codecruise 0.1.0

package/config/commands/plan-review.md

@@ -0,0 +1,130 @@
+---
+name: plan-review
+description: Validate roadmap plans for correctness, completeness, and quality
+model: sonnet
+tools: Read, Glob, Grep
+---
+
+# /plan-review — Plan Validation
+
+Validate roadmap plans for structure, quality, traceability, and risks.
+
+## Usage
+
+```bash
+/plan-review                  # Review all plans
+/plan-review phase-01         # Review specific phase
+/plan-review --quick          # Structural checks only
+/plan-review --strict         # Fail on warnings
+/plan-review --coverage       # Focus on spec coverage
+/plan-review --fix            # Auto-fix minor issues
+```
+
+## Validation Categories
+
+### Structural (Error severity)
+
+| Check | Description |
+|-------|-------------|
+| YAML_SYNTAX | Valid YAML |
+| REQUIRED_FIELDS | id, description, status, files, criteria |
+| UNIQUE_IDS | No duplicate IDs |
+| VALID_REFERENCES | depends_on points to existing TODOs |
+| NO_CIRCULAR_DEPS | Acyclic dependency graph |
+| VALID_STATUS | pending, in_progress, done, blocked |
+
+### Quality (Warning severity)
+
+| Check | Description |
+|-------|-------------|
+| TESTABLE_CRITERIA | Can be objectively verified |
+| REASONABLE_SCOPE | 1-5 files per TODO |
+| CRITERIA_COUNT | 1-10 criteria |
+| NO_VAGUE_WORDS | No "properly", "correctly", "good" |
+| HAS_TESTS_FIELD | tests field present (recommended) |
+
+### Traceability (Warning severity)
+
+| Check | Description |
+|-------|-------------|
+| FR_COVERAGE | All FR-XXX have TODOs |
+| NFR_COVERAGE | Non-functional requirements addressed |
+| ADR_ALIGNMENT | TODOs don't contradict decisions |
+| NO_ORPHAN_TODOS | Every TODO belongs to a feature |
+
+### Risk Detection (Info severity)
+
+| Check | Description |
+|-------|-------------|
+| LARGE_TODO | >5 files or >10 criteria |
+| LONG_DEP_CHAIN | Dependency chain >5 deep |
+| SECURITY_TODO | Contains auth/token/secret keywords |
+| MANY_DEPENDENTS | >5 TODOs depend on this one |
+
+### Completeness (Error severity)
+
+| Check | Description |
+|-------|-------------|
+| PHASE_HAS_FEATURES | No empty phases |
+| FEATURE_HAS_TODOS | No empty features |
+| FEATURE_HAS_BRANCH | Branch specified |
+| TODO_HAS_FILES | Files specified |
+
+## Auto-Fix (`--fix`)
+
+| Issue | Action |
+|-------|--------|
+| Missing `status` | Set to `pending` |
+| Missing `depends_on` | Set to `[]` |
+| Missing `owner` | Set to `dev` |
+| Missing `tests` | Add `tests: []` |
+| Inconsistent indentation | Normalize |
+
+**Cannot auto-fix**: Missing criteria, vague descriptions, circular deps
+
+## Output Summary
+
+```
+STRUCTURAL: ✓ PASS
+QUALITY: ⚠ 3 WARNINGS
+  ⚠ todo-1.3a-005: missing 'tests' field
+  ⚠ todo-1.8b-003: vague criteria "works correctly"
+TRACEABILITY: ⚠ 1 WARNING
+  ⚠ Missing: FR-046, FR-047
+RISK: ⚠ 2 FLAGS
+  ⚠ SECURITY: todo-1.6a-008 (JWT handling)
+COMPLETENESS: ✓ PASS
+
+Result: ⚠ PASS WITH WARNINGS
+Errors: 0 | Warnings: 6
+
+Actions:
+1. Add 'tests' field to todo-1.3a-005
+2. Clarify criteria in todo-1.8b-003
+3. Add TODOs for FR-046, FR-047
+```
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | Pass |
+| 1 | Pass with warnings |
+| 2 | Fail (errors) |
+| 3 | Cannot run (missing files) |
+
+## Quick Mode
+
+Structural checks only, fast pre-flight for /run:
+
+```
+STRUCTURAL: ✓ PASS
+  ✓ YAML valid | ✓ Fields OK | ✓ IDs unique | ✓ Deps valid
+```
+
+## Quality Bar
+
+- Validates all files in <5 seconds
+- Clear, actionable output
+- Specific line numbers for issues
+- No false positives on structural checks

package/config/commands/plan.md

@@ -0,0 +1,216 @@
+---
+name: plan
+description: Create or update project roadmap with phases, features, and TODOs
+disable-model-invocation: true
+tools: Read, Write, Glob, Grep, Bash
+model: sonnet
+---
+
+# /plan Command
+
+Create or update the project roadmap.
