create-baton 1.0.0 → 1.1.0

package/templates/skills/patterns/email/SKILL.md

@@ -0,0 +1,236 @@
+---
+name: email
+description: >-
+  Transactional email patterns — provider selection, template design,
+  deliverability, and common email flows (welcome, reset, notifications).
+  Load at Session 2-4 when the project needs to send emails to users.
+---
+
+# Email Skill
+
+> Users judge your app by your emails. Ugly emails = untrustworthy app.
+
+---
+
+## Choose a Provider (Session 2)
+
+| Provider | Best For | Free Tier |
+|----------|----------|-----------|
+| **Resend** | Modern, great DX, React Email templates | 3,000/month |
+| **SendGrid** | Established, high volume | 100/day |
+| **Postmark** | Transactional focus, great deliverability | 100/month |
+| **AWS SES** | Cheapest at scale, more setup | 62,000/month (from EC2) |
+
+**Default:** Resend. Best developer experience, React Email for templates, generous free tier.
+
+---
+
+## Core Email Flows
+
+### Which Emails to Send (Priority Order)
+
+| Email | When | Priority |
+|-------|------|----------|
+| **Welcome** | After signup | Must have |
+| **Password reset** | User requests it | Must have |
+| **Email verification** | After signup (if required) | Should have |
+| **Transactional** | Order confirmation, receipt | Must have (if payments) |
+| **Notification** | New activity, updates | Nice to have |
+
+Build in this order. Don't start with marketing emails.
+
+---
+
+## Setup with Resend (Session 2-3)
+
+### Install
+
+```bash
+npm install resend
+```
+
+### Send an Email
+
+```typescript
+// lib/email.ts
+import { Resend } from 'resend';
+
+const resend = new Resend(process.env.RESEND_API_KEY);
+
+export async function sendEmail({
+  to,
+  subject,
+  html,
+}: {
+  to: string;
+  subject: string;
+  html: string;
+}) {
+  const { error } = await resend.emails.send({
+    from: 'App Name <noreply@yourdomain.com>',
+    to,
+    subject,
+    html,
+  });
+
+  if (error) {
+    console.error('Email send failed:', error);
+    throw error;
+  }
+}
+```
+
+### Environment Variables
+
+```bash
+RESEND_API_KEY=re_...
+```
+
+---
+
+## Email Templates
+
+### Keep It Simple
+
+Every email needs:
+1. **Logo/app name** at top
+2. **One clear message** (what happened)
+3. **One clear action** (button/link)
+4. **Footer** (company name, unsubscribe if marketing)
+
+### Welcome Email
+
+```
+Subject: Welcome to [App Name]
+
+Hi [Name],
+
+Thanks for signing up.
+
+Here's what you can do next:
+→ [One primary action button]
+
+If you need help, just reply to this email.
+
+— The [App Name] team
+```
+
+### Password Reset
+
+```
+Subject: Reset your password
+
+Hi,
+
+Someone requested a password reset for your account.
+
+[Reset Password button]
+
+This link expires in 1 hour. If you didn't request this, ignore this email.
+```
+
+### Transactional (Order Confirmation)
+
+```
+Subject: Order #1234 confirmed
+
+Hi [Name],
+
+Your order is confirmed.
+
+[Order summary table]
+  Item 1 — $XX.XX
+  Item 2 — $XX.XX
+  Total  — $XX.XX
+
+We'll email you when it ships.
+
+[View Order button]
+```
+
+---
+
+## React Email (If Using Resend)
+
+```typescript
+// emails/welcome.tsx
+import { Html, Head, Body, Container, Text, Button } from '@react-email/components';
+
+export function WelcomeEmail({ name, url }: { name: string; url: string }) {
+  return (
+    <Html>
+      <Head />
+      <Body style={{ fontFamily: 'sans-serif', background: '#f9f9f9' }}>
+        <Container style={{ maxWidth: 480, margin: '0 auto', padding: 24 }}>
+          <Text style={{ fontSize: 20, fontWeight: 'bold' }}>
+            Welcome, {name}!
+          </Text>
+          <Text>Thanks for signing up. Get started:</Text>
+          <Button
+            href={url}
+            style={{
+              background: '#2563EB',
+              color: 'white',
+              padding: '12px 24px',
+              borderRadius: 6,
+            }}
+          >
+            Go to Dashboard
+          </Button>
+        </Container>
+      </Body>
+    </Html>
+  );
+}
+```
+
+---
+
+## Deliverability Basics
+
+### Required Setup
+
+1. **Custom domain** — send from `noreply@yourdomain.com`, not `@resend.dev`
+2. **DNS records** — add SPF, DKIM, and DMARC records (provider gives you these)
+3. **From name** — use your app name, not a person's name
+
+### Rules
+
+- Don't send from `noreply@gmail.com` or free email providers
+- Keep subject lines short (under 50 characters)
+- Don't use spam trigger words (FREE, URGENT, ACT NOW)
+- Always include a plain text version alongside HTML
+- Test with email preview tools before sending
+
+---
+
+## Error Handling
+
+```typescript
+// Emails should never crash your app
+try {
+  await sendEmail({ to, subject, html });
+} catch (error) {
+  // Log but don't block the user action
+  console.error('Failed to send email:', error);
+  // The user action (signup, order) should still succeed
+}
+```
+
+**Rule:** Email sending failures should be logged, not thrown. Never let a failed email block a user from completing an action.
