codeninja 3.1.0 → 4.0.0

package/ide/vscode/.github/copilot-instructions.md

@@ -1,285 +1,84 @@
-# codeninja — Project Intelligence for GitHub Copilot
+# codeninja — Project Intelligence for GitHub Copilot (v4.0)
 
 This file is auto-loaded by GitHub Copilot Agent Mode.
-It gives Copilot full awareness of this project's architecture, conventions,
-and all available slash commands.
 
 ---
 
-## Section 1 — Global Orchestrator
-
-You are a Senior Software Architect managing this project via the codeninja system.
-
-### Activation Sequence (every session)
+## Activation Sequence (every session)
 1. Call `context_check_stale` — resolve stale operations first
-2. Call `context_read` — load full context
-3. Call `service_scan` — compare with `context.services`; suggest `/codeninja:sync` if drift
-4. Load `context.project_info` for all suggestions
-
-### Routing
-| Keyword trigger | Specialist domain |
-|----------------|------------------|
-| express, node, api, service, encryption | API Builder |
-| react, frontend, ui, component | ReactJS |
-| postgres, mysql, db, schema, migration, table | Database |
-| `/codeninja:db:*` | always Database |
+2. Call `context_read` — load full project context
+3. Call `service_scan` — compare with `context.services`; if drift → suggest `/codeninja:sync`
+4. Load `context.project_info` — use for all suggestions throughout session
 
-### Context Rules
-- NEVER read/write `context.json` directly — always `context_read` / `context_write`
-- `context_write` deep-merges — never overwrites the whole file
+## Context Rules
+- NEVER read/write context.json directly — always `context_read` / `context_write`
+- `context_write` deep-merges — never overwrites
 - `change_log` is append-only
+- After every completed workflow → call `context_clear_scratchpad` for relevant `current_*` key
 
-### Batch Generation Rule
-ONE confirmation per operation. After user confirms → generate all files silently.
-No per-file prompts during `@init`, `@api`, or `@db:create`.
+## Keyword Routing
+| Trigger | Specialist Domain |
+|---|---|
+| express, node, api, service, encryption, typescript | NodeJS standards |
+| react, frontend, ui, component, page | ReactJS standards |
+| postgres, mysql, db, schema, migration, table, prisma, orm | Database standards |
+| `/codeninja:db:*` | always Database standards |
 
-### Response Style
-- One question at a time
-- Always confirm before creating or modifying files
-- `database/` folder ALWAYS at repository root — never inside a service folder
-- After scaffolding → always run task: `show-final-summary`
+## Batch Generation Rule
+ONE confirmation per operation → generate ALL files silently after confirmation, no per-file prompts.
 
----
-
-## Section 2 — MCP Tools and Context
+## Response Style
+- One question at a time
+- Confirm before creating or modifying files
+- `database/` folder ALWAYS at repository root
+- After every scaffolding operation → show final summary
 
-### Available MCP Tools
+## All Available Commands
+| Command | Description |
+|---|---|
+| `/codeninja:init` | Bootstrap NodeJS service (JS/TS, raw/Prisma), ReactJS app, or database |
+| `/codeninja:api` | Add new API endpoint (route + model + swagger) |
+| `/codeninja:design` | Plan feature before coding |
+| `/codeninja:audit` | Security and quality review |
+| `/codeninja:test` | Generate Jest + Supertest tests |
+| `/codeninja:refactor` | Rename/restructure with context tracking |
+| `/codeninja:sync` | Rebuild context.json from repo |
+| `/codeninja:explain` | Explain any file, function, or concept |
+| `/codeninja:review` | Code review with severity-ranked findings |
+| `/codeninja:debug` | Diagnose and fix bugs |
+| `/codeninja:optimize` | Performance analysis with concrete fixes |
+| `/codeninja:db:create` | New table with migration file |
