natureco-cli 5.18.3 → 5.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (154) hide show
  1. package/package.json +1 -1
  2. package/skills/airunway-aks-setup/SKILL.md +73 -0
  3. package/skills/algorithmic-art/SKILL.md +405 -0
  4. package/skills/appinsights-instrumentation/SKILL.md +76 -0
  5. package/skills/azure-ai/SKILL.md +71 -0
  6. package/skills/azure-aigateway/SKILL.md +129 -0
  7. package/skills/azure-cloud-migrate/SKILL.md +52 -0
  8. package/skills/azure-compliance/SKILL.md +108 -0
  9. package/skills/azure-compute/SKILL.md +46 -0
  10. package/skills/azure-cost/SKILL.md +45 -0
  11. package/skills/azure-deploy/SKILL.md +97 -0
  12. package/skills/azure-diagnostics/SKILL.md +151 -0
  13. package/skills/azure-enterprise-infra-planner/SKILL.md +54 -0
  14. package/skills/azure-hosted-copilot-sdk/SKILL.md +89 -0
  15. package/skills/azure-kubernetes/SKILL.md +153 -0
  16. package/skills/azure-kusto/SKILL.md +231 -0
  17. package/skills/azure-messaging/SKILL.md +57 -0
  18. package/skills/azure-prepare/SKILL.md +165 -0
  19. package/skills/azure-quotas/SKILL.md +276 -0
  20. package/skills/azure-rbac/SKILL.md +17 -0
  21. package/skills/azure-reliability/SKILL.md +387 -0
  22. package/skills/azure-resource-lookup/SKILL.md +108 -0
  23. package/skills/azure-resource-visualizer/SKILL.md +183 -0
  24. package/skills/azure-storage/SKILL.md +100 -0
  25. package/skills/azure-upgrade/SKILL.md +91 -0
  26. package/skills/azure-validate/SKILL.md +72 -0
  27. package/skills/brainstorming/SKILL.md +159 -0
  28. package/skills/brand-guidelines/SKILL.md +73 -0
  29. package/skills/brandkit/SKILL.md +798 -0
  30. package/skills/brutalist-skill/SKILL.md +92 -0
  31. package/skills/canvas-design/SKILL.md +130 -0
  32. package/skills/cavecrew/SKILL.md +82 -0
  33. package/skills/caveman-commit/SKILL.md +65 -0
  34. package/skills/caveman-help/SKILL.md +63 -0
  35. package/skills/caveman-review/SKILL.md +55 -0
  36. package/skills/caveman-stats/SKILL.md +10 -0
  37. package/skills/claude-api/SKILL.md +356 -0
  38. package/skills/composition-patterns/SKILL.md +89 -0
  39. package/skills/decision-mapping/SKILL.md +84 -0
  40. package/skills/deploy-to-vercel/SKILL.md +296 -0
  41. package/skills/design-an-interface/SKILL.md +94 -0
  42. package/skills/design-doc-mermaid/SKILL.md +498 -0
  43. package/skills/develop-userscripts/SKILL.md +84 -0
  44. package/skills/doc-coauthoring/SKILL.md +375 -0
  45. package/skills/documentation/SKILL.md +109 -0
  46. package/skills/docx/SKILL.md +590 -0
  47. package/skills/edit-article/SKILL.md +15 -0
  48. package/skills/entra-agent-id/SKILL.md +356 -0
  49. package/skills/entra-app-registration/SKILL.md +191 -0
  50. package/skills/faceless-explainer/SKILL.md +202 -0
  51. package/skills/fastify/SKILL.md +75 -0
  52. package/skills/general-video/SKILL.md +143 -0
  53. package/skills/git-guardrails-claude-code/SKILL.md +95 -0
  54. package/skills/github-actions-docs/SKILL.md +98 -0
  55. package/skills/gpt-tasteskill/SKILL.md +74 -0
  56. package/skills/grill-me/SKILL.md +7 -0
  57. package/skills/grilling/SKILL.md +10 -0
  58. package/skills/handoff/SKILL.md +16 -0
  59. package/skills/hyperframes/SKILL.md +152 -0
  60. package/skills/hyperframes-animation/SKILL.md +82 -0
  61. package/skills/hyperframes-cli/SKILL.md +109 -0
  62. package/skills/hyperframes-core/SKILL.md +78 -0
  63. package/skills/hyperframes-creative/SKILL.md +68 -0
  64. package/skills/hyperframes-media/SKILL.md +97 -0
  65. package/skills/image-to-code-skill/SKILL.md +1228 -0
  66. package/skills/imagegen-frontend-mobile/SKILL.md +1465 -0
  67. package/skills/imagegen-frontend-web/SKILL.md +987 -0
  68. package/skills/implement/SKILL.md +15 -0
  69. package/skills/init/SKILL.md +91 -0
  70. package/skills/internal-comms/SKILL.md +32 -0
  71. package/skills/lark-approval/SKILL.md +56 -0
