ima-claude 2.9.0

package/plugins/ima-claude/skills/compound-bridge/SKILL.md

@@ -0,0 +1,200 @@
+---
+name: "compound-bridge"
+description: "Compound Engineering integration — memory bridge (Compound → Vestige/Qdrant), Vestige → Compound research, role separation (plan vs task-master), per-project config template. Triggers when Compound workflows complete or when orchestrating plan/review workflows. Triggers on: /workflows:compound, /workflows:plan, /workflows:review, compound engineering, compound-engineering.local."
+---
+
+# Compound Bridge — Compound Engineering + ima-claude Integration
+
+Minimal connective tissue between Compound Engineering (structured workflows) and ima-claude (coding standards + memory). Removing this skill returns both systems to standalone behavior.
+
+## Memory Bridge: Compound → Vestige/Qdrant
+
+After Compound workflow events, **automatically store insights** without being asked:
+
+| After This Event | Store This | Where |
+|---|---|---|
+| `/workflows:compound` writes a solution | Root cause + key insight (1-2 sentences) | Vestige `smart_ingest`, node_type: `pattern` |
+| `/workflows:compound` writes a solution (>500 words) | Full solution content | Qdrant `qdrant-store`, collection: `compound-solutions` |
+| `/workflows:plan` completes with research | Key decisions + approach chosen | Vestige `smart_ingest`, node_type: `decision` |
+| `/workflows:review` finds P1/P2 issues | Pattern summary of findings | Vestige `smart_ingest`, node_type: `pattern` |
+
+### Compound → Vestige Example
+
+After `/workflows:compound` finishes writing to `docs/solutions/`:
+
+```
+mcp__vestige__smart_ingest
+  content: "Root cause: {concise root cause}. Fix: {approach taken}. Key insight: {what we learned}"
+  node_type: "pattern"
+```
+
+### Compound → Qdrant Example (Large Solutions)
+
+For solutions over ~500 words, also store the full document in Qdrant for RAG retrieval:
+
+```
+mcp__qdrant-memory__qdrant-store
+  information: "{full solution content}"
+  metadata: {"type": "compound-solution", "source": "docs/solutions/{filename}"}
+```
+
+## Memory Bridge: Vestige → Compound Research
+
+When orchestrating `/workflows:plan`, **search Vestige before/alongside** the learnings-researcher agent:
+
+```
+mcp__vestige__search query: "{feature keywords}" limit: 5
+```
+
+Include Vestige results alongside file-based learnings, marked as cross-project provenance:
+
+```markdown
+### Prior Knowledge (Cross-Project — Vestige)
+- {vestige result 1}
+- {vestige result 2}
+
+### Prior Solutions (Project — docs/solutions/)
+- {learnings-researcher results}
+```
+
+This supplements but does not replace the learnings-researcher's `docs/solutions/` grep.
+
+## Role Separation: Planning
+
+Both `task-master` and `/workflows:plan` handle planning. They have different lanes:
+
+| Need | Use | Why |
+|---|---|---|
+| Formal feature planning with research | `/workflows:plan` | Research agents, structured documentation, living plan file |
+| Ad-hoc work breakdown during implementation | `task-master` | Decomposition patterns, storage strategy, agent delegation |
+| Breaking a plan into executable tasks | Both | Plan creates the doc; task-master principles guide breakdown |
+
+### task-master Principles That Enhance Compound Workflows
+
+These apply when `/workflows:work` creates its task list:
+
+- **Two-level max** agent delegation (Compound's swarm already respects this)
+- **Model selection**: Sonnet for execution, Opus for orchestration
+- **Minimal context principle** for subagents — only include what they need
+- **Vertical decomposition** for sequential work, **horizontal** for parallel
+
+## Per-Project Config: `compound-engineering.local.md`
+
+Create this file in project roots where both systems are used. It tells Compound's review agents about our coding standards.
