agent-workflow-kit-cli 1.3.1 → 1.3.3

package/dist/cli/commands/add.js

@@ -11,7 +11,7 @@ import { analyzeModule } from "../../core/analyzer.js";
 import { updateGitignore } from "./init.js";
 export async function runAdd(stack, options) {
     const targetStack = stack.toLowerCase();
-    const validStacks = ["spring-boot", "react-ts", "fastapi", "python-ai"];
+    const validStacks = ["spring-boot", "react-ts", "next-js", "nestjs", "express", "fastapi", "python-ai", "dotnet", "golang", "rust"];
     if (!validStacks.includes(targetStack)) {
         console.error(chalk.red(`Error: Invalid stack '${stack}'. Supported stacks are: ${validStacks.join(", ")}`));
         process.exit(1);
@@ -40,7 +40,9 @@ export async function runAdd(stack, options) {
     // 3. Write or Update AGENTS.md and/or GEMINI.md in the target directory
     const geminiPath = path.join(targetDir, "GEMINI.md");
     const agentsPath = path.join(targetDir, "AGENTS.md");
+    const globalRules = await readStaticTemplateFile("common/GLOBAL_RULES.md").catch(() => "");
     const moduleAgentsContent = await renderTemplate("common/AGENTS.md.hbs", {
+        globalRules,
         stackContent,
     });
     if (options.agent === "antigravity" || options.agent === "both") {

package/dist/cli/commands/doctor.js

@@ -96,10 +96,17 @@ npx agent-workflow-kit-cli doctor || exit 1
                 console.log(chalk.gray(`Running: ${cmd} ${args.join(" ")}`));
                 await execa(cmd, args, { cwd, stdio: "inherit" });
             }
-            else if (stack === "react-ts") {
+            else if (stack === "react-ts" ||
+                stack === "next-js" ||
+                stack === "nestjs" ||
+                stack === "express") {
                 console.log(chalk.gray("Running: npx tsc --noEmit"));
                 await execa("npx", ["tsc", "--noEmit"], { cwd, stdio: "inherit" });
             }
+            else if (stack === "dotnet") {
+                console.log(chalk.gray("Running: dotnet build"));
+                await execa("dotnet", ["build"], { cwd, stdio: "inherit" });
+            }
             console.log(chalk.green(`✔️ ${stack} validation passed!`));
         }
         catch (err) {

package/dist/cli/commands/init.js

@@ -183,7 +183,9 @@ export async function runInit(options) {
     }
     if (modules.length === 0) {
         console.log(chalk.yellow("No standard stacks detected automatically. Creating general agent guidelines at root."));
+        const globalRules = await readStaticTemplateFile("common/GLOBAL_RULES.md").catch(() => "");
         const finalAgentsContent = await renderTemplate("common/AGENTS.md.hbs", {
+            globalRules,
             stackContent: "",
         });
         if (options.agent === "antigravity" || options.agent === "both") {
@@ -219,7 +221,9 @@ export async function runInit(options) {
             const targetFileName = isAntigravity ? "GEMINI.md" : "AGENTS.md";
             monorepoContent += `- **${mod.name}** (${mod.stacks.join(", ")}): Stack rules and guidelines are located at [${mod.name}/${targetFileName}](file:///${mod.dir.replace(/\\/g, "/")}/${targetFileName})\n`;
         }
+        const globalRules = await readStaticTemplateFile("common/GLOBAL_RULES.md").catch(() => "");
         const rootAgentsContent = await renderTemplate("common/AGENTS.md.hbs", {
+            globalRules,
             stackContent: monorepoContent.trim(),
         });
         const rootGeminiPath = path.join(cwd, "GEMINI.md");
@@ -276,7 +280,9 @@ export async function runInit(options) {
         // Render agent files for this module
         const geminiPath = path.join(mod.dir, "GEMINI.md");
         const agentsPath = path.join(mod.dir, "AGENTS.md");
+        const globalRules = await readStaticTemplateFile("common/GLOBAL_RULES.md").catch(() => "");
         const moduleAgentsContent = await renderTemplate("common/AGENTS.md.hbs", {
+            globalRules,
             stackContent,
         });
         if (options.agent === "antigravity" || options.agent === "both") {

