ada-agent 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +256 -0
- package/bench/README.md +88 -0
- package/bench/swebench.mjs +242 -0
- package/bin/ada-server.mjs +6 -0
- package/bin/ada.mjs +7 -0
- package/docs/agent-loop.svg +66 -0
- package/docs/architecture.md +139 -0
- package/docs/architecture.svg +73 -0
- package/docs/connectors.md +48 -0
- package/docs/integrations.md +59 -0
- package/docs/login-flow.svg +56 -0
- package/docs/orchestration.md +45 -0
- package/package.json +64 -0
- package/skills/accessibility/SKILL.md +23 -0
- package/skills/add-logging/SKILL.md +23 -0
- package/skills/add-metrics/SKILL.md +23 -0
- package/skills/adr/SKILL.md +24 -0
- package/skills/aesthetic-direction/SKILL.md +24 -0
- package/skills/agent-loop/SKILL.md +23 -0
- package/skills/alerting/SKILL.md +23 -0
- package/skills/alpha-compositing/SKILL.md +23 -0
- package/skills/android-compose/SKILL.md +23 -0
- package/skills/angular-module/SKILL.md +23 -0
- package/skills/ansible-playbook/SKILL.md +24 -0
- package/skills/api-docs/SKILL.md +24 -0
- package/skills/app-store-prep/SKILL.md +23 -0
- package/skills/architecture-diagram/SKILL.md +21 -0
- package/skills/architecture-doc/SKILL.md +24 -0
- package/skills/audit-log/SKILL.md +23 -0
- package/skills/authz-review/SKILL.md +23 -0
- package/skills/aws-lambda/SKILL.md +24 -0
- package/skills/bash-script/SKILL.md +23 -0
- package/skills/batch/SKILL.md +23 -0
- package/skills/bisect/SKILL.md +23 -0
- package/skills/bounding-box/SKILL.md +24 -0
- package/skills/branch-cleanup/SKILL.md +23 -0
- package/skills/bundle-analyze/SKILL.md +23 -0
- package/skills/cache/SKILL.md +23 -0
- package/skills/call-graph/SKILL.md +23 -0
- package/skills/canvas-debug/SKILL.md +23 -0
- package/skills/cdn-setup/SKILL.md +23 -0
- package/skills/changelog/SKILL.md +24 -0
- package/skills/cherry-pick/SKILL.md +23 -0
- package/skills/ci-setup/SKILL.md +23 -0
- package/skills/cleanup/SKILL.md +23 -0
- package/skills/cli-tool/SKILL.md +23 -0
- package/skills/cloudformation/SKILL.md +23 -0
- package/skills/code-examples/SKILL.md +24 -0
- package/skills/code-review/SKILL.md +23 -0
- package/skills/color-palette/SKILL.md +24 -0
- package/skills/color-space/SKILL.md +24 -0
- package/skills/comment-why/SKILL.md +23 -0
- package/skills/commit/SKILL.md +26 -0
- package/skills/complexity-audit/SKILL.md +23 -0
- package/skills/component/SKILL.md +23 -0
- package/skills/component-library/SKILL.md +23 -0
- package/skills/connect-github/SKILL.md +20 -0
- package/skills/connect-mcp/SKILL.md +21 -0
- package/skills/connect-postgres/SKILL.md +20 -0
- package/skills/connect-remote/SKILL.md +23 -0
- package/skills/connect-slack/SKILL.md +20 -0
- package/skills/contract-audit/SKILL.md +25 -0
- package/skills/contributing/SKILL.md +23 -0
- package/skills/cpp-raii/SKILL.md +23 -0
- package/skills/cron-job/SKILL.md +23 -0
- package/skills/cv-preprocess/SKILL.md +24 -0
- package/skills/dark-mode/SKILL.md +24 -0
- package/skills/dashboard/SKILL.md +23 -0
- package/skills/dashboard-ui/SKILL.md +23 -0
- package/skills/data-export/SKILL.md +23 -0
- package/skills/data-validation/SKILL.md +23 -0
- package/skills/dataframe/SKILL.md +23 -0
- package/skills/db-index/SKILL.md +24 -0
- package/skills/dead-code/SKILL.md +23 -0
- package/skills/debug/SKILL.md +24 -0
- package/skills/deck-review/SKILL.md +24 -0
- package/skills/dedupe/SKILL.md +23 -0
- package/skills/dedupe-deps/SKILL.md +23 -0
- package/skills/dependency-audit/SKILL.md +23 -0
- package/skills/dependency-update/SKILL.md +23 -0
- package/skills/deploy/SKILL.md +23 -0
- package/skills/design-system/SKILL.md +24 -0
- package/skills/design-tokens/SKILL.md +24 -0
- package/skills/diagram-as-code/SKILL.md +24 -0
- package/skills/diff-explain/SKILL.md +23 -0
- package/skills/django-view/SKILL.md +23 -0
- package/skills/doc-lint/SKILL.md +24 -0
- package/skills/docker-compose/SKILL.md +23 -0
- package/skills/dockerize/SKILL.md +23 -0
- package/skills/docstrings/SKILL.md +23 -0
- package/skills/dotfiles/SKILL.md +23 -0
- package/skills/dpi-scaling/SKILL.md +23 -0
- package/skills/e2e-test/SKILL.md +23 -0
- package/skills/embeddings/SKILL.md +23 -0
- package/skills/empty-states/SKILL.md +23 -0
- package/skills/env-setup/SKILL.md +23 -0
- package/skills/erc20/SKILL.md +24 -0
- package/skills/error-tracking/SKILL.md +23 -0
- package/skills/estimate/SKILL.md +23 -0
- package/skills/etl-pipeline/SKILL.md +24 -0
- package/skills/eval-harness/SKILL.md +23 -0
- package/skills/exif-orientation/SKILL.md +23 -0
- package/skills/explain-code/SKILL.md +23 -0
- package/skills/express-middleware/SKILL.md +23 -0
- package/skills/extract-function/SKILL.md +23 -0
- package/skills/faq/SKILL.md +24 -0
- package/skills/fastapi-endpoint/SKILL.md +23 -0
- package/skills/favicon/SKILL.md +23 -0
- package/skills/feature-engineering/SKILL.md +23 -0
- package/skills/few-shot/SKILL.md +23 -0
- package/skills/find-owner/SKILL.md +23 -0
- package/skills/firmware-driver/SKILL.md +23 -0
- package/skills/fix-flaky-tests/SKILL.md +23 -0
- package/skills/flutter-widget/SKILL.md +23 -0
- package/skills/font-rendering/SKILL.md +23 -0
- package/skills/form-validation/SKILL.md +23 -0
- package/skills/format/SKILL.md +23 -0
- package/skills/game-loop/SKILL.md +23 -0
- package/skills/gas-optimize/SKILL.md +25 -0
- package/skills/gdpr-review/SKILL.md +24 -0
- package/skills/github-actions/SKILL.md +23 -0
- package/skills/glossary/SKILL.md +24 -0
- package/skills/go-idioms/SKILL.md +23 -0
- package/skills/gpu-profile/SKILL.md +23 -0
- package/skills/graphify/SKILL.md +21 -0
- package/skills/graphql-resolver/SKILL.md +23 -0
- package/skills/grpc-service/SKILL.md +23 -0
- package/skills/guardrails/SKILL.md +23 -0
- package/skills/healthcheck/SKILL.md +23 -0
- package/skills/heisenbug/SKILL.md +23 -0
- package/skills/helm-chart/SKILL.md +24 -0
- package/skills/hero-section/SKILL.md +23 -0
- package/skills/html-email/SKILL.md +24 -0
- package/skills/html-form/SKILL.md +23 -0
- package/skills/html-sanitize/SKILL.md +23 -0
- package/skills/html-table/SKILL.md +23 -0
- package/skills/html-to-pdf/SKILL.md +23 -0
- package/skills/http-client/SKILL.md +23 -0
- package/skills/i18n/SKILL.md +23 -0
- package/skills/i2c-spi/SKILL.md +23 -0
- package/skills/image-decode/SKILL.md +24 -0
- package/skills/image-memory/SKILL.md +24 -0
- package/skills/image-perf/SKILL.md +24 -0
- package/skills/image-pipeline/SKILL.md +24 -0
- package/skills/image-upload/SKILL.md +24 -0
- package/skills/infra-cost/SKILL.md +24 -0
- package/skills/input-validation/SKILL.md +23 -0
- package/skills/issue-template/SKILL.md +23 -0
- package/skills/java-streams/SKILL.md +23 -0
- package/skills/k8s-manifest/SKILL.md +23 -0
- package/skills/kotlin-coroutines/SKILL.md +23 -0
- package/skills/landing-page/SKILL.md +24 -0
- package/skills/laravel-controller/SKILL.md +23 -0
- package/skills/lazy-load/SKILL.md +23 -0
