@torus-engineering/tas-kit 1.11.1 → 1.13.0

package/{.claude → .tas}/rules/common/code-review.md

@@ -22,6 +22,15 @@ Before requesting review, ensure:
 - Merge conflicts are resolved
 - Branch is up to date with target branch
 
+## Review Criteria (priority order)
+
+1. **Security** — injection, auth bypass, data exposure, OWASP Top 10
+2. **Architecture** — violations of SAD, ADR decisions, layer boundaries
+3. **Correctness** — logic errors, edge cases, null handling
+4. **Conventions** — naming, structure, commit/branch format per CLAUDE.md
+5. **Test coverage** — missing tests for new logic
+6. **Performance** — obvious inefficiencies (N+1, unbounded loops, large allocations)
+
 ## Review Checklist
 
 Before marking code complete:
@@ -36,6 +45,23 @@ Before marking code complete:
 - [ ] Tests exist for new functionality
 - [ ] Test coverage meets 80% minimum
 
+## Output Format
+
+Findings grouped by severity, skip empty categories:
+
+```
+### Critical
+- `file.cs:42` — issue + suggested fix
+
+### High
+- `file.cs:15` — issue + suggested fix
+
+### Medium / Low
+- `file.cs:8` — issue
+```
+
+Every finding MUST reference specific `file:line` + propose fix. No general comments.
+
 ## Security Review Triggers
 
 **STOP and use security-reviewer agent when:**
@@ -59,16 +85,16 @@ Before marking code complete:
 
 ## Agent Usage
 
-Use these agents for code review:
+Use these agents for specialized concerns:
 
 | Agent | Purpose |
 |-------|---------|
-| **code-reviewer** | General code quality, patterns, best practices |
 | **security-reviewer** | Security vulnerabilities, OWASP Top 10 |
 | **typescript-reviewer** | TypeScript/JavaScript specific issues |
 | **python-reviewer** | Python specific issues |
-| **go-reviewer** | Go specific issues |
-| **rust-reviewer** | Rust specific issues |
+| **csharp-reviewer** | C#/.NET specific issues |
+
+General code review runs inline in main session reading this rule.
 
 ## Review Workflow
 
@@ -120,5 +146,3 @@ This rule works with:
 
 - [testing.md](testing.md) - Test coverage requirements
 - [security.md](security.md) - Security checklist
-- [git-workflow.md](git-workflow.md) - Commit standards
-- [agents.md](agents.md) - Agent delegation

package/{.claude/rules/common/post-review-agent.md → .tas/rules/common/post-implementation-review.md}