+
+---
+
+## Common Mistakes
+
+| Mistake | Fix |
+|---------|-----|
+| Sending from free email domain | Set up custom domain |
+| No DNS records (SPF/DKIM) | Add them or emails go to spam |
+| Blocking user actions on email failure | Send async, log errors |
+| Building complex email templates early | Start with plain, styled text |
+| Sending too many emails | Only send what users expect |
+
+---
+
+*Last updated: Baton Protocol v3.1*

package/templates/skills/patterns/file-uploads/SKILL.md

@@ -0,0 +1,216 @@
+---
+name: file-uploads
+description: >-
+  File upload patterns — storage strategy, direct uploads, presigned URLs,
+  image optimization, and validation. Load at Session 2-4 when the project
+  needs file uploads (avatars, images, documents). Use when implementing
+  any file upload feature.
+---
+
+# File Uploads Skill
+
+> Files are the messiest feature. Validate early, store smart, serve fast.
+
+---
+
+## Choose Storage (Session 1-2)
+
+| Storage | Best For | Pricing |
+|---------|----------|---------|
+| **Supabase Storage** | Already using Supabase | 1GB free, then $0.021/GB |
+| **Vercel Blob** | Simple, Next.js apps | 100MB free |
+| **AWS S3** | Full control, large scale | Pay per GB |
+| **Cloudflare R2** | S3-compatible, no egress fees | 10GB free |
+
+**Default:** Use whatever your stack already includes. Supabase project? Use Supabase Storage. Don't add a new service just for files.
+
+---
+
+## Upload Flow (Session 2-3)
+
+### Direct Upload (Recommended)
+
+```
+Browser → Presigned URL from server → Upload directly to storage → Save URL in database
+```
+
+**Why direct:** Files don't pass through your server. Faster, cheaper, no server memory issues.
+
+### Server Upload (Simple but Limited)
+
+```
+Browser → Server → Storage → Save URL in database
+```
+
+**When to use:** Small files only (<5MB), when presigned URLs are overkill.
+
+### Presigned URL Pattern
+
+```typescript
+// 1. Client requests upload URL
+// POST /api/upload/request
+'use server'
+export async function getUploadUrl(filename: string, contentType: string) {
+  const user = await getAuthenticatedUser();
+  if (!user) throw new Error('Not authenticated');
+
+  // Validate before generating URL
+  if (!ALLOWED_TYPES.includes(contentType)) {
+    throw new Error('Invalid file type');
+  }
+
+  const path = `${user.id}/${Date.now()}-${filename}`;
+  const { data, error } = await supabase.storage
+    .from('uploads')
+    .createSignedUploadUrl(path);
+
+  return { uploadUrl: data.signedUrl, path };
+}
+
+// 2. Client uploads directly to storage using the URL
+// 3. Client sends the path back to save in database
+```
+
+---
+
+## Validation (Always)
+
+### Before Upload
+
+```typescript
+const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/webp', 'application/pdf'];
+const MAX_SIZE = 10 * 1024 * 1024; // 10MB
+
+function validateFile(file: File): string | null {
+  if (!ALLOWED_TYPES.includes(file.type)) {
+    return 'File type not allowed';
+  }
+  if (file.size > MAX_SIZE) {
+    return 'File too large (max 10MB)';
+  }
+  return null; // valid
+}
+```
+
+### What to Validate
+
+| Check | Why |
+|-------|-----|
+| File type (MIME) | Prevent executable uploads |
+| File size | Prevent storage abuse |
+| Filename | Sanitize special characters |
+| Dimensions (images) | Prevent absurdly large images |
+
+### Never Trust the Client
+
+- Validate on server AND client
+- Client validation is for UX (fast feedback)
+- Server validation is for security (can't be bypassed)
+
+---
+
+## Image Optimization
+
+### On Upload
+
+- Resize to max dimensions (e.g., 1920px wide for display images)
+- Generate thumbnails (200x200 for avatars, 400x300 for cards)
+- Convert to WebP (smaller, supported everywhere)
+
+### On Display
+
+```tsx
+// Next.js Image handles optimization automatically
+import Image from 'next/image';
+
+<Image
+  src={imageUrl}
+  alt={description}
+  width={400}
+  height={300}
+  className="object-cover"
+/>
+```
+
+**Rule:** Always use Next.js `<Image>` for user-uploaded images. It handles lazy loading, sizing, and format conversion.
