@ojokesusu/lintasai 1.1.2

package/templates/split-agents/FRONTEND.md

@@ -0,0 +1,141 @@
+# TEMPLATE: `<project>-frontend/AGENTS.md`
+
+> Template ini di-deploy oleh AI saat split repo migration.
+> Customization: replace `<project>` dengan nama project user.
+
+```markdown
+# AGENTS.md - <project>-frontend
+
+> Repo ini: Frontend UI only (Next.js SPA mode atau React Vite).
+> Audience AI: Claude Code untuk Frontend Staff (4 orang yang akses repo `<project>-frontend` + `<project>-shared`).
+>
+> Privileges Frontend Staff:
+> - DAPAT edit data (CRUD: SELECT / INSERT / UPDATE / DELETE) di DB lewat API backend
+> - TIDAK punya DDL (CREATE TABLE / ALTER / DROP) — DDL = domain Backend staff + owner
+
+## Scope Kamu (AI)
+
+Kamu di repo `<project>-frontend`. Kamu BOLEH:
+- Edit UI components, pages, layouts (di `src/app/`, `src/components/`)
+- Call API backend via fetch/axios (CRUD data lewat endpoint yang sudah ada)
+- Import types dari `@<project>/shared` (auto-installed npm dep)
+- Styling (Tailwind, CSS modules)
+- Update copy/teks UI sesuai brief dari staff content
+
+Kamu TIDAK BOLEH:
+- Bikin endpoint API (itu di `<project>-backend`, kamu tidak akses)
+- Direct database query (Prisma) — termasuk dilarang DDL apapun
+- Modify `@<project>/shared` (cuma owner / Backend staff yang publish version baru)
+- Implement business logic (validation, calculation, workflow rules)
+- Akses `.env` yang berisi `DATABASE_URL` atau API SECRET
+- Hardcode URL backend; selalu pakai env var
+
+## Stack
+- Next.js (lihat STACK_VERSIONS.md untuk versi terbaru) atau React Vite (frontend only)
+- TailwindCSS + Shadcn/ui untuk component primitives
+- TypeScript strict mode
+- React Query / SWR untuk data fetching
+- React Hook Form + Zod (validasi client-side, schema dari `@<project>/shared`)
+
+## Workflow
+
+Saat staff non-programmer prompt kamu:
+
+1. Baca prompt, identify TASK ID (e.g., `TASK-101`)
+2. Kalau prompt vague, tanya 1-2 clarifying question (max 2!)
+3. Cek `@<project>/shared` types yang relevan untuk endpoint yang dipakai
+4. Bikin/edit komponen + page
+5. Call API via fetch ke backend URL (`NEXT_PUBLIC_API_URL` env var)
+6. Test di localhost (`npm run dev`)
+7. Open PR ke `main`, kasih link preview Vercel ke staff
+8. Tunggu approval owner sebelum merge
+
+## API URL
+
+```ts
+const API_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3001'
+```
+
+- Local dev: `http://localhost:3001` (backend dev server)
+- Staging: `https://api-staging.<project>.id`
+- Production: `https://api.<project>.id`
+
+## Style Guide
+
+- Format: Prettier auto, no manual semicolon decisions
+- Naming: `camelCase` untuk function, `PascalCase` untuk Component
+- File: `kebab-case` untuk page route, `PascalCase` untuk component file
+- Komentar: minimal, hanya kalau non-obvious (kenapa, bukan apa)
+- Komponen: prefer functional component + hooks, hindari class component
+- State: lokal pakai `useState`, server state pakai React Query
+
+## Tools
+
+- Storybook: `npm run storybook` (UI dev tanpa app context)
+- Vitest: `npm test` (unit test komponen)
+- Playwright: `npm run e2e` (end-to-end di staging)
+- Vercel preview: per PR auto-deploy, link auto-comment di PR
+
+## Project-Specific Rules
+
+<!-- Owner: tambahkan rules spesifik project di sini -->
+<!-- Contoh: design tokens, brand color, accessibility level, dst. -->
+
+## Session Start Auto-Check (Anti-Stale Context)
+
+Saat AI Claude Code session pertama tiap hari di repo ini, AI WAJIB execute pre-flight check:
+
+### Check 1: @<project>/shared version
+
+```bash
+# Compare local version vs registry latest
+LOCAL=$(node -p "require('./node_modules/@<project>/shared/package.json').version")
+REMOTE=$(npm view @<project>/shared version --registry=https://npm.pkg.github.com 2>/dev/null || echo "?")
+
+if [ "$LOCAL" != "$REMOTE" ]; then
+  echo "⚠️ @<project>/shared outdated: local $LOCAL vs remote $REMOTE"
+  echo "Run: npm install @<project>/shared@latest"
+fi
+```
+
+Action kalau outdated:
+- Suggest npm install ke staff
+- Atau auto-run kalau staff approve
+
+### Check 2: Backend API spec (Swagger)
+
+```bash
+curl -s --max-time 5 https://api-staging.<project>.id/docs/openapi.json > /tmp/api-spec.json 2>/dev/null
+if [ $? -eq 0 ]; then
+  ENDPOINTS=$(jq -r '.paths | keys | length' /tmp/api-spec.json 2>/dev/null)
+  echo "✅ Swagger spec cached: $ENDPOINTS endpoints available"
+else
+  echo "⚠️ Swagger spec unreachable. Frontend AI tidak punya context API terbaru."
+fi
+```
+
+Use spec untuk:
+- Validate API endpoint sebelum suggest fetch
+- Check request/response shape
+- Detect endpoint baru yang belum dipakai
+- Refuse suggest endpoint yang tidak exist (forward escalation ke backend tim)
+
+### Check 3: Discord context (optional)
+
+Kalau ada Discord MCP atau webhook reader configured:
+- Scan #akses-deps channel untuk last 24h
+- Look for backend publish notifications
+- Highlight relevant updates ke staff
+
+### Logging
+
+Output check result di awal response sesi:
+
+```
+[Session pre-flight]
+- @<project>/shared: v1.2.0 ✅ (latest)
+- Swagger API: 47 endpoints cached ✅
+- Last backend publish: 2 hours ago (via Discord)
+Ready untuk task.
+```
+```

