claudeinone-cli 1.0.1 → 1.0.3

package/kit/.claude/skills/arch-multi-tenant.md

@@ -0,0 +1,81 @@
+# Multi-Tenancy
+
+## Overview
+Multi-tenancy serves multiple organizations from a single application with isolated data.
+
+## Strategies
+| Strategy | Isolation | Complexity | Cost |
+|----------|-----------|------------|------|
+| Row-level (shared DB) | Low | Low | Low |
+| Schema-per-tenant | Medium | Medium | Medium |
+| Database-per-tenant | High | High | High |
+
+## Row-Level Isolation (Most Common)
+
+```typescript
+// Every query scoped by tenantId
+const posts = await prisma.post.findMany({
+  where: { tenantId: req.tenant.id },
+});
+
+// Middleware to inject tenant into every request
+export async function tenantMiddleware(req: Request, res: Response, next: NextFunction) {
+  const subdomain = req.hostname.split('.')[0];
+  const tenant = await prisma.tenant.findUnique({ where: { subdomain } });
+  if (!tenant) return res.status(404).json({ error: 'Tenant not found' });
+  req.tenant = tenant;
+  next();
+}
+```
+
+## Prisma Extension for Automatic Tenant Scoping
+
+```typescript
+import { PrismaClient } from '@prisma/client';
+
+export function createTenantClient(tenantId: string) {
+  return new PrismaClient().$extends({
+    query: {
+      $allModels: {
+        async findMany({ args, query }) {
+          args.where = { ...args.where, tenantId };
+          return query(args);
+        },
+        async create({ args, query }) {
+          args.data = { ...args.data, tenantId };
+          return query(args);
+        },
+      },
+    },
+  });
+}
+
+// Usage
+const db = createTenantClient(req.tenant.id);
+const users = await db.user.findMany(); // automatically scoped
+```
+
+## Tenant Resolution from Subdomain
+
+```typescript
+// middleware.ts (Next.js)
+import { NextRequest, NextResponse } from 'next/server';
+
+export function middleware(req: NextRequest) {
+  const hostname = req.headers.get('host') ?? '';
+  const subdomain = hostname.replace(`.${process.env.ROOT_DOMAIN}`, '');
+
+  if (subdomain && subdomain !== www) {
+    return NextResponse.rewrite(new URL(`/t/${subdomain}${req.nextUrl.pathname}`, req.url));
+  }
+}
+```
+
+## Best Practices
+- Add `tenantId` index on every multi-tenant table
+- Validate tenant access on every query (defense in depth)
+- Use Prisma extensions or middleware to enforce scoping automatically
+- Rate limit per tenant to prevent noisy-neighbor problems
+
+## Resources
+- [Prisma multi-tenancy guide](https://www.prisma.io/docs/guides/other/multi-tenancy)

package/kit/.claude/skills/arch-serverless.md

@@ -0,0 +1,86 @@
+# Serverless Patterns
+
+## Overview
+Design patterns for building reliable serverless applications on AWS Lambda, Vercel, and Cloudflare.
+
+## Lambda Handler Pattern
+
+```typescript
+import { APIGatewayProxyEvent, APIGatewayProxyResult, Context } from 'aws-lambda';
+
+// Initialize once outside handler
+const db = DynamoDBDocumentClient.from(new DynamoDBClient({}));
+
+export const handler = async (event: APIGatewayProxyEvent): Promise<APIGatewayProxyResult> => {
+  try {
+    const body = event.body ? JSON.parse(event.body) : {};
+    const result = await processRequest(body, db);
+    return { statusCode: 200, body: JSON.stringify(result) };
+  } catch (error) {
+    console.error('Handler error:', error);
+    return { statusCode: 500, body: JSON.stringify({ error: 'Internal server error' }) };
+  }
+};
+```
+
+## SQS Queue Consumer
+
+```typescript
+import { SQSEvent } from 'aws-lambda';
+
+export const handler = async (event: SQSEvent): Promise<void> => {
+  for (const record of event.Records) {
+    try {
+      const message = JSON.parse(record.body);
+      await processMessage(message);
+    } catch (error) {
+      console.error('Failed to process message:', record.messageId, error);
+      // Throw to move to DLQ after max retries
+      throw error;
+    }
+  }
+};
+```
+
+## Vercel Edge Function
+
+```typescript
+// app/api/edge/route.ts
+export const runtime = 'edge';
+
+export async function GET(req: Request) {
+  const country = req.headers.get('x-vercel-ip-country') ?? 'US';
+  const { searchParams } = new URL(req.url);
+  return Response.json({ country, q: searchParams.get('q') });
+}
+```
+
+## Cloudflare Durable Objects (Stateful Serverless)
+
+```typescript
+export class Counter implements DurableObject {
+  private count = 0;
+  constructor(state: DurableObjectState) {
+    state.blockConcurrencyWhile(async () => {
+      this.count = (await state.storage.get<number>('count')) ?? 0;
+    });
+  }
+
+  async fetch(req: Request) {
+    this.count++;
+    await (this as any).state.storage.put('count', this.count);
+    return Response.json({ count: this.count });
+  }
+}
+```
+
+## Best Practices
+- Initialize clients outside handler (reused on warm invocations)
+- Use SQS/EventBridge for async processing — don't block the function
+- Implement idempotency — Lambda can execute twice on retry
+- Set function timeout to 10-30s maximum; use queues for longer work
+- Use Lambda Layers for large shared dependencies
+
+## Resources
+- [AWS Lambda best practices](https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html)
+- [Serverless Land patterns](https://serverlessland.com/patterns)

