agy-superpowers 5.0.7 → 5.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/template/agent/rules/superpowers.md +54 -0
- package/template/agent/skills/api-design/SKILL.md +193 -0
- package/template/agent/skills/app-store-optimizer/SKILL.md +127 -0
- package/template/agent/skills/auth-and-identity/SKILL.md +167 -0
- package/template/agent/skills/backend-developer/SKILL.md +148 -0
- package/template/agent/skills/community-manager/SKILL.md +115 -0
- package/template/agent/skills/content-marketer/SKILL.md +111 -0
- package/template/agent/skills/conversion-optimizer/SKILL.md +142 -0
- package/template/agent/skills/copywriter/SKILL.md +114 -0
- package/template/agent/skills/cto-architect/SKILL.md +133 -0
- package/template/agent/skills/customer-success-manager/SKILL.md +126 -0
- package/template/agent/skills/data-analyst/SKILL.md +147 -0
- package/template/agent/skills/devops-engineer/SKILL.md +117 -0
- package/template/agent/skills/email-infrastructure/SKILL.md +164 -0
- package/template/agent/skills/frontend-developer/SKILL.md +172 -0
- package/template/agent/skills/frontend-developer/references/react-nextjs.md +343 -0
- package/template/agent/skills/frontend-developer/references/react-rules/_sections.md +46 -0
- package/template/agent/skills/frontend-developer/references/react-rules/_template.md +28 -0
- package/template/agent/skills/frontend-developer/references/react-rules/advanced-event-handler-refs.md +55 -0
- package/template/agent/skills/frontend-developer/references/react-rules/advanced-init-once.md +42 -0
- package/template/agent/skills/frontend-developer/references/react-rules/advanced-use-latest.md +39 -0
- package/template/agent/skills/frontend-developer/references/react-rules/async-api-routes.md +38 -0
- package/template/agent/skills/frontend-developer/references/react-rules/async-defer-await.md +80 -0
- package/template/agent/skills/frontend-developer/references/react-rules/async-dependencies.md +51 -0
- package/template/agent/skills/frontend-developer/references/react-rules/async-parallel.md +28 -0
- package/template/agent/skills/frontend-developer/references/react-rules/async-suspense-boundaries.md +99 -0
- package/template/agent/skills/frontend-developer/references/react-rules/bundle-barrel-imports.md +59 -0
- package/template/agent/skills/frontend-developer/references/react-rules/bundle-conditional.md +31 -0
- package/template/agent/skills/frontend-developer/references/react-rules/bundle-defer-third-party.md +49 -0
- package/template/agent/skills/frontend-developer/references/react-rules/bundle-dynamic-imports.md +35 -0
- package/template/agent/skills/frontend-developer/references/react-rules/bundle-preload.md +50 -0
- package/template/agent/skills/frontend-developer/references/react-rules/client-event-listeners.md +74 -0
- package/template/agent/skills/frontend-developer/references/react-rules/client-localstorage-schema.md +71 -0
- package/template/agent/skills/frontend-developer/references/react-rules/client-passive-event-listeners.md +48 -0
- package/template/agent/skills/frontend-developer/references/react-rules/client-swr-dedup.md +56 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-batch-dom-css.md +107 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-cache-function-results.md +80 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-cache-property-access.md +28 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-cache-storage.md +70 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-combine-iterations.md +32 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-early-exit.md +50 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-flatmap-filter.md +60 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-hoist-regexp.md +45 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-index-maps.md +37 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-length-check-first.md +49 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-min-max-loop.md +82 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-set-map-lookups.md +24 -0
- package/template/agent/skills/frontend-developer/references/react-rules/js-tosorted-immutable.md +57 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-activity.md +26 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-animate-svg-wrapper.md +47 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-conditional-render.md +40 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-content-visibility.md +38 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-hoist-jsx.md +46 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-hydration-no-flicker.md +82 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-hydration-suppress-warning.md +30 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-resource-hints.md +85 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-script-defer-async.md +68 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-svg-precision.md +28 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rendering-usetransition-loading.md +75 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-defer-reads.md +39 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-dependencies.md +45 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-derived-state-no-effect.md +40 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-derived-state.md +29 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-functional-setstate.md +74 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-lazy-state-init.md +58 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-memo-with-default-value.md +38 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-memo.md +44 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-move-effect-to-event.md +45 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-no-inline-components.md +82 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-simple-expression-in-memo.md +35 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-split-combined-hooks.md +64 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-transitions.md +40 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-use-deferred-value.md +59 -0
- package/template/agent/skills/frontend-developer/references/react-rules/rerender-use-ref-transient-values.md +73 -0
- package/template/agent/skills/frontend-developer/references/react-rules/server-after-nonblocking.md +73 -0
- package/template/agent/skills/frontend-developer/references/react-rules/server-auth-actions.md +96 -0
- package/template/agent/skills/frontend-developer/references/react-rules/server-cache-lru.md +41 -0
- package/template/agent/skills/frontend-developer/references/react-rules/server-cache-react.md +76 -0
- package/template/agent/skills/frontend-developer/references/react-rules/server-dedup-props.md +65 -0
- package/template/agent/skills/frontend-developer/references/react-rules/server-hoist-static-io.md +142 -0
- package/template/agent/skills/frontend-developer/references/react-rules/server-parallel-fetching.md +83 -0
- package/template/agent/skills/frontend-developer/references/react-rules/server-serialization.md +38 -0
- package/template/agent/skills/frontend-developer/references/svelte-sveltekit.md +220 -0
