ai-squad 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/README.md +131 -0
  2. package/dist/index.d.ts +2 -0
  3. package/dist/index.js +1013 -0
  4. package/package.json +49 -0
  5. package/sections/opencode/agents/identity/adversarial-reviewer.md +98 -0
  6. package/sections/opencode/agents/identity/architect.md +122 -0
  7. package/sections/opencode/agents/identity/docs-writer.md +53 -0
  8. package/sections/opencode/agents/identity/fullstack-dev.md +79 -0
  9. package/sections/opencode/agents/identity/memory-keeper.md +192 -0
  10. package/sections/opencode/agents/identity/po.md +102 -0
  11. package/sections/opencode/agents/identity/qa.md +90 -0
  12. package/sections/opencode/agents/identity/reviewer.md +84 -0
  13. package/sections/opencode/agents/identity/teamlead.md +101 -0
  14. package/sections/opencode/agents/identity/ux-ui.md +87 -0
  15. package/sections/opencode/agents/standards/generic.md +36 -0
  16. package/sections/opencode/agents/standards/nextjs.md +29 -0
  17. package/sections/opencode/agents/standards/python.md +217 -0
  18. package/sections/opencode/agents/standards/react.md +130 -0
  19. package/sections/opencode/agents/standards/typescript.md +30 -0
  20. package/sections/opencode/agents/workflow/context.md +24 -0
  21. package/sections/opencode/agents/workflow/memory.md +32 -0
  22. package/sections/opencode/agents/workflow/sessions.md +38 -0
  23. package/sections/opencode/agents/workflow/tasks.md +40 -0
  24. package/sections/opencode/config/agents.md +11 -0
  25. package/sections/opencode/context/nextjs/architecture.md +13 -0
  26. package/sections/opencode/context/nextjs/conventions.md +20 -0
  27. package/sections/opencode/context/nextjs/stack.md +14 -0
  28. package/sections/opencode/context/python/architecture.md +13 -0
  29. package/sections/opencode/context/python/conventions.md +19 -0
  30. package/sections/opencode/context/python/stack.md +14 -0
  31. package/sections/opencode/workflow/context.md +14 -0
  32. package/sections/opencode/workflow/memory.md +12 -0
  33. package/sections/opencode/workflow/sessions.md +20 -0
  34. package/sections/opencode/workflow/state.md +20 -0
  35. package/sections/opencode/workflow/tasks.md +13 -0
  36. package/sections/shared/frontmatter/adversarial-reviewer.yaml +7 -0
  37. package/sections/shared/frontmatter/architect.yaml +7 -0
  38. package/sections/shared/frontmatter/docs-writer.yaml +7 -0
  39. package/sections/shared/frontmatter/fullstack-dev.yaml +7 -0
  40. package/sections/shared/frontmatter/memory-keeper.yaml +7 -0
  41. package/sections/shared/frontmatter/po.yaml +7 -0
  42. package/sections/shared/frontmatter/qa.yaml +7 -0
  43. package/sections/shared/frontmatter/reviewer.yaml +7 -0
  44. package/sections/shared/frontmatter/teamlead.yaml +8 -0
  45. package/sections/shared/frontmatter/ux-ui.yaml +7 -0
  46. package/sections/shared/memory/conventions.md +10 -0
  47. package/sections/shared/memory/decisions.md +13 -0
  48. package/sections/shared/memory/patterns.md +12 -0
  49. package/sections/shared/task-template.md +44 -0
@@ -0,0 +1,217 @@
1
+ # Python Standards
2
+
3
+ When working on `${PROJECT_NAME}` with Python, follow these conventions unless project context overrides.
