@runchr/gstack-antigravity 0.1.1 → 0.1.3

package/.agents/skills/gstack/canary/SKILL.md.tmpl

@@ -0,0 +1,220 @@
+---
+name: canary
+version: 1.0.0
+description: |
+  Post-deploy canary monitoring. Watches the live app for console errors,
+  performance regressions, and page failures using the browse daemon. Takes
+  periodic screenshots, compares against pre-deploy baselines, and alerts
+  on anomalies. Use when: "monitor deploy", "canary", "post-deploy check",
+  "watch production", "verify deploy".
+allowed-tools:
+  - Bash
+  - Read
+  - Write
+  - Glob
+  - AskUserQuestion
+---
+
+{{PREAMBLE}}
+
+{{BROWSE_SETUP}}
+
+{{BASE_BRANCH_DETECT}}
+
+# /canary — Post-Deploy Visual Monitor
+
+You are a **Release Reliability Engineer** watching production after a deploy. You've seen deploys that pass CI but break in production — a missing environment variable, a CDN cache serving stale assets, a database migration that's slower than expected on real data. Your job is to catch these in the first 10 minutes, not 10 hours.
+
+You use the browse daemon to watch the live app, take screenshots, check console errors, and compare against baselines. You are the safety net between "shipped" and "verified."
+
+## User-invocable
+When the user types `/canary`, run this skill.
+
+## Arguments
+- `/canary <url>` — monitor a URL for 10 minutes after deploy
+- `/canary <url> --duration 5m` — custom monitoring duration (1m to 30m)
+- `/canary <url> --baseline` — capture baseline screenshots (run BEFORE deploying)
+- `/canary <url> --pages /,/dashboard,/settings` — specify pages to monitor
+- `/canary <url> --quick` — single-pass health check (no continuous monitoring)
+
+## Instructions
+
+### Phase 1: Setup
+
+```bash
+source <(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null || echo "SLUG=unknown")
+mkdir -p .gstack/canary-reports
+mkdir -p .gstack/canary-reports/baselines
+mkdir -p .gstack/canary-reports/screenshots
+```
+
+Parse the user's arguments. Default duration is 10 minutes. Default pages: auto-discover from the app's navigation.
+
+### Phase 2: Baseline Capture (--baseline mode)
+
+If the user passed `--baseline`, capture the current state BEFORE deploying.
+
+For each page (either from `--pages` or the homepage):
+
+```bash
+$B goto <page-url>
+$B snapshot -i -a -o ".gstack/canary-reports/baselines/<page-name>.png"
+$B console --errors
+$B perf
+$B text
+```
+
+Collect for each page: screenshot path, console error count, page load time from `perf`, and a text content snapshot.
+
+Save the baseline manifest to `.gstack/canary-reports/baseline.json`:
+
+```json
+{
+  "url": "<url>",
+  "timestamp": "<ISO>",
+  "branch": "<current branch>",
+  "pages": {
+    "/": {
+      "screenshot": "baselines/home.png",
+      "console_errors": 0,
+      "load_time_ms": 450
+    }
+  }
+}
+```
+
+Then STOP and tell the user: "Baseline captured. Deploy your changes, then run `/canary <url>` to monitor."
+
+### Phase 3: Page Discovery
+
+If no `--pages` were specified, auto-discover pages to monitor:
+
+```bash
+$B goto <url>
+$B links
+$B snapshot -i
+```
+
+Extract the top 5 internal navigation links from the `links` output. Always include the homepage. Present the page list via AskUserQuestion:
+
+- **Context:** Monitoring the production site at the given URL after a deploy.
+- **Question:** Which pages should the canary monitor?
+- **RECOMMENDATION:** Choose A — these are the main navigation targets.
+- A) Monitor these pages: [list the discovered pages]
+- B) Add more pages (user specifies)
+- C) Monitor homepage only (quick check)
+
+### Phase 4: Pre-Deploy Snapshot (if no baseline exists)
+
+If no `baseline.json` exists, take a quick snapshot now as a reference point.
+
+For each page to monitor:
+
+```bash
+$B goto <page-url>
+$B snapshot -i -a -o ".gstack/canary-reports/screenshots/pre-<page-name>.png"
+$B console --errors
+$B perf
+```
+
+Record the console error count and load time for each page. These become the reference for detecting regressions during monitoring.
+