package/dist/cli/index.js

@@ -19,11 +19,11 @@ export function runCli() {
     program
         .name("agent-workflow-kit")
         .description("Generate AI coding workflows/rules/templates for Codex and Antigravity")
-        .version("1.3.1");
+        .version("1.3.2");
     program
         .command("init")
         .description("Initialize agent guidelines and skills for the repository")
-        .option("--stack <stack>", "Specify target stack: auto | spring-boot | react-ts | fastapi", "auto")
+        .option("--stack <stack>", "Specify target stack: auto | spring-boot | react-ts | next-js | nestjs | express | fastapi | dotnet", "auto")
         .option("--agent <agent>", "Specify target agent profile: both | codex | antigravity", "both")
         .option("--dry-run", "Output actions to console without writing any files", false)
         .action(async (options) => {

package/dist/core/analyzer.js

@@ -356,22 +356,36 @@ async function analyzeSpringBoot(dir) {
 async function analyzeReactTs(dir) {
     let packageManager = "npm";
     let runCommand = "npm run";
+    let executeCommand = "npx";
+    let lockFile = "package-lock.json";
     try {
         const hasYarnLock = await fs.stat(path.join(dir, "yarn.lock")).then((s) => s.isFile()).catch(() => false);
         const hasPnpmLock = await fs.stat(path.join(dir, "pnpm-lock.yaml")).then((s) => s.isFile()).catch(() => false);
+        const hasBunLockb = await fs.stat(path.join(dir, "bun.lockb")).then((s) => s.isFile()).catch(() => false);
+        const hasBunLock = await fs.stat(path.join(dir, "bun.lock")).then((s) => s.isFile()).catch(() => false);
         if (hasYarnLock) {
             packageManager = "yarn";
             runCommand = "yarn";
+            executeCommand = "yarn dlx";
+            lockFile = "yarn.lock";
         }
         else if (hasPnpmLock) {
             packageManager = "pnpm";
             runCommand = "pnpm";
+            executeCommand = "pnpm dlx";
+            lockFile = "pnpm-lock.yaml";
+        }
+        else if (hasBunLockb || hasBunLock) {
+            packageManager = "bun";
+            runCommand = "bun run";
+            executeCommand = "bunx";
+            lockFile = hasBunLockb ? "bun.lockb" : "bun.lock";
         }
     }
     catch {
         // Use default
     }
-    return { packageManager, runCommand };
+    return { packageManager, runCommand, executeCommand, lockFile };
 }
 /**
  * Analyzes FastAPI project details.
@@ -439,6 +453,42 @@ async function analyzePythonAi(dir) {
     }
     return { packageManager, runCommand, hasGpuLibraries, hasHardwareLibraries };
 }
+/**
+ * Analyzes Next.js project details.
+ */
+async function analyzeNextJs(dir) {
+    const ctx = await analyzeReactTs(dir);
+    return {
+        packageManager: ctx.packageManager,
+        runCommand: ctx.runCommand,
+        executeCommand: ctx.executeCommand,
+        lockFile: ctx.lockFile,
+    };
+}
+/**
+ * Analyzes NestJS project details.
+ */
+async function analyzeNestJs(dir) {
+    const ctx = await analyzeReactTs(dir);
+    return {
+        packageManager: ctx.packageManager,
+        runCommand: ctx.runCommand,
+        executeCommand: ctx.executeCommand,
+        lockFile: ctx.lockFile,
+    };
+}
+/**
+ * Analyzes Express.js project details.
+ */
+async function analyzeExpress(dir) {
+    const ctx = await analyzeReactTs(dir);
+    return {
+        packageManager: ctx.packageManager,
+        runCommand: ctx.runCommand,
+        executeCommand: ctx.executeCommand,
+        lockFile: ctx.lockFile,
+    };
+}
 /**
  * Entry point to analyze module configurations.
  */
@@ -451,12 +501,177 @@ export async function analyzeModule(dir, stacks) {
         else if (stack === "react-ts") {
             context["react-ts"] = await analyzeReactTs(dir);
         }
+        else if (stack === "next-js") {
+            context["next-js"] = await analyzeNextJs(dir);
+        }
+        else if (stack === "nestjs") {
+            context["nestjs"] = await analyzeNestJs(dir);
+        }
+        else if (stack === "express") {
+            context["express"] = await analyzeExpress(dir);
+        }
         else if (stack === "fastapi") {
             context["fastapi"] = await analyzeFastApi(dir);
         }
         else if (stack === "python-ai") {
             context["python-ai"] = await analyzePythonAi(dir);
         }
+        else if (stack === "dotnet") {
+            context["dotnet"] = await analyzeDotnet(dir);
+        }
+        else if (stack === "golang") {
+            context["golang"] = await analyzeGolang(dir);
+        }
+        else if (stack === "rust") {
+            context["rust"] = await analyzeRust(dir);
+        }
     }
     return context;
 }
+/**
+ * Analyzes dotnet project details.
+ */
+async function analyzeDotnet(dir) {
+    let solutionName = path.basename(dir);
+    const projectNames = [];
