npm - forgecraft-mcp - Versions diffs - 1.4.0 → 1.7.0 - Mend

forgecraft-mcp 1.4.0 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/LICENSE +67 -0
package/README.md +527 -525
package/dist/analyzers/anchors/anchor-loader.d.ts +47 -0
package/dist/analyzers/anchors/anchor-loader.d.ts.map +1 -0
package/dist/analyzers/anchors/anchor-loader.js +113 -0
package/dist/analyzers/anchors/anchor-loader.js.map +1 -0
package/dist/analyzers/anti-pattern.d.ts.map +1 -1
package/dist/analyzers/anti-pattern.js +38 -26
package/dist/analyzers/anti-pattern.js.map +1 -1
package/dist/analyzers/completeness-helpers.d.ts +5 -0
package/dist/analyzers/completeness-helpers.d.ts.map +1 -1
package/dist/analyzers/completeness-helpers.js +17 -0
package/dist/analyzers/completeness-helpers.js.map +1 -1
package/dist/analyzers/completeness.d.ts.map +1 -1
package/dist/analyzers/completeness.js +4 -4
package/dist/analyzers/completeness.js.map +1 -1
package/dist/analyzers/gs-scorer.d.ts +3 -1
package/dist/analyzers/gs-scorer.d.ts.map +1 -1
package/dist/analyzers/gs-scorer.js +5 -2
package/dist/analyzers/gs-scorer.js.map +1 -1
package/dist/analyzers/package-json.d.ts.map +1 -1
package/dist/analyzers/package-json.js +194 -34
package/dist/analyzers/package-json.js.map +1 -1
package/dist/analyzers/scorers/composable-scorer.d.ts +4 -2
package/dist/analyzers/scorers/composable-scorer.d.ts.map +1 -1
package/dist/analyzers/scorers/composable-scorer.js +50 -2
package/dist/analyzers/scorers/composable-scorer.js.map +1 -1
package/dist/analyzers/scorers/executable-scorer.d.ts +3 -2
package/dist/analyzers/scorers/executable-scorer.d.ts.map +1 -1
package/dist/analyzers/scorers/executable-scorer.js +64 -4
package/dist/analyzers/scorers/executable-scorer.js.map +1 -1
package/dist/analyzers/scorers/scorer-utils.d.ts +5 -3
package/dist/analyzers/scorers/scorer-utils.d.ts.map +1 -1
package/dist/analyzers/scorers/scorer-utils.js +34 -9
package/dist/analyzers/scorers/scorer-utils.js.map +1 -1
package/dist/analyzers/scorers/self-describing-scorer.d.ts +7 -4
package/dist/analyzers/scorers/self-describing-scorer.d.ts.map +1 -1
package/dist/analyzers/scorers/self-describing-scorer.js +17 -18
package/dist/analyzers/scorers/self-describing-scorer.js.map +1 -1
package/dist/cli/help.js +51 -51
package/dist/disciplines/catalog.d.ts +16 -0
package/dist/disciplines/catalog.d.ts.map +1 -0
package/dist/disciplines/catalog.js +196 -0
package/dist/disciplines/catalog.js.map +1 -0
package/dist/disciplines/runner.d.ts +13 -0
package/dist/disciplines/runner.d.ts.map +1 -0
package/dist/disciplines/runner.js +35 -0
package/dist/disciplines/runner.js.map +1 -0
package/dist/registry/composer.d.ts.map +1 -1
package/dist/registry/composer.js +9 -4
package/dist/registry/composer.js.map +1 -1
package/dist/registry/loader-tag.d.ts.map +1 -1
package/dist/registry/loader-tag.js +1 -0
package/dist/registry/loader-tag.js.map +1 -1
package/dist/registry/remote-gates.js +1 -1
package/dist/registry/remote-gates.js.map +1 -1
package/dist/registry/renderer-skeletons.js +92 -92
package/dist/registry/sentinel-renderer.js +299 -20
package/dist/registry/sentinel-renderer.js.map +1 -1
package/dist/sentinel/detect.d.ts +41 -0
package/dist/sentinel/detect.d.ts.map +1 -0
package/dist/sentinel/detect.js +122 -0
package/dist/sentinel/detect.js.map +1 -0
package/dist/sentinel/write.d.ts +54 -0
package/dist/sentinel/write.d.ts.map +1 -0
package/dist/sentinel/write.js +75 -0
package/dist/sentinel/write.js.map +1 -0
package/dist/shared/cnt-health.d.ts +16 -0
package/dist/shared/cnt-health.d.ts.map +1 -1
package/dist/shared/cnt-health.js +55 -8
package/dist/shared/cnt-health.js.map +1 -1
package/dist/shared/config.d.ts +14 -0
package/dist/shared/config.d.ts.map +1 -1
package/dist/shared/config.js +45 -0
package/dist/shared/config.js.map +1 -1
package/dist/shared/gs-score-logger.js +6 -6
package/dist/shared/hook-installer.d.ts +58 -0
package/dist/shared/hook-installer.d.ts.map +1 -0
package/dist/shared/hook-installer.js +316 -0
package/dist/shared/hook-installer.js.map +1 -0
package/dist/shared/project-gates-helpers.d.ts +9 -0
package/dist/shared/project-gates-helpers.d.ts.map +1 -1
package/dist/shared/project-gates-helpers.js +35 -0
package/dist/shared/project-gates-helpers.js.map +1 -1
package/dist/shared/types/config.d.ts +7 -1
package/dist/shared/types/config.d.ts.map +1 -1
package/dist/shared/types/gates.d.ts +34 -0
package/dist/shared/types/gates.d.ts.map +1 -1
package/dist/shared/types/project.d.ts +68 -2
package/dist/shared/types/project.d.ts.map +1 -1
package/dist/shared/types/project.js +1 -0
package/dist/shared/types/project.js.map +1 -1
package/dist/shared/types/templates.d.ts +8 -1
package/dist/shared/types/templates.d.ts.map +1 -1
package/dist/shared/types/verify.d.ts +51 -1
package/dist/shared/types/verify.d.ts.map +1 -1
package/dist/shared/types/verify.js +37 -1
package/dist/shared/types/verify.js.map +1 -1
package/dist/tools/add-hook.d.ts.map +1 -1
package/dist/tools/add-hook.js +8 -1
package/dist/tools/add-hook.js.map +1 -1
package/dist/tools/add-module.js +123 -123
package/dist/tools/advice-registry.d.ts.map +1 -1
package/dist/tools/advice-registry.js +108 -18
package/dist/tools/advice-registry.js.map +1 -1
package/dist/tools/advise-session-advisor.d.ts +16 -0
package/dist/tools/advise-session-advisor.d.ts.map +1 -0
package/dist/tools/advise-session-advisor.js +89 -0
package/dist/tools/advise-session-advisor.js.map +1 -0
package/dist/tools/advise-session-signals.d.ts +21 -0
package/dist/tools/advise-session-signals.d.ts.map +1 -0
package/dist/tools/advise-session-signals.js +113 -0
package/dist/tools/advise-session-signals.js.map +1 -0
package/dist/tools/advise-session.d.ts +22 -0
package/dist/tools/advise-session.d.ts.map +1 -0
package/dist/tools/advise-session.js +31 -0
package/dist/tools/advise-session.js.map +1 -0
package/dist/tools/analyze-harness.d.ts +18 -0
package/dist/tools/analyze-harness.d.ts.map +1 -0
package/dist/tools/analyze-harness.js +298 -0
package/dist/tools/analyze-harness.js.map +1 -0
package/dist/tools/audit.d.ts.map +1 -1