@@ -1,49 +1,51 @@
-# Post-Implementation Review (Isolated Agent)
-
-After implementing or fixing, run review through **independent Agent** — don't use current session to avoid reviewer bias from implementation process.
-
-## How to use
-
-Call `Agent` tool with following prompt (replace placeholders `{}`):
-
-```
-You are code reviewer. No context from previous session — review completely objectively.
-
-Artifact: {path-to-artifact-file}
-Changed files: {list of files just changed}
-Stack: {stack from CLAUDE.md}
-
-Execute:
-1. Hygiene scan: leftover debug code (console.log, debugger, print), hardcoded secrets,
-   large commented-out blocks (>5 lines).
-1b. Silent failure scan — find following patterns:
-   - Swallowed exceptions: empty catch {}, catch only logs but continues like no error
-   - Silent async failures: fire-and-forget (unawaited task/Promise), async void (.NET),
-     .catch(() => {}) with no handling
-   - Null blindspots: .FirstOrDefault() used directly without null-check (.NET),
-     missing optional chaining on deeply nested object access (TS/JS),
-     dict.get() result used as non-None (Python)
-   - Error propagation wrong: HTTP calls don't check status before parse,
-     function returns bool/null when error instead of throwing (caller ignores result)
-   - Config reads don't check existence
-2. Run tests: detect test runner (package.json → npm test / *.csproj → dotnet test /
-   pytest.ini → python -m pytest), report results.
-3. Parallel review — launch simultaneously:
-   - code-reviewer: read .tas/checklists/code-review.md + .claude/rules/common/code-review.md.
-     Focus: naming, architecture, error handling, DRY, function size, nesting depth.
-   - security-reviewer: read .claude/rules/common/security.md.
-     Focus: OWASP Top 10, injection, hardcoded secrets, auth/authz.
-   - {lang_agent}: read .claude/rules/[stack]/coding-style.md + .claude/rules/[stack]/patterns.md.
-     Focus: async/await, null handling, type safety, stack-specific anti-patterns.
-4. Synthesize findings: Critical / High / Medium / Low with file:line and specific fix.
-
-Return full Review Summary.
-```
-
-## Gate Rule
-
-| Result | Action |
-|---|---|
-| Has **Critical** or **High** | List findings, **STOP**, require fix before continuing |
-| Only **Medium** / **Low** | List suggestions, ask if user wants to fix, then continue |
-| No findings | Continue normally |
+# Post-Implementation Review (Isolated Agent)
+
+After implementing or fixing, run review through **independent Agent** — don't use current session to avoid reviewer bias from implementation process.
+
+## How to use
+
+Call `Agent` tool with following prompt (replace placeholders `{}`):
+
+```
+You are code reviewer. No context from previous session — review completely objectively.
+
+Artifact: {path-to-artifact-file}
+Changed files: {list of files just changed}
+Stack: {stack from CLAUDE.md}
+
+Execute:
+1. Hygiene scan: leftover debug code (console.log, debugger, print), hardcoded secrets,
+   large commented-out blocks (>5 lines).
+1b. Silent failure scan — find following patterns:
+   - Swallowed exceptions: empty catch {}, catch only logs but continues like no error
+   - Silent async failures: fire-and-forget (unawaited task/Promise), async void (.NET),
+     .catch(() => {}) with no handling
+   - Null blindspots: .FirstOrDefault() used directly without null-check (.NET),
+     missing optional chaining on deeply nested object access (TS/JS),
+     dict.get() result used as non-None (Python)
+   - Error propagation wrong: HTTP calls don't check status before parse,
+     function returns bool/null when error instead of throwing (caller ignores result)
+   - Config reads don't check existence
+2. Run tests: detect test runner (package.json → npm test / *.csproj → dotnet test /
+   pytest.ini → python -m pytest), report results.
+3. Inline general review (this agent, read .tas/rules/common/code-review.md):
+   Focus: naming, architecture, error handling, DRY, function size, nesting depth.
+3b. Parallel specialized agents — launch simultaneously:
+   - security-reviewer: read .tas/rules/common/security.md.
+     Focus: OWASP Top 10, injection, hardcoded secrets, auth/authz.
+   - {lang_agent}: read .tas/rules/[stack]/coding-style.md + .tas/rules/[stack]/patterns.md.
+     Focus: async/await, null handling, type safety, stack-specific anti-patterns.
+   - database-reviewer (only when {db_agent} = database-reviewer AND scope touches schema/migrations/queries):
+     Focus: schema correctness, migration safety, missing indexes, N+1 patterns, data integrity.
+4. Synthesize findings: Critical / High / Medium / Low with file:line and specific fix.
+
+Return full Review Summary.
+```
+
+## Gate Rule
+
+| Result | Action |
+|---|---|
+| Has **Critical** or **High** or **Medium** | List findings, **STOP**, require fix before continuing |
+| Only **Low** | List suggestions, ask if user wants to fix, then continue |
+| No findings | Continue normally |

