ima-claude 2.20.0 → 2.26.0

package/plugins/ima-claude/skills/rails/SKILL.md

@@ -5,38 +5,19 @@ description: "Ruby on Rails conventions + security - strong parameters, ActiveRe
 
 # Rails
 
-Convention-over-configuration development on the happy path, with security non-negotiables that prevent the most common Rails vulnerabilities.
+Convention-over-configuration on the happy path. Work with Rails opinions, not against them.
 
-## When to Use This Skill
+**Foundation**: Reference `../ruby-fp/SKILL.md` for Ruby FP core. Business logic in service objects — keep models and controllers thin.
 
-- Building Rails controllers, models, services
-- Reviewing Rails code for security or structure
-- Adding features to an existing Rails application
-- Discourse plugin development (see also `discourse` skill)
-
-## Core Philosophy
-
-Rails has opinions. Work with them, not against them. The framework gives you:
-- SQL injection protection via ActiveRecord (use it)
-- CSRF protection by default (don't disable it)
-- XSS protection via ERB auto-escaping (use `<%= %>`)
-- Mass assignment protection via Strong Parameters (permit explicitly)
-
-**Functional core still applies in Rails.** Business logic in service modules/plain Ruby objects. Keep models and controllers thin.
-
-**Foundation**: Reference `../ruby-fp/SKILL.md` for Ruby FP core principles.
-
-## The 5 Non-Negotiable Security Practices
+## 5 Non-Negotiable Security Practices
 
 | Practice | Prevents | Rule |
 |----------|----------|------|
-| **Strong Parameters** | Mass assignment | `params.require(:model).permit(:field, ...)` on ALL controller actions |
-| **Parameterized Queries** | SQL injection | ActiveRecord methods or `?`/named placeholders — NEVER string interpolation |
-| **CSRF Protection** | CSRF | Never disable `protect_from_forgery`; use `form_with` helpers |
-| **Before Actions (Auth)** | Unauthorized access | `before_action :authenticate_user!` or equivalent on ALL sensitive actions |
-| **Secrets via Credentials** | Credential exposure | Rails credentials or ENV — never hardcode secrets in source |
-
-### Quick Reference: The Five in Code
+| Strong Parameters | Mass assignment | `params.require(:model).permit(:field, ...)` on ALL controller actions |
+| Parameterized Queries | SQL injection | ActiveRecord methods or `?`/named placeholders — NEVER string interpolation |
+| CSRF Protection | CSRF | Never disable `protect_from_forgery`; use `form_with` helpers |
+| Before Actions (Auth) | Unauthorized access | `before_action :authenticate_user!` on ALL sensitive actions |
+| Secrets via Credentials | Credential exposure | Rails credentials or `ENV.fetch` — never hardcode |
 
 ```ruby
 # 1. Strong Parameters
@@ -45,21 +26,19 @@ def user_params
   # Never: params[:user]  or  params.permit!
 end
 
-# 2. Parameterized Queries — ActiveRecord keeps you safe
+# 2. Parameterized Queries
 User.where(email: params[:email])                          # safe
 User.where("email = ?", params[:email])                    # safe
-User.where("email = :email", email: params[:email])        # safe
 User.where("email = '#{params[:email]}'")                  # NEVER — SQL injection
 
-# 3. CSRF — keep default, use form helpers
+# 3. CSRF — keep default
 class ApplicationController < ActionController::Base
   protect_from_forgery with: :exception  # default — keep it
 end
-# form_with and form_for automatically include the token
 
 # 4. Before action auth
 class PostsController < ApplicationController
-  before_action :authenticate_user!          # Devise
+  before_action :authenticate_user!
   before_action :require_admin, only: [:destroy]
 
   private
@@ -68,133 +47,83 @@ class PostsController < ApplicationController
   end
 end
 
-# 5. Credentials — never hardcode
-# config/credentials.yml.enc (encrypted)
-# Access: Rails.application.credentials.stripe[:secret_key]
-# ENV fallback: ENV.fetch('STRIPE_SECRET_KEY')
+# 5. Credentials
+Rails.application.credentials.stripe[:secret_key]
+ENV.fetch('STRIPE_SECRET_KEY')  # raises KeyError if missing
 ```
 
