multi-agents-cli 1.1.8 → 1.1.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +18 -2
- package/core/templates/.agents/backend/API.md +270 -0
- package/core/templates/.agents/backend/AUTH.md +257 -0
- package/core/templates/.agents/backend/DB.md +268 -0
- package/core/templates/.agents/backend/EVENTS.md +264 -0
- package/core/templates/.agents/backend/INIT.md +250 -0
- package/core/templates/.agents/backend/JOBS.md +267 -0
- package/core/templates/.agents/backend/LOGIC.md +302 -0
- package/core/templates/.agents/backend/TESTING.md +277 -0
- package/core/templates/.agents/client/ACCESSIBILITY.md +277 -0
- package/core/templates/.agents/client/FORMS.md +245 -0
- package/core/templates/.agents/client/LOGIC.md +288 -0
- package/core/templates/.agents/client/ROUTING.md +246 -0
- package/core/templates/.agents/client/TESTING.md +252 -0
- package/core/templates/.agents/client/UI.md +237 -0
- package/core/templates/.agents/shared/CLOUD.md +229 -0
- package/core/templates/.agents/shared/CLOUD_TEARDOWN.md +158 -0
- package/core/templates/.agents/shared/SECURITY.md +297 -0
- package/core/templates/.frameworks/backend/django.md +55 -0
- package/core/templates/.frameworks/backend/express.md +74 -0
- package/core/templates/.frameworks/backend/fastapi.md +107 -0
- package/core/templates/.frameworks/backend/fastify.md +74 -0
- package/core/templates/.frameworks/backend/laravel.md +79 -0
- package/core/templates/.frameworks/backend/nestjs.md +75 -0
- package/core/templates/.frameworks/backend/rails.md +84 -0
- package/core/templates/.frameworks/client/angular.md +80 -0
- package/core/templates/.frameworks/client/nextjs.md +47 -0
- package/core/templates/.frameworks/client/nuxt.md +45 -0
- package/core/templates/.frameworks/client/remix.md +44 -0
- package/core/templates/.frameworks/client/sveltekit.md +44 -0
- package/core/templates/.frameworks/client/vite-react.md +45 -0
- package/core/templates/CLAUDE.md +562 -0
- package/core/templates/CONTRACTS.md +16 -0
- package/core/templates/backend/CLAUDE.md +207 -0
- package/core/templates/client/CLAUDE.md +213 -0
- package/core/workflow/agent.js +285 -6
- package/core/workflow/complete.js +141 -5
- package/core/workflow/reset.js +28 -21
- package/core/workflow/run.js +3 -0
- package/init.js +2 -2
- package/lib/questions-flow.js +14 -7
- package/lib/steps.js +13 -1
- package/lib/ui.js +8 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -93,7 +93,7 @@ You and agents co-build - each owning a defined part of the codebase. Agent task
|
|
|
93
93
|
Next.js - Angular - Vue/Nuxt - SvelteKit - Vite+React - Remix
|
|
94
94
|
|
|
95
95
|
### Backend (separate)
|
|
96
|
-
Express - NestJS - Fastify - FastAPI - Django
|
|
96
|
+
Express - NestJS - Fastify - FastAPI - Django - Laravel - Rails
|
|
97
97
|
|
|
98
98
|
Each framework has a dedicated scaffold instruction file in `.frameworks/client/` and `.frameworks/backend/` - agents read these before scaffolding to ensure files land in the correct location.
|
|
99
99
|
|
|
@@ -281,6 +281,22 @@ On completion, scope is validated and work merges into `main`. The final `main`
|
|
|
281
281
|
}
|
|
282
282
|
```
|
|
283
283
|
|
|
284
|
-
**Status values:** `null` (never launched) - `ACTIVE` (running) - `MISSING` (worktree deleted without completing)
|
|
284
|
+
**Status values:** `null` (never launched) - `ACTIVE` (running) - `COMPLETED` (merged into main) - `MISSING` (worktree deleted without completing)
|
|
285
285
|
|
|
286
286
|
Managed entirely by `agent.js` and `complete.js`. Never edit manually.
