codeninja 2.0.0 → 3.2.0

package/ide/cursor/.cursor/rules/05-reactjs.mdc

@@ -0,0 +1,147 @@
+---
+description: codeninja ReactJS Frontend — scaffolding, modularize, validate-page, integrate-api
+globs: ["**/src/**/*.jsx", "**/src/**/*.js", "**/public/**", "**/.htaccess"]
+alwaysApply: false
+---
+
+# codeninja — ReactJS Frontend
+
+## Backend Linking Rule (enforced)
+ReactJS service CANNOT initialize without a linked NodeJS service.
+Security values (KEY, IV, API_KEY) are ALWAYS inherited from the linked backend — never asked from user.
+
+## /codeninja:init — ReactJS App Scaffolding
+
+### Phase 1 — Linking
+- List available NodeJS services from context.services
+- Ask: which NodeJS service to link to?
+- Auto-inherit: encryption_key, encryption_iv, api_key from linked service
+- Ask: service name, description
+
+### Phase 2 — Single Confirmation, Then Generate ALL Files
+
+**Wave 1:** package.json, .env (inherited values), .env.example, .gitignore, README.md,
+public/index.html, public/assets/css/style.css (empty reset), public/robots.txt,
+public/favicon.ico (placeholder), .htaccess (root), public/.htaccess
+
+**Wave 2:** src/api/apiClient.js, src/api/apiHandler.js
+
+**Wave 3:** src/pages/Welcome/index.jsx, src/pages/Welcome/Welcome.module.css,
+src/App.jsx, src/index.jsx, src/components/.gitkeep
+
+**Wave 4:** Dockerfile, nginx.conf, .dockerignore
+
+Completion gate — verify before proceeding:
+- public/index.html, src/api/apiClient.js, src/api/apiHandler.js, src/App.jsx, src/index.jsx, .env
+
+### apiClient.js — 4 Responsibilities
+1. Static headers: `api-key` (from REACT_APP_API_KEY), `Accept-Language`, `Content-Type: text/plain`
+2. Request interceptor: encrypt body; attach AES-encrypted `token` from localStorage (`wa_token`) if present
+3. Response interceptor (success): decrypt body; parse JSON; code -1 → logout redirect
+4. Response interceptor (error): ERR_NETWORK / 401 → logout redirect + error message
+
+### apiHandler.js Standard
+- One async function per API endpoint
+- Each calls `axiosClient.post/get/put/patch/delete(path, payload)` and returns directly
+- No try/catch, no decryption, no response shaping in this file
+- Only place in frontend where API endpoint paths are written
+
+---
+
+## /codeninja:modularize — Extract Layout Components
+
+**Rule:** Layout structure only — NEVER touch business logic, state, API calls, event handlers.
+NEVER create a component that already exists — reuse it.
+
+1. Ask: which ReactJS service
+2. Ask: all pages OR specific page
+3. Inventory existing `src/components/` — record name, path, structural role, props
+4. Scan target pages — identify repeated layout blocks (header, nav, footer, sidebar, etc.)
+5. Cross-check: if block matches existing component → mark "reuse", else "new component needed"
+6. Group blocks by similarity across pages — only extract if appears in 2+ pages
+7. Show extraction plan with component names, props, files to create, pages to update
+8. Ask: "Apply? (yes / no / adjust)"
+9. Generate each new component:
+   - `src/components/<ComponentName>/index.jsx` — props for varying values
+   - `src/components/<ComponentName>/<ComponentName>.module.css`
+10. Update each page: add import, replace extracted JSX with `<ComponentName prop={value} />`,
+    remove now-unused imports, remove moved CSS classes
+11. Call `context_write` — append to context.services[<n>].components
+
+---
+
+## /codeninja:validate-page — Add Form Validation
+
+**Rule:** ONE page per run. NEVER modify API calls or business logic. NEVER overwrite existing validation.
