@massu/core 0.1.1 → 0.4.0

package/commands/massu-push-light.md

@@ -0,0 +1,207 @@
+---
+name: massu-push-light
+description: Fast pre-push verification (~90s) - patterns, security, types, hooks, tests, build
+allowed-tools: Bash(*)
+disable-model-invocation: true
+---
+name: massu-push-light
+
+> **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding. CR-9 enforced.
+
+# Massu Push Light: Fast Pre-Push Verification
+
+## Objective
+
+Run fast verification checks (~90 seconds total) before pushing to catch the most common issues without the overhead of full builds or E2E tests.
+
+---
+
+## CHECKS TO RUN
+
+Execute these checks in order. **STOP on first failure.**
+
+### 1. Pattern Scanner (~5s)
+```bash
+bash scripts/massu-pattern-scanner.sh
+```
+**Catches:** Code pattern violations, ESM import issues, config anti-patterns, hardcoded prefixes
+
+### 2. Generalization Scanner (~5s)
+```bash
+bash scripts/massu-generalization-scanner.sh
+```
+**Catches:** Hardcoded project names, /Users/ paths, Supabase IDs, API endpoints
+
+### 3. Security Scanner (~5s)
+```bash
+bash scripts/massu-security-scanner.sh
+```
+**Catches:** Hardcoded secrets, unsafe patterns, @ts-ignore usage
+
+### 4. TypeScript Check (~30s)
+```bash
+cd packages/core && npx tsc --noEmit
+```
+**Catches:** Type errors, missing imports, interface mismatches
+
+### 5. Hook Compilation (~5s)
+```bash
+cd packages/core && npm run build:hooks
+```
+**Catches:** Hook compilation failures, invalid imports in hooks
+
+### 6. Unit Tests (~30s)
+```bash
+npm test
+```
+**Catches:** Regressions, broken logic, handler errors
+
+### 7. Build (~20s)
+```bash
+npm run build
+```
+**Catches:** Build failures, compilation errors
+
+---
+
+## EXECUTION
+
+Run all checks and report results:
+
+```bash
+echo "=============================================="
+echo "MASSU PUSH LIGHT - Fast Pre-Push Verification"
+echo "=============================================="
+echo ""
+
+FAILED=0
+
+echo "[1/7] Pattern Scanner..."
+if bash scripts/massu-pattern-scanner.sh > /tmp/pattern-scanner.log 2>&1; then
+  echo "  PASS"
+else
+  echo "  FAIL - see /tmp/pattern-scanner.log"
+  FAILED=1
+fi
+
+echo "[2/7] Generalization Scanner..."
+if bash scripts/massu-generalization-scanner.sh > /tmp/gen-scanner.log 2>&1; then
+  echo "  PASS"
+else
+  echo "  FAIL - see /tmp/gen-scanner.log"
+  FAILED=1
+fi
+
+echo "[3/7] Security Scanner..."
+if bash scripts/massu-security-scanner.sh > /tmp/security-scanner.log 2>&1; then
+  echo "  PASS"
+else
+  echo "  FAIL - see /tmp/security-scanner.log"
+  FAILED=1
+fi
+
+echo "[4/7] TypeScript Check..."
+if cd packages/core && npx tsc --noEmit 2>&1; then
+  echo "  PASS"
+else
+  echo "  FAIL"
+  FAILED=1
+fi
+
+echo "[5/7] Hook Compilation..."
+if cd packages/core && npm run build:hooks > /dev/null 2>&1; then
+  echo "  PASS"
+else
+  echo "  FAIL - Hook compilation error"
+  FAILED=1
+fi
+
+echo "[6/7] Unit Tests..."
+if npm test > /dev/null 2>&1; then
+  echo "  PASS"
+else
+  echo "  FAIL - Tests failing"
+  FAILED=1
+fi
+
+echo "[7/7] Build..."