+| `/codeninja:db:modify` | Alter table via migration |
+| `/codeninja:db:index` | Add index |
+| `/codeninja:db:drop` | Drop table (safety-checked) |
+| `/codeninja:db:seed` | Add seed data |
+| `/codeninja:db:sync` | Rebuild DB schema context from migrations |
+| `/codeninja:modularize` | Extract ReactJS layout components |
+| `/codeninja:validate-page` | Add form validation to ReactJS page |
+| `/codeninja:integrate-api` | Wire ReactJS forms to backend |
+
+## MCP Tools Quick Reference
 | Tool | Purpose | When |
-|------|---------|------|
-| `context_read` | Load project context | FIRST on every activation |
-| `context_write` | Persist changes (deep-merge) | After every completed operation |
+|---|---|---|
+| `context_read` | Load context.json | First on every activation |
+| `context_write` | Deep-merge updates | After every completed operation |
 | `context_clear_scratchpad` | Clear current_* key | After writing context |
-| `context_check_stale` | Detect unresolved scratchpad | Step 0 of activation |
-| `service_scan` | Discover all services on disk | Step 2 of activation |
-| `migration_next_number` | Next sequential migration number | Before any migration file |
-| `fs_read` | Read file from disk | Before modifying |
-| `fs_list` | List directory | When scanning structure |
-| `fs_exists` | Check existence | Before conditional ops |
-| `file_insert_after` | Surgical file insertion | route_manager.js, swagger |
-| `file_contains` | Check before appending | Avoid duplicates |
-| `run_drift_check` | Context vs disk | During @sync |
-| `lint_file` | Lint generated file | After JS/SQL generation |
-| `analyze_middleware_order` | Check middleware chain | During @audit |
-| `analyze_encryption_library` | Verify encryption | During @audit |
-| `analyze_language_keys` | Check i18n | During @audit |
-| `analyze_dependencies` | Scan package.json | During @audit |
-| `analyze_env_file` | Check .env completeness | During @audit |
-| `validate_redis_connection` | Test Redis | During init |
-| `validate_postgres_connection` | Test DB | During init |
-
----
-
-## Section 3 — API Builder (NodeJS/Express)
-
-### 2-Layer Architecture (enforced)
-```
-modules/v1/<ModuleName>/
-├── route.js          ← HTTP only: validation, middleware, res.json()
-└── <module>_model.js ← DB only: queries, business logic
-```
-Never SQL in `route.js`. Never `res.json()` in `_model.js`.
-
-### 5-Step SOP for New Endpoints
-1. **ROUTING** — append to `route_manager.js` via `file_insert_after` (never rewrite)
-2. **VALIDATION** — validatorjs schema in `route.js`, match existing patterns
-3. **CONTROLLER** — model call + try/catch + `sendResponse()` in `route.js`
-4. **MODEL** — parameterized `$1,$2` SQL via pg pool in `_model.js`
-5. **LOCALIZE** — all strings in `languages/en.js`, check with `file_contains` first
-
-### Middleware Chain Order
-Language extraction → API key validation → JWT auth (protected only) → Rate limiting → Validation → Handler
-
-### Response Contract
-```javascript
-{ status: 1, message: lang.key, data: result }   // success
-{ status: 0, message: lang.key }                  // error
-{ status: -1, message: lang.key }                 // session expired
-```
-Always `sendResponse(req, res, status, message, data)`. Never `res.json()` directly.
-
-### Localizify Rules
-Only `headerValidator.js` and `response.js` may import localizify or call `t()`.
-All other files use `sendResponse()`, `getMessage()`, or `req.t("key")`.
-
-### Encryption Selection
-| client_type | Library | Demo file |
-|-------------|---------|-----------|
-| `reactjs` | crypto-js AES-256-CBC | enc_dec.html |
-| `app` | cryptlib AES-256-CBC | enc_dec.php |
-`encrypted_transport: true` → encrypt full response payload.
-KEY/IV always from context — never hardcode.
