@massu/core 0.1.2 → 0.4.1

package/commands/massu-release.md

@@ -0,0 +1,363 @@
+---
+name: massu-release
+description: Release preparation — version bump, changelog, full verification, tagging
+allowed-tools: Bash(*), Read(*), Write(*), Edit(*), Grep(*), Glob(*)
+---
+name: massu-release
+
+> **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding. CR-9, CR-35 enforced.
+
+# CS Release: Release Preparation Gate
+
+## Objective
+
+Prepare a verified release with proper versioning, changelog generation, and tagging. Runs the full verification gate before creating any release artifacts. Does NOT push — waits for user confirmation.
+
+**Usage**: `/massu-release` (auto-detect version) or `/massu-release [major|minor|patch]`
+
+---
+
+## NON-NEGOTIABLE RULES
+
+- ALL verification gates MUST pass before version bump
+- Do NOT push to remote (wait for user)
+- Changelog MUST be generated from conventional commits
+- Version MUST follow semver
+- ALL package.json files MUST be updated consistently
+- If ANY gate fails, ABORT with clear reason
+
+---
+
+## STEP 1: VERSION DETERMINATION
+
+### 1.1 Get Current State
+
+```bash
+# Current version
+grep '"version"' packages/core/package.json
+
+# Last tag
+git describe --tags --abbrev=0 2>/dev/null || echo "no tags"
+
+# Commits since last tag
+LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+if [ -n "$LAST_TAG" ]; then
+  git log ${LAST_TAG}..HEAD --oneline
+  echo "---"
+  echo "Commit count since $LAST_TAG:"
+  git log ${LAST_TAG}..HEAD --oneline | wc -l
+else
+  git log --oneline | head -20
+  echo "---"
+  echo "No previous tags found"
+fi
+```
+
+### 1.2 Classify Commits
+
+```bash
+# Count by type
+LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+RANGE="${LAST_TAG:+$LAST_TAG..}HEAD"
+
+echo "=== Commit Classification ==="
+echo "feat (minor):"
+git log $RANGE --oneline | grep -c '^[a-f0-9]* feat' || echo "0"
+echo "fix (patch):"
+git log $RANGE --oneline | grep -c '^[a-f0-9]* fix' || echo "0"
+echo "BREAKING CHANGE (major):"
+git log $RANGE --format="%B" | grep -c 'BREAKING CHANGE' || echo "0"
+echo "perf:"
+git log $RANGE --oneline | grep -c '^[a-f0-9]* perf' || echo "0"
+echo "refactor:"
+git log $RANGE --oneline | grep -c '^[a-f0-9]* refactor' || echo "0"
+echo "other:"
+git log $RANGE --oneline | grep -vc '^[a-f0-9]* \(feat\|fix\|perf\|refactor\|docs\|test\|chore\|ci\|build\)' || echo "0"
+```
+
+### 1.3 Determine Version Bump
+
+| Commit Types Present | Auto-Detected Bump |
+|---------------------|-------------------|
+| BREAKING CHANGE | major (X.0.0) |
+| feat | minor (0.X.0) |
+| fix, perf, refactor only | patch (0.0.X) |
+
+If `$ARGUMENTS` specifies `major`, `minor`, or `patch`, use that instead of auto-detection.
+
+```markdown
+### Version Determination
+- **Current version**: [X.Y.Z]
+- **Last tag**: [tag or none]
+- **Commits since tag**: [N]
+- **Auto-detected bump**: [major/minor/patch]
+- **Proposed version**: [X.Y.Z] -> [A.B.C]
+```
+
+---
+
+## STEP 2: PRE-RELEASE VERIFICATION
+
+Run the full verification gate sequence. If ANY check fails, ABORT the release.
