memory-journal-mcp 7.3.0 → 7.4.0

package/skills/docker/SKILL.md

@@ -0,0 +1,262 @@
+---
+name: docker
+description: |
+  Production-grade Docker and container best practices. Use when writing
+  Dockerfiles, configuring Docker Compose, optimizing image size and build
+  speed, implementing security hardening, or debugging container issues.
+  Triggers on "Docker", "Dockerfile", "container", "Compose", "BuildKit",
+  "multi-stage build", "image size", "docker-compose".
+---
+
+# Docker & Container Engineering Standards
+
+This skill codifies 2026 Docker best practices — secure, minimal, reproducible container images using BuildKit, multi-stage builds, and Compose v2.
+
+## 1. Dockerfile Fundamentals
+
+### Always Start With BuildKit Syntax
+
+```dockerfile
+# syntax=docker/dockerfile:1
+```
+
+Place this as the **first line** of every Dockerfile. It enables:
+
+- Parallel stage execution
+- Cache mounts (`--mount=type=cache`)
+- Secret mounts (`--mount=type=secret`)
+- Reproducible builds across Docker versions
+
+### Base Image Selection
+
+| Use Case    | Recommended Base          | Why                                     |
+| ----------- | ------------------------- | --------------------------------------- |
+| **Node.js** | `node:22-slim`            | Debian Slim — small, has essential libs |
+| **Python**  | `python:3.13-slim`        | Minimal Debian, no build tools          |
+| **Go**      | `scratch` or `distroless` | Static binary needs nothing             |
+| **General** | `debian:bookworm-slim`    | Stable, well-patched, small             |
+
+- **NEVER** use `:latest` — always pin to a specific version tag
+- **Prefer `-slim` variants** over full images to reduce attack surface
+- **Consider `distroless`** for production — no shell, no package manager = minimal attack surface
+
+## 2. Multi-Stage Builds (Required for Production)
+
+Multi-stage builds are **mandatory** for any production image. They separate build-time dependencies from runtime.
+
+```dockerfile
+# syntax=docker/dockerfile:1
+
+# ── Stage 1: Build ─────────────────────────────
+FROM node:22-slim AS builder
+WORKDIR /app
+COPY package.json pnpm-lock.yaml ./
+RUN corepack enable && pnpm install --frozen-lockfile
+COPY . .
+RUN pnpm run build
+
+# ── Stage 2: Runtime ───────────────────────────
+FROM node:22-slim AS runtime
+WORKDIR /app
+ENV NODE_ENV=production
+
+# Create non-root user
+RUN groupadd -r appgroup && useradd -r -g appgroup appuser
+
+# Copy ONLY production artifacts
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./
+
+USER appuser
+EXPOSE 3000
+CMD ["node", "dist/index.js"]
+```
+
+### Key Rules
+
+- **Name every stage**: `FROM ... AS builder` — makes builds readable and targetable
+- **Copy only artifacts**: Use `COPY --from=builder` to cherry-pick built files
+- **Never install dev dependencies in the runtime stage**
+- **The runtime stage should have ZERO build tools** (no compilers, no git, no curl)
+
+## 3. Security Hardening
+
+### Non-Root Execution (Mandatory)
+
+```dockerfile
+# Create a system user with no home directory, no login shell
+RUN groupadd -r appgroup && useradd -r -g appgroup -s /usr/sbin/nologin appuser
+
+# Switch to the non-root user BEFORE CMD
+USER appuser
+```
+
+- **NEVER** run containers as root in production
+- **NEVER** use `--privileged` flag unless absolutely required
+- **Set `USER` as late as possible** — after all `RUN` commands that need root
+
+### Secret Handling
+
+```dockerfile
+# ✅ Good: BuildKit secret mount (never stored in layers)
+RUN --mount=type=secret,id=npm_token \
+    NPM_TOKEN=$(cat /run/secrets/npm_token) \
+    npm config set //registry.npmjs.org/:_authToken=$NPM_TOKEN
+
+# ❌ Bad: ARG/ENV secrets (visible in image history)
+ARG NPM_TOKEN
+ENV NPM_TOKEN=$NPM_TOKEN
+```
+
+- **NEVER** use `ARG` or `ENV` for secrets — they are baked into image layers
+- **NEVER** `COPY` `.env` files into the image
+- Use `--mount=type=secret` (BuildKit) for build-time secrets
+- Use Docker Compose `secrets:` or orchestrator secrets for runtime
+
+### Vulnerability Scanning
+
+```bash
+docker scout cves <image>          # Docker Scout
+trivy image <image>                # Trivy (open source)
+grype <image>                      # Grype (Anchore)
+```
+
+- Run scanning in CI — **hard-fail** on HIGH/CRITICAL vulnerabilities
+- Never use `continue-on-error: true` for security gates
+
+## 4. Layer Optimization
+
+### Instruction Ordering
+
+Docker caches each layer. Order instructions from **least-changing to most-changing**:
+
+```dockerfile
+# 1. Base image (rarely changes)
+FROM node:22-slim
+
+# 2. System deps (changes infrequently)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    dumb-init \
+    && rm -rf /var/lib/apt/lists/*
+
+# 3. Application deps (changes when lock file changes)
+COPY package.json pnpm-lock.yaml ./
+RUN pnpm install --frozen-lockfile
+
+# 4. Application code (changes most frequently)
+COPY . .
