claude-code-pilot 3.1.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -11
- package/bin/install.js +20 -2
- package/manifest.json +5 -1
- package/package.json +18 -6
- package/src/agents/a11y-architect.md +141 -0
- package/src/agents/code-architect.md +71 -0
- package/src/agents/code-explorer.md +69 -0
- package/src/agents/code-simplifier.md +47 -0
- package/src/agents/comment-analyzer.md +45 -0
- package/src/agents/csharp-reviewer.md +101 -0
- package/src/agents/dart-build-resolver.md +201 -0
- package/src/agents/pr-test-analyzer.md +45 -0
- package/src/agents/silent-failure-hunter.md +50 -0
- package/src/agents/type-design-analyzer.md +41 -0
- package/src/available-rules/README.md +3 -1
- package/src/available-rules/dart/coding-style.md +159 -0
- package/src/available-rules/dart/hooks.md +66 -0
- package/src/available-rules/dart/patterns.md +261 -0
- package/src/available-rules/dart/security.md +135 -0
- package/src/available-rules/dart/testing.md +215 -0
- package/src/available-rules/web/coding-style.md +105 -0
- package/src/available-rules/web/design-quality.md +72 -0
- package/src/available-rules/web/hooks.md +129 -0
- package/src/available-rules/web/patterns.md +88 -0
- package/src/available-rules/web/performance.md +73 -0
- package/src/available-rules/web/security.md +66 -0
- package/src/available-rules/web/testing.md +64 -0
- package/src/commands/ccp/ai-integration-phase.md +36 -0
- package/src/commands/ccp/audit-fix.md +33 -0
- package/src/commands/ccp/code-review-fix.md +52 -0
- package/src/commands/ccp/eval-review.md +32 -0
- package/src/commands/ccp/extract_learnings.md +22 -0
- package/src/commands/ccp/import.md +37 -0
- package/src/commands/ccp/ingest-docs.md +42 -0
- package/src/commands/ccp/intel.md +179 -0
- package/src/commands/ccp/plan-review-convergence.md +58 -0
- package/src/commands/ccp/scan.md +26 -0
- package/src/commands/ccp/sketch-wrap-up.md +31 -0
- package/src/commands/ccp/sketch.md +54 -0
- package/src/commands/ccp/spec-phase.md +62 -0
- package/src/commands/ccp/spike-wrap-up.md +31 -0
- package/src/commands/ccp/spike.md +51 -0
- package/src/commands/ccp/ultraplan-phase.md +33 -0
- package/src/hooks/ccp-read-injection-scanner.js +152 -0
- package/src/hooks/kit-check-update.js +59 -7
- package/src/hooks/run-with-flags-shell.sh +1 -0
- package/src/hooks/run-with-flags.js +48 -1
- package/src/hooks/session-end.js +88 -1
- package/src/lib/hook-flags.js +14 -0
- package/src/pilot/references/agent-contracts.md +79 -0
- package/src/pilot/references/ai-evals.md +156 -0
- package/src/pilot/references/ai-frameworks.md +186 -0
- package/src/pilot/references/doc-conflict-engine.md +91 -0
- package/src/pilot/references/gate-prompts.md +100 -0
- package/src/pilot/references/gates.md +70 -0
- package/src/pilot/references/mandatory-initial-read.md +2 -0
- package/src/pilot/references/project-skills-discovery.md +19 -0
- package/src/pilot/references/revision-loop.md +97 -0
- package/src/pilot/references/sketch-interactivity.md +41 -0
- package/src/pilot/references/sketch-theme-system.md +94 -0
- package/src/pilot/references/sketch-tooling.md +45 -0
- package/src/pilot/references/sketch-variant-patterns.md +81 -0
- package/src/pilot/references/thinking-models-debug.md +44 -0
- package/src/pilot/references/thinking-models-execution.md +50 -0
- package/src/pilot/references/thinking-models-planning.md +62 -0
- package/src/pilot/references/thinking-models-research.md +50 -0
- package/src/pilot/references/thinking-models-verification.md +55 -0
- package/src/pilot/templates/AI-SPEC.md +246 -0
- package/src/pilot/templates/spec.md +307 -0
- package/src/pilot/workflows/ai-integration-phase.md +284 -0
- package/src/pilot/workflows/audit-fix.md +175 -0
- package/src/pilot/workflows/code-review-fix.md +497 -0
- package/src/pilot/workflows/eval-review.md +155 -0
- package/src/pilot/workflows/extract_learnings.md +242 -0
