@malamute/ai-rules 1.0.0 → 1.3.0

package/configs/_shared/rules/devops/ci-cd.md

@@ -0,0 +1,262 @@
+---
+paths:
+  - ".github/workflows/**"
+  - ".gitlab-ci.yml"
+  - "azure-pipelines.yml"
+  - "Jenkinsfile"
+  - ".circleci/**"
+---
+
+# CI/CD Best Practices
+
+## Pipeline Principles
+
+- **Fast feedback**: Run quick checks first (lint, type-check)
+- **Fail fast**: Stop pipeline on first failure
+- **Parallelization**: Run independent jobs in parallel
+- **Caching**: Cache dependencies between runs
+- **Artifacts**: Pass build outputs between jobs
+
+## GitHub Actions
+
+### Basic Pipeline
+
+```yaml
+# .github/workflows/ci.yml
+name: CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+      - run: npm ci
+      - run: npm run lint
+
+  test:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+      - run: npm ci
+      - run: npm test -- --coverage
+      - uses: codecov/codecov-action@v3
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+      - run: npm ci
+      - run: npm run build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: build
+          path: dist/
+```
+
+### Nx Monorepo Pipeline
+
+```yaml
+name: CI (Nx)
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - run: npm ci
+
+      - uses: nrwl/nx-set-shas@v4
+
+      # Run affected commands
+      - run: npx nx affected -t lint --parallel=3
+      - run: npx nx affected -t test --parallel=3 --coverage
+      - run: npx nx affected -t build --parallel=3
+```
+
+### Deploy Pipeline
+
+```yaml
+# .github/workflows/deploy.yml
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: |
+          docker build -t myapp:${{ github.sha }} .
+
+      - name: Login to Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push image
+        run: |
+          docker tag myapp:${{ github.sha }} ghcr.io/${{ github.repository }}:${{ github.sha }}
+          docker tag myapp:${{ github.sha }} ghcr.io/${{ github.repository }}:latest
+          docker push ghcr.io/${{ github.repository }} --all-tags
+
+      - name: Deploy to production
+        run: |
+          # kubectl, ssh, or cloud CLI deployment
+          echo "Deploying ${{ github.sha }}"
+```
+
+## Branch Protection
+
+Configure in GitHub Settings:
+
+- Require PR reviews before merging
+- Require status checks (CI must pass)
+- Require branches to be up to date
+- Enforce linear history (squash or rebase)
+- Restrict force pushes
+
+## Secrets Management
+
+```yaml
+# Reference secrets (never hardcode!)
+env:
+  DATABASE_URL: ${{ secrets.DATABASE_URL }}
+  API_KEY: ${{ secrets.API_KEY }}
+
+# Use environments for different configs
+jobs:
+  deploy:
+    environment: production  # Uses production secrets
+```
+
+## Caching Strategies
+
+```yaml
+# Node.js
+- uses: actions/setup-node@v4
+  with:
+    cache: 'npm'  # Built-in caching
+
+# Custom cache
+- uses: actions/cache@v4
+  with:
+    path: |
+      ~/.npm
+      node_modules
+    key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+    restore-keys: |
+      ${{ runner.os }}-node-
+
+# Docker layer caching
+- uses: docker/build-push-action@v5
+  with:
+    cache-from: type=gha
+    cache-to: type=gha,mode=max
+```
+
+## Matrix Builds
+
+```yaml
+jobs:
+  test:
+    strategy:
+      matrix:
+        node: [18, 20, 22]
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+```
+
+## Release Automation
+
+```yaml
+# .github/workflows/release.yml
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        with:
+          generate_release_notes: true
+          files: |
+            dist/*.zip
+```
+
+## Quality Gates
+
+| Check | Tool | Threshold |
+|-------|------|-----------|
+| Lint | ESLint/Ruff | 0 errors |
+| Type check | TypeScript/mypy | 0 errors |
+| Unit tests | Jest/pytest | 100% pass |
+| Coverage | Codecov | ≥80% |
+| Security | Snyk/Dependabot | 0 critical |
+| Build | Framework CLI | Success |
+
+## Anti-patterns
+
+- Running all tests on every commit (use affected)
+- Not caching dependencies
+- Hardcoding secrets
+- Not using concurrency limits
+- Deploying without approval gates
+- Missing rollback strategy
+- No artifact retention policy