+
+### Template
+
+```markdown
+---
+review_agents:
+  - code-simplicity-reviewer
+  - security-sentinel
+  - performance-oracle
+  - kieran-typescript-reviewer
+  - kieran-python-reviewer
+  - architecture-strategist
+  - pattern-recognition-specialist
+  - julik-frontend-races-reviewer
+  - agent-native-reviewer
+---
+
+## Coding Standards (ima-claude)
+
+FP-first: pure functions, composition, immutability. Anti-over-engineering: YAGNI strictly, boring code wins. Native patterns only — no custom pipe/compose/curry utilities.
+
+Language skills auto-activate by context:
+- JavaScript: js-fp | PHP: php-fp | Vue: js-fp-vue | React: js-fp-react
+- WordPress JS: js-fp-wordpress, jquery | WordPress PHP: php-fp-wordpress
+- Quasar: quasar-fp | Bootstrap: ima-bootstrap
+
+## Work Decomposition (task-master)
+
+- Two-level max agent delegation
+- Sonnet for execution, Opus for orchestration
+- Minimal context principle for subagents
+```
+
+### When to Create
+
+Create `compound-engineering.local.md` when:
+- A project uses both ima-claude skills AND Compound Engineering workflows
+- You're about to run `/workflows:review` for the first time in a project
+
+Don't create it for projects that only use one system.
+
+## What Works Without This Skill
+
+These integrate naturally — no bridge needed:
+
+- ima-claude language/FP skills auto-activate during `/workflows:work` by file type
+- Compound's research agents (learnings-researcher, best-practices-researcher) fill gaps ima-claude doesn't cover
+- Compound's 15 specialized review agents complement our FP-focused standards
+- Compound's brainstorm workflow is genuinely new capability
+
+## Artifact Resilience: Surviving Branch Switches & Context Compaction
+
+Compound workflows write artifacts to the working tree (`docs/brainstorms/`, `docs/plans/`, `docs/solutions/`, `todos/`). These files are **not committed** during workflows. Git branch switching during `/workflows:work` **destroys them**. Context compaction loses agent results that reference them. This section prevents that.
+
+### Rule 1: Shadow Copy to `.claude/compound/`
+
+**After EVERY workflow artifact write**, immediately copy the file to `.claude/compound/`:
+
+```
+# After /workflows:brainstorm writes to docs/brainstorms/
+cp docs/brainstorms/{file}.md .claude/compound/brainstorms/{file}.md
+
+# After /workflows:plan writes to docs/plans/
+cp docs/plans/{file}.md .claude/compound/plans/{file}.md
+
+# After /workflows:compound writes to docs/solutions/
+cp docs/solutions/{category}/{file}.md .claude/compound/solutions/{category}/{file}.md
+
+# After /workflows:review writes to todos/
+cp todos/{file}.md .claude/compound/todos/{file}.md
+```
+
+Create directories with `mkdir -p` as needed. The `.claude/` directory is gitignored and **survives branch switches** — just like Claude Code's own plan files.
+
+**Also shadow-copy on edits**: When `/workflows:work` updates plan checkboxes (`- [ ]` → `- [x]`), copy the updated plan to the shadow location too.
+
+### Rule 2: Eager Memory Bridge (Store Immediately, Not Just at Completion)
+
+Don't wait until a workflow finishes to bridge to memory. Store **immediately after each artifact write**:
+
+| After Writing | Store Immediately |
+|---|---|
+| Brainstorm document | Vestige `smart_ingest`: key decisions + open questions, node_type: `decision` |
+| Plan document | Vestige `smart_ingest`: approach + task list summary, node_type: `decision` |
+| Plan checkbox update | Vestige `smart_ingest`: progress snapshot (X of Y tasks done), node_type: `observation` |
+| Review todo file | Vestige `smart_ingest`: finding summary + priority, node_type: `pattern` |
+| Solution document | Vestige + Qdrant (per existing rules above) |
+
+This ensures that even if context compacts or the session dies, the knowledge survives in memory.
