@neuravim/aiden 0.12.0

package/package.json

@@ -0,0 +1,85 @@
+{
+  "name": "@neuravim/aiden",
+  "version": "0.12.0",
+  "description": "AI-Driven Engineering - CLI framework for AI-assisted development",
+  "type": "module",
+  "bin": {
+    "aiden": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsx src/cli/index.ts",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:ci": "tsx tests/ci-runner.ts",
+    "test:e2e": "AIDEN_E2E=1 bunx vitest run tests/e2e/ --timeout 300000",
+    "lint": "eslint src/ --quiet",
+    "lint:ci": "eslint src/ --quiet --format compact",
+    "format": "prettier --write src/",
+    "format:check": "prettier --check src/",
+    "typecheck": "tsc --noEmit",
+    "prepare": "husky"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist",
+    "templates",
+    "README.md",
+    "LICENSE"
+  ],
+  "keywords": [
+    "ai",
+    "cli",
+    "agents",
+    "developer-tools",
+    "claude",
+    "gemini",
+    "copilot",
+    "orchestration",
+    "enterprise"
+  ],
+  "license": "AGPL-3.0-only",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/neuravim/aiden"
+  },
+  "homepage": "https://aiden.neuravim.tech",
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "handlebars": "^4.7.8",
+    "js-yaml": "^4.1.0",
+    "ora": "^8.1.0",
+    "semver": "^7.6.0",
+    "zod": "^3.23.8"
+  },
+  "lint-staged": {
+    "src/**/*.{ts,tsx}": [
+      "prettier --write",
+      "eslint --quiet --fix"
+    ],
+    "src/**/*.{json,md,yaml,yml}": [
+      "prettier --write"
+    ]
+  },
+  "devDependencies": {
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^20.14.0",
+    "@types/semver": "^7.5.0",
+    "@typescript-eslint/eslint-plugin": "^7.13.0",
+    "@typescript-eslint/parser": "^7.13.0",
+    "eslint": "^8.57.0",
+    "husky": "^9.1.7",
+    "lint-staged": "^16.4.0",
+    "prettier": "^3.3.0",
+    "tsup": "^8.1.0",
+    "tsx": "^4.15.0",
+    "typescript": "^5.5.0",
+    "vitest": "^1.6.0"
+  }
+}

package/templates/aiden.config.yaml

@@ -0,0 +1,46 @@
+# AIDEN - Project configuration
+# Documentation: https://github.com/Anas-ZAHOURI/aiden#configuration
+
+project: my-project
+provider: claude-code        # claude-code | gemini | copilot | auto
+mode: standard               # flash | standard | enterprise
+lang: en                     # language for artifacts
+
+# Providers (optional - defaults are sensible)
+# providers:
+#   claude-code:
+#     enabled: true
+#     command: claude
+#     model: claude-sonnet-4-6
+#     maxTokens: 100000
+#     costPer1k: 0.003
+#   gemini:
+#     enabled: true
+#     command: gemini
+#     model: gemini-2.5-pro
+#     maxTokens: 1000000
+#     costPer1k: 0.001
+
+# Routing (optional)
+# routing:
+#   strategy: prefer          # auto | prefer | fixed | cost-optimized
+#   fallback: [gemini, claude-code]
+
+# Token budget (optional)
+# budget:
+#   monthlyLimit: 500000
+#   alertAt: 80
+#   perFeature:
+#     flash: 5000
+#     standard: 20000
+#     enterprise: 100000
+
+# Hooks (optional)
+# hooks:
+#   on_phase_end:
+#     - command: npm test
+#       onFailure: block
+
+# Enterprise rules (optional)
+# rules:
+#   - coding-standards.md

package/templates/rules/coding-standards.md

@@ -0,0 +1,29 @@
+# Mandatory coding standards
+
+## TypeScript
+- Strict mode enabled
+- No `any` unless justified with a comment
+- Interfaces for all public types
+- JSDoc for exported functions
+
+## Tests
+- Minimum coverage: 80%
+- Unit tests mandatory for all business logic
+- Integration tests for API endpoints
+- Mocking: prefer dependency injection over module mocking
+
+## Git
+- Commit convention: Conventional Commits
+- Branches: feature/<slug>, fix/<slug>, refactor/<slug>
+- PR: max 400 changed lines (split otherwise)
+
+## Security
+- No secrets in code (use env vars)
+- Validate user inputs (zod or joi)
+- Sanitize HTML outputs
+- CORS configured explicitly
+
+## Architecture
+- Clean Architecture: domain -> application -> infrastructure
+- No business logic in controllers
+- Repository pattern for data access