-
-### Service File Structure
-```
-<service>/
-  app.js, .env, .env.example, .gitignore, README.md, package.json
-  config/   common.js, constants.js, database.js, template.js
-  languages/   <lang>.js (one per supported_languages[])
-  logger/   logging.js, logs/ (gitignored)
-  middleware/   headerValidator.js, rateLimiter.js
-  modules/v1/   route_manager.js, <ModuleName>/route.js + <m>_model.js
-  utilities/   encryption.js, response.js, validator.js, ioRedis.js, notification.js
-  document/v1/   swagger_doc.json
-  tests/v1/   <ModuleName>.test.js
-  pem/ (gitignored), images/ (gitignored)
-```
-
-### JSDoc Standard
-```javascript
-/**
- * One-sentence description. Active voice.
- * @param {type} name - Description.
- * @returns {Promise<Object>} Description.
- */
-```
-Middleware: `@middleware` tag, no `@returns`. Route: `// POST /path — Business purpose.`
-No inline `//` inside function bodies. No file-level headers.
-
----
-
-## Section 4 — Database Architect
-
-### Before Any SQL File
-Call `migration_next_number`. Load `context.db` fully. `database/` always at repo root.
-
-### Naming Conventions (strict)
-| Element | Rule | Example |
-|---------|------|---------|
-| Table | `tbl_` prefix, lowercase, plural | `tbl_users` |
-| Column | lowercase snake_case | `user_id`, `created_at` |
-| PK | `id` bigint identity, first column | always |
-| FK | `<table_singular_no_prefix>_id` | `user_id` refs `tbl_users` |
-| Create file | `<N>-setup-tbl-<n>.sql` | `3-setup-tbl-users.sql` |
-| Alter file | `<N>-alter-tbl-<n>-<desc>.sql` | `12-alter-tbl-users-add-kyc.sql` |
-| Drop file | `<N>-drop-tbl-<n>.sql` | `13-drop-tbl-sessions.sql` |
-| Shared indexes | `111-setup-database-indexes.sql` | always last |
-
-### Primary Key (exact)
-```sql
-id bigint NOT NULL GENERATED ALWAYS AS IDENTITY (INCREMENT 1 START 1 MINVALUE 1 MAXVALUE 9223372036854775807 CACHE 1),
-```
-`PRIMARY KEY (id)` at END of column block — never inline.
-
-### Column Types
-`BIGINT NOT NULL DEFAULT 0` (FK) · `VARCHAR(132)` (email) · `TEXT` (token/password)
-`TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP` · `BOOLEAN NOT NULL DEFAULT FALSE`
-`INTEGER NOT NULL DEFAULT 0 CHECK (status IN (0,1))` · `NUMERIC(18,8)` (financial)
-`JSON NOT NULL DEFAULT '{}'` · NEVER PostgreSQL ENUM — always `VARCHAR + CHECK`
-
-### SQL File Content Order
+| `context_check_stale` | Detect unresolved ops | Step 0 of activation |
+| `service_scan` | Discover services on disk | Step 2 of activation |
+| `migration_next_number` | Next sequential migration # | Before any migration file |
+| `file_insert_after` | Surgical insert | route_manager, swagger — never rewrite |
+| `file_contains` | Check for string | Before appending |
+| `lint_file` | Lint generated JS/TS | After generation |
+
+## MCP Server Setup
+Add to your VS Code MCP settings:
+```json
+{
+  "mcpServers": {
+    "codeninja": {
+      "command": "node",
+      "args": ["${workspaceFolder}/.codeninja/mcp-server.js"]
+    }
+  }
+}
 ```
-1. Comment header
-2. DROP TABLE IF EXISTS CASCADE
-3. CREATE TABLE (id first, timestamps last)
-4. COMMENT ON COLUMN (every enum/flag)
-5. Per-table CREATE INDEX
-6. ALTER TABLE OWNER TO <context.db.user>
-7. GRANT ALL ON TABLE TO <context.db.user>
-8. INSERT seed (reference tables only)
-```
-
-### Required Columns
-`id` + `created_at` on every table. `status` + `is_deleted` on entity tables. NOT on log/pivot tables.
-
-### Index Rules
-Always index: every FK, `(status,is_deleted)` compound, `created_at DESC` on logs, `email+is_deleted` compound on users, any WHERE/ORDER BY column.
