cp-toolkit 2.2.2 → 2.2.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cp-toolkit",
-  "version": "2.2.2",
+  "version": "2.2.3",
   "description": "Copilot Toolkit - AI Agent framework for GitHub Copilot, Claude, Gemini CLI, and other AI assistants",
   "keywords": [
     "ai-agents",

package/src/commands/init.js

@@ -207,7 +207,17 @@ export async function initCommand(directory, options) {
     console.log(chalk.dim('   .github/'));
     console.log(chalk.dim('   ├── agents/           ') + chalk.cyan('← 20 specialist agents'));
     console.log(chalk.dim('   ├── skills/           ') + chalk.cyan('← Essential skills library'));
-    console.log(chalk.dim('   ├── instructions/     ') + chalk.cyan('← Language-specific rules'));
+    console.log(chalk.dim('   ├── instructions/     ') + chalk.cyan('← 10 specialized instruction files'));
+    console.log(chalk.dim('   │   ├── typescript-development.instructions.md'));
+    console.log(chalk.dim('   │   ├── javascript-development.instructions.md'));
+    console.log(chalk.dim('   │   ├── react-development.instructions.md'));
+    console.log(chalk.dim('   │   ├── nextjs-development.instructions.md'));
+    console.log(chalk.dim('   │   ├── python-development.instructions.md'));
+    console.log(chalk.dim('   │   ├── security-development.instructions.md'));
+    console.log(chalk.dim('   │   ├── database-development.instructions.md'));
+    console.log(chalk.dim('   │   ├── testing-development.instructions.md'));
+    console.log(chalk.dim('   │   ├── api-development.instructions.md'));
+    console.log(chalk.dim('   │   └── github-actions.instructions.md'));
     console.log(chalk.dim('   ├── copilot-workflows/') + chalk.cyan('← Workflow templates'));
     console.log(chalk.dim('   ├── scripts/          ') + chalk.cyan('← MCP server & utilities'));
     console.log(chalk.dim('   ├── rules/            ') + chalk.cyan('← Global AI rules'));
@@ -232,101 +242,392 @@ export async function initCommand(directory, options) {
 
 async function createInstructionFiles(instructionsDir) {
   const instructions = {
-    'typescript.instructions.md': `---
+    'typescript-development.instructions.md': `---
 applyTo: "**/*.ts,**/*.tsx,**/*.mts,**/*.cts"
 ---
 
-# TypeScript Guidelines
+# TypeScript Development Guidelines
 
-## Strict Mode
+## Strict Mode & Type Safety
 - Enable \`strict: true\` in tsconfig.json
 - No \`any\` types - use \`unknown\` and narrow with type guards
 - Explicit return types for public functions
+- Use \`strictNullChecks\` and \`noImplicitAny\`
 
-## Patterns
+## Code Patterns
 - Prefer \`interface\` over \`type\` for object shapes
-- Use \`as const\` for literal types
-- Leverage discriminated unions for state
+- Use \`as const\` for literal types and enums
+- Leverage discriminated unions for state management
+- Use mapped types for transformations
+- Prefer \`readonly\` for immutable data
 
-## Imports
+## Imports & Modules
 - Use type-only imports: \`import type { X } from 'y'\`
 - Barrel exports for public APIs only
+- Avoid relative imports with \`../\` - use absolute paths
+
+## Error Handling
+- Use custom error classes extending \`Error\`
+- Prefer Result types over throwing exceptions
+- Use try/catch only for external operations
+`,
+
+    'javascript-development.instructions.md': `---
+applyTo: "**/*.js,**/*.mjs,**/*.cjs"
+---
+
+# JavaScript Development Guidelines
+
+## ES6+ Features
+- Use \`const\` and \`let\` instead of \`var\`
+- Arrow functions for callbacks and anonymous functions
+- Template literals over string concatenation
+- Destructuring for objects and arrays
+- Spread/rest operators for manipulation
+
+## Code Patterns
+- Prefer functional programming approaches
+- Use async/await over Promises for readability
+- Implement proper error handling with try/catch
+- Use Map/Set for collections when appropriate
+- Leverage object destructuring for configuration
+
+## Best Practices
+- Strict mode: \`'use strict'\` at file/module level
+- Consistent naming: camelCase for variables/functions
+- Meaningful variable names over abbreviations
+- Single responsibility principle for functions
+
+## Performance
+- Avoid global variables
+- Use efficient algorithms and data structures
+- Minimize DOM manipulation
+- Cache expensive operations
 `,
 
