claudient 0.1.0

package/skills/finance-payments/nl/stripe.md

@@ -0,0 +1,187 @@
+> 🇳🇱 Dit is de Nederlandse vertaling. [Engelse versie](../stripe.md).
+
+# Stripe Integratie Skill
+
+## Wanneer te activeren
+- Stripe Checkout of Payment Intents implementeren voor eenmalige betalingen
+- Stripe-abonnementen en factureringscycli instellen
+- Stripe-webhooks afhandelen voor betalingsgebeurtenissen
+- Terugbetalingen, geschillen of betalingsannuleringen implementeren
+- Stripe Connect instellen voor marketplace/platform-betalingen
+- Mislukte betalingen, geweigerde kaarten of problemen met webhookbezorging debuggen
+- SCA (Strong Customer Authentication)-compliance implementeren
+
+## Wanneer NIET te gebruiken
+- PayPal, Braintree, Adyen, Mollie — andere betalingsproviders met andere SDK's
+- Crypto-betalingen
+- Interne boekhouding of factureringssystemen zonder een betalingsgateway
+- Bankoverschrijving/ACH-only-flows (ander Stripe-product — Payment Elements zijn nog steeds van toepassing, maar flow verschilt)
+
+## Instructies
+
+### Codeer of log nooit betalingsgegevens
+```typescript
+// Log NOOIT kaartgegevens, volledige payment intent-objecten of klant-PII
+// SLECHT:
+console.log('Payment intent:', paymentIntent); // Kan gevoelige data bevatten
+
+// GOED:
+console.log('Payment intent created:', paymentIntent.id, paymentIntent.status);
+```
+
+### Payment Intents — aanmaken aan serverzijde
+```typescript
+import Stripe from 'stripe';
+
+const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
+  apiVersion: '2024-12-18.acacia',  // Pin altijd de API-versie
+});
+
+// Maak payment intent aan serverzijde — nooit aan clientzijde
+export async function createPaymentIntent(
+  amount: number,   // Altijd in kleinste valuta-eenheid (centen voor USD)
+  currency: string,
+  customerId: string,
+  metadata: Record<string, string>
+): Promise<{ clientSecret: string; paymentIntentId: string }> {
+  const paymentIntent = await stripe.paymentIntents.create({
+    amount,                    // bijv. 2999 = €29,99
+    currency,                  // bijv. 'usd', 'eur'
+    customer: customerId,
+    automatic_payment_methods: { enabled: true },
+    metadata,                  // Sla hier je interne ID's op
+    idempotency_key: `pi_${customerId}_${Date.now()}`,  // Voorkom dubbele kosten
+  });
+
+  return {
+    clientSecret: paymentIntent.client_secret!,
+    paymentIntentId: paymentIntent.id,
+  };
+}
+```
+
+### Webhook-afhandeling — verifieer altijd handtekening
+```typescript
+import { headers } from 'next/headers';
+
+export async function POST(request: Request) {
+  const body = await request.text();  // Ruwe body — geen geparseerde JSON
+  const signature = headers().get('stripe-signature')!;
+
+  let event: Stripe.Event;
+  try {
+    event = stripe.webhooks.constructEvent(
+      body,
+      signature,
+      process.env.STRIPE_WEBHOOK_SECRET!