package/templates/skills/adr-enforcer/instructions.md

@@ -0,0 +1,66 @@
+# ADR Enforcer
+
+## For Planner Agent
+
+For every significant technical decision in the spec, generate an Architecture Decision Record (ADR) in MADR format. A decision is "significant" if it involves:
+
+- Choice of technology, framework, or library
+- Architectural pattern selection (e.g., event-driven vs. request-response)
+- Data model design decisions
+- API design trade-offs
+- Security or compliance approach
+
+### MADR format
+
+```markdown
+# NNNN — <Decision Title>
+
+## Status
+Proposed | Accepted | Deprecated | Superseded
+
+## Context
+<What is the issue that we're seeing that is motivating this decision?>
+
+## Decision
+<What is the change that we're proposing and/or doing?>
+
+## Consequences
+
+### Positive
+- <Good outcome>
+
+### Negative
+- <Trade-off or downside>
+
+## Alternatives Considered
+
+### <Alternative 1>
+- Pros: ...
+- Cons: ...
+- Reason rejected: ...
+```
+
+Use `NNNN` as placeholder — DocOps will assign the final number.
+
+### Output marker
+
+For each ADR generated, emit:
+
+```
+ADR_GENERATED:
+- title: <decision title>
+- status: proposed
+- alternatives: <number of alternatives considered>
+```
+
+## For DocOps Agent
+
+Collect all ADRs generated by the Planner:
+
+1. Assign sequential numbers based on existing ADRs in the configured `outputDir` (default: `.aiden/adrs/`)
+2. Use the numbering format `NNNN` (e.g., `0001`, `0002`)
+3. Name files as `NNNN-kebab-case-title.md`
+4. Verify each ADR has all required sections: Status, Context, Decision, Consequences, Alternatives
+5. Add a date field and link to the feature that prompted the decision
+
+Emit `ADR_GENERATED` for each finalized ADR with the assigned number.

package/templates/skills/adr-enforcer/skill.yaml

@@ -0,0 +1,14 @@
+name: adr-enforcer
+version: 1.0.0
+description: Enforce Architecture Decision Records in MADR format
+agents:
+  - planner
+  - docops
+modes:
+  - enterprise
+priority: 15
+enabled: true
+config:
+  outputDir: .aiden/adrs
+  numberingFormat: "NNNN"
+  template: madr

package/templates/skills/adversarial-review/instructions.md

@@ -0,0 +1,33 @@
+# Adversarial Review
+
+You are now operating in **adversarial review mode**. Your goal is to find problems, not to validate.
+
+## Mindset
+
+Adopt a cynical, skeptical perspective. Assume things WILL go wrong. Your job is to find out HOW before production does.
+
+## Review Checklist
+
+For every technical decision in the spec, brief, or code:
+
+1. **Challenge the decision**: Why was this approach chosen? What alternatives were dismissed? Were they dismissed for the right reasons?
+2. **Single points of failure**: Identify any component whose failure would cascade across the system.
+3. **Cross-agent coherence**: Does the analyst's risk assessment match the planner's stories? Does the dev's implementation address the planner's constraints?
+4. **Optimism bias**: Are estimates realistic? Is the happy path over-emphasized? Are error paths fully handled?
+5. **Hidden dependencies**: Are there implicit assumptions about infrastructure, external APIs, or user behavior?
+6. **Security attack surface**: What new attack vectors does this feature introduce?
+7. **Scalability concerns**: Will this approach work at 10x the current load? 100x?
+
+## Output Format
+
+For each finding, report:
+
+```
+ADVERSARIAL_FINDING:
+- severity: critical | major | minor
+- category: architecture | security | coherence | optimism | dependency | scalability
+- description: <what's wrong>
+- recommendation: <what to do about it>
+```
+
+Expect to find **at least 5 issues**. If you find fewer than 3, you're not looking hard enough.