package/dist/tools/audit.js +19 -0
package/dist/tools/audit.js.map +1 -1
package/dist/tools/change-request.d.ts +53 -0
package/dist/tools/change-request.d.ts.map +1 -0
package/dist/tools/change-request.js +395 -0
package/dist/tools/change-request.js.map +1 -0
package/dist/tools/check-cascade-contracts.d.ts +13 -0
package/dist/tools/check-cascade-contracts.d.ts.map +1 -1
package/dist/tools/check-cascade-contracts.js +73 -2
package/dist/tools/check-cascade-contracts.js.map +1 -1
package/dist/tools/check-cascade-report.js +64 -64
package/dist/tools/check-cascade-steps.d.ts +3 -0
package/dist/tools/check-cascade-steps.d.ts.map +1 -1
package/dist/tools/check-cascade-steps.js +104 -15
package/dist/tools/check-cascade-steps.js.map +1 -1
package/dist/tools/check-cascade.d.ts +4 -3
package/dist/tools/check-cascade.d.ts.map +1 -1
package/dist/tools/check-cascade.js +30 -12
package/dist/tools/check-cascade.js.map +1 -1
package/dist/tools/check-derivation-chain.d.ts +37 -0
package/dist/tools/check-derivation-chain.d.ts.map +1 -0
package/dist/tools/check-derivation-chain.js +418 -0
package/dist/tools/check-derivation-chain.js.map +1 -0
package/dist/tools/check-spec-consistency.d.ts +25 -0
package/dist/tools/check-spec-consistency.d.ts.map +1 -0
package/dist/tools/check-spec-consistency.js +339 -0
package/dist/tools/check-spec-consistency.js.map +1 -0
package/dist/tools/check-t4.d.ts +54 -0
package/dist/tools/check-t4.d.ts.map +1 -0
package/dist/tools/check-t4.js +305 -0
package/dist/tools/check-t4.js.map +1 -0
package/dist/tools/close-cycle.d.ts +11 -0
package/dist/tools/close-cycle.d.ts.map +1 -1
package/dist/tools/close-cycle.js +364 -4
package/dist/tools/close-cycle.js.map +1 -1
package/dist/tools/cnt-add-routing.d.ts +31 -0
package/dist/tools/cnt-add-routing.d.ts.map +1 -0
package/dist/tools/cnt-add-routing.js +99 -0
package/dist/tools/cnt-add-routing.js.map +1 -0
package/dist/tools/configure-mcp.d.ts.map +1 -1
package/dist/tools/configure-mcp.js +52 -2
package/dist/tools/configure-mcp.js.map +1 -1
package/dist/tools/consolidate-status.d.ts +31 -0
package/dist/tools/consolidate-status.d.ts.map +1 -1
package/dist/tools/consolidate-status.js +105 -0
package/dist/tools/consolidate-status.js.map +1 -1
package/dist/tools/executable-gates.d.ts +52 -0
package/dist/tools/executable-gates.d.ts.map +1 -0
package/dist/tools/executable-gates.js +333 -0
package/dist/tools/executable-gates.js.map +1 -0
package/dist/tools/extract-adrs-from-spec.d.ts +33 -0
package/dist/tools/extract-adrs-from-spec.d.ts.map +1 -0
package/dist/tools/extract-adrs-from-spec.js +410 -0
package/dist/tools/extract-adrs-from-spec.js.map +1 -0
package/dist/tools/extract-adrs-history.d.ts +47 -0
package/dist/tools/extract-adrs-history.d.ts.map +1 -0
package/dist/tools/extract-adrs-history.js +265 -0
package/dist/tools/extract-adrs-history.js.map +1 -0
package/dist/tools/forgecraft-dispatch-extended.d.ts.map +1 -1
package/dist/tools/forgecraft-dispatch-extended.js +137 -0
package/dist/tools/forgecraft-dispatch-extended.js.map +1 -1
package/dist/tools/forgecraft-dispatch.d.ts.map +1 -1
package/dist/tools/forgecraft-dispatch.js +16 -0
package/dist/tools/forgecraft-dispatch.js.map +1 -1
package/dist/tools/forgecraft-schema-params.d.ts +174 -2
package/dist/tools/forgecraft-schema-params.d.ts.map +1 -1
package/dist/tools/forgecraft-schema-params.js +197 -0
package/dist/tools/forgecraft-schema-params.js.map +1 -1
package/dist/tools/forgecraft-schema.d.ts +179 -7
package/dist/tools/forgecraft-schema.d.ts.map +1 -1
package/dist/tools/forgecraft-schema.js +37 -0
package/dist/tools/forgecraft-schema.js.map +1 -1
package/dist/tools/generate-adr.js +6 -6
package/dist/tools/generate-adr.js.map +1 -1
package/dist/tools/generate-decision.d.ts +77 -0
package/dist/tools/generate-decision.d.ts.map +1 -0
package/dist/tools/generate-decision.js +162 -0
package/dist/tools/generate-decision.js.map +1 -0
package/dist/tools/generate-env-probe.d.ts +49 -0
package/dist/tools/generate-env-probe.d.ts.map +1 -0
package/dist/tools/generate-env-probe.js +365 -0
package/dist/tools/generate-env-probe.js.map +1 -0
package/dist/tools/generate-harness.d.ts +53 -0
package/dist/tools/generate-harness.d.ts.map +1 -0
package/dist/tools/generate-harness.js +395 -0
package/dist/tools/generate-harness.js.map +1 -0
package/dist/tools/generate-roadmap.d.ts +1 -1
package/dist/tools/generate-roadmap.d.ts.map +1 -1
package/dist/tools/generate-roadmap.js +38 -4
package/dist/tools/generate-roadmap.js.map +1 -1
package/dist/tools/generate-session-prompt.d.ts +3 -3
package/dist/tools/generate-session-prompt.d.ts.map +1 -1
package/dist/tools/generate-session-prompt.js +9 -1
package/dist/tools/generate-session-prompt.js.map +1 -1
package/dist/tools/generate-slo-probe.d.ts +53 -0
package/dist/tools/generate-slo-probe.d.ts.map +1 -0
package/dist/tools/generate-slo-probe.js +366 -0
package/dist/tools/generate-slo-probe.js.map +1 -0
package/dist/tools/layer-status-gates.d.ts +24 -0
package/dist/tools/layer-status-gates.d.ts.map +1 -0
package/dist/tools/layer-status-gates.js +151 -0
package/dist/tools/layer-status-gates.js.map +1 -0
package/dist/tools/layer-status.d.ts +126 -0
package/dist/tools/layer-status.d.ts.map +1 -0
package/dist/tools/layer-status.js +647 -0
package/dist/tools/layer-status.js.map +1 -0
package/dist/tools/list.d.ts.map +1 -1
package/dist/tools/list.js +9 -5
package/dist/tools/list.js.map +1 -1
package/dist/tools/postcondition-coverage.d.ts +57 -0
package/dist/tools/postcondition-coverage.d.ts.map +1 -0
package/dist/tools/postcondition-coverage.js +256 -0
package/dist/tools/postcondition-coverage.js.map +1 -0
package/dist/tools/probe-runners.d.ts +21 -0
package/dist/tools/probe-runners.d.ts.map +1 -0
package/dist/tools/probe-runners.js +246 -0
package/dist/tools/probe-runners.js.map +1 -0
package/dist/tools/probe-templates.d.ts +27 -0
package/dist/tools/probe-templates.d.ts.map +1 -0
package/dist/tools/probe-templates.js +279 -0
package/dist/tools/probe-templates.js.map +1 -0
package/dist/tools/propose-session.d.ts +28 -0
