@torus-engineering/tas-kit 1.10.0 → 1.12.0

package/{.claude → .tas}/rules/common/code-review.md

@@ -22,6 +22,15 @@ Before requesting review, ensure:
 - Merge conflicts are resolved
 - Branch is up to date with target branch
 
+## Review Criteria (priority order)
+
+1. **Security** — injection, auth bypass, data exposure, OWASP Top 10
+2. **Architecture** — violations of SAD, ADR decisions, layer boundaries
+3. **Correctness** — logic errors, edge cases, null handling
+4. **Conventions** — naming, structure, commit/branch format per CLAUDE.md
+5. **Test coverage** — missing tests for new logic
+6. **Performance** — obvious inefficiencies (N+1, unbounded loops, large allocations)
+
 ## Review Checklist
 
 Before marking code complete:
@@ -36,6 +45,23 @@ Before marking code complete:
 - [ ] Tests exist for new functionality
 - [ ] Test coverage meets 80% minimum
 
+## Output Format
+
+Findings grouped by severity, skip empty categories:
+
+```
+### Critical
+- `file.cs:42` — issue + suggested fix
+
+### High
+- `file.cs:15` — issue + suggested fix
+
+### Medium / Low
+- `file.cs:8` — issue
+```
+
+Every finding MUST reference specific `file:line` + propose fix. No general comments.
+
 ## Security Review Triggers
 
 **STOP and use security-reviewer agent when:**
@@ -59,16 +85,16 @@ Before marking code complete:
 
 ## Agent Usage
 
-Use these agents for code review:
+Use these agents for specialized concerns:
 
 | Agent | Purpose |
 |-------|---------|
-| **code-reviewer** | General code quality, patterns, best practices |
 | **security-reviewer** | Security vulnerabilities, OWASP Top 10 |
 | **typescript-reviewer** | TypeScript/JavaScript specific issues |
 | **python-reviewer** | Python specific issues |
-| **go-reviewer** | Go specific issues |
-| **rust-reviewer** | Rust specific issues |
+| **csharp-reviewer** | C#/.NET specific issues |
+
+General code review runs inline in main session reading this rule.
 
 ## Review Workflow
 
@@ -120,5 +146,3 @@ This rule works with:
 
 - [testing.md](testing.md) - Test coverage requirements
 - [security.md](security.md) - Security checklist
-- [git-workflow.md](git-workflow.md) - Commit standards
-- [agents.md](agents.md) - Agent delegation

package/.tas/rules/common/post-implementation-review.md

@@ -0,0 +1,51 @@
+# Post-Implementation Review (Isolated Agent)
+
+After implementing or fixing, run review through **independent Agent** — don't use current session to avoid reviewer bias from implementation process.
+
+## How to use
+
+Call `Agent` tool with following prompt (replace placeholders `{}`):
+
+```
+You are code reviewer. No context from previous session — review completely objectively.
+
+Artifact: {path-to-artifact-file}
+Changed files: {list of files just changed}
+Stack: {stack from CLAUDE.md}
+
+Execute:
+1. Hygiene scan: leftover debug code (console.log, debugger, print), hardcoded secrets,
+   large commented-out blocks (>5 lines).
+1b. Silent failure scan — find following patterns:
+   - Swallowed exceptions: empty catch {}, catch only logs but continues like no error
+   - Silent async failures: fire-and-forget (unawaited task/Promise), async void (.NET),
+     .catch(() => {}) with no handling
+   - Null blindspots: .FirstOrDefault() used directly without null-check (.NET),
+     missing optional chaining on deeply nested object access (TS/JS),
+     dict.get() result used as non-None (Python)
+   - Error propagation wrong: HTTP calls don't check status before parse,
+     function returns bool/null when error instead of throwing (caller ignores result)
+   - Config reads don't check existence
+2. Run tests: detect test runner (package.json → npm test / *.csproj → dotnet test /
+   pytest.ini → python -m pytest), report results.
+3. Inline general review (this agent, read .tas/rules/common/code-review.md):
+   Focus: naming, architecture, error handling, DRY, function size, nesting depth.
+3b. Parallel specialized agents — launch simultaneously:
+   - security-reviewer: read .tas/rules/common/security.md.
+     Focus: OWASP Top 10, injection, hardcoded secrets, auth/authz.
+   - {lang_agent}: read .tas/rules/[stack]/coding-style.md + .tas/rules/[stack]/patterns.md.
+     Focus: async/await, null handling, type safety, stack-specific anti-patterns.
+   - database-reviewer (only when {db_agent} = database-reviewer AND scope touches schema/migrations/queries):
+     Focus: schema correctness, migration safety, missing indexes, N+1 patterns, data integrity.
+4. Synthesize findings: Critical / High / Medium / Low with file:line and specific fix.
+
+Return full Review Summary.
+```
+
+## Gate Rule
+
+| Result | Action |
+|---|---|
+| Has **Critical** or **High** or **Medium** | List findings, **STOP**, require fix before continuing |
+| Only **Low** | List suggestions, ask if user wants to fix, then continue |
+| No findings | Continue normally |

