```
+
+## Verdict
+
+- **passed** — todas as 11 skills têm strings obrigatórias
+- **block** — pelo menos uma skill faltando string crítica (anti-pattern prevention quebrada)
+
+## Notes
+
+Anti-pitfall A7 da v1.8: skills devem prevenir ativamente os anti-patterns Supabase mais críticos. Sem este gate, refator de skill pode acidentalmente remover a regra principal (ex: `(select auth.uid())` wrapper que previne 1000× degradação). Strings como `WARNING user_metadata`, `set search_path = ''`, `NEVER use auth-helpers-nextjs` são as primeiras coisas que LLM lê — devem estar lá.

package/gates/sync-idempotent.md

@@ -1,62 +1,62 @@
----
-id: sync-idempotent
-stage: pre-verify
-blocking: false
-description: Valida que `kit sync claude-code` rodado 2× consecutivos produz `.claude/` byte-idêntico (anti-pitfall A1 — drift kit/ ↔ .claude/).
----
-
-# Sync idempotent gate
-
-**When to run:** pre-verify (non-blocking — warn em vez de bloquear).
-
-## Check
-
-```bash
-#!/usr/bin/env bash
-# PT-BR: roda sync 2× e compara — output deve ser byte-idêntico
-set -e
-
-TMPDIR=$(mktemp -d -t kit-mcp-sync-test-XXXXXX)
-trap "rm -rf $TMPDIR" EXIT
-
-# PT-BR: copia projeto root para tmpdir (sem node_modules)
-mkdir -p "$TMPDIR/project"
-cp -r kit "$TMPDIR/project/"
-cp package.json "$TMPDIR/project/" 2>/dev/null || true
-
-# PT-BR: 1ª execução
-node bin/cli.js sync install claude-code --project-root "$TMPDIR/project" >/dev/null 2>&1 || {
-  echo "WARN: primeira sync falhou — gate inconclusivo"
-  exit 0
-}
-
-# PT-BR: snapshot do output
-SNAPSHOT1=$(find "$TMPDIR/project/.claude" -type f -exec sha256sum {} \; 2>/dev/null | sort | sha256sum)
-
-# PT-BR: 2ª execução
-node bin/cli.js sync install claude-code --project-root "$TMPDIR/project" >/dev/null 2>&1
-
-# PT-BR: snapshot 2
-SNAPSHOT2=$(find "$TMPDIR/project/.claude" -type f -exec sha256sum {} \; 2>/dev/null | sort | sha256sum)
-
-if [ "$SNAPSHOT1" != "$SNAPSHOT2" ]; then
-  echo "FAIL: sync não-idempotente — output diverge entre execuções"
-  echo "Snapshot 1: $SNAPSHOT1"
-  echo "Snapshot 2: $SNAPSHOT2"
-  exit 1
-fi
-
-echo "✓ Sync idempotente — duas execuções produzem .claude/ byte-idêntico"
-exit 0
-```
-
-## Verdict
-
-- **passed** — `.claude/` byte-idêntico entre 2 execuções
-- **warn** — drift detectado (não-blocking; investigar)
-
-## Notes
-
-Anti-pitfall A1 da v1.8: drift entre `kit/` canonical e `.claude/` stubs após adicionar 19+ items multiplicados por 8 IDE targets. Sync deve ser idempotente — qualquer fonte de não-determinismo (timestamps, ordering aleatório, hash de tempo de geração) precisa ser eliminada. Este gate detecta divergência cedo, antes de chegar em produção.
-
-**Por que non-blocking:** o gate roda CLI completo + I/O — pode falhar por razões ambientais (permissions, espaço em disco) que não são bugs de sync. Falha vira warn para revisão manual.
+---
+id: sync-idempotent
+stage: pre-verify
+blocking: false
+description: Valida que `kit sync claude-code` rodado 2× consecutivos produz `.claude/` byte-idêntico (anti-pitfall A1 — drift kit/ ↔ .claude/).
+---
+
+# Sync idempotent gate
+
+**When to run:** pre-verify (non-blocking — warn em vez de bloquear).