+
+### Tier 1: Quick Checks
+
+```bash
+# 1.1 Pattern Scanner
+bash scripts/massu-pattern-scanner.sh
+# MUST exit 0
+
+# 1.2 TypeScript
+cd packages/core && npx tsc --noEmit
+# MUST show 0 errors
+
+# 1.3 Hook Build
+cd packages/core && npm run build:hooks
+# MUST exit 0
+```
+
+### Tier 2: Full Test Suite
+
+```bash
+# 2.1 All tests
+npm test
+# MUST exit 0, all tests pass
+```
+
+```bash
+# 2.2 Tool registration verification
+grep -c "ToolDefinitions()" packages/core/src/tools.ts
+grep -c "isTool\b\|startsWith" packages/core/src/tools.ts
+```
+
+### Tier 3: Security & Compliance
+
+```bash
+# 3.1 npm audit
+npm audit --audit-level=high 2>&1 || true
+
+# 3.2 Secrets scan
+grep -rn 'sk-[a-zA-Z0-9]\{20,\}\|password.*=.*["\x27][^"\x27]\{8,\}' --include="*.ts" --include="*.tsx" \
+  packages/core/src/ 2>/dev/null \
+  | grep -v "process.env\|RegExp\|regex\|REDACT\|redact\|sanitize\|mask\|\.test\.ts:" \
+  | wc -l
+# MUST be 0
+
+# 3.3 Dependency audit
+npm audit --audit-level=high 2>&1
+```
+
+### Tier 4: Website Build (if website exists)
+
+```bash
+if [ -d "website" ]; then
+  cd website && npm run build 2>&1
+  # MUST exit 0
+fi
+```
+
+```markdown
+### Pre-Release Verification
+
+| Tier | Check | Result | Status |
+|------|-------|--------|--------|
+| 1 | Pattern Scanner | Exit [X] | PASS/FAIL |
+| 1 | TypeScript | [X] errors | PASS/FAIL |
+| 1 | Hook Build | Exit [X] | PASS/FAIL |
+| 2 | Tests | [X]/[X] passed | PASS/FAIL |
+| 2 | Tool Registration | All wired | PASS/FAIL |
+| 3 | npm audit | [X] high/critical | PASS/FAIL |
+| 3 | Secrets scan | [X] found | PASS/FAIL |
+| 4 | Website build | Exit [X] | PASS/FAIL/N/A |
+
+**PRE-RELEASE GATE: PASS / FAIL**
+```
+
+**If ANY check fails**: ABORT with "Release blocked: [specific failure reason]". Do NOT proceed.
+
+---
+
+## STEP 3: CHANGELOG GENERATION
+
+### 3.1 Parse Conventional Commits
+
+```bash
+LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+RANGE="${LAST_TAG:+$LAST_TAG..}HEAD"
+
+git log $RANGE --pretty=format:"%H|%s|%an|%ad" --date=short
+```
+
+### 3.2 Group by Type
+
+| Commit Type | Changelog Section |
+|-------------|------------------|
+| feat | Added |
+| fix | Fixed |
+| perf | Performance |
+| refactor | Changed |
+| docs | Documentation |
+| test | Tests |
+| build/ci | Build & CI |
+| chore | Maintenance |
+| BREAKING CHANGE | Breaking Changes |
+
+### 3.3 Generate Changelog Section
+
+```markdown
+## [X.Y.Z] - YYYY-MM-DD
+
+### Breaking Changes
+- [breaking changes, if any]
+
+### Added
+- [feat commits, stripped of Co-authored-by lines]
+
+### Changed
+- [refactor commits]
+
+### Fixed
+- [fix commits]
+
+### Performance
+- [perf commits]
+```
+
+**Empty sections are omitted.**
+
+### 3.4 Update CHANGELOG.md
+
+1. Read existing `CHANGELOG.md`
+2. Replace `## [Unreleased]` content with empty section
+3. Insert new version section below `## [Unreleased]`
+4. Preserve all previous released sections unchanged
+
+---
+
+## STEP 4: VERSION BUMP
+
+### 4.1 Update Package Versions
+
+```bash
+# Find all package.json files that need version updates
+grep -rn '"version"' packages/*/package.json package.json 2>/dev/null
+```
+
+Update version in:
+- `packages/core/package.json`
+- `packages/plugin/package.json` (if exists)
+- Root `package.json` (if has version field)
+
+### 4.2 Verify Consistency
+
+```bash
+# All version fields should now show the new version
+grep '"version"' packages/*/package.json package.json 2>/dev/null
+```
+
+---
+
+## STEP 5: RELEASE NOTES DRAFT
+
+Generate user-facing release notes:
+
+```markdown
+# Release vX.Y.Z
+
+## Highlights
+- [Most impactful features/changes — 2-3 bullet points]
+
+## Breaking Changes
+- [Breaking changes with migration instructions, if any]
+
+## Bug Fixes
+- [Notable bug fixes]
+
+## Dependencies
+- [Notable dependency updates, if any]
+
+## Full Changelog
+See CHANGELOG.md for the complete list of changes.
