cfsa-antigravity 1.0.0 → 2.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 RepairYourTech
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,54 @@
+# CFSA Antigravity
+
+> Constraint-First Specification Architecture — production-grade from line one
+
+A pipeline that turns a raw idea into exhaustively specified, test-driven, production-quality code through progressive gates. Stack-agnostic. Agent-agnostic. Cross-platform. Every line of code is production-grade from the moment it's written.
+
+## Quick Install
+
+```bash
+npx cfsa-antigravity init
+```
+
+This installs the `.agent/` folder, `docs/` structure, and agent config files into your project.
+
+## CLI
+
+| Command | Description |
+|---------|-------------|
+| `cfsa-antigravity init` | Install the pipeline into your project |
+| `cfsa-antigravity status` | Check installation + unfilled placeholders |
+| `cfsa-antigravity init --force` | Overwrite existing installation |
+| `cfsa-antigravity init --dry-run` | Preview what would be installed |
+| `cfsa-antigravity init --path ./dir` | Install into specific directory |
+
+## Get Started
+
+```
+/ideate
+```
+
+The pipeline tells you what to run next at every step. You never have to guess.
+
+## Documentation
+
+| Document | Contents |
+|----------|----------|
+| [Pipeline Guide](docs/README.md) | Full walkthrough — every command, every stage |
+| [Kit Architecture](docs/kit-architecture.md) | How the kit's internals work |
+
+## Five Principles
+
+1. **Constraints before decisions** — map what's decided before presenting options
+2. **Exhaustive iteration over shallow speed** — no ambiguity moves forward
+3. **Work shifted left** — design decisions made in spec, not in code
+4. **Progressive decision locking** — each stage locks decisions for downstream
+5. **TDD as the implementation contract** — Red → Green → Refactor, every slice
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for how to set up, make changes, and submit PRs.
+
+## License
+
+[MIT](LICENSE)

package/package.json

@@ -1,34 +1,48 @@
 {
-    "name": "cfsa-antigravity",
-    "version": "1.0.0",
-    "description": "CFSA Pipeline — Constraint-First Specification Architecture for AI agents. Production-grade from line one.",
-    "bin": {
-        "cfsa-antigravity": "./bin/cli.mjs"
-    },
-    "files": [
-        "bin/",
-        "template/"
-    ],
-    "keywords": [
-        "ai",
-        "agent",
-        "cfsa",
-        "specification",
-        "pipeline",
-        "tdd",
-        "antigravity",
-        "production",
-        "workflows",
-        "skills"
-    ],
-    "author": "RepairYourTech",
-    "license": "MIT",
-    "repository": {
-        "type": "git",
-        "url": "https://github.com/RepairYourTech/cfsa-antigravity"
-    },
-    "homepage": "https://github.com/RepairYourTech/cfsa-antigravity#readme",
-    "engines": {
-        "node": ">=18.0.0"
-    }
+  "name": "cfsa-antigravity",
+  "version": "2.0.0",
+  "description": "CFSA Pipeline — Constraint-First Specification Architecture for AI agents. Production-grade from line one.",
+  "scripts": {
+    "changeset": "changeset",
+    "version": "changeset version",
+    "build": "./scripts/build-template.sh",
+    "check": "./scripts/check-template-integrity.sh",
+    "prepare": "husky || true"
+  },
+  "bin": {
+    "cfsa-antigravity": "./bin/cli.mjs"
+  },
+  "files": [
+    "bin/",
+    "template/"
+  ],
+  "keywords": [
+    "ai",
+    "agent",
+    "cfsa",
+    "specification",
+    "pipeline",
+    "tdd",
+    "antigravity",
+    "production",
+    "workflows",
+    "skills"
+  ],
+  "author": "RepairYourTech",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/RepairYourTech/cfsa-antigravity"
+  },
+  "homepage": "https://github.com/RepairYourTech/cfsa-antigravity#readme",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "devDependencies": {
+    "@changesets/changelog-github": "^0.6.0",
+    "@changesets/cli": "^2.30.0",
+    "@commitlint/cli": "^20.4.4",
+    "@commitlint/config-conventional": "^20.4.4",
+    "husky": "^9.1.7"
+  }
 }

