ai-sprint-kit 1.1.0

package/templates/.claude/commands/test.md

@@ -0,0 +1,352 @@
+---
+description: Generate and run automated tests with coverage analysis
+argument-hint: [optional: specific file or feature to test]
+---
+
+## Command: /test
+
+Generate comprehensive test suites and run them with coverage analysis. Ensures >80% code coverage with focus on critical paths.
+
+## Usage
+
+```
+/test
+/test src/auth/
+/test "payment processing"
+```
+
+## Workflow
+
+### 1. Analyze Codebase
+- Identify untested code
+- Find critical paths (auth, payments, data mutations)
+- Check existing test patterns
+
+### 2. Generate Tests
+- **Unit tests** (70% of suite)
+- **Integration tests** (20%)
+- **E2E tests** (10%)
+
+### 3. Run Test Suite
+- Execute all tests
+- Generate coverage report
+- Identify gaps
+
+### 4. Security Tests
+- SQL injection prevention
+- XSS prevention
+- Auth bypass attempts
+- CSRF protection
+- Rate limiting
+
+## Test Generation
+
+### Unit Tests
+```typescript
+// Generated for: calculateDiscount function
+describe('calculateDiscount', () => {
+  it('calculates 10% discount correctly', () => {
+    expect(calculateDiscount(100, 10)).toBe(90);
+  });
+
+  it('handles zero discount', () => {
+    expect(calculateDiscount(100, 0)).toBe(100);
+  });
+
+  it('throws on invalid percentage', () => {
+    expect(() => calculateDiscount(100, 150)).toThrow();
+  });
+
+  it('handles decimal prices', () => {
+    expect(calculateDiscount(99.99, 20)).toBeCloseTo(79.99, 2);
+  });
+});
+```
+
+### Integration Tests
+```typescript
+// Generated for: POST /api/users endpoint
+describe('POST /api/users', () => {
+  it('creates user with valid data', async () => {
+    const response = await request(app)
+      .post('/api/users')
+      .send({
+        email: 'test@example.com',
+        password: 'SecurePass123!'
+      });
+
+    expect(response.status).toBe(201);
+    expect(response.body).toHaveProperty('id');
+    expect(response.body.email).toBe('test@example.com');
+  });
+
+  it('rejects invalid email', async () => {
+    const response = await request(app)
+      .post('/api/users')
+      .send({
+        email: 'invalid-email',
+        password: 'SecurePass123!'
+      });
+
+    expect(response.status).toBe(400);
+    expect(response.body.error).toContain('email');
+  });
+
+  it('requires strong password', async () => {
+    const response = await request(app)
+      .post('/api/users')
+      .send({
+        email: 'test@example.com',
+        password: '123'
+      });
+
+    expect(response.status).toBe(400);
+  });
+});
+```
+
+### Security Tests
+```typescript
+describe('Security: SQL Injection', () => {
+  it('prevents SQL injection in search', async () => {
+    const malicious = "'; DROP TABLE users; --";
+
+    const response = await request(app)
+      .get(`/api/search?q=${encodeURIComponent(malicious)}`);
+
+    expect(response.status).toBe(200);
+
+    // Verify database still intact
+    const users = await db.users.count();
+    expect(users).toBeGreaterThan(0);
+  });
+});
+
+describe('Security: XSS Prevention', () => {
+  it('sanitizes HTML input', async () => {
+    const xss = '<script>alert("xss")</script>';
+
+    const response = await request(app)
+      .post('/api/comments')
+      .send({ text: xss });
+
+    const comment = await db.comments.findUnique({
+      where: { id: response.body.id }
+    });
+
+    expect(comment.text).not.toContain('<script>');
+  });
+});
+
+describe('Security: Authentication', () => {
+  it('rejects unauthenticated requests', async () => {
+    const response = await request(app)
+      .get('/api/private-data');
+
+    expect(response.status).toBe(401);
+  });
+
+  it('rejects expired tokens', async () => {
+    const expiredToken = generateExpiredToken();
+
+    const response = await request(app)
+      .get('/api/private-data')
+      .set('Authorization', `Bearer ${expiredToken}`);
+
+    expect(response.status).toBe(401);
+  });
+});
+```
+
+### E2E Tests
+```typescript
+// Generated with Playwright
+test('complete checkout flow', async ({ page }) => {
+  // Login
+  await page.goto('/login');
