ima-claude 2.9.0

package/plugins/ima-claude/skills/rails/SKILL.md

@@ -0,0 +1,359 @@
+---
+name: "rails"
+description: "Ruby on Rails conventions + security - strong parameters, ActiveRecord safety, CSRF, auth, secrets management"
+---
+
+# Rails
+
+Convention-over-configuration development on the happy path, with security non-negotiables that prevent the most common Rails vulnerabilities.
+
+## When to Use This Skill
+
+- Building Rails controllers, models, services
+- Reviewing Rails code for security or structure
+- Adding features to an existing Rails application
+- Discourse plugin development (see also `discourse` skill)
+
+## Core Philosophy
+
+Rails has opinions. Work with them, not against them. The framework gives you:
+- SQL injection protection via ActiveRecord (use it)
+- CSRF protection by default (don't disable it)
+- XSS protection via ERB auto-escaping (use `<%= %>`)
+- Mass assignment protection via Strong Parameters (permit explicitly)
+
+**Functional core still applies in Rails.** Business logic in service modules/plain Ruby objects. Keep models and controllers thin.
+
+**Foundation**: Reference `../ruby-fp/SKILL.md` for Ruby FP core principles.
+
+## The 5 Non-Negotiable Security Practices
+
+| Practice | Prevents | Rule |
+|----------|----------|------|
+| **Strong Parameters** | Mass assignment | `params.require(:model).permit(:field, ...)` on ALL controller actions |
+| **Parameterized Queries** | SQL injection | ActiveRecord methods or `?`/named placeholders — NEVER string interpolation |
+| **CSRF Protection** | CSRF | Never disable `protect_from_forgery`; use `form_with` helpers |
+| **Before Actions (Auth)** | Unauthorized access | `before_action :authenticate_user!` or equivalent on ALL sensitive actions |
+| **Secrets via Credentials** | Credential exposure | Rails credentials or ENV — never hardcode secrets in source |
+
+### Quick Reference: The Five in Code
+
+```ruby
+# 1. Strong Parameters
+def user_params
+  params.require(:user).permit(:name, :email, :bio)
+  # Never: params[:user]  or  params.permit!
+end
+
+# 2. Parameterized Queries — ActiveRecord keeps you safe
+User.where(email: params[:email])                          # safe
+User.where("email = ?", params[:email])                    # safe
+User.where("email = :email", email: params[:email])        # safe
+User.where("email = '#{params[:email]}'")                  # NEVER — SQL injection
+
+# 3. CSRF — keep default, use form helpers
+class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception  # default — keep it
+end
+# form_with and form_for automatically include the token
+
+# 4. Before action auth
+class PostsController < ApplicationController
+  before_action :authenticate_user!          # Devise
+  before_action :require_admin, only: [:destroy]
+
+  private
+  def require_admin
+    redirect_to root_path unless current_user&.admin?