+RUN pnpm build
+```
+
+### Cache Mounts (BuildKit)
+
+```dockerfile
+# Cache package manager downloads between builds
+RUN --mount=type=cache,target=/root/.cache/pip \
+    pip install -r requirements.txt
+```
+
+### `.dockerignore` (Required)
+
+Create a `.dockerignore` in every project with a Dockerfile:
+
+```
+.git
+.github
+node_modules
+dist
+*.md
+.env*
+.vscode
+.idea
+tmp/
+coverage/
+```
+
+- **ALWAYS** exclude `.git` — it can be hundreds of MB
+- **ALWAYS** exclude `node_modules` — reinstall inside the container
+- **ALWAYS** exclude `.env*` — prevents secret leaks
+
+## 5. Docker Compose v2
+
+### Structure
+
+```yaml
+# docker-compose.yml
+services:
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      target: runtime # Target a specific stage
+    ports:
+      - '3000:3000'
+    environment:
+      NODE_ENV: production
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: unless-stopped
+
+  db:
+    image: postgres:17-alpine
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
+    secrets:
+      - db_password
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U postgres']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  pgdata:
+
+secrets:
+  db_password:
+    file: ./secrets/db_password.txt
+```
+
+### Best Practices
+
+- **Use `depends_on` with health checks** — not just service start order
+- **Use named volumes** for persistent data — never bind-mount the entire project in production
+- **Use environment files** (`env_file:`) for non-secret config
+- **Use `secrets:`** for credentials — they are mounted as files, not env vars
+- **Pin image versions** — `postgres:17-alpine`, not `postgres:latest`
+
+## 6. CI/CD Integration
+
+### GitHub Actions Pattern
+
+```yaml
+- name: Build and push
+  uses: docker/build-push-action@<sha>
+  with:
+    context: .
+    push: true
+    tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
+    cache-from: type=gha
+    cache-to: type=gha,mode=max
+```
+
+- **Use GitHub Actions cache** (`type=gha`) for CI builds
+- **Tag with commit SHA** — never `:latest` for production
+- **Scan before push** — run vulnerability scanning as a build step
+
+## 7. Anti-Patterns (Never Do These)
+
+| Anti-Pattern               | Why It's Wrong                          | Do This Instead                                 |
+| -------------------------- | --------------------------------------- | ----------------------------------------------- |
+| `FROM ubuntu:latest`       | Unpinned, large, unpredictable          | Pin version, use `-slim`                        |
+| `RUN apt-get update` alone | Cache goes stale across builds          | Combine with `install` in one `RUN`             |
+| `ADD` for local files      | Unpredictable (auto-extracts)           | Use `COPY` explicitly                           |
+| Multiple `RUN apt-get`     | Creates unnecessary layers              | Chain with `&&` in one `RUN`                    |
+| `COPY . .` before deps     | Breaks layer cache on every code change | Copy lock file first, install, then copy source |
+| Running as root            | Security vulnerability                  | Create and switch to `appuser`                  |
+| Secrets in `ENV`/`ARG`     | Visible in image history                | Use `--mount=type=secret`                       |
+| No `.dockerignore`         | Bloated context, potential secret leaks | Always create one                               |

package/skills/github-actions/SKILL.md

@@ -0,0 +1,315 @@
+---
+name: github-actions
+description: |
+  Master GitHub Actions CI/CD workflows with production-grade security and
+  performance patterns. Use when writing workflow YAML, configuring CI/CD
+  pipelines, setting up matrix strategies, caching dependencies, managing
+  artifacts, or implementing reusable workflows. Triggers on "GitHub Actions",
+  "CI/CD", "workflow", "actions/checkout", "matrix strategy", "reusable
+  workflow", "SHA pinning", ".github/workflows".