-
-### create-schema.sql
-At `<repo_root>/database/<db_type>/create-schema.sql`. Auto-generated. `\i` entries in numeric order. `111-setup-database-indexes.sql` always last. Update after every table operation.
-
----
-
-## Section 5 — ReactJS Frontend
-
-### Backend Linking (enforced)
-Inherit from `context.services[linked]`: `port` → `REACT_APP_BASE_URL`, `encryption_key` → `REACT_APP_KEY`, `encryption_iv` → `REACT_APP_IV`, `api_key` → `REACT_APP_API_KEY`.
-NEVER ask user for these. NEVER hardcode.
-
-### File Structure
-```
-<service>/public/assets/css/style.css  index.html  .htaccess
-src/api/apiClient.js  apiHandler.js
-src/components/  src/pages/Welcome/index.jsx  App.jsx  index.jsx
-.env (gitignored)  .env.example  package.json
-```
-
-### apiClient.js — 4 Responsibilities
-1. Static headers: `api-key`, `Accept-Language`, `Content-Type: text/plain`
-2. Request: encrypt body; attach encrypted `token` from `localStorage('wa_token')`
-3. Response success: decrypt; parse JSON; `status === -1` → logout
-4. Response error: `ERR_NETWORK` or `401` → logout + error message
-
-KEY/IV via `CryptoJS.enc.Hex.parse(process.env.REACT_APP_KEY/IV)`.
-
-### apiHandler.js
-One async function per endpoint. No try/catch, no decryption. Session saving in handler.
-
-### Code Style
-Functional components only. JSDoc on every export. `.module.css` per page. No `console.log`. No hardcoded API paths.
-
----
-
-## Section 6 — Code Intelligence
-
-### /codeninja:explain
-What it is → How it works → Why this way → Where it connects.
-Use real names from context throughout.
-
-### /codeninja:review
-CRITICAL (security): missing validation, missing apiKey middleware, hardcoded secrets, string SQL concatenation.
-WARNING (architecture): SQL in route.js, res.json() in model.js, strings hardcoded.
-SUGGESTION (quality): missing JSDoc, console.log, SELECT *.
-Output: `[LEVEL] File: path  Issue/Before/After/Why`
-
-### /codeninja:debug
-Trace: Language → API key → JWT → Rate limit → Validation → Handler → Model → DB → Response.
-Check: column names vs context.db.schema, middleware order, missing try/catch, RANK vs DENSE_RANK.
-Output: root cause + before/after fix. Confirm before applying.
-
-### /codeninja:optimize
-DB: missing indexes (vs context.db.schema), SELECT *, N+1, no LIMIT, RANK() gaps, DATE() in WHERE, duplicate rows.
-Output: `[HIGH|MED|LOW]` Target/Cause/Fix/Gain. Generate migration for new indexes.
-
-### /codeninja:audit
-Full review + `analyze_middleware_order`, `analyze_encryption_library`, `analyze_language_keys`, `analyze_dependencies`, `analyze_env_file` MCP tools.
