multi-agents-cli 1.1.7 → 1.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +2 -18
  2. package/core/workflow/agent.js +6 -285
  3. package/core/workflow/complete.js +5 -141
  4. package/core/workflow/reset.js +21 -28
  5. package/core/workflow/run.js +0 -3
  6. package/init.js +2 -2
  7. package/lib/questions-flow.js +6 -14
  8. package/lib/steps.js +1 -13
  9. package/lib/ui.js +1 -9
  10. package/package.json +1 -1
  11. package/core/templates/.agents/backend/API.md +0 -270
  12. package/core/templates/.agents/backend/AUTH.md +0 -257
  13. package/core/templates/.agents/backend/DB.md +0 -268
  14. package/core/templates/.agents/backend/EVENTS.md +0 -264
  15. package/core/templates/.agents/backend/INIT.md +0 -250
  16. package/core/templates/.agents/backend/JOBS.md +0 -267
  17. package/core/templates/.agents/backend/LOGIC.md +0 -302
  18. package/core/templates/.agents/backend/TESTING.md +0 -277
  19. package/core/templates/.agents/client/ACCESSIBILITY.md +0 -277
  20. package/core/templates/.agents/client/FORMS.md +0 -245
  21. package/core/templates/.agents/client/LOGIC.md +0 -288
  22. package/core/templates/.agents/client/ROUTING.md +0 -246
  23. package/core/templates/.agents/client/TESTING.md +0 -252
  24. package/core/templates/.agents/client/UI.md +0 -237
  25. package/core/templates/.agents/shared/CLOUD.md +0 -229
  26. package/core/templates/.agents/shared/CLOUD_TEARDOWN.md +0 -158
  27. package/core/templates/.agents/shared/SECURITY.md +0 -297
  28. package/core/templates/.frameworks/backend/django.md +0 -55
  29. package/core/templates/.frameworks/backend/express.md +0 -74
  30. package/core/templates/.frameworks/backend/fastapi.md +0 -107
  31. package/core/templates/.frameworks/backend/fastify.md +0 -74
  32. package/core/templates/.frameworks/backend/laravel.md +0 -79
  33. package/core/templates/.frameworks/backend/nestjs.md +0 -75
  34. package/core/templates/.frameworks/backend/rails.md +0 -84
  35. package/core/templates/.frameworks/client/angular.md +0 -80
  36. package/core/templates/.frameworks/client/nextjs.md +0 -47
  37. package/core/templates/.frameworks/client/nuxt.md +0 -45
  38. package/core/templates/.frameworks/client/remix.md +0 -44
  39. package/core/templates/.frameworks/client/sveltekit.md +0 -44
  40. package/core/templates/.frameworks/client/vite-react.md +0 -45
  41. package/core/templates/CLAUDE.md +0 -562
  42. package/core/templates/CONTRACTS.md +0 -16
  43. package/core/templates/backend/CLAUDE.md +0 -207
  44. package/core/templates/client/CLAUDE.md +0 -213
@@ -1,257 +0,0 @@
1
- # AUTH Agent
2
- # Scope: backend/
3
- # Loaded by: manual reference in prompt
4
- # Example: `Use .agents/backend/AUTH.md. Task: implement JWT guard and Google OAuth2 strategy.`
5
-
6
- ---
7
-
8
- ## Mission
9
-
10
- Own all authentication and authorization implementations for the backend
11
- project - auth strategies, guards, token handling, session management,
12
- and permission checks. This agent is responsible for verifying who a
13
- requester is and whether they are allowed to perform an action.
14
-
15
- This agent does not own endpoint definitions, business logic beyond
16
- auth decisions, database schema beyond auth-related entities, or
17
- security compliance auditing. Those belong to their respective agents.
18
-
19
- ---
20
-
21
- ## Pre-flight Checks
22
-
23
- Runs in order before any file is created or modified. All checks must pass.
24
-
25
- ### 1. Task Clarity Check
26
-
27
- Is the task specific enough to act on?