package/{.claude → .tas}/rules/common/project-status.md

@@ -1,80 +1,80 @@
-# project-status.yaml — Update Convention
-
-File `project-status.yaml` ở project root là index tổng hợp trạng thái dự án.
-Commands cập nhật file này sau mỗi thay đổi artifact hoặc status.
-
-## Luôn cập nhật
-
-```yaml
-last_updated: YYYY-MM-DD   # ngày hiện tại, mỗi lần có thay đổi
-```
-
-## Artifacts (docs đơn lẻ)
-
-Cập nhật khi tạo mới hoặc thay đổi version:
-
-```yaml
-artifacts:
-  prd:
-    file: docs/prd.md
-    status: Draft | Review | Approved
-    last_updated: YYYY-MM-DD
-    version: "1.0"           # tăng minor khi update nội dung, major khi thay đổi lớn
-    requirements_count: N    # chỉ dành cho PRD — đếm số FR-xxx
-
-  sad:
-    file: docs/sad.md
-    status: Draft | Review | Approved
-    last_updated: YYYY-MM-DD
-    version: "1.0"
-
-  design_spec:
-    file: docs/design-spec.md
-    status: Draft | Review | Approved
-    last_updated: YYYY-MM-DD
-    version: "1.0"
-
-  security_report:
-    file: docs/security-report.md
-    status: "Critical findings present" | "Clean"
-    last_updated: YYYY-MM-DD
-```
-
-## Epics / Features / Stories
-
-Cập nhật khi tạo mới hoặc status thay đổi:
-
-```yaml
-epics:
-  Epic-001:
-    path: docs/epics/{code}-Epic-001-{slug}/
-    status: Draft | Active | Done
-    title: "..."
-    effort: S | M | L | XL
-    features:
-      Feature-001:
-        status: New | In Progress | Ready To Verify | Verified | Done
-        title: "..."
-        stories:
-          Story-001:
-            status: New | Committed | In Progress | Deploy Test | Verify Test | Done
-            title: "..."
-            plan_status: pending | completed
-```
-
-## ADRs
-
-```yaml
-adrs:
-  ADR-001:
-    file: docs/adr/ADR-001-{slug}.md
-    status: Proposed | Accepted | Deprecated | Superseded
-    title: "..."
-```
-
-## Quy tắc
-
-- Chỉ cập nhật key liên quan đến thay đổi vừa xảy ra — không rewrite toàn bộ file
-- Nếu key chưa tồn tại: thêm mới
-- Nếu key đã tồn tại: cập nhật giá trị
-- Version: minor (+0.1) khi update nội dung; major (+1.0) khi thay đổi cấu trúc lớn
+# project-status.yaml — Update Convention
+
+File `project-status.yaml` at project root is aggregate index of project status.
+Commands update this file after each artifact or status change.
+
+## Always update
+
+```yaml
+last_updated: YYYY-MM-DD   # current date, each time there's a change
+```
+
+## Artifacts (individual docs)
+
+Update when creating new or changing version:
+
+```yaml
+artifacts:
+  prd:
+    file: docs/prd.md
+    status: Draft | Review | Approved
+    last_updated: YYYY-MM-DD
+    version: "1.0"           # increment minor when updating content, major for large changes
+    requirements_count: N    # only for PRD — count of FR-xxx
+
+  sad:
+    file: docs/sad.md
+    status: Draft | Review | Approved
+    last_updated: YYYY-MM-DD
+    version: "1.0"
+
+  design_spec:
+    file: docs/design-spec.md
+    status: Draft | Review | Approved
+    last_updated: YYYY-MM-DD
+    version: "1.0"
+
+  security_report:
+    file: docs/security-report.md
+    status: "Critical findings present" | "Clean"
+    last_updated: YYYY-MM-DD
+```
+
+## Epics / Features / Stories
+
+Update when creating new or changing status:
+
+```yaml
+epics:
+  Epic-001:
+    path: docs/epics/{code}-Epic-001-{slug}/
+    status: Draft | Active | Done
+    title: "..."
+    effort: S | M | L | XL
+    features:
+      Feature-001:
+        status: New | In Progress | Ready To Verify | Verified | Done
+        title: "..."
+        stories:
+          Story-001:
+            status: New | Committed | In Progress | Deploy Test | Verify Test | Done
+            title: "..."
+            plan_status: pending | completed
+```
+
+## ADRs
+
+```yaml
+adrs:
+  ADR-001:
+    file: docs/adr/ADR-001-{slug}.md
+    status: Proposed | Accepted | Deprecated | Superseded
+    title: "..."
+```
+
+## Rules
+
+- Only update key related to change just occurred — don't rewrite entire file
+- If key doesn't exist yet: add new
+- If key exists: update value
+- Version: minor (+0.1) when updating content; major (+1.0) when large structure change

