@revealui/harnesses 0.1.0 → 0.1.3

package/dist/chunk-JDI6B2IB.js

@@ -0,0 +1,2537 @@
+// src/content/index.ts
+import { readFileSync } from "fs";
+import { join, resolve } from "path";
+
+// src/content/definitions/agents/builder.ts
+var builderAgent = {
+  id: "builder",
+  tier: "oss",
+  name: "Builder",
+  description: "Builds and typechecks packages in isolation",
+  isolation: "worktree",
+  tools: [],
+  content: `You are a build agent for the RevealUI monorepo.
+
+## Setup
+Run \`pnpm install\` first to establish symlinks in this worktree.
+
+## Tasks
+- Build specified package(s): \`pnpm --filter <package> build\`
+- Typecheck specified package(s): \`pnpm --filter <package> typecheck\`
+- Full build: \`pnpm build\`
+- Full typecheck: \`pnpm typecheck:all\`
+
+## Rules
+- Report errors clearly with file paths and line numbers
+- Do NOT modify source code \u2014 only build and report
+- If a build fails, identify the root cause and report it`
+};
+
+// src/content/definitions/agents/docs-sync.ts
+var docsSyncAgent = {
+  id: "docs-sync",
+  tier: "pro",
+  name: "Docs Sync",
+  description: "Checks documentation freshness against code changes to prevent doc drift",
+  isolation: "worktree",
+  tools: [],
+  content: `You are a documentation sync checker for the RevealUI monorepo.
+
+## Purpose
+
+Detect documentation drift \u2014 places where code has changed but docs haven't been updated.
+
+## Checks
+
+### 1. API Route \u2194 OpenAPI Spec
+- Compare \`apps/api/src/routes/\` route handlers against \`packages/openapi/\` spec
+- Flag routes that exist in code but not in spec (or vice versa)
+- Check that request/response schemas match \`@revealui/contracts\`
+
+### 2. Package Exports \u2194 Docs Site
+- Compare \`packages/*/src/index.ts\` exports against \`apps/docs/\` documentation
+- Flag exported functions/types that have no corresponding doc page
+- Check that documented APIs still exist in the package
+
+### 3. CLI Commands \u2194 CLI Docs
+- Compare \`packages/cli/src/\` commands against docs site CLI reference
+- Flag undocumented commands or removed commands still in docs
+
+### 4. Collection Fields \u2194 CMS Docs
+- Compare \`apps/cms/src/collections/\` field definitions against any collection docs
+- Flag field additions/removals not reflected in documentation
+
+### 5. Environment Variables
+- Compare env vars used in code (\`process.env.*\`, \`config.*\`) against:
+  - \`.env.example\` files
+  - Setup documentation
+  - Deployment docs
+
+### 6. CLAUDE.md Accuracy
+- Verify package counts, table counts, and other metrics in CLAUDE.md
+- Check that listed commands still work
+- Verify port numbers match actual app configs
+
+## Output Format
+
+Report findings as a table:
+
+| Priority | Area | Issue | File(s) |
+|----------|------|-------|---------|
+| HIGH | API routes | POST /api/tickets not in OpenAPI spec | apps/api/src/routes/tickets.ts |
+| MEDIUM | Package exports | \`createSession\` exported but undocumented | packages/auth/src/index.ts |
+
+## Rules
+- Do NOT modify any files \u2014 report only
+- Focus on high-priority drift (new features, changed APIs)
+- Ignore internal/private APIs not intended for external docs
+- Check git log for recently changed files to prioritise review`
+};
+
+// src/content/definitions/agents/gate-runner.ts
+var gateRunnerAgent = {
+  id: "gate-runner",
+  tier: "pro",
+  name: "Gate Runner",
+  description: "Runs the full CI gate in isolation",
+  isolation: "worktree",
+  tools: [],
+  content: `You are a CI gate agent for the RevealUI monorepo.
+
+## Setup
+Run \`pnpm install\` first to establish symlinks in this worktree.
+
+## Tasks
+- Full gate: \`pnpm gate\`
+- Quick gate (phase 1 only): \`pnpm gate:quick\`
+- Gate without build: \`pnpm gate --no-build\`
+
+## Gate Phases
+1. **Quality** (parallel): Biome lint (hard fail), audits (warn)
+2. **Type checking** (serial): \`pnpm -r typecheck\` across all packages
+3. **Test + Build** (parallel): Vitest (warn), turbo build (hard fail)
+
+## Rules
+- Report which phase failed and the specific error(s)
+- Biome, typecheck, and build are hard failures \u2014 must be fixed
+- Tests are warn-only \u2014 report but don't block
+- Do NOT modify source code \u2014 only run the gate and report`
+};
+
+// src/content/definitions/agents/linter.ts
+var linterAgent = {
+  id: "linter",
+  tier: "oss",
+  name: "Linter",
+  description: "Lint and format code in isolation",
+  isolation: "worktree",
+  tools: [],
+  content: `You are a lint/format agent for the RevealUI monorepo.
+
+## Setup
+Run \`pnpm install\` first to establish symlinks in this worktree.
+
+## Tasks
+- Biome check: \`biome check .\`
+- Biome fix: \`biome check --write .\`
+- Full lint: \`pnpm lint\`
+- Auto-fix: \`pnpm lint:fix\`
+- Format: \`pnpm format\`
+
+## Rules
+- Biome is the sole linter \u2014 fix all Biome errors
+- Follow the unused declarations policy in \`.claude/rules/unused-declarations.md\`
+- Report remaining warnings that cannot be auto-fixed
+- Do NOT suppress lint rules without justification`
+};
+
+// src/content/definitions/agents/security-reviewer.ts
+var securityReviewerAgent = {
+  id: "security-reviewer",
+  tier: "pro",
+  name: "Security Reviewer",
+  description: "Reviews code for security vulnerabilities, hardcoded secrets, and auth issues",
+  isolation: "worktree",
+  tools: [],
+  content: `You are a security reviewer for the RevealUI monorepo (Business Operating System Software).
+
+## Scope
+
+Audit the codebase for security issues across these categories:
+
+### 1. Hardcoded Secrets
+- API keys, tokens, passwords in source code (not .env files)
+- Credentials in test fixtures that look production-like
+- Base64-encoded secrets or obfuscated credentials
+
+### 2. Auth & Session Security
+- Session cookie configuration (httpOnly, secure, sameSite, domain)
+- Password hashing (must use bcrypt, never plaintext)
+- Rate limiting on auth endpoints
+- Brute force protection bypass paths
+
+### 3. Input Validation
+- SQL injection via raw queries (should use Drizzle ORM parameterised queries)
+- XSS in rendered content (especially Lexical rich text output)
+- Path traversal in file upload/serve paths
+- SSRF in user-provided URLs
+
+### 4. RBAC/ABAC Policy
+- Missing access control checks on API routes
+- Privilege escalation paths (user \u2192 admin)
+- Tenant isolation (multi-site data leakage)
+
+### 5. CSP & Headers
+- Content-Security-Policy completeness
+- CORS misconfiguration (check allowed origins)
+- Missing security headers (HSTS, X-Frame-Options, etc.)
+
+### 6. Dependency Security
+- Known vulnerabilities in direct dependencies
+- Supabase boundary violations (imports outside permitted paths)
+
+## Architecture Context
+
+- **Auth**: Session-only (no JWT). \`revealui-session\` cookie across \`.revealui.com\`.
+- **Dual-DB**: NeonDB (REST content) + Supabase (vectors/auth). Strict import boundary.
+- **Tiers**: free, pro, max, enterprise. License checks via \`isLicensed()\`.
+- **API**: Hono on port 3004. CMS calls API cross-origin (CORS configured).
+
+## Rules
+- Use AST-based analysis over regex for code-shape checks (see .claude/rules/code-analysis-policy.md)
+- Report findings with severity (critical/high/medium/low), file path, and line number
+- Suggest specific fixes, not just descriptions
+- Do NOT modify source code \u2014 report only
+- Prioritise critical and high severity findings`
+};
+
+// src/content/definitions/agents/tester.ts
+var testerAgent = {
+  id: "tester",
+  tier: "oss",
+  name: "Tester",
+  description: "Runs tests for packages in isolation",
+  isolation: "worktree",
+  tools: [],
+  content: `You are a test agent for the RevealUI monorepo.
+
+## Setup
+Run \`pnpm install\` first to establish symlinks in this worktree.
+
+## Tasks
+- Test specified package(s): \`pnpm --filter <package> test\`
+- Test with coverage: \`pnpm --filter <package> test:coverage\`
+- Full test suite: \`pnpm test\`
+- Integration tests: \`pnpm test:integration\`
+
+## Rules
+- Report test failures with file paths, test names, and error messages
+- Do NOT modify source code \u2014 only test and report
+- If tests fail, identify the root cause and suggest fixes
+- Report coverage numbers when running with coverage`
+};
+
+// src/content/definitions/agents/index.ts
+var agents = [
+  builderAgent,
+  docsSyncAgent,
+  gateRunnerAgent,
+  linterAgent,
+  securityReviewerAgent,
+  testerAgent
+];
+
+// src/content/definitions/commands/audit.ts
+var auditCommand = {
+  id: "audit",
+  tier: "oss",
+  name: "Audit",
+  description: "Audit the codebase for avoidable `any` types and production console statements. Use when asked to check code quality, before a release, or after a large refactor.",
+  disableModelInvocation: false,
+  content: `Run code quality audits on the RevealUI monorepo.
+
+Execute these audit commands in sequence:
+
+1. \`pnpm audit:any\` \u2014 Find avoidable \`any\` types across the codebase
+2. \`pnpm audit:console\` \u2014 Find production \`console.*\` statements that should use the logger
+
+Report findings as a summary table with package name and count. If issues are found, suggest fixes.
+
+Target: 0 avoidable \`any\` types, 0 production console statements.`
+};
+
+// src/content/definitions/commands/gate.ts
+var gateCommand = {
+  id: "gate",
+  tier: "oss",
+  name: "Gate",
+  description: "Run the full CI gate (Biome lint, typecheck, Vitest, turbo build) before pushing. Only invoke when explicitly asked to run the gate or verify before a push.",
+  disableModelInvocation: true,
+  content: `Run the CI gate to validate the monorepo before pushing.
+
+Execute \`pnpm gate\` in the RevealUI monorepo root. This runs the full CI pipeline:
+1. Biome lint check
+2. TypeScript type checking across all packages
+3. Vitest test suite
+4. Turbo build
+
+If the full gate takes too long, run \`pnpm gate:quick\` for phase 1 only (lint + typecheck).
+
+Report any failures with the specific package and error details.`
+};
+
+// src/content/definitions/commands/new-package.ts
+var newPackageCommand = {
+  id: "new-package",
+  tier: "oss",
+  name: "New Package",
+  description: "Scaffold a new @revealui/* package with package.json, tsconfig.json, tsup.config.ts, and src/index.ts. Only invoke when explicitly asked to create a new package.",
+  disableModelInvocation: true,
+  argumentHint: "<package-name>",
+  content: `Scaffold a new package in the RevealUI monorepo.
