@malamute/ai-rules 1.0.0

package/configs/_shared/.claude/rules/performance.md

@@ -0,0 +1,226 @@
+---
+paths:
+  - "**/*.ts"
+  - "**/*.js"
+  - "**/*.py"
+  - "**/*.cs"
+---
+
+# Performance Rules
+
+## Database
+
+### N+1 Query Problem
+```typescript
+// Bad - N+1 queries
+const users = await db.users.findAll();
+for (const user of users) {
+  user.posts = await db.posts.findByUserId(user.id); // N queries!
+}
+
+// Good - eager loading
+const users = await db.users.findAll({
+  include: [{ model: Post }],
+});
+
+// Good - batch loading
+const users = await db.users.findAll();
+const userIds = users.map(u => u.id);
+const posts = await db.posts.findByUserIds(userIds);
+```
+
+### Missing Indexes
+```sql
+-- Add indexes for:
+-- 1. Foreign keys
+-- 2. Columns used in WHERE clauses
+-- 3. Columns used in ORDER BY
+-- 4. Columns used in JOIN conditions
+
+CREATE INDEX idx_posts_user_id ON posts(user_id);
+CREATE INDEX idx_users_email ON users(email);
+```
+
+### Select Only Needed Fields
+```typescript
+// Bad - select *
+const users = await db.query('SELECT * FROM users');
+
+// Good - select specific fields
+const users = await db.query('SELECT id, name, email FROM users');
+```
+
+### Pagination
+```typescript
+// Always paginate large datasets
+const users = await db.users.findAll({
+  limit: 20,
+  offset: (page - 1) * 20,
+});
+```
+
+## Caching
+
+### Cache Expensive Operations
+```typescript
+// Cache database queries
+const cacheKey = `user:${userId}`;
+let user = await cache.get(cacheKey);
+if (!user) {
+  user = await db.users.findById(userId);
+  await cache.set(cacheKey, user, { ttl: 3600 });
+}
+
+// Invalidate on update
+await db.users.update(userId, data);
+await cache.delete(`user:${userId}`);
+```
+
+### Memoization
+```typescript
+// Memoize pure functions
+const memoize = <T>(fn: (...args: any[]) => T): ((...args: any[]) => T) => {
+  const cache = new Map();
+  return (...args) => {
+    const key = JSON.stringify(args);
+    if (!cache.has(key)) {
+      cache.set(key, fn(...args));
+    }
+    return cache.get(key);
+  };
+};
+```
+
+## Frontend
+
+### Avoid Unnecessary Re-renders
+```typescript
+// React - use memo for expensive components
+const ExpensiveList = React.memo(({ items }) => {
+  return items.map(item => <Item key={item.id} {...item} />);
+});
+
+// Use useMemo for expensive calculations
+const sortedItems = useMemo(
+  () => items.sort((a, b) => a.name.localeCompare(b.name)),
+  [items]
+);
+
+// Use useCallback for stable function references
+const handleClick = useCallback(() => {
+  doSomething(id);
+}, [id]);
+```
+
+### Angular - OnPush Change Detection
+```typescript
+@Component({
+  changeDetection: ChangeDetectionStrategy.OnPush,
+})
+export class MyComponent {
+  // Only re-renders when inputs change
+}
+```
+
+### Lazy Loading
+```typescript
+// React - lazy load routes
+const Dashboard = React.lazy(() => import('./Dashboard'));
+
+// Angular - lazy load modules
+{ path: 'admin', loadChildren: () => import('./admin/admin.module') }
+```
+
+### Virtual Scrolling for Large Lists
+```typescript
+// Use virtualization for 100+ items
+// React: react-window, react-virtualized
+// Angular: @angular/cdk/scrolling
+```
+
+## Async Operations
+
+### Don't Block the Event Loop
+```typescript
+// Bad - blocking in async context
+async function processData() {
+  const result = heavySyncComputation(); // Blocks!
+  return result;
+}
+
+// Good - offload to worker or break up
+async function processData() {
+  return new Promise(resolve => {
+    setImmediate(() => {
+      const result = heavySyncComputation();
+      resolve(result);
+    });
+  });
+}
+```
+
+### Parallel Execution
+```typescript
+// Bad - sequential
+const user = await getUser(id);
+const posts = await getPosts(id);
+const comments = await getComments(id);
+
+// Good - parallel when independent
+const [user, posts, comments] = await Promise.all([
+  getUser(id),
+  getPosts(id),
+  getComments(id),
+]);
+```
+
+### Streaming for Large Data
+```typescript
+// Bad - load all in memory
+const allData = await db.query('SELECT * FROM huge_table');
+res.json(allData);
+
+// Good - stream
+const stream = db.queryStream('SELECT * FROM huge_table');
+stream.pipe(res);
+```
+
+## Memory
+
+### Avoid Memory Leaks
+```typescript
+// Clean up subscriptions
+useEffect(() => {
+  const subscription = observable.subscribe();
+  return () => subscription.unsubscribe(); // Cleanup!
+}, []);
+
+// Remove event listeners
+useEffect(() => {
+  window.addEventListener('resize', handler);
+  return () => window.removeEventListener('resize', handler);
+}, []);
+```
+
+### Limit Collection Sizes
+```typescript
+// Use LRU cache with max size
+const cache = new LRUCache({ max: 500 });
+
+// Limit array growth
+if (items.length > MAX_ITEMS) {
+  items.shift(); // Remove oldest
+}
+```
+
+## Quick Checklist
+
+- [ ] Database queries use indexes
+- [ ] No N+1 queries
+- [ ] Large lists are paginated
+- [ ] Expensive operations cached
+- [ ] Frontend components use memoization
+- [ ] Change detection optimized (Angular OnPush)
+- [ ] Large lists use virtual scrolling
+- [ ] Async operations run in parallel when possible
+- [ ] No memory leaks (subscriptions cleaned up)