+    );
+  } catch (err) {
+    // Ongeldige handtekening — direct weigeren
+    return new Response('Invalid signature', { status: 400 });
+  }
+
+  // Idempotent verwerken — webhooks kunnen meer dan eens worden bezorgd
+  switch (event.type) {
+    case 'payment_intent.succeeded':
+      await handlePaymentSucceeded(event.data.object as Stripe.PaymentIntent);
+      break;
+    case 'payment_intent.payment_failed':
+      await handlePaymentFailed(event.data.object as Stripe.PaymentIntent);
+      break;
+    case 'customer.subscription.deleted':
+      await handleSubscriptionCancelled(event.data.object as Stripe.Subscription);
+      break;
+    default:
+      // Log maar geef geen fout bij onbekende events — Stripe voegt nieuwe events toe in de loop der tijd
+      console.log(`Unhandled event type: ${event.type}`);
+  }
+
+  return new Response(null, { status: 200 });
+}
+
+// Controleer altijd of al verwerkt voordat DB-wijzigingen worden aangebracht
+async function handlePaymentSucceeded(paymentIntent: Stripe.PaymentIntent) {
+  const orderId = paymentIntent.metadata.order_id;
+
+  // Idempotentiecontrole
+  const existing = await db.order.findUnique({ where: { id: orderId } });
+  if (existing?.status === 'paid') return;  // Al verwerkt
+
+  await db.order.update({
+    where: { id: orderId },
+    data: { status: 'paid', stripePaymentIntentId: paymentIntent.id }
+  });
+}
+```
+
+### Abonnementen
+```typescript
+// Abonnement aanmaken
+const subscription = await stripe.subscriptions.create({
+  customer: customerId,
+  items: [{ price: priceId }],
+  payment_behavior: 'default_incomplete',  // Activeer niet totdat betaling bevestigd is
+  expand: ['latest_invoice.payment_intent'],
+});
+
+// Sleutel webhook-events voor abonnementen:
+// customer.subscription.created → toegang verlenen
+// customer.subscription.updated → planwijzigingen afhandelen
+// customer.subscription.deleted → toegang intrekken
+// invoice.payment_succeeded → toegangsperiode verlengen
+// invoice.payment_failed → dunning-e-mail sturen, dan opschorten na respijtperiode
+```
+
+### Testmodus-discipline
+```typescript
+// Gebruik testkaartnummers in ontwikkeling:
+// Succes: 4242 4242 4242 4242
+// Geweigerd: 4000 0000 0000 0002
+// Authenticatie vereist: 4000 0025 0000 3155
+// Gebruik test webhook CLI: stripe listen --forward-to localhost:3000/api/webhooks/stripe
+
+// Gebruik nooit testsleutels in productie, gebruik nooit live sleutels in ontwikkeling
+const isLiveMode = process.env.STRIPE_SECRET_KEY!.startsWith('sk_live_');
+if (isLiveMode && process.env.NODE_ENV !== 'production') {
+  throw new Error('Live Stripe keys must not be used outside production');
+}
+```
+
+### Foutafhandeling
+```typescript
+try {
+  const charge = await stripe.charges.create({ ... });
+} catch (err) {
+  if (err instanceof Stripe.errors.StripeCardError) {
+    // Kaart geweigerd — toon gebruiksvriendelijk bericht
+    return { error: err.message, code: err.code };
+  }
+  if (err instanceof Stripe.errors.StripeRateLimitError) {
+    // Opnieuw proberen met exponentieel wachten
+    throw err;
+  }
+  if (err instanceof Stripe.errors.StripeInvalidRequestError) {
+    // Slechte API-aanroep — log en herstel de code
+    console.error('Invalid Stripe request:', err.message);
+    throw err;
+  }
+  // Andere fouten: StripeAPIError, StripeConnectionError, StripeAuthenticationError
+  throw err;
+}
+```
+
+## Voorbeeld
+
+**Gebruiker:** Implementeer een checkout-flow voor een SaaS-product: maak aan serverzijde een payment intent aan, handel de webhook bij succes af om het abonnement te activeren en behandel mislukte betalingen.