+
+## Usage
+
+```
+/plan                              # Create full roadmap from EDD
+/plan "auth feature"               # Plan specific feature only
+/plan --phase 2                    # Plan specific phase
+/plan --from-edd docs/arch/edd.md  # Specify EDD source
+```
+
+### Arguments
+
+| Argument | Description | Example |
+|----------|-------------|---------|
+| (positional) | Feature or phase to plan | `/plan "user authentication"` |
+| `--phase` | Plan specific phase number | `/plan --phase 2` |
+| `--from-edd` | Specify EDD file path | `/plan --from-edd docs/architecture/edd-auth.md` |
+| `--todos-only` | Generate TODOs only (skip phase/feature) | `/plan "login" --todos-only` |
+| `--max-todos` | Max TODOs per feature (default 8) | `/plan --max-todos 6` |
+
+### Examples
+
+```bash
+# Full roadmap from EDD
+/plan
+
+# Plan specific feature with TODO breakdown
+/plan "payment processing"
+
+# Plan phase 2 only
+/plan --phase 2
+
+# Quick TODO breakdown for small feature
+/plan "add logout button" --todos-only
+```
+
+## Read First
+
+1. `~/.claude/rules/workflow.md`
+2. Project `CLAUDE.md` for tech stack and context
+
+## Process
+
+### 1. Gather Context
+
+Use Explore subagent to:
+- Read project `CLAUDE.md`
+- Scan existing `roadmap/` if present
+- Understand codebase structure
+- Identify current state from `progress.yaml`
+- Read `docs/context/*.yaml` if exists (feature constraints, decisions)
+- Read `docs/canon/spec.md` if exists (requirements)
+
+### 2. If No Roadmap Exists
+
+Create initial structure:
+
+```bash
+mkdir -p roadmap dashboard
+touch progress.yaml
+```
+
+### 3. Discuss with User
+
+Ask clarifying questions:
+- What is the project goal?
+- What are the major phases?
+- Any existing work to incorporate?
+- Timeline constraints?
+
+### 4. Create Roadmap
+
+For each phase, create `roadmap/phase-NN.md`:
+
+```markdown
+# Phase N: {Name}
+
+## Metadata
+\`\`\`yaml
+id: phase-NN
+status: pending
+started: null
+completed: null
+\`\`\`
+
+## Requirements
+- {requirement 1}
+- {requirement 2}
+
+---
+
+## feature-N.1: {Name}
+
+\`\`\`yaml
+id: feature-N.1
+branch: feature/{slug}
+status: pending
+\`\`\`
+
+### Requirements
+- {requirement}
+
+### Todos
+
+```yaml
+todos:
+  - id: todo-001
+    description: {description}
+    owner: dev
+    status: pending
+    files:
+      - {file}
+    criteria:
+      - {acceptance criterion}
+    constraints:        # From docs/context/{feature}.yaml
+      - {constraint 1}
+      - {constraint 2}
+    depends_on: []
+```
+
+**Note:** If `docs/context/{feature}.yaml` exists, include relevant constraints in each TODO to ensure implementation honors documented decisions.
