@react-vault/create-app 0.1.0

package/claude-toolkit/skills/bfsi-feature/scripts/scaffold.mjs

@@ -0,0 +1,136 @@
+#!/usr/bin/env node
+/**
+ * BFSI feature scaffolder.
+ *
+ * Reads templates from references/templates/ and writes a complete feature module.
+ *
+ * Usage: node scaffold.mjs <FeatureName> --variant=rtk|tanstack [--no-i18n]
+ */
+import { argv, exit, cwd } from 'node:process';
+import { mkdir, readFile, writeFile, access } from 'node:fs/promises';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const TEMPLATES_DIR = join(__dirname, '..', 'references', 'templates');
+
+const log = (msg) => console.error(`[bfsi-feature] ${msg}`);
+const die = (msg) => {
+  log(`error: ${msg}`);
+  exit(2);
+};
+
+function parseArgs(args) {
+  const positional = args.filter((a) => !a.startsWith('--'));
+  const flags = Object.fromEntries(
+    args
+      .filter((a) => a.startsWith('--'))
+      .map((a) => {
+        const [k, v = 'true'] = a.replace(/^--/, '').split('=');
+        return [k, v];
+      }),
+  );
+  return { positional, flags };
+}
+
+function toKebab(s) {
+  return s.replace(/([a-z])([A-Z])/g, '$1-$2').toLowerCase();
+}
+
+async function exists(p) {
+  try {
+    await access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function render(templateName, vars) {
+  const tplPath = join(TEMPLATES_DIR, templateName);
+  if (!(await exists(tplPath))) {
+    log(`warning: template missing: ${templateName} (skipping)`);
+    return null;
+  }
+  let content = await readFile(tplPath, 'utf8');
+  for (const [k, v] of Object.entries(vars)) {
+    content = content.replaceAll(`{{${k}}}`, v);
+  }
+  return content;
+}
+
+async function writeIfTemplate(templateName, dest, vars) {
+  const content = await render(templateName, vars);
+  if (content === null) return false;
+  await mkdir(dirname(dest), { recursive: true });
+  await writeFile(dest, content, 'utf8');
+  log(`wrote ${dest}`);
+  return true;
+}
+
+async function main() {
+  const { positional, flags } = parseArgs(argv.slice(2));
+  const Name = positional[0];
+
+  if (!Name) die('feature name is required');
+  if (!/^[A-Z][A-Za-z0-9]+$/.test(Name)) die('feature name must be PascalCase');
+
+  const variant = flags.variant || 'rtk';
+  if (!['rtk', 'tanstack'].includes(variant)) {
+    die(`unknown variant: ${variant} (expected rtk or tanstack)`);
+  }
+
+  const kebab = toKebab(Name);
+  const root = cwd();
+  const featureDir = join(root, 'src', 'features', Name);
+
+  if (await exists(featureDir)) {
+    die(`feature directory already exists: ${featureDir}`);
+  }
+
+  const vars = {
+    Name,
+    name: Name.charAt(0).toLowerCase() + Name.slice(1),
+    kebab,
+    NAME: Name.toUpperCase(),
+  };
+
+  // Generate files (templates may not all exist yet — that's OK in v0.1)
+  const apiTemplate = variant === 'rtk' ? 'api.rtk.ts.tpl' : 'api.tanstack.ts.tpl';
+  await writeIfTemplate(apiTemplate, join(featureDir, 'api.ts'), vars);
+  await writeIfTemplate('schema.ts.tpl', join(featureDir, 'schema.ts'), vars);
+  await writeIfTemplate('types.ts.tpl', join(featureDir, 'types.ts'), vars);
+  await writeIfTemplate('constants.ts.tpl', join(featureDir, 'constants.ts'), vars);
+  await writeIfTemplate('routes.tsx.tpl', join(featureDir, 'routes.tsx'), vars);
+  await writeIfTemplate('index.ts.tpl', join(featureDir, 'index.ts'), vars);
+  await writeIfTemplate(
+    'containers.list.tsx.tpl',
+    join(featureDir, 'containers', `${Name}List.tsx`),
+    vars,
+  );
+  await writeIfTemplate(
+    'containers.form.tsx.tpl',
+    join(featureDir, 'containers', `${Name}Form.tsx`),
+    vars,
+  );
+  await writeIfTemplate(
+    'components.table.tsx.tpl',
+    join(featureDir, 'components', `${Name}Table.tsx`),
+    vars,
+  );
+  await writeIfTemplate(
+    'tests.schema.test.ts.tpl',
+    join(featureDir, '__tests__', 'schema.test.ts'),
+    vars,
+  );
+
+  log(`done: feature "${Name}" scaffolded under src/features/${Name}/`);
+  log(`variant: ${variant}`);
+  log(`next: pnpm typecheck && pnpm lint --filter ${kebab}`);
+}
+
+main().catch((err) => {
+  log(`unexpected error: ${err.message}`);
+  exit(2);
+});

