memory-journal-mcp 7.2.0 → 7.4.0

package/skills/github-actions/SKILL.md

@@ -0,0 +1,315 @@
+---
+name: github-actions
+description: |
+  Master GitHub Actions CI/CD workflows with production-grade security and
+  performance patterns. Use when writing workflow YAML, configuring CI/CD
+  pipelines, setting up matrix strategies, caching dependencies, managing
+  artifacts, or implementing reusable workflows. Triggers on "GitHub Actions",
+  "CI/CD", "workflow", "actions/checkout", "matrix strategy", "reusable
+  workflow", "SHA pinning", ".github/workflows".
+---
+
+# GitHub Actions CI/CD Engineering Standards
+
+This skill codifies 2026 GitHub Actions best practices — secure supply chains, efficient caching, reusable workflows, and hardened permission models.
+
+## 1. Security: SHA Pinning (Mandatory)
+
+### Pin Every Third-Party Action to a Commit SHA
+
+```yaml
+# ✅ Good: SHA-pinned (immutable, auditable)
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.2.2
+- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde8c81c89c3166c0 # v4.2.0
+
+# ❌ Bad: Tag-pinned (mutable, vulnerable to supply chain attacks)
+- uses: actions/checkout@v4
+- uses: actions/setup-node@v4
+```
+
+- **ALWAYS** pin to full-length commit SHAs — tags are mutable and can be hijacked
+- **ALWAYS** add a trailing comment with the version for human readability
+- **Use tools** like `step-security/harden-runner` or `pin-github-action` CLI to automate SHA resolution
+- **Audit quarterly** — review all pinned SHAs when updating workflow dependencies
+
+### Permission Hardening
+
+```yaml
+# Set restrictive defaults at the workflow level
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    # Grant specific permissions per-job
+    permissions:
+      contents: read
+      packages: write
+```
+
+- **ALWAYS** set `permissions:` at the workflow level — use `read-all` or specify individually
+- **NEVER** use `permissions: write-all` — it grants maximum privileges
+- **Grant write only where needed** — per-job, not per-workflow
+
+## 2. Workflow Structure
+
+### Standard CI Template
+
+```yaml
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@<sha> # v4
+      - uses: actions/setup-node@<sha> # v4
+        with:
+          node-version-file: .node-version
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run lint
+      - run: pnpm run typecheck
+
+  test:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@<sha> # v4
+      - uses: actions/setup-node@<sha> # v4
+        with:
+          node-version-file: .node-version
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm test
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@<sha> # v4
+      - uses: actions/setup-node@<sha> # v4
+        with:
+          node-version-file: .node-version
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run build
+```
+
+### Key Structural Rules
+
+- **ALWAYS** set `concurrency` with `cancel-in-progress: true` to prevent stale runs
+- **Use `needs:`** to create a dependency chain: lint → test → build → deploy
+- **Use `.node-version`** or `.python-version` files — never hardcode versions in workflows
+- **Use `--frozen-lockfile`** — never let CI modify the lock file
+
+## 3. Caching
+
+### Package Manager Caching
+
+```yaml
+# Node.js (pnpm)
+- uses: actions/setup-node@<sha>
+  with:
+    node-version-file: .node-version
+    cache: pnpm
+
+# Python (uv)
+- uses: actions/setup-python@<sha>
+  with:
+    python-version-file: .python-version
+- run: pip install uv
+- uses: actions/cache@<sha>
+  with:
+    path: ~/.cache/uv
+    key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
+    restore-keys: uv-${{ runner.os }}-
+
+# Go
+- uses: actions/setup-go@<sha>
+  with:
+    go-version-file: go.mod
+    cache: true
+```
+
+### Custom Caching Rules
+
+- **Key on lock file hash** — `${{ hashFiles('pnpm-lock.yaml') }}`
+- **Use `restore-keys`** for fallback to partial cache hits
+- **Cache the package manager's global cache**, not `node_modules` directly
+- **Don't cache everything** — simplicity trumps marginal speedup
+
+## 4. Matrix Strategy
+
+### Basic Matrix
+
+```yaml
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        node: [20, 22]
+        exclude:
+          - os: windows-latest
+            node: 20
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/setup-node@<sha>
+        with:
+          node-version: ${{ matrix.node }}
+```
+
+### Dynamic Matrix
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set.outputs.matrix }}
+    steps:
+      - id: set
+        run: |
+          echo 'matrix={"include":[{"project":"api"},{"project":"web"}]}' >> "$GITHUB_OUTPUT"
+
+  build:
+    needs: prepare
+    strategy:
+      matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Building ${{ matrix.project }}"
+```
+
+### Rules
+
+- **Use `fail-fast: false`** for test matrices — you want to see all failures, not just the first