  72. package/skills/lark-base/SKILL.md +157 -0
  73. package/skills/lark-doc/SKILL.md +81 -0
  74. package/skills/lark-shared/SKILL.md +168 -0
  75. package/skills/lark-workflow-meeting-summary/SKILL.md +122 -0
  76. package/skills/linting-neostandard-eslint9/SKILL.md +64 -0
  77. package/skills/loop-me/SKILL.md +32 -0
  78. package/skills/microsoft-foundry/SKILL.md +262 -0
  79. package/skills/migrate-to-shoehorn/SKILL.md +118 -0
  80. package/skills/minimalist-skill/SKILL.md +85 -0
  81. package/skills/motion-graphics/SKILL.md +170 -0
  82. package/skills/music-to-video/SKILL.md +197 -0
  83. package/skills/node/SKILL.md +94 -0
  84. package/skills/nodejs-core/SKILL.md +156 -0
  85. package/skills/oauth/SKILL.md +186 -0
  86. package/skills/obsidian-vault/SKILL.md +59 -0
  87. package/skills/octocat/SKILL.md +93 -0
  88. package/skills/openclaw-secure-linux-cloud/SKILL.md +157 -0
  89. package/skills/opensource-guide-coach/SKILL.md +218 -0
  90. package/skills/output-skill/SKILL.md +49 -0
  91. package/skills/pdf/SKILL.md +314 -0
  92. package/skills/pptx/SKILL.md +232 -0
  93. package/skills/pr-to-video/SKILL.md +235 -0
  94. package/skills/product-launch-video/SKILL.md +205 -0
  95. package/skills/python-appservice-deploy/SKILL.md +36 -0
  96. package/skills/qa/SKILL.md +130 -0
  97. package/skills/react-best-practices/SKILL.md +149 -0
  98. package/skills/react-native-skills/SKILL.md +121 -0
  99. package/skills/react-view-transitions/SKILL.md +320 -0
  100. package/skills/readme-i18n/SKILL.md +176 -0
  101. package/skills/redesign-skill/SKILL.md +178 -0
  102. package/skills/remotion/SKILL.md +364 -0
  103. package/skills/request-refactor-plan/SKILL.md +68 -0
  104. package/skills/resolving-merge-conflicts/SKILL.md +14 -0
  105. package/skills/running-claude-code-via-litellm-copilot/SKILL.md +263 -0
  106. package/skills/scaffold-exercises/SKILL.md +106 -0
  107. package/skills/secure-linux-web-hosting/SKILL.md +162 -0
  108. package/skills/setup-pre-commit/SKILL.md +91 -0
  109. package/skills/shadcn/SKILL.md +267 -0
  110. package/skills/simple/SKILL.md +52 -0
  111. package/skills/skill-creator/SKILL.md +485 -0
  112. package/skills/skill-optimizer/SKILL.md +47 -0
  113. package/skills/skills-cli/SKILL.md +281 -0
  114. package/skills/slack-gif-creator/SKILL.md +254 -0
  115. package/skills/snipgrapher/SKILL.md +58 -0
  116. package/skills/soft-skill/SKILL.md +98 -0
  117. package/skills/stitch-skill/SKILL.md +184 -0
  118. package/skills/supabase/SKILL.md +135 -0
  119. package/skills/supabase-postgres-best-practices/SKILL.md +64 -0
  120. package/skills/systematic-debugging/SKILL.md +296 -0
  121. package/skills/talking-head-recut/SKILL.md +1191 -0
  122. package/skills/taste-skill/SKILL.md +1206 -0
  123. package/skills/taste-skill-v1/SKILL.md +226 -0
  124. package/skills/tdd/SKILL.md +108 -0
  125. package/skills/teach/SKILL.md +140 -0
  126. package/skills/test-driven-development/SKILL.md +371 -0
  127. package/skills/theme-factory/SKILL.md +59 -0
  128. package/skills/to-prd/SKILL.md +75 -0
  129. package/skills/typescript-magician/SKILL.md +117 -0
  130. package/skills/tzst/SKILL.md +68 -0
  131. package/skills/ubiquitous-language/SKILL.md +93 -0
  132. package/skills/use-my-browser/SKILL.md +110 -0
  133. package/skills/using-superpowers/SKILL.md +121 -0
  134. package/skills/vercel-cli-with-tokens/SKILL.md +353 -0
  135. package/skills/vercel-optimize/SKILL.md +322 -0
  136. package/skills/viral-instagram-reels/SKILL.md +180 -0
  137. package/skills/viral-short-form/SKILL.md +147 -0
  138. package/skills/viral-short-form-ideas/SKILL.md +184 -0
  139. package/skills/viral-tiktok-content/SKILL.md +180 -0
  140. package/skills/web-artifacts-builder/SKILL.md +74 -0
  141. package/skills/web-design-guidelines/SKILL.md +39 -0
  142. package/skills/webapp-testing/SKILL.md +96 -0