package/claude-toolkit/skills/bfsi-form/SKILL.md

@@ -0,0 +1,73 @@
+---
+name: bfsi-form
+description: Creates a React Hook Form + Zod form with BFSI-secure defaults (no autocomplete on PII fields, paste prevention on sensitive inputs, audit on submit, error masking). Use when the user types /bfsi-form, asks to "create a form", "add a form to this page", "build a KYC form", or "scaffold a transfer form".
+disable-model-invocation: true
+argument-hint: <FormName> [--fields "name:type,..."]
+allowed-tools: Read Write Edit Glob Grep
+---
+
+# BFSI Form Scaffold
+
+Generates a `react-hook-form` + `zod` form with BFSI-secure defaults wired into shadcn/ui's `<Form>` primitives.
+
+## What it adds
+
+```
+<TargetFile>.tsx
+└── <FormName>Form               # Container component
+    ├── useFormWithZod()         # from @react-vault/ui
+    ├── audit-wrapped onSubmit   # via useAuditedAction
+    ├── PIIMaskedDisplay         # auto-wrap for fields matching PII pattern
+    └── BFSI defaults:
+        ├── autocomplete="off" on PII fields
+        ├── onPaste guards on sensitive inputs
+        ├── inputMode + pattern for known formats (PAN, Aadhaar, mobile)
+        ├── error messages from i18n keys (never raw)
+        └── submit disabled while !isDirty || !isValid || isSubmitting
+```
+
+## Workflow
+
+### Step 1: Determine field set
+
+If `--fields` is provided, parse it (`name:type` comma-separated, e.g. `pan:string,amount:number,date:date`).
+Otherwise, ask the user (via prompt in chat) which fields they need.
+
+### Step 2: Build the Zod schema
+
+For each field, choose a base from BFSI presets:
+
+- `pan` → `z.string().regex(/^[A-Z]{5}[0-9]{4}[A-Z]$/, t('error.pan_invalid'))`
+- `aadhaar` → `z.string().regex(/^\d{12}$/).refine(verhoeff)`
+- `mobile` → `z.string().regex(/^[6-9]\d{9}$/)`
+- `email` → `z.string().email()`
+- `amount` → `z.number().positive().multipleOf(0.01)`
+- `account_number` → `z.string().regex(/^\d{9,18}$/)`
+- `ifsc` → `z.string().regex(/^[A-Z]{4}0[A-Z0-9]{6}$/)`
+- `date` → `z.coerce.date()`
+
+If a field name doesn't match a preset, fall back to `z.string().min(1)` and flag it for review.
+
+### Step 3: Generate the form component
+
+Use the template at `references/templates/form.tsx.tpl`. Imports from `@react-vault/ui` and `@react-vault/core`. Submit handler uses `useAuditedAction("<feature>.<form>.submitted")`.
+
+### Step 4: Add i18n keys
+
+Add label/placeholder/error keys to the project's translation files (en.json + hi.json placeholder).
+
+### Step 5: Verify
+
+Run `pnpm typecheck` on the new file. If `useFormWithZod` import fails, the project doesn't have `@react-vault/ui` installed — tell the user to install it.
+
+## Conventions
+
+- **Never** capture card numbers or CVVs in a regular form. Use `<PCITokenizedCardInput>` from `@react-vault/ui` which embeds a PCI-compliant iframe.
+- **Never** persist form drafts of PII fields to localStorage. Use `sessionStorage` with the `secureStorage` wrapper from `@react-vault/core/storage`.
+- **Submit handler returns a Promise.** Errors thrown inside it are caught by the form, surfaced via toast, and audited as `<form>.submission_failed`.
+
+## References
+
+- Templates: [`references/templates/`](references/templates/)
+- Validation regex catalogue: [`references/validation-regex.md`](references/validation-regex.md)
+- shadcn/ui Form primer: https://ui.shadcn.com/docs/components/form