+
+Arguments: $ARGUMENTS (package name, e.g., "analytics")
+
+Create the following structure at \`packages/<name>/\`:
+
+1. \`package.json\` with:
+   - name: \`@revealui/<name>\`
+   - version: \`0.1.0\`
+   - type: \`module\`
+   - exports, main, types pointing to \`dist/\`
+   - scripts: build, dev, lint, test, typecheck
+   - publishConfig.access: \`public\` (or \`"private": true\` for Pro packages)
+   - engines.node: \`>=24.13.0\`
+
+2. \`tsconfig.json\` extending \`@revealui/dev/tsconfig\`
+
+3. \`tsup.config.ts\` with entry \`src/index.ts\`, dts, format esm
+
+4. \`src/index.ts\` with a placeholder export
+
+5. \`README.md\` with package name and description
+
+After scaffolding, remind the user to:
+- Run \`pnpm install\` to link the new package
+- Add \`workspace:*\` references from consuming packages
+- Create a changeset with \`pnpm changeset\``
+};
+
+// src/content/definitions/commands/stripe-best-practices.ts
+var stripeBestPracticesCommand = {
+  id: "stripe-best-practices",
+  tier: "pro",
+  name: "Stripe Best Practices",
+  description: "Apply when working on Stripe billing, payments, webhooks, subscriptions, or checkout flows (apps/api/src/routes/billing.ts, packages/services).",
+  disableModelInvocation: false,
+  content: `Apply Stripe best practices when implementing or reviewing payment code in this project:
+
+## Webhook Handling
+- Always verify webhook signatures using \`stripe.webhooks.constructEvent()\` with the raw request body (never parsed JSON)
+- Use idempotency keys for all mutating API calls (charges, subscriptions, refunds)
+- Return 200 immediately after signature verification; process asynchronously if needed
+- Handle all relevant events: \`checkout.session.completed\`, \`customer.subscription.deleted\`, \`customer.subscription.updated\`, \`invoice.payment_failed\`
+
+## Subscription Management
+- Store \`customer.id\`, \`subscription.id\`, and \`subscription.status\` in your DB \u2014 not just price/product IDs
+- Use \`subscription.status\` to gate access: only \`active\` and \`trialing\` grant access
+- Handle \`past_due\` gracefully \u2014 show dunning UI, don't immediately revoke access
+- Use \`cancel_at_period_end: true\` for user-initiated cancellations (preserves access until period end)
+
+## Checkout & Billing Portal
+- Use \`metadata\` on checkout sessions to pass internal IDs (userId, planId) through to webhooks
+- Always set \`client_reference_id\` to your internal user ID
+- Use Stripe Billing Portal for plan changes and cancellations \u2014 don't build your own
+
+## Security
+- Never log full Stripe objects \u2014 they may contain PII
+- Never expose secret keys client-side; all Stripe API calls must be server-side
+- Use restricted API keys scoped to minimum permissions for each service
+- Validate that webhook events reference resources owned by your users before acting
+
+## Error Handling
+- Retry on \`rate_limit_error\` and network errors with exponential backoff
+- On \`card_error\` and \`invalid_request_error\`, surface Stripe's \`message\` to the user (it's user-safe)
+- Log \`stripe_error\` codes for debugging; never expose raw error objects to clients
+
+## RevealUI-Specific
+- Webhook endpoint: \`apps/cms\` at \`/api/webhooks/stripe\` (NOT the API endpoint)
+- Stripe service: \`packages/services/src/stripe/\`
+- Billing routes: \`apps/api/src/routes/billing.ts\`
+- Price IDs are managed via \`pnpm stripe:seed\` \u2014 see \`scripts/setup/seed-stripe.ts\``
+};
+
+// src/content/definitions/commands/index.ts
+var commands = [
+  auditCommand,
+  gateCommand,
+  newPackageCommand,
+  stripeBestPracticesCommand
+];
+
+// src/content/definitions/preambles/index.ts
+var preambles = [
+  {
+    tier: 1,
+    name: "Identity",
+    description: "Always injected \u2014 core project identity and structure",
+    ruleIds: ["monorepo"]
+  },
+  {
+    tier: 2,
+    name: "Architecture",
+    description: "Project-wide technical context \u2014 database, styling, formatting, config patterns",
+    ruleIds: ["database", "biome", "tailwind", "parameterization"]
+  },
+  {
+    tier: 3,
+    name: "Domain",
+    description: "Feature-area specific policies \u2014 analysis standards, code hygiene",
+    ruleIds: ["code-analysis-policy", "unused-declarations"]
+  },
+  {
+    tier: 4,
+    name: "Task",
+    description: "Injected per-operation \u2014 skill routing, agent dispatch",
+    ruleIds: ["skills-usage", "agent-dispatch"]
+  }
+];
+
+// src/content/definitions/rules/agent-dispatch.ts
+var agentDispatchRule = {
+  id: "agent-dispatch",
+  tier: "pro",
+  name: "Agent Profile Dispatch",
+  description: "When to spawn specialized agent profiles from .claude/agents/",
+  scope: "project",
+  preambleTier: 4,
+  tags: ["agents", "coordination"],
+  content: `# Agent Profile Dispatch
+
+Profiles live in \`.claude/agents/\`. Spawn them via the Agent tool when a task is
+too large or specialized for the current session.
+
+## Profiles
+
+| Profile | When to spawn |
+|---------|--------------|
+| \`gate-runner\` | Running the full CI gate (\`pnpm gate\`), verifying the repo is clean before a push or release |
+| \`security-reviewer\` | Auditing auth flows, reviewing security-sensitive PRs, checking new API routes for vulnerabilities |
+| \`builder\` | Large feature implementation spanning multiple packages that would pollute the current session context |
+| \`tester\` | Writing test suites, achieving coverage targets, fixing batches of failing tests |
+| \`docs-sync\` | Updating public docs, syncing API reference, writing changelogs, keeping MASTER_PLAN in sync |
+| \`linter\` | Bulk lint fixes, unused declaration sweeps, \`any\` type removal, Biome cleanup across the monorepo |
+
+## Rules
+
+1. Don't spawn a profile for work that takes under 15 minutes in the current session.
+2. Check the workboard before spawning \u2014 another agent may already own that area.
+3. Always give spawned agents:
+   - Current phase from \`~/projects/revealui-jv/docs/MASTER_PLAN.md\`
+   - Relevant workboard state
+   - The specific task and acceptance criteria
+4. Spawned agents report findings back to the parent. Only the parent updates MASTER_PLAN.md.
+5. Spawned agents must not create plan files outside MASTER_PLAN.md (see \`planning.md\`).`
+};
+
+// src/content/definitions/rules/biome.ts
+var biomeRule = {
+  id: "biome",
+  tier: "oss",
+  name: "Biome Conventions",
+  description: "Biome 2 linter/formatter rules and suppression protocol",
+  scope: "project",
+  preambleTier: 2,
+  tags: ["lint", "format", "quality"],
+  content: `# Biome Conventions
+
+## Overview
+
+Biome 2 is the sole linter and formatter for this monorepo.
+
+## Commands
+
+- \`pnpm lint\` \u2014 check all files with Biome (\`biome check .\`)
+- \`pnpm format\` \u2014 format all files with Biome (\`biome format --write .\`)
+- \`pnpm lint:fix\` \u2014 auto-fix with Biome (\`biome check --write .\`)
+- \`biome check .\` \u2014 lint + format check (per-package)
+- \`biome check --write .\` \u2014 auto-fix (used by lint-staged)
+
+## Lint-Staged
+
+Pre-commit hook runs \`biome check --write\` on staged \`*.{ts,tsx,js,jsx}\` files via Husky + lint-staged.
+
+## Key Rules
+
+- No unused variables or imports (auto-removed on format)
+- No \`console.*\` in production code (use \`@revealui/utils\` logger instead)
+- No \`any\` types (use \`unknown\` + type guards)
+- Consistent import ordering (auto-sorted)
+- Single quotes for strings
+- Trailing commas
+- Semicolons always
+- 2-space indentation (tabs in Biome config, spaces in output)
+
+## Suppressing Rules
+
+- Use \`// biome-ignore <rule>: <reason>\` for specific lines
+- Avoid blanket suppressions \u2014 prefer fixing the code
+- Document why a suppression is needed in the comment
+
+## Unused Variables \u2014 Special Protocol
+
+**Before suppressing any unused variable or import warning, read \`.claude/rules/unused-declarations.md\`.**
+
+The mandatory decision tree there must be followed. Unused declarations frequently indicate incomplete implementations that need to be finished, not suppressed. Silencing the warning without completing the code creates permanent dead stubs.
+
+TL;DR: implement first, suppress only as a last resort.`
+};
+
+// src/content/definitions/rules/code-analysis-policy.ts
+var codeAnalysisPolicyRule = {
+  id: "code-analysis-policy",
+  tier: "oss",
+  name: "Code Analysis Policy",
+  description: "Prefer AST-based analysis over regex for security and architecture checks",
+  scope: "project",
+  preambleTier: 3,
+  tags: ["security", "analysis"],
+  content: `# Code Analysis Policy
+
+Use AST-based or structural analysis for code-policy and security checks whenever the rule depends on syntax, identifiers, or code shape.
+
+## Prefer AST-Based Analysis For
+
+- security gate checks over application code
+- architecture and boundary rules
+- auth/password handling checks
+- response/body serialization checks
+- import-policy enforcement beyond simple path inventory
+
+## Regex Is Acceptable Only For
+
+- broad inventory scans over raw text
+- committed secret patterns
+- literal token/URL/key detection
+- quick warning-level heuristics that are explicitly marked approximate
+
+## Do Not Use Regex As Source Of Truth For
+
+- whether a value is stored in plaintext
+- whether a secret is hardcoded in executable code
+- whether a boundary rule is violated by code structure
+- whether a security-sensitive value reaches a sink
+
+## Working Rule
+
+If a check can be expressed against the TypeScript/JavaScript AST with reasonable effort, use AST analysis first.
+
+If regex is still used:
+
+- document it as heuristic-only
+- keep it warning-level unless independently verified
+- add a follow-up to migrate it to AST/structural analysis`
+};
+
+// src/content/definitions/rules/database.ts
+var databaseRule = {
+  id: "database",
+  tier: "oss",
+  name: "Database Conventions",
+  description: "Dual-database architecture (NeonDB + Supabase) boundaries and query patterns",
+  scope: "project",
+  preambleTier: 2,
+  tags: ["database", "architecture", "drizzle"],
+  content: `# Database Conventions
+
+## Dual-Database Architecture
+
+RevealUI uses **two databases with strictly separated responsibilities**:
+
+| Database | Client | Purpose |
+|----------|--------|---------|
+| **NeonDB** (PostgreSQL) | \`@neondatabase/serverless\` | REST content: collections, users, sessions, orders, products |
+| **Supabase** | \`@supabase/supabase-js\` | Vector embeddings, real-time auth, AI memory storage |
+
+## Boundary Rule
+
+**\`@supabase/supabase-js\` must only be imported inside designated vector/auth modules:**
+
+### Allowed paths for Supabase imports
+- \`packages/db/src/vector/\` \u2014 vector schema and queries
+- \`packages/db/src/auth/\` \u2014 Supabase auth helpers
+- \`packages/auth/src/\` \u2014 authentication implementation
+- \`packages/ai/src/\` \u2014 AI memory and embedding storage
+- \`packages/services/src/supabase/\` \u2014 Supabase service integrations
+- \`apps/*/src/lib/supabase/\` \u2014 app-level Supabase utilities
+
+### Forbidden: Supabase imports in
+- \`packages/core/\` \u2014 CMS engine must be DB-agnostic
+- \`packages/contracts/\` \u2014 contracts are schema-only
+- \`packages/config/\` \u2014 config must not hardcode DB client
+- \`apps/cms/src/collections/\` \u2014 collection hooks use Drizzle/Neon only
+- \`apps/cms/src/routes/\` \u2014 REST routes use Neon only
+
+## Schema Organization
+
+\`\`\`
+packages/db/src/schema/
+\u251C\u2500\u2500 accounts.ts       # NeonDB: user accounts
+\u251C\u2500\u2500 agents.ts         # NeonDB: AI agent definitions
+\u251C\u2500\u2500 api-keys.ts       # NeonDB: API key management
+\u251C\u2500\u2500 cms.ts            # NeonDB: CMS collections, media
+\u251C\u2500\u2500 gdpr.ts           # NeonDB: GDPR consent, deletion
+\u251C\u2500\u2500 licenses.ts       # NeonDB: license keys, tiers
+\u251C\u2500\u2500 pages.ts          # NeonDB: pages, navigation
+\u251C\u2500\u2500 sites.ts          # NeonDB: multi-tenant sites
+\u251C\u2500\u2500 tickets.ts        # NeonDB: support tickets
+\u251C\u2500\u2500 users.ts          # NeonDB: user management, sessions
+\u251C\u2500\u2500 vector.ts         # Supabase: embeddings, AI memory
+\u251C\u2500\u2500 rest.ts           # NeonDB: REST schema barrel
+\u251C\u2500\u2500 index.ts          # Combined schema export
+\u2514\u2500\u2500 ...               # 30+ schema files total
+\`\`\`
+
+## Query Patterns
+
+### NeonDB (Drizzle ORM)
+\`\`\`ts
+import { db } from '@revealui/db'
+import { posts } from '@revealui/db/schema'
+
+const results = await db.select().from(posts).where(eq(posts.status, 'published'))
+\`\`\`
+
+### Supabase (vector/auth only)
+\`\`\`ts
+// Only in designated modules (packages/db/src/vector/, packages/ai/src/)
+import { createSupabaseClient } from '@revealui/db/vector'
+
+const { data } = await supabase.rpc('match_documents', { query_embedding: embedding })
+\`\`\`
+
+## Enforcement
+
+The \`pnpm validate:structure\` script checks for Supabase imports outside permitted paths.