- package/skills/license-check/SKILL.md +23 -0
- package/skills/license-header/SKILL.md +23 -0
- package/skills/lint-fix/SKILL.md +23 -0
- package/skills/llm-cost/SKILL.md +23 -0
- package/skills/lockfile-fix/SKILL.md +23 -0
- package/skills/low-power/SKILL.md +23 -0
- package/skills/makefile/SKILL.md +23 -0
- package/skills/man-page/SKILL.md +24 -0
- package/skills/mcp-server/SKILL.md +23 -0
- package/skills/memory-leak/SKILL.md +23 -0
- package/skills/mermaid-diagram/SKILL.md +23 -0
- package/skills/meta-tags/SKILL.md +23 -0
- package/skills/micro-interactions/SKILL.md +23 -0
- package/skills/migration/SKILL.md +23 -0
- package/skills/migration-guide/SKILL.md +24 -0
- package/skills/mkdocs-setup/SKILL.md +24 -0
- package/skills/mobile-permissions/SKILL.md +23 -0
- package/skills/mock-api/SKILL.md +23 -0
- package/skills/modernize/SKILL.md +23 -0
- package/skills/monorepo-setup/SKILL.md +23 -0
- package/skills/motion-design/SKILL.md +23 -0
- package/skills/n-plus-one/SKILL.md +23 -0
- package/skills/naming-review/SKILL.md +23 -0
- package/skills/nextjs-route/SKILL.md +23 -0
- package/skills/nginx-config/SKILL.md +23 -0
- package/skills/ocr-debug/SKILL.md +24 -0
- package/skills/onboard/SKILL.md +23 -0
- package/skills/onboarding-map/SKILL.md +23 -0
- package/skills/open-pr/SKILL.md +24 -0
- package/skills/openapi/SKILL.md +23 -0
- package/skills/opencv-debug/SKILL.md +24 -0
- package/skills/orm-model/SKILL.md +23 -0
- package/skills/owasp-check/SKILL.md +24 -0
- package/skills/page-transitions/SKILL.md +23 -0
- package/skills/pagination/SKILL.md +23 -0
- package/skills/perf-optimize/SKILL.md +23 -0
- package/skills/perf-profile/SKILL.md +23 -0
- package/skills/physics/SKILL.md +23 -0
- package/skills/pitch-deck/SKILL.md +24 -0
- package/skills/pixel-diff/SKILL.md +23 -0
- package/skills/ponytail/SKILL.md +46 -0
- package/skills/postmortem/SKILL.md +24 -0
- package/skills/pptx-deck/SKILL.md +23 -0
- package/skills/pptx-export/SKILL.md +23 -0
- package/skills/pptx-from-markdown/SKILL.md +23 -0
- package/skills/pptx-template/SKILL.md +24 -0
- package/skills/pr-review/SKILL.md +24 -0
- package/skills/precommit/SKILL.md +23 -0
- package/skills/pricing-page/SKILL.md +23 -0
- package/skills/project-overview/SKILL.md +22 -0
- package/skills/prompt-template/SKILL.md +23 -0
- package/skills/property-test/SKILL.md +23 -0
- package/skills/protobuf/SKILL.md +23 -0
- package/skills/py-async/SKILL.md +23 -0
- package/skills/py-typing/SKILL.md +23 -0
- package/skills/query-optimize/SKILL.md +23 -0
- package/skills/rag-pipeline/SKILL.md +23 -0
- package/skills/rails-resource/SKILL.md +23 -0
- package/skills/rate-limit/SKILL.md +23 -0
- package/skills/react-hooks/SKILL.md +23 -0
- package/skills/react-native-screen/SKILL.md +23 -0
- package/skills/react-perf/SKILL.md +23 -0
- package/skills/readme/SKILL.md +24 -0
- package/skills/rebase/SKILL.md +24 -0
- package/skills/refactor/SKILL.md +23 -0
- package/skills/regression-test/SKILL.md +23 -0
- package/skills/release-notes/SKILL.md +24 -0
- package/skills/rename-symbol/SKILL.md +23 -0
- package/skills/repro/SKILL.md +23 -0
- package/skills/resolve-conflicts/SKILL.md +23 -0
- package/skills/responsive/SKILL.md +23 -0
- package/skills/rest-endpoint/SKILL.md +23 -0
- package/skills/retro/SKILL.md +23 -0
- package/skills/rtos-task/SKILL.md +23 -0
- package/skills/runbook/SKILL.md +25 -0
- package/skills/rust-borrow/SKILL.md +23 -0
- package/skills/rust-unsafe-audit/SKILL.md +23 -0
- package/skills/sanitize/SKILL.md +23 -0
- package/skills/schema-design/SKILL.md +23 -0
- package/skills/screenshot-debug/SKILL.md +22 -0
- package/skills/scroll-animation/SKILL.md +23 -0
- package/skills/secret-scan/SKILL.md +23 -0
- package/skills/security-audit/SKILL.md +23 -0
- package/skills/security-review/SKILL.md +23 -0
- package/skills/seed-data/SKILL.md +23 -0
- package/skills/self-review/SKILL.md +23 -0
- package/skills/semantic-html/SKILL.md +23 -0
- package/skills/semver-bump/SKILL.md +24 -0
- package/skills/shader/SKILL.md +23 -0
- package/skills/shader-debug/SKILL.md +23 -0
- package/skills/simplify-conditionals/SKILL.md +23 -0
- package/skills/sitemap/SKILL.md +23 -0
- package/skills/skeleton-loader/SKILL.md +23 -0
- package/skills/slide-charts/SKILL.md +24 -0
- package/skills/slide-outline/SKILL.md +23 -0
- package/skills/snapshot-update/SKILL.md +23 -0
- package/skills/solidity-contract/SKILL.md +25 -0
- package/skills/speaker-notes/SKILL.md +23 -0
- package/skills/spike/SKILL.md +23 -0
- package/skills/split-file/SKILL.md +23 -0
- package/skills/spring-controller/SKILL.md +23 -0
- package/skills/sprite-anim/SKILL.md +23 -0
- package/skills/sql-report/SKILL.md +23 -0
- package/skills/squash/SKILL.md +24 -0
- package/skills/ssl-setup/SKILL.md +23 -0
- package/skills/stacktrace/SKILL.md +23 -0
- package/skills/static-site/SKILL.md +24 -0
- package/skills/structured-logging/SKILL.md +23 -0
- package/skills/svelte-store/SKILL.md +23 -0
- package/skills/swiftui-view/SKILL.md +23 -0
- package/skills/tailwind-theme/SKILL.md +24 -0
- package/skills/tcp-server/SKILL.md +23 -0
- package/skills/tdd/SKILL.md +23 -0
- package/skills/terraform-module/SKILL.md +24 -0
- package/skills/test-coverage/SKILL.md +23 -0
- package/skills/texture-debug/SKILL.md +23 -0
- package/skills/threat-model/SKILL.md +23 -0
- package/skills/thumbnail/SKILL.md +24 -0
- package/skills/todo-scan/SKILL.md +23 -0
- package/skills/tool-definition/SKILL.md +23 -0
- package/skills/trace-flow/SKILL.md +23 -0
- package/skills/tracing/SKILL.md +23 -0
- package/skills/train-model/SKILL.md +24 -0
- package/skills/tree-shake/SKILL.md +23 -0
- package/skills/ts-generics/SKILL.md +23 -0
- package/skills/ts-strict/SKILL.md +23 -0
- package/skills/tui-app/SKILL.md +23 -0
- package/skills/tutorial/SKILL.md +24 -0
- package/skills/type-tighten/SKILL.md +23 -0
- package/skills/typography/SKILL.md +24 -0
- package/skills/ui-bug-repro/SKILL.md +23 -0
- package/skills/ui-polish/SKILL.md +24 -0
- package/skills/ui-review/SKILL.md +24 -0
- package/skills/vendor/SKILL.md +23 -0
- package/skills/visual-diff-ci/SKILL.md +24 -0
- package/skills/visual-regression/SKILL.md +23 -0
- package/skills/vue-composition/SKILL.md +23 -0
- package/skills/web-component/SKILL.md +23 -0
- package/skills/web-fonts/SKILL.md +24 -0
- package/skills/web3-frontend/SKILL.md +25 -0
- package/skills/webgl-debug/SKILL.md +23 -0
- package/skills/webhook/SKILL.md +23 -0
- package/skills/websocket/SKILL.md +23 -0
- package/skills/write-tests/SKILL.md +19 -0
- package/src/client/agent.ts +803 -0
- package/src/client/background.ts +39 -0
- package/src/client/checkpoint.ts +48 -0
- package/src/client/cli.ts +1253 -0
- package/src/client/compaction.ts +86 -0
- package/src/client/extensions.ts +83 -0
- package/src/client/hooks.ts +40 -0
- package/src/client/image.ts +26 -0
- package/src/client/lsp.ts +0 -0
