claude-code-pilot 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (110) hide show
  1. package/README.md +11 -11
  2. package/bin/install.js +20 -2
  3. package/manifest.json +5 -1
  4. package/package.json +18 -6
  5. package/src/agents/a11y-architect.md +141 -0
  6. package/src/agents/code-architect.md +71 -0
  7. package/src/agents/code-explorer.md +69 -0
  8. package/src/agents/code-simplifier.md +47 -0
  9. package/src/agents/comment-analyzer.md +45 -0
  10. package/src/agents/csharp-reviewer.md +101 -0
  11. package/src/agents/dart-build-resolver.md +201 -0
  12. package/src/agents/pr-test-analyzer.md +45 -0
  13. package/src/agents/silent-failure-hunter.md +50 -0
  14. package/src/agents/type-design-analyzer.md +41 -0
  15. package/src/available-rules/README.md +3 -1
  16. package/src/available-rules/dart/coding-style.md +159 -0
  17. package/src/available-rules/dart/hooks.md +66 -0
  18. package/src/available-rules/dart/patterns.md +261 -0
  19. package/src/available-rules/dart/security.md +135 -0
  20. package/src/available-rules/dart/testing.md +215 -0
  21. package/src/available-rules/web/coding-style.md +105 -0
  22. package/src/available-rules/web/design-quality.md +72 -0
  23. package/src/available-rules/web/hooks.md +129 -0
  24. package/src/available-rules/web/patterns.md +88 -0
  25. package/src/available-rules/web/performance.md +73 -0
  26. package/src/available-rules/web/security.md +66 -0
  27. package/src/available-rules/web/testing.md +64 -0
  28. package/src/commands/ccp/ai-integration-phase.md +36 -0
  29. package/src/commands/ccp/audit-fix.md +33 -0
  30. package/src/commands/ccp/code-review-fix.md +52 -0
  31. package/src/commands/ccp/eval-review.md +32 -0
  32. package/src/commands/ccp/extract_learnings.md +22 -0
  33. package/src/commands/ccp/import.md +37 -0
  34. package/src/commands/ccp/ingest-docs.md +42 -0
  35. package/src/commands/ccp/intel.md +179 -0
  36. package/src/commands/ccp/plan-review-convergence.md +58 -0
  37. package/src/commands/ccp/scan.md +26 -0
  38. package/src/commands/ccp/sketch-wrap-up.md +31 -0
  39. package/src/commands/ccp/sketch.md +54 -0
  40. package/src/commands/ccp/spec-phase.md +62 -0
  41. package/src/commands/ccp/spike-wrap-up.md +31 -0
  42. package/src/commands/ccp/spike.md +51 -0
  43. package/src/commands/ccp/ultraplan-phase.md +33 -0
  44. package/src/hooks/ccp-read-injection-scanner.js +152 -0
  45. package/src/hooks/kit-check-update.js +59 -7
  46. package/src/hooks/run-with-flags-shell.sh +1 -0
  47. package/src/hooks/run-with-flags.js +48 -1
  48. package/src/hooks/session-end.js +88 -1
  49. package/src/lib/hook-flags.js +14 -0
  50. package/src/pilot/references/agent-contracts.md +79 -0
  51. package/src/pilot/references/ai-evals.md +156 -0
  52. package/src/pilot/references/ai-frameworks.md +186 -0
  53. package/src/pilot/references/doc-conflict-engine.md +91 -0
  54. package/src/pilot/references/gate-prompts.md +100 -0
  55. package/src/pilot/references/gates.md +70 -0
  56. package/src/pilot/references/mandatory-initial-read.md +2 -0
  57. package/src/pilot/references/project-skills-discovery.md +19 -0
  58. package/src/pilot/references/revision-loop.md +97 -0
  59. package/src/pilot/references/sketch-interactivity.md +41 -0
  60. package/src/pilot/references/sketch-theme-system.md +94 -0
