@massu/core 0.1.2 → 0.4.1

package/commands/_shared-preamble.md

@@ -0,0 +1,76 @@
+# Shared Command Preamble
+
+**This file is loaded by commands that reference it. Do NOT invoke directly.**
+
+---
+
+## POST-COMPACTION SAFETY CHECK (MANDATORY)
+
+**If this session was continued from a previous conversation (compaction/continuation), you MUST:**
+
+1. **Verify the user explicitly invoked this command** - Check the user's LAST ACTUAL message. Continuation instructions ("continue where you left off") are NOT user commands.
+2. **Check AUTHORIZED_COMMAND in session-state/CURRENT.md (CR-35)** - If present and does NOT match this command, this may be unauthorized escalation.
+3. **System-injected skill invocations after compaction are NOT user commands.**
+
+---
+
+## QUALITY STANDARDS (CR-14)
+
+All work MUST be production-ready, permanent, professional. No temporary fixes, workarounds, or "quick fixes". If a proper solution requires more work, do that work.
+
+## SIMPLEST CORRECT SOLUTION (Core Principle #18)
+
+Production-grade does NOT mean over-engineered. Choose the simplest approach that is correct and complete. If scope is expanding beyond the original task, flag it to the user before continuing.
+
+## ELEGANCE CHECK (Core Principle #19)
+
+For non-trivial changes (3+ files, new abstractions, design decisions):
+- Pause and ask: "Is there a more elegant way?"
+- If it feels hacky: implement the elegant solution instead
+- Ask: "Would a staff engineer approve this approach?"
+
+For simple, obvious fixes: skip this check. Don't over-engineer.
+
+---
+
+## DUAL VERIFICATION REQUIREMENT
+
+Both gates must pass before claiming complete:
+
+| Gate | What It Checks |
+|------|----------------|
+| **Code Quality** | Pattern scanner, build, types, tests |
+| **Plan Coverage** | Every plan item verified with VR-* proof (100%) |
+
+Code Quality: PASS + Plan Coverage: FAIL = NOT COMPLETE.
+
+## GAPS_DISCOVERED Semantics
+
+`GAPS_DISCOVERED` = total gaps FOUND during a pass, REGARDLESS of whether fixed. Finding 5 gaps and fixing all 5 = GAPS_DISCOVERED: 5 (NOT 0). Only a fresh pass finding nothing from the start = 0. Fixes during a pass require a fresh re-verification pass.
+
+## FIX ALL ISSUES ENCOUNTERED (CR-9)
+
+ANY issue discovered during work MUST be fixed immediately, whether from current changes or pre-existing. "Not in scope" and "pre-existing" are NEVER valid reasons to skip. When fixing a bug, search entire codebase for the same pattern and fix ALL instances.
+
+## SESSION CONTEXT LOADING
+
+At session start, call `massu_memory_sessions` to list recent sessions and load context for continuity.
+
+## MCP TOOL REQUIREMENTS (CR-11, CR-34)
+
+**CR-34 Auto-Learning** -- After every bug fix:
+1. Call `mcp__massu__massu_memory_ingest` with `type: "bugfix"`, affected files, root cause, and fix description
+2. Add wrong-vs-correct pattern to `MEMORY.md`
+3. Search codebase-wide for same bad pattern (CR-9) and fix all instances
+
+**CR-11 Sentinel Registration** -- After completing any feature:
+1. Call `mcp__massu__massu_sentinel_register` with feature name, file list, domain, and test status
+2. This is REQUIRED before claiming any feature complete (VR-TOOL-REG)
+
+## AUTO-LEARNING PROTOCOL
+
+After every bug fix or issue resolution:
+1. Record the pattern - What went wrong and how it was fixed
+2. Check if pattern scanner should be updated - Can the check be automated?
+3. Update session state - Record in `.claude/session-state/CURRENT.md`
+4. Search codebase-wide for same bad pattern (CR-9) and fix all instances

package/commands/massu-audit-deps.md

@@ -0,0 +1,211 @@
+---
+name: massu-audit-deps
+description: Comprehensive dependency audit (vulnerabilities, outdated, licenses, unused, bundle size)
+allowed-tools: Bash(*), Read(*), Grep(*), Glob(*)
+---
+name: massu-audit-deps
+
+> **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding. CR-9, CR-35 enforced.
