@soleri/core 9.14.0 → 9.14.4

package/dist/knowledge-packs/knowledge-packs/starter/architecture/soleri-pack.json

@@ -1,10 +0,0 @@
-{
-  "id": "starter-architecture",
-  "name": "Architecture Starter Pack",
-  "version": "1.0.0",
-  "description": "Clean architecture, DDD patterns, API design, error handling — foundational architecture patterns and anti-patterns.",
-  "domains": ["architecture"],
-  "vault": {
-    "dir": "vault"
-  }
-}

package/dist/knowledge-packs/knowledge-packs/starter/architecture/vault/patterns.json

@@ -1,137 +0,0 @@
-[
-  {
-    "id": "arch-001",
-    "type": "pattern",
-    "domain": "architecture",
-    "title": "Dependency Inversion via Interfaces",
-    "description": "High-level modules should not depend on low-level modules. Both should depend on abstractions. Define interfaces for external dependencies (databases, APIs, file systems) and inject implementations. This enables testing and swapping implementations without changing business logic.",
-    "severity": "warning",
-    "tags": ["solid", "dependency-injection", "clean-architecture"]
-  },
-  {
-    "id": "arch-002",
-    "type": "pattern",
-    "domain": "architecture",
-    "title": "Error Boundaries at Layer Edges",
-    "description": "Catch and translate errors at the boundary between architectural layers. Database errors become domain errors. HTTP errors become user-facing messages. Each layer speaks its own error language. Never let implementation details leak through error messages.",
-    "severity": "warning",
-    "tags": ["error-handling", "layers", "boundaries"]
-  },
-  {
-    "id": "arch-003",
-    "type": "pattern",
-    "domain": "architecture",
-    "title": "Command Query Separation",
-    "description": "Functions should either change state (command) or return data (query), never both. Commands return void or a simple status. Queries are side-effect free. This makes code predictable, testable, and easier to reason about.",
-    "severity": "suggestion",
-    "tags": ["cqs", "clean-code", "functional"]
-  },
-  {
-    "id": "arch-004",
-    "type": "pattern",
-    "domain": "architecture",
-    "title": "Idempotent Operations",
-    "description": "Design operations to be safely retryable. Use unique request IDs for deduplication. Make database writes idempotent with UPSERT or conditional INSERT. This is critical for distributed systems where network failures cause retries.",
-    "severity": "warning",
-    "tags": ["idempotency", "distributed-systems", "reliability"]
-  },
-  {
-    "id": "arch-005",
-    "type": "pattern",
-    "domain": "architecture",
-    "title": "Graceful Degradation",
-    "description": "When an external dependency fails, degrade gracefully instead of crashing. Return cached data, empty results, or reduced functionality. Log the failure for monitoring. The system should remain useful even when parts are down.",
-    "severity": "warning",
-    "tags": ["resilience", "fault-tolerance", "reliability"]
-  },
-  {
-    "id": "arch-006",
-    "type": "pattern",
-    "domain": "architecture",
-    "title": "Configuration as Data",
-    "description": "Express variation through configuration, not code branches. Feature flags, policy objects, and declarative config files are easier to audit, test, and change than if/else chains. Logic in config, not code.",
-    "severity": "suggestion",
-    "tags": ["configuration", "data-driven", "clean-code"]
-  },
-  {
-    "id": "arch-007",
-    "type": "pattern",
-    "domain": "architecture",
-    "title": "Reversible Migrations",
-    "description": "Every database migration must have a corresponding rollback. Test both up and down paths. Prefer additive changes (add column, add table) over destructive ones (drop column, rename). Make breaking schema changes in multiple steps: add new → migrate data → remove old.",
-    "severity": "warning",
-    "tags": ["database", "migrations", "schema"]
-  },
-  {
-    "id": "arch-008",
-    "type": "anti-pattern",
