codeninja 3.2.0 → 4.0.1

package/ide/antigravity/.agents/skills/mcp-and-context/SKILL.md

@@ -1,111 +1,105 @@
 ---
 skill: mcp-and-context
-scope: always-loaded
+scope: all-commands
+loaded-for:
+  - all commands (always active)
 description: >
-  MCP tool usage rules and context management protocol. Loaded on every
-  session. Governs how every persona reads, writes, and protects context.json.
+  All MCP tools available in this project, the complete context.json schema
+  (including v4.0 fields), and the stale scratchpad recovery procedure.
 ---
 
-# Skill: MCP and Context Management
+# Skill: MCP and Context
 
-This skill governs all interaction with the codeninja MCP server and
-context.json. Every persona must follow these rules without exception.
-
----
-
-## Available MCP Tools
+## All MCP Tools
 
 | Tool | Purpose | When to use |
-|------|---------|-------------|
-| `context_read` | Load full project context | First thing on every activation |
-| `context_write` | Persist changes (deep-merge) | After every completed operation |
-| `context_clear_scratchpad` | Clear a current_* key | After writing context |
-| `context_check_stale` | Detect unresolved scratchpad | Step 0 of activation |
-| `service_scan` | Discover all services on disk | Step 2 of activation |
-| `migration_next_number` | Get next sequential migration number | Before creating any migration file |
+|---|---|---|
+| `context_read` | Load full context.json into memory | FIRST on every activation |
+| `context_write` | Deep-merge updates into context.json | After every completed operation |
+| `context_clear_scratchpad` | Clear current_* scratchpad key | After writing context post-workflow |
+| `context_check_stale` | Detect unresolved scratchpad operations | Step 0 of every activation |
+| `service_scan` | Discover all service directories on disk | Step 2 of activation; compare with context.services |
+| `migration_next_number` | Get next sequential migration number | Before generating any migration file |
 | `fs_read` | Read a file from disk | Before modifying any existing file |
-| `fs_list` | List directory contents | When scanning structure |
-| `fs_exists` | Check if file/directory exists | Before conditional operations |
-| `file_insert_after` | Surgical file insertion | Appending to route_manager.js, etc. |
-| `file_contains` | Check if string exists in file | Before appending to avoid duplicates |
-| `run_drift_check` | Compare context vs disk | During @sync workflow |
-| `lint_file` | Lint a generated file | After generating JS/SQL files |
-| `npm_check_package` | Look up npm package info | When verifying dependencies |
-| `npm_install` | Install a package | When adding new dependencies |
-| `validate_redis_connection` | Test Redis connectivity | During service init |
-| `validate_postgres_connection` | Test DB connectivity | During service init |
-| `analyze_middleware_order` | Check middleware chain | During @audit |
-| `analyze_encryption_library` | Verify encryption setup | During @audit |
-| `analyze_language_keys` | Check i18n completeness | During @audit |
-| `analyze_dependencies` | Scan package.json | During @audit / @sync |
-| `analyze_env_file` | Check .env completeness | During @audit |
-
----
-
-## Absolute Rules
-
-- NEVER read `context.json` directly with `fs_read` — always use `context_read`
-- NEVER write `context.json` directly — always use `context_write`
-- `context_write` deep-merges — it never overwrites the whole file
-- `change_log` is append-only — never delete entries
-- NEVER assume a stored value — always read from loaded context object
-- `context_version` is managed automatically — if `context_read` returns a
-  higher version than expected, the file was modified externally — re-read before acting
-
----
-
-## Context Schema Reference
+| `fs_list` | List directory contents | When scanning project structure |
+| `fs_exists` | Check if a file/directory exists | Before conditional operations |
+| `file_insert_after` | Surgically insert content after a marker | route_manager.js, swagger_doc.json — never rewrite |
+| `file_contains` | Check if file already contains a string | Before appending to avoid duplicates |
+| `run_drift_check` | Compare context vs actual files on disk | During /codeninja:sync |
+| `lint_file` | Lint a generated JS/TS file | After any JS/TS file generation |
+| `analyze_middleware_order` | Verify middleware chain order | During /codeninja:audit |
+| `analyze_encryption_library` | Verify encryption library usage | During /codeninja:audit |
+| `analyze_language_keys` | Check i18n key consistency | During /codeninja:audit |
+| `analyze_dependencies` | Scan package.json for issues | During /codeninja:audit |
+| `analyze_env_file` | Check .env completeness | During /codeninja:audit |
+| `validate_redis_connection` | Test Redis connectivity | During /codeninja:init |
+| `validate_postgres_connection` | Test PostgreSQL connectivity | During /codeninja:init |
+
+## Context.json Schema (v4.0)
 
 ```json
 {
   "context_version": 0,
   "project_name": "",
+  "initialized_at": "",
+  "last_updated_at": "",
+  "last_command": "",
+  "repository_state": "fresh|existing",
   "project_info": {
     "summary": "",
     "detected_entities": [],
-    "features": [],
-    "from_doc": { "project_name": "", "domain": "", "purpose": "", "features": [], "entities": [], "tech_preferences": [] },
-    "from_sow": { "integrations": [] },
-    "from_figma": { "screens": [] }
+    "has_doc": false,
+    "has_sow": false,
+    "has_figma": false
   },
   "db": {
-    "type": "",
-    "name": "",
-    "host": "",
-    "port": 0,
-    "user": "",
-    "schema": {}
+    "type": "postgres|mysql|mongodb",
+    "orm": "none|prisma",
+    "name": "", "host": "", "port": 0, "user": "",
+    "schema": { "tables": {}, "change_log": [] }
+  },
+  "services": {
+    "<service_name>": {
+      "type": "nodejs|reactjs",
+      "language": "javascript|typescript",
+      "hashing_library": "bcryptjs|argon2",
+      "port": 0,
+      "client_type": "reactjs|app",
+      "encrypted_transport": true,
+      "supported_languages": ["en"],
+      "encryption_key": "",
+      "encryption_iv": "",
+      "api_key": "",
+      "modules": [],
+      "linked_service": "",
+      "linked_service_port": 0
+    }
   },
-  "services": {},
   "api_routes": [],
-  "change_log": []
+  "change_log": [],
+  "current_init": {},
+  "current_api": {},
+  "current_action": {}
 }
 ```
 
