create-baton 1.0.0

package/templates/skills/core/security/SKILL.md

@@ -0,0 +1,309 @@
+---
+name: security
+description: >-
+  Universal security rules for every project. Covers secrets management,
+  database security, input validation, authentication, API security, and
+  common vulnerabilities. Use when building auth, handling user data,
+  setting up databases, or reviewing security.
+---
+
+# Security Skill — Universal Rules
+
+> These rules apply to EVERY project, regardless of stack or domain.
+> Violations are blockers. Do not ship without addressing them.
+
+---
+
+## Secrets Management
+
+### Never Commit Secrets
+
+```
+# BLOCKED - Never do this
+const API_KEY = "sk-live-abc123..."
+const DATABASE_URL = "postgres://user:password@..."
+
+# CORRECT - Use environment variables
+const API_KEY = process.env.API_KEY
+const DATABASE_URL = process.env.DATABASE_URL
+```
+
+### Environment Variable Rules
+
+| Variable Type | Prefix | Exposed To |
+|--------------|--------|------------|
+| Server-only secrets | None | Server only |
+| Public keys | NEXT_PUBLIC_ / VITE_ | Client + Server |
+
+```bash
+# .env.local (never commit)
+DATABASE_URL=...           # Server only
+API_SECRET=...             # Server only
+NEXT_PUBLIC_APP_URL=...    # Safe for client
+```
+
+### Check Before Commit
+
+Before every commit, verify:
+- [ ] No hardcoded secrets in code
+- [ ] .env files in .gitignore
+- [ ] No secrets in error messages or logs
+
+---
+
+## Database Security
+
+### Row Level Security (RLS)
+
+**MANDATORY for all tables.** No exceptions.
+
+```sql
+-- Enable RLS on every table
+ALTER TABLE items ENABLE ROW LEVEL SECURITY;
+
+-- Default deny - explicit policies required
+CREATE POLICY "Users see own data"
+ON items FOR SELECT
+USING (auth.uid() = user_id);
+```
+
+### Verify RLS Is Enabled
+
+```sql
+-- Check all tables have RLS
+SELECT tablename, rowsecurity
+FROM pg_tables
+WHERE schemaname = 'public';
+```
+
+Every table should show `rowsecurity = true`.
+
+### Service Role Key
+
+- Use ONLY in server-side code
+- NEVER expose to client
+- Use for admin operations and background jobs only
+
+---
+
+## Input Validation
+
+### Validate All Inputs
+
+Every form, API endpoint, and server action MUST validate input.
+
+```typescript
+// REQUIRED - Use Zod or similar
+import { z } from 'zod'
+
+const schema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1).max(100),
+  age: z.number().int().positive().optional(),
+})
+
+// Validate before using
+const result = schema.safeParse(input)
+if (!result.success) {
+  return { error: 'Invalid input' }
+}
+```
+
+### Never Trust Client Data
+
+```typescript
+// BAD - Trusting client-provided user ID
+const userId = req.body.userId  // User can send any ID!
+
+// GOOD - Get user ID from authenticated session
+const userId = session.user.id  // Server-verified
+```
+
+---
+
+## Authentication
+
+### Verify Auth on Every Protected Route
+
+```typescript
+// Server component
+const user = await getAuthenticatedUser()
+if (!user) {
+  redirect('/login')
+}
+
+// API route
+export async function POST(req: Request) {
+  const user = await getAuthenticatedUser()
+  if (!user) {
+    return Response.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+}
+```
+
+### Session Security
+
+- Use HTTP-only cookies for tokens (not localStorage)
+- Set secure flag in production
+- Implement session expiry
+- Rotate tokens on privilege changes
+
+---
+
+## API Security
+
+### Rate Limiting
+
+All public endpoints MUST have rate limiting.
+
+```typescript
+// Example with Upstash
+import { Ratelimit } from '@upstash/ratelimit'
+
+const ratelimit = new Ratelimit({
+  limiter: Ratelimit.slidingWindow(10, '10 s'), // 10 requests per 10 seconds
+})
+
+const { success } = await ratelimit.limit(identifier)
+if (!success) {
+  return Response.json({ error: 'Too many requests' }, { status: 429 })
+}
+```
+
+### CORS
+
+Configure CORS to allow only trusted origins:
+
+```typescript
+// Only allow your domain
+const allowedOrigins = ['https://yourdomain.com']
+```
+
+---
+
+## File Uploads
+
+### Validate Before Accepting
+
+```typescript
+// Check file type
+const allowedTypes = ['image/jpeg', 'image/png', 'application/pdf']
+if (!allowedTypes.includes(file.type)) {
+  return { error: 'Invalid file type' }
+}
+
+// Check file size (e.g., 5MB max)
+const maxSize = 5 * 1024 * 1024
+if (file.size > maxSize) {
+  return { error: 'File too large' }
+}
+```
+
+### Store Securely
+
+- Use signed URLs for private files
+- Set appropriate expiry times
+- Never serve user uploads from your main domain (use CDN/storage domain)
+
+---
+
+## Error Handling
+
+### Never Expose Internal Errors
+
+```typescript
+// BAD - Exposes internal details
+catch (error) {
+  return { error: error.message }  // Could leak DB schema, paths, etc.
