@paulduvall/claude-dev-toolkit 0.0.1-alpha.2 → 0.0.1-alpha.21

package/commands/experiments/xpolicy.md

@@ -0,0 +1,115 @@
+---
+description: Generate, validate, and test IAM policies with automated policy creation and best practices enforcement
+tags: [iam, security, policies, aws, compliance, validation]
+---
+
+Manage IAM policies and security configurations based on the arguments provided in $ARGUMENTS.
+
+First, examine the current AWS and IAM setup:
+!find . -name "*.tf" -o -name "*.yml" -o -name "*.yaml" | xargs grep -l "iam\|IAM" 2>/dev/null | head -5
+!ls -la iam/ policies/ security/ terraform/ 2>/dev/null | head -3
+!which aws 2>/dev/null && aws --version || echo "AWS CLI not available"
+!aws sts get-caller-identity 2>/dev/null || echo "AWS credentials not configured"
+
+Based on $ARGUMENTS, perform the appropriate IAM policy operation:
+
+## 1. Policy Generation
+
+If generating IAM policies (--generate, --service, --resource, --template):
+!find . -name "*.json" | xargs grep -l "Version.*2012-10-17" 2>/dev/null | head -5
+!aws iam list-roles --max-items 5 2>/dev/null || echo "IAM access not available"
+!find . -name "*.tf" | xargs grep -l "aws_iam" 2>/dev/null | head -3
+
+Generate IAM policies:
+- Role-specific policy generation
+- Service-based policy templates
+- Resource-scoped policy creation
+- Custom policy from specifications
+- Template-based policy generation
+
+## 2. Policy Validation
+
+If validating policies (--validate, --lint, --syntax-check, --compliance):
+!find . -name "*.json" -o -name "*.yml" -o -name "*.yaml" | head -10
+!python -c "import json; print('JSON validation available')" 2>/dev/null || echo "Python JSON not available"
+!which jq 2>/dev/null && echo "jq available for JSON processing" || echo "jq not available"
+
+Validate policy configurations:
+- JSON/YAML syntax validation
+- Policy logic and structure checking
+- Best practice compliance validation
+- Security vulnerability detection
+- Regulatory compliance assessment
+
+## 3. Policy Testing and Simulation
+
+If testing policies (--test, --simulate, --dry-run, --permissions-test):
+!aws iam simulate-principal-policy --help 2>/dev/null | head -1 || echo "AWS IAM simulation not available"
+!find . -name "*test*" | grep -i iam | head -3 2>/dev/null
+!python -c "import boto3; print('AWS SDK available')" 2>/dev/null || echo "AWS SDK not available"
+
+Test policy functionality:
+- Policy simulation and evaluation
+- Permission testing and verification
+- Access control validation
+- Scenario-based testing
+- Integration testing with AWS services
+
+## 4. Policy Analysis and Security
+
+If analyzing policies (--analyze, --permissions, --vulnerabilities, --least-privilege):
+!grep -r "\*" . --include="*.json" | grep -i "action\|resource" | head -5 2>/dev/null
+!aws iam get-account-authorization-details 2>/dev/null | head -10 || echo "IAM account details not accessible"
+!pip list | grep -E "(boto3|botocore)" 2>/dev/null || echo "AWS Python SDK not installed"
+
+Analyze security posture:
+- Permission scope and effectiveness analysis
+- Overprivileged policy identification
+- Least privilege compliance checking
+- Security vulnerability assessment
+- Policy optimization recommendations
+
+## 5. Policy Management and Deployment
+
+If managing policies (--deploy, --attach, --version, --rollback):
+!aws iam list-policies --scope Local --max-items 5 2>/dev/null || echo "IAM policy listing not available"
+!find . -name "*.tf" | xargs grep -l "aws_iam_policy" 2>/dev/null | head -3
+!ls -la terraform/ cloudformation/ iac/ 2>/dev/null | head -3
+
+Manage policy lifecycle:
+- Policy deployment and attachment
+- Version control and rollback
+- Policy lifecycle management
+- Automated policy updates
+- Compliance monitoring and reporting
+
+Think step by step about IAM policy requirements and provide:
+
+1. **Security Assessment**:
+   - Current IAM policy configuration review
+   - Permission scope and access analysis
+   - Security vulnerability identification
+   - Compliance gap assessment
+
+2. **Policy Strategy**:
+   - Least privilege principle implementation
+   - Role-based access control design
+   - Resource-specific permission scoping
+   - Conditional access policy creation
+
+3. **Implementation Plan**:
+   - Policy generation and validation
+   - Testing and simulation framework
+   - Deployment and rollback procedures
+   - Monitoring and compliance tracking
+
+4. **Security Optimization**:
+   - Policy optimization recommendations
+   - Security hardening measures
+   - Compliance alignment strategies
+   - Continuous security improvement
+
+Generate comprehensive IAM policy management with security validation, compliance checking, testing framework, and deployment automation.
+
+If no specific operation is provided, perform IAM security assessment and recommend policy improvements based on current configuration and security best practices.
+

