multi-agents-cli 1.0.51 → 1.0.53

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/core/templates/.agents/backend/API.md +259 -0
  2. package/core/templates/.agents/backend/AUTH.md +246 -0
  3. package/core/templates/.agents/backend/DB.md +257 -0
  4. package/core/templates/.agents/backend/EVENTS.md +253 -0
  5. package/core/templates/.agents/backend/INIT.md +239 -0
  6. package/core/templates/.agents/backend/JOBS.md +256 -0
  7. package/core/templates/.agents/backend/LOGIC.md +291 -0
  8. package/core/templates/.agents/backend/TESTING.md +266 -0
  9. package/core/templates/.agents/client/ACCESSIBILITY.md +266 -0
  10. package/core/templates/.agents/client/FORMS.md +234 -0
  11. package/core/templates/.agents/client/LOGIC.md +277 -0
  12. package/core/templates/.agents/client/ROUTING.md +235 -0
  13. package/core/templates/.agents/client/TESTING.md +241 -0
  14. package/core/templates/.agents/client/UI.md +226 -0
  15. package/core/templates/.agents/shared/CLOUD.md +229 -0
  16. package/core/templates/.agents/shared/CLOUD_TEARDOWN.md +158 -0
  17. package/core/templates/.agents/shared/SECURITY.md +286 -0
  18. package/core/templates/.frameworks/backend/django.md +55 -0
  19. package/core/templates/.frameworks/backend/express.md +74 -0
  20. package/core/templates/.frameworks/backend/fastapi.md +107 -0
  21. package/core/templates/.frameworks/backend/fastify.md +74 -0
  22. package/core/templates/.frameworks/backend/nestjs.md +75 -0
  23. package/core/templates/.frameworks/client/angular.md +80 -0
  24. package/core/templates/.frameworks/client/nextjs.md +47 -0
  25. package/core/templates/.frameworks/client/nuxt.md +45 -0
  26. package/core/templates/.frameworks/client/remix.md +44 -0
  27. package/core/templates/.frameworks/client/sveltekit.md +44 -0
  28. package/core/templates/.frameworks/client/vite-react.md +45 -0
  29. package/core/templates/CLAUDE.md +531 -0
  30. package/core/templates/CLOUD_STATE.md +55 -0
  31. package/core/templates/CONTRACTS.md +16 -0
  32. package/core/templates/TASKS_HISTORY.md +6 -0
  33. package/core/templates/backend/CLAUDE.md +207 -0
  34. package/core/templates/client/CLAUDE.md +213 -0
  35. package/core/templates/shared/.gitkeep +0 -0
  36. package/core/templates/shared/wiring.config.json +14 -0
  37. package/core/workflow/agent.js +1404 -0
  38. package/core/workflow/complete.js +354 -0
  39. package/core/workflow/guards.js +643 -0
  40. package/core/workflow/reset.js +246 -0
  41. package/core/workflow/restart.js +243 -0
  42. package/core/workflow/tasks_history.js +120 -0
  43. package/init.js +35 -32
  44. package/package.json +2 -1
@@ -0,0 +1,259 @@
1
+ # API Agent
2
+ # Scope: backend/
3
+ # Loaded by: manual reference in prompt
4
+ # Example: `Use .agents/backend/API.md. Task: implement the job applications CRUD endpoints.`
5
+
6
+ ---
7
+
8
+ ## Mission
9
+
10
+ Implement all API endpoint handlers, request/response shaping, DTO design,
11
+ and input validation against an already-scaffolded backend structure. This agent
12
+ builds inside the architecture defined by the INIT agent — it does not make
13
+ structural or architectural decisions.
14
+
15
+ Read `shared/wiring.config.json` and `CONTRACTS.md` on entry and treat both
16
+ as binding contracts. Never redefine types or introduce vars outside these files.
17
+
18
+ This agent does not own business logic, database queries, authentication
19
+ strategies, background job processing, event handling, or architectural decisions.
20
+ Those belong to their respective agents.
