ai-sprint-kit 1.1.0

package/templates/.claude/commands/code.md

@@ -0,0 +1,301 @@
+---
+description: Generate or refactor code with best practices and security
+argument-hint: [what to build or refactor]
+---
+
+## Command: /code
+
+Generate production-grade code or refactor existing code following best practices, security guidelines, and design patterns.
+
+## Usage
+
+```
+/code "implement user authentication with JWT"
+/code "refactor the payment service to use async/await"
+/code "add input validation to all API endpoints"
+/code "optimize database queries in user service"
+```
+
+## Workflow
+
+### 1. Understand Requirements
+- Clarify what needs to be built or refactored
+- Ask questions if requirements unclear
+- Identify affected files and components
+
+### 2. Delegate to Implementer Agent
+- Spawn implementer agent with detailed instructions
+- Agent follows security-first principles
+- Implements with proper error handling
+
+### 3. Code Generation
+- Generate clean, maintainable code
+- Follow YAGNI, KISS, DRY principles
+- Include proper TypeScript types
+- Add necessary error handling
+- Implement input validation
+
+### 4. Security Checklist
+**Automatically enforced:**
+- ✅ No hardcoded secrets
+- ✅ Input validation on all user inputs
+- ✅ Parameterized queries (no SQL injection)
+- ✅ Output encoding (no XSS)
+- ✅ Proper authentication/authorization
+- ✅ Error messages don't leak information
+- ✅ OWASP Top 10 compliance
+
+### 5. Quality Standards
+**Code must be:**
+- ✅ Type-safe (TypeScript/proper types)
+- ✅ Well-structured (clear responsibilities)
+- ✅ Properly tested (test cases generated)
+- ✅ Documented (comments where needed)
+- ✅ Performance-optimized (no N+1 queries)
+
+## Code Generation Principles
+
+### Security-First
+```typescript
+// ✅ Good - Secure
+export async function createUser(data: CreateUserInput) {
+  // Input validation
+  const validated = validateUserInput(data);
+
+  // Parameterized query (no SQL injection)
+  const user = await db.users.create({
+    data: {
+      email: validated.email,
+      password: await hash(validated.password, 10)
+    }
+  });
+
+  return user;
+}
+
+// ❌ Bad - Insecure
+export async function createUser(email, password) {
+  const query = `INSERT INTO users (email, password) VALUES ('${email}', '${password}')`;
+  await db.query(query); // SQL injection!
+  return email;
+}
+```
+
+### Error Handling
+```typescript
+// ✅ Good
+export async function getUser(id: string) {
+  try {
+    const user = await db.users.findUnique({ where: { id } });
+
+    if (!user) {
+      throw new NotFoundError(`User ${id} not found`);
+    }
+
+    return user;
+  } catch (error) {
+    logger.error('Failed to get user', { error, id });
+    throw error;
+  }
+}
+
+// ❌ Bad - No error handling
+export async function getUser(id) {
+  return await db.users.findUnique({ where: { id } });
+}
+```
+
+### Type Safety
+```typescript
+// ✅ Good - Typed
+interface CreateUserInput {
+  email: string;
+  password: string;
+  name?: string;
+}
+
+export async function createUser(data: CreateUserInput): Promise<User> {
+  // Implementation
+}
+
+// ❌ Bad - No types
+export async function createUser(data) {
+  // Implementation
+}
+```
+
+## Examples
+
+### Example 1: API Endpoint
+```
+/code "create REST API endpoint for user registration with email verification"
+```
+
+**Generated:**
+```typescript
+// api/auth/register/route.ts
+import { hash } from 'bcrypt';
+import { z } from 'zod';
+
+const registerSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+  name: z.string().min(1)
+});
+
+export async function POST(request: Request) {
+  try {
+    const body = await request.json();
+
+    // Input validation
+    const validated = registerSchema.parse(body);
+
+    // Check if user exists
+    const existing = await db.users.findUnique({
+      where: { email: validated.email }
+    });
+
+    if (existing) {
+      return Response.json(
+        { error: 'Email already registered' },
+        { status: 400 }
+      );
+    }
+
+    // Create user
+    const user = await db.users.create({
+      data: {
+        email: validated.email,
+        password: await hash(validated.password, 10),
+        name: validated.name,
+        verified: false
+      }
+    });
+
+    // Send verification email
+    await sendVerificationEmail(user.email, user.id);
+
+    return Response.json({
+      message: 'Registration successful. Check your email to verify.'
+    }, { status: 201 });
+
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      return Response.json(
+        { error: 'Invalid input', details: error.errors },
+        { status: 400 }
+      );
+    }
+
+    logger.error('Registration failed', { error });
+    return Response.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+```
+
+### Example 2: Refactoring
+```
+/code "refactor this callback-based code to use async/await"
+```
+
+**Before:**
+```javascript
+function getUser(id, callback) {
+  db.query('SELECT * FROM users WHERE id = ?', [id], (err, result) => {
+    if (err) return callback(err);
+    callback(null, result);
+  });
+}
+```
+
+**After:**
+```typescript
+async function getUser(id: string): Promise<User> {
+  const user = await db.users.findUnique({
+    where: { id }
+  });
+
+  if (!user) {
+    throw new NotFoundError(`User ${id} not found`);
+  }
+
+  return user;
+}
+```
+
+## Output
+
+### Code Generated
+- Clean, production-ready code
+- Following project conventions
+- With proper error handling
+- Type-safe and secure
+
+### Tests Suggested
+- Unit tests for business logic
+- Integration tests for APIs
+- Edge cases covered
+
+### Documentation Added
+- Function/class comments
+- Usage examples
+- API endpoint docs (if applicable)
+
+## Next Steps
+
+After `/code` completion:
+1. Review generated code
+2. Run `/test` to generate tests
+3. Run `/review` for quality check
+4. Run `/secure` for security scan
+5. Commit changes
+
+## Common Use Cases
+
+### New Features
+```
+/code "add pagination to the products API"
+/code "implement password reset functionality"
+/code "create admin dashboard with user management"
+```
+
+### Refactoring
+```
+/code "convert class components to functional components"
+/code "split this 500-line file into smaller modules"
+/code "replace REST with GraphQL for user API"
+```
+
+### Bug Fixes
+```
+/code "fix the race condition in payment processing"
+/code "resolve memory leak in WebSocket handler"
+```
+
+### Performance
+```
+/code "optimize this N+1 query problem"
+/code "add caching to frequently accessed data"
+/code "implement lazy loading for images"
+```
+
+## Remember
+
+**Code generation follows:**
+- Security-first approach
+- YAGNI, KISS, DRY principles
+- Production-grade quality
+- Comprehensive error handling
+- Type safety
+- Performance optimization
+- Best practices (2025)
+
+**Never generates:**
+- Hardcoded secrets
+- Unsafe SQL queries
+- Unvalidated user inputs
+- Missing error handling
+- Type-unsafe code