+if npm run build > /dev/null 2>&1; then
+  echo "  PASS"
+else
+  echo "  FAIL - Build error"
+  FAILED=1
+fi
+
+echo ""
+echo "=============================================="
+if [ $FAILED -eq 0 ]; then
+  echo "ALL CHECKS PASSED - Safe to push"
+  echo "=============================================="
+else
+  echo "CHECKS FAILED - Fix issues before pushing"
+  echo "=============================================="
+  exit 1
+fi
+```
+
+---
+
+## WHEN TO USE
+
+- **Before every `git push`** - Catches ~90% of CI failures
+- **After significant changes** - Quick sanity check
+- **Before creating PR** - Ensure clean state
+
+## WHEN TO USE FULL VERIFICATION INSTEAD
+
+Use `/massu-push` (full) when:
+- Making config schema changes
+- Modifying tool registration patterns
+- Changing core infrastructure
+- Before major releases
+
+---
+
+## WHAT THIS DOESN'T CHECK
+
+| Skipped Check | Why | Risk Level |
+|---------------|-----|------------|
+| Full integration tests | Can take 5+ minutes | Medium |
+| Coverage report | Takes extra time | Low |
+| Migration validation | Takes extra time | Low (run for migration changes) |
+
+---
+
+## OUTPUT FORMAT
+
+```
+==============================================
+MASSU PUSH LIGHT - Fast Pre-Push Verification
+==============================================
+
+[1/7] Pattern Scanner...         PASS
+[2/7] Generalization Scanner...  PASS
+[3/7] Security Scanner...        PASS
+[4/7] TypeScript Check...        PASS
+[5/7] Hook Compilation...        PASS
+[6/7] Unit Tests...              PASS
+[7/7] Build...                   PASS
+
+==============================================
+ALL CHECKS PASSED - Safe to push
+==============================================
+```
+
+---
+
+## FAILURE RECOVERY
+
+| Check Failed | How to Fix |
+|--------------|------------|
+| Pattern Scanner | Run `bash scripts/massu-pattern-scanner.sh` to see details |
+| Generalization Scanner | Run `bash scripts/massu-generalization-scanner.sh` for details |
+| Security Scanner | Run `bash scripts/massu-security-scanner.sh` for details |
+| TypeScript | Run `cd packages/core && npx tsc --noEmit` for full error output |
+| Hook Compilation | Run `cd packages/core && npm run build:hooks` for error details |
+| Unit Tests | Run `npm test` to see failing tests |
+| Build | Run `npm run build` for full error output |

package/commands/massu-push.md

@@ -0,0 +1,434 @@
+---
+name: massu-push
+description: Full verification gate (all tests, regression detection, security) before remote push
+allowed-tools: Bash(*), Read(*), Edit(*), Grep(*), Glob(*)
+---
+name: massu-push
+
+> **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding. CR-9, CR-35 enforced.
+
+# CS Push: Full Verification Gate Before Remote Push
+
+## Workflow Position
+
+```
+/massu-create-plan -> /massu-plan -> /massu-loop -> /massu-commit -> /massu-push
+(CREATE)           (AUDIT)        (IMPLEMENT)   (COMMIT)        (PUSH)
+```
+
+**This command is step 5 of 5 in the standard workflow.**
+
+---
+
+## Objective
+
+Execute COMPREHENSIVE verification including ALL tests and security checks before pushing to remote. This is the final gate - code MUST pass every check before leaving your machine.
+
+**Philosophy**: Commit often (quality checks), push verified (full checks + security + regression).
+
+---
+
+## START NOW
+
+**Step 0: Write AUTHORIZED_COMMAND to session state (CR-35)**
+
+Update `session-state/CURRENT.md` to include `AUTHORIZED_COMMAND: massu-push`.
