@ryuenn3123/agentic-senior-core 2.0.5 → 2.0.8

package/.agent-context/skills/backend/errors.md

@@ -1,138 +1,138 @@
-# Error Handling & Recovery
-
-**Tier:** ADVANCE | **Source:** awesome-copilot (typed errors) + antigravity (recovery patterns) + minimax (error boundary)
-
-## Rule: Never Swallow Errors
-
- **WRONG:**
-```javascript
-try {
-  const payment = await processPayment();
-} catch (err) {
-  console.log('oops');  // <- Error lost, no recovery
-}
-```
-
- **CORRECT:**
-```javascript
-try {
-  const payment = await processPayment();
-} catch (err) {
-  if (err instanceof PaymentDeclinedError) {
-    // KNOWN: Card declined, user can try again with different card
-    throw err;
-  } else if (err instanceof NetworkTimeoutError) {
-    // MAYBE TEMPORARY: Retry with exponential backoff
-    return await retryWithBackoff(() => processPayment());
-  } else {
-    // UNKNOWN: Log + alert ops team
-    logger.error({ err, context: { customerId, amount } });
-    throw new InternalServerError('Payment processing failed');
-  }
-}
-```
-
----
-
-## Typed Error Codes
-
-Instead of generic "Error", use specific, typed errors:
-
-### Node.js + Custom Error Classes
-
-```javascript
-class ApplicationError extends Error {
-  constructor(code, message, statusCode = 500, details = {}) {
-    super(message);
-    this.code = code;  // Machine-readable
-    this.statusCode = statusCode;  // HTTP status
-    this.details = details;
-  }
-}
-
-class PaymentDeclinedError extends ApplicationError {
-  constructor(reason) {
-    super('PAYMENT_DECLINED', `Card declined: ${reason}`, 402, { reason });
-  }
-}
-
-// Usage in service:
-if (customer.balance < amount) {
-  throw new PaymentDeclinedError('Insufficient funds');
-}
-
-// Transport layer catches and responds:
-app.post('/payments/charge', async (req, res) => {
-  try {
-    const result = await paymentService.charge(req.body);
-    res.json(result);
-  } catch (err) {
-    if (err instanceof ApplicationError) {
-      res.status(err.statusCode).json({
-        error: err.code,
-        message: err.message,
-        details: err.details
-      });
-    } else {
-      res.status(500).json({ error: 'INTERNAL_SERVER_ERROR' });
-    }
-  }
-});
-```
-
----
-
-## Correlation IDs (Debug Multi-Service Requests)
-
-When requests span multiple services, trace them with correlation IDs:
-
-```javascript
-// Transport layer: Generate or receive correlation ID
-app.use((req, res, next) => {
-  req.correlationId = req.headers['x-correlation-id'] || generateUUID();
-  res.setHeader('x-correlation-id', req.correlationId);
-  next();
-});
-
-// Service layer: Attach to all logs
-logger.info({
-  message: 'Processing payment',
-  correlationId: req.correlationId,
-  customerId,
-  amount
-});
-
-// Logs across all services will have same correlationId
-```
-
----
-
-## Retry Strategy
-
-```javascript
-async function retryWithBackoff(fn, maxAttempts = 3) {
-  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-    try {
-      return await fn();
-    } catch (err) {
-      if (attempt === maxAttempts) throw err;
-      if (!(err instanceof NetworkTimeoutError)) throw err;
-      
-      const delay = Math.pow(2, attempt - 1) * 1000;  // 1s, 2s, 4s
-      await sleep(delay);
-    }
-  }
-}
-```
-
----
-
-## Checklist
-
-- [ ] All caught errors are typed (not generic `Error`)
-- [ ] All errors have machine-readable code
-- [ ] Production errors logged with context (correlationId, userId)
-- [ ] Retry logic only for transient failures (timeouts, 5xx)
-- [ ] User-level errors have helpful messages (no SQL/stack traces)
-- [ ] Critical errors alert ops (Slack, PagerDuty)
+# Error Handling & Recovery
+
+**Tier:** ADVANCE | **Source:** awesome-copilot (typed errors) + antigravity (recovery patterns) + minimax (error boundary)