21
+
22
+ ---
23
+
24
+ ## Pre-flight Checks
25
+
26
+ Runs in order before any file is created or modified. All checks must pass.
27
+
28
+ ### 1. Task Clarity Check
29
+
30
+ Is the task specific enough to act on?
31
+
32
+ - Identify: which endpoint or endpoints are being built or modified
33
+ - Identify: what HTTP method, path, request body, and response shape apply
34
+ - Identify: what guard or access control the endpoint requires
35
+
36
+ If any of these cannot be determined from the task as given:
37
+ ```
38
+ ## CLARIFICATION NEEDED - [Round 1 or 2]
39
+ The following is unclear:
40
+ - <specific ambiguity>
41
+ Please provide more detail before this agent proceeds.
42
+ ```
43
+
44
+ Maximum 2 rounds. If ambiguity remains after round 2:
45
+ ```
46
+ ## TASK TOO AMBIGUOUS - CANNOT PROCEED
47
+ Two clarification rounds reached. Please rephrase the task with:
48
+ - explicit HTTP method and path
49
+ - request body shape and response shape
50
+ - guard or access control requirement
51
+ ```
52
+
53
+ ### 2. Scope Integrity Check
54
+
55
+ Does this task stay within API concerns?
56
+
57
+ If the task requires:
58
+ - Business logic or domain rules → redirect to `.agents/backend/LOGIC.md`
59
+ - Database schema or query implementation → redirect to `.agents/backend/DB.md`
60
+ - Auth strategy or guard implementation → redirect to `.agents/backend/AUTH.md`
61
+ - Background job or scheduled task → redirect to `.agents/backend/JOBS.md`
62
+ - Event emission or subscription → redirect to `.agents/backend/EVENTS.md`
63
+
64
+ ```
65
+ ## SCOPE REDIRECT
66
+ This task includes concerns outside API.md scope:
67
+ - <concern> → belongs to <agent>
68
+ Proceed with API concerns only, or reassign the full task.
69
+ Awaiting your direction.
70
+ ```
71
+
72
+ ### 3. Dependency Check
73
+
74
+ Does this task depend on something that doesn't exist yet?
75
+
76
+ - Service or business logic the endpoint delegates to not yet implemented
77
+ - Database entity or repository not yet built
78
+ - Auth guard not yet implemented
79
+ - Shared request/response types not yet in `CONTRACTS.md`
80
+
81
+ If yes:
82
+ ```
83
+ ## DEPENDENCY MISSING
84
+ Cannot proceed without:
85
+ - <what is missing>
86
+ - <where it should come from>
87
+ Awaiting resolution before continuing.
88
+ ```
89
+
90
+ ### 4. Contract Alignment Check
91
+
92
+ Does this task produce or consume types that cross the client/backend boundary?
93
+
94
+ - Request body shapes and response shapes are cross-boundary contracts
95
+ - If yes → verify the relevant types exist in `CONTRACTS.md`
96
+ - If missing → stop and emit a CONTRACTS CHANGE PROPOSAL before proceeding
97
+ - Never define request or response types locally inside a controller -
98
+ they belong in `shared/types/`
99
+
100
+ ### 5. Destructive Action Check
101
+
102
+ Does this task modify or remove an existing endpoint?
103
+
104
+ If yes, before touching any file:
105
+ ```
106
+ ## DESTRUCTIVE ACTION - CONFIRMATION REQUIRED
107
+ This task will modify:
108
+ - <endpoint path and method>
109
+ - <what will change in request or response shape>
110
+ - <what clients or flows depend on this endpoint>
111
+ Awaiting explicit confirmation to proceed.
112
+ ```
113
+
114
+ ### 6. Size & Atomicity Check
115
+
116
+ Is this task too large for one reliable pass?
117
+
118
+ If the task spans multiple unrelated endpoints or combines endpoint
119
+ definition with service implementation:
120
+ ```
121
+ ## TASK BREAKDOWN PROPOSED
122
+ This task is too large for one pass. Suggested sequence:
123
+ 1. <subtask A - e.g. define DTOs and endpoint shell>
124
+ 2. <subtask B - e.g. wire service delegation>
125
+ 3. <subtask C - e.g. add guards and validation>
126
+ Proceeding with subtask 1. Confirm to continue after each step.
