ada-agent 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (339) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +256 -0
  3. package/bench/README.md +88 -0
  4. package/bench/swebench.mjs +242 -0
  5. package/bin/ada-server.mjs +6 -0
  6. package/bin/ada.mjs +7 -0
  7. package/docs/agent-loop.svg +66 -0
  8. package/docs/architecture.md +139 -0
  9. package/docs/architecture.svg +73 -0
  10. package/docs/connectors.md +48 -0
  11. package/docs/integrations.md +59 -0
  12. package/docs/login-flow.svg +56 -0
  13. package/docs/orchestration.md +45 -0
  14. package/package.json +64 -0
  15. package/skills/accessibility/SKILL.md +23 -0
  16. package/skills/add-logging/SKILL.md +23 -0
  17. package/skills/add-metrics/SKILL.md +23 -0
  18. package/skills/adr/SKILL.md +24 -0
  19. package/skills/aesthetic-direction/SKILL.md +24 -0
  20. package/skills/agent-loop/SKILL.md +23 -0
  21. package/skills/alerting/SKILL.md +23 -0
  22. package/skills/alpha-compositing/SKILL.md +23 -0
  23. package/skills/android-compose/SKILL.md +23 -0
  24. package/skills/angular-module/SKILL.md +23 -0
  25. package/skills/ansible-playbook/SKILL.md +24 -0
  26. package/skills/api-docs/SKILL.md +24 -0
  27. package/skills/app-store-prep/SKILL.md +23 -0
  28. package/skills/architecture-diagram/SKILL.md +21 -0
  29. package/skills/architecture-doc/SKILL.md +24 -0
  30. package/skills/audit-log/SKILL.md +23 -0
  31. package/skills/authz-review/SKILL.md +23 -0
  32. package/skills/aws-lambda/SKILL.md +24 -0
  33. package/skills/bash-script/SKILL.md +23 -0
  34. package/skills/batch/SKILL.md +23 -0
  35. package/skills/bisect/SKILL.md +23 -0
  36. package/skills/bounding-box/SKILL.md +24 -0
  37. package/skills/branch-cleanup/SKILL.md +23 -0
  38. package/skills/bundle-analyze/SKILL.md +23 -0
  39. package/skills/cache/SKILL.md +23 -0
  40. package/skills/call-graph/SKILL.md +23 -0
  41. package/skills/canvas-debug/SKILL.md +23 -0
  42. package/skills/cdn-setup/SKILL.md +23 -0
  43. package/skills/changelog/SKILL.md +24 -0
  44. package/skills/cherry-pick/SKILL.md +23 -0
  45. package/skills/ci-setup/SKILL.md +23 -0
  46. package/skills/cleanup/SKILL.md +23 -0
  47. package/skills/cli-tool/SKILL.md +23 -0
  48. package/skills/cloudformation/SKILL.md +23 -0
  49. package/skills/code-examples/SKILL.md +24 -0
  50. package/skills/code-review/SKILL.md +23 -0
  51. package/skills/color-palette/SKILL.md +24 -0
  52. package/skills/color-space/SKILL.md +24 -0
  53. package/skills/comment-why/SKILL.md +23 -0
  54. package/skills/commit/SKILL.md +26 -0
  55. package/skills/complexity-audit/SKILL.md +23 -0
  56. package/skills/component/SKILL.md +23 -0
  57. package/skills/component-library/SKILL.md +23 -0
  58. package/skills/connect-github/SKILL.md +20 -0
  59. package/skills/connect-mcp/SKILL.md +21 -0
  60. package/skills/connect-postgres/SKILL.md +20 -0
  61. package/skills/connect-remote/SKILL.md +23 -0
  62. package/skills/connect-slack/SKILL.md +20 -0
  63. package/skills/contract-audit/SKILL.md +25 -0
  64. package/skills/contributing/SKILL.md +23 -0
  65. package/skills/cpp-raii/SKILL.md +23 -0
  66. package/skills/cron-job/SKILL.md +23 -0
  67. package/skills/cv-preprocess/SKILL.md +24 -0
  68. package/skills/dark-mode/SKILL.md +24 -0
  69. package/skills/dashboard/SKILL.md +23 -0
  70. package/skills/dashboard-ui/SKILL.md +23 -0
  71. package/skills/data-export/SKILL.md +23 -0
  72. package/skills/data-validation/SKILL.md +23 -0
  73. package/skills/dataframe/SKILL.md +23 -0
  74. package/skills/db-index/SKILL.md +24 -0
  75. package/skills/dead-code/SKILL.md +23 -0
  76. package/skills/debug/SKILL.md +24 -0
  77. package/skills/deck-review/SKILL.md +24 -0
  78. package/skills/dedupe/SKILL.md +23 -0
  79. package/skills/dedupe-deps/SKILL.md +23 -0
  80. package/skills/dependency-audit/SKILL.md +23 -0
  81. package/skills/dependency-update/SKILL.md +23 -0
  82. package/skills/deploy/SKILL.md +23 -0
  83. package/skills/design-system/SKILL.md +24 -0
  84. package/skills/design-tokens/SKILL.md +24 -0
  85. package/skills/diagram-as-code/SKILL.md +24 -0
  86. package/skills/diff-explain/SKILL.md +23 -0
  87. package/skills/django-view/SKILL.md +23 -0
  88. package/skills/doc-lint/SKILL.md +24 -0
  89. package/skills/docker-compose/SKILL.md +23 -0
  90. package/skills/dockerize/SKILL.md +23 -0
  91. package/skills/docstrings/SKILL.md +23 -0
  92. package/skills/dotfiles/SKILL.md +23 -0
  93. package/skills/dpi-scaling/SKILL.md +23 -0
  94. package/skills/e2e-test/SKILL.md +23 -0
  95. package/skills/embeddings/SKILL.md +23 -0
  96. package/skills/empty-states/SKILL.md +23 -0
  97. package/skills/env-setup/SKILL.md +23 -0
  98. package/skills/erc20/SKILL.md +24 -0
  99. package/skills/error-tracking/SKILL.md +23 -0
  100. package/skills/estimate/SKILL.md +23 -0
  101. package/skills/etl-pipeline/SKILL.md +24 -0
  102. package/skills/eval-harness/SKILL.md +23 -0
  103. package/skills/exif-orientation/SKILL.md +23 -0
  104. package/skills/explain-code/SKILL.md +23 -0
  105. package/skills/express-middleware/SKILL.md +23 -0
  106. package/skills/extract-function/SKILL.md +23 -0
  107. package/skills/faq/SKILL.md +24 -0
  108. package/skills/fastapi-endpoint/SKILL.md +23 -0
  109. package/skills/favicon/SKILL.md +23 -0
  110. package/skills/feature-engineering/SKILL.md +23 -0
  111. package/skills/few-shot/SKILL.md +23 -0
  112. package/skills/find-owner/SKILL.md +23 -0
  113. package/skills/firmware-driver/SKILL.md +23 -0
  114. package/skills/fix-flaky-tests/SKILL.md +23 -0
  115. package/skills/flutter-widget/SKILL.md +23 -0
  116. package/skills/font-rendering/SKILL.md +23 -0
  117. package/skills/form-validation/SKILL.md +23 -0
  118. package/skills/format/SKILL.md +23 -0
  119. package/skills/game-loop/SKILL.md +23 -0
  120. package/skills/gas-optimize/SKILL.md +25 -0
  121. package/skills/gdpr-review/SKILL.md +24 -0
  122. package/skills/github-actions/SKILL.md +23 -0
  123. package/skills/glossary/SKILL.md +24 -0
  124. package/skills/go-idioms/SKILL.md +23 -0
  125. package/skills/gpu-profile/SKILL.md +23 -0
  126. package/skills/graphify/SKILL.md +21 -0
  127. package/skills/graphql-resolver/SKILL.md +23 -0
  128. package/skills/grpc-service/SKILL.md +23 -0
  129. package/skills/guardrails/SKILL.md +23 -0
  130. package/skills/healthcheck/SKILL.md +23 -0
  131. package/skills/heisenbug/SKILL.md +23 -0
  132. package/skills/helm-chart/SKILL.md +24 -0
  133. package/skills/hero-section/SKILL.md +23 -0