-    'python.instructions.md': `---
+    'react-development.instructions.md': `---
+applyTo: "**/*.jsx,**/*.tsx,**/*react*"
+---
+
+# React Development Guidelines
+
+## Component Patterns
+- Functional components with hooks over class components
+- Custom hooks for reusable logic
+- Compound components for complex UI patterns
+- Container/Presentational separation when appropriate
+
+## State Management
+- useState for local component state
+- useReducer for complex state logic
+- Context API for theme/configuration
+- External libraries (Zustand, Redux) for app-wide state
+
+## Performance
+- React.memo for expensive components
+- useMemo for expensive calculations
+- useCallback for event handlers
+- Lazy loading with React.lazy and Suspense
+- Code splitting for large applications
+
+## Hooks Best Practices
+- Custom hooks for side effects
+- useEffect cleanup functions
+- Dependency arrays correctly specified
+- Avoid conditional hook calls
+
+## Accessibility
+- Semantic HTML elements
+- ARIA attributes when needed
+- Keyboard navigation support
+- Screen reader compatibility
+`,
+
+    'nextjs-development.instructions.md': `---
+applyTo: "**/pages/**,**/app/**,**/components/**,**/lib/**,**/utils/**"
+---
+
+# Next.js Development Guidelines
+
+## App Router (App Directory)
+- Server Components by default
+- Client Components with 'use client' directive
+- Server Actions for form handling
+- Route Groups for organization: (auth), (dashboard)
+
+## File Structure
+- \`app/\` for routing and layouts
+- \`components/\` for reusable UI
+- \`lib/\` for utilities and configurations
+- \`utils/\` for helper functions
+- \`types/\` for TypeScript definitions
+
+## Data Fetching
+- Server Components for initial data
+- Client Components for interactive data
+- SWR or React Query for client-side fetching
+- Server Actions for mutations
+
+## Performance
+- Image optimization with next/image
+- Font optimization with next/font
+- Code splitting automatic
+- Static generation when possible
+- ISR for dynamic content
+
+## SEO & Metadata
+- Metadata API for dynamic meta tags
+- Static metadata exports
+- Open Graph and Twitter cards
+- Structured data with JSON-LD
+`,
+
+    'python-development.instructions.md': `---
 applyTo: "**/*.py"
 ---
 
-# Python Guidelines
+# Python Development Guidelines
 
-## Type Hints
+## Type Hints & Annotations
 - Use type hints for all function signatures
 - Use \`from __future__ import annotations\` for forward refs
 - Prefer \`typing.Optional\` over \`X | None\` for Python 3.9 compat
+- Generic types with \`TypeVar\` when needed
 
-## Patterns
+## Code Patterns
 - Use dataclasses or Pydantic for data structures
 - Async/await for I/O bound operations
-- Context managers for resource management
-
-## Style
-- Follow PEP 8
-- Use Black for formatting
-- Docstrings in Google style
+- Context managers (\`with\` statements) for resource management
+- List/dict comprehensions for transformations
+- Generator functions for large datasets
+
+## Best Practices
+- Follow PEP 8 style guidelines
+- Use Black for code formatting
+- Google/NumPy style docstrings
+- Meaningful variable names
+- Single responsibility principle
+
+## Error Handling
+- Custom exception classes
+- Specific exception types over generic Exception
+- Proper exception chaining
+- Logging with appropriate levels
+
+## Testing
+- pytest framework preferred
+- Unit tests for functions/classes
+- Integration tests for workflows
+- Mock external dependencies
 `,
 