  143. package/skills/website-to-video/SKILL.md +145 -0
  144. package/skills/writing-beats/SKILL.md +67 -0
  145. package/skills/writing-fragments/SKILL.md +79 -0
  146. package/skills/writing-great-skills/SKILL.md +82 -0
  147. package/skills/writing-guidelines/SKILL.md +39 -0
  148. package/skills/writing-plans/SKILL.md +174 -0
  149. package/skills/writing-shape/SKILL.md +79 -0
  150. package/skills/xdrop/SKILL.md +78 -0
  151. package/skills/xget/SKILL.md +87 -0
  152. package/skills/xlsx/SKILL.md +292 -0
  153. package/src/tools/skills_download.js +217 -0
  154. package/src/utils/tools.js +2 -2
@@ -0,0 +1,156 @@
1
+ ---
2
+ name: nodejs-core
3
+ description: Debugs native module crashes, optimizes V8 performance, configures node-gyp builds, writes N-API/node-addon-api bindings, and diagnoses libuv event loop issues in Node.js. Use when working with C++ addons, native modules, binding.gyp, node-gyp errors, segfaults, memory leaks in native code, V8 optimization/deoptimization, libuv thread pool tuning, N-API or NAN bindings, build system failures, or any Node.js internals below the JavaScript layer.
4
+ metadata:
5
+ tags: nodejs, v8, libuv, cpp, native-addons, performance, debugging, internals
6
+ ---
7
+
8
+ ## When to use
9
+
10
+ Use this skill when you need deep Node.js internals expertise, including:
11
+ - C++ addon development
12
+ - V8 engine debugging
13
+ - libuv event loop issues
14
+ - Build system problems
15
+ - Compilation failures
16
+ - Performance optimization at the engine level
17
+ - Understanding Node.js core architecture
18
+
19
+ ## How to use
20
+
21
+ Read individual rule files for detailed explanations and code examples:
22
+
23
+ ### V8 Engine
24
+
25
+ - [rules/v8-garbage-collection.md](rules/v8-garbage-collection.md) - Scavenger, Mark-Sweep, Mark-Compact, generational GC
26
+ - [rules/v8-hidden-classes.md](rules/v8-hidden-classes.md) - Hidden classes, inline caching, optimization
27
+ - [rules/v8-jit-compilation.md](rules/v8-jit-compilation.md) - TurboFan, optimization/deoptimization patterns
28
+
29
+ ### libuv
30
+
31
+ - [rules/libuv-event-loop.md](rules/libuv-event-loop.md) - Event loop phases, timers, I/O, idle, check, close
32
+ - [rules/libuv-thread-pool.md](rules/libuv-thread-pool.md) - Thread pool size, blocking operations, UV_THREADPOOL_SIZE
33
+ - [rules/libuv-async-io.md](rules/libuv-async-io.md) - Async I/O patterns, handles, requests
34
+
35
+ ### Native Addons
36
+
37
+ - [rules/napi.md](rules/napi.md) - N-API development, ABI stability, async workers
38
+ - [rules/node-addon-api.md](rules/node-addon-api.md) - C++ wrapper patterns, best practices
39
+ - [rules/native-memory.md](rules/native-memory.md) - Buffer handling, external memory, prevent leaks
40
+
41
+ ### Core Modules Internals
42
+
43
+ - [rules/streams-internals.md](rules/streams-internals.md) - How Node.js streams work at C++ level
44
+ - [rules/net-internals.md](rules/net-internals.md) - TCP/UDP implementation, socket handling
45
+ - [rules/fs-internals.md](rules/fs-internals.md) - libuv fs operations, sync vs async
46
+ - [rules/crypto-internals.md](rules/crypto-internals.md) - OpenSSL integration, performance considerations
47
+ - [rules/child-process-internals.md](rules/child-process-internals.md) - IPC, spawn, fork implementation
48
+ - [rules/worker-threads-internals.md](rules/worker-threads-internals.md) - SharedArrayBuffer, Atomics, MessageChannel
49
+
50
+ ### JavaScript Internals
51
+
52
+ - [rules/primordials.md](rules/primordials.md) - **Using primordials to prevent prototype pollution (required for `lib/internal/`)**
53
+
54
+ ### Build & Contributing
55
+
56
+ - [rules/build-and-test-workflow.md](rules/build-and-test-workflow.md) - **The edit-build-lint-test cycle (start here)**
57
+ - [rules/configure.md](rules/configure.md) - `./configure` flags for debug builds, ASan, Ninja, etc.