  134. package/skills/html-email/SKILL.md +24 -0
  135. package/skills/html-form/SKILL.md +23 -0
  136. package/skills/html-sanitize/SKILL.md +23 -0
  137. package/skills/html-table/SKILL.md +23 -0
  138. package/skills/html-to-pdf/SKILL.md +23 -0
  139. package/skills/http-client/SKILL.md +23 -0
  140. package/skills/i18n/SKILL.md +23 -0
  141. package/skills/i2c-spi/SKILL.md +23 -0
  142. package/skills/image-decode/SKILL.md +24 -0
  143. package/skills/image-memory/SKILL.md +24 -0
  144. package/skills/image-perf/SKILL.md +24 -0
  145. package/skills/image-pipeline/SKILL.md +24 -0
  146. package/skills/image-upload/SKILL.md +24 -0
  147. package/skills/infra-cost/SKILL.md +24 -0
  148. package/skills/input-validation/SKILL.md +23 -0
  149. package/skills/issue-template/SKILL.md +23 -0
  150. package/skills/java-streams/SKILL.md +23 -0
  151. package/skills/k8s-manifest/SKILL.md +23 -0
  152. package/skills/kotlin-coroutines/SKILL.md +23 -0
  153. package/skills/landing-page/SKILL.md +24 -0
  154. package/skills/laravel-controller/SKILL.md +23 -0
  155. package/skills/lazy-load/SKILL.md +23 -0
  156. package/skills/license-check/SKILL.md +23 -0
  157. package/skills/license-header/SKILL.md +23 -0
  158. package/skills/lint-fix/SKILL.md +23 -0
  159. package/skills/llm-cost/SKILL.md +23 -0
  160. package/skills/lockfile-fix/SKILL.md +23 -0
  161. package/skills/low-power/SKILL.md +23 -0
  162. package/skills/makefile/SKILL.md +23 -0
  163. package/skills/man-page/SKILL.md +24 -0
  164. package/skills/mcp-server/SKILL.md +23 -0
  165. package/skills/memory-leak/SKILL.md +23 -0
  166. package/skills/mermaid-diagram/SKILL.md +23 -0
  167. package/skills/meta-tags/SKILL.md +23 -0
  168. package/skills/micro-interactions/SKILL.md +23 -0
  169. package/skills/migration/SKILL.md +23 -0
  170. package/skills/migration-guide/SKILL.md +24 -0
  171. package/skills/mkdocs-setup/SKILL.md +24 -0
  172. package/skills/mobile-permissions/SKILL.md +23 -0
  173. package/skills/mock-api/SKILL.md +23 -0
  174. package/skills/modernize/SKILL.md +23 -0
  175. package/skills/monorepo-setup/SKILL.md +23 -0
  176. package/skills/motion-design/SKILL.md +23 -0
  177. package/skills/n-plus-one/SKILL.md +23 -0
  178. package/skills/naming-review/SKILL.md +23 -0
  179. package/skills/nextjs-route/SKILL.md +23 -0
  180. package/skills/nginx-config/SKILL.md +23 -0
  181. package/skills/ocr-debug/SKILL.md +24 -0
  182. package/skills/onboard/SKILL.md +23 -0
  183. package/skills/onboarding-map/SKILL.md +23 -0
  184. package/skills/open-pr/SKILL.md +24 -0
  185. package/skills/openapi/SKILL.md +23 -0
  186. package/skills/opencv-debug/SKILL.md +24 -0
  187. package/skills/orm-model/SKILL.md +23 -0
  188. package/skills/owasp-check/SKILL.md +24 -0
  189. package/skills/page-transitions/SKILL.md +23 -0
  190. package/skills/pagination/SKILL.md +23 -0
  191. package/skills/perf-optimize/SKILL.md +23 -0
  192. package/skills/perf-profile/SKILL.md +23 -0
  193. package/skills/physics/SKILL.md +23 -0
  194. package/skills/pitch-deck/SKILL.md +24 -0
  195. package/skills/pixel-diff/SKILL.md +23 -0
  196. package/skills/ponytail/SKILL.md +46 -0
  197. package/skills/postmortem/SKILL.md +24 -0
  198. package/skills/pptx-deck/SKILL.md +23 -0
  199. package/skills/pptx-export/SKILL.md +23 -0
  200. package/skills/pptx-from-markdown/SKILL.md +23 -0
  201. package/skills/pptx-template/SKILL.md +24 -0
  202. package/skills/pr-review/SKILL.md +24 -0
  203. package/skills/precommit/SKILL.md +23 -0
  204. package/skills/pricing-page/SKILL.md +23 -0
  205. package/skills/project-overview/SKILL.md +22 -0
  206. package/skills/prompt-template/SKILL.md +23 -0
  207. package/skills/property-test/SKILL.md +23 -0
  208. package/skills/protobuf/SKILL.md +23 -0
  209. package/skills/py-async/SKILL.md +23 -0
  210. package/skills/py-typing/SKILL.md +23 -0
  211. package/skills/query-optimize/SKILL.md +23 -0
  212. package/skills/rag-pipeline/SKILL.md +23 -0
  213. package/skills/rails-resource/SKILL.md +23 -0
  214. package/skills/rate-limit/SKILL.md +23 -0
  215. package/skills/react-hooks/SKILL.md +23 -0
  216. package/skills/react-native-screen/SKILL.md +23 -0
  217. package/skills/react-perf/SKILL.md +23 -0
  218. package/skills/readme/SKILL.md +24 -0
  219. package/skills/rebase/SKILL.md +24 -0
  220. package/skills/refactor/SKILL.md +23 -0
  221. package/skills/regression-test/SKILL.md +23 -0
  222. package/skills/release-notes/SKILL.md +24 -0
  223. package/skills/rename-symbol/SKILL.md +23 -0
  224. package/skills/repro/SKILL.md +23 -0
  225. package/skills/resolve-conflicts/SKILL.md +23 -0
  226. package/skills/responsive/SKILL.md +23 -0
  227. package/skills/rest-endpoint/SKILL.md +23 -0
  228. package/skills/retro/SKILL.md +23 -0
  229. package/skills/rtos-task/SKILL.md +23 -0
  230. package/skills/runbook/SKILL.md +25 -0
  231. package/skills/rust-borrow/SKILL.md +23 -0
  232. package/skills/rust-unsafe-audit/SKILL.md +23 -0
  233. package/skills/sanitize/SKILL.md +23 -0
  234. package/skills/schema-design/SKILL.md +23 -0
  235. package/skills/screenshot-debug/SKILL.md +22 -0
  236. package/skills/scroll-animation/SKILL.md +23 -0
  237. package/skills/secret-scan/SKILL.md +23 -0
  238. package/skills/security-audit/SKILL.md +23 -0
  239. package/skills/security-review/SKILL.md +23 -0
  240. package/skills/seed-data/SKILL.md +23 -0
  241. package/skills/self-review/SKILL.md +23 -0
  242. package/skills/semantic-html/SKILL.md +23 -0
  243. package/skills/semver-bump/SKILL.md +24 -0
  244. package/skills/shader/SKILL.md +23 -0
  245. package/skills/shader-debug/SKILL.md +23 -0
  246. package/skills/simplify-conditionals/SKILL.md +23 -0
  247. package/skills/sitemap/SKILL.md +23 -0
  248. package/skills/skeleton-loader/SKILL.md +23 -0
  249. package/skills/slide-charts/SKILL.md +24 -0
  250. package/skills/slide-outline/SKILL.md +23 -0
  251. package/skills/snapshot-update/SKILL.md +23 -0
  252. package/skills/solidity-contract/SKILL.md +25 -0
  253. package/skills/speaker-notes/SKILL.md +23 -0
  254. package/skills/spike/SKILL.md +23 -0
  255. package/skills/split-file/SKILL.md +23 -0
  256. package/skills/spring-controller/SKILL.md +23 -0
  257. package/skills/sprite-anim/SKILL.md +23 -0
  258. package/skills/sql-report/SKILL.md +23 -0
  259. package/skills/squash/SKILL.md +24 -0
  260. package/skills/ssl-setup/SKILL.md +23 -0
  261. package/skills/stacktrace/SKILL.md +23 -0
  262. package/skills/static-site/SKILL.md +24 -0
