ai-sprint-kit 1.1.0

package/templates/.claude/skills/memory/references/learning-format.md

@@ -0,0 +1,74 @@
+# Learning Log Format
+
+## Entry Structure
+
+```markdown
+## [YYYY-MM-DD] - [Category]
+
+**Context**: Brief description of what happened
+**Mistake**: What went wrong or was suboptimal
+**Lesson**: What to do differently
+**Prevention**: How to avoid in future
+```
+
+## Categories
+
+| Category | Use For |
+|----------|---------|
+| Security | Auth bugs, exposed secrets, injection issues |
+| Performance | N+1 queries, slow algorithms, memory leaks |
+| Testing | Test gaps, flaky tests, coverage issues |
+| Architecture | Design decisions that didn't scale |
+| Process | Workflow improvements, communication |
+| Dependencies | Package issues, version conflicts |
+
+## Example Entries
+
+### Security
+```markdown
+## 2025-12-24 - Security
+
+**Context**: Implemented user registration
+**Mistake**: Initially stored plain text passwords
+**Lesson**: Always hash passwords with bcrypt (cost 12+)
+**Prevention**: Add security checklist to implementation workflow
+```
+
+### Performance
+```markdown
+## 2025-12-24 - Performance
+
+**Context**: Built posts API with author info
+**Mistake**: Used N+1 query pattern (1 post query + N author queries)
+**Lesson**: Use eager loading / JOIN for related data
+**Prevention**: Review queries for N+1 before completing
+```
+
+### Testing
+```markdown
+## 2025-12-24 - Testing
+
+**Context**: Deployed new payment feature
+**Mistake**: Didn't test edge case where amount = 0
+**Lesson**: Always test boundary conditions (0, negative, max)
+**Prevention**: Create edge case checklist for payments
+```
+
+## When to Add Entries
+
+Add to learning.md when:
+- A bug was introduced and fixed
+- A security issue was found
+- Tests failed unexpectedly
+- Performance degraded
+- A refactor was needed due to poor initial design
+- External dependencies caused issues
+- A code review caught something significant
+
+## Best Practices
+
+- Be specific about what went wrong
+- Include enough context to understand later
+- Focus on prevention, not blame
+- Keep entries concise (4 lines max)
+- Add immediately after incident (don't batch)

package/templates/.claude/skills/planning/SKILL.md

@@ -0,0 +1,72 @@
+---
+name: planning
+description: Architecture and implementation planning methodology. Activate when creating feature plans, system designs, or implementation roadmaps. Provides phase-based approach with research, analysis, design, and documentation workflows.
+license: MIT
+---
+
+# Planning Methodology
+
+Structured approach to technical planning with research, analysis, and documentation.
+
+## When to Use
+
+- Planning new feature implementations
+- Architecting system designs
+- Evaluating technical approaches
+- Creating implementation roadmaps
+- Breaking down complex requirements
+
+## Core Principles
+
+- **YAGNI** - Don't plan what you don't need
+- **KISS** - Simple plans are better plans
+- **DRY** - Reference existing patterns
+- **Security-First** - Security in every decision
+
+## Workflow
+
+### Phase 1: Context Gathering
+```
+1. Check ai_context/memory/learning.md (avoid past mistakes)
+2. Read ai_context/codebase/structure.md (project layout)
+3. Review existing patterns in codebase
+4. Research external solutions if needed
+```
+
+### Phase 2: Analysis
+Load: `references/research-phase.md`
+
+### Phase 3: Design
+Load: `references/solution-design.md`
+
+### Phase 4: Documentation
+Load: `references/plan-templates.md`
+
+## Output Structure
+
+Plans saved to: `ai_context/plans/{timestamp}-{name}/`
+
+```
+{timestamp}-{name}/
+├── plan.md           # Main plan document
+├── phase-01-*.md     # Phase breakdowns
+└── decisions.md      # Key decisions
+```
+
+## Quality Gates
+
+Before completing a plan:
+- [ ] Checked learning.md first
+- [ ] Security addressed in each phase
+- [ ] Success criteria defined
+- [ ] Risks identified with mitigations
+- [ ] Dependencies mapped
+- [ ] Unresolved questions listed
+
+## Date Handling
+
+Always use bash for timestamps:
+```bash
+date "+%y%m%d-%H%M"    # For folders: 251225-1430
+date "+%Y-%m-%d"       # For docs: 2025-12-25
+```