+  await page.fill('[name="email"]', 'test@example.com');
+  await page.fill('[name="password"]', 'password');
+  await page.click('button[type="submit"]');
+
+  // Add to cart
+  await page.goto('/products');
+  await page.click('[data-testid="add-to-cart-1"]');
+
+  // Checkout
+  await page.goto('/checkout');
+  await page.fill('[name="cardNumber"]', '4242424242424242');
+  await page.fill('[name="expiry"]', '12/25');
+  await page.fill('[name="cvc"]', '123');
+  await page.click('button[type="submit"]');
+
+  // Verify success
+  await expect(page).toHaveURL('/order-confirmation');
+  await expect(page.locator('h1')).toContainText('Order Confirmed');
+});
+```
+
+## Running Tests
+
+### Commands
+```bash
+# Run all tests
+npm test
+
+# Run with coverage
+npm test -- --coverage
+
+# Run specific file
+npm test -- users.test.ts
+
+# Watch mode
+npm test -- --watch
+
+# Run E2E
+npm run test:e2e
+```
+
+## Coverage Report
+
+```
+## Test Coverage Report
+
+**Overall Coverage: 87.3%** ✅
+
+### By Category
+- Statements: 88.1%
+- Branches: 82.4%
+- Functions: 91.2%
+- Lines: 87.3%
+
+### Critical Paths (100% Required)
+✅ Authentication: 100%
+✅ Payment Processing: 100%
+✅ Data Mutations: 98.5%
+
+### Areas Needing Attention
+⚠️  utils/legacy.ts: 45% (below threshold)
+⚠️  api/webhooks.ts: 67% (below threshold)
+
+### Security Tests
+✅ SQL Injection: 15 tests passing
+✅ XSS Prevention: 12 tests passing
+✅ Auth Bypass: 8 tests passing
+✅ CSRF Protection: 6 tests passing
+
+### Test Execution
+- Total tests: 1,247
+- Passed: 1,245
+- Failed: 2
+- Duration: 12.3s
+
+### Failed Tests
+❌ api/users.test.ts:45 - should handle concurrent requests
+❌ e2e/checkout.test.ts:89 - should process payment
+
+### Recommendations
+1. Fix failing tests immediately
+2. Increase coverage in utils/legacy.ts
+3. Add integration tests for webhooks
+4. Consider performance benchmarks
+```
+
+## Success Criteria
+
+Tests are successful when:
+- ✅ Overall coverage ≥80%
+- ✅ Critical paths 100% covered
+- ✅ All tests pass
+- ✅ No flaky tests
+- ✅ Security tests included
+- ✅ Fast execution (<30s)
+
+## Integration with Other Commands
+
+**/code** → **/test**
+- After generating code, run /test to create test suite
+
+**/test** → **/review**
+- After tests pass, run /review for quality check
+
+**/test** → **/secure**
+- Security tests complement security scanning
+
+## Test Quality
+
+### Good Tests
+- ✅ Fast (<100ms for unit tests)
+- ✅ Isolated (no dependencies)
+- ✅ Repeatable (same result every time)
+- ✅ Clear (obvious what's being tested)
+- ✅ Focused (one thing per test)
+
+### Bad Tests
+- ❌ Slow (wait for timeouts)
+- ❌ Flaky (random failures)
+- ❌ Testing implementation details
+- ❌ Multiple assertions unrelated
+- ❌ No clear failure message
+
+## Common Test Patterns
+
+### API Testing
+```typescript
+describe('GET /api/products', () => {
+  it('returns paginated products', async () => {
+    const response = await request(app)
+      .get('/api/products?page=1&limit=10');
+
+    expect(response.status).toBe(200);
+    expect(response.body.products).toHaveLength(10);
+    expect(response.body).toHaveProperty('total');
+    expect(response.body).toHaveProperty('page');
+  });
+});
+```
+
+### Database Testing
+```typescript
+beforeEach(async () => {
+  await db.migrate.latest();
+  await db.seed.run();
+});
+
+afterEach(async () => {
+  await db.migrate.rollback();
+});
+
+test('creates user in database', async () => {
+  const user = await createUser({
+    email: 'test@example.com',
+    password: 'password'
+  });
+
+  const found = await db.users.findUnique({
+    where: { id: user.id }
+  });
+
+  expect(found.email).toBe('test@example.com');
+});
+```
+
+### Async Testing
+```typescript
+test('async operation succeeds', async () => {
+  const result = await fetchData();
+  expect(result).toBeDefined();
+});
+
+test('async operation fails', async () => {
+  await expect(fetchInvalidData()).rejects.toThrow('Not found');
+});
+```
+
+## Remember
+
+**Testing is mandatory:**
+- Production code requires tests
+- >80% coverage enforced
+- Security tests critical
+- Regression tests prevent bugs
+
+**Test early, test often.**