+}
+
+// GOOD - Generic message, log internally
+catch (error) {
+  console.error('Operation failed:', error)  // Log for debugging
+  return { error: 'Something went wrong' }   // Safe for user
+}
+```
+
+### Log Sensitive Operations
+
+Log but don't expose:
+- Failed login attempts
+- Permission denied events
+- Unusual patterns (many requests, odd hours)
+
+---
+
+## HTTPS
+
+### Enforce HTTPS Everywhere
+
+- All production traffic over HTTPS
+- Redirect HTTP to HTTPS
+- Use HSTS headers
+
+```typescript
+// Middleware example
+if (process.env.NODE_ENV === 'production' && !req.secure) {
+  return Response.redirect(`https://${req.host}${req.url}`)
+}
+```
+
+---
+
+## Security Headers
+
+Add these headers in production:
+
+```typescript
+// next.config.js or middleware
+const securityHeaders = [
+  { key: 'X-Frame-Options', value: 'DENY' },
+  { key: 'X-Content-Type-Options', value: 'nosniff' },
+  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+  { key: 'X-XSS-Protection', value: '1; mode=block' },
+]
+```
+
+### Content Security Policy (CSP)
+
+For apps with user content or third-party scripts:
+
+```typescript
+{
+  key: 'Content-Security-Policy',
+  value: "default-src 'self'; script-src 'self' 'unsafe-inline'..."
+}
+```
+
+---
+
+## Quick Checklist
+
+Before any release:
+
+- [ ] No secrets in code or logs
+- [ ] RLS enabled on all tables
+- [ ] All inputs validated with Zod
+- [ ] Auth checked on all protected routes
+- [ ] Rate limiting on public APIs
+- [ ] File uploads validated (type + size)
+- [ ] Error messages don't leak internals
+- [ ] HTTPS enforced
+- [ ] Security headers configured
+
+---
+
+## Common Vulnerabilities to Avoid
+
+| Vulnerability | Prevention |
+|--------------|------------|
+| SQL Injection | Use parameterized queries (ORMs do this) |
+| XSS | Escape user content, use CSP |
+| CSRF | Use anti-CSRF tokens (frameworks handle this) |
+| Broken Auth | Verify session on every request |
+| Sensitive Data Exposure | Encrypt at rest, HTTPS in transit |
+| Insecure File Upload | Validate type/size, use signed URLs |
+
+---
+
+*Last updated: Baton Protocol v3.1*

package/templates/skills/core/testing/SKILL.md

@@ -0,0 +1,307 @@
+---
+name: testing
+description: >-
+  Universal testing standards for any project. Covers build verification,
+  smoke testing, automated test levels, and session testing protocol.
+  Use when setting up tests, reviewing test coverage, discussing testing
+  strategy, or when the user asks about testing.
+---
+
+# Testing Skill — Universal Rules
+
+> Testing standards that apply to every project.
+> Not all projects need all tests, but all projects need SOME testing.
+
+---
+
+## Testing Philosophy
+
+### The Minimum Viable Testing Rule
+
+Every project MUST have at least:
+1. **Build verification** — Code compiles without errors
+2. **Smoke test** — Core user flows work manually
+3. **Critical path coverage** — Main features don't break
+
+### When to Add More Testing
+
+| Project Stage | Testing Level |
+|---------------|--------------|
+| MVP / Prototype | Build + manual smoke test |
+| Beta / Early users | Add critical path tests |
+| Production / Paying users | Comprehensive test suite |
+
+Don't over-test early. Don't under-test late.
+
+---
+
+## Build Verification
+
+### Always Required
+
+Before ending ANY session:
+
+```bash
+# Must pass with no errors
+npm run build    # or yarn build, pnpm build
+
+# TypeScript projects
+npx tsc --noEmit  # Type check only
+```
+
+### What "Build Passes" Means
+
+- [ ] No compilation errors
+- [ ] No TypeScript errors
+- [ ] No unresolved imports
+- [ ] Build output generated successfully
+
+**If build fails, session is NOT complete.**
+
+---
+
+## Manual Smoke Testing
+
+### What to Test Each Session
+
+After completing tasks, manually verify:
+
+1. **New features work** — Demo what you just built
+2. **Core flows still work** — Login, main action, logout
+3. **No visual regressions** — UI looks correct
+
+### Smoke Test Checklist Template
+
+```markdown
+## Session N Smoke Test
+
+### New Features
+- [ ] [Feature 1] works as expected
+- [ ] [Feature 2] works as expected
+
+### Core Flows
+- [ ] Can log in
+- [ ] Can perform main action
+- [ ] Can log out
+
+### Visual Check
+- [ ] No layout breaks
+- [ ] No missing elements
+- [ ] Mobile view works (if applicable)
+```
+
+---
+
+## Automated Testing Levels
+
+### Level 1: Unit Tests
+
+Test individual functions in isolation.
