forgedev 1.1.0 → 1.1.3

package/README.md

@@ -16,6 +16,9 @@ npx forgedev init
 
 # Diagnose and optimize existing project
 npx forgedev doctor
+
+# Check for updates
+npx forgedev update
 ```
 
 ## Four Modes, Four Audiences
@@ -174,14 +177,51 @@ Every project includes:
 
 With Claude Code infrastructure enabled (default):
 
-- **CLAUDE.md** tailored to your stack
-- **Hooks** — auto-lint on edit, quality gate on stop
-- **Skills** — framework-specific knowledge
-- **Agents** — 5-agent verification chain
-- **Commands** — workflows, status, next, done, verify-all, audit-spec, audit-wiring, audit-security, pre-pr, run-uat, generate-prd, generate-uat, optimize-claude-md
+- **CLAUDE.md** tailored to your stack (with pitfalls and agents quick-reference)
+- **Hooks** — cross-platform Node.js `.mjs` hooks (auto-lint on edit, quality gate, protected file guard)
+- **17 Agents** — verification, development, review, and orchestration (see below)
+- **20 Commands** — daily workflow, verification, release, development, session management
+- **8 Skills** — framework-specific + universal knowledge
 - **UAT templates** — scenario packs and CSV checklists
 - **Prompt library** — the complete development prompt library
 
+## Agents (17)
+
+Every scaffolded project gets these agents in `.claude/agents/`:
+
+| Agent | Role | Access |
+|-------|------|--------|
+| `architect` | System design, data models, API contracts | Read-only |
+| `build-error-resolver` | Fix build/lint/type errors with minimal changes | Write |
+| `chief-of-staff` | Orchestrate multiple agents for complex tasks | Write |
+| `code-quality-reviewer` | Code quality review | Read-only |
+| `database-reviewer` | Query optimization, schema review, N+1 detection | Read-only |
+| `doc-updater` | Keep docs in sync with code changes | Write |
+| `docs-lookup` | Search framework docs for answers | Read-only |
+| `e2e-runner` | Generate and run Playwright E2E tests | Write |
+| `harness-optimizer` | Audit Claude Code setup, suggest optimizations | Read-only |
+| `loop-operator` | Autonomous improvement loops with stop conditions | Write |
+| `planner` | Create implementation plans before coding | Read-only |
+| `production-readiness` | Production deployment readiness review | Read-only |
+| `refactor-cleaner` | Dead code removal, duplicate elimination | Write |
+| `security-reviewer` | Security audit | Read-only |
+| `spec-validator` | Validate implementation matches specification | Read-only |
+| `tdd-guide` | Enforce RED-GREEN-REFACTOR TDD cycle | Write |
+| `uat-validator` | QA validation of UAT scenarios | Read-only |
+
+## Skills (8)
+
+| Skill | Scope |
+|-------|-------|
+| `nextjs` | Next.js 15 App Router patterns |
+| `fastapi` | FastAPI + SQLAlchemy 2.0 + Pydantic v2 |
+| `playwright` | Playwright E2E testing |
+| `security-web` | Web application security |
+| `security-api` | API security |
+| `ai-prompts` | AI/LLM integration patterns |
+| `git-workflow` | Git branching, commits, PR workflow (universal) |
+| `testing-patterns` | Test pyramid, AAA pattern, mocking (universal) |
+
 ## Development
 
 ```bash
@@ -190,6 +230,7 @@ npm test                           # run unit tests
 node bin/devforge.js test-output   # manual smoke test (guided + developer)
 node bin/devforge.js init          # test init mode (from any project dir)
 node bin/devforge.js doctor        # test doctor mode (from any project dir)
+node bin/devforge.js update        # check for updates
 ```
 
 ## Project Structure
@@ -198,7 +239,7 @@ node bin/devforge.js doctor        # test doctor mode (from any project dir)
 devforge/
 ├── bin/devforge.js              # CLI entry point
 ├── src/
-│   ├── cli.js                   # Command router (new, init, doctor)
+│   ├── cli.js                   # Command router (new, init, doctor, update)
 │   ├── index.js                 # New project orchestrator (guided + developer)
 │   ├── guided.js                # Guided mode (description → stack)
 │   ├── prompts.js               # Interactive prompts (Inquirer.js)
@@ -211,6 +252,8 @@ devforge/