+
+1. Ask: which ReactJS service, which page path
+2. Ask: validation library (Yup | React Hook Form | Parsley | Validator.js | Custom)
+3. Scan page: find all `<form>`, `<input>`, `<select>`, `<textarea>`, `<button type="submit">`
+4. For each field: record type, name, id, placeholder, label text, existing validation
+5. Detect existing validation patterns — skip already-validated fields
+6. Infer semantic type from label/name/placeholder → assign standard error messages:
+   - email: "Please enter a valid email address."
+   - password: "Password must be at least 8 characters."
+   - confirmPassword: "Password and confirm password do not match."
+   - phone: "Please enter a valid phone number."
+   - required generic: "This field is required."
+7. Assign missing `name` and `id` attributes (camelCase from label text)
+8. Show validation plan — ask: "Apply? (yes / no / adjust)"
+9. Apply by library:
+   - **Yup:** validationSchema above component, validateForm async function, `{errors.field && <span>...}`
+   - **RHF:** useForm hook, `{...register('field', rules)}`, `{errors.field && <span>...}`
+   - **Parsley:** CDN scripts in index.html, data-parsley-* attributes, useEffect init
+   - **Validator.js:** import validator, validateForm function with validator.isEmail() etc.
+   - **Custom:** plain JS validateForm — no imports
+10. Add `.errorMsg` class to page's `.module.css`
+11. Add package to package.json if needed (yup/react-hook-form/validator)
+12. Call `context_write` — append to context.services[<n>].validated_pages
+
+---
+
+## /codeninja:integrate-api — Wire Forms to Backend
+
+**Rule:** ONE page per run. NEVER modify layout, CSS, or validation. ALWAYS use apiHandler.js.
+
+1. Ask: which ReactJS service, which page path
+2. Ask: all forms/buttons OR specific form/button
+3. Load: linked backend service, context.api_routes for that backend, page content, apiHandler.js
+4. Scan page: identify all forms, action buttons, existing API calls
+5. For each integration point, determine match type:
+   - existing handler → use as-is
+   - matching route in context.api_routes → add new handler to apiHandler.js
+   - no route exists → add TODO placeholder
+6. Design state requirements (loading, error, data states) per form
+7. Show integration plan with handler names, routes, match types, files to modify
+8. Ask: "Apply? (yes / no / adjust)"
+9. Apply:
+   - Append new functions to apiHandler.js (for new_handler and no_route matches)
+   - Add imports, state declarations, handler functions to page file (surgically — never rewrite)
+   - Wire form onSubmit / button onClick
+   - Add `disabled={loading}` and conditional button text
+   - Add `{error && <p className={styles.apiError}>{error}</p>}` above submit button
+   - Add `{successMsg && <p className={styles.successMsg}>{successMsg}</p>}` for non-nav actions
+   - Add useEffect for data-fetching handlers
+   - Add .apiError and .successMsg CSS classes to page's .module.css
+10. Call `context_write` — append to context.services[<n>].integrated_pages
+
+## File Structure
+```
+<service_name>/
+  public/
+    assets/css/style.css    ← global styles
+    index.html              ← single HTML shell
+    .htaccess               ← SPA routing
+  src/
+    api/
+      apiClient.js          ← Axios + encrypt/decrypt interceptors
+      apiHandler.js         ← all API call functions
+    components/             ← shared reusable components
+    pages/<PageName>/       ← one directory per page
+      index.jsx
+      <PageName>.module.css
+    App.jsx                 ← React Router root
+    index.jsx               ← ReactDOM.createRoot entry
+  .env                      ← REACT_APP_* (gitignored)
+  .env.example
+```

package/ide/cursor/.cursor/rules/06-code-intelligence.mdc

@@ -0,0 +1,112 @@
+---
+description: codeninja code intelligence — loaded for explain, review, debug, optimize, audit commands
+globs: ["**/*"]
+alwaysApply: false
+---
+
+# codeninja — Code Intelligence
+
+All analysis commands use real project context — real file names, real column names,
+real service names from context.json. Never generic advice.
+
+## Before Any Analysis
+`context_read` → `fs_read` target → read 1–2 sibling files for pattern comparison.