58
+ - [rules/build-system.md](rules/build-system.md) - gyp, ninja, make, cross-platform compilation
59
+ - [rules/cli-options.md](rules/cli-options.md) - Adding CLI options and gating experimental modules
60
+ - [rules/contributing.md](rules/contributing.md) - How to contribute to Node.js core, the process
61
+ - [rules/commit-messages.md](rules/commit-messages.md) - Node.js-style commit message formatting and validation
62
+ - [rules/reviewing-prs.md](rules/reviewing-prs.md) - Reviewing PRs, quality signals, and spotting low-quality AI-generated contributions
63
+
64
+ ### Documentation
65
+
66
+ - [rules/documentation.md](rules/documentation.md) - **Updating doc/api/*.md files: structure, link ordering, error docs, code example constraints**
67
+
68
+ ### Debugging & Profiling
69
+
70
+ - [rules/debugging-native.md](rules/debugging-native.md) - gdb, lldb, debugging C++ addons
71
+ - [rules/profiling-v8.md](rules/profiling-v8.md) - --prof, --trace-opt, --trace-deopt, flame graphs
72
+ - [rules/memory-debugging.md](rules/memory-debugging.md) - Heap snapshots, memory leak detection
73
+
74
+ ## Instructions
75
+
76
+ ### MANDATORY: Rebuild before testing
77
+
78
+ Node.js embeds `lib/` JavaScript files into the binary at compile time via
79
+ `js2c`. **After ANY change to `src/` or `lib/`, you MUST rebuild before
80
+ running tests.** Without a rebuild, tests run against stale code and results
81
+ are meaningless.
82
+
83
+ ```
84
+ edit src/ or lib/ → make -j$(nproc) → make lint → then test
85
+ ```
86
+
87
+ Never skip the rebuild step. Never run `./node test/...` after editing
88
+ without building first.
89
+
90
+ Before starting work, **ask the user** about their build configuration
91
+ (Make vs Ninja, debug vs release, what configure flags they use). Do not
92
+ assume a specific setup. Most of the time, `./configure` has already been
93
+ run and only `make -j$(nproc)` is needed to rebuild.
94
+
95
+ See [rules/build-and-test-workflow.md](rules/build-and-test-workflow.md)
96
+ for the full workflow including configure flags, lint targets, and test
97
+ commands.
