claude-code-starter 0.2.0 → 0.3.0

package/README.md

@@ -1,5 +1,12 @@
 # Claude Code Starter
 
+[![CI](https://github.com/cassmtnr/claude-code-starter/actions/workflows/pr-check.yml/badge.svg)](https://github.com/cassmtnr/claude-code-starter/actions/workflows/pr-check.yml)
+[![codecov](https://codecov.io/gh/cassmtnr/claude-code-starter/graph/badge.svg)](https://codecov.io/gh/cassmtnr/claude-code-starter)
+[![npm version](https://img.shields.io/npm/v/claude-code-starter.svg)](https://www.npmjs.com/package/claude-code-starter)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Node.js](https://img.shields.io/badge/Node.js-18%2B-green.svg)](https://nodejs.org/)
+[![Bun](https://img.shields.io/badge/Bun-compatible-f472b6.svg)](https://bun.sh/)
+
 Intelligent CLI that bootstraps Claude Code configurations tailored to your project's tech stack.
 
 ## Quick Start
@@ -39,12 +46,13 @@ Based on your stack, creates:
 
 ## Commands
 
-| Command           | Description         |
-| ----------------- | ------------------- |
-| `/task <desc>`    | Start a new task    |
-| `/status`         | Show current task   |
-| `/done`           | Mark task complete  |
-| `/analyze <area>` | Deep dive into code |
+| Command           | Description                              |
+| ----------------- | ---------------------------------------- |
+| `/task <desc>`    | Start a new task                         |
+| `/status`         | Show current task                        |
+| `/done`           | Mark task complete                       |
+| `/analyze <area>` | Deep dive into code                      |
+| `/code-review`    | Review changes for quality and security  |
 
 ## CLI Options
 
@@ -75,7 +83,7 @@ npx claude-code-starter --help    # Show help
 ✅ Configuration complete! (14 files)
 
 Generated for your stack:
-  📚 4 skills (pattern-discovery, testing-methodology, nextjs-patterns, ...)
+  📚 9 skills (pattern-discovery, iterative-development, security, nextjs-patterns, ...)
   🤖 2 agents (code-reviewer, test-writer)
   📏 2 rules
 ```
@@ -95,15 +103,21 @@ After running, your project will have:
 │   ├── task.md
 │   ├── status.md
 │   ├── done.md
-│   └── analyze.md
+│   ├── analyze.md
+│   └── code-review.md
 ├── rules/              # Code style rules
 │   ├── typescript.md   # (or python.md, etc.)
 │   └── code-style.md
-├── skills/             # Framework-specific patterns
+├── skills/             # Methodology guides + patterns
 │   ├── pattern-discovery.md
 │   ├── systematic-debugging.md
 │   ├── testing-methodology.md
-│   └── nextjs-patterns.md  # (or fastapi-patterns.md, etc.)