+  end
+end
+
+# 5. Credentials — never hardcode
+# config/credentials.yml.enc (encrypted)
+# Access: Rails.application.credentials.stripe[:secret_key]
+# ENV fallback: ENV.fetch('STRIPE_SECRET_KEY')
+```
+
+## ActiveRecord Safety
+
+```ruby
+# SAFE — all these use parameterization internally
+User.find(params[:id])                     # auto-cast to integer
+User.find_by(email: params[:email])
+User.where(status: params[:status])
+User.where("created_at > ?", 1.week.ago)
+
+# SAFE — sanitize_sql_like for LIKE patterns
+query = ActiveRecord::Base.sanitize_sql_like(params[:search])
+User.where("name LIKE ?", "%#{query}%")
+
+# UNSAFE — never do these
+User.where("id = #{params[:id]}")          # SQL injection
+User.where("name LIKE '%#{params[:q]}%'")  # SQL injection
+User.find_by("email = '#{email}'")         # SQL injection
+
+# Raw SQL when needed — use sanitize or bind params
+User.find_by_sql(["SELECT * FROM users WHERE token = ?", token])
+ActiveRecord::Base.connection.execute(
+  ActiveRecord::Base.sanitize_sql(["UPDATE users SET x = ? WHERE id = ?", val, id])
+)
+```
+
+## Mass Assignment
+
+```ruby
+# BAD — never permit all, never skip permit
+User.new(params[:user])           # bypasses strong params
+User.update(params.permit!)       # permits everything — dangerous
+
+# GOOD — explicit whitelist
+def user_params
+  params.require(:user).permit(:name, :email, :bio)
+end
+
+# Nested params
+def post_params
+  params.require(:post).permit(:title, :body, tags: [], author: [:name, :email])
+end
+
+# Never permit sensitive fields
+# role, admin, password_digest, confirmed_at — set these explicitly in code
+def promote_to_admin
+  @user.update!(role: 'admin')  # explicit, not from params
+end
+```
+
+## XSS in Views
+
+```ruby
+# ERB auto-escaping — always use <%= %> for user content
+<%= user.name %>           # safe — HTML-escaped
+<%== user.name %>          # UNSAFE — raw output, HTML injection risk
+<%= raw user.name %>       # UNSAFE — same as above
+<%= user.name.html_safe %> # UNSAFE — marking untrusted content safe
+
+# When you need to render HTML you control
+<%= sanitize user.bio, tags: %w[b i em strong p] %>
+
+# JavaScript context — never interpolate directly
+<script>var name = "<%= user.name %>"</script>  # UNSAFE — XSS via JS
+# GOOD
+<script>var data = <%= user.to_json.html_safe %></script>  # if you control the data
+# BEST — pass via data attributes
+<div data-user-name="<%= user.name %>"></div>
+```
+
+## Authentication & Authorization Pattern
+
+```ruby
+# Authentication — Devise is the Rails default
+# Before action guards all sensitive routes
+class ApplicationController < ActionController::Base
+  before_action :authenticate_user!
+
+  # Override to allow public actions
+  skip_before_action :authenticate_user!, only: [:index, :show]
+end
+
+# Authorization — policy objects (Pundit pattern or manual)
+class PostPolicy
+  def initialize(user, post)
+    @user = user
+    @post = post
+  end
+
+  def update?
+    @user.admin? || @post.user_id == @user.id
+  end
+end
+
+# In controller
+def update
+  @post = Post.find(params[:id])
+  policy = PostPolicy.new(current_user, @post)
+  return head :forbidden unless policy.update?
+  # ... update logic
+end
+
+# NEVER rely on hidden fields or client-side checks alone
+# Always enforce auth server-side
+```
+
+## Secrets Management
+
+```ruby
+# config/credentials.yml.enc (encrypted, safe to commit)
+# Edit with: rails credentials:edit
+# Access:
+Rails.application.credentials.database[:password]
+Rails.application.credentials.dig(:aws, :access_key_id)
+
+# ENV for 12-factor apps (Heroku, Docker, etc.)
+# Always use fetch to fail loudly if missing
+DB_PASSWORD = ENV.fetch('DB_PASSWORD')  # raises KeyError if missing
+DB_PASSWORD = ENV.fetch('DB_PASSWORD') { raise "DB_PASSWORD not set" }
+
+# Never in source code
+config.secret_key_base = "abc123hardcoded"  # NEVER
+```
+
+## Controller Pattern
+
+```ruby
+class UsersController < ApplicationController
+  before_action :authenticate_user!
+  before_action :set_user, only: [:show, :update, :destroy]
+  before_action :authorize_user!, only: [:update, :destroy]
+
+  def show
+    render json: @user.as_json(only: [:id, :name, :email])
+  end
+
+  def update
+    if @user.update(user_params)
+      render json: @user
+    else
+      render json: { errors: @user.errors.full_messages }, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def set_user
+    @user = User.find(params[:id])
+  end
+
+  def authorize_user!