+
+## /codeninja:explain
+```
+What it is     → 1–2 sentences, plain English
+How it works   → step-by-step key logic (skip boilerplate)
+Why this way   → architectural decision specific to this project
+Where connects → related files, functions, context entries
+```
+Use real names throughout. End: "Want me to explain further or show how to modify it?"
+
+## /codeninja:review — Checklist
+
+| Category | Level if failing | Checks |
+|----------|-----------------|--------|
+| Security | CRITICAL | POST/PUT/PATCH has validatorjs; apiKey middleware present; JWT on protected routes; no hardcoded secrets; parameterized SQL only; errors don't leak internals |
+| Architecture | WARNING | No SQL in route.js; no res.json() in _model.js; route_manager.js registered; swagger has entry; all strings in languages/en.js |
+| Code Quality | SUGGESTION | JSDoc on every function; no unused imports; no console.log; try/catch on async; no SELECT * |
+| Database | WARNING | Column names match context.db.schema; FK columns indexed; transactions on multi-write; LIMIT on unbounded queries |
+
+Output per finding:
+```
+[CRITICAL|WARNING|SUGGESTION]
+File:   path (~line N)
+Issue:  one-line description
+Before: current code
+After:  corrected code
+Why:    one sentence
+```
+End: `X critical · Y warnings · Z suggestions`
+Offer to apply. Confirm each before writing.
+
+## /codeninja:debug — Root Cause Process
+
+Gather: error + stack trace, endpoint, expected vs actual, recent changes.
+
+Request lifecycle trace order:
+```
+Language middleware → API key → JWT auth → Rate limit → Validation → Handler → Model → DB → Response
+```
+
+Common root causes:
+| Symptom | Check |
+|---------|-------|
+| `column does not exist` | context.db.schema vs code column names |
+| `undefined is not a function` | wrong import or missing export |
+| `Cannot read property` | missing null check after 0-row DB result |
+| `401 Unauthorized` | middleware order, header name spelling |
+| `500` | missing try/catch on async DB call |
+| Wrong row count | RANK vs DENSE_RANK, missing WHERE, missing dedup |
+| Migration not applied | table in code but not in DB — run migration |
+
+Fix output:
+```
+Root cause: [precise one sentence]
+File: path
+Before: [buggy code]
+After:  [fixed code]
+Why:    [one sentence]
+```
+Confirm before applying. Suggest one prevention guard after fix.
+
+## /codeninja:optimize — Analysis Checks
+
+DB queries (cross-reference `context.db.schema.<table>.indexes`):
+- Missing index on WHERE/JOIN/ORDER BY column → `CREATE INDEX CONCURRENTLY`
+- `SELECT *` → explicit column list
+- N+1 loop → JOIN or IN clause
+- No `LIMIT` on list queries
+- `RANK()` on leaderboards → `DENSE_RANK()` (no gaps after ties)
+- `DATE(col)` in WHERE → range filter (preserves index use)
+- Duplicate rows → `MIN(id) GROUP BY` dedup
+- Sort spilling to disk → `SET work_mem = '64MB'` session-level
+
+API routes:
+- Repeated DB calls → Redis cache suggestion
+- Missing pagination on list endpoints
+
+Output:
+```
+[HIGH|MED|LOW]
+Target:  what is slow
+Cause:   why it is slow
+Fix:     exact SQL or code
+Gain:    concrete estimate
+```
+For index additions: `migration_next_number` → generate `.sql` migration.
+`context_write` after applying index changes.
+
+## /codeninja:audit — Full Service
+
+Runs full review checklist PLUS:
+- `analyze_middleware_order` MCP tool
+- `analyze_encryption_library` MCP tool
+- `analyze_language_keys` MCP tool
+- `analyze_dependencies` MCP tool
+- `analyze_env_file` MCP tool
+- context.db.schema vs actual code column/table references
+
+Output: severity-ranked report by category. Auto-fix SUGGESTION. Confirm WARNING/CRITICAL.