+
+### Rule 3: Pre-Branch-Switch Checkpoint
+
+**Before ANY `git checkout`, `git switch`, or worktree operation** during a Compound workflow:
+
+1. Verify all workflow artifacts have shadow copies in `.claude/compound/`
+2. If any are missing, create them immediately
+3. Store a Vestige snapshot: `smart_ingest` with content summarizing current workflow state (which phase, what's done, what's next), node_type: `observation`
+
+### Rule 4: Recovery from Shadow Copies
+
+If workflow artifacts are lost (branch switch, reset, or interrupted session):
+
+1. Check `.claude/compound/` for shadow copies
+2. Restore them to their working-tree locations (`docs/plans/`, etc.)
+3. Check Vestige for the most recent workflow state snapshot
+4. Resume from where we left off
+
+### Rule 5: Commit `compound-engineering.local.md` Early
+
+This file is **persistent project config**, not a transient artifact. When creating or modifying `compound-engineering.local.md`, commit it to the current branch promptly so it survives branch switches via git rather than shadow copies.
+
+## What This Skill Does NOT Do
+
+- Modify the Compound Engineering plugin — it stays as-is from the marketplace
+- Create custom scripts or utilities — all integration is skill instructions
+- Add new MCP servers — uses existing Vestige, Qdrant, Serena
+- Force workflows — both systems remain independently functional

package/plugins/ima-claude/skills/discourse/SKILL.md

@@ -0,0 +1,440 @@
+---
+name: "discourse"
+description: "Discourse plugin development - plugin.rb, after_initialize, admin routes, Guardian auth, security patterns"
+---
+
+# Discourse Plugin Development
+
+Discourse plugins are Rails engines with conventions. Work with the framework — its plugin API, Guardian authorization system, and event hooks exist for good reason.
+
+## When to Use This Skill
+
+- Building or modifying Discourse plugins
+- Adding admin UI to a Discourse plugin
+- Implementing authentication hooks or user lifecycle extensions
+- Migrating data into Discourse (import scripts)
+- Reviewing Discourse plugin security
+
+## Core Philosophy
+
+> Discourse plugins are Rails. Discourse adds its own authorization layer (Guardian). Respect both.
+
+- **`after_initialize`** is where plugin logic wires into Discourse
+- **Guardian** is the authorization layer — every action checks it
+- **Plugin API** hooks (`register_*`, `add_*`) are the extension points — don't monkey-patch core
+- **StaffConstraint** protects admin routes — use it, never roll your own
+- **RuboCop** is enforced — Discourse ships lint rules
+
+**Foundation**: Reference `../rails/SKILL.md` for Rails security practices and `../ruby-fp/SKILL.md` for Ruby patterns.
+
+## Plugin Structure
+
+```
+my-plugin/
+├── plugin.rb               # Manifest + bootstrap (required)
+├── about.json              # Metadata for admin panel
+├── app/
+│   ├── controllers/
+│   │   └── admin/
+│   │       └── my_plugin_controller.rb
+│   ├── models/
+│   │   └── my_plugin_record.rb
+│   └── serializers/
+│       └── my_plugin_serializer.rb
+├── config/
+│   ├── locales/
+│   │   └── server.en.yml
+│   └── settings.yml        # Site settings
+├── db/
+│   └── migrate/
+│       └── 20250101000000_create_my_plugin.rb
+├── assets/
+│   └── javascripts/
+│       └── admin/          # Ember components for admin UI
+├── lib/
+│   └── my_plugin/          # Pure logic (no Discourse deps)
+└── spec/
+    └── plugin_helper.rb
+```
+
+## plugin.rb: Manifest + Bootstrap
+
+```ruby
+# frozen_string_literal: true
+
+# name: my-plugin
+# about: Brief plugin description
+# version: 1.0.0
+# authors: Your Name
+# url: https://github.com/yourorg/my-plugin
+
+# Autoloading — define module first, then require engine
+module ::MyPlugin
+  PLUGIN_NAME = "my-plugin"
+end
+
+require_relative "lib/my_plugin/engine"
+
+# All wiring happens inside after_initialize
+after_initialize do
+  # Register settings, hooks, extensions here
+  # This runs after Discourse core is fully loaded
+end
+```
+
+## after_initialize: The Plugin Entry Point
+
+```ruby
+after_initialize do
+  # Extend models — use class_eval in after_initialize, not top-level monkey-patches
+  User.class_eval do
+    has_one :my_plugin_profile, dependent: :destroy
+  end
+
+  # Register custom fields
+  register_post_custom_field_type('wp_original_id', :integer)
+  register_topic_custom_field_type('imported_from', :string)
+
+  # Wire into Discourse events (preferred over overriding methods)
+  on(:user_created) do |user|
+    MyPlugin::UserSetup.call(user)
+  end
+
+  on(:post_created) do |post, opts, user|
+    MyPlugin::PostSync.call(post, user)
+  end
+
+  # Add serializer extensions
+  add_to_serializer(:user, :wp_user_id) do
+    object.custom_fields['wp_user_id']
+  end
+end
+```
+
+## Admin Routes + Controller
+
+Every admin route needs `StaffConstraint` — never expose admin actions without it.