package/templates/split-agents/SHARED.md

@@ -0,0 +1,82 @@
+# TEMPLATE: `<project>-shared/AGENTS.md`
+
+> Template ini di-deploy oleh AI saat split repo migration.
+> Customization: replace `<project>` dengan nama project user.
+
+```markdown
+# AGENTS.md - <project>-shared
+
+> Repo ini: TypeScript types + Zod schemas saja. No logic.
+> Audience AI: Owner + backend delegate (saat publish version baru).
+> Staff frontend = READ-ONLY (mereka cuma install sebagai npm dep).
+
+## Scope Kamu (AI)
+
+Kamu di repo `<project>-shared`. Kamu BOLEH:
+- Tambah/update TypeScript type definitions
+- Tambah/update Zod validation schemas
+- Update version di `package.json` saat ada change
+- Update `README.md` dengan example usage
+
+Kamu TIDAK BOLEH:
+- Implement actual logic (cuma type signatures + schemas)
+- Import package eksternal selain Zod + TypeScript native
+- Side effect (no fetch, no DB, no file I/O, no env access)
+- Bikin React component (itu domain frontend)
+- Bikin Prisma model (itu domain backend)
+
+## Stack
+- TypeScript strict mode
+- Zod untuk runtime validation
+- `tsup` atau `rollup` untuk build (output dual ESM + CJS)
+- npm publish atau GitHub Packages (private)
+
+## Workflow Update
+
+Saat update:
+
+1. Edit `src/types/` atau `src/schemas/`
+2. Run `npm run build` -> `dist/` ter-generate
+3. Run `npm test` -> pastikan schema parse contoh data dengan benar
+4. Bump version di `package.json` (semantic versioning, lihat rules bawah)
+5. Tag git: `git tag v1.X.Y`
+6. Push tag -> GitHub Actions auto-publish ke npm/GitHub Packages
+7. Notify backend + frontend tim: `@<project>/shared v1.X.Y published`
+8. Backend + frontend update dep version di `package.json` mereka
+
+## Versioning Rules (Semver)
+
+- `patch` (1.0.X): bug fix di type definition, no breaking, no rename
+- `minor` (1.X.0): tambah type baru, backward compatible (existing field tetap)
+- `major` (X.0.0): breaking change (rename field, hapus type, ubah enum)
+  - HARUS coordinate dengan tim sebelum publish
+  - HARUS ada migration note di `CHANGELOG.md`
+
+## Output Structure
+
+```
+dist/
+  index.js          <- compiled JS (CJS)
+  index.mjs         <- compiled JS (ESM)
+  index.d.ts        <- TypeScript definition (yang frontend AI baca)
+  schemas/
+    user.js
+    user.d.ts
+  types/
+    api.d.ts
+```
+
+## Folder Convention
+
+```
+src/
+  index.ts          <- barrel export semua type & schema
+  types/            <- pure TypeScript type (interface, type alias)
+  schemas/          <- Zod schema (runtime validatable)
+  utils/            <- type guard, helper type (no runtime logic)
+```
+
+## Project-Specific Rules
+
+<!-- Owner: tambahkan rules spesifik project di sini -->
+```