package/commands/experiments/xproduct.md

@@ -0,0 +1,98 @@
+---
+description: Product management and strategic planning tools for feature development and product lifecycle management
+tags: [product-management, strategy, backlog, features, roadmap, metrics]
+---
+
+# `/xproduct` - Product Management & Strategy
+
+Product management and strategic planning tools for feature development and product lifecycle management.
+
+## Usage
+
+```bash
+/xproduct --backlog           # Manage product backlog with priorities
+/xproduct --stories           # Create and manage user stories
+/xproduct --features          # Feature flag management
+/xproduct --feedback          # Integrate user feedback
+/xproduct --metrics           # Track product KPIs
+/xproduct --roadmap           # Product roadmap planning
+```
+
+## Options
+
+### `--backlog`
+Manage and prioritize product backlog items.
+
+**Examples:**
+```bash
+/xproduct --backlog           # View current backlog
+/xproduct --backlog --add "User authentication feature"
+/xproduct --backlog --prioritize high
+/xproduct --backlog --estimate
+```
+
+### `--stories`
+Create and manage user stories with acceptance criteria.
+
+**Examples:**
+```bash
+/xproduct --stories           # List all user stories
+/xproduct --stories --create "As a user, I want to..."
+/xproduct --stories --template
+/xproduct --stories --acceptance
+```
+
+### `--features`
+Manage feature flags and feature rollouts.
+
+**Examples:**
+```bash
+/xproduct --features          # List all feature flags
+/xproduct --features --create "new-dashboard"
+/xproduct --features --toggle "beta-feature"
+/xproduct --features --rollout 25
+```
+
+### `--feedback`
+Integrate and analyze user feedback.
+
+**Examples:**
+```bash
+/xproduct --feedback          # View feedback summary
+/xproduct --feedback --collect
+/xproduct --feedback --analyze
+/xproduct --feedback --prioritize
+```
+
+### `--metrics`
+Track and analyze product KPIs and metrics.
+
+**Examples:**
+```bash
+/xproduct --metrics           # View metrics dashboard
+/xproduct --metrics --kpi "user-retention"
+/xproduct --metrics --funnel "conversion"
+/xproduct --metrics --cohort
+```
+
+### `--roadmap`
+Create and manage product roadmaps.
+
+**Examples:**
+```bash
+/xproduct --roadmap           # View current roadmap
+/xproduct --roadmap --quarter Q1
+/xproduct --roadmap --milestone "v2.0"
+/xproduct --roadmap --dependencies
+```
+
+## Integration
+
+- **Specifications**: Links user stories to SpecDriven AI requirements
+- **Testing**: Integrates with `/xtest` for feature validation
+- **Analytics**: Works with `/xanalytics` for product insights
+- **Planning**: Coordinates with `/xplanning` for development planning
+
+## Output
+
+Product management artifacts, roadmaps, user stories, and KPI reports.