- package/src/client/mcp.ts +276 -0
- package/src/client/models-dev.ts +52 -0
- package/src/client/pkg.ts +41 -0
- package/src/client/platform.ts +94 -0
- package/src/client/prompts.ts +47 -0
- package/src/client/render.ts +138 -0
- package/src/client/session.ts +107 -0
- package/src/client/settings.ts +86 -0
- package/src/client/skill-router.ts +79 -0
- package/src/client/skills.ts +199 -0
- package/src/client/snapshot.ts +56 -0
- package/src/client/telemetry.ts +24 -0
- package/src/client/todos.ts +23 -0
- package/src/client/tools.ts +756 -0
- package/src/client/tui-mode.ts +41 -0
- package/src/client/tui.ts +224 -0
- package/src/sdk/index.ts +36 -0
- package/src/selfcheck.ts +364 -0
- package/src/server/config.ts +58 -0
- package/src/server/credentials.ts +89 -0
- package/src/server/identity.ts +58 -0
- package/src/server/index.ts +113 -0
- package/src/server/oauth.ts +93 -0
- package/src/server/providers/adapter.ts +25 -0
- package/src/server/providers/anthropic.ts +189 -0
- package/src/server/providers/openai-compat.ts +76 -0
- package/src/server/providers/registry.ts +31 -0
- package/src/server/router.ts +29 -0
- package/src/server/sse.ts +20 -0
- package/src/shared/types.ts +20 -0
- package/tsconfig.json +15 -0
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: format
|
|
3
|
+
description: Run the project formatter and apply consistent style across changed files
|
|
4
|
+
category: review
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Format
|
|
8
|
+
|
|
9
|
+
Use this to apply the project's canonical code style — run the configured formatter so style is consistent and never a review topic.
|
|
10
|
+
|
|
11
|
+
1. Detect the project's formatter from config (e.g. `prettier`, `black`/`ruff format`, `gofmt`/`goimports`, `rustfmt`, `.editorconfig`) and its run command.
|
|
12
|
+
2. Prefer the project script (`npm run format`, `make fmt`) over a global binary so the pinned version and config are used.
|
|
13
|
+
3. Run the formatter in write mode, scoped to changed files when possible to keep the diff tight.
|
|
14
|
+
4. Inspect the resulting diff to confirm only whitespace/style changed and no logic was touched.
|
|
15
|
+
5. Run a `--check`/`--diff` pass to verify the tree is now clean, then run the test suite.
|
|
16
|
+
6. Commit formatting on its own so functional diffs aren't buried under style churn.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Use the project's pinned formatter and config — never impose your own style preferences.
|
|
20
|
+
- Don't reformat untouched files unless that's the explicit task; mass reformatting destroys blame and bloats reviews.
|
|
21
|
+
- If no formatter is configured, match the surrounding file's existing style instead of introducing one.
|
|
22
|
+
- Keep formatting commits separate from logic commits for a clean, reviewable history.
|
|
23
|
+
- A formatter must be idempotent — if a second run produces a diff, the config or version is mismatched; resolve that.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: game-loop
|
|
3
|
+
description: Set up a fixed-timestep game loop with decoupled update and render
|
|
4
|
+
category: gamedev
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Game Loop
|
|
8
|
+
|
|
9
|
+
Reach for this when frame-rate-independent simulation matters: physics, networking, or deterministic gameplay that must behave the same at 30 and 144 fps.
|
|
10
|
+
|
|
11
|
+
1. Pick a fixed simulation step (e.g. `dt = 1/60`) for update; keep rendering uncapped or vsync-bound separately.
|
|
12
|
+
2. Each frame, measure real elapsed time and add it to an accumulator: `accumulator += frameTime`.
|
|
13
|
+
3. Run `while (accumulator >= dt) { update(dt); accumulator -= dt; }` so simulation advances in fixed chunks.
|
|
14
|
+
4. Compute interpolation alpha = `accumulator / dt` and render between previous and current state to avoid stutter.
|
|
15
|
+
5. Clamp `frameTime` to a max (e.g. 0.25s) before accumulating to prevent the "spiral of death" after a stall.
|
|
16
|
+
6. Keep input sampling at the top of the frame; apply input inside `update`, not render.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Never pass a variable wall-clock delta into physics — that breaks determinism and collision.
|
|
20
|
+
- Cap accumulated time so a debugger pause or GC stall does not trigger hundreds of catch-up updates.
|
|
21
|
+
- Store previous and current state explicitly so render interpolation has both endpoints.
|
|
22
|
+
- Use a monotonic clock (`performance.now`, `std::chrono::steady_clock`), never system wall time.
|
|
23
|
+
- Decouple render rate from update rate; do not block rendering on the simulation loop.
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: gas-optimize
|
|
3
|
+
description: Reduce a contract's gas cost by measuring hotspots and applying proven storage/logic optimizations
|
|
4
|
+
category: web3
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Gas Optimize
|
|
8
|
+
|
|
9
|
+
Reach for this after a contract is correct and tested, to cut deployment and per-call gas. Measure first — never optimize blind.
|
|
10
|
+
|
|
11
|
+
1. Baseline: run `forge test --gas-report` (or `hardhat-gas-reporter`) and `forge snapshot` to capture current costs per function.
|
|
12
|
+
2. Attack storage — the biggest lever: pack variables into single 32-byte slots, shrink types where safe, cache `storage` reads in `memory`/local vars inside loops, and use `immutable`/`constant` for fixed values.
|
|
13
|
+
3. Tighten loops: cache `array.length`, avoid repeated SLOADs, prefer `unchecked` increments where overflow is impossible (post-0.8).
|
|
14
|
+
4. Trim logic: replace `require`-strings with custom errors, use `calldata` over `memory` for read-only external args, mark functions `external`, and short-circuit cheap conditions first.
|
|
15
|
+
5. Tune the compiler: set the `optimizer` runs to match usage (low runs = cheaper deploy, high runs = cheaper calls); consider Yul/inline assembly only as a last resort.
|
|
16
|
+
6. Re-measure after each change with `forge snapshot --diff`; keep changes that help, revert those that don't.
|
|
17
|
+
7. Re-run the full test suite — confirm optimizations changed cost, not behavior.
|
|
18
|
+
|
|
19
|
+
## Rules
|
|
20
|
+
- Always measure before and after; an "obvious" optimization can cost more after compiler optimization.
|
|
21
|
+
- Never sacrifice safety for gas — keep reentrancy guards, overflow checks, and access control intact.
|
|
22
|
+
- Only use `unchecked` when you can prove the arithmetic cannot overflow/underflow.
|
|
23
|
+
- Storage (SSTORE/SLOAD) dominates cost; optimize slot packing and read caching before micro-tweaks.
|
|
24
|
+
- Avoid assembly unless the gas win is large, tested, and commented — it removes safety nets.
|
|
25
|
+
- Watch the storage-layout: reordering variables can break upgradeable/proxy contracts.