package/templates/split-agents/TOOLS.md

@@ -0,0 +1,77 @@
+> ⚠️ OPT-IN: File ini hanya dipakai kalau team >20 staff, compliance audit, ATAU kalau pakai 4-repo split (Backend Staff men-jalankan admin scripts dari repo terpisah). Untuk team kecil-sedang dengan 3-repo split default, admin scripts cukup di `<project>-backend/scripts/` (Backend Staff + owner access).
+>
+> Audience: owner + Backend Staff (2 orang) saat 4-repo split aktif. Frontend Staff TIDAK punya akses.
+
+# TEMPLATE: `<project>-tools/AGENTS.md`
+
+> Template ini di-deploy oleh AI saat split repo migration.
+> Customization: replace `<project>` dengan nama project user.
+
+```markdown
+# AGENTS.md - <project>-tools
+
+> Repo ini: Admin scripts, sync tools, migration helpers.
+> Audience AI: Owner ONLY.
+> Staff TIDAK punya akses (repo private, owner-only access).
+
+## Scope Kamu (AI)
+
+Kamu di repo `<project>-tools`. Kamu BOLEH:
+- Bikin script CLI untuk admin tasks
+- Bikin sync script (prod -> staging dengan PII redact)
+- Bikin migration helpers (wrapper di atas `prisma migrate`)
+- Bikin one-time scripts (backfill data, cleanup, dst.)
+- Akses credential owner via `scripts/.env.owner`
+- Akses Supabase MCP untuk owner-level ops
+
+Kamu TIDAK BOLEH:
+- Commit credential ke git (cek `.gitignore` sebelum stage)
+- Jalankan script destructive ke prod tanpa konfirmasi owner eksplisit
+- Print password / secret ke stdout / log file
+- Share script ini ke repo lain (scope owner-only)
+
+## Stack
+- Node.js (ESM, `"type": "module"` di `package.json`)
+- `pg` untuk direct DB access (saat butuh raw SQL di luar Prisma)
+- `@faker-js/faker` untuk generate demo data
+- `dotenv-cli` untuk env management
+- `commander` atau `yargs` untuk CLI argument parsing
+
+## Scripts Library
+
+```
+scripts/
+  sync-prod-to-staging.mjs    <- PII redacted sample sync
+  backup-prod.mjs             <- Snapshot via pg_dump
+  migrate-deploy-prod.mjs     <- Wrapped `prisma migrate deploy`
+  audit-staff-access.mjs      <- Check Supabase user activity log
+  rotate-secrets.mjs          <- Helper rotate API key + push ke Vercel
+  cleanup-orphan-records.mjs  <- One-time cleanup utility
+```
+
+## Security
+
+- Owner credential CUMA di laptop owner (jangan upload ke server shared)
+- `scripts/.env.owner` WAJIB gitignored, JANGAN commit
+- Output log: mask password di `DATABASE_URL` (regex replace sebelum print)
+- Audit log: tiap script run, append ke `logs/owner-actions.log`
+  - Format: `<ISO timestamp> | <script name> | <args summary> | <exit code>`
+- Saat clone repo di laptop baru, fetch `.env.owner` dari password manager (1Password / Bitwarden)
+
+## Workflow
+
+Saat owner prompt untuk bikin script baru:
+
+1. Identifikasi: ini one-time atau reusable?
+2. Kalau one-time: simpan di `scripts/oneoffs/<date>-<desc>.mjs`
+3. Kalau reusable: simpan di `scripts/` dengan `--help` flag + `README.md` entry
+4. WAJIB confirm step sebelum eksekusi destructive op:
+   ```js
+   await confirm('Are you sure? This will delete X rows. [y/N]')
+   ```
+5. WAJIB dry-run mode (`--dry-run` flag) untuk script yang ubah data
+
+## Project-Specific Rules
+
+<!-- Owner: tambahkan rules spesifik project di sini -->
+```