+CI runs this as part of phase 1 (warn-only \u2014 violations are flagged but don't block builds).
+
+To check locally:
+\`\`\`bash
+pnpm validate:structure
+\`\`\`
+
+## Migration Guidance
+
+When adding new features:
+1. **Content/REST data** \u2192 add to \`packages/db/src/schema/\` + use Drizzle
+2. **AI/vector data** \u2192 add to \`packages/db/src/vector/\` + use Supabase client
+3. **Never mix** both DB clients in the same module`
+};
+
+// src/content/definitions/rules/monorepo.ts
+var monorepoRule = {
+  id: "monorepo",
+  tier: "oss",
+  name: "Monorepo Conventions",
+  description: "pnpm workspace, Turborepo, package structure, and publishing conventions",
+  scope: "project",
+  preambleTier: 1,
+  tags: ["monorepo", "pnpm", "turborepo"],
+  content: `# Monorepo Conventions
+
+## Structure
+- Apps live in \`apps/\` \u2014 deployable services (Next.js, Hono, Vite)
+- Packages live in \`packages/\` \u2014 shared libraries consumed by apps
+- Scripts live in \`scripts/\` \u2014 CLI tools, automation, CI gates
+
+## Package Manager
+- pnpm 10 with workspace protocol
+- Internal deps use \`workspace:*\` (never hardcoded versions)
+- Run \`pnpm install:clean\` (suppresses Node deprecation warnings)
+- \`preinstall\` script enforces pnpm-only (\`npx only-allow pnpm\`)
+
+## Turborepo
+- \`turbo run build --parallel\` for parallel builds
+- \`turbo run test --concurrency=15\` for parallel tests
+- Package-level \`turbo.json\` for task overrides (rare)
+- Cache stored in \`.turbo/\` (gitignored)
+
+## Package Conventions
+- Every package has: \`build\`, \`dev\`, \`lint\`, \`test\`, \`typecheck\` scripts
+- Build output goes to \`dist/\` via tsup
+- Source in \`src/\`, tests in \`src/__tests__/\` or \`__tests__/\`
+- Entry point: \`src/index.ts\` \u2192 \`dist/index.js\`
+- Use \`exports\` field in package.json for subpath exports
+- Include \`files: ["dist", "README.md"]\` for publishing
+
+## Dependency Rules
+- Use \`syncpack\` for version alignment (\`pnpm deps:check\`, \`pnpm deps:fix\`)
+- Use \`catalog:\` for shared devDependencies (e.g., \`"zod": "catalog:"\`)
+- pnpm overrides in root package.json for security patches
+- \`onlyBuiltDependencies\` whitelist for native modules
+
+## CI Gate
+- \`pnpm gate\` runs the full CI pipeline locally: lint \u2192 typecheck \u2192 test \u2192 build
+- \`pnpm gate:quick\` runs phase 1 only (fast feedback)
+- Must pass before pushing (enforced by Husky pre-push hook)
+
+## Adding a New Package
+1. Create \`packages/<name>/\` with package.json, tsconfig.json, tsup.config.ts
+2. Name: \`@revealui/<name>\`
+3. Add \`workspace:*\` references from consuming packages
+4. Register in turbo pipeline (automatic via conventions)
+5. Add to CI if needed
+
+## Publishing
+- OSS packages: \`publishConfig.access: "public"\`, MIT license
+- Pro packages: \`publishConfig.access: "public"\`, commercial license (source-available on npm)
+- Use changesets for versioning: \`pnpm changeset\` \u2192 \`pnpm changeset:version\` \u2192 \`pnpm changeset:publish\`
+
+## Import Conventions
+- Use package names (\`@revealui/core\`) not relative paths between packages
+- Use \`~/\` alias within apps (maps to \`src/*\`)
+- Use ES Modules (\`import\`/\`export\`) everywhere`
+};
+
+// src/content/definitions/rules/parameterization.ts
+var parameterizationRule = {
+  id: "parameterization",
+  tier: "oss",
+  name: "Parameterization Conventions",
+  description: "Never hardcode config values \u2014 extract, type, default, and make overridable",
+  scope: "project",
+  preambleTier: 2,
+  tags: ["config", "patterns"],
+  content: `# Parameterization Conventions
+
+## Core Rule
+
+**Never hardcode configuration values inline.** All tunable constants (TTLs, limits, lengths, thresholds, intervals) must be:
+
+1. **Extracted** into a named config object or constant at module scope
+2. **Typed** with an explicit interface
+3. **Defaulted** with sensible production values
+4. **Overridable** via an exported \`configure*()\` function or constructor parameter
+
+## Pattern
+
+\`\`\`ts
+export interface ModuleConfig {
+  /** TTL in milliseconds (default: 5 minutes) */
+  ttlMs: number
+  /** Max entries before forced cleanup (default: 10_000) */
+  maxEntries: number
+}
+
+const DEFAULT_CONFIG: ModuleConfig = {
+  ttlMs: 5 * 60 * 1000,
+  maxEntries: 10_000,
+}
+
+let config: ModuleConfig = { ...DEFAULT_CONFIG }
+
+export function configureModule(overrides: Partial<ModuleConfig>): void {
+  config = { ...DEFAULT_CONFIG, ...overrides }
+}
+\`\`\`
+
+## Why
+
+- Tests need fast TTLs and small limits
+- Deployments may need different thresholds than development
+- \`Math.random()\` is not cryptographically secure \u2014 use \`crypto.randomInt()\` for security-sensitive values (OTPs, tokens, nonces)
+
+## Applies To
+
+- Rate limit windows and thresholds
+- Cache TTLs and max sizes
+- OTP/token lengths and expiry times
+- Retry counts and backoff intervals
+- Batch sizes and concurrency limits
+
+## Does NOT Apply To
+
+- Structural constants (HTTP status codes, header names, URL paths)
+- Type discriminants and enum values
+- Schema definitions (use contracts)`
+};
+
+// src/content/definitions/rules/skills-usage.ts
+var skillsUsageRule = {
+  id: "skills-usage",
+  tier: "pro",
+  name: "Skill Auto-Use Guidelines",
+  description: "When to proactively invoke skills vs wait for explicit user request",
+  scope: "project",
+  preambleTier: 4,
+  tags: ["skills", "automation"],
+  content: `# Skill Auto-Use Guidelines
+
+When the Skill tool is available, proactively invoke the following skills in these situations:
+
+## Always invoke automatically (no user prompt needed)
+
+- \`/vercel-react-best-practices\` \u2014 before completing any PR that touches React components or hooks
+- \`/stripe-best-practices\` \u2014 any time you write or modify billing, payment, webhook, or Stripe code
+- \`/next-best-practices\` \u2014 when implementing features in apps/cms or apps/marketing
+- \`/next-cache-components\` \u2014 when adding 'use cache', cache profiles, or PPR to a Next.js route
+- \`/vercel-composition-patterns\` \u2014 when adding new components to @revealui/presentation
+- \`/web-design-guidelines\` \u2014 when asked to review a UI, page, or component for quality
+- \`/review\` \u2014 when the user asks for a code review, asks to "check" or "look at" code
+- \`/add-tests\` \u2014 when the user asks to write tests or add coverage for a specific file
+- \`/audit\` \u2014 before any release or after a large refactor touching multiple packages
+- \`/turborepo\` \u2014 when modifying turbo.json, pipeline configuration, or monorepo task dependencies
+
+## Only invoke on explicit user request (disable-model-invocation: true)
+
+- \`/gate\` \u2014 user must explicitly ask to run the gate
+- \`/sync-lts\` \u2014 user must explicitly ask to sync or backup
+- \`/new-package\` \u2014 user must explicitly ask to scaffold a package
+- \`/new-professional-project\` \u2014 user must explicitly ask to create a project
+- \`/vercel-deploy\` \u2014 user must explicitly ask to deploy
+- \`/deploy-check\` \u2014 user must explicitly ask for pre-deploy check
+- \`/db-migrate\` \u2014 user must explicitly ask to create or apply database migrations
+- \`/preflight\` \u2014 user must explicitly ask to run the preflight checklist
+
+## When in doubt
+
+If a skill's description matches the current task, prefer invoking it over not invoking it.
+The overhead of loading a skill is low; missing relevant guidance has higher cost.`
+};
+
+// src/content/definitions/rules/tailwind.ts
+var tailwindRule = {
+  id: "tailwind",
+  tier: "oss",
+  name: "Tailwind CSS v4 Conventions",
+  description: "Tailwind v4 syntax rules, v3\u2192v4 migration gotchas, and shared config patterns",
+  scope: "project",
+  preambleTier: 2,
+  tags: ["css", "tailwind", "styling"],
+  content: `# Tailwind CSS v4 Conventions
+
+## Version
+
+RevealUI uses **Tailwind CSS v4** (\`^4.1.18\`). All new code must use v4 patterns.
+
+## Current State
+
+The shared config in \`packages/dev/src/tailwind/\` uses a **v3 compatibility pattern** (JS config file + JS plugins). This works because Tailwind v4 auto-detects \`tailwind.config.ts\` and falls back to v3 behavior. Migration to native v4 CSS config is deferred to Phase 2.
+
+## v4 Gotchas (Must Know)
+
+### Import Syntax
+\`\`\`css
+/* CORRECT (v4) */
+@import "tailwindcss";
+
+/* WRONG (v3 \u2014 deprecated) */
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+\`\`\`
+
+### Custom Utilities
+\`\`\`css
+/* CORRECT (v4) */
+@utility my-util {
+  /* styles */
+}
+
+/* WRONG (v3) */
+@layer utilities {
+  .my-util { /* styles */ }
+}
+@layer components {
+  .my-component { /* styles */ }
+}
+\`\`\`
+
+### CSS Variable Syntax
+\`\`\`html
+<!-- CORRECT (v4) \u2014 parentheses -->
+<div class="bg-(--brand-color)">
+
+<!-- WRONG (v3) \u2014 square brackets -->
+<div class="bg-[--brand-color]">
+\`\`\`
+
+### Important Modifier
+\`\`\`html
+<!-- CORRECT (v4) \u2014 at the end -->
+<div class="bg-red-500!">
+
+<!-- WRONG (v3) \u2014 at the start -->
+<div class="bg-!red-500">
+\`\`\`
+
+### Default Behavior Changes
+- **Border/ring color**: now \`currentColor\` (was \`gray-200\` in v3)
+- **Ring width**: default is \`1px\` (was \`3px\` in v3)
+- **\`hover:\`**: only applies on devices that support hover (no-touch)
+- **Stacked variants**: apply left-to-right (reversed from v3)
+- **\`space-*\` / \`divide-*\`**: selectors changed \u2014 prefer \`gap\` with flex/grid
+
+### Transform Utilities
+\`\`\`html
+<!-- CORRECT (v4) -->
+<div class="scale-none rotate-none translate-none">
+
+<!-- WRONG (v3) -->
+<div class="transform-none">
+\`\`\`
+
+### Prefix Syntax
+\`\`\`css
+/* v4 prefix */
+@import "tailwindcss" prefix(tw);
+/* Classes use tw:bg-red-500 */
+\`\`\`
+
+### CSS Modules / Component Styles
+Use \`@reference\` to access theme variables in CSS modules or component \`<style>\` blocks.
