@nano-step/skill-manager 5.6.0 → 5.6.2

package/skills/pr-code-reviewer/checklists/consumer-search-matrix.md

@@ -0,0 +1,339 @@
+# Consumer Search Matrix
+
+When reviewing PRs, use this matrix to determine WHAT to search and WHERE.
+
+## Quick Reference
+
+| Change Type | Search Repos | Search Patterns | Severity |
+|-------------|--------------|-----------------|----------|
+| API response field removed/renamed | tradeit, tradeit-admin, tradeit-extension | `.{fieldName}`, `{fieldName}:`, `data.{fieldName}` | 🔴 CRITICAL |
+| API endpoint path changed | All frontend repos | `/api/v2/{path}`, network/*.js | 🔴 CRITICAL |
+| Database column removed | From by-database.md readers | `{column_name}`, `{camelCaseName}` | 🔴 CRITICAL |
+| Redis key pattern changed | tradeit-backend, tradeit-socket-server | Exact key string, key prefix | 🟡 WARNING |
+| External URL pattern changed | tradeit, tradeit-admin | Field name holding URL | 🔴 CRITICAL |
+| Middleware removed | Same repo | `httpContext.get()`, middleware name | 🟡 WARNING |
+| Socket event changed | tradeit-socket-server, tradeit | `socket.on()`, `socket.emit()` | 🔴 CRITICAL |
+| Enum/constant changed | All repos importing enums | Enum name, literal value | 🟡 WARNING |
+
+---
+
+## 1. API Response Field Changes
+
+### Detection
+- Diff shows field removed/renamed in `res.success()` or return statement
+- Controller response shape changed
+- Service return value modified
+
+### Search Scope
+
+**tradeit-backend changes → Search:**
+| Repo | Location | Pattern |
+|------|----------|---------|
+| tradeit | `network/*.js` | Response destructuring |
+| tradeit | `composables/*.js` | Data field access |
+| tradeit | `components/**/*.vue` | Template bindings |
+| tradeit-admin | `api/*.js`, `services/*.js` | API consumers |
+| tradeit-extension | `src/background/*.js` | Extension API calls |
+
+### Search Patterns
+```bash
+# Field removed: "imgURL"
+grep -rn "\.imgURL" tradeit/
+grep -rn "imgURL:" tradeit/
+grep -rn "item\.imgURL" tradeit/
+grep -rn "data\.imgURL" tradeit/
+
+# Destructuring pattern
+grep -rn "{ imgURL" tradeit/
+grep -rn "{ .*imgURL.*}" tradeit/
+```
+
+### Critical Fields (NEVER remove without migration)
+
+**User Data** (`/api/v2/user/data`):
+- `balance`, `storeBalance`, `steamId`, `email`
+- `firstTradeBonus`, `stripeAccountId`
+- `likedItemMap`, `likedAssetMap`
+- `currencyPreference`, `tickets`
+
+**Inventory** (`/api/v2/inventory/*`):
+- `items[]`, `reserveAssetIds`, `tradeAwayAssetIds`
+- `assetId`, `imgURL`, `price`, `name`
+- `chartData`, `appId`, `groupId`
+
+**Trade** (`/api/v2/trade/*`):
+- `success`, `message`, `tradesInfo`
+- `trades[]`, `tradeId`, `status`
+
+**Insight** (`/api/v2/insight/*`):
+- `chartData`, `stockData`, `marketContent`
+- `sections`, `stats`
+
+---
+
+## 2. API Endpoint Path Changes
+
+### Detection
+- Route definition changed in `routes/*.js`
+- HTTP method changed (GET→POST)
+- Path parameter renamed
+
+### Search Scope
+```bash
+# Search all frontend repos for API path
+grep -rn "/api/v2/insight" tradeit/network/
+grep -rn "/api/v2/insight" tradeit-admin/
+grep -rn "insight" tradeit/network/*.js
+```
+
+### Network File Mapping
+
+| Backend Route File | Frontend Network File |
+|-------------------|----------------------|
+| `routes/user.js` | `network/userNetwork.js` |
