npm - @tinkcarlos/skillora - Versions diffs - 0.2.0 - Mend

@tinkcarlos/skillora 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (234) hide show

package/.claude/skills/code-review/references/infrastructure-review.md ADDED Viewed

@@ -0,0 +1,453 @@
+# Infrastructure Review Guide
+> Comprehensive guide for reviewing Docker, Kubernetes, Terraform, CI/CD, and infrastructure as code.
+## Table of Contents
+- [Docker Review](#docker-review)
+- [Kubernetes Review](#kubernetes-review)
+- [Terraform/IaC Review](#terraformiac-review)
+- [CI/CD Pipeline Review](#cicd-pipeline-review)
+- [Security Checklist](#security-checklist)
+---
+## Docker Review
+### Dockerfile Best Practices
+| Check | Bad | Good |
+|-------|-----|------|
+| **Base Image** | `FROM ubuntu:latest` | `FROM ubuntu:22.04` |
+| **User** | Running as root | `USER nonroot` |
+| **Multi-stage** | Single fat image | Multi-stage build |
+| **Layer Cache** | COPY before deps | COPY deps first, then code |
+| **Secrets** | ARG PASSWORD=xxx | Use secrets management |
+### Common Dockerfile Bugs
+```dockerfile
+# 🔴 BUG: Using latest tag (non-reproducible builds)
+FROM node:latest
+# ✅ FIX: Pin specific version
+FROM node:20.10.0-alpine3.18
+# 🔴 BUG: Running as root
+FROM python:3.11
+# ✅ FIX: Create non-root user
+FROM python:3.11
+RUN useradd -m appuser
+USER appuser
+# 🔴 BUG: Secrets in build args
+ARG DATABASE_PASSWORD
+ENV DB_PASS=$DATABASE_PASSWORD
+# ✅ FIX: Use runtime secrets
+# Pass at runtime: docker run -e DB_PASS=$(cat /secrets/db)
+# 🔴 BUG: Not cleaning up in same layer
+RUN apt-get update
+RUN apt-get install -y curl
+RUN apt-get clean
+# ✅ FIX: Single layer with cleanup
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends curl && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+# 🔴 BUG: Copying everything before installing deps (cache invalidation)
+COPY . /app
+RUN npm install
+# ✅ FIX: Copy package files first
+COPY package*.json /app/
+RUN npm install
+COPY . /app
+```
+### Docker Compose Issues
+```yaml
+# 🔴 BUG: No resource limits
+services:
+  app:
+    image: myapp
+# ✅ FIX: Set resource limits
+services:
+  app:
+    image: myapp
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M
+        reservations:
+          memory: 256M
+# 🔴 BUG: Hardcoded secrets
+services:
+  db:
+    environment:
+      POSTGRES_PASSWORD: supersecret
+# ✅ FIX: Use environment files or secrets
+services:
+  db:
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+    # Or use Docker secrets
+    secrets:
+      - db_password
+```
+---
+## Kubernetes Review
+### Deployment Checklist
+| Check | Why | Example |
+|-------|-----|---------|
+| **Resource Limits** | Prevent noisy neighbors | `resources.limits` |
+| **Liveness Probe** | Restart unhealthy pods | `livenessProbe` |
+| **Readiness Probe** | Route only to ready pods | `readinessProbe` |
+| **Replicas** | High availability | `replicas: 3` |
+| **PodDisruptionBudget** | Safe updates | `minAvailable: 2` |
+| **Anti-Affinity** | Spread across nodes | `podAntiAffinity` |
+### Common Kubernetes Bugs
+```yaml
+# 🔴 BUG: No resource limits (can crash node)
+apiVersion: apps/v1
+kind: Deployment
+spec:
+  containers:
+  - name: app
+    image: myapp
+# ✅ FIX: Always set limits
+spec:
+  containers:
+  - name: app
+    image: myapp
+    resources:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "256Mi"
+        cpu: "500m"
+# 🔴 BUG: No health checks (dead pods keep receiving traffic)
+spec:
+  containers:
+  - name: app
+    image: myapp
+# ✅ FIX: Add liveness and readiness probes
+spec:
+  containers:
+  - name: app
+    image: myapp
+    livenessProbe:
+      httpGet:
+        path: /health
+        port: 8080
+      initialDelaySeconds: 30
+      periodSeconds: 10
+    readinessProbe:
+      httpGet:
+        path: /ready
+        port: 8080
+      initialDelaySeconds: 5
+      periodSeconds: 5
+# 🔴 BUG: Secrets in plain text
+apiVersion: v1
+kind: ConfigMap
+data:
+  DATABASE_PASSWORD: "supersecret"
+# ✅ FIX: Use Secrets (and encrypt at rest)
+apiVersion: v1
+kind: Secret
+type: Opaque
+data:
+  DATABASE_PASSWORD: c3VwZXJzZWNyZXQ=  # base64 encoded
+# 🔴 BUG: Using latest tag
+spec:
+  containers:
+  - name: app
+    image: myapp:latest
+# ✅ FIX: Pin specific version
+spec:
+  containers:
+  - name: app
+    image: myapp:v1.2.3
+    imagePullPolicy: IfNotPresent
+```
+### Security Context
+```yaml
+# ✅ GOOD: Hardened security context
+spec:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    fsGroup: 2000
+  containers:
+  - name: app
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - ALL
+```
+---
+## Terraform/IaC Review
+### Common Terraform Issues
+| Issue | Problem | Fix |
+|-------|---------|-----|
+| **No state locking** | Concurrent updates corrupt state | Use S3+DynamoDB backend |
+| **Secrets in code** | Credentials exposed | Use variables + secrets manager |
+| **No versioning** | Breaking provider changes | Pin provider versions |
+| **Large blast radius** | One change affects everything | Separate state files |
+### Terraform Bug Patterns
+```hcl
+# 🔴 BUG: Hardcoded secrets
+resource "aws_db_instance" "main" {
+  password = "supersecret"
+}
+# ✅ FIX: Use variables and secrets manager
+variable "db_password" {
+  type      = string
+  sensitive = true
+}
+resource "aws_db_instance" "main" {
+  password = var.db_password
+}
+# 🔴 BUG: No provider version pinning
+provider "aws" {
+  region = "us-east-1"
+}
+# ✅ FIX: Pin provider version
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+# 🔴 BUG: Public S3 bucket
+resource "aws_s3_bucket" "data" {
+  bucket = "my-data"
+  acl    = "public-read"
+}
+# ✅ FIX: Private with explicit policy
+resource "aws_s3_bucket" "data" {
+  bucket = "my-data"
+}
+resource "aws_s3_bucket_public_access_block" "data" {
+  bucket = aws_s3_bucket.data.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+# 🔴 BUG: Overly permissive security group
+resource "aws_security_group" "web" {
+  ingress {
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+# ✅ FIX: Least privilege
+resource "aws_security_group" "web" {
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+```
+---
+## CI/CD Pipeline Review
+### Pipeline Security Checklist
+| Check | Risk | Mitigation |
+|-------|------|------------|
+| **Secrets in logs** | Credential exposure | Mask secrets |
+| **Untrusted code** | Supply chain attack | Pin action versions |
+| **Excessive permissions** | Lateral movement | Least privilege |
+| **No approval gates** | Accidental deploy | Require approval |
+### GitHub Actions Issues
+```yaml
+# 🔴 BUG: Using latest action version
+- uses: actions/checkout@master
+# ✅ FIX: Pin to specific version (SHA preferred)
+- uses: actions/checkout@v4
+# Or better: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+# 🔴 BUG: Secrets in command output
+- run: echo "Token: ${{ secrets.API_TOKEN }}"
+# ✅ FIX: Mask secrets (done automatically for secrets.*)
+# But be careful with derived values
+# 🔴 BUG: Running arbitrary PR code with secrets
+on: pull_request_target  # Dangerous!
+jobs:
+  build:
+    env:
+      DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}  # Untrusted code!