+
+### PostCSS Plugin
+\`\`\`js
+// v4 \u2014 new package name
+{ plugins: { '@tailwindcss/postcss': {} } }
+
+// v3 \u2014 old (still works but deprecated)
+{ plugins: { tailwindcss: {} } }
+\`\`\`
+
+### Vite Plugin (preferred over PostCSS for Vite apps)
+\`\`\`js
+import tailwindcss from '@tailwindcss/vite'
+export default { plugins: [tailwindcss()] }
+\`\`\`
+
+## Theme Configuration (v4 native)
+
+In v4, theme tokens go in CSS, not JS:
+
+\`\`\`css
+@import "tailwindcss";
+
+@theme {
+  --color-brand: #ea580c;
+  --font-sans: "Inter", sans-serif;
+  --breakpoint-xs: 475px;
+  --breakpoint-3xl: 1920px;
+}
+\`\`\`
+
+## RevealUI Shared Config
+
+| File | Purpose |
+|------|---------|
+| \`packages/dev/src/tailwind/tailwind.config.ts\` | Shared v3-compat config (fonts, plugins, screens) |
+| \`packages/dev/src/tailwind/create-config.ts\` | Helper to merge shared + app configs |
+| \`packages/dev/src/tailwind/postcss.config.ts\` | PostCSS config with \`@tailwindcss/postcss\` |
+| \`packages/dev/src/tailwind/styles.css\` | Base CSS (\`@import "tailwindcss"\`) |
+
+### Consumer Pattern (current \u2014 v3 compat)
+\`\`\`ts
+// apps/cms/tailwind.config.ts
+import { createTailwindConfig } from 'dev/tailwind/create-config'
+export default createTailwindConfig({
+  content: ['./src/**/*.{ts,tsx}'],
+  // app-specific overrides
+})
+\`\`\`
+
+## Rules for New Code
+
+1. **Never use \`@tailwind\` directives** \u2014 use \`@import "tailwindcss"\` instead
+2. **Never use \`@layer utilities\` or \`@layer components\`** for custom utilities \u2014 use \`@utility\`
+3. **Use \`bg-(--var)\` syntax** for CSS variables, not \`bg-[--var]\`
+4. **Important goes at the end**: \`bg-red-500!\` not \`!bg-red-500\`
+5. **Prefer \`gap\`** over \`space-*\` / \`divide-*\` for spacing in flex/grid
+6. **No \`transform-none\`** \u2014 use \`scale-none\`, \`rotate-none\`, \`translate-none\`
+7. **Don't add new v3 JS plugins** \u2014 if a v4 CSS equivalent exists, use that
+8. **Content paths are auto-detected** in v4 \u2014 only add manual paths for edge cases`
+};
+
+// src/content/definitions/rules/unused-declarations.ts
+var unusedDeclarationsRule = {
+  id: "unused-declarations",
+  tier: "oss",
+  name: "Unused Declarations Policy",
+  description: "Never suppress unused warnings without determining if code is incomplete \u2014 implement first",
+  scope: "project",
+  preambleTier: 3,
+  tags: ["lint", "quality", "policy"],
+  content: `# Unused Declarations Policy
+
+## Core Rule
+
+**NEVER suppress an unused variable/import warning without first determining if the code is incomplete.**
+
+Unused declarations in this codebase frequently signal incomplete implementations \u2014 stubs, scaffolded functions, planned integrations \u2014 not dead code. Suppressing the warning without completing the code leads to permanent placeholders that silently rot.
+
+---
+
+## Mandatory Decision Tree
+
+When you encounter an \`no-unused-vars\`, \`noUnusedVariables\`, or \`noUnusedFunctionParameters\` warning, you MUST follow this decision tree **before taking any action**:
+
+\`\`\`
+1. Is the declaration a stub or placeholder?
+   \u2514\u2500 Signs: empty function body, \`// TODO\`, \`throw new Error('not implemented')\`,
+             adjacent commented-out code, file has <10 lines of real logic,
+             variable name matches a feature that exists elsewhere in the codebase
+   \u2514\u2500 Action: IMPLEMENT the missing functionality. Do not suppress.
+
+2. Is the declaration an intentionally-created side-effect resource?
+   \u2514\u2500 Signs: infrastructure-as-code (Pulumi/CDK), event listener registration,
+             DB migration runner, resource that must exist but isn't referenced
+   \u2514\u2500 Action: Rename with \`_\` prefix to signal intentional non-use.
+              Add a comment explaining WHY it exists.
+
+3. Is the import used only as a type (TypeScript)?
+   \u2514\u2500 Signs: import is from a types package, used only in \`type X = ...\` expressions
+   \u2514\u2500 Action: Change to \`import type { ... }\` \u2014 Biome will no longer flag it.
+
+4. Is the parameter required by a callback signature you don't control?
+   \u2514\u2500 Signs: Express/Hono middleware \`(req, res, next)\`, event handler \`(event, context)\`,
+             interface implementation where all params are mandated
+   \u2514\u2500 Action: Prefix with \`_\` (e.g. \`_req\`, \`_event\`). Add a comment if non-obvious.
+
+5. Is it genuinely dead code with no planned use?
+   \u2514\u2500 Signs: feature was removed, import was replaced, duplicate of another symbol
+   \u2514\u2500 Action: DELETE the declaration entirely. Per the Legacy Code Removal Policy,
+              no grace periods \u2014 remove it and all call sites in the same change.
+\`\`\`
+
+---
+
+## What "Implement" Means
+
+When you determine a declaration is incomplete (case 1), the required steps are:
+
+1. **Search the codebase** for related implementations, types, interfaces, and tests that reveal intent.
+2. **Check the plan file** at \`~/.claude/plans/\` for any documented phase covering this feature.
+3. **Check for contracts** in \`packages/contracts/src/\` \u2014 the schema often describes the expected behavior.
+4. **Implement the function/class/module** based on what the surrounding code expects.
+5. **Run \`pnpm gate:quick\`** after implementing to verify no new errors were introduced.
+
+Do NOT:
+- Add \`// biome-ignore lint/correctness/noUnusedVariables: TODO implement\`
+- Rename to \`_variable\` just to silence the warning when the variable should be used
+- Delete a stub that represents planned functionality without implementing it first
+
+---
+
+## Examples
+
+### Wrong \u2014 suppressing an incomplete stub
+\`\`\`ts
+// biome-ignore lint/correctness/noUnusedVariables: TODO
+const semanticMemory = new SemanticMemory()
+\`\`\`
+
+### Right \u2014 implement it
+\`\`\`ts
+const semanticMemory = new SemanticMemory()
+await semanticMemory.store('key', content, embedding)
+\`\`\`
+
+---
+
+### Wrong \u2014 deleting a planned integration
+\`\`\`ts
+// Was: import { ProceduralMemory } from './procedural-memory.js'
+// Deleted because "unused"
+\`\`\`
+
+### Right \u2014 implement the module it was waiting for
+\`\`\`ts
+// packages/ai/src/memory/memory/procedural-memory.ts
+export class ProceduralMemory { ... }
+// Then use it where the original import was
+\`\`\`
+
+---
+
+### Wrong \u2014 renaming away the signal
+\`\`\`ts
+// Original: const routeTableAssoc = new aws.ec2.RouteTableAssociation(...)
+// "Fixed": const _routeTableAssoc = new aws.ec2.RouteTableAssociation(...)
+// No comment explaining why
+\`\`\`
+
+### Right \u2014 rename AND document
+\`\`\`ts
+// Route table association must exist for subnet routing to function.
+// The variable is not referenced after creation; AWS manages the association.
+const _routeTableAssoc = new aws.ec2.RouteTableAssociation(...)
+\`\`\`
+
+---
+
+## Verification Step After Any Lint Fix
+
+After resolving any unused declaration warning, run:
+
+\`\`\`bash
+# Confirm the fix compiles
+pnpm --filter <package> typecheck
+
+# Confirm Biome is clean on the changed file
+node_modules/.bin/biome check <file>
+
+# If the declaration was a stub that you implemented, run the tests
+pnpm --filter <package> test
+\`\`\`
+
+Never move to the next task without completing this verification.
+
+---
+
+## Relationship to Gate Verification Rule
+
+This policy works in conjunction with the gate verification rule: complete the implementation \u2192 verify with lint/type/test \u2192 then move on. The gate catches regressions; this policy prevents incomplete code from silently accumulating.`
+};
+
+// src/content/definitions/rules/index.ts
+var rules = [
+  agentDispatchRule,
+  biomeRule,
+  codeAnalysisPolicyRule,
+  databaseRule,
+  monorepoRule,
+  parameterizationRule,
+  skillsUsageRule,
+  tailwindRule,
+  unusedDeclarationsRule
+];
+
+// src/content/definitions/skills/db-migrate.ts
+var dbMigrateSkill = {
+  id: "db-migrate",
+  tier: "pro",
+  name: "Database Migration",
+  description: "Create and apply Drizzle ORM migrations with dual-DB boundary checks (NeonDB vs Supabase)",
+  disableModelInvocation: true,
+  skipFrontmatter: false,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {},
+  content: `# Database Migration Workflow
+
+Guide for creating and applying Drizzle ORM migrations in the RevealUI dual-database architecture.
+
+## Pre-Flight Checks
+
+Before creating a migration:
+
+1. **Identify the target database**:
+   - **NeonDB** (REST content): users, sessions, collections, products, orders, licenses, pages, sites, tickets, agents, api-keys, GDPR
+   - **Supabase** (vectors/auth): embeddings, AI memory storage, real-time auth
+   - If unsure, check \`packages/db/src/schema/rest.ts\` (NeonDB) vs \`packages/db/src/schema/vector.ts\` (Supabase)
+
+2. **Check existing schema** for conflicts:
+   \`\`\`bash
+   # View current schema files
+   ls packages/db/src/schema/
+
+   # Check for table name conflicts
+   grep -r "export const.*pgTable" packages/db/src/schema/
+   \`\`\`
+
+3. **Verify contracts alignment** \u2014 new tables/columns should have corresponding Zod schemas:
+   \`\`\`bash
+   ls packages/contracts/src/
+   \`\`\`
+
+## Migration Steps
+
+### Step 1: Modify Schema
+
+Edit the appropriate schema file in \`packages/db/src/schema/\`:
+
+- Follow existing patterns (see adjacent schema files)
+- Use Drizzle's \`pgTable\`, column types, and relations
+- Add indexes for frequently queried columns
+- Add \`createdAt\`/\`updatedAt\` timestamps with defaults
+
+### Step 2: Generate Migration
+
+\`\`\`bash
+cd packages/db
+pnpm drizzle-kit generate
+\`\`\`
+
+Review the generated SQL in \`packages/db/drizzle/\` \u2014 check for:
+- Destructive changes (DROP TABLE, DROP COLUMN)
+- Data loss risks (column type changes without USING clause)
+- Missing indexes on foreign keys
+
+### Step 3: Apply Migration (Development Only)
+
+\`\`\`bash
+# Development database ONLY \u2014 never production
+pnpm db:migrate
+\`\`\`
+
+**NEVER run \`drizzle-kit push\`** \u2014 always use \`drizzle-kit migrate\` (the PreToolUse hook blocks \`push\`).
+
+### Step 4: Verify
+
+\`\`\`bash
+# Typecheck the db package
+pnpm --filter @revealui/db typecheck
+
+# Run db tests
+pnpm --filter @revealui/db test
+
+# If schema changes affect contracts, update and test those too
+pnpm --filter @revealui/contracts typecheck
+pnpm --filter @revealui/contracts test
+\`\`\`
+
+### Step 5: Update Contracts (if needed)
+
+If you added new tables or columns that are exposed via the API:
+
+1. Add/update Zod schema in \`packages/contracts/src/\`
+2. Export from \`packages/contracts/src/index.ts\`
+3. Update any API routes that use the new schema
+
+## Dual-DB Boundary Rules
+
+| If your change touches... | Put it in... | Client |
+|---------------------------|-------------|--------|
+| Content, users, sessions, products, orders | \`packages/db/src/schema/\` (NeonDB barrel) | Drizzle ORM |
+| Vector embeddings, AI memory | \`packages/db/src/schema/vector.ts\` | Supabase client |
+| Real-time auth helpers | \`packages/db/src/auth/\` | Supabase client |
+
+**Never mix** NeonDB and Supabase operations in the same module.
+
+## Rollback
+
+If a migration needs to be reverted:
+
+1. Create a new migration that undoes the changes (Drizzle doesn't have built-in rollback)
+2. Never manually edit the migration journal (\`_journal.json\`)
+3. Document the rollback reason in the migration file comment`
+};
+
+// src/content/definitions/skills/preflight.ts
+var preflightSkill = {
+  id: "preflight",
+  tier: "oss",
+  name: "Preflight Check",
+  description: "Run the 15-check pre-launch preflight and interpret results with context-aware fix suggestions",
+  disableModelInvocation: true,
+  skipFrontmatter: false,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {},
+  content: `# Preflight Check
+
+Run the full pre-launch preflight checklist and interpret results.