+
+---
+
+## Avatar Upload Pattern
+
+The most common file upload feature:
+
+```typescript
+// Upload component
+function AvatarUpload({ currentUrl }: { currentUrl?: string }) {
+  async function handleChange(e: ChangeEvent<HTMLInputElement>) {
+    const file = e.target.files?.[0];
+    if (!file) return;
+
+    const error = validateFile(file);
+    if (error) { alert(error); return; }
+
+    // Get presigned URL
+    const { uploadUrl, path } = await getUploadUrl(file.name, file.type);
+
+    // Upload directly to storage
+    await fetch(uploadUrl, { method: 'PUT', body: file });
+
+    // Save path in database
+    await updateAvatar(path);
+  }
+
+  return (
+    <label>
+      <img src={currentUrl || '/default-avatar.png'} />
+      <input type="file" accept="image/*" onChange={handleChange} hidden />
+    </label>
+  );
+}
+```
+
+---
+
+## Storage Organization
+
+### File Path Convention
+
+```
+{user_id}/{purpose}/{timestamp}-{filename}
+
+Examples:
+abc123/avatars/1708300800-photo.jpg
+abc123/documents/1708300800-contract.pdf
+abc123/products/1708300800-hero-image.webp
+```
+
+**Rules:**
+- Always include user/org ID (for RLS and cleanup)
+- Include timestamp (prevents collisions)
+- Sanitize filename (remove special characters)
+
+---
+
+## Security
+
+- Never serve user uploads from your main domain (use storage CDN URL)
+- Set appropriate bucket policies (public for avatars, private for documents)
+- Generate signed URLs for private files (expire in 1 hour)
+- Scan for malware if handling sensitive documents (enterprise only)
+
+---
+
+## Common Mistakes
+
+| Mistake | Fix |
+|---------|-----|
+| Storing files in database (BLOB) | Use object storage |
+| No file size limit | Always set MAX_SIZE |
+| Accepting any file type | Whitelist allowed MIME types |
+| Uploading through server | Use presigned URLs for large files |
+| Not handling upload failures | Show error, allow retry |
+| No loading indicator | Show progress bar during upload |
+
+---
+
+*Last updated: Baton Protocol v3.1*

package/templates/skills/patterns/payments/SKILL.md

@@ -0,0 +1,246 @@
+---
+name: payments
+description: >-
+  Payment integration patterns — Stripe Checkout, subscriptions, webhooks,
+  one-time payments, and billing portal. Load at Session 3-5 when the project
+  needs to accept payments. Use when discussing monetization or implementing
+  checkout.
+---
+
+# Payments Skill
+
+> Money code has zero margin for error. Use Stripe, don't build custom.
+
+---
+
+## Rule #1: Use Stripe Checkout
+
+Don't build a custom payment form. Ever. Stripe Checkout handles:
+- PCI compliance (you don't want this responsibility)
+- Card input with validation
+- Apple Pay, Google Pay, Link
+- 3D Secure authentication
+- Tax calculation
+- Receipt emails
+- 135+ currencies
+
+---
+
+## Choose Your Payment Model
+
+| Model | Use When | Stripe Feature |
+|-------|----------|---------------|
+| **One-time** | Selling a product or service | Checkout (payment mode) |
+| **Subscription** | Monthly/annual SaaS | Checkout (subscription mode) |
+| **Usage-based** | Pay per API call, storage, etc. | Metered billing |
+| **Freemium** | Free tier + paid upgrade | Checkout + feature gating |
+
+**Default for SaaS:** Subscription with annual discount.
+**Default for e-commerce:** One-time payments.
