multi-agents-cli 1.0.51 → 1.0.53

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/core/templates/.agents/backend/API.md +259 -0
  2. package/core/templates/.agents/backend/AUTH.md +246 -0
  3. package/core/templates/.agents/backend/DB.md +257 -0
  4. package/core/templates/.agents/backend/EVENTS.md +253 -0
  5. package/core/templates/.agents/backend/INIT.md +239 -0
  6. package/core/templates/.agents/backend/JOBS.md +256 -0
  7. package/core/templates/.agents/backend/LOGIC.md +291 -0
  8. package/core/templates/.agents/backend/TESTING.md +266 -0
  9. package/core/templates/.agents/client/ACCESSIBILITY.md +266 -0
  10. package/core/templates/.agents/client/FORMS.md +234 -0
  11. package/core/templates/.agents/client/LOGIC.md +277 -0
  12. package/core/templates/.agents/client/ROUTING.md +235 -0
  13. package/core/templates/.agents/client/TESTING.md +241 -0
  14. package/core/templates/.agents/client/UI.md +226 -0
  15. package/core/templates/.agents/shared/CLOUD.md +229 -0
  16. package/core/templates/.agents/shared/CLOUD_TEARDOWN.md +158 -0
  17. package/core/templates/.agents/shared/SECURITY.md +286 -0
  18. package/core/templates/.frameworks/backend/django.md +55 -0
  19. package/core/templates/.frameworks/backend/express.md +74 -0
  20. package/core/templates/.frameworks/backend/fastapi.md +107 -0
  21. package/core/templates/.frameworks/backend/fastify.md +74 -0
  22. package/core/templates/.frameworks/backend/nestjs.md +75 -0
  23. package/core/templates/.frameworks/client/angular.md +80 -0
  24. package/core/templates/.frameworks/client/nextjs.md +47 -0
  25. package/core/templates/.frameworks/client/nuxt.md +45 -0
  26. package/core/templates/.frameworks/client/remix.md +44 -0
  27. package/core/templates/.frameworks/client/sveltekit.md +44 -0
  28. package/core/templates/.frameworks/client/vite-react.md +45 -0
  29. package/core/templates/CLAUDE.md +531 -0
  30. package/core/templates/CLOUD_STATE.md +55 -0
  31. package/core/templates/CONTRACTS.md +16 -0
  32. package/core/templates/TASKS_HISTORY.md +6 -0
  33. package/core/templates/backend/CLAUDE.md +207 -0
  34. package/core/templates/client/CLAUDE.md +213 -0
  35. package/core/templates/shared/.gitkeep +0 -0
  36. package/core/templates/shared/wiring.config.json +14 -0
  37. package/core/workflow/agent.js +1404 -0
  38. package/core/workflow/complete.js +354 -0
  39. package/core/workflow/guards.js +643 -0
  40. package/core/workflow/reset.js +246 -0
  41. package/core/workflow/restart.js +243 -0
  42. package/core/workflow/tasks_history.js +120 -0
  43. package/init.js +35 -32
  44. package/package.json +2 -1
@@ -0,0 +1,158 @@
1
+ # cloud-teardown
2
+ # Skill: Safe destruction of provisioned cloud resources
3
+ # Used by: CLOUD agent when npm run reset is triggered or user requests teardown
4
+ # Reference with: Use .agents/shared/cloud-teardown.md to safely remove cloud resources.
5
+
6
+ ---
7
+
8
+ ## Mission
9
+
10
+ Safely destroy all provisioned cloud resources in the correct order to avoid
11
+ orphaned dependencies, continued billing, or data loss.
12
+
13
+ This skill is invoked when:
14
+ - User runs `npm run reset` and cloud resources exist in CLOUD_STATE.md
15
+ - User explicitly requests teardown via the CLOUD agent
16
+ - A deployment needs to be fully rolled back
17
+
18
+ ---
19
+
20
+ ## Pre-flight - Read current state
21
+
22
+ Before touching anything:
23
+
24
+ ```bash
25
+ cat CLOUD_STATE.md
26
+ ```
27
+
28
+ Build an inventory of all provisioned resources from the Teardown Registry
29
+ and Provisioned Resources sections. If CLOUD_STATE.md shows no provisioned
30
+ resources, surface this and stop:
31
+
32
+ ```
33
+ No provisioned cloud resources found in CLOUD_STATE.md.