package/commands/experiments/xreadiness.md

@@ -0,0 +1,75 @@
+# xreadiness - AI Development Readiness
+
+Assess and improve AI development readiness across team, process, and technical dimensions.
+
+## Usage
+
+```bash
+/xreadiness --assess             # Run comprehensive readiness assessment
+/xreadiness --baseline           # Establish baseline metrics
+/xreadiness --capabilities       # Assess AI development capabilities
+/xreadiness --gaps               # Identify readiness gaps
+/xreadiness --report             # Generate readiness report
+```
+
+## Examples
+
+```bash
+# Run full AI readiness assessment
+/xreadiness --assess
+
+# Establish baseline measurements
+/xreadiness --baseline
+
+# Evaluate current AI capabilities
+/xreadiness --capabilities
+
+# Identify improvement gaps
+/xreadiness --gaps
+
+# Generate executive readiness report
+/xreadiness --report
+```
+
+## Expected Outputs
+
+- **assess**: Readiness score (0-100) with specific improvement areas identified
+- **baseline**: Baseline measurements for future comparison and progress tracking
+- **capabilities**: Capability matrix showing strengths and development needs
+- **gaps**: Prioritized list of gaps with remediation recommendations
+- **report**: Executive summary with roadmap for AI readiness improvement
+
+## Readiness Dimensions
+
+### Technical Readiness
+- SpecDriven AI implementation maturity
+- Test automation and CI/CD pipeline quality
+- Code quality and architectural compliance
+- Security and compliance posture
+
+### Process Readiness
+- TDD adoption and discipline
+- Specification management practices
+- Development workflow optimization
+- Quality assurance processes
+
+### Team Readiness
+- AI development skills and training
+- Tool proficiency and adoption
+- Collaboration and knowledge sharing
+- Change management capability
+
+## Readiness Levels
+
+- **Level 1 (0-20)**: Basic - Ad-hoc development, minimal AI integration
+- **Level 2 (21-40)**: Repeatable - Some AI practices, inconsistent application
+- **Level 3 (41-60)**: Defined - Established AI processes, growing adoption
+- **Level 4 (61-80)**: Managed - Mature AI practices, metrics-driven improvement
+- **Level 5 (81-100)**: Optimizing - Advanced AI integration, continuous innovation
+
+## Integration
+
+- Works with `/xmaturity` for development maturity assessment
+- Integrates with `/xspec` for SpecDriven AI methodology tracking
+- Supports `/xobservable` for readiness metrics monitoring
+- Links to `/xplanning` for readiness improvement roadmaps

package/commands/experiments/xred.md

@@ -0,0 +1,55 @@
+---
+description: Write failing tests first following TDD Red phase principles with specification traceability
+tags: [tdd, testing, red-phase, specifications, traceability]
+---
+
+# /xred — Write Failing Tests First
+
+Write failing tests for specifications following TDD Red phase principles.
+
+Think step by step:
+1. Check for SpecDriven AI project structure (specs/ directory)
+2. Validate specification existence when using --spec option
+3. Create failing tests with proper traceability to specifications
+4. Verify tests fail for the right reason before proceeding
+
+## Usage
+
+```bash
+/xred --spec <spec-id>       # Create test for specific requirement
+/xred --component <name>     # Create test for new component
+```
+
+## Implementation Steps
+
+When creating failing tests:
+
+1. **For specification-based tests (--spec)**:
+   - Check if SpecDriven AI project structure exists (specs/ directory)
+   - If not found, suggest running `!xsetup --env` to initialize
+   - Validate that the specified requirement exists in @specs/specifications/
+   - Read specification content to understand requirements
+   - Create or update test file with failing test linked to specification
+   - Verify test fails for correct reason (not due to syntax errors)
+
+2. **For component tests (--component)**:
+   - Create basic test structure for new component
+   - Include import test and basic functionality test
+   - Ensure tests fail initially to satisfy TDD Red phase
+   - Provide guidance for next steps in TDD cycle
+
+3. **Error handling**:
+   - Validate all required arguments are provided
+   - Check for existing tests to avoid duplicates
+   - Ensure proper test file structure and naming conventions
+   - Verify Python test execution environment is available
+
+## Expected Outputs
+
+- Test files in specs/tests/ directory with proper structure
+- Failing tests that guide implementation requirements
+- Clear traceability between tests and specifications
+- Verification that tests fail for the right reasons
+- Guidance for next steps in TDD workflow
+
+Use $ARGUMENTS to handle command-line parameters and `!` prefix for any system commands needed for test execution verification.