-    'security.instructions.md': `---
-applyTo: "**/auth/**,**/security/**,**/*auth*,**/*token*,**/*session*"
+    'security-development.instructions.md': `---
+applyTo: "**/auth/**,**/security/**,**/*auth*,**/*token*,**/*session*,**/middleware/**"
 ---
 
-# Security Guidelines
+# Security Development Guidelines
 
-## Authentication
+## Authentication & Authorization
 - JWT with short expiry + refresh tokens
 - HttpOnly cookies for web sessions
-- Rate limit authentication endpoints
-
-## Authorization
-- RBAC or ABAC patterns
-- Check permissions server-side always
-- Deny by default, allow explicitly
+- Rate limiting on authentication endpoints
+- RBAC or ABAC patterns implemented
+- Server-side permission checks always
 
 ## Data Protection
-- Sanitize all user inputs
-- Escape outputs by context (HTML, SQL, etc.)
+- Input sanitization and validation
+- Output encoding by context (HTML, SQL, JSON)
 - Never log sensitive data (passwords, tokens, PII)
+- Encryption at rest and in transit
+- Secure password hashing (bcrypt, Argon2)
 
-## OWASP Top 10
-- Validate content types
+## Web Security
 - CSRF tokens for state-changing operations
-- Security headers (CSP, HSTS, X-Frame-Options)
+- Content Security Policy (CSP) headers
+- HTTPS enforcement (HSTS)
+- Secure headers (X-Frame-Options, etc.)
+- XSS prevention with proper escaping
+
+## API Security
+- API versioning for breaking changes
+- Request/response validation schemas
+- CORS configuration for allowed origins
+- API rate limiting and throttling
+- Proper error messages (no sensitive info)
+
+## OWASP Top 10
+- Injection prevention (parameterized queries)
+- Broken authentication handling
+- Sensitive data exposure protection
+- XML external entity prevention
+- Access control enforcement
 `,
 
-    'database.instructions.md': `---
-applyTo: "**/prisma/**,**/*.sql,**/migrations/**,**/schema.*,**/db/**"
+    'database-development.instructions.md': `---
+applyTo: "**/prisma/**,**/*.sql,**/migrations/**,**/schema.*,**/db/**,**/models/**"
 ---
 
-# Database Guidelines
+# Database Development Guidelines
 
 ## Schema Design
-- UUID or ULID for primary keys
+- UUID or ULID for primary keys (not auto-increment)
 - Timestamps: createdAt, updatedAt on all tables
 - Soft delete with deletedAt when needed
+- Proper foreign key relationships
+- Normalized schemas with good indexing
 
-## Queries
+## Query Optimization
 - Use parameterized queries only (never string concat)
-- Select only needed fields
+- Select only needed fields (avoid SELECT *)
 - Use cursor-based pagination for large datasets
+- Proper indexing on frequently queried fields
+- Query execution plan analysis
 
-## Prisma
+## ORM Best Practices
 - Use transactions for multi-table operations
-- Define indexes for frequently queried fields
-- Use \`@map\` and \`@@map\` for legacy schemas
+- N+1 query problem avoidance
+- Proper eager/lazy loading
+- Migration scripts for schema changes
+- Database constraints and validations
 