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: gdpr-review
|
|
3
|
+
description: Review how the codebase collects, stores, and shares PII for GDPR compliance
|
|
4
|
+
category: compliance
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# GDPR Review
|
|
8
|
+
|
|
9
|
+
Use when auditing a feature or service that touches personal data, or before shipping anything that collects user information into the EU/EEA scope.
|
|
10
|
+
|
|
11
|
+
1. Inventory PII: grep for fields and patterns (email, name, phone, IP, address, `user_id`, device IDs, geolocation, cookies) and list every place personal data enters the system.
|
|
12
|
+
2. Trace data flow for each item — where it is stored (DB tables, logs, caches, analytics, third-party SaaS), how long, and who it is shared with.
|
|
13
|
+
3. Check the legal basis and consent: is collection tied to a stated purpose, is consent recorded and revocable, and is data minimized to what the purpose needs.
|
|
14
|
+
4. Verify data-subject rights are implementable: export (portability), deletion/erasure, and rectification — confirm a delete actually purges across DB, backups policy, logs, and downstream processors.
|
|
15
|
+
5. Check protection controls: encryption at rest/in transit, access scoping, and that PII is not leaking into logs, error traces, URLs, or analytics events.
|
|
16
|
+
6. Confirm cross-border transfers and sub-processors have a lawful mechanism, and that retention/auto-expiry is enforced in code, not just documented.
|
|
17
|
+
7. Report findings ranked by risk with concrete file/line references and a remediation per gap.
|
|
18
|
+
|
|
19
|
+
## Rules
|
|
20
|
+
- Flag any PII written to plaintext logs, analytics, or third-party trackers without consent — this is a common and serious leak.
|
|
21
|
+
- "Soft delete" (a flag) does not satisfy erasure; verify the data is truly removed or anonymized.
|
|
22
|
+
- Pseudonymized data is still personal data if it can be re-linked; treat reversible hashing/IDs as PII.
|
|
23
|
+
- Do not assume backups are out of scope — note the retention and deletion policy for them.
|
|
24
|
+
- You are reviewing engineering controls, not giving legal advice; recommend legal/DPO sign-off for basis and contracts.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: github-actions
|
|
3
|
+
description: Author or fix a GitHub Actions workflow with correct triggers, jobs, caching, and permissions
|
|
4
|
+
category: ci-cd
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# GitHub Actions
|
|
8
|
+
|
|
9
|
+
Use when creating a new `.github/workflows/*.yml` or debugging one that fails, misfires, or runs too often.
|
|
10
|
+
|
|
11
|
+
1. Set the right triggers in `on:` (`push`, `pull_request`, `workflow_dispatch`, `schedule`) and scope branches/paths to avoid noise.
|
|
12
|
+
2. Define jobs with a pinned `runs-on` image; use a `matrix` only when you genuinely test multiple versions.
|
|
13
|
+
3. Pin actions to a tag or SHA (`actions/checkout@v4`), set up the runtime, and cache deps with `actions/cache` or the setup action's built-in cache.
|
|
14
|
+
4. Grant least-privilege `permissions:` (default read; add `contents: write` / `id-token: write` only where needed).
|
|
15
|
+
5. Store credentials in repo/org Secrets and reference via `${{ secrets.X }}`; never echo them.
|
|
16
|
+
6. Validate by pushing to a branch and reading the run logs; when fixing, reproduce the failing step and inspect its exact output.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Pin third-party actions by SHA or major tag — floating `@master` is a supply-chain risk.
|
|
20
|
+
- Set explicit `permissions:` per workflow or job; the broad default token is too powerful.
|
|
21
|
+
- Add `concurrency:` with `cancel-in-progress` to kill superseded runs on the same ref.
|
|
22
|
+
- Don't print secrets to logs and don't expose them to PRs from forks.
|
|
23
|
+
- When debugging, read the failing job's logs first — guessing at YAML wastes runs.
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: glossary
|
|
3
|
+
description: Build a glossary of domain and project terms so docs and code use one shared, unambiguous vocabulary.
|
|
4
|
+
category: docs
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Glossary
|
|
8
|
+
|
|
9
|
+
Use when a project has overloaded or insider terms ("tenant", "job", "account") that mean different things to different people — a glossary fixes the canonical meaning.
|
|
10
|
+
|
|
11
|
+
1. Harvest terms from code identifiers, docs, schemas, and onboarding questions; flag any word used two ways.
|
|
12
|
+
2. For each term write a one-sentence definition in plain language, then add nuance only if needed.
|
|
13
|
+
3. Note synonyms and explicitly call out "not to be confused with" near-misses.
|
|
14
|
+
4. Add a tiny concrete example or the canonical code/type it maps to (`Order → orders table, OrderEntity`).
|
|
15
|
+
5. Sort alphabetically with stable anchors so terms are deep-linkable from other docs.
|
|
16
|
+
6. Cross-link related terms and link the glossary from the docs landing page and CONTRIBUTING.
|
|
17
|
+
7. Assign an owner and review on schema/domain changes so definitions track reality.
|
|
18
|
+
|
|
19
|
+
## Rules
|
|
20
|
+
- One canonical definition per term — if a word legitimately means two things, that's two entries with disambiguators.
|
|
21
|
+
- Define in plain words; don't define a term using three other undefined terms.
|
|
22
|
+
- Tie each term to its concrete artifact (table, type, endpoint) where one exists.
|
|
23
|
+
- Keep entries short; a glossary is a lookup, not an essay.
|
|
24
|
+
- Update the glossary in the same PR that renames or repurposes a domain term.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: go-idioms
|
|
3
|
+
description: Apply idiomatic Go for error handling, context propagation, and interface design
|
|
4
|
+
category: languages
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Go Idioms
|
|
8
|
+
|
|
9
|
+
Use this when reviewing or refactoring Go that fights the language — swallowed errors, missing context, or fat interfaces.
|
|
10
|
+
|
|
11
|
+
1. Handle every error explicitly at the call site: return it wrapped with `fmt.Errorf("doing X: %w", err)` so callers can `errors.Is`/`errors.As` it; never discard with `_` unless intentional and commented.
|
|
12
|
+
2. Thread `context.Context` as the first parameter through any call that does I/O or can block, and honor cancellation (`ctx.Err()`, `<-ctx.Done()`).
|
|
13
|
+
3. Define interfaces where they're consumed, keep them small (one or two methods), and accept interfaces but return concrete types.
|
|
14
|
+
4. Use `defer` for cleanup (close, unlock) right after acquiring the resource; prefer `sync.Mutex` zero-value over pointers and don't copy locks.
|
|
15
|
+
5. Replace sentinel-error string matching with typed errors or `errors.Is`, and use `errors.Join` to aggregate when needed.
|
|
16
|
+
6. Run `go vet`, `gofmt`/`goimports`, and `staticcheck`; fix shadowed `err`, unchecked returns, and ineffective assignments.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Wrap errors with `%w` (not `%v`) when callers may need to inspect the cause; add context, don't just rethrow.
|
|
20
|
+
- Don't start goroutines you can't stop — every goroutine needs a clear exit path tied to a context or channel close.
|
|
21
|
+
- Avoid `interface{}`/`any` in APIs; use concrete types or generics. Empty interfaces push type errors to runtime.
|
|
22
|
+
- Name things tersely and idiomatically (`r io.Reader`, not `reader`), and return early instead of nesting `if/else`.
|
|
23
|
+
- Don't panic across package boundaries — return errors; reserve `panic` for truly unrecoverable programmer bugs.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: gpu-profile
|
|
3
|
+
description: Profile GPU frame time and find the draw-call or fill-rate bottleneck behind dropped frames and jank
|
|
4
|
+
category: graphics
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# GPU Profile
|
|
8
|
+
|
|
9
|
+
Reach for this when the frame rate drops or stutters and you need to find whether the GPU, the draw-call count, or the CPU submit is the bottleneck.
|
|
10
|
+
|
|
11
|
+
1. Measure first, don't guess: get a stable frame-time number (ms/frame, not just FPS) from the browser/engine profiler or a GPU timer query. One slow frame vs sustained slowness point to different causes.
|
|
12
|
+
2. Split CPU vs GPU: if CPU time per frame (JS/submit) already exceeds your budget, the GPU is starved — optimize the submit side. If CPU is cheap but frame time is high, you're GPU-bound; continue.
|
|
13
|
+
3. For GPU-bound, separate vertex/draw-call cost from fill-rate: shrink the canvas to a tiny size and re-measure. If it speeds up dramatically, you're fill-rate/overdraw bound (fragment shader, blending, big textures); if not, you're geometry/draw-call bound.
|
|
14
|
+
4. For draw-call bound, count draw calls per frame and batch: merge meshes, instance repeated geometry, atlas textures, and sort by material to cut state changes. Thousands of tiny draws is the classic cause.
|
|
15
|
+
5. For fill-rate bound, reduce overdraw (sort opaque front-to-back, cut large transparent layers), lower the heaviest fragment shader cost, shrink/compress textures, and cap devicePixelRatio.
|
|
16
|
+
6. Confirm the fix against the same frame-time metric under the same scene, and watch for a moved bottleneck (fixing fill-rate can expose a draw-call wall).