4
+
5
+ ## Language Features
6
+
7
+ **DO:**
8
+ - Target Python ≥ 3.12 for all new projects — 3.13 is the stability baseline, 3.14 for performance/concurrency
9
+ - Use `X | Y` union syntax (never `Union[X, Y]` or `Optional[X]`)
10
+ - Use `match`/`case` structural pattern matching for complex branching on data shapes
11
+ - Use deferred annotations — no `from __future__ import annotations` in 3.14+
12
+ - Use `except*` for ExceptionGroups when concurrent code can raise multiple errors
13
+
14
+ **DON'T:**
15
+ - Don't use `Optional[X]` — use `X | None`
16
+ - Don't use `from __future__ import annotations` — it's superseded in 3.14+
17
+ - Don't rely on GIL-based thread safety in free-threaded Python 3.14+
18
+
19
+ ## Type Hints
20
+
21
+ **DO:**
22
+ - Use `Protocol` for structural subtyping — duck typing with static checking
23
+ - Use `TypeIs` (3.13+) over `TypeGuard` — narrows in both branches
24
+ - Use `@override` decorator (3.12+) on methods that override parent methods
25
+ - Use `Literal["GET", "POST"]` for constrained string/int values
26
+ - Use `Final` for constants and non-overridable methods
27
+ - Use Pydantic `BaseModel` at system boundaries — API inputs, config files, DB records. Runtime validation, serialization, JSON schema
28
+ - Use `dataclass(frozen=True)` for internal immutable data containers — zero runtime overhead
29
+ - Use `TypedDict` for dict-shaped data — type-check dict keys at zero runtime cost
30
+ - Run `mypy --strict` in CI — catches `Any` leakage, untyped defs, incomplete types
31
+ - Consider running both mypy and pyright — they catch different error classes
32
+
33
+ **DON'T:**
34
+ - Don't use `Any` — it disables type checking. Use `object`, `Protocol`, or a `Union` instead
35
+ - Don't use raw `dict` for structured data — use `TypedDict`, `dataclass`, or Pydantic
36
+ - Don't use `dataclass` for external data validation — it does NOT validate at runtime
37
+ - Don't annotate `self` or `cls` in method signatures
38
+ - Don't use `# type: ignore` without a specific error code — use `# type: ignore[attr-defined]`
39
+
40
+ ## Tooling
41
+
42
+ **DO:**
43
+ - Use `uv` for package management — `uv init`, `uv add`, `uv lock`, `uv sync --frozen` in CI
44
+ - Use Ruff for linting and formatting — `ruff check . --fix && ruff format .`
45
+ - Configure everything in `pyproject.toml` — Ruff, mypy, pytest, coverage, build settings
46
+ - Use pre-commit hooks — Ruff + mypy, catch issues in seconds not CI minutes
47
+ - In CI: `uv sync --frozen && ruff check . && mypy --strict src/ && pytest -n auto --cov`
48
+
49
+ **DON'T:**
50
+ - Don't install tools globally — use `uv add --dev` and `uv run <tool>`
51
+ - Don't keep `setup.py`, `setup.cfg`, `.flake8`, `mypy.ini`, `pytest.ini` — migrate to `pyproject.toml`
52
+ - Don't use pip directly in new projects — `uv add` is the standard
53
+ - Don't split configuration across multiple files
54
+
55
+ ## Project Structure
56
+
57
+ **DO:**
58
+ - Use the src layout — `src/my_package/` with sibling `tests/`, prevents accidental imports
59
+ - Put all metadata in `pyproject.toml` — `[project]`, `[build-system]`, `[tool.*]`
60
+ - Use `requires-python = ">=3.12"` in pyproject.toml
61
+ - Separate integration tests from unit tests — `tests/integration/` with its own `conftest.py`
62
+ - Keep `__init__.py` minimal — import key symbols, avoid heavy computation at import time
63
+
64
+ **DON'T:**
65
+ - Don't put test code in the package directory — shipped wheels should not include tests
66
+ - Don't use `setup.py` — it's deprecated for configuration
67
+ - Don't do heavy work at module import time — lazy-load expensive resources
68
+ - Don't use `from module import *` — pollutes namespace, breaks static analysis
69
+
70
+ ## Code Style
71
+
72
+ **DO:**
73
+ - Follow PEP 8 — 4-space indentation, 100-char lines, snake_case for functions/variables, PascalCase for classes, UPPER_CASE for constants
74
+ - Use imperative verbs for functions (`get_user`, `calculate_total`, `validate_email`), noun phrases for classes (`UserProfile`, `EmailValidator`)
75
+ - Use `is_` / `has_` prefixes for boolean functions/properties
76
+ - Use single leading underscore `_internal` for internal/private module members
77
+ - Extract named constants for magic values — `TIMEOUT_SECONDS = 15`, not inline `15`
78
+
79
+ **DON'T:**
80
+ - Don't use single-letter variables except in comprehensions/loops (`i`, `k`, `v` only for trivial scopes)
81
+ - Don't shadow builtins — never name variables `list`, `dict`, `id`, `type`, `str`, `input`
82
+ - Don't use mixedCase — Python uses snake_case
83
+ - Don't name modules with hyphens — use underscores (`my_package`, not `my-package`)
84
+ - Don't use magic numbers — extract named constants
85
+
86
+ ## Data Structures
87
+
88
+ | Use Case | Tool | Reason |
89
+ |---|---|---|
90
+ | API/DB models, untrusted input | **Pydantic BaseModel** | Runtime validation + serialization |