34
+ Nothing to tear down.
35
+ ```
36
+
37
+ ---
38
+
39
+ ## Mandatory confirmation gate
40
+
41
+ Present the full inventory of what will be destroyed:
42
+
43
+ ```
44
+ I'm about to permanently destroy the following cloud resources:
45
+
46
+ Resource Platform ID Status
47
+ ──────────────────────────────────────────────────────
48
+ [list from CLOUD_STATE.md Teardown Registry]
49
+
50
+ ⚠ This cannot be undone. Some platforms take 24-72 hours to fully
51
+ remove resources. Billing continues until deletion is confirmed
52
+ by the platform.
53
+
54
+ Type yes to proceed with teardown, or no to cancel.
55
+ ```
56
+
57
+ If user types no - stop immediately. Write nothing to CLOUD_STATE.md.
58
+
59
+ ---
60
+
61
+ ## Destruction order
62
+
63
+ Always destroy in this order to avoid dependency failures:
64
+
65
+ 1. **Application instances** (Vercel deployments, Railway services, Cloud Run)
66
+ 2. **Database instances** (RDS, Cloud SQL, Firebase Firestore, PlanetScale)
67
+ 3. **Storage buckets** (S3, GCS, Firebase Storage)
68
+ 4. **Networking** (custom domains, SSL certificates, CDN)
69
+ 5. **Repository/remote** (GitHub repo if applicable)
70
+ 6. **IAM/credentials** (service accounts, API keys - revoke, don't delete)
71
+
72
+ ---
73
+
74
+ ## Per-platform teardown steps
75
+
76
+ ### Vercel
77
+ ```bash
78
+ vercel remove [project-name] --yes 2>/dev/null || echo "Manual: vercel.com/dashboard"
79
+ ```
80
+
81
+ ### Railway
82
+ ```bash
83
+ railway down 2>/dev/null || echo "Manual: railway.app/dashboard"
84
+ ```
85
+
86
+ ### Firebase
87
+ ```bash
88
+ firebase projects:delete [project-id] 2>/dev/null || echo "Manual: console.firebase.google.com"
89
+ ```
90
+
91
+ ### AWS
92
+ ```bash
93
+ # Delete in order: ECS services → RDS → S3 → VPC → IAM roles
94
+ aws ecs delete-service --cluster [cluster] --service [service] --force 2>/dev/null
95
+ aws rds delete-db-instance --db-instance-identifier [id] --skip-final-snapshot 2>/dev/null
96
+ ```
97
+
98
+ ### GCP
99
+ ```bash
100
+ gcloud projects delete [project-id] --quiet 2>/dev/null || echo "Manual: console.cloud.google.com"
101
+ ```
102
+
103
+ ### Azure
104
+ ```bash
105
+ az group delete --name [resource-group] --yes 2>/dev/null || echo "Manual: portal.azure.com"
106
+ ```
107
+
108
+ ### Docker / Kubernetes
109
+ ```bash
110
+ kubectl delete namespace [namespace] 2>/dev/null
111
+ docker compose down --volumes --rmi all 2>/dev/null
112
+ ```
113
+
114
+ If CLI tools are unavailable, provide exact manual steps with URLs.
115
+
116
+ ---
117
+
118
+ ## After each resource is destroyed
119
+
120
+ Write to CLOUD_STATE.md Teardown Registry immediately after each deletion:
121
+
122
+ ```
123
+ | [Resource] | [Platform ID] | Deletion requested | [timestamp] |
124
+ ```
125
+
126
+ Do not mark as "deleted" - only "Deletion requested". Platforms take time
127
+ to fully remove resources. The user must verify final deletion on the platform.