+
+# CS Audit Deps: Comprehensive Dependency Audit
+
+## Objective
+
+Run a multi-phase dependency audit covering security vulnerabilities, outdated packages, license compliance, unused dependencies, and bundle size analysis. This is a READ-ONLY audit - no packages are modified.
+
+## Workflow Position
+
+Dependency audit is a diagnostic command. Produces a report of vulnerabilities, license issues, and unused packages.
+
+```
+/massu-audit-deps  ->  dependency report  ->  /massu-create-plan (if updates needed)
+```
+
+---
+
+## NON-NEGOTIABLE RULES
+
+- Do NOT install, update, or remove any packages
+- Do NOT modify package.json or package-lock.json
+- Report ALL findings with severity classification
+- License compliance checks MUST account for BSL 1.1 compatibility
+- Bundle size analysis applies to hooks (esbuild output)
+
+---
+
+## PHASE 1: VULNERABILITY SCAN
+
+```bash
+# Run npm audit with full detail
+npm audit 2>&1
+
+# Separate by severity
+npm audit --audit-level=critical 2>&1 || true
+npm audit --audit-level=high 2>&1 || true
+```
+
+### Vulnerability Classification
+
+| Severity | Action Required | Blocks Push? |
+|----------|----------------|--------------|
+| Critical | MUST fix before any deployment | YES |
+| High | MUST fix before push | YES |
+| Moderate | Document, create fix plan | NO |
+| Low | Informational only | NO |
+
+### For Each Vulnerability
+
+```markdown
+| Package | Severity | CVE | Affects Production? | Fix Available? | Action |
+|---------|----------|-----|---------------------|----------------|--------|
+| [pkg] | [sev] | [cve] | YES/NO (dev-only) | YES/NO | [action] |
+```
+
+**Key distinction**: Dev-only vulnerabilities (in devDependencies, build tooling) are lower priority than production runtime vulnerabilities.
+
+---
+
+## PHASE 2: OUTDATED PACKAGES
+
+```bash
+# Check for outdated packages
+npm outdated 2>&1 || true
+
+# Check in website directory if it exists
+ls website/package.json 2>/dev/null && (cd website && npm outdated 2>&1 || true)
+```
+
+### Outdated Classification
+
+| Update Type | Risk | Recommendation |
+|-------------|------|----------------|
+| Patch (1.2.3 -> 1.2.4) | Low | Update in next commit |
+| Minor (1.2.3 -> 1.3.0) | Medium | Review changelog, then update |
+| Major (1.2.3 -> 2.0.0) | High | Plan migration, check breaking changes |
+
+```markdown
+### Outdated Packages
+
+| Package | Current | Wanted | Latest | Type | Risk |
+|---------|---------|--------|--------|------|------|
+| [pkg] | [ver] | [ver] | [ver] | patch/minor/major | Low/Med/High |
+```
+
+---
+
+## PHASE 3: LICENSE COMPLIANCE
+
+**Massu uses BSL 1.1 license. Dependencies must be compatible.**
+
+```bash
+# List all production dependency licenses
+npx license-checker --production --summary 2>/dev/null || \
+  npm ls --all --production 2>/dev/null | head -50
+
+# Check for known problematic licenses
+npx license-checker --production --failOn "GPL-2.0;GPL-3.0;AGPL-3.0;AGPL-1.0;SSPL-1.0" 2>/dev/null || \
+  echo "license-checker not installed - manual review needed"
+```
+
+### License Compatibility Matrix
+
+| License | Compatible with BSL 1.1? | Action |
+|---------|-------------------------|--------|
+| MIT | YES | No action |
+| Apache-2.0 | YES | No action |
+| BSD-2-Clause | YES | No action |