 │   ├── doctor.js                # Doctor mode orchestrator
 │   ├── doctor-checks.js         # Diagnostic check functions
 │   ├── doctor-prompts.js        # Fix prompt generators
+│   ├── update-check.js          # npm registry version check
+│   ├── update.js                # Update command handler
 │   └── utils.js                 # File ops, logging, colors
 ├── templates/                   # Scaffold templates by category
 │   ├── base/                    # Every project gets this
@@ -225,26 +268,55 @@ devforge/
 └── docs/                        # Reference documentation
 ```
 
-## Claude Code Commands
+## Claude Code Commands (20)
 
 After running `npx forgedev init`, these slash commands are available inside Claude Code:
 
+**Daily Workflow:**
+
 | Command | What It Does |
 |---------|-------------|
 | `/workflows` | Lists all available workflows |
 | `/status` | Project dashboard — tests, branch, changes |
 | `/next` | Figures out your next task |
 | `/done` | Verifies task completion |
+
+**Verification:**
+
+| Command | What It Does |
+|---------|-------------|
 | `/verify-all` | Runs lint, type check, tests, then launches reviewers |
+| `/full-audit` | Runs every audit and review agent in a single pass |
 | `/audit-spec` | Validates implementation against a spec/PRD |
 | `/audit-wiring` | Finds dead or unwired features |
 | `/audit-security` | Runs a security audit |
+| `/code-review` | Reviews uncommitted changes for security and quality |
+
+**Release:**
+
+| Command | What It Does |
+|---------|-------------|
 | `/pre-pr` | Runs the complete pre-PR checklist |
 | `/run-uat` | Executes UAT scenarios |
+
+**Development:**
+
+| Command | What It Does |
+|---------|-------------|
+| `/plan` | Invoke planner agent for implementation planning |
+| `/build-fix` | Incrementally fix build/lint/type errors |
+| `/tdd` | Enforce test-driven development cycle |
 | `/generate-prd` | Generates a PRD with Mermaid diagrams |
 | `/generate-uat` | Generates UAT scenarios from codebase |
 | `/optimize-claude-md` | Proposes splitting an oversized CLAUDE.md |
 
+**Session:**
+
+| Command | What It Does |
+|---------|-------------|
+| `/save-session` | Save work context for later resumption |
+| `/resume-session` | Load saved session and continue where you left off |
+
 ## Install
 
 ```bash

package/bin/devforge.js

@@ -1,4 +1,13 @@
 #!/usr/bin/env node
 import { parseCommand } from '../src/cli.js';
 
-parseCommand(process.argv.slice(2));
+try {
+  await parseCommand(process.argv.slice(2));
+} catch (err) {
+  // Graceful exit on Ctrl+C / prompt cancellation
+  if (err?.name === 'ExitPromptError' || err?.code === 'ERR_USE_AFTER_CLOSE') {
+    console.log('');
+    process.exit(0);
+  }
+  throw err;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "forgedev",
-  "version": "1.1.0",
+  "version": "1.1.3",
   "description": "Universal, AI-first project scaffolding CLI with Claude Code infrastructure",
   "type": "module",
   "bin": {

package/src/claude-configurator.js

@@ -260,6 +260,7 @@ function generateCommands(outputDir, config, vars) {
     'tdd.md',
     'save-session.md',
     'resume-session.md',
+    'full-audit.md',
   ];
 
   for (const cmd of commands) {

package/src/cli.js

@@ -46,6 +46,12 @@ export async function parseCommand(args) {
     return;
   }
 
+  if (command === 'update') {
+    const { runUpdate } = await import('./update.js');
+    await runUpdate();
+    return;
+  }
+
   // Shorthand: devforge my-app → devforge new my-app
   if (!command.startsWith('-')) {
     const targetDir = path.resolve(process.cwd(), command);
@@ -73,6 +79,7 @@ function showUsage() {
     devforge new <name>     Create a new project
     devforge init           Add dev guardrails to current project
     devforge doctor         Diagnose and optimize current project
+    devforge update         Check for newer version
     devforge <name>         Shorthand for ${chalk.dim('devforge new <name>')}
 
   ${chalk.bold('Options:')}
@@ -105,6 +112,10 @@ function showHelp() {
       flaky tests, dead code, duplicate code, and more.