  263. package/skills/structured-logging/SKILL.md +23 -0
  264. package/skills/svelte-store/SKILL.md +23 -0
  265. package/skills/swiftui-view/SKILL.md +23 -0
  266. package/skills/tailwind-theme/SKILL.md +24 -0
  267. package/skills/tcp-server/SKILL.md +23 -0
  268. package/skills/tdd/SKILL.md +23 -0
  269. package/skills/terraform-module/SKILL.md +24 -0
  270. package/skills/test-coverage/SKILL.md +23 -0
  271. package/skills/texture-debug/SKILL.md +23 -0
  272. package/skills/threat-model/SKILL.md +23 -0
  273. package/skills/thumbnail/SKILL.md +24 -0
  274. package/skills/todo-scan/SKILL.md +23 -0
  275. package/skills/tool-definition/SKILL.md +23 -0
  276. package/skills/trace-flow/SKILL.md +23 -0
  277. package/skills/tracing/SKILL.md +23 -0
  278. package/skills/train-model/SKILL.md +24 -0
  279. package/skills/tree-shake/SKILL.md +23 -0
  280. package/skills/ts-generics/SKILL.md +23 -0
  281. package/skills/ts-strict/SKILL.md +23 -0
  282. package/skills/tui-app/SKILL.md +23 -0
  283. package/skills/tutorial/SKILL.md +24 -0
  284. package/skills/type-tighten/SKILL.md +23 -0
  285. package/skills/typography/SKILL.md +24 -0
  286. package/skills/ui-bug-repro/SKILL.md +23 -0
  287. package/skills/ui-polish/SKILL.md +24 -0
  288. package/skills/ui-review/SKILL.md +24 -0
  289. package/skills/vendor/SKILL.md +23 -0
  290. package/skills/visual-diff-ci/SKILL.md +24 -0
  291. package/skills/visual-regression/SKILL.md +23 -0
  292. package/skills/vue-composition/SKILL.md +23 -0
  293. package/skills/web-component/SKILL.md +23 -0
  294. package/skills/web-fonts/SKILL.md +24 -0
  295. package/skills/web3-frontend/SKILL.md +25 -0
  296. package/skills/webgl-debug/SKILL.md +23 -0
  297. package/skills/webhook/SKILL.md +23 -0
  298. package/skills/websocket/SKILL.md +23 -0
  299. package/skills/write-tests/SKILL.md +19 -0
  300. package/src/client/agent.ts +803 -0
  301. package/src/client/background.ts +39 -0
  302. package/src/client/checkpoint.ts +48 -0
  303. package/src/client/cli.ts +1253 -0
  304. package/src/client/compaction.ts +86 -0
  305. package/src/client/extensions.ts +83 -0
  306. package/src/client/hooks.ts +40 -0
  307. package/src/client/image.ts +26 -0
  308. package/src/client/lsp.ts +0 -0
  309. package/src/client/mcp.ts +276 -0
  310. package/src/client/models-dev.ts +52 -0
  311. package/src/client/pkg.ts +41 -0
  312. package/src/client/platform.ts +94 -0
  313. package/src/client/prompts.ts +47 -0
  314. package/src/client/render.ts +138 -0
  315. package/src/client/session.ts +107 -0
  316. package/src/client/settings.ts +86 -0
  317. package/src/client/skill-router.ts +79 -0
  318. package/src/client/skills.ts +199 -0
  319. package/src/client/snapshot.ts +56 -0
  320. package/src/client/telemetry.ts +24 -0
  321. package/src/client/todos.ts +23 -0
  322. package/src/client/tools.ts +756 -0
  323. package/src/client/tui-mode.ts +41 -0
  324. package/src/client/tui.ts +224 -0
  325. package/src/sdk/index.ts +36 -0
  326. package/src/selfcheck.ts +364 -0
  327. package/src/server/config.ts +58 -0
  328. package/src/server/credentials.ts +89 -0
  329. package/src/server/identity.ts +58 -0
  330. package/src/server/index.ts +113 -0
  331. package/src/server/oauth.ts +93 -0
  332. package/src/server/providers/adapter.ts +25 -0
  333. package/src/server/providers/anthropic.ts +189 -0
  334. package/src/server/providers/openai-compat.ts +76 -0
  335. package/src/server/providers/registry.ts +31 -0
  336. package/src/server/router.ts +29 -0
  337. package/src/server/sse.ts +20 -0
  338. package/src/shared/types.ts +20 -0
  339. package/tsconfig.json +15 -0
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: react-native-screen
3
+ description: Add a React Native screen and wire it into the navigation stack
4
+ category: mobile
5
+ ---
6
+
7
+ # React Native Screen
8
+
9
+ Use this when adding a new screen to a React Native app and registering it with React Navigation so it can be pushed, linked, and typed.
10
+
11
+ 1. Create the screen component (e.g. `screens/DetailsScreen.tsx`) as a function component that destructures `navigation` and `route` from props.
12
+ 2. Register it on the navigator: add a `<Stack.Screen name="Details" component={DetailsScreen} />` in the stack where it belongs.
13
+ 3. Extend the param list type (`type RootStackParamList = { Details: { id: string } }`) and type props with `NativeStackScreenProps<RootStackParamList, 'Details'>`.
14
+ 4. Navigate in with `navigation.navigate('Details', { id })`; read inputs via `route.params` and go back with `navigation.goBack()`.
15
+ 5. Wrap content in `SafeAreaView` (or `useSafeAreaInsets`) and set `options={{ title }}` so the header and notches render correctly.
16
+ 6. Add a deep-link path under `linking.config.screens` if the screen should be reachable by URL, then test push + back + deep link on device.
17
+
18
+ ## Rules
19
+ - Keep navigation param payloads small and serializable — pass IDs, not whole objects or functions.
20
+ - Don't call `navigation.navigate` during render; do it in an effect or an event handler.
21
+ - Use `useFocusEffect`/`useIsFocused` for work that should run when the screen gains focus, not `useEffect` alone.
22
+ - Type the param list once and reuse it everywhere to catch wrong-param navigations at compile time.
23
+ - Account for the header height and safe-area insets so content isn't clipped under the notch or status bar.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: react-perf
3
+ description: Diagnose and eliminate needless React re-renders with memoization
4
+ category: frameworks
5
+ ---
6
+
7
+ # React Perf
8
+
9
+ Use when a component tree re-renders too often or feels janky, and you need to find and cut the wasted work — measure first, optimize second.
10
+
11
+ 1. Profile with the React DevTools Profiler (or `<Profiler>`) to find which components re-render and why; don't guess.
12
+ 2. Identify the trigger: a new object/array/function prop created each render, an over-broad context, or state lifted too high.
13
+ 3. Stabilize prop identities with `useMemo` (values) and `useCallback` (functions) so memoized children actually skip renders.
14
+ 4. Wrap pure leaf/list components in `React.memo`; for lists, ensure stable `key`s that aren't array indices.
15
+ 5. Split or scope context, or lift state down, so a frequently-changing value doesn't re-render the whole subtree.
16
+ 6. Re-profile to confirm the render count dropped; remove any memoization that didn't move the needle.