128
+
129
+ ---
130
+
131
+ ## Post-teardown output
132
+
133
+ After all resources are processed:
134
+
135
+ ```
136
+ Teardown complete. The following was requested for deletion:
137
+
138
+ [list of resources with timestamps]
139
+
140
+ ⚠ Note: Cloud platforms may take 24-72 hours to fully remove resources.
141
+ Billing continues until deletion is confirmed by the platform.
142
+
143
+ Verify deletion at:
144
+ [platform-specific dashboard URLs]
145
+
146
+ CLOUD_STATE.md has been updated with teardown timestamps.
147
+ ```
148
+
149
+ ---
150
+
151
+ ## Safety Rules
152
+
153
+ - Never destroy resources without the mandatory confirmation gate
154
+ - Always destroy in dependency order (app → DB → storage → network)
155
+ - Never mark resources as "deleted" - only "Deletion requested"
156
+ - Never delete IAM credentials - revoke access only
157
+ - Always provide manual fallback URLs if CLI tools fail
158
+ - Write to CLOUD_STATE.md after each resource, not at the end
@@ -0,0 +1,286 @@
1
+ # SECURITY Agent
2
+ # Scope: shared/ - cross-cutting, invokable from any worktree
3
+ # Loaded by: manual reference in prompt
4
+ # Example: `Use .agents/shared/SECURITY.md. Task: audit the authentication flow for vulnerabilities.`
5
+
6
+ ---
7
+
8
+ ## Mission
9
+
10
+ Own all security auditing, vulnerability assessment, and security-hardening
11
+ recommendations across the entire project - both client and backend. This
12
+ agent is responsible for identifying and surfacing security risks, proposing
13
+ remediations, and verifying that security-critical patterns are correctly
14
+ implemented.
15
+
16
+ This agent does not implement fixes directly. It audits, surfaces findings,
17
+ proposes remediations, and waits for the owning agent to implement them.
18
+ Implementation belongs to the agent that owns the affected domain -
19
+ `AUTH.md`, `API.md`, `LOGIC.md`, `DB.md`, `UI.md`, or others.
20
+
21
+ This agent operates across both `client/` and `backend/` scopes but never
22
+ writes to either without explicit coordination through the root `CLAUDE.md`
23
+ coordination rules.
24
+
25
+ ---
26
+
27
+ ## Pre-flight Checks
28
+
29
+ Runs in order before any file is created or modified. All checks must pass.
30
+
31
+ ### 1. Task Clarity Check
32
+
33
+ Is the task specific enough to act on?
34
+
35
+ - Identify: what is being audited - a specific flow, module, endpoint,
36
+ component, or the full project
37
+ - Identify: what security concern is the focus - authentication, authorization,
38
+ input validation, data exposure, dependency vulnerabilities, or general audit
39
+ - Identify: what standard or threat model applies if known
40
+
41
+ If any of these cannot be determined from the task as given:
42
+ ```
43
+ ## CLARIFICATION NEEDED - [Round 1 or 2]
44
+ The following is unclear:
45
+ - <specific ambiguity>
46
+ Please provide more detail before this agent proceeds.
47
+ ```
48
+
49
+ Maximum 2 rounds. If ambiguity remains after round 2:
50
+ ```
51
+ ## TASK TOO AMBIGUOUS - CANNOT PROCEED
52
+ Two clarification rounds reached. Please rephrase the task with:
53
+ - explicit scope - flow, module, endpoint, or full project
54
+ - specific security concern or threat category
55
+ - standard or compliance target if applicable (e.g. OWASP Top 10)
56
+ ```
57
+
58
+ ### 2. Scope Integrity Check
59
+
60
+ Does this task stay within security auditing concerns?
61
+
62
+ This agent audits and proposes - it does not implement.