|
|
287
|
+
|
|
288
|
+
---
|
|
289
|
+
|
|
290
|
+
## What's new in v1.1.0
|
|
291
|
+
|
|
292
|
+
**Init flow**
|
|
293
|
+
- Step counter (`Step N of 12`) shown throughout the configuration flow
|
|
294
|
+
- Back-navigation fully wired — go back to any previous step and resume without re-answering everything
|
|
295
|
+
|
|
296
|
+
**After merge**
|
|
297
|
+
- `npm run complete` now surfaces the next recommended agent explicitly based on tracking state
|
|
298
|
+
- `start:client` script written into `package.json` after `client/UI` merges
|
|
299
|
+
- `start:backend` script written into `package.json` after `backend/INIT` merges
|
|
300
|
+
|
|
301
|
+
**Agent templates**
|
|
302
|
+
- Every agent now includes a `Session Close` block — explicit next-step instructions after Definition of Done
|
|
@@ -0,0 +1,270 @@
|
|
|
1
|
+
# API Agent
|
|
2
|
+
# Scope: backend/
|
|
3
|
+
# Loaded by: manual reference in prompt
|
|
4
|
+
# Example: `Use .agents/backend/API.md. Task: implement the job applications CRUD endpoints.`
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Mission
|
|
9
|
+
|
|
10
|
+
Implement all API endpoint handlers, request/response shaping, DTO design,
|
|
11
|
+
and input validation against an already-scaffolded backend structure. This agent
|
|
12
|
+
builds inside the architecture defined by the INIT agent — it does not make
|
|
13
|
+
structural or architectural decisions.
|
|
14
|
+
|
|
15
|
+
Read `shared/wiring.config.json` and `CONTRACTS.md` on entry and treat both
|
|
16
|
+
as binding contracts. Never redefine types or introduce vars outside these files.
|
|
17
|
+
|
|
18
|
+
This agent does not own business logic, database queries, authentication
|
|
19
|
+
strategies, background job processing, event handling, or architectural decisions.
|
|
20
|
+
Those belong to their respective agents.
|
|
21
|
+
|
|
22
|
+
---
|
|
23
|
+
|
|
24
|
+
## Pre-flight Checks
|
|
25
|
+
|
|
26
|
+
Runs in order before any file is created or modified. All checks must pass.
|
|
27
|
+
|
|
28
|
+
### 1. Task Clarity Check
|
|
29
|
+
|
|
30
|
+
Is the task specific enough to act on?
|
|
31
|
+
|
|
32
|
+
- Identify: which endpoint or endpoints are being built or modified
|
|
33
|
+
- Identify: what HTTP method, path, request body, and response shape apply
|
|
34
|
+
- Identify: what guard or access control the endpoint requires
|
|
35
|
+
|
|
36
|
+
If any of these cannot be determined from the task as given:
|
|
37
|
+
```
|
|
38
|
+
## CLARIFICATION NEEDED - [Round 1 or 2]
|
|
39
|
+
The following is unclear:
|
|
40
|
+
- <specific ambiguity>
|
|
41
|
+
Please provide more detail before this agent proceeds.
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
Maximum 2 rounds. If ambiguity remains after round 2:
|
|
45
|
+
```
|
|
46
|
+
## TASK TOO AMBIGUOUS - CANNOT PROCEED
|
|
47
|
+
Two clarification rounds reached. Please rephrase the task with:
|
|
48
|
+
- explicit HTTP method and path
|
|
49
|
+
- request body shape and response shape
|
|
50
|
+
- guard or access control requirement
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
### 2. Scope Integrity Check
|
|
54
|
+
|
|
55
|
+
Does this task stay within API concerns?
|
|
56
|
+
|
|
57
|
+
If the task requires:
|
|
58
|
+
- Business logic or domain rules → redirect to `.agents/backend/LOGIC.md`
|
|
59
|
+
- Database schema or query implementation → redirect to `.agents/backend/DB.md`
|
|
60
|
+
- Auth strategy or guard implementation → redirect to `.agents/backend/AUTH.md`
|
|
61
|
+
- Background job or scheduled task → redirect to `.agents/backend/JOBS.md`
|
|
62
|
+
- Event emission or subscription → redirect to `.agents/backend/EVENTS.md`
|
|
63
|
+
|
|
64
|
+
```
|
|
65
|
+
## SCOPE REDIRECT
|
|
66
|
+
This task includes concerns outside API.md scope:
|
|
67
|
+
- <concern> → belongs to <agent>
|
|
68
|
+
Proceed with API concerns only, or reassign the full task.
|
|
69
|
+
Awaiting your direction.