+- **Use `include`/`exclude`** to fine-tune — don't generate invalid combinations
+- **Use `max-parallel`** if jobs contend for shared resources (APIs, databases)
+
+## 5. Reusable Workflows
+
+### Defining a Reusable Workflow
+
+```yaml
+# .github/workflows/reusable-build.yml
+name: Reusable Build
+
+on:
+  workflow_call:
+    inputs:
+      node-version:
+        type: string
+        default: '22'
+    secrets:
+      NPM_TOKEN:
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@<sha>
+      - uses: actions/setup-node@<sha>
+        with:
+          node-version: ${{ inputs.node-version }}
+          registry-url: https://registry.npmjs.org
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm build
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+```
+
+### Calling a Reusable Workflow
+
+```yaml
+jobs:
+  build:
+    uses: ./.github/workflows/reusable-build.yml
+    with:
+      node-version: '22'
+    secrets:
+      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+```
+
+### Rules
+
+- **Pass secrets explicitly** — avoid `secrets: inherit` (grants broader access than needed)
+- **Pin reusable workflows** to SHA or tag in production
+- **Use `workflow_call` inputs** for all configuration — don't rely on `env` or file conventions
+- **Separate concerns**: reusable workflows = entire jobs; composite actions = reusable steps
+
+## 6. Artifacts (v4)
+
+```yaml
+# Upload
+- uses: actions/upload-artifact@<sha> # v4
+  with:
+    name: build-output
+    path: dist/
+    retention-days: 7
+    compression-level: 6
+
+# Download (in a different job)
+- uses: actions/download-artifact@<sha> # v4
+  with:
+    name: build-output
+    path: dist/
+```
+
+### Rules
+
+- **v4 artifacts are immutable** — you cannot overwrite the same artifact name
+- **Use unique names per job** — don't upload from parallel matrix jobs to the same name
+- **Set `retention-days`** — don't rely on org defaults (storage costs add up)
+- **Use `compression-level: 0`** for already-compressed files (`.zip`, `.tar.gz`)
+- **v3 and v4 are incompatible** — do not mix upload-artifact@v3 with download-artifact@v4
+
+## 7. Environment Protection
+
+```yaml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment:
+      name: production
+      url: https://myapp.example.com
+    steps:
+      - run: echo "Deploying to production"
+```
+
+- **Use `environment:`** for production deployments — enables approval gates
+- **Configure required reviewers** in repo Settings → Environments
+- **Use environment-scoped secrets** — production secrets should not be accessible in CI
+
+## 8. Anti-Patterns (Never Do These)
+
+| Anti-Pattern                                | Why It's Wrong                    | Do This Instead                      |
+| ------------------------------------------- | --------------------------------- | ------------------------------------ |
+| `uses: action@v4`                           | Mutable tag, supply chain risk    | Pin to full commit SHA               |
+| `permissions: write-all`                    | Maximum privilege, dangerous      | Explicit per-job permissions         |
+| `continue-on-error: true` on security steps | Suppresses critical failures      | Hard-fail on security gates          |
+| `secrets: inherit`                          | Over-broad secret access          | Pass secrets explicitly              |
+| Hardcoded `node-version: 22`                | Version drift across workflows    | Use `.node-version` file             |
+| No `concurrency:`                           | Stale runs waste minutes          | Always set with `cancel-in-progress` |
+| `if: always()` on non-cleanup steps         | Runs even after critical failures | Use `if: success()` (default)        |
+| Caching `node_modules` directly             | Fragile, platform-specific        | Cache package manager global cache   |

package/skills/package.json

@@ -1,6 +1,6 @@
 {
     "name": "neverinfamous-agent-skills",
-    "version": "1.0.6",
+    "version": "1.1.1",
     "description": "Foundational AI agent metacognitive skills and workflows for the Adamic ecosystem.",
     "type": "module",
     "main": "README.md",
@@ -12,17 +12,21 @@
         "README.md",
         "autonomous-dev/",
         "bun/",
+        "docker/",
+        "github-actions/",
         "github-commander/",
         "gitlab/",
         "golang/",
         "mysql/",
         "playwright-standard/",
         "postgres/",
+        "python/",
         "react-best-practices/",
         "rust/",
         "shadcn-ui/",
         "skill-builder/",
         "sqlite/",
+        "tailwind-css/",
         "typescript/",
         "vitest-standard/"
     ],

package/skills/python/SKILL.md

@@ -0,0 +1,257 @@
+---
+name: python
+description: |
+  Master modern Python development with production-grade tooling and idioms.