package/template/.agent/kit-sync.md

@@ -9,7 +9,7 @@
 
 # Kit Sync State
 
-upstream: https://github.com/RepairYourTech/Anti-MVP-Vibe-Pipeline
+upstream: https://github.com/RepairYourTech/cfsa-antigravity
 last_synced_commit: FIRST_SYNC_PENDING
 last_synced_at: FIRST_SYNC_PENDING
 kit_version: main

package/template/.agent/skill-library/MANIFEST.md

@@ -75,6 +75,8 @@ When a stack key matches a value pattern (case-insensitive), install the listed
 | `API_LAYER` | `*trpc*` | `stack/api/trpc` | `trpc` |
 | `API_LAYER` | `*graphql*` | `stack/api/graphql` | `graphql` |
 
+> **`{{API_DESIGN_SKILL}}` provision**: When `API_LAYER` is set, bootstrap fills `{{API_DESIGN_SKILL}}` with the matching API skill name (e.g., `trpc`, `graphql`). When `API_LAYER` is not set (REST is the default API style), `{{API_DESIGN_SKILL}}` defaults to `api-design-principles` (pre-installed). This replaces the former hardcoded `rest-api-design` reference.
+
 ### ORM / Data Layer
 
 | Stack Key | Value Pattern | Library Path | Installed As |
@@ -164,7 +166,7 @@ Note: `DESIGN_DIRECTION` does not copy a skill from the library — it fills pla
 |-----------|--------------|-------------|-------------|
 | `OBSERVABILITY` | `*opentelemetry*` OR `*otel*` | `stack/observability/opentelemetry` | `opentelemetry` |
 | `OBSERVABILITY` | `*distributed-tracing*` OR `*jaeger*` OR `*zipkin*` | `stack/observability/distributed-tracing` | `distributed-tracing` |
-| `OBSERVABILITY` | `*structured-logging*` OR `*pino*` OR `*winston*` | `stack/observability/logging-best-practices` | `logging-best-practices` |
+| `OBSERVABILITY` | `*structured-logging*` OR `*pino*` OR `*winston*` | Pre-installed: `.agent/skills/logging-best-practices` | `logging-best-practices` (pre-installed) |
 | `OBSERVABILITY` | `*python*` | `stack/observability/python-observability` | `python-observability` |
 | `OBSERVABILITY` | `*datadog*` | `stack/observability/datadog` | `datadog` |
 | `OBSERVABILITY` | `*prometheus*` OR `*grafana*` | `stack/observability/prometheus-grafana` | `prometheus-grafana` |
@@ -232,6 +234,7 @@ Note: `DESIGN_DIRECTION` does not copy a skill from the library — it fills pla
 | Stack Key | Value Pattern | Library Path | Installed As |
 |-----------|--------------|-------------|-------------|
 | `MOBILE_FRAMEWORK` | `*expo*` OR `*react-native*` OR `*react native*` | `stack/mobile/react-native` | `react-native` |
+| `MOBILE_FRAMEWORK` | `*expo*` | `stack/mobile/expo-react-native` | `expo-react-native` |
 | `MOBILE_FRAMEWORK` | `*flutter*` | `stack/mobile/flutter` | `flutter` |
 | `MOBILE_FRAMEWORK` | `*swiftui*` OR `*swift*` | `stack/mobile/swiftui` | `swiftui` |
 | `MOBILE_FRAMEWORK` | `*kotlin*` OR `*compose*` OR `*jetpack*` | `stack/mobile/kotlin-compose` | `kotlin-compose` |
@@ -261,10 +264,8 @@ Note: `DESIGN_DIRECTION` does not copy a skill from the library — it fills pla
 
 | Stack Key | Value Pattern | Library Path | Installed As |
 |-----------|--------------|-------------|-------------|
-| `GAME_ENGINE` | `*godot*` | `stack/engines/godot` | `godot` |
-| `GAME_ENGINE` | `*unity*` | `stack/engines/unity` | `unity` |
-| `GAME_ENGINE` | `*unreal*` OR `*ue5*` | `stack/engines/unreal` | `unreal` |
-| `GAME_ENGINE` | `*bevy*` | `stack/engines/bevy` | `bevy` |
+| `GAME_ENGINE` | `*godot*` | `stack/gamedev/godot` | `godot` |
+| `GAME_ENGINE` | `*unity*` | `stack/gamedev/unity` | `unity` |
 