package/.tas/rules/common/stack-detection.md

@@ -0,0 +1,29 @@
+# Stack Detection
+
+Read `CLAUDE.md` at root, find `## Tech Stack` section, determine following variables for use in agent prompts and rule file lookups.
+
+## lang_agent — Backend
+
+| Tech Stack contains | lang_agent |
+|---|---|
+| `.NET` / `C#` | `csharp-reviewer` |
+| `Node.js` / `TypeScript` / `NestJS` / `Express` | `typescript-reviewer` |
+| `Python` / `FastAPI` / `Django` / `Flask` | `python-reviewer` |
+
+**Frontend addition:** if Tech Stack contains `React` → add `typescript-reviewer` to lang_agent (if not already).
+
+## infra_agent and db_agent — Optional
+
+| Tech Stack contains | Variable | Value |
+|---|---|---|
+| `AWS` (Infrastructure) | `infra_agent` | `aws-reviewer` |
+| `MySQL` / `PostgreSQL` / `MSSQL` / `SQL Server` / `SQLite` | `db_agent` | `database-reviewer` |
+
+## Rules directory by stack
+
+| lang_agent | Rules directory |
+|---|---|
+| `csharp-reviewer` | `.tas/rules/csharp/` |
+| `typescript-reviewer` | `.tas/rules/typescript/` |
+| `python-reviewer` | `.tas/rules/python/` |
+| Frontend / React | `.tas/rules/web/` |

package/.tas/rules/common/story-done.md

@@ -0,0 +1,30 @@
+# Definition of Done
+
+Workflow gate used by `/tas-dev` Step 5 — verify each item before marking Story complete.
+
+## Code
+
+- [ ] Code implemented per acceptance criteria
+- [ ] Follows conventions in CLAUDE.md
+- [ ] Each public method has doc comment (XML doc / JSDoc / docstring)
+
+## Testing
+
+- [ ] Unit tests pass (happy path + edge cases + negative cases)
+- [ ] No regression on existing tests
+
+## Review
+
+- [ ] Code review passed (per `.tas/rules/common/code-review.md`)
+- [ ] If `auto_review = true`, passed automated review
+
+## Documentation
+
+- [ ] Technical notes in Story updated
+- [ ] If API changes, corresponding docs updated
+
+## Status
+
+- [ ] Story status updated in Story file
+- [ ] `project-status.yaml` updated
+- [ ] Commit message follows correct format