- package/template/agent/skills/frontend-developer/references/vanilla.md +275 -0
- package/template/agent/skills/frontend-developer/references/vue-nuxt.md +289 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/_index.md +154 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/animation-class-based-technique.md +254 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/animation-state-driven-technique.md +291 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/component-async.md +97 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/component-data-flow.md +307 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/component-fallthrough-attrs.md +174 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/component-keep-alive.md +137 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/component-slots.md +216 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/component-suspense.md +228 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/component-teleport.md +108 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/component-transition-group.md +128 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/component-transition.md +125 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/composables.md +290 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/directives.md +162 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/perf-avoid-component-abstraction-in-lists.md +159 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/perf-v-once-v-memo-directives.md +182 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/perf-virtualize-large-lists.md +187 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/plugins.md +166 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/reactivity.md +344 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/render-functions.md +201 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/sfc.md +310 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/state-management.md +135 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/best-practices/updated-hook-performance.md +187 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/router/_index.md +23 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/router/router-beforeenter-no-param-trigger.md +167 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/router/router-beforerouteenter-no-this.md +176 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/router/router-guard-async-await-pattern.md +227 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/router/router-navigation-guard-infinite-loop.md +187 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/router/router-navigation-guard-next-deprecated.md +150 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/router/router-param-change-no-lifecycle.md +181 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/router/router-simple-routing-cleanup.md +209 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/router/router-use-vue-router-for-production.md +183 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/_index.md +29 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/async-component-testing.md +163 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/teleport-testing-complexity.md +158 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/testing-async-await-flushpromises.md +175 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/testing-browser-vs-node-runners.md +208 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/testing-component-blackbox-approach.md +144 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/testing-composables-helper-wrapper.md +238 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/testing-e2e-playwright-recommended.md +242 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/testing-no-snapshot-only.md +197 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/testing-pinia-store-setup.md +228 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/testing-suspense-async-components.md +229 -0
- package/template/agent/skills/frontend-developer/references/vue-rules/testing/testing-vitest-recommended-for-vue.md +204 -0
- package/template/agent/skills/game-design/SKILL.md +194 -0
- package/template/agent/skills/game-developer/SKILL.md +175 -0
- package/template/agent/skills/growth-hacker/SKILL.md +122 -0
- package/template/agent/skills/i18n-localization/SKILL.md +126 -0
- package/template/agent/skills/influencer-marketer/SKILL.md +141 -0
- package/template/agent/skills/mobile-developer/SKILL.md +194 -0
- package/template/agent/skills/mobile-developer/references/android-native.md +396 -0
- package/template/agent/skills/mobile-developer/references/android-rules/android-accessibility.md +36 -0
- package/template/agent/skills/mobile-developer/references/android-rules/android-architecture.md +52 -0
- package/template/agent/skills/mobile-developer/references/android-rules/android-coroutines.md +139 -0
- package/template/agent/skills/mobile-developer/references/android-rules/android-data-layer.md +51 -0
- package/template/agent/skills/mobile-developer/references/android-rules/android-emulator-skill.md +108 -0
- package/template/agent/skills/mobile-developer/references/android-rules/android-gradle-logic.md +126 -0
- package/template/agent/skills/mobile-developer/references/android-rules/android-retrofit.md +142 -0
- package/template/agent/skills/mobile-developer/references/android-rules/android-testing.md +102 -0
- package/template/agent/skills/mobile-developer/references/android-rules/android-viewmodel.md +43 -0
- package/template/agent/skills/mobile-developer/references/android-rules/coil-compose.md +74 -0
- package/template/agent/skills/mobile-developer/references/android-rules/compose-navigation.md +422 -0
- package/template/agent/skills/mobile-developer/references/android-rules/compose-performance-audit.md +199 -0
- package/template/agent/skills/mobile-developer/references/android-rules/compose-ui.md +49 -0
- package/template/agent/skills/mobile-developer/references/android-rules/gradle-build-performance.md +346 -0
- package/template/agent/skills/mobile-developer/references/android-rules/kotlin-concurrency-expert.md +169 -0
- package/template/agent/skills/mobile-developer/references/android-rules/rxjava-to-coroutines-migration.md +101 -0
- package/template/agent/skills/mobile-developer/references/android-rules/xml-to-compose-migration.md +338 -0
- package/template/agent/skills/mobile-developer/references/flutter-rules/dart-best-practices.md +52 -0
- package/template/agent/skills/mobile-developer/references/flutter-rules/dart-checks-migration.md +134 -0
- package/template/agent/skills/mobile-developer/references/flutter-rules/dart-cli-app-best-practices.md +123 -0
- package/template/agent/skills/mobile-developer/references/flutter-rules/dart-doc-validation.md +45 -0
- package/template/agent/skills/mobile-developer/references/flutter-rules/dart-matcher-best-practices.md +106 -0
- package/template/agent/skills/mobile-developer/references/flutter-rules/dart-modern-features.md +241 -0
- package/template/agent/skills/mobile-developer/references/flutter-rules/dart-package-maintenance.md +75 -0
- package/template/agent/skills/mobile-developer/references/flutter-rules/dart-test-fundamentals.md +124 -0