+
+## Rule: Never Swallow Errors
+
+ **WRONG:**
+```javascript
+try {
+  const payment = await processPayment();
+} catch (err) {
+  console.log('oops');  // <- Error lost, no recovery
+}
+```
+
+ **CORRECT:**
+```javascript
+try {
+  const payment = await processPayment();
+} catch (err) {
+  if (err instanceof PaymentDeclinedError) {
+    // KNOWN: Card declined, user can try again with different card
+    throw err;
+  } else if (err instanceof NetworkTimeoutError) {
+    // MAYBE TEMPORARY: Retry with exponential backoff
+    return await retryWithBackoff(() => processPayment());
+  } else {
+    // UNKNOWN: Log + alert ops team
+    logger.error({ err, context: { customerId, amount } });
+    throw new InternalServerError('Payment processing failed');
+  }
+}
+```
+
+---
+
+## Typed Error Codes
+
+Instead of generic "Error", use specific, typed errors:
+
+### Node.js + Custom Error Classes
+
+```javascript
+class ApplicationError extends Error {
+  constructor(code, message, statusCode = 500, details = {}) {
+    super(message);
+    this.code = code;  // Machine-readable
+    this.statusCode = statusCode;  // HTTP status
+    this.details = details;
+  }
+}
+
+class PaymentDeclinedError extends ApplicationError {
+  constructor(reason) {
+    super('PAYMENT_DECLINED', `Card declined: ${reason}`, 402, { reason });
+  }
+}
+
+// Usage in service:
+if (customer.balance < amount) {
+  throw new PaymentDeclinedError('Insufficient funds');
+}
+
+// Transport layer catches and responds:
+app.post('/payments/charge', async (req, res) => {
+  try {
+    const result = await paymentService.charge(req.body);
+    res.json(result);
+  } catch (err) {
+    if (err instanceof ApplicationError) {
+      res.status(err.statusCode).json({
+        error: err.code,
+        message: err.message,
+        details: err.details
+      });
+    } else {
+      res.status(500).json({ error: 'INTERNAL_SERVER_ERROR' });
+    }
+  }
+});
+```
+
+---
+
+## Correlation IDs (Debug Multi-Service Requests)
+
+When requests span multiple services, trace them with correlation IDs:
+
+```javascript
+// Transport layer: Generate or receive correlation ID
+app.use((req, res, next) => {
+  req.correlationId = req.headers['x-correlation-id'] || generateUUID();
+  res.setHeader('x-correlation-id', req.correlationId);
+  next();
+});
+
+// Service layer: Attach to all logs
+logger.info({
+  message: 'Processing payment',
+  correlationId: req.correlationId,
+  customerId,
+  amount
+});
+
+// Logs across all services will have same correlationId
+```
+
+---
+
+## Retry Strategy
+
+```javascript
+async function retryWithBackoff(fn, maxAttempts = 3) {
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      if (attempt === maxAttempts) throw err;
+      if (!(err instanceof NetworkTimeoutError)) throw err;
+      
+      const delay = Math.pow(2, attempt - 1) * 1000;  // 1s, 2s, 4s
+      await sleep(delay);
+    }
+  }
+}
+```
+
+---
+
+## Checklist
+
+- [ ] All caught errors are typed (not generic `Error`)
+- [ ] All errors have machine-readable code
+- [ ] Production errors logged with context (correlationId, userId)
+- [ ] Retry logic only for transient failures (timeouts, 5xx)
+- [ ] User-level errors have helpful messages (no SQL/stack traces)
+- [ ] Critical errors alert ops (Slack, PagerDuty)
 - Keep retry and rollback behavior explicit.

package/.agent-context/skills/backend/validation.md

@@ -1,117 +1,117 @@
-# Input Validation & Parameterized Queries
-
-**Tier:** ADVANCE | **Source:** awesome-copilot (boundaries) + antigravity (security halt) + minimax (validation patterns)
-
-## Why Validation at Boundaries Matters
-
-Rule: **All external input is untrusted.** Validate at API entry point before touching business logic or database.