package/.tas/rules/common/tdd.md

@@ -0,0 +1,89 @@
+# TDD Workflow Rules
+
+When `use_tdd=true` in `tas.yaml`, enforce strict Red-Green-Refactor cycle.
+No exceptions — every feature starts with test.
+
+## When to Apply
+
+- Implement new feature per Story with clear acceptance criteria
+- Bug fix: write regression test before fixing
+- Refactor: ensure test coverage before changing code
+- DON'T use TDD for: config changes, documentation, pure data migration scripts
+
+## Always / Ask / Never
+
+| | Action |
+|---|---|
+| **Always** | Write test FIRST, run to confirm FAIL, then write code |
+| **Always** | Commit after each successful Green phase |
+| **Always** | Run full test suite after Refactor phase |
+| **Ask** | When acceptance criteria vague — clarify before writing test |
+| **Ask** | When test too hard to write — interface/design may need improvement |
+| **Never** | Write implementation before test (even "just to try") |
+| **Never** | Skip Red phase because "test will obviously fail" |
+| **Never** | Write more than minimal code needed to pass test in Green phase |
+
+## Process
+
+### Red Phase — Write Test First
+
+1. Read acceptance criteria in Story
+2. Write test cases covering each criteria (platform-specific stacks per `/tas-dev`)
+3. Run tests: `npm test` / `yarn test` / `dotnet test` / `python -m pytest`
+4. **Verify**: tests MUST FAIL — if pass immediately → test is wrong, rewrite
+
+### Green Phase — Minimal Code
+
+1. Write minimal code to pass tests
+2. Don't refactor, don't optimize in this phase
+3. Run tests: confirm PASS
+4. **Verify**: all new tests pass, no regression
+
+### Refactor Phase — Clean Up
+
+1. Remove duplication, improve naming, reduce complexity
+2. DON'T change behavior — tests are safety net
+3. Run full test suite after each refactor step
+4. **Verify**: coverage >= 80%, all tests still pass
+5. Commit after successful refactor
+
+## Red Flags
+
+- Test passes on first run before implementation → test doesn't test what it should
+- Test too broad ("everything works") → no value, write more specific test
+- Green phase has too much logic → only write enough to pass, no more
+- Refactor phase makes tests fail → refactor is wrong, roll back step by step
+- Writing multiple tests at once before fixing each → only fix one test at a time
+
+## Verification Checklist
+
+- [ ] Red: test file exists and runs with FAIL output
+- [ ] Green: test output changes from FAIL → PASS after adding implementation
+- [ ] Refactor: `npm test` / `dotnet test` / `pytest` full suite PASS
+- [ ] Coverage report: >= 80% for changed files
+- [ ] No tests skipped or commented out
+
+## Test Naming Convention
+
+```
+{PROJECT}_E{EPIC}_F{FEATURE}_S{STORY}_{TYPE}_{NUMBER}_{MODIFIER}
+```
+
+| TYPE | Meaning | Layer |
+|------|---------|-------|
+| UT | Unit Test | 1 |
+| IT | Integration Test | 1 |
+| API | API Test | 1 |
+| FT | Functional Test | 2 |
+| E2E | End-to-End Test | 3 |
+
+MODIFIER: `H` (Happy), `N` (Negative), `E` (Edge), `S` (Security), `P` (Performance)
+
+## Anti-Rationalization
+
+| Rationalization | Counter |
+|---|---|
+| "Test will obviously fail, no need to run" | Skipping Red phase loses verification point — always run |
+| "Writing test after is faster" | TDD saves more debugging time than time spent writing tests first |
+| "This code is too simple for tests" | Simple today, complex after refactor — tests protect future changes |
+| "Interface not clear, write code first for clarity" | Test hard to write is signal interface needs improvement — Ask, don't skip |

package/{.claude → .tas}/rules/common/testing.md

@@ -19,14 +19,9 @@ MANDATORY workflow:
 
 ## Troubleshooting Test Failures
 
-1. Use **tdd-guide** agent
-2. Check test isolation
-3. Verify mocks are correct
-4. Fix implementation, not tests (unless tests are wrong)
-
-## Agent Support
-
-- **tdd-guide** - Use PROACTIVELY for new features, enforces write-tests-first
+1. Check test isolation
+2. Verify mocks are correct
+3. Fix implementation, not tests (unless tests are wrong)
 