-    "domain": "architecture",
-    "title": "God Object",
-    "description": "Avoid classes or modules that know too much or do too much. A 2000-line service class with 30 methods violates single responsibility. Split by cohesion: group related data and behavior together. If a change to feature A requires modifying the same file as feature B, they should be separate modules.",
-    "severity": "warning",
-    "tags": ["solid", "cohesion", "refactoring"]
-  },
-  {
-    "id": "arch-009",
-    "type": "anti-pattern",
-    "domain": "architecture",
-    "title": "Premature Abstraction",
-    "description": "Don't abstract before you have three concrete examples of the same pattern. One-off helpers and single-use base classes add indirection without value. Wait for the pattern to emerge from real usage, then extract. Three similar lines are better than a premature abstraction.",
-    "severity": "suggestion",
-    "tags": ["abstraction", "yagni", "clean-code"]
-  },
-  {
-    "id": "arch-010",
-    "type": "anti-pattern",
-    "domain": "architecture",
-    "title": "Circular Dependencies",
-    "description": "When module A imports B and B imports A, you have a circular dependency. This signals tangled responsibilities and makes code hard to test and refactor. Fix by extracting shared types into a third module, or inverting the dependency with an interface.",
-    "severity": "warning",
-    "tags": ["dependencies", "coupling", "modules"]
-  },
-  {
-    "id": "arch-011",
-    "type": "pattern",
-    "domain": "architecture",
-    "title": "API Versioning Strategy",
-    "description": "Version APIs from day one using URL path (/v1/) or headers. Never break existing consumers. Deprecate old versions with sunset dates. New versions can change behavior; existing versions are frozen. Document breaking changes in changelogs.",
-    "severity": "warning",
-    "tags": ["api-design", "versioning", "backwards-compatibility"]
-  },
-  {
-    "id": "arch-012",
-    "type": "anti-pattern",
-    "domain": "architecture",
-    "title": "Shared Mutable State Without Synchronization",
-    "description": "Accessing shared mutable state from multiple concurrent contexts (threads, async operations, workers) without synchronization leads to race conditions. Use immutable data structures, message passing, or explicit synchronization primitives.",
-    "severity": "critical",
-    "tags": ["concurrency", "race-conditions", "state"]
-  },
-  {
-    "id": "arch-013",
-    "type": "rule",
-    "domain": "architecture",
-    "title": "Validate at System Boundaries Only",
-    "description": "Validate input at the edge of your system (HTTP handlers, CLI parsers, message consumers). Internal functions trust their callers. This avoids redundant validation scattered throughout the codebase and keeps business logic clean.",
-    "severity": "suggestion",
-    "tags": ["validation", "boundaries", "clean-code"]
-  },
-  {
-    "id": "arch-014",
-    "type": "pattern",
-    "domain": "architecture",
-    "title": "Repository Pattern for Data Access",
-    "description": "Encapsulate data access behind a repository interface. The repository exposes domain-oriented methods (findByEmail, listActive) instead of raw queries. This decouples business logic from storage implementation and makes testing trivial with in-memory implementations.",
-    "severity": "suggestion",
-    "tags": ["repository", "data-access", "clean-architecture"]
-  },
-  {
-    "id": "arch-015",
-    "type": "anti-pattern",
-    "domain": "architecture",
-    "title": "Feature Flags as Permanent Conditionals",
-    "description": "Feature flags are temporary. If a flag has been active for more than one release cycle, either remove the old path or make the new behavior permanent. Accumulated flags create combinatorial complexity that is impossible to test exhaustively.",
-    "severity": "suggestion",
-    "tags": ["feature-flags", "technical-debt", "complexity"]
-  }
-]

