claude-code-pilot 2.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (514) hide show
  1. package/README.md +76 -97
  2. package/bin/install.js +267 -250
  3. package/manifest.json +5 -18
  4. package/package.json +5 -7
  5. package/src/agents/build-error-resolver.md +114 -0
  6. package/src/agents/ccp-advisor-researcher.md +104 -0
  7. package/src/agents/ccp-assumptions-analyzer.md +105 -0
  8. package/{gsd/agents/gsd-codebase-mapper.md → src/agents/ccp-codebase-mapper.md} +7 -7
  9. package/{gsd/agents/gsd-debugger.md → src/agents/ccp-debugger.md} +125 -8
  10. package/{gsd/agents/gsd-executor.md → src/agents/ccp-executor.md} +31 -20
  11. package/{gsd/agents/gsd-integration-checker.md → src/agents/ccp-integration-checker.md} +2 -2
  12. package/{gsd/agents/gsd-nyquist-auditor.md → src/agents/ccp-nyquist-auditor.md} +3 -3
  13. package/{gsd/agents/gsd-phase-researcher.md → src/agents/ccp-phase-researcher.md} +127 -13
  14. package/{gsd/agents/gsd-plan-checker.md → src/agents/ccp-plan-checker.md} +57 -21
  15. package/{gsd/agents/gsd-planner.md → src/agents/ccp-planner.md} +61 -23
  16. package/{gsd/agents/gsd-project-researcher.md → src/agents/ccp-project-researcher.md} +33 -6
  17. package/{gsd/agents/gsd-research-synthesizer.md → src/agents/ccp-research-synthesizer.md} +11 -11
  18. package/{gsd/agents/gsd-roadmapper.md → src/agents/ccp-roadmapper.md} +39 -10
  19. package/src/agents/ccp-ui-auditor.md +439 -0
  20. package/src/agents/ccp-ui-checker.md +300 -0
  21. package/src/agents/ccp-ui-researcher.md +357 -0
  22. package/{gsd/agents/gsd-verifier.md → src/agents/ccp-verifier.md} +81 -15
  23. package/src/agents/cpp-build-resolver.md +90 -0
  24. package/src/agents/cpp-reviewer.md +72 -0
  25. package/src/agents/database-reviewer.md +91 -0
  26. package/{ecc → src}/agents/doc-updater.md +1 -1
  27. package/src/agents/docs-lookup.md +68 -0
  28. package/src/agents/flutter-reviewer.md +243 -0
  29. package/src/agents/gan-evaluator.md +209 -0
  30. package/src/agents/gan-generator.md +131 -0
  31. package/src/agents/gan-planner.md +99 -0
  32. package/src/agents/go-build-resolver.md +94 -0
  33. package/src/agents/go-reviewer.md +76 -0
  34. package/src/agents/harness-optimizer.md +35 -0
  35. package/src/agents/java-build-resolver.md +153 -0
  36. package/src/agents/java-reviewer.md +92 -0
  37. package/src/agents/kotlin-build-resolver.md +118 -0
  38. package/src/agents/kotlin-reviewer.md +159 -0
  39. package/src/agents/loop-operator.md +36 -0
  40. package/src/agents/opensource-forker.md +198 -0
  41. package/src/agents/opensource-packager.md +249 -0
  42. package/src/agents/opensource-sanitizer.md +188 -0
  43. package/src/agents/performance-optimizer.md +446 -0
  44. package/src/agents/planner.md +212 -0
  45. package/src/agents/python-reviewer.md +98 -0
  46. package/src/agents/pytorch-build-resolver.md +120 -0
  47. package/src/agents/refactor-cleaner.md +85 -0
  48. package/src/agents/rust-build-resolver.md +148 -0
  49. package/src/agents/rust-reviewer.md +94 -0
  50. package/src/agents/typescript-reviewer.md +112 -0
  51. package/src/available-rules/README.md +80 -0
  52. package/src/available-rules/cpp/coding-style.md +44 -0
  53. package/src/available-rules/cpp/hooks.md +39 -0
  54. package/src/available-rules/cpp/patterns.md +51 -0
  55. package/src/available-rules/cpp/security.md +51 -0
  56. package/src/available-rules/cpp/testing.md +44 -0
  57. package/src/available-rules/csharp/coding-style.md +72 -0
  58. package/src/available-rules/csharp/hooks.md +25 -0
  59. package/src/available-rules/csharp/patterns.md +50 -0
  60. package/src/available-rules/csharp/security.md +58 -0
  61. package/src/available-rules/csharp/testing.md +46 -0
  62. package/src/available-rules/java/coding-style.md +114 -0
  63. package/src/available-rules/java/hooks.md +18 -0
  64. package/src/available-rules/java/patterns.md +146 -0
  65. package/src/available-rules/java/security.md +100 -0
  66. package/src/available-rules/java/testing.md +131 -0
  67. package/src/available-rules/kotlin/hooks.md +17 -0
  68. package/src/available-rules/rust/coding-style.md +151 -0
  69. package/src/available-rules/rust/hooks.md +16 -0
  70. package/src/available-rules/rust/patterns.md +168 -0
  71. package/src/available-rules/rust/security.md +141 -0
  72. package/src/available-rules/rust/testing.md +154 -0
  73. package/src/commands/ccp/add-backlog.md +76 -0
  74. package/{gsd/commands-gsd → src/commands/ccp}/add-phase.md +3 -3
  75. package/{gsd/commands-gsd → src/commands/ccp}/add-tests.md +5 -5
  76. package/{gsd/commands-gsd → src/commands/ccp}/add-todo.md +4 -4
  77. package/src/commands/ccp/aside.md +165 -0
  78. package/{gsd/commands-gsd → src/commands/ccp}/audit-milestone.md +3 -3
  79. package/src/commands/ccp/audit-uat.md +24 -0
  80. package/src/commands/ccp/autonomous.md +41 -0
  81. package/src/commands/ccp/build-fix.md +67 -0
  82. package/{gsd/commands-gsd → src/commands/ccp}/check-todos.md +3 -3
  83. package/{ecc/commands → src/commands/ccp}/checkpoint.md +12 -7
  84. package/{gsd/commands-gsd → src/commands/ccp}/cleanup.md +3 -3
  85. package/src/commands/ccp/code-review.md +45 -0
  86. package/{gsd/commands-gsd → src/commands/ccp}/complete-milestone.md +9 -9
  87. package/src/commands/ccp/context-budget.md +30 -0
  88. package/src/commands/ccp/cpp-build.md +174 -0
  89. package/src/commands/ccp/cpp-review.md +133 -0
  90. package/src/commands/ccp/cpp-test.md +252 -0
  91. package/{gsd/commands-gsd → src/commands/ccp}/debug.md +14 -9
  92. package/src/commands/ccp/discuss-phase.md +64 -0
  93. package/src/commands/ccp/do.md +30 -0
  94. package/src/commands/ccp/docs-update.md +48 -0
  95. package/src/commands/ccp/docs.md +32 -0
  96. package/src/commands/ccp/e2e.md +365 -0
  97. package/src/commands/ccp/eval.md +125 -0
  98. package/{ecc/commands → src/commands/ccp}/evolve.md +5 -5
  99. package/src/commands/ccp/execute-phase.md +59 -0
  100. package/src/commands/ccp/fast.md +30 -0
  101. package/src/commands/ccp/forensics.md +56 -0
  102. package/src/commands/ccp/go-build.md +184 -0
  103. package/src/commands/ccp/go-review.md +149 -0
  104. package/src/commands/ccp/go-test.md +269 -0
  105. package/src/commands/ccp/gradle-build.md +71 -0
  106. package/src/commands/ccp/harness-audit.md +76 -0
  107. package/{gsd/commands-gsd → src/commands/ccp}/health.md +3 -3
  108. package/{gsd/commands-gsd → src/commands/ccp}/help.md +5 -5
  109. package/{gsd/commands-gsd → src/commands/ccp}/insert-phase.md +3 -3
  110. package/src/commands/ccp/kotlin-build.md +175 -0
  111. package/src/commands/ccp/kotlin-review.md +141 -0
  112. package/src/commands/ccp/kotlin-test.md +313 -0