 ## PR Test Gap Analysis
 

package/.tas/rules/common/token-logging.md

@@ -0,0 +1,36 @@
+# Token Usage Logging
+
+Write `## AI Usage Log` at end of artifact file when TAS command completes.
+
+## Process
+
+1. Identify artifact file: from invocation (if specified) or last `docs/` file Write/Edit in session.
+2. Read this file for format and update rules.
+3. Read artifact file — check if `## AI Usage Log` already exists.
+4. Write or update section. Silent on success — no output to conversation.
+
+DO NOT apply when: user manually edits file or uses non-TAS commands.
+
+## Token Estimation
+
+Estimate from session awareness: character count of each file `Read` ÷ 4 ≈ tokens (English/code), ÷ 2 (Vietnamese).
+Character count of artifact output ÷ 4. Always append `(est.)`. User verifies with `/cost` (CLI) or `/context` (Desktop app).
+
+## Format
+
+```markdown
+---
+
+## AI Usage Log
+
+| # | Date | Command | Input (est.) | Output (est.) |
+|---|------|---------|-------------|---------------|
+| 1 | YYYY-MM-DD | /tas-{name} | ~{N}k | ~{N}k |
+| 2 | YYYY-MM-DD | /tas-{name} (revision) | ~{N}k | ~{N}k |
+| **Total** | | | **~{N}k** | **~{N}k** |
+```
+
+## Update Rules
+
+- **First time**: section doesn't exist → append entire section with first row and Total row
+- **Subsequent**: append new row before Total row, update Total (cumulative)

package/{.claude → .tas}/rules/csharp/api-testing.md

@@ -7,13 +7,13 @@ paths:
 
 # C# API Automation Testing
 
-> Dùng bởi `/tas-api-test`. Extends [csharp/testing.md](./testing.md).
+> Used by `/tas-apitest`. Extends [csharp/testing.md](./testing.md).
 
 ## Tech Stack
 
-| Thành phần | Lựa chọn |
+| Component | Choice |
 |---|---|
-| Framework | xUnit (default) — match project nếu đã dùng MSTest/NUnit |
+| Framework | xUnit (default) — match project if already using MSTest/NUnit |
 | Assertions | FluentAssertions |
 | HTTP | System.Net.Http.HttpClient |
 | Config | Microsoft.Extensions.Configuration + JSON/EnvVars |
@@ -33,7 +33,7 @@ paths:
 
 ```
 tests/ApiTests/
-  appsettings.json          # base (không có secrets thật)
+  appsettings.json          # base (no real secrets)
   appsettings.Test.json     # Test env override
   appsettings.Staging.json  # Staging env override
   .gitignore                # appsettings.*.local.json
@@ -42,7 +42,7 @@ tests/ApiTests/
     TestBase.cs
   v1/
     UsersApiTests.cs
-  v2/                       # APPEND-ONLY: không sửa v1
+  v2/                       # APPEND-ONLY: don't modify v1
     UsersApiTests.cs
 ```
 
@@ -116,18 +116,18 @@ public abstract class TestBase : IAsyncLifetime
 }
 ```
 
-## Test Class Header (bắt buộc)
+## Test Class Header (required)
 
 ```csharp
 // ============================================================
 // {Resource} API Tests — v{N}
 // Spec: {spec-file}  |  Generated: {YYYY-MM-DD}  |  Story: {ID}
-// APPEND-ONLY: không sửa methods đã tồn tại.
+// APPEND-ONLY: don't modify existing methods.
 // ============================================================
 namespace ApiTests.V{N};
 public sealed class {Resource}ApiTests : TestBase
 {
-    // Inline DTOs — không import từ production code
+    // Inline DTOs — don't import from production code
     private sealed record {Resource}Dto(Guid Id, string Name);
     private sealed record ListResponse<T>(IReadOnlyList<T> Data, int Total);
 }
@@ -139,33 +139,33 @@ public sealed class {Resource}ApiTests : TestBase
 {HttpMethod}_{Resource}_Returns{Status}_When{Condition}
 ```
 
-Ví dụ: `GetById_User_Returns200_WhenExists`, `Create_Order_Returns422_WhenEmailInvalid`
+Example: `GetById_User_Returns200_WhenExists`, `Create_Order_Returns422_WhenEmailInvalid`
 
-AC test: comment `// AC: {text}` ngay dưới XML doc.
+AC test: comment `// AC: {text}` right below XML doc.
 
-## XML Doc (bắt buộc trên mỗi test)
+## XML Doc (required on each test)
 
