mindsystem-cc 3.0.0

package/mindsystem/templates/codebase/conventions.md

@@ -0,0 +1,307 @@
+# Coding Conventions Template
+
+Template for `.planning/codebase/CONVENTIONS.md` - captures coding style and patterns.
+
+**Purpose:** Document how code is written in this codebase. Prescriptive guide for Claude to match existing style.
+
+---
+
+## File Template
+
+```markdown
+# Coding Conventions
+
+**Analysis Date:** [YYYY-MM-DD]
+
+## Naming Patterns
+
+**Files:**
+- [Pattern: e.g., "kebab-case for all files"]
+- [Test files: e.g., "*.test.ts alongside source"]
+- [Components: e.g., "PascalCase.tsx for React components"]
+
+**Functions:**
+- [Pattern: e.g., "camelCase for all functions"]
+- [Async: e.g., "no special prefix for async functions"]
+- [Handlers: e.g., "handleEventName for event handlers"]
+
+**Variables:**
+- [Pattern: e.g., "camelCase for variables"]
+- [Constants: e.g., "UPPER_SNAKE_CASE for constants"]
+- [Private: e.g., "_prefix for private members" or "no prefix"]
+
+**Types:**
+- [Interfaces: e.g., "PascalCase, no I prefix"]
+- [Types: e.g., "PascalCase for type aliases"]
+- [Enums: e.g., "PascalCase for enum name, UPPER_CASE for values"]
+
+## Code Style
+
+**Formatting:**
+- [Tool: e.g., "Prettier with config in .prettierrc"]
+- [Line length: e.g., "100 characters max"]
+- [Quotes: e.g., "single quotes for strings"]
+- [Semicolons: e.g., "required" or "omitted"]
+
+**Linting:**
+- [Tool: e.g., "ESLint with eslint.config.js"]
+- [Rules: e.g., "extends airbnb-base, no console in production"]
+- [Run: e.g., "npm run lint"]
+
+## Import Organization
+
+**Order:**
+1. [e.g., "External packages (react, express, etc.)"]
+2. [e.g., "Internal modules (@/lib, @/components)"]
+3. [e.g., "Relative imports (., ..)"]
+4. [e.g., "Type imports (import type {})"]
+
+**Grouping:**
+- [Blank lines: e.g., "blank line between groups"]
+- [Sorting: e.g., "alphabetical within each group"]
+
+**Path Aliases:**
+- [Aliases used: e.g., "@/ for src/, @components/ for src/components/"]
+
+## Error Handling
+
+**Patterns:**
+- [Strategy: e.g., "throw errors, catch at boundaries"]
+- [Custom errors: e.g., "extend Error class, named *Error"]
+- [Async: e.g., "use try/catch, no .catch() chains"]
+
+**Error Types:**
+- [When to throw: e.g., "invalid input, missing dependencies"]
+- [When to return: e.g., "expected failures return Result<T, E>"]
+- [Logging: e.g., "log error with context before throwing"]
+
+## Logging
+
+**Framework:**
+- [Tool: e.g., "console.log, pino, winston"]
+- [Levels: e.g., "debug, info, warn, error"]
+
+**Patterns:**
+- [Format: e.g., "structured logging with context object"]
+- [When: e.g., "log state transitions, external calls"]
+- [Where: e.g., "log at service boundaries, not in utils"]
+
+## Comments
+
+**When to Comment:**
+- [e.g., "explain why, not what"]
+- [e.g., "document business logic, algorithms, edge cases"]
+- [e.g., "avoid obvious comments like // increment counter"]
+
+**JSDoc/TSDoc:**
+- [Usage: e.g., "required for public APIs, optional for internal"]
+- [Format: e.g., "use @param, @returns, @throws tags"]
+
+**TODO Comments:**
+- [Pattern: e.g., "// TODO(username): description"]
+- [Tracking: e.g., "link to issue number if available"]
+
+## Function Design
+
+**Size:**
+- [e.g., "keep under 50 lines, extract helpers"]
+
+**Parameters:**
+- [e.g., "max 3 parameters, use object for more"]
+- [e.g., "destructure objects in parameter list"]
+
+**Return Values:**
+- [e.g., "explicit returns, no implicit undefined"]
+- [e.g., "return early for guard clauses"]
+
+## Module Design
+
+**Exports:**
+- [e.g., "named exports preferred, default exports for React components"]
