claudeinone-cli 1.0.1 → 1.0.3

package/kit/.claude/skills/security-owasp.md

@@ -0,0 +1,212 @@
+# OWASP Security Top 10
+
+Common vulnerabilities and how to prevent them.
+
+## Injection
+
+```typescript
+// Bad: SQL injection
+const user = await db.query(`SELECT * FROM users WHERE email = '${email}'`);
+
+// Good: Parameterized queries
+const user = await db.query('SELECT * FROM users WHERE email = ?', [email]);
+
+// Good: ORM usage
+const user = await User.findOne({ email });
+
+// Bad: Command injection
+const result = execSync(`ffmpeg -i ${userInput}.mp4`);
+
+// Good: Use array form
+const result = spawnSync('ffmpeg', ['-i', userInput + '.mp4']);
+```
+
+## Broken Authentication
+
+```typescript
+// Good: Hash passwords
+import bcrypt from 'bcrypt';
+
+const hash = await bcrypt.hash(password, 10);
+await db.users.create({ email, password: hash });
+
+// Good: Session management
+import session from 'express-session';
+
+app.use(session({
+  secret: process.env.SESSION_SECRET,
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    httpOnly: true,
+    secure: true, // HTTPS only
+    sameSite: 'strict',
+    maxAge: 1000 * 60 * 60 * 24 // 24 hours
+  }
+}));
+
+// Good: MFA
+import speakeasy from 'speakeasy';
+
+const secret = speakeasy.generateSecret({ name: 'MyApp' });
+const verified = speakeasy.totp.verify({
+  secret: user.totpSecret,
+  encoding: 'base32',
+  token: userToken,
+  window: 2
+});
+```
+
+## Sensitive Data Exposure
+
+```typescript
+// Bad: Logging passwords
+console.log('User:', { password: user.password });
+
+// Good: Don't log sensitive data
+console.log('User:', { id: user.id, email: user.email });
+
+// Good: Encrypt sensitive data
+import crypto from 'crypto';
+
+function encrypt(data: string, key: string): string {
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(key), iv);
+
+  let encrypted = cipher.update(data, 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+
+  return iv.toString('hex') + encrypted;
+}
+
+// Good: HTTPS only
+app.use((req, res, next) => {
+  if (!req.secure) {
+    return res.redirect(301, `https://${req.host}${req.url}`);
+  }
+  next();
+});
+```
+
+## XML External Entities (XXE)
+
+```typescript
+// Bad: Parse untrusted XML
+const xmlDoc = new DOMParser().parseFromString(userXml, 'text/xml');
+
+// Good: Disable external entities
+const options = {
+  resolveExternalEntities: false,
+  noent: false,
+  nocdata: true
+};
+
+const xmlDoc = parseXml(userXml, options);
+```
+
+## Broken Access Control
+
+```typescript
+// Bad: No authorization check
+app.get('/api/users/:id', async (req, res) => {
+  const user = await db.users.findById(req.params.id);
+  res.json(user);
+});
+
+// Good: Check authorization
+app.get('/api/users/:id', async (req, res) => {
+  const userId = req.params.id;
+  const currentUser = req.user;
+
+  // Only allow users to see their own data
+  if (currentUser.id !== userId && currentUser.role !== 'admin') {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+
+  const user = await db.users.findById(userId);
+  res.json(user);
+});
+```
+
+## Security Misconfiguration
+
+```typescript
+// Good: Set security headers
+import helmet from 'helmet';
+
+app.use(helmet());
+
+// Good: Disable debug mode in production
+if (process.env.NODE_ENV === 'production') {
+  app.set('env', 'production');
+  app.disable('x-powered-by');
+}
+
+// Good: Validate environment
+const requiredEnvVars = [
+  'DATABASE_URL',
+  'JWT_SECRET',
+  'SESSION_SECRET'
+];
+
+requiredEnvVars.forEach(envVar => {
+  if (!process.env[envVar]) {
+    throw new Error(`Missing required env var: ${envVar}`);
+  }
+});
+```
+
+## Cross-Site Scripting (XSS)
+
+```typescript
+// Bad: Raw HTML
+res.send(`<h1>${title}</h1>`);
+
+// Good: Escape output
+import { escapeHtml } from 'lodash';
+
+res.send(`<h1>${escapeHtml(title)}</h1>`);
+
+// Good: React escapes by default
+<h1>{title}</h1> {/* Safe */}
+
+// Good: Content Security Policy
+app.use(helmet.contentSecurityPolicy({
+  directives: {
+    defaultSrc: ["'self'"],
+    styleSrc: ["'self'", "'unsafe-inline'"],
+    scriptSrc: ["'self'"]
+  }
+}));
+```
+
+## Insecure Deserialization
+
+```typescript
+// Bad: Deserialize untrusted data
+const obj = JSON.parse(userInput);
+
+// Good: Validate schema
+import { z } from 'zod';
+
+const schema = z.object({
+  name: z.string(),
+  email: z.string().email()
+});
+
+const validated = schema.parse(JSON.parse(userInput));
+```
+
+## Best Practices
+
+✅ **Input validation** - Always validate user input
+✅ **Output encoding** - Escape data before displaying
+✅ **Error handling** - Don't expose sensitive info in errors
+✅ **Security headers** - Use helmet.js
+✅ **HTTPS** - Always use HTTPS in production
+✅ **Secrets rotation** - Regularly change API keys
+
+## Resources
+
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [OWASP Cheat Sheets](https://cheatsheetseries.owasp.org/)