- package/template/agent/skills/mobile-developer/references/flutter.md +291 -0
- package/template/agent/skills/mobile-developer/references/ios-native.md +358 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/accessibility-patterns.md +215 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/animation-advanced.md +403 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/animation-basics.md +284 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/animation-transitions.md +326 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/charts-accessibility.md +135 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/charts.md +602 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/image-optimization.md +203 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/latest-apis.md +464 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/layout-best-practices.md +266 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/liquid-glass.md +416 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/list-patterns.md +394 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/macos-scenes.md +318 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/macos-views.md +357 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/macos-window-styling.md +303 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/performance-patterns.md +403 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/scroll-patterns.md +293 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/sheet-navigation-patterns.md +363 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/state-management.md +417 -0
- package/template/agent/skills/mobile-developer/references/ios-rules/view-structure.md +389 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/_sections.md +86 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/_template.md +28 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/animation-derived-value.md +53 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/animation-gesture-detector-press.md +95 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/animation-gpu-properties.md +65 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/design-system-compound-components.md +66 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/fonts-config-plugin.md +71 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/imports-design-system-folder.md +68 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/js-hoist-intl.md +61 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/list-performance-callbacks.md +44 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/list-performance-function-references.md +132 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/list-performance-images.md +53 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/list-performance-inline-objects.md +97 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/list-performance-item-expensive.md +94 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/list-performance-item-memo.md +82 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/list-performance-item-types.md +104 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/list-performance-virtualize.md +67 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/monorepo-native-deps-in-app.md +46 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/monorepo-single-dependency-versions.md +63 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/navigation-native-navigators.md +188 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/react-compiler-destructure-functions.md +50 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/react-compiler-reanimated-shared-values.md +48 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/react-state-dispatcher.md +91 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/react-state-fallback.md +56 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/react-state-minimize.md +65 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/rendering-no-falsy-and.md +74 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/rendering-text-in-text-component.md +36 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/scroll-position-no-state.md +82 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/state-ground-truth.md +80 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/ui-expo-image.md +66 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/ui-image-gallery.md +104 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/ui-measure-views.md +78 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/ui-menus.md +174 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/ui-native-modals.md +77 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/ui-pressable.md +61 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/ui-safe-area-scroll.md +65 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/ui-scrollview-content-inset.md +45 -0
- package/template/agent/skills/mobile-developer/references/react-native-rules/ui-styling.md +87 -0
- package/template/agent/skills/mobile-developer/references/react-native.md +345 -0
- package/template/agent/skills/monetization-strategist/SKILL.md +119 -0
- package/template/agent/skills/paid-acquisition-specialist/SKILL.md +119 -0
- package/template/agent/skills/product-manager/SKILL.md +105 -0
- package/template/agent/skills/real-time-features/SKILL.md +194 -0
- package/template/agent/skills/retention-specialist/SKILL.md +123 -0
- package/template/agent/skills/saas-architect/SKILL.md +139 -0
- package/template/agent/skills/security-engineer/SKILL.md +133 -0
- package/template/agent/skills/seo-specialist/SKILL.md +130 -0
- package/template/agent/skills/subscription-billing/SKILL.md +179 -0
- package/template/agent/skills/ux-designer/SKILL.md +128 -0
package/package.json
CHANGED
|
@@ -14,6 +14,8 @@ All skills are symlinked into `.agent/skills/` and are automatically available.
|
|
|
14
14
|
|
|
15
15
|
## Available Skills
|
|
16
16
|
|
|
17
|
+
### Development Workflow
|
|
18
|
+
|
|
17
19
|
| Skill | When to Use |
|
|
18
20
|
|---|---|
|
|
19
21
|
| `brainstorming` | Before ANY creative work — adding features, building components, modifying behavior |
|
|
@@ -29,6 +31,57 @@ All skills are symlinked into `.agent/skills/` and are automatically available.
|
|
|
29
31
|
| `finishing-a-development-branch` | When tasks complete — merge / PR / discard |
|
|
30
32
|
| `dispatching-parallel-agents` | When running concurrent subagent workflows |
|
|
31
33
|
| `writing-skills` | When creating new skills |
|
|
34
|
+
| `using-superpowers` | When starting any conversation — find and use skills |
|
|
35
|
+
|
|
36
|
+
### Technical Roles
|
|
37
|
+
|
|
38
|
+
| Skill | When to Use |
|
|
39
|
+
|---|---|
|
|
40
|
+
| `frontend-developer` | Web UI, component architecture, React/Vue/Svelte/Vanilla. Has `react-rules/` (66 Vercel rules) and `vue-rules/` (44 antfu rules) |
|
|
41
|
+
| `backend-developer` | APIs, server-side logic, database schemas |
|
|
42
|
+
| `mobile-developer` | Mobile apps — React Native, Flutter, iOS, Android. Has `react-native-rules/` (38), `flutter-rules/` (8), `android-rules/` (17), `ios-rules/` (19) |
|
|
43
|
+
| `game-developer` | Mobile game features, architecture decisions |