       Generates Claude Code prompts to fix each issue.
 
+    ${chalk.bold('devforge update')}
+      Check if a newer version of DevForge is available.
+      Shows upgrade instructions if an update exists.
+
   ${chalk.bold('Supported stacks (V1):')}
     - Next.js full-stack (TypeScript + Prisma + PostgreSQL)
     - FastAPI backend (Python + SQLAlchemy + PostgreSQL)

package/src/doctor-prompts.js

@@ -176,6 +176,15 @@ ${fileList}
 
 Extract all prompts into a dedicated prompts file (e.g., src/lib/prompts.ts or prompts/). This makes prompts easier to version, A/B test, and iterate on without changing application code.`;
   },
+
+  DEVFORGE_UPDATE: (issue) => {
+    return `A newer version of DevForge is available.
+
+Run: npm install -g forgedev@latest
+Then re-run: npx forgedev init
+
+This will update your project's agents, commands, skills, and hooks to the latest version.`;
+  },
 };
 
 export function generatePrompt(issue) {
@@ -223,8 +232,6 @@ export function generateReport(issues, projectName) {
   const critical = issues.filter(i => i.severity === 'critical');
   const warnings = issues.filter(i => i.severity === 'warning');
   const info = issues.filter(i => i.severity === 'info');
-  const healthy = []; // Could be populated by passing in good checks
-
   let report = `# DevForge Doctor Report — ${projectName}
 Generated: ${new Date().toISOString().split('T')[0]}
 

package/src/doctor.js

@@ -29,6 +29,25 @@ export async function runDoctor(projectDir) {
   // Run all checks
   const issues = runAllChecks(projectDir, scan);
 
+  // Check for DevForge updates (5s timeout, won't crash on failure)
+  try {
+    const { checkForUpdate } = await import('./update-check.js');
+    const updateResult = await checkForUpdate();
+    if (updateResult?.updateAvailable) {
+      issues.push({
+        severity: 'info',
+        title: `DevForge update available: ${updateResult.current} → ${updateResult.latest}`,
+        impact: 'Newer version may include improved agents, commands, and bug fixes',
+        files: [],
+        autoFixable: false,
+        promptId: 'DEVFORGE_UPDATE',
+        effort: 'quick',
+      });
+    }
+  } catch {
+    // Silently ignore — network issues shouldn't block doctor
+  }
+
   if (issues.length === 0) {
     console.log(chalk.green('  ✓ Your project looks healthy! No issues found.'));
     console.log('');

package/src/index.js

@@ -11,6 +11,13 @@ import { generateUAT } from './uat-generator.js';
 
 export async function runNew(projectName) {
   const safeName = toKebabCase(projectName);
+
+  // Prevent path traversal — project name must not escape cwd
+  if (/[\/\\]/.test(safeName) || safeName.includes('..')) {
+    log.error('Project name must not contain path separators or ".."');
+    process.exit(1);
+  }
+
   const outputDir = path.resolve(process.cwd(), safeName);
 
   if (fs.existsSync(outputDir)) {

package/src/update-check.js

@@ -0,0 +1,49 @@
+import fs from 'node:fs';
+
+const PACKAGE_NAME = 'forgedev';
+
+/**
+ * Compare two semver strings (major.minor.patch).