+    const testProjects = [];
+    let dotnetVersion = "8.0";
+    try {
+        const entries = await fs.readdir(dir, { withFileTypes: true });
+        // Find .sln file
+        const slnFile = entries.find(e => e.isFile() && e.name.endsWith(".sln"));
+        if (slnFile) {
+            solutionName = path.parse(slnFile.name).name;
+        }
+        // Find all .csproj files (recursively)
+        const csprojFiles = await findCsprojFiles(dir);
+        for (const file of csprojFiles) {
+            const projName = path.parse(file).name;
+            try {
+                const content = await fs.readFile(file, "utf8");
+                if (content.includes("Microsoft.NET.Test.Sdk") || projName.toLowerCase().includes("test")) {
+                    testProjects.push(projName);
+                }
+                else {
+                    projectNames.push(projName);
+                }
+                // Try to parse TargetFramework
+                const match = content.match(/<TargetFramework>net([\d\.]+)<\/TargetFramework>/);
+                if (match && match[1]) {
+                    dotnetVersion = match[1];
+                }
+            }
+            catch {
+                projectNames.push(projName);
+            }
+        }
+    }
+    catch {
+        // Keep defaults
+    }
+    return {
+        solutionName,
+        projectNames,
+        dotnetVersion,
+        testProjects,
+    };
+}
+async function findCsprojFiles(dir) {
+    const files = [];
+    async function traverse(currentDir) {
+        if (files.length >= 20)
+            return;
+        try {
+            const entries = await fs.readdir(currentDir, { withFileTypes: true });
+            for (const entry of entries) {
+                if (files.length >= 20)
+                    return;
+                const fullPath = path.join(currentDir, entry.name);
+                if (entry.isDirectory()) {
+                    if (entry.name.startsWith(".") ||
+                        entry.name === "node_modules" ||
+                        entry.name === "bin" ||
+                        entry.name === "obj" ||
+                        entry.name === "target" ||
+                        entry.name === "build" ||
+                        entry.name === "dist") {
+                        continue;
+                    }
+                    await traverse(fullPath);
+                }
+                else if (entry.isFile() && entry.name.endsWith(".csproj")) {
+                    files.push(fullPath);
+                }
+            }
+        }
+        catch {
+            // Ignore
+        }
+    }
+    await traverse(dir);
+    return files;
+}
+async function analyzeGolang(dir) {
+    let goVersion = "1.22";
+    let moduleName = path.basename(dir);
+    try {
+        const goModPath = path.join(dir, "go.mod");
+        const content = await fs.readFile(goModPath, "utf8");
+        const lines = content.split("\n");
+        for (const line of lines) {
+            const trimmed = line.trim();
+            if (trimmed.startsWith("module ")) {
+                moduleName = trimmed.replace("module ", "").trim();
+            }
+            else if (trimmed.startsWith("go ")) {
+                goVersion = trimmed.replace("go ", "").trim();
+            }
+        }
+    }
+    catch {
+        // Keep default
+    }
+    return { goVersion, moduleName };
+}
+async function analyzeRust(dir) {
+    let projectName = path.basename(dir);
+    let rustEdition = "2021";
+    let isWorkspace = false;
+    try {
+        const cargoTomlPath = path.join(dir, "Cargo.toml");
+        const content = await fs.readFile(cargoTomlPath, "utf8");
+        if (content.includes("[workspace]")) {
+            isWorkspace = true;
+        }
+        // Very basic parsing for name and edition
+        const lines = content.split("\n");
+        let inPackageSection = false;
+        for (const line of lines) {
+            const trimmed = line.trim();
+            if (trimmed.startsWith("[package]")) {
+                inPackageSection = true;
+            }
+            else if (trimmed.startsWith("[")) {
+                inPackageSection = false;
+            }
+            if (inPackageSection) {
+                if (trimmed.startsWith("name")) {
+                    const match = trimmed.match(/name\s*=\s*"(.*)"/);
+                    if (match && match[1]) {
+                        projectName = match[1];
+                    }
+                }
+                else if (trimmed.startsWith("edition")) {
+                    const match = trimmed.match(/edition\s*=\s*"(.*)"/);
+                    if (match && match[1]) {
+                        rustEdition = match[1];
+                    }
+                }
+            }
+        }
+    }
+    catch {
+        // Keep default
+    }
+    return { projectName, rustEdition, isWorkspace };
+}