package/claude-toolkit/skills/bfsi-form/references/validation-regex.md

@@ -0,0 +1,50 @@
+# BFSI Validation Regex Catalogue
+
+All regex patterns used by the `bfsi-form` skill. Keep this file as the single source of truth — the `@react-vault/core/pii` module imports from here.
+
+## Identity
+
+| Field           | Regex                           | Notes                                                  |
+| --------------- | ------------------------------- | ------------------------------------------------------ |
+| PAN             | `^[A-Z]{5}[0-9]{4}[A-Z]$`       | Permanent Account Number (Income Tax India)            |
+| Aadhaar         | `^\d{12}$`                      | 12 digits + Verhoeff checksum (see `aadhaar.verhoeff`) |
+| Passport        | `^[A-Z][0-9]{7}$`               | Indian passport                                        |
+| Voter ID        | `^[A-Z]{3}\d{7}$`               | EPIC number                                            |
+| Driving Licence | `^[A-Z]{2}\d{2} ?\d{4} ?\d{7}$` | State-prefix + sequence                                |
+
+## Contact
+
+| Field          | Regex                                    | Notes                  |
+| -------------- | ---------------------------------------- | ---------------------- |
+| Mobile (India) | `^[6-9]\d{9}$`                           | 10 digits starting 6-9 |
+| Email          | RFC 5322 lite (use `z.string().email()`) | Don't roll your own    |
+| Pincode        | `^\d{6}$`                                | Indian postal code     |
+
+## Banking
+
+| Field          | Regex                                         | Notes                                   |
+| -------------- | --------------------------------------------- | --------------------------------------- |
+| Account Number | `^\d{9,18}$`                                  | Bank-specific; widest common range      |
+| IFSC           | `^[A-Z]{4}0[A-Z0-9]{6}$`                      | 4 alphas + `0` + 6 alphanumeric         |
+| MICR           | `^\d{9}$`                                     | Magnetic Ink Character Recognition code |
+| UPI VPA        | `^[a-zA-Z0-9.\-_]{2,256}@[a-zA-Z]{2,64}$`     | virtual payment address                 |
+| SWIFT/BIC      | `^[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}([A-Z0-9]{3})?$` | 8 or 11 chars                           |
+| GSTIN          | `^\d{2}[A-Z]{5}\d{4}[A-Z][A-Z\d][Z][A-Z\d]$`  | Goods and Services Tax ID               |
+
+## Money
+
+| Field      | Pattern                                  | Notes                                                                           |
+| ---------- | ---------------------------------------- | ------------------------------------------------------------------------------- |
+| Amount (₹) | `z.number().positive().multipleOf(0.01)` | NEVER use float math — always paise as integer for internal, format for display |
+| Percentage | `z.number().min(0).max(100)`             | Interest rates, ratios                                                          |
+
+## Card data — DO NOT USE
+
+There are no regex patterns for card numbers, CVVs, expiry dates in this catalogue. **All card data must flow through `<PCITokenizedCardInput>` which uses a PCI-compliant iframe.** A bare `<input>` capturing card data brings your app into PCI-DSS scope — never worth it.
+
+## Implementation notes
+
+- All regex patterns are case-sensitive unless noted.
+- For "uppercase-or-lowercase" inputs, normalise to uppercase in the schema's `.transform()` step — don't make the regex case-insensitive.
+- For visual readability (e.g. account number with spaces), add a `display` mapper that formats; never store the formatted version.
+- Aadhaar regex alone is not enough — add `.refine(aadhaarVerhoeff)` to validate the checksum digit.