+ * Returns 1 if a > b, -1 if a < b, 0 if equal.
+ */
+export function compareVersions(a, b) {
+  const pa = a.split('.').map(Number);
+  const pb = b.split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((pa[i] || 0) > (pb[i] || 0)) return 1;
+    if ((pa[i] || 0) < (pb[i] || 0)) return -1;
+  }
+  return 0;
+}
+
+/**
+ * Check npm registry for a newer version of forgedev.
+ * Returns { current, latest, updateAvailable } or null on failure.
+ */
+export async function checkForUpdate() {
+  const pkg = JSON.parse(
+    fs.readFileSync(new URL('../package.json', import.meta.url), 'utf-8')
+  );
+  const currentVersion = pkg.version;
+
+  try {
+    const response = await fetch(
+      `https://registry.npmjs.org/${PACKAGE_NAME}/latest`,
+      { signal: AbortSignal.timeout(5000) }
+    );
+    if (!response.ok) return null;
+    const data = await response.json();
+    const latestVersion = data.version;
+
+    // Validate version format before trusting registry response
+    if (!/^\d+\.\d+\.\d+/.test(latestVersion)) return null;
+
+    return {
+      current: currentVersion,
+      latest: latestVersion,
+      updateAvailable: compareVersions(latestVersion, currentVersion) > 0,
+    };
+  } catch {
+    return null;
+  }
+}

package/src/update.js

@@ -0,0 +1,33 @@
+import chalk from 'chalk';
+import { log } from './utils.js';
+import { checkForUpdate } from './update-check.js';
+
+export async function runUpdate() {
+  console.log('');
+  console.log(chalk.bold.cyan('  DevForge') + chalk.dim(' — Checking for updates...'));
+  console.log('');
+
+  const result = await checkForUpdate();
+
+  if (result === null) {
+    log.warn('  Could not reach the npm registry. Check your internet connection.');
+    console.log('');
+    return;
+  }
+
+  if (!result.updateAvailable) {
+    log.success(`  ✓ You're on the latest version (${result.current})`);
+    console.log('');
+    return;
+  }
+
+  log.warn(`  Update available: ${result.current} → ${result.latest}`);
+  console.log('');
+  console.log('  To update:');
+  console.log(`    ${chalk.bold('npm install -g forgedev@latest')}   ${chalk.dim('(if installed globally)')}`);
+  console.log(`    ${chalk.bold('npx forgedev@latest new my-app')}  ${chalk.dim('(one-time use)')}`);
+  console.log('');
+  log.dim('  To update an existing project\'s Claude Code infrastructure:');
+  log.dim('    cd my-project && npx forgedev@latest init');
+  console.log('');
+}

package/templates/auth/jwt-custom/backend/app/core/security.py.template

@@ -1,3 +1,4 @@
+import os
 from datetime import datetime, timedelta, timezone
 
 from jose import JWTError, jwt
@@ -7,7 +8,9 @@ from app.core.config import settings
 
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
 
-SECRET_KEY = "change-me-in-production"  # TODO: Move to settings/env
+SECRET_KEY = os.environ.get("JWT_SECRET_KEY")
+if not SECRET_KEY:
+    raise RuntimeError("JWT_SECRET_KEY environment variable is required. Set it in your .env file.")