+- [e.g., "export from index.ts for public API"]
+
+**Barrel Files:**
+- [e.g., "use index.ts to re-export public API"]
+- [e.g., "avoid circular dependencies"]
+
+---
+
+*Convention analysis: [date]*
+*Update when patterns change*
+```
+
+<good_examples>
+```markdown
+# Coding Conventions
+
+**Analysis Date:** 2025-01-20
+
+## Naming Patterns
+
+**Files:**
+- kebab-case for all files (command-handler.ts, user-service.ts)
+- *.test.ts alongside source files
+- index.ts for barrel exports
+
+**Functions:**
+- camelCase for all functions
+- No special prefix for async functions
+- handleEventName for event handlers (handleClick, handleSubmit)
+
+**Variables:**
+- camelCase for variables
+- UPPER_SNAKE_CASE for constants (MAX_RETRIES, API_BASE_URL)
+- No underscore prefix (no private marker in TS)
+
+**Types:**
+- PascalCase for interfaces, no I prefix (User, not IUser)
+- PascalCase for type aliases (UserConfig, ResponseData)
+- PascalCase for enum names, UPPER_CASE for values (Status.PENDING)
+
+## Code Style
+
+**Formatting:**
+- Prettier with .prettierrc
+- 100 character line length
+- Single quotes for strings
+- Semicolons required
+- 2 space indentation
+
+**Linting:**
+- ESLint with eslint.config.js
+- Extends @typescript-eslint/recommended
+- No console.log in production code (use logger)
+- Run: npm run lint
+
+## Import Organization
+
+**Order:**
+1. External packages (react, express, commander)
+2. Internal modules (@/lib, @/services)
+3. Relative imports (./utils, ../types)
+4. Type imports (import type { User })
+
+**Grouping:**
+- Blank line between groups
+- Alphabetical within each group
+- Type imports last within each group
+
+**Path Aliases:**
+- @/ maps to src/
+- No other aliases defined
+
+## Error Handling
+
+**Patterns:**
+- Throw errors, catch at boundaries (route handlers, main functions)
+- Extend Error class for custom errors (ValidationError, NotFoundError)
+- Async functions use try/catch, no .catch() chains
+
+**Error Types:**
+- Throw on invalid input, missing dependencies, invariant violations
+- Log error with context before throwing: logger.error({ err, userId }, 'Failed to process')
+- Include cause in error message: new Error('Failed to X', { cause: originalError })
+
+## Logging
+
+**Framework:**
+- pino logger instance exported from lib/logger.ts
+- Levels: debug, info, warn, error (no trace)
+
+**Patterns:**
+- Structured logging with context: logger.info({ userId, action }, 'User action')
+- Log at service boundaries, not in utility functions
+- Log state transitions, external API calls, errors
+- No console.log in committed code
+
+## Comments
+
+**When to Comment:**
+- Explain why, not what: // Retry 3 times because API has transient failures
+- Document business rules: // Users must verify email within 24 hours
+- Explain non-obvious algorithms or workarounds
+- Avoid obvious comments: // set count to 0
+
+**JSDoc/TSDoc:**
+- Required for public API functions
+- Optional for internal functions if signature is self-explanatory
+- Use @param, @returns, @throws tags
+
+**TODO Comments:**
+- Format: // TODO: description (no username, using git blame)
+- Link to issue if exists: // TODO: Fix race condition (issue #123)
+
+## Function Design
+
+**Size:**
+- Keep under 50 lines
+- Extract helpers for complex logic
+- One level of abstraction per function
+
+**Parameters:**
+- Max 3 parameters
+- Use options object for 4+ parameters: function create(options: CreateOptions)
+- Destructure in parameter list: function process({ id, name }: ProcessParams)
+
+**Return Values:**
+- Explicit return statements
+- Return early for guard clauses