+
+## Check
+
+```bash
+#!/usr/bin/env bash
+# PT-BR: roda sync 2× e compara — output deve ser byte-idêntico
+set -e
+
+TMPDIR=$(mktemp -d -t kit-mcp-sync-test-XXXXXX)
+trap "rm -rf $TMPDIR" EXIT
+
+# PT-BR: copia projeto root para tmpdir (sem node_modules)
+mkdir -p "$TMPDIR/project"
+cp -r kit "$TMPDIR/project/"
+cp package.json "$TMPDIR/project/" 2>/dev/null || true
+
+# PT-BR: 1ª execução
+node bin/cli.js sync install claude-code --project-root "$TMPDIR/project" >/dev/null 2>&1 || {
+  echo "WARN: primeira sync falhou — gate inconclusivo"
+  exit 0
+}
+
+# PT-BR: snapshot do output
+SNAPSHOT1=$(find "$TMPDIR/project/.claude" -type f -exec sha256sum {} \; 2>/dev/null | sort | sha256sum)
+
+# PT-BR: 2ª execução
+node bin/cli.js sync install claude-code --project-root "$TMPDIR/project" >/dev/null 2>&1
+
+# PT-BR: snapshot 2
+SNAPSHOT2=$(find "$TMPDIR/project/.claude" -type f -exec sha256sum {} \; 2>/dev/null | sort | sha256sum)
+
+if [ "$SNAPSHOT1" != "$SNAPSHOT2" ]; then
+  echo "FAIL: sync não-idempotente — output diverge entre execuções"
+  echo "Snapshot 1: $SNAPSHOT1"
+  echo "Snapshot 2: $SNAPSHOT2"
+  exit 1
+fi
+
+echo "✓ Sync idempotente — duas execuções produzem .claude/ byte-idêntico"
+exit 0
+```
+
+## Verdict
+
+- **passed** — `.claude/` byte-idêntico entre 2 execuções
+- **warn** — drift detectado (não-blocking; investigar)
+
+## Notes
+
+Anti-pitfall A1 da v1.8: drift entre `kit/` canonical e `.claude/` stubs após adicionar 19+ items multiplicados por 8 IDE targets. Sync deve ser idempotente — qualquer fonte de não-determinismo (timestamps, ordering aleatório, hash de tempo de geração) precisa ser eliminada. Este gate detecta divergência cedo, antes de chegar em produção.
+
+**Por que non-blocking:** o gate roda CLI completo + I/O — pode falhar por razões ambientais (permissions, espaço em disco) que não são bugs de sync. Falha vira warn para revisão manual.

package/gates/verify-phase-goal.md

@@ -1,34 +1,34 @@
----
-id: verify-phase-goal
-stage: post-verify
-blocking: true
-description: Reverse-verify the phase goal against the codebase, not just task completion.
----
-
-# Verify phase goal gate
-
-**When to run:** after all plans in a phase have committed their SUMMARY.md.
-
-## Check
-
-Spawn the `verifier` agent with:
-- phase goal (from `ROADMAP.md`)
-- phase requirement IDs (from PLAN frontmatters)
-- phase dir path
-
-The verifier checks `must_haves` against the actual codebase and cross-references
-every requirement ID against `REQUIREMENTS.md`. It writes `*-VERIFICATION.md`.
-
-## Verdict
-
-- **passed** — every must-have verified → proceed to `update_roadmap`
-- **human_needed** — automated checks pass but some items need human eyes →
-  persist as `*-HUMAN-UAT.md` and ask the user to test or approve
-- **gaps_found** — at least one must-have unverified → propose
-  `/planejar-fase {X} --gaps` and stop the auto-chain
-
-## Notes
-
-This gate is opinionated: phase completeness is measured against the **goal**,
-not the task list. A phase whose every task is checked but whose goal is half-built
-must not be marked complete.
+---
+id: verify-phase-goal
+stage: post-verify
+blocking: true
+description: Reverse-verify the phase goal against the codebase, not just task completion.
+---
+
+# Verify phase goal gate
+
+**When to run:** after all plans in a phase have committed their SUMMARY.md.
+
+## Check
+
+Spawn the `verifier` agent with:
+- phase goal (from `ROADMAP.md`)
+- phase requirement IDs (from PLAN frontmatters)
+- phase dir path
+
+The verifier checks `must_haves` against the actual codebase and cross-references
+every requirement ID against `REQUIREMENTS.md`. It writes `*-VERIFICATION.md`.
+
+## Verdict
+
+- **passed** — every must-have verified → proceed to `update_roadmap`
+- **human_needed** — automated checks pass but some items need human eyes →
+  persist as `*-HUMAN-UAT.md` and ask the user to test or approve
+- **gaps_found** — at least one must-have unverified → propose
+  `/planejar-fase {X} --gaps` and stop the auto-chain
+
+## Notes
+
+This gate is opinionated: phase completeness is measured against the **goal**,
+not the task list. A phase whose every task is checked but whose goal is half-built
+must not be marked complete.