package/dist/tools/propose-session.d.ts.map +1 -0
package/dist/tools/propose-session.js +333 -0
package/dist/tools/propose-session.js.map +1 -0
package/dist/tools/refresh-output.js +14 -14
package/dist/tools/review-stubs.d.ts +29 -0
package/dist/tools/review-stubs.d.ts.map +1 -0
package/dist/tools/review-stubs.js +173 -0
package/dist/tools/review-stubs.js.map +1 -0
package/dist/tools/roadmap-builder.d.ts +49 -1
package/dist/tools/roadmap-builder.d.ts.map +1 -1
package/dist/tools/roadmap-builder.js +210 -5
package/dist/tools/roadmap-builder.js.map +1 -1
package/dist/tools/run-env-probe.d.ts +57 -0
package/dist/tools/run-env-probe.d.ts.map +1 -0
package/dist/tools/run-env-probe.js +270 -0
package/dist/tools/run-env-probe.js.map +1 -0
package/dist/tools/run-harness.d.ts +52 -0
package/dist/tools/run-harness.d.ts.map +1 -0
package/dist/tools/run-harness.js +279 -0
package/dist/tools/run-harness.js.map +1 -0
package/dist/tools/run-slo-probe.d.ts +50 -0
package/dist/tools/run-slo-probe.d.ts.map +1 -0
package/dist/tools/run-slo-probe.js +281 -0
package/dist/tools/run-slo-probe.js.map +1 -0
package/dist/tools/scaffold-spec-stubs.js +115 -115
package/dist/tools/scaffold-templates.js +62 -62
package/dist/tools/scaffold-writer.d.ts.map +1 -1
package/dist/tools/scaffold-writer.js +9 -0
package/dist/tools/scaffold-writer.js.map +1 -1
package/dist/tools/score-rubric.d.ts +19 -0
package/dist/tools/score-rubric.d.ts.map +1 -0
package/dist/tools/score-rubric.js +411 -0
package/dist/tools/score-rubric.js.map +1 -0
package/dist/tools/session-prompt-builders.d.ts +20 -0
package/dist/tools/session-prompt-builders.d.ts.map +1 -1
package/dist/tools/session-prompt-builders.js +78 -5
package/dist/tools/session-prompt-builders.js.map +1 -1
package/dist/tools/session-prompt-sections.d.ts +4 -2
package/dist/tools/session-prompt-sections.d.ts.map +1 -1
package/dist/tools/session-prompt-sections.js +22 -10
package/dist/tools/session-prompt-sections.js.map +1 -1
package/dist/tools/setup-artifact-writers.d.ts +69 -4
package/dist/tools/setup-artifact-writers.d.ts.map +1 -1
package/dist/tools/setup-artifact-writers.js +681 -5
package/dist/tools/setup-artifact-writers.js.map +1 -1
package/dist/tools/setup-cnt-builders.d.ts.map +1 -1
package/dist/tools/setup-cnt-builders.js +162 -34
package/dist/tools/setup-cnt-builders.js.map +1 -1
package/dist/tools/setup-monitoring.d.ts +41 -0
package/dist/tools/setup-monitoring.d.ts.map +1 -0
package/dist/tools/setup-monitoring.js +364 -0
package/dist/tools/setup-monitoring.js.map +1 -0
package/dist/tools/setup-phase1.d.ts.map +1 -1
package/dist/tools/setup-phase1.js +14 -1
package/dist/tools/setup-phase1.js.map +1 -1
package/dist/tools/setup-phase2.d.ts +14 -0
package/dist/tools/setup-phase2.d.ts.map +1 -1
package/dist/tools/setup-phase2.js +130 -3
package/dist/tools/setup-phase2.js.map +1 -1
package/dist/tools/setup-project.d.ts +8 -0
package/dist/tools/setup-project.d.ts.map +1 -1
package/dist/tools/setup-project.js +52 -2
package/dist/tools/setup-project.js.map +1 -1
package/dist/tools/spec-parser-tags.d.ts.map +1 -1
package/dist/tools/spec-parser-tags.js +1 -0
package/dist/tools/spec-parser-tags.js.map +1 -1
package/dist/tools/verify-formatter.d.ts.map +1 -1
package/dist/tools/verify-formatter.js +15 -1
package/dist/tools/verify-formatter.js.map +1 -1
package/dist/tools/verify.d.ts.map +1 -1
package/dist/tools/verify.js +3 -0
package/dist/tools/verify.js.map +1 -1
package/package.json +98 -89
package/templates/analytics/instructions.yaml +37 -37
package/templates/analytics/mcp-servers.yaml +11 -11
package/templates/analytics/structure.yaml +25 -25
package/templates/api/harness/uc-template.hurl +20 -0
package/templates/api/instructions.yaml +231 -231
package/templates/api/mcp-servers.yaml +22 -22
package/templates/api/nfr.yaml +23 -23
package/templates/api/review.yaml +103 -103
package/templates/api/structure.yaml +34 -34
package/templates/api/verification.yaml +132 -132
package/templates/cli/instructions.yaml +31 -31
package/templates/cli/mcp-servers.yaml +11 -11
package/templates/cli/review.yaml +53 -53
package/templates/cli/structure.yaml +16 -16
package/templates/data-lineage/instructions.yaml +28 -28
package/templates/data-lineage/mcp-servers.yaml +22 -22
package/templates/data-pipeline/instructions.yaml +84 -84
package/templates/data-pipeline/mcp-servers.yaml +13 -13
package/templates/data-pipeline/nfr.yaml +39 -39
package/templates/data-pipeline/structure.yaml +23 -23
package/templates/docs-manifest.yaml +227 -0
package/templates/fintech/hooks.yaml +55 -55
package/templates/fintech/instructions.yaml +112 -112
package/templates/fintech/mcp-servers.yaml +13 -13
package/templates/fintech/nfr.yaml +46 -46
package/templates/fintech/playbook.yaml +210 -210
package/templates/fintech/verification.yaml +239 -239
package/templates/game/harness/uc-template.sim.ts +29 -0
package/templates/game/instructions.yaml +289 -289
package/templates/game/mcp-servers.yaml +38 -38
package/templates/game/nfr.yaml +64 -64
package/templates/game/playbook.yaml +214 -214
package/templates/game/review.yaml +97 -97
package/templates/game/structure.yaml +67 -67
package/templates/game/verification.yaml +174 -174
package/templates/healthcare/instructions.yaml +42 -42
package/templates/healthcare/mcp-servers.yaml +13 -13
package/templates/healthcare/nfr.yaml +47 -47
package/templates/hipaa/instructions.yaml +41 -41
package/templates/hipaa/mcp-servers.yaml +13 -13
package/templates/infra/instructions.yaml +104 -104
package/templates/infra/mcp-servers.yaml +20 -20
package/templates/infra/nfr.yaml +46 -46
package/templates/infra/review.yaml +65 -65
package/templates/infra/structure.yaml +25 -25
package/templates/library/instructions.yaml +36 -36
package/templates/library/mcp-servers.yaml +20 -20
package/templates/library/review.yaml +56 -56
package/templates/library/structure.yaml +19 -19
package/templates/medallion-architecture/instructions.yaml +41 -41
package/templates/medallion-architecture/mcp-servers.yaml +22 -22
package/templates/ml/instructions.yaml +85 -85