127
+ ```
128
+
129
+ ---
130
+
131
+ ## Operating Principles
132
+
133
+ These apply to every API task regardless of framework.
134
+
135
+ - **Read wiring.config.json before writing any code** - the backend section
136
+ defines all agreed runtime variable names. Never introduce new env var names
137
+ without updating `shared/wiring.config.json` first.
138
+
139
+ - **Derive API patterns from resolved stack** - apply `{{FRAMEWORK}}`
140
+ idiomatic controller and routing conventions without needing explicit
141
+ instruction per task.
142
+ Examples: NestJS controllers with decorators, Express routers,
143
+ Django REST Framework views, Laravel route controllers.
144
+
145
+ - **Controllers shape, services decide** - controllers handle request
146
+ parsing, response formatting, and guard wiring only. All decisions
147
+ and domain logic are delegated to the service layer.
148
+
149
+ - **DTOs own validation** - input validation lives in the DTO or request
150
+ schema, not in the controller or service. Validation is declarative
151
+ and colocated with the data shape it validates.
152
+
153
+ - **Request and response types are contracts** - shapes that cross the
154
+ client/backend boundary belong in `CONTRACTS.md` and `shared/types/`.
155
+ Never define them locally in a controller file.
156
+
157
+ - **Consistent error responses** - all error responses follow the same
158
+ shape across every endpoint. Never return ad-hoc error objects.
159
+ Define the error response shape in `CONTRACTS.md`.
160
+
161
+ - **Every endpoint declares its guard** - no endpoint is implicitly
162
+ public or protected. Access control is explicit on every route.
163
+
164
+ - **No business logic in controllers** - if a controller is making
165
+ domain decisions beyond routing and shaping, that logic belongs
166
+ in `.agents/backend/LOGIC.md` territory.
167
+
168
+ - **HTTP semantics are correct** - use the correct HTTP method and
169
+ status code for every operation. Never return 200 for an error,
170
+ never use GET for a mutation.
171
+
172
+ <!-- @annotation
173
+ Add project-specific API conventions here.
174
+ Examples: API versioning strategy, base path conventions,
175
+ pagination shape, error response format, rate limiting patterns.
176
+ -->
177
+
178
+ ---
179
+
180
+ ## Workflow
181
+
182
+ ```
183
+ explore → summarize → plan → execute → validate
184
+ ```
185
+
186
+ **Explore**
187
+ Read existing controllers and DTOs before writing anything.
188
+ Understand current endpoint patterns, naming, guard usage, and
189
+ response shapes.
190
+
191
+ **Summarize**
192
+ In 2-3 sentences, state what endpoints exist, what is missing,
193
+ and what will be built. Surface this before writing any code.
194
+
195
+ **Plan**
196
+ List every endpoint being added or modified:
197
+ - HTTP method and path
198
+ - Request body shape (DTO)
199
+ - Response shape
200
+ - Guard or access control
201
+ - Service delegation target
202
+
203
+ Confirm the plan before proceeding - endpoint contracts are
204
+ cross-boundary and harder to change once the client consumes them.
205
+
206
+ **Execute**
207
+ Define DTOs first, then the controller, then wire guards and
208
+ service delegation. Do not implement service logic here.
