npm - claudient - Versions diffs - 0.1.0 - Mend

claudient 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (283) hide show

package/.claude-plugin/plugin.json +42 -0
package/CONTEXT.md +58 -0
package/README.md +165 -0
package/agents/build-resolvers/de/python-resolver.md +64 -0
package/agents/build-resolvers/de/typescript-resolver.md +65 -0
package/agents/build-resolvers/es/python-resolver.md +64 -0
package/agents/build-resolvers/es/typescript-resolver.md +65 -0
package/agents/build-resolvers/fr/python-resolver.md +64 -0
package/agents/build-resolvers/fr/typescript-resolver.md +65 -0
package/agents/build-resolvers/nl/python-resolver.md +64 -0
package/agents/build-resolvers/nl/typescript-resolver.md +65 -0
package/agents/build-resolvers/python-resolver.md +62 -0
package/agents/build-resolvers/typescript-resolver.md +63 -0
package/agents/core/architect.md +64 -0
package/agents/core/code-reviewer.md +78 -0
package/agents/core/de/architect.md +66 -0
package/agents/core/de/code-reviewer.md +80 -0
package/agents/core/de/planner.md +63 -0
package/agents/core/de/security-reviewer.md +93 -0
package/agents/core/es/architect.md +66 -0
package/agents/core/es/code-reviewer.md +80 -0
package/agents/core/es/planner.md +63 -0
package/agents/core/es/security-reviewer.md +93 -0
package/agents/core/fr/architect.md +66 -0
package/agents/core/fr/code-reviewer.md +80 -0
package/agents/core/fr/planner.md +63 -0
package/agents/core/fr/security-reviewer.md +93 -0
package/agents/core/nl/architect.md +66 -0
package/agents/core/nl/code-reviewer.md +80 -0
package/agents/core/nl/planner.md +63 -0
package/agents/core/nl/security-reviewer.md +93 -0
package/agents/core/planner.md +61 -0
package/agents/core/security-reviewer.md +91 -0
package/guides/agent-orchestration.md +231 -0
package/guides/de/agent-orchestration.md +174 -0
package/guides/de/getting-started.md +164 -0
package/guides/de/hooks-cookbook.md +160 -0
package/guides/de/memory-management.md +153 -0
package/guides/de/security.md +180 -0
package/guides/de/skill-authoring.md +214 -0
package/guides/de/token-optimization.md +156 -0
package/guides/es/agent-orchestration.md +174 -0
package/guides/es/getting-started.md +164 -0
package/guides/es/hooks-cookbook.md +160 -0
package/guides/es/memory-management.md +153 -0
package/guides/es/security.md +180 -0
package/guides/es/skill-authoring.md +214 -0
package/guides/es/token-optimization.md +156 -0
package/guides/fr/agent-orchestration.md +174 -0
package/guides/fr/getting-started.md +164 -0
package/guides/fr/hooks-cookbook.md +227 -0
package/guides/fr/memory-management.md +169 -0
package/guides/fr/security.md +180 -0
package/guides/fr/skill-authoring.md +214 -0
package/guides/fr/token-optimization.md +158 -0
package/guides/getting-started.md +164 -0
package/guides/hooks-cookbook.md +423 -0
package/guides/memory-management.md +192 -0
package/guides/nl/agent-orchestration.md +174 -0
package/guides/nl/getting-started.md +164 -0
package/guides/nl/hooks-cookbook.md +160 -0
package/guides/nl/memory-management.md +153 -0
package/guides/nl/security.md +180 -0
package/guides/nl/skill-authoring.md +214 -0
package/guides/nl/token-optimization.md +156 -0
package/guides/security.md +229 -0
package/guides/skill-authoring.md +226 -0
package/guides/token-optimization.md +169 -0
package/hooks/lifecycle/cost-tracker.md +49 -0
package/hooks/lifecycle/cost-tracker.sh +59 -0
package/hooks/lifecycle/pre-compact-save.md +56 -0
package/hooks/lifecycle/pre-compact-save.sh +37 -0
package/hooks/lifecycle/session-start.md +50 -0
package/hooks/lifecycle/session-start.sh +47 -0
package/hooks/post-tool-use/audit-log.md +53 -0
package/hooks/post-tool-use/audit-log.sh +53 -0
package/hooks/post-tool-use/prettier.md +53 -0
package/hooks/post-tool-use/prettier.sh +49 -0
package/hooks/pre-tool-use/block-dangerous.md +48 -0
package/hooks/pre-tool-use/block-dangerous.sh +76 -0
package/hooks/pre-tool-use/git-push-confirm.md +46 -0
package/hooks/pre-tool-use/git-push-confirm.sh +36 -0
package/mcp/configs/github.json +11 -0
package/mcp/configs/postgres.json +11 -0
package/mcp/de/recommended-servers.md +170 -0
package/mcp/es/recommended-servers.md +170 -0
package/mcp/fr/recommended-servers.md +170 -0
package/mcp/nl/recommended-servers.md +170 -0
package/mcp/recommended-servers.md +168 -0
package/package.json +45 -0
package/prompts/project-starters/de/fastapi-project.md +62 -0
package/prompts/project-starters/de/nextjs-project.md +82 -0
package/prompts/project-starters/es/fastapi-project.md +62 -0
package/prompts/project-starters/es/nextjs-project.md +82 -0
package/prompts/project-starters/fastapi-project.md +60 -0
package/prompts/project-starters/fr/fastapi-project.md +62 -0
