luna-agents 2.0.1

package/commands/git-insights.md

@@ -0,0 +1,12 @@
+---
+name: git-insights
+displayName: Git Insights (shortcut)
+description: "Shortcut: Repository analytics and visualization → /ll-git-insights"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-git-insights
+---
+
+# /git-insights — Shortcut for /ll-git-insights
+
+See /ll-git-insights for full documentation.

package/commands/go-viral.md

@@ -0,0 +1,16 @@
+---
+name: go-viral
+displayName: Go Viral (shortcut)
+description: "Shortcut: Complete AI-first product launch — SEO + AI discovery + MCP registry + organic content + awesome lists -> /ll-go-viral"
+version: 1.0.0
+category: deployment
+shortcut_for: ll-go-viral
+---
+
+# /go-viral — Every AI Agent Recommends Your Product
+
+Shortcut for `/ll-go-viral`. One command to generate AI discovery files, publish to MCP registries, write launch content, submit to awesome lists, and ping search engines.
+
+```bash
+/go-viral --product_name "MyApp" --domain myapp.com --repo org/myapp --competitors "Tool A, Tool B" --category monitoring --install_command "npx myapp init"
+```

package/commands/go.md

@@ -0,0 +1,42 @@
+---
+name: go
+displayName: Execute (shortcut)
+description: "Shortcut: Implement next task from the plan → /luna-execute"
+version: 1.0.0
+category: implementation
+agent: luna-task-executor
+parameters:
+  - name: scope
+    type: string
+    description: Project or feature scope
+    required: true
+    prompt: true
+---
+
+# /go — Execute Next Task
+
+Shortcut for `/luna-execute`.
+
+Picks up the next uncompleted task from your implementation plan and builds it.
+
+## What it does
+
+1. Finds next `[ ]` task in implementation plan
+2. Implements code following design specs
+3. Writes tests, marks task `[x]`, commits
+
+## Usage
+
+```
+/go        # implement next task
+/go        # repeat until all done
+/go        # keep going
+```
+
+Run it repeatedly — each call completes one task.
+
+## Next
+
+```
+/rev → /test → /ship
+```

package/commands/graph-rag.md

@@ -0,0 +1,13 @@
+---
+name: graph-rag
+displayName: Graph RAG (shortcut)
+description: "Shortcut: Knowledge graph RAG search -> /ll-graph-rag"
+version: 1.0.0
+category: search
+shortcut_for: ll-graph-rag
+---
+
+# /graph-rag — Graph RAG
+
+Shortcut for `/ll-graph-rag`. Knowledge graph search with community detection — 30-60% better retrieval than flat vector search.
+

package/commands/guard.md

@@ -0,0 +1,12 @@
+---
+name: guard
+displayName: Guard (shortcut)
+description: "Shortcut: → /ll-guard"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-guard
+---
+
+# /guard — Shortcut for /ll-guard
+
+See /ll-guard for full documentation.

package/commands/heal.md

@@ -0,0 +1,17 @@
+---
+name: heal
+displayName: Self-Heal (shortcut)
+description: "Shortcut: Test, screenshot, auto-fix in a loop until healthy -> /ll-heal"
+version: 1.0.0
+category: automation
+shortcut_for: ll-heal
+---
+
+# /heal — Self-Healing App
+
+Shortcut for `/ll-heal`. Continuously test, screenshot, fix, retest until app is healthy.
+
+```
+/heal http://localhost:3000
+/pipe go *5 >> heal http://localhost:3000 ?>> ship
+```

package/commands/heygen.md

@@ -0,0 +1,12 @@
+---
+name: heygen
+displayName: HeyGen (shortcut)
+description: "Shortcut: Generate AI avatar product videos → /ll-heygen"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-heygen
+---
+
+# /heygen — Shortcut for /ll-heygen
+
+See /ll-heygen for full documentation.

package/commands/hig.md

@@ -0,0 +1,33 @@
+---
+name: hig
+displayName: Apple HIG Audit (shortcut)
+description: "Shortcut: Apple Human Interface Guidelines compliance check → /luna-hig"
+version: 1.0.0
+category: design
+agent: luna-hig
+parameters:
+  - name: scope
+    type: string
+    description: Component or page to audit
+    required: true
+    prompt: true
+---
+
+# /hig — Apple HIG Audit
+
+Shortcut for `/luna-hig`.
+
+Check your UI against Apple Human Interface Guidelines.
+
+## What it does
+
+1. Audits spacing, typography, color, layout
+2. Checks accessibility (WCAG 2.1 AA)
+3. Validates dark mode, motion, touch targets
+4. Generates compliance report with fixes
+
+## Usage
+
+```
+/hig
+```

package/commands/idea.md

@@ -0,0 +1,12 @@
+---
+name: idea
+displayName: Idea (shortcut)
+description: "Shortcut: → /ll-idea"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-idea
+---
+
+# /idea — Shortcut for /ll-idea
+
+See /ll-idea for full documentation.