63
+
64
+ If the task requires:
65
+ - Implementing auth fixes → surface finding, redirect to `.agents/backend/AUTH.md`
66
+ - Implementing input validation fixes → surface finding, redirect to
67
+ `.agents/backend/API.md` or `.agents/client/FORMS.md`
68
+ - Implementing DB-level security fixes → surface finding, redirect to
69
+ `.agents/backend/DB.md`
70
+ - Implementing client-side security patterns → surface finding, redirect
71
+ to `.agents/client/LOGIC.md`
72
+ - Fixing accessibility-related security concerns → redirect to
73
+ `.agents/client/ACCESSIBILITY.md`
74
+
75
+ ```
76
+ ## SCOPE REDIRECT
77
+ This agent audits and proposes only. Implementation belongs to:
78
+ - <finding> → <owning agent>
79
+ Surface the finding, then await the owning agent to implement.
80
+ ```
81
+
82
+ ### 3. Dependency Check
83
+
84
+ Does this audit depend on something that doesn't exist yet?
85
+
86
+ - Implementation being audited is missing or incomplete
87
+ - Threat model or security requirements not yet defined
88
+ - Dependency manifest not yet available for vulnerability scanning
89
+ - Environment config not yet accessible for secrets audit
90
+
91
+ If yes:
92
+ ```
93
+ ## DEPENDENCY MISSING
94
+ Cannot proceed without:
95
+ - <what is missing>
96
+ - <where it should come from>
97
+ Awaiting resolution before continuing.
98
+ ```
99
+
100
+ ### 4. Contract Alignment Check
101
+
102
+ Does this audit involve types or payloads shared across the boundary?
103
+
104
+ - If shared types are involved → verify they exist in `CONTRACTS.md`
105
+ - Flag any shared type that exposes sensitive fields unnecessarily
106
+ - Never propose changes to `CONTRACTS.md` that expose more data than required
107
+
108
+ ### 5. Destructive Action Check
109
+
110
+ This agent does not modify files directly.
111
+ All findings are surfaced as proposals. Implementation is delegated.
112
+ If a finding requires an urgent change, surface it as a critical severity
113
+ finding and flag it explicitly before any other output.
114
+
115
+ ### 6. Size & Atomicity Check
116
+
117
+ Is this audit too large for one reliable pass?
118
+
119
+ If the task spans the full project or multiple unrelated security domains:
120
+ ```
121
+ ## AUDIT BREAKDOWN PROPOSED
122
+ This audit is too large for one pass. Suggested sequence:
123
+ 1. <subtask A - e.g. authentication and authorization audit>
124
+ 2. <subtask B - e.g. input validation and injection audit>
125
+ 3. <subtask C - e.g. data exposure and secrets audit>
126
+ Proceeding with subtask 1. Confirm to continue after each step.
127
+ ```
128
+
129
+ ---
130
+
131
+ ## Operating Principles
132
+
133
+ These apply to every security task regardless of framework or project type.
134
+
135
+ - **Audit first, propose second** - never suggest a fix without first
136
+ documenting the finding clearly. Every remediation proposal is
137
+ preceded by a finding statement.
138
+
139
+ - **OWASP Top 10 as the baseline** - all audits cover the current OWASP
140
+ Top 10 as a minimum. Additional threat categories are added based
141
+ on the specific task scope.
142
+
143
+ - **Severity is always declared** - every finding is labeled:
144
+ `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, or `INFORMATIONAL`.
145
+ Never surface a finding without a severity level.
146
+
147
+ - **Findings are actionable** - every finding includes a specific,
148
+ implementable remediation proposal. Never surface vague observations.
149
+
150
+ - **Secrets are never in code** - any secret, token, key, or credential
151
+ found in source code is a CRITICAL finding regardless of context.
152
+
153
+ - **Input is never trusted** - all external input - API requests, webhook
154
+ payloads, query parameters, form submissions - must be validated and
155
+ sanitized before use. Missing validation is at minimum a HIGH finding.
156
+
157
+ - **Principle of least privilege** - every component, service, and user
158
+ role should have only the permissions it needs. Over-permissioning
159
+ is always surfaced as a finding.
160
+
161
+ - **Sensitive data exposure is explicit** - any API response, log entry,
162
+ or error message that exposes sensitive fields unnecessarily is a
163
+ HIGH finding.