package/prompts/project-starters/fr/nextjs-project.md +82 -0
package/prompts/project-starters/nextjs-project.md +80 -0
package/prompts/project-starters/nl/fastapi-project.md +62 -0
package/prompts/project-starters/nl/nextjs-project.md +82 -0
package/prompts/system-prompts/ai-product.md +80 -0
package/prompts/system-prompts/data-pipeline.md +76 -0
package/prompts/system-prompts/de/ai-product.md +82 -0
package/prompts/system-prompts/de/data-pipeline.md +78 -0
package/prompts/system-prompts/de/saas-backend.md +71 -0
package/prompts/system-prompts/es/ai-product.md +82 -0
package/prompts/system-prompts/es/data-pipeline.md +78 -0
package/prompts/system-prompts/es/saas-backend.md +71 -0
package/prompts/system-prompts/fr/ai-product.md +82 -0
package/prompts/system-prompts/fr/data-pipeline.md +78 -0
package/prompts/system-prompts/fr/saas-backend.md +71 -0
package/prompts/system-prompts/nl/ai-product.md +82 -0
package/prompts/system-prompts/nl/data-pipeline.md +78 -0
package/prompts/system-prompts/nl/saas-backend.md +71 -0
package/prompts/system-prompts/saas-backend.md +69 -0
package/prompts/task-specific/changelog.md +81 -0
package/prompts/task-specific/de/changelog.md +83 -0
package/prompts/task-specific/de/debugging.md +78 -0
package/prompts/task-specific/de/pr-description.md +69 -0
package/prompts/task-specific/debugging.md +76 -0
package/prompts/task-specific/es/changelog.md +83 -0
package/prompts/task-specific/es/debugging.md +78 -0
package/prompts/task-specific/es/pr-description.md +69 -0
package/prompts/task-specific/fr/changelog.md +83 -0
package/prompts/task-specific/fr/debugging.md +78 -0
package/prompts/task-specific/fr/pr-description.md +69 -0
package/prompts/task-specific/nl/changelog.md +83 -0
package/prompts/task-specific/nl/debugging.md +78 -0
package/prompts/task-specific/nl/pr-description.md +69 -0
package/prompts/task-specific/pr-description.md +67 -0
package/rules/common/coding-style.md +45 -0
package/rules/common/de/coding-style.md +47 -0
package/rules/common/de/git.md +48 -0
package/rules/common/de/performance.md +40 -0
package/rules/common/de/security.md +45 -0
package/rules/common/de/testing.md +45 -0
package/rules/common/es/coding-style.md +47 -0
package/rules/common/es/git.md +48 -0
package/rules/common/es/performance.md +40 -0
package/rules/common/es/security.md +45 -0
package/rules/common/es/testing.md +45 -0
package/rules/common/fr/coding-style.md +47 -0
package/rules/common/fr/git.md +48 -0
package/rules/common/fr/performance.md +40 -0
package/rules/common/fr/security.md +45 -0
package/rules/common/fr/testing.md +45 -0
package/rules/common/git.md +46 -0
package/rules/common/nl/coding-style.md +47 -0
package/rules/common/nl/git.md +48 -0
package/rules/common/nl/performance.md +40 -0
package/rules/common/nl/security.md +45 -0
package/rules/common/nl/testing.md +45 -0
package/rules/common/performance.md +38 -0
package/rules/common/security.md +43 -0
package/rules/common/testing.md +43 -0
package/rules/language-specific/de/go.md +48 -0
package/rules/language-specific/de/python.md +38 -0
package/rules/language-specific/de/typescript.md +51 -0
package/rules/language-specific/es/go.md +48 -0
package/rules/language-specific/es/python.md +38 -0
package/rules/language-specific/es/typescript.md +51 -0
package/rules/language-specific/fr/go.md +48 -0
package/rules/language-specific/fr/python.md +38 -0
package/rules/language-specific/fr/typescript.md +51 -0
package/rules/language-specific/go.md +46 -0
package/rules/language-specific/nl/go.md +48 -0
package/rules/language-specific/nl/python.md +38 -0
package/rules/language-specific/nl/typescript.md +51 -0
package/rules/language-specific/python.md +36 -0
package/rules/language-specific/typescript.md +49 -0
package/scripts/cli.js +161 -0
package/scripts/link-skills.sh +35 -0
package/scripts/list-skills.sh +34 -0
package/skills/ai-engineering/agent-construction.md +285 -0
package/skills/ai-engineering/claude-api.md +248 -0
package/skills/ai-engineering/de/agent-construction.md +287 -0
package/skills/ai-engineering/de/claude-api.md +250 -0
package/skills/ai-engineering/es/agent-construction.md +287 -0
package/skills/ai-engineering/es/claude-api.md +250 -0
package/skills/ai-engineering/fr/agent-construction.md +287 -0
package/skills/ai-engineering/fr/claude-api.md +250 -0
package/skills/ai-engineering/nl/agent-construction.md +287 -0
package/skills/ai-engineering/nl/claude-api.md +250 -0
package/skills/backend/dotnet/csharp.md +304 -0
package/skills/backend/dotnet/de/csharp.md +306 -0
package/skills/backend/dotnet/es/csharp.md +306 -0
package/skills/backend/dotnet/fr/csharp.md +306 -0
package/skills/backend/dotnet/nl/csharp.md +306 -0
package/skills/backend/go/de/go.md +307 -0
package/skills/backend/go/es/go.md +307 -0
