@wipal/agent-team 1.0.0

package/.claude/skills/domain/backend/api-design/SKILL.md

@@ -0,0 +1,121 @@
+---
+name: api-design
+description: |
+  RESTful API design patterns and best practices. Use when designing APIs,
+  creating endpoints, implementing authentication, versioning APIs, writing
+  API documentation, or when user mentions "API", "endpoint", "REST", "route",
+  "controller". Ensures consistent, intuitive, well-documented APIs.
+version: 1.0.0
+category: backend
+tags:
+  - api
+  - rest
+  - http
+  - backend
+depends_on:
+  - code-review
+recommends:
+  - security
+  - database-design
+used_by:
+  - security
+  - security-architecture
+---
+
+# Skill: API Design
+
+## Core Principle
+**APIs should be intuitive, consistent, and well-documented.** Developers should understand your API without reading docs.
+
+## Hard Rules
+
+1. **NEVER use verbs in URLs** - `/getUsers` → `/users`
+2. **NEVER return HTML errors** - Always JSON
+3. **ALWAYS use plural nouns** - `/users` not `/user`
+4. **ALWAYS return consistent error format** - Same structure everywhere
+5. **ALWAYS version APIs** - `/api/v1/...`
+
+## HTTP Methods
+
+| Method | Purpose | Idempotent |
+|--------|---------|------------|
+| GET | Retrieve | Yes |
+| POST | Create | No |
+| PUT | Replace | Yes |
+| PATCH | Update | No |
+| DELETE | Remove | Yes |
+
+## Resource Naming
+
+```text
+✅ GOOD:
+GET    /users
+GET    /users/{id}
+POST   /users
+GET    /users/{id}/orders
+
+❌ BAD:
+GET    /getUsers
+POST   /createUser
+GET    /user-order/{id}
+```
+
+## Status Codes
+
+| Code | When |
+|------|------|
+| 200 | Success |
+| 201 | Created |
+| 204 | Deleted (no content) |
+| 400 | Bad request |
+| 401 | Unauthorized |
+| 403 | Forbidden |
+| 404 | Not found |
+| 422 | Validation error |
+| 500 | Server error |
+
+## Error Response Format
+
+```json
+{
+  "error": {
+    "code": "VALIDATION_ERROR",
+    "message": "Validation failed",
+    "details": [
+      { "field": "email", "message": "Invalid email" }
+    ]
+  }
+}
+```
+
+## Common Mistakes
+
+| ❌ Mistake | ✅ Fix |
+|------------|--------|
+| `/getUsers` | `/users` with GET |
+| No versioning | `/api/v1/users` |
+| HTML errors | JSON error format |
+| No pagination | `?page=1&limit=20` |
+| Inconsistent naming | Stick to conventions |
+
+## Pagination
+
+```json
+{
+  "data": [...],
+  "pagination": {
+    "page": 1,
+    "limit": 20,
+    "total": 100
+  }
+}
+```
+
+## Quick Checklist
+
+- [ ] Uses nouns, not verbs
+- [ ] Plural resource names
+- [ ] Consistent error format
+- [ ] API versioned
+- [ ] Pagination for lists
+- [ ] Proper status codes