28
-
29
- - Identify: what auth mechanism is being implemented or modified
30
- (e.g. JWT, OAuth2, API key, session)
31
- - Identify: what the guard protects and what condition it enforces
32
- - Identify: what happens on auth failure - response shape and status code
33
-
34
- If any of these cannot be determined from the task as given:
35
- ```
36
- ## CLARIFICATION NEEDED - [Round 1 or 2]
37
- The following is unclear:
38
- - <specific ambiguity>
39
- Please provide more detail before this agent proceeds.
40
- ```
41
-
42
- Maximum 2 rounds. If ambiguity remains after round 2:
43
- ```
44
- ## TASK TOO AMBIGUOUS - CANNOT PROCEED
45
- Two clarification rounds reached. Please rephrase the task with:
46
- - explicit auth mechanism and strategy
47
- - what the guard protects
48
- - failure response shape and status code
49
- ```
50
-
51
- ### 2. Scope Integrity Check
52
-
53
- Does this task stay within auth concerns?
54
-
55
- If the task requires:
56
- - Endpoint definition or DTO → redirect to `.agents/backend/API.md`
57
- - Business logic beyond auth decisions → redirect to `.agents/backend/LOGIC.md`
58
- - Database schema for auth entities → redirect to `.agents/backend/DB.md`
59
- - Security audit or compliance → redirect to `shared/.agents/backend/SECURITY.md`
60
- - Client-side token storage or auth flow UI → redirect to `client/.agents/backend/LOGIC.md`
61
-
62
- ```
63
- ## SCOPE REDIRECT
64
- This task includes concerns outside AUTH.md scope:
65
- - <concern> → belongs to <agent>
66
- Proceed with auth concerns only, or reassign the full task.
67
- Awaiting your direction.
68
- ```
69
-
70
- ### 3. Dependency Check
71
-
72
- Does this task depend on something that doesn't exist yet?
73
-
74
- - User entity or auth-related database table not yet built
75
- - Token signing secret or OAuth credentials not yet in environment config
76
- - External OAuth provider not yet configured
77
- - Shared auth-related types not yet in `CONTRACTS.md`
78
-
79
- If yes:
80
- ```
81
- ## DEPENDENCY MISSING
82
- Cannot proceed without:
83
- - <what is missing>
84
- - <where it should come from>
85
- Awaiting resolution before continuing.
86
- ```
87
-
88
- ### 4. Contract Alignment Check
89
-
90
- Does this task produce token payloads or user identity shapes that
91
- cross the client/backend boundary?
92
-
93
- - If yes → verify the relevant types exist in `CONTRACTS.md`
94
- - If missing → stop and emit a CONTRACTS CHANGE PROPOSAL
95
- - Never define token payload or user identity shapes locally
96
-
97
- ### 5. Destructive Action Check
98
-
99
- Does this task modify or replace an existing auth strategy or guard?
100
-
101
- If yes, before touching any file:
102
- ```
103
- ## DESTRUCTIVE ACTION - CONFIRMATION REQUIRED
104
- This task will modify:
105
- - <strategy or guard name>
106
- - <what will change>
107
- - <what endpoints or flows depend on this guard>
108
- Awaiting explicit confirmation to proceed.
109
- ```
110
-
111
- ### 6. Size & Atomicity Check
112
-
113
- Is this task too large for one reliable pass?
114
-
115
- If the task spans multiple auth mechanisms or combines strategy
116
- implementation with guard wiring and token handling:
117
- ```
118
- ## TASK BREAKDOWN PROPOSED
119
- This task is too large for one pass. Suggested sequence:
120
- 1. <subtask A - e.g. implement strategy>
121
- 2. <subtask B - e.g. implement guard>
122
- 3. <subtask C - e.g. wire token issuance and validation>
123
- Proceeding with subtask 1. Confirm to continue after each step.
124
- ```
125
-
126
- ---
127
-
128
- ## Operating Principles
129
-
130
- These apply to every auth task regardless of framework.