  113. package/{ecc/commands → src/commands/ccp}/learn.md +7 -2
  114. package/{gsd/commands-gsd → src/commands/ccp}/list-phase-assumptions.md +2 -2
  115. package/src/commands/ccp/manager.md +39 -0
  116. package/{gsd/commands-gsd → src/commands/ccp}/map-codebase.md +7 -7
  117. package/src/commands/ccp/milestone-summary.md +51 -0
  118. package/{ecc/commands → src/commands/ccp}/model-route.md +6 -1
  119. package/{gsd/commands-gsd → src/commands/ccp}/new-milestone.md +8 -8
  120. package/{gsd/commands-gsd → src/commands/ccp}/new-project.md +8 -8
  121. package/src/commands/ccp/next.md +24 -0
  122. package/src/commands/ccp/note.md +34 -0
  123. package/src/commands/ccp/orchestrate.md +232 -0
  124. package/{gsd/commands-gsd → src/commands/ccp}/pause-work.md +3 -3
  125. package/{gsd/commands-gsd → src/commands/ccp}/plan-milestone-gaps.md +5 -5
  126. package/{gsd/commands-gsd → src/commands/ccp}/plan-phase.md +9 -7
  127. package/src/commands/ccp/plan.md +115 -0
  128. package/src/commands/ccp/plant-seed.md +28 -0
  129. package/src/commands/ccp/pr-branch.md +25 -0
  130. package/src/commands/ccp/profile-user.md +46 -0
  131. package/{gsd/commands-gsd → src/commands/ccp}/progress.md +3 -3
  132. package/src/commands/ccp/prompt-optimize.md +39 -0
  133. package/src/commands/ccp/prune.md +25 -0
  134. package/src/commands/ccp/python-review.md +298 -0
  135. package/{ecc/commands → src/commands/ccp}/quality-gate.md +7 -2
  136. package/{gsd/commands-gsd → src/commands/ccp}/quick.md +10 -8
  137. package/src/commands/ccp/refactor-clean.md +85 -0
  138. package/{gsd/commands-gsd → src/commands/ccp}/remove-phase.md +3 -3
  139. package/{gsd/commands-gsd → src/commands/ccp}/research-phase.md +17 -12
  140. package/{ecc/commands → src/commands/ccp}/resume-session.md +9 -8
  141. package/{gsd/commands-gsd → src/commands/ccp}/resume-work.md +3 -3
  142. package/src/commands/ccp/review-backlog.md +61 -0
  143. package/src/commands/ccp/review.md +37 -0
  144. package/src/commands/ccp/rules-distill.md +12 -0
  145. package/src/commands/ccp/rust-build.md +188 -0
  146. package/src/commands/ccp/rust-review.md +143 -0
  147. package/src/commands/ccp/rust-test.md +309 -0
  148. package/{ecc/commands → src/commands/ccp}/save-session.md +2 -1
  149. package/src/commands/ccp/secure-phase.md +35 -0
  150. package/src/commands/ccp/session-report.md +19 -0
  151. package/{ecc/commands → src/commands/ccp}/sessions.md +39 -34
  152. package/src/commands/ccp/set-profile.md +12 -0
  153. package/{gsd/commands-gsd → src/commands/ccp}/settings.md +5 -5
  154. package/src/commands/ccp/setup-pm.md +81 -0
  155. package/{kit/commands → src/commands/ccp}/setup-refresh.md +4 -3
  156. package/{kit/commands → src/commands/ccp}/setup.md +67 -40
  157. package/src/commands/ccp/ship.md +23 -0
  158. package/src/commands/ccp/skill-create.md +172 -0
  159. package/src/commands/ccp/skill-health.md +51 -0
  160. package/src/commands/ccp/stats.md +18 -0
  161. package/src/commands/ccp/tdd.md +329 -0
  162. package/src/commands/ccp/test-coverage.md +74 -0
  163. package/src/commands/ccp/thread.md +127 -0
  164. package/{kit/commands → src/commands/ccp}/tool-guide.md +2 -1
  165. package/src/commands/ccp/ui-phase.md +34 -0
  166. package/src/commands/ccp/ui-review.md +32 -0
  167. package/src/commands/ccp/update-codemaps.md +77 -0
  168. package/src/commands/ccp/update-docs.md +89 -0
  169. package/{gsd/commands-gsd → src/commands/ccp}/update.md +5 -5
  170. package/{gsd/commands-gsd → src/commands/ccp}/validate-phase.md +3 -3
  171. package/{gsd/commands-gsd → src/commands/ccp}/verify-work.md +5 -5
  172. package/{ecc/commands → src/commands/ccp}/verify.md +5 -0
  173. package/src/commands/ccp/workstreams.md +68 -0
  174. package/{ecc → src}/examples/CLAUDE.md +4 -4
  175. package/{ecc → src}/examples/django-api-CLAUDE.md +5 -5
  176. package/{ecc → src}/examples/go-microservice-CLAUDE.md +6 -6
  177. package/{ecc → src}/examples/rust-api-CLAUDE.md +4 -4
  178. package/{ecc → src}/examples/saas-nextjs-CLAUDE.md +8 -8
  179. package/{gsd/hooks/gsd-context-monitor.js → src/hooks/ccp-context-monitor.js} +3 -3
  180. package/src/hooks/ccp-prompt-guard.js +96 -0
  181. package/{gsd/hooks/gsd-statusline.js → src/hooks/ccp-statusline.js} +7 -7
  182. package/src/hooks/ccp-workflow-guard.js +94 -0
  183. package/src/hooks/config-protection.js +141 -0
  184. package/{kit → src}/hooks/kit-check-update.js +7 -4
  185. package/src/hooks/mcp-health-check.js +620 -0
  186. package/{ecc/scripts → src}/hooks/run-with-flags-shell.sh +1 -1
  187. package/{ecc/scripts → src}/hooks/run-with-flags.js +74 -13
  188. package/src/hooks/session-end-marker.js +29 -0
  189. package/{ecc/scripts → src}/hooks/session-end.js +83 -40
  190. package/{ecc/scripts → src}/hooks/session-start.js +76 -10
  191. package/{ecc/scripts → src}/lib/hook-flags.js +8 -4
  192. package/{ecc/scripts → src}/lib/project-detect.js +2 -1
  193. package/{ecc/scripts → src}/lib/session-manager.d.ts +5 -1
  194. package/{ecc/scripts → src}/lib/session-manager.js +202 -92
  195. package/{ecc/scripts → src}/lib/utils.d.ts +23 -1
  196. package/{ecc/scripts → src}/lib/utils.js +91 -3
  197. package/{gsd/get-shit-done/bin/gsd-tools.cjs → src/pilot/bin/ccp-tools.cjs} +257 -86
  198. package/{gsd/get-shit-done → src/pilot}/bin/lib/commands.cjs +1 -1
  199. package/src/pilot/bin/lib/config.cjs +444 -0
  200. package/src/pilot/bin/lib/core.cjs +1190 -0
  201. package/src/pilot/bin/lib/init.cjs +1281 -0
  202. package/src/pilot/bin/lib/model-profiles.cjs +67 -0
  203. package/{gsd/get-shit-done → src/pilot}/bin/lib/phase.cjs +2 -2
  204. package/src/pilot/bin/lib/security.cjs +382 -0
  205. package/{gsd/get-shit-done → src/pilot}/bin/lib/state.cjs +1 -1
  206. package/src/pilot/bin/lib/uat.cjs +282 -0
  207. package/{gsd/get-shit-done → src/pilot}/bin/lib/verify.cjs +10 -10
  208. package/{gsd/get-shit-done → src/pilot}/references/continuation-format.md +16 -16
  209. package/{gsd/get-shit-done → src/pilot}/references/decimal-phase-calculation.md +5 -5
  210. package/{gsd/get-shit-done → src/pilot}/references/git-integration.md +5 -5
  211. package/{gsd/get-shit-done → src/pilot}/references/git-planning-commit.md +4 -4
  212. package/src/pilot/references/mcp-servers.json +153 -0
  213. package/{gsd/get-shit-done → src/pilot}/references/model-profile-resolution.md +2 -2
  214. package/{gsd/get-shit-done → src/pilot}/references/model-profiles.md +20 -20
  215. package/{gsd/get-shit-done → src/pilot}/references/phase-argument-parsing.md +4 -4
  216. package/{gsd/get-shit-done → src/pilot}/references/planning-config.md +15 -15
  217. package/{gsd/get-shit-done → src/pilot}/references/ui-brand.md +5 -5