|
|
44
|
+
| `game-design` | Game mechanics, core loops, progression, monetization |
|
|
45
|
+
| `cto-architect` | System design, tech debt, scaling, architecture |
|
|
46
|
+
| `saas-architect` | Multi-tenant SaaS architecture, tenant isolation |
|
|
47
|
+
| `devops-engineer` | CI/CD, infrastructure, deployment, monitoring |
|
|
48
|
+
| `security-engineer` | App security, auth, GDPR, security audits |
|
|
49
|
+
|
|
50
|
+
### Business & Growth
|
|
51
|
+
|
|
52
|
+
| Skill | When to Use |
|
|
53
|
+
|---|---|
|
|
54
|
+
| `product-manager` | Product requirements, feature prioritization, roadmap |
|
|
55
|
+
| `data-analyst` | Metrics, funnels, cohort analysis, A/B tests |
|
|
56
|
+
| `growth-hacker` | User acquisition, viral loops, activation funnels |
|
|
57
|
+
| `monetization-strategist` | Pricing, freemium, IAP, unit economics |
|
|
58
|
+
| `conversion-optimizer` | Landing pages, trial-to-paid, onboarding, CRO |
|
|
59
|
+
| `retention-specialist` | Onboarding flows, churn reduction, re-engagement |
|
|
60
|
+
| `customer-success-manager` | User support, feedback loops, NPS/CSAT |
|
|
61
|
+
| `app-store-optimizer` | ASO, keyword strategy, screenshots, ratings |
|
|
62
|
+
| `ux-designer` | UI design, wireframes, user research, IA |
|
|
63
|
+
| `copywriter` | Landing copy, app descriptions, email sequences |
|
|
64
|
+
|
|
65
|
+
### Marketing & Content
|
|
66
|
+
|
|
67
|
+
| Skill | When to Use |
|
|
68
|
+
|---|---|
|
|
69
|
+
| `content-marketer` | Content strategy, SEO content, social media |
|
|
70
|
+
| `seo-specialist` | Technical SEO, keywords, backlinks, organic search |
|
|
71
|
+
| `community-manager` | Discord, Reddit, Slack community management |
|
|
72
|
+
| `influencer-marketer` | UGC, creator partnerships, affiliate programs |
|
|
73
|
+
| `paid-acquisition-specialist` | Meta Ads, Google Ads, Apple Search Ads, ROAS |
|
|
74
|
+
|
|
75
|
+
### Infrastructure & Integration
|
|
76
|
+
|
|
77
|
+
| Skill | When to Use |
|
|
78
|
+
|---|---|
|
|
79
|
+
| `api-design` | REST/GraphQL APIs, versioning, rate limiting |
|
|
80
|
+
| `auth-and-identity` | Auth, SSO/SAML/OIDC, RBAC, session management |
|
|
81
|
+
| `subscription-billing` | Stripe, IAP, trials, dunning flows |
|
|
82
|
+
| `email-infrastructure` | Transactional email, SPF/DKIM/DMARC, deliverability |
|
|
83
|
+
| `real-time-features` | WebSockets, SSE, live collaboration, presence |
|
|
84
|
+
| `i18n-localization` | Internationalization, translations, localized ASO |
|
|
32
85
|
|
|
33
86
|
## How to Read a Skill (Antigravity)
|
|
34
87
|
|
|
@@ -50,3 +103,4 @@ Example: `.agent/skills/brainstorming/SKILL.md`
|
|
|
50
103
|
- **TDD always**: Write failing tests first, then code
|
|
51
104
|
- **Systematic over ad-hoc**: Follow the skill process, don't guess
|
|
52
105
|
- **Evidence over claims**: Verify before declaring success
|
|
106
|
+
|
|
@@ -0,0 +1,193 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: api-design
|
|
3
|
+
description: Use when designing REST or GraphQL APIs, defining versioning strategy, implementing rate limiting, pagination, or writing API documentation
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# API Design Lens
|
|
7
|
+
|
|
8
|
+
> **Philosophy:** An API is a contract. Breaking it breaks your users' production systems.
|
|
9
|
+
> Design APIs for the client's needs, not the server's convenience.
|
|
10
|
+
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
## Core Instincts
|
|
14
|
+
|
|
15
|
+
- **API contracts are forever** — breaking changes in v1 are unforgivable; version aggressively
|
|
16
|
+
- **Design for the consumer** — the client's workflow, not the server's data model, drives resource design
|
|
17
|
+
- **Idempotency is non-negotiable** — safe to retry = safe to build reliable systems on top of
|
|
18
|
+
- **Errors must be informative** — vague errors waste developer hours
|
|
19
|
+
- **Consistency over cleverness** — a boring, predictable API is a beloved API
|
|
20
|
+
|
|
21
|
+
---
|
|
22
|
+
|
|
23
|
+
## REST Resource Design Rules
|
|
24
|
+
|
|
25
|
+
```
|
|
26
|
+
Resource naming:
|
|
27
|
+
✅ /users/{id}/projects (noun, plural, hierarchical)
|
|
28
|
+
❌ /getProjectsForUser/{id} (verb, confusing)
|
|
29
|
+
❌ /user-projects/{userId} (mixed conventions)
|
|
30
|
+
|
|
31
|
+
HTTP verbs:
|
|
32
|
+
GET /resources → list (paginated)
|
|
33
|
+
GET /resources/{id} → get one
|
|
34
|
+
POST /resources → create
|
|
35
|
+
PUT /resources/{id} → full replace (idempotent)
|
|
36
|
+
PATCH /resources/{id} → partial update
|
|
37
|
+
DELETE /resources/{id} → delete (idempotent)
|
|
38
|
+
|
|
39
|
+
Idempotency:
|
|
40
|
+
GET, PUT, DELETE = always idempotent
|
|
41
|
+
POST = not idempotent by default → use Idempotency-Key header
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
---
|
|
45
|
+
|
|
46
|
+
## HTTP Status Codes (Precise Usage)
|
|
47
|
+
|
|
48
|
+
| Status | Use when | Body |
|
|
49
|
+
|--------|----------|------|
|
|
50
|
+
| 200 | Success, returns data | Resource |
|
|
51
|
+
| 201 | Created | Resource + `Location` header |
|
|
52
|
+
| 204 | Success, no body | Empty |
|
|
53
|
+
| 400 | Malformed request / validation failure | Error with field details |
|
|
54
|
+
| 401 | Missing or invalid auth | Error |
|
|
55
|
+
| 403 | Auth valid, no permission | Error (don't reveal resource existence) |
|
|
56
|
+
| 404 | Resource not found | Error |
|
|
57
|
+
| 409 | Conflict (duplicate, state clash) | Error with conflict detail |
|
|
58
|
+
| 422 | Valid format, business rule violation | Error with reason |
|
|
59
|
+
| 429 | Rate limited | Error + `Retry-After` header |
|
|
60
|
+
| 500 | Unexpected server error | Generic error (log full details server-side) |
|
|
61
|
+
|
|
62
|
+
---
|
|
63
|
+
|
|
64
|
+
## Error Response Standard (RFC 7807 / Problem Details)
|
|
65
|
+
|
|
66
|
+
```json
|
|
67
|
+
{
|
|
68
|
+
"type": "https://docs.myapp.com/errors/validation-failed",
|
|
69
|
+
"title": "Validation Failed",
|
|
70
|
+
"status": 422,
|
|
71
|
+
"detail": "One or more fields are invalid",
|
|
72
|
+
"errors": [
|
|
73
|
+
{ "field": "email", "message": "Must be a valid email address" },
|
|
74
|
+
{ "field": "name", "message": "Required" }
|
|
75
|
+
],
|
|
76
|
+
"requestId": "01HX7Y3Z..."
|
|
77
|
+
}
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
**Always include `requestId`** — allows support to find logs immediately.
|
|
81
|
+
|
|
82
|
+
---
|
|
83
|
+
|
|
84
|
+
## Pagination
|
|
85
|
+
|
|
86
|
+
```
|
|
87
|
+
Offset-based (simple, less scalable):
|
|
88
|
+
GET /users?page=2&limit=20
|
|
89
|
+
✅ Good for: admin UIs, small datasets
|
|
90
|
+
❌ Bad for: large datasets (OFFSET N scans N rows)
|
|
91
|
+
|
|
92
|
+
Cursor-based (scalable, real-time safe):
|
|
93
|
+
GET /users?cursor=eyJpZCI6MTIzfQ&limit=20
|
|
94
|
+
Response: { data: [...], nextCursor: "eyJpZCI6MTQzfQ", hasMore: true }
|
|
95
|
+
✅ Good for: feeds, large datasets, infinite scroll
|
|
96
|
+
❌ Bad for: jump-to-page UI
|
|
97
|
+
|
|
98
|
+
Default recommendation: Cursor-based with opaque base64 cursors.
|
|
99
|
+
Expose total count only when necessary (expensive for large tables).