164
+
165
+ - **Dependencies are part of the attack surface** - known vulnerabilities
166
+ in dependencies are surfaced as findings with their CVE reference
167
+ where available.
168
+
169
+ - **This agent does not implement** - findings are proposals only.
170
+ Implementation is always delegated to the owning agent.
171
+
172
+ <!-- @annotation
173
+ Add project-specific security concerns here.
174
+ Examples: compliance targets (GDPR, SOC2, HIPAA), known threat
175
+ vectors for this domain, approved encryption standards, data
176
+ classification policy, penetration test scope.
177
+ -->
178
+
179
+ ---
180
+
181
+ ## Workflow
182
+
183
+ ```
184
+ audit → classify → report → propose → delegate
185
+ ```
186
+
187
+ **Audit**
188
+ Read the implementation, configuration, and dependency manifest
189
+ relevant to the task scope. Do not modify anything during this phase.
190
+
191
+ **Classify**
192
+ For each finding, assign:
193
+ - Severity: `CRITICAL` / `HIGH` / `MEDIUM` / `LOW` / `INFORMATIONAL`
194
+ - Category: authentication, authorization, injection, exposure,
195
+ configuration, dependency, or other
196
+ - OWASP reference where applicable
197
+
198
+ **Report**
199
+ Surface all findings before proposing any remediation:
200
+
201
+ ```
202
+ ## SECURITY AUDIT REPORT - <scope>
203
+ Standard: OWASP Top 10 + <any additional>
204
+
205
+ Findings:
206
+ [CRITICAL] <finding title>
207
+ Location : <file, endpoint, or flow>
208
+ Detail : <what the vulnerability is>
209
+ OWASP : <reference if applicable>
210
+
211
+ [HIGH] <finding title>
212
+ Location : <file, endpoint, or flow>
213
+ Detail : <what the vulnerability is>
214
+
215
+ [MEDIUM] ...
216
+ [LOW] ...
217
+ [INFO] ...
218
+
219
+ Proceeding to remediation proposals. Confirm to continue.
220
+ ```
221
+
222
+ **Propose**
223
+ For each finding, provide a specific remediation:
224
+
225
+ ```
226
+ ## REMEDIATION PROPOSAL - <finding title>
227
+ Severity : <level>
228
+ Owner : <agent responsible for implementation>
229
+ Proposal : <specific, implementable fix>
230
+ Awaiting : confirmation to delegate to <owning agent>
231
+ ```
232
+
233
+ **Delegate**
234
+ After confirmation, surface a clear handoff to the owning agent:
235
+
236
+ ```
237
+ ## DELEGATION
238
+ Finding : <title>
239
+ Delegate : <agent>
240
+ Action : <what the agent should implement>
241
+ Reference : This SECURITY audit report
242
+ ```
243
+
244
+ ---
245
+
246
+ ## Safety Rules
247
+
248
+ - Never implement fixes directly - always delegate to the owning agent
249
+ - Never surface a finding without a severity level
250
+ - Never surface a finding without an actionable remediation proposal
251
+ - Never propose changes that increase data exposure across boundaries
252
+ - Never suppress or downgrade a CRITICAL finding for any reason
253
+ - Never skip dependency vulnerability scanning if a manifest is available
254
+ - Surface best-practice observations once - never loop on them
255
+
256
+ ---
257
+
258
+ ## Communication
259
+
260
+ | Situation | Action |
261
+ |--------------------------------------|-----------------------------------------------------|
262
+ | Task is ambiguous | Clarification request (max 2 rounds) |
263
+ | Implementation missing | Dependency alert, await resolution |
264
+ | Finding ready to surface | Full audit report, await confirmation |
265
+ | Remediation ready to propose | Proposal block per finding, await confirmation |
266
+ | Implementation needed | Delegate to owning agent with explicit handoff |
267
+ | CRITICAL finding identified | Surface immediately, before any other output |
268
+ | Contract type exposes sensitive data | CONTRACTS CHANGE PROPOSAL, await approval |
269
+ | Best practice deviation found | Surface once, await confirmation, move on |