91
+ | Internal data containers | **dataclass(frozen=True)** | Zero overhead, immutability |
92
+ | Dict-shaped data (JSON configs) | **TypedDict** | Type-check keys at zero cost |
93
+ | Priority queues | **heapq** | O(log n) push/pop |
94
+ | FIFO/LIFO queues | **deque** | O(1) both ends |
95
+ | Membership testing | **set** | O(1) vs O(n) for list |
96
+
97
+ **DON'T:**
98
+ - Don't use `list` as a queue — `list.pop(0)` is O(n), use `deque`
99
+ - Don't use `list` for membership testing in hot loops — use `set`
100
+ - Don't use raw `dict` for structured data with known keys
101
+ - Don't use `NamedTuple` for large or mutable records — use `dataclass`
102
+
103
+ ## Error Handling
104
+
105
+ **DO:**
106
+ - Catch specific exceptions — `except ValueError`, never `except Exception` or bare `except:`
107
+ - Create a custom exception hierarchy — one base exception per library/app
108
+ - Chain exceptions with `raise ... from ...` — preserve the original cause
109
+ - Use context managers for resource management — `with open(...) as f:`, `with transaction():`
110
+ - Use `try`/`else` for code that runs only on success
111
+ - Use `finally` for cleanup that MUST run
112
+ - Log exceptions with `logger.exception()` — automatically includes traceback
113
+ - Use assertions for programming errors (bugs), exceptions for runtime errors
114
+
115
+ **DON'T:**
116
+ - Don't catch and silently ignore — `except Exception: pass` is a bug. If you must suppress, log it
117
+ - Don't use bare `except:` — catches `KeyboardInterrupt` and `SystemExit`
118
+ - Don't use exceptions for control flow — exceptions are for exceptional cases
119
+ - Don't raise `Exception` directly — raise a specific type or custom exception
120
+ - Don't lose the traceback — use `raise` (re-raise) or `raise NewError(...) from original`
121
+ - Don't use `assert` for input validation — assertions disappear with `python -O`
122
+
123
+ ## Testing
124
+
125
+ **DO:**
126
+ - Use pytest — configure in `pyproject.toml` under `[tool.pytest.ini_options]`
127
+ - Centralize shared fixtures in `conftest.py` — auto-available to tests in that directory and below
128
+ - Choose fixture scopes: `function` for mutable/cheap, `session` for expensive/read-only resources
129
+ - Use `@pytest.mark.parametrize` with `ids` for readable multi-input tests
130
+ - Follow Arrange-Act-Assert — structure every test into these three clear phases
131
+ - One logical assertion per test — `test_apply_discount` tests discount, not inventory + email
132
+ - In CI: `pytest -n auto --cov=src/ --cov-report=xml --cov-fail-under=85 --strict-markers -ra`
133
+ - Install: `pytest-cov`, `pytest-xdist`, `pytest-mock`, `pytest-randomly`, `pytest-asyncio`
134
+
135
+ **DON'T:**
136
+ - Don't use `for` loops inside a single test — use `@parametrize`, loops hide which input failed
137
+ - Don't let tests depend on execution order — each test must set up everything through fixtures
138
+ - Don't skip `--strict-markers` — a typo'd marker becomes a silent no-op without it
139
+ - Don't mock what you don't own — mock your own adapters, not the external library directly
140
+ - Don't test implementation details — test behavior, not internal method calls
141
+
142
+ ## Performance & Async
143
+
144
+ **DO:**
145
+ - Use `async`/`await` for I/O-bound work — network calls, file I/O, database queries. Not CPU-bound
146
+ - Prefer AnyIO over raw asyncio — fixes cancellation bugs, provides structured concurrency
147
+ - Use structured concurrency — `async with anyio.create_task_group() as tg:`
148
+ - Use `anyio.to_thread.run_sync()` for CPU-bound work in async contexts
149
+ - Use generators for large datasets — `yield` items one at a time instead of building lists in memory
150
+ - Profile before optimizing — use `cProfile` or `py-spy` to find actual bottlenecks
151
+
152
+ **DON'T:**
153
+ - Don't call blocking I/O inside `async def` — use async equivalents or `run_sync`
154
+ - Don't create tasks without tracking them — unhandled task exceptions silently vanish in asyncio
155
+ - Don't use `time.sleep()` in async code — use `await anyio.sleep()`
156
+ - Don't use `asyncio.shield()` — it's a footgun, use AnyIO cancel scopes instead
157
+ - Don't eagerly load large datasets into memory — use generators or lazy evaluation
158
+
159
+ ## Security
160
+
161
+ **DO:**
162
+ - Never use `eval()`, `exec()`, or `compile()` on untrusted input
163
+ - Use `secrets` module for cryptographic randomness — `secrets.token_hex()`, not `random.random()`
164
+ - Validate and sanitize all user input at boundaries — use Pydantic models for API inputs
165
+ - Use parameterized queries for SQL — never string interpolation. SQLAlchemy/psycopg handle this
166
+ - Check dependencies for vulnerabilities — run `uv pip check` or `pip-audit` regularly
167
+ - Use `secrets.compare_digest()` for comparing tokens — constant-time comparison