----
-
-## Scratchpad Keys (current_* pattern)
-
-Temporary keys written during multi-step workflows:
+**New v4.0 fields:**
+- `db.orm` — "none" (raw driver) or "prisma" (Prisma ORM)
+- `services[name].language` — "javascript" or "typescript"
+- `services[name].hashing_library` — "bcryptjs" or "argon2"
 
-| Key | Used by |
-|-----|---------|
-| `current_init` | initialize-project workflow |
-| `current_api` | create-api workflow |
-| `current_table` | db-create-table workflow |
-| `current_modify` | db-modify-table workflow |
-| `current_index` | db-add-index workflow |
-| `current_design` | design workflow |
+## Context Rules
 
-After `context_write` with final results → always call `context_clear_scratchpad`
-for the relevant key. This prevents stale data from persisting across sessions.
-
----
+- `context_write` deep-merges — it never replaces the whole file
+- `change_log` is append-only — never delete or modify entries
+- `context_version` auto-increments on each write
+- Stale scratchpad: if `context_check_stale` returns unresolved keys, resolve them before any other operation
+- After every completed workflow: call `context_write` then `context_clear_scratchpad`
 
 ## Stale Scratchpad Recovery
 
-When `context_check_stale` returns stale keys:
-1. Show the user what was in progress
-2. Ask: "Resume this operation or discard it?"
-3. If resume → re-read the scratchpad and continue from where it left off
-4. If discard → call `context_clear_scratchpad` and start fresh
+If `context_check_stale` returns stale `current_*` keys:
+1. Read the stale key contents
+2. Ask user: "There's an unfinished [operation] — continue it or discard?"
+3. If continue: resume the workflow from the summary step
+4. If discard: call `context_clear_scratchpad` for that key, then proceed