17
+
18
+ ## Rules
19
+ - Never optimize without a before/after measurement — memoization has its own cost.
20
+ - `React.memo` is useless if you pass it a freshly-created object/callback each render; fix the parent first.
21
+ - Inline `{}`/`[]`/`() => {}` in JSX create new references every render — hoist or memoize them.
22
+ - A `useMemo`/`useCallback` with wrong deps reintroduces the bug or causes stale closures; keep deps honest.
23
+ - Heavy work in render belongs in `useMemo` or out of the component; effects don't make render faster.
@@ -0,0 +1,24 @@
1
+ ---
2
+ name: readme
3
+ description: Write or refresh a README covering what the project is, why it exists, install, and usage
4
+ category: docs
5
+ ---
6
+
7
+ # Readme
8
+
9
+ Reach for this when a repo has no README, a stale one, or a wall of text nobody reads. The goal is a doc that gets a newcomer from clone to running in minutes.
10
+
11
+ 1. Skim the codebase to confirm what the project actually does: entry points, package manifest (`package.json`, `pyproject.toml`, `Cargo.toml`), and any existing docs.
12
+ 2. Open with a one-line description and a short "why" — the problem it solves, who it's for.
13
+ 3. Write an Install section with the exact commands you verified work (clone, dependency install, build).
14
+ 4. Write a Usage section with a minimal copy-pasteable example that produces visible output.
15
+ 5. Add Configuration (env vars, flags, config files) only if the project needs it — link don't inline long tables.
16
+ 6. Add short sections as warranted: Requirements/prerequisites, Development/contributing, License.
17
+ 7. Run the install and usage commands yourself; fix the README to match reality before finishing.
18
+
19
+ ## Rules
20
+ - Lead with what it does and why, not a logo or badge wall.
21
+ - Every command must be one you actually ran or verified — no aspirational steps.
22
+ - Keep it scannable: headings, short paragraphs, fenced code blocks with language hints.
23
+ - Don't document internals or every flag; link to deeper docs instead of bloating the README.
24
+ - Match the project's existing tone and the real install method (npm vs pnpm, pip vs uv).
@@ -0,0 +1,24 @@
1
+ ---
2
+ name: rebase
3
+ description: Clean up branch history with interactive rebase without rewriting shared commits
4
+ category: git
5
+ ---
6
+
7
+ # Rebase
8
+
9
+ Use this to tidy a feature branch's history — reorder, reword, fixup, or drop commits, or replay onto an updated base — while keeping commits that others have already pulled intact.
10
+
11
+ 1. Confirm the branch is yours and unshared, or that collaborators agree to a force-push; never rewrite history on `main`/shared branches.
12
+ 2. Snapshot a safety net: note the current SHA (`git rev-parse HEAD`) or create a backup branch (`git branch backup/<name>`) so you can recover.
13
+ 3. Update the base first: `git fetch origin` then `git rebase origin/main` (or `git rebase -i origin/main` to also clean history in one pass).
14
+ 4. In interactive mode pick actions per line — `reword`, `squash`/`fixup`, `edit`, `drop`, reorder — keeping the oldest commit at the top.
15
+ 5. Resolve any conflicts as they surface: fix files, `git add`, then `git rebase --continue`; use `git rebase --abort` to bail back to the pre-rebase state.
16
+ 6. Verify the result: `git log --oneline origin/main..HEAD` and run tests, since rebasing can silently break a previously-working intermediate state.
17
+ 7. Publish with `git push --force-with-lease` (safer than `--force`: it refuses if the remote moved unexpectedly).
18
+
19
+ ## Rules
20
+ - Only rebase commits that exist solely on your local/feature branch; rebasing pushed-and-pulled commits breaks teammates.
21
+ - Always force-push with `--force-with-lease`, never plain `--force`.
22
+ - Keep a backup branch or recorded SHA before starting; `git reflog` is your fallback if you skipped that.
23
+ - Resolve conflicts commit-by-commit — don't blindly `git checkout --theirs/--ours` without understanding each.
24
+ - If a rebase gets messy, `git rebase --abort` and reconsider rather than fighting it.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: refactor
3
+ description: Make a safe, behavior-preserving refactor with tests green at every step
4
+ category: refactoring
5
+ ---
6
+
7
+ # Refactor
8
+
9
+ Reach for this when you want to improve structure, names, or design without changing observable behavior. The contract: every commit compiles and passes tests.
10
+
11
+ 1. Establish a baseline — run the test suite and confirm it is green before touching anything.
12
+ 2. If coverage is thin around the target code, add characterization tests that pin current behavior first.
13
+ 3. Make one small structural change at a time (extract, rename, move, inline); avoid mixing in behavior changes.
14
+ 4. Re-run the relevant tests after each change; if red, revert that step rather than debugging forward.
15
+ 5. Commit each green step separately with a message describing the structural move.
16
+ 6. When done, diff against the start and verify no public API, output, or side effect changed.
17
+
18
+ ## Rules
19
+ - Never refactor and fix a bug or add a feature in the same commit — split them.
20
+ - If the suite is too slow, run a fast subset per step and the full suite before pushing.
21
+ - Keep the diff reviewable; a refactor PR with logic changes hiding inside is a trap.
22
+ - If tests are missing and can't be added cheaply, say so and proceed with extra caution, not silently.
23
+ - Prefer mechanical, tool-assisted transforms (IDE/LSP rename, AST codemods) over hand edits.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: regression-test
3
+ description: Reproduce a reported bug as a failing test before fixing it, so it can never silently return
4
+ category: testing
5
+ ---
6
+
7
+ # Regression Test
8
+
9
+ Use when fixing a reported bug: capture it as a failing test first so the fix is proven and the bug stays dead.
10
+
11
+ 1. Reproduce the bug manually and nail down the exact inputs, state, and steps that trigger it.
12
+ 2. Write a test that reproduces it at the lowest practical level (unit if possible, integration/E2E if it needs the stack).
13
+ 3. Run the test and confirm it FAILS, demonstrating the bug — the failure should match the reported symptom.
14
+ 4. Implement the fix and run the test until it passes; confirm the failure mode is genuinely gone.
15
+ 5. Run the surrounding suite to make sure the fix didn't break anything else.
16
+ 6. Commit the test together with the fix, referencing the bug/issue id so the link is permanent.
17
+
18
+ ## Rules
19
+ - Write the failing test before the fix; a fix without a failing test first proves nothing about the bug.
20
+ - The test must fail for the bug's actual reason — verify it goes red on unfixed code, not on a setup error.
21
+ - Reproduce at the narrowest level that still captures the bug; reserve E2E for bugs that only appear there.
22
+ - Name the test after the bug/symptom (and issue id) so future readers know why it exists.
23
+ - Keep the regression test even if it overlaps existing tests; it documents a specific past failure.
@@ -0,0 +1,24 @@
1
+ ---
2
+ name: release-notes
3
+ description: Generate release notes from commits since the last tag
4
+ category: git
5
+ ---
6
+
7
+ # Release Notes
8
+
9
+ Use this to draft a changelog for a new release by collecting and grouping the commits made since the previous tag.
10
+
11
+ 1. Find the last release point: `git describe --tags --abbrev=0` gives the most recent tag to diff against.
12
+ 2. Collect the commits: `git log <last-tag>..HEAD --oneline --no-merges` (or `--pretty=format:'- %s (%h) @%an'` for richer lines).
13
+ 3. Group by type: bucket commits into Features / Fixes / Performance / Docs / Breaking Changes — Conventional Commit prefixes (`feat:`, `fix:`) make this mechanical.
14
+ 4. Surface breaking changes prominently: scan for `BREAKING CHANGE` in bodies (`git log <last-tag>..HEAD --grep='BREAKING'`) and call them out at the top.
15
+ 5. Enrich with PR/issue links where useful and credit contributors (`git shortlog -sn <last-tag>..HEAD`).