- package/src/pilot/workflows/import.md +246 -0
- package/src/pilot/workflows/ingest-docs.md +328 -0
- package/src/pilot/workflows/plan-review-convergence.md +329 -0
- package/src/pilot/workflows/scan.md +102 -0
- package/src/pilot/workflows/sketch-wrap-up.md +285 -0
- package/src/pilot/workflows/sketch.md +360 -0
- package/src/pilot/workflows/spec-phase.md +262 -0
- package/src/pilot/workflows/spike-wrap-up.md +306 -0
- package/src/pilot/workflows/spike.md +452 -0
- package/src/pilot/workflows/ultraplan-phase.md +189 -0
- package/src/skills/accessibility/SKILL.md +146 -0
- package/src/skills/agent-eval/SKILL.md +145 -0
- package/src/skills/agent-introspection-debugging/SKILL.md +153 -0
- package/src/skills/android-clean-architecture/SKILL.md +339 -0
- package/src/skills/api-connector-builder/SKILL.md +120 -0
- package/src/skills/code-tour/SKILL.md +236 -0
- package/src/skills/compose-multiplatform-patterns/SKILL.md +299 -0
- package/src/skills/csharp-testing/SKILL.md +321 -0
- package/src/skills/dart-flutter-patterns/SKILL.md +563 -0
- package/src/skills/dashboard-builder/SKILL.md +108 -0
- package/src/skills/dotnet-patterns/SKILL.md +321 -0
- package/src/skills/frontend-design/SKILL.md +145 -0
- package/src/skills/frontend-slides/SKILL.md +184 -0
- package/src/skills/frontend-slides/STYLE_PRESETS.md +330 -0
- package/src/skills/gateguard/SKILL.md +121 -0
- package/src/skills/github-ops/SKILL.md +144 -0
- package/src/skills/hookify-rules/SKILL.md +128 -0
- package/src/skills/knowledge-ops/SKILL.md +154 -0
- package/src/skills/liquid-glass-design/SKILL.md +279 -0
- package/src/skills/nestjs-patterns/SKILL.md +230 -0
- package/src/skills/security-bounty-hunter/SKILL.md +99 -0
- package/src/skills/swift-actor-persistence/SKILL.md +143 -0
- package/src/skills/swift-protocol-di-testing/SKILL.md +190 -0
- package/src/skills/swiftui-patterns/SKILL.md +259 -0
- package/src/skills/terminal-ops/SKILL.md +109 -0
- package/src/skills/ui-demo/SKILL.md +465 -0
|
@@ -0,0 +1,230 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: nestjs-patterns
|
|
3
|
+
description: NestJS architecture patterns for modules, controllers, providers, DTO validation, guards, interceptors, config, and production-grade TypeScript backends.
|
|
4
|
+
origin: ECC
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# NestJS Development Patterns
|
|
8
|
+
|
|
9
|
+
Production-grade NestJS patterns for modular TypeScript backends.
|
|
10
|
+
|
|
11
|
+
## When to Activate
|
|
12
|
+
|
|
13
|
+
- Building NestJS APIs or services
|
|
14
|
+
- Structuring modules, controllers, and providers
|
|
15
|
+
- Adding DTO validation, guards, interceptors, or exception filters
|
|
16
|
+
- Configuring environment-aware settings and database integrations
|
|
17
|
+
- Testing NestJS units or HTTP endpoints
|
|
18
|
+
|
|
19
|
+
## Project Structure
|
|
20
|
+
|
|
21
|
+
```text
|
|
22
|
+
src/
|
|
23
|
+
├── app.module.ts
|
|
24
|
+
├── main.ts
|
|
25
|
+
├── common/
|
|
26
|
+
│ ├── filters/
|
|
27
|
+
│ ├── guards/
|
|
28
|
+
│ ├── interceptors/
|
|
29
|
+
│ └── pipes/
|
|
30
|
+
├── config/
|
|
31
|
+
│ ├── configuration.ts
|
|
32
|
+
│ └── validation.ts
|
|
33
|
+
├── modules/
|
|
34
|
+
│ ├── auth/
|
|
35
|
+
│ │ ├── auth.controller.ts
|
|
36
|
+
│ │ ├── auth.module.ts
|
|
37
|
+
│ │ ├── auth.service.ts
|
|
38
|
+
│ │ ├── dto/
|
|
39
|
+
│ │ ├── guards/
|
|
40
|
+
│ │ └── strategies/
|
|
41
|
+
│ └── users/
|
|
42
|
+
│ ├── dto/
|
|
43
|
+
│ ├── entities/
|
|
44
|
+
│ ├── users.controller.ts
|
|
45
|
+
│ ├── users.module.ts
|
|
46
|
+
│ └── users.service.ts
|
|
47
|
+
└── prisma/ or database/
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
- Keep domain code inside feature modules.
|
|
51
|
+
- Put cross-cutting filters, decorators, guards, and interceptors in `common/`.
|
|
52
|
+
- Keep DTOs close to the module that owns them.