+| `routes/inventory.js` | `network/inventoryNetwork.js` |
+| `routes/trade.js` | `network/tradeNetwork.js` |
+| `routes/sell.js` | `network/sellNetwork.js` |
+| `routes/insight.js` | `network/insightNetwork.js` |
+| `routes/meta.js` | `network/metaNetwork.js` |
+| `routes/steam.js` | `network/steamNetwork.js` |
+| `routes/stripe.js` | `network/paymentNetwork.js` |
+| `routes/giveaway.js` | `network/giveawayNetwork.js` |
+| `routes/skinCollection.js` | `network/skinCollectionNetwork.js` |
+| `routes/coupons.js` | `network/couponNetwork.js` |
+| `routes/oauth2.js` | `network/oauth2Network.js` |
+| `routes/guessGame.js` | `network/guessGameNetwork.js` |
+| `routes/invest.js` | `network/investNetwork.js` |
+
+---
+
+## 3. Database Schema Changes
+
+### Detection
+- SQL query column list changed
+- Migration file added
+- Repository method modified
+
+### Search Scope (from by-database.md)
+
+| Table | Owner (Write) | Readers (Search These) |
+|-------|---------------|------------------------|
+| `item_prices` | pricing-manager | tradeit-backend, tradeit-service |
+| `trades` | tradeit-backend | tradeit-service, tradeit-admin-backend |
+| `users` | tradeit-backend | ALL services |
+| `items_meta` | bymykel-scraper | tradeit-backend, pricing-manager |
+| `pro_players` | pro-settings-scraper | tradeit-backend |
+
+### Search Patterns
+```bash
+# Column "stable_price" removed
+grep -rn "stable_price" tradeit-backend/server/repository/
+grep -rn "stablePrice" tradeit-backend/server/  # camelCase version
+grep -rn "stablePrice" tradeit/  # frontend usage
+```
+
+---
+
+## 4. Redis Key Changes
+
+### Detection
+- Redis key pattern changed in `redis/*.js`
+- Key prefix modified
+- TTL changed significantly
+
+### Search Scope
+| Repo | Redis Usage |
+|------|-------------|
+| tradeit-backend | Session, cache, pubsub, queue |
+| tradeit-socket-server | Pubsub, real-time state |
+| pricing-manager | Price cache |
+| tradeit-inventory-server | Inventory cache |
+
+### Common Key Patterns
+```javascript
+// Inventory cache
+`cinv:${steamId}:${gameId}:compressed`
+`sinv:${steamId}:${gameId}`
+
+// User data
+`ud:${steamId}`
+`steamLevel:${steamId}`
+
+// Insight cache
+`insight_chart:${gameId}:${slug}`
+`insight_chart_item_details:${gameId}:${itemId}`
+```
+
+---
+
+## 5. External URL Pattern Changes
+
+### Detection
+- URL template changed (CDN, Steam, etc.)
+- Conditional URL logic removed
+- Domain changed
+
+### Example: imgURL Change (PR #1101)
+```javascript
+// BEFORE (conditional)
+imgURL: iconUrl 
+  ? `https://steamcommunity-a.akamaihd.net/economy/image/${iconUrl}/140fx140f` 
+  : `${process.env.TRADEIT_API_URL}static/img/items-webp-256/${groupId}.webp`
+
+// AFTER (always Steam CDN)
+imgURL: `https://steamcommunity-a.akamaihd.net/economy/image/${iconUrl}/256fx256f`
+```
+
+### Search for URL consumers
+```bash
+# Find all imgURL usages
+grep -rn "imgURL" tradeit/composables/
+grep -rn "imgURL" tradeit/components/
+grep -rn "\.imgURL" tradeit/
+
+# Found 30+ usages in PR #1101 review
+```
+
+---
+
+## 6. Middleware/Context Changes
+
+### Detection
+- Middleware removed from `index.js`
+- `httpContext.set()` removed
+- Request context field removed
+
+### Search Scope (same repo)
+```bash
+# Analytics middleware removed
+grep -rn "httpContext.get('analytics')" server/