+
+```typescript
+// Example: Testing a utility function
+import { formatCurrency } from '@/lib/utils'
+
+describe('formatCurrency', () => {
+  it('formats cents to dollars', () => {
+    expect(formatCurrency(1000)).toBe('$10.00')
+  })
+
+  it('handles zero', () => {
+    expect(formatCurrency(0)).toBe('$0.00')
+  })
+})
+```
+
+**When to add:** When you have pure functions with business logic.
+
+### Level 2: Integration Tests
+
+Test multiple components working together.
+
+```typescript
+// Example: Testing a server action
+import { createItem } from '@/lib/actions/items'
+
+describe('createItem', () => {
+  it('creates item and returns it', async () => {
+    const result = await createItem({
+      name: 'Test Item',
+      userId: 'test-user-id',
+    })
+
+    expect(result.success).toBe(true)
+    expect(result.data.name).toBe('Test Item')
+  })
+})
+```
+
+**When to add:** When you have server actions or API routes with critical logic.
+
+### Level 3: End-to-End Tests
+
+Test full user flows in a browser.
+
+```typescript
+// Example: Playwright E2E test
+import { test, expect } from '@playwright/test'
+
+test('user can create an item', async ({ page }) => {
+  await page.goto('/login')
+  await page.fill('[name="email"]', 'test@example.com')
+  await page.fill('[name="password"]', 'password')
+  await page.click('button[type="submit"]')
+
+  await page.goto('/items/new')
+  await page.fill('[name="name"]', 'New Item')
+  await page.click('button[type="submit"]')
+
+  await expect(page.locator('text=New Item')).toBeVisible()
+})
+```
+
+**When to add:** When you have paying users and can't afford broken flows.
+
+---
+
+## Test File Organization
+
+```
+src/
+├── lib/
+│   ├── utils.ts
+│   └── utils.test.ts      # Co-located unit tests
+├── actions/
+│   ├── items.ts
+│   └── items.test.ts      # Co-located action tests
+tests/
+├── e2e/                    # End-to-end tests
+│   ├── auth.spec.ts
+│   └── items.spec.ts
+└── setup.ts                # Test configuration
+```
+
+---
+
+## Testing Tools by Stack
+
+### Next.js / React
+
+| Type | Tool | Why |
+|------|------|-----|
+| Unit | Vitest or Jest | Fast, good DX |
+| Component | React Testing Library | Tests user behavior |
+| E2E | Playwright | Reliable, fast |
+
+### Node.js / Backend
+
+| Type | Tool | Why |
+|------|------|-----|
+| Unit | Vitest or Jest | Standard |
+| Integration | Supertest | HTTP testing |
+| E2E | Playwright or Cypress | Full flow |
+
+---
+
+## What to Test (Priority Order)
+
+### Must Test (Critical Path)
+
+1. **Authentication** — Login, logout, session handling
+2. **Core user action** — The main thing users do
+3. **Payment flows** — If you charge money
+4. **Data integrity** — Critical calculations, financial data
+
+### Should Test (Important)
+
+5. **Form validation** — Error states, edge cases
+6. **API error handling** — What happens when things fail
+7. **Permissions** — Users can only access their data
+
+### Nice to Test (Polish)
+
+8. **UI states** — Loading, empty, error states
+9. **Edge cases** — Empty inputs, long strings, special characters
+10. **Accessibility** — Screen reader, keyboard nav
+
+---
+
+## Session Testing Protocol
+
+### Before Ending Session
+
+1. **Run build** — Must pass
+2. **Run existing tests** — All must pass
+3. **Manual smoke test** — Core flows work
+4. **Document test status** — Note in PROGRESS.md
+
+### Test Status in PROGRESS.md
+
+```markdown
+### Session N - Testing
+
+**Build:** ✅ Passes
+**Existing Tests:** ✅ 12/12 passing
+**New Tests Added:** 2 (item creation, validation)
+**Manual Smoke Test:** ✅ Completed
+
+**Coverage Notes:**
+- Added tests for createItem action
+- Auth flow manually verified
+```
+
+---
+
+## When Tests Fail
+
+### In CI/Build
+
+1. Stop deployment
+2. Fix the failing test
+3. Verify fix locally
+4. Push and verify CI passes
+
+### Flaky Tests
+
+A test that sometimes passes and sometimes fails is **worse than no test**.
+
+- Fix immediately or delete
+- Never ignore flaky tests
+- Usually caused by: timing issues, shared state, network dependencies
+
+---
+
+## Testing Debt
+
+Track testing gaps in BACKLOG.md:
+
+```markdown
+## Testing Debt
+
+- [ ] Add E2E tests for checkout flow (Session 8)
+- [ ] Add unit tests for currency conversion (Session 5)
+- [ ] Fix flaky auth test (Session 7)
+```
+
+Address testing debt before adding more features.
+
+---
+
+## Quick Checklist
+
+Every session:
+- [ ] Build passes
+- [ ] Existing tests pass
+- [ ] New critical features have tests
+- [ ] Manual smoke test completed
+- [ ] Test status documented
+
+Before launch:
+- [ ] Critical path has automated tests
+- [ ] No flaky tests
+- [ ] Test coverage documented
+- [ ] CI/CD runs tests on every push
+
+---
+
+*Last updated: Baton Protocol v3.1*