+# ✅ FIX: Use pull_request event (no secrets access)
+on: pull_request
+# Or separate build from deploy with approval
+# 🔴 BUG: Overly permissive permissions
+permissions: write-all
+# ✅ FIX: Least privilege
+permissions:
+  contents: read
+  packages: write
+```
+### Pipeline Best Practices
+```yaml
+# ✅ GOOD: Complete secure pipeline example
+name: CI/CD
+on:
+  push:
+    branches: [main]
+  pull_request:
+permissions:
+  contents: read
+  packages: write
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+      - run: npm ci
+      - run: npm test
+  build:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build
+        run: npm run build
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: build
+          path: dist/
+  deploy:
+    needs: build
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    environment: production  # Requires approval
+    steps:
+      - name: Deploy
+        run: |
+          # Deploy logic here
+```
+---
+## Security Checklist
+### Infrastructure Security Review
+```markdown
+## Infrastructure Security Checklist
+### Secrets Management
+- [ ] No secrets in code/configs
+- [ ] Secrets encrypted at rest
+- [ ] Secrets rotated regularly
+- [ ] Secrets accessed via secure mechanism (vault, secrets manager)
+### Network Security
+- [ ] Security groups follow least privilege
+- [ ] Network segmentation implemented
+- [ ] TLS/HTTPS enforced
+- [ ] Private subnets for databases
+### Access Control
+- [ ] Service accounts have minimal permissions
+- [ ] No root/admin credentials in automation
+- [ ] MFA required for human access
+- [ ] Audit logging enabled
+### Container Security
+- [ ] Base images from trusted registry
+- [ ] Images scanned for vulnerabilities
+- [ ] Containers run as non-root
+- [ ] Read-only root filesystem where possible
+### CI/CD Security
+- [ ] Action/plugin versions pinned
+- [ ] Secrets masked in logs
+- [ ] Approval gates for production
+- [ ] Branch protection enabled
+### Compliance
+- [ ] Resource tagging for cost/ownership
+- [ ] Backup policies defined
+- [ ] Disaster recovery tested
+- [ ] Logging and monitoring in place
+```

package/.claude/skills/code-review/references/iteration-review.md ADDED Viewed

@@ -0,0 +1,264 @@
+# Version Iteration Review Guide
+> Review focus for "optimization and extension": balancing new and old, ensuring seamless upgrades.
+## Overview
+Version iterations are like upgrading a bridge while traffic flows. Review with focus on backward compatibility and zero-downtime changes.
+**Target Bug Rate**: <0.2% (historical baseline helps)
+---
+## Critical Review Areas
+### 1. Backward Compatibility
+| Aspect | Check | Breaking Change Signs |
+|--------|-------|----------------------|
+| **API Contracts** | Field names, types unchanged | Renamed fields, removed endpoints |
+| **Database Schema** | Migrations reversible | Column drops, type changes |
+| **Config Format** | Old config still works | Required new fields |
+| **State/Storage** | Data migration handled | localStorage format change |
+| **Dependencies** | Major version bumps | Breaking API changes |
+### 2. Regression Prevention
+```markdown
+## Regression Checklist
+### Test Verification
+- [ ] All existing tests pass
+- [ ] No test files deleted/skipped
+- [ ] Snapshot tests reviewed if changed
+- [ ] Coverage not decreased
+### Performance Baseline
+- [ ] Load times not increased
+- [ ] Memory usage stable
+- [ ] Query times not degraded
+- [ ] Bundle size not bloated
+### Feature Parity
+- [ ] All existing features work
+- [ ] No functionality removed
+- [ ] Edge cases still handled
+- [ ] Error states preserved
+```
+### 3. Migration Safety
+| Migration Type | Safety Requirements | Red Flags |
+|----------------|---------------------|-----------|
+| **Database** | Rollback tested, zero downtime | `DROP COLUMN`, blocking locks |
+| **Data** | Idempotent, resumable | One-shot scripts |
+| **Config** | Default values, gradual rollout | Required immediate changes |
+| **API** | Versioned, deprecation period | Immediate breaking changes |
+### 4. Deployment Strategy
+```markdown
+## Deployment Safety
+### Pre-Deployment
+- [ ] Feature flags configured
+- [ ] Canary deployment ready
+- [ ] Rollback procedure documented
+- [ ] Monitoring dashboards ready
+### Deployment
+- [ ] Gradual rollout (10% → 50% → 100%)