-
-Common vulnerabilities when skipped:
-- SQL injection: Unparameterized queries with user input
-- Type confusion: String input treated as number
-- Business logic bypass: Missing eligibility checks
-- Data corruption: Invalid state transitions
-
-**SECURITY HALT:** If you find unvalidated input directly in database queries, stop feature development. Fix first.
-
----
-
-## Layer 1: HTTP Request Validation
-
-Validate shape, type, required fields **before** touching service layer.
-
-### Node.js + Zod (Type-Safe)
-
-```javascript
-import { z } from 'zod';
-
-const chargeSchema = z.object({
-  amount: z.number().min(50).max(100000),
-  customerId: z.string().uuid(),
-  cardToken: z.string().min(10).max(1000),
-});
-
-app.post('/payments/charge', async (req, res) => {
-  // Validate shape + types
-  const parsed = chargeSchema.safeParse(req.body);
-  if (!parsed.success) {
-    return res.status(400).json({
-      error: 'Invalid request',
-      details: parsed.error.errors
-    });
-  }
-
-  // Now safe to pass to service
-  const result = await paymentService.charge(parsed.data);
-  res.json(result);
-});
-```
-
-### Python + Pydantic
-
-```python
-from pydantic import BaseModel, Field
-
-class ChargeRequest(BaseModel):
-    amount: float = Field(..., ge=50, le=100000)
-    customer_id: str = Field(..., min_length=36, max_length=36)
-    card_token: str = Field(..., min_length=10, max_length=1000)
-
-@app.post("/payments/charge")
-async def charge_payment(req: ChargeRequest):
-    result = await payment_service.charge(req.dict())
-    return result
-```
-
----
-
-## Layer 2: SQL Query Parameterization
-
-###  WRONG (SQL Injection)
-
-```javascript
-const customerId = req.body.customerId;
-const query = `SELECT * FROM customers WHERE id = '${customerId}'`;
-// Input: '; DROP TABLE customers; --'
-```
-
-###  CORRECT (Parameterized)
-
-```javascript
-await db.one(
-  'SELECT * FROM customers WHERE id = $1',
-  [customerId]  // Parameterized
-);
-```
-
----
-
-## Layer 3: Business Logic Validation
-
-```javascript
-async charge({ amount, customerId, cardToken }) {
-  // Already validated: amount in range, customerId is UUID
-
-  // Now validate business rules
-  const customer = await customerRepo.findById(customerId);
-  if (!customer) throw new NotFoundError('Customer');
-  if (customer.status !== 'active') throw new BusinessError('Account suspended');
-  if (customer.dailyLimit && customer.dailySpent + amount > customer.dailyLimit) {
-    throw new BusinessError('Daily limit exceeded');
-  }
-
-  // Safe to proceed
-}
-```
-
----
-
-## Checklist
-
-- [ ] All route handlers validate request shape (Zod/Pydantic)
-- [ ] All database queries use parameterized statements
-- [ ] All external API responses validated before use
-- [ ] Business rules checked in Service layer
-- [ ] Error messages safe (no SQL leaked to client)
-- [ ] Tests cover invalid inputs
+# Input Validation & Parameterized Queries
+
+**Tier:** ADVANCE | **Source:** awesome-copilot (boundaries) + antigravity (security halt) + minimax (validation patterns)
+
+## Why Validation at Boundaries Matters
+
+Rule: **All external input is untrusted.** Validate at API entry point before touching business logic or database.
+
+Common vulnerabilities when skipped:
+- SQL injection: Unparameterized queries with user input
+- Type confusion: String input treated as number
+- Business logic bypass: Missing eligibility checks
+- Data corruption: Invalid state transitions
+
+**SECURITY HALT:** If you find unvalidated input directly in database queries, stop feature development. Fix first.
+
+---
+
+## Layer 1: HTTP Request Validation
+
+Validate shape, type, required fields **before** touching service layer.