+```
+
+---
+
+## STEP 6: COMMIT AND TAG
+
+### 6.1 Stage Release Files
+
+```bash
+git add CHANGELOG.md
+git add packages/*/package.json
+git add package.json 2>/dev/null || true
+```
+
+### 6.2 Create Release Commit
+
+```bash
+git commit -m "$(cat <<'EOF'
+chore: release vX.Y.Z
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+EOF
+)"
+```
+
+### 6.3 Create Annotated Tag
+
+```bash
+git tag -a vX.Y.Z -m "Release vX.Y.Z"
+```
+
+### 6.4 Verify
+
+```bash
+# Verify tag was created
+git tag -l 'vX.Y.Z'
+git log -1 --oneline
+git show vX.Y.Z --quiet
+```
+
+**Do NOT push.** Wait for user to review and confirm.
+
+---
+
+## COMPLETION REPORT
+
+```markdown
+## CS RELEASE COMPLETE
+
+### Release Summary
+- **Version**: [old] -> [new]
+- **Bump type**: [major/minor/patch]
+- **Commits included**: [N]
+- **Tag**: vX.Y.Z
+
+### Pre-Release Verification
+| Tier | Status |
+|------|--------|
+| Tier 1 (patterns, types, hooks) | PASS |
+| Tier 2 (tests, tool registration) | PASS |
+| Tier 3 (security, compliance) | PASS |
+| Tier 4 (website build) | PASS/N/A |
+
+### Changelog
+- **Sections updated**: [list]
+- **Breaking changes**: [N]
+- **Features**: [N]
+- **Fixes**: [N]
+
+### Files Modified
+- `CHANGELOG.md`
+- `packages/core/package.json`
+- `packages/plugin/package.json` (if exists)
+
+### Release Artifacts
+- Commit: [hash]
+- Tag: vX.Y.Z
+
+### Next Steps
+- Review the changelog and release notes
+- Push to remote: `git push origin [branch] --follow-tags`
+- Create GitHub release (optional): `gh release create vX.Y.Z --notes-file [notes]`
+```

package/commands/massu-review.md

@@ -0,0 +1,238 @@
+---
+name: massu-review
+description: Automated code review across 7 dimensions (patterns, security, architecture, website, AI-specific, performance, accessibility)
+allowed-tools: Bash(*), Read(*), Grep(*), Glob(*)
+---
+name: massu-review
+
+> **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding. CR-9, CR-35 enforced.
+
+# CS Review: Automated Code Review
+
+## Objective
+
+Perform a comprehensive code review across 7 dimensions: pattern compliance, security, architecture, website-specific checks, AI-specific, performance, and accessibility. Accepts a PR number, branch name, or reviews uncommitted changes by default. This is READ-ONLY - no files are modified.