+
+**Step 0.1: Workflow State Tracking**
+
+Write a transition entry to `.massu/workflow-log.md`:
+```
+| [timestamp] | VERIFY | DEPLOY | /massu-push | [session-id] |
+```
+
+---
+
+## NON-NEGOTIABLE RULES
+
+- **ALL tests must pass** - vitest, full suite
+- **ALL security checks must pass** - npm audit, secrets scan
+- **Zero violations** - Pattern scanner, type check
+- **Do NOT push if ANY check fails**
+- **Document ALL test failures before fixing**
+- **Regression detection MANDATORY** - Compare against main branch
+- **FIX ALL ISSUES ENCOUNTERED (CR-9)** - Pre-existing or not
+
+---
+
+## CRITICAL: DUAL VERIFICATION REQUIREMENT
+
+**Push completion requires BOTH verification gates to pass.**
+
+| Verification | What It Checks | Required for Push |
+|--------------|----------------|-------------------|
+| **Code Quality** | Build, types, patterns, tests pass | YES |
+| **Plan Coverage** | ALL plan items implemented (if from plan) | YES |
+
+**Code Quality: PASS + Plan Coverage: FAIL = DO NOT PUSH**
+
+---
+
+## CRITICAL: REGRESSION DETECTION
+
+**Before pushing, verify no existing tests have regressed.**
+
+### Regression Detection Protocol
+
+#### Step 1: Establish Baseline
+```bash
+# If on main branch, compare against parent commit instead
+CURRENT_BRANCH=$(git branch --show-current)
+if [ "$CURRENT_BRANCH" = "main" ]; then
+  # Compare against parent commit
+  git stash -q 2>/dev/null || true
+  git checkout HEAD~1 -q
+  npm test 2>&1 | tee /tmp/baseline-tests.txt
+  git checkout - -q
+  git stash pop -q 2>/dev/null || true
+else
+  # Compare against main branch
+  git stash -q 2>/dev/null || true
+  git checkout main -q
+  npm test 2>&1 | tee /tmp/baseline-tests.txt
+  git checkout - -q
+  git stash pop -q 2>/dev/null || true
+fi
+```
+
+#### Step 2: Run Tests on Current Branch
+```bash
+npm test 2>&1 | tee /tmp/current-tests.txt
+```
+
+#### Step 3: Compare Results
+```bash
+# Parse vitest output: "Tests  N passed (N)" or "Tests  N failed | N passed (N)"
+BASELINE_PASS=$(grep -oP 'Tests\s+\K\d+(?=\s+passed)' /tmp/baseline-tests.txt || echo 0)
+BASELINE_FAIL=$(grep -oP '\K\d+(?=\s+failed)' /tmp/baseline-tests.txt || echo 0)
+
+CURRENT_PASS=$(grep -oP 'Tests\s+\K\d+(?=\s+passed)' /tmp/current-tests.txt || echo 0)
+CURRENT_FAIL=$(grep -oP '\K\d+(?=\s+failed)' /tmp/current-tests.txt || echo 0)
+
+echo "Baseline: $BASELINE_PASS passed, $BASELINE_FAIL failed"
+echo "Current:  $CURRENT_PASS passed, $CURRENT_FAIL failed"
+```
+
+#### Step 4: Gate Decision
+| Scenario | Action |
+|----------|--------|
+| No regressions | PASS - Continue to push |
+| Regressions found | FAIL - Fix before push |
+| New test failures | Investigate - may be new test or bug |
+
+```markdown
+### Regression Detection Report
+
+| Metric | Value |
+|--------|-------|
+| Baseline (main) passing tests | [N] |
+| Current branch passing tests | [N] |
+| Regressions (was passing, now failing) | [N] |
+
+**REGRESSION GATE: PASS / FAIL**
+```
+
+---
+
+## VERIFICATION TIERS
+
+### Tier 1: Quick Checks (should already pass from massu-commit)
+
+```bash
+# 1.1 Pattern Scanner
+bash scripts/massu-pattern-scanner.sh
+# MUST exit 0
+
+# 1.2 TypeScript
+cd packages/core && npx tsc --noEmit
+# MUST show 0 errors
+
+# 1.3 Hook Build
+cd packages/core && npm run build:hooks
+# MUST exit 0
+
+# 1.4 Generalization Compliance (VR-GENERIC)
+bash scripts/massu-generalization-scanner.sh
+# MUST exit 0
+```
+
+**Gate Check:**
+```markdown
+### Tier 1: Quick Checks
+| Check | Command | Result | Status |
+|-------|---------|--------|--------|
+| Pattern Scanner | massu-pattern-scanner.sh | Exit [X] | PASS/FAIL |
+| TypeScript | tsc --noEmit | [X] errors | PASS/FAIL |
+| Hook Build | build:hooks | Exit [X] | PASS/FAIL |
+| Generalization | massu-generalization-scanner.sh | Exit [X] | PASS/FAIL |
+
+**Tier 1 Status: PASS/FAIL**
+```
+
+---
+
+### Tier 2: Full Test Suite (CRITICAL)
+
+#### 2.0 Regression Detection (MANDATORY FIRST)
+
+Run the regression detection protocol above before the full test suite.