package/templates/.claude/skills/planning/references/plan-templates.md

@@ -0,0 +1,81 @@
+# Plan Templates
+
+## Main Plan (plan.md)
+
+```markdown
+# Plan: [Feature Name]
+
+**Created:** YYYY-MM-DD
+**Status:** Draft
+
+## Context
+[Problem statement, current state, why needed]
+
+## Decision
+[Chosen approach with brief rationale]
+
+## Phases Overview
+1. Phase 1: [Name] - [One-line goal]
+2. Phase 2: [Name] - [One-line goal]
+
+## Key Decisions
+| Decision | Options | Choice | Rationale |
+|----------|---------|--------|-----------|
+
+## Security Considerations
+- [ ] Requirement 1
+
+## Success Criteria
+- [ ] Criterion 1
+
+## Risks
+| Risk | Impact | Mitigation |
+|------|--------|------------|
+
+## Dependencies
+- [Dependency 1]
+
+## Unresolved Questions
+- [ ] Question 1
+```
+
+## Phase Document (phase-XX-*.md)
+
+```markdown
+# Phase N: [Name]
+
+## Objective
+[Clear, measurable goal]
+
+## Prerequisites
+- [Dependency from previous phases]
+
+## Implementation Steps
+1. Step 1: [Description]
+
+## Files to Create/Modify
+- `path/file.ts` - [Purpose]
+
+## Tests Required
+- [ ] Test case 1
+
+## Security Checklist
+- [ ] Input validation
+- [ ] No hardcoded secrets
+
+## Success Criteria
+- [ ] Criterion 1
+```
+
+## Naming Convention
+
+```
+ai_context/plans/
+└── YYMMDD-HHMM-feature-name/
+    ├── plan.md
+    ├── phase-01-setup.md
+    ├── phase-02-core.md
+    └── phase-03-testing.md
+```
+
+Get timestamp: `date "+%y%m%d-%H%M"`

package/templates/.claude/skills/planning/references/research-phase.md

@@ -0,0 +1,62 @@
+# Research Phase
+
+## Research Strategy
+
+### 1. Understand Requirements
+- What problem are we solving?
+- What are the constraints?
+- Who are the stakeholders?
+
+### 2. Analyze Existing Code
+- Read ai_context/codebase/overview.md
+- Identify relevant patterns
+- Note integration points
+
+### 3. Research External Solutions
+- Check official documentation
+- Review GitHub examples
+- Consider trade-offs
+
+## Research Sources (Priority Order)
+
+1. Existing codebase patterns
+2. ai_context/memory/decisions.md
+3. Official documentation (via context7 MCP)
+4. Web search (via exa or WebSearch)
+5. GitHub repositories
+
+## Research Output
+
+Document findings with:
+- Key findings (bullet points)
+- Trade-offs (table format)
+- Recommendations
+- Sources/links
+
+## Token Efficiency
+
+- Use context7 MCP for library docs (token-optimized)
+- Use exa MCP for web search (cleaner results)
+- Avoid fetching entire websites
+- Summarize findings concisely
+
+## Example Research Output
+
+```markdown
+## Research: Authentication Options
+
+### Key Findings
+- JWT stateless, good for scaling
+- Sessions simpler but need shared storage
+- OAuth delegates to providers
+
+### Trade-offs
+| Option | Pros | Cons |
+|--------|------|------|
+| JWT | Stateless, scalable | Token size, revocation |
+| Sessions | Simple, revocable | Shared storage needed |
+| OAuth | No password storage | Third-party dependency |
+
+### Recommendation
+JWT with refresh tokens - balances security and scalability.
+```

package/templates/.claude/skills/planning/references/solution-design.md

@@ -0,0 +1,66 @@
+# Solution Design
+
+## Design Process
+
+### 1. Define Architecture
+- High-level components
+- Data flow
+- Integration points
+
+### 2. Identify Decisions
+- Technology choices
+- Pattern selections
+- Trade-offs
+
+### 3. Plan Phases
+- Break into implementable chunks
+- Define dependencies
+- Set milestones
+
+## Architecture Documentation
+
+Use simple diagrams (ASCII or Mermaid):
+
+```
+┌─────────────┐     ┌─────────────┐
+│   Client    │────▶│   API       │
+└─────────────┘     └──────┬──────┘
+                          │
+                    ┌─────▼─────┐
+                    │   DB      │
+                    └───────────┘
+```
+
+## Decision Framework
+
+For each decision document:
+1. What are the options?
+2. What are the trade-offs?
+3. What constraints apply?
+4. What's the recommendation?
+
+## Phase Planning Guidelines
+
+Each phase should be:
+- Independently deployable
+- Testable in isolation
+- < 1 day of implementation
+- Have clear success criteria
+
+## Security by Design
+
+Every design must address:
+- Authentication requirements
+- Authorization model
+- Data protection
+- Input validation strategy
+- Error handling approach
+
+## Design Checklist
+
+- [ ] Components identified
+- [ ] Data flow documented
+- [ ] Decisions justified
+- [ ] Phases are small (<1 day each)
+- [ ] Security addressed
+- [ ] Dependencies mapped