package/dist/core/awos/intelligence.js

@@ -141,23 +141,41 @@ export async function buildRepositoryContext(workspaceRoot) {
     }
     // Determine default architecture style based on stack
     let architecture = "layered";
-    if (mainStack === "spring-boot") {
+    if (mainStack === "spring-boot" || mainStack === "dotnet") {
         architecture = "clean-architecture";
     }
-    else if (mainStack === "react-ts") {
+    else if (mainStack === "react-ts" || mainStack === "next-js") {
         architecture = "feature-first";
     }
+    else if (mainStack === "nestjs") {
+        architecture = "module-driven";
+    }
+    else if (mainStack === "express") {
+        architecture = "layered";
+    }
     else if (mainStack === "fastapi") {
         architecture = "vertical-slice";
     }
     // Testing strategy defaults
     const frameworks = [];
-    if (mainStack === "react-ts")
+    if (mainStack === "react-ts") {
         frameworks.push("vitest", "testing-library");
-    else if (mainStack === "spring-boot")
+    }
+    else if (mainStack === "next-js") {
+        frameworks.push("jest", "playwright");
+    }
+    else if (mainStack === "nestjs" || mainStack === "express") {
+        frameworks.push("jest", "supertest");
+    }
+    else if (mainStack === "spring-boot") {
         frameworks.push("junit", "mockito");
-    else if (mainStack === "fastapi")
+    }
+    else if (mainStack === "fastapi") {
         frameworks.push("pytest");
+    }
+    else if (mainStack === "dotnet") {
+        frameworks.push("xunit", "moq");
+    }
     const testing = {
         frameworks,
         coverageGoal: 80,
@@ -167,12 +185,18 @@ export async function buildRepositoryContext(workspaceRoot) {
     if (mainStack === "spring-boot") {
         validationLibraries.push("jakarta.validation");
     }
-    else if (mainStack === "react-ts") {
+    else if (mainStack === "react-ts" || mainStack === "next-js" || mainStack === "express") {
         validationLibraries.push("zod");
     }
+    else if (mainStack === "nestjs") {
+        validationLibraries.push("class-validator");
+    }
     else if (mainStack === "fastapi") {
         validationLibraries.push("pydantic");
     }
+    else if (mainStack === "dotnet") {
+        validationLibraries.push("fluentvalidation");
+    }
     const registry = await loadAWOSPlugins(workspaceRoot);
     let context = {
         stack: mainStack,