+---
+
+# GitHub Actions CI/CD Engineering Standards
+
+This skill codifies 2026 GitHub Actions best practices — secure supply chains, efficient caching, reusable workflows, and hardened permission models.
+
+## 1. Security: SHA Pinning (Mandatory)
+
+### Pin Every Third-Party Action to a Commit SHA
+
+```yaml
+# ✅ Good: SHA-pinned (immutable, auditable)
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.2.2
+- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde8c81c89c3166c0 # v4.2.0
+
+# ❌ Bad: Tag-pinned (mutable, vulnerable to supply chain attacks)
+- uses: actions/checkout@v4
+- uses: actions/setup-node@v4
+```
+
+- **ALWAYS** pin to full-length commit SHAs — tags are mutable and can be hijacked
+- **ALWAYS** add a trailing comment with the version for human readability
+- **Use tools** like `step-security/harden-runner` or `pin-github-action` CLI to automate SHA resolution
+- **Audit quarterly** — review all pinned SHAs when updating workflow dependencies
+
+### Permission Hardening
+
+```yaml
+# Set restrictive defaults at the workflow level
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    # Grant specific permissions per-job
+    permissions:
+      contents: read
+      packages: write
+```
+
+- **ALWAYS** set `permissions:` at the workflow level — use `read-all` or specify individually
+- **NEVER** use `permissions: write-all` — it grants maximum privileges
+- **Grant write only where needed** — per-job, not per-workflow
+
+## 2. Workflow Structure
+
+### Standard CI Template
+
+```yaml
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@<sha> # v4
+      - uses: actions/setup-node@<sha> # v4
+        with:
+          node-version-file: .node-version
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run lint
+      - run: pnpm run typecheck
+
+  test:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@<sha> # v4
+      - uses: actions/setup-node@<sha> # v4
+        with:
+          node-version-file: .node-version
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm test
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@<sha> # v4
+      - uses: actions/setup-node@<sha> # v4
+        with:
+          node-version-file: .node-version
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run build
+```
+
+### Key Structural Rules
+
+- **ALWAYS** set `concurrency` with `cancel-in-progress: true` to prevent stale runs
+- **Use `needs:`** to create a dependency chain: lint → test → build → deploy
+- **Use `.node-version`** or `.python-version` files — never hardcode versions in workflows
+- **Use `--frozen-lockfile`** — never let CI modify the lock file
+
+## 3. Caching
+
+### Package Manager Caching
+
+```yaml
+# Node.js (pnpm)
+- uses: actions/setup-node@<sha>
+  with:
+    node-version-file: .node-version
+    cache: pnpm
+
+# Python (uv)
+- uses: actions/setup-python@<sha>
+  with:
+    python-version-file: .python-version
+- run: pip install uv
+- uses: actions/cache@<sha>
+  with:
+    path: ~/.cache/uv
+    key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
+    restore-keys: uv-${{ runner.os }}-
+
+# Go
+- uses: actions/setup-go@<sha>
+  with:
+    go-version-file: go.mod
+    cache: true
+```
+
+### Custom Caching Rules
+
+- **Key on lock file hash** — `${{ hashFiles('pnpm-lock.yaml') }}`
+- **Use `restore-keys`** for fallback to partial cache hits
+- **Cache the package manager's global cache**, not `node_modules` directly
+- **Don't cache everything** — simplicity trumps marginal speedup
+
+## 4. Matrix Strategy
+
+### Basic Matrix
+
+```yaml
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        node: [20, 22]
+        exclude:
+          - os: windows-latest
+            node: 20
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/setup-node@<sha>
+        with:
+          node-version: ${{ matrix.node }}
+```
+
+### Dynamic Matrix
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set.outputs.matrix }}
+    steps:
+      - id: set
+        run: |
+          echo 'matrix={"include":[{"project":"api"},{"project":"web"}]}' >> "$GITHUB_OUTPUT"
+
+  build:
+    needs: prepare
+    strategy:
+      matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Building ${{ matrix.project }}"
+```
+
+### Rules
+
+- **Use `fail-fast: false`** for test matrices — you want to see all failures, not just the first
+- **Use `include`/`exclude`** to fine-tune — don't generate invalid combinations
+- **Use `max-parallel`** if jobs contend for shared resources (APIs, databases)
+