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Profile in milliseconds per frame; FPS hides how close you are to the next dropped-frame threshold.
|
|
20
|
+
- The resize-the-canvas test is the fastest way to tell fill-rate from geometry bound — use it before optimizing.
|
|
21
|
+
- Draw-call count and state changes, not triangle count, are usually the wall on modern GPUs — batch and instance.
|
|
22
|
+
- Always disable browser/devtools overlays and run a release build when measuring; debug layers distort timings.
|
|
23
|
+
- Re-measure after each change; optimizing the non-bottleneck buys nothing and bottlenecks move.
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: graphify
|
|
3
|
+
description: Turn code, data, or relationships into a clear visual graph (Mermaid/Graphviz), then render it.
|
|
4
|
+
category: docs
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Graphify
|
|
8
|
+
|
|
9
|
+
Use when a relationship, flow, hierarchy, or dependency would land better as a picture than prose.
|
|
10
|
+
|
|
11
|
+
1. Identify the **nodes** (entities) and **edges** (relationships), and what each edge means — calls, depends-on, contains, flows-to.
|
|
12
|
+
2. Pick the graph type that fits: flowchart (a process), sequence (interactions over time), ER (a data model), class (types), state (modes), or a dependency graph (modules/packages).
|
|
13
|
+
3. Express it as code — prefer **Mermaid** (renders on GitHub and most viewers) in a fenced ` ```mermaid ` block; use Graphviz/DOT or D2 when you need precise layout control.
|
|
14
|
+
4. Keep it legible: ≤ ~15 nodes per view, short labels, group with subgraphs, `LR` direction for wide flows and `TB` for hierarchies.
|
|
15
|
+
5. Put it in a doc (e.g. `docs/<name>.md`) or render to SVG/PNG (`mmdc -i in.mmd -o out.svg`, `dot -Tsvg`) and link it.
|
|
16
|
+
|
|
17
|
+
## Rules
|
|
18
|
+
- One graph = one idea. If it needs a legend longer than the graph, split it.
|
|
19
|
+
- Derive nodes/edges from the actual code/data — don't invent structure.
|
|
20
|
+
- Label edges with the relationship, not just bare arrows.
|
|
21
|
+
- Re-render after edits so the committed image matches its source.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: graphql-resolver
|
|
3
|
+
description: Add a GraphQL resolver and its schema type, wired into the existing graph
|
|
4
|
+
category: api
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Graphql Resolver
|
|
8
|
+
|
|
9
|
+
Use when exposing new data or a mutation through GraphQL — you need a schema type plus the resolver that backs it.
|
|
10
|
+
|
|
11
|
+
1. Add or extend the SDL type (or code-first type) — define fields, nullability, and arguments; reuse existing scalars and enums.
|
|
12
|
+
2. Wire the field into the root `Query`/`Mutation` (or parent type) so the schema actually exposes it.
|
|
13
|
+
3. Implement the resolver, pulling shared services and the request `context` (auth, loaders) rather than instantiating clients inline.
|
|
14
|
+
4. Use a DataLoader (or equivalent batching) for any field that fetches per-parent to avoid N+1 queries.
|
|
15
|
+
5. Enforce auth/authorization inside the resolver or via a directive/middleware — never assume the gateway did it.
|
|
16
|
+
6. Regenerate typed bindings if the project uses codegen, then add a resolver test covering one success and one error/forbidden case.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Keep schema and resolver in sync; if codegen exists, run it and commit the generated output.
|
|
20
|
+
- Return GraphQL errors via the framework's error type (with extensions/codes), not by throwing raw strings.
|
|
21
|
+
- Batch with DataLoader for list-of-parents fields; a naive resolver silently becomes an N+1.
|
|
22
|
+
- Make nullability deliberate — non-null fields that can fail will null out the whole parent.
|
|
23
|
+
- Don't over-fetch: select only the columns/fields the resolver actually returns.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: grpc-service
|
|
3
|
+
description: Define a gRPC service from proto through generated stubs to a working server and client
|
|
4
|
+
category: networking
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# gRPC Service
|
|
8
|
+
|
|
9
|
+
Reach for this when adding RPC between services and you want a typed contract, code-gen, and streaming. Best when both ends are yours.
|
|
10
|
+
|
|
11
|
+
1. Write a `.proto` (`syntax = "proto3";`) with a `package`, a `service` block, and `rpc` methods; give every method a dedicated request and response message (never reuse one message for both).
|
|
12
|
+
2. Pick the right method shape per call: unary, server-streaming (`returns (stream X)`), client-streaming (`(stream X)`), or bidi.
|
|
13
|
+
3. Generate stubs with `protoc` (or `buf generate`) for your language, and check generated code into the build, not the repo unless that's the convention.
|
|
14
|
+
4. Implement the server: bind the service to a server object, register interceptors for auth/logging, and serve on a port with a health check (`grpc.health.v1`).
|
|
15
|
+
5. Build the client with a channel/stub, set per-call deadlines (`context` timeout / `CallOptions`), and handle the typed status codes.
|
|
16
|
+
6. Test with `grpcurl -plaintext host:port list` and a real client call before wiring callers.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Never renumber or reuse field tags; mark removed fields `reserved`. Tag numbers are the wire contract, not the field names.
|
|
20
|
+
- Always set a deadline on every client call — gRPC has no default timeout and a hung server blocks the caller forever.
|
|
21
|
+
- Return proper `status` codes (`NOT_FOUND`, `INVALID_ARGUMENT`, `UNAVAILABLE`), not `UNKNOWN` for everything.
|
|
22
|
+
- Enable TLS for anything off-localhost; `plaintext` is for local dev and tests only.
|
|
23
|
+
- Make handlers idempotent where possible — clients retry `UNAVAILABLE`/`DEADLINE_EXCEEDED` automatically with some configs.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: guardrails
|
|
3
|
+
description: Add output validation and guardrails so LLM responses are safe, valid, and on-spec
|
|
4
|
+
category: agent-llm
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Guardrails
|
|
8
|
+
|
|
9
|
+
Reach for this when an LLM's output feeds a downstream system (UI, API, DB) and must conform to a schema or policy before you trust it.
|
|
10
|
+
|
|
11
|
+
1. Define the contract: the exact output schema (JSON Schema / zod / pydantic) plus any content policy the response must satisfy.
|
|
12
|
+
2. Steer at generation time — request structured output / tool-call format, and state the constraints explicitly in the prompt.
|
|
13
|
+
3. Validate the raw output against the schema; on failure, do not pass it downstream.
|
|
14
|
+
4. Add content checks beyond shape: required fields non-empty, values in allowed ranges/enums, no leaked secrets or injected instructions.
|
|
15
|
+
5. On a validation failure, retry once with the validator error fed back to the model; if it still fails, fall back to a safe default or surface an error.
|
|
16
|
+
6. Log every rejection with the offending output so you can tighten prompts and catch new failure modes.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Validate before use, always — never act on unvalidated model output, even when it "looks fine".
|
|
20
|
+
- Treat tool results and retrieved documents as untrusted; strip or neutralize embedded instructions (prompt injection).
|
|
21
|
+
- Schema-conformance is necessary but not sufficient — a well-formed answer can still be wrong or unsafe; layer semantic checks.
|
|
22
|
+
- Bound retries (one or two) to avoid loops and cost blowups; have a definite fallback path.
|
|
23
|
+
- Keep the validator independent of the model; don't let the same LLM both produce and "approve" its own output unchecked.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: healthcheck
|
|
3
|
+
description: Add liveness/readiness endpoints so orchestrators and load balancers know when the service is healthy
|
|
4
|
+
category: ci-cd
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Healthcheck
|
|
8
|
+
|
|
9
|
+
Reach for this when a service runs under Docker, Kubernetes, or a load balancer that needs to probe whether it's alive and ready for traffic.