+│   ├── iterative-development.md
+│   ├── commit-hygiene.md
+│   ├── code-deduplication.md
+│   ├── simplicity-rules.md
+│   ├── security.md
+│   └── nextjs-patterns.md  # (framework-specific)
 └── state/
     └── task.md         # Current task tracking
 ```

package/dist/cli.js

@@ -539,6 +539,7 @@ function generateClaudeMd(projectInfo) {
   sections.push("| `/status` | Show current task state |");
   sections.push("| `/done` | Mark current task complete |");
   sections.push("| `/analyze <area>` | Deep-dive into specific code |");
+  sections.push("| `/code-review` | Review changes for quality and security |");
   sections.push("");
   sections.push("## Common Operations");
   sections.push("");
@@ -553,6 +554,18 @@ function generateClaudeMd(projectInfo) {
   sections.push("3. **Test Before Done** - Run tests before marking complete");
   sections.push("4. **Update State** - Keep task.md current as you work");
   sections.push("5. **Match Patterns** - Follow existing code conventions");
+  sections.push("6. **TDD Workflow** - Write failing tests first, then implement");
+  sections.push("");
+  sections.push("## Quality Gates");
+  sections.push("");
+  sections.push("Enforced constraints for code quality:");
+  sections.push("");
+  sections.push("| Constraint | Limit | Action |");
+  sections.push("|------------|-------|--------|");
+  sections.push("| Lines per function | 20 max | Decompose immediately |");
+  sections.push("| Parameters per function | 3 max | Use options object |");
+  sections.push("| Lines per file | 200 max | Split by responsibility |");
+  sections.push("| Test coverage | 80% min | Add tests before merge |");
   sections.push("");
   sections.push("## Skills");
   sections.push("");
@@ -757,9 +770,16 @@ function generateSettings(stack) {
 }
 function getSkillsForStack(stack) {
   const skills = [
+    // Core methodology skills
     { name: "pattern-discovery", description: "Finding codebase patterns" },
     { name: "systematic-debugging", description: "Debugging approach" },
-    { name: "testing-methodology", description: "Testing strategy" }
+    { name: "testing-methodology", description: "Testing strategy" },
+    // Process discipline skills
+    { name: "iterative-development", description: "TDD loops until tests pass" },
+    { name: "commit-hygiene", description: "Atomic commits and PR size limits" },
+    { name: "code-deduplication", description: "Prevent semantic code duplication" },
+    { name: "simplicity-rules", description: "Code complexity constraints" },
+    { name: "security", description: "Security patterns and secrets management" }
   ];
   if (stack.frameworks.includes("nextjs")) {
     skills.push({ name: "nextjs-patterns", description: "Next.js App Router patterns" });
@@ -783,6 +803,11 @@ function generateSkills(stack) {
   artifacts.push(generatePatternDiscoverySkill());
   artifacts.push(generateSystematicDebuggingSkill());
   artifacts.push(generateTestingMethodologySkill(stack));
+  artifacts.push(generateIterativeDevelopmentSkill(stack));
+  artifacts.push(generateCommitHygieneSkill());
+  artifacts.push(generateCodeDeduplicationSkill());
+  artifacts.push(generateSimplicityRulesSkill());
+  artifacts.push(generateSecuritySkill(stack));
   if (stack.frameworks.includes("nextjs")) {
     artifacts.push(generateNextJsSkill());
   }
@@ -1634,6 +1659,615 @@ describe('UsersService', () => {
     isNew: true
   };
 }
+function generateIterativeDevelopmentSkill(stack) {
+  const testCmd = getTestCommand(stack);
+  const lintCmd = getLintCommand(stack);
+  return {
+    type: "skill",
+    path: ".claude/skills/iterative-development.md",
+    content: `---
+name: iterative-development
+description: TDD-driven iterative loops until tests pass
+globs:
+  - "**/*.ts"
+  - "**/*.tsx"
+  - "**/*.js"
+  - "**/*.py"
+  - "**/*.go"
+---
+
+# Iterative Development (TDD Loops)
+
+Self-referential development loops where you iterate until completion criteria are met.
