npm - ima-claude - Versions diffs - 2.18.0 → 2.25.0 - Mend

ima-claude 2.18.0 → 2.25.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/plugins/ima-claude/skills/rails/SKILL.md CHANGED Viewed

@@ -5,38 +5,19 @@ description: "Ruby on Rails conventions + security - strong parameters, ActiveRe
 # Rails
-Convention-over-configuration development on the happy path, with security non-negotiables that prevent the most common Rails vulnerabilities.
+Convention-over-configuration on the happy path. Work with Rails opinions, not against them.
-## When to Use This Skill
+**Foundation**: Reference `../ruby-fp/SKILL.md` for Ruby FP core. Business logic in service objects — keep models and controllers thin.
-- Building Rails controllers, models, services
-- Reviewing Rails code for security or structure
-- Adding features to an existing Rails application
-- Discourse plugin development (see also `discourse` skill)
-## Core Philosophy
-Rails has opinions. Work with them, not against them. The framework gives you:
-- SQL injection protection via ActiveRecord (use it)
-- CSRF protection by default (don't disable it)
-- XSS protection via ERB auto-escaping (use `<%= %>`)
-- Mass assignment protection via Strong Parameters (permit explicitly)
-**Functional core still applies in Rails.** Business logic in service modules/plain Ruby objects. Keep models and controllers thin.
-**Foundation**: Reference `../ruby-fp/SKILL.md` for Ruby FP core principles.
-## The 5 Non-Negotiable Security Practices
+## 5 Non-Negotiable Security Practices
 | Practice | Prevents | Rule |
 |----------|----------|------|
-| **Strong Parameters** | Mass assignment | `params.require(:model).permit(:field, ...)` on ALL controller actions |
-| **Parameterized Queries** | SQL injection | ActiveRecord methods or `?`/named placeholders — NEVER string interpolation |
-| **CSRF Protection** | CSRF | Never disable `protect_from_forgery`; use `form_with` helpers |
-| **Before Actions (Auth)** | Unauthorized access | `before_action :authenticate_user!` or equivalent on ALL sensitive actions |
-| **Secrets via Credentials** | Credential exposure | Rails credentials or ENV — never hardcode secrets in source |
-### Quick Reference: The Five in Code
+| Strong Parameters | Mass assignment | `params.require(:model).permit(:field, ...)` on ALL controller actions |
+| Parameterized Queries | SQL injection | ActiveRecord methods or `?`/named placeholders — NEVER string interpolation |
+| CSRF Protection | CSRF | Never disable `protect_from_forgery`; use `form_with` helpers |
+| Before Actions (Auth) | Unauthorized access | `before_action :authenticate_user!` on ALL sensitive actions |
+| Secrets via Credentials | Credential exposure | Rails credentials or `ENV.fetch` — never hardcode |
 ```ruby
 # 1. Strong Parameters
@@ -45,21 +26,19 @@ def user_params
   # Never: params[:user]  or  params.permit!
 end
-# 2. Parameterized Queries — ActiveRecord keeps you safe
+# 2. Parameterized Queries
 User.where(email: params[:email])                          # safe
 User.where("email = ?", params[:email])                    # safe
-User.where("email = :email", email: params[:email])        # safe
 User.where("email = '#{params[:email]}'")                  # NEVER — SQL injection
-# 3. CSRF — keep default, use form helpers
+# 3. CSRF — keep default
 class ApplicationController < ActionController::Base
   protect_from_forgery with: :exception  # default — keep it
 end
-# form_with and form_for automatically include the token
 # 4. Before action auth
 class PostsController < ApplicationController
-  before_action :authenticate_user!          # Devise
+  before_action :authenticate_user!