package/configs/_shared/rules/devops/docker.md

@@ -0,0 +1,275 @@
+---
+paths:
+  - "**/Dockerfile"
+  - "**/docker-compose*.yml"
+  - "**/.dockerignore"
+---
+
+# Docker Best Practices
+
+## Dockerfile Principles
+
+### Multi-stage Builds
+
+Always use multi-stage builds to minimize image size:
+
+```dockerfile
+# Stage 1: Build
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+# Stage 2: Production
+FROM node:20-alpine AS runner
+WORKDIR /app
+ENV NODE_ENV=production
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/node_modules ./node_modules
+USER node
+EXPOSE 3000
+CMD ["node", "dist/main.js"]
+```
+
+### Layer Optimization
+
+Order from least to most frequently changed:
+
+```dockerfile
+# 1. Base image (rarely changes)
+FROM node:20-alpine
+
+# 2. System dependencies (rarely changes)
+RUN apk add --no-cache dumb-init
+
+# 3. App dependencies (changes with package.json)
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --only=production
+
+# 4. App code (changes frequently)
+COPY . .
+
+# 5. Build (if needed)
+RUN npm run build
+```
+
+### Security
+
+```dockerfile
+# Use specific version, not :latest
+FROM node:20.10.0-alpine
+
+# Run as non-root user
+RUN addgroup -g 1001 appgroup && \
+    adduser -u 1001 -G appgroup -s /bin/sh -D appuser
+USER appuser
+
+# Don't expose unnecessary ports
+EXPOSE 3000
+
+# Use read-only filesystem where possible
+# (set in docker-compose or runtime)
+```
+
+## .dockerignore
+
+Always include:
+
+```
+node_modules
+npm-debug.log
+.git
+.gitignore
+.env
+.env.*
+*.md
+.vscode
+.idea
+coverage
+dist
+.nx
+tmp
+```
+
+## Docker Compose
+
+### Development
+
+```yaml
+# docker-compose.yml
+services:
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      target: development
+    volumes:
+      - .:/app
+      - /app/node_modules  # Prevent overwriting
+    ports:
+      - "3000:3000"
+    environment:
+      - NODE_ENV=development
+    depends_on:
+      - db
+      - redis
+
+  db:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_USER: dev
+      POSTGRES_PASSWORD: dev
+      POSTGRES_DB: app_dev
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    ports:
+      - "5432:5432"
+
+  redis:
+    image: redis:7-alpine
+    ports:
+      - "6379:6379"
+
+volumes:
+  postgres_data:
+```
+
+### Production
+
+```yaml
+# docker-compose.prod.yml
+services:
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      target: production
+    restart: unless-stopped
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      - NODE_ENV=production
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M
+```
+
+## Framework-Specific Patterns
+
+### Node.js / NestJS / Next.js
+
+```dockerfile
+FROM node:20-alpine AS base
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+
+FROM base AS deps
+COPY package*.json ./
+RUN npm ci
+
+FROM base AS builder
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+RUN npm run build
+
+FROM base AS runner
+ENV NODE_ENV=production
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 app
+COPY --from=builder --chown=app:nodejs /app/dist ./dist
+COPY --from=builder --chown=app:nodejs /app/node_modules ./node_modules
+USER app
+EXPOSE 3000
+CMD ["node", "dist/main.js"]
+```
+
+### Python / FastAPI
+
+```dockerfile
+FROM python:3.12-slim AS base
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1
+
+FROM base AS builder
+RUN pip install poetry
+WORKDIR /app
+COPY pyproject.toml poetry.lock ./
+RUN poetry export -f requirements.txt --output requirements.txt
+
+FROM base AS runner
+WORKDIR /app
+COPY --from=builder /app/requirements.txt .
+RUN pip install -r requirements.txt
+COPY . .
+RUN useradd -m appuser && chown -R appuser:appuser /app
+USER appuser
+EXPOSE 8000
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
+```
+
+### .NET
+
+```dockerfile
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+WORKDIR /src
+COPY *.csproj ./
+RUN dotnet restore
+COPY . .
+RUN dotnet publish -c Release -o /app/publish
+
+FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS runtime
+WORKDIR /app
+COPY --from=build /app/publish .
+RUN useradd -m appuser && chown -R appuser:appuser /app
+USER appuser
+EXPOSE 8080
+ENTRYPOINT ["dotnet", "App.dll"]
+```
+
+## Health Checks
+
+Always implement health endpoints:
+
+```dockerfile
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost:3000/health || exit 1
+```
+
+## Environment Variables
+
+```dockerfile
+# Build-time args
+ARG NODE_ENV=production
+ARG APP_VERSION
+
+# Runtime environment
+ENV NODE_ENV=${NODE_ENV} \
+    APP_VERSION=${APP_VERSION}
+
+# Never put secrets in Dockerfile!
+# Use: docker run -e SECRET=xxx or docker-compose with env_file
+```
+
+## Anti-patterns
+
+- Using `:latest` tag
+- Running as root
+- Copying entire context before installing deps
+- Not using multi-stage builds
+- Hardcoding secrets in Dockerfile
+- Not setting resource limits
+- Missing health checks
+- Not using .dockerignore