+
+```ruby
+# In plugin.rb — register the admin nav link
+add_admin_route 'my_plugin.title', 'my-plugin'
+
+# Wire the route
+Discourse::Application.routes.append do
+  get '/admin/plugins/my-plugin' => 'admin/my_plugin#index',
+      constraints: StaffConstraint.new
+  post '/admin/plugins/my-plugin/action' => 'admin/my_plugin#action',
+      constraints: StaffConstraint.new
+end
+```
+
+```ruby
+# app/controllers/admin/my_plugin_controller.rb
+# frozen_string_literal: true
+
+class ::Admin::MyPluginController < ::Admin::AdminController
+  # Admin::AdminController already requires:
+  # - User is logged in
+  # - User is staff (moderator or admin)
+  # For admin-only actions, add:
+  before_action :ensure_admin, only: [:dangerous_action]
+
+  def index
+    render json: {
+      stats: MyPlugin::Stats.summary,
+      settings: SiteSetting.my_plugin_enabled
+    }
+  end
+
+  def action
+    # Strong parameters for any mutating action
+    attrs = params.require(:my_plugin).permit(:field_one, :field_two)
+    result = MyPlugin::SomeService.call(attrs.to_h.symbolize_keys)
+
+    if result.success?
+      render json: { success: true, data: result.data }
+    else
+      render json: { success: false, errors: result.errors }, status: :unprocessable_entity
+    end
+  end
+end
+```
+
+## Guardian: Authorization Layer
+
+Guardian is Discourse's authorization system. Always check it for user-facing actions.
+
+```ruby
+# Check permissions before acting
+def update_post
+  post = Post.find(params[:id])
+
+  # guardian.can_edit_post? checks ownership, trust level, staff status
+  unless guardian.can_edit_post?(post)
+    return render json: failed_json, status: :forbidden
+  end
+
+  post.update!(body: params[:body])
+  render json: PostSerializer.new(post, scope: guardian).as_json
+end
+
+# Extending Guardian for plugin-specific permissions
+# In after_initialize:
+module ::Guardian::MyPluginExtensions
+  def can_use_my_feature?