   before_action :require_admin, only: [:destroy]
   private
@@ -68,133 +47,83 @@ class PostsController < ApplicationController
   end
 end
-# 5. Credentials — never hardcode
-# config/credentials.yml.enc (encrypted)
-# Access: Rails.application.credentials.stripe[:secret_key]
-# ENV fallback: ENV.fetch('STRIPE_SECRET_KEY')
+# 5. Credentials
+Rails.application.credentials.stripe[:secret_key]
+ENV.fetch('STRIPE_SECRET_KEY')  # raises KeyError if missing
 ```
 ## ActiveRecord Safety
 ```ruby
-# SAFE — all these use parameterization internally
-User.find(params[:id])                     # auto-cast to integer
+# SAFE
+User.find(params[:id])
 User.find_by(email: params[:email])
 User.where(status: params[:status])
 User.where("created_at > ?", 1.week.ago)
-# SAFE — sanitize_sql_like for LIKE patterns
 query = ActiveRecord::Base.sanitize_sql_like(params[:search])
 User.where("name LIKE ?", "%#{query}%")
-# UNSAFE — never do these
-User.where("id = #{params[:id]}")          # SQL injection
-User.where("name LIKE '%#{params[:q]}%'")  # SQL injection
-User.find_by("email = '#{email}'")         # SQL injection
+# UNSAFE — never
+User.where("id = #{params[:id]}")
+User.where("name LIKE '%#{params[:q]}%'")
+User.find_by("email = '#{email}'")
-# Raw SQL when needed — use sanitize or bind params
+# Raw SQL — use bind params
 User.find_by_sql(["SELECT * FROM users WHERE token = ?", token])
-ActiveRecord::Base.connection.execute(
-  ActiveRecord::Base.sanitize_sql(["UPDATE users SET x = ? WHERE id = ?", val, id])
-)
 ```
 ## Mass Assignment
 ```ruby
-# BAD — never permit all, never skip permit
-User.new(params[:user])           # bypasses strong params
-User.update(params.permit!)       # permits everything — dangerous
+# BAD
+User.new(params[:user])
+User.update(params.permit!)
-# GOOD — explicit whitelist
+# GOOD
 def user_params
   params.require(:user).permit(:name, :email, :bio)
 end
-# Nested params
 def post_params
   params.require(:post).permit(:title, :body, tags: [], author: [:name, :email])
 end
-# Never permit sensitive fields
-# role, admin, password_digest, confirmed_at — set these explicitly in code
+# Set sensitive fields explicitly — never from params
 def promote_to_admin
-  @user.update!(role: 'admin')  # explicit, not from params
+  @user.update!(role: 'admin')
 end
 ```
 ## XSS in Views
 ```ruby
-# ERB auto-escaping — always use <%= %> for user content
 <%= user.name %>           # safe — HTML-escaped
-<%== user.name %>          # UNSAFE — raw output, HTML injection risk
-<%= raw user.name %>       # UNSAFE — same as above
-<%= user.name.html_safe %> # UNSAFE — marking untrusted content safe
-# When you need to render HTML you control
+<%== user.name %>          # UNSAFE — raw output
+<%= raw user.name %>       # UNSAFE
 <%= sanitize user.bio, tags: %w[b i em strong p] %>
-# JavaScript context — never interpolate directly
-<script>var name = "<%= user.name %>"</script>  # UNSAFE — XSS via JS
-# GOOD
-<script>var data = <%= user.to_json.html_safe %></script>  # if you control the data
-# BEST — pass via data attributes
+# JS context — pass via data attributes, not interpolation
 <div data-user-name="<%= user.name %>"></div>
 ```
-## Authentication & Authorization Pattern
+## Authentication & Authorization
 ```ruby
-# Authentication — Devise is the Rails default
-# Before action guards all sensitive routes
 class ApplicationController < ActionController::Base
   before_action :authenticate_user!
-  # Override to allow public actions
   skip_before_action :authenticate_user!, only: [:index, :show]
 end
-# Authorization — policy objects (Pundit pattern or manual)
+# Policy object (Pundit pattern)
 class PostPolicy
-  def initialize(user, post)
-    @user = user
-    @post = post
-  end
-  def update?
-    @user.admin? || @post.user_id == @user.id
-  end
+  def initialize(user, post) = @user, @post = user, post
+  def update? = @user.admin? || @post.user_id == @user.id
 end
-# In controller
 def update
   @post = Post.find(params[:id])
-  policy = PostPolicy.new(current_user, @post)
-  return head :forbidden unless policy.update?
-  # ... update logic
+  return head :forbidden unless PostPolicy.new(current_user, @post).update?
+  # update logic
 end
-# NEVER rely on hidden fields or client-side checks alone
-# Always enforce auth server-side
-```
-## Secrets Management
-```ruby
-# config/credentials.yml.enc (encrypted, safe to commit)
-# Edit with: rails credentials:edit
-# Access:
-Rails.application.credentials.database[:password]
-Rails.application.credentials.dig(:aws, :access_key_id)
-# ENV for 12-factor apps (Heroku, Docker, etc.)