+    head :forbidden unless current_user.admin? || @user == current_user
+  end
+
+  def user_params
+    params.require(:user).permit(:name, :email, :bio)
+  end
+end
+```
+
+## Model: Thin, Validated, No Business Logic
+
+```ruby
+class User < ApplicationRecord
+  # Validations
+  validates :email, presence: true, uniqueness: { case_sensitive: false },
+                    format: { with: URI::MailTo::EMAIL_REGEXP }
+  validates :name, presence: true, length: { maximum: 100 }
+
+  # Scopes — declarative query building
+  scope :active, -> { where(active: true) }
+  scope :recent, -> { order(created_at: :desc) }
+  scope :admins, -> { where(role: 'admin') }
+
+  # Callbacks — use sparingly, only for model lifecycle concerns
+  before_save :normalize_email
+
+  # Associations
+  has_many :posts, dependent: :destroy
+  belongs_to :organization
+
+  private
+
+  def normalize_email
+    self.email = email.to_s.strip.downcase
+  end
+end
+
+# Business logic lives in service objects, NOT the model
+# UserRegistrationService, UserImportService, etc.
+```
+
+## Service Objects (Functional Core in Rails)
+
+```ruby
+# app/services/user_registration_service.rb
+class UserRegistrationService
+  Result = Data.define(:success, :user, :errors)
+
+  def self.call(attrs)
+    new(attrs).call
+  end
+
+  def initialize(attrs)
+    @attrs = attrs
+  end
+
+  def call
+    user = User.new(normalized_attrs)
+    if user.save
+      send_welcome_email(user)
+      Result.new(success: true, user: user, errors: [])
+    else
+      Result.new(success: false, user: nil, errors: user.errors.full_messages)
+    end
+  end
+
+  private
+
+  def normalized_attrs
+    @attrs.slice(:name, :email, :password).merge(
+      email: @attrs[:email].to_s.strip.downcase,
+      name: @attrs[:name].to_s.strip
+    )
+  end
+
+  def send_welcome_email(user)
+    WelcomeMailer.with(user: user).welcome_email.deliver_later
+  end
+end
+
+# Usage in controller
+result = UserRegistrationService.call(user_params)
+```
+
+## File Organization
+
+```
+app/
+├── controllers/
+│   └── users_controller.rb      # Thin — delegate to services
+├── models/
+│   └── user.rb                  # Validations, scopes, associations only
+├── services/
+│   └── user_registration_service.rb  # Business logic
+├── policies/
+│   └── user_policy.rb           # Authorization rules
+└── views/
+    └── users/                   # Only <%= %> — never <%== %>
+config/
+└── credentials.yml.enc          # Secrets (encrypted)
+```
+
+## Security Checklist
+
+- [ ] Strong Parameters on all mutating actions
+- [ ] No string interpolation in SQL queries
+- [ ] `protect_from_forgery` enabled (default — don't remove)
+- [ ] `before_action` auth guard on all sensitive routes
+- [ ] No secrets in source code — credentials or ENV.fetch
+- [ ] ERB uses `<%= %>` not `<%== %>` for user content
+- [ ] `sanitize` used when rendering user-supplied HTML
+- [ ] Dependency audit: `bundle exec bundler-audit check --update`
+
+## When to Load Reference Files
+
+### Security Deep Dive
+**File**: [`references/security.md`](references/security.md)
+**Load when**: Need vulnerable vs. safe comparisons, injection examples, CSRF details
+**Contains**: Full attack examples, all Rails security helpers, CSP configuration
+
+### ActiveRecord Patterns
+**File**: [`references/activerecord.md`](references/activerecord.md)
+**Load when**: Complex queries, raw SQL needs, migration patterns, performance
+**Contains**: Query interface, raw SQL safety, N+1 prevention, index strategy
+
+### Testing Strategy
+**File**: [`references/testing.md`](references/testing.md)
+**Load when**: Writing request specs, model specs, service object tests
+**Contains**: RSpec patterns, factory patterns, security test examples
+
+---
+
+**Evidence Base**: OWASP Top 10 (2021), Rails Security Guide, RailsFactory/Corgea security research (2024–2025).