package/templates/ml/mcp-servers.yaml +11 -11
package/templates/ml/nfr.yaml +39 -39
package/templates/ml/structure.yaml +25 -25
package/templates/ml/verification.yaml +156 -156
package/templates/mobile/instructions.yaml +44 -44
package/templates/mobile/mcp-servers.yaml +11 -11
package/templates/mobile/nfr.yaml +49 -49
package/templates/mobile/structure.yaml +27 -27
package/templates/mobile/verification.yaml +121 -121
package/templates/observability-xray/instructions.yaml +40 -40
package/templates/observability-xray/mcp-servers.yaml +15 -15
package/templates/realtime/instructions.yaml +42 -42
package/templates/realtime/mcp-servers.yaml +13 -13
package/templates/soc2/instructions.yaml +41 -41
package/templates/soc2/mcp-servers.yaml +24 -24
package/templates/social/instructions.yaml +43 -43
package/templates/social/mcp-servers.yaml +24 -24
package/templates/state-machine/instructions.yaml +42 -42
package/templates/state-machine/mcp-servers.yaml +11 -11
package/templates/tools-registry.yaml +164 -164
package/templates/universal/claude-md-blocks/layer-navigation.md +20 -0
package/templates/universal/claude-md-blocks/nfr-contracts.md +22 -0
package/templates/universal/hooks.yaml +879 -723
package/templates/universal/instructions.yaml +1692 -1692
package/templates/universal/mcp-servers.yaml +50 -50
package/templates/universal/nfr.yaml +197 -197
package/templates/universal/reference.yaml +326 -326
package/templates/universal/review.yaml +204 -204
package/templates/universal/skills.yaml +262 -262
package/templates/universal/structure.yaml +67 -67
package/templates/universal/verification.yaml +416 -416
package/templates/web-next/hooks.yaml +114 -0
package/templates/web-next/instructions.yaml +106 -0
package/templates/web-react/harness/uc-template.spec.ts +35 -0
package/templates/web-react/hooks.yaml +156 -44
package/templates/web-react/instructions.yaml +296 -207
package/templates/web-react/mcp-servers.yaml +20 -20
package/templates/web-react/nfr.yaml +27 -27
package/templates/web-react/review.yaml +94 -94
package/templates/web-react/structure.yaml +46 -46
package/templates/web-react/verification.yaml +126 -126
package/templates/web-static/hooks.yaml +85 -0
package/templates/web-static/instructions.yaml +204 -115
package/templates/web-static/mcp-servers.yaml +20 -20
package/templates/web3/instructions.yaml +44 -44
package/templates/web3/mcp-servers.yaml +11 -11
package/templates/web3/verification.yaml +159 -159
package/templates/zero-trust/instructions.yaml +41 -41
package/templates/zero-trust/mcp-servers.yaml +15 -15

package/templates/analytics/instructions.yaml CHANGED Viewed

@@ -1,37 +1,37 @@
-tag: ANALYTICS
-section: instructions
-blocks:
-  - id: analytics-architecture
-    tier: recommended
-    title: "Analytics & Data Warehouse Standards"
-    content: |
-      ## Analytics & Data Warehouse Standards
-      ### Architecture — Separation of Concerns
-      Operational database and analytical database are SEPARATE systems. Never run analytical
-      queries against your production OLTP database.
-      ### Event Collection — Instrument Everything
-      - Every significant user action and system event emits a structured event.
-      - Events are immutable, append-only, timestamped, and include context.
-      - Event schema versioned — schema registry or embedded version field.
-      - Events flow through a pipeline: collect → validate → enrich → store → aggregate.
-      - NO direct writes to analytical store from application code.
-      ### Aggregation Layers
-      Raw events are for debugging and backfilling. Everything else reads from aggregations.
-      | Layer | Granularity | Refresh | Use Case |
-      |-------|------------|---------|----------|
-      | Real-time | Per-event or 1-min | Streaming | Live dashboards, alerts |
-      | Hourly | 1-hour buckets | Scheduled | Operational dashboards |
-      | Daily | 1-day buckets | Nightly | Business reports, KPIs |
-      | Weekly/Monthly | Week/month | Scheduled | Executive reporting |
-      ### Reporting
-      - Dashboards read ONLY from aggregated views.
-      - Three tiers: Operational (real-time), Tactical (daily), Strategic (weekly/monthly).
-      ### Signals & Prediction
-      - Signals are pre-computed and stored, not computed on-demand.
-      - Every signal has: value, confidence, computed_at, TTL/expiry.
+tag: ANALYTICS
+section: instructions
+blocks:
+  - id: analytics-architecture
+    tier: recommended
+    title: "Analytics & Data Warehouse Standards"
+    content: |
+      ## Analytics & Data Warehouse Standards
+      ### Architecture — Separation of Concerns
+      Operational database and analytical database are SEPARATE systems. Never run analytical
+      queries against your production OLTP database.
+      ### Event Collection — Instrument Everything
+      - Every significant user action and system event emits a structured event.
+      - Events are immutable, append-only, timestamped, and include context.
+      - Event schema versioned — schema registry or embedded version field.
+      - Events flow through a pipeline: collect → validate → enrich → store → aggregate.
+      - NO direct writes to analytical store from application code.
+      ### Aggregation Layers
+      Raw events are for debugging and backfilling. Everything else reads from aggregations.
+      | Layer | Granularity | Refresh | Use Case |
+      |-------|------------|---------|----------|
+      | Real-time | Per-event or 1-min | Streaming | Live dashboards, alerts |
+      | Hourly | 1-hour buckets | Scheduled | Operational dashboards |
+      | Daily | 1-day buckets | Nightly | Business reports, KPIs |
+      | Weekly/Monthly | Week/month | Scheduled | Executive reporting |
+      ### Reporting
+      - Dashboards read ONLY from aggregated views.
+      - Three tiers: Operational (real-time), Tactical (daily), Strategic (weekly/monthly).
+      ### Signals & Prediction
+      - Signals are pre-computed and stored, not computed on-demand.
+      - Every signal has: value, confidence, computed_at, TTL/expiry.