package/templates/skills/adversarial-review/skill.yaml

@@ -0,0 +1,11 @@
+name: adversarial-review
+version: 1.0.0
+description: Adversarial review of decisions and architecture — challenges assumptions, finds single points of failure
+agents:
+  - analyst
+  - qa
+modes:
+  - standard
+  - enterprise
+priority: 80
+enabled: true

package/templates/skills/api-design-restful/instructions.md

@@ -0,0 +1,74 @@
+# RESTful API Design Standards
+
+## For Planner Agent
+
+When designing API endpoints in the spec:
+
+1. **Resource naming**: Use plural nouns (`/users`, `/orders`), kebab-case for multi-word (`/order-items`)
+2. **Hierarchy**: Nest sub-resources max 2 levels deep (`/users/:id/orders`, not deeper)
+3. **Versioning**: Use URL prefix strategy by default (`/api/v1/...`)
+4. **Document each endpoint**: method, path, request body schema, response schema, status codes, error cases
+
+Include an API design section in the spec with endpoint inventory and schema definitions.
+
+## For Dev Agent
+
+Implement API endpoints following RESTful standards:
+
+### URL conventions
+- Use plural nouns for collections: `GET /api/v1/users`
+- Use resource ID for single items: `GET /api/v1/users/:id`
+- Use verbs only for actions that are not CRUD: `POST /api/v1/users/:id/activate`
+- Version prefix: `/api/v1/` (configurable via `versioningStrategy`)
+
+### HTTP methods and status codes
+| Method | Success | Created | No Content | Not Found | Conflict |
+|--------|---------|---------|------------|-----------|----------|
+| GET    | 200     | —       | —          | 404       | —        |
+| POST   | —       | 201     | —          | —         | 409      |
+| PUT    | 200     | —       | 204        | 404       | 409      |
+| PATCH  | 200     | —       | 204        | 404       | —        |
+| DELETE | —       | —       | 204        | 404       | —        |
+
+### Error format (RFC 7807)
+All errors MUST use the Problem Details format:
+```json
+{
+  "type": "https://api.example.com/errors/validation",
+  "title": "Validation Error",
+  "status": 422,
+  "detail": "The 'email' field is not a valid email address",
+  "instance": "/api/v1/users"
+}
+```
+
+### Pagination (cursor-based by default)
+```json
+{
+  "data": [...],
+  "pagination": {
+    "cursor": "eyJpZCI6MTAwfQ==",
+    "hasMore": true,
+    "pageSize": 25
+  }
+}
+```
+- Maximum page size: configurable (`maxPageSize`, default 100)
+- Default page size: 25
+- Include `Link` headers for discoverability
+
+### Headers
+- `Content-Type: application/json` on all responses
+- `Location` header on 201 responses with the new resource URL
+- `X-Request-Id` for traceability
+- Cache headers (`Cache-Control`, `ETag`) for GET responses where appropriate
+
+### Output Format
+
+```
+API_VIOLATION:
+- rule: naming | method | status-code | error-format | pagination | header | versioning
+- endpoint: <METHOD /path>
+- description: <what violates the standard>
+- fix: <corrected implementation>
+```

package/templates/skills/api-design-restful/skill.yaml

@@ -0,0 +1,16 @@
+name: api-design-restful
+version: 1.0.0
+description: Enforce RESTful API design standards and conventions
+agents:
+  - planner
+  - dev
+modes:
+  - standard
+  - enterprise
+priority: 10
+enabled: true
+config:
+  versioningStrategy: url-prefix
+  paginationStyle: cursor
+  errorFormat: rfc7807
+  maxPageSize: 100

package/templates/skills/changelog-gen/instructions.md

@@ -0,0 +1,59 @@
+# Changelog Generator
+
+## For DocOps Agent
+
+Generate changelog entries following the [Keep a Changelog](https://keepachangelog.com/) format for every completed feature.
+
+### Categories
+
+Classify each change into one of the standard categories:
+
+- **Added**: New features or capabilities
+- **Changed**: Changes to existing functionality
+- **Deprecated**: Features that will be removed in future versions
+- **Removed**: Features that were removed
+- **Fixed**: Bug fixes
+- **Security**: Vulnerability fixes or security improvements
+
+### Rules
+
+1. Write entries from the user's perspective, not the developer's
+2. Each entry is a single line starting with `- ` (markdown list item)
+3. Use past tense: "Added user authentication" not "Add user authentication"
+4. Include breaking changes with a `**BREAKING:**` prefix when `includeBreaking` is enabled
+5. Group related changes under a single entry when they form a coherent feature
+6. Reference the feature slug or issue ID in parentheses at the end: `(feat/user-auth)`
+
+### Output Format
+
+For each entry, emit:
+
+```
+CHANGELOG_ENTRY:
+- category: Added | Changed | Deprecated | Removed | Fixed | Security
+- description: <user-facing description of the change>
+- breaking: true | false
+- feature: <feature slug>
+```
+
+### Full changelog section format
+
+When assembling the final output, produce a section like:
+
+```markdown
+## [Unreleased]
+
+### Added
+- Description of added feature (feat/feature-slug)
+
+### Changed
+- Description of change (feat/feature-slug)
+
+### Fixed
+- Description of fix (feat/feature-slug)
+
+### Security
+- Description of security fix (feat/feature-slug)
+```
+
+Only include categories that have entries. Maintain chronological order within each category (newest first).