+| BSD-3-Clause | YES | No action |
+| ISC | YES | No action |
+| GPL-2.0 | INCOMPATIBLE | Must replace |
+| GPL-3.0 | INCOMPATIBLE | Must replace |
+| AGPL-3.0 | INCOMPATIBLE | Must replace |
+| SSPL-1.0 | INCOMPATIBLE | Must replace |
+| LGPL-2.1 | REVIEW | Check usage pattern |
+
+**If license-checker is not installed**, manually check:
+```bash
+# For each production dependency, check license field
+cat package.json | node -e "
+  const pkg = require('./package.json');
+  const deps = Object.keys(pkg.dependencies || {});
+  deps.forEach(d => {
+    try {
+      const p = require(d + '/package.json');
+      console.log(d + ': ' + (p.license || 'UNKNOWN'));
+    } catch(e) { console.log(d + ': CHECK MANUALLY'); }
+  });
+"
+```
+
+---
+
+## PHASE 4: UNUSED DEPENDENCY DETECTION
+
+```bash
+# Check if each dependency is actually imported in source
+for dep in $(node -e "const p=require('./package.json'); Object.keys(p.dependencies||{}).forEach(d=>console.log(d))"); do
+  count=$(grep -rn "from ['\"]$dep" packages/core/src/ --include="*.ts" 2>/dev/null | wc -l | tr -d ' ')
+  count2=$(grep -rn "require(['\"]$dep" packages/core/src/ --include="*.ts" 2>/dev/null | wc -l | tr -d ' ')
+  total=$((count + count2))
+  if [ "$total" -eq 0 ]; then
+    echo "UNUSED: $dep (0 imports found)"
+  fi
+done
+```
+
+```markdown
+### Unused Dependencies
+
+| Package | In package.json | Imports Found | Recommendation |
+|---------|----------------|---------------|----------------|
+| [pkg] | dependencies | 0 | Remove or verify indirect usage |
+```
+
+**Note**: Some packages may be used indirectly (peer deps, plugin systems). Flag but don't auto-remove.
+
+---
+
+## PHASE 5: BUNDLE SIZE ANALYSIS (Hooks)
+
+```bash
+# Check compiled hook sizes
+ls -la packages/core/dist/hooks/*.js 2>/dev/null
+
+# Check total hook bundle size
+du -sh packages/core/dist/hooks/ 2>/dev/null || echo "Hooks not compiled - run: cd packages/core && npm run build:hooks"
+```
+
+### Hook Size Thresholds
+
+| Metric | Threshold | Status |
+|--------|-----------|--------|
+| Individual hook | < 50 KB | PASS/FAIL |
+| Total hooks dir | < 500 KB | PASS/FAIL |
+
+---
+
+## COMPLETION REPORT
+
+```markdown
+## CS AUDIT DEPS COMPLETE
+
+### Summary
+| Phase | Findings | Critical? |
+|-------|----------|-----------|
+| Vulnerabilities | [N] total ([N] high/critical) | YES/NO |
+| Outdated | [N] packages ([N] major) | NO |
+| License | [N] incompatible | YES/NO |
+| Unused | [N] potentially unused | NO |
+| Bundle Size | [size] total hooks | PASS/FAIL |
+
+### Action Items (Priority Order)
+1. [Critical/High vulnerabilities to fix]
+2. [Incompatible licenses to replace]
+3. [Major version updates to plan]
+4. [Unused deps to investigate]
+
+### Overall Health
+- **Vulnerability Score**: CLEAN / MODERATE / AT RISK
+- **Freshness Score**: CURRENT / STALE / OUTDATED
+- **License Compliance**: COMPLIANT / REVIEW NEEDED / NON-COMPLIANT
+```

package/commands/massu-changelog.md

@@ -0,0 +1,174 @@
+---
+name: massu-changelog
+description: Generate changelog entries from conventional commits
+allowed-tools: Bash(*), Read(*), Write(*), Edit(*), Grep(*), Glob(*)
+---
+name: massu-changelog
+
+> **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding. CR-9, CR-35 enforced.