|
|
53
|
+
|
|
54
|
+
## Bootstrap and Global Validation
|
|
55
|
+
|
|
56
|
+
```ts
|
|
57
|
+
async function bootstrap() {
|
|
58
|
+
const app = await NestFactory.create(AppModule, { bufferLogs: true });
|
|
59
|
+
|
|
60
|
+
app.useGlobalPipes(
|
|
61
|
+
new ValidationPipe({
|
|
62
|
+
whitelist: true,
|
|
63
|
+
forbidNonWhitelisted: true,
|
|
64
|
+
transform: true,
|
|
65
|
+
transformOptions: { enableImplicitConversion: true },
|
|
66
|
+
}),
|
|
67
|
+
);
|
|
68
|
+
|
|
69
|
+
app.useGlobalInterceptors(new ClassSerializerInterceptor(app.get(Reflector)));
|
|
70
|
+
app.useGlobalFilters(new HttpExceptionFilter());
|
|
71
|
+
|
|
72
|
+
await app.listen(process.env.PORT ?? 3000);
|
|
73
|
+
}
|
|
74
|
+
bootstrap();
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
- Always enable `whitelist` and `forbidNonWhitelisted` on public APIs.
|
|
78
|
+
- Prefer one global validation pipe instead of repeating validation config per route.
|
|
79
|
+
|
|
80
|
+
## Modules, Controllers, and Providers
|
|
81
|
+
|
|
82
|
+
```ts
|
|
83
|
+
@Module({
|
|
84
|
+
controllers: [UsersController],
|
|
85
|
+
providers: [UsersService],
|
|
86
|
+
exports: [UsersService],
|
|
87
|
+
})
|
|
88
|
+
export class UsersModule {}
|
|
89
|
+
|
|
90
|
+
@Controller('users')
|
|
91
|
+
export class UsersController {
|
|
92
|
+
constructor(private readonly usersService: UsersService) {}
|
|
93
|
+
|
|
94
|
+
@Get(':id')
|
|
95
|
+
getById(@Param('id', ParseUUIDPipe) id: string) {
|
|
96
|
+
return this.usersService.getById(id);
|
|
97
|
+
}
|
|
98
|
+
|
|
99
|
+
@Post()
|
|
100
|
+
create(@Body() dto: CreateUserDto) {
|
|
101
|
+
return this.usersService.create(dto);
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
@Injectable()
|
|
106
|
+
export class UsersService {
|
|
107
|
+
constructor(private readonly usersRepo: UsersRepository) {}
|
|
108
|
+
|
|
109
|
+
async create(dto: CreateUserDto) {
|
|
110
|
+
return this.usersRepo.create(dto);
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
- Controllers should stay thin: parse HTTP input, call a provider, return response DTOs.
|
|
116
|
+
- Put business logic in injectable services, not controllers.
|
|
117
|
+
- Export only the providers other modules genuinely need.
|
|
118
|
+
|
|
119
|
+
## DTOs and Validation
|
|
120
|
+
|
|
121
|
+
```ts
|
|
122
|
+
export class CreateUserDto {
|
|
123
|
+
@IsEmail()
|
|
124
|
+
email!: string;
|
|
125
|
+
|
|
126
|
+
@IsString()
|
|
127
|
+
@Length(2, 80)
|
|
128
|
+
name!: string;
|
|
129
|
+
|
|
130
|
+
@IsOptional()
|
|
131
|
+
@IsEnum(UserRole)
|
|
132
|
+
role?: UserRole;
|
|
133
|
+
}
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
- Validate every request DTO with `class-validator`.
|
|
137
|
+
- Use dedicated response DTOs or serializers instead of returning ORM entities directly.
|
|
138
|
+
- Avoid leaking internal fields such as password hashes, tokens, or audit columns.
|
|
139
|
+
|
|
140
|
+
## Auth, Guards, and Request Context
|
|
141
|
+
|
|
142
|
+
```ts
|
|
143
|
+
@UseGuards(JwtAuthGuard, RolesGuard)
|
|
144
|
+
@Roles('admin')
|
|
145
|
+
@Get('admin/report')
|
|
146
|
+
getAdminReport(@Req() req: AuthenticatedRequest) {
|
|
147
|
+
return this.reportService.getForUser(req.user.id);
|
|
148
|
+
}
|
|
149
|
+
```
|
|
150
|
+
|
|
151
|
+
- Keep auth strategies and guards module-local unless they are truly shared.
|
|
152
|
+
- Encode coarse access rules in guards, then do resource-specific authorization in services.
|
|
153
|
+
- Prefer explicit request types for authenticated request objects.
|
|
154
|
+
|
|
155
|
+
## Exception Filters and Error Shape
|
|
156
|
+
|
|
157
|
+
```ts
|
|
158
|
+
@Catch()
|
|
159
|
+
export class HttpExceptionFilter implements ExceptionFilter {
|
|
160
|
+
catch(exception: unknown, host: ArgumentsHost) {
|
|
161
|
+
const response = host.switchToHttp().getResponse<Response>();
|
|
162
|
+
const request = host.switchToHttp().getRequest<Request>();
|
|
163
|
+
|
|
164
|
+
if (exception instanceof HttpException) {
|
|
165
|
+
return response.status(exception.getStatus()).json({
|
|
166
|
+
path: request.url,
|
|
167
|
+
error: exception.getResponse(),
|
|
168
|
+
});
|
|
169
|
+
}
|
|
170
|
+
|
|
171
|
+
return response.status(500).json({
|
|
172
|
+
path: request.url,
|
|
173
|
+
error: 'Internal server error',
|
|
174
|
+
});
|
|
175
|
+
}
|
|
176
|
+
}
|
|
177
|
+
```
|
|
178
|
+
|
|
179
|
+
- Keep one consistent error envelope across the API.