package/.claude/skills/domain/backend/database-design/SKILL.md

@@ -0,0 +1,156 @@
+---
+name: database-design
+description: |
+  Database schema design patterns and best practices. Use when designing
+  schemas, creating migrations, optimizing queries, adding indexes, or when
+  user mentions "database", "schema", "table", "migration", "index", "SQL",
+  "Prisma", "TypeORM". Ensures performant, maintainable data models.
+version: 1.0.0
+category: backend
+tags:
+  - database
+  - sql
+  - schema
+  - optimization
+depends_on:
+  - code-review
+recommends:
+  - security
+  - performance-engineering
+used_by:
+  - api-design
+  - security-architecture
+---
+
+# Skill: Database Design
+
+## Core Principle
+**Design for performance, maintainability, and data integrity.** A bad schema haunts you forever.
+
+## Hard Rules
+
+1. **NEVER use SELECT \*** - Specify columns explicitly
+2. **NEVER store secrets unencrypted** - Encrypt PII
+3. **ALWAYS use migrations** - No manual schema changes
+4. **ALWAYS index foreign keys** - Join performance
+5. **ALWAYS use appropriate data types** - Don't store numbers as strings
+
+## Naming Conventions
+
+```sql
+-- Tables: snake_case, plural
+users, orders, order_items
+
+-- Columns: snake_case
+user_id, created_at, is_active
+
+-- Primary keys
+id SERIAL PRIMARY KEY
+-- or
+user_id UUID PRIMARY KEY
+
+-- Foreign keys: {table}_id
+user_id REFERENCES users(id)
+
+-- Indexes: idx_{table}_{columns}
+CREATE INDEX idx_users_email ON users(email);
+```
+
+## Index Strategy
+
+### When to Index
+- Primary keys (automatic)
+- Foreign keys (always)
+- WHERE clause columns
+- ORDER BY columns
+- JOIN conditions
+
+### Index Types
+
+| Type | Use Case |
+|------|----------|
+| B-tree | Default, equality/range |
+| Unique | Email, username |
+| Partial | `WHERE is_active = true` |
+| Composite | Multi-column queries |
+| GIN | JSONB, arrays, full-text |
+
+## Common Mistakes
+
+| ❌ Mistake | ✅ Fix |
+|------------|--------|
+| SELECT * | Specify columns |
+| No migrations | Use migration tool |
+| Missing FK indexes | `CREATE INDEX ON orders(user_id)` |
+| N+1 queries | Use JOIN or include |
+| Storing arrays as strings | Use proper array/JSONB |
+
+## N+1 Query Fix
+
+```typescript
+// ❌ Bad: N+1 queries
+for (const order of orders) {
+  order.items = await prisma.orderItem.findMany({
+    where: { orderId: order.id }
+  });
+}
+
+// ✅ Good: Use include
+const orders = await prisma.order.findMany({
+  include: { items: true }
+});
+```
+
+## Migration Template
+
+```sql
+-- Up: 20250226_create_users.sql
+BEGIN;
+
+CREATE TABLE users (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    email VARCHAR(255) NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX idx_users_email ON users(email);
+
+COMMIT;
+
+-- Down: 20250226_create_users_down.sql
+BEGIN;
+DROP TABLE IF EXISTS users;
+COMMIT;
+```
+
+## Prisma Schema Example
+
+```prisma
+model User {
+  id        String   @id @default(uuid())
+  email     String   @unique
+  orders    Order[]
+  createdAt DateTime @default(now()) @map("created_at")
+
+  @@map("users")
+}
+
+model Order {
+  id        String   @id @default(uuid())
+  userId    String   @map("user_id")
+  user      User     @relation(fields: [userId], references: [id])
+  items     OrderItem[]
+
+  @@index([userId])
+  @@map("orders")
+}
+```
+
+## Quick Checklist
+
+- [ ] Uses migrations
+- [ ] Foreign keys indexed
+- [ ] Appropriate data types
+- [ ] No SELECT *
+- [ ] N+1 queries avoided
+- [ ] Secrets encrypted