+  Use when writing Python code, configuring project structure, managing
+  dependencies with uv, linting with ruff, adding type hints, writing pytest
+  tests, or building FastAPI/Django/Flask applications. Triggers on "Python",
+  "FastAPI", "Django", "Flask", "pytest", "uv", "ruff", "pyproject.toml".
+---
+
+# Python Engineering Standards
+
+This skill codifies 2026 Python best practices — modern tooling (`uv`, `ruff`), strict typing, and idiomatic patterns that produce maintainable, performant code.
+
+## 1. Project Setup & Structure
+
+### Tooling: `uv` (Not pip/pipenv/poetry)
+
+`uv` is the standard package manager for Python in 2026. It replaces pip, pipenv, and poetry with a single, fast Rust binary.
+
+```bash
+uv init <project-name>       # Initialize a new project
+uv add <package>              # Add a dependency
+uv add --dev <package>        # Add a dev dependency
+uv run <command>              # Run a command in the project's venv
+uv sync                      # Install all deps from uv.lock
+uv python install 3.13        # Install a specific Python version
+```
+
+- **ALWAYS** commit both `pyproject.toml` AND `uv.lock` to version control.
+- **NEVER** use `requirements.txt` for new projects — it is a legacy pattern.
+- **NEVER** use `pip install` directly — use `uv add` to keep the lock file in sync.
+
+### Directory Layout: `src/` Layout
+
+```
+my-project/
+├── .python-version          # Pin Python version (e.g., 3.13)
+├── pyproject.toml           # Single source of truth for config
+├── uv.lock                  # Deterministic lock file
+├── src/
+│   └── my_package/
+│       ├── __init__.py
+│       ├── main.py
+│       └── models.py
+└── tests/
+    ├── __init__.py
+    ├── conftest.py          # Shared fixtures
+    └── test_main.py
+```
+
+- **Use `src/` layout** for packages and production apps — it prevents tests from accidentally importing the local source instead of the installed package.
+- **Group by domain**, not file type — prefer `users/`, `billing/`, `auth/` over `models/`, `utils/`, `services/`.
+- **Use `kebab-case`** for directory names, `snake_case` for Python modules.
+
+### `pyproject.toml` Configuration (PEP 621)
+
+```toml
+[project]
+name = "my-package"
+version = "0.1.0"
+requires-python = ">=3.12"
+dependencies = [
+    "httpx>=0.27",
+    "pydantic>=2.0",
+]
+
+[project.optional-dependencies]
+dev = ["pytest>=8.0", "ruff>=0.8", "mypy>=1.13"]
+
+[tool.ruff]
+target-version = "py312"
+line-length = 88
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP", "B", "SIM", "RUF"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+pythonpath = ["src"]
+```
+
+## 2. Type Hints (Mandatory)
+
+Type hints are **not optional** — they are foundational design tools.
+
+### Rules
+
+- **Use built-in generics** (Python 3.9+): `list[str]`, `dict[str, int]`, `tuple[int, ...]`
+- **Use union syntax** (Python 3.10+): `str | None` instead of `Optional[str]`
+- **Avoid `Any`** — use `object`, `Unknown`, or narrow with type guards
+- **Use `TypedDict`** for dict-shaped data with known keys
+- **Use `Protocol`** for structural subtyping instead of ABCs
+- **Run static analysis**: `mypy --strict` or `pyright`
+
+### Examples
+
+```python
+# ✅ Good
+def get_user(user_id: int) -> User | None:
+    ...
+
+class Config(TypedDict):
+    host: str
+    port: int
+    debug: bool
+
+# ❌ Bad
+def get_user(user_id):  # Missing type hints
+    ...
+
+def process(data: Any):  # Untyped escape hatch
+    ...
+```
+
+## 3. Code Quality: `ruff`
+
+Ruff is the **all-in-one** linter and formatter for Python. It replaces Flake8, Black, isort, pyupgrade, and more.
+
+```bash
+ruff check --fix .    # Lint with auto-fix
+ruff format .         # Format (replaces Black)
+```
+
+### Configuration in `pyproject.toml`
+
+```toml
+[tool.ruff]
+target-version = "py312"
+line-length = 88
+src = ["src", "tests"]
+
+[tool.ruff.lint]
+select = [
+    "E",    # pycodestyle errors
+    "F",    # pyflakes
+    "I",    # isort
+    "UP",   # pyupgrade
+    "B",    # bugbear
+    "SIM",  # simplify
+    "RUF",  # ruff-specific
+]
+```
+
+- **NEVER** use `# noqa` to suppress linter errors unless the suppression is explicitly justified by a comment explaining _why_.
