autoworkflow 3.1.5 → 3.5.0

package/.claude/skills/sea-orm.md

@@ -0,0 +1,382 @@
+# SeaORM Skill
+
+## Setup and Migrations
+\`\`\`bash
+# Install sea-orm-cli
+cargo install sea-orm-cli
+
+# Initialize migration directory
+sea-orm-cli migrate init
+
+# Create migration
+sea-orm-cli migrate generate create_users
+
+# Run migrations
+sea-orm-cli migrate up
+
+# Generate entities from database
+sea-orm-cli generate entity -o src/entities --with-serde both
+\`\`\`
+
+## Entity Definition
+\`\`\`rust
+// src/entities/user.rs
+use sea_orm::entity::prelude::*;
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Debug, PartialEq, Eq, DeriveEntityModel, Serialize, Deserialize)]
+#[sea_orm(table_name = "users")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    #[sea_orm(unique)]
+    pub email: String,
+    pub name: String,
+    #[serde(skip_serializing)]
+    pub password_hash: String,
+    pub is_active: bool,
+    pub created_at: DateTimeUtc,
+    pub updated_at: DateTimeUtc,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(has_many = "super::post::Entity")]
+    Posts,
+    #[sea_orm(has_one = "super::profile::Entity")]
+    Profile,
+}
+
+impl Related<super::post::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Posts.def()
+    }
+}
+
+impl Related<super::profile::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Profile.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
+
+// src/entities/post.rs
+#[derive(Clone, Debug, PartialEq, Eq, DeriveEntityModel, Serialize, Deserialize)]
+#[sea_orm(table_name = "posts")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub title: String,
+    #[sea_orm(column_type = "Text")]
+    pub content: String,
+    pub published: bool,
+    pub author_id: Uuid,
+    pub created_at: DateTimeUtc,
+    pub updated_at: DateTimeUtc,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::user::Entity",
+        from = "Column::AuthorId",
+        to = "super::user::Column::Id"
+    )]
+    Author,
+    #[sea_orm(has_many = "super::comment::Entity")]
+    Comments,
+}
+
+impl Related<super::user::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Author.def()
+    }
+}
+\`\`\`
+
+## Database Connection
+\`\`\`rust
+use sea_orm::{Database, DatabaseConnection, ConnectOptions};
+use std::time::Duration;
+
+pub async fn create_connection() -> Result<DatabaseConnection, DbErr> {
+    let database_url = std::env::var("DATABASE_URL")
+        .expect("DATABASE_URL must be set");
+
+    let mut opts = ConnectOptions::new(database_url);
+    opts.max_connections(100)
+        .min_connections(5)
+        .connect_timeout(Duration::from_secs(10))
+        .idle_timeout(Duration::from_secs(300))
+        .sqlx_logging(true)
+        .sqlx_logging_level(log::LevelFilter::Debug);
+
+    Database::connect(opts).await
+}
+\`\`\`
+
+## CRUD Operations
+\`\`\`rust
+use sea_orm::*;
+use crate::entities::{user, post};
+use crate::entities::prelude::{User, Post};
+
+pub struct UserRepository {
+    db: DatabaseConnection,
+}
+
+impl UserRepository {
+    pub fn new(db: DatabaseConnection) -> Self {
+        Self { db }
+    }
+
+    // Create
+    pub async fn create(&self, email: &str, name: &str, password: &str) -> Result<user::Model, AppError> {
+        let password_hash = hash_password(password)?;
+
+        let new_user = user::ActiveModel {
+            id: Set(Uuid::new_v4()),
+            email: Set(email.to_string()),
+            name: Set(name.to_string()),
+            password_hash: Set(password_hash),
+            is_active: Set(true),
+            created_at: Set(Utc::now()),
+            updated_at: Set(Utc::now()),
+        };
+
+        new_user.insert(&self.db).await.map_err(AppError::from)
+    }
+
+    // Find by ID
+    pub async fn find_by_id(&self, id: Uuid) -> Result<Option<user::Model>, AppError> {
+        User::find_by_id(id)
+            .one(&self.db)
+            .await
+            .map_err(AppError::from)
+    }
+
+    // Find by email
+    pub async fn find_by_email(&self, email: &str) -> Result<Option<user::Model>, AppError> {
+        User::find()
+            .filter(user::Column::Email.eq(email))
+            .one(&self.db)
+            .await
+            .map_err(AppError::from)
+    }
+
+    // List with pagination
+    pub async fn list(&self, page: u64, per_page: u64) -> Result<(Vec<user::Model>, u64), AppError> {
+        let paginator = User::find()
+            .filter(user::Column::IsActive.eq(true))
+            .order_by_desc(user::Column::CreatedAt)
+            .paginate(&self.db, per_page);
+
+        let total = paginator.num_items().await?;
+        let users = paginator.fetch_page(page - 1).await?;
+
+        Ok((users, total))
+    }
+
+    // Update
+    pub async fn update(&self, id: Uuid, name: Option<String>, email: Option<String>) -> Result<user::Model, AppError> {
+        let user = User::find_by_id(id)
+            .one(&self.db)
+            .await?