package/plugins/ima-claude/skills/resume-session/SKILL.md

@@ -0,0 +1,68 @@
+---
+name: "resume-session"
+description: "Resume previous session from Serena MCP memory. Use when: resume session, restore session, load session, continue session, resume from save."
+---
+
+# resume-session
+
+Resume a previously saved session from Serena MCP memory.
+
+## Trigger Phrases
+
+- "resume session"
+- "restore session"
+- "load session"
+- "continue session"
+- "resume from save"
+
+## Instructions
+
+1. Use `mcp__serena__read_memory` with memory name `session-state`
+2. Search Vestige for project context: `mcp__vestige__search query: "{project-name}" limit: 5`
+3. Check for pending intentions: `mcp__vestige__intention action: "check"`
+4. Parse the content and provide a brief status summary
+5. Wait for user direction before taking action
+
+## Output Format
+
+```
+## Session Resumed
+
+**Task**: {current task from memory}
+**Last saved**: {date from memory}
+
+### Status
+- {bullet 1: what was in progress}
+- {bullet 2: key decision or context}
+- {bullet 3: main outstanding item}
+
+### Suggested Next Step
+{The "Resume Hint" from memory, or first outstanding item}
+
+Ready to continue. What would you like to focus on?
+```
+
+## Rules
+
+- **Do not** take any actions beyond reading and summarizing
+- **Do not** start working on outstanding items automatically
+- **Do not** re-read files mentioned unless user asks
+- **Do** present the state clearly and wait for direction
+
+## If Memory Not Found
+
+Respond with:
+```
+No session memory found.
+
+To save a session, use: /ima-claude:save-session
+```
+
+You can also check available memories with `mcp__serena__list_memories` if helpful.
+
+## Technical Notes
+
+- Uses Serena MCP `read_memory` tool (no file path confusion)
+- Memory persists across Claude sessions in project context
+- Project-specific storage (sessions are project-bound)
+- Single checkpoint model (latest session-state only)

package/plugins/ima-claude/skills/rg/SKILL.md

@@ -0,0 +1,205 @@
+---
+name: "rg"
+description: "Ripgrep (rg) - fast recursive search tool. Prefer over grep/find for code search. Respects .gitignore, searches recursively, supports regex. Use for file content search, file listing, pattern matching. Triggers on: ripgrep, rg, search files, find in files, grep, search code, find pattern."
+---
+
+# Ripgrep (rg) - Preferred Search Tool
+
+**Always use `rg` instead of `grep` or `find -name`** - it's faster, has better defaults, and respects `.gitignore`.
+
+## Quick Reference
+
+### Basic Search
+```bash
+# Search for pattern in current directory (recursive)
+rg "pattern"
+
+# Search specific file or directory
+rg "pattern" src/
+rg "pattern" file.ts
+
+# Case-insensitive search
+rg -i "pattern"
+
+# Word boundary match (whole words only)
+rg -w "function"
+
+# Fixed string (not regex)
+rg -F "exact.string.match"
+```
+
+### Output Control
+```bash
+# Show N lines of context (before and after)
+rg -C 3 "pattern"
+
+# Lines before (-B) or after (-A) only
+rg -B 2 -A 5 "pattern"
+
+# Count matches per file
+rg -c "pattern"
+
+# List files with matches only (no content)
+rg -l "pattern"
+rg --files-with-matches "pattern"
+
+# List files WITHOUT matches
+rg --files-without-match "pattern"
+
+# Show only the matched text (not full line)
+rg -o "pattern"
+```
+
+### File Filtering
+```bash
+# By file type (built-in types)
+rg -t ts "pattern"       # TypeScript only
+rg -t py "pattern"       # Python only
+rg -t js "pattern"       # JavaScript only