|
|
180
|
+
- Throw framework exceptions for expected client errors; log and wrap unexpected failures centrally.
|
|
181
|
+
|
|
182
|
+
## Config and Environment Validation
|
|
183
|
+
|
|
184
|
+
```ts
|
|
185
|
+
ConfigModule.forRoot({
|
|
186
|
+
isGlobal: true,
|
|
187
|
+
load: [configuration],
|
|
188
|
+
validate: validateEnv,
|
|
189
|
+
});
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
- Validate env at boot, not lazily at first request.
|
|
193
|
+
- Keep config access behind typed helpers or config services.
|
|
194
|
+
- Split dev/staging/prod concerns in config factories instead of branching throughout feature code.
|
|
195
|
+
|
|
196
|
+
## Persistence and Transactions
|
|
197
|
+
|
|
198
|
+
- Keep repository / ORM code behind providers that speak domain language.
|
|
199
|
+
- For Prisma or TypeORM, isolate transactional workflows in services that own the unit of work.
|
|
200
|
+
- Do not let controllers coordinate multi-step writes directly.
|
|
201
|
+
|
|
202
|
+
## Testing
|
|
203
|
+
|
|
204
|
+
```ts
|
|
205
|
+
describe('UsersController', () => {
|
|
206
|
+
let app: INestApplication;
|
|
207
|
+
|
|
208
|
+
beforeAll(async () => {
|
|
209
|
+
const moduleRef = await Test.createTestingModule({
|
|
210
|
+
imports: [UsersModule],
|
|
211
|
+
}).compile();
|
|
212
|
+
|
|
213
|
+
app = moduleRef.createNestApplication();
|
|
214
|
+
app.useGlobalPipes(new ValidationPipe({ whitelist: true, transform: true }));
|
|
215
|
+
await app.init();
|
|
216
|
+
});
|
|
217
|
+
});
|
|
218
|
+
```
|
|
219
|
+
|
|
220
|
+
- Unit test providers in isolation with mocked dependencies.
|
|
221
|
+
- Add request-level tests for guards, validation pipes, and exception filters.
|
|
222
|
+
- Reuse the same global pipes/filters in tests that you use in production.
|
|
223
|
+
|
|
224
|
+
## Production Defaults
|
|
225
|
+
|
|
226
|
+
- Enable structured logging and request correlation ids.
|
|
227
|
+
- Terminate on invalid env/config instead of booting partially.
|
|
228
|
+
- Prefer async provider initialization for DB/cache clients with explicit health checks.
|
|
229
|
+
- Keep background jobs and event consumers in their own modules, not inside HTTP controllers.
|
|
230
|
+
- Make rate limiting, auth, and audit logging explicit for public endpoints.
|
|
@@ -0,0 +1,99 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-bounty-hunter
|
|
3
|
+
description: Hunt for exploitable, bounty-worthy security issues in repositories. Focuses on remotely reachable vulnerabilities that qualify for real reports instead of noisy local-only findings.
|
|
4
|
+
origin: ECC direct-port adaptation
|
|
5
|
+
version: "1.0.0"
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Security Bounty Hunter
|
|
9
|
+
|
|
10
|
+
Use this when the goal is practical vulnerability discovery for responsible disclosure or bounty submission, not a broad best-practices review.
|
|
11
|
+
|
|
12
|
+
## When to Use
|
|
13
|
+
|
|
14
|
+
- Scanning a repository for exploitable vulnerabilities
|
|
15
|
+
- Preparing a Huntr, HackerOne, or similar bounty submission
|
|
16
|
+
- Triage where the question is "does this actually pay?" rather than "is this theoretically unsafe?"
|
|
17
|
+
|
|
18
|
+
## How It Works
|
|
19
|
+
|
|
20
|
+
Bias toward remotely reachable, user-controlled attack paths and throw away patterns that platforms routinely reject as informative or out of scope.