package/.claude/skills/domain/backend/performance-be/SKILL.md

@@ -0,0 +1,210 @@
+---
+name: performance-be
+description: |
+  Backend performance optimization patterns. Use when: optimizing database queries,
+  improving API response times, handling high load, or when user mentions "slow",
+  "performance", "optimize", "N+1", "caching", "latency". Fast backends = happy users.
+version: 1.0.0
+category: backend
+tags:
+  - performance
+  - optimization
+  - caching
+  - database
+depends_on:
+  - database-design
+  - api-design
+recommends: []
+used_by: []
+---
+
+# Skill: Performance BE
+
+## Core Principle
+**Measure before optimizing.** Profile, identify bottlenecks, then fix. Premature optimization is waste.
+
+## Performance Metrics
+
+| Metric | Target | What |
+|--------|--------|------|
+| **Response Time** | < 200ms | P95 latency |
+| **Throughput** | 1000+ RPS | Requests per second |
+| **Error Rate** | < 0.1% | Failed requests |
+| **DB Query Time** | < 50ms | P95 query time |
+
+## Hard Rules
+
+1. **NEVER use SELECT \*** - Specify columns
+2. **NEVER N+1 queries** - Use JOINs or includes
+3. **ALWAYS index foreign keys** - Critical for joins
+4. **ALWAYS paginate lists** - No unbounded queries
+5. **ALWAYS cache expensive operations** - Within reason
+
+## N+1 Query Fix
+
+```typescript
+// ❌ Bad: N+1 queries
+async function getOrdersWithItems() {
+  const orders = await prisma.order.findMany();
+
+  for (const order of orders) {
+    order.items = await prisma.orderItem.findMany({
+      where: { orderId: order.id }
+    });
+  }
+
+  return orders;
+}
+
+// ✅ Good: Single query with include
+async function getOrdersWithItems() {
+  return prisma.order.findMany({
+    include: { items: true }
+  });
+}
+```
+
+## Database Optimization
+
+### Indexing
+
+```sql
+-- Index foreign keys
+CREATE INDEX idx_orders_user_id ON orders(user_id);
+
+-- Composite index for common queries
+CREATE INDEX idx_orders_status_created ON orders(status, created_at DESC);
+
+-- Partial index for active records
+CREATE INDEX idx_users_active ON users(email) WHERE is_active = true;
+```
+
+### Query Optimization
+
+```typescript
+// ❌ Bad: Unbounded query
+const orders = await prisma.order.findMany();
+
+// ✅ Good: Paginated
+const orders = await prisma.order.findMany({
+  take: 20,
+  skip: (page - 1) * 20,
+  orderBy: { createdAt: 'desc' },
+});
+
+// ✅ Good: Select only needed fields
+const users = await prisma.user.findMany({
+  select: { id: true, name: true, email: true },
+});
+```
+
+## Caching Strategies
+
+### Redis Patterns
+
+```typescript
+import { Redis } from 'ioredis';
+
+const redis = new Redis();
+
+// Cache-aside pattern
+async function getUser(id: string) {
+  // 1. Check cache
+  const cached = await redis.get(`user:${id}`);
+  if (cached) return JSON.parse(cached);
+
+  // 2. Fetch from DB
+  const user = await prisma.user.findUnique({ where: { id } });
+
+  // 3. Cache result
+  if (user) {
+    await redis.setex(`user:${id}`, 3600, JSON.stringify(user));
+  }
+
+  return user;
+}
+
+// Invalidate on update
+async function updateUser(id: string, data: UpdateData) {
+  const user = await prisma.user.update({ where: { id }, data });
+  await redis.del(`user:${id}`);
+  return user;
+}
+```
+
+### Cache Headers
+
+```typescript
+// Static assets
+app.get('/static/*', (req, res) => {
+  res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+});
+
+// API responses
+app.get('/api/products', (req, res) => {
+  res.setHeader('Cache-Control', 'private, max-age=60, stale-while-revalidate=300');
+});
+```
+
+## Common Mistakes
+
+| ❌ Mistake | ✅ Fix |
+|------------|--------|
+| SELECT * | Specify columns |
+| N+1 queries | Use JOIN/include |
+| No pagination | Add limit/offset |
+| Missing indexes | Index FKs, WHERE columns |
+| No caching | Add Redis cache |
+| Sync operations | Use async |
+
+## Connection Pooling
+
+```typescript
+// Prisma connection pool
+const prisma = new PrismaClient({
+  datasources: {
+    db: {
+      url: process.env.DATABASE_URL,
+    },
+  },
+  // Connection pool settings
+  __internal: {
+    engine: {
+      connectionLimit: 10,
+    },
+  },
+});
+```
+
+## Performance Checklist
+
+### Database
+- [ ] Foreign keys indexed
+- [ ] N+1 queries eliminated
+- [ ] Queries use indexes (EXPLAIN ANALYZE)
+- [ ] Pagination implemented
+- [ ] Connection pooling configured
+
+### API
+- [ ] Response times < 200ms P95
+- [ ] Caching implemented
+- [ ] Compression enabled
+- [ ] Rate limiting configured
+
+### Monitoring
+- [ ] P95/P99 latency tracked
+- [ ] Slow query logging
+- [ ] Error rate monitored
+
+## Profiling
+
+```sql
+-- PostgreSQL query analysis
+EXPLAIN ANALYZE SELECT * FROM orders WHERE user_id = '123';
+
+-- Find slow queries
+SELECT query, mean_exec_time
+FROM pg_stat_statements
+ORDER BY mean_exec_time DESC
+LIMIT 10;
+```