+grep -rn "analyticsService" server/
+```
+
+### Common Context Keys
+- `analytics` - Analytics instance
+- `mysqlConnection` - DB connection
+- `requestId` - Request tracking
+- `logger` - Request-scoped logger
+
+---
+
+## 7. Socket Event Changes
+
+### Detection
+- Event name changed in emit/on calls
+- Event payload structure changed
+- Channel/room changed
+
+### Search Scope
+| Change In | Search |
+|-----------|--------|
+| tradeit-backend | tradeit-socket-server, tradeit |
+| tradeit-socket-server | tradeit, tradeit-admin |
+
+### Common Events
+```javascript
+// Trade events
+'trade:created', 'trade:updated', 'trade:completed'
+
+// Inventory events
+'inventory:updated', 'inventory:reserved'
+
+// User events
+'user:balance', 'user:notification'
+```
+
+---
+
+## 8. Enum/Constant Changes
+
+### Detection
+- Value changed in `config/enums.js`
+- Constant renamed
+- New enum value added (usually safe)
+
+### Search Scope
+```bash
+# CSGO_GAME_ID changed
+grep -rn "CSGO_GAME_ID" tradeit-backend/
+grep -rn "730" tradeit-backend/  # literal value
+grep -rn "CSGO_GAME_ID" tradeit/
+```
+
+### Critical Enums
+- `CSGO_GAME_ID`, `RUST_GAME_ID`, `DOTA2_GAME_ID`
+- `TradeStatus`, `BotTradeItemStatus`
+- `configurationKeys`
+- `CsgoSlugType`, `InsightRootSlug`
+
+---
+
+## Automated Search Commands
+
+### For PR Review
+```bash
+# 1. Get changed files
+git diff --name-only base..head
+
+# 2. For each changed controller, find response fields
+grep -A5 "res.success" server/controllers/{file}.js
+
+# 3. Search frontend for field usage
+for field in $(extract_fields); do
+  grep -rn "\.${field}" ../tradeit/
+  grep -rn "${field}:" ../tradeit/
+done
+
+# 4. Search other backend repos
+for repo in tradeit-service tradeit-admin-backend; do
+  grep -rn "{pattern}" ../${repo}/
+done
+```
+
+### GitHub Search (for remote repos)
+```bash
+# Search across organization
+gh search code "imgURL" --owner zengamingx --language javascript
+
+# Search specific repo
+gh search code "imgURL" --repo zengamingx/tradeit
+```
+
+---
+
+## Severity Guide
+
+| Severity | Meaning | Action |
+|----------|---------|--------|
+| 🔴 CRITICAL | Will crash/break functionality | Block PR, require fix |
+| 🟡 WARNING | May cause issues, needs verification | Request changes, verify |
+| 🟢 SAFE | Low risk, informational | Note in review |
+
+### Auto-Block Triggers
+- Response field removed without frontend update
+- API path changed without network file update
+- Database column removed with active readers
+- Middleware removed with active consumers
+
+---
+
+## Cross-Repo Search Checklist
+
+When reviewing a PR, check these boxes:
+
+```markdown
+## Consumer Search Completed
+
+- [ ] Searched tradeit frontend for API field usage
+- [ ] Searched tradeit-admin for admin API usage
+- [ ] Searched tradeit-extension for extension usage
+- [ ] Checked by-database.md for DB table readers
+- [ ] Searched Redis key consumers (if applicable)
+- [ ] Searched socket event subscribers (if applicable)
+- [ ] Verified enum/constant consumers (if applicable)
+
+## Findings
+| Consumer | File | Impact |
+|----------|------|--------|
+| ... | ... | ... |
+```

package/skills/pr-code-reviewer/checklists/database.md

@@ -0,0 +1,382 @@
+# Database Checklist
+
+Comprehensive review checklist for database-related changes (MySQL, Redis, migrations).