package/ide/antigravity/.agents/skills/reactjs/SKILL.md

@@ -209,3 +209,39 @@ export default App;
 5. Wire form submit and button clicks to handler functions
 6. Add loading state (boolean), error state (string), success state
 7. Show loading spinner during API call, error message on failure, success feedback on completion
+
+---
+
+## Wave Generation Order (v4.0)
+
+Wave 1 — Foundation (read `.codeninja/tasks/generate-react-package-json.task.md` etc.):
+- `package.json` → task: generate-react-package-json
+- `.env` + `.env.example` → task: generate-react-env
+- `.gitignore` → task: generate-react-gitignore
+- `README.md` → task: generate-readme
+- `public/index.html` → task: generate-react-index-html
+- `.htaccess` (root + public) → task: generate-react-htaccess
+
+Wave 2 — API Layer:
+- `src/api/apiClient.js` → task: generate-react-api-client
+- `src/api/apiHandler.js` → task: generate-react-api-handler
+
+Wave 3 — Application Shell:
+- `src/pages/Welcome/index.jsx` → task: generate-react-welcome-page
+- `src/App.jsx` → task: generate-react-app-jsx
+- `src/index.jsx` → task: generate-react-index-jsx
+
+Wave 4 — Docker:
+- `Dockerfile` + `nginx.conf` → task: generate-react-dockerfile
+
+## .htaccess Pattern
+
+Two files are always generated — one at service root, one in `public/`:
+
+```apache
+RewriteEngine On
+RewriteBase /
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule ^ index.html [L]
+```

package/ide/antigravity/.agents/workflows/codeninja-api.md

@@ -1,111 +1,104 @@
+This workflow runs when user invokes /codeninja:api
+
 ---
-slash_command: /codeninja:api
-personas: [global-orchestrator, nodejs-backend]
-skills: [mcp-and-context, api-builder]
-description: Add a new API module (route.js + model.js) to an existing NodeJS service.
+type: workflow
+name: create-api
+description: >
+  Add a new API module (route.js + model.js) to an existing NodeJS service.
+  Appends to route_manager.js and patches swagger_doc.json surgically —
+  never rewrites existing files. Fully context-aware.
 ---
 
-# /codeninja:api
+# Workflow: @create-api
+
+## Goal
+Scaffold a complete API module inside an existing NodeJS service.
+Every generated file references actual DB columns from context.
+
+## Rules
+- Ask ONE question at a time
+- Never invent table or column names — read from `context.db.schema`
+- Always add the new route to `context.api_routes`
+- Always update `swagger_doc.json` with the new endpoint
 
-## Before Running
-1. Call `context_check_stale`
-2. Call `context_read` — load `context.services` and `context.db.schema`
-3. Read 1–2 existing modules in the target service to understand current patterns
+---
 
-## Execution — Full Step-by-Step
+## Step-by-Step Execution
 
 ### Phase 0 — Existing Pattern Review
-Before asking any questions, read existing modules in `context.services[<service_name>].modules`
-and scan 1–2 existing `route.js` and `_model.js` files from the service.
+Before asking any questions, read the existing modules in
+context.services[<service_name>].modules and scan 1–2 existing
+route.js and _model.js files from the service.
 
 Identify:
-- Naming conventions (camelCase vs PascalCase)
-- Common validation patterns
-- Auth patterns (all protected? mixed?)
-- Response patterns beyond standard contract
-
-Surface: "I've reviewed [n] existing modules. I'll follow the same structure." Then proceed.
+- Naming conventions in use (camelCase vs PascalCase for functions)
+- Common validation patterns (which fields always get required rules)
+- Any project-specific response patterns beyond the standard contract
+- Auth pattern used across existing routes (all full? mixed?)
 
----
+Surface a one-line summary: "I've reviewed [n] existing modules.
+I'll follow the same structure." Then proceed to Phase 1.
 
 ### Phase 1 — Target Service
+1. Run task: `ask-target-service`
+   - List available services from `context.services`
+   - Stores: `context.current_api.service_name`
 
-**Step 1.** Ask: "Which service?" (list from `context.services`)
-- Store: `context.current_api.service_name`
-
-**Step 2.** Ask: "API version?" (default: v1)
-- Store: `context.current_api.version`
+2. Run task: `ask-api-version`
+   - Default: v1
+   - Stores: `context.current_api.version`
 
 ---
 
 ### Phase 2 — Module Identity
+3. Run task: `ask-module-name`
+   - Example: Products, Orders, Invoice
+   - Stores: `context.current_api.module_name`
 