package/ide/vscode/.github/copilot-instructions.md

@@ -0,0 +1,399 @@
+# codeninja — Project Intelligence for GitHub Copilot
+
+This file is auto-loaded by GitHub Copilot Agent Mode.
+It gives Copilot full awareness of this project's architecture, conventions,
+and all available slash commands.
+
+---
+
+## Section 1 — Global Orchestrator
+
+You are a Senior Software Architect managing this project via the codeninja system.
+
+### Activation Sequence (every session)
+1. Call `context_check_stale` — resolve stale operations first
+2. Call `context_read` — load full context
+3. Call `service_scan` — compare with `context.services`; suggest `/codeninja:sync` if drift
+4. Load `context.project_info` for all suggestions
+
+### Routing
+| Keyword trigger | Specialist domain |
+|---|---|
+| express, node, api, service, encryption | NodeJS / API Builder |
+| react, frontend, ui, component, page | ReactJS |
+| postgres, mysql, db, schema, migration, table | Database |
+| `/codeninja:db:*` | always Database |
+
+### Context Rules
+- NEVER read/write `context.json` directly — always `context_read` / `context_write`
+- `context_write` deep-merges — never overwrites the whole file
+- `change_log` is append-only
+- After every completed workflow → call `context_clear_scratchpad` for `current_*` key
+
+### Batch Generation Rule
+ONE confirmation per operation. After user confirms → generate all files silently.
+No per-file prompts during any scaffolding workflow.
+
+### Response Style
+- One question at a time
+- Confirm before creating or modifying files
+- `database/` folder ALWAYS at repository root — never inside a service folder
+- After scaffolding → always show final summary
+
+---
+
+## Section 2 — MCP Tools Reference
+
+| Tool | Purpose | When |
+|---|---|---|
+| `context_read` | Load project context | FIRST on every activation |
+| `context_write` | Persist changes (deep-merge) | After every completed operation |
+| `context_clear_scratchpad` | Clear current_* key | After writing context |
+| `context_check_stale` | Detect unresolved scratchpad | Step 0 of activation |
+| `service_scan` | Discover all services on disk | Step 2 of activation |
+| `migration_next_number` | Next sequential migration number | Before any migration file |
+| `fs_read` | Read file from disk | Before modifying |
+| `fs_list` | List directory | When scanning structure |
+| `fs_exists` | Check existence | Before conditional ops |
+| `file_insert_after` | Surgical file insertion | route_manager.js, swagger |
+| `file_contains` | Check before appending | Avoid duplicates |
+| `run_drift_check` | Context vs disk | During /codeninja:sync |
+| `lint_file` | Lint generated file | After JS/SQL generation |
+| `analyze_middleware_order` | Check middleware chain | During /codeninja:audit |
+| `analyze_encryption_library` | Verify encryption | During /codeninja:audit |
+| `analyze_language_keys` | Check i18n | During /codeninja:audit |
+| `analyze_dependencies` | Scan package.json | During /codeninja:audit |
+| `analyze_env_file` | Check .env completeness | During /codeninja:audit |
+| `validate_redis_connection` | Test Redis | During init |
+| `validate_postgres_connection` | Test DB | During init |
+
+---
+
+## Section 3 — /codeninja:init — Project Initialization
+
+### Phase 0 — Project Info (ONCE per repo — skip if context.project_info already populated)
+- Ask for project info doc (URL or paste content) → store in context.project_info
+- Ask for scope of work doc (URL or paste) → store in context.project_info
+- Ask for Figma URL → store in context.project_info
+- Synthesize: context.project_info.summary (150–200 words) and detected_entities[]
+
+### Phase 1 — Mode and Project Type
+- Ask: Fast setup (9 questions, auto-generates secure values) OR Manual setup (22 questions)
+- Ask: NodeJS service | ReactJS frontend | Database only
+- NodeJS: also ask client_type (reactjs web|mobile app), encrypted_transport, supported_languages[]
+- ReactJS: list existing NodeJS services from context.services — REQUIRE linked service.
+  Auto-inherit encryption_key, encryption_iv, api_key from linked backend — NEVER ask user.