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 30
 

package/templates/backend/fastapi/backend/app/core/config.py.template

@@ -6,8 +6,8 @@ class Settings(BaseSettings):
     app_name: str = "{{PROJECT_NAME_PASCAL}}"
     debug: bool = False
 
-    # Database
-    database_url: str = "postgresql+asyncpg://postgres:postgres@localhost:5432/{{PROJECT_NAME_SNAKE}}"
+    # Database — no default: must be set via .env or environment
+    database_url: str
 
     # CORS
     cors_origins: list[str] = ["http://localhost:3000"]

package/templates/claude-code/agents/build-error-resolver.md

@@ -8,9 +8,8 @@ You are a build error resolution specialist. Your job is to fix build/type/lint
 
 1. **Collect errors** — Run `{{BUILD_COMMAND}}`, `{{LINT_COMMAND}}`, and `{{TYPE_CHECK_COMMAND}}` to capture all errors
 2. **Group by file** — Sort errors by file path, fix in dependency order (imports/types before logic)
-3. **Fix one at a time** — Read the file, diagnose root cause, apply minimal edit, re-run build
-4. **Verify** — After each fix, confirm the error is gone and no new errors were introduced
-
+3. **Fix one error at a time** — Read the file, diagnose root cause, apply minimal edit
+4. **Verify** — After each fix, re-run all three commands to confirm the error is gone and no new errors were introduced
 ## Common Fix Patterns
 
 | Error Type | Fix |

package/templates/claude-code/agents/database-reviewer.md

@@ -19,7 +19,7 @@ You are a database specialist. Your job is to review database code for performan
 - [ ] Transactions are short-lived (no long-running transactions)
 
 ### Schema Design
-- [ ] Primary keys use UUID or serial (not random values that fragment indexes)
+- [ ] Primary keys use sequential identifiers (SERIAL, BIGSERIAL, UUIDv7) to avoid index fragmentation
 - [ ] Foreign keys have indexes
 - [ ] Timestamps use timezone-aware types (`timestamptz` not `timestamp`)
 - [ ] Nullable columns have explicit defaults or are intentionally nullable

package/templates/claude-code/agents/doc-updater.md

@@ -6,7 +6,7 @@ You are a documentation specialist. Your job is to keep project documentation ac
 
 ## Workflow
 
-1. **Detect changes** — Run `git diff --name-only HEAD~1` to see what changed
+1. **Detect changes** — Run `git diff --name-only HEAD~1` to see files changed in the last commit
 2. **Identify affected docs** — Map code changes to documentation that needs updating
 3. **Update docs** — Edit README, API docs, changelogs, and inline comments
 4. **Verify links** — Check that all referenced files and endpoints still exist

package/templates/claude-code/agents/loop-operator.md

@@ -14,8 +14,7 @@ Execute iterative improvement loops safely: run a sequence of checks → fixes
 2. **Set stop conditions** — Define when to stop (all tests pass, zero lint errors, or max 5 iterations)
 3. **Execute iteration** — Fix one category of issues per iteration
 4. **Checkpoint** — After each iteration, record progress and compare to baseline
-5. **Evaluate** — If progress stalled (same errors as last iteration), stop and report
-6. **Report** — Show baseline vs final state with concrete numbers
+5. **Evaluate** — If no progress across 2 consecutive iterations, stop and report6. **Report** — Show baseline vs final state with concrete numbers
 
 ## Stop Conditions (halt the loop if any are true)
 

package/templates/claude-code/agents/uat-validator.md

@@ -16,7 +16,8 @@ Read-only. Never modify code.