+rg -t rust "pattern"     # Rust only
+
+# Exclude file type
+rg -T js "pattern"       # Exclude JavaScript
+
+# By glob pattern
+rg -g "*.vue" "pattern"           # Only .vue files
+rg -g "!*.test.ts" "pattern"      # Exclude test files
+rg -g "src/**/*.ts" "pattern"     # TypeScript in src/
+
+# Multiple globs
+rg -g "*.ts" -g "*.vue" "pattern"
+```
+
+### List Files (No Search)
+```bash
+# List all files that would be searched
+rg --files
+
+# List files matching glob
+rg --files -g "*.ts"
+
+# List files in specific directory
+rg --files src/components/
+```
+
+### Bypass Filters
+```bash
+# -u levels (unrestricted):
+rg -u "pattern"      # Ignore .gitignore
+rg -uu "pattern"     # + search hidden files
+rg -uuu "pattern"    # + search binary files
+
+# Specific overrides
+rg --hidden "pattern"      # Include hidden files
+rg --no-ignore "pattern"   # Ignore all ignore files
+```
+
+### Advanced Patterns
+```bash
+# Multiline search
+rg -U "start.*\n.*end"
+
+# PCRE2 regex (lookahead/lookbehind)
+rg -P "(?<=prefix)pattern(?=suffix)"
+
+# Replace in output (preview, doesn't modify files)
+rg "old" -r "new"
+
+# With capture groups
+rg "fn (\w+)" -r "function $1"
+
+# JSON output (for scripting)
+rg --json "pattern"
+```
+
+## Common Recipes
+
+### Find Function/Class Definitions
+```bash
+# JavaScript/TypeScript
+rg "^(export )?(async )?(function|const|class) \w+"
+rg "^export (default )?(function|class)"
+
+# Python
+rg "^(async )?def \w+|^class \w+"
+
+# PHP
+rg "^(public |private |protected )?(static )?(function) \w+"
+```
+
+### Find Imports/Requires
+```bash
+rg "^import .+ from"
+rg "require\(['\"]"
+```
+
+### Find TODOs/FIXMEs
+```bash
+rg "TODO|FIXME|HACK|XXX" -g "!node_modules"
+```
+
+### Find Files by Extension
+```bash
+rg --files -g "*.tsx"              # All TSX files
+rg --files -g "*.{ts,tsx}"         # TS and TSX
+rg --files -g "!*.test.*"          # Exclude test files
+```
+
+### Search and Replace Preview
+```bash
+# See what would change (doesn't modify files)
+rg "oldFunction" -r "newFunction" --passthru
+```
+
+## vs grep/find
+
+| Task | grep/find (avoid) | rg (prefer) |
+|------|-------------------|-------------|
+| Search text | `grep -r "pattern" .` | `rg "pattern"` |
+| Find files | `find . -name "*.ts"` | `rg --files -g "*.ts"` |
+| Case insensitive | `grep -ri "pattern" .` | `rg -i "pattern"` |
+| Whole word | `grep -rw "word" .` | `rg -w "word"` |
+| Show context | `grep -r -C 3 "pattern" .` | `rg -C 3 "pattern"` |
+| List files only | `grep -rl "pattern" .` | `rg -l "pattern"` |
+
+## Key Advantages
+
+1. **Speed**: 2-10x faster than grep on large codebases
+2. **Smart defaults**: Respects `.gitignore`, skips binary/hidden files
+3. **Recursive by default**: No `-r` flag needed
+4. **Better regex**: Rust regex engine, optional PCRE2
+5. **Built-in file types**: `-t ts`, `-t py`, etc.
+6. **Colored output**: Easy to read in terminal
+
+## Configuration
+
+Create `~/.ripgreprc` for persistent settings:
+```shell
+# Smart case (case-insensitive unless uppercase used)
+--smart-case
+
+# Max line length for display
+--max-columns=150
+--max-columns-preview
+
+# Include hidden files by default
+# --hidden
+
+# Custom file type
+--type-add
+web:*.{html,css,js,ts,vue}
+```
+
+Set the config file path:
+```bash
+export RIPGREP_CONFIG_PATH="$HOME/.ripgreprc"
+```
+
+## Type List
+
+View all built-in types:
+```bash
+rg --type-list
+```
+
+Common types: `ts`, `js`, `py`, `rust`, `go`, `java`, `php`, `ruby`, `css`, `html`, `json`, `yaml`, `md`, `sh`