devsquad 1.0.0

package/templates/.claude/skills/nestjs/auth.md

@@ -0,0 +1,187 @@
+# NestJS — Autenticação JWT
+
+## Prisma Schema (auth)
+
+```prisma
+model User {
+  id                 String    @id @default(uuid())
+  email              String    @unique
+  password           String
+  name               String
+  role               Role      @default(USER)
+  hashedRefreshToken String?   // para refresh token rotation
+  createdAt          DateTime  @default(now())
+  updatedAt          DateTime  @updatedAt
+  deletedAt          DateTime?
+
+  @@map("users")
+  @@index([email])
+}
+
+enum Role { ADMIN USER }
+```
+
+> 📖 UUID evita enumeração de IDs — OWASP A01. `hashedRefreshToken` armazenado como hash (bcrypt) para invalidação segura.
+
+## JWT Strategy
+
+```typescript
+// strategies/jwt.strategy.ts
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import { ConfigService } from '@nestjs/config';
+import { PrismaService } from '../../prisma/prisma.service';
+
+@Injectable()
+export class JwtStrategy extends PassportStrategy(Strategy) {
+  constructor(config: ConfigService, private prisma: PrismaService) {
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      secretOrKey: config.get('jwt.secret'),
+    });
+  }
+
+  async validate(payload: { sub: string; email: string; role: string }) {
+    const user = await this.prisma.user.findUnique({
+      where: { id: payload.sub, deletedAt: null },
+    });
+    if (!user) throw new UnauthorizedException();
+    const { password, hashedRefreshToken, ...result } = user;
+    return result;
+  }
+}
+```
+
+## Auth Service — Login + Refresh Token Rotation
+
+```typescript
+// auth.service.ts
+import { Injectable, UnauthorizedException, ForbiddenException } from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import { ConfigService } from '@nestjs/config';
+import { PrismaService } from '../../prisma/prisma.service';
+import * as bcrypt from 'bcrypt';
+
+@Injectable()
+export class AuthService {
+  constructor(
+    private prisma: PrismaService,
+    private jwt: JwtService,
+    private config: ConfigService,
+  ) {}
+
+  async login(email: string, password: string) {
+    const user = await this.prisma.user.findUnique({ where: { email } });
+
+    // 🔒 Mesma mensagem para email e senha inválidos — evita user enumeration
+    if (!user || !(await bcrypt.compare(password, user.password))) {
+      throw new UnauthorizedException('Credenciais inválidas');
+    }
+
+    const tokens = await this.generateTokens(user.id, user.email, user.role);
+    await this.updateRefreshToken(user.id, tokens.refresh_token);
+    return tokens;
+  }
+
+  async refresh(userId: string, refreshToken: string) {
+    const user = await this.prisma.user.findUnique({ where: { id: userId } });
+    if (!user?.hashedRefreshToken) throw new ForbiddenException();
+
+    const isValid = await bcrypt.compare(refreshToken, user.hashedRefreshToken);
+    if (!isValid) throw new ForbiddenException();
+
+    // 🔒 Rotation — invalida o token anterior a cada uso
+    const tokens = await this.generateTokens(user.id, user.email, user.role);
+    await this.updateRefreshToken(user.id, tokens.refresh_token);
+    return tokens;
+  }
+
+  async logout(userId: string) {
+    await this.prisma.user.update({
+      where: { id: userId },
+      data: { hashedRefreshToken: null },
+    });
+  }
+
+  private async generateTokens(userId: string, email: string, role: string) {
+    const payload = { sub: userId, email, role };
+    const [access_token, refresh_token] = await Promise.all([
+      this.jwt.signAsync(payload, {
+        secret: this.config.get('jwt.secret'),
+        expiresIn: '15m',
+      }),
+      this.jwt.signAsync(payload, {
+        secret: this.config.get('jwt.refreshSecret'),
+        expiresIn: '7d',
+      }),
+    ]);
+    return { access_token, refresh_token };
+  }
+
+  private async updateRefreshToken(userId: string, refreshToken: string) {
+    const hashed = await bcrypt.hash(refreshToken, 12);
+    await this.prisma.user.update({
+      where: { id: userId },
+      data: { hashedRefreshToken: hashed },
+    });
+  }
+}
+```
+
+## Guards e RBAC
+
+```typescript
+// guards/jwt-auth.guard.ts
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+@Injectable()
+export class JwtAuthGuard extends AuthGuard('jwt') {}
+
+// decorators/roles.decorator.ts
+import { SetMetadata } from '@nestjs/common';
+export const Roles = (...roles: string[]) => SetMetadata('roles', roles);
+
+// guards/roles.guard.ts
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+@Injectable()
+export class RolesGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+  canActivate(ctx: ExecutionContext): boolean {
+    const roles = this.reflector.get<string[]>('roles', ctx.getHandler());
+    if (!roles) return true;
+    return roles.includes(ctx.switchToHttp().getRequest().user?.role);
+  }
+}
+
+// decorators/current-user.decorator.ts
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+export const CurrentUser = createParamDecorator(
+  (_: unknown, ctx: ExecutionContext) => ctx.switchToHttp().getRequest().user,
+);
+```
+
+## Uso no Controller
+
+```typescript
+@Get('profile')
+@UseGuards(JwtAuthGuard)
+getProfile(@CurrentUser() user: User) { return user; }
+
+@Get('admin')
+@UseGuards(JwtAuthGuard, RolesGuard)
+@Roles('ADMIN')
+adminOnly() { return 'só admin'; }
+```
+
+## Checklist de Auth
+
+- [ ] bcrypt com salt 12 no hash de senhas
+- [ ] Mesma mensagem de erro para email/senha inválidos
+- [ ] Access token 15min + Refresh token 7d
+- [ ] Refresh token salvo como hash (bcrypt) no banco
+- [ ] Rotation implementada — token anterior invalidado a cada `/refresh`
+- [ ] Rate limiting no `/auth/login` — `@Throttle({ default: { ttl: 900000, limit: 5 } })`
+- [ ] `JwtAuthGuard` e `RolesGuard` criados e testados
+- [ ] `CurrentUser` decorator funcionando