package/templates/analytics/mcp-servers.yaml CHANGED Viewed

@@ -1,11 +1,11 @@
-tag: ANALYTICS
-section: mcp-servers
-servers:
-  - name: chrome-devtools
-    description: "Chrome DevTools integration for debugging, profiling, and network inspection"
-    command: npx
-    args: ["-y", "@anthropic/chrome-devtools-mcp@latest"]
-    tags: [WEB-REACT, WEB-STATIC, ANALYTICS]
-    category: devtools
-    tier: recommended
-    url: "https://github.com/anthropics/anthropic-quickstarts/tree/main/chrome-devtools-mcp"
+tag: ANALYTICS
+section: mcp-servers
+servers:
+  - name: chrome-devtools
+    description: "Chrome DevTools integration for debugging, profiling, and network inspection"
+    command: npx
+    args: ["-y", "@anthropic/chrome-devtools-mcp@latest"]
+    tags: [WEB-REACT, WEB-STATIC, ANALYTICS]
+    category: devtools
+    tier: recommended
+    url: "https://github.com/anthropics/anthropic-quickstarts/tree/main/chrome-devtools-mcp"

package/templates/analytics/structure.yaml CHANGED Viewed

@@ -1,25 +1,25 @@
-tag: ANALYTICS
-section: structure
-language: typescript
-entries:
-  - path: src/analytics/events
-    type: directory
-    description: "Event type definitions, emitter, validator"
-  - path: src/analytics/events/schema.ts
-    type: file
-    description: "Typed, versioned event definitions"
-  - path: src/analytics/events/emitter.ts
-    type: file
-    description: "Event emission interface"
-  - path: src/analytics/pipeline
-    type: directory
-    description: "Event collection, processing, dead-letter"
-  - path: src/analytics/aggregations
-    type: directory
-    description: "Aggregation definitions and scheduling"
-  - path: src/analytics/signals
-    type: directory
-    description: "Pre-computed signal service"
-  - path: src/analytics/dashboards
-    type: directory
-    description: "Dashboard config as code"
+tag: ANALYTICS
+section: structure
+language: typescript
+entries:
+  - path: src/analytics/events
+    type: directory
+    description: "Event type definitions, emitter, validator"
+  - path: src/analytics/events/schema.ts
+    type: file
+    description: "Typed, versioned event definitions"
+  - path: src/analytics/events/emitter.ts
+    type: file
+    description: "Event emission interface"
+  - path: src/analytics/pipeline
+    type: directory
+    description: "Event collection, processing, dead-letter"
+  - path: src/analytics/aggregations
+    type: directory
+    description: "Aggregation definitions and scheduling"
+  - path: src/analytics/signals
+    type: directory
+    description: "Pre-computed signal service"
+  - path: src/analytics/dashboards
+    type: directory
+    description: "Dashboard config as code"

package/templates/api/harness/uc-template.hurl ADDED Viewed

@@ -0,0 +1,20 @@
+# L2 Harness: {{uc_id}} — {{uc_title}}
+# Actor: {{actor}}
+# Precondition: {{precondition}}
+# Postcondition: {{postcondition}}
+#
+# This is a behavioral harness probe. A failure is a specification violation.
+# Implement the main flow steps from the use case below.
+# Step 1: [precondition setup if needed]
+# POST http://{{host}}/api/auth/login
+# ...
+# Step 2: [primary action]
+# TODO: implement UC main flow as HTTP sequence
+GET http://{{host}}/api/endpoint
+Authorization: Bearer {{token}}
+HTTP 200
+[Asserts]
+# jsonpath "$.field" == "expected_value"

package/templates/api/instructions.yaml CHANGED Viewed

@@ -1,231 +1,231 @@
-tag: API
-section: instructions
-blocks:
-  - id: api-standards
-    tier: recommended
-    title: "API Service Standards"
-    content: |
-      ## API Standards
-      ### Contract First
-      - Define OpenAPI/JSON Schema spec before implementing endpoints.
-      - Generate types from spec — don't manually duplicate.
-      - Spec is the source of truth. Implementation must match.
-      ### Design Rules
-      - Version from day one: /api/v1/...
-      - Proper HTTP semantics: GET reads, POST creates, PUT replaces, PATCH updates, DELETE removes.
-      - Pagination on ALL list endpoints. Never return unbounded results.
-      - Consistent response envelope: { data, meta, errors }.
-      - Async operations return job ID + polling endpoint, not blocking results.
-      - Rate limiting on all public endpoints.
-      ### Validation
-      - Input validation at API boundary — reject malformed requests before they reach services.
-      - Use schema validation (Pydantic, Zod, Joi) not manual if-checks.
-      - Validate request body, query params, path params, and headers.
-      - Return 422 with specific field errors, not generic 400.
-      ### Authentication & Authorization
-      - Auth middleware/guards at router level, not checked inside handlers.
-      - Role-based or policy-based access control via decorators/middleware.
-      - Never trust client-sent user identity — always verify from token/session.
-      ### Database & Migrations
-      - Schema changes managed through migration files (Prisma Migrate, Knex, Flyway, Alembic).
-      - Every migration must be reversible (up + down). Test rollbacks.
-      - Never modify a deployed migration — create a new one.
-      - Seed data separate from migrations. Test seeds run in CI.
-      ### Security (OWASP Top 10)
-      - **Injection**: Parameterized queries only. No string concatenation for SQL, commands, or LDAP.
-      - **Broken Auth**: Rate-limit login attempts. Enforce strong passwords. Rotate tokens.
-      - **Sensitive Data Exposure**: Encrypt at rest (AES-256). Never log PII, tokens, or passwords.
-      - **XXE/XSS**: Sanitize all user-generated HTML. Content-Security-Policy headers on all responses.
-      - **Broken Access Control**: Enforce ownership checks — users can't access other users' resources.
-      - **Security Misconfiguration**: No default credentials. No verbose error messages in production.
-        Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.
-      - **CSRF**: Token-based protection on all state-changing endpoints (unless using SameSite cookies + bearer tokens).
-      - **Audit logging**: Log WHO did WHAT, WHEN, to WHICH resource. Separate from application logs.
-        Immutable. Retained per compliance requirements.
-      ### Graceful Shutdown
-      - Handle SIGTERM: stop accepting new requests, drain in-flight requests, close DB connections, exit.
-      - Kubernetes: readiness probe fails immediately, liveness continues during drain.
-      - Shutdown timeout configurable (default: 30s). Force exit after timeout.
-  - id: api-stack-constraints
-    tier: core
-    title: "API Stack Constraints"
-    content: |
-      ## API Stack Constraints — Approved Dependency Choices
-      These are the **approved libraries for this API project**.
-      Every choice has a banned alternative with a concrete reason.
-      If you reach for a banned alternative, stop and use the approved one instead.
-      Rationale is stated so you understand the constraint — not so you can argue around it.
-      {{#if language_is_typescript}}
-      ### TypeScript API — Required Packages
-      | Concern | Use | Do NOT use | Reason |
-      |---|---|---|---|
-      | **Password hashing** | `argon2@^0.31` | `bcrypt`, `bcryptjs` | `bcrypt` requires a native module (`@mapbox/node-pre-gyp`) that pulls in an old `tar` CVE chain. `argon2` is pure JS, faster, OWASP-preferred. |
-      | **HTTP framework** | `express@^4` or `fastify@^4` | `restify`, `hapi@<21`, `koa` alone | `restify` is unmaintained. `hapi` is fine at `^21+` only. |
-      | **Input validation** | `zod@^3` | `joi` alone, `express-validator` alone | `zod` infers TypeScript types natively — no separate type declaration needed. |
-      | **JWT** | `jsonwebtoken@^9` | `jwt-simple` (abandoned), `jsonwebtoken@<9` | Security fixes landed in v9. `jwt-simple` has no active maintainer. |
-      | **ORM / query builder** | `@prisma/client@^5` or `kysely@^0.27` | `typeorm`, `sequelize` | `typeorm` uses decorators (not type-safe), slow migrations. `sequelize` has weak TypeScript support. |
-      | **Logger** | `pino@^9` | `winston` alone, `console.log` in prod | `pino` is 5–10× faster than `winston` and outputs structured JSON natively. `console.log` is not structured. |
-      | **HTTP client (outbound)** | `undici@^6` or native `fetch` (Node 18+) | `axios` for Node ≥18 | Native `fetch` is available; `axios` adds bundle weight and a dependency surface for a built-in feature. |
-      | **ESLint** | `@typescript-eslint/eslint-plugin@^8` | `@typescript-eslint@^5` or `^6` | `^6` has a known CVE via old `minimatch` transitive dep. `^8` is the current stable. |
-      **npm audit policy**: `npm audit` must return zero `high` or `critical` findings before the
-      first commit. If a dependency introduces a high/critical CVE, replace it with an alternative
-      from this table or open an ADR documenting the exception with mitigation.