+
+**Verwachte output:**
+- `POST /api/checkout` — maakt PaymentIntent aan, retourneert `clientSecret`
+- `POST /api/webhooks/stripe` — verifieert handtekening, behandelt `payment_intent.succeeded` (idempotente DB-update), `payment_intent.payment_failed` (log + notificeer)
+- Metadata op PaymentIntent: `user_id`, `plan_id`, `order_id`
+- Alle bedragen in centen, valuta expliciet
+- API-versie gepind
+- Geen logging van gevoelige data
+
+---
+
+> **Werk met ons:** Claudient wordt ondersteund door [Uitbreiden](https://uitbreiden.com/) — we bouwen AI-producten en B2B-oplossingen met ontwikkelaarsgemeenschappen. Betalingsflows bouwen of AI-producten monetiseren? [uitbreiden.com](https://uitbreiden.com/)

package/skills/finance-payments/stripe.md

@@ -0,0 +1,185 @@
+# Stripe Integration Skill
+
+## When to activate
+- Implementing Stripe Checkout or Payment Intents for one-time payments
+- Setting up Stripe subscriptions and billing cycles
+- Handling Stripe webhooks for payment events
+- Implementing refunds, disputes, or payment cancellations
+- Setting up Stripe Connect for marketplace/platform payments
+- Debugging failed payments, declined cards, or webhook delivery issues
+- Implementing SCA (Strong Customer Authentication) compliance
+
+## When NOT to use
+- PayPal, Braintree, Adyen, Mollie — different payment providers with different SDKs
+- Crypto payments
+- Internal accounting or invoicing systems without a payment gateway
+- Bank transfer / ACH-only flows (different Stripe product — Payment Elements still apply, but flow differs)
+
+## Instructions
+
+### Never hardcode or log payment data
+```typescript
+// NEVER log card details, full payment intent objects, or customer PII
+// BAD:
+console.log('Payment intent:', paymentIntent); // May contain sensitive data
+
+// GOOD:
+console.log('Payment intent created:', paymentIntent.id, paymentIntent.status);
+```
+
+### Payment Intents — server-side creation
+```typescript
+import Stripe from 'stripe';
+
+const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
+  apiVersion: '2024-12-18.acacia',  // Always pin the API version
+});
+
+// Create payment intent server-side — never client-side
+export async function createPaymentIntent(
+  amount: number,   // Always in smallest currency unit (cents for USD)
+  currency: string,
+  customerId: string,
+  metadata: Record<string, string>
+): Promise<{ clientSecret: string; paymentIntentId: string }> {
+  const paymentIntent = await stripe.paymentIntents.create({
+    amount,                    // e.g., 2999 = $29.99
+    currency,                  // e.g., 'usd', 'eur'
+    customer: customerId,
+    automatic_payment_methods: { enabled: true },
+    metadata,                  // Store your internal IDs here
+    idempotency_key: `pi_${customerId}_${Date.now()}`,  // Prevent duplicate charges
+  });
+
+  return {
+    clientSecret: paymentIntent.client_secret!,
+    paymentIntentId: paymentIntent.id,
+  };
+}
+```
+
+### Webhook handling — always verify signature
+```typescript
+import { headers } from 'next/headers';
+
+export async function POST(request: Request) {
+  const body = await request.text();  // Raw body — not parsed JSON
+  const signature = headers().get('stripe-signature')!;
+
+  let event: Stripe.Event;
+  try {
+    event = stripe.webhooks.constructEvent(
+      body,
+      signature,
+      process.env.STRIPE_WEBHOOK_SECRET!
+    );
+  } catch (err) {
+    // Invalid signature — reject immediately
+    return new Response('Invalid signature', { status: 400 });
+  }
+
+  // Process idempotently — webhooks can be delivered more than once
+  switch (event.type) {
+    case 'payment_intent.succeeded':
+      await handlePaymentSucceeded(event.data.object as Stripe.PaymentIntent);
+      break;
+    case 'payment_intent.payment_failed':
+      await handlePaymentFailed(event.data.object as Stripe.PaymentIntent);
+      break;
+    case 'customer.subscription.deleted':
+      await handleSubscriptionCancelled(event.data.object as Stripe.Subscription);
+      break;
+    default:
+      // Log but don't error on unknown events — Stripe adds new events over time
+      console.log(`Unhandled event type: ${event.type}`);
+  }
+
+  return new Response(null, { status: 200 });
+}
+
+// Always check if already processed before making DB changes