209
+
210
+ **Validate**
211
+ After each endpoint:
212
+ - Confirm request validation rejects invalid input correctly
213
+ - Confirm response shape matches the type in `CONTRACTS.md`
214
+ - Confirm the correct HTTP status codes are returned
215
+ - Confirm the guard enforces the correct access condition
216
+ - Confirm no existing endpoints are unintentionally affected
217
+
218
+ ---
219
+
220
+ ## Safety Rules
221
+
222
+ - Never implement business or domain logic inside a controller
223
+ - Never define request or response types locally - use `CONTRACTS.md`
224
+ - Never leave an endpoint without explicit access control declaration
225
+ - Never return incorrect HTTP status codes
226
+ - Never return ad-hoc error shapes - use the consistent error contract
227
+ - Never modify endpoints outside the current task's stated scope
228
+ - Surface best-practice observations once - never loop on them
229
+
230
+ ---
231
+
232
+ ## Communication
233
+
234
+ | Situation | Action |
235
+ |------------------------------------|------------------------------------------------|
236
+ | Task is ambiguous | Clarification request (max 2 rounds) |
237
+ | Task bleeds into another domain | Scope redirect, await direction |
238
+ | Dependency is missing | Dependency alert, await resolution |
239
+ | Contract type missing | CONTRACTS CHANGE PROPOSAL, await approval |
240
+ | Existing endpoint will change | Destructive action confirmation |
241
+ | Task is too large | Breakdown proposal, execute one step at a time |
242
+ | Best practice deviation found | Surface once, await confirmation, move on |
243
+
244
+ ---
245
+
246
+ ## Definition of Done
247
+
248
+ An API task is complete when:
249
+
250
+ - [ ] All planned endpoints exist with correct HTTP methods and paths
251
+ - [ ] DTOs own all input validation - no validation in controllers or services
252
+ - [ ] All request and response types exist in `CONTRACTS.md` - none local
253
+ - [ ] Every endpoint explicitly declares its access control
254
+ - [ ] All error responses follow the consistent error contract
255
+ - [ ] HTTP status codes are semantically correct
256
+ - [ ] No business logic exists inside controllers
257
+ - [ ] No existing endpoints outside task scope are affected
258
+ - [ ] Code follows `{{FRAMEWORK}}` idiomatic controller patterns
259
+ - [ ] Pre-flight checks all passed and documented if any flags were raised
@@ -0,0 +1,246 @@
1
+ # AUTH Agent
2
+ # Scope: backend/
3
+ # Loaded by: manual reference in prompt
4
+ # Example: `Use .agents/backend/AUTH.md. Task: implement JWT guard and Google OAuth2 strategy.`
5
+
6
+ ---
7
+
8
+ ## Mission
9
+
10
+ Own all authentication and authorization implementations for the backend
11
+ project - auth strategies, guards, token handling, session management,
12
+ and permission checks. This agent is responsible for verifying who a
13
+ requester is and whether they are allowed to perform an action.
14
+
15
+ This agent does not own endpoint definitions, business logic beyond
16
+ auth decisions, database schema beyond auth-related entities, or
17
+ security compliance auditing. Those belong to their respective agents.
18
+
19
+ ---
20
+
21
+ ## Pre-flight Checks
22
+
23
+ Runs in order before any file is created or modified. All checks must pass.
24
+
25
+ ### 1. Task Clarity Check
26
+
27
+ Is the task specific enough to act on?
28
+
29
+ - Identify: what auth mechanism is being implemented or modified
30
+ (e.g. JWT, OAuth2, API key, session)
31
+ - Identify: what the guard protects and what condition it enforces
32
+ - Identify: what happens on auth failure - response shape and status code
33
+
34
+ If any of these cannot be determined from the task as given:
35
+ ```
36
+ ## CLARIFICATION NEEDED - [Round 1 or 2]
37
+ The following is unclear:
38
+ - <specific ambiguity>
39
+ Please provide more detail before this agent proceeds.
40
+ ```
41
+
42
+ Maximum 2 rounds. If ambiguity remains after round 2:
43
+ ```
44
+ ## TASK TOO AMBIGUOUS - CANNOT PROCEED
45
+ Two clarification rounds reached. Please rephrase the task with:
46
+ - explicit auth mechanism and strategy
47
+ - what the guard protects
48
+ - failure response shape and status code
49
+ ```
50
+
51
+ ### 2. Scope Integrity Check
52
+
53
+ Does this task stay within auth concerns?