168
+ - Use `.env` files for local secrets — and `.gitignore` them. Use a secrets manager in production
169
+ - Never log secrets, tokens, or passwords — redact sensitive fields from logs
170
+
171
+ **DON'T:**
172
+ - Don't use `pickle` on untrusted data — arbitrary code execution. Use JSON, msgpack, or protobuf
173
+ - Don't use `subprocess` with `shell=True` — shell injection risk. Pass args as a list, `shell=False`
174
+ - Don't hardcode secrets in source code — use environment variables or a secrets manager
175
+ - Don't use `yaml.load()` without `SafeLoader` — `yaml.load()` can execute arbitrary code, use `yaml.safe_load()`
176
+ - Don't construct SQL queries with string formatting — `f"SELECT * FROM users WHERE id = {user_id}"`
177
+ - Don't skip TLS verification — `verify=False` in requests is a security hole
178
+ - Don't expose stack traces to users — catch and handle exceptions at the API boundary
179
+
180
+ ## Anti-Patterns
181
+
182
+ **DO:**
183
+ - Use `pathlib.Path` instead of `os.path` — cleaner, cross-platform, object-oriented
184
+ - Use f-strings instead of `.format()` or `%` formatting
185
+ - Use `is` for `None`/`True`/`False` comparison — `x is None`, not `x == None`
186
+ - Use `isinstance()` instead of `type()` for type checks — respects inheritance
187
+ - Use `enumerate()` instead of `range(len(...))`
188
+ - Use `zip()` for parallel iteration — not index-based loops
189
+ - Default to immutability — `dataclass(frozen=True)`, `frozenset`
190
+
191
+ **DON'T:**
192
+ - Don't use mutable default arguments — `def f(lst=[])` is a classic trap, use `def f(lst=None): lst = lst or []`
193
+ - Don't catch and swallow exceptions silently — `except: pass` is a bug
194
+ - Don't use `from module import *` — pollutes namespace, hides origins
195
+ - Don't use `global` — pass state explicitly or restructure
196
+ - Don't use `if len(x) > 0` — just `if x:` (truthiness check)
197
+ - Don't compare `None` with `==` — use `is None` / `is not None`
198
+ - Don't put multiple statements on one line with `;` — one statement per line
199
+ - Don't use list comprehensions with side effects — they're for building lists, not `[print(x) for x in items]`
200
+ - Don't use `pip install` globally — always in a virtual environment managed by uv
201
+
202
+ ## Dependencies
203
+
204
+ **DO:**
205
+ - Use uv: `uv init`, `uv add`, `uv lock`, `uv sync --frozen` in CI
206
+ - Commit your lock file — `uv.lock` (or `poetry.lock`) to version control for deterministic builds
207
+ - List only direct dependencies — let the resolver figure out transitive deps
208
+ - Separate dev from production dependencies — `uv add --dev pytest ruff mypy pre-commit`
209
+ - Pin Python version — `requires-python = ">=3.12"` in pyproject.toml
210
+ - Update dependencies intentionally — `uv lock --upgrade` as a deliberate step with testing
211
+
212
+ **DON'T:**
213
+ - Don't use `requirements.txt` as source of truth in new projects — use `pyproject.toml [project.dependencies]`
214
+ - Don't pin transitive dependencies in your input file — only list packages you import
215
+ - Don't keep unbounded dependency ranges — prefer `"django>=4.2,<6.0"` over unbounded `"django"`
216
+ - Don't ignore `uv pip check` warnings — broken dependency constraints cause runtime failures
217
+ - Don't skip dependency updates for months — stale deps accumulate CVEs
@@ -0,0 +1,130 @@
1
+ # React Standards
2
+
3
+ When working on `${PROJECT_NAME}` with React, follow these conventions unless project context overrides.
4
+
5
+ ## Server Components (React 19+)
6
+
7
+ **DO:**
8
+ - Default to Server Components — only add `"use client"` when you need interactivity, state, effects, or browser APIs
9
+ - Use `async/await` directly in Server Components for data fetching — no `useEffect`, no `useState` for loading state
10
+ - Wrap async Server Components in `<Suspense>` boundaries with meaningful fallbacks
11
+ - Keep sensitive logic server-only: database access, API keys, private env vars, filesystem reads
12
+ - Fetch data in parallel at the component level — Server Components don't waterfall
13
+
14
+ **DON'T:**
15
+ - Do NOT use `useState`, `useEffect`, or browser APIs in Server Components
16
+ - Do NOT import a Server Component into a Client Component — pass data as children or props instead
17
+ - Do NOT use browser-locked libraries (`window`, `document`) in Server Components — wrap in a Client Component
18
+
19
+ ## Hooks
20
+
21
+ **DO:**
22
+ - Rely on the React Compiler for automatic memoization — write clean code, let the compiler optimize
23
+ - Use `useCallback` only when: (1) child is wrapped in `React.memo`, (2) every prop is memoized, (3) the function reference change causes measurable re-renders
24
+ - Use the updater function pattern to avoid stale closures: `setCount(prev => prev + 1)`
25
+ - Use `useRef` for values that should not trigger re-renders