+async function handlePaymentSucceeded(paymentIntent: Stripe.PaymentIntent) {
+  const orderId = paymentIntent.metadata.order_id;
+
+  // Idempotency check
+  const existing = await db.order.findUnique({ where: { id: orderId } });
+  if (existing?.status === 'paid') return;  // Already processed
+
+  await db.order.update({
+    where: { id: orderId },
+    data: { status: 'paid', stripePaymentIntentId: paymentIntent.id }
+  });
+}
+```
+
+### Subscriptions
+```typescript
+// Create subscription
+const subscription = await stripe.subscriptions.create({
+  customer: customerId,
+  items: [{ price: priceId }],
+  payment_behavior: 'default_incomplete',  // Don't activate until payment confirmed
+  expand: ['latest_invoice.payment_intent'],
+});
+
+// Key webhook events for subscriptions:
+// customer.subscription.created → provision access
+// customer.subscription.updated → handle plan changes
+// customer.subscription.deleted → revoke access
+// invoice.payment_succeeded → extend access period
+// invoice.payment_failed → send dunning email, then suspend after grace period
+```
+
+### Test mode discipline
+```typescript
+// Use test card numbers in development:
+// Success: 4242 4242 4242 4242
+// Decline: 4000 0000 0000 0002
+// Auth required: 4000 0025 0000 3155
+// Use test webhook CLI: stripe listen --forward-to localhost:3000/api/webhooks/stripe
+
+// Never use test keys in production, never use live keys in development
+const isLiveMode = process.env.STRIPE_SECRET_KEY!.startsWith('sk_live_');
+if (isLiveMode && process.env.NODE_ENV !== 'production') {
+  throw new Error('Live Stripe keys must not be used outside production');
+}
+```
+
+### Error handling
+```typescript
+try {
+  const charge = await stripe.charges.create({ ... });
+} catch (err) {
+  if (err instanceof Stripe.errors.StripeCardError) {
+    // Card declined — show user-friendly message
+    return { error: err.message, code: err.code };
+  }
+  if (err instanceof Stripe.errors.StripeRateLimitError) {
+    // Retry with exponential backoff
+    throw err;
+  }
+  if (err instanceof Stripe.errors.StripeInvalidRequestError) {
+    // Bad API call — log and fix the code
+    console.error('Invalid Stripe request:', err.message);
+    throw err;
+  }
+  // Other errors: StripeAPIError, StripeConnectionError, StripeAuthenticationError
+  throw err;
+}
+```
+
+## Example
+
+**User:** Implement a checkout flow for a SaaS product: create a payment intent server-side, handle the webhook on success to activate the subscription, and handle failed payments.
+
+**Expected output:**
+- `POST /api/checkout` — creates PaymentIntent, returns `clientSecret`
+- `POST /api/webhooks/stripe` — verifies signature, handles `payment_intent.succeeded` (idempotent DB update), `payment_intent.payment_failed` (log + notify)
+- Metadata on PaymentIntent: `user_id`, `plan_id`, `order_id`
+- All amounts in cents, currency explicit
+- API version pinned
+- No logging of sensitive data
+
+---
+
+> **Work with us:** Claudient is backed by [Uitbreiden](https://uitbreiden.com/) — we build AI products and B2B solutions with developer communities. Building payment flows or monetizing AI products? [uitbreiden.com](https://uitbreiden.com/)

package/workflows/code-review.md

@@ -0,0 +1,151 @@
+# Code Review Workflow
+
+How to run a structured, automated code review using Claude Code before or alongside human review.
+
+---
+
+## When to use this workflow
+- Self-reviewing your own changes before pushing
+- Pre-screening a PR before requesting human review
+- Reviewing AI-generated code before accepting it
+- Onboarding review: understanding what changed in an unfamiliar PR
+
+---
+
+## Step 1 — Prepare context
+
+Give Claude everything it needs to review meaningfully.
+
+**Prompt Claude:**
+```
+I need you to review the following changes.
+
+Project context:
+- Stack: [language, framework, key libraries]
+- Testing approach: [unit/integration, mocking policy]
+- Key conventions: [paste relevant CLAUDE.md sections]
+
+Changed files:
+[paste git diff output OR list files and ask Claude to read them]
+
+This PR: [one sentence on what it's supposed to do]
+```
+
+---
+
+## Step 2 — Correctness review
+
+**Prompt Claude:**
+```
+Review these changes for correctness only.
+
+Check:
+1. Does the code do what the PR description says it does?