  218. package/{gsd/get-shit-done → src/pilot}/references/verification-patterns.md +1 -1
  219. package/{gsd/get-shit-done → src/pilot}/templates/DEBUG.md +1 -1
  220. package/{gsd/get-shit-done → src/pilot}/templates/UAT.md +3 -3
  221. package/src/pilot/templates/UI-SPEC.md +100 -0
  222. package/{gsd/get-shit-done → src/pilot}/templates/VALIDATION.md +1 -1
  223. package/src/pilot/templates/claude-md.md +122 -0
  224. package/{gsd/get-shit-done → src/pilot}/templates/codebase/architecture.md +2 -2
  225. package/{gsd/get-shit-done → src/pilot}/templates/codebase/structure.md +13 -13
  226. package/{gsd/get-shit-done → src/pilot}/templates/context.md +4 -4
  227. package/src/pilot/templates/copilot-instructions.md +7 -0
  228. package/{gsd/get-shit-done → src/pilot}/templates/debug-subagent-prompt.md +4 -4
  229. package/src/pilot/templates/dev-preferences.md +21 -0
  230. package/{gsd/get-shit-done → src/pilot}/templates/discovery.md +2 -2
  231. package/src/pilot/templates/discussion-log.md +63 -0
  232. package/{gsd/get-shit-done → src/pilot}/templates/phase-prompt.md +12 -12
  233. package/{gsd/get-shit-done → src/pilot}/templates/planner-subagent-prompt.md +7 -7
  234. package/{gsd/get-shit-done → src/pilot}/templates/project.md +1 -1
  235. package/{gsd/get-shit-done → src/pilot}/templates/research.md +2 -2
  236. package/{gsd/get-shit-done → src/pilot}/templates/state.md +2 -2
  237. package/{gsd/get-shit-done → src/pilot}/templates/summary-complex.md +1 -1
  238. package/{gsd/get-shit-done → src/pilot}/workflows/add-phase.md +11 -11
  239. package/{gsd/get-shit-done → src/pilot}/workflows/add-tests.md +15 -15
  240. package/{gsd/get-shit-done → src/pilot}/workflows/add-todo.md +7 -7
  241. package/{gsd/get-shit-done → src/pilot}/workflows/audit-milestone.md +24 -16
  242. package/src/pilot/workflows/audit-uat.md +109 -0
  243. package/src/pilot/workflows/autonomous.md +891 -0
  244. package/{gsd/get-shit-done → src/pilot}/workflows/check-todos.md +10 -10
  245. package/{gsd/get-shit-done → src/pilot}/workflows/cleanup.md +3 -3
  246. package/{gsd/get-shit-done → src/pilot}/workflows/complete-milestone.md +19 -16
  247. package/{gsd/get-shit-done → src/pilot}/workflows/diagnose-issues.md +9 -4
  248. package/{gsd/get-shit-done → src/pilot}/workflows/discovery-phase.md +8 -8
  249. package/src/pilot/workflows/discuss-phase-assumptions.md +653 -0
  250. package/{gsd/get-shit-done → src/pilot}/workflows/discuss-phase.md +407 -49
  251. package/src/pilot/workflows/do.md +104 -0
  252. package/src/pilot/workflows/docs-update.md +1165 -0
  253. package/src/pilot/workflows/execute-phase.md +821 -0
  254. package/{gsd/get-shit-done → src/pilot}/workflows/execute-plan.md +79 -28
  255. package/src/pilot/workflows/fast.md +105 -0
  256. package/src/pilot/workflows/forensics.md +265 -0
  257. package/{gsd/get-shit-done → src/pilot}/workflows/health.md +34 -11
  258. package/src/pilot/workflows/help.md +767 -0
  259. package/{gsd/get-shit-done → src/pilot}/workflows/insert-phase.md +10 -10
  260. package/{gsd/get-shit-done → src/pilot}/workflows/list-phase-assumptions.md +4 -4
  261. package/src/pilot/workflows/manager.md +362 -0
  262. package/{gsd/get-shit-done → src/pilot}/workflows/map-codebase.md +27 -17
  263. package/src/pilot/workflows/milestone-summary.md +223 -0
  264. package/{gsd/get-shit-done → src/pilot}/workflows/new-milestone.md +135 -33
  265. package/{gsd/get-shit-done → src/pilot}/workflows/new-project.md +152 -79
  266. package/src/pilot/workflows/next.md +97 -0
  267. package/src/pilot/workflows/node-repair.md +92 -0
  268. package/src/pilot/workflows/note.md +156 -0
  269. package/src/pilot/workflows/pause-work.md +177 -0
  270. package/{gsd/get-shit-done → src/pilot}/workflows/plan-milestone-gaps.md +10 -11
  271. package/src/pilot/workflows/plan-phase.md +859 -0
  272. package/src/pilot/workflows/plant-seed.md +169 -0
  273. package/src/pilot/workflows/pr-branch.md +129 -0
  274. package/src/pilot/workflows/profile-user.md +452 -0
  275. package/{gsd/get-shit-done → src/pilot}/workflows/progress.md +95 -34
  276. package/{gsd/get-shit-done → src/pilot}/workflows/quick.md +33 -21
  277. package/{gsd/get-shit-done → src/pilot}/workflows/remove-phase.md +14 -14
  278. package/{gsd/get-shit-done → src/pilot}/workflows/research-phase.md +18 -10
  279. package/{gsd/get-shit-done → src/pilot}/workflows/resume-project.md +37 -18
  280. package/src/pilot/workflows/review.md +244 -0
  281. package/src/pilot/workflows/secure-phase.md +164 -0
  282. package/src/pilot/workflows/session-report.md +146 -0
  283. package/{gsd/get-shit-done → src/pilot}/workflows/set-profile.md +7 -7
  284. package/{gsd/get-shit-done → src/pilot}/workflows/settings.md +75 -22
  285. package/src/pilot/workflows/ship.md +228 -0
  286. package/src/pilot/workflows/stats.md +60 -0
  287. package/{gsd/get-shit-done → src/pilot}/workflows/transition.md +57 -17
  288. package/src/pilot/workflows/ui-phase.md +302 -0
  289. package/src/pilot/workflows/ui-review.md +165 -0
  290. package/{gsd/get-shit-done → src/pilot}/workflows/update.md +88 -58
  291. package/{gsd/get-shit-done → src/pilot}/workflows/validate-phase.md +24 -17
  292. package/{gsd/get-shit-done → src/pilot}/workflows/verify-phase.md +26 -15
  293. package/{gsd/get-shit-done → src/pilot}/workflows/verify-work.md +89 -37
  294. package/{ecc → src}/rules/common/agents.md +1 -0
  295. package/src/rules/common/code-review.md +124 -0
  296. package/{ecc → src}/rules/common/coding-style.md +21 -0
  297. package/src/rules/zh/README.md +108 -0
  298. package/src/rules/zh/agents.md +50 -0
  299. package/src/rules/zh/code-review.md +124 -0
  300. package/src/rules/zh/coding-style.md +48 -0
  301. package/src/rules/zh/development-workflow.md +44 -0
  302. package/src/rules/zh/git-workflow.md +24 -0
  303. package/src/rules/zh/hooks.md +30 -0
  304. package/src/rules/zh/patterns.md +31 -0
  305. package/src/rules/zh/performance.md +55 -0
  306. package/src/rules/zh/security.md +29 -0
  307. package/src/rules/zh/testing.md +29 -0
  308. package/src/skills/agentic-engineering/SKILL.md +63 -0
  309. package/src/skills/ai-first-engineering/SKILL.md +51 -0
  310. package/src/skills/ai-regression-testing/SKILL.md +385 -0
  311. package/src/skills/api-design/SKILL.md +523 -0
  312. package/src/skills/architecture-decision-records/SKILL.md +179 -0
  313. package/src/skills/autonomous-agent-harness/SKILL.md +267 -0
  314. package/src/skills/autonomous-loops/SKILL.md +610 -0
  315. package/src/skills/backend-patterns/SKILL.md +598 -0
  316. package/src/skills/benchmark/SKILL.md +87 -0