-
----
-
-## Slash Commands Quick Reference
-
-Use with `@workspace` in Copilot Chat:
-
-| Command | Description |
-|---------|-------------|
-| `@workspace /codeninja:init` | Bootstrap NodeJS service, ReactJS app, or database |
-| `@workspace /codeninja:api` | Add API endpoint (5-step SOP) |
-| `@workspace /codeninja:design` | Plan feature before coding |
-| `@workspace /codeninja:audit` | Security and quality review |
-| `@workspace /codeninja:test` | Generate Jest tests |
-| `@workspace /codeninja:refactor` | Rename with context tracking |
-| `@workspace /codeninja:sync` | Rebuild context from repo |
-| `@workspace /codeninja:explain` | Explain any file or pattern |
-| `@workspace /codeninja:review` | Code review with findings |
-| `@workspace /codeninja:debug` | Debug with code path trace |
-| `@workspace /codeninja:optimize` | Performance improvements |
-| `@workspace /codeninja:db:create` | New table + migration |
-| `@workspace /codeninja:db:modify` | Alter column |
-| `@workspace /codeninja:db:index` | Add index |
-| `@workspace /codeninja:db:drop` | Drop table |
-| `@workspace /codeninja:db:seed` | Add seed data |
-| `@workspace /codeninja:db:sync` | Rebuild DB schema |
-| `@workspace @modularize` | Extract React layout components |
-| `@workspace @validate-page` | Add form validation |
-| `@workspace @integrate-api` | Wire forms to API handlers |
-
----
-
-## File Locations
-
-| What | Path |
-|------|------|
-| Agent personas | `.codeninja/agent/` |
-| Workflow files | `.codeninja/commands/` |
-| Task files | `.codeninja/tasks/` |
-| Context | `.codeninja/context/context.json` |
-| MCP server | `.codeninja/mcp-server.js` |

package/ide/vscode/.vscode/instructions/code-intelligence.instructions.md

@@ -0,0 +1,58 @@
+---
+applyTo: "**/*"
+---
+
+# codeninja — Code Intelligence Standards (v4.0)
+
+## /codeninja:audit Checklist
+
+### Security
+- [ ] Passwords HASHED using `utilities/hashing.js` (bcrypt/argon2)? Not AES-encrypted?
+- [ ] No direct bcrypt/argon2 imports in route/model files?
+- [ ] Parameterized queries only — no string concatenation in SQL?
+- [ ] API key validation on all routes?
+- [ ] No hardcoded secrets in source?
+- [ ] Middleware order: rateLimiter→extractLanguage→validateApiKey→[auth]→decryptRequest?
+
+### Architecture
+- [ ] 2-layer rule enforced (no SQL in route, no res.json in model)?
+- [ ] route_manager.js never fully rewritten (append-only via file_insert_after)?
+- [ ] All routes in swagger_doc.json and context.api_routes?
+
+### v4.0 Checks
+- [ ] orm="prisma": no `new PrismaClient()` in model files?
+- [ ] language="typescript": all .ts files use import/export syntax?
+
+## /codeninja:debug Trace Path
+1. extractLanguage — Accept-Language header processed?
+2. validateApiKey — api-key header matches .env API_KEY?
+3. validateAuthToken (protected only) — JWT valid and not expired?
+4. rateLimiter — request not throttled?
+5. validatorjs rules — all required fields in request body?
+6. Model call — DB connection alive?
+7. Query — column names match context.db.schema?
+8. sendResponse — encrypted_transport handled?
+
+**401:** middleware order or key mismatch | **400:** validation rules | **500:** DB/column issue
+
+## /codeninja:review Dimensions
+- Security: auth middleware, parameterized queries, no hardcoded secrets, hashing not encryption
+- Architecture: 2-layer rule, route_manager append-only, swagger/context coverage
+- Code quality: JSDoc on all functions, no console.log, async try/catch
+- Database: column names match context, FK indexes, LIMIT on list queries
+
+## /codeninja:optimize Patterns (ranked)
+1. Missing index → `CREATE INDEX CONCURRENTLY` (no table lock)
+2. `SELECT *` → explicit column list
+3. N+1 query → JOIN or IN clause