package/dist/core/detector.js

@@ -38,16 +38,30 @@ async function detectProjectStackDirect(cwd) {
             }
         }
     }
-    // 2. Detect React + TypeScript (package.json containing react dependency)
+    // 2. Detect Node.js / JavaScript / TypeScript stacks (React, Next.js, NestJS, Express)
     try {
         const pkgPath = path.join(cwd, "package.json");
         const content = await fs.readFile(pkgPath, "utf8");
         const pkgJson = JSON.parse(content);
-        const hasReact = (pkgJson.dependencies && pkgJson.dependencies.react) ||
-            (pkgJson.devDependencies && pkgJson.devDependencies.react);
-        if (hasReact) {
+        const deps = pkgJson.dependencies || {};
+        const devDeps = pkgJson.devDependencies || {};
+        const hasReact = deps.react || devDeps.react;
+        const hasNext = deps.next || devDeps.next;
+        const hasNest = deps["@nestjs/core"] || devDeps["@nestjs/core"];
+        const hasExpress = deps.express || devDeps.express;
+        if (hasNext) {
+            stacks.push("next-js");
+        }
+        else if (hasReact) {
             stacks.push("react-ts");
         }
+        const hasNestConfig = await fs.stat(path.join(cwd, "nest-cli.json")).then((s) => s.isFile()).catch(() => false);
+        if (hasNest || hasNestConfig) {
+            stacks.push("nestjs");
+        }
+        else if (hasExpress) {
+            stacks.push("express");
+        }
     }
     catch {
         // Ignore
@@ -102,6 +116,42 @@ async function detectProjectStackDirect(cwd) {
             }
         }
     }
+    // 4. Detect .NET (files ending in .csproj or .sln, or global.json)
+    try {
+        const entries = await fs.readdir(cwd, { withFileTypes: true });
+        const hasDotnet = entries.some((entry) => entry.isFile() &&
+            (entry.name.endsWith(".csproj") ||
+                entry.name.endsWith(".sln") ||
+                entry.name === "global.json"));
+        if (hasDotnet) {
+            stacks.push("dotnet");
+        }
+    }
+    catch {
+        // Ignore
+    }
+    // 5. Detect Golang (go.mod)
+    try {
+        const goModPath = path.join(cwd, "go.mod");
+        const stat = await fs.stat(goModPath);
+        if (stat.isFile()) {
+            stacks.push("golang");
+        }
+    }
+    catch {
+        // Ignore
+    }
+    // 6. Detect Rust (Cargo.toml)
+    try {
+        const cargoTomlPath = path.join(cwd, "Cargo.toml");
+        const stat = await fs.stat(cargoTomlPath);
+        if (stat.isFile()) {
+            stacks.push("rust");
+        }
+    }
+    catch {
+        // Ignore
+    }
     return stacks;
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-workflow-kit-cli",
-  "version": "1.3.1",
+  "version": "1.3.3",
   "description": "AI-Ready Repository Workflow Generator & Guideline Optimizer for Codex and Antigravity",
   "type": "module",
   "main": "./dist/index.js",

package/templates/common/AGENTS.md.hbs

@@ -1,3 +1,7 @@
+{{{globalRules}}}
+
+---
+
 # Repository Agent Guidelines
 
 This repository implements the `agent-workflow-kit-cli` standards.