+- Use Result<T, E> type for expected failures
+
+## Module Design
+
+**Exports:**
+- Named exports preferred
+- Default exports only for React components
+- Export public API from index.ts barrel files
+
+**Barrel Files:**
+- index.ts re-exports public API
+- Keep internal helpers private (don't export from index)
+- Avoid circular dependencies (import from specific files if needed)
+
+---
+
+*Convention analysis: 2025-01-20*
+*Update when patterns change*
+```
+</good_examples>
+
+<guidelines>
+**What belongs in CONVENTIONS.md:**
+- Naming patterns observed in the codebase
+- Formatting rules (Prettier config, linting rules)
+- Import organization patterns
+- Error handling strategy
+- Logging approach
+- Comment conventions
+- Function and module design patterns
+
+**What does NOT belong here:**
+- Architecture decisions (that's ARCHITECTURE.md)
+- Technology choices (that's STACK.md)
+- Test patterns (that's TESTING.md)
+- File organization (that's STRUCTURE.md)
+
+**When filling this template:**
+- Check .prettierrc, .eslintrc, or similar config files
+- Examine 5-10 representative source files for patterns
+- Look for consistency: if 80%+ follows a pattern, document it
+- Be prescriptive: "Use X" not "Sometimes Y is used"
+- Note deviations: "Legacy code uses Y, new code should use X"
+- Keep under ~150 lines total
+
+**Useful for phase planning when:**
+- Writing new code (match existing style)
+- Adding features (follow naming patterns)
+- Refactoring (apply consistent conventions)
+- Code review (check against documented patterns)
+- Onboarding (understand style expectations)
+
+**Analysis approach:**
+- Scan src/ directory for file naming patterns
+- Check package.json scripts for lint/format commands
+- Read 5-10 files to identify function naming, error handling
+- Look for config files (.prettierrc, eslint.config.js)
+- Note patterns in imports, comments, function signatures
+</guidelines>

package/mindsystem/templates/codebase/integrations.md

@@ -0,0 +1,280 @@
+# External Integrations Template
+
+Template for `.planning/codebase/INTEGRATIONS.md` - captures external service dependencies.
+
+**Purpose:** Document what external systems this codebase communicates with. Focused on "what lives outside our code that we depend on."
+
+---
+
+## File Template
+
+```markdown
+# External Integrations
+
+**Analysis Date:** [YYYY-MM-DD]
+
+## APIs & External Services
+
+**Payment Processing:**
+- [Service] - [What it's used for: e.g., "subscription billing, one-time payments"]
+  - SDK/Client: [e.g., "stripe npm package v14.x"]
+  - Auth: [e.g., "API key in STRIPE_SECRET_KEY env var"]
+  - Endpoints used: [e.g., "checkout sessions, webhooks"]
+
+**Email/SMS:**
+- [Service] - [What it's used for: e.g., "transactional emails"]
+  - SDK/Client: [e.g., "sendgrid/mail v8.x"]
+  - Auth: [e.g., "API key in SENDGRID_API_KEY env var"]
+  - Templates: [e.g., "managed in SendGrid dashboard"]
+
+**External APIs:**
+- [Service] - [What it's used for]
+  - Integration method: [e.g., "REST API via fetch", "GraphQL client"]
+  - Auth: [e.g., "OAuth2 token in AUTH_TOKEN env var"]
+  - Rate limits: [if applicable]
+
+## Data Storage
+
+**Databases:**
+- [Type/Provider] - [e.g., "PostgreSQL on Supabase"]
+  - Connection: [e.g., "via DATABASE_URL env var"]
+  - Client: [e.g., "Prisma ORM v5.x"]
+  - Migrations: [e.g., "prisma migrate in migrations/"]
+
+**File Storage:**
+- [Service] - [e.g., "AWS S3 for user uploads"]
+  - SDK/Client: [e.g., "@aws-sdk/client-s3"]
+  - Auth: [e.g., "IAM credentials in AWS_* env vars"]
+  - Buckets: [e.g., "prod-uploads, dev-uploads"]
+
+**Caching:**
+- [Service] - [e.g., "Redis for session storage"]