package/.claude/skills/domain/backend/security/SKILL.md

@@ -0,0 +1,138 @@
+---
+name: security
+description: |
+  Security best practices for backend development. Use when implementing
+  authentication, authorization, input validation, or when user mentions
+  "security", "auth", "JWT", "password", "encryption", "XSS", "SQL injection",
+  "OWASP", "vulnerability". Security is NOT optional - always apply these rules.
+version: 1.0.0
+category: backend
+tags:
+  - security
+  - authentication
+  - authorization
+  - owasp
+depends_on:
+  - api-design
+recommends:
+  - database-design
+used_by:
+  - security-architecture
+---
+
+# Skill: Security
+
+## Core Principle
+**Security first. Never trust user input.** Every input is an attack vector.
+
+## Hard Rules
+
+1. **NEVER trust user input** - Validate everything
+2. **NEVER store secrets in code** - Use environment variables
+3. **NEVER use MD5/SHA1 for passwords** - Use bcrypt/argon2
+4. **ALWAYS use parameterized queries** - Prevent SQL injection
+5. **ALWAYS use HTTPS** - No exceptions in production
+6. **ALWAYS log security events** - Auth failures, access denied
+
+## OWASP Top 10 (Quick)
+
+| # | Issue | Prevention |
+|---|-------|------------|
+| 1 | Broken Access Control | Check permissions |
+| 2 | Crypto Failures | HTTPS, encrypt secrets |
+| 3 | Injection | Parameterized queries |
+| 4 | Insecure Design | Threat modeling |
+| 5 | Misconfiguration | Harden defaults |
+| 6 | Vulnerable Components | Update deps |
+| 7 | Auth Failures | Strong auth |
+| 8 | Data Integrity | Validate inputs |
+| 9 | Logging Failures | Log security events |
+| 10 | SSRF | Validate URLs |
+
+## Authentication
+
+### Password Handling
+```typescript
+import bcrypt from 'bcrypt';
+
+// Hash password
+const hash = await bcrypt.hash(password, 12);
+
+// Verify password
+const valid = await bcrypt.compare(password, hash);
+```
+
+### JWT Config
+```typescript
+const JWT_CONFIG = {
+  algorithm: 'RS256',
+  expiresIn: '15m',  // Short access token
+};
+```
+
+## Common Mistakes
+
+| ❌ Mistake | ✅ Fix |
+|------------|--------|
+| `SELECT * FROM users WHERE id = ${id}` | Parameterized query |
+| Storing passwords in plain text | bcrypt/argon2 |
+| Hardcoded secrets | Environment variables |
+| No rate limiting | Add rate limiter |
+| Exposing internal errors | Generic error messages |
+
+## SQL Injection Prevention
+
+```typescript
+// ❌ Bad: SQL injection vulnerable
+const query = `SELECT * FROM users WHERE id = ${userId}`;
+
+// ✅ Good: Parameterized (Prisma)
+const user = await prisma.user.findUnique({
+  where: { id: userId }
+});
+
+// ✅ Good: Parameterized (raw)
+const result = await pool.query(
+  'SELECT * FROM users WHERE id = $1',
+  [userId]
+);
+```
+
+## Input Validation
+
+```typescript
+import { z } from 'zod';
+
+const schema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+});
+
+const validate = (schema) => (req, res, next) => {
+  try {
+    req.body = schema.parse(req.body);
+    next();
+  } catch (e) {
+    res.status(400).json({ error: 'Validation failed' });
+  }
+};
+```
+
+## Security Headers
+
+```typescript
+import helmet from 'helmet';
+
+app.use(helmet());
+```
+
+## Quick Checklist
+
+- [ ] Input validated
+- [ ] Parameterized queries
+- [ ] Passwords hashed
+- [ ] HTTPS enabled
+- [ ] Rate limiting
+- [ ] Secrets in env vars
+- [ ] Security headers
+- [ ] Auth events logged