package/templates/common/GLOBAL_RULES.md

@@ -0,0 +1,101 @@
+# UNIVERSAL GLOBAL RULES (GLOBAL_RULES.md)
+
+NOTICE TO AI AGENT: All source code generated in this project – regardless of language, framework, or architecture (Frontend, Backend, AI Agent) – must strictly adhere to the following 4 pillars of engineering rules. Any violations will result in code rejection.
+
+---
+
+## 🏛️ PILLAR 1: DATABASE & MIGRATION GOVERNANCE
+The main goal is to protect data integrity, prevent data loss in Production environments, and optimize core query performance.
+
+### 1.1 Strict No Auto-Sync in Production
+- **Rule:** Never use properties or commands that automatically synchronize schema changes directly to the database in a Production environment (e.g., `synchronize: true` in TypeORM/Hibernate, `prisma db push`, `sequelize.sync()`, or GORM's `db.AutoMigrate()` running automatically at startup).
+- **Mandatory Solution:** All structural changes (adding columns, modifying types, dropping tables, creating indices) must be written in independent, timestamped migration files (e.g., `YYYYMMDDHHMMSS_migration_name`).
+- **Workflow:** Migration files must be verified locally and executed only via the ORM/Driver CLI tool prior to production deployment.
+
+### 1.2 Strict Indexing Strategy
+- **Prerequisite:** Any column frequently appearing in `WHERE` clauses, `JOIN` conditions, or `ORDER BY` statements in large-scale growing tables (e.g., `user_id`, `status`, `created_at`) must be indexed.
+- **Write Prevention:** Avoid indexing columns indiscriminately. For columns with high-frequency updates (`INSERT`/`UPDATE`/`DELETE`), redundant indices will severely degrade write performance.
+- **Unique Constraints:** Identity fields requiring uniqueness (e.g., `email`, `username`, `phone_number`) must be configured with a `UNIQUE` index at the Database level, not just validated in the Application code.
+
+### 1.3 Eliminate N+1 Query Issues
+- **Issue:** Never query child relations inside loops (`for`, `while`, `forEach`) for a list of records (e.g., fetching 100 courses and looping 100 times to execute SQL to get the instructor for each course).
+- **Solution:** Use Eager Loading (direct SQL `JOIN`s, or pre-fetching methods like `.Include()` in EF Core, `Preload` in GORM, `select_related` / `prefetch_related` in Python) to retrieve all relational data in a single query.
+
+### 1.4 Connection Pool Management
+- All database connections must go through a Connection Pool. The AI Agent must not manually open/close connections per request.
+- You must configure explicit limits: `max_connections` (maximum connections), `idle_timeout` (unused connection release time), and `max_lifetime` to prevent database server resource exhaustion.
+
+---
+
+## 🛡️ PILLAR 2: SECURITY & AUTH HARDENING
+Ensure the system is immune to vulnerabilities listed in the OWASP Top 10.
+
+### 2.1 Zero Hardcoded Secrets
+- **Strict Prohibition:** Never write database connection strings, third-party API Keys (e.g., OpenAI, Stripe), JWT secrets, or system passwords directly into the codebase.
+- **Implementation:** All sensitive values must be loaded into the application via Environment Variables or System Env.
+- **Documentation:** Every project must include a `.env.example` file listing all required environment keys with empty values, guiding others on how to configure the project.
+
+### 2.2 JWT Lifecycle & Storage Standards (JSON Web Token)
+- **Access Token:** Configure a short lifespan (minimum 15 minutes, maximum 1 hour) to reduce the window of vulnerability if the token is compromised.
+- **Refresh Token:** Must have a longer expiration (7 days to 30 days) and must be stored in an `HttpOnly`, `Secure`, `SameSite=Strict` cookie on the client side. Storing Refresh Tokens in `localStorage` or `sessionStorage` is strictly prohibited to prevent account takeover via XSS.
+
+### 2.3 Input Validation & Injection Defense
+- **Mass Assignment Defense (Overposting):** Never map client request objects (e.g., `req.body`) directly to database update statements without filtering. Data must be validated and filtered using DTOs (Data Transfer Objects), Pydantic Schemas, or Struct validations.
+- **SQL Injection Defense:** All database queries must use Parameterized Queries (Prepared Statements). String concatenation to construct dynamic SQL/NoSQL queries is strictly prohibited.
+
+### 2.4 CORS & Rate Limiting
+- **CORS:** Using `Origin: '*'` is strictly prohibited in Production. A whitelist of permitted frontend domains must be explicitly defined.
+- **Rate Limiting:** Sensitive or resource-intensive endpoints (e.g., Login, Register, Forgot Password, Send OTP, LLM AI generation APIs) must be protected by rate-limiting middleware (e.g., maximum 5 requests/minute/IP) to defend against DoS and brute-force attacks.
+
+---
+
+## 🚦 PILLAR 3: OBSERVABILITY & STRUCTURED LOGS
+Transition the system from blind debugging to proactive monitoring using structured log data.
+
+### 3.1 Structured Logging Standards
+- Printing raw text directly to the console (e.g., `console.log()`, `fmt.Println()`, `print()`, or `println!()`) is prohibited in Production.
+- **Mandatory Format:** All logs written to stdout/stderr must use JSON format so that Log Aggregators (ELK Stack, Grafana Loki, Datadog) can automatically parse and index them.
+- **Required fields in every JSON log line:**
+```json
+{
+  "timestamp": "2026-06-13T16:00:00.000Z",
+  "level": "ERROR",
+  "trace_id": "c4b37d89-9821-47d3-b12a-7e61a4b9812f",
+  "context": "PaymentService",
+  "message": "Failed to connect to Stripe payment gateway",
+  "error_details": {
+    "code": "STRIPE_TIMEOUT",
+    "stack": "Error: Timeout after 5000ms at StripeClient.request..."
+  }
+}
+```
+
+### 3.2 Strict Log Levels
+The AI Agent must select the appropriate log level for every event:
+- **DEBUG:** Detailed execution flow tracing during development (must be automatically disabled or hidden in Production).
+- **INFO:** Normal but important system events (e.g., Server started on port 8080, cache cleanup completed).
+- **WARN:** Abnormal situations that do not fail the request (e.g., user entered incorrect password, third-party API responded slowly but succeeded).
+- **ERROR:** Severe errors that terminate request execution and require developer intervention (e.g., database connection loss, invoice file write failure, logic errors).
+
+### 3.3 Masking PII (Personally Identifiable Information)
+- Never print sensitive PII into public log systems.
+- Fields containing passwords, credit card numbers, national IDs/passports, and access/refresh tokens must be masked (e.g., converted to `*`) or omitted from the logged objects.
+
+---
+
+## 📦 PILLAR 4: CONTAINER & CI/CD GUARDRAILS
+Ensure applications can be deployed automatically onto Cloud environments (Kubernetes, AWS, Docker Swarm) efficiently and securely.
+
+### 4.1 Mandatory Multi-Stage Builds
+Every Dockerfile must consist of at least 2 stages:
+- **Stage 1 (Build Stage):** Use a base image containing all necessary tools (SDKs, Compilers, devDependencies) to compile the source code and install packages.
+- **Stage 2 (Production Runtime Stage):** Copy only compiled assets and production dependencies (e.g., `dist` folder, compiled binary, node production modules) from Stage 1. This final image must not contain raw source code or development utilities, minimizing bundle size.
+
+### 4.2 Principle of Least Privilege
+- **No Root User:** Never run container processes using the default `root` user. Running containers as root introduces severe security risks in case of container escape vulnerabilities.
+- **Solution:** Initialize a non-privileged user in the Dockerfile (e.g., `USER node` in Node.js, or `useradd -u 1001 appuser` in Go/Rust) and grant appropriate execution permissions to this user.
+
+### 4.3 Health Check API
+- All backend services must expose a dedicated health check endpoint (e.g., `GET /health` or `GET /ready`).
+- This endpoint must check downstream connectivity (e.g., Database, Redis) and return HTTP Status `503 Service Unavailable` if unhealthy.
+- Use the `HEALTHCHECK` directive in the Dockerfile so orchestrators like Kubernetes can detect failures and automatically restart unhealthy containers (Self-healing).