package/configs/_shared/rules/devops/nx.md

@@ -0,0 +1,194 @@
+---
+paths:
+  - "libs/**/*"
+  - "apps/**/*"
+  - "nx.json"
+  - "project.json"
+  - "*.ts"
+---
+
+# Nx Monorepo Rules
+
+## Project Structure
+
+```
+workspace/
+├── apps/                    # Deployable applications
+│   ├── web/                 # Main app
+│   └── web-e2e/             # E2E tests
+├── libs/                    # Reusable libraries
+│   ├── shared/              # Cross-domain (ui, util)
+│   └── [domain]/            # Domain-specific
+│       ├── feature-*/       # Smart components, pages
+│       ├── ui-*/            # Dumb/presentational components
+│       ├── data-access-*/   # State, API services
+│       └── util-*/          # Pure functions, helpers
+├── nx.json
+└── tsconfig.base.json
+```
+
+## Library Types
+
+| Type | Purpose | Can Import |
+|------|---------|------------|
+| `feature` | Smart components, routing, pages | ui, data-access, util |
+| `ui` | Presentational components | util only |
+| `data-access` | State management, API calls | util only |
+| `util` | Pure functions, types, constants | util only |
+
+## Naming Convention
+
+```
+libs/[scope]/[type]-[name]
+
+# Examples
+libs/users/feature-list        # User list page
+libs/users/ui-avatar           # Avatar component
+libs/users/data-access         # User state/API
+libs/users/util-permissions    # Permission helpers
+libs/shared/ui-button          # Shared button
+libs/shared/util-format        # Format utilities
+```
+
+## Tags & Boundaries
+
+### nx.json
+
+```json
+{
+  "targetDefaults": {
+    "build": { "dependsOn": ["^build"] },
+    "test": { "dependsOn": ["build"] }
+  }
+}
+```
+
+### project.json tags
+
+```json
+{
+  "tags": ["scope:users", "type:feature"]
+}
+```
+
+### .eslintrc.json boundaries
+
+```json
+{
+  "rules": {
+    "@nx/enforce-module-boundaries": [
+      "error",
+      {
+        "depConstraints": [
+          { "sourceTag": "type:feature", "onlyDependOnLibsWithTags": ["type:ui", "type:data-access", "type:util"] },
+          { "sourceTag": "type:ui", "onlyDependOnLibsWithTags": ["type:util"] },
+          { "sourceTag": "type:data-access", "onlyDependOnLibsWithTags": ["type:util"] },
+          { "sourceTag": "type:util", "onlyDependOnLibsWithTags": ["type:util"] },
+          { "sourceTag": "scope:shared", "onlyDependOnLibsWithTags": ["scope:shared"] },
+          { "sourceTag": "scope:users", "onlyDependOnLibsWithTags": ["scope:users", "scope:shared"] }
+        ]
+      }
+    ]
+  }
+}
+```
+
+## Dependency Flow
+
+```
+┌─────────────────────────────────────────────┐
+│                   apps/                      │
+│        (can import any lib)                  │
+└─────────────────────────────────────────────┘
+                      │
+                      ▼
+┌─────────────────────────────────────────────┐
+│              feature libs                    │
+│   (pages, smart components, routing)         │
+└─────────────────────────────────────────────┘
+            │                │
+            ▼                ▼
+┌──────────────────┐  ┌──────────────────┐
+│     ui libs      │  │  data-access     │
+│  (presentational)│  │  (state, API)    │
+└──────────────────┘  └──────────────────┘
+            │                │
+            └───────┬────────┘
+                    ▼
+┌─────────────────────────────────────────────┐
+│               util libs                      │
+│    (pure functions, types, constants)        │
+└─────────────────────────────────────────────┘
+```
+
+## Commands Reference
+
+| Command | Description |
+|---------|-------------|
+| `nx affected -t test` | Test affected projects |
+| `nx affected -t build` | Build affected projects |
+| `nx affected -t lint` | Lint affected projects |
+| `nx run-many -t test --all` | Test all projects |
+| `nx graph` | Visualize dependency graph |
+| `nx reset` | Clear cache |
+
+## Generator Commands
+
+| Command | Description |
+|---------|-------------|
+| `nx g @nx/angular:lib [name]` | Generate Angular library |
+| `nx g @nx/angular:component [name]` | Generate component |
+| `nx g @nx/angular:service [name]` | Generate service |
+| `nx g remove [name]` | Remove project |
+| `nx g move --project [name] [dest]` | Move project |
+
+## Import Paths
+
+Always use workspace paths, never relative imports across libs:
+
+```typescript
+// GOOD - workspace path
+import { UserService } from '@myorg/users/data-access';
+import { ButtonComponent } from '@myorg/shared/ui-button';
+
+// BAD - relative cross-lib import
+import { UserService } from '../../../users/data-access/src';
+```
+
+## Anti-patterns
+
+- Never import from `apps/` into `libs/`
+- Never create circular dependencies between libs
+- Never import `feature` into `ui` or `data-access`
+- Never import domain-specific into `shared/` scope
+- Never skip the public API (`index.ts`)
+
+## Caching
+
+Nx caches build/test results. To leverage:
+
+```json
+// nx.json
+{
+  "tasksRunnerOptions": {
+    "default": {
+      "runner": "nx/tasks-runners/default",
+      "options": {
+        "cacheableOperations": ["build", "lint", "test", "e2e"]
+      }
+    }
+  }
+}
+```
+
+## Affected Commands
+
+Always use `affected` in CI:
+
+```bash
+# Only test what changed
+nx affected -t test --base=main --head=HEAD
+
+# Only build what changed
+nx affected -t build --base=main --head=HEAD
+```