16
+ 6. Write the notes top-down: highlights first, then grouped lists, then a full commit/PR reference; tag the release and attach.
17
+ 7. For a fully-automated draft, `gh release create <tag> --generate-notes` uses GitHub's auto-generated notes as a starting point.
18
+
19
+ ## Rules
20
+ - Diff from the actual last tag, not an arbitrary date — `git describe --tags --abbrev=0` is the source of truth.
21
+ - Exclude merge commits (`--no-merges`) so the list reads as real changes.
22
+ - Lead with breaking changes and user-facing features; bury internal/chore commits or omit them.
23
+ - Rewrite terse commit subjects into user-readable lines — release notes are for humans, not a raw `git log` dump.
24
+ - Verify the tag/range covers exactly the intended release; an off-by-one tag drops or duplicates entries.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: rename-symbol
3
+ description: Rename a variable, function, type, or file safely across the whole project
4
+ category: refactoring
5
+ ---
6
+
7
+ # Rename Symbol
8
+
9
+ Use when a name is misleading, stale, or inconsistent. The goal is a complete rename with zero dangling references and no accidental collateral hits.
10
+
11
+ 1. Prefer a language-aware rename (LSP/IDE "rename symbol") so only real references change, not text matches.
12
+ 2. If renaming by search, scope it: match word boundaries and the correct case, and review every hit before applying.
13
+ 3. Update all sites — definitions, call sites, imports/exports, type annotations, and string references (DI keys, serialized names, configs).
14
+ 4. Check dynamic/reflective uses: JSON keys, ORM column maps, reflection, templates, docs, and comments.
15
+ 5. Build and run tests to catch missed or wrongly-changed references.
16
+ 6. Grep once more for the old name to confirm only intentional leftovers remain.
17
+
18
+ ## Rules
19
+ - Beware short or common names (`id`, `data`) — text search will over-match; use semantic rename only.
20
+ - Renaming a serialized field, DB column, env var, or public API name is a behavior change, not a pure refactor — flag it.
21
+ - Keep the rename in its own commit so the diff is auditable.
22
+ - If a public/exported symbol must keep backward compatibility, add an alias/deprecation rather than breaking callers.
23
+ - Don't forget filenames and the imports that reference them when renaming modules.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: repro
3
+ description: Build a minimal, reliable reproduction of a bug before attempting to fix it
4
+ category: debugging
5
+ ---
6
+
7
+ # Repro
8
+
9
+ Use when a bug is reported vaguely or only happens "sometimes." A minimal repro turns a fuzzy report into a concrete, debuggable artifact — and often reveals the cause by itself.
10
+
11
+ 1. Capture the original conditions: inputs, environment, versions, and the exact observed failure.
12
+ 2. Get it failing once on your machine, however ugly — full app, real data, whatever it takes.
13
+ 3. Strip it down: remove unrelated code, mock external services, shrink the input toward the smallest case that still fails.
14
+ 4. Pin nondeterminism — fix random seeds, freeze clocks, force single-threaded, hardcode the offending input — until it fails every run.
15
+ 5. Turn it into a runnable script or a failing test that anyone can execute with one command.
16
+ 6. Confirm the repro fails for the right reason (same error/trace), not a new unrelated one.
17
+
18
+ ## Rules
19
+ - A repro you can't run on demand isn't done — "it happened in prod once" is a lead, not a repro.
20
+ - Remove things one at a time; if the failure disappears, you just found a clue about the cause.
21
+ - Keep the input as small as possible — a 3-line case beats a 300-line dump for finding the bug.
22
+ - Prefer a failing test over a throwaway script so the repro stays as a regression guard after the fix.
23
+ - If you genuinely can't reproduce, add logging in the real environment to capture the conditions next time it fires.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: resolve-conflicts
3
+ description: Work through merge or rebase conflicts safely without losing either side's intent
4
+ category: git
5
+ ---
6
+
7
+ # Resolve Conflicts
8
+
9
+ Use this when a merge, rebase, cherry-pick, or stash pop stops with conflicts. The goal is a result that preserves the intent of both sides, not just one that compiles.
10
+
11
+ 1. See the lay of the land: `git status` lists conflicted files; `git diff` shows the conflict markers in context.
12
+ 2. Understand both sides before editing: `git log --merge -p <file>` or `git show :1:<file>`/`:2:`/`:3:` to inspect base, ours, and theirs.
13
+ 3. Edit each file to a correct merged result — delete the `<<<<<<<`, `=======`, `>>>>>>>` markers and reconcile the logic, not just pick a side.
14
+ 4. Mark resolved: `git add <file>` per file. To take one side wholesale use `git checkout --ours <file>` or `--theirs <file>` (note: in a rebase, ours/theirs are swapped vs a merge).
15
+ 5. Continue the operation: `git merge --continue` / `git rebase --continue` / `git cherry-pick --continue`. To bail out, use the matching `--abort`.
16
+ 6. Verify before trusting: build and run tests, since a conflict resolution can be syntactically clean but semantically wrong.
17
+
18
+ ## Rules
19
+ - Read both sides' intent before resolving; a merge that drops one side's logic is a silent bug.
20
+ - Remember ours/theirs is inverted during rebase (you're replaying your commits onto theirs) — verify with `git diff` rather than guessing.
21
+ - Always run the test suite after resolving; clean markers do not mean correct behavior.
22
+ - Use `git merge --abort` (or rebase/cherry-pick `--abort`) to get back to a known-good state instead of half-fixing.
23
+ - Enable `git config rerere.enabled true` to auto-reuse recorded resolutions on repeated conflicts (e.g. long rebases).
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: responsive
3
+ description: Make a layout adapt cleanly across mobile, tablet, and desktop breakpoints
4
+ category: frontend
5
+ ---
6
+
7
+ # Responsive
8
+
9
+ Use when a layout breaks, overflows, or looks cramped at some viewport sizes and needs to flex across breakpoints.
10
+
11
+ 1. Identify the breakpoints from the existing system (Tailwind/CSS vars/theme) rather than inventing new ones, and design mobile-first — base styles target the smallest screen.
12
+ 2. Reach for intrinsic layout first: flexbox, CSS grid, `gap`, `minmax`, `clamp()`, and `%`/`fr` units before adding media queries.
13
+ 3. Layer `min-width` media queries (or container queries when the component must adapt to its parent, not the viewport) to progressively enhance toward larger screens.
14
+ 4. Make media fluid: `max-width: 100%` on images, responsive `srcset`/`sizes`, and `aspect-ratio` to prevent layout shift.
15
+ 5. Handle text and spacing: fluid type via `clamp()`, wrap/scroll long content, and ensure tap targets are at least ~44px on touch.
16
+ 6. Test at real breakpoints and in between (narrow, tablet, wide, and the awkward sizes), checking for overflow, clipped content, and horizontal scroll.
17
+
18
+ ## Rules
19
+ - Write mobile-first: unconditional base styles, then `min-width` queries that add, not undo.
20
+ - Avoid fixed pixel widths/heights on containers; let content and the grid dictate size.
21
+ - Never cause horizontal scroll — watch for fixed widths, large images, and `100vw` + padding.
22
+ - Use container queries when a reusable component lives in varying-width slots.
23
+ - Don't hide content on small screens to "fix" layout unless it's genuinely redundant.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: rest-endpoint
3
+ description: Scaffold a REST endpoint with handler, input validation, and tests
4
+ category: api
5
+ ---
6
+
7
+ # Rest Endpoint
8
+
9
+ Reach for this when adding a new HTTP route (GET/POST/PUT/PATCH/DELETE) that needs a handler, validated input, and coverage.
10
+
11
+ 1. Find the existing routing layer and copy the nearest sibling endpoint's structure (router registration, file layout, naming).
12
+ 2. Define request/response shapes: path params, query params, and body — derive types from the validation schema, don't hand-write both.