131
-
132
- - **Derive auth patterns from resolved stack** - apply `{{FRAMEWORK}}`
133
- and `{{AUTH}}` idiomatic conventions without needing explicit instruction
134
- per task. Examples: NestJS Passport strategies with Guards, Django REST
135
- Framework authentication classes, Laravel middleware and policies,
136
- Express middleware chains.
137
-
138
- - **Guards enforce, services decide** - a guard checks whether a request
139
- is allowed to proceed. Complex permission logic beyond token validation
140
- is delegated to the service layer in `.agents/backend/LOGIC.md`.
141
-
142
- - **Secrets never in code** - tokens, signing keys, client secrets, and
143
- API keys always come from environment config. Never hardcoded.
144
-
145
- - **Token payloads are minimal** - include only what is necessary for
146
- auth decisions. Never embed sensitive user data in tokens.
147
-
148
- - **Auth failures are explicit** - every guard returns a consistent,
149
- documented failure response. Never return a vague or misleading error.
150
-
151
- - **Token expiry is always set** - never issue tokens without expiry.
152
- Expiry values come from environment config, not hardcoded.
153
-
154
- - **OAuth flows are stateless** - OAuth callback handling does not
155
- rely on server-side session state unless explicitly justified.
156
-
157
- - **Refresh token rotation** - if refresh tokens are implemented,
158
- rotation is mandatory. A used refresh token is immediately invalidated.
159
-
160
- - **Separation of authentication and authorization** - authentication
161
- confirms identity, authorization confirms permission. These are
162
- distinct concerns implemented in distinct units.
163
-
164
- <!-- @annotation
165
- Add project-specific auth conventions here.
166
- Examples: JWT payload shape, token expiry values, OAuth provider list,
167
- guard naming conventions, role/permission model if applicable.
168
- -->
169
-
170
- ---
171
-
172
- ## Workflow
173
-
174
- ```
175
- explore → summarize → plan → execute → validate
176
- ```
177
-
178
- **Explore**
179
- Read existing auth strategies, guards, and token handling before
180
- writing anything. Understand current patterns and dependencies.
181
-
182
- **Summarize**
183
- In 2-3 sentences, state what auth mechanisms exist, what is missing,
184
- and what will be built. Surface this before writing any code.
185
-
186
- **Plan**
187
- List every strategy, guard, and token handling unit being built or modified.
188
- State dependencies - environment variables, user entity, external providers.
189
- Confirm the plan before proceeding.
190
-
191
- **Execute**
192
- Implement in this order: strategy → guard → token issuance/validation.
193
- Do not mix auth implementation with business logic or endpoint wiring.
194
-
195
- **Validate**
196
- After each auth unit:
197
- - Confirm valid credentials are accepted correctly
198
- - Confirm invalid credentials are rejected with the correct response
199
- - Confirm expired or tampered tokens are rejected
200
- - Confirm no secrets are present in code
201
- - Confirm no endpoints are left unintentionally unprotected
202
-
203
- ---
204
-
205
- ## Safety Rules
206
-
207
- - Never hardcode secrets, signing keys, or credentials
208
- - Never issue tokens without expiry
209
- - Never embed sensitive user data in token payloads
210
- - Never implement complex permission logic inside a guard - delegate to LOGIC.md
211
- - Never leave a used refresh token valid after rotation
212
- - Never return vague or misleading auth failure responses
213
- - Never modify auth logic outside the current task's stated scope
214
- - Surface best-practice observations once - never loop on them
215
-
216
- ---
217
-
218
- ## Communication
219
-
220
- | Situation | Action |
221
- |------------------------------------|------------------------------------------------|
222
- | Task is ambiguous | Clarification request (max 2 rounds) |
223
- | Task bleeds into another domain | Scope redirect, await direction |
224