+4. `DATE(col)` in WHERE → range filter to use index
+5. `RANK()` with gaps → `DENSE_RANK()` for leaderboards
+6. Unbounded list query → add `LIMIT` and `OFFSET`
+7. Repeated identical queries → Redis cache opportunity
+8. `work_mem` for sort-heavy queries
+
+## /codeninja:refactor Types
+- Rename DB column: ALTER migration + update model queries + context.change_log
+- Rename service: update context.services key + context.change_log
+- Rename table: ALTER migration + update all model references + context.change_log
+- Rename module: rename files + update route_manager + context.change_log

package/ide/vscode/.vscode/instructions/database.instructions.md

@@ -0,0 +1,55 @@
+---
+applyTo: "**/*.sql,**/database/**,**/prisma/**"
+---
+
+# codeninja — Database Standards (v4.0)
+
+## Naming Conventions
+| Element | Rule | Example |
+|---|---|---|
+| Table | `tbl_` prefix, lowercase, plural | `tbl_users` |
+| Column | lowercase snake_case | `user_id`, `created_at` |
+| PK | `id`, bigint identity, first column | always |
+| FK | `<ref_table_singular_no_tbl>_id` | `user_id` refs `tbl_users` |
+| Index (per-table) | `idx_<table_no_tbl>_<cols>` | `idx_users_email` |
+| Shared indexes | `111-setup-database-indexes.sql` | always last file |
+
+## Column Types
+| Use Case | PostgreSQL Type |
+|---|---|
+| PK | `bigint NOT NULL GENERATED ALWAYS AS IDENTITY (INCREMENT 1 START 1 MINVALUE 1 MAXVALUE 9223372036854775807 CACHE 1)` |
+| FK | `BIGINT NOT NULL DEFAULT 0` |
+| Email | `VARCHAR(132) NOT NULL DEFAULT ''` |
+| Password/token | `TEXT NOT NULL DEFAULT ''` |
+| Status | `INTEGER NOT NULL DEFAULT 0 CHECK (status IN (0, 1))` |
+| Soft delete | `BOOLEAN NOT NULL DEFAULT FALSE` |
+| Timestamp | `TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP` |
+| Financial | `NUMERIC(18,8) NOT NULL DEFAULT 0.00000000` |
+| JSON | `JSON NOT NULL DEFAULT '{}'` |
+
+NEVER use PostgreSQL ENUM — always `VARCHAR + CHECK constraint + COMMENT ON COLUMN`.
+
+## SQL File Content Order (strict)
+1. `-- Creating tbl_name for purpose`
+2. `DROP TABLE IF EXISTS public.tbl_name CASCADE;`
+3. `CREATE TABLE` block (id first, timestamps last)
+4. `COMMENT ON COLUMN` for every enum/flag/status column
+5. Per-table `CREATE INDEX` statements
+6. `ALTER TABLE ... OWNER TO <db_user>`
+7. `GRANT ALL ON TABLE ... TO <db_user>`
+8. Seed `INSERT` (reference/master tables only)
+
+## Index Strategy
+Always index: every FK column; (status + is_deleted) compound; created_at DESC on log tables; email + is_deleted on user tables. Most selective column first in compound indexes.
+
+## create-schema.sql Maintenance
+After every table operation: re-read the file → add/remove/reorder `\i` entries → write back.
+ALTER files go immediately after their CREATE file. 111-indexes always last.
+
+## Prisma Conventions (v4.0)
+- `tbl_users` → `model Users` (strip tbl_, PascalCase) + `@@map("tbl_users")`
+- `id` BIGINT IDENTITY → `id BigInt @id @default(autoincrement())`
+- `created_at` → `createdAt DateTime @default(now()) @map("created_at")`
+- `is_deleted` → `isDeleted Boolean @default(false) @map("is_deleted")`
+- FK `user_id` → `userId BigInt @map("user_id")` + relation field
+- After any model addition → `npx prisma generate`

package/ide/vscode/.vscode/instructions/nodejs.instructions.md

@@ -0,0 +1,77 @@
+---
+applyTo: "**/*.js,**/*.ts"
+---
+
+# codeninja — NodeJS Standards (v4.0)
+
+## The 2-Layer Rule (absolute)
+- `route.js/ts` — HTTP only: validation, middleware, `res.json()` via sendResponse
+- `<module>_model.js/ts` — DB only: queries, business logic, never `res.json()`
+
+## Middleware Order (never change)
+```
+rateLimiter → extractLanguage → validateApiKey → [auth if protected] → decryptRequest → routeHandler
+```
+