+
+## Run
+
+\`\`\`bash
+pnpm preflight
+\`\`\`
+
+This runs 15 checks covering lint, types, tests, build, security, and structure.
+
+## Interpreting Results
+
+### Hard Failures (must fix before launch)
+
+| Check | What It Means | Common Fix |
+|-------|--------------|------------|
+| **Biome lint** | Code style or correctness violation | \`pnpm lint:fix\` then review remaining |
+| **TypeScript** | Type errors across workspaces | \`pnpm typecheck:all\` to see full list |
+| **Build** | Compilation failure in one or more packages | Check \`dist/\` output, tsup config |
+| **Tests** | Unit/integration test failures | \`pnpm test\` to see which tests fail |
+
+### Warn-Only (should fix, won't block)
+
+| Check | What It Means | Common Fix |
+|-------|--------------|------------|
+| **\`any\` audit** | Avoidable \`any\` types found | \`pnpm audit:any\` \u2014 use \`unknown\` + type guards |
+| **Console audit** | \`console.*\` in production code | \`pnpm audit:console\` \u2014 use \`@revealui/utils\` logger |
+| **Structure** | Supabase boundary violations or package issues | \`pnpm validate:structure\` |
+| **Security** | CSP, CORS, or header issues | Check \`packages/security/\` |
+| **Dependencies** | Version mismatches across workspaces | \`pnpm deps:check\` then \`pnpm deps:fix\` |
+
+## After Preflight
+
+If all hard checks pass:
+
+1. Run \`pnpm gate\` for the full CI gate (superset of preflight)
+2. Check for uncommitted changes: \`git status\`
+3. Review the deployment checklist: \`/deploy-check\`
+
+If checks fail, fix in priority order:
+1. Build failures (blocks everything)
+2. Type errors (blocks CI)
+3. Test failures (blocks confidence)
+4. Lint issues (blocks merge)
+5. Warn-only items (fix before release)`
+};
+
+// src/content/definitions/skills/revealui-conventions.ts
+var revealuiConventionsSkill = {
+  id: "revealui-conventions",
+  tier: "oss",
+  name: "RevealUI Conventions",
+  description: "RevealUI coding conventions for any code task \u2014 writing, editing, reviewing, creating,\nfixing, refactoring, changing, adding, or updating TypeScript, React, CSS, or config files.\nCovers TypeScript strict mode, ES Modules, Biome formatting, Tailwind v4 syntax,\nconventional commits, monorepo workspace protocol, feature gating, parameterization,\nand unused declaration policy.",
+  disableModelInvocation: false,
+  skipFrontmatter: false,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {},
+  content: `# RevealUI Conventions
+
+Follow these conventions for ALL code in the RevealUI monorepo.
+
+## TypeScript
+
+- Always use strict mode (\`strict: true\` in tsconfig)
+- Use ES Modules (\`import\`/\`export\`), never CommonJS (\`require\`)
+- Prefer \`interface\` over \`type\` for object shapes (unless union/intersection needed)
+- Use explicit return types on exported functions
+- Avoid \`any\` \u2014 use \`unknown\` and narrow with type guards
+- Use \`as const\` for literal objects and arrays when appropriate
+- Prefer \`satisfies\` over \`as\` for type assertions when possible
+- Use optional chaining (\`?.\`) and nullish coalescing (\`??\`) over manual checks
+- Async/await over \`.then()\` chains
+
+## Git
+
+### Commit Messages
+- Use conventional commits: \`type(scope): description\`
+- Types: feat, fix, refactor, docs, test, chore, ci, perf
+- Scope is optional, use package name for monorepos (e.g., \`feat(core): add parser\`)
+- Description in imperative mood, lowercase, no period
+- Keep subject line under 72 characters
+
+### Branch Naming
+- Feature: \`feat/<short-description>\`
+- Bugfix: \`fix/<short-description>\`
+- Chore: \`chore/<short-description>\`
+
+### Identity
+- RevealUI Studio <founder@revealui.com>
+
+## Monorepo
+
+### Structure
+- Apps live in \`apps/\` \u2014 deployable services (Next.js, Hono, Vite)
+- Packages live in \`packages/\` \u2014 shared libraries consumed by apps
+- Scripts live in \`scripts/\` \u2014 CLI tools, automation, CI gates
+
+### Package Manager
+- pnpm 10 with workspace protocol
+- Internal deps use \`workspace:*\` (never hardcoded versions)
+- Run \`pnpm install:clean\` (suppresses Node deprecation warnings)
+- \`preinstall\` script enforces pnpm-only (\`npx only-allow pnpm\`)
+
+### Turborepo
+- \`turbo run build --parallel\` for parallel builds
+- \`turbo run test --concurrency=15\` for parallel tests
+- Package-level \`turbo.json\` for task overrides (rare)
+- Cache stored in \`.turbo/\` (gitignored)
+
+### Package Conventions
+- Every package has: \`build\`, \`dev\`, \`lint\`, \`test\`, \`typecheck\` scripts
+- Build output goes to \`dist/\` via tsup
+- Source in \`src/\`, tests in \`src/__tests__/\` or \`__tests__/\`
+- Entry point: \`src/index.ts\` \u2192 \`dist/index.js\`
+- Use \`exports\` field in package.json for subpath exports
+- Include \`files: ["dist", "README.md"]\` for publishing
+
+### Dependency Rules
+- Use \`syncpack\` for version alignment (\`pnpm deps:check\`, \`pnpm deps:fix\`)
+- Use \`catalog:\` for shared devDependencies (e.g., \`"zod": "catalog:"\`)
+- pnpm overrides in root package.json for security patches
+
+### CI Gate
+- \`pnpm gate\` runs the full CI pipeline locally: lint \u2192 typecheck \u2192 test \u2192 build
+- \`pnpm gate:quick\` runs phase 1 only (fast feedback)
+- Must pass before pushing (enforced by Husky pre-push hook)
+
+### Adding a New Package
+1. Create \`packages/<name>/\` with package.json, tsconfig.json, tsup.config.ts
+2. Name: \`@revealui/<name>\`
+3. Add \`workspace:*\` references from consuming packages
+4. Register in turbo pipeline (automatic via conventions)
+
+### Publishing
+- OSS packages: \`publishConfig.access: "public"\`, MIT license
+- Pro packages: \`"private": true\` (not published to npm)
+- Use changesets for versioning: \`pnpm changeset\` \u2192 \`pnpm changeset:version\` \u2192 \`pnpm changeset:publish\`
+
+### Import Conventions
+- Use package names (\`@revealui/core\`) not relative paths between packages
+- Use \`~/\` alias within apps (maps to \`src/*\`)
+- Use ES Modules (\`import\`/\`export\`) everywhere
+
+## Biome
+
+Biome 2 is the sole linter and formatter for this monorepo.
+
+### Commands
+- \`pnpm lint\` \u2014 check all files (\`biome check .\`)
+- \`pnpm format\` \u2014 format all files (\`biome format --write .\`)
+- \`pnpm lint:fix\` \u2014 auto-fix (\`biome check --write .\`)
+
+### Key Rules
+- No unused variables or imports (auto-removed on format)
+- No \`console.*\` in production code (use \`@revealui/utils\` logger)
+- No \`any\` types (use \`unknown\` + type guards)
+- Consistent import ordering (auto-sorted)
+- Single quotes for strings
+- Trailing commas
+- Semicolons always
+- 2-space indentation
+
+### Suppressing Rules
+- Use \`// biome-ignore <rule>: <reason>\` for specific lines
+- Avoid blanket suppressions \u2014 prefer fixing the code
+- Document why a suppression is needed
+
+## Tailwind v4
+
+RevealUI uses **Tailwind CSS v4** (\`^4.1.18\`). Key syntax changes from v3:
+
+### Must-Know Gotchas
+
+\`\`\`css
+/* CORRECT (v4) */
+@import "tailwindcss";
+
+/* WRONG (v3) */
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+\`\`\`
+
+\`\`\`css
+/* CORRECT (v4) */
+@utility my-util { /* styles */ }
+
+/* WRONG (v3) */
+@layer utilities { .my-util { /* styles */ } }
+\`\`\`
+
+\`\`\`html
+<!-- CORRECT (v4) \u2014 parentheses for CSS vars -->
+<div class="bg-(--brand-color)">
+
+<!-- WRONG (v3) \u2014 square brackets -->
+<div class="bg-[--brand-color]">
+\`\`\`
+
+\`\`\`html
+<!-- CORRECT (v4) \u2014 important at the end -->
+<div class="bg-red-500!">
+
+<!-- WRONG (v3) \u2014 important at the start -->
+<div class="bg-!red-500">
+\`\`\`
+
+### Rules for New Code
+1. Never use \`@tailwind\` directives \u2014 use \`@import "tailwindcss"\`
+2. Never use \`@layer utilities\` or \`@layer components\` \u2014 use \`@utility\`
+3. Use \`bg-(--var)\` syntax for CSS variables, not \`bg-[--var]\`
+4. Important goes at the end: \`bg-red-500!\` not \`!bg-red-500\`
+5. Prefer \`gap\` over \`space-*\` / \`divide-*\` for spacing in flex/grid
+6. No \`transform-none\` \u2014 use \`scale-none\`, \`rotate-none\`, \`translate-none\`
+
+## Parameterization
+
+**Never hardcode configuration values inline.** All tunable constants (TTLs, limits, lengths, thresholds, intervals) must be:
+
+1. **Extracted** into a named config object or constant at module scope
+2. **Typed** with an explicit interface
+3. **Defaulted** with sensible production values
+4. **Overridable** via an exported \`configure*()\` function or constructor parameter
+
+### Pattern
+
+\`\`\`ts
+export interface ModuleConfig {
+  /** TTL in milliseconds (default: 5 minutes) */
+  ttlMs: number
+  /** Max entries before forced cleanup (default: 10_000) */
+  maxEntries: number
+}
+
+const DEFAULT_CONFIG: ModuleConfig = {
+  ttlMs: 5 * 60 * 1000,
+  maxEntries: 10_000,
+}
+
+let config: ModuleConfig = { ...DEFAULT_CONFIG }
+
+export function configureModule(overrides: Partial<ModuleConfig>): void {
+  config = { ...DEFAULT_CONFIG, ...overrides }
+}
+\`\`\`
+
+### Applies To
+- Rate limit windows and thresholds
+- Cache TTLs and max sizes
+- OTP/token lengths and expiry times
+- Retry counts and backoff intervals
+- Batch sizes and concurrency limits
+
+### Does NOT Apply To
+- Structural constants (HTTP status codes, header names, URL paths)
+- Type discriminants and enum values
+- Schema definitions (use contracts)
+
+## Unused Declarations
+
+**NEVER suppress an unused variable/import warning without first determining if the code is incomplete.**
+
+### Mandatory Decision Tree
+
+\`\`\`
+1. Stub or placeholder?
+   \u2192 IMPLEMENT the missing functionality. Do not suppress.
+
+2. Intentional side-effect resource?
+   \u2192 Rename with \`_\` prefix. Add a comment explaining WHY.
+
+3. Type-only import?
+   \u2192 Change to \`import type { ... }\`.
+
+4. Required callback parameter?
+   \u2192 Prefix with \`_\` (e.g. \`_req\`). Comment if non-obvious.
+
+5. Genuinely dead code?
+   \u2192 DELETE entirely. No grace periods.