package/templates/.claude/skills/nestjs/modules.md

@@ -0,0 +1,110 @@
+# NestJS — Padrão de módulo (DDD leve)
+
+Use este padrão para cada feature em `src/modules/<nome>/`.
+
+## Estrutura de pastas
+
+```
+src/modules/users/
+├── users.module.ts
+├── users.controller.ts
+├── users.service.ts
+├── dto/
+│   ├── create-user.dto.ts
+│   └── update-user.dto.ts
+└── entities/
+    └── user.entity.ts          ← opcional: classe pura ou type do Prisma
+```
+
+## users.module.ts
+
+```typescript
+import { Module } from '@nestjs/common';
+import { UsersService } from './users.service';
+import { UsersController } from './users.controller';
+import { PrismaModule } from '../../prisma/prisma.module';
+
+@Module({
+  imports: [PrismaModule],
+  controllers: [UsersController],
+  providers: [UsersService],
+  exports: [UsersService],
+})
+export class UsersModule {}
+```
+
+## DTOs (A03 — validação)
+
+```typescript
+// create-user.dto.ts
+import { IsEmail, IsString, MinLength, MaxLength } from 'class-validator';
+
+export class CreateUserDto {
+  @IsEmail()
+  email: string;
+
+  @IsString()
+  @MinLength(8)
+  @MaxLength(128)
+  password: string;
+
+  @IsString()
+  @MaxLength(100)
+  name: string;
+}
+```
+
+## Service (Prisma)
+
+```typescript
+import { Injectable, NotFoundException } from '@nestjs/common';
+import { PrismaService } from '../../prisma/prisma.service';
+import { CreateUserDto } from './dto/create-user.dto';
+
+@Injectable()
+export class UsersService {
+  constructor(private prisma: PrismaService) {}
+
+  async create(dto: CreateUserDto) {
+    // hash de senha no service ou em subcamada dedicada — ver auth.md
+    return this.prisma.user.create({ data: { /* mapear dto */ } });
+  }
+
+  async findOne(id: string) {
+    const user = await this.prisma.user.findUnique({ where: { id } });
+    if (!user) throw new NotFoundException();
+    return user;
+  }
+}
+```
+
+## Controller
+
+```typescript
+import { Controller, Get, Post, Body, Param, UseGuards } from '@nestjs/common';
+import { UsersService } from './users.service';
+import { CreateUserDto } from './dto/create-user.dto';
+import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
+
+@Controller('users')
+export class UsersController {
+  constructor(private readonly usersService: UsersService) {}
+
+  @Post()
+  create(@Body() dto: CreateUserDto) {
+    return this.usersService.create(dto);
+  }
+
+  @Get(':id')
+  @UseGuards(JwtAuthGuard)
+  findOne(@Param('id') id: string) {
+    return this.usersService.findOne(id);
+  }
+}
+```
+
+## Regras
+
+- **Um módulo = uma bounded context** clara (users, orders, billing).
+- **Nunca** exponha entidades Prisma brutas se houver campos sensíveis — use resposta DTO ou `select`.
+- Rotas protegidas: `@UseGuards(JwtAuthGuard)` + ownership quando o recurso for do usuário (ver skill **security**).