  61. package/src/pilot/references/sketch-tooling.md +45 -0
  62. package/src/pilot/references/sketch-variant-patterns.md +81 -0
  63. package/src/pilot/references/thinking-models-debug.md +44 -0
  64. package/src/pilot/references/thinking-models-execution.md +50 -0
  65. package/src/pilot/references/thinking-models-planning.md +62 -0
  66. package/src/pilot/references/thinking-models-research.md +50 -0
  67. package/src/pilot/references/thinking-models-verification.md +55 -0
  68. package/src/pilot/templates/AI-SPEC.md +246 -0
  69. package/src/pilot/templates/spec.md +307 -0
  70. package/src/pilot/workflows/ai-integration-phase.md +284 -0
  71. package/src/pilot/workflows/audit-fix.md +175 -0
  72. package/src/pilot/workflows/code-review-fix.md +497 -0
  73. package/src/pilot/workflows/eval-review.md +155 -0
  74. package/src/pilot/workflows/extract_learnings.md +242 -0
  75. package/src/pilot/workflows/import.md +246 -0
  76. package/src/pilot/workflows/ingest-docs.md +328 -0
  77. package/src/pilot/workflows/plan-review-convergence.md +329 -0
  78. package/src/pilot/workflows/scan.md +102 -0
  79. package/src/pilot/workflows/sketch-wrap-up.md +285 -0
  80. package/src/pilot/workflows/sketch.md +360 -0
  81. package/src/pilot/workflows/spec-phase.md +262 -0
  82. package/src/pilot/workflows/spike-wrap-up.md +306 -0
  83. package/src/pilot/workflows/spike.md +452 -0
  84. package/src/pilot/workflows/ultraplan-phase.md +189 -0
  85. package/src/skills/accessibility/SKILL.md +146 -0
  86. package/src/skills/agent-eval/SKILL.md +145 -0
  87. package/src/skills/agent-introspection-debugging/SKILL.md +153 -0
  88. package/src/skills/android-clean-architecture/SKILL.md +339 -0
  89. package/src/skills/api-connector-builder/SKILL.md +120 -0
  90. package/src/skills/code-tour/SKILL.md +236 -0
  91. package/src/skills/compose-multiplatform-patterns/SKILL.md +299 -0
  92. package/src/skills/csharp-testing/SKILL.md +321 -0
  93. package/src/skills/dart-flutter-patterns/SKILL.md +563 -0
  94. package/src/skills/dashboard-builder/SKILL.md +108 -0
  95. package/src/skills/dotnet-patterns/SKILL.md +321 -0
  96. package/src/skills/frontend-design/SKILL.md +145 -0
  97. package/src/skills/frontend-slides/SKILL.md +184 -0
  98. package/src/skills/frontend-slides/STYLE_PRESETS.md +330 -0
  99. package/src/skills/gateguard/SKILL.md +121 -0
  100. package/src/skills/github-ops/SKILL.md +144 -0
  101. package/src/skills/hookify-rules/SKILL.md +128 -0
  102. package/src/skills/knowledge-ops/SKILL.md +154 -0
  103. package/src/skills/liquid-glass-design/SKILL.md +279 -0
  104. package/src/skills/nestjs-patterns/SKILL.md +230 -0
  105. package/src/skills/security-bounty-hunter/SKILL.md +99 -0
  106. package/src/skills/swift-actor-persistence/SKILL.md +143 -0
  107. package/src/skills/swift-protocol-di-testing/SKILL.md +190 -0
  108. package/src/skills/swiftui-patterns/SKILL.md +259 -0
  109. package/src/skills/terminal-ops/SKILL.md +109 -0
  110. package/src/skills/ui-demo/SKILL.md +465 -0
@@ -0,0 +1,230 @@
1
+ ---
2
+ name: nestjs-patterns
3
+ description: NestJS architecture patterns for modules, controllers, providers, DTO validation, guards, interceptors, config, and production-grade TypeScript backends.
4
+ origin: ECC
5
+ ---
6
+
7
+ # NestJS Development Patterns
8
+
9
+ Production-grade NestJS patterns for modular TypeScript backends.