+    authenticated? && (is_staff? || user.trust_level >= 2)
+  end
+end
+
+Guardian.prepend(::Guardian::MyPluginExtensions)
+```
+
+## Security Non-Negotiables
+
+### 1. Never Raw SQL with Interpolation — Use ActiveRecord or Named Params
+
+```ruby
+# BAD — SQL injection
+User.where("username = '#{params[:username]}'")
+DB.query("SELECT * FROM users WHERE id = #{user_id}")
+
+# GOOD — ActiveRecord parameterization
+User.where(username: params[:username])
+User.where("created_at > ?", params[:since])
+
+# GOOD — Discourse DB helper with named bind params (always use this for raw SQL)
+DB.query("SELECT * FROM users WHERE id = :id", id: user_id.to_i)
+DB.query("UPDATE users SET flag = TRUE WHERE id = :id", id: user_id.to_i)
+```
+
+### 2. Staff-Only Admin Routes
+
+```ruby
+# ALWAYS use StaffConstraint on admin routes
+get '/admin/plugins/my-plugin' => 'admin/my_plugin#index',
+    constraints: StaffConstraint.new
+
+# Admin::AdminController gives you these checks automatically:
+# - ensure_logged_in
+# - ensure_staff
+# For admin-only (not just moderator), add ensure_admin
+```
+
+### 3. No Sensitive Data in Logs
+
+```ruby
+# BAD — logs hash values, tokens, passwords
+Rails.logger.warn("[MyPlugin] Processing hash: #{user_hash}")
+Rails.logger.info("[MyPlugin] Token: #{token}")
+
+# GOOD — log what happened, not the sensitive value
+Rails.logger.info("[MyPlugin] Processing user #{user.id}")
+Rails.logger.warn("[MyPlugin] Auth failed for user #{user.id}")
+```
+
+### 4. Custom Fields — Validate Types
+
+```ruby
+# Register field types to prevent type confusion
+register_user_custom_field_type('my_plugin_id', :integer)
+register_post_custom_field_type('source_url', :string)
+
+# Whitelist custom fields for API/serializer exposure
+DiscoursePluginRegistry.serialized_current_user_fields << 'my_plugin_id'
+
+# Access safely — always coerce type
+user_id = (user.custom_fields['my_plugin_id'].to_i rescue nil)
+```
+
+### 5. Rate Limiting on Sensitive Endpoints
+
+```ruby
+# For endpoints that test credentials or perform expensive operations
+RateLimiter.new(current_user, "my_plugin_sensitive_action", 5, 1.minute).performed!
+# Raises RateLimiter::LimitExceeded if over limit
+```
+
+## Site Settings
+
+```yaml
+# config/settings.yml
+plugins:
+  my_plugin_enabled:
+    default: false
+    client: false  # server-side only unless UI needs it
+  my_plugin_max_items:
+    default: 100
+    min: 1
+    max: 1000
+    type: integer
+```
+
+```ruby
+# Access in code
+SiteSetting.my_plugin_enabled
+SiteSetting.my_plugin_max_items
+
+# Guard features
+return unless SiteSetting.my_plugin_enabled
+```
+
+## Migrations
+
+```ruby
+# db/migrate/20250101000000_create_my_plugin_records.rb
+# frozen_string_literal: true
+
+class CreateMyPluginRecords < ActiveRecord::Migration[7.0]
+  def change
+    create_table :my_plugin_records do |t|
+      t.integer :user_id, null: false
+      t.string :source_id, null: false
+      t.text :data
+      t.timestamps
+    end
+
+    add_index :my_plugin_records, :user_id
+    add_index :my_plugin_records, :source_id, unique: true
+    add_foreign_key :my_plugin_records, :users
+  end
+end
+```
+
+## Import Script Pattern (Standalone Ruby)
+
+Import scripts inherit from `ImportScripts::Base` and run outside the Rails request cycle.
+
+```ruby
+# frozen_string_literal: true
+
+require_relative "base"
+
+class ImportScripts::MyImport < ImportScripts::Base
+  def initialize
+    super
+    @client = Mysql2::Client.new(
+      host: ENV.fetch('SOURCE_DB_HOST'),
+      username: ENV.fetch('SOURCE_DB_USER'),
+      password: ENV.fetch('SOURCE_DB_PASSWORD'),
+      database: ENV.fetch('SOURCE_DB_NAME')
+    )
+  end
+
+  def perform
+    import_users
+    import_categories
+    import_posts
+  end
+
+  private
+
+  def import_users
+    puts "Importing users..."