-**Step 3.** Ask: "Module name?" (e.g. Products, Orders, Invoice)
-- Store: `context.current_api.module_name`
-
-**Step 4.** Ask: "HTTP method?" (GET / POST / PUT / PATCH / DELETE)
-- Store: `context.current_api.method`
+4. Run task: `ask-http-method`
+   - Options: GET, POST, PUT, PATCH, DELETE
+   - Stores: `context.current_api.method`
 
-**Step 5.** Ask: "Route path?" (e.g. /products, /products/:id)
-- Store: `context.current_api.route_path`
+5. Run task: `ask-route-path`
+   - Example: /products, /products/:id
+   - Stores: `context.current_api.route_path`
 
-**Step 6.** Ask: "Route description?" (one sentence)
-- Store: `context.current_api.description`
+6. Run task: `ask-route-description`
+   - Stores: `context.current_api.description`
 
 ---
 
 ### Phase 3 — Database Binding
+7. Run task: `ask-primary-table`
+   - Show available tables from `context.db.schema.tables`
+   - Stores: `context.current_api.primary_table`
 
-**Step 7.** Ask: "Which table does this route primarily use?"
-- Show available tables from `context.db.schema.tables`
-- Store: `context.current_api.primary_table`
-
-**Step 8.** Ask: "Does this route require authentication?" (yes / no)
-- Store: `context.current_api.requires_auth`
+8. Run task: `ask-requires-auth`
+   - Options: yes / no
+   - Stores: `context.current_api.requires_auth`
 
 ---
 
-### Phase 4 — Confirm and Generate
-
-**Step 9.** Confirm: "Generate [METHOD] [path] in [service]/modules/[version]/[Module]? (yes/no)"
-
-**Step 10.** Delegate to nodejs-agent — generate ALL files simultaneously:
-
-- `modules/<version>/<ModuleName>/route.js`
-  - Full validation schema using `validatorjs`
-  - All middleware applied in correct order
-  - Calls model function, returns via `sendResponse`
-  - JSDoc on every handler
-
-- `modules/<version>/<ModuleName>/<module>_model.js`
-  - Parameterized queries only — no string concatenation
-  - References actual column names from `context.db.schema`
-  - Returns exactly `{ responsecode, responsemsg, responsedata }`
-  - No `res.json()` anywhere in this file
-
-- Append to `modules/<version>/route_manager.js`
-  - Use `file_insert_after` MCP tool — NEVER rewrite this file
-  - Surgical insert of `router.use('/<path>', require('./<Module>/route'))` only
-  - Use `file_contains` first to avoid duplicate registration
-
-- Patch `document/<version>/swagger_doc.json`
-  - Use `file_insert_after` MCP tool — NEVER rewrite this file
-  - Add new path key to the `paths` object only
-
----
-
-### Phase 5 — Finalize
-
-**Step 11.** Call `context_write`:
-- Append to `context.api_routes`
-- Update `context.services[<service>].modules`
-- Set `last_command` = "create-api"
-- Append to `change_log`
-
-**Step 12.** Call `context_clear_scratchpad` with keys: ["current_api"]
-
-**Step 13.** Show final summary:
-- Files created/modified
-- Route registered in route_manager
-- Swagger patched
-- Offer next steps: /codeninja:design, /codeninja:db:create
+### Phase 4 — Generate
+9. Confirm with user: "Generate [METHOD] [path] in [service]/modules/[version]/[Module]? (yes/no)"
+
+> **Multi-agent:** Delegate to `nodejs-backend` via Task invocation for parallel execution.
+> Read `.codeninja/tasks/generate-route.task.md` and `.codeninja/tasks/generate-model.task.md` before generating each file.
+
+10. Delegate to `nodejs-agent`:
+    - Generate: `route.js` — run task: generate-route
+      (new file — always a full write)
+    - Generate: `<module>_model.js` — run task: generate-model
+      (new file — always a full write)
+    - Append to: `modules/<version>/route_manager.js`
+      run task: generate-route-manager (Mode 2 — append only)
+      NEVER rewrite this file — surgical insert only
+    - Patch: `document/<version>/swagger_doc.json`
+      run task: generate-swagger (Mode 2 — patch paths object only)
+      NEVER rewrite this file — add new path key only
+
+11. Run task: `write-context`
+    - Append to `context.api_routes`
+    - Update `context.services[<service>].modules`
+
+12. Run task: `show-final-summary`