10
+
11
+ ## When to Activate
12
+
13
+ - Building NestJS APIs or services
14
+ - Structuring modules, controllers, and providers
15
+ - Adding DTO validation, guards, interceptors, or exception filters
16
+ - Configuring environment-aware settings and database integrations
17
+ - Testing NestJS units or HTTP endpoints
18
+
19
+ ## Project Structure
20
+
21
+ ```text
22
+ src/
23
+ ├── app.module.ts
24
+ ├── main.ts
25
+ ├── common/
26
+ │ ├── filters/
27
+ │ ├── guards/
28
+ │ ├── interceptors/
29
+ │ └── pipes/
30
+ ├── config/
31
+ │ ├── configuration.ts
32
+ │ └── validation.ts
33
+ ├── modules/
34
+ │ ├── auth/
35
+ │ │ ├── auth.controller.ts
36
+ │ │ ├── auth.module.ts
37
+ │ │ ├── auth.service.ts
38
+ │ │ ├── dto/
39
+ │ │ ├── guards/
40
+ │ │ └── strategies/
41
+ │ └── users/
42
+ │ ├── dto/
43
+ │ ├── entities/
44
+ │ ├── users.controller.ts
45
+ │ ├── users.module.ts
46
+ │ └── users.service.ts
47
+ └── prisma/ or database/
48
+ ```
49
+
50
+ - Keep domain code inside feature modules.
51
+ - Put cross-cutting filters, decorators, guards, and interceptors in `common/`.
52
+ - Keep DTOs close to the module that owns them.
53
+
54
+ ## Bootstrap and Global Validation
55
+
56
+ ```ts
57
+ async function bootstrap() {
58
+ const app = await NestFactory.create(AppModule, { bufferLogs: true });
59
+
60
+ app.useGlobalPipes(
61
+ new ValidationPipe({
62
+ whitelist: true,
63
+ forbidNonWhitelisted: true,
64
+ transform: true,
65
+ transformOptions: { enableImplicitConversion: true },
66
+ }),
67
+ );
68
+
69
+ app.useGlobalInterceptors(new ClassSerializerInterceptor(app.get(Reflector)));
70
+ app.useGlobalFilters(new HttpExceptionFilter());
71
+
72
+ await app.listen(process.env.PORT ?? 3000);
73
+ }
74
+ bootstrap();
75
+ ```
76
+
77
+ - Always enable `whitelist` and `forbidNonWhitelisted` on public APIs.
78
+ - Prefer one global validation pipe instead of repeating validation config per route.
79
+
80
+ ## Modules, Controllers, and Providers
81
+
82
+ ```ts
83
+ @Module({
84
+ controllers: [UsersController],
85
+ providers: [UsersService],
86
+ exports: [UsersService],
87
+ })
88
+ export class UsersModule {}
89
+
90
+ @Controller('users')
91
+ export class UsersController {
92
+ constructor(private readonly usersService: UsersService) {}
93
+
94
+ @Get(':id')
95
+ getById(@Param('id', ParseUUIDPipe) id: string) {
96
+ return this.usersService.getById(id);
97
+ }
98
+
99
+ @Post()
100
+ create(@Body() dto: CreateUserDto) {
101
+ return this.usersService.create(dto);
102
+ }
103
+ }
104
+
105
+ @Injectable()
106
+ export class UsersService {
107
+ constructor(private readonly usersRepo: UsersRepository) {}
108
+
109
+ async create(dto: CreateUserDto) {
110
+ return this.usersRepo.create(dto);
111
+ }
112
+ }
113
+ ```
114
+
115
+ - Controllers should stay thin: parse HTTP input, call a provider, return response DTOs.
116
+ - Put business logic in injectable services, not controllers.
117
+ - Export only the providers other modules genuinely need.
118
+
119
+ ## DTOs and Validation
120
+
121
+ ```ts
122
+ export class CreateUserDto {
123
+ @IsEmail()
124
+ email!: string;
125
+
126
+ @IsString()
127
+ @Length(2, 80)
128
+ name!: string;
129
+
130
+ @IsOptional()
131
+ @IsEnum(UserRole)
132
+ role?: UserRole;
133
+ }
134
+ ```
135
+
136
+ - Validate every request DTO with `class-validator`.
137
+ - Use dedicated response DTOs or serializers instead of returning ORM entities directly.
138
+ - Avoid leaking internal fields such as password hashes, tokens, or audit columns.