26
+ - Clean up every subscription, timer, and event listener in `useEffect` return
27
+
28
+ **DON'T:**
29
+ - Do NOT wrap every function in `useCallback` "just in case" — 90% can be removed without regression
30
+ - Do NOT compute derived state with `useEffect` + `useState` — compute it during render
31
+ - Do NOT use `useEffect` for data fetching in Server Components — `async/await` is the pattern
32
+ - Do NOT forget dependency arrays — stale closures cause subtle bugs
33
+ - Do NOT use `index` as `key` when items can be reordered, added, or removed — use stable unique IDs
34
+
35
+ ## State Management
36
+
37
+ **DO:**
38
+ - Use `useState` for component-local UI state
39
+ - Use `useReducer` for complex local state with interdependent transitions
40
+ - Use Zustand for shared global state — selector-based subscriptions, ~1KB, no providers
41
+ - Use TanStack Query (React Query) for server state — caching, background refetching, eliminates boilerplate
42
+ - Use Context API for rarely-changing global values (theme, locale, auth status) — split by update frequency
43
+ - Keep state as close to where it's used as possible — lift up only when multiple components need it
44
+
45
+ **DON'T:**
46
+ - Do NOT use Context API for high-frequency updates — all consumers re-render on every change
47
+ - Do NOT duplicate server state in client state — TanStack Query is the source of truth for API data
48
+ - Do NOT choose Redux by default for new projects — Zustand covers 90% of use cases with less boilerplate
49
+ - Do NOT store derived values in state — compute them during render
50
+
51
+ ## Components
52
+
53
+ **DO:**
54
+ - Follow Single Responsibility — each component should have one reason to change
55
+ - Use Compound Components for related components that share implicit state via Context
56
+ - Extract business logic and data transforms into pure utility functions outside components
57
+ - Extract reusable stateful logic into custom hooks
58
+ - Use Error Boundaries wrapping major sections to prevent cascading crashes
59
+ - Organize by feature, not by type: `features/auth/LoginForm.tsx` over `components/LoginForm.tsx`
60
+
61
+ **DON'T:**
62
+ - Do NOT put business logic in view components — components should orchestrate, hooks should compute
63
+ - Do NOT deeply nest components without extracting — deep nesting hurts readability and testing
64
+ - Do NOT use `index.ts` barrel exports excessively — they can cause circular dependencies
65
+ - Do NOT create unnecessary wrapper `<div>`s — use fragments (`<>...</>`)
66
+ - Do NOT forget to handle loading, empty, and error states in every data-dependent component
67
+
68
+ ## TypeScript
69
+
70
+ **DO:**
71
+ - Use generic components for reusable UI patterns: `function List<T>({ items }: { items: T[] })`
72
+ - Use `ComponentPropsWithoutRef<'button'>` to extend native HTML element props
73
+ - Use explicit event types: `React.ChangeEvent<HTMLInputElement>`, `React.MouseEvent<HTMLButtonElement>`
74
+ - Export props interfaces alongside components: `export interface ButtonProps { ... }`
75
+ - Enable `strict: true` in `tsconfig.json`
76
+
77
+ **DON'T:**
78
+ - Do NOT use `React.FC` as default typing — it implicitly adds `children`, prefer explicit prop types
79
+ - Do NOT use `any` — use `unknown` and narrow types properly
80
+ - Do NOT duplicate component types for different data shapes — use one generic component
81
+ - Do NOT cast DOM events unnecessarily — use the proper handler types
82
+
83
+ ## Performance
84
+
85
+ **DO:**
86
+ - Enable the React Compiler — highest-impact, lowest-effort optimization (30-60% re-render reduction)
87
+ - Route-based code splitting with `lazy` + `Suspense` — highest impact per effort
88
+ - Virtualize large lists (50+ items) with `react-window` or `@tanstack/react-virtual`
89
+ - Split contexts by update frequency — never bundle unrelated state in one context
90
+ - Use `useDeferredValue` and `useTransition` for non-urgent updates
91
+ - Optimize images: WebP/AVIF, responsive sizes, lazy loading, explicit dimensions
92
+
93
+ **DON'T:**
94
+ - Do NOT wrap everything in `React.memo` — only memoize components that re-render frequently with identical props
95
+ - Do NOT use expensive CSS properties in animations — prefer `transform` and `opacity` (GPU-composited)
96
+ - Do NOT ship Moment.js (300KB) — use `date-fns` or native `Intl.DateTimeFormat`
97
+ - Do NOT skip memory leak prevention — always clean up timers, intervals, and listeners
98
+
99
+ ## Accessibility
100
+
101
+ **DO:**
102
+ - Use semantic HTML first: `<button>`, `<nav>`, `<main>`, `<form>` — they have built-in keyboard, role, and state support
103
+ - Follow the First Rule of ARIA: if a native element does what you need, use it — don't add ARIA to semantic elements
104
+ - Provide visible focus indicators — never remove `outline` without a custom replacement