package/ide/antigravity/.agents/workflows/codeninja-audit.md

@@ -1,72 +1,110 @@
+This workflow runs when user invokes /codeninja:audit
+
+---
+type: workflow
+name: audit
+description: >
+  Review an existing service for code quality, security issues, naming
+  consistency, missing middleware, and context alignment.
 ---
-slash_command: /codeninja:audit
-personas: [global-orchestrator, nodejs-backend]
-skills: [mcp-and-context, api-builder, code-intelligence]
-description: Deep security and quality review of an existing NodeJS service.
+
+# Workflow: @audit
+
+## Goal
+Produce a structured audit report for a service. Identify issues by severity.
+Optionally auto-fix low-risk issues.
+
+## When to use @audit vs @sync drift detection
+
+`@sync` drift detection: runs automatically with every @sync. Checks
+structural markers only — middleware order, library consistency,
+export patterns. Fast, read-only, always safe.
+
+`@audit`: run manually when you want deep code quality analysis —
+security checks, SQL injection patterns, response format consistency,
+context alignment. Slower, comprehensive, covers logic not just structure.
+
+Run @sync regularly. Run @audit before releasing a service or after
+a major refactor.
+
 ---
 
-# /codeninja:audit
+## Step-by-Step Execution
 
-## Before Running
-1. Call `context_read`
-2. Call `context_check_stale`
+1. Run task: `ask-target-service`
 
-## Execution — Full Step-by-Step
+> **Multi-agent:** Delegate to `nodejs-backend` or `database-architect` based on service type via Task invocation for parallel execution.
+> Read `.codeninja/tasks/` task files relevant to the service before running checks.
 
-**Step 1.** Ask: "Which service to audit?" (list from `context.services`)
+2. Delegate to relevant agent(s) based on service type.
 
-**Step 2.** Delegate to nodejs-agent. Run all checks:
+3. Agent checks:
 
 ### Security Checks
-- [ ] API key validation middleware on ALL routes?
+- [ ] API key validation middleware applied to all routes?
 - [ ] Input validation on all POST/PUT/PATCH routes?
-- [ ] SQL injection prevention (parameterized queries only)?
+- [ ] SQL injection prevention (parameterized queries)?
 - [ ] Sensitive values only from env vars (no hardcoded keys/passwords)?
 - [ ] `.env` in `.gitignore`?
-- [ ] Real AES-256-CBC encryption (not base64)?
-- [ ] `utilities/encryption.js` is the ONLY file importing crypto-js or cryptlib?
-- [ ] `res.json()` never called directly in route.js or model files?
+- [ ] Encryption using real AES-256-CBC (not base64)?
+- [ ] utilities/encryption.js is the only file importing crypto-js or cryptlib?
+- [ ] res.json() is never called directly in route.js or model files?
 - [ ] Validator package never imported directly in route files?
-- [ ] SMTP credentials only in .env — never hardcoded in notification.js or template.js?
-- [ ] Firebase service account file in `pem/` and in `.gitignore`?
-- [ ] `GLOBALS` object frozen using `Object.freeze()`?
+- [ ] SMTP credentials only in .env — never hardcoded in
+      notification.js or template.js?
+- [ ] Firebase service account file in pem/ and in .gitignore?
+- [ ] GLOBALS object is frozen using Object.freeze?
 