  317. package/src/skills/blueprint/SKILL.md +90 -0
  318. package/src/skills/browser-qa/SKILL.md +81 -0
  319. package/src/skills/bun-runtime/SKILL.md +84 -0
  320. package/src/skills/claude-api/SKILL.md +337 -0
  321. package/src/skills/codebase-onboarding/SKILL.md +233 -0
  322. package/src/skills/coding-standards/SKILL.md +530 -0
  323. package/src/skills/content-hash-cache-pattern/SKILL.md +161 -0
  324. package/src/skills/context-budget/SKILL.md +135 -0
  325. package/{ecc → src}/skills/continuous-learning-v2/SKILL.md +6 -6
  326. package/{ecc → src}/skills/continuous-learning-v2/agents/observer-loop.sh +1 -1
  327. package/{ecc → src}/skills/continuous-learning-v2/agents/observer.md +1 -1
  328. package/src/skills/cost-aware-llm-pipeline/SKILL.md +183 -0
  329. package/src/skills/cpp-coding-standards/SKILL.md +723 -0
  330. package/src/skills/cpp-testing/SKILL.md +324 -0
  331. package/src/skills/database-migrations/SKILL.md +429 -0
  332. package/src/skills/deep-research/SKILL.md +155 -0
  333. package/src/skills/deployment-patterns/SKILL.md +427 -0
  334. package/src/skills/design-system/SKILL.md +82 -0
  335. package/src/skills/django-patterns/SKILL.md +734 -0
  336. package/src/skills/django-security/SKILL.md +593 -0
  337. package/src/skills/django-tdd/SKILL.md +729 -0
  338. package/src/skills/django-verification/SKILL.md +469 -0
  339. package/src/skills/docker-patterns/SKILL.md +364 -0
  340. package/src/skills/documentation-lookup/SKILL.md +90 -0
  341. package/src/skills/e2e-testing/SKILL.md +326 -0
  342. package/src/skills/eval-harness/SKILL.md +270 -0
  343. package/src/skills/exa-search/SKILL.md +103 -0
  344. package/src/skills/flutter-dart-code-review/SKILL.md +435 -0
  345. package/src/skills/frontend-patterns/SKILL.md +642 -0
  346. package/src/skills/gan-style-harness/SKILL.md +278 -0
  347. package/src/skills/git-workflow/SKILL.md +715 -0
  348. package/src/skills/golang-patterns/SKILL.md +674 -0
  349. package/src/skills/golang-testing/SKILL.md +720 -0
  350. package/src/skills/hexagonal-architecture/SKILL.md +276 -0
  351. package/src/skills/iterative-retrieval/SKILL.md +211 -0
  352. package/src/skills/java-coding-standards/SKILL.md +147 -0
  353. package/src/skills/jpa-patterns/SKILL.md +151 -0
  354. package/src/skills/kotlin-coroutines-flows/SKILL.md +284 -0
  355. package/src/skills/kotlin-exposed-patterns/SKILL.md +719 -0
  356. package/src/skills/kotlin-ktor-patterns/SKILL.md +689 -0
  357. package/src/skills/kotlin-patterns/SKILL.md +711 -0
  358. package/src/skills/kotlin-testing/SKILL.md +824 -0
  359. package/src/skills/laravel-patterns/SKILL.md +415 -0
  360. package/src/skills/laravel-plugin-discovery/SKILL.md +229 -0
  361. package/src/skills/laravel-security/SKILL.md +285 -0
  362. package/src/skills/laravel-tdd/SKILL.md +283 -0
  363. package/src/skills/laravel-verification/SKILL.md +179 -0
  364. package/src/skills/mcp-server-patterns/SKILL.md +67 -0
  365. package/src/skills/nextjs-turbopack/SKILL.md +44 -0
  366. package/src/skills/nuxt4-patterns/SKILL.md +100 -0
  367. package/src/skills/opensource-pipeline/SKILL.md +255 -0
  368. package/src/skills/perl-patterns/SKILL.md +504 -0
  369. package/src/skills/perl-security/SKILL.md +503 -0
  370. package/src/skills/perl-testing/SKILL.md +475 -0
  371. package/src/skills/postgres-patterns/SKILL.md +147 -0
  372. package/src/skills/project-flow-ops/SKILL.md +111 -0
  373. package/src/skills/project-guidelines-example/SKILL.md +349 -0
  374. package/src/skills/prompt-optimizer/SKILL.md +397 -0
  375. package/src/skills/python-patterns/SKILL.md +750 -0
  376. package/src/skills/python-testing/SKILL.md +816 -0
  377. package/src/skills/pytorch-patterns/SKILL.md +396 -0
  378. package/src/skills/regex-vs-llm-structured-text/SKILL.md +220 -0
  379. package/src/skills/repo-scan/SKILL.md +78 -0
  380. package/src/skills/rules-distill/SKILL.md +264 -0
  381. package/src/skills/rules-distill/scripts/scan-rules.sh +58 -0
  382. package/src/skills/rules-distill/scripts/scan-skills.sh +129 -0
  383. package/src/skills/rust-patterns/SKILL.md +499 -0
  384. package/src/skills/rust-testing/SKILL.md +500 -0
  385. package/src/skills/safety-guard/SKILL.md +69 -0
  386. package/src/skills/search-first/SKILL.md +161 -0
  387. package/src/skills/security-review/SKILL.md +495 -0
  388. package/src/skills/security-review/cloud-infrastructure-security.md +361 -0
  389. package/src/skills/security-scan/SKILL.md +165 -0
  390. package/src/skills/springboot-patterns/SKILL.md +314 -0
  391. package/src/skills/springboot-security/SKILL.md +272 -0
  392. package/src/skills/springboot-tdd/SKILL.md +158 -0
  393. package/src/skills/springboot-verification/SKILL.md +231 -0
  394. package/src/skills/swift-concurrency-6-2/SKILL.md +216 -0
  395. package/src/skills/tdd-workflow/SKILL.md +410 -0
  396. package/src/skills/token-budget-advisor/SKILL.md +133 -0
  397. package/{ecc/skills/verification-loop-SKILL.md → src/skills/verification-loop/SKILL.md} +1 -1
  398. package/src/skills/workspace-surface-audit/SKILL.md +125 -0
  399. package/ecc/scripts/hooks/session-end-marker.js +0 -15
  400. package/gsd/LICENSE +0 -21
  401. package/gsd/commands-gsd/discuss-phase.md +0 -90
  402. package/gsd/commands-gsd/execute-phase.md +0 -41
  403. package/gsd/commands-gsd/join-discord.md +0 -18
  404. package/gsd/commands-gsd/reapply-patches.md +0 -123
  405. package/gsd/commands-gsd/set-profile.md +0 -34
  406. package/gsd/get-shit-done/bin/lib/config.cjs +0 -169
  407. package/gsd/get-shit-done/bin/lib/core.cjs +0 -492
  408. package/gsd/get-shit-done/bin/lib/init.cjs +0 -710
  409. package/gsd/get-shit-done/workflows/execute-phase.md +0 -459
  410. package/gsd/get-shit-done/workflows/help.md +0 -489
  411. package/gsd/get-shit-done/workflows/pause-work.md +0 -122
  412. package/gsd/get-shit-done/workflows/plan-phase.md +0 -560
  413. package/gsd/hooks/gsd-check-update.js +0 -81
  414. package/kit/CLAUDE.md +0 -43
  415. package/kit/commands/kit/update.md +0 -46
  416. package/kit/mcp.json +0 -10
  417. package/kit/rules/code-style.md +0 -24
  418. /package/{ecc → src}/agents/architect.md +0 -0
  419. /package/{ecc → src}/agents/code-reviewer.md +0 -0
  420. /package/{ecc → src}/agents/e2e-runner.md +0 -0
  421. /package/{ecc → src}/agents/security-reviewer.md +0 -0
  422. /package/{ecc → src}/agents/tdd-guide.md +0 -0
  423. /package/{ecc/rules → src/available-rules}/golang/coding-style.md +0 -0
  424. /package/{ecc/rules → src/available-rules}/golang/hooks.md +0 -0
  425. /package/{ecc/rules → src/available-rules}/golang/patterns.md +0 -0
  426. /package/{ecc/rules → src/available-rules}/golang/security.md +0 -0