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
---
|
|
103
|
+
|
|
104
|
+
## Rate Limiting
|
|
105
|
+
|
|
106
|
+
```
|
|
107
|
+
Strategy: Token bucket or sliding window
|
|
108
|
+
|
|
109
|
+
Headers to include:
|
|
110
|
+
X-RateLimit-Limit: 1000 (max requests per window)
|
|
111
|
+
X-RateLimit-Remaining: 847 (requests left)
|
|
112
|
+
X-RateLimit-Reset: 1711234567 (Unix timestamp when window resets)
|
|
113
|
+
Retry-After: 60 (seconds to wait, on 429 only)
|
|
114
|
+
|
|
115
|
+
Recommended limits for SaaS APIs:
|
|
116
|
+
Authenticated: 1000 req/min per user
|
|
117
|
+
Unauthenticated: 60 req/min per IP
|
|
118
|
+
Sensitive (auth endpoints): 5 req/15min per IP
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
---
|
|
122
|
+
|
|
123
|
+
## API Versioning
|
|
124
|
+
|
|
125
|
+
```
|
|
126
|
+
Strategy options:
|
|
127
|
+
URL versioning: /v1/users ← RECOMMENDED (explicit, cacheable)
|
|
128
|
+
Header versioning: Accept: application/vnd.myapp.v1+json (less visible)
|
|
129
|
+
Query param: /users?version=1 (ugly, cache issues)
|
|
130
|
+
|
|
131
|
+
Breaking vs non-breaking changes:
|
|
132
|
+
Non-breaking (safe without versioning):
|
|
133
|
+
✅ Adding new optional fields to response
|
|
134
|
+
✅ Adding new optional request parameters
|
|
135
|
+
✅ Adding new endpoints
|
|
136
|
+
|
|
137
|
+
Breaking (requires new version):
|
|
138
|
+
❌ Removing fields from response
|
|
139
|
+
❌ Changing field types
|
|
140
|
+
❌ Changing endpoint behavior
|
|
141
|
+
❌ Renaming fields
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
---
|
|
145
|
+
|
|
146
|
+
## ❌ Anti-Patterns to Avoid
|
|
147
|
+
|
|
148
|
+
| ❌ NEVER DO | Why | ✅ DO INSTEAD |
|
|
149
|
+
|------------|-----|--------------|
|
|
150
|
+
| Return 200 for errors | Clients parse status codes; 200 failure = broken integrations | Use correct status codes |
|
|
151
|
+
| Expose internal IDs (auto-increment integers) | Enumerable, leaks count of records | UUIDs always |
|
|
152
|
+
| Breaking changes without versioning | Clients' production breaks silently | `/v2/` or deprecation period |
|
|
153
|
+
| Unbounded list endpoints | OOM at scale | Always paginate; default limit 20, max 100 |
|
|
154
|
+
| Verbose errors in production | Leaks internals to attackers | Generic message to client; details in server logs only |
|
|
155
|
+
| Synchronous long-running operations | Timeout at 30s+, bad UX | Accept → 202 Accepted → polling or webhook |
|
|
156
|
+
|
|
157
|
+
---
|
|
158
|
+
|
|
159
|
+
## Questions You Always Ask
|
|
160
|
+
|
|
161
|
+
**When designing a new endpoint:**
|
|
162
|
+
- Is this resource name a noun (not a verb)?
|
|
163
|
+
- What's the idempotency story? Can the client safely retry?
|
|
164
|
+
- What's the pagination strategy? What's the max page size?
|
|
165
|
+
- Is this a breaking change to existing consumers?
|
|
166
|
+
|
|
167
|
+
---
|
|
168
|
+
|
|
169
|
+
## Red Flags
|
|
170
|
+
|
|
171
|
+
**Must fix:**
|
|
172
|
+
- [ ] `200 OK` returned for error responses
|
|
173
|
+
- [ ] No pagination on list endpoints
|
|
174
|
+
- [ ] Auto-increment integer IDs exposed
|
|
175
|
+
- [ ] Breaking API change without version bump
|
|
176
|
+
|
|
177
|
+
**Should fix:**
|
|
178
|
+
- [ ] No rate limiting on public endpoints
|
|
179
|
+
- [ ] Error responses without field-level details
|
|
180
|
+
- [ ] No `requestId` in error responses (prevents support lookup)
|
|
181
|
+
- [ ] No OpenAPI/Swagger spec
|
|
182
|
+
|
|
183
|
+
---
|
|
184
|
+
|
|
185
|
+
## Who to Pair With
|
|
186
|
+
- `backend-developer` — for implementation of API patterns
|
|
187
|
+
- `auth-and-identity` — for auth design on API endpoints
|
|
188
|
+
- `saas-architect` — for multi-tenant API context
|
|
189
|
+
|
|
190
|
+
---
|
|
191
|
+
|
|
192
|
+
## Tools
|
|
193
|
+
OpenAPI / Swagger (spec) · Scalar / Stoplight (docs) · Hono / Fastify / Express (Node.js) · Zod / Joi (validation) · `express-rate-limit` / Upstash Rate Limit · Postman / Insomnia (testing)
|
|
@@ -0,0 +1,127 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: app-store-optimizer
|
|
3
|
+
description: Use when working on App Store / Google Play listing optimization, keyword strategy, screenshots, ratings, or app store A/B testing
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# App Store Optimizer Lens
|
|
7
|
+
|
|
8
|
+
> **Philosophy:** ASO is SEO for app stores. Discoverability + conversion = downloads.