package/{.claude → .tas}/rules/common/project-status.md

@@ -1,80 +1,80 @@
-# project-status.yaml — Update Convention
-
-File `project-status.yaml` at project root is aggregate index of project status.
-Commands update this file after each artifact or status change.
-
-## Always update
-
-```yaml
-last_updated: YYYY-MM-DD   # current date, each time there's a change
-```
-
-## Artifacts (individual docs)
-
-Update when creating new or changing version:
-
-```yaml
-artifacts:
-  prd:
-    file: docs/prd.md
-    status: Draft | Review | Approved
-    last_updated: YYYY-MM-DD
-    version: "1.0"           # increment minor when updating content, major for large changes
-    requirements_count: N    # only for PRD — count of FR-xxx
-
-  sad:
-    file: docs/sad.md
-    status: Draft | Review | Approved
-    last_updated: YYYY-MM-DD
-    version: "1.0"
-
-  design_spec:
-    file: docs/design-spec.md
-    status: Draft | Review | Approved
-    last_updated: YYYY-MM-DD
-    version: "1.0"
-
-  security_report:
-    file: docs/security-report.md
-    status: "Critical findings present" | "Clean"
-    last_updated: YYYY-MM-DD
-```
-
-## Epics / Features / Stories
-
-Update when creating new or changing status:
-
-```yaml
-epics:
-  Epic-001:
-    path: docs/epics/{code}-Epic-001-{slug}/
-    status: Draft | Active | Done
-    title: "..."
-    effort: S | M | L | XL
-    features:
-      Feature-001:
-        status: New | In Progress | Ready To Verify | Verified | Done
-        title: "..."
-        stories:
-          Story-001:
-            status: New | Committed | In Progress | Deploy Test | Verify Test | Done
-            title: "..."
-            plan_status: pending | completed
-```
-
-## ADRs
-
-```yaml
-adrs:
-  ADR-001:
-    file: docs/adr/ADR-001-{slug}.md
-    status: Proposed | Accepted | Deprecated | Superseded
-    title: "..."
-```
-
-## Rules
-
-- Only update key related to change just occurred — don't rewrite entire file
-- If key doesn't exist yet: add new
-- If key exists: update value
-- Version: minor (+0.1) when updating content; major (+1.0) when large structure change
+# project-status.yaml — Update Convention
+
+File `project-status.yaml` at project root is aggregate index of project status.
+Commands update this file after each artifact or status change.
+
+## Always update
+
+```yaml
+last_updated: YYYY-MM-DD   # current date, each time there's a change
+```
+
+## Artifacts (individual docs)
+
+Update when creating new or changing version:
+
+```yaml
+artifacts:
+  prd:
+    file: docs/prd.md
+    status: Draft | Review | Approved
+    last_updated: YYYY-MM-DD
+    version: "1.0"           # increment minor when updating content, major for large changes
+    requirements_count: N    # only for PRD — count of FR-xxx
+
+  sad:
+    file: docs/sad.md
+    status: Draft | Review | Approved
+    last_updated: YYYY-MM-DD
+    version: "1.0"
+
+  design_spec:
+    file: docs/design-spec.md
+    status: Draft | Review | Approved
+    last_updated: YYYY-MM-DD
+    version: "1.0"
+
+  security_report:
+    file: docs/security-report.md
+    status: "Critical findings present" | "Clean"
+    last_updated: YYYY-MM-DD
+```
+
+## Epics / Features / Stories
+
+Update when creating new or changing status:
+
+```yaml
+epics:
+  Epic-001:
+    path: docs/epics/{code}-Epic-001-{slug}/
+    status: Draft | Active | Done
+    title: "..."
+    effort: S | M | L | XL
+    features:
+      Feature-001:
+        status: New | In Progress | Ready To Verify | Verified | Done
+        title: "..."
+        stories:
+          Story-001:
+            status: New | Committed | In Progress | Deploy Test | Verify Test | Done
+            title: "..."
+            plan_status: pending | completed
+```
+
+## ADRs
+
+```yaml
+adrs:
+  ADR-001:
+    file: docs/adr/ADR-001-{slug}.md
+    status: Proposed | Accepted | Deprecated | Superseded
+    title: "..."
+```
+
+## Rules
+
+- Only update key related to change just occurred — don't rewrite entire file
+- If key doesn't exist yet: add new
+- If key exists: update value
+- Version: minor (+0.1) when updating content; major (+1.0) when large structure change