139
+
140
+ ## Auth, Guards, and Request Context
141
+
142
+ ```ts
143
+ @UseGuards(JwtAuthGuard, RolesGuard)
144
+ @Roles('admin')
145
+ @Get('admin/report')
146
+ getAdminReport(@Req() req: AuthenticatedRequest) {
147
+ return this.reportService.getForUser(req.user.id);
148
+ }
149
+ ```
150
+
151
+ - Keep auth strategies and guards module-local unless they are truly shared.
152
+ - Encode coarse access rules in guards, then do resource-specific authorization in services.
153
+ - Prefer explicit request types for authenticated request objects.
154
+
155
+ ## Exception Filters and Error Shape
156
+
157
+ ```ts
158
+ @Catch()
159
+ export class HttpExceptionFilter implements ExceptionFilter {
160
+ catch(exception: unknown, host: ArgumentsHost) {
161
+ const response = host.switchToHttp().getResponse<Response>();
162
+ const request = host.switchToHttp().getRequest<Request>();
163
+
164
+ if (exception instanceof HttpException) {
165
+ return response.status(exception.getStatus()).json({
166
+ path: request.url,
167
+ error: exception.getResponse(),
168
+ });
169
+ }
170
+
171
+ return response.status(500).json({
172
+ path: request.url,
173
+ error: 'Internal server error',
174
+ });
175
+ }
176
+ }
177
+ ```
178
+
179
+ - Keep one consistent error envelope across the API.
180
+ - Throw framework exceptions for expected client errors; log and wrap unexpected failures centrally.
181
+
182
+ ## Config and Environment Validation
183
+
184
+ ```ts
185
+ ConfigModule.forRoot({
186
+ isGlobal: true,
187
+ load: [configuration],
188
+ validate: validateEnv,
189
+ });
190
+ ```
191
+
192
+ - Validate env at boot, not lazily at first request.
193
+ - Keep config access behind typed helpers or config services.
194
+ - Split dev/staging/prod concerns in config factories instead of branching throughout feature code.
195
+
196
+ ## Persistence and Transactions
197
+
198
+ - Keep repository / ORM code behind providers that speak domain language.
199
+ - For Prisma or TypeORM, isolate transactional workflows in services that own the unit of work.
200
+ - Do not let controllers coordinate multi-step writes directly.
201
+
202
+ ## Testing
203
+
204
+ ```ts
205
+ describe('UsersController', () => {
206
+ let app: INestApplication;
207
+
208
+ beforeAll(async () => {
209
+ const moduleRef = await Test.createTestingModule({
210
+ imports: [UsersModule],
211
+ }).compile();
212
+
213
+ app = moduleRef.createNestApplication();
214
+ app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true }));
215
+ await app.init();
216
+ });
217
+ });
218
+ ```
219
+
220
+ - Unit test providers in isolation with mocked dependencies.
221
+ - Add request-level tests for guards, validation pipes, and exception filters.
222
+ - Reuse the same global pipes/filters in tests that you use in production.
223
+
224
+ ## Production Defaults
225
+
226
+ - Enable structured logging and request correlation ids.
227
+ - Terminate on invalid env/config instead of booting partially.
228
+ - Prefer async provider initialization for DB/cache clients with explicit health checks.
229
+ - Keep background jobs and event consumers in their own modules, not inside HTTP controllers.
230
+ - Make rate limiting, auth, and audit logging explicit for public endpoints.
@@ -0,0 +1,99 @@
1
+ ---
2
+ name: security-bounty-hunter
3
+ description: Hunt for exploitable, bounty-worthy security issues in repositories. Focuses on remotely reachable vulnerabilities that qualify for real reports instead of noisy local-only findings.
4
+ origin: ECC direct-port adaptation
5
+ version: "1.0.0"
6
+ ---
7
+
8
+ # Security Bounty Hunter
9
+
10
+ Use this when the goal is practical vulnerability discovery for responsible disclosure or bounty submission, not a broad best-practices review.
11
+
12
+ ## When to Use
13
+
14
+ - Scanning a repository for exploitable vulnerabilities
15
+ - Preparing a Huntr, HackerOne, or similar bounty submission
16
+ - Triage where the question is "does this actually pay?" rather than "is this theoretically unsafe?"