package/skills/backend/go/fr/go.md +307 -0
package/skills/backend/go/go.md +305 -0
package/skills/backend/go/nl/go.md +307 -0
package/skills/backend/nodejs/de/nestjs.md +274 -0
package/skills/backend/nodejs/de/nextjs.md +222 -0
package/skills/backend/nodejs/es/nestjs.md +274 -0
package/skills/backend/nodejs/es/nextjs.md +222 -0
package/skills/backend/nodejs/fr/nestjs.md +274 -0
package/skills/backend/nodejs/fr/nextjs.md +222 -0
package/skills/backend/nodejs/nestjs.md +272 -0
package/skills/backend/nodejs/nextjs.md +220 -0
package/skills/backend/nodejs/nl/nestjs.md +274 -0
package/skills/backend/nodejs/nl/nextjs.md +222 -0
package/skills/backend/python/de/django.md +285 -0
package/skills/backend/python/de/fastapi.md +244 -0
package/skills/backend/python/django.md +283 -0
package/skills/backend/python/es/django.md +285 -0
package/skills/backend/python/es/fastapi.md +244 -0
package/skills/backend/python/fastapi.md +242 -0
package/skills/backend/python/fr/django.md +285 -0
package/skills/backend/python/fr/fastapi.md +244 -0
package/skills/backend/python/nl/django.md +285 -0
package/skills/backend/python/nl/fastapi.md +244 -0
package/skills/data-ml/dbt-data-pipelines.md +155 -0
package/skills/data-ml/de/dbt-data-pipelines.md +157 -0
package/skills/data-ml/de/pandas-polars.md +147 -0
package/skills/data-ml/de/pytorch-tensorflow.md +171 -0
package/skills/data-ml/es/dbt-data-pipelines.md +157 -0
package/skills/data-ml/es/pandas-polars.md +147 -0
package/skills/data-ml/es/pytorch-tensorflow.md +171 -0
package/skills/data-ml/fr/dbt-data-pipelines.md +157 -0
package/skills/data-ml/fr/pandas-polars.md +147 -0
package/skills/data-ml/fr/pytorch-tensorflow.md +171 -0
package/skills/data-ml/nl/dbt-data-pipelines.md +157 -0
package/skills/data-ml/nl/pandas-polars.md +147 -0
package/skills/data-ml/nl/pytorch-tensorflow.md +171 -0
package/skills/data-ml/pandas-polars.md +145 -0
package/skills/data-ml/pytorch-tensorflow.md +169 -0
package/skills/database/de/graphql.md +181 -0
package/skills/database/es/graphql.md +181 -0
package/skills/database/fr/graphql.md +181 -0
package/skills/database/graphql.md +179 -0
package/skills/database/nl/graphql.md +181 -0
package/skills/devops-infra/de/docker.md +133 -0
package/skills/devops-infra/de/github-actions.md +179 -0
package/skills/devops-infra/de/kubernetes.md +129 -0
package/skills/devops-infra/de/terraform.md +130 -0
package/skills/devops-infra/docker.md +131 -0
package/skills/devops-infra/es/docker.md +133 -0
package/skills/devops-infra/es/github-actions.md +179 -0
package/skills/devops-infra/es/kubernetes.md +129 -0
package/skills/devops-infra/es/terraform.md +130 -0
package/skills/devops-infra/fr/docker.md +133 -0
package/skills/devops-infra/fr/github-actions.md +179 -0
package/skills/devops-infra/fr/kubernetes.md +129 -0
package/skills/devops-infra/fr/terraform.md +130 -0
package/skills/devops-infra/github-actions.md +177 -0
package/skills/devops-infra/kubernetes.md +127 -0
package/skills/devops-infra/nl/docker.md +133 -0
package/skills/devops-infra/nl/github-actions.md +179 -0
package/skills/devops-infra/nl/kubernetes.md +129 -0
package/skills/devops-infra/nl/terraform.md +130 -0
package/skills/devops-infra/terraform.md +128 -0
package/skills/finance-payments/de/stripe.md +187 -0
package/skills/finance-payments/es/stripe.md +187 -0
package/skills/finance-payments/fr/stripe.md +187 -0
package/skills/finance-payments/nl/stripe.md +187 -0
package/skills/finance-payments/stripe.md +185 -0
package/workflows/code-review.md +151 -0
package/workflows/de/code-review.md +153 -0
package/workflows/de/debugging-session.md +146 -0
package/workflows/de/feature-development.md +155 -0
package/workflows/de/new-project-bootstrap.md +175 -0
package/workflows/de/refactor-safely.md +150 -0
package/workflows/debugging-session.md +144 -0
package/workflows/es/code-review.md +153 -0
package/workflows/es/debugging-session.md +146 -0
package/workflows/es/feature-development.md +155 -0
package/workflows/es/new-project-bootstrap.md +175 -0
package/workflows/es/refactor-safely.md +150 -0
package/workflows/feature-development.md +153 -0
package/workflows/fr/code-review.md +153 -0
package/workflows/fr/debugging-session.md +146 -0
package/workflows/fr/feature-development.md +155 -0
package/workflows/fr/new-project-bootstrap.md +175 -0
package/workflows/fr/refactor-safely.md +150 -0
package/workflows/new-project-bootstrap.md +173 -0
package/workflows/nl/code-review.md +153 -0
package/workflows/nl/debugging-session.md +146 -0
package/workflows/nl/feature-development.md +155 -0
package/workflows/nl/new-project-bootstrap.md +175 -0
package/workflows/nl/refactor-safely.md +150 -0
package/workflows/refactor-safely.md +148 -0