-      {{/if}}
-      {{#if language_is_python}}
-      ### Python API — Required Packages
-      | Concern | Use | Do NOT use | Reason |
-      |---|---|---|---|
-      | **Web framework** | `fastapi@^0.110` | `flask` for new async APIs | Flask has no native `async` request handling at the framework level — blocks on every request without extra extensions. |
-      | **Validation** | `pydantic@^2` | `pydantic@^1` | v2 is 5–50× faster. v1 is not maintained for new projects. Breaking API — pin to `^2`. |
-      | **Password hashing** | `argon2-cffi@^23` | `hashlib` for passwords, `MD5/SHA256` for passwords | `hashlib` is not a KDF — it is trivially reversible with a GPU. `argon2` wins OWASP Password Hashing Competition. |
-      | **JWT** | `PyJWT@^2.8` or `python-jose[cryptography]@^3.3` | `python-jwt` (unmaintained), `itsdangerous` alone | `python-jwt` has no active maintainer. `itsdangerous` is for URL-safe tokens, not JWT. |
-      | **ORM** | `sqlalchemy@^2.0` with `asyncpg` | `sqlalchemy@^1.x` | v2 has a fundamentally better async story and type-annotated query API. |
-      | **HTTP client** | `httpx@^0.27` | `requests` in async code | `requests` is sync-only — it will block the asyncio event loop. |
-      | **Logger** | `structlog@^24` | bare `logging` module in production | Unstructured log lines are not machine-parseable. `structlog` wraps `logging` with structured output. |
-      | **Linting** | `ruff@^0.4` | `flake8` + `isort` + `black` separately | `ruff` replaces all three with one tool 10–100× faster. No reason to run them separately. |
-      **pip audit policy**: `pip audit` must return zero `high` or `critical` findings before the
-      first commit. If a dependency introduces a high/critical CVE, replace it or open an ADR.
-      {{/if}}
-  - id: api-deployment
-    tier: recommended
-    title: "API Deployment & Hosting"
-    content: |
-      ## API Deployment
-      ### Container-Based (Production)
-      - Multi-stage Dockerfile: builder stage (install + compile) → runtime stage (minimal image, non-root).
-      - Pin base image digests, not just tags. Scan images for CVEs in CI (Trivy, Grype).
-      - Push to container registry (ECR, GCR, GHCR) on every merge to main.
-      - Orchestrate with Kubernetes, ECS, or Cloud Run. Define resource limits for every container.
-      ### PaaS / Quick Deploy
-      - **Railway**: Git-push deploy with auto-detected Dockerfile or Nixpacks. Ideal for staging and side projects.
-      - **Render**: Free tier + auto-deploy from Git. Native cron jobs, managed Postgres.
-      - **Fly.io**: Edge deployment with Firecracker VMs. Good for low-latency APIs. `fly deploy` from CI.
-      - All PaaS platforms: use platform env vars for secrets, connect managed DB add-ons, enable auto-sleep
-        for non-production to control cost.
-      ### Environment Management
-      - One Dockerfile, many environments. Same image runs in dev, staging, prod.
-      - Health check endpoint (`/health`) returns: status, version, uptime, dependency connectivity.
-      - Database connection pooling configured per environment (dev: 5, staging: 20, prod: 50+).
-      - Migrations run automatically on deploy (pre-deploy hook or init container). Never manually.
-  - id: api-testing
-    tier: recommended
-    title: "API-Specific Testing Requirements"
-    content: |
-      ## API-Specific Testing Requirements
-      ### Contract / Consumer-Driven Contract (CDC) — Mandatory
-      CDC is not optional for API projects. The consumer writes the pact file; the provider verifies it in CI before deployment. API breakage that passes all provider-side tests but fails consumers is the exact class of defect CDC prevents.
-      - Use Pact or Spring Cloud Contract.
-      - Pact broker (self-hosted or pactflow.io) stores pact files and verification results.
-      - Provider verification runs in CI on every build — a failed verification blocks deployment.
-      - CDC covers request schema, response schema, status codes, and error shapes. It does not cover load or security — those are separate gates.
-      ### API / Subcutaneous Tests as Primary Integration Layer
-      The subcutaneous layer (HTTP requests to a running server with real DB and stubbed external deps) is the primary integration verification surface for API projects. Unit tests verify logic; subcutaneous tests verify contracts.
-      - Use Supertest (Node) or httpx/pytest (Python) against a locally started server instance.
-      - Stub external services with WireMock, msw, or responses (Python). Never call real external APIs in CI.
-      - Every public endpoint has a subcutaneous test for: 200 happy path, 4xx validation rejection, 401/403 auth enforcement, and at least one edge case.
-      ### DAST at Staging — Mandatory
-      Dynamic application security testing is required before every production promotion. OWASP ZAP minimum.
-      - Run ZAP active scan against the staging environment as a post-deploy CI step.
-      - Define an acceptable risk threshold in the spec: which finding severities are blocking (High = always blocking; Medium/Low = tracked, not blocking by default).
-      - ZAP scan configuration committed to the repo (`zap-config.yaml`). Not a one-off manual step.
-      ### Rate Limiting and Throttling in Integration Layer
-      - Rate limit behavior must be covered in the subcutaneous integration suite, not just documented.
-      - Test: normal traffic (no throttle), burst traffic (trigger rate limit, receive 429), retry-after header present and correct.
-      - Test quota exhaustion and quota reset behavior for API-key-based limits.
-      ### Scaling
-      - Horizontal scaling by default. No in-memory session state — use Redis or DB.
-      - Auto-scaling rules based on CPU + request queue depth, not just CPU alone.
-      - Database read replicas for read-heavy workloads. Connection pooler (PgBouncer) in front of Postgres.
-  - id: api-smoke-testing
-    tier: recommended
-    title: "API Smoke Testing (Post-Deploy)"
-    content: |
-      ## API Smoke Testing
-      ### Required: Playwright APIRequestContext (no browser overhead)
-      Tag all smoke tests `@smoke` for isolated execution:
-      ```
-      npx playwright test --config playwright.smoke.config.ts --grep @smoke
-      ```
-      Minimum smoke suite for every API:
-      - **Health check**: `GET /health` → 200, body includes `status: ok` and `version`
-      - **Auth**: primary login endpoint with valid credentials → token returned
-      - **Primary read**: one representative `GET` → 200, response envelope validates
-      - **Primary write**: one representative `POST` → 2xx, verify with follow-up `GET`
-      - **404 shape**: non-existent resource → 404, error envelope matches spec contract
-      ```typescript
-      // tests/smoke/api.smoke.ts
-      import { test, expect } from '@playwright/test';
-      test('@smoke health check', async ({ request }) => {
-        const res = await request.get('/health');
-        expect(res.ok()).toBeTruthy();
-        const body = await res.json();
-        expect(body).toMatchObject({ status: 'ok' });
-      });
-      test('@smoke auth returns token', async ({ request }) => {
-        const res = await request.post('/api/v1/auth/login', {
-          data: {
-            email: process.env['SMOKE_USER'],
-            password: process.env['SMOKE_PASSWORD'],
-          },
-        });
-        expect(res.status()).toBe(200);
-        const body = await res.json();
-        expect(typeof body.token ?? body.data?.token).toBe('string');
-      });
-      ```
-      ```typescript
-      // playwright.smoke.config.ts
-      import { defineConfig } from '@playwright/test';
-      export default defineConfig({
-        use: { baseURL: process.env['PLAYWRIGHT_BASE_URL'] ?? 'http://localhost:3000' },
-        testMatch: '**/*.smoke.ts',
-        retries: 1,
-        timeout: 10_000,
-      });
-      ```
-      Smoke tests run against the **deployed staging URL** only (`PLAYWRIGHT_BASE_URL` env var).