+
+    # Parameterized query — never interpolate
+    users = @client.query(
+      "SELECT id, email, username, display_name FROM wp_users WHERE user_status = 0",
+      as: :hash
+    )
+
+    create_users(users) do |user|
+      {
+        id: user['id'],
+        email: user['email'],
+        username: normalize_username(user['username']),
+        name: user['display_name']
+      }
+    end
+  end
+
+  def normalize_username(raw)
+    # Pure function — transform only, no side effects
+    raw.to_s.strip.downcase.gsub(/[^a-z0-9_]/, '_').truncate(20)
+  end
+end
+
+ImportScripts::MyImport.new.perform
+```
+
+## Testing
+
+```ruby
+# spec/plugin_helper.rb — loads Discourse test env
+require 'rails_helper'
+
+# spec/requests/admin/my_plugin_spec.rb
+RSpec.describe Admin::MyPluginController do
+  fab!(:admin) { Fabricate(:admin) }
+  fab!(:user)  { Fabricate(:user) }
+
+  before { sign_in(admin) }
+
+  describe "GET #index" do
+    it "returns success for admin" do
+      get "/admin/plugins/my-plugin.json"
+      expect(response.status).to eq(200)
+    end
+  end
+
+  describe "authorization" do
+    it "rejects non-staff" do
+      sign_in(user)
+      get "/admin/plugins/my-plugin.json"
+      expect(response.status).to eq(404)  # Discourse returns 404 for staff routes
+    end
+  end
+end
+
+# Pure logic specs — no Discourse dependencies
+RSpec.describe MyPlugin::UserSetup do
+  describe ".call" do
+    it "normalizes username" do
+      expect(described_class.normalize("John Doe!")).to eq("john_doe_")
+    end
+  end
+end
+```
+
+## Security Checklist
+
+- [ ] `StaffConstraint.new` on all admin routes
+- [ ] Inherited from `Admin::AdminController` for admin endpoints
+- [ ] Strong parameters on all mutating endpoints
+- [ ] No string interpolation in SQL — use ActiveRecord or `DB.query` with `:named` params
+- [ ] `guardian.can_*?` checked before user-facing mutations
+- [ ] No sensitive values (tokens, hashes, passwords) in log output
+- [ ] Rate limiting on credential-testing or expensive endpoints
+- [ ] Custom field types registered (`register_*_custom_field_type`)
+- [ ] Site settings used for feature flags, not hardcoded booleans
+
+## Common Pitfalls
+
+| Pitfall | Correct Approach |
+|---------|-----------------|
+| Monkey-patching Discourse classes | Use `class_eval` / `prepend` in `after_initialize` |
+| Direct DB string interpolation | `DB.query("... WHERE id = :id", id: val)` |
+| Checking `current_user.staff?` in controller | Inherit `Admin::AdminController` instead |
+| Logging `user.password_hash` for debugging | Log `user.id` only |
+| `params[:field]` without strong params | Always `params.require().permit()` |
+| Hardcoded credentials in plugin.rb | `ENV.fetch('KEY')` or Rails credentials |
+
+## When to Load Reference Files
+
+### Security Examples
+**File**: [`references/security.md`](references/security.md)
+**Load when**: Implementing auth hooks, custom Guardian checks, SQL safety in import scripts
+**Contains**: Guardian extension patterns, DB.query vs ActiveRecord, rate limiting, log hygiene
+
+### Admin UI (Ember)
+**File**: [`references/admin-ui.md`](references/admin-ui.md)
+**Load when**: Building admin panel Ember components
+**Contains**: Route setup, Ember component patterns, REST adapter, admin nav
+
+### Import Scripts
+**File**: [`references/import-scripts.md`](references/import-scripts.md)
+**Load when**: Writing data migration scripts
+**Contains**: ImportScripts::Base lifecycle, batching, lookup maps, resume/idempotency
+
+---
+
+**Evidence Base**: Discourse Developer Docs, Discourse GitHub (discourse-solved, discourse-data-explorer), Discourse CVE history (2024–2026), Rails Security Guide.