13
+ 3. Validate input at the boundary (e.g. zod/pydantic/joi) and return 400 with field-level errors on failure before any business logic.
14
+ 4. Implement the handler: call the service/data layer, never inline DB queries in the route if the codebase separates them.
15
+ 5. Map errors to status codes deliberately — 404 not-found, 409 conflict, 422 unprocessable, 401/403 auth — and avoid leaking internals in 500s.
16
+ 6. Register the route and write tests: happy path, one validation-failure case, and one auth/not-found case.
17
+
18
+ ## Rules
19
+ - Match the project's existing conventions (status codes, error envelope, casing) over any external "best practice".
20
+ - Validate and parse untrusted input before it reaches business logic; reject unknown fields if the codebase does.
21
+ - Keep handlers thin — orchestration only; push logic into services so it's unit-testable.
22
+ - Use the correct verb and idempotency: POST creates, PUT/PATCH update, DELETE is idempotent.
23
+ - Never return raw exception messages or stack traces to clients.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: retro
3
+ description: Write a sprint or project retrospective that turns observations into committed action items
4
+ category: productivity
5
+ ---
6
+
7
+ # Retro
8
+
9
+ Use this at the end of a sprint, milestone, or project to capture what happened and convert it into concrete changes — a retro without owned action items is just venting.
10
+
11
+ 1. Set the window and gather inputs: the goals for the period, what shipped, plus signals from git log, merged PRs, closed issues, and CI history.
12
+ 2. Sort observations into three buckets: what went well (keep), what went poorly (stop), and what to try (start).
13
+ 3. For each "went poorly" item, dig one level past the symptom to a plausible cause rather than restating the complaint.
14
+ 4. Pull the highest-leverage themes — focus on the few that recur or hurt most, not an exhaustive list.
15
+ 5. Convert each theme into an action item with a clear owner, a concrete next step, and a check-back date.
16
+ 6. Write it up: a short summary, the keep/stop/start lists, and a table of action items (action, owner, due).
17
+
18
+ ## Rules
19
+ - Keep it blameless — describe systems and decisions, not individuals' failures.
20
+ - Every "went poorly" should map to at least one action item or an explicit "accept and move on".
21
+ - Action items need an owner and a date; "the team should" with no owner is not an action item.
22
+ - Ground claims in evidence (PRs, incidents, metrics) instead of vibes where you can.
23
+ - Cap it: 3-5 action items the team will actually do beats 20 that get ignored.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: rtos-task
3
+ description: Create an RTOS task with the right stack, priority, and inter-task communication
4
+ category: gamedev
5
+ ---
6
+
7
+ # RTOS Task
8
+
9
+ Use when adding a task/thread under an RTOS (FreeRTOS, Zephyr, ThreadX) and wiring it into the scheduler safely.
10
+
11
+ 1. Define the task function as an infinite loop that blocks on something (queue, semaphore, delay) — never a tight spin.
12
+ 2. Size the stack from worst-case call depth plus ISR/printf usage; start generous, then measure the high-water mark.
13
+ 3. Assign priority by deadline urgency, not importance; keep most tasks at the same level to avoid starvation.
14
+ 4. Use queues or message buffers for data hand-off and semaphores/notifications for signaling between tasks/ISRs.
15
+ 5. Block with `vTaskDelayUntil` (or equivalent) for periodic work so the period does not drift with execution time.
16
+ 6. From ISRs use only the `FromISR` APIs and yield if a higher-priority task was woken.
17
+
18
+ ## Rules
19
+ - Never busy-wait in a task; block on a primitive so lower-priority tasks and idle/sleep can run.
20
+ - Protect shared state with a mutex (with priority inheritance), not by disabling interrupts for long spans.
21
+ - Keep ISRs short: defer work to a task via a queue or task notification, call only `FromISR` variants.
22
+ - Validate stack high-water marks and enable stack-overflow checking during bring-up — overflow corrupts silently.
23
+ - Beware priority inversion and unbounded blocking; prefer mutexes with inheritance over plain binary semaphores for locking.
@@ -0,0 +1,25 @@
1
+ ---
2
+ name: runbook
3
+ description: Write an operational runbook an on-call engineer can follow at 3am to detect, diagnose, and resolve an incident.
4
+ category: docs
5
+ ---
6
+
7
+ # Runbook
8
+
9
+ Use when a recurring operational procedure (deploy rollback, failover, disk-full, cert rotation) needs to be executable by someone tired, paged, and unfamiliar with the system.
10
+
11
+ 1. State the trigger up front: the exact alert name, symptom, or condition that means "run this" — so on-call knows they're in the right doc.
12
+ 2. List prerequisites: required access/roles, tools, dashboards, and the blast radius / who to notify before acting.
13
+ 3. Add a fast diagnosis section — concrete commands and dashboard links to confirm the problem and rule out look-alikes.
14
+ 4. Write resolution as numbered, copy-pasteable steps with the *expected output* after each, so they can tell if it worked.
15
+ 5. Include a verification step ("service healthy when X") and a rollback/abort path if the fix makes things worse.
16
+ 6. End with escalation: who/what team to page, and how to capture state for the postmortem.
17
+ 7. Date the last test/review and note who owns it.
18
+
19
+ ## Rules
20
+ - Every command must be copy-pasteable and parameterized with `<placeholders>`, never with real prod values inline.
21
+ - Show expected output / success signal after risky steps — silence isn't confirmation.
22
+ - Always give an abort/rollback path; a runbook with no exit is a trap.
23
+ - Link the live dashboard/log query, don't paste a stale screenshot.
24
+ - Test the runbook in a drill; an untested runbook is a guess. Mark it `UNTESTED` until then.
25
+ - Keep it dumb-simple — assume zero context and high stress.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: rust-borrow
3
+ description: Diagnose and fix Rust borrow-checker and lifetime errors without resorting to clone-everything
4
+ category: languages
5
+ ---
6
+
7
+ # Rust Borrow
8
+
9
+ Use this when `cargo build` rejects code with E0499/E0502/E0515/E0597 or lifetime mismatches and you want a clean fix, not a clone band-aid.
10
+
11
+ 1. Read the error code and the borrow spans: the compiler points at where a value is borrowed, where it's used, and where the conflict happens — note the lifetimes involved.
12
+ 2. For "cannot borrow as mutable while borrowed as immutable", shorten the immutable borrow's scope (let it end before the mutation) or split into separate statements so NLL can release it.
13
+ 3. For "returns a value referencing data owned by the current function" (E0515), return an owned type (`String`, `Vec<T>`) or restructure so the caller owns the data.
14
+ 4. Resolve aliasing conflicts by splitting borrows: use `split_at_mut`, indices instead of references, or restructure into smaller functions that borrow disjoint fields.
15
+ 5. Add explicit lifetime parameters only when the compiler can't infer them; tie output lifetimes to the correct input, and prefer `'_` elision where it applies.
16
+ 6. When shared ownership is genuinely needed, reach for `Rc`/`Arc` (+ `RefCell`/`Mutex` for interior mutability) — deliberately, not reflexively.
17
+
18
+ ## Rules
19
+ - `.clone()` to silence the borrow checker is a smell; use it only when the copy cost is acceptable and ownership truly must split — otherwise restructure.
20
+ - Prefer narrowing scopes and splitting borrows over adding lifetime annotations; most errors are scope problems, not lifetime problems.
21
+ - Don't reach for `unsafe` to bypass the checker — it converts a compile error into undefined behavior.
22
+ - Avoid `Rc<RefCell<...>>` as a default; it moves borrow errors to runtime panics. Use it only when the ownership graph is genuinely shared.
23
+ - Keep functions small — many borrow conflicts dissolve when you extract code so borrows don't overlap.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: rust-unsafe-audit
3
+ description: Review Rust unsafe blocks for soundness and document the invariants they rely on
4
+ category: languages
5
+ ---
6
+
7
+ # Rust Unsafe Audit
8
+
9
+ Use this when auditing `unsafe` code for undefined behavior — raw pointer derefs, FFI, transmutes, or hand-rolled data structures.