+## Response Contract
+```javascript
+sendResponse(req, res, 1, 'success_key', data)    // success
+sendResponse(req, res, 0, 'error_key', [])          // error
+sendResponse(req, res, -1, 'session_expired', [])   // auth expired → frontend logout
+```
+
+## Password Hashing (v4.0 — CRITICAL)
+- NEVER use `encryption.js` for passwords — reversible AES is a security vulnerability
+- ALWAYS use `utilities/hashing.js`: `hashPassword(plain)` to store, `verifyPassword(plain, hash)` to check
+- Import: `const { hashPassword, verifyPassword } = require('../../utilities/hashing')`
+- TypeScript: `import { hashPassword, verifyPassword } from '../../utilities/hashing'`
+
+## ORM Branch (v4.0)
+Read `context.db.orm` before generating any model:
+- orm="none": parameterized SQL with `$1`, `$2` placeholders via pg/mysql2/mongoose
+- orm="prisma": `prisma.tableName.operation()` — import singleton from `config/prisma`, never `new PrismaClient()`
+- Prisma table access: `tbl_users` → `prisma.users` (lowercase, strip `tbl_` prefix)
+
+## TypeScript Support (v4.0)
+Read `context.services[name].language`:
+- "javascript": `.js` files, `require()`/`module.exports`, no tsconfig
+- "typescript": `.ts` files, `import`/`export`, typed params, `tsconfig.json` in Wave 1
+
+TypeScript patterns:
+```typescript
+// route.ts
+import { Router, Request, Response } from 'express';
+router.post('/path', async (req: Request, res: Response) => { ... });
+export default router;
+
+// _model.ts
+export async function functionName(request: RequestType, user_id: number, user_type: string): Promise<object> { ... }
+```
+
+## Localizify Rules
+- ONLY `headerValidator.js/ts` and `response.js/ts` may call `t()` directly
+- All other files use `sendResponse()`, `getMessage()`, or `req.t("key")`
+
+## Code Style
+- JSDoc on every exported function (no exceptions)
+- No inline `//` comments inside function bodies
+- Route comment: `// POST /path — description` above each route handler
+- No file-level header comments
+
+## .env Keys (NodeJS service)
+```
+PORT=, API_KEY=, KEY=, IV=, ENCRYPTED_TRANSPORT=, SUPPORTED_LANGUAGES=,
+DB_HOST=, DB_PORT=, DB_NAME=, DB_USER=, DB_PASSWORD=,
+REDIS_HOST=, REDIS_PORT=,
+DATABASE_URL= (Prisma only — replaces individual DB_* vars)
+```
+
+## Wave Generation Order
+Before generating any file, read `.codeninja/tasks/generate-<name>.task.md`.
+
+Wave 1: package.json, .env, .gitignore, README.md, config/constants, config/template, logger/logging, utilities/encryption, **utilities/hashing** (v4.0), languages/*, **tsconfig.json** (TS only, v4.0)
+Wave 2: config/database OR config/prisma (v4.0 ORM branch), utilities/ioRedis, utilities/response
+Wave 3: config/common, utilities/validator, utilities/notification, middleware/rateLimiter
+Wave 4: middleware/headerValidator, modules/v1/<Name>/route, modules/v1/<Name>/_model, swagger_doc.json
+Wave 5: modules/v1/route_manager, app.js/ts
+Wave 6: Dockerfile, .dockerignore

package/ide/vscode/.vscode/instructions/reactjs.instructions.md

@@ -0,0 +1,42 @@
+---
+applyTo: "**/*.jsx,**/src/**"
+---
+
+# codeninja — ReactJS Architecture Standards
+
+## apiClient.js — 4 Responsibilities
+1. Static headers: `api-key`, `Accept-Language`, `Content-Type: text/plain`
+2. Request interceptor: AES-encrypt body + attach encrypted token from localStorage
+3. Response interceptor (success): decrypt + parse JSON; responsecode -1 → logout
+4. Response interceptor (error): ERR_NETWORK/401 → logout + error message
+
+## apiHandler.js Standard
+- One exported async function per backend endpoint
+- No try/catch, no decryption (interceptors handle it)
+- All API paths here — never in page components
+
+## Backend Linking Rule
+ReactJS CANNOT be initialized without a linked NodeJS backend.