package/templates/skills/changelog-gen/skill.yaml

@@ -0,0 +1,14 @@
+name: changelog-gen
+version: 1.0.0
+description: Generate Keep a Changelog entries from completed features
+agents:
+  - docops
+modes:
+  - standard
+  - enterprise
+priority: 10
+enabled: true
+config:
+  outputFile: CHANGELOG.md
+  format: keepachangelog
+  includeBreaking: true

package/templates/skills/code-review-strict/instructions.md

@@ -0,0 +1,13 @@
+# Strict Code Review
+
+## For Dev Agent
+- Every function MUST have explicit return types
+- No `any` type allowed, use `unknown` if needed
+- All public APIs must have JSDoc comments
+- Error handling must use custom error classes, not generic Error
+
+## For QA Agent
+- Verify test coverage >= 80% for new code
+- Check for missing edge case tests
+- Validate error messages are user-friendly
+- Ensure no console.log left in production code

package/templates/skills/code-review-strict/skill.yaml

@@ -0,0 +1,8 @@
+name: code-review-strict
+version: 1.0.0
+description: Enforce strict code review standards
+agents:
+  - dev
+  - qa
+priority: 10
+enabled: true

package/templates/skills/compliance-rgpd/instructions.md

@@ -0,0 +1,18 @@
+# RGPD Compliance
+
+## For Analyst Agent
+- Flag any feature that collects, stores, or processes personal data
+- Identify data retention requirements
+- Note if consent mechanisms are needed
+
+## For Dev Agent
+- Personal data must be encrypted at rest and in transit
+- Implement data anonymization for logs
+- Add data deletion endpoints for right-to-erasure compliance
+- Never log personal data (emails, names, IPs) in plain text
+
+## For QA Agent
+- Verify no personal data leaks in error messages
+- Check that data deletion actually removes all traces
+- Validate consent flow completeness
+- Test data export (right to portability)

package/templates/skills/compliance-rgpd/skill.yaml

@@ -0,0 +1,12 @@
+name: compliance-rgpd
+version: 1.0.0
+description: RGPD compliance checks for data handling code
+agents:
+  - analyst
+  - dev
+  - qa
+modes:
+  - standard
+  - enterprise
+priority: 20
+enabled: true

package/templates/skills/dead-code-detector/instructions.md

@@ -0,0 +1,38 @@
+# Dead Code Detector
+
+## For QA Agent
+
+Scan all new and modified files for dead code. Your goal is to keep the codebase lean by identifying code that serves no purpose.
+
+### What to detect
+
+1. **Unused exports**: functions, classes, constants, or types exported but never imported elsewhere in the project
+2. **Unused imports**: imported symbols that are never referenced in the file
+3. **Unreachable code**: statements after `return`, `throw`, `break`, `continue`, or inside always-false conditions
+4. **Unused variables and parameters**: declared but never read (except destructuring rest)
+5. **Dead branches**: conditions that are always true or always false based on type narrowing
+6. **Commented-out code blocks**: large blocks of commented code that should be removed (version control exists)
+
+### Exclusions
+
+Do NOT flag the following as dead code:
+
+- Variables prefixed with `_` (intentional unused marker)
+- Re-exports from barrel `index.ts` files
+- Interface/type declarations that serve as public API contracts
+- Decorator-referenced symbols (e.g., NestJS `@Injectable()` classes)
+
+### Output Format
+
+For each finding, emit:
+
+```
+DEAD_CODE_FINDING:
+- type: unused-export | unused-import | unreachable | unused-variable | dead-branch | commented-code
+- file: <path>
+- line: <line number or range>
+- symbol: <name of the dead symbol>
+- suggestion: <remove | refactor | verify usage>
+```
+
+Summarize with a total count of findings by type at the end of the review.