98
+
99
+ ### Core knowledge domains
100
+
101
+ Apply deep knowledge of Node.js internals across these domains:
102
+
103
+ - **Core architecture**: Node.js core modules and their C++ implementations, V8 GC and JIT, libuv event loop mechanics, thread pool behavior, startup/module-loading lifecycle
104
+ - **Native development**: N-API, node-addon-api, and NAN addon development; V8 C++ API handle management; memory safety; native debugging with gdb/lldb
105
+ - **Build systems**: node-gyp, gyp, ninja, make; cross-platform compilation; linker errors; dependency issues; platform-specific considerations (Windows, macOS, Linux, embedded)
106
+ - **Performance & debugging**: Event loop profiling, memory leak detection in JS and native code, CPU flame graphs, V8 optimization/deoptimization tracing
107
+
108
+ ### Quick-reference debugging commands
109
+
110
+ **V8 optimization tracing:**
111
+ ```bash
112
+ node --trace-opt --trace-deopt script.js
113
+ # Checkpoint: confirm no unexpected deoptimization warnings before proceeding to profiling
114
+ node --prof script.js && node --prof-process isolate-*.log > processed.txt
115
+ ```
116
+
117
+ **Event loop lag detection:**
118
+ ```bash
119
+ node --trace-event-categories v8,node,node.async_hooks script.js
120
+ ```
121
+
122
+ **Native addon debugging (gdb):**
123
+ ```bash
124
+ gdb --args node --napi-modules ./build/Release/addon.node
125
+ # Inside gdb:
126
+ run
127
+ bt # backtrace on crash
128
+ # Checkpoint: verify backtrace shows the expected call site before applying a fix
129
+ ```
130
+
131
+ **Heap snapshot for memory leaks:**
132
+ ```bash
133
+ node --inspect script.js # then open chrome://inspect, take heap snapshot
134
+ # Checkpoint: compare two consecutive heap snapshots to confirm leak growth before and after the fix; run valgrind --leak-check=full node addon_test.js to confirm no native leaks remain
135
+ ```
136
+
137
+ ### Node.js-specific diagnostic decision trees
138
+
139
+ **Segfault / crash in native addon:**
140
+ 1. Is the crash reproducible with `node --napi-modules`? → Run `gdb`, capture `bt`
141
+ 2. Does `bt` point to a V8 handle scope issue? → Check `HandleScope` / `EscapableHandleScope` usage in the addon
142
+ 3. Does it point to a libuv callback? → Inspect async handle lifetime and `uv_close()` sequencing
143
+ 4. No clear C++ frame? → Check for JS-side type mismatches passed into the native binding
144
+
145
+ **V8 deoptimization / performance regression:**
146
+ 1. Run `--trace-opt --trace-deopt` → identify the deoptimized function and reason (e.g., "not a Smi", "wrong map")
147
+ 2. Checkpoint: confirm the same function deoptimizes consistently across runs
148
+ 3. Inspect hidden class transitions (`--trace-ic`) and fix property addition order or type inconsistencies
149
+ 4. Re-run `--trace-opt` to confirm the function is now optimized
150
+
151
+ **Build failure (node-gyp / binding.gyp):**
152
+ 1. Is it a missing header? → Verify `include_dirs` in `binding.gyp` and Node.js header installation
153
+ 2. Is it a linker error? → Check `libraries` and `link_settings` entries; confirm ABI compatibility
154
+ 3. Is it platform-specific? → Consult `rules/build-system.md` for Windows/macOS/Linux differences
155
+
156
+ Always consider both JavaScript-level and native-level causes, explain performance implications and trade-offs, and indicate the stability status of any experimental features discussed. Code examples should demonstrate Node.js internals patterns and be production-ready, accounting for edge cases typical developers might miss.
@@ -0,0 +1,186 @@
1
+ ---
2
+ name: oauth
3
+ description: Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.
4
+ metadata:
5
+ tags: oauth, oauth2, security, authentication, authorization, jwt, fastify
6
+ ---
7
+
8
+ ## When to use
9
+
10
+ Use this skill when you need to:
11
+ - Implement or debug an OAuth 2.0/2.1 flow in a Fastify application
12
+ - Validate tokens, configure PKCE, or set up refresh token rotation
13
+ - Secure Fastify routes and plugins with access-control middleware
14
+ - Resolve RFC compliance questions or identify security anti-patterns
15
+
16
+ ---
17
+
18
+ ## Step-by-step: Authorization Code + PKCE in Fastify
19
+
20
+ ### 1. Install dependencies
21
+
22
+ ```bash
23
+ npm install @fastify/oauth2 @fastify/cookie @fastify/session fastify-plugin
24
+ ```
25
+
26
+ ### 2. Register the OAuth plugin
27
+
28
+ ```typescript
29
+ // plugins/oauth.ts
30
+ import fp from 'fastify-plugin'
31
+ import oauth2, { OAuth2Namespace } from '@fastify/oauth2'
32
+ import { FastifyInstance } from 'fastify'
33
+
34
+ export default fp(async function (fastify: FastifyInstance) {
35
+ fastify.register(oauth2, {
36
+ name: 'oauth2',
37
+ scope: ['openid', 'profile', 'email'],
38
+ credentials: {
39
+ client: {
40
+ id: process.env.CLIENT_ID!,
41
+ secret: process.env.CLIENT_SECRET!,
42
+ },
43
+ auth: {
44
+ authorizeHost: process.env.AUTH_SERVER!,
45
+ authorizePath: '/authorize',
46
+ tokenHost: process.env.AUTH_SERVER!,
47
+ tokenPath: '/token',
48
+ },
49
+ },
50
+ startRedirectPath: '/login',
51
+ callbackUri: process.env.CALLBACK_URI!,
52
+ pkce: 'S256', // RFC 7636 — always use for public clients
53
+ generateStateFunction: (req) => req.session.state = crypto.randomUUID(),
54
+ checkStateFunction: (req, callback) =>
55
+ req.query.state === req.session.state ? callback() : callback(new Error('State mismatch')),
56
+ })
57
+ })
58
+ ```
59
+
60
+ **Validation checkpoint:** Confirm `callbackUri` exactly matches a registered redirect URI at the authorization server before proceeding (RFC 6749 §3.1.2).