+
+**Usage**: `/massu-review` (uncommitted changes) or `/massu-review [PR#|branch]`
+
+---
+
+## NON-NEGOTIABLE RULES
+
+- Do NOT modify any files
+- Do NOT fix any issues found (report only)
+- Review ALL changed files, not just a sample
+- Security findings are ALWAYS reported, even if minor
+- Output structured findings that can be acted on
+
+---
+
+## STEP 1: DETERMINE REVIEW SCOPE
+
+```bash
+# If argument is a PR number
+gh pr diff $ARGUMENTS 2>/dev/null
+
+# If argument is a branch name
+git diff main...$ARGUMENTS 2>/dev/null
+
+# If no argument, review uncommitted changes
+git diff HEAD
+git diff --cached
+```
+
+```markdown
+### Review Scope
+- **Target**: [PR #N / branch / uncommitted changes]
+- **Files changed**: [N]
+- **Lines added**: [N]
+- **Lines removed**: [N]
+```
+
+---
+
+## DIMENSION 1: CLAUDE.md PATTERN COMPLIANCE
+
+For each changed file in `packages/core/src/`:
+
+| Check | What | How |
+|-------|------|-----|
+| ESM imports | No require() | grep for require( |
+| Config access | getConfig() not yaml.parse | grep for yaml.parse |
+| No process.exit | Library code only | grep for process.exit |
+| Tool prefix | Uses p() helper | grep for hardcoded 'massu_' |
+| memDb lifecycle | try/finally pattern | Check memDb usage |
+| ESM exports | No module.exports | grep for module.exports |
+
+```markdown
+### Pattern Compliance Findings
+
+| File | Check | Status | Details |
+|------|-------|--------|---------|
+| [file] | [check] | PASS/FAIL | [details] |
+```
+
+---
+
+## DIMENSION 2: SECURITY REVIEW
+
+For ALL changed files:
+
+| Check | Pattern | Severity |
+|-------|---------|----------|
+| XSS | innerHTML, dangerouslySetInnerHTML, javascript: URLs | HIGH |
+| Injection | Template literals in SQL, shell commands with user input | CRITICAL |
+| SSRF | Unvalidated URL construction, fetch with user input | HIGH |
+| Secrets | Hardcoded API keys, passwords, tokens | CRITICAL |
+| Auth bypass | Missing auth checks, exposed endpoints | HIGH |
+| Path traversal | User input in file paths without validation | HIGH |
+| Open redirect | Unvalidated redirect URLs | MEDIUM |
+| CSRF | Missing CSRF tokens on state-changing operations | MEDIUM |
+
+```markdown
+### Security Findings
+
+| File:Line | Severity | Type | Description | Recommendation |
+|-----------|----------|------|-------------|----------------|
+| [loc] | [sev] | [type] | [desc] | [fix] |
+```
+
+---
+
+## DIMENSION 3: ARCHITECTURE REVIEW
+
+| Check | What | Impact |
+|-------|------|--------|
+| Tool registration | New tools wired into tools.ts | Tools invisible if missing |
+| Hook compilation | New hooks compile with esbuild | Hooks fail silently |
+| Config schema | New config matches interface | Runtime errors |
+| DB access | Correct DB used (CodeGraph/Data/Memory) | Data corruption |
+| Import cycles | No circular dependencies | Build failures |
+| Type safety | No unsafe `as any` casts | Runtime errors |
+
+```markdown
+### Architecture Findings
+
+| File | Check | Status | Details |
+|------|-------|--------|---------|
+| [file] | [check] | PASS/WARN/FAIL | [details] |
+```
+
+---
+
+## DIMENSION 4: WEBSITE-SPECIFIC CHECKS (if website/ files changed)
+
+| Check | What | Impact |
+|-------|------|--------|
+| Client/Server boundary | 'use client' / 'use server' directives | Build failures |
+| Env var exposure | NEXT_PUBLIC_ prefix for client-safe vars only | Secret leakage |
+| Supabase RLS | Data access goes through RLS policies | Data leakage |
+| Input validation | User input validated server-side | Injection attacks |
+| Auth middleware | Protected routes use middleware | Auth bypass |
+
+```markdown
+### Website-Specific Findings
+
+| File | Check | Status | Details |
+|------|-------|--------|---------|