-# Always use fetch to fail loudly if missing
-DB_PASSWORD = ENV.fetch('DB_PASSWORD')  # raises KeyError if missing
-DB_PASSWORD = ENV.fetch('DB_PASSWORD') { raise "DB_PASSWORD not set" }
-# Never in source code
-config.secret_key_base = "abc123hardcoded"  # NEVER
 ```
 ## Controller Pattern
@@ -205,9 +134,7 @@ class UsersController < ApplicationController
   before_action :set_user, only: [:show, :update, :destroy]
   before_action :authorize_user!, only: [:update, :destroy]
-  def show
-    render json: @user.as_json(only: [:id, :name, :email])
-  end
+  def show = render json: @user.as_json(only: [:id, :name, :email])
   def update
     if @user.update(user_params)
@@ -219,71 +146,46 @@ class UsersController < ApplicationController
   private
-  def set_user
-    @user = User.find(params[:id])
-  end
-  def authorize_user!
-    head :forbidden unless current_user.admin? || @user == current_user
-  end
-  def user_params
-    params.require(:user).permit(:name, :email, :bio)
-  end
+  def set_user = @user = User.find(params[:id])
+  def authorize_user! = head :forbidden unless current_user.admin? || @user == current_user
+  def user_params = params.require(:user).permit(:name, :email, :bio)
 end
 ```
-## Model: Thin, Validated, No Business Logic
+## Model: Thin, Validated
 ```ruby
 class User < ApplicationRecord
-  # Validations
   validates :email, presence: true, uniqueness: { case_sensitive: false },
                     format: { with: URI::MailTo::EMAIL_REGEXP }
   validates :name, presence: true, length: { maximum: 100 }
-  # Scopes — declarative query building
   scope :active, -> { where(active: true) }
   scope :recent, -> { order(created_at: :desc) }
-  scope :admins, -> { where(role: 'admin') }
-  # Callbacks — use sparingly, only for model lifecycle concerns
   before_save :normalize_email
-  # Associations
   has_many :posts, dependent: :destroy
-  belongs_to :organization
   private
-  def normalize_email
-    self.email = email.to_s.strip.downcase
-  end
+  def normalize_email = self.email = email.to_s.strip.downcase
 end
-# Business logic lives in service objects, NOT the model
-# UserRegistrationService, UserImportService, etc.
+# Business logic → service objects
 ```
-## Service Objects (Functional Core in Rails)
+## Service Objects (Functional Core)
 ```ruby
-# app/services/user_registration_service.rb
 class UserRegistrationService
   Result = Data.define(:success, :user, :errors)
-  def self.call(attrs)
-    new(attrs).call
-  end
+  def self.call(attrs) = new(attrs).call
-  def initialize(attrs)
-    @attrs = attrs
-  end
+  def initialize(attrs) = @attrs = attrs
   def call
     user = User.new(normalized_attrs)
     if user.save
-      send_welcome_email(user)
+      WelcomeMailer.with(user: user).welcome_email.deliver_later
       Result.new(success: true, user: user, errors: [])
     else
       Result.new(success: false, user: nil, errors: user.errors.full_messages)
@@ -298,13 +200,8 @@ class UserRegistrationService
       name: @attrs[:name].to_s.strip
     )
   end
-  def send_welcome_email(user)
-    WelcomeMailer.with(user: user).welcome_email.deliver_later
-  end
 end
-# Usage in controller
 result = UserRegistrationService.call(user_params)
 ```
@@ -312,18 +209,13 @@ result = UserRegistrationService.call(user_params)
 ```
 app/
-├── controllers/
-│   └── users_controller.rb      # Thin — delegate to services
-├── models/
-│   └── user.rb                  # Validations, scopes, associations only
-├── services/
-│   └── user_registration_service.rb  # Business logic
-├── policies/
-│   └── user_policy.rb           # Authorization rules
-└── views/
-    └── users/                   # Only <%= %> — never <%== %>
+├── controllers/   # Thin — delegate to services
+├── models/        # Validations, scopes, associations only
+├── services/      # Business logic
+├── policies/      # Authorization rules
+└── views/         # Only <%= %> — never <%== %>
 config/
-└── credentials.yml.enc          # Secrets (encrypted)
+└── credentials.yml.enc  # Secrets (encrypted)
 ```
 ## Security Checklist
@@ -331,29 +223,16 @@ config/
 - [ ] Strong Parameters on all mutating actions
 - [ ] No string interpolation in SQL queries