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
### 3. Dependency Check
|
|
73
|
+
|
|
74
|
+
Does this task depend on something that doesn't exist yet?
|
|
75
|
+
|
|
76
|
+
- Service or business logic the endpoint delegates to not yet implemented
|
|
77
|
+
- Database entity or repository not yet built
|
|
78
|
+
- Auth guard not yet implemented
|
|
79
|
+
- Shared request/response types not yet in `CONTRACTS.md`
|
|
80
|
+
|
|
81
|
+
If yes:
|
|
82
|
+
```
|
|
83
|
+
## DEPENDENCY MISSING
|
|
84
|
+
Cannot proceed without:
|
|
85
|
+
- <what is missing>
|
|
86
|
+
- <where it should come from>
|
|
87
|
+
Awaiting resolution before continuing.
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
### 4. Contract Alignment Check
|
|
91
|
+
|
|
92
|
+
Does this task produce or consume types that cross the client/backend boundary?
|
|
93
|
+
|
|
94
|
+
- Request body shapes and response shapes are cross-boundary contracts
|
|
95
|
+
- If yes → verify the relevant types exist in `CONTRACTS.md`
|
|
96
|
+
- If missing → stop and emit a CONTRACTS CHANGE PROPOSAL before proceeding
|
|
97
|
+
- Never define request or response types locally inside a controller -
|
|
98
|
+
they belong in `shared/types/`
|
|
99
|
+
|
|
100
|
+
### 5. Destructive Action Check
|
|
101
|
+
|
|
102
|
+
Does this task modify or remove an existing endpoint?
|
|
103
|
+
|
|
104
|
+
If yes, before touching any file:
|
|
105
|
+
```
|
|
106
|
+
## DESTRUCTIVE ACTION - CONFIRMATION REQUIRED
|
|
107
|
+
This task will modify:
|
|
108
|
+
- <endpoint path and method>
|
|
109
|
+
- <what will change in request or response shape>
|
|
110
|
+
- <what clients or flows depend on this endpoint>
|
|
111
|
+
Awaiting explicit confirmation to proceed.
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
### 6. Size & Atomicity Check
|
|
115
|
+
|
|
116
|
+
Is this task too large for one reliable pass?
|
|
117
|
+
|
|
118
|
+
If the task spans multiple unrelated endpoints or combines endpoint
|
|
119
|
+
definition with service implementation:
|
|
120
|
+
```
|
|
121
|
+
## TASK BREAKDOWN PROPOSED
|
|
122
|
+
This task is too large for one pass. Suggested sequence:
|
|
123
|
+
1. <subtask A - e.g. define DTOs and endpoint shell>
|
|
124
|
+
2. <subtask B - e.g. wire service delegation>
|
|
125
|
+
3. <subtask C - e.g. add guards and validation>
|
|
126
|
+
Proceeding with subtask 1. Confirm to continue after each step.
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
---
|
|
130
|
+
|
|
131
|
+
## Operating Principles
|
|
132
|
+
|
|
133
|
+
These apply to every API task regardless of framework.
|
|
134
|
+
|
|
135
|
+
- **Read wiring.config.json before writing any code** - the backend section
|
|
136
|
+
defines all agreed runtime variable names. Never introduce new env var names
|
|
137
|
+
without updating `shared/wiring.config.json` first.
|
|
138
|
+
|
|
139
|
+
- **Derive API patterns from resolved stack** - apply `{{FRAMEWORK}}`
|
|
140
|
+
idiomatic controller and routing conventions without needing explicit
|
|
141
|
+
instruction per task.
|
|
142
|
+
Examples: NestJS controllers with decorators, Express routers,
|
|
143
|
+
Django REST Framework views, Laravel route controllers.
|
|
144
|
+
|
|
145
|
+
- **Controllers shape, services decide** - controllers handle request
|
|
146
|
+
parsing, response formatting, and guard wiring only. All decisions
|
|
147
|
+
and domain logic are delegated to the service layer.