+## 5. Reusable Workflows
+
+### Defining a Reusable Workflow
+
+```yaml
+# .github/workflows/reusable-build.yml
+name: Reusable Build
+
+on:
+  workflow_call:
+    inputs:
+      node-version:
+        type: string
+        default: '22'
+    secrets:
+      NPM_TOKEN:
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@<sha>
+      - uses: actions/setup-node@<sha>
+        with:
+          node-version: ${{ inputs.node-version }}
+          registry-url: https://registry.npmjs.org
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm build
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+```
+
+### Calling a Reusable Workflow
+
+```yaml
+jobs:
+  build:
+    uses: ./.github/workflows/reusable-build.yml
+    with:
+      node-version: '22'
+    secrets:
+      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+```
+
+### Rules
+
+- **Pass secrets explicitly** — avoid `secrets: inherit` (grants broader access than needed)
+- **Pin reusable workflows** to SHA or tag in production
+- **Use `workflow_call` inputs** for all configuration — don't rely on `env` or file conventions
+- **Separate concerns**: reusable workflows = entire jobs; composite actions = reusable steps
+
+## 6. Artifacts (v4)
+
+```yaml
+# Upload
+- uses: actions/upload-artifact@<sha> # v4
+  with:
+    name: build-output
+    path: dist/
+    retention-days: 7
+    compression-level: 6
+
+# Download (in a different job)
+- uses: actions/download-artifact@<sha> # v4
+  with:
+    name: build-output
+    path: dist/
+```
+
+### Rules
+
+- **v4 artifacts are immutable** — you cannot overwrite the same artifact name
+- **Use unique names per job** — don't upload from parallel matrix jobs to the same name
+- **Set `retention-days`** — don't rely on org defaults (storage costs add up)
+- **Use `compression-level: 0`** for already-compressed files (`.zip`, `.tar.gz`)
+- **v3 and v4 are incompatible** — do not mix upload-artifact@v3 with download-artifact@v4
+
+## 7. Environment Protection
+
+```yaml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment:
+      name: production
+      url: https://myapp.example.com
+    steps:
+      - run: echo "Deploying to production"
+```
+
+- **Use `environment:`** for production deployments — enables approval gates
+- **Configure required reviewers** in repo Settings → Environments
+- **Use environment-scoped secrets** — production secrets should not be accessible in CI
+
+## 8. Anti-Patterns (Never Do These)
+
+| Anti-Pattern                                | Why It's Wrong                    | Do This Instead                      |
+| ------------------------------------------- | --------------------------------- | ------------------------------------ |
+| `uses: action@v4`                           | Mutable tag, supply chain risk    | Pin to full commit SHA               |
+| `permissions: write-all`                    | Maximum privilege, dangerous      | Explicit per-job permissions         |
+| `continue-on-error: true` on security steps | Suppresses critical failures      | Hard-fail on security gates          |
+| `secrets: inherit`                          | Over-broad secret access          | Pass secrets explicitly              |
+| Hardcoded `node-version: 22`                | Version drift across workflows    | Use `.node-version` file             |
+| No `concurrency:`                           | Stale runs waste minutes          | Always set with `cancel-in-progress` |
+| `if: always()` on non-cleanup steps         | Runs even after critical failures | Use `if: success()` (default)        |
+| Caching `node_modules` directly             | Fragile, platform-specific        | Cache package manager global cache   |

package/skills/package.json

@@ -1,6 +1,6 @@
 {
     "name": "neverinfamous-agent-skills",
-    "version": "1.0.8",
+    "version": "1.1.1",
     "description": "Foundational AI agent metacognitive skills and workflows for the Adamic ecosystem.",
     "type": "module",
     "main": "README.md",
@@ -12,17 +12,21 @@
         "README.md",
         "autonomous-dev/",
         "bun/",
+        "docker/",
+        "github-actions/",
         "github-commander/",
         "gitlab/",
         "golang/",
         "mysql/",
         "playwright-standard/",
         "postgres/",
+        "python/",
         "react-best-practices/",
         "rust/",
         "shadcn-ui/",
         "skill-builder/",
         "sqlite/",
+        "tailwind-css/",
         "typescript/",
         "vitest-standard/"
     ],