package/tests/Run-Tests.ps1

@@ -0,0 +1,19 @@
+#Requires -Module Pester
+
+$ErrorActionPreference = 'Stop'
+
+# Install Pester kalau belum
+if (-not (Get-Module -ListAvailable -Name Pester | Where-Object { $_.Version.Major -ge 5 })) {
+    Write-Host "Installing Pester 5.x..."
+    Install-Module -Name Pester -MinimumVersion 5.0 -Force -SkipPublisherCheck -Scope CurrentUser
+}
+
+Import-Module Pester -MinimumVersion 5.0
+
+$testsDir = $PSScriptRoot
+$config = New-PesterConfiguration
+$config.Run.Path = $testsDir
+$config.Output.Verbosity = 'Detailed'
+$config.Run.Exit = $true
+
+Invoke-Pester -Configuration $config

package/tests/lib-safety.Tests.ps1

@@ -0,0 +1,66 @@
+#Requires -Module Pester
+
+BeforeAll {
+    $libPath = Join-Path $PSScriptRoot '..\lib\safety.ps1'
+    . $libPath
+    Initialize-SafeProjectPath -ProjectRoot 'C:\test-project'
+}
+
+Describe "Resolve-SafeProjectPath" {
+    It "Should resolve valid relative path" {
+        $result = Resolve-SafeProjectPath -RelativePath 'src/app.ts'
+        $result | Should -Not -BeNullOrEmpty
+        $result | Should -Match 'C:\\test-project'
+    }
+
+    It "Should REJECT absolute path outside project" {
+        { Resolve-SafeProjectPath -RelativePath 'C:\Windows\system32' } | Should -Throw
+    }
+
+    It "Should REJECT path traversal via ..\" {
+        { Resolve-SafeProjectPath -RelativePath '..\..\evil.txt' } | Should -Throw
+    }
+
+    It "Should REJECT prefix collision (proj vs proj-evil)" {
+        Initialize-SafeProjectPath -ProjectRoot 'C:\proj'
+        { Resolve-SafeProjectPath -RelativePath '..\proj-evil\file.txt' } | Should -Throw
+    }
+
+    It "Should handle nested valid path" {
+        # Re-init: test sebelumnya (prefix collision) ganti root ke C:\proj — reset balik.
+        Initialize-SafeProjectPath -ProjectRoot 'C:\test-project'
+        $result = Resolve-SafeProjectPath -RelativePath 'src/lib/utils/format.ts'
+        $result | Should -Match 'C:\\test-project\\src\\lib\\utils'
+    }
+}
+
+Describe "Test-PathHasReparsePoint" {
+    It "Returns false for regular file" {
+        $tempFile = Join-Path $env:TEMP "test-regular-$(Get-Random).txt"
+        Set-Content -Path $tempFile -Value "test" -Force
+        try {
+            Test-PathHasReparsePoint -FullPath $tempFile | Should -BeFalse
+        } finally {
+            Remove-Item -Force $tempFile -ErrorAction SilentlyContinue
+        }
+    }
+
+    It "Handles non-existent path gracefully" {
+        Test-PathHasReparsePoint -FullPath "C:\does-not-exist-$(Get-Random)" | Should -BeFalse
+    }
+}
+
+Describe "Get-FileSha256" {
+    It "Computes correct sha256" {
+        $tempFile = Join-Path $env:TEMP "test-sha-$(Get-Random).txt"
+        # Pakai WriteAllBytes raw supaya tidak ada BOM (PS 5.1 Set-Content -Encoding UTF8 nulis BOM).
+        # Expected hash "2cf24dba..." = SHA-256 dari ASCII "hello" persis (5 byte).
+        [System.IO.File]::WriteAllBytes($tempFile, [System.Text.Encoding]::ASCII.GetBytes("hello"))
+        try {
+            $hash = Get-FileSha256 -FilePath $tempFile
+            $hash | Should -Be "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
+        } finally {
+            Remove-Item -Force $tempFile -ErrorAction SilentlyContinue
+        }
+    }
+}