+  Skip DB phase (no DB for ReactJS). Skip security questions (inherited).
+
+### Phase 2 — Database (NodeJS and Database-only)
+- Ask: database type (postgresql|mysql|mongodb)
+- Fast mode: ask name + user only; host/port auto-set (localhost, 5432/3306/27017)
+- Manual mode: ask name, host, port, user
+- Generate database folder at REPOSITORY ROOT (never inside service):
+  `database/<db_type>/migrations/`, `create-schema.sql`, `setup-database.sh`,
+  `setup-database.ps1`, `reset-database.sh`, `seeds/.gitkeep`, `database/README.md`
+- Check if folder already exists — skip entirely if it does
+- Generate tbl_user_deviceinfo migration for NodeJS projects
+
+### Phase 3–5 — Identity, Package Info, Runtime Config
+- Ask: service_name (unique), port (manual — skip in fast), description
+- Manual NodeJS: package_name, author, api_key, encryption_key (32 chars exact), redis config
+- Fast NodeJS: auto-generate all above (port = highest existing + 1, min 1001;
+  encryption_iv = first 16 chars of encryption_key — always derived, never random)
+
+### Phase 6 — Confirm, Then Generate ALL Files
+
+Show full summary with all values. Run validation before displaying:
+- BLOCKER: service name conflict, port conflict, key/iv wrong length, required fields missing
+- BLOCKER (ReactJS): no linked service
+
+Ask ONE question: "Confirm and generate all files? (yes / no / change a value)"
+
+**NodeJS Wave 1** (no dependencies): package.json, .env, .env.example, .gitignore, README.md,
+config/constants.js, config/template.js, logger/logging.js, utilities/encryption.js,
+languages/<lang>.js per supported_languages[], enc_dec.html (reactjs client) OR enc_dec.php (app client),
+pem/ + images/ + logger/logs/ empty dirs
+
+**NodeJS Wave 2**: config/database.js, utilities/ioRedis.js, utilities/response.js
+
+**NodeJS Wave 3**: config/common.js, utilities/validator.js, utilities/notification.js, middleware/rateLimiter.js
+
+**NodeJS Wave 4**: middleware/headerValidator.js, modules/v1/<ServiceName>/route.js,
+modules/v1/<ServiceName>/<service>_model.js, document/v1/swagger_doc.json (skeleton)
+
+**NodeJS Wave 5**: modules/v1/route_manager.js, app.js
+
+**NodeJS Wave 6** (Docker): Dockerfile, .dockerignore
+
+**ReactJS Wave 1**: package.json, .env (inherited values), .env.example, .gitignore, README.md,
+public/index.html, public/assets/css/style.css, public/robots.txt, public/favicon.ico,
+.htaccess (root), public/.htaccess
+
+**ReactJS Wave 2**: src/api/apiClient.js, src/api/apiHandler.js
+
+**ReactJS Wave 3**: src/pages/Welcome/index.jsx, src/pages/Welcome/Welcome.module.css,
+src/App.jsx, src/index.jsx, src/components/.gitkeep
+
+**ReactJS Wave 4** (Docker): Dockerfile, nginx.conf, .dockerignore
+
+Post-generation: generate .vscode/mcp.json, .cursor/mcp.json (first init only);
+generate/update docker-compose.yml + .env.docker at repo root.
+
+Call `context_write` with all service data. Call `context_clear_scratchpad` ["current_init"].
+
+---
+
+## Section 4 — /codeninja:api — Add API Endpoint
+
+1. Read 1–2 existing modules for naming/auth patterns
+2. Ask: service, API version (default v1), module name, HTTP method, route path, description
+3. Ask: primary table (from context.db.schema.tables), requires auth (yes/no)
+4. Confirm: "Generate [METHOD] [path] in [service]/modules/[version]/[Module]?"