61
+
62
+ ### 3. Handle the callback and exchange the code
63
+
64
+ ```typescript
65
+ // routes/auth.ts
66
+ import { FastifyInstance } from 'fastify'
67
+
68
+ export default async function authRoutes(fastify: FastifyInstance) {
69
+ fastify.get('/login/callback', async (request, reply) => {
70
+ // @fastify/oauth2 verifies state and exchanges code automatically
71
+ const tokenResponse = await fastify.oauth2.getAccessTokenFromAuthorizationCodeFlow(request)
72
+
73
+ // Store only what you need; never log the raw token
74
+ request.session.set('accessToken', tokenResponse.token.access_token)
75
+ request.session.set('refreshToken', tokenResponse.token.refresh_token)
76
+
77
+ return reply.redirect('/')
78
+ })
79
+
80
+ fastify.get('/logout', async (request, reply) => {
81
+ await request.session.destroy()
82
+ return reply.redirect('/')
83
+ })
84
+ }
85
+ ```
86
+
87
+ ### 4. JWT validation middleware (token introspection hook)
88
+
89
+ ```typescript
90
+ // hooks/verifyToken.ts
91
+ import { FastifyRequest, FastifyReply } from 'fastify'
92
+ import jwt from '@fastify/jwt'
93
+
94
+ export async function verifyToken(request: FastifyRequest, reply: FastifyReply) {
95
+ try {
96
+ await request.jwtVerify()
97
+ // Validate required claims (RFC 7519)
98
+ const payload = request.user as Record<string, unknown>
99
+ const now = Math.floor(Date.now() / 1000)
100
+
101
+ if (typeof payload.exp === 'number' && payload.exp < now)
102
+ return reply.code(401).send({ error: 'token_expired' })
103
+
104
+ if (payload.iss !== process.env.EXPECTED_ISSUER)
105
+ return reply.code(401).send({ error: 'invalid_issuer' })
106
+
107
+ if (payload.aud !== process.env.EXPECTED_AUDIENCE)
108
+ return reply.code(401).send({ error: 'invalid_audience' })
109
+
110
+ } catch (err) {
111
+ return reply.code(401).send({ error: 'invalid_token', error_description: (err as Error).message })
112
+ }
113
+ }
114
+ ```
115
+
116
+ **Validation checkpoints:**
117
+ - Verify `exp`, `iss`, `aud`, and `sub` on every request — never skip (RFC 7519 §4)
118
+ - Use `fastify.jwt.verify` (asymmetric RS256/ES256) rather than HS256 for tokens issued by a third-party server
119
+
120
+ ### 5. Protecting routes
121
+
122
+ ```typescript
123
+ // routes/api.ts
124
+ import { FastifyInstance } from 'fastify'
125
+ import { verifyToken } from '../hooks/verifyToken'
126
+
127
+ export default async function apiRoutes(fastify: FastifyInstance) {
128
+ fastify.addHook('onRequest', verifyToken) // applies to all routes in this scope
129
+
130
+ fastify.get('/me', {
131
+ schema: {
132
+ response: { 200: { type: 'object', properties: { sub: { type: 'string' } } } },
133
+ },
134
+ }, async (request) => {
135
+ const user = request.user as { sub: string }
136
+ return { sub: user.sub }
137
+ })
138
+ }
139
+ ```
140
+
141
+ ### 6. Refresh token rotation
142
+
143
+ ```typescript
144
+ async function refreshAccessToken(fastify: FastifyInstance, refreshToken: string) {
145