+  - Connection: [e.g., "REDIS_URL env var"]
+  - Client: [e.g., "ioredis v5.x"]
+
+## Authentication & Identity
+
+**Auth Provider:**
+- [Service] - [e.g., "Supabase Auth", "Auth0", "custom JWT"]
+  - Implementation: [e.g., "Supabase client SDK"]
+  - Token storage: [e.g., "httpOnly cookies", "localStorage"]
+  - Session management: [e.g., "JWT refresh tokens"]
+
+**OAuth Integrations:**
+- [Provider] - [e.g., "Google OAuth for sign-in"]
+  - Credentials: [e.g., "GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET"]
+  - Scopes: [e.g., "email, profile"]
+
+## Monitoring & Observability
+
+**Error Tracking:**
+- [Service] - [e.g., "Sentry"]
+  - DSN: [e.g., "SENTRY_DSN env var"]
+  - Release tracking: [e.g., "via SENTRY_RELEASE"]
+
+**Analytics:**
+- [Service] - [e.g., "Mixpanel for product analytics"]
+  - Token: [e.g., "MIXPANEL_TOKEN env var"]
+  - Events tracked: [e.g., "user actions, page views"]
+
+**Logs:**
+- [Service] - [e.g., "CloudWatch", "Datadog", "none (stdout only)"]
+  - Integration: [e.g., "AWS Lambda built-in"]
+
+## CI/CD & Deployment
+
+**Hosting:**
+- [Platform] - [e.g., "Vercel", "AWS Lambda", "Docker on ECS"]
+  - Deployment: [e.g., "automatic on main branch push"]
+  - Environment vars: [e.g., "configured in Vercel dashboard"]
+
+**CI Pipeline:**
+- [Service] - [e.g., "GitHub Actions"]
+  - Workflows: [e.g., "test.yml, deploy.yml"]
+  - Secrets: [e.g., "stored in GitHub repo secrets"]
+
+## Environment Configuration
+
+**Development:**
+- Required env vars: [List critical vars]
+- Secrets location: [e.g., ".env.local (gitignored)", "1Password vault"]
+- Mock/stub services: [e.g., "Stripe test mode", "local PostgreSQL"]
+
+**Staging:**
+- Environment-specific differences: [e.g., "uses staging Stripe account"]
+- Data: [e.g., "separate staging database"]
+
+**Production:**
+- Secrets management: [e.g., "Vercel environment variables"]
+- Failover/redundancy: [e.g., "multi-region DB replication"]
+
+## Webhooks & Callbacks
+
+**Incoming:**
+- [Service] - [Endpoint: e.g., "/api/webhooks/stripe"]
+  - Verification: [e.g., "signature validation via stripe.webhooks.constructEvent"]
+  - Events: [e.g., "payment_intent.succeeded, customer.subscription.updated"]
+
+**Outgoing:**
+- [Service] - [What triggers it]
+  - Endpoint: [e.g., "external CRM webhook on user signup"]
+  - Retry logic: [if applicable]
+
+---
+
+*Integration audit: [date]*
+*Update when adding/removing external services*
+```
+
+<good_examples>
+```markdown
+# External Integrations
+
+**Analysis Date:** 2025-01-20
+
+## APIs & External Services
+
+**Payment Processing:**
+- Stripe - Subscription billing and one-time course payments
+  - SDK/Client: stripe npm package v14.8
+  - Auth: API key in STRIPE_SECRET_KEY env var
+  - Endpoints used: checkout sessions, customer portal, webhooks
+
+**Email/SMS:**
+- SendGrid - Transactional emails (receipts, password resets)
+  - SDK/Client: @sendgrid/mail v8.1
+  - Auth: API key in SENDGRID_API_KEY env var
+  - Templates: Managed in SendGrid dashboard (template IDs in code)
+
+**External APIs:**
+- OpenAI API - Course content generation
+  - Integration method: REST API via openai npm package v4.x
+  - Auth: Bearer token in OPENAI_API_KEY env var
+  - Rate limits: 3500 requests/min (tier 3)
+
+## Data Storage
+
+**Databases:**
+- PostgreSQL on Supabase - Primary data store
+  - Connection: via DATABASE_URL env var
+  - Client: Prisma ORM v5.8
+  - Migrations: prisma migrate in prisma/migrations/
+
+**File Storage:**
+- Supabase Storage - User uploads (profile images, course materials)
+  - SDK/Client: @supabase/supabase-js v2.x