package/templates/dotnet/AGENTS.md.hbs

@@ -0,0 +1,53 @@
+## 🗺️ .NET (C#) Development Guide
+
+This project is a .NET (C#) application configured as follows:
+- **Solution Name:** `{{solutionName}}`
+- **.NET Version:** `net{{dotnetVersion}}`
+- **Application Projects:** 
+  {{#each projectNames}}
+  - `{{this}}`
+  {{/each}}
+- **Test Projects:**
+  {{#each testProjects}}
+  - `{{this}}`
+  {{/each}}
+
+---
+
+### 🔄 Agent Development Lifecycle
+The AI Agent must execute all .NET tasks following this 5-step workflow:
+1. **Design & Implementation:** Implement business logic adhering to Clean Architecture / Onion Architecture principles. Maintain Core Logic in decoupled Application/Domain layers.
+2. **Comprehensive Testing:** Write unit tests for Services using xUnit and Moq.
+3. **Code Quality & Verification:** Run build and test execution commands:
+   - Build Check: `dotnet build`
+   - Test Execution: `dotnet test`
+4. **Package Management:** Add new NuGet dependencies using the command: `dotnet add package [package_name]`.
+
+---
+
+### 🏗️ Template Blueprint
+Refer to the detailed rules below:
+- C# coding style, PascalCase, camelCase, and Interface prefixes: `@csharp-style.md`
+- Dependency Injection lifetimes (Transient, Scoped, Singleton) registration: `@dependency-injection.md`
+- API Controller responsibilities and execution dispatch: `@api-structure.md`
+- FluentValidation setups and centralized exception handling middleware: `@error-handling-validation.md`
+- Scaffolding a new API Controller, DTO, and Request Validator: `@SKILL.md`
+
+---
+
+### 🏛️ Strict Development Rules
+
+#### 1. Clean Architecture Layers
+Strictly separate concerns across application boundaries:
+- **Domain:** Houses Entities, Value Objects, and core Domain Logic. Must remain free of external package references.
+- **Application:** Houses Interfaces, DTOs, and Use Cases (Services/Queries/Commands). Depends only on the Domain layer.
+- **Infrastructure:** Houses Data Access (EF Core DbContext) and External Integrations. Depends on the Application layer.
+- **Presentation (API):** Houses Controllers, Filters, and Middlewares. The entrypoint of the execution runtime.
+
+#### 2. Dependency Injection (DI) Registration
+- Inject all downstream services using constructor parameters via interfaces.
+- Never use the Service Locator pattern (e.g., manually resolving dependencies at runtime using `IServiceProvider`).
+
+#### 3. Validation with FluentValidation
+- Validate all incoming request DTOs using validators inheriting from FluentValidation's `AbstractValidator<T>`.
+- Do not write manual validation statements scattered across Controller methods.