|
|
9
|
+
> Most apps lose 60%+ of potential downloads to a weak listing, not a weak product.
|
|
10
|
+
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
## Core Instincts
|
|
14
|
+
|
|
15
|
+
- **Title keyword is the highest-ranking signal** — include your primary keyword in the title
|
|
16
|
+
- **First 3 screenshots convert or kill** — most users never scroll past them
|
|
17
|
+
- **Ratings velocity > average rating** — a burst of fresh 5-stars beats a stale 4.8
|
|
18
|
+
- **Keyword field is invisible to users but critical to ranking** — use every character
|
|
19
|
+
- **Localize for top markets** — EN + your top 3 markets = 80% of opportunity
|
|
20
|
+
|
|
21
|
+
---
|
|
22
|
+
|
|
23
|
+
## Platform Limits (Know These Cold)
|
|
24
|
+
|
|
25
|
+
### iOS App Store
|
|
26
|
+
| Field | Limit | Notes |
|
|
27
|
+
|-------|-------|-------|
|
|
28
|
+
| Title | **30 chars** | Primary keyword weight = 2× |
|
|
29
|
+
| Subtitle | **30 chars** | Secondary keyword, benefit-focused |
|
|
30
|
+
| Keywords | **100 chars** | Comma-separated, no spaces, no repeats from title |
|
|
31
|
+
| Description | **4000 chars** | First **255 chars** shown before "more" |
|
|
32
|
+
| Promo text | **170 chars** | Updates without review; use for time-limited offers |
|
|
33
|
+
| Screenshots | Up to **10** | Sizes vary by device; first 3 drive 80% of conversion |
|
|
34
|
+
| Preview video | **15–30 seconds** | First 3 seconds must hook without sound |
|
|
35
|
+
|
|
36
|
+
### Google Play
|
|
37
|
+
| Field | Limit | Notes |
|
|
38
|
+
|-------|-------|-------|
|
|
39
|
+
| Title | **30 chars** | Keyword-rich |
|
|
40
|
+
| Short description | **80 chars** | Shown in search; make it scannable |
|
|
41
|
+
| Long description | **4000 chars** | First 167 chars auto-expanded; repeat keyword 3–5× |
|
|
42
|
+
| Screenshots | Up to **8** | 16:9 or 9:16 preferred |
|
|
43
|
+
| Feature graphic | **1024 × 500px** | Shown in featured slots |
|
|
44
|
+
|
|
45
|
+
---
|
|
46
|
+
|
|
47
|
+
## ❌ Anti-Patterns to Avoid
|
|
48
|
+
|
|
49
|
+
| ❌ NEVER DO | Why | ✅ DO INSTEAD |
|
|
50
|
+
|------------|-----|--------------|
|
|
51
|
+
| Title = just the brand name | Zero keyword signal | Brand + primary keyword (e.g., "Todoist: To-Do List & Tasks") |
|
|
52
|
+
| Leave keywords field blank (iOS) | 100 chars of free ranking wasted | Fill every character with non-title keywords |
|
|
53
|
+
| First screenshot = app logo splash | Users bounce, no context | First screenshot = core value prop as hero text |
|
|
54
|
+
| Ask for review on first open | Users hate it, Apple rejects manipulative prompts | Ask after a success action (task completed, streak hit) |
|
|
55
|
+
| Ignore 1-star reviews | Review responses shown publicly; silence = neglect | Respond within 48h; apologize + explain fix |
|
|
56
|
+
| Use keywords that appear in title (iOS) | Apple ignores duplicates | Every keyword field word must be unique |
|
|
57
|
+
| Generic description | No differentiation, no keywords | Keyword-rich first paragraph, benefit bullets |
|
|
58
|
+
|
|
59
|
+
---
|
|
60
|
+
|
|
61
|
+
## Keyword Research Process
|
|
62
|
+
|
|
63
|
+
1. **Seed keywords** — brainstorm 20–30 relevant terms
|
|
64
|
+
2. **Competitor analysis** — check top 5 competitor titles/subtitles
|
|
65
|
+
3. **Volume + difficulty** — use Sensor Tower / AppTweak / AppFollow to score
|
|
66
|
+
4. **Priority matrix** — High volume + Low difficulty = target first
|
|
67
|
+
5. **Long-tail focus** — easier to rank for "meditation app for anxiety" than "meditation"
|
|
68
|
+
6. **Update every 60–90 days** — track rank changes, iterate
|
|
69
|
+
|
|
70
|
+
---
|
|
71
|
+
|
|
72
|
+
## Ratings Strategy
|
|
73
|
+
|
|
74
|
+
**When to prompt:** After user completes a meaningful success action, NOT on launch.
|
|
75
|
+
- Good triggers: completed task, reached streak, finished session, saved something
|
|
76
|
+
- Bad triggers: app open, screen view, after onboarding
|
|
77
|
+
|
|
78
|
+
**Target benchmarks:**
|
|
79
|
+
| Metric | Floor | Target |
|
|
80
|
+
|--------|-------|--------|
|
|
81
|
+
| Average rating | > 4.0 | > 4.5 |
|
|
82
|
+
| Review count (for featuring) | > 100 | > 500 |
|
|
83
|
+
| Response rate to 1-star | — | > 80% within 48h |
|
|
84
|
+
|
|
85
|
+
**Recovering from bad ratings:** Respond to every 1-star, release fix quickly, request updated review from resolved users.