package/templates/.claude/commands/validate.md

@@ -0,0 +1,238 @@
+---
+description: Run comprehensive validation (tests + review + security + coverage)
+argument-hint: [optional: path or scope]
+---
+
+## Command: /validate
+
+Run all validation checks in one command: tests, code review, security scan, and coverage analysis.
+
+## Usage
+
+```
+/validate
+/validate src/
+/validate --strict
+```
+
+## Workflow
+
+### 0. Initialize Context
+```bash
+# Get real-world timestamp
+date "+%y%m%d-%H%M"
+```
+
+Check `ai_context/memory/learning.md` for known validation issues.
+
+### 1. Run Tests
+- Execute test suite
+- Check coverage >= 80%
+- Identify failing tests
+
+### 2. Code Quality Review
+- Run linter
+- Check type safety
+- Analyze complexity
+- Identify code smells
+
+### 3. Security Scan
+- SAST scanning
+- Secret detection
+- Dependency vulnerabilities
+- OWASP Top 10 compliance
+
+### 4. Generate Report
+Save to: `ai_context/reports/validate-{timestamp}.md`
+
+## Validation Checks
+
+### Testing (Tester Agent)
+- [ ] All tests pass
+- [ ] Coverage >= 80%
+- [ ] No flaky tests
+- [ ] Critical paths tested
+- [ ] Security tests included
+
+### Code Quality (Reviewer Agent)
+- [ ] No linting errors
+- [ ] Types complete
+- [ ] Functions < 50 lines
+- [ ] No code smells
+- [ ] Documentation present
+
+### Security (Security Agent)
+- [ ] No hardcoded secrets
+- [ ] Input validation present
+- [ ] SQL injection prevented
+- [ ] XSS prevented
+- [ ] Dependencies secure
+- [ ] OWASP Top 10 compliant
+
+## Report Format
+
+```markdown
+# Validation Report
+
+**Date:** {use bash: date "+%Y-%m-%d"}
+**Scope:** {files validated}
+**Status:** Pass / Fail
+
+## Summary
+
+| Category | Status | Issues |
+|----------|--------|--------|
+| Tests    | ✅/❌   | X      |
+| Coverage | ✅/❌   | X%     |
+| Quality  | ✅/❌   | X      |
+| Security | ✅/❌   | X      |
+
+## Test Results
+
+- Total: X tests
+- Passed: X
+- Failed: X
+- Coverage: X%
+
+## Code Quality
+
+### Issues Found
+- [severity] [file:line] - [description]
+
+### Recommendations
+- [specific improvements]
+
+## Security Scan
+
+### Vulnerabilities
+- [Critical] X issues
+- [High] X issues
+- [Medium] X issues
+- [Low] X issues
+
+### Secrets Detected
+- None / [file:line] - [type]
+
+### Dependency Vulnerabilities
+- [package] - [CVE] - [severity]
+
+## Quality Gates
+
+- [ ] Tests: All passing
+- [ ] Coverage: >= 80%
+- [ ] Quality: No critical issues
+- [ ] Security: No critical vulnerabilities
+- [ ] Secrets: None detected
+
+## Verdict
+
+**PASS** - Ready for deployment
+or
+**FAIL** - Issues must be fixed
+
+## Next Steps
+
+1. [Required actions]
+2. [Recommended improvements]
+```
+
+## Exit Codes
+
+- `0` - All validations pass
+- `1` - Test failures
+- `2` - Quality issues (critical)
+- `3` - Security vulnerabilities (critical)
+- `4` - Coverage below threshold
+
+## Options
+
+### --strict
+Fail on any warning-level issue:
+```
+/validate --strict
+```
+
+### --fix
+Auto-fix fixable issues:
+```
+/validate --fix
+```
+
+### --coverage N
+Set custom coverage threshold:
+```
+/validate --coverage 90
+```
+
+## Agent Delegation
+
+`/validate` orchestrates multiple agents:
+
+1. **Tester Agent** - Run tests, check coverage
+2. **Reviewer Agent** - Code quality analysis
+3. **Security Agent** - Security scanning
+
+Results are aggregated into single report.
+
+## Integration
+
+### Pre-Commit
+```bash
+# Run before each commit
+/validate || exit 1
+```
+
+### CI/CD Pipeline
+```yaml
+- name: Validate
+  run: |
+    /validate --strict
+    if [ $? -ne 0 ]; then
+      echo "Validation failed"
+      exit 1
+    fi
+```
+
+## Memory Integration
+
+Before validation:
+- Check `ai_context/memory/learning.md` for recurring issues
+
+After validation:
+- Update `ai_context/memory/learning.md` with new patterns
+- Save report to `ai_context/reports/validate-{timestamp}.md`
+
+## Common Issues
+
+### Low Coverage
+- Identify untested code
+- Generate missing tests with `/test`
+
+### Security Vulnerabilities
+- Fix immediately with `/code`
+- Re-run `/secure` to verify
+
+### Code Quality
+- Refactor with `/code`
+- Re-run `/review` to verify
+
+## Success Criteria
+
+Validation passes when:
+- ✅ All tests pass
+- ✅ Coverage >= 80%
+- ✅ No critical quality issues
+- ✅ No critical security vulnerabilities
+- ✅ No secrets detected
+- ✅ Dependencies secure
+
+## Remember
+
+**Validation is the last gate before deployment.**
+
+Run `/validate` before:
+- Committing code
+- Creating pull requests
+- Deploying to any environment
+
+A passing validation means code is production-ready.