    a. Verify the feature exists in the codebase
    b. Check if there's a corresponding automated test
    c. If automated test exists, verify it covers the scenario's steps
-   d. Flag gaps: scenarios without tests, tests without scenarios
+   d. Flag scenarios without automated tests
+3. Scan test files to identify orphaned tests (tests without corresponding UAT scenarios)
 
 ## Output: Traceability Matrix
 

package/templates/claude-code/claude-md/base.md

@@ -14,7 +14,7 @@
 ## RULES
 - Never commit `.env` files or secrets
 - Never modify migration files directly — generate new migrations instead
-- All API responses use structured error format: `{ error: { code, message } }`
+- All API responses use structured error format: `{ "error": { "code": "ERR_CODE", "message": "..." } }`
 - Never leak stack traces to clients
 - Health check endpoints must always be available
 - Write tests for new features before marking them complete
@@ -23,7 +23,7 @@
 
 ## Pitfalls
 - Never commit lock file merge conflicts — delete and regenerate
-- Never use `any` type — use `unknown` and narrow with type guards
+- Never use loose types (`any` in TS, `Any` in Python) — use strict types and narrow explicitly
 - Never hardcode URLs, ports, or credentials — use environment variables
 - Never catch errors silently — always log or re-throw
 - Never push directly to main — always use feature branches

package/templates/claude-code/commands/build-fix.md

@@ -22,7 +22,7 @@ For each error:
 1. Read the file to see error context
 2. Diagnose the root cause (missing import, wrong type, syntax error)
 3. Apply the smallest possible fix
-4. Re-run the build to verify the error is gone
+4. Re-run all three commands (build, lint, type check) to confirm the error is gone and no new errors were introduced
 5. Move to the next error
 
 ## Step 4: Guardrails

package/templates/claude-code/commands/code-review.md

@@ -33,11 +33,10 @@ For each changed file, check:
 ## Step 3: Generate Report
 
 For each issue found:
-- **Severity**: CRITICAL, HIGH, MEDIUM, LOW
+- **Severity**: CRITICAL, HIGH, MEDIUM
 - **File**: path and line number
 - **Issue**: what's wrong
 - **Fix**: how to fix it
-
 ## Step 4: Verdict
 
 - If CRITICAL issues found → block commit, list required fixes

package/templates/claude-code/commands/full-audit.md

@@ -0,0 +1,60 @@
+Run every audit and review agent in a single pass. Use this when you want a comprehensive project health check.
+
+## Step 1: Build + Lint + Tests
+
+1. Run lint: `{{LINT_COMMAND}}`
+2. Run type check: `{{TYPE_CHECK_COMMAND}}`
+3. Run tests: `{{TEST_COMMAND}}`
+
+If any step fails, report the failures but continue with the remaining audits.
+
+## Step 2: Code Review (changed files)
+
+1. Get changed files: `git diff --name-only HEAD`
+2. For each changed file, check for:
+   - Hardcoded credentials, API keys, tokens
+   - SQL injection, XSS, path traversal
+   - Functions > 50 lines, files > 800 lines
+   - Missing error handling, console.log left in
+   - Missing tests for new code
+
+## Step 3: Launch Review Agents
+
+Run these agents in sequence on the full codebase:
+
+1. **code-quality-reviewer** — code patterns, duplication, naming
+2. **security-reviewer** — vulnerabilities, secrets, unsafe operations
+3. **production-readiness** — deployment readiness, error handling, health checks
+4. **database-reviewer** — query performance, N+1, schema issues (skip if no database)
+
+## Step 4: Structural Audits
+
+1. **Wiring audit** — verify all API endpoints are connected between frontend and backend
+2. **Spec audit** — if `docs/` contains a spec/PRD, validate implementation coverage
+
+## Step 5: Claude Code Setup
+
+1. **harness-optimizer** — check if .claude/ setup follows best practices
+
+## Step 6: Summary Report
+
+Compile all findings into a single report grouped by severity:
+
+```
+CRITICAL (must fix before merge):
+  - [list]
+
+HIGH (fix soon):
+  - [list]
+
+MEDIUM (improve when possible):
+  - [list]
+
+LOW (nice to have):
+  - [list]
+
+PASSED:
+  - [list of checks that found no issues]
+```
+
+Include total counts: X critical, Y high, Z medium, W low.

package/templates/claude-code/commands/workflows.md

@@ -15,6 +15,7 @@ Show the developer what workflows are available.