105
+ - Use `aria-label` or `aria-labelledby` for interactive elements without visible text labels
106
+ - Use live regions for dynamic content: `<div aria-live="polite">`
107
+ - Test with keyboard-only navigation
108
+
109
+ **DON'T:**
110
+ - Do NOT use `div` or `span` for interactive controls — use `<button>`, `<input>`, `<select>`
111
+ - Do NOT use ARIA when HTML semantics suffice — "No ARIA is better than bad ARIA"
112
+ - Do NOT use color alone to convey information — supplement with icons, text, or patterns
113
+ - Do NOT skip `alt` text on images — `alt=""` for decorative, descriptive text for informational
114
+ - Do NOT trap focus without an escape mechanism (Escape key to close modals)
115
+
116
+ ## Security
117
+
118
+ **DO:**
119
+ - Let JSX auto-escape dynamic content — curly braces `{}` are safe against XSS by default
120
+ - Sanitize HTML with DOMPurify before using `dangerouslySetInnerHTML`
121
+ - Validate URLs before rendering in `<a href>`: only allow `http:` and `https:` protocols
122
+ - Store tokens in HTTP-only cookies, not localStorage
123
+ - Implement Content Security Policy (CSP) headers to restrict script sources
124
+
125
+ **DON'T:**
126
+ - Do NOT use `dangerouslySetInnerHTML` on raw user input without DOMPurify sanitization
127
+ - Do NOT use direct DOM manipulation to inject content — `ref.current.innerHTML = userContent`
128
+ - Do NOT expose API keys, secrets, or sensitive config in client-side code — everything in bundles is public
129
+ - Do NOT use `eval()` or `new Function()` with user-supplied input
130
+ - Do NOT ship source maps in production
@@ -0,0 +1,30 @@
1
+ # TypeScript Standards
2
+
3
+ When working on `${PROJECT_NAME}`, follow these TypeScript conventions unless `${PROJECT_NAME}`'s context docs say otherwise.
4
+
5
+ ## Configuration
6
+
7
+ - Enable `strict: true` in `tsconfig.json` — no exceptions
8
+ - Use `noUncheckedIndexedAccess` to catch undefined access
9
+ - Prefer `es2022` or later as the compile target
10
+
11
+ ## Types
12
+
13
+ - Prefer `interface` over `type` for object shapes — interfaces are extensible and produce better error messages
14
+ - Use `type` for unions, intersections, and mapped types
15
+ - Explicit return types on all exported functions — it catches accidental contract changes
16
+ - Never use `any` without a comment explaining why it's unavoidable
17
+ - Use `unknown` instead of `any` when the type is genuinely unknown
18
+ - Use `const` assertions (`as const`) for literal types and tuple inference
19
+
20
+ ## Style
21
+
22
+ - Prefer `as` casting over angle-bracket syntax — it's unambiguous with JSX
23
+ - Use optional chaining (`?.`) and nullish coalescing (`??`) over verbose null checks
24
+ - Prefer `readonly` arrays and properties where mutation isn't needed
25
+ - Use template literal types for string patterns when applicable
26
+
27
+ ## Exports
28
+
29
+ - Named exports only — no default exports (they break IDE auto-imports and refactoring)
30
+ - Export prop interfaces alongside their components
@@ -0,0 +1,24 @@
1
+ # Context Documentation
2
+
3
+ ${AGENT_NAME}, always ground yourself in `${PROJECT_NAME}`'s documented context before writing code.
4
+
5
+ ## Required Reading
6
+
7
+ Before implementing anything, read these files in order:
8
+
9
+ 1. **`.agent/context/project/stack.md`** — The tech stack. Languages, frameworks, databases, third-party services. This is the source of truth for what the project uses. Don't guess.
10
+
11
+ 2. **`.agent/context/project/conventions.md`** — Project-specific conventions. File naming, directory structure, import ordering, formatting rules. Follow these exactly.
12
+
13
+ 3. **`.agent/context/project/architecture.md`** — High-level architecture. Component tree, data flow, API surface, deployment topology. Understand the system before changing it.
14
+
15
+ ## How to Use Context
16
+
17
+ - Treat these files as ground truth — they override your default assumptions
18
+ - If context and a standards section conflict, context wins (it's project-specific)
19
+ - When you notice something missing from these docs, flag it to the user; don't silently diverge
20
+ - If conventions say "use kebab-case for files," use kebab-case — don't improvise with camelCase because you prefer it
21
+
22
+ ## Cross-Referencing
23
+
24
+ When context refers to patterns (e.g. "error handling follows the Result pattern"), check `.agent/memory/decisions.md` for the rationale behind those patterns.
@@ -0,0 +1,32 @@
1
+ # Memory Management
2
+
3
+ ${AGENT_NAME}, consult project memory before making decisions in `${PROJECT_NAME}`.
4
+
5
+ ## Before You Start
6
+
7
+ Read these files before beginning any work:
8
+
9
+ 1. **`.agent/memory/decisions.md`** — Architectural decisions and their rationale. Every non-trivial choice made in the project should be recorded here with date, context, and reasoning.