+\`\`\`
+
+### Verification After Any Lint Fix
+
+\`\`\`bash
+pnpm --filter <package> typecheck
+node_modules/.bin/biome check <file>
+pnpm --filter <package> test   # if you implemented a stub
+\`\`\`
+
+## Feature Gating
+
+### Tier Model
+
+| Tier | Code String | Distribution |
+|------|-------------|-------------|
+| Free | \`'free'\` | MIT, open source |
+| Pro | \`'pro'\` | Source-available, commercially licensed |
+| Max | \`'max'\` | Extended Pro features |
+| Enterprise (Forge) | \`'enterprise'\` | White-label, multi-tenant, self-hosted |
+
+### Runtime Checks
+
+\`\`\`ts
+import { isLicensed, isFeatureEnabled } from '@revealui/core'
+
+if (isLicensed('pro')) { /* Pro+ feature */ }
+if (isFeatureEnabled('ai')) { /* AI feature (requires Pro) */ }
+\`\`\`
+
+### Package Boundaries
+- **OSS**: \`@revealui/core\`, \`contracts\`, \`db\`, \`auth\`, \`presentation\`, \`router\`, \`config\`, \`utils\`, \`cli\`, \`setup\`, \`sync\`, \`dev\`, \`test\`
+- **Pro**: \`@revealui/ai\`, \`mcp\`, \`editors\`, \`services\`, \`harnesses\`
+
+### Rules
+1. OSS packages must never import from Pro packages
+2. Pro packages may import from OSS packages
+3. Public tests must not hard-require Pro package source paths
+4. Feature gates use \`isLicensed()\` / \`isFeatureEnabled()\`, not environment variables`
+};
+
+// src/content/definitions/skills/revealui-db.ts
+var revealuiDbSkill = {
+  id: "revealui-db",
+  tier: "pro",
+  name: "RevealUI Database",
+  description: "RevealUI database conventions for any task involving database, schema, query, migration,\nDrizzle ORM, Supabase, NeonDB, PostgreSQL, vectors, embeddings, or data modeling.\nEnforces dual-database architecture boundaries and import restrictions.",
+  disableModelInvocation: false,
+  skipFrontmatter: false,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {},
+  content: `# Database Conventions
+
+## Dual-Database Architecture
+
+RevealUI uses **two databases with strictly separated responsibilities**:
+
+| Database | Client | Purpose |
+|----------|--------|---------|
+| **NeonDB** (PostgreSQL) | \`@neondatabase/serverless\` | REST content: collections, users, sessions, orders, products |
+| **Supabase** | \`@supabase/supabase-js\` | Vector embeddings, real-time auth, AI memory storage |
+
+## Boundary Rule
+
+**\`@supabase/supabase-js\` must only be imported inside designated vector/auth modules:**
+
+### Allowed paths for Supabase imports
+- \`packages/db/src/vector/\` \u2014 vector schema and queries
+- \`packages/db/src/auth/\` \u2014 Supabase auth helpers
+- \`packages/auth/src/\` \u2014 authentication implementation
+- \`packages/ai/src/\` \u2014 AI memory and embedding storage
+- \`packages/services/src/supabase/\` \u2014 Supabase service integrations
+- \`apps/*/src/lib/supabase/\` \u2014 app-level Supabase utilities
+
+### Forbidden: Supabase imports in
+- \`packages/core/\` \u2014 CMS engine must be DB-agnostic
+- \`packages/contracts/\` \u2014 contracts are schema-only
+- \`packages/config/\` \u2014 config must not hardcode DB client
+- \`apps/cms/src/collections/\` \u2014 collection hooks use Drizzle/Neon only
+- \`apps/cms/src/routes/\` \u2014 REST routes use Neon only
+
+## Schema Organization
+
+\`\`\`
+packages/db/src/schema/
+\u251C\u2500\u2500 collections/    # NeonDB: content collections
+\u251C\u2500\u2500 users/          # NeonDB: user management
+\u251C\u2500\u2500 commerce/       # NeonDB: products, orders, pricing
+\u251C\u2500\u2500 sessions/       # NeonDB: auth sessions
+\u251C\u2500\u2500 vector/         # Supabase: embeddings, similarity search
+\u2514\u2500\u2500 auth/           # Supabase: auth state
+\`\`\`
+
+## Query Patterns
+
+### NeonDB (Drizzle ORM)
+\`\`\`ts
+import { db } from '@revealui/db'
+import { posts } from '@revealui/db/schema'
+
+const results = await db.select().from(posts).where(eq(posts.status, 'published'))
+\`\`\`
+
+### Supabase (vector/auth only)
+\`\`\`ts
+// Only in designated modules (packages/db/src/vector/, packages/ai/src/)
+import { createSupabaseClient } from '@revealui/db/vector'
+
+const { data } = await supabase.rpc('match_documents', { query_embedding: embedding })
+\`\`\`
+
+## Enforcement
+
+The \`pnpm validate:structure\` script checks for Supabase imports outside permitted paths.
+CI runs this as part of phase 1 (warn-only \u2014 violations are flagged but don't block builds).
+
+To check locally:
+\`\`\`bash
+pnpm validate:structure
+\`\`\`
+
+## Migration Guidance
+
+When adding new features:
+1. **Content/REST data** \u2192 add to \`packages/db/src/schema/\` + use Drizzle
+2. **AI/vector data** \u2192 add to \`packages/db/src/vector/\` + use Supabase client
+3. **Never mix** both DB clients in the same module`
+};
+
+// src/content/definitions/skills/revealui-debugging.ts
+var revealuiDebuggingSkill = {
+  id: "revealui-debugging",
+  tier: "pro",
+  name: "RevealUI Debugging",
+  description: "Systematic debugging workflow for RevealUI. Use when encountering any bug, test failure,\nunexpected behavior, error, or broken functionality. Prevents shotgun debugging.",
+  disableModelInvocation: false,
+  skipFrontmatter: false,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {},
+  content: `# RevealUI Debugging Workflow
+
+When something breaks, follow this process. Do not skip steps.
+
+## The Process
+
+### 1. Reproduce
+
+- Get the exact error message, stack trace, or unexpected output
+- Find the minimal reproduction case
+- Confirm it reproduces consistently (not flaky)
+- If it only fails under \`turbo run test\`, see \`$revealui-testing\` for concurrency triage
+
+### 2. Hypothesize
+
+- Form ONE specific hypothesis about the root cause
+- Write it down before changing any code
+- Base it on evidence (error message, stack trace, git blame), not intuition
+
+### 3. Validate
+
+- Design a test or check that confirms/refutes your hypothesis
+- Run it
+- If refuted, form a new hypothesis \u2014 do not stack unrelated fixes
+
+### 4. Fix Narrowly
+
+- Change the minimum code to fix the root cause
+- Do not refactor surrounding code
+- Do not fix adjacent issues you noticed along the way (file them separately)
+
+### 5. Verify
+
+- Run the original failing test/scenario
+- Run \`pnpm --filter <package> test\` to check for regressions
+- Run \`npx biome check --write <file>\` on changed files
+
+### 6. Commit
+
+- One commit for the fix
+- Format: \`fix(scope): description of what was broken\`
+
+## Anti-Patterns
+
+- Changing multiple things at once ("shotgun debugging")
+- Fixing symptoms instead of root causes
+- Adding try/catch blocks to silence errors
+- Increasing timeouts to hide race conditions
+- Reverting to "known good" without understanding what broke
+- Asking "does this fix it?" without a hypothesis
+
+## Common RevealUI Debugging Paths
+
+| Symptom | First Check |
+|---------|------------|
+| Import error | Package built? \`pnpm --filter <pkg> build\` |
+| Type error across packages | \`pnpm typecheck:all\` \u2014 check \`workspace:*\` versions |
+| Test passes alone, fails in gate | Concurrency pressure \u2014 see \`$revealui-testing\` |
+| Supabase error in unexpected path | Import boundary violation \u2014 see \`$revealui-db\` |
+| Biome error after edit | Run \`npx biome check --write <file>\` |`
+};
+
+// src/content/definitions/skills/revealui-review.ts
+var revealuiReviewSkill = {
+  id: "revealui-review",
+  tier: "pro",
+  name: "RevealUI Code Review",
+  description: "Code review checklist for RevealUI. Use when reviewing code, completing a feature,\nchecking quality, or before committing. Invoke explicitly with $revealui-review.",
+  disableModelInvocation: true,
+  skipFrontmatter: false,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {},
+  content: `# RevealUI Code Review
+
+Run this checklist before committing or claiming work is complete.
+
+## Automated Checks
+
+Run each command and confirm clean output:
+
+\`\`\`bash
+# 1. Biome lint + format
+pnpm lint
+
+# 2. TypeScript \u2014 all packages
+pnpm typecheck:all
+
+# 3. Tests \u2014 affected packages
+pnpm --filter <package> test
+
+# 4. Quick gate (lint + typecheck + structure)
+pnpm gate:quick
+\`\`\`
+
+## Manual Checks
+
+### Type Safety
+- [ ] No \`any\` types (use \`unknown\` + type guards)
+- [ ] No \`as\` casts where \`satisfies\` works
+- [ ] Exported functions have explicit return types
+- [ ] \`import type\` used for type-only imports
+
+### Code Quality
+- [ ] No \`console.*\` in production code (use \`@revealui/utils\` logger)
+- [ ] No hardcoded config values (use parameterization pattern)
+- [ ] No unused variables/imports (follow decision tree if flagged)
+- [ ] Single responsibility \u2014 each file does one thing
+
+### Architecture
+- [ ] No Supabase imports outside permitted paths
+- [ ] No cross-package relative imports (use \`@revealui/<name>\`)
+- [ ] Internal deps use \`workspace:*\`
+- [ ] OSS packages don't import from Pro packages
+
+### Tailwind v4
+- [ ] \`bg-(--var)\` not \`bg-[--var]\` for CSS variables
+- [ ] \`bg-red-500!\` not \`!bg-red-500\` for important
+- [ ] \`@import "tailwindcss"\` not \`@tailwind\`
+- [ ] \`@utility\` not \`@layer utilities\`
+- [ ] \`gap\` preferred over \`space-*\`
+
+### Git
+- [ ] Conventional commit: \`type(scope): description\`
+- [ ] Subject under 72 characters, imperative mood
+- [ ] Identity: RevealUI Studio <founder@revealui.com>
+- [ ] No secrets in committed files`
+};
+
+// src/content/definitions/skills/revealui-safety.ts
+var revealuiSafetySkill = {
+  id: "revealui-safety",
+  tier: "oss",
+  name: "RevealUI Safety",
+  description: "RevealUI safety guardrails for any code task \u2014 editing, writing, creating, fixing,\nrefactoring, changing, adding, updating, or removing files. Protects credentials,\nenforces import boundaries, ensures code quality, and verifies work before completion.",
+  disableModelInvocation: false,
+  skipFrontmatter: false,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {},
+  content: `# RevealUI Safety
+
+Follow these rules for ALL code changes in the RevealUI monorepo.
+
+## Protected Files \u2014 Ask Before Editing
+
+- \`.env*\` files (\`.env\`, \`.env.local\`, \`.env.production\`, etc.)
+- Lock files: \`pnpm-lock.yaml\`, \`package-lock.json\`, \`yarn.lock\`
+- Database schema files in \`packages/db/src/schema/\` \u2014 changes require migration planning
+
+## Protected Paths \u2014 Never Edit
+
+- \`/mnt/c/\`, \`/mnt/e/\` \u2014 Windows mounts (read-only)
+- System/credential directories: \`/etc/\`, \`~/.ssh/\`, \`~/.gnupg/\`, \`~/.aws/\`
+
+## Import Boundaries
+
+\`@supabase/supabase-js\` is ONLY allowed in:
+
+- \`packages/db/src/vector/\`, \`packages/db/src/auth/\`
+- \`packages/auth/src/\`, \`packages/ai/src/\`
+- \`packages/services/src/supabase/\`
+- \`apps/*/src/lib/supabase/\`
+
+FORBIDDEN in: \`packages/core/\`, \`packages/contracts/\`, \`packages/config/\`, \`apps/cms/src/collections/\`, \`apps/cms/src/routes/\`
+
+## Code Quality
+
+- Never use \`any\` \u2014 use \`unknown\` + type guards
+- Never add \`console.*\` in production code \u2014 use \`@revealui/utils\` logger
+- Never hardcode API keys, tokens, passwords, or secrets
+- Use \`crypto.randomInt()\` for security-sensitive values, not \`Math.random()\`
+
+## Static Analysis
+
+- For security and architecture validation scripts, prefer AST-based analysis over regex when the rule depends on syntax or code shape
+- Use regex only for heuristic inventory scans (for example obvious secret patterns), not as the source of truth for code-security conclusions
+
+## After Every Edit
+
+Run \`npx biome check --write <file>\` on each file you edit before moving on.