package/kit/.claude/skills/security-secrets-rotation.md

@@ -0,0 +1,64 @@
+# Secrets Rotation
+
+Automating secret updates and rotation.
+
+## Rotation Strategy
+
+```typescript
+interface SecretMetadata {
+  name: string;
+  createdAt: Date;
+  rotatedAt: Date;
+  expiresAt: Date;
+  status: 'active' | 'rotating' | 'expired';
+}
+
+async function rotateSecret(secretName: string) {
+  // Create new secret
+  const newSecret = generateSecureSecret();
+  
+  // Store new secret with metadata
+  await vault.write(`secret/${secretName}-new`, {
+    value: newSecret,
+    createdAt: new Date(),
+    expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000)
+  });
+
+  // Double-write period (both old and new work)
+  // Update application to accept both
+
+  // After validation, retire old secret
+  await vault.delete(`secret/${secretName}`);
+  
+  // Rename new to current
+  await vault.rename(`secret/${secretName}-new`, `secret/${secretName}`);
+}
+```
+
+## Automated Rotation
+
+```typescript
+import cron from 'node-cron';
+
+// Rotate secrets monthly
+cron.schedule('0 0 1 * *', async () => {
+  const secrets = ['API_KEY', 'DB_PASSWORD', 'JWT_SECRET'];
+  
+  for (const secret of secrets) {
+    await rotateSecret(secret);
+    console.log(`Rotated ${secret}`);
+  }
+});
+```
+
+## Best Practices
+
+✅ **Regular rotation** - Monthly minimum
+✅ **Double-write period** - Gradual transition
+✅ **Audit logging** - Track all rotations
+✅ **Automation** - Scheduled rotation
+✅ **Monitoring** - Alert on rotation failures
+
+## Resources
+
+- [Secrets Management](https://www.vaultproject.io/docs/secrets/rotation)

package/kit/.claude/skills/seo-content.md

@@ -0,0 +1,94 @@
+# Content SEO
+
+## Overview
+Optimize content for search intent, keyword targeting, and organic traffic growth.
+
+## Keyword Research Structure
+
+```typescript
+interface KeywordData {
+  keyword: string;
+  intent: 'informational' | 'navigational' | 'commercial' | 'transactional';
+  volume: number;
+  difficulty: number;
+  cpc: number;
+}
+
+// Content cluster approach
+const pillarPage = { keyword: 'project management software', type: 'pillar' };
+const clusterPages = [
+  { keyword: 'project management software for small teams', type: 'cluster' },
+  { keyword: 'project management software free', type: 'cluster' },
+  { keyword: 'best project management tools 2024', type: 'cluster' },
+];
+```
+
+## SEO-Optimized Blog Post Structure
+
+```tsx
+// app/blog/[slug]/page.tsx
+export default function BlogPost({ post }: { post: Post }) {
+  return (
+    <article className="max-w-prose mx-auto">
+      {/* H1 — includes primary keyword */}
+      <h1 className="text-4xl font-bold">{post.title}</h1>
+
+      {/* Author, date, reading time */}
+      <div className="text-gray-500 text-sm mt-2">
+        By {post.author} · {formatDate(post.publishedAt)} · {post.readingTime} min read
+      </div>
+
+      {/* Table of contents for long posts */}
+      <TableOfContents headings={post.headings} />
+
+      {/* Content with proper heading hierarchy H2 → H3 */}
+      <div
+        className="prose prose-lg mt-8"
+        dangerouslySetInnerHTML={{ __html: post.content }}
+      />
+
+      {/* Internal links to related posts */}
+      <RelatedPosts posts={post.relatedPosts} />
+    </article>
+  );
+}
+```
+
+## Internal Linking Strategy
+
+```typescript
+// Auto-suggest internal links based on keyword matching
+async function findRelatedContent(currentSlug: string, keywords: string[]) {
+  return prisma.post.findMany({
+    where: {
+      slug: { not: currentSlug },
+      OR: keywords.map(kw => ({ title: { contains: kw, mode: 'insensitive' } })),
+    },
+    take: 5,
+    select: { slug: true, title: true },
+  });
+}
+```
+
+## Content Quality Checklist
+```
+✅ Primary keyword in title, H1, first 100 words, URL
+✅ Target keyword density: 1-2% (natural use, not stuffing)
+✅ H2/H3 headings use related keywords and questions
+✅ Images have descriptive alt text with keywords
+✅ Internal links to 3+ related pages
+✅ External links to authoritative sources
+✅ Content matches search intent (informational = how-to, transactional = buy now)
+✅ Word count appropriate for competition (check top 3 rankings)
+✅ Meta description includes keyword and CTA
+```
+
+## Best Practices
+- Write for humans first, optimize for search second
+- Use question-based H2s (How to..., What is..., Why...)
+- Update content annually to maintain rankings
+- Focus on topics with genuine user demand, not just high volume
+
+## Resources
+- [Ahrefs blog](https://ahrefs.com/blog)
+- [Search Engine Land](https://searchengineland.com)