package/configs/_shared/.claude/rules/security.md

@@ -0,0 +1,188 @@
+---
+paths:
+  - "**/*.ts"
+  - "**/*.js"
+  - "**/*.py"
+  - "**/*.cs"
+  - "**/*.java"
+---
+
+# Security Rules (OWASP Top 10)
+
+## 1. Injection Prevention
+
+### SQL Injection
+```typescript
+// Bad - string concatenation
+const query = `SELECT * FROM users WHERE id = ${userId}`;
+
+// Good - parameterized queries
+const query = 'SELECT * FROM users WHERE id = $1';
+await db.query(query, [userId]);
+```
+
+### NoSQL Injection
+```typescript
+// Bad - user input directly in query
+db.users.find({ email: req.body.email });
+
+// Good - validate and sanitize
+const email = validateEmail(req.body.email);
+db.users.find({ email });
+```
+
+### Command Injection
+```typescript
+// Bad - user input in command
+exec(`ls ${userInput}`);
+
+// Good - use safe APIs or sanitize
+exec('ls', [sanitize(userInput)]);
+```
+
+## 2. Authentication
+
+- Never store plain passwords - use bcrypt/argon2
+- Use secure session tokens (cryptographically random)
+- Implement account lockout after failed attempts
+- Use constant-time comparison for secrets
+
+```typescript
+// Bad
+if (password === storedPassword) { }
+
+// Good
+import { timingSafeEqual } from 'crypto';
+if (timingSafeEqual(Buffer.from(a), Buffer.from(b))) { }
+```
+
+## 3. Sensitive Data Exposure
+
+### Never log sensitive data
+```typescript
+// Bad
+logger.info('User login', { email, password });
+
+// Good
+logger.info('User login', { email, password: '[REDACTED]' });
+```
+
+### Never commit secrets
+- Use environment variables
+- Add to `.gitignore`: `.env`, `*.pem`, `credentials.json`
+- Use secret managers in production
+
+### Mask in responses
+```typescript
+// Bad - return full credit card
+{ cardNumber: '4111111111111111' }
+
+// Good - mask sensitive parts
+{ cardNumber: '************1111' }
+```
+
+## 4. XSS Prevention
+
+```typescript
+// Bad - innerHTML with user content
+element.innerHTML = userInput;
+
+// Good - use safe methods
+element.textContent = userInput;
+
+// React/Angular - avoid dangerouslySetInnerHTML / [innerHTML]
+// If needed, sanitize first with DOMPurify
+```
+
+## 5. CSRF Protection
+
+- Use anti-CSRF tokens for state-changing operations
+- Validate `Origin` and `Referer` headers
+- Use `SameSite` cookie attribute
+
+```typescript
+// Set secure cookies
+res.cookie('session', token, {
+  httpOnly: true,
+  secure: true,
+  sameSite: 'strict',
+});
+```
+
+## 6. Access Control
+
+```typescript
+// Always check ownership
+async function getDocument(userId: string, docId: string) {
+  const doc = await db.documents.findById(docId);
+
+  // Bad - missing authorization check
+  return doc;
+
+  // Good - verify ownership
+  if (doc.ownerId !== userId) {
+    throw new ForbiddenError();
+  }
+  return doc;
+}
+```
+
+## 7. Security Headers
+
+```typescript
+// Essential headers
+{
+  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+  'X-Content-Type-Options': 'nosniff',
+  'X-Frame-Options': 'DENY',
+  'Content-Security-Policy': "default-src 'self'",
+  'X-XSS-Protection': '1; mode=block',
+}
+```
+
+## 8. Input Validation
+
+- Validate all inputs on server side (never trust client)
+- Use allowlists over denylists
+- Validate type, length, format, range
+
+```typescript
+// Use schema validation
+const schema = z.object({
+  email: z.string().email().max(256),
+  age: z.number().int().min(0).max(150),
+  role: z.enum(['user', 'admin']),
+});
+```
+
+## 9. Error Handling
+
+```typescript
+// Bad - expose internal errors
+catch (error) {
+  res.status(500).json({ error: error.stack });
+}
+
+// Good - generic message, log internally
+catch (error) {
+  logger.error('Database error', { error });
+  res.status(500).json({ error: 'Internal server error' });
+}
+```
+
+## 10. Dependencies
+
+- Keep dependencies updated
+- Audit regularly: `npm audit`, `pip-audit`, `dotnet list package --vulnerable`
+- Remove unused dependencies
+- Pin versions in production
+
+## Quick Checklist
+
+Before committing, verify:
+- [ ] No secrets in code
+- [ ] User inputs validated and sanitized
+- [ ] SQL/NoSQL queries parameterized
+- [ ] Sensitive data not logged
+- [ ] Authorization checks in place
+- [ ] Error messages don't expose internals