 ## ActiveRecord Safety
 
 ```ruby
-# SAFE — all these use parameterization internally
-User.find(params[:id])                     # auto-cast to integer
+# SAFE
+User.find(params[:id])
 User.find_by(email: params[:email])
 User.where(status: params[:status])
 User.where("created_at > ?", 1.week.ago)
-
-# SAFE — sanitize_sql_like for LIKE patterns
 query = ActiveRecord::Base.sanitize_sql_like(params[:search])
 User.where("name LIKE ?", "%#{query}%")
 
-# UNSAFE — never do these
-User.where("id = #{params[:id]}")          # SQL injection
-User.where("name LIKE '%#{params[:q]}%'")  # SQL injection
-User.find_by("email = '#{email}'")         # SQL injection
+# UNSAFE — never
+User.where("id = #{params[:id]}")
+User.where("name LIKE '%#{params[:q]}%'")
+User.find_by("email = '#{email}'")
 
-# Raw SQL when needed — use sanitize or bind params
+# Raw SQL — use bind params
 User.find_by_sql(["SELECT * FROM users WHERE token = ?", token])
-ActiveRecord::Base.connection.execute(
-  ActiveRecord::Base.sanitize_sql(["UPDATE users SET x = ? WHERE id = ?", val, id])
-)
 ```
 
 ## Mass Assignment
 
 ```ruby
-# BAD — never permit all, never skip permit
-User.new(params[:user])           # bypasses strong params
-User.update(params.permit!)       # permits everything — dangerous
+# BAD
+User.new(params[:user])
+User.update(params.permit!)
 
-# GOOD — explicit whitelist
+# GOOD
 def user_params
   params.require(:user).permit(:name, :email, :bio)
 end
-
-# Nested params
 def post_params
   params.require(:post).permit(:title, :body, tags: [], author: [:name, :email])
 end
 
-# Never permit sensitive fields
-# role, admin, password_digest, confirmed_at — set these explicitly in code
+# Set sensitive fields explicitly — never from params
 def promote_to_admin
-  @user.update!(role: 'admin')  # explicit, not from params
+  @user.update!(role: 'admin')
 end
 ```
 
 ## XSS in Views
 
 ```ruby
-# ERB auto-escaping — always use <%= %> for user content
 <%= user.name %>           # safe — HTML-escaped
-<%== user.name %>          # UNSAFE — raw output, HTML injection risk
-<%= raw user.name %>       # UNSAFE — same as above
-<%= user.name.html_safe %> # UNSAFE — marking untrusted content safe
-
-# When you need to render HTML you control
+<%== user.name %>          # UNSAFE — raw output
+<%= raw user.name %>       # UNSAFE
 <%= sanitize user.bio, tags: %w[b i em strong p] %>
 
-# JavaScript context — never interpolate directly
-<script>var name = "<%= user.name %>"</script>  # UNSAFE — XSS via JS
-# GOOD
-<script>var data = <%= user.to_json.html_safe %></script>  # if you control the data
-# BEST — pass via data attributes
+# JS context — pass via data attributes, not interpolation
 <div data-user-name="<%= user.name %>"></div>
 ```
 
-## Authentication & Authorization Pattern
+## Authentication & Authorization
 
 ```ruby
-# Authentication — Devise is the Rails default
-# Before action guards all sensitive routes
 class ApplicationController < ActionController::Base
   before_action :authenticate_user!
-
-  # Override to allow public actions
   skip_before_action :authenticate_user!, only: [:index, :show]
 end
 
-# Authorization — policy objects (Pundit pattern or manual)
+# Policy object (Pundit pattern)
 class PostPolicy
-  def initialize(user, post)
-    @user = user
-    @post = post
-  end
-
-  def update?
-    @user.admin? || @post.user_id == @user.id
-  end
+  def initialize(user, post) = @user, @post = user, post
+  def update? = @user.admin? || @post.user_id == @user.id
 end
 
-# In controller
 def update
   @post = Post.find(params[:id])
-  policy = PostPolicy.new(current_user, @post)
-  return head :forbidden unless policy.update?
-  # ... update logic
+  return head :forbidden unless PostPolicy.new(current_user, @post).update?
+  # update logic
 end
-
-# NEVER rely on hidden fields or client-side checks alone
-# Always enforce auth server-side
-```
-
-## Secrets Management
-
-```ruby
-# config/credentials.yml.enc (encrypted, safe to commit)
-# Edit with: rails credentials:edit
-# Access:
-Rails.application.credentials.database[:password]
-Rails.application.credentials.dig(:aws, :access_key_id)
-
-# ENV for 12-factor apps (Heroku, Docker, etc.)
-# Always use fetch to fail loudly if missing
-DB_PASSWORD = ENV.fetch('DB_PASSWORD')  # raises KeyError if missing
-DB_PASSWORD = ENV.fetch('DB_PASSWORD') { raise "DB_PASSWORD not set" }
-
-# Never in source code
-config.secret_key_base = "abc123hardcoded"  # NEVER
 ```
 
