@mikulgohil/ai-kit 2.1.0 → 2.2.0

package/README.md

@@ -224,7 +224,7 @@ Period summaries, budget progress with alerts, per-project cost breakdown, week-
 | Context setup per conversation | 5-10 min | **0 min** (auto-loaded) |
 | Code review cycles per PR | 2-4 rounds | **1-2 rounds** |
 | Component creation time | 30-60 min | **10-15 min** |
-| New developer onboarding | 1-2 weeks | **2-3 days** |
+| New developer onboarding | 1-2 weeks | **1 hour** |
 | Security issues caught | At PR review or production | **At development time** |
 | Knowledge retention | Lost when developers leave | **Logged in decisions & mistakes** |
 | AI tool switching cost | Start over from scratch | **Zero — same rules, 5+ tools** |

package/agents/kit-code-reviewer.md

@@ -54,6 +54,20 @@ You are a senior code reviewer for Next.js, React, and Sitecore XM Cloud project
 - GraphQL queries are efficient and scoped
 - Experience Editor compatibility maintained
 
+## Confidence-Gated Review
+
+Before delivering findings, assess your confidence in each category (0–100%) based on the context you have available.
+
+- **≥ 80% confidence**: Report findings normally.
+- **< 80% confidence**: State the gap explicitly and ask a targeted clarifying question before reporting. Example: *"I need to see the full type definition for `CartItem` before completing the TypeScript review — can you share `src/types/cart.ts`?"*
+
+This prevents false positives caused by partial context.
+
+**Always declare confidence at the top of your review:**
+```
+Confidence: Correctness 95% | React 88% | TypeScript 91% | Security 72% (need to see auth middleware) | Accessibility 85%
+```
+
 ## Output Format
 Rate each category: PASS / WARN / FAIL
 Provide specific line references for issues.

package/agents/kit-database-reviewer.md

@@ -0,0 +1,65 @@
+---
+name: kit-database-reviewer
+description: Data layer review agent — audits GraphQL queries, API data fetching, ORM patterns, and Sitecore Experience Edge access for correctness, performance, and security.
+tools: Read, Glob, Grep, Bash
+---
+
+# Database & Data Layer Reviewer
+
+You are a data layer specialist for Next.js and Sitecore XM Cloud projects. Review GraphQL queries, REST data fetching, caching strategies, and data access patterns for correctness, performance, and security.
+
+## Review Scope
+
+### GraphQL / Experience Edge (Sitecore)
+- Query efficiency — avoid over-fetching; request only the fields consumed by the component
+- Fragment reuse — check for duplicated field selections that should be shared fragments
+- Pagination — verify `first`/`after` cursor patterns on list fields; never unbounded queries
+- Null safety — all nullable fields must be handled; check that `?.` or fallbacks are present in consumers
+- Schema alignment — field names and types must match the current Experience Edge schema
+- Caching headers — verify `cache-control` / `revalidate` is set appropriately for the data type
+
+### Next.js Data Fetching
+- Server Component vs Client Component fetch placement — data fetching belongs in Server Components; avoid waterfall fetches in children
+- `fetch` caching — confirm `cache: 'no-store'` vs `revalidate` is intentional and documented
+- Parallel fetching — use `Promise.all` / `Promise.allSettled` for independent fetches; flag sequential `await` chains
+- Error handling — every fetch must have an error boundary or explicit error handling; no bare `await fetch()` without `.ok` check
+- Sensitive data leakage — confirm no server-only data (credentials, internal IDs) reaches client components via props
+
+### ORM / Database Patterns (if applicable)
+- N+1 detection — flag loops that call the database per iteration; suggest batch queries
+- Index usage — for raw SQL or Prisma, flag `WHERE` clauses on non-indexed columns in large tables
+- Transaction scope — writes that should be atomic must be wrapped in a transaction
+- Connection pooling — no new database connections created inside request handlers
+
+### Security
+- Injection — parameterized queries only; no string interpolation in query bodies
+- Authorization — verify that data access checks (role, ownership) happen before the query, not after
+- Exposed internals — IDs, internal references, or admin-only fields must not appear in public GraphQL queries
+- Rate limiting — flag data endpoints with no rate limiting that could be abused
+
+## Review Process
+
+1. **Identify all data access points** — search for `fetch(`, `useQuery`, `gql`, `graphql`, `prisma.`, SQL queries
+2. **Map fetch-to-render** — trace where the data lands and whether it could be fetched higher in the tree
+3. **Check field selection** — compare fields requested vs fields used in the rendering component
+4. **Verify error paths** — confirm every fetch has handled loading, error, and empty states
+5. **Flag security concerns** — auth checks, injection risk, data exposure
+
+## Confidence-Gated Review
+
+Before delivering findings, assess your confidence in each area (0–100%).
+
+- **≥ 80%**: Report findings normally.
+- **< 80%**: State the gap and ask a targeted clarifying question. Example: *"I need to see the Experience Edge schema for the `Article` type before auditing field selection — can you run `ai-kit export` or share the schema file?"*
+
+Declare confidence at the top of your review:
+```
+Confidence: GraphQL efficiency 90% | Caching 85% | Security 70% (need to see auth middleware) | N+1 detection 92%
+```
+
+## Output Format
+
+Rate each area: PASS / WARN / FAIL  
+Provide specific file and line references for issues.  
+For WARN/FAIL items, include a concrete fix recommendation.  
+End with a **Data Layer Score** (0–100) with a one-line rationale.