17
+
18
+ ## How It Works
19
+
20
+ Bias toward remotely reachable, user-controlled attack paths and throw away patterns that platforms routinely reject as informative or out of scope.
21
+
22
+ ## In-Scope Patterns
23
+
24
+ These are the kinds of issues that consistently matter:
25
+
26
+ | Pattern | CWE | Typical impact |
27
+ | --- | --- | --- |
28
+ | SSRF through user-controlled URLs | CWE-918 | internal network access, cloud metadata theft |
29
+ | Auth bypass in middleware or API guards | CWE-287 | unauthorized account or data access |
30
+ | Remote deserialization or upload-to-RCE paths | CWE-502 | code execution |
31
+ | SQL injection in reachable endpoints | CWE-89 | data exfiltration, auth bypass, data destruction |
32
+ | Command injection in request handlers | CWE-78 | code execution |
33
+ | Path traversal in file-serving paths | CWE-22 | arbitrary file read or write |
34
+ | Auto-triggered XSS | CWE-79 | session theft, admin compromise |
35
+
36
+ ## Skip These
37
+
38
+ These are usually low-signal or out of bounty scope unless the program says otherwise:
39
+
40
+ - Local-only `pickle.loads`, `torch.load`, or equivalent with no remote path
41
+ - `eval()` or `exec()` in CLI-only tooling
42
+ - `shell=True` on fully hardcoded commands
43
+ - Missing security headers by themselves
44
+ - Generic rate-limiting complaints without exploit impact
45
+ - Self-XSS requiring the victim to paste code manually
46
+ - CI/CD injection that is not part of the target program scope
47
+ - Demo, example, or test-only code
48
+
49
+ ## Workflow
50
+
51
+ 1. Check scope first: program rules, SECURITY.md, disclosure channel, and exclusions.
52
+ 2. Find real entrypoints: HTTP handlers, uploads, background jobs, webhooks, parsers, and integration endpoints.
53
+ 3. Run static tooling where it helps, but treat it as triage input only.
54
+ 4. Read the real code path end to end.
55
+ 5. Prove user control reaches a meaningful sink.
56
+ 6. Confirm exploitability and impact with the smallest safe PoC possible.
57
+ 7. Check for duplicates before drafting a report.
58
+
59
+ ## Example Triage Loop
60
+
61
+ ```bash
62
+ semgrep --config=auto --severity=ERROR --severity=WARNING --json
63
+ ```
64
+
65
+ Then manually filter:
66
+
67
+ - drop tests, demos, fixtures, vendored code
68
+ - drop local-only or non-reachable paths
69
+ - keep only findings with a clear network or user-controlled route
70
+
71
+ ## Report Structure
72
+
73
+ ```markdown
74
+ ## Description
75
+ [What the vulnerability is and why it matters]
76
+
77
+ ## Vulnerable Code
78
+ [File path, line range, and a small snippet]
79
+
80
+ ## Proof of Concept
81
+ [Minimal working request or script]
82
+
83
+ ## Impact
84
+ [What the attacker can achieve]
85
+
86
+ ## Affected Version
87
+ [Version, commit, or deployment target tested]
88
+ ```
89
+
90
+ ## Quality Gate
91
+
92
+ Before submitting:
93
+
94
+ - The code path is reachable from a real user or network boundary
95
+ - The input is genuinely user-controlled
96
+ - The sink is meaningful and exploitable
97
+ - The PoC works
98
+ - The issue is not already covered by an advisory, CVE, or open ticket
99
+ - The target is actually in scope for the bounty program
@@ -0,0 +1,143 @@
1
+ ---
2
+ name: swift-actor-persistence
3
+ description: Thread-safe data persistence in Swift using actors — in-memory cache with file-backed storage, eliminating data races by design.
4
+ origin: ECC
5
+ ---
6
+
7
+ # Swift Actors for Thread-Safe Persistence
8
+
9
+ Patterns for building thread-safe data persistence layers using Swift actors. Combines in-memory caching with file-backed storage, leveraging the actor model to eliminate data races at compile time.