 - [ ] `protect_from_forgery` enabled (default — don't remove)
-- [ ] `before_action` auth guard on all sensitive routes
-- [ ] No secrets in source code — credentials or ENV.fetch
+- [ ] `before_action` auth on all sensitive routes
+- [ ] No secrets in source — credentials or `ENV.fetch`
 - [ ] ERB uses `<%= %>` not `<%== %>` for user content
-- [ ] `sanitize` used when rendering user-supplied HTML
-- [ ] Dependency audit: `bundle exec bundler-audit check --update`
+- [ ] `sanitize` for user-supplied HTML
+- [ ] `bundle exec bundler-audit check --update`
-## When to Load Reference Files
-### Security Deep Dive
-**File**: [`references/security.md`](references/security.md)
-**Load when**: Need vulnerable vs. safe comparisons, injection examples, CSRF details
-**Contains**: Full attack examples, all Rails security helpers, CSP configuration
-### ActiveRecord Patterns
-**File**: [`references/activerecord.md`](references/activerecord.md)
-**Load when**: Complex queries, raw SQL needs, migration patterns, performance
-**Contains**: Query interface, raw SQL safety, N+1 prevention, index strategy
-### Testing Strategy
-**File**: [`references/testing.md`](references/testing.md)
-**Load when**: Writing request specs, model specs, service object tests
-**Contains**: RSpec patterns, factory patterns, security test examples
----
+## Reference Files
-**Evidence Base**: OWASP Top 10 (2021), Rails Security Guide, RailsFactory/Corgea security research (2024–2025).
+| File | Load when |
+|------|-----------|
+| [`references/security.md`](references/security.md) | Vulnerable vs. safe comparisons, injection examples, CSP |
+| [`references/activerecord.md`](references/activerecord.md) | Complex queries, raw SQL, migrations, N+1 prevention |
+| [`references/testing.md`](references/testing.md) | RSpec patterns, factory patterns, security tests |

package/plugins/ima-claude/skills/resume-session/SKILL.md CHANGED Viewed

@@ -5,64 +5,43 @@ description: "Resume previous session from Serena MCP memory. Use when: resume s
 # resume-session
-Resume a previously saved session from Serena MCP memory.
+## Steps
-## Trigger Phrases
-- "resume session"
-- "restore session"
-- "load session"
-- "continue session"
-- "resume from save"
-## Instructions
-1. Use `mcp__serena__read_memory` with memory name `session-state`
-2. Search Vestige for project context: `mcp__vestige__search query: "{project-name}" limit: 5`
-3. Check for pending intentions: `mcp__vestige__intention action: "check"`
-4. Parse the content and provide a brief status summary
-5. Wait for user direction before taking action
+1. `mcp__serena__read_memory` with name `session-state`
+2. `mcp__vestige__search query: "{project-name}" limit: 5`
+3. `mcp__vestige__intention action: "check"`
+4. Summarize state, wait for user direction
 ## Output Format
 ```
 ## Session Resumed
-**Task**: {current task from memory}
-**Last saved**: {date from memory}
+**Task**: {current task}
+**Last saved**: {date}
 ### Status
-- {bullet 1: what was in progress}
-- {bullet 2: key decision or context}
-- {bullet 3: main outstanding item}
+- {what was in progress}
+- {key decision or context}
+- {main outstanding item}
 ### Suggested Next Step
-{The "Resume Hint" from memory, or first outstanding item}
+{Resume Hint from memory, or first outstanding item}
 Ready to continue. What would you like to focus on?
 ```
 ## Rules
-- **Do not** take any actions beyond reading and summarizing
-- **Do not** start working on outstanding items automatically
-- **Do not** re-read files mentioned unless user asks
-- **Do** present the state clearly and wait for direction
+- Read and summarize only — no automatic action on outstanding items
+- Do not re-read files unless asked
 ## If Memory Not Found
-Respond with:
 ```
 No session memory found.
 To save a session, use: /ima-claude:save-session
 ```
-You can also check available memories with `mcp__serena__list_memories` if helpful.
-## Technical Notes
-- Uses Serena MCP `read_memory` tool (no file path confusion)
-- Memory persists across Claude sessions in project context
-- Project-specific storage (sessions are project-bound)
-- Single checkpoint model (latest session-state only)
+Check available memories with `mcp__serena__list_memories` if helpful.