+2. Are there edge cases not handled? (null inputs, empty collections, concurrent access, large inputs)
+3. Are there off-by-one errors, wrong comparisons, or logic inversions?
+4. Are error paths handled — can this panic, throw, or silently fail?
+5. Are there race conditions if this code runs concurrently?
+
+Format: [FILE:LINE] — [issue description] — [suggested fix]
+Only report real issues. Do not nitpick style.
+```
+
+---
+
+## Step 3 — Security review
+
+**Prompt Claude:**
+```
+Review these changes for security issues.
+
+Check:
+1. Is any user input used in SQL, shell commands, file paths, or HTML without sanitization?
+2. Are there missing authentication or authorization checks?
+3. Are secrets, tokens, or credentials exposed in logs, errors, or responses?
+4. Are there insecure direct object references (IDOR)?
+5. Are there missing rate limits on sensitive endpoints?
+
+Severity: CRITICAL / HIGH / MEDIUM / LOW
+Format: [SEVERITY] [FILE:LINE] — [vulnerability] — [fix]
+```
+
+---
+
+## Step 4 — Test coverage check
+
+**Prompt Claude:**
+```
+Review the test coverage for these changes.
+
+Check:
+1. Is every new function or method covered by at least one test?
+2. Is the happy path tested?
+3. Is at least one error/edge case tested?
+4. Do the tests actually assert meaningful behavior, or just that the function runs?
+5. Are there behaviors changed by this PR that existing tests don't cover?
+
+List: [what is tested] and [what is missing]
+```
+
+---
+
+## Step 5 — Maintainability review
+
+**Prompt Claude:**
+```
+Review these changes for maintainability.
+
+Check:
+1. Will a developer unfamiliar with this code understand it in 6 months?
+2. Are function names and variable names clear and accurate?
+3. Is there duplicated logic that should be extracted?
+4. Are there magic numbers or strings that should be named constants?
+5. Does this introduce unnecessary coupling between modules?
+
+Only flag real maintainability issues — not style preferences.
+```
+
+---
+
+## Step 6 — Consolidate findings
+
+**Prompt Claude:**
+```
+Consolidate all findings from the review into a final report.
+
+Format:
+## CRITICAL (must fix before merge)
+[list]
+
+## HIGH (strongly recommended)
+[list]
+
+## SUGGESTED (worth doing)
+[list]
+
+## NITPICK (optional)
+[list]
+
+## VERDICT
+[ ] Approved — no blockers
+[ ] Approved with suggestions — merge after addressing CRITICAL
+[ ] Changes requested — must address before merge
+```
+
+---
+
+## Using the Code Reviewer agent
+
+For larger PRs, delegate to the Code Reviewer agent rather than running inline:
+
+```
+Spawn a Code Reviewer agent (Sonnet 4.6) to review [list of files].
+Give it the project context from CLAUDE.md and the PR description.
+Have it return a structured CRITICAL/SUGGESTED/NITPICK report.
+```
+
+See `agents/core/code-reviewer.md` for the full agent definition.
+
+---
+
+> **Work with us:** Claudient is backed by [Uitbreiden](https://uitbreiden.com/) — we build AI products and B2B solutions with developer communities. [uitbreiden.com](https://uitbreiden.com/)

package/workflows/de/code-review.md

@@ -0,0 +1,153 @@
+> 🇩🇪 Dies ist die deutsche Übersetzung. [Englische Version](../code-review.md).
+
+# Code-Review-Workflow
+
+So führt man ein strukturiertes, automatisiertes Code-Review mit Claude Code durch — vor oder parallel zum menschlichen Review.
+
+---
+
+## Wann diesen Workflow verwenden
+- Eigene Änderungen vor dem Pushen selbst überprüfen
+- Einen PR vor dem Anfordern eines menschlichen Reviews vorscreenen
+- KI-generierten Code vor der Annahme überprüfen
+- Onboarding-Review: verstehen, was sich in einem unbekannten PR geändert hat
+
+---
+
+## Schritt 1 — Kontext vorbereiten
+
+Claude alles geben, was für eine sinnvolle Überprüfung benötigt wird.