+
+## Before Claiming Done
+
+1. Run \`pnpm gate:quick\` and confirm no new errors
+2. Review \`git diff\` for unintended changes
+3. Ensure conventional commit format: \`type(scope): description\`
+4. Git identity: RevealUI Studio <founder@revealui.com>
+
+## Known Limitation
+
+These rules are advisory. Unlike Claude Code (which enforces via lifecycle hooks), Codex has no hook system. If working on sensitive files, explicitly invoke \`$revealui-safety\` to load these rules.`
+};
+
+// src/content/definitions/skills/revealui-tdd.ts
+var revealuiTddSkill = {
+  id: "revealui-tdd",
+  tier: "pro",
+  name: "RevealUI TDD",
+  description: "Test-driven development workflow for RevealUI. Use when implementing any feature,\nfixing bugs, adding functionality, or writing new code. Enforces write-test-first,\nred-green-refactor cycle. Works with Vitest and React Testing Library.",
+  disableModelInvocation: false,
+  skipFrontmatter: false,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {},
+  content: `# RevealUI TDD Workflow
+
+Follow this cycle for every code change. No exceptions.
+
+## The Cycle
+
+1. **Write a failing test** \u2014 describe the expected behavior
+2. **Run it** \u2014 confirm it fails for the right reason
+3. **Write minimal implementation** \u2014 just enough to pass
+4. **Run it** \u2014 confirm it passes
+5. **Refactor** \u2014 clean up, then run tests again
+6. **Commit** \u2014 one commit per cycle
+
+## Commands
+
+\`\`\`bash
+# Run tests for a specific package
+pnpm --filter @revealui/<package> test
+
+# Run a specific test file
+pnpm --filter @revealui/<package> test -- <file>
+
+# Run with coverage
+pnpm --filter @revealui/<package> test -- --coverage
+\`\`\`
+
+## Test File Conventions
+
+- Unit/integration: \`*.test.ts\` in \`src/__tests__/\` or adjacent to source
+- E2E: \`*.e2e.ts\` in \`packages/test/\`
+- Use \`@revealui/test\` for shared fixtures, mocks, and utilities
+
+## What to Test
+
+- Public API surface of each module
+- Error paths and edge cases
+- Integration points between packages
+
+## What NOT to Test
+
+- Private implementation details
+- Third-party library internals
+- Type-only code (interfaces, type aliases)
+
+## Repo-Specific Patterns
+
+For concurrency tuning, flaky test triage, and Pro/OSS test boundaries, see the \`$revealui-testing\` skill.
+
+## Anti-Patterns
+
+- Writing implementation before the test
+- Writing tests that pass immediately (test must fail first)
+- Testing implementation details instead of behavior
+- Skipping the refactor step
+- Large commits with multiple features`
+};
+
+// src/content/definitions/skills/revealui-testing.ts
+var revealuiTestingSkill = {
+  id: "revealui-testing",
+  tier: "oss",
+  name: "RevealUI Testing",
+  description: "RevealUI monorepo testing rules and failure-triage guidance. Use when changing tests,\nfixing flaky suites, adjusting Vitest config, debugging Turbo test failures, handling\nReact Testing Library warnings, or deciding between scoped timeouts, worker limits,\nand test refactors in this repo.",
+  disableModelInvocation: false,
+  skipFrontmatter: false,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {},
+  content: `# RevealUI Testing
+
+Use this skill after the generic \`vitest\` and \`react-testing-library\` skills when the work is specific to this monorepo.
+
+## Use This For
+
+- \`pnpm test\` or \`pnpm gate --phase=3 --no-build\` failures
+- Turbo fan-out flakiness that does not reproduce in isolated package runs
+- Vitest worker/concurrency tuning in \`packages/*\` or \`apps/*\`
+- React Testing Library \`act(...)\` warnings in this repo
+- optional Pro package boundaries in tests
+- deciding whether a failure is a real regression, test debt, or runner pressure
+
+## Repo Rules
+
+### 1. Prefer Narrow Fixes
+
+Default order:
+
+1. fix the test or component contract if behavior is actually wrong
+2. fix stale selectors, bad async assertions, or missing \`await\`
+3. add a scoped timeout to the single slow test or suite
+4. cap workers for the package if the failure only happens under Turbo fan-out
+5. only then consider broader runner changes
+
+Do not raise global Vitest timeouts just to get green runs.
+
+### 2. Treat \u201CPasses Alone, Fails Under Turbo\u201D as Concurrency Pressure First
+
+If a package passes in isolation but flakes during \`turbo run test\`, assume resource pressure before assuming product logic broke.
+
+Preferred fix order:
+
+- specific test timeout for known cold imports or expensive setup
+- package-level \`fileParallelism: false\` and \`maxWorkers: 1\` for packages with heavy imports, database mocks, or expensive startup
+- lower Turbo concurrency in the gate if the machine is getting killed or saturated
+
+This repo already needed that pattern in packages like \`packages/test\` and \`packages/db\`.
+
+### 3. Package-Level Vitest Caps Are Acceptable Here
+
+If a package repeatedly flakes only under monorepo fan-out, it is acceptable to cap that package\u2019s internal Vitest concurrency.
+
+Typical pattern:
+
+\`\`\`ts
+test: {
+  fileParallelism: false,
+  maxWorkers: 1,
+}
+\`\`\`
+
+Use this for:
+
+- import-smoke suites
+- packages with heavy module initialization
+- DB/client/process orchestration tests
+
+Do not apply it repo-wide by default.
+
+### 4. Fix \`act(...)\` Warnings, Don\u2019t Ignore Them
+
+Common fixes in this repo:
+
+- use \`await user.click(...)\` instead of \`fireEvent.click(...)\` when the interaction is user-level
+- use \`findBy*\` or \`waitFor\` when the click triggers async state
+- assert on the post-update UI state, not just the callback
+- wrap hook state updates in \`act(...)\` only when there is no better user-facing path
+
+If a warning remains, explain why the pattern is intentional before adding an ignore.
+
+### 5. Prefer \`userEvent\`, Use \`fireEvent\` Sparingly
+
+Default to \`@testing-library/user-event\` for:
+
+- clicks
+- typing
+- keyboard navigation
+- focus/blur behavior
+
+Keep \`fireEvent\` for narrow low-level cases like synthetic events or very small DOM-only transitions.
+
+### 6. Optional Pro Packages Must Stay Optional in Public Tests
+
+Public repo tests must not hard-require private sibling source trees or Pro package source paths.
+
+Allowed patterns:
+
+- dynamic import with graceful skip/fallback
+- separate Pro-only test config/suite
+- package docs that clearly mark Pro-only flows
+
+Disallowed patterns:
+
+- static imports to missing Pro source
+- default OSS test runs that silently depend on adjacent private repos
+
+### 7. Keep OSS and Pro Test Surfaces Honest
+
+If a test is Pro-only:
+
+- move it into a Pro-specific directory or config
+- exclude it from default OSS test runs
+- do not leave it mixed into the default suite with hidden assumptions
+
+### 8. Distinguish Noise from Failure
+
+Not all stderr is actionable failure in this repo.
+
+Usually acceptable:
+
+- intentional error-path logs in tests exercising failure branches
+- expected jsdom limitations
+- known parser warnings from fixture-driven negative tests
+
+Actionable:
+
+- \`act(...)\` warnings
+- \`MaxListenersExceededWarning\`
+- timeouts that only vanish with broad global increases
+- tests that only pass because of local private package availability
+
+## Working Pattern
+
+When triaging a red test lane:
+
+1. rerun the failing package or file directly
+2. decide whether it is reproducible in isolation
+3. if yes, fix the test/component/implementation
+4. if no, treat it as concurrency pressure and tune narrowly
+5. rerun the package
+6. rerun the gate phase that exposed it
+
+Do not keep stacking unrelated fixes without re-verifying the exact failing lane.
+
+## Gate-Specific Guidance
+
+- \`pnpm gate --phase=3 --no-build\` is the fastest useful repro for test/build instability
+- if a gate hang appears, inspect shared process helpers before changing many tests
+- Turbo warnings about missing outputs are configuration debt, not test correctness
+- a warning-level test check in the gate still deserves cleanup if it hides real regressions
+
+## What Not To Do
+
+- don\u2019t inflate all test timeouts
+- don\u2019t disable assertions just to remove flakes
+- don\u2019t mix Pro-only tests back into OSS-default suites
+- don\u2019t silence \`act(...)\` or listener warnings when the underlying fix is small
+- don\u2019t assume a package is stable because it passed alone once`
+};
+
+// src/content/definitions/skills/tailwind-4-docs.ts
+var tailwind4DocsSkill = {
+  id: "tailwind-4-docs",
+  tier: "oss",
+  name: "Tailwind CSS v4 Documentation",
+  description: "Agent-optimized access to Tailwind CSS v4 documentation for answering questions, selecting utilities/variants, configuring Tailwind v4, and avoiding v3\u2192v4 migration pitfalls.",
+  disableModelInvocation: false,
+  skipFrontmatter: true,
+  filePatterns: [],
+  bashPatterns: [],
+  references: {
+    gotchas: `# Tailwind CSS v4 Gotchas (Quick Scan)
+
+- Browser support is modern-only: Safari 16.4+, Chrome 111+, Firefox 128+.
+- PostCSS plugin moved to \`@tailwindcss/postcss\`.
+- CLI moved to \`@tailwindcss/cli\`.
+- Vite plugin \`@tailwindcss/vite\` is recommended.
+- Import Tailwind with \`@import "tailwindcss";\` (no \`@tailwind\` directives).
+- Prefix syntax is \`@import "tailwindcss" prefix(tw);\` and classes use \`tw:\` at the start.
+- Important modifier goes at the end: \`bg-red-500!\`.
+- Utility renames and removals: see \`references/docs/upgrade-guide.mdx\` for the full list.
+- Default border and ring color now use \`currentColor\`; ring width default is 1px.
+- \`space-*\` and \`divide-*\` selectors changed; use flex/grid with \`gap\` if layouts break.
+- Custom utilities should use \`@utility\` instead of \`@layer utilities\` or \`@layer components\`.
+- Stacked variants apply left-to-right (reverse order from v3).
+- Arbitrary CSS variable syntax is \`bg-(--brand-color)\` (not \`bg-[--brand-color]\`).
+- Transform reset uses \`scale-none\`, \`rotate-none\`, \`translate-none\` (not \`transform-none\`).
+- \`hover:\` now only applies on devices that support hover; override if needed.
+- CSS modules and component \`<style>\` blocks need \`@reference\` to access theme vars.`
+  },
+  content: `# Tailwind CSS v4 Documentation Skill
+
+## Purpose
+
+Agent-optimized access to Tailwind CSS v4 documentation for answering questions, selecting utilities/variants, configuring Tailwind v4, and avoiding v3\u2192v4 migration pitfalls.