-## Migrations
-- One migration per feature
+## Migration Safety
+- One migration per feature/change
 - Never modify already-applied migrations
-- Test migrations on copy of production data
+- Test migrations on production-like data
+- Rollback scripts for emergency recovery
+- Version control for migration files
+
+## Performance
+- Connection pooling configuration
+- Query result caching strategies
+- Database indexing strategy
+- Read/write splitting when appropriate
+- Monitoring and alerting setup
+`,
+
+    'testing-development.instructions.md': `---
+applyTo: "**/*.test.*,**/*.spec.*,**/tests/**,**/__tests__/**"
+---
+
+# Testing Development Guidelines
+
+## Test Structure
+- Unit tests for individual functions/classes
+- Integration tests for component interactions
+- End-to-end tests for user workflows
+- Performance tests for critical paths
+- Accessibility tests for UI components
+
+## Testing Frameworks
+- Jest for JavaScript/TypeScript
+- pytest for Python
+- RSpec for Ruby
+- JUnit for Java
+- Appropriate framework per language
+
+## Test Patterns
+- Arrange-Act-Assert (AAA) pattern
+- Descriptive test names (not test1, test2)
+- One assertion per test when possible
+- Mock external dependencies
+- Test edge cases and error conditions
+
+## Code Coverage
+- Aim for 80%+ coverage on critical code
+- Focus on business logic over getters/setters
+- Integration tests for coverage gaps
+- Coverage reports in CI/CD pipeline
+
+## Best Practices
+- Tests run independently (no shared state)
+- Fast execution for developer experience
+- CI/CD integration with quality gates
+- Test data management and cleanup
+- Documentation of test scenarios
+`,
+
+    'api-development.instructions.md': `---
+applyTo: "**/api/**,**/routes/**,**/controllers/**,**/services/**,**/*api*,**/*endpoint*"
+---
+
+# API Development Guidelines
+
+## RESTful Design
+- Proper HTTP methods (GET, POST, PUT, DELETE)
+- Resource-based URLs (/users, /users/{id})
+- Status codes: 200, 201, 400, 401, 403, 404, 500
+- Content-Type and Accept headers
+- Idempotent operations where appropriate
+
+## API Versioning
+- URL versioning: /api/v1/users
+- Header versioning when needed
+- Backward compatibility maintenance
+- Deprecation notices for breaking changes
+- Version documentation
+
+## Request/Response
+- JSON as primary format
+- Consistent response structure
+- Pagination for list endpoints
+- Filtering and sorting parameters
+- Rate limiting headers
+
+## Error Handling
+- Consistent error response format
+- Appropriate HTTP status codes
+- User-friendly error messages
+- Error logging and monitoring
+- Graceful degradation
+
+## Documentation
+- OpenAPI/Swagger specifications
+- Interactive API documentation
+- Authentication examples
+- Rate limiting information
+- Changelog for API versions
+`,
+
+    'github-actions.instructions.md': `---
+applyTo: ".github/workflows/**/*.yml,.github/workflows/**/*.yaml"
+---
+
+# GitHub Actions Development Guidelines
+
+## Workflow Structure
+- Descriptive workflow names and jobs
+- Matrix builds for multiple environments
+- Proper job dependencies with needs
+- Conditional execution with if statements
+- Timeout settings for long-running jobs
+
+## Security
+- Use trusted actions from GitHub Marketplace
+- Pin action versions to specific SHAs
+- Use secrets for sensitive data
+- CodeQL for security scanning
+- Dependency review for PRs
+
+## Best Practices
+- Cache dependencies for faster builds
+- Use self-hosted runners when appropriate
+- Proper artifact management
+- Notification configuration
+- Workflow reusability with composite actions
+
+## CI/CD Pipeline
+- Build → Test → Deploy stages
+- Parallel job execution
+- Failure handling and notifications
+- Rollback capabilities
+- Environment-specific configurations
+
+## Performance
+- Efficient caching strategies
+- Minimal artifact sizes
+- Parallel job execution
+- Resource optimization
+- Build time monitoring
 `
   };
 
@@ -369,10 +670,16 @@ To invoke an agent, reference it in your prompt:
 ## 📋 Language Instructions
 
 Context-specific rules are in \`.github/instructions/\`:
-- \`typescript.instructions.md\` - TS/TSX files
-- \`python.instructions.md\` - Python files
-- \`security.instructions.md\` - Auth/security code
-- \`database.instructions.md\` - Database/Prisma code
+- \`typescript-development.instructions.md\` - TypeScript files
+- \`javascript-development.instructions.md\` - JavaScript files
+- \`react-development.instructions.md\` - React components
+- \`nextjs-development.instructions.md\` - Next.js applications
+- \`python-development.instructions.md\` - Python files
+- \`security-development.instructions.md\` - Auth/security code
+- \`database-development.instructions.md\` - Database/ORM code
+- \`testing-development.instructions.md\` - Test files
+- \`api-development.instructions.md\` - API endpoints
+- \`github-actions.instructions.md\` - GitHub Actions workflows
 
 ## 🔧 MCP Servers