  427. /package/{ecc/rules → src/available-rules}/golang/testing.md +0 -0
  428. /package/{ecc/rules → src/available-rules}/kotlin/coding-style.md +0 -0
  429. /package/{ecc/rules → src/available-rules}/kotlin/patterns.md +0 -0
  430. /package/{ecc/rules → src/available-rules}/kotlin/security.md +0 -0
  431. /package/{ecc/rules → src/available-rules}/kotlin/testing.md +0 -0
  432. /package/{ecc/rules → src/available-rules}/perl/coding-style.md +0 -0
  433. /package/{ecc/rules → src/available-rules}/perl/hooks.md +0 -0
  434. /package/{ecc/rules → src/available-rules}/perl/patterns.md +0 -0
  435. /package/{ecc/rules → src/available-rules}/perl/security.md +0 -0
  436. /package/{ecc/rules → src/available-rules}/perl/testing.md +0 -0
  437. /package/{ecc/rules → src/available-rules}/php/coding-style.md +0 -0
  438. /package/{ecc/rules → src/available-rules}/php/hooks.md +0 -0
  439. /package/{ecc/rules → src/available-rules}/php/patterns.md +0 -0
  440. /package/{ecc/rules → src/available-rules}/php/security.md +0 -0
  441. /package/{ecc/rules → src/available-rules}/php/testing.md +0 -0
  442. /package/{ecc/rules → src/available-rules}/python/coding-style.md +0 -0
  443. /package/{ecc/rules → src/available-rules}/python/hooks.md +0 -0
  444. /package/{ecc/rules → src/available-rules}/python/patterns.md +0 -0
  445. /package/{ecc/rules → src/available-rules}/python/security.md +0 -0
  446. /package/{ecc/rules → src/available-rules}/python/testing.md +0 -0
  447. /package/{ecc/rules → src/available-rules}/swift/coding-style.md +0 -0
  448. /package/{ecc/rules → src/available-rules}/swift/hooks.md +0 -0
  449. /package/{ecc/rules → src/available-rules}/swift/patterns.md +0 -0
  450. /package/{ecc/rules → src/available-rules}/swift/security.md +0 -0
  451. /package/{ecc/rules → src/available-rules}/swift/testing.md +0 -0
  452. /package/{ecc/rules → src/available-rules}/typescript/coding-style.md +0 -0
  453. /package/{ecc/rules → src/available-rules}/typescript/hooks.md +0 -0
  454. /package/{ecc/rules → src/available-rules}/typescript/patterns.md +0 -0
  455. /package/{ecc/rules → src/available-rules}/typescript/security.md +0 -0
  456. /package/{ecc/rules → src/available-rules}/typescript/testing.md +0 -0
  457. /package/{ecc → src}/contexts/dev.md +0 -0
  458. /package/{ecc → src}/contexts/research.md +0 -0
  459. /package/{ecc → src}/contexts/review.md +0 -0
  460. /package/{ecc → src}/examples/user-CLAUDE.md +0 -0
  461. /package/{ecc/scripts → src}/hooks/check-hook-enabled.js +0 -0
  462. /package/{ecc/scripts → src}/hooks/evaluate-session.js +0 -0
  463. /package/{ecc/scripts → src}/hooks/pre-compact.js +0 -0
  464. /package/{ecc/scripts → src}/hooks/suggest-compact.js +0 -0
  465. /package/{ecc/scripts → src}/lib/package-manager.d.ts +0 -0
  466. /package/{ecc/scripts → src}/lib/package-manager.js +0 -0
  467. /package/{ecc/scripts → src}/lib/resolve-formatter.js +0 -0
  468. /package/{ecc/scripts → src}/lib/session-aliases.d.ts +0 -0
  469. /package/{ecc/scripts → src}/lib/session-aliases.js +0 -0
  470. /package/{ecc/scripts → src}/lib/shell-split.js +0 -0
  471. /package/{gsd/get-shit-done → src/pilot}/bin/lib/frontmatter.cjs +0 -0
  472. /package/{gsd/get-shit-done → src/pilot}/bin/lib/milestone.cjs +0 -0
  473. /package/{gsd/get-shit-done → src/pilot}/bin/lib/roadmap.cjs +0 -0
  474. /package/{gsd/get-shit-done → src/pilot}/bin/lib/template.cjs +0 -0
  475. /package/{gsd/get-shit-done → src/pilot}/references/checkpoints.md +0 -0
  476. /package/{gsd/get-shit-done → src/pilot}/references/questioning.md +0 -0
  477. /package/{gsd/get-shit-done → src/pilot}/references/tdd.md +0 -0
  478. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/concerns.md +0 -0
  479. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/conventions.md +0 -0
  480. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/integrations.md +0 -0
  481. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/stack.md +0 -0
  482. /package/{gsd/get-shit-done → src/pilot}/templates/codebase/testing.md +0 -0
  483. /package/{gsd/get-shit-done → src/pilot}/templates/config.json +0 -0
  484. /package/{gsd/get-shit-done → src/pilot}/templates/continue-here.md +0 -0
  485. /package/{gsd/get-shit-done → src/pilot}/templates/milestone-archive.md +0 -0
  486. /package/{gsd/get-shit-done → src/pilot}/templates/milestone.md +0 -0
  487. /package/{gsd/get-shit-done → src/pilot}/templates/requirements.md +0 -0
  488. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/ARCHITECTURE.md +0 -0
  489. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/FEATURES.md +0 -0
  490. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/PITFALLS.md +0 -0
  491. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/STACK.md +0 -0
  492. /package/{gsd/get-shit-done → src/pilot}/templates/research-project/SUMMARY.md +0 -0
  493. /package/{gsd/get-shit-done → src/pilot}/templates/retrospective.md +0 -0
  494. /package/{gsd/get-shit-done → src/pilot}/templates/roadmap.md +0 -0
  495. /package/{gsd/get-shit-done → src/pilot}/templates/summary-minimal.md +0 -0
  496. /package/{gsd/get-shit-done → src/pilot}/templates/summary-standard.md +0 -0
  497. /package/{gsd/get-shit-done → src/pilot}/templates/summary.md +0 -0
  498. /package/{gsd/get-shit-done → src/pilot}/templates/user-setup.md +0 -0
  499. /package/{gsd/get-shit-done → src/pilot}/templates/verification-report.md +0 -0
  500. /package/{ecc → src}/rules/common/development-workflow.md +0 -0
  501. /package/{ecc → src}/rules/common/git-workflow.md +0 -0
  502. /package/{ecc → src}/rules/common/hooks.md +0 -0
  503. /package/{ecc → src}/rules/common/patterns.md +0 -0
  504. /package/{ecc → src}/rules/common/performance.md +0 -0
  505. /package/{ecc → src}/rules/common/security.md +0 -0
  506. /package/{ecc → src}/rules/common/testing.md +0 -0
  507. /package/{ecc → src}/skills/continuous-learning-v2/agents/start-observer.sh +0 -0
  508. /package/{ecc → src}/skills/continuous-learning-v2/config.json +0 -0
  509. /package/{ecc → src}/skills/continuous-learning-v2/hooks/observe.sh +0 -0
  510. /package/{ecc → src}/skills/continuous-learning-v2/scripts/detect-project.sh +0 -0
  511. /package/{ecc → src}/skills/continuous-learning-v2/scripts/instinct-cli.py +0 -0
  512. /package/{ecc → src}/skills/continuous-learning-v2/scripts/test_parse_instinct.py +0 -0
  513. /package/{ecc → src}/skills/strategic-compact/SKILL.md +0 -0
  514. /package/{ecc → src}/skills/strategic-compact/suggest-compact.sh +0 -0
@@ -0,0 +1,161 @@
1
+ ---
2
+ name: search-first
3
+ description: Research-before-coding workflow. Search for existing tools, libraries, and patterns before writing custom code. Invokes the researcher agent.