package/dist/index.js

@@ -15,7 +15,7 @@ var GUIDES_DIR = path.join(PACKAGE_ROOT, "guides");
 var DOCS_SCAFFOLDS_DIR = path.join(PACKAGE_ROOT, "docs-scaffolds");
 var AGENTS_DIR = path.join(PACKAGE_ROOT, "agents");
 var CONTEXTS_DIR = path.join(PACKAGE_ROOT, "contexts");
-var VERSION = "2.1.0";
+var VERSION = "2.2.0";
 var SKILL_PREFIX = "kit-";
 var AI_KIT_CONFIG_FILE = "ai-kit.config.json";
 var BACKUP_DIR = ".ai-kit/backups";
@@ -1339,6 +1339,25 @@ function generateHooks(scan, profile = "standard") {
       ]
     });
   }
+  if (profile !== "minimal") {
+    preToolUse.push({
+      matcher: "Edit|Write",
+      hooks: [
+        {
+          type: "command",
+          command: [
+            'if [ -f "$CLAUDE_FILE_PATH" ]; then',
+            '  LINES=$(wc -l < "$CLAUDE_FILE_PATH" 2>/dev/null || echo 0)',
+            '  if [ "$LINES" -gt 150 ]; then',
+            '    echo "\u{1F4D6} Large file ($LINES lines): $CLAUDE_FILE_PATH"',
+            '    echo "   Ensure you have read the full file before editing to avoid missing imports or breaking invariants."',
+            "  fi",
+            "fi"
+          ].join("\n")
+        }
+      ]
+    });
+  }
   if (profile === "strict") {
     preToolUse.push({
       matcher: "Bash(git commit*)",
@@ -1424,6 +1443,65 @@ function generateHooks(scan, profile = "standard") {
       ]
     });
   }
+  if (profile === "strict") {
+    postToolUse.push({
+      matcher: "Edit|Write",
+      hooks: [
+        {
+          type: "command",
+          command: [
+            'if [ -f "$CLAUDE_FILE_PATH" ]; then',
+            '  GUARDS=""',
+            '  case "$CLAUDE_FILE_PATH" in',
+            "    *.ts|*.tsx|*.js|*.jsx|*.mjs)",
+            '      DISABLE=$(grep -c "eslint-disable" "$CLAUDE_FILE_PATH" 2>/dev/null || echo 0)',
+            '      if [ "$DISABLE" -gt 0 ]; then',
+            '        GUARDS="${GUARDS}\\n  \u26A0\uFE0F  eslint-disable: $DISABLE directive(s) found \u2014 weakens linting"',
+            "      fi",
+            '      SUPPRESS=$(grep -cE "@ts-ignore|@ts-nocheck" "$CLAUDE_FILE_PATH" 2>/dev/null || echo 0)',
+            '      if [ "$SUPPRESS" -gt 0 ]; then',
+            '        GUARDS="${GUARDS}\\n  \u26A0\uFE0F  TypeScript suppression: $SUPPRESS @ts-ignore/@ts-nocheck found"',
+            "      fi",
+            "      ;;",
+            "    *tsconfig*.json)",
+            `      if grep -qE '"strict"[[:space:]]*:[[:space:]]*false|"noImplicitAny"[[:space:]]*:[[:space:]]*false' "$CLAUDE_FILE_PATH" 2>/dev/null; then`,
+            '        GUARDS="${GUARDS}\\n  \u26A0\uFE0F  TypeScript strict mode disabled \u2014 this weakens type safety"',
+            "      fi",
+            "      ;;",
+            "  esac",
+            '  if [ -n "$GUARDS" ]; then',
+            '    echo "\u{1F6E1}\uFE0F  Config guard triggered in $CLAUDE_FILE_PATH:"',
+            '    printf "$GUARDS\\n"',
+            '    echo "   Confirm these are intentional before committing."',
+            "  fi",
+            "fi"
+          ].join("\n")
+        }
+      ]
+    });
+  }
+  if (profile === "strict") {
+    postToolUse.push({
+      matcher: "Edit|Write",
+      hooks: [
+        {
+          type: "command",
+          command: [
+            'case "$CLAUDE_FILE_PATH" in',
+            "  *.ts|*.tsx|*.js|*.jsx|*.json|*.yaml|*.yml)",
+            '    CREDS=$(grep -inE "(apikey|api_key|secret_key|access_token|private_key|password|auth_token)[[:space:]]*[:=][[:space:]]*[^$][^[:space:]]{8,}" "$CLAUDE_FILE_PATH" 2>/dev/null | grep -v "process\\.env" | head -3)',
+            '    if [ -n "$CREDS" ]; then',
+            '      echo "\u{1F510} Credential scan \u2014 potential secret detected in $CLAUDE_FILE_PATH:"',
+            '      echo "$CREDS"',
+            '      echo "   Move real secrets to .env and reference via process.env \u2014 never commit credentials."',
+            "    fi",
+            "    ;;",
+            "esac"
+          ].join("\n")
+        }
+      ]
+    });
+  }
   if (profile !== "minimal") {
     postCompact.push({
       matcher: "",
@@ -1464,6 +1542,9 @@ function generateHooks(scan, profile = "standard") {
 function generateSettingsLocal(scan, profile = "standard") {
   const hooks = generateHooks(scan, profile);
   return {
+    env: {
+      CLAUDE_AUTOCOMPACT_PCT_OVERRIDE: "65"
+    },
     hooks
   };
 }
@@ -1683,6 +1764,10 @@ var CONDITIONAL_AGENTS = [
   {
     name: `${SKILL_PREFIX}tdd-guide`,
     condition: (scan) => scan.tools.playwright || !!scan.scripts["test"]
+  },
+  {
+    name: `${SKILL_PREFIX}database-reviewer`,
+    condition: (scan) => scan.cms !== "none" || scan.framework === "nextjs"
   }
 ];
 async function copyAgents(targetDir, scan) {