package/configs/_shared/.claude/skills/debug/SKILL.md

@@ -0,0 +1,118 @@
+---
+name: debug
+description: Structured debugging workflow for investigating issues
+argument-hint: [error-or-issue-description]
+---
+
+# Debug Skill
+
+You are now in **debug mode**. Investigate the issue systematically.
+
+## Issue
+
+Problem to debug: `$ARGUMENTS`
+
+If no argument, ask: "What issue are you experiencing?"
+
+## Debugging Workflow
+
+### Phase 1: Gather Information
+
+1. **Reproduce the issue**
+   - Ask for exact steps to reproduce
+   - Ask for error messages (full stack trace)
+   - Ask for environment (dev/prod, browser, OS)
+
+2. **Understand expected vs actual behavior**
+   - What should happen?
+   - What actually happens?
+
+### Phase 2: Investigate
+
+1. **Locate the error**
+   - Parse stack trace to find origin
+   - Search codebase for relevant files
+   - Read the failing code
+
+2. **Trace the flow**
+   - Follow data from input to error
+   - Check function calls in sequence
+   - Look for state mutations
+
+3. **Form hypotheses**
+   - List possible causes (ranked by likelihood)
+   - For each hypothesis, identify how to verify
+
+### Phase 3: Verify
+
+For each hypothesis:
+1. Describe what to check
+2. Check it (read code, run command, add log)
+3. Confirm or eliminate
+
+Format:
+```
+Hypothesis: [Description]
+Check: [What to verify]
+Result: [Confirmed/Eliminated] - [Evidence]
+```
+
+### Phase 4: Fix
+
+Once root cause is found:
+1. Explain the root cause clearly
+2. Propose fix(es)
+3. Consider side effects
+4. Implement with user approval
+
+### Phase 5: Prevent
+
+After fixing:
+1. Add test to prevent regression
+2. Consider if similar bugs exist elsewhere
+3. Document if it was a tricky issue
+
+## Output Format
+
+Use this structure as you debug:
+
+```
+## Issue Summary
+[One line description]
+
+## Reproduction
+[Steps or command to reproduce]
+
+## Investigation Log
+[Timestamped notes of what you checked]
+
+## Root Cause
+[Clear explanation of why this happens]
+
+## Fix
+[Code changes with explanation]
+
+## Prevention
+[Test added or recommendation]
+```
+
+## Debugging Tools
+
+Use these as needed:
+- Read files to understand code
+- Grep/search for patterns
+- Run tests to isolate behavior
+- Check git history for recent changes (`git log`, `git blame`)
+- Run the app to reproduce
+
+## Behavior
+
+1. Don't guess - investigate
+2. One hypothesis at a time
+3. Show your reasoning
+4. Ask for more info if needed
+5. Explain findings in simple terms
+
+## Exit
+
+When fixed, ask: "Issue resolved. Want me to add a test to prevent regression?"