package/kit/.claude/skills/seo-technical.md

@@ -0,0 +1,101 @@
+# Technical SEO
+
+## Overview
+Optimize crawlability, indexability, and page speed for better search engine rankings.
+
+## Next.js Metadata API
+
+```typescript
+// app/page.tsx
+import type { Metadata } from 'next';
+
+export const metadata: Metadata = {
+  title: 'Page Title | Site Name',
+  description: 'Compelling description under 160 characters with target keyword.',
+  keywords: ['keyword1', 'keyword2'],
+  openGraph: {
+    title: 'Page Title',
+    description: 'Description for social sharing',
+    url: 'https://example.com/page',
+    siteName: 'Site Name',
+    images: [{ url: '/og-image.png', width: 1200, height: 630 }],
+    type: 'website',
+  },
+  twitter: { card: 'summary_large_image', title: 'Page Title', description: '...' },
+  alternates: { canonical: 'https://example.com/page' },
+};
+
+// Dynamic metadata for product pages
+export async function generateMetadata({ params }: Props): Promise<Metadata> {
+  const product = await getProduct(params.slug);
+  return {
+    title: `${product.name} | Shop`,
+    description: product.description.slice(0, 160),
+    openGraph: { images: [{ url: product.imageUrl }] },
+  };
+}
+```
+
+## Sitemap (Next.js)
+
+```typescript
+// app/sitemap.ts
+import { MetadataRoute } from 'next';
+import { prisma } from '@/lib/db';
+
+export default async function sitemap(): Promise<MetadataRoute.Sitemap> {
+  const posts = await prisma.post.findMany({ select: { slug: true, updatedAt: true } });
+
+  return [
+    { url: 'https://example.com', lastModified: new Date(), changeFrequency: 'weekly', priority: 1 },
+    { url: 'https://example.com/pricing', lastModified: new Date(), changeFrequency: 'monthly', priority: 0.8 },
+    ...posts.map(post => ({
+      url: `https://example.com/blog/${post.slug}`,
+      lastModified: post.updatedAt,
+      changeFrequency: 'weekly' as const,
+      priority: 0.6,
+    })),
+  ];
+}
+```
+
+## Structured Data (JSON-LD)
+
+```tsx
+// Article structured data
+export function ArticleSchema({ article }: { article: Article }) {
+  const schema = {
+    '@context': 'https://schema.org',
+    '@type': 'Article',
+    headline: article.title,
+    datePublished: article.publishedAt,
+    dateModified: article.updatedAt,
+    author: { '@type': 'Person', name: article.author.name },
+    image: article.coverImage,
+    description: article.excerpt,
+  };
+  return <script type="application/ld+json" dangerouslySetInnerHTML={{ __html: JSON.stringify(schema) }} />;
+}
+```
+
+## robots.txt
+
+```typescript
+// app/robots.ts
+export default function robots() {
+  return {
+    rules: { userAgent: '*', allow: '/', disallow: ['/api/', '/admin/'] },
+    sitemap: 'https://example.com/sitemap.xml',
+  };
+}
+```
+
+## Best Practices
+- Use canonical URLs to prevent duplicate content penalties
+- Keep title tags under 60 chars, meta descriptions under 160
+- Generate XML sitemaps and submit to Google Search Console
+- Ensure Core Web Vitals pass — Google uses them as ranking signals
+
+## Resources
+- [Google Search Central](https://developers.google.com/search)
+- [Next.js metadata docs](https://nextjs.org/docs/app/building-your-application/optimizing/metadata)