+
+#### 2.1 All Tests (vitest)
+```bash
+npm test
+# MUST exit 0, all tests pass
+```
+
+Capture output:
+- Total tests
+- Passed tests
+- Failed tests
+- Skipped tests
+
+**If tests fail:**
+1. Document ALL failures
+2. Fix each failure
+3. Re-run ALL tests (not just failed ones)
+
+#### 2.2 Tool Registration Verification (if new tools in this push)
+
+```bash
+# List new/modified tool files
+git diff origin/main..HEAD --name-only | grep "tools\|tool"
+
+# For EACH new tool, verify registration
+grep "getToolDefinitions\|isToolName\|handleToolCall" packages/core/src/tools.ts
+```
+
+**Gate Check:**
+```markdown
+### Tier 2: Test Suite
+| Check | Command | Passed | Failed | Status |
+|-------|---------|--------|--------|--------|
+| Regression Detection | Compare vs main | 0 regressions | 0 | PASS/FAIL |
+| All Tests | npm test | [X]/[Y] | 0 | PASS/FAIL |
+| Tool Registration | grep tools.ts | All registered | 0 | PASS/FAIL |
+
+**Tier 2 Status: PASS/FAIL**
+```
+
+---
+
+### Tier 3: Security & Compliance
+
+#### 3.1 npm Audit
+```bash
+npm audit --audit-level=high
+# MUST have 0 high/critical vulnerabilities
+```
+
+**Vulnerability Handling:**
+- **Critical/High**: MUST fix before push
+- **Moderate**: Document and create ticket
+- **Low**: Informational only
+
+#### 3.2 Secrets Scan
+```bash
+# Check for staged secret files
+git diff --cached --name-only | grep -E '\.(env|pem|key|secret)' && echo "FAIL" || echo "PASS"
+
+# Check for hardcoded credentials in source
+grep -rn 'sk-[a-zA-Z0-9]\{20,\}\|password.*=.*["\x27][^"\x27]\{8,\}' --include="*.ts" --include="*.tsx" \
+  packages/core/src/ 2>/dev/null \
+  | grep -v "process.env" \
+  | grep -v 'RegExp\|regex\|REDACT\|redact\|sanitize\|mask' \
+  | grep -v '\.test\.ts:' \
+  | wc -l
+# MUST be 0
+```
+
+#### 3.3 License Compliance (if deps changed)
+```bash
+# Check if package.json or package-lock.json changed
+git diff origin/main..HEAD --name-only | grep -E 'package(-lock)?\.json' && \
+  npm audit --audit-level=high 2>&1 || true
+```
+
+#### 3.3 Plan Coverage (if from plan)
+```markdown
+### Plan Coverage Verification
+
+| Item # | Description | Status | Proof |
+|--------|-------------|--------|-------|
+| P1-001 | [desc] | DONE | [evidence] |
+| ... | ... | ... | ... |
+
+**Coverage: X/X items = 100%**
+```
+
+**Gate Check:**
+```markdown
+### Tier 3: Security & Compliance
+| Check | Command | Result | Status |
+|-------|---------|--------|--------|
+| npm audit | npm audit --audit-level=high | [X] vulns | PASS/FAIL |
+| Secrets Scan | grep check | [X] found | PASS/FAIL |
+| Plan Coverage | item-by-item | [X]/[X] = [X]% | PASS/FAIL |
+
+**Tier 3 Status: PASS/FAIL**
+```
+
+---
+
+## EXECUTION FLOW
+
+### Phase 1: Pre-Flight Verification
+
+```bash
+# Verify we're on a branch and have commits to push
+git status
+git log origin/main..HEAD --oneline
+```
+
+If no commits to push, abort with message.