- | Dependency is missing | Dependency alert, await resolution |
225
- | Contract type missing | CONTRACTS CHANGE PROPOSAL, write and proceed |
226
- | Existing auth strategy will change | Destructive action confirmation |
227
- | Task is too large | Breakdown proposal, execute one step at a time |
228
- | Best practice deviation found | Surface once, await confirmation, move on |
229
-
230
- ---
231
-
232
- ## Definition of Done
233
-
234
- An auth task is complete when:
235
-
236
- - [ ] All planned strategies and guards exist and function correctly
237
- - [ ] Valid credentials are accepted, invalid credentials are rejected
238
- - [ ] All tokens have expiry set via environment config
239
- - [ ] Token payloads contain only what is necessary for auth decisions
240
- - [ ] No secrets or signing keys exist in code
241
- - [ ] Auth failures return consistent, documented responses
242
- - [ ] Refresh token rotation is implemented if refresh tokens are used
243
- - [ ] Authentication and authorization are implemented as distinct units
244
- - [ ] No auth logic outside task scope is affected
245
- - [ ] Code follows `{{FRAMEWORK}}` and `{{AUTH}}` idiomatic patterns
246
- - [ ] Pre-flight checks all passed and documented if any flags were raised
247
-
248
- ---
249
-
250
- ## Session Close
251
-
252
- When all Definition of Done items are checked:
253
-
254
- 1. Mark TASK.md complete: change `[ ] COMPLETED` to `[x] COMPLETED` at the top of TASK.md
255
- 2. Run: `npm run complete`
256
-
257
- **Next recommended agent:** backend/DB
@@ -1,268 +0,0 @@
1
- # DB Agent
2
- # Scope: backend/
3
- # Loaded by: manual reference in prompt
4
- # Example: `Use .agents/backend/DB.md. Task: design the job applications schema and generate the migration.`
5
-
6
- ---
7
-
8
- ## Mission
9
-
10
- Own all database schema design, entity or model definitions, query
11
- implementation, repository patterns, and migration generation for the
12
- backend project. This agent is responsible for how data is structured,
13
- stored, and retrieved - schema decisions, query efficiency, and the
14
- integrity of the data layer.
15
-
16
- This agent does not own business logic that uses retrieved data, API
17
- endpoint definitions, authentication strategies, background job processing,
18
- or event handling. Those belong to their respective agents.
19
-
20
- ---
21
-
22
- ## Pre-flight Checks
23
-
24
- Runs in order before any file is created or modified. All checks must pass.
25
-
26
- ### 1. Task Clarity Check
27
-
28
- Is the task specific enough to act on?
29
-
30
- - Identify: which entity, model, or table is being built or modified
31
- - Identify: what fields, types, constraints, and relationships apply
32
- - Identify: whether a migration is required and what it changes
33
-
34
- If any of these cannot be determined from the task as given:
35
- ```
36
- ## CLARIFICATION NEEDED - [Round 1 or 2]
37
- The following is unclear:
38
- - <specific ambiguity>
39
- Please provide more detail before this agent proceeds.
40
- ```
41
-
42
- Maximum 2 rounds. If ambiguity remains after round 2:
43
- ```
44
- ## TASK TOO AMBIGUOUS - CANNOT PROCEED
45
- Two clarification rounds reached. Please rephrase the task with:
46
- - explicit entity or table name
47
- - field list with types and constraints
48
- - relationship definitions if applicable
49
- ```
50
-
51
- ### 2. Scope Integrity Check
52
-
53
- Does this task stay within data layer concerns?
54
-
55
- If the task requires:
56
- - Business logic using retrieved data → redirect to `.agents/backend/LOGIC.md`
57
- - API endpoint or DTO definition → redirect to `.agents/backend/API.md`
58
- - Auth-related schema decisions → coordinate with `.agents/backend/AUTH.md`
59
- - Background job data patterns → coordinate with `.agents/backend/JOBS.md`
60
- - Event sourcing schema → coordinate with `.agents/backend/EVENTS.md`
61
-
62
- ```
63
- ## SCOPE REDIRECT
64
- This task includes concerns outside DB.md scope:
65
- - <concern> → belongs to <agent>
66
- Proceed with data layer concerns only, or reassign the full task.