4
+ origin: ECC
5
+ ---
6
+
7
+ # /search-first — Research Before You Code
8
+
9
+ Systematizes the "search for existing solutions before implementing" workflow.
10
+
11
+ ## Trigger
12
+
13
+ Use this skill when:
14
+ - Starting a new feature that likely has existing solutions
15
+ - Adding a dependency or integration
16
+ - The user asks "add X functionality" and you're about to write code
17
+ - Before creating a new utility, helper, or abstraction
18
+
19
+ ## Workflow
20
+
21
+ ```
22
+ ┌─────────────────────────────────────────────┐
23
+ │ 1. NEED ANALYSIS │
24
+ │ Define what functionality is needed │
25
+ │ Identify language/framework constraints │
26
+ ├─────────────────────────────────────────────┤
27
+ │ 2. PARALLEL SEARCH (researcher agent) │
28
+ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
29
+ │ │ npm / │ │ MCP / │ │ GitHub / │ │
30
+ │ │ PyPI │ │ Skills │ │ Web │ │
31
+ │ └──────────┘ └──────────┘ └──────────┘ │
32
+ ├─────────────────────────────────────────────┤
33
+ │ 3. EVALUATE │
34
+ │ Score candidates (functionality, maint, │
35
+ │ community, docs, license, deps) │
36
+ ├─────────────────────────────────────────────┤
37
+ │ 4. DECIDE │
38
+ │ ┌─────────┐ ┌──────────┐ ┌─────────┐ │
39
+ │ │ Adopt │ │ Extend │ │ Build │ │
40
+ │ │ as-is │ │ /Wrap │ │ Custom │ │
41
+ │ └─────────┘ └──────────┘ └─────────┘ │
42
+ ├─────────────────────────────────────────────┤
43
+ │ 5. IMPLEMENT │
44
+ │ Install package / Configure MCP / │
45
+ │ Write minimal custom code │
46
+ └─────────────────────────────────────────────┘
47
+ ```
48
+
49
+ ## Decision Matrix
50
+
51
+ | Signal | Action |
52
+ |--------|--------|
53
+ | Exact match, well-maintained, MIT/Apache | **Adopt** — install and use directly |
54
+ | Partial match, good foundation | **Extend** — install + write thin wrapper |
55
+ | Multiple weak matches | **Compose** — combine 2-3 small packages |
56
+ | Nothing suitable found | **Build** — write custom, but informed by research |
57
+
58
+ ## How to Use
59
+
60
+ ### Quick Mode (inline)
61
+
62
+ Before writing a utility or adding functionality, mentally run through:
63
+
64
+ 0. Does this already exist in the repo? → `rg` through relevant modules/tests first
65
+ 1. Is this a common problem? → Search npm/PyPI
66
+ 2. Is there an MCP for this? → Check `~/.claude/settings.json` and search
67
+ 3. Is there a skill for this? → Check `~/.claude/skills/`
68
+ 4. Is there a GitHub implementation/template? → Run GitHub code search for maintained OSS before writing net-new code
69
+
70
+ ### Full Mode (agent)
71
+
72
+ For non-trivial functionality, launch the researcher agent:
73
+
74
+ ```
75
+ Task(subagent_type="general-purpose", prompt="
76
+ Research existing tools for: [DESCRIPTION]
77
+ Language/framework: [LANG]
78
+ Constraints: [ANY]
79
+
80
+ Search: npm/PyPI, MCP servers, Claude Code skills, GitHub
81
+ Return: Structured comparison with recommendation
82
+ ")
83
+ ```
84
+
85
+ ## Search Shortcuts by Category
86
+
87
+ ### Development Tooling
88
+ - Linting → `eslint`, `ruff`, `textlint`, `markdownlint`
89
+ - Formatting → `prettier`, `black`, `gofmt`
90
+ - Testing → `jest`, `pytest`, `go test`
91
+ - Pre-commit → `husky`, `lint-staged`, `pre-commit`
92
+
93
+ ### AI/LLM Integration
94
+ - Claude SDK → Context7 for latest docs
95
+ - Prompt management → Check MCP servers
96
+ - Document processing → `unstructured`, `pdfplumber`, `mammoth`
97
+
98
+ ### Data & APIs
99
+ - HTTP clients → `httpx` (Python), `ky`/`got` (Node)
100
+ - Validation → `zod` (TS), `pydantic` (Python)
101
+ - Database → Check for MCP servers first
102
+
103
+ ### Content & Publishing
104
+ - Markdown processing → `remark`, `unified`, `markdown-it`
105
+ - Image optimization → `sharp`, `imagemin`
106
+
107
+ ## Integration Points
108
+
109
+ ### With planner agent
110
+ The planner should invoke researcher before Phase 1 (Architecture Review):
111
+ - Researcher identifies available tools
112
+ - Planner incorporates them into the implementation plan
113
+ - Avoids "reinventing the wheel" in the plan
114
+
115
+ ### With architect agent
116
+ The architect should consult researcher for:
117
+ - Technology stack decisions
118
+ - Integration pattern discovery
119
+ - Existing reference architectures
120
+
121
+ ### With iterative-retrieval skill
122
+ Combine for progressive discovery:
123
+ - Cycle 1: Broad search (npm, PyPI, MCP)
124
+ - Cycle 2: Evaluate top candidates in detail
125
+ - Cycle 3: Test compatibility with project constraints
126
+
127
+ ## Examples
128
+
129
+ ### Example 1: "Add dead link checking"
130
+ ```
131
+ Need: Check markdown files for broken links
132
+ Search: npm "markdown dead link checker"
133
+ Found: textlint-rule-no-dead-link (score: 9/10)
134
+ Action: ADOPT — npm install textlint-rule-no-dead-link
135
+ Result: Zero custom code, battle-tested solution
136
+ ```
137
+
138
+ ### Example 2: "Add HTTP client wrapper"
139
+ ```
140
+ Need: Resilient HTTP client with retries and timeout handling
141
+ Search: npm "http client retry", PyPI "httpx retry"
142
+ Found: got (Node) with retry plugin, httpx (Python) with built-in retry
143
+ Action: ADOPT — use got/httpx directly with retry config
144
+ Result: Zero custom code, production-proven libraries
145
+ ```
146
+
147
+ ### Example 3: "Add config file linter"
148
+ ```
149
+ Need: Validate project config files against a schema
150
+ Search: npm "config linter schema", "json schema validator cli"
151
+ Found: ajv-cli (score: 8/10)
152
+ Action: ADOPT + EXTEND — install ajv-cli, write project-specific schema
153
+ Result: 1 package + 1 schema file, no custom validation logic
154
+ ```
155
+
156
+ ## Anti-Patterns
157
+
158
+ - **Jumping to code**: Writing a utility without checking if one exists
159
+ - **Ignoring MCP**: Not checking if an MCP server already provides the capability
160
+ - **Over-customizing**: Wrapping a library so heavily it loses its benefits
161
+ - **Dependency bloat**: Installing a massive package for one small feature
@@ -0,0 +1,495 @@
1
+ ---
2
+ name: security-review
3
+ description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
4
+ origin: ECC
5
+ ---
6
+
7
+ # Security Review Skill
8
+
9
+ This skill ensures all code follows security best practices and identifies potential vulnerabilities.