+
+## Core Philosophy
+
+\`\`\`
+\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+\u2502  ITERATION > PERFECTION                                     \u2502
+\u2502  Don't aim for perfect on first try.                        \u2502
+\u2502  Let the loop refine the work.                              \u2502
+\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+\u2502  FAILURES ARE DATA                                          \u2502
+\u2502  Failed tests, lint errors, type mismatches are signals.    \u2502
+\u2502  Use them to guide the next iteration.                      \u2502
+\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524
+\u2502  CLEAR COMPLETION CRITERIA                                  \u2502
+\u2502  Define exactly what "done" looks like.                     \u2502
+\u2502  Tests passing. Coverage met. Lint clean.                   \u2502
+\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+\`\`\`
+
+## TDD Workflow (Mandatory)
+
+Every implementation task MUST follow this workflow:
+
+### 1. RED: Write Tests First
+\`\`\`bash
+# Write tests based on requirements
+# Run tests - they MUST FAIL
+${testCmd}
+\`\`\`
+
+### 2. GREEN: Implement Feature
+\`\`\`bash
+# Write minimum code to pass tests
+# Run tests - they MUST PASS
+${testCmd}
+\`\`\`
+
+### 3. VALIDATE: Quality Gates
+\`\`\`bash
+# Full quality check
+${lintCmd ? `${lintCmd} && ` : ""}${testCmd}
+\`\`\`
+
+## Completion Criteria Template
+
+For any implementation task, define:
+
+\`\`\`markdown
+### Completion Criteria
+- [ ] All tests passing
+- [ ] Coverage >= 80% (on new code)
+- [ ] Lint clean (no errors)
+- [ ] Type check passing
+\`\`\`
+
+## When to Use This Workflow
+
+| Task Type | Use TDD Loop? |
+|-----------|---------------|
+| New feature | \u2705 Always |
+| Bug fix | \u2705 Always (write test that reproduces bug first) |
+| Refactoring | \u2705 Always (existing tests must stay green) |
+| Spike/exploration | \u274C Skip (but document findings) |
+| Documentation | \u274C Skip |
+
+## Anti-Patterns
+
+- \u274C Writing code before tests
+- \u274C Skipping the RED phase (tests that never fail are useless)
+- \u274C Moving on when tests fail
+- \u274C Large batches (prefer small, focused iterations)
+`,
+    isNew: true
+  };
+}
+function generateCommitHygieneSkill() {
+  return {
+    type: "skill",
+    path: ".claude/skills/commit-hygiene.md",
+    content: `---
+name: commit-hygiene
+description: Atomic commits, PR size limits, commit thresholds
+globs:
+  - "**/*"
+---
+
+# Commit Hygiene
+
+Keep commits atomic, PRs reviewable, and git history clean.
+
+## Size Thresholds
+
+| Metric | \u{1F7E2} Good | \u{1F7E1} Warning | \u{1F534} Commit Now |
+|--------|---------|------------|---------------|
+| Files changed | 1-5 | 6-10 | > 10 |
+| Lines added | < 150 | 150-300 | > 300 |
+| Total changes | < 250 | 250-400 | > 400 |
+
+**Research shows:** PRs > 400 lines have 40%+ defect rates vs 15% for smaller changes.
+
+## When to Commit
+
+### Commit Triggers (Any = Commit)
+
+| Trigger | Action |
+|---------|--------|
+| Test passes | Just got a test green \u2192 commit |
+| Feature complete | Finished a function \u2192 commit |
+| Refactor done | Renamed across files \u2192 commit |
+| Bug fixed | Fixed the issue \u2192 commit |
+| Threshold hit | > 5 files or > 200 lines \u2192 commit |
+
+### Commit Immediately If
+
+- \u2705 Tests are passing after being red
+- \u2705 You're about to make a "big change"
+- \u2705 You've been coding for 30+ minutes
+- \u2705 You're about to try something risky
+- \u2705 The current state is "working"
+
+## Atomic Commit Patterns
+
+### Good Commits \u2705
+
+\`\`\`
+"Add email validation to signup form"
+- 3 files: validator.ts, signup.tsx, signup.test.ts
+- 120 lines changed
+- Single purpose: email validation
+
+"Fix null pointer in user lookup"
+- 2 files: userService.ts, userService.test.ts
+- 25 lines changed
+- Single purpose: fix one bug
+\`\`\`
+
+### Bad Commits \u274C
+
+\`\`\`
+"Add authentication, fix bugs, update styles"
+- 25 files changed, 800 lines
+- Multiple unrelated purposes
+
+"WIP" / "Updates" / "Fix stuff"
+- Unknown scope, no clear purpose
+\`\`\`
+
+## Quick Status Check
+
+Run frequently to check current state:
+
+\`\`\`bash
+# See what's changed
+git status --short
+
+# Count changes
+git diff --shortstat
+
+# Full summary
+git diff --stat HEAD
+\`\`\`
+
+## PR Size Rules
+
+| PR Size | Review Time | Quality |
+|---------|-------------|---------|
+| < 200 lines | < 30 min | High confidence |
+| 200-400 lines | 30-60 min | Good confidence |
+| 400-1000 lines | 1-2 hours | Declining quality |
+| > 1000 lines | Often skipped | Rubber-stamped |
+
+**Best practice:** If a PR will be > 400 lines, split into stacked PRs.