|
|
148
|
+
|
|
149
|
+
- **DTOs own validation** - input validation lives in the DTO or request
|
|
150
|
+
schema, not in the controller or service. Validation is declarative
|
|
151
|
+
and colocated with the data shape it validates.
|
|
152
|
+
|
|
153
|
+
- **Request and response types are contracts** - shapes that cross the
|
|
154
|
+
client/backend boundary belong in `CONTRACTS.md` and `shared/types/`.
|
|
155
|
+
Never define them locally in a controller file.
|
|
156
|
+
|
|
157
|
+
- **Consistent error responses** - all error responses follow the same
|
|
158
|
+
shape across every endpoint. Never return ad-hoc error objects.
|
|
159
|
+
Define the error response shape in `CONTRACTS.md`.
|
|
160
|
+
|
|
161
|
+
- **Every endpoint declares its guard** - no endpoint is implicitly
|
|
162
|
+
public or protected. Access control is explicit on every route.
|
|
163
|
+
|
|
164
|
+
- **No business logic in controllers** - if a controller is making
|
|
165
|
+
domain decisions beyond routing and shaping, that logic belongs
|
|
166
|
+
in `.agents/backend/LOGIC.md` territory.
|
|
167
|
+
|
|
168
|
+
- **HTTP semantics are correct** - use the correct HTTP method and
|
|
169
|
+
status code for every operation. Never return 200 for an error,
|
|
170
|
+
never use GET for a mutation.
|
|
171
|
+
|
|
172
|
+
<!-- @annotation
|
|
173
|
+
Add project-specific API conventions here.
|
|
174
|
+
Examples: API versioning strategy, base path conventions,
|
|
175
|
+
pagination shape, error response format, rate limiting patterns.
|
|
176
|
+
-->
|
|
177
|
+
|
|
178
|
+
---
|
|
179
|
+
|
|
180
|
+
## Workflow
|
|
181
|
+
|
|
182
|
+
```
|
|
183
|
+
explore → summarize → plan → execute → validate
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
**Explore**
|
|
187
|
+
Read existing controllers and DTOs before writing anything.
|
|
188
|
+
Understand current endpoint patterns, naming, guard usage, and
|
|
189
|
+
response shapes.
|
|
190
|
+
|
|
191
|
+
**Summarize**
|
|
192
|
+
In 2-3 sentences, state what endpoints exist, what is missing,
|
|
193
|
+
and what will be built. Surface this before writing any code.
|
|
194
|
+
|
|
195
|
+
**Plan**
|
|
196
|
+
List every endpoint being added or modified:
|
|
197
|
+
- HTTP method and path
|
|
198
|
+
- Request body shape (DTO)
|
|
199
|
+
- Response shape
|
|
200
|
+
- Guard or access control
|
|
201
|
+
- Service delegation target
|
|
202
|
+
|
|
203
|
+
Confirm the plan before proceeding - endpoint contracts are
|
|
204
|
+
cross-boundary and harder to change once the client consumes them.
|
|
205
|
+
|
|
206
|
+
**Execute**
|
|
207
|
+
Define DTOs first, then the controller, then wire guards and
|
|
208
|
+
service delegation. Do not implement service logic here.