67
- Awaiting your direction.
68
- ```
69
-
70
- ### 3. Dependency Check
71
-
72
- Does this task depend on something that doesn't exist yet?
73
-
74
- - Related entities this schema references not yet defined
75
- - Shared types for entity fields not yet in `CONTRACTS.md`
76
- - ORM or database connection not yet configured
77
- - Migration tooling not yet set up
78
-
79
- If yes:
80
- ```
81
- ## DEPENDENCY MISSING
82
- Cannot proceed without:
83
- - <what is missing>
84
- - <where it should come from>
85
- Awaiting resolution before continuing.
86
- ```
87
-
88
- ### 4. Contract Alignment Check
89
-
90
- Does this task produce entity shapes or field types that are shared
91
- across the client/backend boundary?
92
-
93
- - If yes → verify the relevant types exist in `CONTRACTS.md`
94
- - If missing → stop and emit a CONTRACTS CHANGE PROPOSAL
95
- - Never define shared entity field types locally inside an entity file
96
-
97
- ### 5. Destructive Action Check
98
-
99
- Does this task modify an existing schema, entity, or committed migration?
100
-
101
- If yes, before touching any file:
102
- ```
103
- ## DESTRUCTIVE ACTION - CONFIRMATION REQUIRED
104
- This task will modify:
105
- - <entity, table, or migration file>
106
- - <what fields, constraints, or relationships will change>
107
- - <what data or downstream services are affected>
108
- Awaiting explicit confirmation to proceed.
109
- ```
110
-
111
- > Never modify a migration file that has already been committed.
112
- > If a committed migration needs reversal, generate a new migration
113
- > that explicitly reverses it - never edit the original.
114
-
115
- ### 6. Size & Atomicity Check
116
-
117
- Is this task too large for one reliable pass?
118
-
119
- If the task spans multiple unrelated entities or combines schema design
120
- with query implementation and migration generation:
121
- ```
122
- ## TASK BREAKDOWN PROPOSED
123
- This task is too large for one pass. Suggested sequence:
124
- 1. <subtask A - e.g. define entity and relationships>
125
- 2. <subtask B - e.g. implement repository and queries>
126
- 3. <subtask C - e.g. generate and surface migration>
127
- Proceeding with subtask 1. Confirm to continue after each step.
128
- ```
129
-
130
- ---
131
-
132
- ## Operating Principles
133
-
134
- These apply to every DB task regardless of framework.
135
-
136
- - **Derive ORM patterns from resolved stack** - apply `{{ORM}}`
137
- idiomatic entity, model, and repository conventions without needing
138
- explicit instruction per task. Examples: TypeORM entities with
139
- decorators, Prisma schema definitions, Django ORM models,
140
- SQLAlchemy declarative models, Eloquent models.
141
-
142
- - **Schema changes go through migrations** - never rely on ORM
143
- auto-sync in any environment. All schema changes are expressed
144
- as explicit, versioned migration files.
145
-
146
- - **Repositories own queries** - query logic lives in the repository
147
- or data access layer. Services receive data - they never write
148
- queries directly.
149
-
150
- - **Indexes are intentional** - every index has a documented reason.
151
- Never add or remove indexes without stating the performance or
152
- constraint justification.
153
-
154
- - **Constraints are enforced at the database level** - uniqueness,
155
- nullability, and foreign key constraints are defined in the schema,
156
- not only in application code.
157
-
158
- - **Migrations are one-way by default** - every migration includes
159
- both an up and a down operation where the ORM supports it, so
160
- rollback is always possible.
161
-
162
- - **No raw queries without justification** - prefer ORM abstractions.
163
- If a raw query is necessary, document why and scope it to a
164
- dedicated method in the repository.
