create-tigra 2.0.4 → 2.1.1

package/bin/create-tigra.js

@@ -124,11 +124,11 @@ async function main() {
   program
     .name('create-tigra')
     .description('Create a production-ready full-stack app with Next.js + Fastify + Prisma + Redis')
-    .version('2.0.2')
+    .version('2.1.0')
     .argument('[project-name]', 'Name for your new project')
     .action(async (projectNameArg) => {
       console.log();
-      console.log(chalk.bold('  Create Tigra') + chalk.dim(' v2.0.2'));
+      console.log(chalk.bold('  Create Tigra') + chalk.dim(' v2.1.0'));
       console.log();
 
       let projectName = projectNameArg;
@@ -213,6 +213,9 @@ async function main() {
           }
         }
 
+        // Create .developer-role file (default: fullstack = no restrictions)
+        await fs.writeFile(path.join(targetDir, '.developer-role'), 'fullstack\n', 'utf-8');
+
         spinner.succeed('Project scaffolded successfully!');
       } catch (error) {
         spinner.fail('Failed to scaffold project');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-tigra",
-  "version": "2.0.4",
+  "version": "2.1.1",
   "type": "module",
   "description": "Create a production-ready full-stack app with Next.js 16 + Fastify 5 + Prisma + Redis",
   "bin": {

package/template/_claude/hooks/restrict-paths.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+# Restrict Claude's WRITE access based on the .developer-role file.
+# Claude can always READ any file for full project context.
+# Only Edit/Write operations are blocked on the other side's directory.
+#
+# To switch roles, either:
+#   1. Edit .developer-role and type: frontend, backend, or fullstack
+#   2. Use /role command in Claude
+#
+# fullstack (or empty/missing file) = no restrictions
+
+ROLE_FILE="$CLAUDE_PROJECT_DIR/.developer-role"
+
+# Read role from file, trim whitespace
+if [ -f "$ROLE_FILE" ]; then
+  ROLE=$(tr -d '[:space:]' < "$ROLE_FILE")
+else
+  ROLE=""
+fi
+
+# No file, empty, or fullstack = full access
+if [ -z "$ROLE" ] || [ "$ROLE" = "fullstack" ]; then
+  exit 0
+fi
+
+# Read stdin (JSON from Claude Code)
+INPUT=$(cat)
+
+# Extract tool_name from JSON
+TOOL_NAME=$(echo "$INPUT" | grep -oP '"tool_name"\s*:\s*"[^"]*"' | head -1 | sed 's/.*:.*"\(.*\)"/\1/')
+
+# Only block write operations (Edit, Write). Allow Read, Glob, Grep.
+if [ "$TOOL_NAME" != "Edit" ] && [ "$TOOL_NAME" != "Write" ]; then
+  exit 0
+fi
+
+# Extract file_path or path from JSON
+FILE_PATH=""
+for field in file_path path; do
+  value=$(echo "$INPUT" | grep -oP "\"${field}\"\s*:\s*\"[^\"]*\"" | head -1 | sed 's/.*:.*"\(.*\)"/\1/')
+  if [ -n "$value" ]; then
+    FILE_PATH="$value"
+    break
+  fi
+done
+
+# No file path found = allow
+if [ -z "$FILE_PATH" ]; then
+  exit 0
+fi
+
+deny_with_reason() {
+  cat <<DENY_EOF
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"$1"}}
+DENY_EOF
+  exit 0
+}
+
+if [ "$ROLE" = "frontend" ]; then
+  if echo "$FILE_PATH" | grep -qiE "(^|/|\\\\)server(/|\\\\|$)"; then
+    deny_with_reason "BLOCKED: Role is set to frontend. You can read server/ files but cannot modify them. Only the backend developer can edit server/ code."
+  fi
+elif [ "$ROLE" = "backend" ]; then
+  if echo "$FILE_PATH" | grep -qiE "(^|/|\\\\)client(/|\\\\|$)"; then
+    deny_with_reason "BLOCKED: Role is set to backend. You can read client/ files but cannot modify them. Only the frontend developer can edit client/ code."
+  fi
+fi
+
+exit 0

package/template/_claude/settings.json

@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/restrict-paths.sh\""
+          }
+        ]
+      }
+    ]
+  }
+}

package/template/_claude/skills/role/SKILL.md

@@ -0,0 +1,39 @@
+---
+name: role
+description: Switch developer role to restrict Claude's access to frontend-only, backend-only, or full access
+argument-hint: "[frontend | backend | fullstack]"
+disable-model-invocation: true
+allowed-tools: Read, Write
+---
+
+The user wants to switch their developer role. The argument is: $ARGUMENTS
+
+Read the file `.developer-role` in the project root to see the current role.
+
+## Rules
+
+- If the argument is `frontend`, `backend`, or `fullstack` — write that word to `.developer-role` and confirm the switch.
+- If no argument is given — read `.developer-role` and tell the user their current role, then ask which role they want.
+- If the argument is not one of the three valid roles — tell the user the valid options.
+
+## What each role does
+
+Claude can always READ all files for full project context. Only WRITE access is restricted.
+
+| Role | Can edit |
+|------|---------|
+| `frontend` | `client/` only. Cannot edit `server/` files. |
+| `backend` | `server/` only. Cannot edit `client/` files. |
+| `fullstack` | Everything. No restrictions. |
+
+## Response format
+
+After switching, confirm like this:
+
+```
+Role switched to **{role}**.
+
+- frontend → can edit client/ only (can read everything)
+- backend → can edit server/ only (can read everything)
+- fullstack → can edit everything
+```

package/template/gitignore

@@ -22,6 +22,9 @@ Thumbs.db
 # Claude Code local settings
 .claude/settings.local.json
 
+# Developer role (personal per developer)
+.developer-role
+
 # Playwright MCP artifacts
 .playwright-mcp/