 
 ### Verification
 - `/verify-all` — Run lint, type check, tests, then launch all reviewers
+- `/full-audit` — Run every audit and review agent in a single pass
 - `/audit-spec` — Validate implementation against a spec/PRD
 - `/audit-wiring` — Find dead or unwired features
 - `/audit-security` — Run a security audit

package/templates/claude-code/hooks/scripts/autofix-polyglot.mjs

@@ -1,7 +1,8 @@
 #!/usr/bin/env node
 // Auto-fix lint issues on saved TypeScript or Python files (polyglot)
 
-import { execSync } from 'node:child_process';
+import { execFileSync } from 'node:child_process';
+import { resolve } from 'node:path';
 
 let input = '';
 process.stdin.setEncoding('utf8');
@@ -11,19 +12,26 @@ process.stdin.on('end', () => {
     const data = JSON.parse(input);
     const filePath = data?.tool_input?.file_path || '';
 
-    if (!filePath) {
+    if (!filePath || filePath.includes('..')) {
+      process.exit(0);
+    }
+
+    // Ensure path stays within the working directory
+    const resolved = resolve(filePath);
+    const cwd = resolve('.');
+    if (!resolved.startsWith(cwd)) {
       process.exit(0);
     }
 
     if (filePath.endsWith('.ts') || filePath.endsWith('.tsx')) {
       try {
-        execSync(`npx eslint --fix "${filePath}"`, { stdio: 'pipe', cwd: 'frontend' });
+        execFileSync('npx', ['eslint', '--fix', filePath], { stdio: 'pipe', cwd: 'frontend' });
       } catch {
         // eslint may exit non-zero for unfixable issues — that's okay
       }
     } else if (filePath.endsWith('.py')) {
       try {
-        execSync(`ruff check --fix "${filePath}"`, { stdio: 'pipe', cwd: 'backend' });
+        execFileSync('ruff', ['check', '--fix', filePath], { stdio: 'pipe', cwd: 'backend' });
       } catch {
         // ruff may exit non-zero for unfixable issues — that's okay
       }

package/templates/claude-code/hooks/scripts/autofix-python.mjs

@@ -1,7 +1,8 @@
 #!/usr/bin/env node
 // Auto-fix lint issues on saved Python files
 
-import { execSync } from 'node:child_process';
+import { execFileSync } from 'node:child_process';
+import { resolve } from 'node:path';
 
 let input = '';
 process.stdin.setEncoding('utf8');
@@ -11,13 +12,20 @@ process.stdin.on('end', () => {
     const data = JSON.parse(input);
     const filePath = data?.tool_input?.file_path || '';
 
-    if (!filePath) {
+    if (!filePath || filePath.includes('..')) {
+      process.exit(0);
+    }
+
+    // Ensure path stays within the working directory
+    const resolved = resolve(filePath);
+    const cwd = resolve('.');
+    if (!resolved.startsWith(cwd)) {
       process.exit(0);
     }
 
     if (filePath.endsWith('.py')) {
       try {
-        execSync(`ruff check --fix "${filePath}"`, { stdio: 'pipe', cwd: 'backend' });
+        execFileSync('ruff', ['check', '--fix', filePath], { stdio: 'pipe', cwd: 'backend' });
       } catch {
         // ruff may exit non-zero for unfixable issues — that's okay
       }

package/templates/claude-code/hooks/scripts/autofix-typescript.mjs

@@ -1,7 +1,8 @@
 #!/usr/bin/env node
 // Auto-fix lint issues on saved TypeScript files
 
-import { execSync } from 'node:child_process';
+import { execFileSync } from 'node:child_process';
+import { resolve } from 'node:path';
 
 let input = '';
 process.stdin.setEncoding('utf8');
@@ -11,13 +12,20 @@ process.stdin.on('end', () => {
     const data = JSON.parse(input);
     const filePath = data?.tool_input?.file_path || '';
 
-    if (!filePath) {
+    if (!filePath || filePath.includes('..')) {
+      process.exit(0);
+    }
+
+    // Ensure path stays within the working directory
+    const resolved = resolve(filePath);
+    const cwd = resolve('.');