+- [ ] Health checks passing
+- [ ] Error rate monitored
+- [ ] Performance metrics stable
+### Post-Deployment
+- [ ] User feedback collected
+- [ ] Error spikes investigated
+- [ ] Performance regression checked
+- [ ] Documentation updated
+```
+---
+## Common Iteration Mistakes
+### Breaking Changes
+| Mistake | Impact | Prevention |
+|---------|--------|------------|
+| Renamed API field | Client apps break | Add new, deprecate old |
+| Changed response structure | Parse errors | Version the API |
+| Removed endpoint | 404 errors | Deprecation headers first |
+| Changed auth flow | Logout users | Migration period |
+### Database Pitfalls
+| Mistake | Impact | Prevention |
+|---------|--------|------------|
+| Drop column directly | Data loss | 3-phase: stop using → nullable → drop |
+| Add NOT NULL without default | Migration fails | Add default or nullable |
+| Rename column | Running code breaks | Add new, migrate, drop old |
+| Large table migration | Locks, downtime | Batched, off-peak |
+### Performance Regressions
+| Mistake | Impact | Prevention |
+|---------|--------|------------|
+| Added N+1 query | Slow pages | Query monitoring |
+| Larger bundle | Slow load | Bundle analyzer in CI |
+| Removed caching | Higher latency | Cache hit rate monitoring |
+| Added sync I/O | Blocked threads | Async-first pattern |
+---
+## Iteration Review Checklist
+```markdown
+## Version Iteration Review
+### Compatibility Analysis
+- [ ] API changes are additive only
+- [ ] Database migrations are reversible
+- [ ] Config changes have defaults
+- [ ] Client SDK still compatible
+### Change Impact
+- [ ] All changed files reviewed
+- [ ] Dependencies of changed files reviewed
+- [ ] Tests for changed code verified
+- [ ] Documentation updated
+### Risk Assessment
+| Change | Risk Level | Mitigation |
+|--------|------------|------------|
+| | Low/Medium/High | |
+### Deployment Plan
+- [ ] Feature flags for risky changes
+- [ ] Canary deployment configured
+- [ ] Rollback procedure ready
+- [ ] Monitoring alerts configured
+### Post-Release Verification
+- [ ] Smoke tests planned
+- [ ] Error monitoring in place
+- [ ] Performance baseline defined
+- [ ] User feedback channel ready
+```
+---
+## Safe Change Patterns
+### API Changes
+```python
+# 🔴 BAD: Breaking change
+# v1: {"name": "John"}
+# v2: {"full_name": "John"}  # Breaks clients!
+# ✅ GOOD: Additive change with deprecation
+# v2: {"name": "John", "full_name": "John"}  # Both fields
+# Response header: Deprecation: "name field deprecated, use full_name"
+```
+### Database Changes
+```sql
+-- 🔴 BAD: Direct column removal
+ALTER TABLE users DROP COLUMN old_field;
+-- ✅ GOOD: 3-phase removal
+-- Phase 1: Code stops using column
+-- Phase 2: Make nullable
+ALTER TABLE users ALTER COLUMN old_field DROP NOT NULL;
+-- Phase 3: Drop after verification period
+ALTER TABLE users DROP COLUMN old_field;
+```
+### Frontend State Changes
+```typescript
+// 🔴 BAD: Changed localStorage format
+// Old: localStorage.setItem('user', username)
+// New: localStorage.setItem('user', JSON.stringify({name: username}))
+// ✅ GOOD: Migration on read
+function getUser() {
+  const raw = localStorage.getItem('user');
+  if (!raw) return null;
+  try {
+    // Try new format first
+    return JSON.parse(raw);
+  } catch {
+    // Migrate old format
+    const migrated = { name: raw };
+    localStorage.setItem('user', JSON.stringify(migrated));
+    return migrated;
+  }
+}
+```
+---
+## Iteration Review Template
+```markdown
+# Version Iteration Review
+## Change Summary
+- **Version**: v1.x.x → v1.y.y
+- **Type**: Patch / Minor / Major
+- **Breaking Changes**: Yes / No
+- **Migration Required**: Yes / No
+## Changes Reviewed
+### Added
+-
+### Changed
+-
+### Deprecated
+-
+### Removed
+-
+## Compatibility Assessment
+| Aspect | Compatible | Notes |
+|--------|------------|-------|
+| API | ✅/❌ | |
+| Database | ✅/❌ | |
+| Config | ✅/❌ | |
+| Client SDK | ✅/❌ | |
+## Risk Analysis
+| Risk | Probability | Impact | Mitigation |
+|------|-------------|--------|------------|
+| | | | |
+## Deployment Recommendation
+**Ready for Release**: Yes / No
+**Required Before Release**:
+1.
+2.
+**Deployment Strategy**:
+- [ ] Canary
+- [ ] Blue-Green
+- [ ] Rolling
+- [ ] Big Bang
+**Rollback Plan**:
+```