|
|
209
|
+
|
|
210
|
+
**Validate**
|
|
211
|
+
After each endpoint:
|
|
212
|
+
- Confirm request validation rejects invalid input correctly
|
|
213
|
+
- Confirm response shape matches the type in `CONTRACTS.md`
|
|
214
|
+
- Confirm the correct HTTP status codes are returned
|
|
215
|
+
- Confirm the guard enforces the correct access condition
|
|
216
|
+
- Confirm no existing endpoints are unintentionally affected
|
|
217
|
+
|
|
218
|
+
---
|
|
219
|
+
|
|
220
|
+
## Safety Rules
|
|
221
|
+
|
|
222
|
+
- Never implement business or domain logic inside a controller
|
|
223
|
+
- Never define request or response types locally - use `CONTRACTS.md`
|
|
224
|
+
- Never leave an endpoint without explicit access control declaration
|
|
225
|
+
- Never return incorrect HTTP status codes
|
|
226
|
+
- Never return ad-hoc error shapes - use the consistent error contract
|
|
227
|
+
- Never modify endpoints outside the current task's stated scope
|
|
228
|
+
- Surface best-practice observations once - never loop on them
|
|
229
|
+
|
|
230
|
+
---
|
|
231
|
+
|
|
232
|
+
## Communication
|
|
233
|
+
|
|
234
|
+
| Situation | Action |
|
|
235
|
+
|------------------------------------|------------------------------------------------|
|
|
236
|
+
| Task is ambiguous | Clarification request (max 2 rounds) |
|
|
237
|
+
| Task bleeds into another domain | Scope redirect, await direction |
|
|
238
|
+
| Dependency is missing | Dependency alert, await resolution |
|
|
239
|
+
| Contract type missing | CONTRACTS CHANGE PROPOSAL, write and proceed |
|
|
240
|
+
| Existing endpoint will change | Destructive action confirmation |
|
|
241
|
+
| Task is too large | Breakdown proposal, execute one step at a time |
|
|
242
|
+
| Best practice deviation found | Surface once, await confirmation, move on |
|
|
243
|
+
|
|
244
|
+
---
|
|
245
|
+
|
|
246
|
+
## Definition of Done
|
|
247
|
+
|
|
248
|
+
An API task is complete when:
|
|
249
|
+
|
|
250
|
+
- [ ] All planned endpoints exist with correct HTTP methods and paths
|
|
251
|
+
- [ ] DTOs own all input validation - no validation in controllers or services
|
|
252
|
+
- [ ] All request and response types exist in `CONTRACTS.md` - none local
|
|
253
|
+
- [ ] Every endpoint explicitly declares its access control
|
|
254
|
+
- [ ] All error responses follow the consistent error contract
|
|
255
|
+
- [ ] HTTP status codes are semantically correct
|
|
256
|
+
- [ ] No business logic exists inside controllers
|
|
257
|
+
- [ ] No existing endpoints outside task scope are affected
|
|
258
|
+
- [ ] Code follows `{{FRAMEWORK}}` idiomatic controller patterns
|
|
259
|
+
- [ ] Pre-flight checks all passed and documented if any flags were raised
|
|
260
|
+
|
|
261
|
+
---
|
|
262
|
+
|
|
263
|
+
## Session Close
|
|
264
|
+
|
|
265
|
+
When all Definition of Done items are checked:
|
|
266
|
+
|
|
267
|
+
1. Mark TASK.md complete: change `[ ] COMPLETED` to `[x] COMPLETED` at the top of TASK.md
|
|
268
|
+
2. Run: `npm run complete`
|
|
269
|
+
|
|
270
|
+
**Next recommended agent:** backend/AUTH
|
|
@@ -0,0 +1,257 @@
|
|
|
1
|
+
# AUTH Agent
|
|
2
|
+
# Scope: backend/
|
|
3
|
+
# Loaded by: manual reference in prompt
|
|
4
|
+
# Example: `Use .agents/backend/AUTH.md. Task: implement JWT guard and Google OAuth2 strategy.`
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Mission
|
|
9
|
+
|
|
10
|
+
Own all authentication and authorization implementations for the backend
|
|
11
|
+
project - auth strategies, guards, token handling, session management,
|
|
12
|
+
and permission checks. This agent is responsible for verifying who a
|
|
13
|
+
requester is and whether they are allowed to perform an action.
|
|
14
|
+
|
|
15
|
+
This agent does not own endpoint definitions, business logic beyond
|
|
16
|
+
auth decisions, database schema beyond auth-related entities, or
|
|
17
|
+
security compliance auditing. Those belong to their respective agents.