package/templates/.claude/skills/quality-assurance/SKILL.md

@@ -0,0 +1,79 @@
+---
+name: quality-assurance
+description: Testing methodology and code review standards. Activate when generating tests, reviewing code quality, or performing security analysis. Combines testing and review for production-grade validation.
+license: MIT
+---
+
+# Quality Assurance
+
+Combined testing and review standards for production-grade code.
+
+## When to Use
+
+**Testing:**
+- Generating unit/integration/e2e tests
+- Analyzing test coverage
+- Creating security tests
+
+**Reviewing:**
+- Reviewing code quality
+- Security analysis
+- Performance review
+
+## Core Principles
+
+- **80% Minimum Coverage** - Non-negotiable
+- **Security-First** - Always test security
+- **Constructive** - Actionable feedback
+- **No Nitpicking** - Focus on meaningful issues
+
+## Before Starting
+
+```
+1. Read ai_context/memory/learning.md (past issues)
+2. Check existing test patterns in codebase
+3. Review related code coverage reports
+```
+
+## Testing Strategy
+
+Load: `references/testing-strategy.md`
+
+## Review Checklist
+
+Load: `references/review-checklist.md`
+
+## Security Checklist
+
+Load: `references/security-checklist.md`
+
+## Output Structure
+
+```
+ai_context/reports/
+├── YYMMDD-HHMM-test-{feature}.md
+├── YYMMDD-HHMM-review-{feature}.md
+└── YYMMDD-HHMM-security-{scope}.md
+```
+
+## Quality Gates
+
+**Testing:**
+- [ ] >80% overall coverage
+- [ ] Critical paths 100%
+- [ ] All tests pass
+- [ ] Security tests included
+
+**Reviewing:**
+- [ ] Security analysis complete
+- [ ] OWASP Top 10 checked
+- [ ] Actionable suggestions
+- [ ] Severity levels assigned
+
+## Push Back Protocol
+
+When feedback is unclear or incorrect:
+1. Ask for clarification
+2. Verify technically before implementing
+3. Push back with reasoning if wrong
+4. Never just agree to be agreeable

package/templates/.claude/skills/quality-assurance/references/review-checklist.md

@@ -0,0 +1,72 @@
+# Review Checklist
+
+## Severity Levels
+
+| Level | Meaning | Action |
+|-------|---------|--------|
+| 🔴 Critical | Security/data issue | Must fix immediately |
+| 🟠 High | Bug or performance | Fix before merge |
+| 🟡 Medium | Maintainability | Should fix |
+| 🟢 Low | Suggestion | Nice to have |
+
+## Review Categories
+
+### 1. Security (Critical Priority)
+- [ ] No hardcoded secrets
+- [ ] Input validation on all user inputs
+- [ ] Output encoding (XSS prevention)
+- [ ] Parameterized queries (SQL injection)
+- [ ] Proper auth/authz checks
+- [ ] OWASP Top 10 compliance
+
+### 2. Logic & Correctness
+- [ ] Code does what it's supposed to
+- [ ] Edge cases handled
+- [ ] Error handling comprehensive
+- [ ] Race conditions prevented
+
+### 3. Performance
+- [ ] No N+1 queries
+- [ ] Efficient algorithms
+- [ ] Appropriate data structures
+- [ ] Caching where applicable
+
+### 4. Maintainability
+- [ ] Functions < 50 lines
+- [ ] Single responsibility
+- [ ] Clear naming
+- [ ] Low coupling
+
+### 5. Testing
+- [ ] Tests exist and pass
+- [ ] Coverage > 80%
+- [ ] Security tests included
+
+## Code Smells to Flag
+
+- ❌ Long methods (>50 lines)
+- ❌ Long parameter lists (>4 params)
+- ❌ Duplicated code
+- ❌ Dead code
+- ❌ Magic numbers
+- ❌ Deep nesting (>3 levels)
+
+## Review Report Format
+
+```markdown
+## Summary
+**Assessment:** [Excellent/Good/Needs Work/Critical]
+**Recommendation:** [Ship/Fix Critical/Refactor]
+
+## Critical Issues
+[Must fix before merge]
+
+## High Priority
+[Should fix before merge]
+
+## Suggestions
+[Nice to have improvements]
+
+## Positive Observations
+[What's done well]
+```

package/templates/.claude/skills/quality-assurance/references/security-checklist.md