package/commands/imagine.md

@@ -0,0 +1,12 @@
+---
+name: imagine
+displayName: Imagine (shortcut)
+description: "Shortcut: → /ll-imagine"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-imagine
+---
+
+# /imagine — Shortcut for /ll-imagine
+
+See /ll-imagine for full documentation.

package/commands/inbox.md

@@ -0,0 +1,12 @@
+---
+name: inbox
+displayName: Inbox Zero (shortcut)
+description: "Shortcut: AI email management → /ll-inbox"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-inbox
+---
+
+# /inbox — Shortcut for /ll-inbox
+
+See /ll-inbox for full documentation.

package/commands/lam.md

@@ -0,0 +1,12 @@
+---
+name: lam
+displayName: LAM (shortcut)
+description: "Shortcut: Goal-driven autonomous actions -> /ll-lam"
+version: 1.0.0
+category: ai
+shortcut_for: ll-lam
+---
+
+# /lam — Large Action Model
+
+Shortcut for `/ll-lam`. Goal-driven AI that understands your codebase and takes autonomous actions.

package/commands/landing.md

@@ -0,0 +1,12 @@
+---
+name: landing
+displayName: Landing Page (shortcut)
+description: "Shortcut: Generate HeyGen-quality marketing landing page → /ll-landing"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-landing
+---
+
+# /landing — Shortcut for /ll-landing
+
+See /ll-landing for full documentation.

package/commands/launch.md

@@ -0,0 +1,12 @@
+---
+name: launch
+displayName: Launch (shortcut)
+description: "Shortcut: → /ll-launch"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-launch
+---
+
+# /launch — Shortcut for /ll-launch
+
+See /ll-launch for full documentation.

package/commands/learn.md

@@ -0,0 +1,12 @@
+---
+name: learn
+displayName: Learn (shortcut)
+description: "Shortcut: → /ll-learn"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-learn
+---
+
+# /learn — Shortcut for /ll-learn
+
+See /ll-learn for full documentation.

package/commands/leverage.md

@@ -0,0 +1,12 @@
+---
+name: leverage
+displayName: Leverage Open Source (shortcut)
+description: "Shortcut: Scan repos, extract patterns, generate integration plans → /ll-leverage"
+version: 1.0.0
+category: shortcut
+shortcut_for: ll-leverage
+---
+
+# /leverage — Shortcut for /ll-leverage
+
+See /ll-leverage for full documentation.