10
+
11
+ ## When to Activate
12
+
13
+ - Implementing authentication or authorization
14
+ - Handling user input or file uploads
15
+ - Creating new API endpoints
16
+ - Working with secrets or credentials
17
+ - Implementing payment features
18
+ - Storing or transmitting sensitive data
19
+ - Integrating third-party APIs
20
+
21
+ ## Security Checklist
22
+
23
+ ### 1. Secrets Management
24
+
25
+ #### ❌ NEVER Do This
26
+ ```typescript
27
+ const apiKey = "sk-proj-xxxxx" // Hardcoded secret
28
+ const dbPassword = "password123" // In source code
29
+ ```
30
+
31
+ #### ✅ ALWAYS Do This
32
+ ```typescript
33
+ const apiKey = process.env.OPENAI_API_KEY
34
+ const dbUrl = process.env.DATABASE_URL
35
+
36
+ // Verify secrets exist
37
+ if (!apiKey) {
38
+ throw new Error('OPENAI_API_KEY not configured')
39
+ }
40
+ ```
41
+
42
+ #### Verification Steps
43
+ - [ ] No hardcoded API keys, tokens, or passwords
44
+ - [ ] All secrets in environment variables
45
+ - [ ] `.env.local` in .gitignore
46
+ - [ ] No secrets in git history
47
+ - [ ] Production secrets in hosting platform (Vercel, Railway)
48
+
49
+ ### 2. Input Validation
50
+
51
+ #### Always Validate User Input
52
+ ```typescript
53
+ import { z } from 'zod'
54
+
55
+ // Define validation schema
56
+ const CreateUserSchema = z.object({
57
+ email: z.string().email(),
58
+ name: z.string().min(1).max(100),
59
+ age: z.number().int().min(0).max(150)
60
+ })
61
+
62
+ // Validate before processing
63
+ export async function createUser(input: unknown) {
64
+ try {
65
+ const validated = CreateUserSchema.parse(input)
66
+ return await db.users.create(validated)
67
+ } catch (error) {
68
+ if (error instanceof z.ZodError) {
69
+ return { success: false, errors: error.errors }
70
+ }
71
+ throw error
72
+ }
73
+ }
74
+ ```
75
+
76
+ #### File Upload Validation
77
+ ```typescript
78
+ function validateFileUpload(file: File) {
79
+ // Size check (5MB max)
80
+ const maxSize = 5 * 1024 * 1024
81
+ if (file.size > maxSize) {
82
+ throw new Error('File too large (max 5MB)')
83
+ }
84
+
85
+ // Type check
86
+ const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
87
+ if (!allowedTypes.includes(file.type)) {
88
+ throw new Error('Invalid file type')
89
+ }
90
+
91
+ // Extension check
92
+ const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
93
+ const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
94
+ if (!extension || !allowedExtensions.includes(extension)) {
95
+ throw new Error('Invalid file extension')
96
+ }
97
+
98
+ return true
99
+ }
100
+ ```
101
+
102
+ #### Verification Steps
103
+ - [ ] All user inputs validated with schemas
104
+ - [ ] File uploads restricted (size, type, extension)
105
+ - [ ] No direct use of user input in queries
106
+ - [ ] Whitelist validation (not blacklist)
107
+ - [ ] Error messages don't leak sensitive info
108
+
109
+ ### 3. SQL Injection Prevention
110
+
111
+ #### ❌ NEVER Concatenate SQL
112
+ ```typescript
113
+ // DANGEROUS - SQL Injection vulnerability
114
+ const query = `SELECT * FROM users WHERE email = '${userEmail}'`
115
+ await db.query(query)
116
+ ```
117
+
118
+ #### ✅ ALWAYS Use Parameterized Queries
119
+ ```typescript
120
+ // Safe - parameterized query
121
+ const { data } = await supabase
122
+ .from('users')
123
+ .select('*')
124
+ .eq('email', userEmail)
125
+
126
+ // Or with raw SQL
127
+ await db.query(
128
+ 'SELECT * FROM users WHERE email = $1',
129
+ [userEmail]
130
+ )
131
+ ```
132
+
133
+ #### Verification Steps
134
+ - [ ] All database queries use parameterized queries
135
+ - [ ] No string concatenation in SQL
136
+ - [ ] ORM/query builder used correctly
137
+ - [ ] Supabase queries properly sanitized
138
+
139
+ ### 4. Authentication & Authorization
140
+
141
+ #### JWT Token Handling
142
+ ```typescript
143
+ // ❌ WRONG: localStorage (vulnerable to XSS)
144
+ localStorage.setItem('token', token)
145
+
146
+ // ✅ CORRECT: httpOnly cookies
147
+ res.setHeader('Set-Cookie',
148
+ `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
149
+ ```
150
+
151
+ #### Authorization Checks
152
+ ```typescript
153
+ export async function deleteUser(userId: string, requesterId: string) {
154
+ // ALWAYS verify authorization first
155
+ const requester = await db.users.findUnique({
156
+ where: { id: requesterId }
157
+ })
158
+
159
+ if (requester.role !== 'admin') {
160
+ return NextResponse.json(
161
+ { error: 'Unauthorized' },
162
+ { status: 403 }
163
+ )
164
+ }
165
+
166
+ // Proceed with deletion
167
+ await db.users.delete({ where: { id: userId } })
168
+ }
169
+ ```
170
+
171
+ #### Row Level Security (Supabase)
172
+ ```sql
173
+ -- Enable RLS on all tables
174
+ ALTER TABLE users ENABLE ROW LEVEL SECURITY;
175
+
176
+ -- Users can only view their own data
177
+ CREATE POLICY "Users view own data"
178
+ ON users FOR SELECT
179
+ USING (auth.uid() = id);
180
+
181
+ -- Users can only update their own data
182
+ CREATE POLICY "Users update own data"
183
+ ON users FOR UPDATE
184
+ USING (auth.uid() = id);
185
+ ```
186
+
187
+ #### Verification Steps
188
+ - [ ] Tokens stored in httpOnly cookies (not localStorage)
189
+ - [ ] Authorization checks before sensitive operations
190
+ - [ ] Row Level Security enabled in Supabase
191
+ - [ ] Role-based access control implemented
192
+ - [ ] Session management secure
193
+
194
+ ### 5. XSS Prevention
195
+
196
+ #### Sanitize HTML
197
+ ```typescript
198
+ import DOMPurify from 'isomorphic-dompurify'
199
+
200
+ // ALWAYS sanitize user-provided HTML
201
+ function renderUserContent(html: string) {
202
+ const clean = DOMPurify.sanitize(html, {
203
+ ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
204
+ ALLOWED_ATTR: []
205
+ })
206
+ return <div dangerouslySetInnerHTML={{ __html: clean }} />
207
+ }
208
+ ```
209
+
210
+ #### Content Security Policy
211
+ ```typescript
212
+ // next.config.js
213
+ const securityHeaders = [
214
+ {
215
+ key: 'Content-Security-Policy',
216
+ value: `
217
+ default-src 'self';
218
+ script-src 'self' 'unsafe-eval' 'unsafe-inline';
219
+ style-src 'self' 'unsafe-inline';
220
+ img-src 'self' data: https:;
221
+ font-src 'self';
222
+ connect-src 'self' https://api.example.com;
223
+ `.replace(/\s{2,}/g, ' ').trim()
224
+ }
225
+ ]
226
+ ```
227
+
228
+ #### Verification Steps
229
+ - [ ] User-provided HTML sanitized
230
+ - [ ] CSP headers configured
231
+ - [ ] No unvalidated dynamic content rendering
232
+ - [ ] React's built-in XSS protection used
233
+
234
+ ### 6. CSRF Protection
235
+
236
+ #### CSRF Tokens
237
+ ```typescript
238
+ import { csrf } from '@/lib/csrf'
239
+
240
+ export async function POST(request: Request) {
241
+ const token = request.headers.get('X-CSRF-Token')
242
+
243
+ if (!csrf.verify(token)) {
244
+ return NextResponse.json(
245
+ { error: 'Invalid CSRF token' },
246
+ { status: 403 }
247
+ )
248
+ }
249
+
250
+ // Process request
251
+ }
252
+ ```
253
+
254
+ #### SameSite Cookies
255
+ ```typescript
256
+ res.setHeader('Set-Cookie',
257