package/templates/.claude/skills/nestjs/security.md

@@ -0,0 +1,42 @@
+# NestJS — Segurança (OWASP no backend)
+
+Checklist e pontos **específicos de NestJS**. Para o checklist completo e exemplos genéricos, use a skill **`/devsquad security`** (`security/SKILL.md`).
+
+## Já coberto em setup.md
+
+- `helmet()`, `ValidationPipe` com `whitelist` + `forbidNonWhitelisted`
+- CORS explícito, `ThrottlerGuard` global
+- Swagger em `/api/docs` com Bearer
+
+## Antes de ir para produção
+
+| Item | Ação |
+|------|------|
+| **A02** | `JWT_SECRET` / `JWT_REFRESH_SECRET` fortes, nunca no código |
+| **A04** | Login: throttle mais agressivo (ex.: guard dedicado na rota `auth/login`) |
+| **A05** | HTTPS atrás de proxy; confiar em `X-Forwarded-*` só se configurado |
+| **A07** | Access token curto + refresh com rotation (ver `auth.md`) |
+| **A09** | Logger sem email, senha, token ou body completo de erro para cliente |
+
+## Snippets úteis
+
+### Rate limit na rota de login
+
+```typescript
+import { Throttle } from '@nestjs/throttler';
+
+@Throttle({ default: { limit: 5, ttl: 900000 } }) // 5 / 15 min
+@Post('login')
+login(@Body() dto: LoginDto) { /* ... */ }
+```
+
+### Não vazar stack trace
+
+```typescript
+// Em produção: filtre detalhes em ExceptionFilter global
+```
+
+## Referência cruzada
+
+- **auth.md** — JWT, guards, refresh
+- **security (skill)** — OWASP Top 10 completo para stack Nest + React