|
|
21
|
+
|
|
22
|
+
## In-Scope Patterns
|
|
23
|
+
|
|
24
|
+
These are the kinds of issues that consistently matter:
|
|
25
|
+
|
|
26
|
+
| Pattern | CWE | Typical impact |
|
|
27
|
+
| --- | --- | --- |
|
|
28
|
+
| SSRF through user-controlled URLs | CWE-918 | internal network access, cloud metadata theft |
|
|
29
|
+
| Auth bypass in middleware or API guards | CWE-287 | unauthorized account or data access |
|
|
30
|
+
| Remote deserialization or upload-to-RCE paths | CWE-502 | code execution |
|
|
31
|
+
| SQL injection in reachable endpoints | CWE-89 | data exfiltration, auth bypass, data destruction |
|
|
32
|
+
| Command injection in request handlers | CWE-78 | code execution |
|
|
33
|
+
| Path traversal in file-serving paths | CWE-22 | arbitrary file read or write |
|
|
34
|
+
| Auto-triggered XSS | CWE-79 | session theft, admin compromise |
|
|
35
|
+
|
|
36
|
+
## Skip These
|
|
37
|
+
|
|
38
|
+
These are usually low-signal or out of bounty scope unless the program says otherwise:
|
|
39
|
+
|
|
40
|
+
- Local-only `pickle.loads`, `torch.load`, or equivalent with no remote path
|
|
41
|
+
- `eval()` or `exec()` in CLI-only tooling
|
|
42
|
+
- `shell=True` on fully hardcoded commands
|
|
43
|
+
- Missing security headers by themselves
|
|
44
|
+
- Generic rate-limiting complaints without exploit impact
|
|
45
|
+
- Self-XSS requiring the victim to paste code manually
|
|
46
|
+
- CI/CD injection that is not part of the target program scope
|
|
47
|
+
- Demo, example, or test-only code
|
|
48
|
+
|
|
49
|
+
## Workflow
|
|
50
|
+
|
|
51
|
+
1. Check scope first: program rules, SECURITY.md, disclosure channel, and exclusions.
|
|
52
|
+
2. Find real entrypoints: HTTP handlers, uploads, background jobs, webhooks, parsers, and integration endpoints.
|
|
53
|
+
3. Run static tooling where it helps, but treat it as triage input only.
|
|
54
|
+
4. Read the real code path end to end.
|
|
55
|
+
5. Prove user control reaches a meaningful sink.
|
|
56
|
+
6. Confirm exploitability and impact with the smallest safe PoC possible.
|
|
57
|
+
7. Check for duplicates before drafting a report.
|
|
58
|
+
|
|
59
|
+
## Example Triage Loop
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
semgrep --config=auto --severity=ERROR --severity=WARNING --json
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
Then manually filter:
|
|
66
|
+
|
|
67
|
+
- drop tests, demos, fixtures, vendored code
|
|
68
|
+
- drop local-only or non-reachable paths
|
|
69
|
+
- keep only findings with a clear network or user-controlled route
|
|
70
|
+
|
|
71
|
+
## Report Structure
|
|
72
|
+
|
|
73
|
+
```markdown
|
|
74
|
+
## Description
|
|
75
|
+
[What the vulnerability is and why it matters]
|
|
76
|
+
|
|
77
|
+
## Vulnerable Code
|
|
78
|
+
[File path, line range, and a small snippet]
|
|
79
|
+
|
|
80
|
+
## Proof of Concept
|
|
81
|
+
[Minimal working request or script]
|
|
82
|
+
|
|
83
|
+
## Impact
|
|
84
|
+
[What the attacker can achieve]
|
|
85
|
+
|
|
86
|
+
## Affected Version
|
|
87
|
+
[Version, commit, or deployment target tested]
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
## Quality Gate
|
|
91
|
+
|
|
92
|
+
Before submitting:
|
|
93
|
+
|
|
94
|
+
- The code path is reachable from a real user or network boundary
|
|
95
|
+
- The input is genuinely user-controlled
|
|
96
|
+
- The sink is meaningful and exploitable
|
|
97
|
+
- The PoC works
|
|
98
|
+
- The issue is not already covered by an advisory, CVE, or open ticket
|
|
99
|
+
- The target is actually in scope for the bounty program
|
|
@@ -0,0 +1,143 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: swift-actor-persistence
|
|
3
|
+
description: Thread-safe data persistence in Swift using actors — in-memory cache with file-backed storage, eliminating data races by design.
|
|
4
|
+
origin: ECC
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Swift Actors for Thread-Safe Persistence
|
|
8
|
+
|
|
9
|
+
Patterns for building thread-safe data persistence layers using Swift actors. Combines in-memory caching with file-backed storage, leveraging the actor model to eliminate data races at compile time.
|
|
10
|
+
|
|
11
|
+
## When to Activate
|
|
12
|
+
|
|
13
|
+
- Building a data persistence layer in Swift 5.5+
|
|
14
|
+
- Need thread-safe access to shared mutable state
|
|
15
|
+
- Want to eliminate manual synchronization (locks, DispatchQueues)
|
|
16
|
+
- Building offline-first apps with local storage
|
|
17
|
+
|
|
18
|
+
## Core Pattern
|
|
19
|
+
|
|
20
|
+
### Actor-Based Repository
|
|
21
|
+
|
|
22
|
+
The actor model guarantees serialized access — no data races, enforced by the compiler.