+  - Auth: Service role key in SUPABASE_SERVICE_ROLE_KEY
+  - Buckets: avatars (public), course-materials (private)
+
+**Caching:**
+- None currently (all database queries, no Redis)
+
+## Authentication & Identity
+
+**Auth Provider:**
+- Supabase Auth - Email/password + OAuth
+  - Implementation: Supabase client SDK with server-side session management
+  - Token storage: httpOnly cookies via @supabase/ssr
+  - Session management: JWT refresh tokens handled by Supabase
+
+**OAuth Integrations:**
+- Google OAuth - Social sign-in
+  - Credentials: GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET (Supabase dashboard)
+  - Scopes: email, profile
+
+## Monitoring & Observability
+
+**Error Tracking:**
+- Sentry - Server and client errors
+  - DSN: SENTRY_DSN env var
+  - Release tracking: Git commit SHA via SENTRY_RELEASE
+
+**Analytics:**
+- None (planned: Mixpanel)
+
+**Logs:**
+- Vercel logs - stdout/stderr only
+  - Retention: 7 days on Pro plan
+
+## CI/CD & Deployment
+
+**Hosting:**
+- Vercel - Next.js app hosting
+  - Deployment: Automatic on main branch push
+  - Environment vars: Configured in Vercel dashboard (synced to .env.example)
+
+**CI Pipeline:**
+- GitHub Actions - Tests and type checking
+  - Workflows: .github/workflows/ci.yml
+  - Secrets: None needed (public repo tests only)
+
+## Environment Configuration
+
+**Development:**
+- Required env vars: DATABASE_URL, NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY
+- Secrets location: .env.local (gitignored), team shared via 1Password vault
+- Mock/stub services: Stripe test mode, Supabase local dev project
+
+**Staging:**
+- Uses separate Supabase staging project
+- Stripe test mode
+- Same Vercel account, different environment
+
+**Production:**
+- Secrets management: Vercel environment variables
+- Database: Supabase production project with daily backups
+
+## Webhooks & Callbacks
+
+**Incoming:**
+- Stripe - /api/webhooks/stripe
+  - Verification: Signature validation via stripe.webhooks.constructEvent
+  - Events: payment_intent.succeeded, customer.subscription.updated, customer.subscription.deleted
+
+**Outgoing:**
+- None
+
+---
+
+*Integration audit: 2025-01-20*
+*Update when adding/removing external services*
+```
+</good_examples>
+
+<guidelines>
+**What belongs in INTEGRATIONS.md:**
+- External services the code communicates with
+- Authentication patterns (where secrets live, not the secrets themselves)
+- SDKs and client libraries used
+- Environment variable names (not values)
+- Webhook endpoints and verification methods
+- Database connection patterns
+- File storage locations
+- Monitoring and logging services
+
+**What does NOT belong here:**
+- Actual API keys or secrets (NEVER write these)
+- Internal architecture (that's ARCHITECTURE.md)
+- Code patterns (that's PATTERNS.md)
+- Technology choices (that's STACK.md)
+- Performance issues (that's CONCERNS.md)
+
+**When filling this template:**
+- Check .env.example or .env.template for required env vars
+- Look for SDK imports (stripe, @sendgrid/mail, etc.)
+- Check for webhook handlers in routes/endpoints
+- Note where secrets are managed (not the secrets)
+- Document environment-specific differences (dev/staging/prod)
+- Include auth patterns for each service
+
+**Useful for phase planning when:**
+- Adding new external service integrations
+- Debugging authentication issues
+- Understanding data flow outside the application
+- Setting up new environments
+- Auditing third-party dependencies
+- Planning for service outages or migrations
+
+**Security note:**
+Document WHERE secrets live (env vars, Vercel dashboard, 1Password), never WHAT the secrets are.
+</guidelines>