|
|
86
|
+
|
|
87
|
+
---
|
|
88
|
+
|
|
89
|
+
## Questions You Always Ask
|
|
90
|
+
|
|
91
|
+
**When auditing a listing:**
|
|
92
|
+
- Is the primary keyword in the title?
|
|
93
|
+
- Do the first 3 screenshots tell a complete story without reading any text?
|
|
94
|
+
- Is the keyword field 100% utilized (iOS)?
|
|
95
|
+
- What's the current conversion rate from impression to download? (Benchmark: 3–7%)
|
|
96
|
+
|
|
97
|
+
**When planning ASO strategy:**
|
|
98
|
+
- Which markets are we localizing for?
|
|
99
|
+
- What keywords are competitors ranking for that we're missing?
|
|
100
|
+
- When was the last time we A/B tested screenshots?
|
|
101
|
+
|
|
102
|
+
---
|
|
103
|
+
|
|
104
|
+
## Red Flags
|
|
105
|
+
|
|
106
|
+
**Must fix:**
|
|
107
|
+
- [ ] Title is brand name only (no keyword)
|
|
108
|
+
- [ ] iOS keyword field < 90 characters used
|
|
109
|
+
- [ ] First screenshot is a splash screen or abstract illustration
|
|
110
|
+
- [ ] No response to 1-star reviews
|
|
111
|
+
|
|
112
|
+
**Should fix:**
|
|
113
|
+
- [ ] Description first 255 chars (iOS) / 167 chars (Play) not benefit-focused
|
|
114
|
+
- [ ] No preview video
|
|
115
|
+
- [ ] Listing not localized for top 3 markets
|
|
116
|
+
|
|
117
|
+
---
|
|
118
|
+
|
|
119
|
+
## Who to Pair With
|
|
120
|
+
- `copywriter` — for listing copy strategy
|
|
121
|
+
- `growth-hacker` — for launch burst strategy (ratings velocity)
|
|
122
|
+
- `conversion-optimizer` — for screenshot A/B testing
|
|
123
|
+
|
|
124
|
+
---
|
|
125
|
+
|
|
126
|
+
## Tools
|
|
127
|
+
AppFollow · Sensor Tower · AppTweak · AppFigures · MobileAction · Apple Search Ads Intelligence
|
|
@@ -0,0 +1,167 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: auth-and-identity
|
|
3
|
+
description: Use when implementing authentication, authorization, SSO/SAML/OIDC, multi-tenant identity, session management, or role-based access control for a SaaS product
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Auth & Identity Lens
|
|
7
|
+
|
|
8
|
+
> **Philosophy:** Authentication proves who you are. Authorization proves what you can do.
|
|
9
|
+
> Mixing them up is the most common source of privilege escalation bugs.
|
|
10
|
+
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
## Core Instincts
|
|
14
|
+
|
|
15
|
+
- **AuthN ≠ AuthZ** — always handle them as separate concerns
|
|
16
|
+
- **Every request must be authenticated AND authorized** — auth middleware is not authorization
|
|
17
|
+
- **Tenant context must be established on every request** — after AuthN, before any DB query
|
|
18
|
+
- **Fail closed** — when in doubt, deny; never default to permissive
|
|
19
|
+
- **Never roll your own crypto** — use proven libraries and protocols
|
|
20
|
+
|
|
21
|
+
---
|
|
22
|
+
|
|
23
|
+
## Multi-Tenant Auth Flow
|
|
24
|
+
|
|
25
|
+
```
|
|
26
|
+
Request arrives →
|
|
27
|
+
1. Verify token/session (AuthN) → get user_id
|
|
28
|
+
2. Load user + tenant membership → get tenant_id, role
|
|
29
|
+
3. Set tenant context (RLS / app context)
|
|
30
|
+
4. Check permission for this route/resource (AuthZ)
|
|
31
|
+
5. Execute request
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
**Order matters:** If you skip step 3, RLS doesn't know which tenant. If you skip step 4, any authenticated user can do anything.
|
|
35
|
+
|
|
36
|
+
---
|
|
37
|
+
|
|
38
|
+
## Auth Strategy Selection
|
|
39
|
+
|
|
40
|
+
| Method | Best for | Not for |
|
|
41
|
+
|--------|----------|---------|
|
|
42
|
+
| **JWT (stateless)** | Stateless APIs, microservices | When you need instant revocation |
|
|
43
|
+
| **Session cookie** | Web apps, SSR | Mobile-first or API-only |
|
|
44
|
+
| **API key** | Machine-to-machine, developer APIs | User-facing login |
|
|
45
|
+
| **SAML 2.0** | Enterprise SSO (Okta, Azure AD) | Consumer apps |
|
|
46
|
+
| **OIDC / OAuth 2.0** | Social login, federated identity | Internal-only systems |