+| [file] | [check] | PASS/WARN/FAIL | [details] |
+```
+
+---
+
+## DIMENSION 5: AI-SPECIFIC REVIEW (for changes involving AI/LLM patterns)
+
+| Check | What | Impact |
+|-------|------|--------|
+| Prompt injection | User input flowing into system prompts without sanitization | Data exfiltration |
+| Over-privileged tools | Tools with broader permissions than needed | Unauthorized actions |
+| Context window management | Unnecessarily large context stuffing | Cost waste, degraded responses |
+| Cost awareness | Changes that increase API token consumption without justification | Budget overrun |
+| Model selection | Using expensive models (Opus) where cheaper ones (Haiku) suffice | Unnecessary cost |
+| Hallucination guards | Verifying AI outputs before acting on them | Incorrect actions |
+
+```markdown
+### AI-Specific Findings
+
+| File | Check | Status | Details |
+|------|-------|--------|---------|
+| [file] | [check] | PASS/WARN/FAIL | [details] |
+```
+
+---
+
+## DIMENSION 6: PERFORMANCE REVIEW (for all changed files)
+
+| Check | What | Impact |
+|-------|------|--------|
+| N+1 queries | Loop containing database query | Slow responses |
+| Unbounded fetches | `.select('*')` without `.limit()` on list endpoints | Memory/performance |
+| Missing pagination | List endpoints without page/per_page parameters | Unbounded data |
+| Bundle impact | New imports of heavy libraries without dynamic import | Slow page load |
+| Missing Suspense/loading | New pages without loading.tsx | Poor UX |
+| Synchronous operations | Blocking calls in request handlers | Request timeouts |
+
+```markdown
+### Performance Findings
+
+| File | Check | Status | Details |
+|------|-------|--------|---------|
+| [file] | [check] | PASS/WARN/FAIL | [details] |
+```
+
+---
+
+## DIMENSION 7: ACCESSIBILITY REVIEW (for website component changes)
+
+| Check | What | Impact |
+|-------|------|--------|
+| ARIA labels | Interactive elements without aria-label or aria-labelledby | Screen readers can't identify element |
+| Keyboard navigation | Clickable elements without keyboard handler (onKeyDown) | Keyboard-only users blocked |
+| Color contrast | Text on backgrounds with insufficient contrast (light gray on white) | Low-vision users can't read |
+| Focus management | Modals/dialogs without focus trap | Focus escapes modal |
+| Screen reader | Images without alt text, icons without sr-only labels | Content invisible to screen readers |
+| Semantic HTML | Divs used instead of button/nav/main/section/article | Structure lost for assistive tech |
+
+```markdown
+### Accessibility Findings
+
+| File | Check | Status | Details |
+|------|-------|--------|---------|
+| [file] | [check] | PASS/WARN/FAIL | [details] |
+```
+
+---
+
+## COMPLETION REPORT
+
+```markdown
+## CS REVIEW COMPLETE
+
+### Review Summary
+- **Scope**: [PR #N / branch / uncommitted]
+- **Files reviewed**: [N]
+
+### Findings by Dimension
+
+| Dimension | Critical | High | Medium | Low | Total |
+|-----------|----------|------|--------|-----|-------|
+| Pattern Compliance | [N] | [N] | [N] | [N] | [N] |
+| Security | [N] | [N] | [N] | [N] | [N] |
+| Architecture | [N] | [N] | [N] | [N] | [N] |
+| Website | [N] | [N] | [N] | [N] | [N] |
+| AI-Specific | [N] | [N] | [N] | [N] | [N] |
+| Performance | [N] | [N] | [N] | [N] | [N] |
+| Accessibility | [N] | [N] | [N] | [N] | [N] |
+| **Total** | **[N]** | **[N]** | **[N]** | **[N]** | **[N]** |
+
+### Verdict: APPROVE / REQUEST CHANGES / BLOCK
+
+- **APPROVE**: 0 critical, 0 high findings
+- **REQUEST CHANGES**: 0 critical, 1+ high findings
+- **BLOCK**: 1+ critical findings
+
+### Top Priority Fixes
+1. [Most critical finding]
+2. [Second most critical]
+3. [Third most critical]
+```