package/commands/experiments/xrisk.md

@@ -0,0 +1,128 @@
+---
+description: Comprehensive risk assessment and mitigation across technical, security, and operational domains
+tags: [risk, assessment, mitigation, security, operations, compliance, monitoring]
+---
+
+Identify, assess, and mitigate project risks based on the arguments provided in $ARGUMENTS.
+
+First, examine the project environment for risk indicators:
+!find . -name "*.log" | head -5 2>/dev/null || echo "No log files found"
+!git log --grep="fix\|bug\|error" --oneline | head -10 2>/dev/null || echo "No error patterns in git history"
+!find . -name "requirements.txt" -o -name "package.json" -o -name "go.mod" | head -3
+
+Based on $ARGUMENTS, perform the appropriate risk assessment operation:
+
+## 1. Risk Assessment and Identification
+
+If assessing risks (--assess, --identify):
+!find . -name "*.py" -o -name "*.js" -o -name "*.ts" | wc -l
+!grep -r "TODO\|FIXME\|HACK" . --include="*.py" --include="*.js" | wc -l 2>/dev/null || echo "0"
+!docker --version 2>/dev/null || echo "Docker not available"
+
+Identify and assess project risks:
+- Analyze codebase for technical debt indicators
+- Scan for security vulnerabilities and exposures
+- Evaluate architectural and design risks
+- Assess operational and process risks
+- Identify compliance and regulatory risks
+
+## 2. Technical Risk Analysis
+
+If analyzing technical risks (--technical):
+!find . -name "*.py" -exec grep -l "eval\|exec\|pickle" {} \; 2>/dev/null | head -5
+!find . -name "package-lock.json" -o -name "requirements.txt" | head -2
+!grep -r "password\|secret\|key" . --include="*.py" --include="*.js" | grep -v test | head -5 2>/dev/null
+
+Analyze technical risk factors:
+- Code quality and maintainability issues
+- Dependency vulnerabilities and outdated packages
+- Architecture scalability limitations
+- Performance bottlenecks and resource constraints
+- Integration complexity and failure points
+
+## 3. Security Risk Assessment
+
+If assessing security risks (--security):
+!find . -name "*.py" -exec grep -l "subprocess\|os\.system\|shell=True" {} \; 2>/dev/null | head -5
+!npm audit --audit-level high 2>/dev/null || python -m safety check 2>/dev/null || echo "No security scanners available"
+!find . -name ".env*" -o -name "*secret*" -o -name "*key*" | head -5
+
+Evaluate security risk exposure:
+- Authentication and authorization vulnerabilities
+- Data protection and privacy compliance gaps
+- Input validation and injection attack vectors
+- Dependency security vulnerabilities
+- Infrastructure and deployment security risks
+
+## 4. Operational Risk Evaluation
+
+If evaluating operational risks (--operational):
+!find . -name "Dockerfile" -o -name "docker-compose.yml" | head -3
+!ls -la .github/workflows/ 2>/dev/null || echo "No CI/CD workflows found"
+!find . -name "*backup*" -o -name "*disaster*" | head -3 2>/dev/null
+
+Assess operational risk factors:
+- Deployment and release process risks
+- Infrastructure and service dependencies
+- Monitoring and alerting coverage gaps
+- Backup and recovery procedure adequacy
+- Team knowledge and key person dependencies
+
+## 5. Risk Mitigation Planning
+
+If planning mitigation (--mitigate, --contingency):
+!find . -name "*test*" | wc -l
+!git log --since="30 days ago" --grep="fix\|patch" --oneline | wc -l 2>/dev/null || echo "0"
+!find . -name "*monitor*" -o -name "*alert*" | head -3
+
+Develop risk mitigation strategies:
+- Preventive measures and controls
+- Detection and monitoring capabilities
+- Response and recovery procedures
+- Risk transfer and insurance options
+- Contingency planning and alternatives
+
+## 6. Risk Monitoring and Tracking
+
+If monitoring risks (--monitor, --track):
+!ps aux | grep -E "(monitor|alert)" | head -3
+!find . -name "*.log" -newer +7 2>/dev/null | head -5
+!uptime
+
+Monitor and track risk indicators:
+- Automated risk detection and alerting
+- Key risk indicator (KRI) monitoring
+- Trend analysis and pattern recognition
+- Risk register updates and maintenance
+- Stakeholder reporting and communication
+
+Think step by step about risk management requirements and provide:
+
+1. **Risk Identification and Assessment**:
+   - Technical debt and code quality risks
+   - Security vulnerabilities and compliance gaps
+   - Operational process and infrastructure risks
+   - Business and market risks
+
+2. **Risk Analysis and Prioritization**:
+   - Risk probability and impact evaluation
+   - Risk interdependencies and cascading effects
+   - Risk timeline and maturation analysis
+   - Cost-benefit analysis of mitigation options
+
+3. **Mitigation Strategy Development**:
+   - Preventive controls and safeguards
+   - Detective monitoring and alerting
+   - Response procedures and recovery plans
+   - Risk transfer and acceptance decisions
+
+4. **Risk Monitoring and Reporting**:
+   - Key risk indicator tracking
+   - Risk register maintenance
+   - Stakeholder communication
+   - Continuous risk assessment updates
+
+Generate comprehensive risk assessment with prioritized mitigation strategies, monitoring procedures, and stakeholder reporting.
+
+If no specific operation is provided, perform comprehensive risk scan and provide prioritized risk assessment with immediate action recommendations.
+