package/templates/.claude/skills/nestjs/setup.md

@@ -0,0 +1,162 @@
+# NestJS — Setup Completo
+
+## src/main.ts
+
+```typescript
+import { NestFactory } from '@nestjs/core';
+import { ValidationPipe, Logger } from '@nestjs/common';
+import { SwaggerModule, DocumentBuilder } from '@nestjs/swagger';
+import { AppModule } from './app.module';
+import helmet from 'helmet';
+
+async function bootstrap() {
+  const app = await NestFactory.create(AppModule);
+  const logger = new Logger('Bootstrap');
+
+  // 🔒 OWASP A05 — Headers de segurança HTTP
+  app.use(helmet());
+
+  // 🔒 OWASP A03 — Rejeita campos não declarados nos DTOs
+  app.useGlobalPipes(new ValidationPipe({
+    whitelist: true,
+    forbidNonWhitelisted: true,
+    transform: true,
+  }));
+
+  // CORS explícito — nunca use '*' em produção
+  app.enableCors({ origin: process.env.FRONTEND_URL, credentials: true });
+
+  app.setGlobalPrefix('api/v1');
+
+  // Swagger
+  const config = new DocumentBuilder()
+    .setTitle(process.env.APP_NAME ?? 'API')
+    .setVersion('1.0')
+    .addBearerAuth()
+    .build();
+  SwaggerModule.setup('api/docs', app, SwaggerModule.createDocument(app, config));
+
+  const port = process.env.PORT ?? 3000;
+  await app.listen(port);
+  logger.log(`🚀 http://localhost:${port}`);
+  logger.log(`📚 Swagger: http://localhost:${port}/api/docs`);
+}
+bootstrap();
+```
+
+## src/app.module.ts
+
+```typescript
+import { Module } from '@nestjs/common';
+import { ConfigModule } from '@nestjs/config';
+import { ThrottlerModule, ThrottlerGuard } from '@nestjs/throttler';
+import { APP_GUARD } from '@nestjs/core';
+import { PrismaModule } from './prisma/prisma.module';
+import { AuthModule } from './modules/auth/auth.module';
+import { UsersModule } from './modules/users/users.module';
+import configuration from './config/configuration';
+
+@Module({
+  imports: [
+    ConfigModule.forRoot({ isGlobal: true, load: [configuration] }),
+    ThrottlerModule.forRoot([{ ttl: 60000, limit: 60 }]),
+    PrismaModule,
+    AuthModule,
+    UsersModule,
+  ],
+  providers: [{ provide: APP_GUARD, useClass: ThrottlerGuard }],
+})
+export class AppModule {}
+```
+
+## src/config/configuration.ts
+
+```typescript
+export default () => ({
+  port: parseInt(process.env.PORT ?? '3000', 10),
+  jwt: {
+    secret: process.env.JWT_SECRET,
+    refreshSecret: process.env.JWT_REFRESH_SECRET,
+    expiresIn: '15m',
+    refreshExpiresIn: '7d',
+  },
+  frontendUrl: process.env.FRONTEND_URL,
+});
+```
+
+## src/prisma/prisma.service.ts
+
+```typescript
+import { Injectable, OnModuleInit, OnModuleDestroy } from '@nestjs/common';
+import { PrismaClient } from '@prisma/client';
+
+@Injectable()
+export class PrismaService extends PrismaClient
+  implements OnModuleInit, OnModuleDestroy {
+  async onModuleInit() { await this.$connect(); }
+  async onModuleDestroy() { await this.$disconnect(); }
+}
+```
+
+```typescript
+// prisma/prisma.module.ts
+import { Global, Module } from '@nestjs/common';
+import { PrismaService } from './prisma.service';
+
+@Global()
+@Module({ providers: [PrismaService], exports: [PrismaService] })
+export class PrismaModule {}
+```
+
+## .env.example
+
+```env
+APP_NAME="Nome do Projeto"
+PORT=3000
+NODE_ENV=development
+FRONTEND_URL="http://localhost:5173"
+DATABASE_URL="postgresql://postgres:postgres@localhost:5432/nome_db?schema=public"
+JWT_SECRET="gere-com-openssl-rand-base64-32"
+JWT_REFRESH_SECRET="outro-segredo-diferente"
+```
+
+## Estrutura de pastas (DDD)
+
+```
+src/
+├── modules/
+│   ├── auth/
+│   │   ├── dto/          login.dto.ts, register.dto.ts
+│   │   ├── guards/       jwt-auth.guard.ts
+│   │   ├── strategies/   jwt.strategy.ts
+│   │   ├── decorators/   current-user.decorator.ts
+│   │   ├── auth.controller.ts
+│   │   ├── auth.module.ts
+│   │   └── auth.service.ts
+│   └── users/
+│       ├── dto/          create-user.dto.ts, update-user.dto.ts
+│       ├── entities/     user.entity.ts
+│       ├── users.controller.ts
+│       ├── users.module.ts
+│       └── users.service.ts
+├── common/
+│   ├── decorators/       roles.decorator.ts
+│   ├── guards/           roles.guard.ts
+│   └── filters/          http-exception.filter.ts
+├── config/
+│   └── configuration.ts
+├── prisma/
+│   ├── prisma.module.ts
+│   └── prisma.service.ts
+└── main.ts
+```
+
+## Checklist de setup
+
+- [ ] NestJS inicializado via CLI
+- [ ] `helmet` + `ValidationPipe` global + CORS configurados no `main.ts`
+- [ ] `PrismaModule` com `@Global()` criado
+- [ ] `ThrottlerModule` configurado no `AppModule`
+- [ ] `.env.example` criado e `.env` no `.gitignore`
+- [ ] Swagger funcionando em `/api/docs`
+- [ ] Prefixo global `api/v1` definido