|
|
47
|
+
|
|
48
|
+
**Indie hacker default:** Session cookies for web (HttpOnly, Secure, SameSite=Strict) + JWT for API endpoints.
|
|
49
|
+
|
|
50
|
+
---
|
|
51
|
+
|
|
52
|
+
## JWT Rules
|
|
53
|
+
|
|
54
|
+
```
|
|
55
|
+
Access token:
|
|
56
|
+
- Expiry: 15 minutes (short-lived; compromised → limited damage window)
|
|
57
|
+
- Payload: user_id, tenant_id, role, exp — NO sensitive data
|
|
58
|
+
- Store: Memory (never localStorage) or HttpOnly cookie
|
|
59
|
+
|
|
60
|
+
Refresh token:
|
|
61
|
+
- Expiry: 7–30 days
|
|
62
|
+
- Store: HttpOnly cookie ONLY
|
|
63
|
+
- Rotate on every use (refresh token rotation)
|
|
64
|
+
- Invalidate all refresh tokens on password change/logout all
|
|
65
|
+
|
|
66
|
+
Signing:
|
|
67
|
+
- Algorithm: RS256 (asymmetric, allows public verification) or HS256 (simpler, shared secret)
|
|
68
|
+
- Secret: ≥ 32 random bytes; rotate if compromised (support multiple valid secrets during rotation)
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
---
|
|
72
|
+
|
|
73
|
+
## RBAC Pattern (Role-Based Access Control)
|
|
74
|
+
|
|
75
|
+
```typescript
|
|
76
|
+
// Roles per tenant membership (not global)
|
|
77
|
+
type TenantRole = 'owner' | 'admin' | 'member' | 'viewer';
|
|
78
|
+
|
|
79
|
+
// Permissions defined as capability strings
|
|
80
|
+
const PERMISSIONS = {
|
|
81
|
+
owner: ['billing:manage', 'members:manage', 'data:delete', 'data:write', 'data:read'],
|
|
82
|
+
admin: ['members:manage', 'data:write', 'data:read'],
|
|
83
|
+
member: ['data:write', 'data:read'],
|
|
84
|
+
viewer: ['data:read'],
|
|
85
|
+
} satisfies Record<TenantRole, string[]>;
|
|
86
|
+
|
|
87
|
+
// Check at every protected route/action
|
|
88
|
+
function can(user: User, permission: string): boolean {
|
|
89
|
+
return PERMISSIONS[user.tenantRole]?.includes(permission) ?? false;
|
|
90
|
+
}
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
---
|
|
94
|
+
|
|
95
|
+
## SSO / SAML Integration (Enterprise)
|
|
96
|
+
|
|
97
|
+
```
|
|
98
|
+
When to build SAML:
|
|
99
|
+
- Enterprise customers require it (Okta, Azure AD, Google Workspace)
|
|
100
|
+
- Single "SAML" request in a deal is worth building immediately
|
|
101
|
+
|
|
102
|
+
Implementation options for indie hackers:
|
|
103
|
+
1. WorkOS — $0 to start, pay per enterprise connection; fastest path
|
|
104
|
+
2. Auth0 / Clerk — SAML add-on; higher cost at scale
|
|
105
|
+
3. Roll your own — samlify / passport-saml; significant complexity
|
|
106
|
+
|
|
107
|
+
SAML Flow:
|
|
108
|
+
User → Your SP (Service Provider) → IdP (Okta/AzureAD) → SAML assertion → SP → Session
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
---
|
|
112
|
+
|
|
113
|
+
## ❌ Anti-Patterns to Avoid
|
|
114
|
+
|
|
115
|
+
| ❌ NEVER DO | Why | ✅ DO INSTEAD |
|
|
116
|
+
|------------|-----|--------------|
|
|
117
|
+
| JWT in `localStorage` | XSS attack steals token, unlimited access | `HttpOnly` cookie |
|
|
118
|
+
| Long-lived access tokens (> 1 hour) | Compromised token = long exposure window | 15 min expiry + refresh token rotation |
|
|
119
|
+
| Storing passwords as anything but bcrypt/argon2id | Rainbow table crack in seconds | bcrypt cost ≥12 or argon2id |
|
|
120
|
+
| Checking auth at route level only | Bypassed by internal calls | Check permissions at the service/data layer |
|
|
121
|
+
| Global admin role without per-tenant scope | One compromised admin = all tenants affected | Admin role always scoped to a tenant |
|
|
122
|
+
| No rate limiting on auth endpoints | Brute force, credential stuffing | Max 5 attempts / 15 min per IP |
|
|
123
|
+
| Email as unique identifier across tenants | Same email in multiple tenants = collision | `(email, tenant_id)` composite unique |
|
|
124
|
+
|
|
125
|
+
---
|
|
126
|
+
|
|
127
|
+
## Questions You Always Ask
|
|
128
|
+
|
|
129
|
+
**When designing auth:**
|
|
130
|
+
- Is tenant context established before any DB query happens?
|
|
131
|
+
- Does AuthZ happen at the service layer, not just route middleware?
|
|
132
|
+
- Are refresh tokens rotated on every use?
|
|
133
|
+
- What's the logout flow? Does it invalidate server-side session/refresh token?
|
|
134
|
+
|
|
135
|
+
**When adding a new role or permission:**
|
|
136
|
+
- Is this the least privilege needed for this action?
|
|
137
|
+
- Have we tested that a lower-privileged role cannot access this?
|
|
138
|
+
|
|
139
|
+
---
|
|
140
|
+
|
|
141
|
+
## Red Flags
|
|
142
|
+
|
|
143
|
+
**Must fix:**
|
|
144
|
+
- [ ] JWT stored in `localStorage`
|
|
145
|
+
- [ ] No tenant_id in auth context (tenant isolation can't work)
|
|
146
|
+
- [ ] Authorization only checked at route level (not service/data layer)
|
|
147
|
+
- [ ] No rate limiting on `/login`, `/forgot-password`, `/reset-password`
|
|
148
|
+
|
|
149
|
+
**Should fix:**
|
|
150
|
+
- [ ] Refresh tokens not rotated on use
|
|
151
|
+
- [ ] No MFA option for admin/owner roles
|
|
152
|
+
- [ ] Email uniqueness checked globally (not per-tenant)
|
|
153
|
+
|
|
154
|
+
---
|
|
155
|
+
|
|
156
|
+
## Who to Pair With
|
|
157
|
+
- `saas-architect` — for tenant context in data model
|
|
158
|
+
- `security-engineer` — for token storage and auth security audit
|
|
159
|
+
- `backend-developer` — for middleware and session management
|
|
160
|
+
|
|
161
|
+
---
|
|
162
|
+
|
|
163
|
+
## Tools
|
|
164
|
+
**Hosted auth:** Clerk · Auth0 · Supabase Auth · Firebase Auth
|
|
165
|
+
**Self-hosted:** NextAuth.js / Auth.js · Lucia · Better Auth
|
|
166
|
+
**Enterprise SSO:** WorkOS · Boxyhq (open source)
|
|
167
|
+
**Libraries:** `jose` (JWT) · `bcrypt` / `argon2` (passwords) · `samlify` (SAML)
|