 ```csharp
-/// <summary>Verify {METHOD} {path} → {status} khi {condition}. Spec: {ref}</summary>
+/// <summary>Verify {METHOD} {path} → {status} when {condition}. Spec: {ref}</summary>
 [Fact]
 public async Task ...
 ```
 
 ## Coverage Matrix
 
-| Điều kiện | Status | Khi nào |
+| Condition | Status | When |
 |---|---|---|
-| Valid, authenticated | 2xx | Luôn |
-| Không có token | 401 | Endpoint yêu cầu auth |
-| Không đủ quyền | 403 | RBAC / ownership |
-| `{id}` không tồn tại | 404 | Có path param |
-| Required field thiếu/sai | 400/422 | Có request body |
-| Business rule (từ AC) | 4xx | Story có AC tương ứng |
+| Valid, authenticated | 2xx | Always |
+| No token | 401 | Endpoint requires auth |
+| Insufficient permission | 403 | RBAC / ownership |
+| `{id}` doesn't exist | 404 | Has path param |
+| Required field missing/invalid | 400/422 | Has request body |
+| Business rule (from AC) | 4xx | Story has corresponding AC |
 
 ## CI/CD Env Vars
 
 ```
 ASPNETCORE_ENVIRONMENT=Test
-APITEST__AUTH__USERNAME=...   # double __ cho nested key
+APITEST__AUTH__USERNAME=...   # double __ for nested key
 APITEST__AUTH__PASSWORD=...
 ```

package/{.claude → .tas}/rules/csharp/coding-style.md

@@ -5,8 +5,6 @@ paths:
 ---
 # C# Coding Style
 
-> This file extends [common/coding-style.md](../common/coding-style.md) with C#-specific content.
-
 ## Standards
 
 - Follow current .NET conventions and enable nullable reference types

package/{.claude → .tas}/rules/csharp/security.md

@@ -53,6 +53,16 @@ await connection.QueryAsync<Order>(sql, new { customerId });
 - Log detailed exceptions with structured context server-side
 - Do not expose stack traces, SQL text, or filesystem paths in API responses
 
+## Web / API Hardening
+
+- Enforce HTTPS in production (`app.UseHttpsRedirection()`)
+- Enable HSTS (`app.UseHsts()`)
+- Add security headers: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Content-Security-Policy`
+- CORS policy must be restrictive — list allowed origins explicitly, never `AllowAnyOrigin()` in production
+- Anti-forgery token required for state-changing form posts (`[ValidateAntiForgeryToken]`)
+- File upload validation: check size limit, allowed MIME types, sanitize file name, scan for malware before persisting
+- Encrypt PII at rest (column-level encryption, Always Encrypted, or transparent data encryption)
+
 ## References
 
 See skill: `security-review` for broader application security review checklists.

package/{.claude → .tas}/rules/python/coding-style.md

@@ -5,8 +5,6 @@ paths:
 ---
 # Python Coding Style
 
-> This file extends [common/coding-style.md](../common/coding-style.md) with Python specific content.
-
 ## Standards
 
 - Follow **PEP 8** conventions

package/{.claude → .tas}/rules/typescript/coding-style.md

@@ -7,8 +7,6 @@ paths:
 ---
 # TypeScript/JavaScript Coding Style
 
-> This file extends [common/coding-style.md](../common/coding-style.md) with TypeScript/JavaScript specific content.
-
 ## Types and Interfaces
 
 Use types to make public APIs, shared models, and component props explicit, readable, and reusable.