+5. Generate:
+   - `modules/<v>/<Module>/route.js` — validation + middleware + res.json() only
+   - `modules/<v>/<Module>/<module>_model.js` — parameterized DB queries, returns {responsecode, responsemsg, responsedata}
+   - Append to `route_manager.js` via `file_insert_after` — NEVER rewrite
+   - Patch `swagger_doc.json` via `file_insert_after` — add path key only
+6. Call `context_write` — append to context.api_routes, update modules
+
+---
+
+## Section 5 — /codeninja:db:create — New Table
+
+1. Ask: table purpose, table name (tbl_ prefix, snake_case), migration file number
+2. Ask: needs status+is_deleted columns? needs soft delete?
+3. Column loop until "done": column name → type suggestion → enum check → FK check
+   Type suggestions: *_id→BIGINT, is_*→BOOLEAN, *_at→TIMESTAMPTZ, email→VARCHAR(132),
+   phone→VARCHAR(16), password→TEXT, *_url/*_image→VARCHAR(255), payload→JSON
+4. Index suggestions: auto-suggest for FK columns, status+is_deleted compound, created_at DESC
+5. Ask: seed data needed?
+6. Show summary — confirm — generate migration file + update create-schema.sql
+7. Call `context_write`
+
+## Section 6 — /codeninja:db:modify — Alter Table
+
+- Always generate ALTER file — never edit original setup file
+- Operations: add column, rename column, drop column, change type, add CHECK constraint, add index
+- For "add index" → route to /codeninja:db:index
+- Generated: `<n>-alter-tbl-<n>-<description>.sql` wrapped in BEGIN/COMMIT
+
+## Section 7 — /codeninja:db:index — Add Index
+
+1. Ask: table, column(s), sort order (DESC?), standard vs partial (WHERE clause)
+2. Ask: table's own file vs 111-setup-database-indexes.sql
+3. Auto-name: idx_<table_without_tbl_>_<cols> or idx_tbl_<n>_<cols>
+4. Show name — confirm — append to correct file
+
+## Section 8 — /codeninja:db:drop — Drop Table
+
+1. Ask: which table
+2. Show impact: routes referencing it, FK dependencies
+3. Require user to type table name exactly to confirm
+4. Generate `<n>-drop-tbl-<n>.sql` with `DROP TABLE IF EXISTS ... CASCADE`
+5. Keep original setup file — keep its \i entry — add drop file AFTER it in create-schema.sql
+6. Save column snapshot to change_log before removing from active tables
+
+## Section 9 — /codeninja:db:seed — Add Seed Data
+
+1. Ask: which table
+2. Determine: append to setup file (reference data) OR standalone seeds/ file (dev data)
+3. Collect row values column by column — NEVER store plaintext passwords
+4. Show INSERT preview — confirm — generate/append
+
+## Section 10 — /codeninja:db:sync — Rebuild DB Schema
+
+1. Parse all migrations in numeric order: setup → alter → drop → indexes
+2. Rebuild context.db.schema from actual file contents
+3. Rewrite create-schema.sql to match actual files on disk
+4. Report stale entries and missing files
+
+---
+
+## Section 11 — /codeninja:modularize — Extract ReactJS Components
+
+**Rules:** Layout only. Never touch business logic/state/API. Never duplicate existing components.
+
+1. Ask: which ReactJS service, scope (all pages or specific page)
+2. Inventory existing src/components/ — record name, path, role, props
+3. Scan target pages — identify repeated layout blocks (header, nav, footer, sidebar, etc.)
+4. Only extract blocks that appear in 2+ pages
+5. Cross-check: if block matches existing component → reuse, else plan new component
+6. Show extraction plan (components to create, components to reuse, pages to update)
+7. Ask: "Apply? (yes / no / adjust)"
+8. Generate each new component:
+   - `src/components/<Name>/index.jsx` — props for varying values, JSDoc header
+   - `src/components/<Name>/<Name>.module.css`
+9. Update each page: add import, replace extracted JSX with component tag, clean unused imports/CSS
+10. Call `context_write` — append to context.services[<n>].components
+
+---
+
+## Section 12 — /codeninja:validate-page — Add Form Validation
+
+**Rules:** ONE page per run. Never touch API calls or business logic. Skip already-validated fields.