package/claude-toolkit/skills/bfsi-onboarding/SKILL.md

@@ -0,0 +1,110 @@
+---
+name: bfsi-onboarding
+description: Onboards a new developer to a Your Real Company BFSI project. Explains the project structure, key conventions, how features are organised, where security primitives live, and how the Claude toolkit assists day-to-day work. Use when the user is new to the codebase and asks "how does this project work", "where do I start", "give me an overview", "what's the architecture", or "how do I add a feature".
+---
+
+# BFSI Project Onboarding
+
+You are explaining a Your Real Company BFSI React project to a developer who is new to it. Be concise but thorough. Adapt depth based on their background (ask once if unclear: "Are you new to React, or new to this specific BFSI starter?").
+
+## The project at a glance
+
+This project was scaffolded from `@react-vault/react-starter`. It's a **Vite + React + TypeScript SPA** with security, audit, and compliance primitives wired in by default.
+
+Stack:
+
+- **React 18** + **Vite 5** + **TypeScript strict**
+- **Tailwind CSS** + **shadcn/ui** (components owned in `src/components/ui/`)
+- **React Hook Form** + **Zod** for forms
+- **RTK Query** OR **TanStack Query** for data fetching (check `package.json`)
+- **react-router-dom v6** with `<ProtectedRoute>` + `<CanAccess>` guards
+- **react-i18next** for i18n (en + hi default)
+- **Vitest** + **Testing Library** + **Playwright**
+
+## Where things live
+
+```
+src/
+├── app/                    # App.tsx, providers, root layout
+├── features/<Feature>/     # ALL feature code lives here (api, containers, components, tests)
+├── routes/                 # Route config, ProtectedRoute, CanAccess
+├── shared/                 # Cross-feature components (ErrorBoundary, NotFound)
+├── i18n/                   # react-i18next setup + translations
+├── env.ts                  # Zod-validated env vars
+└── main.tsx                # Entry point
+```
+
+Security & audit primitives come from npm packages:
+
+- `@react-vault/core` — encryption, PII utils, audit client, axios factory, auth helpers
+- `@react-vault/ui` — Tailwind + shadcn + BFSI compositions (PIIMaskedDisplay, ConfirmModal, etc.)
+
+## Day-to-day workflows
+
+### Adding a new feature
+
+Use `/bfsi-feature MyFeature` — generates the full directory.
+
+### Adding an endpoint
+
+Use `/bfsi-api-endpoint GET /my-resource --feature MyFeature` — adds typed endpoint with audit.
+
+### Adding a form
+
+Use `/bfsi-form MyForm --fields "pan:string,amount:number"` — generates RHF + Zod form with BFSI defaults.
+
+### Masking a PII field in display
+
+Use `/bfsi-pii-field pan user.pan` — wraps with `<PIIMaskedDisplay>`.
+
+### Before a PR
+
+Run `/bfsi-compliance-check` — runs OWASP + RBI + PCI checklist over the diff.
+Optionally run `/bfsi-review` — spawns full multi-agent review.
+
+### Committing
+
+Use `/bfsi-commit` — generates audit-friendly Conventional Commits message.
+
+## Critical conventions
+
+1. **Container-component split**: containers hold side-effects (API, audit), components are pure JSX.
+2. **All API responses are Zod-parsed**: runtime safety. Never trust the network shape.
+3. **All mutations are audited**: use `useAuditedMutation` (RTK) or wrap with `useAuditedAction` (TanStack).
+4. **All routes are protected**: `<ProtectedRoute permission="...">`. Defaults to authenticated-only if `permission` omitted, but explicit is better.
+5. **PII never enters localStorage**: use `secureStorage` from `@react-vault/core/storage` (memory-first, sessionStorage fallback, encrypted IndexedDB option).
+6. **No card data in HTML inputs**: use `<PCITokenizedCardInput>` from `@react-vault/ui`.
+7. **No `any` types**: types flow from Zod schemas.
+8. **All user-facing strings via `t()`**: never inline. Even error messages.
+9. **Conventional Commits with BFSI types**: see `/bfsi-commit`. `security` and `compliance` are extra types beyond standard set.
+
+## The Claude toolkit
+
+The `.claude/` directory in this project enables a plugin called `toolkit`. Run `/hooks` to see registered hooks (file protection, secret scanner, formatter, PII scanner, etc.). Run `/plugin` to see the toolkit. Run `/bfsi-doctor` to verify everything's wired up.
+
+Hooks may block you from:
+
+- Editing `.env*`, `*.pem`, `credentials.json`, `.git/` files
+- Running `rm -rf`, `git push --force` on protected branches
+- Writing files that contain secret patterns (API keys, tokens)
+- Writing files that introduce PII patterns into logs
+
+These are not personal — they protect every dev from a class of mistake that's expensive in BFSI.
+
+## Getting unstuck
+
+- Architecture questions → ask `bfsi-architect` agent (`@bfsi-architect how should I structure ...`)
+- Security questions → ask `bfsi-security-reviewer`
+- Performance questions → ask `bfsi-performance-reviewer`
+- Test patterns → look at `bfsi-test-pattern` reference skill (it'll auto-load when you ask)
+- Stuck on an error → look at `bfsi-error-message` reference skill
+
+## What NOT to do (common pitfalls)
+
+- ❌ Don't bypass `useAuditedMutation` — every state change is auditable.
+- ❌ Don't put PII in URL search params.
+- ❌ Don't trust client-side permission checks alone — backend re-checks every API call.
+- ❌ Don't use `localStorage` for tokens. Use the auth module's storage strategy.
+- ❌ Don't use `dangerouslySetInnerHTML` without sanitisation.
+- ❌ Don't write your own crypto — use `@react-vault/core/encryption`.
+- ❌ Don't commit to `main` directly — always via PR.