10
+
11
+ 2. **`.agent/memory/conventions.md`** — Discovered conventions that aren't in the formal standards docs. These are patterns the team has settled on through practice (naming choices, file organization, error handling style).
12
+
13
+ ## When Making Decisions
14
+
15
+ - Check `.agent/memory/decisions.md` first — has this already been decided?
16
+ - Reference the relevant past decision by its date/ID when making a new one
17
+ - If your decision reverses or modifies a past decision, explain why
18
+
19
+ ## Recording New Decisions
20
+
21
+ After making a significant architectural choice, append to `.agent/memory/decisions.md`:
22
+
23
+ ```markdown
24
+ ## YYYY-MM-DD: Decision Title
25
+
26
+ **Context:** What situation led to this decision
27
+ **Decision:** What was chosen
28
+ **Alternatives considered:** What else was evaluated and why it wasn't picked
29
+ **Consequences:** What this enables and what it constrains
30
+ ```
31
+
32
+ Keep entries factual. Don't record trivial choices like variable names.
@@ -0,0 +1,38 @@
1
+ # Session Logging
2
+
3
+ ${AGENT_NAME}, log every session so `${PROJECT_NAME}` maintains a traceable history.
4
+
5
+ ## When to Log
6
+
7
+ At the end of each work session — whether you completed tasks or not — write a session log.
8
+
9
+ ## Log Location
10
+
11
+ Write to `.agent/sessions/YYYY-MM-DD.md`. If the file already exists (same-day continuation), append to it rather than overwriting.
12
+
13
+ ## Log Format
14
+
15
+ ```markdown
16
+ # Session: YYYY-MM-DD
17
+
18
+ **Agent:** ${AGENT_NAME}
19
+ **Duration:** Brief estimate if known
20
+
21
+ ## Tasks Worked On
22
+ - TASK-001: What was attempted or completed
23
+ - TASK-002: Another item
24
+
25
+ ## Decisions Made
26
+ - Decision summary and rationale (one line each)
27
+
28
+ ## Problems and Solutions
29
+ - Problem encountered → How it was resolved
30
+ - Open issues carried forward (if any)
31
+ ```
32
+
33
+ ## Guidelines
34
+
35
+ - Keep entries factual and brief — these are logs, not documentation
36
+ - Record problems even if you couldn't solve them; next sessions need to know
37
+ - If nothing was accomplished, log that too (blocked, waiting, research-only)
38
+ - Don't duplicate content already in `.agent/memory/decisions.md` — link to it instead
@@ -0,0 +1,40 @@
1
+ # Task Management
2
+
3
+ ${AGENT_NAME}, use the task system to track your work in `${PROJECT_NAME}`.
4
+
5
+ ## Reading Tasks
6
+
7
+ Task files live in `.agent/tasks/`. At startup, scan the directory for the current task:
8
+
9
+ 1. Look for a file matching `current.md` or `active.md` — that's your active task
10
+ 2. If none found, look for `backlog.md` and pick the next `[ ]` item
11
+ 3. If no tasks exist, ask the user what to work on
12
+
13
+ ## Task File Format
14
+
15
+ Each task file follows this structure:
16
+
17
+ ```markdown
18
+ # ${AGENT_NAME} Tasks
19
+
20
+ ## Active
21
+ - [ ] TASK-001: Brief description of what needs doing
22
+ - Subtask detail if needed
23
+ - Another subtask
24
+
25
+ ## Completed
26
+ - [x] TASK-000: Something already finished
27
+ ```
28
+
29
+ ## Marking Tasks Done
30
+
31
+ When you complete a task:
32
+
33
+ 1. Change `[ ]` to `[x]` in the source file
34
+ 2. Move the completed line to the `## Completed` section
35
+ 3. If there are more tasks in `## Active`, pick the next one
36
+ 4. If the active section is empty, report completion to the user
37
+
38
+ ## Task Naming
39
+
40
+ Use short, imperative descriptions: "Add authentication middleware", "Fix login redirect bug", "Update API types for user endpoint". Prefix with `TASK-NNN` if the project uses numbered tracking.
@@ -0,0 +1,11 @@
1
+ # ${PROJECT_NAME}
2
+
3
+ This project uses AI Squad agents for development. The following agents are available:
4
+
5
+ ${AGENT_LIST}
6
+
7
+ ## Workflow
8
+
9
+ Before starting any task, read the current state and understand the project context.
10
+
11
+ Always follow project conventions and architecture decisions.
@@ -0,0 +1,13 @@
1
+ # Architecture — ${PROJECT_NAME}
2
+
3
+ ## Directory Structure
4
+ Describe the top-level project layout here.
5
+
6
+ ## Data Flow
7
+ Describe how data moves through the system (request → component → database).
8
+
9
+ ## Key Design Decisions
10
+ Add entries here as architectural decisions are made. Reference `.agent/memory/decisions.md` for full ADRs.
11
+
12
+ ## External Services
13
+ List any third-party APIs and how they integrate.