package/commands/ll-365-secure.md

@@ -0,0 +1,179 @@
+---
+name: ll-365-secure
+displayName: Luna Microsoft 365 Security
+description: Apply Microsoft 365 / Azure AD security hardening and BFF session authentication
+version: 1.0.0
+category: security
+agent: luna-365-security
+parameters:
+  - name: scope
+    type: string
+    description: Project or feature scope for security hardening
+    required: true
+    prompt: true
+workflow:
+  - audit_current_auth_flow
+  - implement_bff_session_exchange
+  - apply_security_headers
+  - configure_rate_limiting
+  - validate_jwt_verification
+  - generate_security_report
+output:
+  - .luna/{current-project}/security-report.md
+  - src/lib/server/session-store.server.ts
+  - src/routes/auth/session/+server.ts
+  - src/hooks.server.ts (updated)
+prerequisites:
+  - existing_authentication_flow (MSAL.js / Azure AD)
+  - .luna/{current-project}/requirements.md
+---
+
+# Luna Microsoft 365 Security
+
+Applies enterprise-grade Microsoft 365 / Azure AD security hardening and BFF session authentication to your application. Based on the `365-security` and `bff-session-auth` skill protocols.
+
+**Zero Azure Entra changes required.**
+
+## What This Command Does
+
+This command audits your current authentication flow, implements the BFF (Backend-for-Frontend) session exchange pattern, applies strict security headers, configures rate limiting, and validates JWT verification — all following Microsoft 365 best practices.
+
+## Prerequisites
+
+Requires:
+- An existing authentication flow using MSAL.js v2+ (Auth Code + PKCE)
+- Node.js `crypto` module available
+- `.luna/{current-project}/requirements.md`
+
+If you don't have authentication set up yet, first run:
+```
+/luna-execute  # With auth setup task in your plan
+```
+
+## Execution Steps
+
+### 1. Audit Current Auth Flow
+- Verify Auth Code + PKCE is in use (not Implicit Flow)
+- Check `cacheLocation` is `sessionStorage` (not `localStorage`)
+- Ensure tokens never appear in URL fragments
+- Flag any use of `localStorage` for token storage
+
+### 2. Implement BFF Session Exchange
+Creates server-side session management:
+
+```
+Login Flow:
+  MSAL.js → acquireTokenSilent → token (in JS for ~2 seconds)
+  Browser → POST /auth/session { token }
+  BFF → validates JWT → generates 256-bit session ID
+  BFF → stores { sessionId → accessToken, user, fingerprint }
+  BFF → Set-Cookie: __session=<id>; HttpOnly; Secure; SameSite=Strict
+  Browser → clears MSAL sessionStorage
+```
+
+**Files Created:**
+- `src/lib/server/session-store.server.ts` — Server-side session store
+- `src/routes/auth/session/+server.ts` — Session API endpoint (POST/GET/DELETE)
+
+**Session Security Properties:**
+| Property | Implementation |
+|----------|---------------|
+| Session ID entropy | 256 bits (`crypto.randomBytes(32)`) |
+| Session fixation | ID created only after JWT validation |
+| Cookie flags | `HttpOnly; Secure; SameSite=Strict; Path=/` |
+| Fingerprint binding | `SHA-256(User-Agent + IP)` validated every request |
+| Sliding TTL | 75 min, refreshed on each request |
+| Absolute expiry | 8 hours hard cap |
+
+### 3. Apply Security Headers
+Updates `hooks.server.ts` with:
+
+| Header | Value |
+|--------|-------|
+| `X-Content-Type-Options` | `nosniff` |
+| `X-Frame-Options` | `DENY` |
+| `Referrer-Policy` | `strict-origin-when-cross-origin` |
+| `Permissions-Policy` | `camera=(), microphone=(), geolocation=()` |
+| `X-XSS-Protection` | `0` (disabled in favor of CSP) |
+| `Content-Security-Policy` | strict `script-src` |
+
+### 4. Configure Rate Limiting
+- General API: 100 req/min per IP
+- Auth endpoints: 10 req/min per IP (OTP, login, session exchange)
+- Sliding window with periodic cleanup of stale buckets
+
+### 5. Validate JWT Verification
+Ensures server-side JWT validation covers:
+- **Signature** via JWKS endpoint
+- **Audience** (`aud` claim)
+- **Issuer** (`iss` — both v1 and v2 formats)
+- **Expiration** (`exp` with 30s clock skew tolerance)
+
+Issuer formats accepted:
+- v2: `https://login.microsoftonline.com/{tenant}/v2.0`
+- v1: `https://sts.windows.net/{tenant}/`
+
+### 6. Generate Security Report
+Creates `.luna/{current-project}/security-report.md` with:
+- Checklist of all security measures applied
+- Attack vectors covered (XSS, CSRF, AiTM, token replay)
+- Remaining Azure Portal tasks (Conditional Access, FIDO2, etc.)
+- Testing checklist for verification
+
+## Attack Vectors Covered
+
+| Attack | Defense |
+|--------|---------|
+| XSS → token theft | BFF session exchange (HTTP-only cookies) |
+| AiTM phishing | FIDO2 keys (Azure Portal) |
+| Device code abuse | Restrict device code flow (Azure Portal) |
+| Token in logs | Never log tokens or HMAC payloads |
+| Open proxy | Path allowlisting on all proxy routes |
+| CSRF | `SameSite=Strict` + Origin validation |
+| Brute force | Rate limiting on auth endpoints |
+| Token replay | Client fingerprint binding, short TTL |
+
+## Output Files
+
+Creates in your current project:
+```
+.luna/{current-project}/security/
+├── security-report.md           # Comprehensive audit report
+src/lib/server/
+├── session-store.server.ts      # BFF session store
+src/routes/auth/session/
+├── +server.ts                   # Session API endpoint
+src/
+├── hooks.server.ts              # Updated with security middleware
+```
+
+## Testing Checklist
+
+After running this command, verify:
+- [ ] Login → `__session` cookie set, `sessionStorage` empty
+- [ ] API calls work with cookie auth (no Bearer header)
+- [ ] `GET /auth/session` returns valid + TTL
+- [ ] Logout → cookie cleared, server session destroyed
+- [ ] Idle timeout → re-auth works
+- [ ] Fingerprint mismatch (different User-Agent) → session rejected
+- [ ] Session expiry → 401 → silent re-auth
+- [ ] Multiple tabs → session shared via cookie
+
+## Next Steps in Workflow
+
+After security hardening, run tests:
+```
+/luna-test
+```
+
+Then proceed to deployment:
+```
+/luna-deploy
+```
+
+## Tips
+
+- The in-memory session store is sufficient for internal dashboards. For user-facing apps, swap to Redis.
+- The 2-second token window during initial auth is negligible risk vs. 8-hour `sessionStorage` exposure.
+- Azure Portal tasks (Conditional Access, FIDO2) require admin access and are out-of-scope for this command.
+- Run this command again after major auth changes to re-audit.