10
+
11
+ ## When to Activate
12
+
13
+ - Building a data persistence layer in Swift 5.5+
14
+ - Need thread-safe access to shared mutable state
15
+ - Want to eliminate manual synchronization (locks, DispatchQueues)
16
+ - Building offline-first apps with local storage
17
+
18
+ ## Core Pattern
19
+
20
+ ### Actor-Based Repository
21
+
22
+ The actor model guarantees serialized access — no data races, enforced by the compiler.
23
+
24
+ ```swift
25
+ public actor LocalRepository<T: Codable & Identifiable> where T.ID == String {
26
+ private var cache: [String: T] = [:]
27
+ private let fileURL: URL
28
+
29
+ public init(directory: URL = .documentsDirectory, filename: String = "data.json") {
30
+ self.fileURL = directory.appendingPathComponent(filename)
31
+ // Synchronous load during init (actor isolation not yet active)
32
+ self.cache = Self.loadSynchronously(from: fileURL)
33
+ }
34
+
35
+ // MARK: - Public API
36
+
37
+ public func save(_ item: T) throws {
38
+ cache[item.id] = item
39
+ try persistToFile()
40
+ }
41
+
42
+ public func delete(_ id: String) throws {
43
+ cache[id] = nil
44
+ try persistToFile()
45
+ }
46
+
47
+ public func find(by id: String) -> T? {
48
+ cache[id]
49
+ }
50
+
51
+ public func loadAll() -> [T] {
52
+ Array(cache.values)
53
+ }
54
+
55
+ // MARK: - Private
56
+
57
+ private func persistToFile() throws {
58
+ let data = try JSONEncoder().encode(Array(cache.values))
59
+ try data.write(to: fileURL, options: .atomic)
60
+ }
61
+
62
+ private static func loadSynchronously(from url: URL) -> [String: T] {
63
+ guard let data = try? Data(contentsOf: url),
64
+ let items = try? JSONDecoder().decode([T].self, from: data) else {
65
+ return [:]
66
+ }
67
+ return Dictionary(uniqueKeysWithValues: items.map { ($0.id, $0) })
68
+ }
69
+ }
70
+ ```
71
+
72
+ ### Usage
73
+
74
+ All calls are automatically async due to actor isolation:
75
+
76
+ ```swift
77
+ let repository = LocalRepository<Question>()
78
+
79
+ // Read — fast O(1) lookup from in-memory cache
80
+ let question = await repository.find(by: "q-001")
81
+ let allQuestions = await repository.loadAll()
82
+
83
+ // Write — updates cache and persists to file atomically
84
+ try await repository.save(newQuestion)
85
+ try await repository.delete("q-001")
86
+ ```
87
+
88
+ ### Combining with @Observable ViewModel
89
+
90
+ ```swift
91
+ @Observable
92
+ final class QuestionListViewModel {
93
+ private(set) var questions: [Question] = []
94
+ private let repository: LocalRepository<Question>
95
+
96
+ init(repository: LocalRepository<Question> = LocalRepository()) {
97
+ self.repository = repository
98
+ }
99
+
100
+ func load() async {
101
+ questions = await repository.loadAll()
102
+ }
103
+
104
+ func add(_ question: Question) async throws {
105
+ try await repository.save(question)
106
+ questions = await repository.loadAll()
107
+ }
108
+ }
109
+ ```
110
+
111
+ ## Key Design Decisions
112
+
113
+ | Decision | Rationale |
114
+ |----------|-----------|
115
+ | Actor (not class + lock) | Compiler-enforced thread safety, no manual synchronization |
116
+ | In-memory cache + file persistence | Fast reads from cache, durable writes to disk |
117
+ | Synchronous init loading | Avoids async initialization complexity |
118
+ | Dictionary keyed by ID | O(1) lookups by identifier |
119
+ | Generic over `Codable & Identifiable` | Reusable across any model type |
120
+ | Atomic file writes (`.atomic`) | Prevents partial writes on crash |
121
+
122
+ ## Best Practices
123
+
124
+ - **Use `Sendable` types** for all data crossing actor boundaries
125
+ - **Keep the actor's public API minimal** — only expose domain operations, not persistence details
126
+ - **Use `.atomic` writes** to prevent data corruption if the app crashes mid-write
127
+ - **Load synchronously in `init`** — async initializers add complexity with minimal benefit for local files
128
+ - **Combine with `@Observable`** ViewModels for reactive UI updates
129
+
130
+ ## Anti-Patterns to Avoid
131
+
132
+ - Using `DispatchQueue` or `NSLock` instead of actors for new Swift concurrency code
133
+ - Exposing the internal cache dictionary to external callers
134
+ - Making the file URL configurable without validation
135
+ - Forgetting that all actor method calls are `await` — callers must handle async context
136
+ - Using `nonisolated` to bypass actor isolation (defeats the purpose)
137
+
138
+ ## When to Use
139
+
140
+ - Local data storage in iOS/macOS apps (user data, settings, cached content)
141
+ - Offline-first architectures that sync to a server later
142
+ - Any shared mutable state that multiple parts of the app access concurrently
143
+ - Replacing legacy `DispatchQueue`-based thread safety with modern Swift concurrency
@@ -0,0 +1,190 @@
1
+ ---
2
+ name: swift-protocol-di-testing
3
+ description: Protocol-based dependency injection for testable Swift code — mock file system, network, and external APIs using focused protocols and Swift Testing.