 ### Security
 
@@ -353,7 +354,7 @@ When the project includes a surface type, install the listed skills.
 | `api` | `surface/api/api-caching` | `api-caching` |
 | `api` | `surface/api/api-documentation-openapi` | `api-documentation-openapi` |
 | `api` | `surface/api/webhook-design` | `webhook-design` |
-| `api` | `surface/api/rest-api-design` | `rest-api-design` |
+| `api` | Pre-installed: `.agent/skills/api-design-principles` | `api-design-principles` (pre-installed) |
 | `api` | `surface/api/api-security-checklist` | `api-security-checklist` |
 | `api` | `stack/security/input-sanitization` | `input-sanitization` |
 
@@ -411,7 +412,7 @@ These skills are NOT auto-installed. Install via `/find-skills` or manually copy
 | `meta/mcp-builder` | Building MCP servers |
 | `meta/tmux-processes` | Long-lived process management via tmux |
 | `meta/using-tmux-for-interactive-commands` | Interactive CLI tools via tmux |
-| `meta/brand-guidelines` | Brand color and typography application |
+| Pre-installed: `.agent/skills/brand-guidelines` | Brand color and typography application (pre-installed) |
 | `meta/product-marketing-context` | Marketing context document generator — run first before any SEO or CRO skill |
 
 ---
@@ -467,14 +468,23 @@ To add a new skill to the library:
 | `EMAIL` | Email service | Resend |
 | `QUEUE` | Job queue | Inngest, BullMQ |
 | `REALTIME` | Realtime communication | Socket.io |
-| `SEARCH` | Search engine | Meilisearch |
+| `SEARCH` | Search engine | Meilisearch, Algolia, Typesense, Elasticsearch |
 | `CMS` | Content management | Payload CMS, WordPress, Shopify |
-| `STORAGE` | File/object storage | AWS S3 |
+| `STORAGE` | File/object storage | AWS S3, Cloudflare R2, Google Cloud Storage |
 | `CI_CD` | CI/CD pipeline | GitHub Actions, Terraform |
-| `MOBILE_FRAMEWORK` | Mobile framework | Expo, React Native |
+| `MOBILE_FRAMEWORK` | Mobile framework | Expo, React Native, Flutter, SwiftUI, Kotlin/Compose |
 | `LANGUAGE` | Programming language | TypeScript, Python, Rust, Go, C/C++, Java, Kotlin, JavaScript, GDScript, Bash |
+| `MESSAGE_BROKER` | Message broker/queue | Kafka, RabbitMQ, NATS, AWS SQS |
+| `NOTIFICATIONS` | Notification service | Twilio, FCM, SendGrid |
+| `BROWSER_EXTENSION` | Browser extension framework | WXT, Plasmo, Chrome Extension |
+| `VSCODE_EXTENSION` | VS Code extension | VS Code Extension |
+| `FEATURE_FLAGS` | Feature flag service | LaunchDarkly, PostHog, Flagsmith |
+| `DATABASE_ANALYTICS` | Analytics database | ClickHouse |
 | `3D_FRAMEWORK` | 3D rendering | Three.js, React Three Fiber |
 | `GAME_ENGINE` | Game engine | Godot, Unity |
 | `SECURITY` | Security focus area | OWASP, Crypto, CSP/CORS, Dependency Auditing, Input Sanitization |
 | `SECURITY_SKILLS` | Accumulated list of all provisioned security skills (comma-separated, auto-filled by bootstrap) | e.g., `owasp-web-security,csp-cors-headers,input-sanitization,dependency-auditing` |
+| `API_DESIGN_SKILL` | API design skill for the project's API style (auto-filled by bootstrap, defaults to `api-design-principles`) | `api-design-principles`, `trpc`, `graphql` |
 | `DESIGN_DIRECTION` | Confirmed visual design direction | Minimal/Functional, Editorial, Luxury/Refined, Playful/Expressive, Technical/Brutalist, Cinematic/Immersive, or Hybrid |
+| `CDN_ASSETS` | CDN provider for static assets (no skill provisioned — handled by `HOSTING_SKILL`) | Cloudflare, AWS CloudFront, Vercel Edge |
+| `BACKEND_RUNTIME` | Backend runtime environment (no skill provisioned — handled by `LANGUAGE_SKILL` and `BACKEND_FRAMEWORK_SKILL`) | Node.js, Bun, Deno, Python |