+
+**Claude fragen:**
+```
+I need you to review the following changes.
+
+Project context:
+- Stack: [language, framework, key libraries]
+- Testing approach: [unit/integration, mocking policy]
+- Key conventions: [paste relevant CLAUDE.md sections]
+
+Changed files:
+[paste git diff output OR list files and ask Claude to read them]
+
+This PR: [one sentence on what it's supposed to do]
+```
+
+---
+
+## Schritt 2 — Korrektheitsprüfung
+
+**Claude fragen:**
+```
+Review these changes for correctness only.
+
+Check:
+1. Does the code do what the PR description says it does?
+2. Are there edge cases not handled? (null inputs, empty collections, concurrent access, large inputs)
+3. Are there off-by-one errors, wrong comparisons, or logic inversions?
+4. Are error paths handled — can this panic, throw, or silently fail?
+5. Are there race conditions if this code runs concurrently?
+
+Format: [FILE:LINE] — [issue description] — [suggested fix]
+Only report real issues. Do not nitpick style.
+```
+
+---
+
+## Schritt 3 — Sicherheitsprüfung
+
+**Claude fragen:**
+```
+Review these changes for security issues.
+
+Check:
+1. Is any user input used in SQL, shell commands, file paths, or HTML without sanitization?
+2. Are there missing authentication or authorization checks?
+3. Are secrets, tokens, or credentials exposed in logs, errors, or responses?
+4. Are there insecure direct object references (IDOR)?
+5. Are there missing rate limits on sensitive endpoints?
+
+Severity: CRITICAL / HIGH / MEDIUM / LOW
+Format: [SEVERITY] [FILE:LINE] — [vulnerability] — [fix]
+```
+
+---
+
+## Schritt 4 — Testabdeckungs-Prüfung
+
+**Claude fragen:**
+```
+Review the test coverage for these changes.
+
+Check:
+1. Is every new function or method covered by at least one test?
+2. Is the happy path tested?
+3. Is at least one error/edge case tested?
+4. Do the tests actually assert meaningful behavior, or just that the function runs?
+5. Are there behaviors changed by this PR that existing tests don't cover?
+
+List: [what is tested] and [what is missing]
+```
+
+---
+
+## Schritt 5 — Wartbarkeitsprüfung
+
+**Claude fragen:**
+```
+Review these changes for maintainability.
+
+Check:
+1. Will a developer unfamiliar with this code understand it in 6 months?
+2. Are function names and variable names clear and accurate?
+3. Is there duplicated logic that should be extracted?
+4. Are there magic numbers or strings that should be named constants?
+5. Does this introduce unnecessary coupling between modules?
+
+Only flag real maintainability issues — not style preferences.
+```
+
+---
+
+## Schritt 6 — Befunde konsolidieren
+
+**Claude fragen:**
+```
+Consolidate all findings from the review into a final report.
+
+Format:
+## CRITICAL (must fix before merge)
+[list]
+
+## HIGH (strongly recommended)
+[list]
+
+## SUGGESTED (worth doing)
+[list]
+
+## NITPICK (optional)
+[list]
+
+## VERDICT
+[ ] Approved — no blockers
+[ ] Approved with suggestions — merge after addressing CRITICAL
+[ ] Changes requested — must address before merge
+```
+
+---
+
+## Den Code Reviewer-Agenten verwenden
+
+Für größere PRs den Code Reviewer-Agenten delegieren, anstatt inline zu prüfen:
+
+```
+Spawn a Code Reviewer agent (Sonnet 4.6) to review [list of files].
+Give it the project context from CLAUDE.md and the PR description.
+Have it return a structured CRITICAL/SUGGESTED/NITPICK report.
+```
+
+Die vollständige Agentendefinition in `agents/core/code-reviewer.md` finden.
+
+---
+
+> **Mit uns arbeiten:** Claudient wird von [Uitbreiden](https://uitbreiden.com/) unterstützt — wir bauen KI-Produkte und B2B-Lösungen mit Entwickler-Communities. [uitbreiden.com](https://uitbreiden.com/)