-      They never run against localhost in CI — that is the integration suite's job.
-      CI integration (post-deploy step):
-      ```yaml
-      - name: Smoke Tests
-        run: npx playwright test --config playwright.smoke.config.ts
-        env:
-          PLAYWRIGHT_BASE_URL: ${{ env.STAGING_URL }}
-          SMOKE_USER: ${{ secrets.SMOKE_USER }}
-          SMOKE_PASSWORD: ${{ secrets.SMOKE_PASSWORD }}
-      ```
+tag: API
+section: instructions
+blocks:
+  - id: api-standards
+    tier: recommended
+    title: "API Service Standards"
+    content: |
+      ## API Standards
+      ### Contract First
+      - Define OpenAPI/JSON Schema spec before implementing endpoints.
+      - Generate types from spec — don't manually duplicate.
+      - Spec is the source of truth. Implementation must match.
+      ### Design Rules
+      - Version from day one: /api/v1/...
+      - Proper HTTP semantics: GET reads, POST creates, PUT replaces, PATCH updates, DELETE removes.
+      - Pagination on ALL list endpoints. Never return unbounded results.
+      - Consistent response envelope: { data, meta, errors }.
+      - Async operations return job ID + polling endpoint, not blocking results.
+      - Rate limiting on all public endpoints.
+      ### Validation
+      - Input validation at API boundary — reject malformed requests before they reach services.
+      - Use schema validation (Pydantic, Zod, Joi) not manual if-checks.
+      - Validate request body, query params, path params, and headers.
+      - Return 422 with specific field errors, not generic 400.
+      ### Authentication & Authorization
+      - Auth middleware/guards at router level, not checked inside handlers.
+      - Role-based or policy-based access control via decorators/middleware.
+      - Never trust client-sent user identity — always verify from token/session.
+      ### Database & Migrations
+      - Schema changes managed through migration files (Prisma Migrate, Knex, Flyway, Alembic).
+      - Every migration must be reversible (up + down). Test rollbacks.
+      - Never modify a deployed migration — create a new one.
+      - Seed data separate from migrations. Test seeds run in CI.
+      ### Security (OWASP Top 10)
+      - **Injection**: Parameterized queries only. No string concatenation for SQL, commands, or LDAP.
+      - **Broken Auth**: Rate-limit login attempts. Enforce strong passwords. Rotate tokens.
+      - **Sensitive Data Exposure**: Encrypt at rest (AES-256). Never log PII, tokens, or passwords.
+      - **XXE/XSS**: Sanitize all user-generated HTML. Content-Security-Policy headers on all responses.
+      - **Broken Access Control**: Enforce ownership checks — users can't access other users' resources.
+      - **Security Misconfiguration**: No default credentials. No verbose error messages in production.
+        Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.
+      - **CSRF**: Token-based protection on all state-changing endpoints (unless using SameSite cookies + bearer tokens).
+      - **Audit logging**: Log WHO did WHAT, WHEN, to WHICH resource. Separate from application logs.
+        Immutable. Retained per compliance requirements.
+      ### Graceful Shutdown
+      - Handle SIGTERM: stop accepting new requests, drain in-flight requests, close DB connections, exit.
+      - Kubernetes: readiness probe fails immediately, liveness continues during drain.
+      - Shutdown timeout configurable (default: 30s). Force exit after timeout.
+  - id: api-stack-constraints
+    tier: core
+    title: "API Stack Constraints"
+    content: |
+      ## API Stack Constraints — Approved Dependency Choices
+      These are the **approved libraries for this API project**.
+      Every choice has a banned alternative with a concrete reason.
+      If you reach for a banned alternative, stop and use the approved one instead.
+      Rationale is stated so you understand the constraint — not so you can argue around it.
+      {{#if language_is_typescript}}
+      ### TypeScript API — Required Packages
+      | Concern | Use | Do NOT use | Reason |
+      |---|---|---|---|
+      | **Password hashing** | `argon2@^0.31` | `bcrypt`, `bcryptjs` | `bcrypt` requires a native module (`@mapbox/node-pre-gyp`) that pulls in an old `tar` CVE chain. `argon2` is pure JS, faster, OWASP-preferred. |
+      | **HTTP framework** | `express@^4` or `fastify@^4` | `restify`, `hapi@<21`, `koa` alone | `restify` is unmaintained. `hapi` is fine at `^21+` only. |
+      | **Input validation** | `zod@^3` | `joi` alone, `express-validator` alone | `zod` infers TypeScript types natively — no separate type declaration needed. |
+      | **JWT** | `jsonwebtoken@^9` | `jwt-simple` (abandoned), `jsonwebtoken@<9` | Security fixes landed in v9. `jwt-simple` has no active maintainer. |
+      | **ORM / query builder** | `@prisma/client@^5` or `kysely@^0.27` | `typeorm`, `sequelize` | `typeorm` uses decorators (not type-safe), slow migrations. `sequelize` has weak TypeScript support. |
+      | **Logger** | `pino@^9` | `winston` alone, `console.log` in prod | `pino` is 5–10× faster than `winston` and outputs structured JSON natively. `console.log` is not structured. |
+      | **HTTP client (outbound)** | `undici@^6` or native `fetch` (Node 18+) | `axios` for Node ≥18 | Native `fetch` is available; `axios` adds bundle weight and a dependency surface for a built-in feature. |
+      | **ESLint** | `@typescript-eslint/eslint-plugin@^8` | `@typescript-eslint@^5` or `^6` | `^6` has a known CVE via old `minimatch` transitive dep. `^8` is the current stable. |
+      **npm audit policy**: `npm audit` must return zero `high` or `critical` findings before the
+      first commit. If a dependency introduces a high/critical CVE, replace it with an alternative
+      from this table or open an ADR documenting the exception with mitigation.