+```
+
+### 5. Create Project Metadata
+
+Create `roadmap/project.yaml`:
+
+```yaml
+name: {Project Name}
+description: {One-liner}
+
+tech_stack:
+  language: {e.g., TypeScript}
+  framework: {e.g., Next.js 15}
+  database: {e.g., PostgreSQL}
+  testing: {e.g., Vitest + Playwright}
+
+branch_strategy:
+  main: main
+  feature_prefix: feature/
+
+phases:
+  - id: phase-01
+    name: {Phase Name}
+    status: pending
+```
+
+### 6. Initialize Progress
+
+Create `progress.yaml`:
+
+```yaml
+project: {name}
+generated: {ISO timestamp}
+
+current_phase: phase-01
+current_feature: null
+current_todo: null
+
+active_todos: []
+
+stats:
+  total_phases: {N}
+  completed_phases: 0
+  total_features: {N}
+  completed_features: 0
+  total_todos: {N}
+  completed_todos: 0
+  percent_complete: 0
+
+blocked: []
+last_updated: {ISO timestamp}
+```
+
+### 7. Generate Dashboard
+
+Run `/dashboard` to create visual progress view.
+
+## Feature Decomposition
+
+For complex features, invoke the planner agent:
+
+```
+Use the planner agent to break down {feature} into TODOs
+```
+
+The planner follows TODO format from `~/.claude/rules/workflow.md`.
+
+## Output
+
+```
+✓ Roadmap created
+
+Phases: {N}
+Features: {N}
+TODOs: {N}
+
+Files created:
+- roadmap/project.yaml
+- roadmap/phase-01.md
+- progress.yaml
+- dashboard/dashboard.md
+
+Next: Run /task to start first TODO
+```

package/config/commands/production-check.md

@@ -0,0 +1,308 @@
+---
+name: production-check
+description: Comprehensive production readiness audit before deployment
+tools: Read, Glob, Grep, Bash
+model: opus
+---
+
+# /production-check — Production Readiness Audit
+
+## Goal
+
+Validate that the codebase is production-ready across all quality dimensions before deployment.
+
+## Usage
+
+```
+/production-check              # Full audit
+/production-check --section security   # Specific section
+/production-check --quick      # Fast checks only (no deep analysis)
+```
+
+## Process
+
+### 1. Gather Context
+
+Read project configuration:
+- `package.json` — dependencies, scripts
+- `tsconfig.json` — TypeScript config
+- `.env.example` — required environment variables
+- `CLAUDE.md` — project context
+
+### 2. Run Automated Checks
+
+```bash
+# Type safety
+npm run typecheck
+
+# Linting
+npm run lint
+
+# Tests with coverage
+npm run test:coverage
+
+# Security audit
+npm audit --audit-level=high
+```
+
+### 3. Manual Audit Checklist
+
+#### Security (Weight: Critical)
+
+| Check | Command/Method | Pass Criteria |
+|-------|----------------|---------------|
+| No secrets in code | `grep -r "API_KEY\|SECRET\|PASSWORD" --include="*.ts"` | No matches in source |
+| Auth on protected routes | Manual review | All /api/* routes have auth middleware |
+| Input validation | Check controllers | Zod schemas at all boundaries |
+| SQL injection | Check queries | All queries parameterized |
+| XSS prevention | Check responses | Output encoding present |
+| Rate limiting | Check middleware | Configured on /auth, /api |
+| CORS | Check config | Specific origins, not `*` |
+| Security headers | Check middleware | CSP, X-Frame-Options, etc. |
+| Dependencies | `npm audit` | No high/critical vulnerabilities |
+
+#### Type Safety (Weight: High)
+
+| Check | Command/Method | Pass Criteria |
+|-------|----------------|---------------|
+| Strict mode | Check tsconfig.json | `strict: true` |