package/template/.agent/skill-library/stack/auth/lucia/SKILL.md

@@ -0,0 +1,230 @@
+---
+name: lucia
+description: "Lucia auth patterns covering session management, database adapters, OAuth integration, password hashing, and middleware. Use when implementing authentication with Lucia."
+version: 1.0.0
+source: self
+date_added: "2026-03-14"
+---
+
+# Lucia
+
+Lightweight, session-based auth library. No magic — you own the user table, session table, and auth logic. Lucia handles session tokens and cookie management.
+
+## When to Use
+
+- Want full control over auth without a third-party service
+- Building with Astro, SvelteKit, Next.js, or Express
+- Need session-based auth (not JWT-based)
+- Want to store users/sessions in your own database
+
+## When NOT to Use
+
+- Want a managed auth service with pre-built UI (use Clerk or Auth.js)
+- Need JWT-based authentication (Lucia uses opaque session tokens)
+- Want OAuth without writing the callback handler yourself
+
+## Setup
+
+### Installation
+
+```bash
+npm install lucia
+npm install @lucia-auth/adapter-drizzle  # or adapter-prisma, adapter-mongoose, etc.
+```
+
+### Database Schema (Drizzle Example)
+
+```typescript
+// db/schema.ts
+import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';
+
+export const userTable = pgTable('user', {
+  id: text('id').primaryKey(), // Generate with generateIdFromEntropySize(10)
+  email: text('email').notNull().unique(),
+  hashedPassword: text('hashed_password'),
+  name: text('name'),
+});
+
+export const sessionTable = pgTable('session', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull().references(() => userTable.id),
+  expiresAt: timestamp('expires_at', { withTimezone: true, mode: 'date' }).notNull(),
+});
+```
+
+### Lucia Instance
+
+```typescript
+// lib/auth.ts
+import { Lucia } from 'lucia';
+import { DrizzlePostgreSQLAdapter } from '@lucia-auth/adapter-drizzle';
+import { db } from './db';
+import { sessionTable, userTable } from './db/schema';
+
+const adapter = new DrizzlePostgreSQLAdapter(db, sessionTable, userTable);
+
+export const lucia = new Lucia(adapter, {
+  sessionCookie: {
+    attributes: {
+      secure: process.env.NODE_ENV === 'production',
+    },
+  },
+  getUserAttributes: (attributes) => ({
+    email: attributes.email,
+    name: attributes.name,
+  }),
+});
+
+// Type augmentation
+declare module 'lucia' {
+  interface Register {
+    Lucia: typeof lucia;
+    DatabaseUserAttributes: { email: string; name: string };
+  }
+}
+```
+
+## Sign-Up Flow
+
+```typescript
+import { generateIdFromEntropySize } from 'lucia';
+import { hash } from '@node-rs/argon2';
+
+async function signUp(email: string, password: string, name: string) {
+  const userId = generateIdFromEntropySize(10); // 16-char random ID
+  const hashedPassword = await hash(password, {
+    memoryCost: 19456,
+    timeCost: 2,
+    outputLen: 32,
+    parallelism: 1,
+  });
+
+  await db.insert(userTable).values({ id: userId, email, hashedPassword, name });
+
+  const session = await lucia.createSession(userId, {});
+  const sessionCookie = lucia.createSessionCookie(session.id);
+  return sessionCookie; // Set this as a response cookie
+}
+```
+
+## Sign-In Flow
+
+```typescript
+import { verify } from '@node-rs/argon2';
+
+async function signIn(email: string, password: string) {
+  const user = await db.query.userTable.findFirst({ where: eq(userTable.email, email) });
+  if (!user || !user.hashedPassword) {
+    throw new Error('Invalid email or password');