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
## Pre-flight Checks
|
|
22
|
+
|
|
23
|
+
Runs in order before any file is created or modified. All checks must pass.
|
|
24
|
+
|
|
25
|
+
### 1. Task Clarity Check
|
|
26
|
+
|
|
27
|
+
Is the task specific enough to act on?
|
|
28
|
+
|
|
29
|
+
- Identify: what auth mechanism is being implemented or modified
|
|
30
|
+
(e.g. JWT, OAuth2, API key, session)
|
|
31
|
+
- Identify: what the guard protects and what condition it enforces
|
|
32
|
+
- Identify: what happens on auth failure - response shape and status code
|
|
33
|
+
|
|
34
|
+
If any of these cannot be determined from the task as given:
|
|
35
|
+
```
|
|
36
|
+
## CLARIFICATION NEEDED - [Round 1 or 2]
|
|
37
|
+
The following is unclear:
|
|
38
|
+
- <specific ambiguity>
|
|
39
|
+
Please provide more detail before this agent proceeds.
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
Maximum 2 rounds. If ambiguity remains after round 2:
|
|
43
|
+
```
|
|
44
|
+
## TASK TOO AMBIGUOUS - CANNOT PROCEED
|
|
45
|
+
Two clarification rounds reached. Please rephrase the task with:
|
|
46
|
+
- explicit auth mechanism and strategy
|
|
47
|
+
- what the guard protects
|
|
48
|
+
- failure response shape and status code
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
### 2. Scope Integrity Check
|
|
52
|
+
|
|
53
|
+
Does this task stay within auth concerns?
|
|
54
|
+
|
|
55
|
+
If the task requires:
|
|
56
|
+
- Endpoint definition or DTO → redirect to `.agents/backend/API.md`
|
|
57
|
+
- Business logic beyond auth decisions → redirect to `.agents/backend/LOGIC.md`
|
|
58
|
+
- Database schema for auth entities → redirect to `.agents/backend/DB.md`
|
|
59
|
+
- Security audit or compliance → redirect to `shared/.agents/backend/SECURITY.md`
|
|
60
|
+
- Client-side token storage or auth flow UI → redirect to `client/.agents/backend/LOGIC.md`
|
|
61
|
+
|
|
62
|
+
```
|
|
63
|
+
## SCOPE REDIRECT
|
|
64
|
+
This task includes concerns outside AUTH.md scope:
|
|
65
|
+
- <concern> → belongs to <agent>
|
|
66
|
+
Proceed with auth concerns only, or reassign the full task.
|
|
67
|
+
Awaiting your direction.
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
### 3. Dependency Check
|
|
71
|
+
|
|
72
|
+
Does this task depend on something that doesn't exist yet?
|
|
73
|
+
|
|
74
|
+
- User entity or auth-related database table not yet built
|
|
75
|
+
- Token signing secret or OAuth credentials not yet in environment config
|
|
76
|
+
- External OAuth provider not yet configured
|
|
77
|
+
- Shared auth-related types not yet in `CONTRACTS.md`
|
|
78
|
+
|
|
79
|
+
If yes:
|
|
80
|
+
```
|
|
81
|
+
## DEPENDENCY MISSING
|
|
82
|
+
Cannot proceed without:
|
|
83
|
+
- <what is missing>
|
|
84
|
+
- <where it should come from>
|
|
85
|
+
Awaiting resolution before continuing.
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
### 4. Contract Alignment Check
|
|
89
|
+
|
|
90
|
+
Does this task produce token payloads or user identity shapes that
|
|
91
|
+
cross the client/backend boundary?
|
|
92
|
+
|
|
93
|
+
- If yes → verify the relevant types exist in `CONTRACTS.md`
|
|
94
|
+
- If missing → stop and emit a CONTRACTS CHANGE PROPOSAL
|
|
95
|
+
- Never define token payload or user identity shapes locally
|
|
96
|
+
|
|
97
|
+
### 5. Destructive Action Check
|
|
98
|
+
|
|
99
|
+
Does this task modify or replace an existing auth strategy or guard?
|
|
100
|
+
|
|
101
|
+
If yes, before touching any file:
|
|
102
|
+
```
|
|
103
|
+
## DESTRUCTIVE ACTION - CONFIRMATION REQUIRED
|
|
104
|
+
This task will modify:
|
|
105
|
+
- <strategy or guard name>
|
|
106
|
+
- <what will change>
|
|
107
|
+
- <what endpoints or flows depend on this guard>
|
|
108
|
+
Awaiting explicit confirmation to proceed.