package/templates/skills/dead-code-detector/skill.yaml

@@ -0,0 +1,7 @@
+name: dead-code-detector
+version: 1.0.0
+description: Detect unused exports, imports, unreachable code, and dead variables
+agents:
+  - qa
+priority: 5
+enabled: true

package/templates/skills/dependency-audit/instructions.md

@@ -0,0 +1,43 @@
+# Dependency Audit
+
+## For Analyst Agent
+
+When evaluating the feature request, assess any new dependencies that may be required:
+
+1. **Maturity**: Is the package well-established? Check download counts, GitHub stars, age
+2. **Bundle size**: Will it significantly increase the bundle? Are there lighter alternatives?
+3. **Maintenance**: Is it actively maintained? Last publish date, open issues ratio, bus factor
+4. **Transitive dependencies**: How deep is the dependency tree? Does it pull in large subtrees?
+5. **Alternatives**: List at least one alternative for each new dependency with pros/cons
+
+Include dependency assessment in your analysis output under a `## Dependencies` section.
+
+## For QA Agent
+
+Audit all new and existing dependencies referenced in the changed code:
+
+### Vulnerability checks
+- Flag any dependency with known CVEs at or above the configured `maxSeverity` (default: high)
+- Check for advisories in npm/GitHub advisory database
+- Flag dependencies that are more than 2 major versions behind latest
+
+### License compliance
+- Flag dependencies using blocked licenses (default: GPL-3.0, AGPL-3.0)
+- Verify license compatibility with the project's license
+- Flag dependencies with no declared license
+
+### Stability checks
+- Flag pre-release versions (alpha, beta, rc) in production dependencies
+- Flag dependencies with fewer than 100 weekly downloads
+- Flag dependencies not updated in over 2 years
+
+### Output Format
+
+```
+DEPENDENCY_FINDING:
+- package: <name@version>
+- type: vulnerability | license | stability | size
+- severity: critical | high | medium | low
+- description: <what was found>
+- recommendation: <update | replace | accept-risk | remove>
+```

package/templates/skills/dependency-audit/skill.yaml

@@ -0,0 +1,17 @@
+name: dependency-audit
+version: 1.0.0
+description: Audit dependencies for vulnerabilities, license compliance, and maturity
+agents:
+  - analyst
+  - qa
+modes:
+  - standard
+  - enterprise
+priority: 20
+enabled: true
+config:
+  maxSeverity: high
+  blockedLicenses:
+    - GPL-3.0
+    - AGPL-3.0
+  allowedLicenses: []

package/templates/skills/hipaa-guard/instructions.md

@@ -0,0 +1,62 @@
+# HIPAA Guard
+
+## For Analyst Agent
+
+When analyzing features that involve Protected Health Information (PHI), assess:
+
+1. **PHI identification**: Flag any data field matching configured PHI fields (name, dob, ssn, mrn, address, phone, email, insurance_id)
+2. **Data flow mapping**: Trace where PHI enters, is stored, transmitted, and displayed
+3. **Minimum necessary**: Verify the feature only accesses PHI that is strictly required
+4. **Risk level**: Rate the PHI exposure risk (high/medium/low) based on volume and sensitivity
+
+Include a `## HIPAA Assessment` section in your analysis output.
+
+## For Dev Agent
+
+When implementing features that handle PHI:
+
+### Encryption
+- All PHI at rest MUST be encrypted with AES-256 (or configured algorithm)
+- All PHI in transit MUST use TLS 1.2+
+- Encryption keys MUST be managed via a key management service, never hardcoded
+
+### Access control
+- All PHI access MUST require authentication and authorization
+- Implement role-based access control (RBAC) for PHI endpoints
+- Implement "break-the-glass" emergency access with mandatory audit logging
+
+### Audit logging
+- Log ALL PHI access events: who accessed what, when, from where
+- Log ALL PHI modifications with before/after values (encrypted)
+- Audit logs MUST be retained for minimum 2190 days (6 years) per config
+- Audit logs MUST be tamper-evident (append-only, integrity checks)
+
+### Data handling
+- Never log PHI in plain text — mask or redact in all log outputs
+- Never include PHI in error messages or stack traces
+- Implement data retention policies with automated purge
+- Support patient data export and deletion requests
+
+## For QA Agent
+
+Verify all HIPAA requirements are met in the implementation:
+
+1. PHI fields are encrypted at rest and in transit
+2. Access control is enforced on all PHI endpoints
+3. Audit logging captures all required events
+4. No PHI leaks into logs, error messages, or client-side storage
+5. Break-the-glass mechanism exists for emergency access
+
+### Output Format
+
+```
+HIPAA_FINDING:
+- rule: encryption | access-control | audit-log | data-handling | minimum-necessary
+- severity: critical | high | medium
+- file: <path>
+- line: <line number>
+- description: <what violates HIPAA>
+- remediation: <specific fix>
+```
+
+Any `critical` HIPAA finding MUST cause QA to fail.