|
|
23
|
+
|
|
24
|
+
```swift
|
|
25
|
+
public actor LocalRepository<T: Codable & Identifiable> where T.ID == String {
|
|
26
|
+
private var cache: [String: T] = [:]
|
|
27
|
+
private let fileURL: URL
|
|
28
|
+
|
|
29
|
+
public init(directory: URL = .documentsDirectory, filename: String = "data.json") {
|
|
30
|
+
self.fileURL = directory.appendingPathComponent(filename)
|
|
31
|
+
// Synchronous load during init (actor isolation not yet active)
|
|
32
|
+
self.cache = Self.loadSynchronously(from: fileURL)
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
// MARK: - Public API
|
|
36
|
+
|
|
37
|
+
public func save(_ item: T) throws {
|
|
38
|
+
cache[item.id] = item
|
|
39
|
+
try persistToFile()
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
public func delete(_ id: String) throws {
|
|
43
|
+
cache[id] = nil
|
|
44
|
+
try persistToFile()
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
public func find(by id: String) -> T? {
|
|
48
|
+
cache[id]
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
public func loadAll() -> [T] {
|
|
52
|
+
Array(cache.values)
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
// MARK: - Private
|
|
56
|
+
|
|
57
|
+
private func persistToFile() throws {
|
|
58
|
+
let data = try JSONEncoder().encode(Array(cache.values))
|
|
59
|
+
try data.write(to: fileURL, options: .atomic)
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
private static func loadSynchronously(from url: URL) -> [String: T] {
|
|
63
|
+
guard let data = try? Data(contentsOf: url),
|
|
64
|
+
let items = try? JSONDecoder().decode([T].self, from: data) else {
|
|
65
|
+
return [:]
|
|
66
|
+
}
|
|
67
|
+
return Dictionary(uniqueKeysWithValues: items.map { ($0.id, $0) })
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
### Usage
|
|
73
|
+
|
|
74
|
+
All calls are automatically async due to actor isolation:
|
|
75
|
+
|
|
76
|
+
```swift
|
|
77
|
+
let repository = LocalRepository<Question>()
|
|
78
|
+
|
|
79
|
+
// Read — fast O(1) lookup from in-memory cache
|
|
80
|
+
let question = await repository.find(by: "q-001")
|
|
81
|
+
let allQuestions = await repository.loadAll()
|
|
82
|
+
|
|
83
|
+
// Write — updates cache and persists to file atomically
|
|
84
|
+
try await repository.save(newQuestion)
|
|
85
|
+
try await repository.delete("q-001")
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
### Combining with @Observable ViewModel
|
|
89
|
+
|
|
90
|
+
```swift
|
|
91
|
+
@Observable
|
|
92
|
+
final class QuestionListViewModel {
|
|
93
|
+
private(set) var questions: [Question] = []
|
|
94
|
+
private let repository: LocalRepository<Question>
|
|
95
|
+
|
|
96
|
+
init(repository: LocalRepository<Question> = LocalRepository()) {
|
|
97
|
+
self.repository = repository
|
|
98
|
+
}
|
|
99
|
+
|
|
100
|
+
func load() async {
|
|
101
|
+
questions = await repository.loadAll()
|
|
102
|
+
}
|
|
103
|
+
|
|
104
|
+
func add(_ question: Question) async throws {
|
|
105
|
+
try await repository.save(question)
|
|
106
|
+
questions = await repository.loadAll()
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
## Key Design Decisions
|
|
112
|
+
|
|
113
|
+
| Decision | Rationale |
|
|
114
|
+
|----------|-----------|
|
|
115
|
+
| Actor (not class + lock) | Compiler-enforced thread safety, no manual synchronization |
|
|
116
|
+
| In-memory cache + file persistence | Fast reads from cache, durable writes to disk |
|
|
117
|
+
| Synchronous init loading | Avoids async initialization complexity |
|
|
118
|
+
| Dictionary keyed by ID | O(1) lookups by identifier |
|
|
119
|
+
| Generic over `Codable & Identifiable` | Reusable across any model type |
|
|
120
|
+
| Atomic file writes (`.atomic`) | Prevents partial writes on crash |
|
|
121
|
+
|
|
122
|
+
## Best Practices
|
|
123
|
+
|
|
124
|
+
- **Use `Sendable` types** for all data crossing actor boundaries
|
|
125
|
+
- **Keep the actor's public API minimal** — only expose domain operations, not persistence details
|
|
126
|
+
- **Use `.atomic` writes** to prevent data corruption if the app crashes mid-write
|
|
127
|
+
- **Load synchronously in `init`** — async initializers add complexity with minimal benefit for local files
|
|
128
|
+
- **Combine with `@Observable`** ViewModels for reactive UI updates
|
|
129
|
+
|
|
130
|
+
## Anti-Patterns to Avoid
|
|
131
|
+
|
|
132
|
+
- Using `DispatchQueue` or `NSLock` instead of actors for new Swift concurrency code
|
|
133
|
+
- Exposing the internal cache dictionary to external callers
|
|
134
|
+
- Making the file URL configurable without validation
|
|
135
|
+
- Forgetting that all actor method calls are `await` — callers must handle async context
|
|
136
|
+
- Using `nonisolated` to bypass actor isolation (defeats the purpose)
|
|
137
|
+
|
|
138
|
+
## When to Use
|
|
139
|
+
|
|
140
|
+
- Local data storage in iOS/macOS apps (user data, settings, cached content)
|
|
141
|
+
- Offline-first architectures that sync to a server later
|
|
142
|
+
- Any shared mutable state that multiple parts of the app access concurrently
|
|
143
|
+
- Replacing legacy `DispatchQueue`-based thread safety with modern Swift concurrency
|
|
@@ -0,0 +1,190 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: swift-protocol-di-testing
|
|
3
|
+
description: Protocol-based dependency injection for testable Swift code — mock file system, network, and external APIs using focused protocols and Swift Testing.