package/kit/.claude/skills/auth-clerk.md

@@ -0,0 +1,97 @@
+# Clerk Authentication
+
+## Overview
+Clerk provides drop-in auth with React components, Next.js middleware, and a full user management dashboard.
+
+## Installation
+
+```bash
+npm install @clerk/nextjs
+```
+
+```env
+NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_...
+CLERK_SECRET_KEY=sk_test_...
+NEXT_PUBLIC_CLERK_SIGN_IN_URL=/sign-in
+NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
+NEXT_PUBLIC_CLERK_AFTER_SIGN_IN_URL=/dashboard
+```
+
+## Middleware
+
+```typescript
+// middleware.ts
+import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
+
+const isPublicRoute = createRouteMatcher(['/sign-in(.*)', '/sign-up(.*)', '/api/webhooks(.*)']);
+
+export default clerkMiddleware(async (auth, req) => {
+  if (!isPublicRoute(req)) await auth.protect();
+});
+
+export const config = { matcher: ['/((?!.*\..*|_next).*)', '/', '/(api|trpc)(.*)'] };
+```
+
+## Root Layout
+
+```tsx
+// app/layout.tsx
+import { ClerkProvider } from '@clerk/nextjs';
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return <ClerkProvider><html lang="en"><body>{children}</body></html></ClerkProvider>;
+}
+```
+
+## Navbar with Auth Buttons
+
+```tsx
+import { SignInButton, SignedIn, SignedOut, UserButton } from '@clerk/nextjs';
+
+export function Navbar() {
+  return (
+    <nav>
+      <SignedOut><SignInButton mode="modal" /></SignedOut>
+      <SignedIn><UserButton afterSignOutUrl="/" /></SignedIn>
+    </nav>
+  );
+}
+```
+
+## Server Component Auth
+
+```typescript
+import { auth, currentUser } from '@clerk/nextjs/server';
+import { redirect } from 'next/navigation';
+
+export default async function Dashboard() {
+  const { userId } = await auth();
+  if (!userId) redirect('/sign-in');
+  const user = await currentUser();
+  return <h1>Welcome, {user?.firstName}</h1>;
+}
+```
+
+## Sync to Database via Webhooks
+
+```typescript
+// app/api/webhooks/clerk/route.ts
+import { Webhook } from 'svix';
+import { WebhookEvent } from '@clerk/nextjs/server';
+
+export async function POST(req: Request) {
+  const wh = new Webhook(process.env.CLERK_WEBHOOK_SECRET!);
+  const payload = await req.text();
+  const headers = Object.fromEntries(['svix-id','svix-timestamp','svix-signature'].map(h => [h, req.headers.get(h)!]));
+  const evt = wh.verify(payload, headers) as WebhookEvent;
+
+  if (evt.type === 'user.created') {
+    await prisma.user.create({
+      data: { clerkId: evt.data.id, email: evt.data.email_addresses[0].email_address }
+    });
+  }
+  return Response.json({ received: true });
+}
+```
+
+## Resources
+- [Clerk Next.js quickstart](https://clerk.com/docs/quickstarts/nextjs)