+`,
+    isNew: true
+  };
+}
+function generateCodeDeduplicationSkill() {
+  return {
+    type: "skill",
+    path: ".claude/skills/code-deduplication.md",
+    content: `---
+name: code-deduplication
+description: Prevent semantic code duplication with capability index
+globs:
+  - "**/*.ts"
+  - "**/*.tsx"
+  - "**/*.js"
+  - "**/*.py"
+---
+
+# Code Deduplication
+
+Prevent semantic duplication by maintaining awareness of existing capabilities.
+
+## Core Principle
+
+\`\`\`
+\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+\u2502  CHECK BEFORE YOU WRITE                                         \u2502
+\u2502  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500  \u2502
+\u2502  AI doesn't copy/paste - it reimplements.                       \u2502
+\u2502  The problem isn't duplicate code, it's duplicate PURPOSE.      \u2502
+\u2502                                                                 \u2502
+\u2502  Before writing ANY new function:                               \u2502
+\u2502  1. Search codebase for similar functionality                   \u2502
+\u2502  2. Check utils/, helpers/, lib/ for existing implementations   \u2502
+\u2502  3. Extend existing code if possible                            \u2502
+\u2502  4. Only create new if nothing suitable exists                  \u2502
+\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+\`\`\`
+
+## Before Writing New Code
+
+### Search Checklist
+
+1. **Search by purpose**: "format date", "validate email", "fetch user"
+2. **Search common locations**:
+   - \`src/utils/\` or \`lib/\`
+   - \`src/helpers/\`
+   - \`src/common/\`
+   - \`src/shared/\`
+3. **Search by function signature**: Similar inputs/outputs
+
+### Common Duplicate Candidates
+
+| Category | Look For |
+|----------|----------|
+| Date/Time | formatDate, parseDate, isExpired, addDays |
+| Validation | isEmail, isPhone, isURL, isUUID |
+| Strings | slugify, truncate, capitalize, pluralize |
+| API | fetchUser, createItem, handleError |
+| Auth | validateToken, requireAuth, getCurrentUser |
+
+## If Similar Code Exists
+
+### Option 1: Reuse directly
+\`\`\`typescript
+// Import and use existing function
+import { formatDate } from '@/utils/dates';
+\`\`\`
+
+### Option 2: Extend with options
+\`\`\`typescript
+// Add optional parameter to existing function
+export function formatDate(
+  date: Date,
+  format: string = 'short',
+  locale?: string  // NEW: added locale support
+): string { ... }
+\`\`\`
+
+### Option 3: Compose from existing
+\`\`\`typescript
+// Build on existing utilities
+export function formatDateRange(start: Date, end: Date) {
+  return \`\${formatDate(start)} - \${formatDate(end)}\`;
+}
+\`\`\`
+
+## File Header Pattern
+
+Document what each file provides:
+
+\`\`\`typescript
+/**
+ * @file User validation utilities
+ * @description Email, phone, and identity validation functions.
+ *
+ * Key exports:
+ * - isEmail(email) - Validates email format
+ * - isPhone(phone, country?) - Validates phone with country
+ * - isValidUsername(username) - Checks username rules
+ */
+\`\`\`
+
+## Anti-Patterns
+
+- \u274C Writing date formatter without checking utils/
+- \u274C Creating new API client when one exists
+- \u274C Duplicating validation logic across files
+- \u274C Copy-pasting functions between files
+- \u274C "I'll refactor later" (you won't)
+`,
+    isNew: true
+  };
+}
+function generateSimplicityRulesSkill() {
+  return {
+    type: "skill",
+    path: ".claude/skills/simplicity-rules.md",
+    content: `---
+name: simplicity-rules
+description: Enforced code complexity constraints
+globs:
+  - "**/*.ts"
+  - "**/*.tsx"
+  - "**/*.js"
+  - "**/*.py"
+  - "**/*.go"
+---
+
+# Simplicity Rules
+
+Complexity is the enemy. Every line of code is a liability.