package/commands/experiments/xrules.md

@@ -0,0 +1,124 @@
+# `/xrules` - Rules as Code
+
+Define, validate, and enforce development rules and coding standards as executable code.
+
+## Usage
+
+```bash
+/xrules --define <rule>      # Define new rule
+/xrules --validate           # Check compliance
+/xrules --enforce            # Apply rules
+/xrules --report             # Generate report
+/xrules --update <rule>      # Update rule
+```
+
+## Options
+
+### `--define <rule>`
+Define a new development rule with enforcement criteria.
+
+**Examples:**
+```bash
+/xrules --define "max-function-length"
+/xrules --define "naming-conventions"
+/xrules --define "security-standards"
+/xrules --define "test-coverage-minimum"
+```
+
+### `--validate`
+Check compliance against all defined rules.
+
+**Examples:**
+```bash
+/xrules --validate           # Check all rules
+/xrules --validate --rule "max-function-length"
+/xrules --validate --component auth
+/xrules --validate --severity critical
+```
+
+### `--enforce`
+Apply rules and automatically fix violations where possible.
+
+**Examples:**
+```bash
+/xrules --enforce            # Enforce all rules
+/xrules --enforce --rule "formatting"
+/xrules --enforce --auto-fix
+/xrules --enforce --dry-run
+```
+
+### `--report`
+Generate compliance reports and rule violation summaries.
+
+**Examples:**
+```bash
+/xrules --report             # Full compliance report
+/xrules --report --rule "security-standards"
+/xrules --report --format json
+/xrules --report --trend
+```
+
+### `--update <rule>`
+Update existing rule definitions and enforcement criteria.
+
+**Examples:**
+```bash
+/xrules --update "max-function-length"
+/xrules --update --threshold 50
+/xrules --update --severity warning
+/xrules --update --exception "legacy-code"
+```
+
+## Common Rules
+
+### Code Quality Rules
+- **max-function-length**: Limit function length to promote readability
+- **cyclomatic-complexity**: Control code complexity metrics
+- **naming-conventions**: Enforce consistent naming patterns
+- **documentation-required**: Require documentation for public APIs
+
+### Security Rules
+- **no-hardcoded-secrets**: Prevent credential exposure
+- **dependency-security**: Check for vulnerable dependencies
+- **input-validation**: Ensure proper input sanitization
+- **authentication-required**: Enforce authentication patterns
+
+### Testing Rules
+- **test-coverage-minimum**: Require minimum test coverage percentage
+- **test-naming**: Enforce test naming conventions
+- **specification-traceability**: Ensure tests link to specifications
+- **mock-usage**: Control test isolation and mocking
+
+### Architecture Rules
+- **layer-dependencies**: Enforce architectural boundaries
+- **module-coupling**: Limit coupling between modules
+- **design-patterns**: Enforce specific design patterns
+- **api-versioning**: Ensure proper API versioning
+
+## Integration
+
+- **Quality**: Works with `/xquality` for automated enforcement
+- **Testing**: Integrates with `/xtest` for test rule validation
+- **Security**: Coordinates with `/xsecurity` for security rules
+- **Specifications**: Links to `/xspec` for traceability rules
+- **Governance**: Supports `/xgovernance` compliance workflows
+
+## Rule Definition Format
+
+```yaml
+rule:
+  name: "max-function-length"
+  description: "Functions should not exceed 50 lines"
+  severity: "warning"
+  enforcement: "automatic"
+  criteria:
+    max_lines: 50
+    exclude_patterns:
+      - "test_*"
+      - "*_fixture"
+  remediation: "Consider breaking large functions into smaller ones"
+```
+
+## Output
+
+Rule compliance reports, violation summaries, and automated fixes.