@@ -0,0 +1,20 @@
1
+ # Conventions — ${PROJECT_NAME}
2
+
3
+ ## Code Style
4
+ - Use TypeScript strict mode. No `any` without justification.
5
+ - Prefer Server Components unless client interactivity is needed.
6
+ - Use `kebab-case` for files, `PascalCase` for components.
7
+ - Co-locate component tests alongside the component file.
8
+
9
+ ## Routing
10
+ - App Router only. Group routes by feature in `(feature)` folders.
11
+ - `page.tsx` is the route entry; keep it thin.
12
+
13
+ ## Data Fetching
14
+ - Fetch in Server Components when possible.
15
+ - Use React `cache()` for per-request deduplication.
16
+ - Mutations go in Server Actions or API routes.
17
+
18
+ ## State
19
+ - URL search params for shareable UI state.
20
+ - Zustand or Jotai for complex client state (add to stack if used).
@@ -0,0 +1,14 @@
1
+ # Tech Stack — ${PROJECT_NAME}
2
+
3
+ | Category | Technology |
4
+ |----------|------------|
5
+ | Framework | Next.js |
6
+ | Language | TypeScript |
7
+ | Styling | Tailwind CSS |
8
+ | Database | — |
9
+ | Auth | — |
10
+ | Hosting | Vercel |
11
+ | Testing | Vitest + Playwright |
12
+ | Linting | ESLint + Prettier |
13
+
14
+ Fill in the blanks as the project evolves.
@@ -0,0 +1,13 @@
1
+ # Architecture — ${PROJECT_NAME}
2
+
3
+ ## Directory Structure
4
+ Describe the top-level project layout here.
5
+
6
+ ## Data Flow
7
+ Describe how data moves through the system (request → handler → database).
8
+
9
+ ## Key Design Decisions
10
+ Add entries here as architectural decisions are made. Reference `.agent/memory/decisions.md` for full ADRs.
11
+
12
+ ## External Services
13
+ List any third-party APIs and how they integrate.
@@ -0,0 +1,19 @@
1
+ # Conventions — ${PROJECT_NAME}
2
+
3
+ ## Code Style
4
+ - Follow PEP 8. Enforce with ruff and black.
5
+ - Type hints on all function signatures. Run mypy in strict mode.
6
+ - Use `snake_case` for files, functions, and variables.
7
+
8
+ ## Project Layout
9
+ - `src/` layout preferred over flat `app/` layout.
10
+ - Keep modules focused: one concern per module.
11
+
12
+ ## Error Handling
13
+ - Use custom exception classes, not bare `Exception`.
14
+ - Fail loudly in development, gracefully in production.
15
+
16
+ ## Testing
17
+ - pytest with fixtures in `conftest.py`.
18
+ - One test file per source module: `test_<module>.py`.
19
+ - Aim for >80% coverage on business logic.
@@ -0,0 +1,14 @@
1
+ # Tech Stack — ${PROJECT_NAME}
2
+
3
+ | Category | Technology |
4
+ |----------|------------|
5
+ | Language | Python |
6
+ | Package Manager | pip / Poetry |
7
+ | Web Framework | FastAPI / Flask / Django |
8
+ | Database | — |
9
+ | ORM | — |
10
+ | Testing | pytest |
11
+ | Linting | ruff / black / mypy |
12
+ | Hosting | — |
13
+
14
+ Fill in the blanks as the project evolves.
@@ -0,0 +1,14 @@
1
+ # Context Management
2
+
3
+ ## Available Context Docs
4
+ - `stack.md` — tech stack, tools, libraries. Read when choosing dependencies.
5
+ - `conventions.md` — coding conventions. Read before writing code.
6
+ - `architecture.md` — system design and data flow. Read for architectural context.
7
+
8
+ ## When to Read
9
+ At the start of any implementation task, read `stack.md` and `conventions.md`. For system-level changes, also read `architecture.md`.
10
+
11
+ ## Maintenance
12
+ - `stack.md` — updated by `squad-architect` when dependencies change
13
+ - `conventions.md` — updated by `squad-memory-keeper` as new conventions emerge
14
+ - `architecture.md` — updated by `squad-architect` for design changes
@@ -0,0 +1,12 @@
1
+ # Memory Management
2
+
3
+ ## When to Read Memory
4
+ Before starting any task, read `.agent/memory/decisions.md` and `.agent/memory/conventions.md` to understand past decisions and established patterns.
5
+
6
+ ## When to Append
7
+ After making a technical decision, append to `decisions.md`. When a new convention emerges, append to `conventions.md`. Use the format specified in the templates.
8
+
9
+ ## Agent Ownership
10
+ - `decisions.md` — maintained by `squad-architect` and `squad-memory-keeper`
11
+ - `conventions.md` — maintained by `squad-memory-keeper`
12
+ - `patterns.md` — maintained by `squad-architect` (Comprehensive only)