package/dist/knowledge-packs/knowledge-packs/starter/design/soleri-pack.json

@@ -1,10 +0,0 @@
-{
-  "id": "starter-design",
-  "name": "Frontend & Design Starter Pack",
-  "version": "1.0.0",
-  "description": "React patterns, accessibility, performance, component composition — essential frontend and UI design patterns.",
-  "domains": ["frontend", "accessibility"],
-  "vault": {
-    "dir": "vault"
-  }
-}

package/dist/knowledge-packs/knowledge-packs/starter/design/vault/patterns.json

@@ -1,137 +0,0 @@
-[
-  {
-    "id": "fe-001",
-    "type": "pattern",
-    "domain": "frontend",
-    "title": "Composition Over Inheritance in Components",
-    "description": "Build components by composing smaller, focused pieces rather than extending base components. Use children, render props, or slots for flexibility. A Card component with CardHeader, CardBody, CardFooter slots is more reusable than a monolithic Card with 15 props.",
-    "severity": "warning",
-    "tags": ["react", "composition", "components"]
-  },
-  {
-    "id": "fe-002",
-    "type": "pattern",
-    "domain": "frontend",
-    "title": "Controlled Components for Forms",
-    "description": "Prefer controlled components (state-driven) over uncontrolled (DOM-driven) for form inputs. This gives you validation on every keystroke, conditional rendering, and predictable state. Use uncontrolled only for simple, isolated forms where performance is critical.",
-    "severity": "suggestion",
-    "tags": ["react", "forms", "state"]
-  },
-  {
-    "id": "fe-003",
-    "type": "pattern",
-    "domain": "frontend",
-    "title": "Semantic HTML Before ARIA",
-    "description": "Use native HTML elements for their intended purpose before reaching for ARIA attributes. A <button> is better than a <div role='button'>. A <nav> is better than <div aria-label='navigation'>. Native elements get keyboard handling, focus management, and screen reader support for free.",
-    "severity": "warning",
-    "tags": ["accessibility", "html", "aria", "wcag"]
-  },
-  {
-    "id": "fe-004",
-    "type": "pattern",
-    "domain": "frontend",
-    "title": "Error Boundaries for Resilient UI",
-    "description": "Wrap major UI sections in error boundaries so a crash in one component doesn't take down the entire page. Show a meaningful fallback UI with a retry option. Log errors to your monitoring service. Place boundaries at route level and around third-party components.",
-    "severity": "warning",
-    "tags": ["react", "error-handling", "resilience"]
-  },
-  {
-    "id": "fe-005",
-    "type": "pattern",
-    "domain": "frontend",
-    "title": "Lazy Loading for Route-Level Code Splitting",
-    "description": "Use dynamic imports (React.lazy, import()) for route-level components. This reduces initial bundle size and improves first paint. Combine with Suspense for loading states. Only eagerly load the routes users are most likely to visit first.",
-    "severity": "suggestion",
-    "tags": ["performance", "code-splitting", "react"]
-  },
-  {
-    "id": "fe-006",
-    "type": "pattern",
-    "domain": "accessibility",
-    "title": "Focus Management on Navigation",
-    "description": "When the user navigates to a new page or opens a modal, move focus to the appropriate element. After route change, focus the main heading or skip-to-content link. In modals, trap focus within the modal and restore it on close.",
-    "severity": "warning",
-    "tags": ["accessibility", "focus", "keyboard", "wcag"]
-  },
-  {
-    "id": "fe-007",
-    "type": "pattern",
-    "domain": "accessibility",
-    "title": "Color Contrast Minimum 4.5:1",
-    "description": "Ensure text has at least 4.5:1 contrast ratio against its background (WCAG AA). Large text (18px+ bold or 24px+ regular) needs 3:1 minimum. Use semantic design tokens that guarantee compliant pairs. Test with a contrast checker tool.",
-    "severity": "warning",