+### Phase 5: Continuous Monitoring Loop
+
+Monitor for the specified duration. Every 60 seconds, check each page:
+
+```bash
+$B goto <page-url>
+$B snapshot -i -a -o ".gstack/canary-reports/screenshots/<page-name>-<check-number>.png"
+$B console --errors
+$B perf
+```
+
+After each check, compare results against the baseline (or pre-deploy snapshot):
+
+1. **Page load failure** — `goto` returns error or timeout → CRITICAL ALERT
+2. **New console errors** — errors not present in baseline → HIGH ALERT
+3. **Performance regression** — load time exceeds 2x baseline → MEDIUM ALERT
+4. **Broken links** — new 404s not in baseline → LOW ALERT
+
+**Alert on changes, not absolutes.** A page with 3 console errors in the baseline is fine if it still has 3. One NEW error is an alert.
+
+**Don't cry wolf.** Only alert on patterns that persist across 2 or more consecutive checks. A single transient network blip is not an alert.
+
+**If a CRITICAL or HIGH alert is detected**, immediately notify the user via AskUserQuestion:
+
+```
+CANARY ALERT
+════════════
+Time:     [timestamp, e.g., check #3 at 180s]
+Page:     [page URL]
+Type:     [CRITICAL / HIGH / MEDIUM]
+Finding:  [what changed — be specific]
+Evidence: [screenshot path]
+Baseline: [baseline value]
+Current:  [current value]
+```
+
+- **Context:** Canary monitoring detected an issue on [page] after [duration].
+- **RECOMMENDATION:** Choose based on severity — A for critical, B for transient.
+- A) Investigate now — stop monitoring, focus on this issue
+- B) Continue monitoring — this might be transient (wait for next check)
+- C) Rollback — revert the deploy immediately
+- D) Dismiss — false positive, continue monitoring
+
+### Phase 6: Health Report
+
+After monitoring completes (or if the user stops early), produce a summary:
+
+```
+CANARY REPORT — [url]
+═════════════════════
+Duration:     [X minutes]
+Pages:        [N pages monitored]
+Checks:       [N total checks performed]
+Status:       [HEALTHY / DEGRADED / BROKEN]
+
+Per-Page Results:
+─────────────────────────────────────────────────────
+  Page            Status      Errors    Avg Load
+  /               HEALTHY     0         450ms
+  /dashboard      DEGRADED    2 new     1200ms (was 400ms)
+  /settings       HEALTHY     0         380ms
+
+Alerts Fired:  [N] (X critical, Y high, Z medium)
+Screenshots:   .gstack/canary-reports/screenshots/
+
+VERDICT: [DEPLOY IS HEALTHY / DEPLOY HAS ISSUES — details above]
+```
+
+Save report to `.gstack/canary-reports/{date}-canary.md` and `.gstack/canary-reports/{date}-canary.json`.
+
+Log the result for the review dashboard:
+
+```bash
+source <(~/.claude/skills/gstack/bin/gstack-slug 2>/dev/null)
+mkdir -p ~/.gstack/projects/$SLUG
+```
+
+Write a JSONL entry: `{"skill":"canary","timestamp":"<ISO>","status":"<HEALTHY/DEGRADED/BROKEN>","url":"<url>","duration_min":<N>,"alerts":<N>}`
+
+### Phase 7: Baseline Update
+
+If the deploy is healthy, offer to update the baseline:
+
+- **Context:** Canary monitoring completed. The deploy is healthy.
+- **RECOMMENDATION:** Choose A — deploy is healthy, new baseline reflects current production.
+- A) Update baseline with current screenshots
+- B) Keep old baseline
+
+If the user chooses A, copy the latest screenshots to the baselines directory and update `baseline.json`.
+
+## Important Rules
+
+- **Speed matters.** Start monitoring within 30 seconds of invocation. Don't over-analyze before monitoring.
+- **Alert on changes, not absolutes.** Compare against baseline, not industry standards.
+- **Screenshots are evidence.** Every alert includes a screenshot path. No exceptions.
+- **Transient tolerance.** Only alert on patterns that persist across 2+ consecutive checks.
+- **Baseline is king.** Without a baseline, canary is a health check. Encourage `--baseline` before deploying.
+- **Performance thresholds are relative.** 2x baseline is a regression. 1.5x might be normal variance.
+- **Read-only.** Observe and report. Don't modify code unless the user explicitly asks to investigate and fix.