package/agents/core/fr/security-reviewer.md ADDED Viewed

@@ -0,0 +1,93 @@
+> 🇫🇷 This is the French translation. [English version](../security-reviewer.md).
+# Agent Réviseur de Sécurité
+## Objectif
+Effectue un audit de sécurité ciblé des changements de code ou d'un module spécifique — en se concentrant sur le Top 10 OWASP, l'exposition des secrets, les failles d'authentification/autorisation et les vulnérabilités d'injection.
+## Conseil sur le modèle
+**Opus 4.7** — la révision de sécurité nécessite un raisonnement approfondi pour identifier les vecteurs d'attaque non évidents, comprendre comment les vulnérabilités s'enchaînent et évaluer si les mesures d'atténuation sont réellement efficaces. Ne pas utiliser Haiku ou Sonnet pour les révisions critiques de sécurité.
+## Outils
+- `Read` — lire les fichiers en révision, CLAUDE.md, le code auth/middleware
+- `Bash` (lecture seule : `grep`, `find`) — rechercher des patterns (secrets codés en dur, fonctions non sécurisées, vérifications d'auth manquantes)
+- `WebFetch` — consulter les bases de données CVE ou les avis de sécurité pour des dépendances spécifiques
+- Pas de `Edit`, `Write`, ou opérations destructives
+## Quand déléguer ici
+- Avant de fusionner du code qui touche l'authentification, l'autorisation ou la gestion des sessions
+- Avant de déployer du code qui gère des entrées utilisateur (formulaires, uploads de fichiers, paramètres API)
+- Révision de la construction de requêtes de base de données pour les risques d'injection
+- Audit des endpoints API pour les vérifications d'auth/authz manquantes
+- Vérification des secrets ou credentials accidentellement inclus dans le code
+- Révision des ajouts de dépendances tierces pour les CVEs connus
+## Quand NE PAS déléguer ici
+- Révision générale de la qualité du code (utiliser le Réviseur de Code)
+- Sécurité infra/réseau (utiliser un outil cloud security dédié)
+- Tests de pénétration (tests dynamiques, pas d'analyse statique)
+## Template de prompt
+```
+You are a security reviewer. Do not modify any files. Report findings only.
+Files to review:
+[list files or paste code]
+Application context:
+- What this code does: [brief description]
+- Auth mechanism: [JWT, sessions, API keys, etc.]
+- Database: [PostgreSQL/MySQL/MongoDB + ORM if any]
+- User input sources: [API params, form data, file uploads, etc.]
+- Known sensitive operations: [payments, admin actions, user data access]
+Audit for:
+1. Injection (SQL, NoSQL, command, LDAP, XPath)
+2. Broken authentication (weak tokens, missing expiry, insecure storage)
+3. Broken access control (missing auth checks, IDOR, privilege escalation)
+4. Sensitive data exposure (secrets in code, logs, error messages)
+5. Security misconfiguration (default credentials, verbose errors, open CORS)
+6. XSS (reflected, stored, DOM-based)
+7. CSRF (missing tokens on state-changing endpoints)
+8. Insecure dependencies (known CVEs in imports)
+9. Insufficient logging (failed auth attempts not logged, no audit trail)
+Severity: CRITICAL / HIGH / MEDIUM / LOW / INFO
+For each finding:
+- Severity
+- Location (file:line)
+- Vulnerability description
+- Attack scenario (how would an attacker exploit this?)
+- Recommended fix
+```
+## Exemple de cas d'utilisation
+**Scénario :** Réviser un nouvel endpoint d'upload de fichier.
+**Ce que retourne le Réviseur de Sécurité :**
+```
+CRITICAL — uploads/routes.ts:28
+File extension not validated before saving. Attacker can upload .php or .exe.
+Attack: upload malicious.php, access via URL, execute arbitrary code on server.
+Fix: whitelist allowed MIME types + extensions, validate both. Never trust client-provided content-type.
+HIGH — uploads/routes.ts:41
+File saved to web-accessible directory (/public/uploads).
+Attack: uploaded files are directly executable/accessible by URL.
+Fix: save outside webroot, serve via signed URLs with expiry.
+MEDIUM — uploads/routes.ts:15
+No file size limit enforced server-side (only client-side check).
+Attack: send large files to exhaust disk space or cause OOM.
+Fix: add multer/busboy size limit at middleware level.
+LOW — uploads/routes.ts:55
+Original filename used in storage path without sanitization.
+Attack: path traversal via filename like "../../etc/passwd".
+Fix: generate UUID filename, ignore original filename for storage path.
+```
+---
+> **Travaillez avec nous :** Claudient est soutenu par [Uitbreiden](https://uitbreiden.com/) — nous construisons des produits IA et des solutions B2B avec des communautés de développeurs. [uitbreiden.com](https://uitbreiden.com/)