-    "tags": ["accessibility", "contrast", "wcag", "design-tokens"]
-  },
-  {
-    "id": "fe-008",
-    "type": "anti-pattern",
-    "domain": "frontend",
-    "title": "Prop Drilling Through Many Layers",
-    "description": "Passing props through 3+ intermediate components that don't use them is prop drilling. It creates tight coupling and makes refactoring painful. Use React Context for truly global state, or component composition (passing children) to reduce nesting depth.",
-    "severity": "suggestion",
-    "tags": ["react", "state", "composition"]
-  },
-  {
-    "id": "fe-009",
-    "type": "anti-pattern",
-    "domain": "frontend",
-    "title": "Inline Styles Over Design Tokens",
-    "description": "Don't use inline styles or raw hex colors in components. They bypass the design system, create inconsistency, and make theming impossible. Use semantic tokens (bg-surface, text-primary) that resolve to values through the token system.",
-    "severity": "warning",
-    "tags": ["design-tokens", "css", "consistency"]
-  },
-  {
-    "id": "fe-010",
-    "type": "anti-pattern",
-    "domain": "frontend",
-    "title": "useEffect for Derived State",
-    "description": "Don't use useEffect to sync state that can be computed from other state. If fullName = firstName + lastName, compute it during render, not in an effect. Effects for derived state cause extra re-renders and race conditions. Use useMemo for expensive computations.",
-    "severity": "warning",
-    "tags": ["react", "hooks", "performance"]
-  },
-  {
-    "id": "fe-011",
-    "type": "pattern",
-    "domain": "frontend",
-    "title": "Optimistic UI Updates",
-    "description": "Update the UI immediately on user action before the server confirms. Show the expected outcome with a subtle loading indicator. Roll back on error with a toast notification. This makes the app feel instant even on slow connections.",
-    "severity": "suggestion",
-    "tags": ["ux", "performance", "state"]
-  },
-  {
-    "id": "fe-012",
-    "type": "anti-pattern",
-    "domain": "accessibility",
-    "title": "Click Handlers on Non-Interactive Elements",
-    "description": "Don't add onClick to divs or spans without also adding role='button', tabIndex=0, and keyboard event handlers. Screen readers and keyboard users can't interact with these elements. Use a <button> element instead — it handles all of this natively.",
-    "severity": "warning",
-    "tags": ["accessibility", "keyboard", "html", "wcag"]
-  },
-  {
-    "id": "fe-013",
-    "type": "pattern",
-    "domain": "frontend",
-    "title": "Skeleton Loading States",
-    "description": "Show skeleton placeholders that match the layout of the content being loaded. This reduces perceived load time and prevents layout shift. Use CSS animations for shimmer effects. Skeletons are better than spinners for content-heavy pages.",
-    "severity": "suggestion",
-    "tags": ["ux", "performance", "loading"]
-  },
-  {
-    "id": "fe-014",
-    "type": "rule",
-    "domain": "accessibility",
-    "title": "Every Interactive Element Must Be Keyboard Accessible",
-    "description": "Every element that can be clicked must also be reachable and operable via keyboard. This means focusable (tabindex or native element), visible focus indicator (focus-visible ring), and keyboard activation (Enter/Space for buttons, Enter for links).",
-    "severity": "critical",
-    "tags": ["accessibility", "keyboard", "wcag"]
-  },
-  {
-    "id": "fe-015",
-    "type": "anti-pattern",
-    "domain": "frontend",
-    "title": "Boolean Prop Explosion",
-    "description": "Avoid components with many boolean props like isPrimary, isOutlined, isSmall, isDisabled. Use a variant prop with explicit values instead: variant='primary' | 'outlined' | 'ghost'. This prevents impossible states (isPrimary && isOutlined) and is self-documenting.",
-    "severity": "suggestion",
-    "tags": ["react", "api-design", "components"]
-  }
-]