|
|
4
|
+
origin: ECC
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Swift Protocol-Based Dependency Injection for Testing
|
|
8
|
+
|
|
9
|
+
Patterns for making Swift code testable by abstracting external dependencies (file system, network, iCloud) behind small, focused protocols. Enables deterministic tests without I/O.
|
|
10
|
+
|
|
11
|
+
## When to Activate
|
|
12
|
+
|
|
13
|
+
- Writing Swift code that accesses file system, network, or external APIs
|
|
14
|
+
- Need to test error handling paths without triggering real failures
|
|
15
|
+
- Building modules that work across environments (app, test, SwiftUI preview)
|
|
16
|
+
- Designing testable architecture with Swift concurrency (actors, Sendable)
|
|
17
|
+
|
|
18
|
+
## Core Pattern
|
|
19
|
+
|
|
20
|
+
### 1. Define Small, Focused Protocols
|
|
21
|
+
|
|
22
|
+
Each protocol handles exactly one external concern.
|
|
23
|
+
|
|
24
|
+
```swift
|
|
25
|
+
// File system access
|
|
26
|
+
public protocol FileSystemProviding: Sendable {
|
|
27
|
+
func containerURL(for purpose: Purpose) -> URL?
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
// File read/write operations
|
|
31
|
+
public protocol FileAccessorProviding: Sendable {
|
|
32
|
+
func read(from url: URL) throws -> Data
|
|
33
|
+
func write(_ data: Data, to url: URL) throws
|
|
34
|
+
func fileExists(at url: URL) -> Bool
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
// Bookmark storage (e.g., for sandboxed apps)
|
|
38
|
+
public protocol BookmarkStorageProviding: Sendable {
|
|
39
|
+
func saveBookmark(_ data: Data, for key: String) throws
|
|
40
|
+
func loadBookmark(for key: String) throws -> Data?
|
|
41
|
+
}
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
### 2. Create Default (Production) Implementations
|
|
45
|
+
|
|
46
|
+
```swift
|
|
47
|
+
public struct DefaultFileSystemProvider: FileSystemProviding {
|
|
48
|
+
public init() {}
|
|
49
|
+
|
|
50
|
+
public func containerURL(for purpose: Purpose) -> URL? {
|
|
51
|
+
FileManager.default.url(forUbiquityContainerIdentifier: nil)
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
public struct DefaultFileAccessor: FileAccessorProviding {
|
|
56
|
+
public init() {}
|
|
57
|
+
|
|
58
|
+
public func read(from url: URL) throws -> Data {
|
|
59
|
+
try Data(contentsOf: url)
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
public func write(_ data: Data, to url: URL) throws {
|
|
63
|
+
try data.write(to: url, options: .atomic)
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
public func fileExists(at url: URL) -> Bool {
|
|
67
|
+
FileManager.default.fileExists(atPath: url.path)
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
### 3. Create Mock Implementations for Testing
|
|
73
|
+
|
|
74
|
+
```swift
|
|
75
|
+
public final class MockFileAccessor: FileAccessorProviding, @unchecked Sendable {
|
|
76
|
+
public var files: [URL: Data] = [:]
|
|
77
|
+
public var readError: Error?
|
|
78
|
+
public var writeError: Error?
|
|
79
|
+
|
|
80
|
+
public init() {}
|
|
81
|
+
|
|
82
|
+
public func read(from url: URL) throws -> Data {
|
|
83
|
+
if let error = readError { throw error }
|
|
84
|
+
guard let data = files[url] else {
|
|
85
|
+
throw CocoaError(.fileReadNoSuchFile)
|
|
86
|
+
}
|
|
87
|
+
return data
|
|
88
|
+
}
|
|
89
|
+
|
|
90
|
+
public func write(_ data: Data, to url: URL) throws {
|
|
91
|
+
if let error = writeError { throw error }
|
|
92
|
+
files[url] = data
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
public func fileExists(at url: URL) -> Bool {
|
|
96
|
+
files[url] != nil
|
|
97
|
+
}
|
|
98
|
+
}
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
### 4. Inject Dependencies with Default Parameters
|
|
102
|
+
|
|
103
|
+
Production code uses defaults; tests inject mocks.