+  }
+
+  const validPassword = await verify(user.hashedPassword, password);
+  if (!validPassword) {
+    throw new Error('Invalid email or password');
+  }
+
+  const session = await lucia.createSession(user.id, {});
+  return lucia.createSessionCookie(session.id);
+}
+```
+
+## Session Validation Middleware
+
+### Next.js
+
+```typescript
+// middleware.ts or lib/auth-middleware.ts
+import { cookies } from 'next/headers';
+
+export async function validateRequest() {
+  const sessionId = (await cookies()).get(lucia.sessionCookieName)?.value ?? null;
+  if (!sessionId) return { user: null, session: null };
+
+  const result = await lucia.validateSession(sessionId);
+
+  if (result.session?.fresh) {
+    const cookie = lucia.createSessionCookie(result.session.id);
+    (await cookies()).set(cookie.name, cookie.value, cookie.attributes);
+  }
+  if (!result.session) {
+    const cookie = lucia.createBlankSessionCookie();
+    (await cookies()).set(cookie.name, cookie.value, cookie.attributes);
+  }
+
+  return result;
+}
+```
+
+### Usage in Server Components
+
+```typescript
+// app/dashboard/page.tsx
+import { validateRequest } from '@/lib/auth-middleware';
+import { redirect } from 'next/navigation';
+
+export default async function DashboardPage() {
+  const { user, session } = await validateRequest();
+  if (!user) redirect('/login');
+
+  return <h1>Welcome, {user.name}</h1>;
+}
+```
+
+## Sign Out
+
+```typescript
+async function signOut() {
+  const { session } = await validateRequest();
+  if (session) {
+    await lucia.invalidateSession(session.id);
+  }
+  const cookie = lucia.createBlankSessionCookie();
+  (await cookies()).set(cookie.name, cookie.value, cookie.attributes);
+}
+```
+
+## OAuth Integration
+
+```typescript
+// Using Arctic for OAuth providers
+import { GitHub } from 'arctic';
+
+const github = new GitHub(
+  process.env.GITHUB_CLIENT_ID!,
+  process.env.GITHUB_CLIENT_SECRET!,
+  null
+);
+
+// 1. Redirect to provider
+async function initiateOAuth() {
+  const state = generateState();
+  const url = github.createAuthorizationURL(state, ['user:email']);
+  // Set state in cookie, redirect to url
+}
+
+// 2. Handle callback
+async function handleOAuthCallback(code: string) {
+  const tokens = await github.validateAuthorizationCode(code);
+  const response = await fetch('https://api.github.com/user', {
+    headers: { Authorization: `Bearer ${tokens.accessToken()}` },
+  });
+  const githubUser = await response.json();
+
+  // Find or create user, then create session
+  const session = await lucia.createSession(user.id, {});
+  return lucia.createSessionCookie(session.id);
+}
+```
+
+## Anti-Patterns
+
+| Don't | Do |
+|-------|-----|
+| Use `bcrypt` for password hashing | Use `@node-rs/argon2` — Argon2id is the current best |
+| Skip the `session.fresh` check | Always refresh session cookies when `fresh === true` |
+| Store session tokens in localStorage | Use httpOnly cookies via `lucia.createSessionCookie()` |
+| Call `validateSession` on every render | Cache the result per-request (e.g., in React `cache()`) |
+| Create sessions without invalidating old ones | Implement session limits or invalidate on password change |
+| Skip type augmentation for `Register` | Always declare `DatabaseUserAttributes` for type safety |
+| Use UUIDs for user IDs | Use `generateIdFromEntropySize()` — shorter, more entropy |
+| Hash passwords with default/weak params | Set explicit Argon2 params (memoryCost ≥ 19456) |