+ `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)
258
+ ```
259
+
260
+ #### Verification Steps
261
+ - [ ] CSRF tokens on state-changing operations
262
+ - [ ] SameSite=Strict on all cookies
263
+ - [ ] Double-submit cookie pattern implemented
264
+
265
+ ### 7. Rate Limiting
266
+
267
+ #### API Rate Limiting
268
+ ```typescript
269
+ import rateLimit from 'express-rate-limit'
270
+
271
+ const limiter = rateLimit({
272
+ windowMs: 15 * 60 * 1000, // 15 minutes
273
+ max: 100, // 100 requests per window
274
+ message: 'Too many requests'
275
+ })
276
+
277
+ // Apply to routes
278
+ app.use('/api/', limiter)
279
+ ```
280
+
281
+ #### Expensive Operations
282
+ ```typescript
283
+ // Aggressive rate limiting for searches
284
+ const searchLimiter = rateLimit({
285
+ windowMs: 60 * 1000, // 1 minute
286
+ max: 10, // 10 requests per minute
287
+ message: 'Too many search requests'
288
+ })
289
+
290
+ app.use('/api/search', searchLimiter)
291
+ ```
292
+
293
+ #### Verification Steps
294
+ - [ ] Rate limiting on all API endpoints
295
+ - [ ] Stricter limits on expensive operations
296
+ - [ ] IP-based rate limiting
297
+ - [ ] User-based rate limiting (authenticated)
298
+
299
+ ### 8. Sensitive Data Exposure
300
+
301
+ #### Logging
302
+ ```typescript
303
+ // ❌ WRONG: Logging sensitive data
304
+ console.log('User login:', { email, password })
305
+ console.log('Payment:', { cardNumber, cvv })
306
+
307
+ // ✅ CORRECT: Redact sensitive data
308
+ console.log('User login:', { email, userId })
309
+ console.log('Payment:', { last4: card.last4, userId })
310
+ ```
311
+
312
+ #### Error Messages
313
+ ```typescript
314
+ // ❌ WRONG: Exposing internal details
315
+ catch (error) {
316
+ return NextResponse.json(
317
+ { error: error.message, stack: error.stack },
318
+ { status: 500 }
319
+ )
320
+ }
321
+
322
+ // ✅ CORRECT: Generic error messages
323
+ catch (error) {
324
+ console.error('Internal error:', error)
325
+ return NextResponse.json(
326
+ { error: 'An error occurred. Please try again.' },
327
+ { status: 500 }
328
+ )
329
+ }
330
+ ```
331
+
332
+ #### Verification Steps
333
+ - [ ] No passwords, tokens, or secrets in logs
334
+ - [ ] Error messages generic for users
335
+ - [ ] Detailed errors only in server logs
336
+ - [ ] No stack traces exposed to users
337
+
338
+ ### 9. Blockchain Security (Solana)
339
+
340
+ #### Wallet Verification
341
+ ```typescript
342
+ import { verify } from '@solana/web3.js'
343
+
344
+ async function verifyWalletOwnership(
345
+ publicKey: string,
346
+ signature: string,
347
+ message: string
348
+ ) {
349
+ try {
350
+ const isValid = verify(
351
+ Buffer.from(message),
352
+ Buffer.from(signature, 'base64'),
353
+ Buffer.from(publicKey, 'base64')
354
+ )
355
+ return isValid
356
+ } catch (error) {
357
+ return false
358
+ }
359
+ }
360
+ ```
361
+
362
+ #### Transaction Verification
363
+ ```typescript
364
+ async function verifyTransaction(transaction: Transaction) {
365
+ // Verify recipient
366
+ if (transaction.to !== expectedRecipient) {
367
+ throw new Error('Invalid recipient')
368
+ }
369
+
370
+ // Verify amount
371
+ if (transaction.amount > maxAmount) {
372
+ throw new Error('Amount exceeds limit')
373
+ }
374
+
375
+ // Verify user has sufficient balance
376
+ const balance = await getBalance(transaction.from)
377
+ if (balance < transaction.amount) {
378
+ throw new Error('Insufficient balance')
379
+ }
380
+
381
+ return true
382
+ }
383
+ ```
384
+
385
+ #### Verification Steps
386
+ - [ ] Wallet signatures verified
387
+ - [ ] Transaction details validated
388
+ - [ ] Balance checks before transactions
389
+ - [ ] No blind transaction signing
390
+
391
+ ### 10. Dependency Security
392
+
393
+ #### Regular Updates
394
+ ```bash
395
+ # Check for vulnerabilities
396
+ npm audit
397
+
398
+ # Fix automatically fixable issues
399
+ npm audit fix
400
+
401
+ # Update dependencies
402
+ npm update
403
+
404
+ # Check for outdated packages
405
+ npm outdated
406
+ ```
407
+
408
+ #### Lock Files
409
+ ```bash
410
+ # ALWAYS commit lock files
411
+ git add package-lock.json
412
+
413
+ # Use in CI/CD for reproducible builds
414
+ npm ci # Instead of npm install
415
+ ```
416
+
417
+ #### Verification Steps
418
+ - [ ] Dependencies up to date
419
+ - [ ] No known vulnerabilities (npm audit clean)
420
+ - [ ] Lock files committed
421
+ - [ ] Dependabot enabled on GitHub
422
+ - [ ] Regular security updates
423
+
424
+ ## Security Testing
425
+
426
+ ### Automated Security Tests
427
+ ```typescript
428
+ // Test authentication
429
+ test('requires authentication', async () => {
430
+ const response = await fetch('/api/protected')
431
+ expect(response.status).toBe(401)
432
+ })
433
+
434
+ // Test authorization
435
+ test('requires admin role', async () => {
436
+ const response = await fetch('/api/admin', {
437
+ headers: { Authorization: `Bearer ${userToken}` }
438
+ })
439
+ expect(response.status).toBe(403)
440
+ })
441
+
442
+ // Test input validation
443
+ test('rejects invalid input', async () => {
444
+ const response = await fetch('/api/users', {
445
+ method: 'POST',
446
+ body: JSON.stringify({ email: 'not-an-email' })
447
+ })
448
+ expect(response.status).toBe(400)
449
+ })
450
+
451
+ // Test rate limiting
452
+ test('enforces rate limits', async () => {
453
+ const requests = Array(101).fill(null).map(() =>
454
+ fetch('/api/endpoint')
455
+ )
456
+
457
+ const responses = await Promise.all(requests)
458
+ const tooManyRequests = responses.filter(r => r.status === 429)
459
+
460
+ expect(tooManyRequests.length).toBeGreaterThan(0)
461
+ })
462
+ ```
463
+
464
+ ## Pre-Deployment Security Checklist
465
+
466
+ Before ANY production deployment:
467
+
468
+ - [ ] **Secrets**: No hardcoded secrets, all in env vars
469
+ - [ ] **Input Validation**: All user inputs validated
470
+ - [ ] **SQL Injection**: All queries parameterized
471
+ - [ ] **XSS**: User content sanitized
472
+ - [ ] **CSRF**: Protection enabled
473
+ - [ ] **Authentication**: Proper token handling
474
+ - [ ] **Authorization**: Role checks in place
475
+ - [ ] **Rate Limiting**: Enabled on all endpoints
476
+ - [ ] **HTTPS**: Enforced in production
477
+ - [ ] **Security Headers**: CSP, X-Frame-Options configured
478
+ - [ ] **Error Handling**: No sensitive data in errors
479
+ - [ ] **Logging**: No sensitive data logged
480
+ - [ ] **Dependencies**: Up to date, no vulnerabilities
481
+ - [ ] **Row Level Security**: Enabled in Supabase
482
+ - [ ] **CORS**: Properly configured
483
+ - [ ] **File Uploads**: Validated (size, type)
484
+ - [ ] **Wallet Signatures**: Verified (if blockchain)
485
+
486
+ ## Resources
487
+
488
+ - [OWASP Top 10](https://owasp.org/www-project-top-ten/)
489
+ - [Next.js Security](https://nextjs.org/docs/security)
490
+ - [Supabase Security](https://supabase.com/docs/guides/auth)
491
+ - [Web Security Academy](https://portswigger.net/web-security)
492
+
493
+ ---
494
+
495
+ **Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.