+| No `any` types | `grep -r ": any" --include="*.ts"` | Zero matches |
+| Explicit returns | Manual review | All exports have return types |
+| Zod validation | Check API routes | All inputs validated |
+| AppError hierarchy | Check error handling | Custom errors used |
+
+#### Performance (Weight: High)
+
+| Check | Command/Method | Pass Criteria |
+|-------|----------------|---------------|
+| N+1 queries | Check DB calls | All use includes/joins |
+| Database indexes | Check schema | FKs and filters indexed |
+| Pagination | Check list endpoints | Cursor pagination used |
+| Caching | Check hot paths | Cache strategy documented |
+| Bundle size | `npm run build && ls -la dist` | Within budget |
+
+#### Resilience (Weight: High)
+
+| Check | Command/Method | Pass Criteria |
+|-------|----------------|---------------|
+| Error handling | Check async functions | All have try/catch |
+| Circuit breakers | Check external calls | Pattern implemented |
+| Timeouts | Check HTTP clients | All configured |
+| Retry logic | Check critical paths | Exponential backoff |
+| Graceful shutdown | Check server setup | SIGTERM handled |
+| Health endpoints | Check routes | /health, /health/ready exist |
+
+#### Observability (Weight: Medium)
+
+| Check | Command/Method | Pass Criteria |
+|-------|----------------|---------------|
+| Structured logging | `grep -r "console.log" --include="*.ts"` | Zero in src/ |
+| Correlation IDs | Check middleware | Propagated on all requests |
+| PII redaction | Check logger | Sensitive fields redacted |
+| Metrics | Check instrumentation | Key paths tracked |
+| Error tracking | Check config | Sentry/similar configured |
+
+#### Testing (Weight: High)
+
+| Check | Command/Method | Pass Criteria |
+|-------|----------------|---------------|
+| Unit tests | Check coverage | > 80% for business logic |
+| Integration tests | Check test files | API endpoints covered |
+| E2E tests | Check playwright/cypress | Critical flows covered |
+| Test determinism | Run tests 3x | All pass consistently |
+
+#### Documentation (Weight: Medium)
+
+| Check | Command/Method | Pass Criteria |
+|-------|----------------|---------------|
+| README | Check README.md | Setup, usage documented |
+| API docs | Check /docs or OpenAPI | All endpoints documented |
+| Environment | Check .env.example | All required vars listed |
+| Architecture | Check docs/ | Key decisions documented |
+
+#### Infrastructure (Weight: Medium)
+
+| Check | Command/Method | Pass Criteria |
+|-------|----------------|---------------|
+| Docker | Check Dockerfile | Multi-stage, non-root user |
+| CI/CD | Check .github/workflows | Build, test, deploy stages |
+| Database migrations | Check migrations | Idempotent, reversible |
+| Feature flags | Check config | Risky features flagged |
+| Rollback plan | Check docs | Documented procedure |
+
+### 4. Calculate Score
+
+```typescript
+interface AuditResult {
+  section: string;
+  weight: 'critical' | 'high' | 'medium';
+  score: number;  // 0-10
+  issues: Issue[];
+}
+
+const weights = {
+  critical: 2.0,
+  high: 1.5,
+  medium: 1.0,
+};
+
+function calculateGrade(results: AuditResult[]): Grade {
+  let totalWeight = 0;
+  let weightedScore = 0;
+
+  for (const result of results) {
+    const weight = weights[result.weight];
+    totalWeight += weight;
+    weightedScore += result.score * weight;
+  }
+
+  const score = weightedScore / totalWeight;