4
+ origin: ECC
5
+ ---
6
+
7
+ # Swift Protocol-Based Dependency Injection for Testing
8
+
9
+ Patterns for making Swift code testable by abstracting external dependencies (file system, network, iCloud) behind small, focused protocols. Enables deterministic tests without I/O.
10
+
11
+ ## When to Activate
12
+
13
+ - Writing Swift code that accesses file system, network, or external APIs
14
+ - Need to test error handling paths without triggering real failures
15
+ - Building modules that work across environments (app, test, SwiftUI preview)
16
+ - Designing testable architecture with Swift concurrency (actors, Sendable)
17
+
18
+ ## Core Pattern
19
+
20
+ ### 1. Define Small, Focused Protocols
21
+
22
+ Each protocol handles exactly one external concern.
23
+
24
+ ```swift
25
+ // File system access
26
+ public protocol FileSystemProviding: Sendable {
27
+ func containerURL(for purpose: Purpose) -> URL?
28
+ }
29
+
30
+ // File read/write operations
31
+ public protocol FileAccessorProviding: Sendable {
32
+ func read(from url: URL) throws -> Data
33
+ func write(_ data: Data, to url: URL) throws
34
+ func fileExists(at url: URL) -> Bool
35
+ }
36
+
37
+ // Bookmark storage (e.g., for sandboxed apps)
38
+ public protocol BookmarkStorageProviding: Sendable {
39
+ func saveBookmark(_ data: Data, for key: String) throws
40
+ func loadBookmark(for key: String) throws -> Data?
41
+ }
42
+ ```
43
+
44
+ ### 2. Create Default (Production) Implementations
45
+
46
+ ```swift
47
+ public struct DefaultFileSystemProvider: FileSystemProviding {
48
+ public init() {}
49
+
50
+ public func containerURL(for purpose: Purpose) -> URL? {
51
+ FileManager.default.url(forUbiquityContainerIdentifier: nil)
52
+ }
53
+ }
54
+
55
+ public struct DefaultFileAccessor: FileAccessorProviding {
56
+ public init() {}
57
+
58
+ public func read(from url: URL) throws -> Data {
59
+ try Data(contentsOf: url)
60
+ }
61
+
62
+ public func write(_ data: Data, to url: URL) throws {
63
+ try data.write(to: url, options: .atomic)
64
+ }
65
+
66
+ public func fileExists(at url: URL) -> Bool {
67
+ FileManager.default.fileExists(atPath: url.path)
68
+ }
69
+ }
70
+ ```
71
+
72
+ ### 3. Create Mock Implementations for Testing
73
+
74
+ ```swift
75
+ public final class MockFileAccessor: FileAccessorProviding, @unchecked Sendable {
76
+ public var files: [URL: Data] = [:]
77
+ public var readError: Error?
78
+ public var writeError: Error?