+
+---
+
+## One-Time Payment (Session 3-4)
+
+### Create Checkout Session
+
+```typescript
+'use server'
+import Stripe from 'stripe';
+
+const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
+
+export async function createCheckout(items: CartItem[]) {
+  const session = await stripe.checkout.sessions.create({
+    mode: 'payment',
+    line_items: items.map(item => ({
+      price_data: {
+        currency: 'usd',
+        product_data: { name: item.name },
+        unit_amount: item.priceCents,
+      },
+      quantity: item.quantity,
+    })),
+    success_url: `${process.env.NEXT_PUBLIC_APP_URL}/success?session_id={CHECKOUT_SESSION_ID}`,
+    cancel_url: `${process.env.NEXT_PUBLIC_APP_URL}/cart`,
+  });
+
+  redirect(session.url!);
+}
+```
+
+### Success Page
+
+```typescript
+// app/success/page.tsx
+export default async function SuccessPage({ searchParams }) {
+  const sessionId = searchParams.session_id;
+
+  // Verify the session is real (don't trust the URL alone)
+  const session = await stripe.checkout.sessions.retrieve(sessionId);
+
+  if (session.payment_status !== 'paid') {
+    redirect('/cart');
+  }
+
+  return <div>Payment successful! Order confirmed.</div>;
+}
+```
+
+---
+
+## Subscription (Session 3-5)
+
+### Setup
+
+1. Create products and prices in Stripe Dashboard (not in code)
+2. Store Stripe `price_id` in your environment variables
+3. Create checkout session with subscription mode
+
+```typescript
+const session = await stripe.checkout.sessions.create({
+  mode: 'subscription',
+  line_items: [{
+    price: process.env.STRIPE_PRO_PRICE_ID,
+    quantity: 1,
+  }],
+  customer_email: user.email,
+  success_url: `${baseUrl}/dashboard?upgraded=true`,
+  cancel_url: `${baseUrl}/pricing`,
+});
+```
+
+### Customer Portal (Managing Subscriptions)
+
+Don't build subscription management UI. Use Stripe's Customer Portal:
+
+```typescript
+export async function createPortalSession(customerId: string) {
+  const session = await stripe.billingPortal.sessions.create({
+    customer: customerId,
+    return_url: `${process.env.NEXT_PUBLIC_APP_URL}/settings`,
+  });
+
+  redirect(session.url);
+}
+```
+
+This gives users: plan changes, cancellation, payment method updates, invoice history — all built by Stripe.
+
+---
+
+## Webhooks (Critical)
+
+### Setup
+
+```typescript
+// app/api/webhooks/stripe/route.ts
+export async function POST(req: Request) {
+  const body = await req.text();
+  const signature = req.headers.get('stripe-signature')!;
+
+  let event: Stripe.Event;
+  try {
+    event = stripe.webhooks.constructEvent(
+      body,
+      signature,
+      process.env.STRIPE_WEBHOOK_SECRET!
+    );
+  } catch (err) {
+    return Response.json({ error: 'Invalid signature' }, { status: 400 });
+  }
+
+  switch (event.type) {
+    case 'checkout.session.completed':
+      await handleCheckoutComplete(event.data.object);
+      break;
+    case 'customer.subscription.updated':
+      await handleSubscriptionUpdate(event.data.object);
+      break;
+    case 'customer.subscription.deleted':
+      await handleSubscriptionCancelled(event.data.object);
+      break;
+    case 'invoice.payment_failed':
+      await handlePaymentFailed(event.data.object);
+      break;
+  }
+
+  return Response.json({ received: true });
+}
+```
+
+### Critical Rules
+
+- **Always verify signatures** — never skip this
+- **Return 200 quickly** — do heavy processing async
+- **Handle idempotently** — webhooks can fire multiple times
+- **Log every event** — you'll need this for debugging
+
+### Testing Webhooks Locally
+
+```bash
+# Install Stripe CLI
+stripe listen --forward-to localhost:3000/api/webhooks/stripe
+```
+
+This gives you a temporary webhook secret for local development.
+
+---
+
+## Pricing Page (Session 3-4)
+
+### Standard Layout
+
+```
+Free          Pro           Enterprise
+$0/mo         $29/mo        Custom
+              ($290/year)
+
+Feature 1 ✓   Feature 1 ✓   Feature 1 ✓
+Feature 2 ✗   Feature 2 ✓   Feature 2 ✓
+Feature 3 ✗   Feature 3 ✓   Feature 3 ✓
+              Feature 4 ✓   Feature 4 ✓
+                            Feature 5 ✓
+
+[Start Free]  [Upgrade]     [Contact Us]
+```
+
+**Rules:**
+- Highlight the recommended plan (usually middle)
+- Show annual pricing with savings ("Save 20%")
+- List features, not technical specs
+- Primary CTA on the plan you want people to pick
+
+---
+
+## Environment Variables
+
+```bash
+# .env.local
+STRIPE_SECRET_KEY=sk_test_...          # Server only
+STRIPE_WEBHOOK_SECRET=whsec_...        # Server only
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_...  # Client OK
+
+# Price IDs (from Stripe Dashboard)
+STRIPE_PRO_MONTHLY_PRICE_ID=price_...
+STRIPE_PRO_ANNUAL_PRICE_ID=price_...
+```
+
+**Never expose the secret key to the client.**
+
+---
+
+## Common Mistakes
+
+| Mistake | Fix |
+|---------|-----|
+| Building custom payment form | Use Stripe Checkout |
+| Building subscription management UI | Use Stripe Customer Portal |
+| Not verifying webhook signatures | Always verify |
+| Trusting client-side payment confirmation | Verify via webhook |
+| Hardcoding prices in UI | Pull from Stripe or env vars |
+| Forgetting test mode vs live mode | Check keys before launch |
+
+---
+
+*Last updated: Baton Protocol v3.1*