+      {{/if}}
+      {{#if language_is_python}}
+      ### Python API — Required Packages
+      | Concern | Use | Do NOT use | Reason |
+      |---|---|---|---|
+      | **Web framework** | `fastapi@^0.110` | `flask` for new async APIs | Flask has no native `async` request handling at the framework level — blocks on every request without extra extensions. |
+      | **Validation** | `pydantic@^2` | `pydantic@^1` | v2 is 5–50× faster. v1 is not maintained for new projects. Breaking API — pin to `^2`. |
+      | **Password hashing** | `argon2-cffi@^23` | `hashlib` for passwords, `MD5/SHA256` for passwords | `hashlib` is not a KDF — it is trivially reversible with a GPU. `argon2` wins OWASP Password Hashing Competition. |
+      | **JWT** | `PyJWT@^2.8` or `python-jose[cryptography]@^3.3` | `python-jwt` (unmaintained), `itsdangerous` alone | `python-jwt` has no active maintainer. `itsdangerous` is for URL-safe tokens, not JWT. |
+      | **ORM** | `sqlalchemy@^2.0` with `asyncpg` | `sqlalchemy@^1.x` | v2 has a fundamentally better async story and type-annotated query API. |
+      | **HTTP client** | `httpx@^0.27` | `requests` in async code | `requests` is sync-only — it will block the asyncio event loop. |
+      | **Logger** | `structlog@^24` | bare `logging` module in production | Unstructured log lines are not machine-parseable. `structlog` wraps `logging` with structured output. |
+      | **Linting** | `ruff@^0.4` | `flake8` + `isort` + `black` separately | `ruff` replaces all three with one tool 10–100× faster. No reason to run them separately. |
+      **pip audit policy**: `pip audit` must return zero `high` or `critical` findings before the
+      first commit. If a dependency introduces a high/critical CVE, replace it or open an ADR.
+      {{/if}}
+  - id: api-deployment
+    tier: recommended
+    title: "API Deployment & Hosting"
+    content: |
+      ## API Deployment
+      ### Container-Based (Production)
+      - Multi-stage Dockerfile: builder stage (install + compile) → runtime stage (minimal image, non-root).
+      - Pin base image digests, not just tags. Scan images for CVEs in CI (Trivy, Grype).
+      - Push to container registry (ECR, GCR, GHCR) on every merge to main.
+      - Orchestrate with Kubernetes, ECS, or Cloud Run. Define resource limits for every container.
+      ### PaaS / Quick Deploy
+      - **Railway**: Git-push deploy with auto-detected Dockerfile or Nixpacks. Ideal for staging and side projects.
+      - **Render**: Free tier + auto-deploy from Git. Native cron jobs, managed Postgres.
+      - **Fly.io**: Edge deployment with Firecracker VMs. Good for low-latency APIs. `fly deploy` from CI.
+      - All PaaS platforms: use platform env vars for secrets, connect managed DB add-ons, enable auto-sleep
+        for non-production to control cost.
+      ### Environment Management
+      - One Dockerfile, many environments. Same image runs in dev, staging, prod.
+      - Health check endpoint (`/health`) returns: status, version, uptime, dependency connectivity.
+      - Database connection pooling configured per environment (dev: 5, staging: 20, prod: 50+).
+      - Migrations run automatically on deploy (pre-deploy hook or init container). Never manually.
+  - id: api-testing
+    tier: recommended
+    title: "API-Specific Testing Requirements"
+    content: |
+      ## API-Specific Testing Requirements
+      ### Contract / Consumer-Driven Contract (CDC) — Mandatory
+      CDC is not optional for API projects. The consumer writes the pact file; the provider verifies it in CI before deployment. API breakage that passes all provider-side tests but fails consumers is the exact class of defect CDC prevents.
+      - Use Pact or Spring Cloud Contract.
+      - Pact broker (self-hosted or pactflow.io) stores pact files and verification results.
+      - Provider verification runs in CI on every build — a failed verification blocks deployment.
+      - CDC covers request schema, response schema, status codes, and error shapes. It does not cover load or security — those are separate gates.
+      ### API / Subcutaneous Tests as Primary Integration Layer
+      The subcutaneous layer (HTTP requests to a running server with real DB and stubbed external deps) is the primary integration verification surface for API projects. Unit tests verify logic; subcutaneous tests verify contracts.
+      - Use Supertest (Node) or httpx/pytest (Python) against a locally started server instance.
+      - Stub external services with WireMock, msw, or responses (Python). Never call real external APIs in CI.
+      - Every public endpoint has a subcutaneous test for: 200 happy path, 4xx validation rejection, 401/403 auth enforcement, and at least one edge case.
+      ### DAST at Staging — Mandatory
+      Dynamic application security testing is required before every production promotion. OWASP ZAP minimum.
+      - Run ZAP active scan against the staging environment as a post-deploy CI step.
+      - Define an acceptable risk threshold in the spec: which finding severities are blocking (High = always blocking; Medium/Low = tracked, not blocking by default).
+      - ZAP scan configuration committed to the repo (`zap-config.yaml`). Not a one-off manual step.
+      ### Rate Limiting and Throttling in Integration Layer
+      - Rate limit behavior must be covered in the subcutaneous integration suite, not just documented.
+      - Test: normal traffic (no throttle), burst traffic (trigger rate limit, receive 429), retry-after header present and correct.
+      - Test quota exhaustion and quota reset behavior for API-key-based limits.
+      ### Scaling
+      - Horizontal scaling by default. No in-memory session state — use Redis or DB.
+      - Auto-scaling rules based on CPU + request queue depth, not just CPU alone.
+      - Database read replicas for read-heavy workloads. Connection pooler (PgBouncer) in front of Postgres.
+  - id: api-smoke-testing
+    tier: recommended
+    title: "API Smoke Testing (Post-Deploy)"
+    content: |
+      ## API Smoke Testing
+      ### Required: Playwright APIRequestContext (no browser overhead)
+      Tag all smoke tests `@smoke` for isolated execution:
+      ```
+      npx playwright test --config playwright.smoke.config.ts --grep @smoke
+      ```
+      Minimum smoke suite for every API:
+      - **Health check**: `GET /health` → 200, body includes `status: ok` and `version`
+      - **Auth**: primary login endpoint with valid credentials → token returned
+      - **Primary read**: one representative `GET` → 200, response envelope validates
+      - **Primary write**: one representative `POST` → 2xx, verify with follow-up `GET`
+      - **404 shape**: non-existent resource → 404, error envelope matches spec contract
+      ```typescript
+      // tests/smoke/api.smoke.ts
+      import { test, expect } from '@playwright/test';
+      test('@smoke health check', async ({ request }) => {
+        const res = await request.get('/health');
+        expect(res.ok()).toBeTruthy();
+        const body = await res.json();
+        expect(body).toMatchObject({ status: 'ok' });
+      });
+      test('@smoke auth returns token', async ({ request }) => {
+        const res = await request.post('/api/v1/auth/login', {
+          data: {
+            email: process.env['SMOKE_USER'],
+            password: process.env['SMOKE_PASSWORD'],
+          },
+        });
+        expect(res.status()).toBe(200);
+        const body = await res.json();
+        expect(typeof body.token ?? body.data?.token).toBe('string');
+      });
+      ```
+      ```typescript
+      // playwright.smoke.config.ts
+      import { defineConfig } from '@playwright/test';
+      export default defineConfig({
+        use: { baseURL: process.env['PLAYWRIGHT_BASE_URL'] ?? 'http://localhost:3000' },
+        testMatch: '**/*.smoke.ts',
+        retries: 1,
+        timeout: 10_000,
+      });
+      ```
+      Smoke tests run against the **deployed staging URL** only (`PLAYWRIGHT_BASE_URL` env var).
+      They never run against localhost in CI — that is the integration suite's job.
+      CI integration (post-deploy step):
+      ```yaml
+      - name: Smoke Tests
+        run: npx playwright test --config playwright.smoke.config.ts
+        env:
+          PLAYWRIGHT_BASE_URL: ${{ env.STAGING_URL }}
+          SMOKE_USER: ${{ secrets.SMOKE_USER }}
+          SMOKE_PASSWORD: ${{ secrets.SMOKE_PASSWORD }}
+      ```