+
+## Enforced Limits
+
+**CRITICAL: These limits are non-negotiable. Check and enforce for EVERY file.**
+
+### Function Level
+
+| Constraint | Limit | Action if Exceeded |
+|------------|-------|-------------------|
+| Lines per function | 20 max | Decompose immediately |
+| Parameters | 3 max | Use options object |
+| Nesting levels | 2 max | Flatten with early returns |
+
+### File Level
+
+| Constraint | Limit | Action if Exceeded |
+|------------|-------|-------------------|
+| Lines per file | 200 max | Split by responsibility |
+| Functions per file | 10 max | Split into modules |
+
+### Module Level
+
+| Constraint | Limit | Reason |
+|------------|-------|--------|
+| Directory nesting | 3 levels max | Flat is better |
+| Circular deps | 0 | Never acceptable |
+
+## Enforcement Protocol
+
+**Before completing ANY file:**
+
+\`\`\`
+1. Count total lines     \u2192 if > 200, STOP and split
+2. Count functions       \u2192 if > 10, STOP and split
+3. Check function length \u2192 if any > 20 lines, decompose
+4. Check parameters      \u2192 if any > 3, refactor to options object
+\`\`\`
+
+## Violation Response
+
+When limits are exceeded:
+
+\`\`\`
+\u26A0\uFE0F FILE SIZE VIOLATION DETECTED
+
+[filename] has [X] lines (limit: 200)
+
+Splitting into:
+- [filename-a].ts - [responsibility A]
+- [filename-b].ts - [responsibility B]
+\`\`\`
+
+**Never defer refactoring.** Fix violations immediately.
+
+## Decomposition Patterns
+
+### Long Function \u2192 Multiple Functions
+
+\`\`\`typescript
+// BEFORE: 40 lines
+function processOrder(order) {
+  // validate... 10 lines
+  // calculate totals... 15 lines
+  // apply discounts... 10 lines
+  // save... 5 lines
+}
+
+// AFTER: 4 functions, each < 15 lines
+function processOrder(order) {
+  validateOrder(order);
+  const totals = calculateTotals(order);
+  const finalPrice = applyDiscounts(totals, order.coupons);
+  return saveOrder({ ...order, finalPrice });
+}
+\`\`\`
+
+### Many Parameters \u2192 Options Object
+
+\`\`\`typescript
+// BEFORE: 6 parameters
+function createUser(name, email, password, role, team, settings) { }
+
+// AFTER: 1 options object
+interface CreateUserOptions {
+  name: string;
+  email: string;
+  password: string;
+  role?: string;
+  team?: string;
+  settings?: UserSettings;
+}
+function createUser(options: CreateUserOptions) { }
+\`\`\`
+
+### Deep Nesting \u2192 Early Returns
+
+\`\`\`typescript
+// BEFORE: 4 levels deep
+function process(data) {
+  if (data) {
+    if (data.valid) {
+      if (data.items) {
+        for (const item of data.items) {
+          // actual logic here
+        }
+      }
+    }
+  }
+}
+
+// AFTER: 1 level deep
+function process(data) {
+  if (!data?.valid || !data.items) return;
+
+  for (const item of data.items) {
+    // actual logic here
+  }
+}
+\`\`\`
+
+## Anti-Patterns
+
+- \u274C God objects/files (do everything)
+- \u274C "Just one more line" (compound violations)
+- \u274C "I'll split it later" (you won't)
+- \u274C Deep inheritance hierarchies
+- \u274C Complex conditionals without extraction
+`,
+    isNew: true
+  };
+}
+function generateSecuritySkill(stack) {
+  const isJS = stack.languages.includes("typescript") || stack.languages.includes("javascript");
+  const isPython = stack.languages.includes("python");
+  return {
+    type: "skill",
+    path: ".claude/skills/security.md",
+    content: `---
+name: security
+description: Security best practices, secrets management, OWASP patterns
+globs:
+  - "**/*"
+---
+
+# Security Best Practices
+
+Security is not optional. Every project must pass security checks.