package/agents/core/nl/architect.md ADDED Viewed

@@ -0,0 +1,66 @@
+> 🇳🇱 Dit is de Nederlandse vertaling. [Engelse versie](../architect.md).
+# Architect Agent
+## Doel
+Evalueert architectuuropties voor een systeemontwerpprobleem, overweegt afwegingen en beveelt een specifieke aanpak aan met onderbouwing.
+## Modeladvies
+**Opus 4.7** — architectuurbeslissingen zijn ingrijpend, moeilijk te draaien en vereisen echte redenering over complexe afwegingen. Dit is een van de weinige gevallen waarbij Opus zijn kosten rechtvaardigt.
+## Tools
+- `Read` — bestaande architectuurbestanden, CLAUDE.md, CONTEXT.md, ADR's lezen
+- `Bash` (alleen-lezen: `find`, `grep`) — bestaande patronen en afhankelijkheden verkennen
+- `WebFetch` — documentatie controleren voor specifieke technologieën in overweging
+- Geen `Edit`, `Write` of destructieve operaties — architect beveelt aan, implementeert niet
+## Wanneer hierheen te delegeren
+- Kiezen tussen fundamenteel verschillende benaderingen (bijv. event-driven vs. request-response, monorepo vs. polyrepo, SQL vs. NoSQL)
+- Een beslissing die duur is om te draaien (datamodelshape, API-contractontwerp, auth-strategie)
+- Evalueren of een component zelf te bouwen of in te kopen
+- Een bestaande architectuur beoordelen op schaalbaarheids- of onderhoudbaarheidsproblemen
+- Een nieuw systeem van scratch ontwerpen met meerdere levensvatbare benaderingen
+## Wanneer NIET hierheen te delegeren
+- Beslissingen op implementatieniveau (welke bibliotheek voor een hulpprogramma, codestijlkeuzes)
+- Wanneer de architectuur al is besloten en je alleen hoeft te implementeren
+- Prestatieoptimalisatie van bestaande code (niet architectureel)
+## Promptsjabloon
+```
+You are an architecture advisor. Do not write implementation code.
+Problem: [describe the architectural decision to be made]
+Current system context:
+- Stack: [languages, frameworks, infrastructure]
+- Scale: [users, requests/sec, data volume]
+- Team: [size, expertise areas]
+- Constraints: [budget, timeline, existing systems that can't change]
+Existing architectural decisions (from ADRs/CLAUDE.md):
+[paste relevant decisions]
+Evaluate [2-3 specific options] and recommend one.
+For each option, cover:
+- How it works in this context
+- Advantages specific to our constraints
+- Disadvantages and risks
+- What it would cost to reverse this decision later
+End with: your recommendation, one-sentence rationale, and what to record in an ADR.
+```
+## Voorbeeldgebruiksscenario
+**Scenario:** "Moeten we Kafka, SQS of directe DB-polling gebruiken voor onze async-taakrij?"
+**Wat Architect retourneert:**
+- Evalueert alle 3 tegen: huidige schaal (5k events/dag), teamexpertise (sterk AWS, geen Kafka-ervaring), budget (startup)
+- Beveelt aan: SQS — past bij schaal, teamexpertise en bestaande AWS-infrastructuur. Kafka voegt operationele complexiteit toe die niet gerechtvaardigd is bij huidig volume.
+- ADR-aanbeveling: Registreer de schaaldrempel (>500k events/dag) waarbij Kafka moet worden heroverwogen.
+- Risico gemarkeerd: SQS FIFO-wachtrijen hebben een limiet van 3k berichten/sec — controleer of dit geen plafond wordt.
+---
+> **Werk met ons:** Claudient wordt ondersteund door [Uitbreiden](https://uitbreiden.com/) — we bouwen AI-producten en B2B-oplossingen met ontwikkelaarsgemeenschappen. [uitbreiden.com](https://uitbreiden.com/)

package/agents/core/nl/code-reviewer.md ADDED Viewed

@@ -0,0 +1,80 @@
+> 🇳🇱 Dit is de Nederlandse vertaling. [Engelse versie](../code-reviewer.md).
+# Code Reviewer Agent
+## Doel
+Beoordeelt een diff of set gewijzigde bestanden op correctheid, onderhoudbaarheid, beveiligingsproblemen en naleving van projectconventies — en geeft gestructureerde, uitvoerbare feedback terug.
+## Modeladvies
+**Haiku 4.5** voor het beoordelen van kleine diffs (< 200 gewijzigde regels) of enkelvoudige bestandswijzigingen. Snel en goedkoop.
+**Sonnet 4.6** voor multi-bestand wijzigingen, complexe logicabeoordeling, of wanneer de beoordelaar gegevensstroom over bestanden heen moet traceren.
+## Tools
+- `Read` — gewijzigde bestanden en hun tests lezen
+- `Bash` (alleen-lezen: `git diff`, `grep`) — wijzigingen vergelijken, zoeken naar gerelateerde patronen
+- Geen `Edit`, `Write` of destructieve operaties — beoordelaar rapporteert, lost niet op
+## Wanneer hierheen te delegeren
+- Pre-commit beoordeling van je eigen wijzigingen voor pushen
+- Code-review van een PR-branch voor samenvoegen
+- AI-gegenereerde code beoordelen op correctheid voor acceptatie
+- Een module controleren op codekwaliteitsproblemen
+- Tweede mening over een complexe implementatie
+## Wanneer NIET hierheen te delegeren
+- Wanneer je automatische fixes wilt (gebruik in plaats daarvan een Builder-agent)
+- Infrastructuurconfiguraties beoordelen (gebruik Security Reviewer voor beveiligingsgevoelige infra)
+- Alleen-stijl-feedback (gebruik in plaats daarvan Prettier/ESLint hooks)
+## Promptsjabloon
+```
+You are a code reviewer. Do not modify any files. Report only — do not fix.
+Changed files:
+[list files or paste diff]
+Project context:
+- Language/framework: [e.g., TypeScript, Next.js, Prisma]
+- Testing approach: [e.g., Jest, integration tests, no mocks]
+- Conventions: [paste relevant CLAUDE.md sections]
+Review for:
+1. Correctness — does it do what it claims? Edge cases not handled?
+2. Security — SQL injection, XSS, unvalidated input, secret exposure?
+3. Error handling — are failures handled explicitly? Can this panic/throw unexpectedly?
+4. Test coverage — are the changed behaviors tested?
+5. Maintainability — is this easy to understand and modify in 6 months?
+6. Convention violations — does it break patterns established in this project?
+Format your output as:
+- CRITICAL (must fix before merge): [list]
+- SUGGESTED (worth doing): [list]
+- NITPICK (optional): [list]
+- APPROVED if no critical issues
+One comment per issue. File + line number where applicable.
+```
+## Voorbeeldgebruiksscenario
+**Scenario:** Beoordeel een nieuw API-endpoint voor het aanmaken van gebruikersaccounts.
+**Wat Code Reviewer retourneert:**
+```
+CRITICAL:
+- auth/routes.ts:45 — wachtwoord opgeslagen als platte tekst. Moet worden gehasht met bcrypt voor opslaan.
+- auth/routes.ts:52 — e-mail niet gevalideerd voor DB-invoer. Gebruik zod/joi-schema.
+SUGGESTED:
+- auth/routes.ts:60 — geen rate limiting op dit endpoint. Voeg rate limiter middleware toe.
+- auth/tests.ts — geen test voor dubbele e-mailregistratie (zou 409 moeten retourneren).
+NITPICK:
+- auth/routes.ts:38 — variabelenaam 'u' is ambigu, gebruik 'user'.
+GOEDGEKEURD na CRITICAL-fixes.
+```
+---
+> **Werk met ons:** Claudient wordt ondersteund door [Uitbreiden](https://uitbreiden.com/) — we bouwen AI-producten en B2B-oplossingen met ontwikkelaarsgemeenschappen. [uitbreiden.com](https://uitbreiden.com/)