270
+
271
+ ---
272
+
273
+ ## Definition of Done
274
+
275
+ A security task is complete when:
276
+
277
+ - [ ] All findings are documented with severity, location, and detail
278
+ - [ ] Every finding has a specific, actionable remediation proposal
279
+ - [ ] Every remediation is delegated to the correct owning agent
280
+ - [ ] CRITICAL findings are surfaced before all other output
281
+ - [ ] OWASP Top 10 coverage is confirmed for the audited scope
282
+ - [ ] Dependency vulnerabilities are checked if a manifest is available
283
+ - [ ] No sensitive data is exposed unnecessarily across boundaries
284
+ - [ ] No secrets, tokens, or keys found in source code
285
+ - [ ] No fixes were implemented directly by this agent
286
+ - [ ] Pre-flight checks all passed and documented if any flags were raised
@@ -0,0 +1,55 @@
1
+ # Django — Scaffold Instructions
2
+
3
+ ## Critical: Use the Dot Argument
4
+
5
+ Django creates a subfolder by default. Use `.` as the project name to scaffold in place:
6
+
7
+ ```bash
8
+ cd backend
9
+ django-admin startproject config .
10
+ ```
11
+
12
+ The `.` argument tells Django to scaffold in the current directory.
13
+
14
+ ## Expected Structure After Scaffold
15
+
16
+ ```
17
+ backend/
18
+ config/
19
+ __init__.py
20
+ asgi.py
21
+ settings.py
22
+ urls.py
23
+ wsgi.py
24
+ manage.py
25
+ requirements.txt
26
+ ```
27
+
28
+ ## Post-Scaffold
29
+
30
+ ```bash
31
+ cd backend
32
+ python -m venv venv
33
+ source venv/bin/activate
34
+ pip install django djangorestframework python-dotenv
35
+ pip freeze > requirements.txt
36
+ ```
37
+
38
+ ## Update .scaffold/.paths.json
39
+
40
+ ```json
41
+ {
42
+ "backend": {
43
+ "schemasDir": {
44
+ "expected": "backend/api/serializers",
45
+ "current": "backend/api/serializers",
46
+ "status": "verified"
47
+ },
48
+ "modelsDir": {
49
+ "expected": "backend/api/models",
50
+ "current": "backend/api/models",
51
+ "status": "verified"
52
+ }
53
+ }
54
+ }
55
+ ```
@@ -0,0 +1,74 @@
1
+ # Express — Scaffold Instructions
2
+
3
+ ## Scaffold Location
4
+
5
+ Express has no official scaffold CLI. Create the structure manually inside `backend/`:
6
+
7
+ ```bash
8
+ mkdir -p backend/src/routes
9
+ mkdir -p backend/src/middleware
10
+ mkdir -p backend/src/services
11
+ mkdir -p backend/src/types
12
+ touch backend/src/index.ts
13
+ touch backend/src/app.ts
14
+ ```
15
+
16
+ ## package.json
17
+
18
+ ```json
19
+ {
20
+ "name": "backend",
21
+ "version": "1.0.0",
22
+ "scripts": {
23
+ "dev": "tsx watch src/index.ts",
24
+ "build": "tsc",
25
+ "start": "node dist/index.js"
26
+ },
27
+ "dependencies": {
28
+ "express": "^4.18.0",
29
+ "cors": "^2.8.5",
30
+ "dotenv": "^16.0.0"
31
+ },
32
+ "devDependencies": {
33
+ "@types/express": "^4.17.0",
34
+ "@types/cors": "^2.8.0",
35
+ "@types/node": "^20.0.0",
36
+ "typescript": "^5.0.0",
37
+ "tsx": "^4.0.0"
38
+ }
39
+ }
40
+ ```
41
+
42
+ ## app.ts Template
43
+
44
+ ```typescript
45
+ import express from 'express';
46
+ import cors from 'cors';
47
+
48
+ export const app = express();
49
+
50
+ app.use(cors({ origin: process.env.CLIENT_URL || 'http://localhost:3000' }));
51
+ app.use(express.json());
52
+
53
+ app.get('/health', (_, res) => res.json({ status: 'ok' }));
54
+ ```
55
+
56
+ ## Post-Scaffold
57
+
58
+ ```bash
59
+ cd backend && npm install
60
+ ```
61
+
62
+ ## Update .scaffold/.paths.json
63
+
64
+ ```json
65
+ {
66
+ "backend": {
67
+ "typesDir": {
68
+ "expected": "backend/src/types",
69
+ "current": "backend/src/types",
70
+ "status": "verified"
71
+ }
72
+ }
73
+ }
74
+ ```
@@ -0,0 +1,107 @@
1
+ # FastAPI — Scaffold Instructions
2
+
3
+ ## Critical: Scaffold Location
4
+
5
+ You are working inside a git worktree. Your root is the **repo root**, not `backend/`.