+
+### Node.js + Zod (Type-Safe)
+
+```javascript
+import { z } from 'zod';
+
+const chargeSchema = z.object({
+  amount: z.number().min(50).max(100000),
+  customerId: z.string().uuid(),
+  cardToken: z.string().min(10).max(1000),
+});
+
+app.post('/payments/charge', async (req, res) => {
+  // Validate shape + types
+  const parsed = chargeSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(400).json({
+      error: 'Invalid request',
+      details: parsed.error.errors
+    });
+  }
+
+  // Now safe to pass to service
+  const result = await paymentService.charge(parsed.data);
+  res.json(result);
+});
+```
+
+### Python + Pydantic
+
+```python
+from pydantic import BaseModel, Field
+
+class ChargeRequest(BaseModel):
+    amount: float = Field(..., ge=50, le=100000)
+    customer_id: str = Field(..., min_length=36, max_length=36)
+    card_token: str = Field(..., min_length=10, max_length=1000)
+
+@app.post("/payments/charge")
+async def charge_payment(req: ChargeRequest):
+    result = await payment_service.charge(req.dict())
+    return result
+```
+
+---
+
+## Layer 2: SQL Query Parameterization
+
+###  WRONG (SQL Injection)
+
+```javascript
+const customerId = req.body.customerId;
+const query = `SELECT * FROM customers WHERE id = '${customerId}'`;
+// Input: '; DROP TABLE customers; --'
+```
+
+###  CORRECT (Parameterized)
+
+```javascript
+await db.one(
+  'SELECT * FROM customers WHERE id = $1',
+  [customerId]  // Parameterized
+);
+```
+
+---
+
+## Layer 3: Business Logic Validation
+
+```javascript
+async charge({ amount, customerId, cardToken }) {
+  // Already validated: amount in range, customerId is UUID
+
+  // Now validate business rules
+  const customer = await customerRepo.findById(customerId);
+  if (!customer) throw new NotFoundError('Customer');
+  if (customer.status !== 'active') throw new BusinessError('Account suspended');
+  if (customer.dailyLimit && customer.dailySpent + amount > customer.dailyLimit) {
+    throw new BusinessError('Daily limit exceeded');
+  }
+
+  // Safe to proceed
+}
+```
+
+---
+
+## Checklist
+
+- [ ] All route handlers validate request shape (Zod/Pydantic)
+- [ ] All database queries use parameterized statements
+- [ ] All external API responses validated before use
+- [ ] Business rules checked in Service layer
+- [ ] Error messages safe (no SQL leaked to client)
+- [ ] Tests cover invalid inputs
 - Keep validation deterministic and testable.

package/.agent-context/skills/backend.md

@@ -1,29 +1,29 @@
-# Backend Skill Pack
-
-Default tier: `advance`
-
-## Purpose
-Build backend systems with strict layer separation, typed boundaries, and operational safety.
-
-## In Scope
-- Transport, service, repository, and domain separation
-- Validation at boundaries
-- Error handling and observability
-- Data access and transaction safety
-- API and event contract design
-
-## Must-Have Checks
-- No business logic in transport layer
-- No HTTP objects in application layer
-- No raw SQL in controllers or services
-- All external input validated before business logic
-- Typed errors and explicit failure paths
-
-## Evidence
-- Unit and integration tests
-- API contract docs
-- Validation schemas
-- Release gate output
-
-## Fallback
+# Backend Skill Pack
+
+Default tier: `advance`
+
+## Purpose
+Build backend systems with strict layer separation, typed boundaries, and operational safety.
+
+## In Scope
+- Transport, service, repository, and domain separation
+- Validation at boundaries
+- Error handling and observability
+- Data access and transaction safety
+- API and event contract design
+
+## Must-Have Checks
+- No business logic in transport layer
+- No HTTP objects in application layer
+- No raw SQL in controllers or services
+- All external input validated before business logic
+- Typed errors and explicit failure paths
+
+## Evidence
+- Unit and integration tests
+- API contract docs
+- Validation schemas
+- Release gate output
+
+## Fallback
 - Standard mode is allowed only for legacy compatibility and must be flagged in release evidence.

package/.agent-context/skills/cli/README.md

@@ -1,50 +1,56 @@
-# CLI Engineering Skills
-
-Default tier: `advance`
-
-This domain covers command design, safe mutation workflows, and machine-readable output conventions for automation.
-
-## Topics
-- [Init Flow](init.md) - Deterministic project initialization with explicit write plans
-- [Upgrade Flow](upgrade.md) - Safe upgrades with dry-run, rollback, and compatibility checks
-- [Machine-Readable Output](output.md) - Stable JSON output and deterministic exit semantics
-
-## Operating Model
-- Use `advance` for normal command work.