+
+### Phase 2: Run All Tiers
+
+Run Tier 1, Tier 2, and Tier 3 in order. Stop at first tier failure.
+
+### Phase 3: Final Gate & Push
+
+#### All Tiers Must Pass
+
+```markdown
+### PUSH GATE SUMMARY
+| Tier | Description | Status |
+|------|-------------|--------|
+| Tier 1 | Quick Checks (patterns, types, hooks) | PASS/FAIL |
+| Tier 2 | Full Test Suite + Regression | PASS/FAIL |
+| Tier 3 | Security & Compliance | PASS/FAIL |
+
+### DUAL VERIFICATION GATE
+| Gate | Status | Evidence |
+|------|--------|----------|
+| Code Quality | PASS/FAIL | Tiers 1-3 |
+| Plan Coverage | PASS/FAIL | X/X items (if plan) |
+
+**OVERALL: PASS / FAIL**
+```
+
+#### If ALL Pass
+
+```bash
+# Push to remote
+git push origin [current-branch]
+```
+
+#### If ANY Fail
+
+1. **Document ALL failures**
+2. **Fix each failure**
+3. **Re-run ENTIRE verification** (not just failed tiers)
+4. **Do NOT push until all tiers pass**
+
+---
+
+## TIMING EXPECTATIONS
+
+| Phase | Typical Duration |
+|-------|------------------|
+| Tier 1 (Quick) | ~30 seconds |
+| Tier 2 (Tests + Regression) | ~1-2 minutes |
+| Tier 3 (Security) | ~30 seconds |
+| Total | ~2-3 minutes |
+
+---
+
+## ABORT CONDITIONS
+
+Immediately abort and report if:
+- Secrets detected in codebase
+- More than 10% of tests failing (indicates systemic issue)
+- Any HIGH/CRITICAL npm vulnerability with no fix available
+
+```markdown
+## PUSH ABORTED
+
+### Reason
+[SECURITY | TEST_FAILURE | OTHER]
+
+### Details
+[Specific issue]
+
+### Required Action
+[Steps to resolve]
+
+### Do NOT Attempt Push Until Resolved
+```
+
+---
+
+## MANDATORY: PLAN DOCUMENT UPDATE (If Push Completes Plan)
+
+**If this push completes work from a plan document, the plan MUST be updated.**
+
+Before push is considered complete:
+- [ ] Plan document has IMPLEMENTATION STATUS at TOP
+- [ ] All completed items marked with status
+- [ ] Verification evidence recorded
+- [ ] Push commit hash recorded in plan
+
+```markdown
+# IMPLEMENTATION STATUS
+
+**Plan**: [Plan Name]
+**Status**: COMPLETE - PUSHED
+**Last Updated**: [YYYY-MM-DD HH:MM]
+**Push Commit**: [commit hash]
+
+## Final Verification
+
+| Check | Result | Status |
+|-------|--------|--------|
+| Pattern Scanner | Exit 0 | PASS |
+| Type Check | 0 errors | PASS |
+| Tests | All pass | PASS |
+| Push | Successful | PASS |
+```
+
+---
+
+## AUTO-LEARNING PROTOCOL
+
+After pushing, if any issues were fixed during this verification:
+
+1. **Record the pattern** - What went wrong and how it was fixed
+2. **Check if pattern scanner should be updated**
+3. **Update session state**
+
+---
+
+## COMPLETION REPORT
+
+```markdown
+## CS PUSH COMPLETE
+
+### Push Details
+- **Branch**: [branch]
+- **Commits**: [count]
+- **Remote**: origin/[branch]
+
+### Verification Summary
+| Tier | Checks | Status |
+|------|--------|--------|
+| Tier 1 | Patterns, Types, Hooks | PASS |
+| Tier 2 | Tests ([X] passed), Regression (0) | PASS |
+| Tier 3 | npm audit (0 high/critical), Secrets (0) | PASS |
+
+### Dual Verification
+| Gate | Status |
+|------|--------|
+| Code Quality | PASS |
+| Plan Coverage | PASS (X/X = 100%) |
+
+**Push succeeded.**
+```