+
+---
+
+## 1. MySQL Query Safety
+
+### CRITICAL - Must Check
+
+| Check | Pattern | Why |
+|-------|---------|-----|
+| Named parameters | `:paramName` | Prevents SQL injection, readable |
+| No string concatenation | `WHERE id = ${id}` | SQL injection |
+| Parameterized IN clauses | `WHERE id IN (:ids)` | Injection protection |
+| LIMIT on SELECT | `LIMIT 1000` | Memory protection |
+
+### Detection Patterns
+
+```javascript
+// CRITICAL: SQL injection via concatenation
+await mysql.query(`SELECT * FROM users WHERE id = ${userId}`)
+await mysql.query(`SELECT * FROM items WHERE name LIKE '%${search}%'`)
+
+// SECURE: Named parameters
+await mysql.query('SELECT * FROM users WHERE id = :userId', { userId })
+await mysql.query('SELECT * FROM items WHERE name LIKE :search', { search: `%${search}%` })
+
+// CRITICAL: Unbounded query
+await mysql.query('SELECT * FROM items WHERE status = :status', { status })
+
+// SECURE: With limit
+await mysql.query('SELECT * FROM items WHERE status = :status LIMIT 1000', { status })
+
+// WARNING: Dynamic column names (can't parameterize)
+await mysql.query(`SELECT ${columns} FROM items`)  // Validate columns first!
+
+// SECURE: Whitelist columns
+const allowedColumns = ['id', 'name', 'price']
+const safeColumns = columns.filter(c => allowedColumns.includes(c))
+await mysql.query(`SELECT ${safeColumns.join(',')} FROM items`)
+```
+
+---
+
+## 2. Transactions
+
+### CRITICAL - Must Check
+
+| Check | Pattern | Why |
+|-------|---------|-----|
+| Multi-table ops in transaction | `START TRANSACTION` | Data consistency |
+| ROLLBACK in catch | `catch { ROLLBACK }` | Cleanup on error |
+| Connection released | `finally { release() }` | Connection pool |
+| Deadlock handling | Retry on deadlock | Resilience |
+
+### Detection Patterns
+
+```javascript
+// CRITICAL: Multi-table without transaction
+await mysql.query('INSERT INTO orders ...')
+await mysql.query('UPDATE inventory SET quantity = quantity - 1 ...')
+await mysql.query('INSERT INTO order_items ...')
+// If any fails, data is inconsistent!
+
+// SECURE: With transaction
+const connection = await mysql.getConnection()
+try {
+  await connection.query('START TRANSACTION')
+  await connection.query('INSERT INTO orders ...')
+  await connection.query('UPDATE inventory SET quantity = quantity - 1 ...')
+  await connection.query('INSERT INTO order_items ...')
+  await connection.query('COMMIT')
+} catch (e) {
+  await connection.query('ROLLBACK')
+  throw e
+} finally {
+  connection.release()
+}
+
+// WARNING: No deadlock handling
+try {
+  await runTransaction()
+} catch (e) {
+  throw e  // Deadlock causes permanent failure
+}
+
+// SECURE: Retry on deadlock
+const MAX_RETRIES = 3
+for (let i = 0; i < MAX_RETRIES; i++) {
+  try {
+    await runTransaction()
+    break
+  } catch (e) {
+    if (e.code === 'ER_LOCK_DEADLOCK' && i < MAX_RETRIES - 1) {
+      await sleep(100 * (i + 1))  // Exponential backoff
+      continue
+    }
+    throw e
+  }
+}
+```
+
+---
+
+## 3. Schema Changes
+
+### CRITICAL - Must Check
+
+| Check | Pattern | Why |
+|-------|---------|-----|
+| Column removal has migration | Check readers first | Breaking change |
+| Index added for new WHERE | `CREATE INDEX` | Query performance |
+| NOT NULL has default | `DEFAULT value` | Existing rows |
+| Foreign key has ON DELETE | `ON DELETE CASCADE/SET NULL` | Referential integrity |
+
+### Detection Patterns
+
+```sql
+-- CRITICAL: Removing column without checking readers
+ALTER TABLE items DROP COLUMN stable_price;
+-- Search all repos for 'stable_price' first!
+
+-- WARNING: Adding NOT NULL without default
+ALTER TABLE users ADD COLUMN verified BOOLEAN NOT NULL;
+-- Fails if table has existing rows!
+
+-- SECURE: With default
+ALTER TABLE users ADD COLUMN verified BOOLEAN NOT NULL DEFAULT FALSE;
+
+-- WARNING: Missing index on frequently queried column
+SELECT * FROM items WHERE status = 'active' AND game_id = 730;
+-- If no index on (status, game_id), full table scan!