-- Escalate to `expert` when commands mutate user state or require migration safety.
-
-## Above-Line Additions
-- Mandatory dry-run support for mutating commands.
-- Structured error payloads for CI/CD and bots.
-- Explicit rollback plans for upgrade paths.
-- Plug-and-play init presets for common stacks and blueprints.
-
-## Installation and Entry Paths
-
-Choose the path that fits your workflow:
-
-- `agentic-senior-core launch` for a numbered interactive chooser.
-- `npm install -g @fatidaprilian/agentic-senior-core` for a global command.
-- `npm exec --yes @fatidaprilian/agentic-senior-core init` for a one-off run.
-- `npx @fatidaprilian/agentic-senior-core init` for a package-managed local run.
-- GitHub template for zero-install project bootstrap.
-
-## Preset Starts
-
-Use presets when you want fewer choices at the start:
-
-- `frontend-web` - TypeScript + API Next.js + balanced profile.
-- `backend-api` - Python + FastAPI + balanced profile.
-- `fullstack-product` - TypeScript + API Next.js + balanced profile.
-- `platform-governance` - Go + Go service + strict profile.
-- `mobile-react-native` - React Native + mobile app + balanced profile.
-- `mobile-flutter` - Flutter + mobile app + balanced profile.
-- `observability-platform` - Go + observability + strict profile.
-
-Example:
-
-```bash
-agentic-senior-core init --preset frontend-web
-agentic-senior-core init --preset backend-api --ci true
-agentic-senior-core launch
+# CLI Engineering Skills
+
+Default tier: `advance`
+
+This domain covers command design, safe mutation workflows, and machine-readable output conventions for automation.
+
+## Topics
+- [Init Flow](init.md) - Deterministic project initialization with explicit write plans
+- [Upgrade Flow](upgrade.md) - Safe upgrades with dry-run, rollback, and compatibility checks
+- [Machine-Readable Output](output.md) - Stable JSON output and deterministic exit semantics
+- [Safety and Telemetry](safety-telemetry.md) - Operational signal capture and release-facing CLI governance summaries
+
+## Operating Model
+- Use `advance` for normal command work.
+- Escalate to `expert` when commands mutate user state or require migration safety.
+
+## Above-Line Additions
+- Mandatory dry-run support for mutating commands.
+- Structured error payloads for CI/CD and bots.
+- Explicit rollback plans for upgrade paths.
+- Plug-and-play init presets for common stacks and blueprints.
+
+## Installation and Entry Paths
+
+Choose the path that fits your workflow:
+
+- `agentic-senior-core launch` for a numbered interactive chooser.
+- `npm install -g @fatidaprilian/agentic-senior-core` for a global command.
+- `npm exec --yes @fatidaprilian/agentic-senior-core init` for a one-off run.
+- `npx @fatidaprilian/agentic-senior-core init` for a package-managed local run.
+- GitHub template for zero-install project bootstrap.
+
+## Preset Starts
+
+Use presets when you want fewer choices at the start:
+
+- `frontend-web` - TypeScript + API Next.js + balanced profile.
+- `backend-api` - Python + FastAPI + balanced profile.
+- `fullstack-product` - TypeScript + API Next.js + balanced profile.
+- `platform-governance` - Go + Go service + strict profile.
+- `mobile-react-native` - React Native + mobile app + balanced profile.
+- `mobile-flutter` - Flutter + mobile app + balanced profile.
+- `observability-platform` - Go + observability + strict profile.
+- `typescript-nestjs-service` - TypeScript + NestJS module blueprint + balanced profile.
+- `java-enterprise-api` - Java + Spring Boot API + strict profile.
+- `dotnet-enterprise-api` - C# + ASP.NET API + strict profile.
+- `php-laravel-api` - PHP + Laravel API + balanced profile.
+- `kubernetes-platform` - Go + Kubernetes manifests + strict profile.
+
+Example:
+
+```bash
+agentic-senior-core init --preset frontend-web
+agentic-senior-core init --preset backend-api --ci true
+agentic-senior-core launch
 ```