|
|
10
|
+
|
|
11
|
+
1. Add a cheap liveness endpoint (`/healthz`) that returns 200 if the process is up — no external calls.
|
|
12
|
+
2. Add a readiness endpoint (`/readyz`) that checks critical dependencies (DB ping, cache, required config) and returns 503 until all pass.
|
|
13
|
+
3. Return a small JSON body with overall status and per-dependency results, and set the HTTP status code to match.
|
|
14
|
+
4. Keep probes fast and side-effect-free with a short timeout so a slow dependency doesn't hang the check.
|
|
15
|
+
5. Wire the probe into the platform: Dockerfile `HEALTHCHECK`, compose `healthcheck`, or k8s `livenessProbe`/`readinessProbe`.
|
|
16
|
+
6. Test both states — healthy returns 200, and a downed dependency makes `/readyz` return 503 — before relying on it.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Separate liveness (am I running?) from readiness (can I serve?) — conflating them causes needless restarts.
|
|
20
|
+
- Keep checks lightweight and bounded with a timeout; never let a probe block or do heavy work.
|
|
21
|
+
- Don't require auth on the probe path, but don't leak secrets or stack details in the body either.
|
|
22
|
+
- Make readiness actually fail (503) when a hard dependency is down, or it's decorative.
|
|
23
|
+
- Match the HTTP status to reality — orchestrators key off the code, not the JSON.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: heisenbug
|
|
3
|
+
description: Debug intermittent timing and concurrency bugs that vanish under observation
|
|
4
|
+
category: debugging
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Heisenbug
|
|
8
|
+
|
|
9
|
+
Use when a bug appears only sometimes — flaky tests, race conditions, ordering-dependent failures — and disappears the moment you add a log or a breakpoint. These are timing and shared-state bugs; treat them differently from deterministic ones.
|
|
10
|
+
|
|
11
|
+
1. Quantify the flakiness: loop the failing case hundreds of times to get a failure rate you can track as you investigate.
|
|
12
|
+
2. Hunt for shared mutable state crossing threads/tasks/processes, and for any code that assumes an order events don't guarantee.
|
|
13
|
+
3. Suspect the usual sources: missing await/synchronization, check-then-act races, unprotected shared variables, reliance on iteration/map order, or wall-clock timing.
|
|
14
|
+
4. Make the race more likely instead of less — add jitter/delays, increase concurrency, randomize scheduling, shrink timeouts — so it fails almost every run.
|
|
15
|
+
5. Once it fails reliably, fix the cause: add proper locking/atomics, await the dependency, make the operation idempotent, or remove the shared state.
|
|
16
|
+
6. Verify by running the original loop thousands of times with zero failures, then remove any artificial delays you added.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Adding a log or debugger changes timing and can hide the bug — prefer post-hoc capture (record then inspect) over live stepping.
|
|
20
|
+
- A "fix" that just lowers the failure rate is not a fix; a real fix makes it impossible, not rare.
|
|
21
|
+
- Don't paper over flakiness with retries or longer sleeps — that hides a race that will resurface under load.
|
|
22
|
+
- Set a fixed seed for anything random so a failing run is reproducible.
|
|
23
|
+
- Reproduce on the same concurrency/hardware profile as production; single-core or low-load runs may never trigger it.
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: helm-chart
|
|
3
|
+
description: Author a Helm chart with templated manifests, values, and helpers
|
|
4
|
+
category: cloud
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Helm Chart
|
|
8
|
+
|
|
9
|
+
Reach for this when a workload needs to ship to multiple environments with varying config — Helm templates the manifests and exposes the knobs through `values.yaml`.
|
|
10
|
+
|
|
11
|
+
1. Scaffold with `helm create <name>` then strip the generated boilerplate you don't need.
|
|
12
|
+
2. Define the chart contract in `Chart.yaml` (`apiVersion: v2`, `version`, `appVersion`) and declare any subchart `dependencies`.
|
|
13
|
+
3. Move all environment-varying values into `values.yaml` with documented defaults; reference them as `.Values.x` in templates.
|
|
14
|
+
4. Templatize `templates/*.yaml`, using `_helpers.tpl` for shared label/name logic and `include` to reuse it.
|
|
15
|
+
5. Render and lint with `helm lint` and `helm template . -f values-prod.yaml` to eyeball the output.
|
|
16
|
+
6. Dry-run against a cluster with `helm install --dry-run --debug` (or `helm upgrade --install`) before going live.
|
|
17
|
+
7. Bump `Chart.yaml` `version` on every change and run `helm dependency update` when subcharts change.
|
|
18
|
+
|
|
19
|
+
## Rules
|
|
20
|
+
- Quote templated strings (`{{ .Values.x | quote }}`) and use `default`/`required` to fail fast on missing values.
|
|
21
|
+
- Never commit real secrets to `values.yaml`; use `--set`, a secrets plugin, or an external secret store.
|
|
22
|
+
- Keep `appVersion` (the app) distinct from chart `version` (the packaging) and bump them independently.
|
|
23
|
+
- Indent with `nindent`, not hand-counted spaces, to avoid YAML breakage.
|
|
24
|
+
- Provide a `values.schema.json` or sane validation so bad overrides are caught at install time.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: hero-section
|
|
3
|
+
description: Design a striking, conversion-focused hero with one clear message, sharp hierarchy, and a single CTA.
|
|
4
|
+
category: ui-design
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Hero Section
|
|
8
|
+
|
|
9
|
+
Reach for this for the first screen of a landing page — the hero has ~3 seconds to land the value proposition and drive one action.
|
|
10
|
+
|
|
11
|
+
1. Lock the message architecture: one eyebrow/kicker (optional), one headline stating the outcome (not the feature), one subhead clarifying, one primary CTA. Cut everything else.
|
|
12
|
+
2. Build a real type scale with `clamp()` — e.g. headline `clamp(2.5rem, 5vw + 1rem, 5rem)`, tight `line-height: 1.05`, and `letter-spacing: -0.02em` on large display text for an editorial feel.
|
|
13
|
+
3. Establish hierarchy through contrast, not just size: the CTA is the highest-contrast element on screen; the subhead sits in a muted foreground; supporting visuals never out-shout the headline.
|
|
14
|
+
4. Give it breathing room — generous vertical rhythm on an 8px scale, a constrained measure (~60ch) on the subhead, and asymmetry (off-center text + image) to avoid a sterile centered template.
|
|
15
|
+
5. Add one tasteful motion beat on load: staggered fade-rise of headline → subhead → CTA (40–60ms apart, ease-out, ≤400ms total). Subtle, once, never looping.
|
|
16
|
+
6. Engineer for performance and LCP: the headline is real text (not an image), hero media is `priority`/preloaded and properly sized, and the layout is reserved to prevent CLS.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- One primary CTA. A secondary "Learn more" can exist as a quieter ghost/text link, never a competing button.
|
|
20
|
+
- The headline sells the outcome to the user; if it could appear on a competitor's site verbatim, rewrite it.
|
|
21
|
+
- Maintain ≥4.5:1 contrast for headline text over any image/gradient — add a scrim or duotone rather than risk legibility.
|
|
22
|
+
- Don't center everything by reflex; intentional asymmetry and a strong grid read as designed, not default.
|
|
23
|
+
- Hero must be legible and complete above the fold on a 360px phone before you polish desktop.