+            .ok_or(AppError::NotFound)?;
+
+        let mut active: user::ActiveModel = user.into();
+
+        if let Some(n) = name {
+            active.name = Set(n);
+        }
+        if let Some(e) = email {
+            active.email = Set(e);
+        }
+        active.updated_at = Set(Utc::now());
+
+        active.update(&self.db).await.map_err(AppError::from)
+    }
+
+    // Delete
+    pub async fn delete(&self, id: Uuid) -> Result<DeleteResult, AppError> {
+        User::delete_by_id(id)
+            .exec(&self.db)
+            .await
+            .map_err(AppError::from)
+    }
+}
+\`\`\`
+
+## Relationships and Eager Loading
+\`\`\`rust
+// Find user with posts
+pub async fn find_user_with_posts(&self, id: Uuid) -> Result<Option<(user::Model, Vec<post::Model>)>, AppError> {
+    User::find_by_id(id)
+        .find_with_related(Post)
+        .all(&self.db)
+        .await
+        .map(|results| results.into_iter().next())
+        .map_err(AppError::from)
+}
+
+// Find posts with authors
+pub async fn find_posts_with_authors(&self) -> Result<Vec<(post::Model, Option<user::Model>)>, AppError> {
+    Post::find()
+        .filter(post::Column::Published.eq(true))
+        .find_also_related(User)
+        .order_by_desc(post::Column::CreatedAt)
+        .all(&self.db)
+        .await
+        .map_err(AppError::from)
+}
+
+// Custom select with partial fields
+#[derive(FromQueryResult, Serialize)]
+pub struct UserSummary {
+    pub id: Uuid,
+    pub email: String,
+    pub name: String,
+}
+
+pub async fn list_summaries(&self) -> Result<Vec<UserSummary>, AppError> {
+    User::find()
+        .select_only()
+        .column(user::Column::Id)
+        .column(user::Column::Email)
+        .column(user::Column::Name)
+        .filter(user::Column::IsActive.eq(true))
+        .into_model::<UserSummary>()
+        .all(&self.db)
+        .await
+        .map_err(AppError::from)
+}
+\`\`\`
+
+## Complex Queries
+\`\`\`rust
+use sea_orm::{QueryOrder, QuerySelect, Condition};
+
+// Complex filtering
+pub async fn search_users(
+    &self,
+    query: Option<&str>,
+    is_active: Option<bool>,
+    page: u64,
+    per_page: u64,
+) -> Result<Vec<user::Model>, AppError> {
+    let mut condition = Condition::all();
+
+    if let Some(q) = query {
+        condition = condition.add(
+            Condition::any()
+                .add(user::Column::Name.contains(q))
+                .add(user::Column::Email.contains(q))
+        );
+    }
+
+    if let Some(active) = is_active {
+        condition = condition.add(user::Column::IsActive.eq(active));
+    }
+
+    User::find()
+        .filter(condition)
+        .order_by_desc(user::Column::CreatedAt)
+        .offset((page - 1) * per_page)
+        .limit(per_page)
+        .all(&self.db)
+        .await
+        .map_err(AppError::from)
+}
+
+// Aggregate query with raw SQL
+use sea_orm::{FromQueryResult, Statement};
+
+#[derive(FromQueryResult)]
+pub struct UserStats {
+    pub user_id: Uuid,
+    pub post_count: i64,
+    pub comment_count: i64,
+}
+
+pub async fn get_user_stats(&self, user_id: Uuid) -> Result<UserStats, AppError> {
+    UserStats::find_by_statement(Statement::from_sql_and_values(
+        DbBackend::Postgres,
+        r#"
+        SELECT
+            u.id as user_id,
+            COUNT(DISTINCT p.id) as post_count,
+            COUNT(DISTINCT c.id) as comment_count
+        FROM users u
+        LEFT JOIN posts p ON p.author_id = u.id
+        LEFT JOIN comments c ON c.user_id = u.id
+        WHERE u.id = $1
+        GROUP BY u.id
+        "#,
+        [user_id.into()],
+    ))
+    .one(&self.db)
+    .await?