+- **NEVER** use `# type: ignore` — fix the type error or use a proper type guard.
+
+## 4. Error Handling
+
+### Patterns
+
+- **Use specific exception types** — never catch bare `except:` or `except Exception:`
+- **Create custom exceptions** inheriting from a base project exception
+- **Use `from` for exception chaining**: `raise ValueError("msg") from original_error`
+- **Never swallow exceptions silently** — at minimum, log them
+
+```python
+# ✅ Good
+class AppError(Exception):
+    """Base exception for the application."""
+
+class NotFoundError(AppError):
+    """Raised when a resource is not found."""
+
+try:
+    user = get_user(user_id)
+except DatabaseError as e:
+    raise NotFoundError(f"User {user_id} not found") from e
+
+# ❌ Bad
+try:
+    user = get_user(user_id)
+except:           # Bare except — catches SystemExit, KeyboardInterrupt
+    pass          # Silently swallowed
+```
+
+## 5. Testing with `pytest`
+
+### Structure
+
+- **AAA pattern**: Arrange, Act, Assert — one concern per test
+- **Use fixtures** for setup/teardown, not classes with `setUp()`/`tearDown()`
+- **Use `conftest.py`** for shared fixtures across test modules
+- **Use `@pytest.mark.parametrize`** for data-driven tests
+
+```python
+@pytest.fixture
+def client(tmp_path: Path) -> TestClient:
+    """Create a test client with a temporary database."""
+    app = create_app(db_path=tmp_path / "test.db")
+    return TestClient(app)
+
+@pytest.mark.parametrize("status_code,expected", [
+    (200, True),
+    (404, False),
+    (500, False),
+])
+def test_is_success(status_code: int, expected: bool) -> None:
+    assert is_success(status_code) == expected
+```
+
+### Running Tests
+
+```bash
+uv run pytest                           # Run all tests
+uv run pytest tests/test_main.py        # Run specific file
+uv run pytest -k "test_user"            # Run by pattern
+uv run pytest --cov=src --cov-report=term-missing  # Coverage
+```
+
+## 6. Async & Concurrency
+
+- **Use `asyncio`** for I/O-bound concurrency (HTTP calls, DB queries)
+- **Use `async def` / `await`** — never mix sync and async code paths
+- **Use `asyncio.TaskGroup`** (Python 3.11+) for structured concurrency
+- **Use `httpx`** (async-native) instead of `requests` for HTTP clients
+
+```python
+async with asyncio.TaskGroup() as tg:
+    task1 = tg.create_task(fetch_user(user_id))
+    task2 = tg.create_task(fetch_orders(user_id))
+# Both tasks complete here — exceptions propagate cleanly
+```
+
+## 7. Data Validation: Pydantic v2
+
+- **Use Pydantic models** at system boundaries (API requests, config files, DB results)
+- **Never trust external input** — validate with `model_validate()`, not dict access
+- **Use `Field()` validators** for constraints, not manual `if` checks
+
+```python
+from pydantic import BaseModel, Field
+
+class CreateUserRequest(BaseModel):
+    name: str = Field(min_length=1, max_length=100)
+    email: str = Field(pattern=r"^[\w.-]+@[\w.-]+\.\w+$")
+    age: int = Field(ge=0, le=150)
+```
+
+## 8. Anti-Patterns (Never Do These)
+
+| Anti-Pattern                         | Why It's Wrong                     | Do This Instead              |
+| ------------------------------------ | ---------------------------------- | ---------------------------- |
+| `import *`                           | Pollutes namespace, breaks tooling | Explicit imports             |
+| Mutable default args (`def f(x=[])`) | Shared across calls                | Use `None` + assign          |
+| Global mutable state                 | Thread-unsafe, untestable          | Dependency injection         |
+| `os.path` for path manipulation      | Platform-inconsistent              | Use `pathlib.Path`           |
+| `print()` for logging                | No levels, no rotation             | Use `logging` or `structlog` |
+| `== None` / `== True`                | Wrong semantics                    | `is None` / `is True`        |
+
+## 9. Web Frameworks Quick Reference
+
+| Framework   | Best For                     | Key Pattern                                               |
+| ----------- | ---------------------------- | --------------------------------------------------------- |
+| **FastAPI** | REST APIs, async, auto-docs  | Pydantic models, dependency injection, `async def` routes |
+| **Django**  | Full-stack, admin, ORM       | Models → Views → Templates, `manage.py`, migrations       |
+| **Flask**   | Lightweight APIs, prototypes | Blueprints, application factory pattern                   |