package/tests/rollback.Tests.ps1

@@ -0,0 +1,66 @@
+#Requires -Module Pester
+
+BeforeAll {
+    $libPath = Join-Path $PSScriptRoot '..\lib\rollback.ps1'
+    . $libPath
+}
+
+Describe "rollback.ps1 graceful no-op" {
+    It "Invoke-Rollback function exists" {
+        Get-Command Invoke-Rollback -ErrorAction SilentlyContinue | Should -Not -BeNullOrEmpty
+    }
+
+    It "Get-RollbackPreview function exists" {
+        Get-Command Get-RollbackPreview -ErrorAction SilentlyContinue | Should -Not -BeNullOrEmpty
+    }
+
+    It "Returns no-manifest status when manifest tidak ada" {
+        $tempRoot = Join-Path $env:TEMP "rollback-test-nomanifest-$(Get-Random)"
+        New-Item -ItemType Directory -Path $tempRoot -Force | Out-Null
+        try {
+            $result = Invoke-Rollback -ProjectRoot $tempRoot -Force
+            $result.status | Should -Be 'no-manifest'
+            $result.restored | Should -Be 0
+            $result.skipped | Should -Be 0
+        } finally {
+            Remove-Item -Recurse -Force $tempRoot -ErrorAction SilentlyContinue
+        }
+    }
+
+    It "Should NOT throw saat no-manifest" {
+        $tempRoot = Join-Path $env:TEMP "rollback-test-nothrow-$(Get-Random)"
+        New-Item -ItemType Directory -Path $tempRoot -Force | Out-Null
+        try {
+            { Invoke-Rollback -ProjectRoot $tempRoot -Force } | Should -Not -Throw
+        } finally {
+            Remove-Item -Recurse -Force $tempRoot -ErrorAction SilentlyContinue
+        }
+    }
+}
+
+Describe "Find-ManifestPath multi-location probe" {
+    It "Returns null when no manifest" {
+        $tempRoot = Join-Path $env:TEMP "find-manifest-null-$(Get-Random)"
+        New-Item -ItemType Directory -Path $tempRoot -Force | Out-Null
+        try {
+            $result = Find-ManifestPath -ProjectRoot $tempRoot
+            $result | Should -BeNullOrEmpty
+        } finally {
+            Remove-Item -Recurse -Force $tempRoot -ErrorAction SilentlyContinue
+        }
+    }
+
+    It "Finds manifest at project root" {
+        $tempRoot = Join-Path $env:TEMP "find-manifest-root-$(Get-Random)"
+        New-Item -ItemType Directory -Path $tempRoot -Force | Out-Null
+        try {
+            $manifestPath = Join-Path $tempRoot '.install-manifest.json'
+            Set-Content -Path $manifestPath -Value '{"files":[]}' -Encoding UTF8 -Force
+            $result = Find-ManifestPath -ProjectRoot $tempRoot
+            $result | Should -Not -BeNullOrEmpty
+            $result | Should -Be $manifestPath
+        } finally {
+            Remove-Item -Recurse -Force $tempRoot -ErrorAction SilentlyContinue
+        }
+    }
+}