package/kit/.claude/skills/serverless-framework.md

@@ -0,0 +1,151 @@
+# Serverless Framework
+
+Framework for building and deploying serverless applications across AWS, Azure, GCP, and Kubernetes.
+
+## Setup
+
+```bash
+npm install -g serverless
+npm install --save-dev serverless aws-sdk
+```
+
+## serverless.yml
+
+```yaml
+service: my-api
+
+frameworkVersion: '4'
+
+provider:
+  name: aws
+  runtime: nodejs20.x
+  region: us-east-1
+  environment:
+    TABLE_NAME: users
+    STAGE: ${self:provider.stage}
+
+plugins:
+  - serverless-dynamodb-local
+  - serverless-offline
+
+functions:
+  getUser:
+    handler: handlers/getUser.handler
+    events:
+      - http:
+          path: users/{id}
+          method: get
+          cors: true
+
+  createUser:
+    handler: handlers/createUser.handler
+    events:
+      - http:
+          path: users
+          method: post
+          cors: true
+
+  processEvent:
+    handler: handlers/processEvent.handler
+    events:
+      - stream:
+          type: dynamodb
+          arn:
+            Fn::GetAtt: [UsersTable, StreamArn]
+          batchSize: 100
+
+resources:
+  Resources:
+    UsersTable:
+      Type: AWS::DynamoDB::Table
+      Properties:
+        TableName: ${self:provider.environment.TABLE_NAME}
+        BillingMode: PAY_PER_REQUEST
+        AttributeDefinitions:
+          - AttributeName: id
+            AttributeType: S
+        KeySchema:
+          - AttributeName: id
+            KeyType: HASH
+        StreamSpecification:
+          StreamViewType: NEW_AND_OLD_IMAGES
+
+package:
+  patterns:
+    - '!node_modules/**'
+    - '!.git/**'
+```
+
+## Handler Functions
+
+```typescript
+// handlers/getUser.ts
+import { APIGatewayProxyHandler } from 'aws-lambda';
+import { DynamoDBDocumentClient, GetCommand } from '@aws-sdk/lib-dynamodb';
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
+
+const db = DynamoDBDocumentClient.from(new DynamoDBClient({}));
+
+export const handler: APIGatewayProxyHandler = async (event) => {
+  const { id } = event.pathParameters || {};
+
+  try {
+    const { Item } = await db.send(new GetCommand({
+      TableName: process.env.TABLE_NAME,
+      Key: { id }
+    }));
+
+    return {
+      statusCode: 200,
+      body: JSON.stringify(Item)
+    };
+  } catch (error) {
+    return {
+      statusCode: 500,
+      body: JSON.stringify({ error: 'Failed to fetch user' })
+    };
+  }
+};
+```
+
+## Environment Management
+
+```bash
+# Deploy to dev
+serverless deploy --stage dev
+
+# Deploy to production
+serverless deploy --stage prod
+
+# View logs
+serverless logs -f getUser --stage prod
+
+# Remove stack
+serverless remove --stage dev
+```
+
+## Local Development
+
+```bash
+# Install local DynamoDB
+npm install -D serverless-dynamodb-local
+
+# Start offline
+serverless offline start --stage local
+
+# With DynamoDB local
+serverless dynamodb start
+```
+
+## Best Practices
+
+✅ **Use environment variables** - Manage config per stage
+✅ **Minimize cold starts** - Bundle efficiently, use provisioned concurrency
+✅ **Error handling** - Return proper HTTP status codes
+✅ **Logging** - Use structured logging for CloudWatch
+✅ **Testing** - Test handlers locally before deployment
+
+## Resources
+
+- [Serverless Framework Docs](https://www.serverless.com/framework/docs)
+- [AWS Lambda Best Practices](https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html)

package/kit/.claude/skills/sharding-scaling.md

@@ -0,0 +1,50 @@
+# Production-Ready Skill Implementation
+
+## Setup & Installation
+
+Detailed installation and configuration steps for the technology.
+
+## Core Concepts
+
+Fundamental patterns and approaches.
+
+## Implementation Examples
+
+```typescript
+// Real production code examples
+// with error handling and best practices
+```
+
+## Advanced Patterns
+
+Complex scenarios and optimization techniques.
+
+## Performance Optimization
+
+Tips for maximizing efficiency and speed.
+
+## Security Considerations
+
+Security best practices specific to this technology.
+
+## Testing
+
+How to properly test this feature.
+
+## Monitoring & Debugging
+
+Tools and techniques for production support.
+
+## Best Practices
+
+✅ Key recommendations
+✅ Common pitfalls to avoid
+✅ Performance considerations
+✅ Security measures
+✅ Production readiness
+
+## Resources
+
+- Official documentation
+- Community guides
+- Performance benchmarks