10
+
11
+ 1. Enumerate every `unsafe` block and the specific operation each performs (raw deref, `transmute`, `from_raw`, `get_unchecked`, FFI call) — group by the invariant each requires.
12
+ 2. For each block, write down the safety contract: what must be true (non-null, aligned, valid for the access, unique/aliasing rules, initialized, lifetime outlives use) and confirm a caller or surrounding code guarantees it.
13
+ 3. Add a `// SAFETY:` comment to every `unsafe` block stating why the invariants hold; if you can't write one, the code is suspect.
14
+ 4. Check the aliasing rules specifically: no two `&mut` to the same data, no `&` overlapping a `&mut`, and pointers derived correctly (no provenance violations).
15
+ 5. Run `cargo +nightly miri test` and `cargo test` under ASan/`-Zsanitizer` where possible to catch UB the compiler can't see; fuzz boundary inputs for FFI.
16
+ 6. Minimize the unsafe surface: shrink blocks to the exact unsafe operation, wrap them in a safe abstraction with checked preconditions, and prefer safe std APIs where they exist.
17
+
18
+ ## Rules
19
+ - Every `unsafe` block needs a `// SAFETY:` comment naming the upheld invariant — no exceptions, including in tests.
20
+ - `transmute` is the most dangerous tool here; prefer `as` casts, `from_le_bytes`, `bytemuck`, or explicit `union` access, and verify size/layout/`#[repr]`.
21
+ - A safe public function wrapping unsafe internals must uphold the contract for all possible inputs — validate before the unsafe op, not after.
22
+ - Miri-clean is not proof of soundness, but Miri-dirty is proof of a bug — never ship code Miri flags.
23
+ - Don't widen lifetimes or fabricate `&mut` from `&` to dodge the borrow checker; that's instant UB even if it compiles.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: sanitize
3
+ description: Fix injection, XSS, and path-traversal bugs by parameterizing, encoding, and confining paths
4
+ category: security
5
+ ---
6
+
7
+ # Sanitize
8
+
9
+ Use this to remediate a concrete injection-class bug: SQL/command injection, XSS, or path traversal where untrusted input reaches a dangerous sink.
10
+
11
+ 1. Identify the sink and the injection class: query string, shell command, HTML/JS output, or filesystem path built from user input.
12
+ 2. SQL/NoSQL injection: replace string concatenation with parameterized queries / prepared statements or an ORM binding — never interpolate input into the query.
13
+ 3. Command injection: avoid the shell entirely — use an args array (`execFile`/`subprocess.run([...], shell=False)`); if a shell is unavoidable, allowlist and escape.
14
+ 4. XSS: encode output for its context (HTML body, attribute, JS, URL); render via the framework's auto-escaping; for rich HTML use a vetted sanitizer (DOMPurify) and a strict CSP.
15
+ 5. Path traversal: resolve the canonical path and assert it stays within an allowed base dir; reject `..`, absolute paths, and symlinks that escape; prefer an id-to-path map.
16
+ 6. Add a regression test that feeds the malicious payload and asserts it is now neutralized.
17
+
18
+ ## Rules
19
+ - Fix at the sink with the right primitive (parameterize, encode, confine) — input filtering alone is bypassable.
20
+ - Encode for the exact output context; HTML-escaping does not protect a JS or URL context.
21
+ - Disable shell interpolation by default; pass arguments as a list, not a concatenated string.
22
+ - Canonicalize paths before the boundary check, then verify the result is under the base directory.
23
+ - Keep a regression test per payload so the hole cannot silently reopen.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: schema-design
3
+ description: Design or normalize a database schema with sane keys, types, and relations
4
+ category: database
5
+ ---
6
+
7
+ # Schema Design
8
+
9
+ Use when modeling a new feature's tables or untangling an existing schema that has grown redundant, ambiguous, or hard to query.
10
+
11
+ 1. List the entities and the real-world relationships between them (1:1, 1:many, many:many) before writing any DDL.
12
+ 2. Give every table a stable primary key; pick a surrogate key (auto-int or UUID) unless a natural key is truly immutable and unique.
13
+ 3. Choose the tightest correct type for each column (e.g. `timestamptz` not text dates, `numeric` not float for money, enums/check constraints for fixed sets).
14
+ 4. Normalize to 3NF first (no repeating groups, no transitive deps), then denormalize only where a measured read pattern demands it.
15
+ 5. Add foreign keys with explicit `ON DELETE` behavior, and `NOT NULL` / `UNIQUE` / `CHECK` constraints to encode invariants in the DB, not just the app.
16
+ 6. Resolve many:many with a join table; index the foreign-key columns you will filter or join on.
17
+
18
+ ## Rules
19
+ - Let the database enforce integrity (FKs, constraints) — don't rely solely on application code.
20
+ - Prefer `timestamptz` and store times in UTC; name booleans as `is_`/`has_` flags.
21
+ - Avoid nullable columns that encode meaning; a separate table or status enum is usually clearer.
22
+ - Don't over-index up front — add indexes to match actual query and constraint needs.
23
+ - Use consistent naming (singular vs plural, snake_case) across the whole schema.
@@ -0,0 +1,22 @@
1
+ ---
2
+ name: screenshot-debug
3
+ description: Drive the app to the broken state, capture screenshots, and inspect a visual bug down to the offending element
4
+ category: visual-test
5
+ ---
6
+
7
+ # Screenshot Debug
8
+
9
+ Reach for this when a UI looks wrong ("button overlaps text", "modal off-screen") and you need eyes on the actual render, not the code you imagine it produces.
10
+
11
+ 1. Reproduce the exact state: script the navigation (URL, clicks, form fills, viewport size) that leads to the bug so every capture is identical. Pin viewport and device-pixel-ratio.
12
+ 2. Capture full-page AND a tight element crop (`page.locator(sel).screenshot()`); the crop removes surrounding noise and shows sub-pixel issues.
13
+ 3. Dump the computed state next to the image: `getComputedStyle`, `getBoundingClientRect`, and the DOM subtree HTML — the screenshot shows *what*, these show *why*.
14
+ 4. Toggle one variable at a time (resize viewport, force `:hover`/`:focus`, disable a CSS rule via devtools protocol) and re-shoot to bisect the cause.
15
+ 5. Confirm the fix by re-running the same script and comparing the new screenshot to the broken one in the same dimensions.
16
+
17
+ ## Rules
18
+ - Wait for the network/animations to settle before shooting (`waitForLoadState('networkidle')`, disable CSS transitions) or you capture a transient frame and chase a ghost.
19
+ - Always record the viewport size, DPR, and theme (light/dark) in the filename; "looks fine for me" is usually a different viewport.
20
+ - Screenshot the element, not just the page — a 1px misalignment is invisible at full-page scale.
21
+ - Disable animations and freeze time/`Date.now` for deterministic frames before comparing shots.
22
+ - Keep the repro script in the repo; a bug you can't re-capture on command isn't fixed, it's hidden.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: scroll-animation
3
+ description: Build scroll-triggered and scroll-linked animations (GSAP/Framer Motion) that stay smooth and jank-free.
4
+ category: ui-design
5
+ ---
6
+
7
+ # Scroll Animation
8
+
9
+ Reach for this when content should reveal, pin, or parallax as the user scrolls — done well it adds depth; done badly it stutters and hijacks the page.
10
+
11
+ 1. Decide trigger vs. scrub: reveal-on-enter (fire once when in view) vs. scroll-linked (progress tied to scroll position). Most sections want reveal; reserve scrubbing for hero/storytelling.
12
+ 2. For reveals, prefer the native `IntersectionObserver` (or Framer Motion `whileInView` with `viewport={{ once: true }}`) — cheap and battery-friendly. Add a `rootMargin` so it triggers slightly before the element hits the fold.