+
+  if (score >= 9.0) return 'A';
+  if (score >= 8.0) return 'B';
+  if (score >= 7.0) return 'C';
+  if (score >= 6.0) return 'D';
+  return 'F';
+}
+```
+
+### 5. Generate Report
+
+## Output Format
+
+```markdown
+# Production Readiness Report
+
+**Project**: {name}
+**Date**: {ISO timestamp}
+**Auditor**: /production-check
+
+## Executive Summary
+
+**Grade**: B (7.8/10)
+**Verdict**: ⚠️ READY WITH CAVEATS
+
+| Section | Score | Status |
+|---------|-------|--------|
+| Security | 8/10 | ⚠️ |
+| Type Safety | 9/10 | ✓ |
+| Performance | 7/10 | ⚠️ |
+| Resilience | 6/10 | ✗ |
+| Observability | 8/10 | ✓ |
+| Testing | 8/10 | ✓ |
+| Documentation | 7/10 | ⚠️ |
+| Infrastructure | 8/10 | ✓ |
+
+## Blockers (Must Fix Before Deploy)
+
+1. **No circuit breaker on payment API**
+   - File: `src/services/payment.ts`
+   - Risk: Cascading failure if Stripe is down
+   - Fix: Implement circuit breaker pattern
+
+2. **Missing rate limiting on /auth endpoints**
+   - File: `src/routes/auth.ts`
+   - Risk: Brute force attacks
+   - Fix: Add rate limiter middleware
+
+## Warnings (Should Fix Soon)
+
+1. **Test coverage at 75%**
+   - Missing: Error handling paths
+   - Recommendation: Add tests for edge cases
+
+2. **No graceful shutdown**
+   - Risk: Dropped requests during deploy
+   - Fix: Handle SIGTERM, drain connections
+
+## Passed Checks ✓
+
+- No secrets in code
+- All inputs validated with Zod
+- Strict TypeScript mode enabled
+- No `any` types found
+- All queries parameterized
+- Health endpoints present
+- Structured logging configured
+- CI/CD pipeline complete
+
+## Recommendations
+
+### Before Deploy
+1. Add circuit breaker to payment service
+2. Configure rate limiting on auth endpoints
+
+### Post-Deploy
+1. Monitor error rates for 24h
+2. Verify all health checks pass
+3. Test rollback procedure
+
+### Next Sprint
+1. Increase test coverage to 85%
+2. Add E2E tests for checkout flow
+3. Document API with OpenAPI
+
+---
+
+## Quick Checklist (Print & Sign Off)
+
+### Security
+- [ ] No secrets in code
+- [ ] Auth on all protected routes
+- [ ] Input validation everywhere
+- [ ] Rate limiting configured
+- [ ] CORS restricted
+- [ ] Dependencies audited
+
+### Reliability
+- [ ] Circuit breakers on external calls
+- [ ] Timeouts configured
+- [ ] Graceful shutdown implemented
+- [ ] Health check endpoints exist
+
+### Observability
+- [ ] Structured logging (no console.log)
+- [ ] Correlation IDs propagated
+- [ ] Error tracking configured
+
+### Quality
+- [ ] No `any` types
+- [ ] Test coverage > 80%
+- [ ] TypeScript strict mode
+
+### Infrastructure
+- [ ] CI/CD passes
+- [ ] Migrations tested
+- [ ] Rollback plan documented
+
+**Sign-off**: _________________ **Date**: _________________
+```
+
+## Grading Criteria
+
+| Grade | Score | Meaning | Action |
+|-------|-------|---------|--------|
+| A | 9.0+ | Excellent | Ship it |
+| B | 8.0-8.9 | Good | Ship with monitoring |
+| C | 7.0-7.9 | Acceptable | Fix warnings, then ship |
+| D | 6.0-6.9 | Poor | Fix blockers first |
+| F | < 6.0 | Failing | Major rework needed |
+
+**Minimum to deploy: C (7.0) with no blockers**
+
+## Terminal Output
+
+```
+✓ Production readiness audit complete
+
+Grade: B (7.8/10)
+Verdict: READY WITH CAVEATS
+
+Blockers: 2 (must fix)
+Warnings: 4 (should fix)
+Passed: 18 checks
+
+Report: docs/production-audit.md
+
+Next: Fix blockers, then deploy
+```