|
|
104
|
+
|
|
105
|
+
```swift
|
|
106
|
+
public actor SyncManager {
|
|
107
|
+
private let fileSystem: FileSystemProviding
|
|
108
|
+
private let fileAccessor: FileAccessorProviding
|
|
109
|
+
|
|
110
|
+
public init(
|
|
111
|
+
fileSystem: FileSystemProviding = DefaultFileSystemProvider(),
|
|
112
|
+
fileAccessor: FileAccessorProviding = DefaultFileAccessor()
|
|
113
|
+
) {
|
|
114
|
+
self.fileSystem = fileSystem
|
|
115
|
+
self.fileAccessor = fileAccessor
|
|
116
|
+
}
|
|
117
|
+
|
|
118
|
+
public func sync() async throws {
|
|
119
|
+
guard let containerURL = fileSystem.containerURL(for: .sync) else {
|
|
120
|
+
throw SyncError.containerNotAvailable
|
|
121
|
+
}
|
|
122
|
+
let data = try fileAccessor.read(
|
|
123
|
+
from: containerURL.appendingPathComponent("data.json")
|
|
124
|
+
)
|
|
125
|
+
// Process data...
|
|
126
|
+
}
|
|
127
|
+
}
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
### 5. Write Tests with Swift Testing
|
|
131
|
+
|
|
132
|
+
```swift
|
|
133
|
+
import Testing
|
|
134
|
+
|
|
135
|
+
@Test("Sync manager handles missing container")
|
|
136
|
+
func testMissingContainer() async {
|
|
137
|
+
let mockFileSystem = MockFileSystemProvider(containerURL: nil)
|
|
138
|
+
let manager = SyncManager(fileSystem: mockFileSystem)
|
|
139
|
+
|
|
140
|
+
await #expect(throws: SyncError.containerNotAvailable) {
|
|
141
|
+
try await manager.sync()
|
|
142
|
+
}
|
|
143
|
+
}
|
|
144
|
+
|
|
145
|
+
@Test("Sync manager reads data correctly")
|
|
146
|
+
func testReadData() async throws {
|
|
147
|
+
let mockFileAccessor = MockFileAccessor()
|
|
148
|
+
mockFileAccessor.files[testURL] = testData
|
|
149
|
+
|
|
150
|
+
let manager = SyncManager(fileAccessor: mockFileAccessor)
|
|
151
|
+
let result = try await manager.loadData()
|
|
152
|
+
|
|
153
|
+
#expect(result == expectedData)
|
|
154
|
+
}
|
|
155
|
+
|
|
156
|
+
@Test("Sync manager handles read errors gracefully")
|
|
157
|
+
func testReadError() async {
|
|
158
|
+
let mockFileAccessor = MockFileAccessor()
|
|
159
|
+
mockFileAccessor.readError = CocoaError(.fileReadCorruptFile)
|
|
160
|
+
|
|
161
|
+
let manager = SyncManager(fileAccessor: mockFileAccessor)
|
|
162
|
+
|
|
163
|
+
await #expect(throws: SyncError.self) {
|
|
164
|
+
try await manager.sync()
|
|
165
|
+
}
|
|
166
|
+
}
|
|
167
|
+
```
|
|
168
|
+
|
|
169
|
+
## Best Practices
|
|
170
|
+
|
|
171
|
+
- **Single Responsibility**: Each protocol should handle one concern — don't create "god protocols" with many methods
|
|
172
|
+
- **Sendable conformance**: Required when protocols are used across actor boundaries
|
|
173
|
+
- **Default parameters**: Let production code use real implementations by default; only tests need to specify mocks
|
|
174
|
+
- **Error simulation**: Design mocks with configurable error properties for testing failure paths
|
|
175
|
+
- **Only mock boundaries**: Mock external dependencies (file system, network, APIs), not internal types
|
|
176
|
+
|
|
177
|
+
## Anti-Patterns to Avoid
|
|
178
|
+
|
|
179
|
+
- Creating a single large protocol that covers all external access
|
|
180
|
+
- Mocking internal types that have no external dependencies
|
|
181
|
+
- Using `#if DEBUG` conditionals instead of proper dependency injection
|
|
182
|
+
- Forgetting `Sendable` conformance when used with actors
|
|
183
|
+
- Over-engineering: if a type has no external dependencies, it doesn't need a protocol
|
|
184
|
+
|
|
185
|
+
## When to Use
|
|
186
|
+
|
|
187
|
+
- Any Swift code that touches file system, network, or external APIs
|
|
188
|
+
- Testing error handling paths that are hard to trigger in real environments
|
|
189
|
+
- Building modules that need to work in app, test, and SwiftUI preview contexts
|
|
190
|
+
- Apps using Swift concurrency (actors, structured concurrency) that need testable architecture
|