package/templates/.claude/settings.json

@@ -0,0 +1,27 @@
+{
+  "version": "1.0.0",
+  "framework": "ai-sprint",
+  "statusLine": {
+    "type": "command",
+    "command": ".claude/statusline.sh",
+    "padding": 0
+  },
+  "security": {
+    "enableSAST": true,
+    "enableSecretDetection": true,
+    "enableDependencyCheck": true
+  },
+  "agents": {
+    "defaultModel": "sonnet",
+    "plannerModel": "opus"
+  },
+  "approvalGates": {
+    "deployment": true,
+    "infrastructureChanges": true,
+    "securityFixes": false
+  },
+  "testing": {
+    "minimumCoverage": 80,
+    "autoRunTests": true
+  }
+}

package/templates/.claude/skills/codebase-context/SKILL.md

@@ -0,0 +1,68 @@
+---
+name: codebase-context
+description: Efficient codebase understanding using scanned context. Activate when starting work on existing projects or after major code changes. Reads ai_context/codebase/ documents for project structure and compressed code overview.
+license: MIT
+---
+
+# Codebase Context
+
+Understand existing codebases efficiently using ai_context/codebase/ documents.
+
+## When to Use
+
+**Starting work on existing project:**
+1. Check if `ai_context/codebase/` exists
+2. Read structure.md for project layout
+3. Read overview.md for compressed codebase
+
+**After major changes:**
+- Run `/scan` to refresh context
+
+## Context Files
+
+Located in `ai_context/codebase/`:
+
+| File | Purpose | When to Read |
+|------|---------|--------------|
+| `structure.md` | Directory tree | First - understand layout |
+| `overview.md` | Compressed code | Second - understand patterns |
+| `repomix-output.xml` | Token-efficient format | For detailed AI queries |
+| `scan-metadata.json` | Scan statistics | Check freshness |
+
+## Reading Strategy
+
+Load: `references/reading-context.md`
+
+## Refresh Triggers
+
+Load: `references/refresh-triggers.md`
+
+## Quick Start
+
+```bash
+# Check if context exists
+ls ai_context/codebase/
+
+# Read structure first (fast overview)
+cat ai_context/codebase/structure.md
+
+# Then read overview (comprehensive)
+cat ai_context/codebase/overview.md
+```
+
+## Token Efficiency
+
+| Task | Best Source |
+|------|-------------|
+| Project structure | structure.md |
+| How feature works | overview.md |
+| Find all API routes | repomix-output.xml |
+| Check specific file | Read file directly |
+
+## Integration
+
+Before planning or implementing:
+1. Check if codebase context exists
+2. Read structure for project layout
+3. Reference patterns from overview
+4. Refresh with `/scan` if stale (>1 day)