package/agents/core/nl/planner.md ADDED Viewed

@@ -0,0 +1,63 @@
+> 🇳🇱 Dit is de Nederlandse vertaling. [Engelse versie](../planner.md).
+# Planner Agent
+## Doel
+Breekt een vaag of complex doel af in een concreet, gesequentieerd implementatieplan voordat code wordt geschreven.
+## Modeladvies
+**Sonnet 4.6** — planning vereist redenering over het volledige probleemdomein maar niet de diepe codebegrijping van Opus. Sonnet is voldoende en ~3x goedkoper.
+Escaleer naar **Opus 4.7** alleen wanneer het plan architectuurbeslissingen omvat over veel systemen met niet-vanzelfsprekende afwegingen.
+## Tools
+- `Read` — bestaande code, CLAUDE.md, CONTEXT.md, relevante bestanden lezen
+- `Bash` (alleen-lezen: `find`, `grep`, `ls`, `cat`) — codebasestructuur verkennen
+- Geen `Edit`, `Write` of destructieve `Bash` — deze agent plant, implementeert niet
+## Wanneer hierheen te delegeren
+- Gebruiker geeft een doel dat meer dan 3 bestanden of 2 systemen overspant
+- De taak is voldoende ambigu dat direct naar code springen verspild werk riskeert
+- Je hebt een gesequentieerde checklist nodig voor een lange implementatiesessie
+- Een nieuwe functie moet worden ontworpen voordat code wordt geschreven
+## Wanneer NIET hierheen te delegeren
+- Eenvoudige, duidelijk omschreven taken (een veld toevoegen, een bug in één functie oplossen)
+- Wanneer je al een plan hebt en het alleen hoeft uit te voeren
+- Refactoringtaken waarbij de reikwijdte al duidelijk is
+## Promptsjabloon
+```
+You are a planning agent. Do not write code. Do not edit files.
+Your task: [describe the goal]
+Context:
+- Project structure: [paste key directories]
+- Relevant files: [list files the plan must account for]
+- Constraints: [any decisions already made]
+- CONTEXT.md: [paste if available]
+Produce:
+1. A numbered implementation plan — each step is a concrete, bounded action
+2. Files that will be created or modified per step
+3. Dependencies between steps (which must complete before which)
+4. Risks or open questions that need answers before implementation begins
+Do not include code samples. Focus on sequencing and scope.
+```
+## Voorbeeldgebruiksscenario
+**Scenario:** "Voeg multi-tenancy toe aan onze bestaande single-tenant SaaS-app."
+**Wat Planner retourneert:**
+1. Voeg `organization_id`-kolom toe aan alle tenant-scoped tabellen (5 migraties vermeld)
+2. Werk alle Prisma-queries bij om te filteren op `organization_id` uit aanvraagcontext
+3. Voeg `OrganizationMiddleware` toe om org-context te injecteren vanuit JWT-claim
+4. Werk seed-data en tests bij om organisatiefixtures te gebruiken
+5. Controleer alle admin-endpoints op ontbrekende org-scope — lijst van 8 te controleren bestanden
+6. **Risico:** Gebruikers gemaakt vóór migratie hebben geen `organization_id` — backfill-beslissing nodig voor stap 1
+---
+> **Werk met ons:** Claudient wordt ondersteund door [Uitbreiden](https://uitbreiden.com/) — we bouwen AI-producten en B2B-oplossingen met ontwikkelaarsgemeenschappen. [uitbreiden.com](https://uitbreiden.com/)