package/commands/ll-3d-mesh.md

@@ -0,0 +1,94 @@
+---
+name: ll-3d-mesh
+displayName: Luna 3D Mesh
+description: Generate 3D meshes from text descriptions using LLaMA-Mesh — text-to-3D for marketing heroes, product visuals, and icons
+version: 1.0.0
+category: creative
+agent: luna-task-executor
+parameters:
+  - name: prompt
+    type: string
+    description: "What to generate (e.g., 'a diamond-shaped rotating cube', 'a stylized rocket', 'a 3D logo')"
+    required: true
+    prompt: true
+  - name: format
+    type: string
+    description: "Output: obj, html-preview, css-cube, video-loop"
+    required: false
+    default: html-preview
+prerequisites: []
+---
+
+# Luna 3D Mesh — Text-to-3D Generation
+
+Generate 3D meshes from text descriptions using NVIDIA's LLaMA-Mesh model, then export as OBJ files, embeddable HTML previews, CSS-only cubes, or looping video for marketing heroes.
+
+## How It Works
+
+LLaMA-Mesh is a fine-tuned LLaMA model that generates 3D mesh vertex coordinates and face definitions as plain text. No special vocabulary — it outputs OBJ-format mesh data directly.
+
+### Step 1: Generate Mesh
+Sends your prompt to LLaMA-Mesh (via HuggingFace Inference API or local model) to generate the 3D mesh as text.
+
+### Step 2: Convert to Format
+- **obj** — Raw OBJ file for Blender/Three.js
+- **html-preview** — Embeddable Three.js viewer with auto-rotation
+- **css-cube** — CSS-only rotating cube with mesh faces as textures
+- **video-loop** — Renders a rotating loop as MP4 (for marketing heroes)
+
+## Usage
+
+```bash
+# Generate a 3D diamond for marketing hero
+/3d-mesh "a faceted diamond shape with sharp edges" html-preview
+
+# Generate an icon mesh
+/3d-mesh "a stylized rocket ship" obj
+
+# Generate a rotating cube hero (like HeyGen)
+/3d-mesh "a cube with rounded edges" css-cube
+
+# Generate a video loop for landing page
+/3d-mesh "an abstract geometric orb" video-loop
+```
+
+## Marketing Hero Pattern (HeyGen-style)
+
+The rotating cube/diamond hero on HeyGen's landing page is a pre-rendered video loop. To replicate:
+
+```bash
+# Option 1: CSS-only rotating diamond (zero runtime cost)
+/3d-mesh "diamond" css-cube
+
+# Option 2: Generate mesh, render as video loop
+/3d-mesh "faceted orb with holographic edges" video-loop
+```
+
+The CSS cube approach produces this pattern:
+- `rotateZ(45deg)` + `rotateX(-20deg)` = diamond orientation
+- 6 faces, each holding a product screenshot or avatar
+- Iridescent edge glow via `box-shadow`
+- 8-second rotation loop
+
+## Output
+
+```
+.luna/{project}/3d-mesh/
+  mesh.obj                # Raw 3D mesh
+  preview.html            # Embeddable Three.js viewer
+  cube.html               # CSS rotating cube
+  loop.mp4                # Video loop for hero sections
+  textures/               # Generated face textures
+```
+
+## In Pipes
+
+```bash
+# Generate 3D hero, then build landing page
+/pipe 3d-mesh "diamond orb" css-cube >> heygen https://myapp.com
+
+# Generate mesh for product visualization
+/pipe 3d-mesh "my product shape" html-preview >> docs
+```
+
+Sources: [LLaMA-Mesh (NVIDIA)](https://github.com/nv-tlabs/LLaMA-Mesh), [HuggingFace Space](https://huggingface.co/spaces/Zhengyi/LLaMA-Mesh), [Paper](https://huggingface.co/papers/2411.09595)