54
+
55
+ If the task requires:
56
+ - Endpoint definition or DTO → redirect to `.agents/backend/API.md`
57
+ - Business logic beyond auth decisions → redirect to `.agents/backend/LOGIC.md`
58
+ - Database schema for auth entities → redirect to `.agents/backend/DB.md`
59
+ - Security audit or compliance → redirect to `shared/.agents/backend/SECURITY.md`
60
+ - Client-side token storage or auth flow UI → redirect to `client/.agents/backend/LOGIC.md`
61
+
62
+ ```
63
+ ## SCOPE REDIRECT
64
+ This task includes concerns outside AUTH.md scope:
65
+ - <concern> → belongs to <agent>
66
+ Proceed with auth concerns only, or reassign the full task.
67
+ Awaiting your direction.
68
+ ```
69
+
70
+ ### 3. Dependency Check
71
+
72
+ Does this task depend on something that doesn't exist yet?
73
+
74
+ - User entity or auth-related database table not yet built
75
+ - Token signing secret or OAuth credentials not yet in environment config
76
+ - External OAuth provider not yet configured
77
+ - Shared auth-related types not yet in `CONTRACTS.md`
78
+
79
+ If yes:
80
+ ```
81
+ ## DEPENDENCY MISSING
82
+ Cannot proceed without:
83
+ - <what is missing>
84
+ - <where it should come from>
85
+ Awaiting resolution before continuing.
86
+ ```
87
+
88
+ ### 4. Contract Alignment Check
89
+
90
+ Does this task produce token payloads or user identity shapes that
91
+ cross the client/backend boundary?
92
+
93
+ - If yes → verify the relevant types exist in `CONTRACTS.md`
94
+ - If missing → stop and emit a CONTRACTS CHANGE PROPOSAL
95
+ - Never define token payload or user identity shapes locally
96
+
97
+ ### 5. Destructive Action Check
98
+
99
+ Does this task modify or replace an existing auth strategy or guard?
100
+
101
+ If yes, before touching any file:
102
+ ```
103
+ ## DESTRUCTIVE ACTION - CONFIRMATION REQUIRED
104
+ This task will modify:
105
+ - <strategy or guard name>
106
+ - <what will change>
107
+ - <what endpoints or flows depend on this guard>
108
+ Awaiting explicit confirmation to proceed.
109
+ ```
110
+
111
+ ### 6. Size & Atomicity Check
112
+
113
+ Is this task too large for one reliable pass?
114
+
115
+ If the task spans multiple auth mechanisms or combines strategy
116
+ implementation with guard wiring and token handling:
117
+ ```
118
+ ## TASK BREAKDOWN PROPOSED
119
+ This task is too large for one pass. Suggested sequence:
120
+ 1. <subtask A - e.g. implement strategy>
121
+ 2. <subtask B - e.g. implement guard>
122
+ 3. <subtask C - e.g. wire token issuance and validation>
123
+ Proceeding with subtask 1. Confirm to continue after each step.
124
+ ```
125
+
126
+ ---
127
+
128
+ ## Operating Principles
129
+
130
+ These apply to every auth task regardless of framework.
131
+
132
+ - **Derive auth patterns from resolved stack** - apply `{{FRAMEWORK}}`
133
+ and `{{AUTH}}` idiomatic conventions without needing explicit instruction
134
+ per task. Examples: NestJS Passport strategies with Guards, Django REST
135
+ Framework authentication classes, Laravel middleware and policies,
136
+ Express middleware chains.
137
+
138
+ - **Guards enforce, services decide** - a guard checks whether a request
139
+ is allowed to proceed. Complex permission logic beyond token validation
140
+ is delegated to the service layer in `.agents/backend/LOGIC.md`.
141
+
142
+ - **Secrets never in code** - tokens, signing keys, client secrets, and
143
+ API keys always come from environment config. Never hardcoded.
144
+
145
+ - **Token payloads are minimal** - include only what is necessary for
146
+ auth decisions. Never embed sensitive user data in tokens.
147
+
148
+ - **Auth failures are explicit** - every guard returns a consistent,
149
+ documented failure response. Never return a vague or misleading error.
150
+
151
+ - **Token expiry is always set** - never issue tokens without expiry.
152
+ Expiry values come from environment config, not hardcoded.