+
+-- SECURE: Add composite index
+CREATE INDEX idx_items_status_game ON items(status, game_id);
+
+-- WARNING: Foreign key without ON DELETE
+ALTER TABLE order_items ADD FOREIGN KEY (order_id) REFERENCES orders(id);
+-- What happens when order deleted?
+
+-- SECURE: Specify behavior
+ALTER TABLE order_items ADD FOREIGN KEY (order_id) REFERENCES orders(id) ON DELETE CASCADE;
+```
+
+---
+
+## 4. Query Performance
+
+### WARNING - Should Check
+
+| Check | Pattern | Why |
+|-------|---------|-----|
+| No SELECT * | List specific columns | Network, memory |
+| Indexes used | EXPLAIN shows index | Query speed |
+| No N+1 queries | Query in loop | Performance |
+| Pagination for large results | LIMIT + OFFSET | Memory |
+
+### Detection Patterns
+
+```javascript
+// WARNING: SELECT * (fetches all columns)
+await mysql.query('SELECT * FROM items WHERE id = :id', { id })
+
+// SECURE: Specific columns
+await mysql.query('SELECT id, name, price FROM items WHERE id = :id', { id })
+
+// CRITICAL: N+1 query pattern
+const users = await mysql.query('SELECT * FROM users')
+for (const user of users) {
+  const orders = await mysql.query('SELECT * FROM orders WHERE user_id = :userId', { userId: user.id })
+  // N+1 queries!
+}
+
+// SECURE: JOIN or batch query
+const usersWithOrders = await mysql.query(`
+  SELECT u.*, o.* FROM users u
+  LEFT JOIN orders o ON o.user_id = u.id
+`)
+
+// Or batch:
+const userIds = users.map(u => u.id)
+const orders = await mysql.query('SELECT * FROM orders WHERE user_id IN (:userIds)', { userIds })
+
+// WARNING: No pagination
+const items = await mysql.query('SELECT * FROM items')  // Could be millions!
+
+// SECURE: Paginated
+const items = await mysql.query('SELECT * FROM items LIMIT :limit OFFSET :offset', { limit: 100, offset: page * 100 })
+```
+
+---
+
+## 5. Redis Operations
+
+### CRITICAL - Must Check
+
+| Check | Pattern | Why |
+|-------|---------|-----|
+| TTL on all cache keys | `setEx()` not `set()` | Memory leak |
+| Key naming consistent | `prefix:${id}:suffix` | Maintainability |
+| Large values compressed | JSON.stringify + compress | Memory |
+| Pipeline for batch ops | `multi()...exec()` | Performance |
+
+### Detection Patterns
+
+```javascript
+// CRITICAL: No TTL - memory leak
+await redis.set(`cache:${userId}`, JSON.stringify(data))
+
+// SECURE: With TTL
+await redis.setEx(`cache:${userId}`, 3600, JSON.stringify(data))
+
+// WARNING: Inconsistent key patterns
+await redis.get(`user_${userId}`)      // underscore
+await redis.get(`user:${otherId}`)     // colon
+await redis.get(`USER:${anotherId}`)   // uppercase
+
+// SECURE: Consistent pattern with constants
+const KEYS = {
+  user: (id) => `user:${id}`,
+  inventory: (steamId, gameId) => `inv:${steamId}:${gameId}`,
+}
+await redis.get(KEYS.user(userId))
+
+// WARNING: Multiple individual operations
+for (const key of keys) {
+  await redis.get(key)  // N round trips!
+}
+
+// SECURE: Pipeline
+const pipeline = redis.pipeline()
+for (const key of keys) {
+  pipeline.get(key)
+}
+const results = await pipeline.exec()
+
+// WARNING: Large value without compression
+const largeData = { items: [...thousandsOfItems] }
+await redis.setEx(key, 3600, JSON.stringify(largeData))  // Could be MBs!