package/commands/ll-3d.md

@@ -0,0 +1,123 @@
+---
+name: ll-3d
+displayName: Luna 3D
+description: Generate 3D models and visualizations — app architecture in 3D, component flowcharts, data flow animations, product mockups
+version: 1.0.0
+category: creative
+agent: luna-task-executor
+parameters:
+  - name: what
+    type: string
+    description: "What to generate: architecture (3D system map), flow (component flowchart), mockup (device mockup), model (3D asset), dashboard (3D data viz)"
+    required: true
+    prompt: true
+  - name: source
+    type: string
+    description: Source — path to code, component name, or description
+    required: false
+mcp_servers:
+  - tripo-3d
+  - stability-ai
+  - piapi
+  - fal-ai
+  - zai-mcp-server
+  - playwright
+  - git
+  - sequential-thinking
+---
+
+# /3d — Your Code in Three Dimensions
+
+Visualize your architecture, components, and data flows as interactive 3D models. Generate product mockups, 3D assets, and spatial visualizations.
+
+## Modes
+
+### /3d architecture
+```
+3D System Architecture:
+├── Each service as a 3D node (cube/sphere)
+├── API connections as glowing lines
+├── Data flow animated along connections
+├── Color-coded by service type
+│   ├── 🔵 Frontend (Next.js, React)
+│   ├── 🟢 API (Hono, Workers)
+│   ├── 🟡 Database (D1, KV)
+│   ├── 🔴 External (Stripe, Auth)
+│   └── 🟣 AI/ML (Agents, RAG)
+├── Interactive: rotate, zoom, click nodes
+├── Export: .glb, .obj, .html (Three.js)
+└── Generated from your actual codebase
+```
+
+### /3d flow
+```
+Component Flowchart (3D):
+├── React component tree as 3D graph
+├── Props flowing down as animated particles
+├── State changes as color pulses
+├── Event handlers as connection sparks
+├── Zoom into any component for details
+├── Export: interactive HTML, PNG, SVG
+└── Reads your actual component files
+```
+
+### /3d mockup
+```
+Device Mockups:
+├── Your app rendered in 3D devices
+│   ├── iPhone 15 Pro
+│   ├── MacBook Pro
+│   ├── iPad
+│   ├── Apple Watch
+│   └── Custom device
+├── Real screenshots from your running app
+├── Multiple angles and perspectives
+├── Hero image quality (marketing-ready)
+└── Export: PNG (transparent), .glb
+```
+
+### /3d mock-api
+```
+API Visualization:
+├── Each endpoint as a 3D node
+├── Request/response flow animated
+├── Auth middleware as gateway
+├── Rate limits as traffic lights
+├── Error paths in red
+├── Success paths in green
+├── Response time as node size
+├── Live data from your actual API
+└── Export: interactive HTML, PNG
+```
+
+### /3d dashboard
+```
+3D Data Visualization:
+├── Metrics as 3D bar/line/scatter charts
+├── Real-time data if connected to API
+├── Fly-through animation
+├── VR-ready export (.glb)
+└── Embedded in presentations
+```
+
+## Usage
+
+```bash
+/3d architecture                                          # Full system in 3D
+/3d architecture ./src                                    # Specific directory
+/3d flow ./src/components/Dashboard.tsx                   # Component tree
+/3d mockup                                                # Device mockups of your app
+/3d mock-api                                              # API endpoint visualization
+/3d model "futuristic AI agent robot"                     # Custom 3D asset
+/3d dashboard                                             # 3D metrics visualization
+```
+
+## In Pipes
+
+```bash
+/pipe 3d architecture >> present architecture >> share team
+/pipe 3d mockup >> imagine hero >> publish producthunt
+/pipe 3d flow >> record "component walkthrough" >> publish
+/pipe 3d mock-api >> docs >> publish notion
+/pipe 3d model "product mascot" >> brand >> video trailer >> publish
+```