@@ -0,0 +1,70 @@
+# Security Checklist
+
+## Authentication
+- [ ] Proper auth on all protected endpoints
+- [ ] Session management secure
+- [ ] Password hashing (bcrypt, argon2)
+- [ ] Secure token storage (httpOnly cookies)
+- [ ] Token expiration and rotation
+
+## Authorization
+- [ ] Role-based access control
+- [ ] Resource ownership verified
+- [ ] No privilege escalation
+- [ ] Least privilege principle
+
+## Input Validation
+- [ ] All inputs validated
+- [ ] Type checking
+- [ ] Length limits
+- [ ] Format validation
+- [ ] Sanitization before use
+
+## Injection Prevention
+- [ ] SQL injection (parameterized queries)
+- [ ] XSS (output encoding)
+- [ ] Command injection (avoid shell)
+- [ ] Path traversal (validate paths)
+
+## Data Protection
+- [ ] No hardcoded secrets
+- [ ] Sensitive data encrypted
+- [ ] HTTPS enforced
+- [ ] Proper error messages (no leaks)
+- [ ] PII handled properly
+
+## OWASP Top 10
+
+1. **Broken Access Control** - Verify auth on every endpoint
+2. **Cryptographic Failures** - Use TLS 1.2+, strong algorithms
+3. **Injection** - Parameterize all queries
+4. **Insecure Design** - Threat model early
+5. **Security Misconfiguration** - Secure defaults
+6. **Vulnerable Components** - Keep dependencies updated
+7. **Authentication Failures** - Strong password policies
+8. **Data Integrity Failures** - Verify signatures
+9. **Logging Failures** - Log security events
+10. **SSRF** - Validate URLs, whitelist hosts
+
+## Quick Security Test Cases
+
+```typescript
+// SQL Injection
+test('prevents SQL injection', async () => {
+  const malicious = "'; DROP TABLE users; --";
+  await expect(search(malicious)).resolves.not.toThrow();
+});
+
+// XSS
+test('sanitizes output', async () => {
+  const xss = '<script>alert("xss")</script>';
+  const result = await saveComment(xss);
+  expect(result.text).not.toContain('<script>');
+});
+
+// Auth bypass
+test('rejects unauthenticated requests', async () => {
+  const response = await request(app).get('/api/private');
+  expect(response.status).toBe(401);
+});
+```

package/templates/.claude/skills/quality-assurance/references/testing-strategy.md

@@ -0,0 +1,85 @@
+# Testing Strategy
+
+## Test Pyramid
+
+```
+E2E Tests (10%)      ← High cost, slow, brittle
+    ↑
+Integration (20%)    ← Medium cost, moderate speed
+    ↑
+Unit Tests (70%)     ← Low cost, fast, reliable
+```
+
+## Coverage Requirements
+
+| Category | Minimum |
+|----------|---------|
+| Overall | 80% |
+| Critical paths (auth, payments) | 100% |
+| Business logic | 95% |
+| Utils/helpers | 90% |
+| UI components | 70% |
+
+## Unit Test Pattern
+
+```typescript
+describe('calculateTotal', () => {
+  it('sums items correctly', () => {
+    expect(calculateTotal([10, 20, 30])).toBe(60);
+  });
+
+  it('handles empty array', () => {
+    expect(calculateTotal([])).toBe(0);
+  });
+
+  it('throws on invalid input', () => {
+    expect(() => calculateTotal(null)).toThrow();
+  });
+});
+```
+
+## Integration Test Pattern
+
+```typescript
+describe('POST /api/users', () => {
+  it('creates user with valid data', async () => {
+    const response = await request(app)
+      .post('/api/users')
+      .send({ email: 'test@example.com', password: 'Secure123' });
+
+    expect(response.status).toBe(201);
+    expect(response.body).toHaveProperty('id');
+  });
+
+  it('rejects invalid email', async () => {
+    const response = await request(app)
+      .post('/api/users')
+      .send({ email: 'invalid', password: 'Secure123' });
+
+    expect(response.status).toBe(400);
+  });
+});
+```
+
+## Security Tests Required
+
+- [ ] Input validation
+- [ ] SQL injection prevention
+- [ ] XSS prevention
+- [ ] Authentication bypass
+- [ ] Authorization checks
+- [ ] Rate limiting
+
+## Test Quality
+
+**Good tests are:**
+- Fast (< 100ms for unit)
+- Isolated (no dependencies between tests)
+- Repeatable (same result every time)
+- Self-validating (clear pass/fail)
+
+**Avoid:**
+- Testing implementation details
+- Flaky tests
+- Tests without assertions
+- Manual setup requirements