+    if (!resolved.startsWith(cwd)) {
       process.exit(0);
     }
 
     if (filePath.endsWith('.ts') || filePath.endsWith('.tsx')) {
       try {
-        execSync(`npx eslint --fix "${filePath}"`, { stdio: 'pipe' });
+        execFileSync('npx', ['eslint', '--fix', filePath], { stdio: 'pipe' });
       } catch {
         // eslint may exit non-zero for unfixable issues — that's okay
       }

package/templates/claude-code/skills/ai-prompts/SKILL.md

@@ -33,6 +33,7 @@ description: AI/LLM integration patterns and best practices
 ## Security
 - Never include user secrets in prompts
 - Sanitize user input before including in prompts
+- Protect against prompt injection attacks (delimiter tokens, input validation, output filtering)
 - Validate and sanitize AI output before using
 - Don't trust AI output for security decisions
 

package/templates/claude-code/skills/fastapi/SKILL.md

@@ -29,7 +29,7 @@ description: FastAPI + SQLAlchemy 2.0 + Pydantic v2 patterns
 - Raise `AppError` subclasses, never `HTTPException` with raw strings
 - Global exception handler catches unhandled errors
 - Never expose stack traces or internal details to clients
-- Use structured error format: `{ error: { code, message } }`
+- Use structured error format: `{ "error": { "code": "ERR_CODE", "message": "Error description" } }`
 
 ## Testing
 - Use `httpx.AsyncClient` with `ASGITransport` for async tests

package/templates/claude-code/skills/git-workflow/SKILL.md

@@ -61,4 +61,4 @@ If rebase gets messy: `git rebase --abort` and start over.
 - Never commit `.env` files, credentials, or large binaries
 - Never rebase commits that have been pushed and shared
 - Never merge main into feature branches (rebase instead)
-- Always pull before pushing: `git pull --rebase origin main`
+- Always pull before pushing: `git pull --rebase` (pulls current branch's upstream)

package/templates/claude-code/skills/playwright/SKILL.md

@@ -25,8 +25,8 @@ description: Playwright E2E testing patterns and best practices
 
 ## Common Patterns
 - Navigation: `await page.goto('/')` then assert page loaded
-- Form filling: `await page.fill('[name=email]', 'test@example.com')`
-- Clicking: `await page.click('button[type=submit]')` or `getByRole`
+- Form filling: `await page.getByLabel('Email').fill('test@example.com')`
+- Clicking: `await page.getByRole('button', { name: 'Submit' }).click()`
 - Waiting: prefer auto-waiting over explicit waits
 - Network: `page.waitForResponse()` for API-dependent tests
 - Authentication: use `storageState` for persistent auth across tests

package/templates/claude-code/skills/security-api/SKILL.md

@@ -16,7 +16,7 @@ description: API security best practices
 - Validate all input with Pydantic models
 - Set max lengths on string fields
 - Validate email formats, URLs, phone numbers
-- Reject unexpected fields (Pydantic does this by default)
+- Reject unexpected fields (set `extra = "forbid"` in Pydantic model config)
 - Validate file uploads (size, type, extension)
 
 ## SQL Injection Prevention
@@ -38,7 +38,7 @@ description: API security best practices
 - Never expose stack traces to clients
 - Use generic error messages for auth failures
 - Log detailed errors server-side only
-- Return structured error responses: `{ error: { code, message } }`
+- Return structured error responses: `{ "error": { "code": "ERR_CODE", "message": "Error description" } }`
 
 ## Secrets Management
 - Store secrets in environment variables, never in code

package/templates/database/sqlalchemy-postgres/.env.example

@@ -1 +1,2 @@
 DATABASE_URL="postgresql+asyncpg://postgres:postgres@localhost:5432/{{PROJECT_NAME_SNAKE}}"
+JWT_SECRET_KEY="change-me-generate-a-random-secret"