+    .ok_or(AppError::NotFound)
+}
+\`\`\`
+
+## Transactions
+\`\`\`rust
+use sea_orm::TransactionTrait;
+
+pub async fn create_user_with_profile(
+    &self,
+    email: &str,
+    name: &str,
+    password: &str,
+    bio: &str,
+) -> Result<(user::Model, profile::Model), AppError> {
+    self.db.transaction::<_, (user::Model, profile::Model), AppError>(|txn| {
+        Box::pin(async move {
+            // Create user
+            let user = user::ActiveModel {
+                id: Set(Uuid::new_v4()),
+                email: Set(email.to_string()),
+                name: Set(name.to_string()),
+                password_hash: Set(hash_password(password)?),
+                is_active: Set(true),
+                created_at: Set(Utc::now()),
+                updated_at: Set(Utc::now()),
+            }
+            .insert(txn)
+            .await?;
+
+            // Create profile
+            let profile = profile::ActiveModel {
+                id: Set(Uuid::new_v4()),
+                user_id: Set(user.id),
+                bio: Set(bio.to_string()),
+            }
+            .insert(txn)
+            .await?;
+
+            Ok((user, profile))
+        })
+    })
+    .await
+    .map_err(|e| match e {
+        TransactionError::Connection(e) => AppError::Database(e),
+        TransactionError::Transaction(e) => e,
+    })
+}
+\`\`\`
+
+## ✅ DO
+- Use \`Set()\` to set values in ActiveModel
+- Use \`NotSet\` for optional fields in updates
+- Use \`.paginate()\` for pagination
+- Use \`find_with_related()\` for eager loading
+- Use transactions for multi-step operations
+- Use \`FromQueryResult\` for custom query results
+
+## ❌ DON'T
+- Don't forget to derive \`DeriveEntityModel\` for entities
+- Don't use \`.unwrap()\` - handle \`DbErr\` properly
+- Don't load relationships separately when you can use \`find_with_related\`
+- Don't forget to define \`Relation\` enum for relationships

package/.claude/skills/security.md

@@ -0,0 +1,167 @@
+# Security Skill
+
+## Input Validation
+\`\`\`typescript
+// ✅ ALWAYS validate with Zod
+import { z } from 'zod';
+
+const userSchema = z.object({
+  email: z.string().email().max(255),
+  name: z.string().min(1).max(100).trim(),
+  age: z.number().int().min(0).max(150).optional()
+});
+
+const result = userSchema.safeParse(input);
+if (!result.success) throw new ValidationError(result.error);
+\`\`\`
+
+## SQL Injection Prevention
+\`\`\`typescript
+// ❌ NEVER: String concatenation
+db.query(\`SELECT * FROM users WHERE id = '\${userId}'\`);
+
+// ✅ ALWAYS: Parameterized queries or ORM
+await prisma.user.findUnique({ where: { id: userId } });
+\`\`\`
+
+## XSS Prevention
+\`\`\`tsx
+// ❌ NEVER with user content
+<div dangerouslySetInnerHTML={{ __html: userInput }} />
+
+// ✅ React auto-escapes
+<div>{userInput}</div>
+
+// ✅ If HTML needed, sanitize
+import DOMPurify from 'dompurify';
+<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }} />
+\`\`\`
+
+## CORS Configuration
+\`\`\`typescript
+// Express with cors middleware
+import cors from 'cors';
+
+// ❌ DON'T: Allow all origins in production
+app.use(cors()); // Allows everything
+
+// ✅ DO: Whitelist specific origins
+app.use(cors({