package/dist/knowledge-packs/knowledge-packs/starter/security/soleri-pack.json

@@ -1,10 +0,0 @@
-{
-  "id": "starter-security",
-  "name": "Security Starter Pack",
-  "version": "1.0.0",
-  "description": "OWASP Top 10, auth patterns, input validation, secrets management — essential security patterns and anti-patterns for any codebase.",
-  "domains": ["security"],
-  "vault": {
-    "dir": "vault"
-  }
-}

package/dist/knowledge-packs/knowledge-packs/starter/security/vault/patterns.json

@@ -1,137 +0,0 @@
-[
-  {
-    "id": "sec-001",
-    "type": "pattern",
-    "domain": "security",
-    "title": "Parameterized Queries",
-    "description": "Always use parameterized queries or prepared statements for database access. Never concatenate user input into SQL strings. This prevents SQL injection, the most common and most dangerous web vulnerability.",
-    "severity": "critical",
-    "tags": ["sql-injection", "owasp", "database"]
-  },
-  {
-    "id": "sec-002",
-    "type": "pattern",
-    "domain": "security",
-    "title": "Input Validation at System Boundaries",
-    "description": "Validate and sanitize all input at system boundaries: HTTP handlers, CLI args, file readers, message consumers. Use allowlists over denylists. Validate type, length, format, and range. Reject early, fail loudly.",
-    "severity": "critical",
-    "tags": ["input-validation", "owasp", "boundaries"]
-  },
-  {
-    "id": "sec-003",
-    "type": "pattern",
-    "domain": "security",
-    "title": "Secrets in Environment Variables",
-    "description": "Store secrets (API keys, database passwords, tokens) in environment variables or a secrets manager. Never store them in source code, config files committed to git, or client-side bundles. Use .env files locally with .gitignore protection.",
-    "severity": "critical",
-    "tags": ["secrets", "configuration", "environment"]
-  },
-  {
-    "id": "sec-004",
-    "type": "pattern",
-    "domain": "security",
-    "title": "Principle of Least Privilege",
-    "description": "Grant the minimum permissions necessary for each component, service, or user. Database connections should use read-only credentials when writes are not needed. API tokens should be scoped to required operations only.",
-    "severity": "warning",
-    "tags": ["access-control", "permissions", "zero-trust"]
-  },
-  {
-    "id": "sec-005",
-    "type": "pattern",
-    "domain": "security",
-    "title": "CSRF Protection with Tokens",
-    "description": "Protect state-changing endpoints with CSRF tokens. Use the synchronizer token pattern or double-submit cookie. SameSite cookie attributes provide defense-in-depth but are not sufficient alone.",
-    "severity": "warning",
-    "tags": ["csrf", "owasp", "cookies"]
-  },
-  {
-    "id": "sec-006",
-    "type": "pattern",
-    "domain": "security",
-    "title": "Content Security Policy Headers",
-    "description": "Set Content-Security-Policy headers to prevent XSS by controlling which scripts, styles, and resources can load. Start with a strict policy and relax as needed. Avoid unsafe-inline and unsafe-eval directives.",
-    "severity": "warning",
-    "tags": ["xss", "csp", "headers", "owasp"]
-  },
-  {
-    "id": "sec-007",
-    "type": "pattern",
-    "domain": "security",
-    "title": "Rate Limiting on Authentication Endpoints",
-    "description": "Apply rate limiting to login, password reset, and registration endpoints. Use exponential backoff or sliding window algorithms. Lock accounts after repeated failures. This prevents brute-force and credential stuffing attacks.",
-    "severity": "warning",
-    "tags": ["authentication", "rate-limiting", "brute-force"]
-  },
-  {
-    "id": "sec-008",
-    "type": "anti-pattern",
-    "domain": "security",
-    "title": "Hardcoded Credentials",
-    "description": "Never hardcode passwords, API keys, or tokens in source code. They end up in version control, logs, and error messages. Use environment variables or a secrets manager instead.",
-    "severity": "critical",
-    "tags": ["secrets", "credentials", "owasp"]
-  },
-  {
-    "id": "sec-009",
-    "type": "anti-pattern",
-    "domain": "security",
-    "title": "Rolling Your Own Crypto",
-    "description": "Never implement custom encryption, hashing, or token generation. Use well-tested libraries: bcrypt or argon2 for passwords, AES-256-GCM for encryption, crypto.randomUUID() for tokens. Custom crypto has subtle flaws that attackers exploit.",
-    "severity": "critical",
-    "tags": ["cryptography", "hashing", "encryption"]
-  },
-  {
-    "id": "sec-010",
-    "type": "anti-pattern",
-    "domain": "security",
-    "title": "Verbose Error Messages in Production",
-    "description": "Do not expose stack traces, SQL queries, or internal paths in production error responses. Return generic error messages to users and log details server-side. Information disclosure helps attackers map your system.",
-    "severity": "warning",
-    "tags": ["error-handling", "information-disclosure", "owasp"]
-  },
-  {
-    "id": "sec-011",
-    "type": "anti-pattern",
-    "domain": "security",
-    "title": "Disabling SSL Certificate Verification",
-    "description": "Never disable TLS certificate verification in production. This opens the door to man-in-the-middle attacks. Fix certificate issues at the source: install proper CA certificates, use correct hostnames.",
-    "severity": "critical",
-    "tags": ["tls", "ssl", "mitm"]
-  },
-  {
-    "id": "sec-012",
-    "type": "rule",
-    "domain": "security",
-    "title": "Dependency Audit on Every PR",
-    "description": "Run npm audit or equivalent on every pull request. Block merges with known critical vulnerabilities. Keep dependencies updated since most breaches exploit known vulnerabilities in outdated packages.",
-    "severity": "warning",
-    "tags": ["dependencies", "supply-chain", "ci-cd"]
-  },
-  {
-    "id": "sec-013",
-    "type": "pattern",
-    "domain": "security",
-    "title": "Output Encoding for XSS Prevention",
-    "description": "Encode output based on context: HTML entity encoding for HTML body, JavaScript encoding for script contexts, URL encoding for URL parameters. Use framework auto-escaping (React JSX, template engines) and avoid injecting raw HTML.",
-    "severity": "critical",
-    "tags": ["xss", "encoding", "owasp"]
-  },
-  {
-    "id": "sec-014",
-    "type": "pattern",
-    "domain": "security",
-    "title": "Secure Session Management",
-    "description": "Use HttpOnly, Secure, and SameSite flags on session cookies. Regenerate session IDs after authentication. Set appropriate expiration. Store sessions server-side with cryptographically random identifiers.",
-    "severity": "warning",
-    "tags": ["sessions", "cookies", "authentication"]
-  },
-  {
-    "id": "sec-015",
-    "type": "anti-pattern",
-    "domain": "security",
-    "title": "JWT Stored in localStorage",
-    "description": "Do not store JWTs or sensitive tokens in localStorage because it is accessible to any JavaScript on the page, making XSS attacks devastating. Use HttpOnly cookies instead, or store in memory with refresh token rotation.",
-    "severity": "warning",
-    "tags": ["jwt", "xss", "storage", "authentication"]
-  }
-]