package/claude-toolkit/skills/bfsi-pii-field/SKILL.md

@@ -0,0 +1,90 @@
+---
+name: bfsi-pii-field
+description: Wraps a data field with PII masking (click-to-reveal + audit log) using PIIMaskedDisplay from @react-vault/ui. Use when the user types /bfsi-pii-field, asks to "mask this PAN", "hide the account number", "add masking to Aadhaar", or "make this field a PII field".
+disable-model-invocation: true
+argument-hint: <field-type> <variable-or-prop>
+allowed-tools: Read Edit Grep
+---
+
+# BFSI PII Field
+
+Wraps a value display with `<PIIMaskedDisplay type="pan" value={...} />` from `@react-vault/ui`.
+
+## Supported types
+
+| Type             | Default mask       | Reveal duration |
+| ---------------- | ------------------ | --------------- |
+| `pan`            | `ABCDE****F`       | 30s             |
+| `aadhaar`        | `XXXX XXXX 1234`   | 15s             |
+| `account_number` | `****1234`         | 30s             |
+| `mobile`         | `+91 ******1234`   | 30s             |
+| `email`          | `j***@example.com` | 30s             |
+| `card_last4`     | `**** 1234`        | 60s             |
+| `name`           | initials only      | 60s             |
+| `address`        | first line + `…`   | 60s             |
+| `dob`            | masked, age shown  | never           |
+
+## What it does
+
+Given a JSX expression like:
+
+```tsx
+<td>{user.pan}</td>
+```
+
+Replaces it with:
+
+```tsx
+<td>
+  <PIIMaskedDisplay type="pan" value={user.pan} auditTarget={{ type: 'user', id: user.id }} />
+</td>
+```
+
+This adds:
+
+1. **Click-to-reveal** with audit log entry (`data.pan.revealed`)
+2. **Auto re-mask** after the type-specific duration
+3. **Copy guard** — copying the masked text returns "\*\*\*\*" not the value
+4. **a11y** — `aria-label="masked PAN, click to reveal"`, screen-reader-friendly
+
+## Workflow
+
+### Step 1: Locate the field
+
+If the user gives a variable like `user.pan`, find the occurrences in the current file. If multiple, ask which one.
+
+### Step 2: Determine the type
+
+If not provided, infer from the variable name:
+
+- contains `pan` → `pan`
+- contains `aadhaar` / `uid` → `aadhaar`
+- contains `account` / `acc_no` → `account_number`
+- contains `mobile` / `phone` → `mobile`
+- contains `email` → `email`
+- contains `dob` / `birth` → `dob`
+- otherwise → ask the user.
+
+### Step 3: Determine the audit target
+
+The `auditTarget` prop tells the audit log which resource the field belongs to. Infer from context:
+
+- If the variable is `user.pan`, target = `{ type: 'user', id: user.id }`
+- If it's `kycRecord.aadhaar`, target = `{ type: 'kyc_record', id: kycRecord.id }`
+- Otherwise, ask the user.
+
+### Step 4: Add the import (if missing)
+
+```tsx
+import { PIIMaskedDisplay } from '@react-vault/ui';
+```
+
+### Step 5: Replace + verify
+
+Edit the file. Run `pnpm typecheck` on the changed file. Report success.
+
+## When NOT to use
+
+- **In a `<form>` input field.** Use `<SecureFormField>` instead — that handles paste guards and autocomplete prevention for input, not display.
+- **In exported data.** Exports should use the same mask but emit a `data.<field>.exported` event with a higher severity (don't reveal in CSV without explicit user consent).
+- **In server-rendered HTML.** Masking on the client only is insufficient for SSR contexts — the backend must also mask before sending. Flag this to the user if the file looks like SSR.