+  origin: ['https://myapp.com', 'https://admin.myapp.com'],
+  methods: ['GET', 'POST', 'PUT', 'DELETE'],
+  allowedHeaders: ['Content-Type', 'Authorization'],
+  credentials: true, // If using cookies
+  maxAge: 86400 // Cache preflight for 24 hours
+}));
+\`\`\`
+
+## Secure Headers (Helmet.js)
+\`\`\`typescript
+import helmet from 'helmet';
+
+app.use(helmet()); // Applies all defaults
+
+// Or configure individually:
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'"], // Avoid if possible
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      connectSrc: ["'self'", "https://api.myapp.com"],
+    },
+  },
+  hsts: { maxAge: 31536000, includeSubDomains: true },
+  frameguard: { action: 'deny' }, // Prevent clickjacking
+}));
+\`\`\`
+
+## Rate Limiting
+\`\`\`typescript
+import rateLimit from 'express-rate-limit';
+
+// General API rate limiting
+const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // 100 requests per window
+  message: { error: 'Too many requests, try again later' },
+  standardHeaders: true, // Return rate limit info in headers
+});
+app.use('/api/', apiLimiter);
+
+// Stricter limit for auth endpoints
+const authLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 5, // 5 attempts per hour
+  skipSuccessfulRequests: true, // Don't count successful logins
+});
+app.use('/api/auth/login', authLimiter);
+\`\`\`
+
+## CSRF Protection
+\`\`\`typescript
+// For traditional forms (not needed for JWT-only APIs)
+import csrf from 'csurf';
+
+app.use(csrf({ cookie: true }));
+
+// Include token in forms
+app.get('/form', (req, res) => {
+  res.render('form', { csrfToken: req.csrfToken() });
+});
+
+// In HTML: <input type="hidden" name="_csrf" value="{{csrfToken}}">
+\`\`\`
+
+## Authentication Patterns
+\`\`\`typescript
+// ✅ Password hashing (12+ rounds)
+const hash = await bcrypt.hash(password, 12);
+
+// ✅ JWT with short expiry + refresh tokens
+const accessToken = jwt.sign({ userId }, ACCESS_SECRET, { expiresIn: '15m' });
+const refreshToken = jwt.sign({ userId }, REFRESH_SECRET, { expiresIn: '7d' });
+
+// ✅ Secure cookie settings
+res.cookie('refreshToken', refreshToken, {
+  httpOnly: true,    // Not accessible via JavaScript
+  secure: true,      // HTTPS only
+  sameSite: 'strict', // CSRF protection
+  maxAge: 7 * 24 * 60 * 60 * 1000 // 7 days
+});
+\`\`\`
+
+## Environment Variables
+\`\`\`typescript
+// ✅ Use a validation library
+import { z } from 'zod';
+
+const envSchema = z.object({
+  DATABASE_URL: z.string().url(),
+  JWT_SECRET: z.string().min(32),
+  NODE_ENV: z.enum(['development', 'production', 'test']),
+});
+
+// Validate at startup - fail fast if missing
+export const env = envSchema.parse(process.env);
+\`\`\`
+
+## ❌ DON'T
+- Store passwords in plain text
+- Expose stack traces in production
+- Trust client-side validation alone
+- Store secrets in code
+- Use * for CORS origin in production
+- Skip rate limiting on auth endpoints
+- Log sensitive data (passwords, tokens)
+
+## ✅ DO
+- Validate ALL input server-side
+- Use environment variables for secrets
+- Implement rate limiting
+- Use HTTPS everywhere
+- Keep dependencies updated
+- Use Helmet for secure headers
+- Configure CORS properly
+- Validate env vars at startup