package/{.claude → .tas}/rules/common/stack-detection.md

@@ -1,29 +1,29 @@
-# Stack Detection
-
-Read `CLAUDE.md` at root, find `## Tech Stack` section, determine following variables for use in agent prompts and rule file lookups.
-
-## lang_agent — Backend
-
-| Tech Stack contains | lang_agent |
-|---|---|
-| `.NET` / `C#` | `csharp-reviewer` |
-| `Node.js` / `TypeScript` / `NestJS` / `Express` | `typescript-reviewer` |
-| `Python` / `FastAPI` / `Django` / `Flask` | `python-reviewer` |
-
-**Frontend addition:** if Tech Stack contains `React` → add `typescript-reviewer` to lang_agent (if not already).
-
-## infra_agent and db_agent — Optional
-
-| Tech Stack contains | Variable | Value |
-|---|---|---|
-| `AWS` (Infrastructure) | `infra_agent` | `aws-reviewer` |
-| `MySQL` / `PostgreSQL` / `MSSQL` / `SQL Server` / `SQLite` | `db_agent` | `database-reviewer` |
-
-## Rules directory by stack
-
-| lang_agent | Rules directory |
-|---|---|
-| `csharp-reviewer` | `.claude/rules/csharp/` |
-| `typescript-reviewer` | `.claude/rules/typescript/` |
-| `python-reviewer` | `.claude/rules/python/` |
-| Frontend / React | `.claude/rules/web/` |
+# Stack Detection
+
+Read `CLAUDE.md` at root, find `## Tech Stack` section, determine following variables for use in agent prompts and rule file lookups.
+
+## lang_agent — Backend
+
+| Tech Stack contains | lang_agent |
+|---|---|
+| `.NET` / `C#` | `csharp-reviewer` |
+| `Node.js` / `TypeScript` / `NestJS` / `Express` | `typescript-reviewer` |
+| `Python` / `FastAPI` / `Django` / `Flask` | `python-reviewer` |
+
+**Frontend addition:** if Tech Stack contains `React` → add `typescript-reviewer` to lang_agent (if not already).
+
+## infra_agent and db_agent — Optional
+
+| Tech Stack contains | Variable | Value |
+|---|---|---|
+| `AWS` (Infrastructure) | `infra_agent` | `aws-reviewer` |
+| `MySQL` / `PostgreSQL` / `MSSQL` / `SQL Server` / `SQLite` | `db_agent` | `database-reviewer` |
+
+## Rules directory by stack
+
+| lang_agent | Rules directory |
+|---|---|
+| `csharp-reviewer` | `.tas/rules/csharp/` |
+| `typescript-reviewer` | `.tas/rules/typescript/` |
+| `python-reviewer` | `.tas/rules/python/` |
+| Frontend / React | `.tas/rules/web/` |

package/.tas/{checklists → rules/common}/story-done.md

@@ -1,23 +1,30 @@
-# Definition of Done Checklist
+# Definition of Done
+
+Workflow gate used by `/tas-dev` Step 5 — verify each item before marking Story complete.
 
 ## Code
+
 - [ ] Code implemented per acceptance criteria
 - [ ] Follows conventions in CLAUDE.md
-- [ ] Each public method has XML doc comment
+- [ ] Each public method has doc comment (XML doc / JSDoc / docstring)
 
 ## Testing
+
 - [ ] Unit tests pass (happy path + edge cases + negative cases)
 - [ ] No regression on existing tests
 
 ## Review
-- [ ] Code review passed (per code-review checklist)
-- [ ] If auto_review = true, passed automated review
+
+- [ ] Code review passed (per `.tas/rules/common/code-review.md`)
+- [ ] If `auto_review = true`, passed automated review
 
 ## Documentation
+
 - [ ] Technical notes in Story updated
 - [ ] If API changes, corresponding docs updated
 
 ## Status
+
 - [ ] Story status updated in Story file
-- [ ] project-status.yaml updated
+- [ ] `project-status.yaml` updated
 - [ ] Commit message follows correct format

package/{.claude/skills/tas-tdd/SKILL.md → .tas/rules/common/tdd.md}

@@ -1,18 +1,9 @@
----
-name: tas-tdd
-description: |
-  TDD workflow. Auto-invoke when: user implements new feature, writes tests,
-  or when use_tdd=true in tas.yaml. Enforce Red-Green-Refactor cycle
-  with verification gates between each phase.
-allowed-tools: Read, Write, Edit, Bash, Grep
----
-
-# TAS TDD Workflow
+# TDD Workflow Rules
 
 When `use_tdd=true` in `tas.yaml`, enforce strict Red-Green-Refactor cycle.
 No exceptions — every feature starts with test.
 
-## When to Use
+## When to Apply
 
 - Implement new feature per Story with clear acceptance criteria
 - Bug fix: write regression test before fixing
@@ -37,30 +28,7 @@ No exceptions — every feature starts with test.
 ### Red Phase — Write Test First
 
 1. Read acceptance criteria in Story
-2. Write test cases covering each criteria per platform:
-
-   **Mobile (React Native)**:
-   - **Unit Tests (REQUIRED)**: Jest + React Testing Library
-     - Components: `render`, `fireEvent`, `screen` queries
-     - Hooks: `renderHook` from `@testing-library/react-hooks`
-     - Services/API: Jest mocks + MSW
-     - Utils: Pure function testing
-     - Zustand stores: Test actions + selectors
-   - **E2E Tests**: Detox
-
-   **Web (React + Node)**:
-   - **Unit Tests (REQUIRED)**: Vitest/Jest + React Testing Library
-     - Components: `render`, `fireEvent`, `screen` queries
-     - Hooks: `renderHook`
-     - Services: Vitest/Jest mocks + MSW
-     - Backend services: Jest
-   - **E2E Tests**: Playwright (Chromium, Firefox, WebKit)
-
-   **Backend (.NET)**:
-   - **Unit Tests**: xUnit for services, repositories
-   - **Integration Tests**: xUnit + TestServer
-   - **API Tests**: xUnit + WebApplicationFactory
-
+2. Write test cases covering each criteria (platform-specific stacks per `/tas-dev`)
 3. Run tests: `npm test` / `yarn test` / `dotnet test` / `python -m pytest`
 4. **Verify**: tests MUST FAIL — if pass immediately → test is wrong, rewrite
 