+
+## Quick Start
+
+1. Check if docs snapshot exists: \`references/docs/\` should contain ~194 MDX files
+2. If missing or stale, initialize: \`python3 scripts/sync_tailwind_docs.py --accept-docs-license\`
+3. Identify the topic category from \`references/docs-index.tsx\`
+4. Load the relevant MDX file from \`references/docs/\`
+5. Always cross-check against \`references/gotchas.md\` for breaking changes
+
+## References
+
+| Path | Description |
+|------|-------------|
+| \`references/docs/\` | Generated MDX docs snapshot (gitignored) |
+| \`references/docs-index.tsx\` | Category and slug mapping (gitignored) |
+| \`references/docs-source.txt\` | Upstream repo, commit, and date (gitignored) |
+| \`references/gotchas.md\` | v4 migration pitfalls and breaking changes (committed) |
+
+## MDX Handling
+
+- Treat \`export const\` statements as metadata
+- Treat JSX callouts (\`<TipInfo>\`, \`<TipBad>\`, \`<TipGood>\`) as guidance
+- Code blocks contain working examples
+
+## Common Entry Points
+
+| Topic | File |
+|-------|------|
+| Migration from v3 | \`upgrade-guide.mdx\` |
+| Configuration | \`adding-custom-styles.mdx\` |
+| Theme | \`theme.mdx\` |
+| Dark mode | \`dark-mode.mdx\` |
+| Responsive | \`responsive-design.mdx\` |
+| Hover/focus/state | \`hover-focus-and-other-states.mdx\` |
+
+## Sync Command
+
+\`\`\`bash
+python3 .claude/skills/tailwind-4-docs/scripts/sync_tailwind_docs.py --accept-docs-license
+\`\`\`
+
+Based on [Lombiq/Tailwind-Agent-Skills](https://github.com/Lombiq/Tailwind-Agent-Skills) (BSD-3-Clause).`
+};
+
+// src/content/definitions/skills/index.ts
+var skills = [
+  dbMigrateSkill,
+  preflightSkill,
+  revealuiConventionsSkill,
+  revealuiDbSkill,
+  revealuiDebuggingSkill,
+  revealuiReviewSkill,
+  revealuiSafetySkill,
+  revealuiTddSkill,
+  revealuiTestingSkill,
+  tailwind4DocsSkill
+];
+
+// src/content/definitions/index.ts
+function buildManifest() {
+  return {
+    version: 1,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    rules,
+    commands,
+    agents,
+    skills,
+    preambles
+  };
+}
+
+// src/content/resolvers/environment.ts
+var NODE_VERSION = (ctx) => ctx.nodeVersion ?? "24";
+var PACKAGE_MANAGER = (ctx) => ctx.packageManager ?? "pnpm 10";
+var STACK = () => "React 19, Next.js 16, Node 24, TypeScript 5.9, Drizzle ORM, Hono, Tailwind v4";
+
+// src/content/resolvers/project.ts
+var PROJECT_NAME = (ctx) => ctx.projectName ?? "RevealUI";
+var PHASE = (ctx) => ctx.phase ?? "Phase 3 \u2014 Launch Preparation";
+var BRANCH_PIPELINE = () => "feature/* \u2192 develop \u2192 test \u2192 main (production)";
+var LICENSE_TIERS = () => "free | pro | max | enterprise";
+
+// src/content/resolvers/index.ts
+var registry = /* @__PURE__ */ new Map([
+  ["PROJECT_NAME", PROJECT_NAME],
+  ["PHASE", PHASE],
+  ["BRANCH_PIPELINE", BRANCH_PIPELINE],
+  ["LICENSE_TIERS", LICENSE_TIERS],
+  ["NODE_VERSION", NODE_VERSION],
+  ["PACKAGE_MANAGER", PACKAGE_MANAGER],
+  ["STACK", STACK]
+]);
+function registerResolver(key, fn) {
+  registry.set(key, fn);
+}
+function resolveTemplate(template, ctx) {
+  return template.replace(/\{\{(\w+)\}\}/g, (_match, key) => {
+    const fn = registry.get(key);
+    return fn ? fn(ctx) : `{{${key}}}`;
+  });
+}
+function listResolvers() {
+  return [...registry.keys()];
+}
+
+// src/content/generators/claude.ts
+function buildFrontmatter(fields) {
+  const lines = ["---"];
+  for (const [key, value] of Object.entries(fields)) {
+    if (value === void 0) continue;
+    if (typeof value === "boolean") {
+      lines.push(`${key}: ${value}`);
+    } else if (value.includes("\n")) {
+      lines.push(`${key}: |`);
+      for (const line of value.split("\n")) {
+        lines.push(`  ${line}`);
+      }
+    } else {
+      lines.push(`${key}: ${value}`);
+    }
+  }
+  lines.push("---");
+  return lines.join("\n");
+}
+var ClaudeCodeGenerator = class {
+  id = "claude-code";
+  outputDir = ".claude";
+  generateRule(rule, ctx) {
+    const content = resolveTemplate(rule.content, ctx);
+    return [
+      {
+        relativePath: `.claude/rules/${rule.id}.md`,
+        content: `${content}
+`
+      }
+    ];
+  }
+  generateCommand(cmd, ctx) {
+    const content = resolveTemplate(cmd.content, ctx);
+    const frontmatter = buildFrontmatter({
+      description: cmd.description,
+      "disable-model-invocation": cmd.disableModelInvocation || void 0,
+      "argument-hint": cmd.argumentHint
+    });
+    return [
+      {
+        relativePath: `.claude/commands/${cmd.id}.md`,
+        content: `${frontmatter}
+
+${content}
+`
+      }
+    ];
+  }
+  generateAgent(agent, ctx) {
+    const content = resolveTemplate(agent.content, ctx);
+    const frontmatter = buildFrontmatter({
+      name: agent.id,
+      description: agent.description,
+      isolation: agent.isolation === "none" ? void 0 : agent.isolation
+    });
+    return [
+      {
+        relativePath: `.claude/agents/${agent.id}.md`,
+        content: `${frontmatter}
+
+${content}
+`
+      }
+    ];
+  }
+  generateSkill(skill, ctx) {
+    const content = resolveTemplate(skill.content, ctx);
+    const files = [];
+    if (skill.skipFrontmatter) {
+      files.push({
+        relativePath: `.claude/skills/${skill.id}/SKILL.md`,
+        content: `${content}
+`
+      });
+    } else {
+      const frontmatter = buildFrontmatter({
+        name: skill.id,
+        description: skill.description,
+        "disable-model-invocation": skill.disableModelInvocation || void 0
+      });
+      files.push({
+        relativePath: `.claude/skills/${skill.id}/SKILL.md`,
+        content: `${frontmatter}
+
+${content}
+`
+      });
+    }
+    for (const [name, refContent] of Object.entries(skill.references)) {
+      files.push({
+        relativePath: `.claude/skills/${skill.id}/references/${name}.md`,
+        content: `${resolveTemplate(refContent, ctx)}
+`
+      });
+    }
+    return files;
+  }
+  generateAll(manifest, ctx) {
+    const files = [];
+    for (const rule of manifest.rules) {
+      files.push(...this.generateRule(rule, ctx));
+    }
+    for (const cmd of manifest.commands) {
+      files.push(...this.generateCommand(cmd, ctx));
+    }
+    for (const agent of manifest.agents) {
+      files.push(...this.generateAgent(agent, ctx));
+    }
+    for (const skill of manifest.skills) {
+      files.push(...this.generateSkill(skill, ctx));
+    }
+    return files;
+  }
+};
+
+// src/content/generators/cursor.ts
+var CursorGenerator = class {
+  id = "cursor";
+  outputDir = ".cursor";
+  generateRule(rule, ctx) {
+    const content = resolveTemplate(rule.content, ctx);
+    return [
+      {
+        relativePath: `.cursor/rules/${rule.id}.mdc`,
+        content: `---
+description: ${rule.description}
+---
+
+${content}
+`
+      }
+    ];
+  }
+  generateCommand(_cmd, _ctx) {
+    return [];
+  }
+  generateAgent(_agent, _ctx) {
+    return [];
+  }
+  generateSkill(_skill, _ctx) {
+    return [];
+  }
+  generateAll(manifest, ctx) {
+    const files = [];
+    for (const rule of manifest.rules) {
+      files.push(...this.generateRule(rule, ctx));
+    }
+    return files;
+  }
+};
+
+// src/content/generators/index.ts
+var generators = /* @__PURE__ */ new Map([
+  ["claude-code", new ClaudeCodeGenerator()],
+  ["cursor", new CursorGenerator()]
+]);
+function getGenerator(id) {
+  return generators.get(id);
+}
+function registerGenerator(generator) {
+  generators.set(generator.id, generator);
+}
+function listGenerators() {
+  return [...generators.keys()];
+}
+
+// src/content/schemas/manifest.ts
+import { z as z6 } from "zod";
+
+// src/content/schemas/agent.ts
+import { z } from "zod";
+var AgentSchema = z.object({
+  id: z.string().min(1),
+  name: z.string().min(1),
+  description: z.string().min(1),
+  tier: z.enum(["oss", "pro"]).default("oss"),
+  isolation: z.enum(["worktree", "none"]).default("none"),
+  tools: z.array(z.string()).default([]),
+  content: z.string().min(1)
+});
+
+// src/content/schemas/command.ts
+import { z as z2 } from "zod";
+var CommandSchema = z2.object({
+  id: z2.string().min(1),
+  name: z2.string().min(1),
+  description: z2.string().min(1),
+  tier: z2.enum(["oss", "pro"]).default("oss"),
+  disableModelInvocation: z2.boolean().default(false),
+  argumentHint: z2.string().optional(),
+  content: z2.string().min(1)
+});
+
+// src/content/schemas/preamble.ts
+import { z as z3 } from "zod";
+var PreambleTierSchema = z3.object({
+  tier: z3.number().int().min(1).max(4),
+  name: z3.string().min(1),
+  description: z3.string().min(1),
+  ruleIds: z3.array(z3.string())
+});
+
+// src/content/schemas/rule.ts
+import { z as z4 } from "zod";
+var RuleSchema = z4.object({
+  id: z4.string().min(1),
+  name: z4.string().min(1),
+  description: z4.string().min(1),
+  scope: z4.enum(["global", "project"]),
+  preambleTier: z4.number().int().min(1).max(4).default(2),
+  tier: z4.enum(["oss", "pro"]).default("oss"),
+  tags: z4.array(z4.string()).default([]),
+  content: z4.string().min(1)
+});
+
+// src/content/schemas/skill.ts
+import { z as z5 } from "zod";
+var SkillSchema = z5.object({
+  id: z5.string().min(1),
+  name: z5.string().min(1),
+  description: z5.string().min(1),
+  tier: z5.enum(["oss", "pro"]).default("oss"),
+  disableModelInvocation: z5.boolean().default(false),
+  /** When true, the generator omits YAML frontmatter — the content IS the entire file. */
+  skipFrontmatter: z5.boolean().default(false),
+  filePatterns: z5.array(z5.string()).default([]),
+  bashPatterns: z5.array(z5.string()).default([]),
+  references: z5.record(z5.string(), z5.string()).default({}),
+  content: z5.string().min(1)
+});
+
+// src/content/schemas/manifest.ts
+var ManifestSchema = z6.object({
+  version: z6.literal(1),
+  generatedAt: z6.string().datetime(),
+  rules: z6.array(RuleSchema),
+  commands: z6.array(CommandSchema),
+  agents: z6.array(AgentSchema),
+  skills: z6.array(SkillSchema),
+  preambles: z6.array(PreambleTierSchema)
+});
+
+// src/content/index.ts
+function validateManifest(manifest) {
+  const result = ManifestSchema.safeParse(manifest);
+  if (result.success) {
+    return { valid: true, errors: [] };
+  }
+  return {
+    valid: false,
+    errors: result.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`)
+  };
+}
+function generateContent(generatorId, manifest, ctx) {
+  const generator = getGenerator(generatorId);
+  if (!generator) {
+    throw new Error(
+      `Unknown generator "${generatorId}". Available: ${listGenerators().join(", ")}`
+    );
+  }
+  return generator.generateAll(manifest, ctx);
+}
+function diffContent(generatorId, manifest, ctx, projectRoot) {
+  const files = generateContent(generatorId, manifest, ctx);
+  const entries = [];
+  for (const file of files) {
+    const absolutePath = resolve(join(projectRoot, file.relativePath));
+    let actual;
+    try {
+      actual = readFileSync(absolutePath, "utf-8");
+    } catch {
+    }
+    if (actual === void 0) {
+      entries.push({ relativePath: file.relativePath, status: "added", expected: file.content });
+    } else if (actual === file.content) {
+      entries.push({ relativePath: file.relativePath, status: "unchanged" });
+    } else {
+      entries.push({
+        relativePath: file.relativePath,
+        status: "modified",
+        expected: file.content,
+        actual
+      });
+    }
+  }
+  return entries;
+}
+function listContent(manifest) {
+  const m = manifest ?? buildManifest();
+  return {
+    rules: m.rules.length,
+    commands: m.commands.length,
+    agents: m.agents.length,
+    skills: m.skills.length,
+    preambles: m.preambles.length,
+    total: m.rules.length + m.commands.length + m.agents.length + m.skills.length
+  };
+}
+
+export {
+  buildManifest,
+  registerResolver,
+  resolveTemplate,
+  listResolvers,
+  getGenerator,
+  registerGenerator,
+  listGenerators,
+  AgentSchema,
+  CommandSchema,
+  PreambleTierSchema,
+  RuleSchema,
+  SkillSchema,
+  ManifestSchema,
+  validateManifest,
+  generateContent,
+  diffContent,
+  listContent
+};
+//# sourceMappingURL=chunk-JDI6B2IB.js.map