+
+## Required .gitignore Entries
+
+**NEVER commit these:**
+
+\`\`\`gitignore
+# Environment files
+.env
+.env.*
+!.env.example
+
+# Secrets and credentials
+*.pem
+*.key
+*.p12
+credentials.json
+secrets.json
+*-credentials.json
+service-account*.json
+
+# IDE secrets
+.idea/
+.vscode/settings.json
+\`\`\`
+
+## Environment Variables
+
+### Create .env.example
+
+Document required vars without values:
+
+\`\`\`bash
+# Server-side only (never expose to client)
+DATABASE_URL=
+API_SECRET_KEY=
+ANTHROPIC_API_KEY=
+
+# Client-side safe (public, non-sensitive)
+${isJS ? "VITE_API_URL=\nNEXT_PUBLIC_SITE_URL=" : "API_BASE_URL="}
+\`\`\`
+
+${isJS ? `### Frontend Exposure Rules
+
+| Framework | Client-Exposed Prefix | Server-Only |
+|-----------|----------------------|-------------|
+| Vite | \`VITE_*\` | No prefix |
+| Next.js | \`NEXT_PUBLIC_*\` | No prefix |
+| CRA | \`REACT_APP_*\` | N/A |
+
+**CRITICAL:** Never put secrets in client-exposed env vars!
+
+\`\`\`typescript
+// \u274C WRONG - Secret exposed to browser
+const key = import.meta.env.VITE_API_SECRET;
+
+// \u2705 CORRECT - Secret stays server-side
+const key = process.env.API_SECRET; // in API route only
+\`\`\`
+` : ""}
+
+### Validate at Startup
+
+${isJS ? `\`\`\`typescript
+import { z } from 'zod';
+
+const envSchema = z.object({
+  DATABASE_URL: z.string().url(),
+  API_SECRET_KEY: z.string().min(32),
+  NODE_ENV: z.enum(['development', 'production', 'test']),
+});
+
+export const env = envSchema.parse(process.env);
+\`\`\`` : ""}
+${isPython ? `\`\`\`python
+from pydantic_settings import BaseSettings
+
+class Settings(BaseSettings):
+    database_url: str
+    api_secret_key: str
+    environment: str = "development"
+
+    class Config:
+        env_file = ".env"
+
+settings = Settings()
+\`\`\`` : ""}
+
+## OWASP Top 10 Checklist
+
+| Vulnerability | Prevention |
+|---------------|------------|
+| Injection (SQL, NoSQL, Command) | Parameterized queries, input validation |
+| Broken Auth | Secure session management, MFA |
+| Sensitive Data Exposure | Encryption at rest and in transit |
+| XXE | Disable external entity processing |
+| Broken Access Control | Verify permissions on every request |
+| Security Misconfiguration | Secure defaults, minimal permissions |
+| XSS | Output encoding, CSP headers |
+| Insecure Deserialization | Validate all serialized data |
+| Using Vulnerable Components | Keep dependencies updated |
+| Insufficient Logging | Log security events, monitor |
+
+## Input Validation
+
+\`\`\`
+RULE: Never trust user input. Validate everything.
+
+- Validate type, length, format, range
+- Sanitize before storage
+- Encode before output
+- Use allowlists over denylists
+\`\`\`
+
+## Secrets Detection
+
+Before committing, check for:
+
+- API keys (usually 32+ chars, specific patterns)
+- Passwords in code
+- Connection strings with credentials
+- Private keys (BEGIN RSA/EC/PRIVATE KEY)
+- Tokens (jwt, bearer, oauth)
+
+## Security Review Checklist
+
+Before PR merge:
+
+- [ ] No secrets in code or config
+- [ ] Input validation on all user data
+- [ ] Output encoding where displayed
+- [ ] Authentication checked on protected routes
+- [ ] Authorization verified for resources
+- [ ] Dependencies scanned for vulnerabilities
+- [ ] Error messages don't leak internals
+`,
+    isNew: true
+  };
+}
 function getAgentsForStack(stack) {
   const agents = [
     { name: "code-reviewer", description: "Reviews code for quality and security" },
@@ -1948,7 +2582,8 @@ function generateCommands() {
     generateTaskCommand(),
     generateStatusCommand(),
     generateDoneCommand(),
-    generateAnalyzeCommand()
+    generateAnalyzeCommand(),
+    generateCodeReviewCommand()
   ];
 }
 function generateTaskCommand() {
@@ -2092,6 +2727,71 @@ Any improvements or concerns noted.