package/.agents/skills/gstack/careful/SKILL.md

@@ -0,0 +1,59 @@
+---
+name: careful
+version: 0.1.0
+description: |
+  Safety guardrails for destructive commands. Warns before rm -rf, DROP TABLE,
+  force-push, git reset --hard, kubectl delete, and similar destructive operations.
+  User can override each warning. Use when touching prod, debugging live systems,
+  or working in a shared environment. Use when asked to "be careful", "safety mode",
+  "prod mode", or "careful mode".
+allowed-tools:
+  - Bash
+  - Read
+hooks:
+  PreToolUse:
+    - matcher: "Bash"
+      hooks:
+        - type: command
+          command: "bash ${CLAUDE_SKILL_DIR}/bin/check-careful.sh"
+          statusMessage: "Checking for destructive commands..."
+---
+<!-- AUTO-GENERATED from SKILL.md.tmpl — do not edit directly -->
+<!-- Regenerate: bun run gen:skill-docs -->
+
+# /careful — Destructive Command Guardrails
+
+Safety mode is now **active**. Every bash command will be checked for destructive
+patterns before running. If a destructive command is detected, you'll be warned
+and can choose to proceed or cancel.
+
+```bash
+mkdir -p ~/.gstack/analytics
+echo '{"skill":"careful","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}'  >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
+```
+
+## What's protected
+
+| Pattern | Example | Risk |
+|---------|---------|------|
+| `rm -rf` / `rm -r` / `rm --recursive` | `rm -rf /var/data` | Recursive delete |
+| `DROP TABLE` / `DROP DATABASE` | `DROP TABLE users;` | Data loss |
+| `TRUNCATE` | `TRUNCATE orders;` | Data loss |
+| `git push --force` / `-f` | `git push -f origin main` | History rewrite |
+| `git reset --hard` | `git reset --hard HEAD~3` | Uncommitted work loss |
+| `git checkout .` / `git restore .` | `git checkout .` | Uncommitted work loss |
+| `kubectl delete` | `kubectl delete pod` | Production impact |
+| `docker rm -f` / `docker system prune` | `docker system prune -a` | Container/image loss |
+
+## Safe exceptions
+
+These patterns are allowed without warning:
+- `rm -rf node_modules` / `.next` / `dist` / `__pycache__` / `.cache` / `build` / `.turbo` / `coverage`
+
+## How it works
+
+The hook reads the command from the tool input JSON, checks it against the
+patterns above, and returns `permissionDecision: "ask"` with a warning message
+if a match is found. You can always override the warning and proceed.
+
+To deactivate, end the conversation or start a new one. Hooks are session-scoped.

package/.agents/skills/gstack/careful/SKILL.md.tmpl

@@ -0,0 +1,57 @@
+---
+name: careful
+version: 0.1.0
+description: |
+  Safety guardrails for destructive commands. Warns before rm -rf, DROP TABLE,
+  force-push, git reset --hard, kubectl delete, and similar destructive operations.
+  User can override each warning. Use when touching prod, debugging live systems,
+  or working in a shared environment. Use when asked to "be careful", "safety mode",
+  "prod mode", or "careful mode".
+allowed-tools:
+  - Bash
+  - Read
+hooks:
+  PreToolUse:
+    - matcher: "Bash"
+      hooks:
+        - type: command
+          command: "bash ${CLAUDE_SKILL_DIR}/bin/check-careful.sh"
+          statusMessage: "Checking for destructive commands..."
+---
+
+# /careful — Destructive Command Guardrails
+
+Safety mode is now **active**. Every bash command will be checked for destructive
+patterns before running. If a destructive command is detected, you'll be warned
+and can choose to proceed or cancel.
+
+```bash
+mkdir -p ~/.gstack/analytics
+echo '{"skill":"careful","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}'  >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
+```
+
+## What's protected
+
+| Pattern | Example | Risk |
+|---------|---------|------|
+| `rm -rf` / `rm -r` / `rm --recursive` | `rm -rf /var/data` | Recursive delete |
+| `DROP TABLE` / `DROP DATABASE` | `DROP TABLE users;` | Data loss |
+| `TRUNCATE` | `TRUNCATE orders;` | Data loss |
+| `git push --force` / `-f` | `git push -f origin main` | History rewrite |
+| `git reset --hard` | `git reset --hard HEAD~3` | Uncommitted work loss |
+| `git checkout .` / `git restore .` | `git checkout .` | Uncommitted work loss |
+| `kubectl delete` | `kubectl delete pod` | Production impact |
+| `docker rm -f` / `docker system prune` | `docker system prune -a` | Container/image loss |
+
+## Safe exceptions
+
+These patterns are allowed without warning:
+- `rm -rf node_modules` / `.next` / `dist` / `__pycache__` / `.cache` / `build` / `.turbo` / `coverage`
+
+## How it works
+
+The hook reads the command from the tool input JSON, checks it against the
+patterns above, and returns `permissionDecision: "ask"` with a warning message
+if a match is found. You can always override the warning and proceed.
+
+To deactivate, end the conversation or start a new one. Hooks are session-scoped.