+
+// SECURE: Compress large values
+const compressed = await compress(JSON.stringify(largeData))
+await redis.setEx(`${key}:compressed`, 3600, compressed)
+```
+
+---
+
+## 6. Redis Key Changes (Breaking)
+
+### CRITICAL - Must Check
+
+| Check | Pattern | Why |
+|-------|---------|-----|
+| Key pattern change | Search all consumers | Breaking change |
+| Key prefix change | Update all services | Data loss |
+| TTL significantly changed | Verify cache strategy | Stale data |
+
+### Consumer Search Required
+
+```bash
+# Key pattern changed from `user:${id}` to `u:${id}`
+grep -rn "user:" tradeit-backend/
+grep -rn "user:" tradeit-socket-server/
+grep -rn "user:" pricing-manager/
+
+# Check by-database.md for Redis consumers
+cat .agents/_indexes/by-database.md | grep "Redis"
+```
+
+### Common Key Patterns (DO NOT CHANGE without migration)
+
+```javascript
+// User data
+`ud:${steamId}`                    // User data cache
+`steamLevel:${steamId}`            // Steam level cache
+
+// Inventory
+`cinv:${steamId}:${gameId}:compressed`  // Compressed inventory
+`sinv:${steamId}:${gameId}`             // Store inventory
+
+// Insight
+`insight_chart:${gameId}:${slug}`       // Chart data cache
+`insight_chart_item_details:${gameId}:${itemId}`
+
+// Session
+`sess:${sessionId}`                // User session
+
+// Queue
+`bull:${queueName}:*`              // Bull queue keys
+```
+
+---
+
+## 7. Migration Safety
+
+### CRITICAL - Must Check
+
+| Check | Pattern | Why |
+|-------|---------|-----|
+| Backward compatible | Old code still works | Zero-downtime deploy |
+| Reversible | Can rollback | Safety |
+| Tested on copy | Run on staging first | Catch issues |
+| Large table handled | pt-online-schema-change | Lock avoidance |
+
+### Detection Patterns
+
+```sql
+-- CRITICAL: Non-backward compatible change
+ALTER TABLE users RENAME COLUMN email TO email_address;
+-- Old code using 'email' will break!
+
+-- SECURE: Add new, migrate, remove old
+ALTER TABLE users ADD COLUMN email_address VARCHAR(255);
+UPDATE users SET email_address = email;
+-- Deploy code that uses both
+-- Later: ALTER TABLE users DROP COLUMN email;
+
+-- WARNING: Large table ALTER without pt-osc
+ALTER TABLE items ADD INDEX idx_price (price);
+-- On 10M+ row table, this locks for minutes!
+
+-- SECURE: Use pt-online-schema-change
+pt-online-schema-change --alter "ADD INDEX idx_price (price)" D=tradeit,t=items
+```
+
+---
+
+## 8. Data Integrity
+
+### CRITICAL - Must Check
+
+| Check | Pattern | Why |
+|-------|---------|-----|
+| Unique constraints | `UNIQUE INDEX` | Prevent duplicates |
+| Foreign keys | `REFERENCES` | Referential integrity |
+| Check constraints | `CHECK (price >= 0)` | Data validation |
+| NOT NULL where required | `NOT NULL` | Prevent nulls |
+
+---
+
+## Quick Checklist
+
+Copy this for PR reviews:
+
+```markdown
+## Database Review
+
+### MySQL Queries
+- [ ] Named parameters used (not string concatenation)
+- [ ] LIMIT on SELECT queries
+- [ ] No SELECT * (specific columns listed)
+- [ ] Indexes exist for WHERE/JOIN columns
+
+### Transactions
+- [ ] Multi-table operations in transaction
+- [ ] ROLLBACK in catch block
+- [ ] Connection released in finally
+- [ ] Deadlock retry logic (if applicable)
+
+### Schema Changes
+- [ ] Column removal checked against all readers
+- [ ] New columns have defaults (if NOT NULL)
+- [ ] Indexes added for new query patterns
+- [ ] Migration is backward compatible
+
+### Redis
+- [ ] TTL on all cache keys (setEx, not set)
+- [ ] Key naming follows conventions
+- [ ] Large values compressed
+- [ ] Pipeline used for batch operations
+
+### Breaking Changes
+- [ ] No column removed without consumer check
+- [ ] No Redis key pattern changed without migration
+- [ ] Schema change tested on staging
+
+### Consumer Search (if schema changed)
+- [ ] Checked by-database.md for table readers
+- [ ] Searched all repos for column name
+- [ ] Searched all repos for Redis key pattern
+```