package/claude-toolkit/skills/bfsi-test-pattern/SKILL.md

@@ -0,0 +1,179 @@
+---
+name: bfsi-test-pattern
+description: Reference for BFSI testing patterns — security scenarios (auth bypass, injection, race conditions), accessibility tests, audit log assertions, PII masking checks, and form validation edge cases. Auto-loads when the user asks about writing tests, test coverage, security tests, a11y tests, or BFSI-specific test patterns.
+---
+
+# BFSI Testing Patterns
+
+Reference for what to test in a Rsense BFSI project. Goes beyond happy-path unit tests.
+
+## Tools
+
+- **Vitest** for unit + integration tests
+- **@testing-library/react** for component tests
+- **@axe-core/react** for a11y assertions
+- **MSW (Mock Service Worker)** for network mocking
+- **Playwright** for E2E
+
+## The BFSI test pyramid
+
+```
+                  /\
+                 /  \   Playwright E2E (few)
+                /____\
+               /      \
+              / RTL +  \  Integration (some)
+             / MSW      \
+            /____________\
+           /              \
+          /  Vitest unit   \  Unit (many)
+         /__________________\
+```
+
+## Required test categories per feature
+
+For every feature, you need:
+
+### 1. Schema tests (Zod)
+
+```ts
+// src/features/Kyc/__tests__/schema.test.ts
+import { describe, expect, it } from 'vitest';
+import { kycSubmissionSchema } from '../schema';
+
+describe('kycSubmissionSchema', () => {
+  it('accepts valid PAN', () => {
+    expect(() => kycSubmissionSchema.parse({ pan: 'ABCDE1234F', ... })).not.toThrow();
+  });
+  it('rejects malformed PAN', () => {
+    expect(() => kycSubmissionSchema.parse({ pan: 'abcd', ... })).toThrow(/invalid/i);
+  });
+  it('rejects Aadhaar with wrong checksum', () => {
+    expect(() => kycSubmissionSchema.parse({ aadhaar: '123456789012', ... })).toThrow();
+  });
+  it('strips unknown fields (whitelist)', () => {
+    const parsed = kycSubmissionSchema.parse({ pan: 'ABCDE1234F', extra: 'evil', ... });
+    expect(parsed).not.toHaveProperty('extra');
+  });
+});
+```
+
+### 2. Container tests (RTL + MSW)
+
+```ts
+// src/features/Kyc/__tests__/containers.test.tsx
+describe('KycList container', () => {
+  it('renders empty state when no records', async () => { /* ... */ });
+  it('masks PAN in the table by default', async () => {
+    render(<KycList />);
+    await screen.findByText(/loaded/i);
+    // PIIMaskedDisplay shows masked value
+    expect(screen.getByText('ABCDE****F')).toBeInTheDocument();
+    expect(screen.queryByText('ABCDE1234F')).not.toBeInTheDocument();
+  });
+  it('reveals PAN on click and fires audit event', async () => {
+    const audit = vi.spyOn(auditClient, 'record');
+    render(<KycList />);
+    await userEvent.click(screen.getByRole('button', { name: /reveal pan/i }));
+    expect(screen.getByText('ABCDE1234F')).toBeInTheDocument();
+    expect(audit).toHaveBeenCalledWith(expect.objectContaining({
+      event_name: 'data.pan.revealed',
+    }));
+  });
+});
+```
+
+### 3. Permission tests
+
+```ts
+describe('KycList route', () => {