package/agents/core/nl/security-reviewer.md ADDED Viewed

@@ -0,0 +1,93 @@
+> 🇳🇱 Dit is de Nederlandse vertaling. [Engelse versie](../security-reviewer.md).
+# Security Reviewer Agent
+## Doel
+Voert een gerichte beveiligingsaudit uit van codewijzigingen of een specifieke module — gericht op OWASP Top 10, blootstelling van secrets, authenticatie/autorisatiefouten en injectiekwetsbaarheden.
+## Modeladvies
+**Opus 4.7** — beveiligingsbeoordeling vereist diep redeneren om niet-vanzelfsprekende aanvalsvectoren te identificeren, te begrijpen hoe kwetsbaarheden ketenen en te evalueren of maatregelen werkelijk effectief zijn. Gebruik geen Haiku of Sonnet voor beveiligingskritische beoordelingen.
+## Tools
+- `Read` — te beoordelen bestanden, CLAUDE.md, auth/middleware-code lezen
+- `Bash` (alleen-lezen: `grep`, `find`) — zoeken naar patronen (hardcoded secrets, onveilige functies, ontbrekende auth-controles)
+- `WebFetch` — CVE-databases of beveiligingsadviezen controleren voor specifieke afhankelijkheden
+- Geen `Edit`, `Write` of destructieve operaties
+## Wanneer hierheen te delegeren
+- Voor het samenvoegen van code die authenticatie, autorisatie of sessiebeheer aanraakt
+- Voor het deployen van code die gebruikersinvoer verwerkt (formulieren, bestandsuploads, API-parameters)
+- Database-queryconstruccte beoordelen op injectierisico's
+- API-endpoints controleren op ontbrekende auth/authz-controles
+- Controleren op per ongeluk opgenomen secrets of credentials in code
+- Toevoeging van third-party afhankelijkheden beoordelen op bekende CVE's
+## Wanneer NIET hierheen te delegeren
+- Algemene codekwaliteitsbeoordeling (gebruik Code Reviewer)
+- Infra/netwerk-beveiliging (gebruik een specifieke cloud-beveiligingstool)
+- Penetratietesten (dynamisch testen, geen statische analyse)
+## Promptsjabloon
+```
+You are a security reviewer. Do not modify any files. Report findings only.
+Files to review:
+[list files or paste code]
+Application context:
+- What this code does: [brief description]
+- Auth mechanism: [JWT, sessions, API keys, etc.]
+- Database: [PostgreSQL/MySQL/MongoDB + ORM if any]
+- User input sources: [API params, form data, file uploads, etc.]
+- Known sensitive operations: [payments, admin actions, user data access]
+Audit for:
+1. Injection (SQL, NoSQL, command, LDAP, XPath)
+2. Broken authentication (weak tokens, missing expiry, insecure storage)
+3. Broken access control (missing auth checks, IDOR, privilege escalation)
+4. Sensitive data exposure (secrets in code, logs, error messages)
+5. Security misconfiguration (default credentials, verbose errors, open CORS)
+6. XSS (reflected, stored, DOM-based)
+7. CSRF (missing tokens on state-changing endpoints)
+8. Insecure dependencies (known CVEs in imports)
+9. Insufficient logging (failed auth attempts not logged, no audit trail)
+Severity: CRITICAL / HIGH / MEDIUM / LOW / INFO
+For each finding:
+- Severity
+- Location (file:line)
+- Vulnerability description
+- Attack scenario (how would an attacker exploit this?)
+- Recommended fix
+```
+## Voorbeeldgebruiksscenario
+**Scenario:** Beoordeel een nieuw bestandsupload-endpoint.
+**Wat Security Reviewer retourneert:**
+```
+CRITICAL — uploads/routes.ts:28
+Bestandsextensie niet gevalideerd voor opslaan. Aanvaller kan .php of .exe uploaden.
+Aanval: upload malicious.php, toegang via URL, voer willekeurige code op server uit.
+Oplossing: sta toegestane MIME-types + extensies toe via allowlist, valideer beide. Vertrouw nooit client-verstrekte content-type.
+HIGH — uploads/routes.ts:41
+Bestand opgeslagen in web-toegankelijke directory (/public/uploads).
+Aanval: geüploade bestanden zijn direct uitvoerbaar/toegankelijk via URL.
+Oplossing: sla op buiten webroot, serveer via ondertekende URL's met vervaldatum.
+MEDIUM — uploads/routes.ts:15
+Geen bestandsgroottelimiet afgedwongen server-side (alleen client-side controle).
+Aanval: stuur grote bestanden om schijfruimte uit te putten of OOM te veroorzaken.
+Oplossing: voeg multer/busboy-groottelimiet toe op middleware-niveau.
+LOW — uploads/routes.ts:55
+Originele bestandsnaam gebruikt in opslagpad zonder sanering.
+Aanval: padtraversal via bestandsnaam zoals "../../etc/passwd".
+Oplossing: genereer UUID-bestandsnaam, negeer originele bestandsnaam voor opslagpad.
+```
+---
+> **Werk met ons:** Claudient wordt ondersteund door [Uitbreiden](https://uitbreiden.com/) — we bouwen AI-producten en B2B-oplossingen met ontwikkelaarsgemeenschappen. [uitbreiden.com](https://uitbreiden.com/)