+Inherits from linked service: `encryption_key`, `encryption_iv`, `api_key`, `port`.
+NEVER ask user for these — always read from `context.services[linked_service]`.
+
+## Vanilla CSS Only
+- Per-page: `<PageName>.module.css`
+- Global: `public/assets/css/style.css`
+- No Tailwind, no CSS-in-JS
+
+## .env Standard
+```
+REACT_APP_BASE_URL=http://localhost:<linked_port>/api/v1/
+REACT_APP_API_KEY=<inherited>
+REACT_APP_KEY=<inherited>
+REACT_APP_IV=<inherited>
+```
+
+## Wave Generation Order
+Before generating any file, read `.codeninja/tasks/generate-react-*.task.md`.
+
+Wave 1: package.json, .env, .gitignore, README.md, public/index.html, public/assets/css/style.css, .htaccess (root + public)
+Wave 2: src/api/apiClient.js, src/api/apiHandler.js
+Wave 3: src/pages/Welcome/index.jsx, src/pages/Welcome/Welcome.module.css, src/App.jsx, src/index.jsx
+Wave 4: Dockerfile, nginx.conf, .dockerignore

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "codeninja",
-    "version": "3.1.0",
-    "description": "AI agent scaffolding system — NodeJS, ReactJS, and database projects. IDE-aware: installs Antigravity slash commands, Cursor rules, or VS Code Copilot instructions automatically.",
+    "version": "4.0.0",
+    "description": "AI agent scaffolding system — NodeJS (JS/TS), ReactJS, and database projects. Multi-agent architecture with true parallel sub-agents. Supports Prisma ORM, TypeScript, and bcrypt/argon2 password hashing. IDE-aware: Claude Code, Antigravity, Cursor, VS Code.",
     "private": false,
     "bin": {
         "codeninja": "cli.js"

package/tasks/ask-hashing-library.task.md

@@ -0,0 +1,31 @@
+---
+type: task
+name: ask-hashing-library
+---
+
+Condition: only run if `context.current_init.init_mode == "manual"` AND
+`context.current_init.project_type == "nodejs"`.
+In fast mode, `generate-fast-defaults` sets `hashing_library = "bcryptjs"`
+automatically — skip this task.
+
+Ask the user exactly this question:
+
+"Which password hashing library should this service use?"
+
+Present options:
+1. bcryptjs — pure JavaScript, no native bindings, easier to install (recommended)
+2. argon2 — stronger algorithm, requires native build tools
+
+Wait for user selection.
+
+Store result in: `context.current_init.hashing_library`
+- Option 1 → "bcryptjs"
+- Option 2 → "argon2"
+
+Show confirmation based on selection:
+- bcryptjs → "bcryptjs will be added to package.json. Passwords will be hashed
+  with bcrypt (SALT_ROUNDS = 12)."
+- argon2 → "argon2 will be added to package.json. Passwords will be hashed
+  with argon2id. Native build tools (node-gyp) must be available."
+
+Do not ask any other question in this task.

package/tasks/ask-language-type.task.md

@@ -0,0 +1,26 @@
+---
+type: task
+name: ask-language-type
+---
+
+# Task: ask-language-type
+
+Condition: only run if `context.current_init.project_type == "nodejs"`.
+Skip entirely for reactjs and database-only projects.
+
+If `context.current_init.init_mode == "fast"` → skip this task,
+set `context.current_init.language = "javascript"` silently, return.
+
+Ask: "What language would you like to use for this service?"
+
+Options:
+1. JavaScript (default) — CommonJS require/module.exports, .js files, no build step
+2. TypeScript — import/export, type annotations, .ts files, compiled to dist/
+
+Guidance:
+- JavaScript: simpler setup, runs directly with node, faster to start
+- TypeScript: type safety, better IDE autocomplete, recommended for larger teams
+
+Stores: `context.current_init.language` ("javascript" | "typescript")
+
+Do not ask any other question in this task.