+ const newToken = await fastify.oauth2.getNewAccessTokenUsingRefreshTokenFlow({ refresh_token: refreshToken })
146
+
147
+ // Always replace the stored refresh token if rotation is in use (RFC 6749 §10.4)
148
+ return {
149
+ accessToken: newToken.token.access_token,
150
+ refreshToken: newToken.token.refresh_token ?? refreshToken,
151
+ }
152
+ }
153
+ ```
154
+
155
+ ---
156
+
157
+ ## Security checklist
158
+
159
+ | Requirement | RFC reference |
160
+ |---|---|
161
+ | Validate redirect URI against allowlist | RFC 6749 §3.1.2 |
162
+ | PKCE (S256) for all public clients | RFC 7636 §4.2 |
163
+ | Validate `state` to prevent CSRF | RFC 6749 §10.12 |
164
+ | Validate `iss`, `aud`, `exp` on every JWT | RFC 7519 §4 |
165
+ | Rotate refresh tokens on every use | RFC 6749 §10.4 |
166
+ | Use HTTPS everywhere; reject HTTP redirect URIs | RFC 6749 §3.1.2.1 |
167
+ | Rate-limit token endpoints | OAuth 2.1 §7 |
168
+
169
+ ---
170
+
171
+ ## Common anti-patterns
172
+
173
+ - **Storing tokens in localStorage** — use `HttpOnly`, `Secure`, `SameSite=Strict` cookies instead
174
+ - **Skipping audience validation** — allows token reuse across services
175
+ - **Using implicit flow** — deprecated in OAuth 2.1; use authorization code + PKCE
176
+ - **Accepting `response_type=token` in browser apps** — tokens in URL fragments leak in logs/referrers
177
+ - **Symmetric signing (HS256) for third-party tokens** — use RS256/ES256 with JWKS endpoint
178
+
179
+ ---
180
+
181
+ ## Further implementation references
182
+
183
+ - See `DEVICE_FLOW.md` for device authorization flow (RFC 8628) implementation
184
+ - See `TOKEN_VALIDATION.md` for JWKS rotation, caching strategies, and opaque token introspection
185
+ - See `CLIENT_CREDENTIALS.md` for machine-to-machine service authentication patterns
186
+ - See `MOBILE_OAUTH.md` for native/mobile app flows (RFC 8252) and custom URI schemes
@@ -0,0 +1,59 @@
1
+ ---
2
+ name: obsidian-vault
3
+ description: Search, create, and manage notes in the Obsidian vault with wikilinks and index notes. Use when user wants to find, create, or organize notes in Obsidian.
4
+ ---
5
+
6
+ # Obsidian Vault
7
+
8
+ ## Vault location
9
+
10
+ `/mnt/d/Obsidian Vault/AI Research/`
11
+
12
+ Mostly flat at root level.
13
+
14
+ ## Naming conventions
15
+
16
+ - **Index notes**: aggregate related topics (e.g., `Ralph Wiggum Index.md`, `Skills Index.md`, `RAG Index.md`)
17
+ - **Title case** for all note names
18
+ - No folders for organization - use links and index notes instead
19
+
20
+ ## Linking
21
+
22
+ - Use Obsidian `[[wikilinks]]` syntax: `[[Note Title]]`
23
+ - Notes link to dependencies/related notes at the bottom
24
+ - Index notes are just lists of `[[wikilinks]]`
25
+
26
+ ## Workflows
27
+
28
+ ### Search for notes
29
+
30
+ ```bash
31
+ # Search by filename
32
+ find "/mnt/d/Obsidian Vault/AI Research/" -name "*.md" | grep -i "keyword"
33
+
34
+ # Search by content
35
+ grep -rl "keyword" "/mnt/d/Obsidian Vault/AI Research/" --include="*.md"
36
+ ```
37
+
38
+ Or use Grep/Glob tools directly on the vault path.