79
+
80
+ public init() {}
81
+
82
+ public func read(from url: URL) throws -> Data {
83
+ if let error = readError { throw error }
84
+ guard let data = files[url] else {
85
+ throw CocoaError(.fileReadNoSuchFile)
86
+ }
87
+ return data
88
+ }
89
+
90
+ public func write(_ data: Data, to url: URL) throws {
91
+ if let error = writeError { throw error }
92
+ files[url] = data
93
+ }
94
+
95
+ public func fileExists(at url: URL) -> Bool {
96
+ files[url] != nil
97
+ }
98
+ }
99
+ ```
100
+
101
+ ### 4. Inject Dependencies with Default Parameters
102
+
103
+ Production code uses defaults; tests inject mocks.
104
+
105
+ ```swift
106
+ public actor SyncManager {
107
+ private let fileSystem: FileSystemProviding
108
+ private let fileAccessor: FileAccessorProviding
109
+
110
+ public init(
111
+ fileSystem: FileSystemProviding = DefaultFileSystemProvider(),
112
+ fileAccessor: FileAccessorProviding = DefaultFileAccessor()
113
+ ) {
114
+ self.fileSystem = fileSystem
115
+ self.fileAccessor = fileAccessor
116
+ }
117
+
118
+ public func sync() async throws {
119
+ guard let containerURL = fileSystem.containerURL(for: .sync) else {
120
+ throw SyncError.containerNotAvailable
121
+ }
122
+ let data = try fileAccessor.read(
123
+ from: containerURL.appendingPathComponent("data.json")
124
+ )
125
+ // Process data...
126
+ }
127
+ }
128
+ ```
129
+
130
+ ### 5. Write Tests with Swift Testing
131
+
132
+ ```swift
133
+ import Testing
134
+
135
+ @Test("Sync manager handles missing container")
136
+ func testMissingContainer() async {
137
+ let mockFileSystem = MockFileSystemProvider(containerURL: nil)
138
+ let manager = SyncManager(fileSystem: mockFileSystem)
139
+
140
+ await #expect(throws: SyncError.containerNotAvailable) {
141
+ try await manager.sync()
142
+ }
143
+ }
144
+
145
+ @Test("Sync manager reads data correctly")
146
+ func testReadData() async throws {
147
+ let mockFileAccessor = MockFileAccessor()
148
+ mockFileAccessor.files[testURL] = testData
149
+
150
+ let manager = SyncManager(fileAccessor: mockFileAccessor)
151
+ let result = try await manager.loadData()
152
+
153
+ #expect(result == expectedData)
154
+ }
155
+
156
+ @Test("Sync manager handles read errors gracefully")
157
+ func testReadError() async {
158
+ let mockFileAccessor = MockFileAccessor()
159
+ mockFileAccessor.readError = CocoaError(.fileReadCorruptFile)
160
+
161
+ let manager = SyncManager(fileAccessor: mockFileAccessor)
162
+
163
+ await #expect(throws: SyncError.self) {
164
+ try await manager.sync()
165
+ }
166
+ }
167
+ ```
168
+
169
+ ## Best Practices
170
+
171
+ - **Single Responsibility**: Each protocol should handle one concern — don't create "god protocols" with many methods
172
+ - **Sendable conformance**: Required when protocols are used across actor boundaries
173
+ - **Default parameters**: Let production code use real implementations by default; only tests need to specify mocks
174
+ - **Error simulation**: Design mocks with configurable error properties for testing failure paths
175
+ - **Only mock boundaries**: Mock external dependencies (file system, network, APIs), not internal types
176
+
177
+ ## Anti-Patterns to Avoid
178
+
179
+ - Creating a single large protocol that covers all external access
180
+ - Mocking internal types that have no external dependencies
181
+ - Using `#if DEBUG` conditionals instead of proper dependency injection
182
+ - Forgetting `Sendable` conformance when used with actors
183
+ - Over-engineering: if a type has no external dependencies, it doesn't need a protocol
184
+
185
+ ## When to Use
186
+
187
+ - Any Swift code that touches file system, network, or external APIs
188
+ - Testing error handling paths that are hard to trigger in real environments
189
+ - Building modules that need to work in app, test, and SwiftUI preview contexts
190
+ - Apps using Swift concurrency (actors, structured concurrency) that need testable architecture