package/.agents/skills/gstack/careful/bin/check-careful.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+# check-careful.sh — PreToolUse hook for /careful skill
+# Reads JSON from stdin, checks Bash command for destructive patterns.
+# Returns {"permissionDecision":"ask","message":"..."} to warn, or {} to allow.
+set -euo pipefail
+
+# Read stdin (JSON with tool_input)
+INPUT=$(cat)
+
+# Extract the "command" field value from tool_input
+# Try grep/sed first (handles 99% of cases), fall back to Python for escaped quotes
+CMD=$(printf '%s' "$INPUT" | grep -o '"command"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*:[[:space:]]*"//;s/"$//' || true)
+
+# Python fallback if grep returned empty (e.g., escaped quotes in command)
+if [ -z "$CMD" ]; then
+  CMD=$(printf '%s' "$INPUT" | python3 -c 'import sys,json; print(json.loads(sys.stdin.read()).get("tool_input",{}).get("command",""))' 2>/dev/null || true)
+fi
+
+# If we still couldn't extract a command, allow
+if [ -z "$CMD" ]; then
+  echo '{}'
+  exit 0
+fi
+
+# Normalize: lowercase for case-insensitive SQL matching
+CMD_LOWER=$(printf '%s' "$CMD" | tr '[:upper:]' '[:lower:]')
+
+# --- Check for safe exceptions (rm -rf of build artifacts) ---
+if printf '%s' "$CMD" | grep -qE 'rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+|--recursive\s+)' 2>/dev/null; then
+  SAFE_ONLY=true
+  RM_ARGS=$(printf '%s' "$CMD" | sed -E 's/.*rm\s+(-[a-zA-Z]+\s+)*//;s/--recursive\s*//')
+  for target in $RM_ARGS; do
+    case "$target" in
+      */node_modules|node_modules|*/\.next|\.next|*/dist|dist|*/__pycache__|__pycache__|*/\.cache|\.cache|*/build|build|*/\.turbo|\.turbo|*/coverage|coverage)
+        ;; # safe target
+      -*)
+        ;; # flag, skip
+      *)
+        SAFE_ONLY=false
+        break
+        ;;
+    esac
+  done
+  if [ "$SAFE_ONLY" = true ]; then
+    echo '{}'
+    exit 0
+  fi
+fi
+
+# --- Destructive pattern checks ---
+WARN=""
+PATTERN=""
+
+# rm -rf / rm -r / rm --recursive
+if printf '%s' "$CMD" | grep -qE 'rm\s+(-[a-zA-Z]*r|--recursive)' 2>/dev/null; then
+  WARN="Destructive: recursive delete (rm -r). This permanently removes files."
+  PATTERN="rm_recursive"
+fi
+
+# DROP TABLE / DROP DATABASE
+if [ -z "$WARN" ] && printf '%s' "$CMD_LOWER" | grep -qE 'drop\s+(table|database)' 2>/dev/null; then
+  WARN="Destructive: SQL DROP detected. This permanently deletes database objects."
+  PATTERN="drop_table"
+fi
+
+# TRUNCATE
+if [ -z "$WARN" ] && printf '%s' "$CMD_LOWER" | grep -qE '\btruncate\b' 2>/dev/null; then
+  WARN="Destructive: SQL TRUNCATE detected. This deletes all rows from a table."
+  PATTERN="truncate"
+fi
+
+# git push --force / git push -f
+if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'git\s+push\s+.*(-f\b|--force)' 2>/dev/null; then
+  WARN="Destructive: git force-push rewrites remote history. Other contributors may lose work."
+  PATTERN="git_force_push"
+fi
+
+# git reset --hard
+if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'git\s+reset\s+--hard' 2>/dev/null; then
+  WARN="Destructive: git reset --hard discards all uncommitted changes."
+  PATTERN="git_reset_hard"
+fi
+
+# git checkout . / git restore .
+if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'git\s+(checkout|restore)\s+\.' 2>/dev/null; then
+  WARN="Destructive: discards all uncommitted changes in the working tree."
+  PATTERN="git_discard"
+fi
+
+# kubectl delete
+if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'kubectl\s+delete' 2>/dev/null; then
+  WARN="Destructive: kubectl delete removes Kubernetes resources. May impact production."
+  PATTERN="kubectl_delete"
+fi
+
+# docker rm -f / docker system prune
+if [ -z "$WARN" ] && printf '%s' "$CMD" | grep -qE 'docker\s+(rm\s+-f|system\s+prune)' 2>/dev/null; then
+  WARN="Destructive: Docker force-remove or prune. May delete running containers or cached images."
+  PATTERN="docker_destructive"
+fi
+
+# --- Output ---
+if [ -n "$WARN" ]; then
+  # Log hook fire event (pattern name only, never command content)
+  mkdir -p ~/.gstack/analytics 2>/dev/null || true
+  echo '{"event":"hook_fire","skill":"careful","pattern":"'"$PATTERN"'","ts":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","repo":"'$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")'"}' >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
+
+  WARN_ESCAPED=$(printf '%s' "$WARN" | sed 's/"/\\"/g')
+  printf '{"permissionDecision":"ask","message":"[careful] %s"}\n' "$WARN_ESCAPED"
+else
+  echo '{}'
+fi