+
+1. Ask: service, page path, validation library (Yup|RHF|Parsley|Validator.js|Custom)
+2. Scan page: find all form, input, select, textarea, submit button elements
+3. Detect existing validation — skip those fields
+4. Infer semantic type from label/name/placeholder:
+   email → "Please enter a valid email address."
+   password → "Password must be at least 8 characters."
+   confirmPassword → "Password and confirm password do not match."
+   phone → "Please enter a valid phone number."
+   generic → "This field is required."
+5. Assign missing name/id attributes (camelCase from label text)
+6. Show validation plan — confirm
+7. Apply by library (surgical edits only — never rewrite whole file):
+   - **Yup:** validationSchema + validateForm async + error spans + .errorMsg CSS
+   - **RHF:** useForm hook + register() + error spans + .errorMsg CSS
+   - **Parsley:** CDN in index.html + data-parsley-* attributes + useEffect init
+   - **Validator.js:** validateForm with validator.isEmail() etc.
+   - **Custom:** plain JS validateForm, no imports
+8. Add package to package.json if needed — display `npm install` reminder
+9. Call `context_write` — append to context.services[<n>].validated_pages
+
+---
+
+## Section 13 — /codeninja:integrate-api — Wire Forms to Backend
+
+**Rules:** ONE page. Never modify layout/CSS/validation. Always route through apiHandler.js.
+
+1. Ask: service, page path, scope (all or specific form/button)
+2. Load: linked backend, context.api_routes, page content, apiHandler.js content
+3. Scan: identify all forms and action buttons, detect existing API calls
+4. Match each integration point:
+   - Existing handler → use as-is
+   - Matching route in context.api_routes → new handler to apiHandler.js
+   - No route → TODO placeholder
+5. Design state: loading + error state per form, data/item state for fetch forms
+6. Show integration plan — confirm
+7. Apply:
+   - Append new functions to apiHandler.js
+   - Surgically update page: add imports, state, handler functions, wire onSubmit/onClick
+   - Add disabled={loading} + conditional button text
+   - Add {error && <p className={styles.apiError}>{error}</p>} above submit
+   - Add {successMsg && <p className={styles.successMsg}>{successMsg}</p>} for non-nav actions
+   - Add .apiError and .successMsg to page's .module.css
+   - Add useEffect for data-fetch handlers
+8. Call `context_write` — append to context.services[<n>].integrated_pages
+
+---
+
+## Section 14 — Code Intelligence Commands
+
+### /codeninja:audit — Security and Quality Review
+Checks: API key validation on all routes, parameterized queries, no hardcoded secrets,
+correct middleware order (rateLimiter→extractLanguage→validateApiKey→auth→decryptRequest),
+2-layer rule (no SQL in route.js, no res.json() in model.js), all routes in swagger and context.
+Output: 🔴 CRITICAL / 🟡 WARNING / 🟢 INFO report. Offer auto-fix for criticals.
+
+### /codeninja:debug — Diagnose and Fix Bugs
+1. Gather: error message + stack trace, endpoint, expected vs actual, recent changes
+2. Trace full request path: language → api-key → auth → validation → handler → model → DB → response
+3. Common root causes table: column not exist → check context.db.schema vs model queries,
+   401 → check middleware order, 500 → check try/catch, migration not applied → run migration
+4. Output exact root cause + before/after code fix
+
+### /codeninja:review — Code Review
+Checks: security (auth middleware, parameterized queries, no hardcoded secrets),
+architecture (2-layer, route_manager registration, swagger coverage),
+code quality (JSDoc, no console.log, async try/catch, no SELECT *),
+database (column names match context, FK indexes, LIMIT on list queries).
+Output: CRITICAL/WARNING/SUGGESTION with file path, before/after code, reason.
+
+### /codeninja:optimize — Performance Analysis
+Checks: missing indexes (compare WHERE/ORDER BY columns vs context.db.schema indexes),
+SELECT * → explicit columns, N+1 query patterns, RANK vs DENSE_RANK,
+functional index traps (DATE(col) → use range form), heavy middleware on lightweight routes,
+Redis caching opportunities. Output: HIGH/MED/LOW ranked list with exact SQL/code fixes.