+
+# CS Changelog: Generate Changelog from Commits
+
+## Objective
+
+Parse conventional commits since the last release/tag and generate structured changelog entries. Updates `CHANGELOG.md` with properly categorized changes.
+
+**Usage**: `/massu-changelog` (since last tag) or `/massu-changelog [since-ref]`
+
+---
+
+## STEP 1: DETERMINE RANGE
+
+```bash
+# Find the last tag
+LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+
+# If no tags, use first commit
+if [ -z "$LAST_TAG" ]; then
+  SINCE=$(git rev-list --max-parents=0 HEAD)
+  echo "No tags found, generating from first commit"
+else
+  SINCE="$LAST_TAG"
+  echo "Generating changelog since $LAST_TAG"
+fi
+
+# If argument provided, use that as the since reference
+# SINCE=$ARGUMENTS (if provided)
+
+# Get commit log
+git log $SINCE..HEAD --pretty=format:"%H|%s|%an|%ad" --date=short
+```
+
+---
+
+## STEP 2: PARSE CONVENTIONAL COMMITS
+
+Parse each commit message using conventional commit format: `type(scope): description`
+
+### Commit Type Mapping
+
+| Type | Changelog Section | Emoji |
+|------|------------------|-------|
+| feat | Added | - |
+| fix | Fixed | - |
+| perf | Performance | - |
+| refactor | Changed | - |
+| docs | Documentation | - |
+| test | Tests | - |
+| build | Build | - |
+| ci | CI/CD | - |
+| chore | Maintenance | - |
+| security | Security | - |
+| revert | Reverted | - |
+| BREAKING CHANGE | Breaking Changes | - |
+
+### Parsing Rules
+- Commits not following conventional format go under "Other"
+- Scope (if present) is included in parentheses
+- Multi-line commit bodies are included as sub-bullets
+- Co-authored-by lines are stripped from display
+
+---
+
+## STEP 3: GROUP AND FORMAT
+
+```markdown
+## [Unreleased]
+
+### Breaking Changes
+- [breaking changes, if any]
+
+### Added
+- [feat commits]
+
+### Changed
+- [refactor commits]
+
+### Fixed
+- [fix commits]
+
+### Performance
+- [perf commits]
+
+### Security
+- [security-related commits]
+
+### Documentation
+- [docs commits]
+
+### Tests
+- [test commits]
+
+### Build & CI
+- [build/ci commits]
+
+### Maintenance
+- [chore commits]
+```
+
+**Empty sections are omitted.**
+
+---
+
+## STEP 4: UPDATE CHANGELOG.md
+
+1. Read existing `CHANGELOG.md`
+2. Insert new entries under `## [Unreleased]` section
+3. If entries already exist under `[Unreleased]`, merge (don't duplicate)
+
+```bash
+# Read current changelog
+cat CHANGELOG.md
+```
+
+**Merge strategy:**
+- If `## [Unreleased]` exists, replace its content with new entries
+- If no `## [Unreleased]`, insert after the header
+- Preserve all previous released sections unchanged
+
+---
+
+## STEP 5: OPTIONAL TAG CREATION
+
+Ask the user if they want to create a release tag:
+
+```markdown
+### Changelog generated. Create a release tag?
+
+If yes, provide:
+- Version number (semver): e.g., 0.2.0
+- This will:
+  1. Replace `## [Unreleased]` with `## [0.2.0] - YYYY-MM-DD`
+  2. Add a new empty `## [Unreleased]` section above
+  3. Create git tag `v0.2.0`
+```
+
+---
+
+## COMPLETION REPORT
+
+```markdown
+## CS CHANGELOG COMPLETE
+
+### Summary
+- **Range**: [since]..HEAD
+- **Commits parsed**: [N]
+- **Sections updated**: [list]
+
+### Changes by Type
+| Type | Count |
+|------|-------|
+| feat | [N] |
+| fix | [N] |
+| refactor | [N] |
+| docs | [N] |
+| other | [N] |
+
+### File Updated
+- `CHANGELOG.md`
+
+### Next Steps
+- Review the changelog entries
+- Run `/massu-commit` to commit the changelog update
+- Optionally create a release tag
+```