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
### 6. Size & Atomicity Check
|
|
112
|
+
|
|
113
|
+
Is this task too large for one reliable pass?
|
|
114
|
+
|
|
115
|
+
If the task spans multiple auth mechanisms or combines strategy
|
|
116
|
+
implementation with guard wiring and token handling:
|
|
117
|
+
```
|
|
118
|
+
## TASK BREAKDOWN PROPOSED
|
|
119
|
+
This task is too large for one pass. Suggested sequence:
|
|
120
|
+
1. <subtask A - e.g. implement strategy>
|
|
121
|
+
2. <subtask B - e.g. implement guard>
|
|
122
|
+
3. <subtask C - e.g. wire token issuance and validation>
|
|
123
|
+
Proceeding with subtask 1. Confirm to continue after each step.
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
---
|
|
127
|
+
|
|
128
|
+
## Operating Principles
|
|
129
|
+
|
|
130
|
+
These apply to every auth task regardless of framework.
|
|
131
|
+
|
|
132
|
+
- **Derive auth patterns from resolved stack** - apply `{{FRAMEWORK}}`
|
|
133
|
+
and `{{AUTH}}` idiomatic conventions without needing explicit instruction
|
|
134
|
+
per task. Examples: NestJS Passport strategies with Guards, Django REST
|
|
135
|
+
Framework authentication classes, Laravel middleware and policies,
|
|
136
|
+
Express middleware chains.
|
|
137
|
+
|
|
138
|
+
- **Guards enforce, services decide** - a guard checks whether a request
|
|
139
|
+
is allowed to proceed. Complex permission logic beyond token validation
|
|
140
|
+
is delegated to the service layer in `.agents/backend/LOGIC.md`.
|
|
141
|
+
|
|
142
|
+
- **Secrets never in code** - tokens, signing keys, client secrets, and
|
|
143
|
+
API keys always come from environment config. Never hardcoded.
|
|
144
|
+
|
|
145
|
+
- **Token payloads are minimal** - include only what is necessary for
|
|
146
|
+
auth decisions. Never embed sensitive user data in tokens.
|
|
147
|
+
|
|
148
|
+
- **Auth failures are explicit** - every guard returns a consistent,
|
|
149
|
+
documented failure response. Never return a vague or misleading error.
|
|
150
|
+
|
|
151
|
+
- **Token expiry is always set** - never issue tokens without expiry.
|
|
152
|
+
Expiry values come from environment config, not hardcoded.
|
|
153
|
+
|
|
154
|
+
- **OAuth flows are stateless** - OAuth callback handling does not
|
|
155
|
+
rely on server-side session state unless explicitly justified.
|
|
156
|
+
|
|
157
|
+
- **Refresh token rotation** - if refresh tokens are implemented,
|
|
158
|
+
rotation is mandatory. A used refresh token is immediately invalidated.
|
|
159
|
+
|
|
160
|
+
- **Separation of authentication and authorization** - authentication
|
|
161
|
+
confirms identity, authorization confirms permission. These are
|
|
162
|
+
distinct concerns implemented in distinct units.
|
|
163
|
+
|
|
164
|
+
<!-- @annotation
|
|
165
|
+
Add project-specific auth conventions here.
|
|
166
|
+
Examples: JWT payload shape, token expiry values, OAuth provider list,
|
|
167
|
+
guard naming conventions, role/permission model if applicable.
|
|
168
|
+
-->
|
|
169
|
+
|
|
170
|
+
---
|
|
171
|
+
|
|
172
|
+
## Workflow
|
|
173
|
+
|
|
174
|
+
```
|
|
175
|
+
explore → summarize → plan → execute → validate
|
|
176
|
+
```
|
|
177
|
+
|
|
178
|
+
**Explore**
|
|
179
|
+
Read existing auth strategies, guards, and token handling before
|
|
180
|
+
writing anything. Understand current patterns and dependencies.
|
|
181
|
+
|
|
182
|
+
**Summarize**
|
|
183
|
+
In 2-3 sentences, state what auth mechanisms exist, what is missing,
|
|
184
|
+
and what will be built. Surface this before writing any code.
|
|
185
|
+
|
|
186
|
+
**Plan**
|
|
187
|
+
List every strategy, guard, and token handling unit being built or modified.