13
+ 3. For scrubbed/pinned sequences use GSAP ScrollTrigger with `scrub: true` (or a small smoothing number); animate only `transform`/`opacity` and let GSAP batch reads/writes.
14
+ 4. Build the parallax/depth illusion with differential `translateY` on layers via transform — never animate `background-position` or `top` during scroll.
15
+ 5. Stagger grouped reveals (40–80ms) and keep per-element distance small (16–40px rise) — large travel reads as laggy and forces reflow into view.
16
+ 6. Disable scroll effects (or make them instant) under `prefers-reduced-motion`, and lazy-init heavy ScrollTriggers below the fold so first paint stays fast.
17
+
18
+ ## Rules
19
+ - Never block or rubber-band native scroll; smooth-scroll libraries (Lenis) are opt-in and must respect reduced-motion.
20
+ - Keep work off the scroll thread: no layout-triggering properties, no `getBoundingClientRect` per frame in your own handlers — let IO/ScrollTrigger do it.
21
+ - Content must be fully readable with JS disabled or before the observer fires — start visible, animate enhancement, never hide-until-scripted as the only path.
22
+ - Test on a mid-tier phone at 60fps; if you see dropped frames, reduce simultaneous animated elements before tweaking easing.
23
+ - `will-change: transform` only on elements actively animating, and remove it after — leaving it on bloats the compositor.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: secret-scan
3
+ description: Find secrets accidentally committed to the repo, in history and working tree, and remediate
4
+ category: security
5
+ ---
6
+
7
+ # Secret Scan
8
+
9
+ Use this when you suspect (or want to rule out) API keys, tokens, passwords, or private keys committed to a repo.
10
+
11
+ 1. Scan the working tree and full history with a dedicated tool: `gitleaks detect --source . -v` or `trufflehog git file://.`; fall back to grep for high-signal patterns (`AKIA`, `-----BEGIN .* PRIVATE KEY-----`, `xox[baprs]-`, `ghp_`, `sk-`).
12
+ 2. Check `.env*`, config files, CI YAML, notebooks, and test fixtures — secrets hide outside source code.
13
+ 3. For each hit, decide if it is a true credential (live/format-valid) vs a placeholder/example, and confirm whether it is in current files, history, or both.
14
+ 4. For true secrets: rotate/revoke the credential first — assume it is compromised once committed.
15
+ 5. Remove it from current files, move it to env/secret manager, and add the path to `.gitignore`.
16
+ 6. If it must be purged from history, use `git filter-repo` (or BFG), force-push, and notify collaborators to re-clone.
17
+
18
+ ## Rules
19
+ - Rotation comes before history rewriting — scrubbing git history does not un-leak a key that is already public.
20
+ - Treat anything pushed to a remote or a forked/cloned repo as already exposed.
21
+ - Add a pre-commit secret hook (gitleaks/`detect-secrets`) so this does not recur.
22
+ - Do not print full secret values in logs or PRs; redact to a recognizable prefix.
23
+ - Placeholder values (`changeme`, `xxxx`, `your-key-here`) are not findings — verify before alarming.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: security-audit
3
+ description: Scan the codebase for common vulnerabilities and rank findings by exploitability
4
+ category: security
5
+ ---
6
+
7
+ # Security Audit
8
+
9
+ Reach for this when you want a broad first-pass sweep of a repo for security bugs before a release, audit, or handoff.
10
+
11
+ 1. Map the attack surface: enumerate entry points (HTTP routes, CLI args, message consumers, file uploads, deserializers) and where untrusted data enters.
12
+ 2. Grep for dangerous sinks: `eval`, `exec`, `child_process`, raw SQL string concatenation, `dangerouslySetInnerHTML`, `pickle.loads`, `yaml.load`, `os.system`, template rendering with user input.
13
+ 3. Trace tainted data from each entry point to each sink; flag any path where user input reaches a sink without validation or parameterization.
14
+ 4. Check auth/session handling, secrets management, crypto usage (no MD5/SHA1 for passwords, no hardcoded keys/IVs), and CORS/CSRF config.
15
+ 5. Run available scanners (`semgrep --config auto`, `bandit`, `gosec`, `npm audit`) and merge their hits with your manual findings, deduping.
16
+ 6. Rank each finding by severity x exploitability, write a one-line repro/impact, and propose the minimal fix.
17
+
18
+ ## Rules
19
+ - Confirm a real data flow before reporting; a dangerous function alone is not a vuln if input is trusted/constant.
20
+ - Prefer parameterized queries, allowlists, and library escaping over hand-rolled sanitizers.
21
+ - Never paste real secrets or live tokens into the report; redact to last 4 chars.
22
+ - Separate "exploitable now" from "defense-in-depth" so the team fixes the bleeding first.
23
+ - Cite file:line for every finding so it can be verified independently.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: security-review
3
+ description: Review the current diff for security vulnerabilities before it ships
4
+ category: review
5
+ ---
6
+
7
+ # Security Review
8
+
9
+ Reach for this when a change touches auth, input handling, data access, secrets, or anything exposed to untrusted input, and you want a focused security pass before merging.
10
+
11
+ 1. Scope the diff with `git diff` (or `git diff main...HEAD`) and list which files cross a trust boundary (network, user input, file system, env, subprocess).
12
+ 2. Trace each untrusted input to its sink — look for injection (SQL/NoSQL/command/template), path traversal, SSRF, and unsafe deserialization.
13
+ 3. Check authz/authn on every new or changed endpoint, handler, or query: is the caller's identity verified and are they allowed to touch this resource?
14
+ 4. Grep the diff for hardcoded secrets, tokens, keys, and credentials; confirm none are logged or committed.
15
+ 5. Inspect crypto, randomness, and session handling — flag weak hashes, predictable tokens, missing TLS verification, and `eval`-style dynamic execution.
16
+ 6. For each finding, report file:line, the concrete attack, severity, and a minimal fix; verify the fix doesn't break the happy path.
17
+
18
+ ## Rules
19
+ - Only flag issues reachable from untrusted input — don't pad the report with theoretical risks in trusted-only code paths.
20
+ - Assume all external input is hostile, including headers, query params, filenames, and webhook payloads.
21
+ - Never paste a discovered secret into output or logs; reference its location and recommend rotation.
22
+ - Prefer parameterized queries, allowlists, and existing framework escaping over hand-rolled sanitization.
23
+ - Rank findings by exploitability and blast radius, not by how many you found.
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: seed-data
3
+ description: Generate deterministic seed and fixture data for dev and test databases
4
+ category: database
5
+ ---
6
+
7
+ # Seed Data
8
+
9
+ Use when you need realistic, repeatable data to populate a dev database or back a test suite, without hand-writing rows or depending on production dumps.
10
+
11
+ 1. Decide the scope: a small idempotent dev seed (a few records per table) vs. per-test fixtures (minimal data for one scenario).
12
+ 2. Insert in dependency order — parents before children — so foreign keys resolve; reuse the IDs you create downstream.
13
+ 3. Use a faker/factory library or fixed literals; seed any RNG so the data is deterministic and reproducible across runs.
14
+ 4. Make the seed idempotent: upsert or guard with "skip if already present" so re-running doesn't duplicate or crash.
15
+ 5. Cover the edge cases tests actually need (empty strings, nulls, boundary numbers, unicode), not just the happy path.
16
+ 6. Wire it to a single command (e.g. `npm run seed`, `make seed`, a migration's data step) and document how to reset.
17
+
18
+ ## Rules
19
+ - Never point seed scripts at production or use real customer data; keep PII synthetic.
20
+ - Keep seeds idempotent — running twice must leave the same state.
21
+ - Isolate test fixtures per test (transaction rollback or truncate-between) so tests don't bleed state.
22
+ - Seed the smallest dataset that exercises the case; large seeds slow the suite for no gain.
23
+ - Keep seed data in version control and update it when the schema changes.