package/agents/core/planner.md ADDED Viewed

@@ -0,0 +1,61 @@
+# Planner Agent
+## Purpose
+Breaks down a vague or complex goal into a concrete, sequenced implementation plan before any code is written.
+## Model guidance
+**Sonnet 4.6** — planning requires reasoning over the full problem scope but not the deep code comprehension of Opus. Sonnet is sufficient and ~3x cheaper.
+Escalate to **Opus 4.7** only when the plan involves architectural decisions across many systems with non-obvious trade-offs.
+## Tools
+- `Read` — read existing code, CLAUDE.md, CONTEXT.md, relevant files
+- `Bash` (read-only: `find`, `grep`, `ls`, `cat`) — explore codebase structure
+- No `Edit`, `Write`, or destructive `Bash` — this agent plans, it does not implement
+## When to delegate here
+- User gives a goal that spans more than 3 files or 2 systems
+- The task is ambiguous enough that jumping straight to code risks wasted work
+- You need a sequenced checklist before starting a long implementation session
+- A new feature needs to be designed before any code is written
+## When NOT to delegate here
+- Simple, clearly-scoped tasks (add a field, fix a bug in one function)
+- When you already have a plan and just need to execute it
+- Refactoring tasks where the scope is already obvious
+## Prompt template
+```
+You are a planning agent. Do not write code. Do not edit files.
+Your task: [describe the goal]
+Context:
+- Project structure: [paste key directories]
+- Relevant files: [list files the plan must account for]
+- Constraints: [any decisions already made]
+- CONTEXT.md: [paste if available]
+Produce:
+1. A numbered implementation plan — each step is a concrete, bounded action
+2. Files that will be created or modified per step
+3. Dependencies between steps (which must complete before which)
+4. Risks or open questions that need answers before implementation begins
+Do not include code samples. Focus on sequencing and scope.
+```
+## Example use case
+**Scenario:** "Add multi-tenancy to our existing single-tenant SaaS app."
+**What Planner returns:**
+1. Add `organization_id` column to all tenant-scoped tables (5 migrations listed)
+2. Update all Prisma queries to filter by `organization_id` from request context
+3. Add `OrganizationMiddleware` to inject org context from JWT claim
+4. Update seed data and tests to use organization fixtures
+5. Audit all admin endpoints for missing org scope — list of 8 files to check
+6. **Risk:** Users created before migration have no `organization_id` — needs backfill decision before step 1
+---
+> **Work with us:** Claudient is backed by [Uitbreiden](https://uitbreiden.com/) — we build AI products and B2B solutions with developer communities. [uitbreiden.com](https://uitbreiden.com/)

package/agents/core/security-reviewer.md ADDED Viewed

@@ -0,0 +1,91 @@
+# Security Reviewer Agent
+## Purpose
+Performs a targeted security audit of code changes or a specific module — focusing on OWASP Top 10, secrets exposure, authentication/authorization flaws, and injection vulnerabilities.
+## Model guidance
+**Opus 4.7** — security review requires deep reasoning to identify non-obvious attack vectors, understand how vulnerabilities chain together, and evaluate whether mitigations are actually effective. Do not use Haiku or Sonnet for security-critical reviews.
+## Tools
+- `Read` — read files under review, CLAUDE.md, auth/middleware code
+- `Bash` (read-only: `grep`, `find`) — search for patterns (hardcoded secrets, unsafe functions, missing auth checks)
+- `WebFetch` — check CVE databases or security advisories for specific dependencies
+- No `Edit`, `Write`, or destructive operations
+## When to delegate here
+- Before merging code that touches authentication, authorization, or session management
+- Before deploying code that handles user input (forms, file uploads, API parameters)
+- Reviewing database query construction for injection risks
+- Auditing API endpoints for missing auth/authz checks
+- Checking for secrets or credentials accidentally included in code
+- Reviewing third-party dependency additions for known CVEs
+## When NOT to delegate here
+- General code quality review (use Code Reviewer)
+- Infra/networking security (use a dedicated cloud security tool)
+- Penetration testing (dynamic testing, not static analysis)
+## Prompt template
+```
+You are a security reviewer. Do not modify any files. Report findings only.
+Files to review:
+[list files or paste code]
+Application context:
+- What this code does: [brief description]
+- Auth mechanism: [JWT, sessions, API keys, etc.]
+- Database: [PostgreSQL/MySQL/MongoDB + ORM if any]
+- User input sources: [API params, form data, file uploads, etc.]
+- Known sensitive operations: [payments, admin actions, user data access]
+Audit for:
+1. Injection (SQL, NoSQL, command, LDAP, XPath)
+2. Broken authentication (weak tokens, missing expiry, insecure storage)
+3. Broken access control (missing auth checks, IDOR, privilege escalation)
+4. Sensitive data exposure (secrets in code, logs, error messages)
+5. Security misconfiguration (default credentials, verbose errors, open CORS)
+6. XSS (reflected, stored, DOM-based)
+7. CSRF (missing tokens on state-changing endpoints)
+8. Insecure dependencies (known CVEs in imports)
+9. Insufficient logging (failed auth attempts not logged, no audit trail)
+Severity: CRITICAL / HIGH / MEDIUM / LOW / INFO
+For each finding:
+- Severity
+- Location (file:line)
+- Vulnerability description
+- Attack scenario (how would an attacker exploit this?)
+- Recommended fix
+```
+## Example use case
+**Scenario:** Review a new file upload endpoint.
+**What Security Reviewer returns:**
+```
+CRITICAL — uploads/routes.ts:28
+File extension not validated before saving. Attacker can upload .php or .exe.
+Attack: upload malicious.php, access via URL, execute arbitrary code on server.
+Fix: whitelist allowed MIME types + extensions, validate both. Never trust client-provided content-type.
+HIGH — uploads/routes.ts:41
+File saved to web-accessible directory (/public/uploads).
+Attack: uploaded files are directly executable/accessible by URL.
+Fix: save outside webroot, serve via signed URLs with expiry.
+MEDIUM — uploads/routes.ts:15
+No file size limit enforced server-side (only client-side check).
+Attack: send large files to exhaust disk space or cause OOM.
+Fix: add multer/busboy size limit at middleware level.
+LOW — uploads/routes.ts:55
+Original filename used in storage path without sanitization.
+Attack: path traversal via filename like "../../etc/passwd".
+Fix: generate UUID filename, ignore original filename for storage path.
+```
+---
+> **Work with us:** Claudient is backed by [Uitbreiden](https://uitbreiden.com/) — we build AI products and B2B solutions with developer communities. [uitbreiden.com](https://uitbreiden.com/)