     isNew: true
   };
 }
+function generateCodeReviewCommand() {
+  return {
+    type: "command",
+    path: ".claude/commands/code-review.md",
+    content: `---
+allowed-tools: Read, Glob, Grep, Bash(git diff), Bash(git status), Bash(git log)
+description: Review code changes for quality, security, and best practices
+---
+
+# Code Review
+
+## Changes to Review
+
+!git diff --stat HEAD~1 2>/dev/null || git diff --stat
+
+## Review Process
+
+Analyze all changes for:
+
+### 1. Security (Critical)
+- [ ] No secrets/credentials in code
+- [ ] Input validation present
+- [ ] Output encoding where needed
+- [ ] Auth/authz checks on protected routes
+
+### 2. Quality
+- [ ] Functions \u2264 20 lines
+- [ ] Files \u2264 200 lines
+- [ ] No code duplication
+- [ ] Clear naming
+- [ ] Proper error handling
+
+### 3. Testing
+- [ ] Tests exist for new code
+- [ ] Edge cases covered
+- [ ] Tests are meaningful (not just for coverage)
+
+### 4. Style
+- [ ] Matches existing patterns
+- [ ] Consistent formatting
+- [ ] No commented-out code
+
+## Output Format
+
+For each finding, include file:line reference:
+
+### Critical (Must Fix)
+Issues that block merge
+
+### Warning (Should Fix)
+Issues that should be addressed
+
+### Suggestion (Consider)
+Optional improvements
+
+## Summary
+
+Provide:
+1. Overall assessment (Ready / Changes Needed / Not Ready)
+2. Count of findings by severity
+3. Top priorities to address
+`,
+    isNew: true
+  };
+}
 function formatLanguage(lang) {
   const names = {
     typescript: "TypeScript",
@@ -2203,15 +2903,14 @@ ${pc.bold("MORE INFO")}
 `);
 }
 function showBanner() {
-  console.log(pc.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
-  console.log(pc.cyan(`\u2551   Claude Code Starter v${VERSION.padEnd(24)}\u2551`));
-  console.log(pc.cyan("\u2551   Intelligent AI-Assisted Development Setup     \u2551"));
-  console.log(pc.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+  console.log();
+  console.log(pc.bold("Claude Code Starter") + pc.gray(` v${VERSION}`));
+  console.log(pc.gray("Intelligent AI-Assisted Development Setup"));
   console.log();
 }
 function showTechStack(projectInfo, verbose) {
   const { techStack } = projectInfo;
-  console.log(pc.blue("\u{1F4CA} Tech Stack Analysis"));
+  console.log(pc.bold("Tech Stack"));
   console.log();
   if (techStack.primaryLanguage) {
     console.log(`  ${pc.bold("Language:")} ${formatLanguage2(techStack.primaryLanguage)}`);
@@ -2251,7 +2950,7 @@ async function promptNewProject(args) {
   if (!args.interactive) {
     return null;
   }
-  console.log(pc.yellow("\u{1F195} New project detected - let's set it up!"));
+  console.log(pc.yellow("New project detected - let's set it up!"));
   console.log();
   const response = await prompts([
     {
@@ -2441,7 +3140,7 @@ async function main() {
   }
   showBanner();
   const projectDir = process.cwd();
-  console.log(pc.blue("\u{1F50D} Analyzing repository..."));
+  console.log(pc.gray("Analyzing repository..."));
   console.log();
   const projectInfo = analyzeRepository(projectDir);
   showTechStack(projectInfo, args.verbose);
@@ -2457,11 +3156,11 @@ async function main() {
       projectInfo.description = preferences.description;
     }
   } else {
-    console.log(pc.green(`\u{1F4C1} Existing project \xB7 ${projectInfo.fileCount} source files`));
+    console.log(pc.gray(`Existing project with ${projectInfo.fileCount} source files`));