@@ -87,7 +55,7 @@ No exceptions — every feature starts with test.
 - Refactor phase makes tests fail → refactor is wrong, roll back step by step
 - Writing multiple tests at once before fixing each → only fix one test at a time
 
-## Verification
+## Verification Checklist
 
 - [ ] Red: test file exists and runs with FAIL output
 - [ ] Green: test output changes from FAIL → PASS after adding implementation
@@ -111,8 +79,6 @@ No exceptions — every feature starts with test.
 
 MODIFIER: `H` (Happy), `N` (Negative), `E` (Edge), `S` (Security), `P` (Performance)
 
----
-
 ## Anti-Rationalization
 
 | Rationalization | Counter |

package/{.claude → .tas}/rules/common/testing.md

@@ -19,14 +19,9 @@ MANDATORY workflow:
 
 ## Troubleshooting Test Failures
 
-1. Use **tdd-guide** agent
-2. Check test isolation
-3. Verify mocks are correct
-4. Fix implementation, not tests (unless tests are wrong)
-
-## Agent Support
-
-- **tdd-guide** - Use PROACTIVELY for new features, enforces write-tests-first
+1. Check test isolation
+2. Verify mocks are correct
+3. Fix implementation, not tests (unless tests are wrong)
 
 ## PR Test Gap Analysis
 

package/{.claude → .tas}/rules/common/token-logging.md

@@ -1,27 +1,36 @@
-# Token Usage Logging
-
-Write `## AI Usage Log` at end of artifact file when TAS command completes.
-
-## Token Estimation
-
-Estimate from session awareness: character count of each file `Read` ÷ 4 ≈ tokens (English/code), ÷ 2 (Vietnamese).
-Character count of artifact output ÷ 4. Always append `(est.)`. User verifies with `/cost` (CLI) or `/context` (Desktop app).
-
-## Format
-
-```markdown
----
-
-## AI Usage Log
-
-| # | Date | Command | Input (est.) | Output (est.) |
-|---|------|---------|-------------|---------------|
-| 1 | YYYY-MM-DD | /tas-{name} | ~{N}k | ~{N}k |
-| 2 | YYYY-MM-DD | /tas-{name} (revision) | ~{N}k | ~{N}k |
-| **Total** | | | **~{N}k** | **~{N}k** |
-```
-
-## Update Rules
-
-- **First time**: section doesn't exist → append entire section with first row and Total row
-- **Subsequent**: append new row before Total row, update Total (cumulative)
+# Token Usage Logging
+
+Write `## AI Usage Log` at end of artifact file when TAS command completes.
+
+## Process
+
+1. Identify artifact file: from invocation (if specified) or last `docs/` file Write/Edit in session.
+2. Read this file for format and update rules.
+3. Read artifact file — check if `## AI Usage Log` already exists.
+4. Write or update section. Silent on success — no output to conversation.
+
+DO NOT apply when: user manually edits file or uses non-TAS commands.
+
+## Token Estimation
+
+Estimate from session awareness: character count of each file `Read` ÷ 4 ≈ tokens (English/code), ÷ 2 (Vietnamese).
+Character count of artifact output ÷ 4. Always append `(est.)`. User verifies with `/cost` (CLI) or `/context` (Desktop app).
+
+## Format
+
+```markdown
+---
+
+## AI Usage Log
+
+| # | Date | Command | Input (est.) | Output (est.) |
+|---|------|---------|-------------|---------------|
+| 1 | YYYY-MM-DD | /tas-{name} | ~{N}k | ~{N}k |
+| 2 | YYYY-MM-DD | /tas-{name} (revision) | ~{N}k | ~{N}k |
+| **Total** | | | **~{N}k** | **~{N}k** |
+```
+
+## Update Rules
+
+- **First time**: section doesn't exist → append entire section with first row and Total row
+- **Subsequent**: append new row before Total row, update Total (cumulative)