package/kit/.claude/skills/auth-jwt.md

@@ -0,0 +1,143 @@
+# JWT (JSON Web Tokens)
+
+Stateless authentication using digitally signed tokens.
+
+## Token Structure
+
+JWTs consist of 3 parts separated by dots: `header.payload.signature`
+
+```
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
+eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
+SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
+```
+
+### Header
+```json
+{
+  "alg": "HS256",
+  "typ": "JWT"
+}
+```
+
+### Payload
+```json
+{
+  "sub": "1234567890",
+  "name": "John Doe",
+  "iat": 1516239022,
+  "exp": 1516242622,
+  "roles": ["user", "admin"]
+}
+```
+
+### Signature
+```
+HMACSHA256(
+  base64UrlEncode(header) + "." +
+  base64UrlEncode(payload),
+  secret
+)
+```
+
+## Implementation (Node.js + Express)
+
+```typescript
+import jwt from 'jsonwebtoken';
+
+const SECRET = process.env.JWT_SECRET!;
+
+// Create token
+function createToken(userId: string): string {
+  return jwt.sign(
+    { sub: userId, role: 'user' },
+    SECRET,
+    { expiresIn: '24h' }
+  );
+}
+
+// Verify token (middleware)
+function verifyToken(token: string) {
+  try {
+    return jwt.verify(token, SECRET);
+  } catch (err) {
+    throw new Error('Invalid token');
+  }
+}
+
+// Express middleware
+function authMiddleware(req, res, next) {
+  const token = req.headers.authorization?.split(' ')[1];
+  if (!token) return res.status(401).json({ error: 'No token' });
+  
+  try {
+    req.user = jwt.verify(token, SECRET);
+    next();
+  } catch (err) {
+    res.status(401).json({ error: 'Invalid token' });
+  }
+}
+
+// Route
+app.get('/profile', authMiddleware, (req, res) => {
+  res.json({ user_id: req.user.sub });
+});
+```
+
+## Refresh Tokens
+
+```typescript
+// Issue refresh token with longer expiry
+const refreshToken = jwt.sign(
+  { sub: userId },
+  REFRESH_SECRET,
+  { expiresIn: '7d' }
+);
+
+// Use refresh token to get new access token
+app.post('/refresh', (req, res) => {
+  const { refreshToken } = req.body;
+  try {
+    const decoded = jwt.verify(refreshToken, REFRESH_SECRET);
+    const newAccessToken = jwt.sign(
+      { sub: decoded.sub },
+      SECRET,
+      { expiresIn: '1h' }
+    );
+    res.json({ accessToken: newAccessToken });
+  } catch (err) {
+    res.status(401).json({ error: 'Invalid refresh token' });
+  }
+});
+```
+
+## Best Practices
+
+1. **Sign with strong secret**: Use environment variable, min 32 characters
+2. **Short expiry**: 15min - 1hr for access tokens
+3. **Refresh tokens**: Separate longer-lived tokens for token refresh
+4. **Always HTTPS**: Never transmit JWT over unencrypted connection
+5. **HttpOnly cookies**: Store tokens in httpOnly cookies if possible
+6. **Validate claims**: Check exp, iat, and custom claims
+7. **Revocation**: Maintain blacklist of invalidated tokens
+8. **RSA for microservices**: Use asymmetric crypto for inter-service auth
+
+## Claims (Standard)
+
+```json
+{
+  "iss": "issuer",
+  "sub": "subject (usually user ID)",
+  "aud": "audience",
+  "exp": 1516242622,
+  "nbf": 1516239022,
+  "iat": 1516239022,
+  "jti": "unique token ID"
+}
+```
+
+## Resources
+
+- [JWT.io](https://jwt.io/)
+- [RFC 7519 - JSON Web Token](https://tools.ietf.org/html/rfc7519)
+- [jsonwebtoken npm](https://www.npmjs.com/package/jsonwebtoken)

package/kit/.claude/skills/auth-lucia.md

@@ -0,0 +1,93 @@
+# Lucia Auth
+
+Simple and flexible authentication library for SvelteKit, Astro, and other frameworks.
+
+## Setup
+
+```bash
+npm install lucia @lucia-auth/adapter-prisma
+```
+
+## Prisma Schema
+
+```prisma
+model User {
+  id            String    @id @unique
+  primary_email String
+  created_at    DateTime  @default(now())
+
+  auth_session AuthSession[]
+  auth_key     AuthKey[]
+}
+
+model AuthSession {
+  id             String    @id @unique
+  user_id        String    @unique
+  user           User      @relation(references: [id], fields: [user_id], onDelete: Cascade)
+  active_expires BigInt
+  idle_expires   BigInt
+}
+
+model AuthKey {
+  id              String  @id @unique
+  hashed_password String?
+  user_id         String
+  user            User    @relation(references: [id], fields: [user_id], onDelete: Cascade)
+}
+```
+
+## Lucia Configuration
+
+```typescript
+import lucia from 'lucia';
+import { sveltekit } from 'lucia/middleware';
+import { prisma } from '@lucia-auth/adapter-prisma';
+import { dev } from '$app/environment';
+
+export const auth = lucia({
+  env: dev ? 'DEV' : 'PROD',
+  middleware: sveltekit(),
+  adapter: prisma(db),
+  getUserAttributes: (data) => {
+    return { email: data.primary_email };
+  }
+});
+```
+
+## Login/Signup
+
+```typescript
+// Sign up
+const user = await auth.createUser({
+  key: {
+    providerId: 'email',
+    providerUserId: email,
+    password: hashedPassword
+  },
+  attributes: { primary_email: email }
+});
+
+// Create session
+const session = await auth.createSession({ userId: user.userId });
+
+// Login
+const key = await auth.useKey('email', email, password);
+const session = await auth.createSession({ userId: key.userId });
+```
+
+## Session Management
+
+```typescript
+// Get session
+const { session, user } = await auth.validateSession(sessionId);
+
+// Invalidate session
+await auth.invalidateSession(sessionId);
+
+// Update session
+await auth.updateUserAttributes(userId, { primary_email: newEmail });
+```
+
+## Resources
+
+- [Lucia Docs](https://lucia-auth.com/)