 ## Controller Pattern
@@ -205,9 +134,7 @@ class UsersController < ApplicationController
   before_action :set_user, only: [:show, :update, :destroy]
   before_action :authorize_user!, only: [:update, :destroy]
 
-  def show
-    render json: @user.as_json(only: [:id, :name, :email])
-  end
+  def show = render json: @user.as_json(only: [:id, :name, :email])
 
   def update
     if @user.update(user_params)
@@ -219,71 +146,46 @@ class UsersController < ApplicationController
 
   private
 
-  def set_user
-    @user = User.find(params[:id])
-  end
-
-  def authorize_user!
-    head :forbidden unless current_user.admin? || @user == current_user
-  end
-
-  def user_params
-    params.require(:user).permit(:name, :email, :bio)
-  end
+  def set_user = @user = User.find(params[:id])
+  def authorize_user! = head :forbidden unless current_user.admin? || @user == current_user
+  def user_params = params.require(:user).permit(:name, :email, :bio)
 end
 ```
 
-## Model: Thin, Validated, No Business Logic
+## Model: Thin, Validated
 
 ```ruby
 class User < ApplicationRecord
-  # Validations
   validates :email, presence: true, uniqueness: { case_sensitive: false },
                     format: { with: URI::MailTo::EMAIL_REGEXP }
   validates :name, presence: true, length: { maximum: 100 }
 
-  # Scopes — declarative query building
   scope :active, -> { where(active: true) }
   scope :recent, -> { order(created_at: :desc) }
-  scope :admins, -> { where(role: 'admin') }
 
-  # Callbacks — use sparingly, only for model lifecycle concerns
   before_save :normalize_email
-
-  # Associations
   has_many :posts, dependent: :destroy
-  belongs_to :organization
 
   private
-
-  def normalize_email
-    self.email = email.to_s.strip.downcase
-  end
+  def normalize_email = self.email = email.to_s.strip.downcase
 end
-
-# Business logic lives in service objects, NOT the model
-# UserRegistrationService, UserImportService, etc.
+# Business logic → service objects
 ```
 
-## Service Objects (Functional Core in Rails)
+## Service Objects (Functional Core)
 
 ```ruby
-# app/services/user_registration_service.rb
 class UserRegistrationService
   Result = Data.define(:success, :user, :errors)
 
-  def self.call(attrs)
-    new(attrs).call
-  end
+  def self.call(attrs) = new(attrs).call
 
-  def initialize(attrs)
-    @attrs = attrs
-  end
+  def initialize(attrs) = @attrs = attrs
 
   def call
     user = User.new(normalized_attrs)
     if user.save
-      send_welcome_email(user)
+      WelcomeMailer.with(user: user).welcome_email.deliver_later
       Result.new(success: true, user: user, errors: [])
     else
       Result.new(success: false, user: nil, errors: user.errors.full_messages)
@@ -298,13 +200,8 @@ class UserRegistrationService
       name: @attrs[:name].to_s.strip
     )
   end
-
-  def send_welcome_email(user)
-    WelcomeMailer.with(user: user).welcome_email.deliver_later
-  end
 end
 
-# Usage in controller
 result = UserRegistrationService.call(user_params)
 ```
 
@@ -312,18 +209,13 @@ result = UserRegistrationService.call(user_params)
 