     console.log();
   }
   if (projectInfo.techStack.hasClaudeConfig && !args.force) {
-    console.log(pc.yellow("\u26A0\uFE0F  Existing .claude/ configuration detected"));
+    console.log(pc.yellow("Existing .claude/ configuration detected"));
     console.log();
     if (args.interactive) {
       const { proceed } = await prompts({
@@ -2477,32 +3176,32 @@ async function main() {
     }
     console.log();
   }
-  console.log(pc.blue("\u2699\uFE0F  Generating Claude Code configuration..."));
+  console.log(pc.gray("Generating configuration..."));
   console.log();
   const result = generateArtifacts(projectInfo);
   const { created, updated, skipped } = writeArtifacts(result.artifacts, projectDir, args.force);
   if (created.length > 0) {
-    console.log(pc.green("  Created:"));
+    console.log(pc.green("Created:"));
     for (const file of created) {
-      console.log(pc.green(`    \u2713 ${file}`));
+      console.log(pc.green(`  + ${file}`));
     }
   }
   if (updated.length > 0) {
-    console.log(pc.blue("  Updated:"));
+    console.log(pc.blue("Updated:"));
     for (const file of updated) {
-      console.log(pc.blue(`    \u21BB ${file}`));
+      console.log(pc.blue(`  ~ ${file}`));
     }
   }
   if (skipped.length > 0 && args.verbose) {
-    console.log(pc.gray("  Preserved:"));
+    console.log(pc.gray("Preserved:"));
     for (const file of skipped) {
-      console.log(pc.gray(`    - ${file}`));
+      console.log(pc.gray(`  - ${file}`));
     }
   }
   console.log();
   createTaskFile(projectInfo, preferences);
   const totalFiles = created.length + updated.length;
-  console.log(pc.green(`\u2705 Configuration complete! (${totalFiles} files)`));
+  console.log(pc.green(`Done! (${totalFiles} files)`));
   console.log();
   console.log(pc.bold("Generated for your stack:"));
   const skills = result.artifacts.filter((a) => a.type === "skill");
@@ -2510,24 +3209,24 @@ async function main() {
   const rules = result.artifacts.filter((a) => a.type === "rule");
   if (skills.length > 0) {
     console.log(
-      `  \u{1F4DA} ${skills.length} skills (${skills.map((s) => path3.basename(s.path, ".md")).join(", ")})`
+      `  ${skills.length} skills (${skills.map((s) => path3.basename(s.path, ".md")).join(", ")})`
     );
   }
   if (agents.length > 0) {
     console.log(
-      `  \u{1F916} ${agents.length} agents (${agents.map((a) => path3.basename(a.path, ".md")).join(", ")})`
+      `  ${agents.length} agents (${agents.map((a) => path3.basename(a.path, ".md")).join(", ")})`
     );
   }
   if (rules.length > 0) {
-    console.log(`  \u{1F4CF} ${rules.length} rules`);
+    console.log(`  ${rules.length} rules`);
   }
   console.log();
   console.log(`${pc.cyan("Next step:")} Run ${pc.bold("claude")} to start working!`);
   console.log();
   if (!projectInfo.isExisting) {
-    console.log(pc.gray("\u{1F4A1} Tip: Use /task to define your first task"));
+    console.log(pc.gray("Tip: Use /task to define your first task"));
   } else {
-    console.log(pc.gray("\u{1F4A1} Tip: Use /analyze to explore specific areas of your codebase"));
+    console.log(pc.gray("Tip: Use /analyze to explore specific areas of your codebase"));
   }
 }
 main().catch((err) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-code-starter",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "A lightweight starter kit for AI-assisted development with Claude Code",
   "keywords": [
     "claude",