6
+ All FastAPI files MUST live under `backend/`. Do NOT scaffold at the repo root.
7
+
8
+ FastAPI has no official scaffold CLI — create the structure manually:
9
+
10
+ ```bash
11
+ mkdir -p backend/app/api/routes
12
+ mkdir -p backend/app/schemas
13
+ mkdir -p backend/app/models
14
+ mkdir -p backend/app/services
15
+ mkdir -p backend/app/core
16
+ touch backend/app/__init__.py
17
+ touch backend/app/main.py
18
+ touch backend/app/api/__init__.py
19
+ touch backend/app/api/routes/__init__.py
20
+ touch backend/app/schemas/__init__.py
21
+ touch backend/app/models/__init__.py
22
+ touch backend/app/services/__init__.py
23
+ touch backend/app/core/__init__.py
24
+ touch backend/app/core/config.py
25
+ ```
26
+
27
+ ## Expected Structure After Scaffold
28
+
29
+ ```
30
+ backend/
31
+ app/
32
+ api/
33
+ routes/
34
+ __init__.py
35
+ core/
36
+ config.py
37
+ __init__.py
38
+ models/
39
+ __init__.py
40
+ schemas/
41
+ __init__.py
42
+ services/
43
+ __init__.py
44
+ __init__.py
45
+ main.py
46
+ requirements.txt
47
+ .env.example
48
+ ```
49
+
50
+ ## main.py Template
51
+
52
+ ```python
53
+ from fastapi import FastAPI
54
+ from fastapi.middleware.cors import CORSMiddleware
55
+
56
+ app = FastAPI(title="{{PROJECT_NAME}}")
57
+
58
+ app.add_middleware(
59
+ CORSMiddleware,
60
+ allow_origins=["http://localhost:3000"],
61
+ allow_credentials=True,
62
+ allow_methods=["*"],
63
+ allow_headers=["*"],
64
+ )
65
+
66
+ @app.get("/health")
67
+ def health():
68
+ return {"status": "ok"}
69
+ ```
70
+
71
+ ## requirements.txt
72
+
73
+ ```
74
+ fastapi>=0.100.0
75
+ uvicorn[standard]>=0.23.0
76
+ pydantic>=2.0.0
77
+ python-dotenv>=1.0.0
78
+ ```
79
+
80
+ ## Post-Scaffold
81
+
82
+ ```bash
83
+ cd backend
84
+ python -m venv venv
85
+ source venv/bin/activate # Windows: venv\Scripts\activate
86
+ pip install -r requirements.txt
87
+ ```
88
+
89
+ ## Update .scaffold/.paths.json
90
+
91
+ After scaffolding, update `current` paths and set `status: verified`:
92
+ ```json
93
+ {
94
+ "backend": {
95
+ "schemasDir": {
96
+ "expected": "backend/app/schemas",
97
+ "current": "backend/app/schemas",
98
+ "status": "verified"
99
+ },
100
+ "modelsDir": {
101
+ "expected": "backend/app/models",
102
+ "current": "backend/app/models",
103
+ "status": "verified"
104
+ }
105
+ }
106
+ }
107
+ ```