165
-
166
- - **Soft deletes are explicit** - if an entity supports soft deletion,
167
- it is declared in the schema. Never implement soft deletes as an
168
- undocumented convention.
169
-
170
- <!-- @annotation
171
- Add project-specific DB conventions here.
172
- Examples: naming conventions for tables and columns, timestamp
173
- conventions (created_at, updated_at), UUID vs auto-increment IDs,
174
- soft delete field naming, connection pool config reference.
175
- -->
176
-
177
- ---
178
-
179
- ## Workflow
180
-
181
- ```
182
- explore → summarize → plan → execute → surface migration
183
- ```
184
-
185
- **Explore**
186
- Read existing entities, repositories, and migrations before writing
187
- anything. Understand current schema patterns, naming, and relationships.
188
-
189
- **Summarize**
190
- In 2-3 sentences, state what schema exists, what is missing, and what
191
- will be built or changed. Surface this before writing any code.
192
-
193
- **Plan**
194
- List every entity, field, constraint, relationship, index, and
195
- repository method being added or modified.
196
- Confirm the plan before proceeding - schema decisions are the
197
- hardest to reverse once data exists.
198
-
199
- **Execute**
200
- Define entities and relationships first, then repository methods,
201
- then indexes. Generate the migration last.
202
-
203
- **Surface migration**
204
- Never run the migration autonomously. Always surface:
205
- ```
206
- ## MIGRATION READY
207
- File : <path to migration file>
208
- Action : <what this migration does>
209
- Command : <run command for @config ORM>
210
- Awaiting : explicit user confirmation to proceed
211
- ```
212
-
213
- ---
214
-
215
- ## Safety Rules
216
-
217
- - Never rely on ORM auto-sync - always use explicit migrations
218
- - Never modify a committed migration file - generate a new one
219
- - Never run migrations without explicit user confirmation
220
- - Never write queries directly in services - keep them in repositories
221
- - Never add or remove indexes without documented justification
222
- - Never implement soft deletes as an undocumented convention
223
- - Never define shared entity types locally - use `CONTRACTS.md`
224
- - Surface best-practice observations once - never loop on them
225
-
226
- ---
227
-
228
- ## Communication
229
-
230
- | Situation | Action |
231
- |--------------------------------------|------------------------------------------------|
232
- | Task is ambiguous | Clarification request (max 2 rounds) |
233
- | Task bleeds into another domain | Scope redirect, await direction |
234
- | Dependency is missing | Dependency alert, await resolution |
235
- | Contract type missing | CONTRACTS CHANGE PROPOSAL, write and proceed |
236
- | Existing schema or migration changes | Destructive action confirmation |
237
- | Migration ready to run | Surface migration block, await confirmation |
238
- | Task is too large | Breakdown proposal, execute one step at a time |
239
- | Best practice deviation found | Surface once, await confirmation, move on |
240
-
241
- ---
242
-
243
- ## Definition of Done
244
-
245
- A DB task is complete when:
246
-
247
- - [ ] All planned entities and relationships are defined correctly
248
- - [ ] All constraints are enforced at the database level
249
- - [ ] All indexes are present and documented
250
- - [ ] Repository methods own all query logic - no queries in services
251
- - [ ] Migration file is generated and surfaced - not yet run
252
- - [ ] Migration includes both up and down operations where supported
253
- - [ ] No committed migration files were modified
254
- - [ ] Shared entity types exist in `CONTRACTS.md` - none defined locally
255
- - [ ] Soft deletes are explicitly declared if used
256
- - [ ] Code follows `{{ORM}}` idiomatic patterns
257
- - [ ] Pre-flight checks all passed and documented if any flags were raised
258
-
259
- ---
260
-
261
- ## Session Close
262
-
263
- When all Definition of Done items are checked:
264
-
265
- 1. Mark TASK.md complete: change `[ ] COMPLETED` to `[x] COMPLETED` at the top of TASK.md
266
- 2. Run: `npm run complete`
267
-
268
- **Next recommended agent:** backend/LOGIC