package/templates/.claude/skills/postman/SKILL.md

@@ -0,0 +1,82 @@
+---
+name: postman-collections
+description: Criação e organização de Postman Collections profissionais para documentar e testar APIs. Use quando o desenvolvedor precisar documentar endpoints, criar environments, escrever scripts de teste ou exportar a collection para o repositório.
+---
+
+# Postman Collections
+
+## Estrutura da collection
+
+```
+📁 [Nome do Projeto] API
+├── 📁 Auth
+│   ├── POST /auth/register
+│   ├── POST /auth/login      ← script de captura automática de token
+│   ├── POST /auth/refresh
+│   └── POST /auth/logout
+└── 📁 [Módulo por módulo]
+```
+
+## Environments (nunca hardcode URLs ou tokens)
+
+**Development**
+```json
+{ "base_url": "http://localhost:3000/api/v1", "access_token": "", "refresh_token": "" }
+```
+
+**Production**
+```json
+{ "base_url": "https://api.seudominio.com/api/v1", "access_token": "", "refresh_token": "" }
+```
+
+Uso nas requisições: `{{base_url}}/auth/login` | `Bearer {{access_token}}`
+
+## Script de captura automática de token (aba Tests do login)
+
+```javascript
+const { access_token, refresh_token } = pm.response.json();
+if (access_token) {
+  pm.environment.set('access_token', access_token);
+  pm.environment.set('refresh_token', refresh_token);
+}
+pm.test('Status 200', () => pm.response.to.have.status(200));
+pm.test('Retorna tokens', () => {
+  pm.expect(pm.response.json()).to.have.property('access_token');
+});
+```
+
+## Testes padrão por endpoint
+
+```javascript
+pm.test('Status correto', () => pm.response.to.have.status(201));
+pm.test('Estrutura correta', () => {
+  const json = pm.response.json();
+  pm.expect(json).to.have.property('id');
+  pm.expect(json).not.to.have.property('password'); // 🔒
+});
+pm.test('Resposta < 500ms', () => pm.expect(pm.response.responseTime).to.be.below(500));
+```
+
+## Versionamento no repositório
+
+```
+postman/
+├── collection.json          ← Exportar: ··· > Export > Collection v2.1
+├── environment.dev.json     ← Sem valores reais
+└── environment.prod.json    ← Sem valores reais
+```
+
+```bash
+git commit -m "docs(postman): adicionar endpoints do módulo de auth"
+```
+
+> 🔒 Nunca commite tokens reais nos arquivos de environment.
+
+## Checklist
+
+- [ ] Collection com o nome do projeto
+- [ ] Environments dev e prod configurados com variáveis
+- [ ] Todas as URLs usando `{{base_url}}`
+- [ ] Script de auto-captura de token no login
+- [ ] Testes básicos (status + estrutura) em cada endpoint
+- [ ] Collection exportada em `postman/collection.json`

package/templates/.claude/skills/react/SKILL.md

@@ -0,0 +1,53 @@
+---
+name: react-frontend
+description: Setup e arquitetura de frontend com React + TypeScript + TailwindCSS + TanStack Query. Use quando o desenvolvedor precisar inicializar o frontend web, configurar autenticação no cliente, criar componentes, hooks, services ou rotas protegidas.
+---
+
+# React Frontend
+
+Stack: React + TypeScript + Vite + TailwindCSS + TanStack Query + Axios + React Router + React Hook Form + Zod
+
+## Setup rápido
+
+```bash
+npm create vite@latest nome-do-projeto -- --template react-ts
+cd nome-do-projeto
+npm install -D tailwindcss postcss autoprefixer && npx tailwindcss init -p
+npm install axios @tanstack/react-query react-router-dom react-hook-form zod @hookform/resolvers lucide-react
+```
+
+```javascript
+// tailwind.config.js
+export default {
+  content: ['./index.html', './src/**/*.{js,ts,jsx,tsx}'],
+  theme: { extend: {} },
+  plugins: [],
+}
+```
+
+## Estrutura de pastas
+
+```
+src/
+├── components/ui/       ← Button, Input, Card reutilizáveis
+├── components/layout/   ← Header, Sidebar, PrivateLayout
+├── pages/               ← Uma pasta por rota
+├── hooks/               ← Custom hooks
+├── services/            ← api.ts + *.service.ts (nunca axios direto no componente)
+├── contexts/            ← AuthContext.tsx
+├── routes/              ← AppRoutes.tsx + PrivateRoute.tsx
+├── types/               ← interfaces TypeScript
+└── utils/               ← funções puras
+```
+
+## .env.example
+
+```env
+VITE_API_URL=http://localhost:3000/api/v1
+```
+
+## Arquivos detalhados desta skill
+
+- **setup.md** — AuthContext, Axios com interceptors, PrivateRoute, App.tsx prontos
+
+Leia `setup.md` para implementar a estrutura base completa.