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: html-email
|
|
3
|
+
description: Build a responsive HTML email with inline CSS, table layout, and dark-mode support that survives Outlook/Gmail.
|
|
4
|
+
category: html
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# HTML Email
|
|
8
|
+
|
|
9
|
+
Reach for this when you need a marketing or transactional email that renders consistently across Gmail, Outlook, and Apple Mail. Email clients strip `<style>`, ignore flexbox/grid, and demand tables.
|
|
10
|
+
|
|
11
|
+
1. Set up the skeleton: `<table role="presentation" width="100%">` outer wrapper centering a `<table width="600">` content table; never use `<div>` for layout.
|
|
12
|
+
2. Add `<!--[if mso]>` conditional comments for Outlook (it uses Word's rendering engine) and a VML fallback for any background image or button.
|
|
13
|
+
3. Write all visual CSS inline on elements (`style="..."`); keep a `<style>` block in `<head>` only for media queries and `:root` color-scheme hints.
|
|
14
|
+
4. Make it fluid: content table `width="600"` with `max-width:600px`, single-column stacking via `@media (max-width:600px){ .col{display:block;width:100%!important} }`.
|
|
15
|
+
5. Add dark mode: `<meta name="color-scheme" content="light dark">`, `@media (prefers-color-scheme:dark)` overrides, and dark-friendly logo (transparent PNG).
|
|
16
|
+
6. Use bulletproof buttons (table-cell with padding + bgcolor, not a styled `<a>`), set `alt` on every image, and keep total HTML under ~100KB (Gmail clips beyond 102KB).
|
|
17
|
+
7. Test in Litmus/Email-on-Acid or send to real Gmail + Outlook + iOS before shipping.
|
|
18
|
+
|
|
19
|
+
## Rules
|
|
20
|
+
- Tables for layout, inline CSS for styling — no flexbox, grid, float, or external stylesheets.
|
|
21
|
+
- Always provide `alt` text and explicit `width`/`height`; many clients block images by default.
|
|
22
|
+
- Use web-safe fonts with a stack fallback; custom `@font-face` fails in Outlook and most clients.
|
|
23
|
+
- Use absolute https URLs for every image and link; no relative paths.
|
|
24
|
+
- Include a plain-text preheader (hidden span) and a working unsubscribe link for deliverability.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: html-form
|
|
3
|
+
description: Build an accessible form with native + custom validation, clear error messaging, and correct input semantics.
|
|
4
|
+
category: html
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# HTML Form
|
|
8
|
+
|
|
9
|
+
Use for any data-entry UI (signup, checkout, settings). Lean on native HTML form features first; add JS only to enhance, not replace, them.
|
|
10
|
+
|
|
11
|
+
1. Structure with a real `<form>`, every control wrapped by or linked to a `<label for>`; group related fields in `<fieldset>` with a `<legend>`.
|
|
12
|
+
2. Use the right input types and attributes (`type=email/tel/number/date`, `inputmode`, `autocomplete`, `required`, `minlength`, `pattern`) so browsers validate and mobile keyboards adapt.
|
|
13
|
+
3. Validate progressively: native constraints first, then JS via the Constraint Validation API (`setCustomValidity`, `:invalid`); validate on blur/submit, not on every keystroke.
|
|
14
|
+
4. Surface errors accessibly: tie each message to its field with `aria-describedby`, set `aria-invalid="true"`, move focus to the first error, and announce a summary in a live region.
|
|
15
|
+
5. Submit safely: prevent double-submit, show a pending state, handle server errors, and re-validate on the server (client validation is never trusted).
|
|
16
|
+
6. Polish UX: logical tab order, visible focus states, helpful placeholder vs. label distinction, and preserve entered values on failed submit.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Every input needs a programmatically associated `<label>`; placeholders are not labels.
|
|
20
|
+
- Use native validation attributes before reaching for JS; they work without scripts.
|
|
21
|
+
- Errors must be perceivable by screen readers (`aria-describedby` + `aria-invalid`), not color alone.
|
|
22
|
+
- Always re-validate and sanitize on the server — client checks are a UX nicety, not security.
|
|
23
|
+
- Set `autocomplete` and correct `type`/`inputmode` so password managers and mobile keyboards work.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: html-sanitize
|
|
3
|
+
description: Sanitize untrusted/user-supplied HTML to be XSS-safe using an allowlist library, never hand-rolled regex.
|
|
4
|
+
category: html
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# HTML Sanitize
|
|
8
|
+
|
|
9
|
+
Use whenever you render HTML you didn't author — comments, rich-text input, CMS content, AI output — into a page. Naive insertion is a stored-XSS hole.
|
|
10
|
+
|
|
11
|
+
1. Pick a battle-tested allowlist sanitizer: DOMPurify (browser/Node), sanitize-html (Node), Bleach (Python), or the language's equivalent; never write your own escaper.
|
|
12
|
+
2. Configure a strict allowlist of tags and attributes (e.g., `p, a, strong, em, ul, li, code` + `href`, `title`); deny everything else by default.
|
|
13
|
+
3. Strip dangerous vectors: `<script>`, `<style>`, `<iframe>`, event handlers (`on*`), and `javascript:`/`data:` URLs in `href`/`src`.
|
|
14
|
+
4. Force-harden links: set `rel="noopener noreferrer"` and validate the URL scheme against an allowlist (`https`, `mailto`).
|
|
15
|
+
5. Sanitize server-side as the source of truth (don't trust client-side sanitization alone) and re-sanitize on render, not just on input.
|
|
16
|
+
6. Add a Content-Security-Policy header as defense-in-depth, and test with known XSS payloads (`<img src=x onerror=alert(1)>`, SVG/MathML vectors, mutation-XSS cases).
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Never sanitize HTML with regex or string replacement — parsers and mXSS will defeat it.
|
|
20
|
+
- Allowlist what's permitted; never blocklist "bad" tags (the bad list is infinite).
|
|
21
|
+
- Keep the sanitizer library updated; bypasses are found and patched regularly.
|
|
22
|
+
- For plain text, escape (`< > &`) instead of sanitizing — don't allow any HTML at all.
|
|
23
|
+
- CSP is a backstop, not a substitute for sanitizing the input.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: html-table
|
|
3
|
+
description: Build an accessible, responsive data table with sortable columns, proper headers, and a sensible mobile layout.
|
|
4
|
+
category: html
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# HTML Table
|
|
8
|
+
|
|
9
|
+
Use for presenting tabular data (dashboards, reports, listings). The goal is correct table semantics plus optional client-side sorting that stays accessible.
|
|
10
|
+
|
|
11
|
+
1. Use real table structure: `<table>` with `<caption>`, `<thead>`, `<tbody>`, and `<th scope="col">` / `<th scope="row">` so screen readers announce header context.
|
|
12
|
+
2. Add sorting on `<th>` headers: a `<button>` inside the header cell, `aria-sort="ascending|descending|none"` reflecting state, sorting `<tbody>` rows in JS (stable sort, type-aware for numbers/dates).
|
|
13
|
+
3. Keep keyboard support: header sort controls are real buttons (focusable, Enter/Space activate); don't trap focus.
|
|
14
|
+
4. Handle overflow responsively: wrap in a scroll container (`overflow-x:auto` with `tabindex="0"` and an `aria-label`), or restructure to stacked cards under a breakpoint with data labels.
|
|
15
|
+
5. Style for scanability: zebra striping via `:nth-child`, sticky `<thead>` for long tables, right-align numeric columns, and clear sort-direction indicators.
|
|
16
|
+
6. For large datasets add pagination or virtualization rather than rendering thousands of rows; announce row counts and sort changes via a polite live region.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Tables are for tabular data only — never for page layout.
|
|
20
|
+
- Always include `scope` on header cells (and `headers`/`id` for complex multi-level headers).
|
|
21
|
+
- Reflect sort state in `aria-sort` and keep the sort control a real `<button>`, not a clickable `<div>`.
|
|
22
|
+
- Provide an accessible name (`<caption>` or `aria-label`) describing what the table contains.
|
|
23
|
+
- For horizontal scroll, make the scroll container keyboard-focusable so it's reachable without a mouse.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: html-to-pdf
|
|
3
|
+
description: Render HTML to a print-quality PDF with correct page breaks, margins, headers/footers, and selectable text.
|
|
4
|
+
category: html
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# HTML to PDF
|
|
8
|
+
|
|
9
|
+
Use when you need a paginated, print-fidelity PDF (invoice, report, certificate) from HTML/CSS rather than a screenshot.
|
|
10
|
+
|
|
11
|
+
1. Pick the engine: headless Chromium (Playwright/Puppeteer `page.pdf()`) for modern CSS, or WeasyPrint for pure-Python paged-media; both keep text selectable.
|
|
12
|
+
2. Author a print stylesheet with `@page { size: A4; margin: 18mm }` and `@media print` rules; set a base font size in `pt`/`mm`, not `px`.
|
|
13
|
+
3. Control pagination with `break-inside: avoid` on cards/tables, `break-before: page` for new sections, and `orphans`/`widows` for paragraphs.
|
|
14
|
+
4. Add running headers/footers and page numbers via `@page` margin boxes (`content: counter(page)`) or the engine's header/footer template option.
|
|
15
|
+
5. Ensure `printBackground: true` (Chromium) so background colors/images render; embed fonts so they aren't substituted.
|
|
16
|
+
6. Verify output: check pixel-perfect margins, that tables don't split mid-row awkwardly, links remain clickable, and text is selectable (not rasterized).