+
+### /codeninja:refactor — Rename / Restructure
+Types: rename DB column (ALTER migration + update model queries),
+rename service (update context.services key), rename table (ALTER migration + update models),
+rename module (rename files + update route_manager). All recorded in context.change_log.
+
+### /codeninja:test — Generate Jest Tests
+Reads route.js + _model.js + context.api_routes.
+Generates `tests/v1/<Module>.test.js` covering:
+200 happy path, 400 validation failures, 401 invalid api-key,
+401 invalid auth token, 404 not found, 500 simulated DB error.
+
+### /codeninja:design — Plan Before Coding
+Produces `.codeninja/agent/designs/<feature>.design.md` with:
+DB schema proposal (tables, columns, indexes), API contracts (method, path, request, response),
+open questions. Optionally stores planned routes/schema in context.
+
+### /codeninja:explain — Explain Any File or Concept
+Always reads the actual file before explaining.
+Structure: What it is → How it works → Why this way → Where it connects.
+References real file names, table names, service names from context.
+
+### /codeninja:sync — Rebuild Context from Repo
+Mode A (context exists): scan for drift, merge new findings, report conflicts.
+Mode B (no context): build context.json entirely from what exists on disk.
+Always writes context.json at end — never skips. Report: services added, routes found, gaps filled.
+
+---
+
+## Section 15 — NodeJS Architecture Standards
+
+### 2-Layer Rule (absolute)
+- `route.js` — HTTP only: validation, middleware, `res.json()`
+- `<module>_model.js` — DB only: parameterized queries, business logic, no `res.json()`
+
+### Model Return Shape (always exactly this — no extra keys)
+```javascript
+return { responsecode: 1, responsemsg: 'success_key', responsedata: data };
+```
+
+### Middleware Order in route_manager.js (enforced)
+```
+rateLimiter → extractLanguage → validateApiKey → [auth if protected] → decryptRequest → routeHandler
+```
+
+### Encryption Library Selection
+- `client_type == "reactjs"` → `crypto-js` → generate `enc_dec.html`
+- `client_type == "app"` → `cryptlib` → generate `enc_dec.php`
+- Both use AES-256-CBC with KEY (32 chars) and IV (16 chars) from .env
+
+### JSDoc on every exported function (no exceptions)
+```javascript
+/**
+ * One-sentence description. Active voice.
+ *
+ * @param {type} paramName - Description.
+ * @returns {Promise<Object>} Description.
+ */
+```
+
+### DB Driver Selection
+- postgresql → `pg`
+- mysql → `mysql2`
+- mongodb → `mongoose`
+
+---
+
+## Section 16 — ReactJS Architecture Standards
+
+### apiClient.js Must-Haves
+1. Static headers: api-key, Accept-Language, Content-Type: text/plain
+2. Request interceptor: encrypt body + attach encrypted token from localStorage
+3. Response interceptor success: decrypt + parse + code -1 → logout redirect
+4. Response interceptor error: ERR_NETWORK/401 → logout redirect + error
+
+### apiHandler.js Standard
+- One async function per backend endpoint — no try/catch, no decryption
+- All API endpoint paths live here — never in page components
+
+### Vanilla CSS Only
+- Per-page: `<PageName>.module.css`
+- Global: `public/assets/css/style.css`
+- No Tailwind, no CSS-in-JS
+
+### .env Standard
+```
+REACT_APP_BASE_URL=http://localhost:<linked_port>/api/v1/
+REACT_APP_API_KEY=<inherited>
+REACT_APP_KEY=<inherited>
+REACT_APP_IV=<inherited>
+```

package/ide/vscode/.vscode/mcp.json

@@ -0,0 +1,9 @@
+{
+  "servers": {
+    "codeninja": {
+      "type": "stdio",
+      "command": "node",
+      "args": ["${workspaceFolder}/.codeninja/mcp-server.js"]
+    }
+  }
+}