 ```
 app/
-├── controllers/
-│   └── users_controller.rb      # Thin — delegate to services
-├── models/
-│   └── user.rb                  # Validations, scopes, associations only
-├── services/
-│   └── user_registration_service.rb  # Business logic
-├── policies/
-│   └── user_policy.rb           # Authorization rules
-└── views/
-    └── users/                   # Only <%= %> — never <%== %>
+├── controllers/   # Thin — delegate to services
+├── models/        # Validations, scopes, associations only
+├── services/      # Business logic
+├── policies/      # Authorization rules
+└── views/         # Only <%= %> — never <%== %>
 config/
-└── credentials.yml.enc          # Secrets (encrypted)
+└── credentials.yml.enc  # Secrets (encrypted)
 ```
 
 ## Security Checklist
@@ -331,29 +223,16 @@ config/
 - [ ] Strong Parameters on all mutating actions
 - [ ] No string interpolation in SQL queries
 - [ ] `protect_from_forgery` enabled (default — don't remove)
-- [ ] `before_action` auth guard on all sensitive routes
-- [ ] No secrets in source code — credentials or ENV.fetch
+- [ ] `before_action` auth on all sensitive routes
+- [ ] No secrets in source — credentials or `ENV.fetch`
 - [ ] ERB uses `<%= %>` not `<%== %>` for user content
-- [ ] `sanitize` used when rendering user-supplied HTML
-- [ ] Dependency audit: `bundle exec bundler-audit check --update`
+- [ ] `sanitize` for user-supplied HTML
+- [ ] `bundle exec bundler-audit check --update`
 
-## When to Load Reference Files
-
-### Security Deep Dive
-**File**: [`references/security.md`](references/security.md)
-**Load when**: Need vulnerable vs. safe comparisons, injection examples, CSRF details
-**Contains**: Full attack examples, all Rails security helpers, CSP configuration
-
-### ActiveRecord Patterns
-**File**: [`references/activerecord.md`](references/activerecord.md)
-**Load when**: Complex queries, raw SQL needs, migration patterns, performance
-**Contains**: Query interface, raw SQL safety, N+1 prevention, index strategy
-
-### Testing Strategy
-**File**: [`references/testing.md`](references/testing.md)
-**Load when**: Writing request specs, model specs, service object tests
-**Contains**: RSpec patterns, factory patterns, security test examples
-
----
+## Reference Files
 
-**Evidence Base**: OWASP Top 10 (2021), Rails Security Guide, RailsFactory/Corgea security research (2024–2025).
+| File | Load when |
+|------|-----------|
+| [`references/security.md`](references/security.md) | Vulnerable vs. safe comparisons, injection examples, CSP |
+| [`references/activerecord.md`](references/activerecord.md) | Complex queries, raw SQL, migrations, N+1 prevention |
+| [`references/testing.md`](references/testing.md) | RSpec patterns, factory patterns, security tests |

package/plugins/ima-claude/skills/resume-session/SKILL.md

@@ -5,64 +5,43 @@ description: "Resume previous session from Serena MCP memory. Use when: resume s
 
 # resume-session
 
-Resume a previously saved session from Serena MCP memory.
+## Steps
 
-## Trigger Phrases
-
-- "resume session"
-- "restore session"
-- "load session"
-- "continue session"
-- "resume from save"
-
-## Instructions
-
-1. Use `mcp__serena__read_memory` with memory name `session-state`
-2. Search Vestige for project context: `mcp__vestige__search query: "{project-name}" limit: 5`
-3. Check for pending intentions: `mcp__vestige__intention action: "check"`
-4. Parse the content and provide a brief status summary
-5. Wait for user direction before taking action
+1. `mcp__serena__read_memory` with name `session-state`
+2. `mcp__vestige__search query: "{project-name}" limit: 5`
+3. `mcp__vestige__intention action: "check"`
+4. Summarize state, wait for user direction
 
 ## Output Format
 
 ```
 ## Session Resumed
 
-**Task**: {current task from memory}
-**Last saved**: {date from memory}
+**Task**: {current task}
+**Last saved**: {date}
 
 ### Status
-- {bullet 1: what was in progress}
-- {bullet 2: key decision or context}
-- {bullet 3: main outstanding item}
+- {what was in progress}
+- {key decision or context}
+- {main outstanding item}
 
 ### Suggested Next Step
-{The "Resume Hint" from memory, or first outstanding item}
+{Resume Hint from memory, or first outstanding item}
 
 Ready to continue. What would you like to focus on?
 ```
 
 ## Rules
 
-- **Do not** take any actions beyond reading and summarizing
-- **Do not** start working on outstanding items automatically
-- **Do not** re-read files mentioned unless user asks
-- **Do** present the state clearly and wait for direction
+- Read and summarize only — no automatic action on outstanding items
+- Do not re-read files unless asked
 
 ## If Memory Not Found
 
-Respond with:
 ```
 No session memory found.
 
 To save a session, use: /ima-claude:save-session
 ```
 
-You can also check available memories with `mcp__serena__list_memories` if helpful.
-
-## Technical Notes
-
-- Uses Serena MCP `read_memory` tool (no file path confusion)
-- Memory persists across Claude sessions in project context
-- Project-specific storage (sessions are project-bound)
-- Single checkpoint model (latest session-state only)
+Check available memories with `mcp__serena__list_memories` if helpful.