+  it('redirects to /login when unauthenticated', () => { /* ... */ });
+  it('shows 403 when authenticated but lacks kyc.view permission', () => { /* ... */ });
+  it('renders for users with kyc.view', () => { /* ... */ });
+});
+```
+
+### 4. Idempotency tests
+
+```ts
+describe('submitKyc mutation', () => {
+  it('includes Idempotency-Key header', async () => {
+    const spy = vi.spyOn(http, 'post');
+    await store.dispatch(api.endpoints.submitKyc.initiate(payload));
+    expect(spy).toHaveBeenCalledWith(
+      expect.anything(),
+      expect.objectContaining({
+        headers: expect.objectContaining({ 'Idempotency-Key': expect.any(String) }),
+      }),
+    );
+  });
+  it('uses the same key on retry', async () => { /* ... */ });
+});
+```
+
+### 5. A11y tests
+
+```ts
+import { axe } from 'jest-axe';
+
+describe('KycForm a11y', () => {
+  it('has no a11y violations', async () => {
+    const { container } = render(<KycForm />);
+    expect(await axe(container)).toHaveNoViolations();
+  });
+  it('all inputs have labels', () => {
+    render(<KycForm />);
+    expect(screen.getByLabelText(/pan/i)).toBeInTheDocument();
+    expect(screen.getByLabelText(/aadhaar/i)).toBeInTheDocument();
+  });
+  it('error messages are announced (aria-live)', async () => { /* ... */ });
+});
+```
+
+### 6. Security tests
+
+```ts
+describe('KycList security', () => {
+  it('does not log PAN to console', async () => {
+    const logSpy = vi.spyOn(console, 'log');
+    render(<KycList />);
+    await screen.findByText(/loaded/i);
+    const allLogArgs = logSpy.mock.calls.flat().join(' ');
+    expect(allLogArgs).not.toMatch(/[A-Z]{5}\d{4}[A-Z]/); // PAN pattern
+  });
+  it('does not store PAN in localStorage', async () => {
+    render(<KycList />);
+    await screen.findByText(/loaded/i);
+    for (let i = 0; i < localStorage.length; i++) {
+      const key = localStorage.key(i)!;
+      const value = localStorage.getItem(key) || '';
+      expect(value).not.toMatch(/[A-Z]{5}\d{4}[A-Z]/);
+    }
+  });
+  it('does not include PAN in URLs (query / hash)', () => {
+    expect(window.location.search).not.toMatch(/[A-Z]{5}\d{4}[A-Z]/);
+    expect(window.location.hash).not.toMatch(/[A-Z]{5}\d{4}[A-Z]/);
+  });
+});
+```
+
+### 7. E2E (Playwright)
+
+For each route, one E2E that:
+- Logs in
+- Navigates to the route
+- Performs the primary user action
+- Asserts the success state
+- Asserts the audit event was sent (via mocked endpoint or test backend)
+
+## Patterns to copy
+
+When unsure, copy patterns from `src/features/_example/__tests__/`. The example feature is intentionally well-tested as a reference.
+
+## Coverage targets
+
+- Container components: 80%+ statement coverage
+- Schemas (Zod): 100% (cheap and high-value)
+- Pure components: 60%+ (style edge cases caught visually)
+- E2E: one per route
+- Security: every PII-handling component must have category 5 + 6 tests

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export declare function main(): Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AA2DA,wBAAsB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAyG1C"}