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Use real paged-media CSS, not viewport hacks; set page size and margins in `@page`.
|
|
20
|
+
- Wait for fonts and images to fully load before generating (`waitUntil: networkidle`) or content clips.
|
|
21
|
+
- Prefer vector/text output over screenshots so the PDF stays small and searchable.
|
|
22
|
+
- Test the exact paper size you'll print (A4 vs Letter differ); don't assume the default.
|
|
23
|
+
- Avoid fixed-height containers for variable content — they overflow or clip across page breaks.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: http-client
|
|
3
|
+
description: Build a robust HTTP client with timeouts, bounded retries, backoff, and connection reuse
|
|
4
|
+
category: networking
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# HTTP Client
|
|
8
|
+
|
|
9
|
+
Use whenever code calls an external HTTP API and must survive flaky networks and slow upstreams. A naive `fetch`/`get` with no timeout is a production incident waiting to happen.
|
|
10
|
+
|
|
11
|
+
1. Set explicit timeouts on every request — connect, read/idle, and a total deadline — so a hung server can't pin a thread or goroutine forever.
|
|
12
|
+
2. Reuse one client/connection pool instance across calls (keep-alive); creating a client per request exhausts sockets.
|
|
13
|
+
3. Retry only idempotent, transient failures (connection errors, 429, 5xx) with exponential backoff + jitter and a hard cap on attempts.
|
|
14
|
+
4. Honor `Retry-After` on 429/503; respect server-provided backoff over your own schedule.
|
|
15
|
+
5. Add a circuit breaker or failure budget so a dead dependency fails fast instead of amplifying load with retries.
|
|
16
|
+
6. Propagate cancellation (context/`AbortSignal`), set a descriptive `User-Agent`, and check status codes explicitly — don't assume 2xx.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Never retry non-idempotent requests (`POST` without an idempotency key) — you'll double-charge, double-send, double-create.
|
|
20
|
+
- Add jitter to backoff; synchronized retries from many clients cause thundering-herd retry storms.
|
|
21
|
+
- Always cap total retries and total elapsed time; unbounded retry loops turn a blip into an outage.
|
|
22
|
+
- Read and close response bodies even on errors, or you leak connections from the pool.
|
|
23
|
+
- Don't log full request/response bodies or auth headers by default — redact secrets.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: i18n
|
|
3
|
+
description: Extract hardcoded strings and set up internationalization with locale-aware formatting
|
|
4
|
+
category: frontend
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# I18n
|
|
8
|
+
|
|
9
|
+
Use when preparing an app for multiple languages: pulling hardcoded copy into message catalogs and wiring up locale switching and formatting.
|
|
10
|
+
|
|
11
|
+
1. Pick or confirm the i18n library that fits the framework (e.g. i18next, react-intl, next-intl, vue-i18n) and set a default locale plus a fallback.
|
|
12
|
+
2. Sweep the UI for user-facing strings and replace each with a translation call keyed by a stable, namespaced id (e.g. `cart.checkout.button`), not the English text.
|
|
13
|
+
3. Externalize all strings into per-locale catalog files; seed the default locale and leave other locales as keys to be translated.
|
|
14
|
+
4. Handle plurals, gender, and variables through the library's interpolation/ICU features — never build sentences by string concatenation.
|
|
15
|
+
5. Use locale-aware formatting (`Intl.NumberFormat`, `Intl.DateTimeFormat`, currency, relative time) for all numbers, dates, and money instead of manual formatting.
|
|
16
|
+
6. Wire a locale provider/switcher, persist the choice, set `<html lang>`/`dir` (including RTL), and lazy-load the active locale's catalog.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- Never concatenate translated fragments; pass variables into a single parameterized message.
|
|
20
|
+
- Use stable semantic keys, not English copy, as ids so wording changes don't break lookups.
|
|
21
|
+
- Keep pluralization in the catalog (ICU/plural rules), not in component conditionals.
|
|
22
|
+
- Format every date, number, and currency via `Intl`/the i18n layer, never hand-rolled.
|
|
23
|
+
- Support RTL: set `dir`, avoid left/right-only CSS, and prefer logical properties (`margin-inline-start`).
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: i2c-spi
|
|
3
|
+
description: Configure I2C or SPI peripheral communication and debug bus-level issues
|
|
4
|
+
category: gamedev
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# I2C / SPI
|
|
8
|
+
|
|
9
|
+
Reach for this when talking to a sensor, EEPROM, or display over I2C or SPI and the link is not working yet.
|
|
10
|
+
|
|
11
|
+
1. From the datasheet get the device address (I2C) or CS pin + SPI mode (CPOL/CPHA) and max clock rate.
|
|
12
|
+
2. Configure pins: I2C needs open-drain SDA/SCL with pull-ups; SPI needs MOSI/MISO/SCK plus a GPIO chip-select.
|
|
13
|
+
3. Set the bus clock below the device max, then do a probe: I2C address ACK scan, or SPI read of a known ID register.
|
|
14
|
+
4. Implement a transfer: I2C start→addr+R/W→data→stop; SPI assert CS→full-duplex byte exchange→deassert CS.
|
|
15
|
+
5. Add per-transfer timeouts and check ACK/error flags; return an error instead of hanging on a missing device.
|
|
16
|
+
6. Verify with a logic analyzer if the first transfer fails — confirm clock, framing, and ACK on the wire.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
- I2C requires pull-up resistors on SDA and SCL; floating lines look like a dead bus.
|
|
20
|
+
- Match SPI mode (CPOL/CPHA) exactly to the device; a wrong mode gives garbage with no error flag.
|
|
21
|
+
- Toggle chip-select per transaction and honor setup/hold timing; sharing CS or wrong polarity corrupts reads.
|
|
22
|
+
- Respect register auto-increment and burst-read rules; many devices need a specific address-then-read sequence.
|
|
23
|
+
- On a stuck I2C bus (SDA held low), clock out up to 9 pulses or power-cycle the device to recover.
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: image-decode
|
|
3
|
+
description: Debug image decode/encode failures — wrong format, corruption, bit depth, ICC profile, truncated files
|
|
4
|
+
category: image
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Image Decode
|
|
8
|
+
|
|
9
|
+
Reach for this when an image fails to load, decodes to garbage/partial, or comes out with wrong colors/depth after a round-trip.
|
|
10
|
+
|
|
11
|
+
1. Reproduce and capture the exact error or symptom (exception, truncated render, color shift). Save the raw bytes so you can inspect them independent of your code.
|
|
12
|
+
2. Verify the actual format vs the claimed one: check magic bytes / `file`, not the extension. A `.png` that's really a JPEG (or HTML error page) is a classic decode failure.
|
|
13
|
+
3. Check for truncation/corruption: compare on-disk size to the header's expected size, try decoding with a strict decoder, and re-download/re-export the source if the tail is missing. Enable `ImageFile.LOAD_TRUNCATED_IMAGES` only to confirm truncation, not as a fix.
|
|
14
|
+
4. Inspect bit depth and channel count: 8 vs 16-bit, palette (indexed) vs RGB, grayscale vs RGBA. A stage assuming uint8 on a 16-bit PNG, or RGB on an indexed/CMYK image, decodes to wrong values.
|
|
15
|
+
5. Check ICC color profiles: CMYK JPEGs and wide-gamut PNGs with an embedded profile render wrong if the profile is dropped or not converted to sRGB. Convert explicitly rather than discarding the profile silently.
|
|
16
|
+
6. Test the encode side by round-tripping: decode → re-encode → decode and diff. Lossy re-encoding (JPEG), wrong quality/subsampling, or dropping alpha shows up here.
|
|
17
|
+
7. Lock the fix by decoding into an explicit mode/bit-depth and asserting shape, dtype, and channel count.
|
|
18
|
+
|
|
19
|
+
## Rules
|
|
20
|
+
- Trust magic bytes over file extensions and over the server's Content-Type.
|
|
21
|
+
- CMYK and indexed/palette images are the silent killers — convert to a known mode right after decode.
|
|
22
|
+
- Preserve or explicitly convert ICC profiles; silently dropping one shifts colors without erroring.
|
|
23
|
+
- Distinguish "won't decode" (format/corruption) from "decodes wrong" (depth/profile/mode) before fixing.
|
|
24
|
+
- Re-encoding is often lossy — verify round-trips when the pipeline writes intermediates.
|