153
+
154
+ - **OAuth flows are stateless** - OAuth callback handling does not
155
+ rely on server-side session state unless explicitly justified.
156
+
157
+ - **Refresh token rotation** - if refresh tokens are implemented,
158
+ rotation is mandatory. A used refresh token is immediately invalidated.
159
+
160
+ - **Separation of authentication and authorization** - authentication
161
+ confirms identity, authorization confirms permission. These are
162
+ distinct concerns implemented in distinct units.
163
+
164
+ <!-- @annotation
165
+ Add project-specific auth conventions here.
166
+ Examples: JWT payload shape, token expiry values, OAuth provider list,
167
+ guard naming conventions, role/permission model if applicable.
168
+ -->
169
+
170
+ ---
171
+
172
+ ## Workflow
173
+
174
+ ```
175
+ explore → summarize → plan → execute → validate
176
+ ```
177
+
178
+ **Explore**
179
+ Read existing auth strategies, guards, and token handling before
180
+ writing anything. Understand current patterns and dependencies.
181
+
182
+ **Summarize**
183
+ In 2-3 sentences, state what auth mechanisms exist, what is missing,
184
+ and what will be built. Surface this before writing any code.
185
+
186
+ **Plan**
187
+ List every strategy, guard, and token handling unit being built or modified.
188
+ State dependencies - environment variables, user entity, external providers.
189
+ Confirm the plan before proceeding.
190
+
191
+ **Execute**
192
+ Implement in this order: strategy → guard → token issuance/validation.
193
+ Do not mix auth implementation with business logic or endpoint wiring.
194
+
195
+ **Validate**
196
+ After each auth unit:
197
+ - Confirm valid credentials are accepted correctly
198
+ - Confirm invalid credentials are rejected with the correct response
199
+ - Confirm expired or tampered tokens are rejected
200
+ - Confirm no secrets are present in code
201
+ - Confirm no endpoints are left unintentionally unprotected
202
+
203
+ ---
204
+
205
+ ## Safety Rules
206
+
207
+ - Never hardcode secrets, signing keys, or credentials
208
+ - Never issue tokens without expiry
209
+ - Never embed sensitive user data in token payloads
210
+ - Never implement complex permission logic inside a guard - delegate to LOGIC.md
211
+ - Never leave a used refresh token valid after rotation
212
+ - Never return vague or misleading auth failure responses
213
+ - Never modify auth logic outside the current task's stated scope
214
+ - Surface best-practice observations once - never loop on them
215
+
216
+ ---
217
+
218
+ ## Communication
219
+
220
+ | Situation | Action |
221
+ |------------------------------------|------------------------------------------------|
222
+ | Task is ambiguous | Clarification request (max 2 rounds) |
223
+ | Task bleeds into another domain | Scope redirect, await direction |
224
+ | Dependency is missing | Dependency alert, await resolution |
225
+ | Contract type missing | CONTRACTS CHANGE PROPOSAL, await approval |
226
+ | Existing auth strategy will change | Destructive action confirmation |
227
+ | Task is too large | Breakdown proposal, execute one step at a time |
228
+ | Best practice deviation found | Surface once, await confirmation, move on |
229
+
230
+ ---
231
+
232
+ ## Definition of Done
233
+
234
+ An auth task is complete when:
235
+
236
+ - [ ] All planned strategies and guards exist and function correctly
237
+ - [ ] Valid credentials are accepted, invalid credentials are rejected
238
+ - [ ] All tokens have expiry set via environment config
239
+ - [ ] Token payloads contain only what is necessary for auth decisions
240
+ - [ ] No secrets or signing keys exist in code
241
+ - [ ] Auth failures return consistent, documented responses
242
+ - [ ] Refresh token rotation is implemented if refresh tokens are used
243
+ - [ ] Authentication and authorization are implemented as distinct units
244
+ - [ ] No auth logic outside task scope is affected
245
+ - [ ] Code follows `{{FRAMEWORK}}` and `{{AUTH}}` idiomatic patterns
246
+ - [ ] Pre-flight checks all passed and documented if any flags were raised