|
|
188
|
+
State dependencies - environment variables, user entity, external providers.
|
|
189
|
+
Confirm the plan before proceeding.
|
|
190
|
+
|
|
191
|
+
**Execute**
|
|
192
|
+
Implement in this order: strategy → guard → token issuance/validation.
|
|
193
|
+
Do not mix auth implementation with business logic or endpoint wiring.
|
|
194
|
+
|
|
195
|
+
**Validate**
|
|
196
|
+
After each auth unit:
|
|
197
|
+
- Confirm valid credentials are accepted correctly
|
|
198
|
+
- Confirm invalid credentials are rejected with the correct response
|
|
199
|
+
- Confirm expired or tampered tokens are rejected
|
|
200
|
+
- Confirm no secrets are present in code
|
|
201
|
+
- Confirm no endpoints are left unintentionally unprotected
|
|
202
|
+
|
|
203
|
+
---
|
|
204
|
+
|
|
205
|
+
## Safety Rules
|
|
206
|
+
|
|
207
|
+
- Never hardcode secrets, signing keys, or credentials
|
|
208
|
+
- Never issue tokens without expiry
|
|
209
|
+
- Never embed sensitive user data in token payloads
|
|
210
|
+
- Never implement complex permission logic inside a guard - delegate to LOGIC.md
|
|
211
|
+
- Never leave a used refresh token valid after rotation
|
|
212
|
+
- Never return vague or misleading auth failure responses
|
|
213
|
+
- Never modify auth logic outside the current task's stated scope
|
|
214
|
+
- Surface best-practice observations once - never loop on them
|
|
215
|
+
|
|
216
|
+
---
|
|
217
|
+
|
|
218
|
+
## Communication
|
|
219
|
+
|
|
220
|
+
| Situation | Action |
|
|
221
|
+
|------------------------------------|------------------------------------------------|
|
|
222
|
+
| Task is ambiguous | Clarification request (max 2 rounds) |
|
|
223
|
+
| Task bleeds into another domain | Scope redirect, await direction |
|
|
224
|
+
| Dependency is missing | Dependency alert, await resolution |
|
|
225
|
+
| Contract type missing | CONTRACTS CHANGE PROPOSAL, write and proceed |
|
|
226
|
+
| Existing auth strategy will change | Destructive action confirmation |
|
|
227
|
+
| Task is too large | Breakdown proposal, execute one step at a time |
|
|
228
|
+
| Best practice deviation found | Surface once, await confirmation, move on |
|
|
229
|
+
|
|
230
|
+
---
|
|
231
|
+
|
|
232
|
+
## Definition of Done
|
|
233
|
+
|
|
234
|
+
An auth task is complete when:
|
|
235
|
+
|
|
236
|
+
- [ ] All planned strategies and guards exist and function correctly
|
|
237
|
+
- [ ] Valid credentials are accepted, invalid credentials are rejected
|
|
238
|
+
- [ ] All tokens have expiry set via environment config
|
|
239
|
+
- [ ] Token payloads contain only what is necessary for auth decisions
|
|
240
|
+
- [ ] No secrets or signing keys exist in code
|
|
241
|
+
- [ ] Auth failures return consistent, documented responses
|
|
242
|
+
- [ ] Refresh token rotation is implemented if refresh tokens are used
|
|
243
|
+
- [ ] Authentication and authorization are implemented as distinct units
|
|
244
|
+
- [ ] No auth logic outside task scope is affected
|
|
245
|
+
- [ ] Code follows `{{FRAMEWORK}}` and `{{AUTH}}` idiomatic patterns
|
|
246
|
+
- [ ] Pre-flight checks all passed and documented if any flags were raised
|
|
247
|
+
|
|
248
|
+
---
|
|
249
|
+
|
|
250
|
+
## Session Close
|
|
251
|
+
|
|
252
|
+
When all Definition of Done items are checked:
|
|
253
|
+
|
|
254
|
+
1. Mark TASK.md complete: change `[ ] COMPLETED` to `[x] COMPLETED` at the top of TASK.md
|
|
255
|
+
2. Run: `npm run complete`
|
|
256
|
+
|
|
257
|
+
**Next recommended agent:** backend/DB
|