 ### Code Quality Checks
-- [ ] Only services called from controllers (no DB queries in controllers)?
-- [ ] Models contain only DB queries and business logic?
+- [ ] Controllers only call services (no DB queries in controllers)?
+- [ ] Services contain business logic (no Express req/res objects)?
+- [ ] Models contain only DB queries?
 - [ ] Global error handler present and used?
-- [ ] All routes call `checkValidationRules` from `utilities/validator.js`?
-- [ ] No separate `_validator.js` files per module?
-- [ ] `rateLimiter` is FIRST middleware in `route_manager.js`?
-- [ ] `extractLanguage` runs BEFORE `validateApiKey` in `route_manager.js`?
-- [ ] `decryptRequest` is LAST middleware in the chain?
-- [ ] No route handlers defined directly in `route_manager.js`?
-- [ ] `asyncHandler` wraps every middleware in `route_manager.js`?
-- [ ] All model functions return exactly `{ responsecode, responsemsg, responsedata }`?
-- [ ] No `req/res` objects in any model file?
-- [ ] Passwords encrypted via `utilities/encryption.js` before storage?
-- [ ] Session tokens generated only via `common.generateSessionCode()`?
+- [ ] All routes call checkValidationRules from utilities/validator.js
+      before calling model functions?
+- [ ] No separate _validator.js files exist per module?
+- [ ] rateLimiter is the first middleware in route_manager.js?
+- [ ] extractLanguage runs before validateApiKey in route_manager.js?
+- [ ] decryptRequest is the last middleware in the chain?
+- [ ] No route handlers defined directly in route_manager.js?
+- [ ] asyncHandler wraps every middleware in route_manager.js?
+- [ ] All model functions return exactly { responsecode, responsemsg,
+      responsedata } — no extra keys, no throws?
+- [ ] No req/res objects in any model file?
+- [ ] Passwords HASHED (not encrypted) using `utilities/hashing.js` before storage?
+      Correct: `await hashPassword(plainText)` — one-way bcrypt/argon2 hash
+      Wrong: `encrypt(password)` from encryption.js — reversible AES, not safe for passwords
+- [ ] No direct bcrypt/argon2 imports in route.js or model files? All hashing routed through utilities/hashing.js?
+- [ ] Session tokens generated only via common.generateSessionCode?
+- [ ] No crypto-js or cryptlib imported directly in model files?
+- [ ] No direct res.json() calls in route.js files?
 
 ### Consistency Checks
 - [ ] All routes documented in `swagger_doc.json`?
 - [ ] Response format consistent (success, message, data, timestamp)?
-- [ ] snake_case for DB, camelCase for JS?
-- [ ] Port matches `context.services[<n>].port`?
+- [ ] Naming follows snake_case for DB, camelCase for JS?
+- [ ] Port matches `context.services[<name>].port`?
 - [ ] DB config matches `context.db`?
-- [ ] All message keywords in `sendResponse` calls exist in `languages/en.js`?
-- [ ] All language files have the same keys as `en.js`?
+- [ ] All message keywords used in sendResponse calls exist in
+      languages/en.js?
+- [ ] All language files contain the same set of keys as en.js?
 - [ ] No two services share the same port in context.services?
-- [ ] All encryption keys exactly 32 chars in context.services?
-- [ ] All encryption IVs exactly 16 chars in context.services?
+- [ ] All encryption keys in context.services are exactly 32 characters?
+- [ ] All encryption IVs in context.services are exactly 16 characters?
+- [ ] No service name in context.services conflicts with a folder name
+      that already exists on disk for a different service?
 
 ### Context Alignment
 - [ ] All routes present in `context.api_routes`?
 - [ ] All DB tables referenced match `context.db.schema`?
-- [ ] All `router.use()` lines in route_manager.js have a corresponding entry in context.services modules?
-- [ ] All context.services modules have a corresponding `router.use()` in route_manager.js?
-- [ ] All swagger_doc.json paths have a corresponding entry in context.api_routes?
+- [ ] All router.use() lines in route_manager.js have a corresponding
+      entry in context.services[<name>].modules?
+- [ ] All context.services[<name>].modules entries have a corresponding
+      router.use() line in route_manager.js?
+- [ ] All paths in swagger_doc.json have a corresponding entry in
+      context.api_routes?
 
-**Step 3.** Present audit report:
+4. Present audit report:
 ```
 AUDIT REPORT — <service_name>
 ══════════════════════════════════════
@@ -77,5 +115,5 @@ AUDIT REPORT — <service_name>
 [list findings with file + line context]
 ```
 
-**Step 4.** Ask: "Auto-fix critical issues? (yes/no)"
-If yes → delegate to nodejs-agent for fixes → call `context_write` after.
+5. Ask: "Auto-fix critical issues? (yes/no)"
+6. If yes → delegate to relevant agent for fixes → run task: `write-context`