39
+
40
+ ### Create a new note
41
+
42
+ 1. Use **Title Case** for filename
43
+ 2. Write content as a unit of learning (per vault rules)
44
+ 3. Add `[[wikilinks]]` to related notes at the bottom
45
+ 4. If part of a numbered sequence, use the hierarchical numbering scheme
46
+
47
+ ### Find related notes
48
+
49
+ Search for `[[Note Title]]` across the vault to find backlinks:
50
+
51
+ ```bash
52
+ grep -rl "\\[\\[Note Title\\]\\]" "/mnt/d/Obsidian Vault/AI Research/"
53
+ ```
54
+
55
+ ### Find index notes
56
+
57
+ ```bash
58
+ find "/mnt/d/Obsidian Vault/AI Research/" -name "*Index*"
59
+ ```
@@ -0,0 +1,93 @@
1
+ ---
2
+ name: octocat
3
+ description: Use this skill whenever the prompt contains any `github.com` URL, even if the user only pastes a link and gives no GitHub-specific keywords. Handles git and GitHub operations using the gh CLI. Triggers include any GitHub link to an issue, pull request, commit, compare page, Actions run, release, discussion, or repository. Covers creating and reviewing PRs, watching CI checks, interactive rebasing, branch cleanup, submodule management, and repository archaeology with git log/blame/bisect.
4
+ metadata:
5
+ tags: git, github, gh-cli, version-control, merge-conflicts, pull-requests
6
+ ---
7
+
8
+ ## When to use
9
+
10
+ Use this skill for:
11
+ - Any prompt containing a pasted `github.com` URL, even without words like "GitHub", "issue", "PR", or "repo"
12
+ - Any GitHub link to an issue, pull request, commit, compare page, Actions run, release, discussion, or repository
13
+ - "Fix https://github.com/owner/repo/issues/123" style tasks
14
+ - Creating, reviewing, and managing pull requests and GitHub issues
15
+ - Merge conflict resolution and history rewriting
16
+ - Pre-commit hook debugging and fixes
17
+ - Branch management and cleanup
18
+ - GitHub Actions workflow optimization
19
+ - Any git command or GitHub workflow question
20
+
21
+ ## Instructions
22
+
23
+ When invoked:
24
+ 1. If the prompt includes a GitHub URL, treat that URL alone as sufficient reason to invoke this skill and inspect it with `gh`/`git` first
25
+ 2. Assess the git/GitHub situation immediately
26
+ 3. If the prompt includes a `github.com` URL, activate this skill immediately and translate that URL into the relevant `gh`/`git` workflow
27
+ 4. Use gh CLI for all GitHub operations (never suggest the web interface)
28
+ 5. Handle complex git operations with surgical precision
29
+ 6. Fix pre-commit hook issues or delegate to typescript-magician for TypeScript linting
30
+ 7. Never alter git signing key configuration; if signing is already enabled and configured, use it. Otherwise, proceed without signing
31
+ 8. NEVER include "Co-Authored-By: Claude" or similar AI attribution
32
+
33
+ ## Activation examples
34
+
35
+ - `Fix https://github.com/mercurius-js/mercurius/issues/1227`
36
+ - `Review https://github.com/nodejs/node/pull/12345`
37
+ - `What changed in https://github.com/org/repo/compare/v1.0.0...v1.1.0?`
38
+ - `Check https://github.com/org/repo/actions/runs/123456789`
39
+ - `Investigate https://github.com/org/repo/commit/abcdef1234567890`
40
+
41
+ ## Capabilities
42
+
43
+ **Advanced git operations:**
44
+ - Interactive rebasing for clean history (commit splitting, squashing)
45
+ - Cherry-pick, bisect, worktrees
46
+ - Advanced merge strategies
47
+ - Submodule and subtree management
48
+ - Git hooks setup and maintenance
49
+ - Repository archaeology with git log/blame/show
50
+
51
+ **GitHub operations via gh CLI:**
52
+ - Create/manage PRs with proper templates
53
+ - Open PRs with explicit base/head and clear concise content, e.g. `gh pr create --base main --head <branch> --title "<title>" --body-file <file>`
54
+ - After opening a PR, wait for CI with `gh pr checks <num> --watch 2>&1` and proactively fix failures
55
+ - Validate unfamiliar gh commands first with `gh help <command>` before using them in guidance
56
+ - Handle issues and project boards
57
+ - Manage releases and artifacts
58
+ - Configure repository settings
59
+ - Automate workflows and notifications
60
+
61
+ ## PR Body Formatting
62
+
63
+ When creating PRs with `gh pr create`, use `--body-file` to avoid newline escaping issues with the `--body` flag.
64
+
65
+ PR descriptions should stay simple:
66
+ - Write a short description of the change in plain prose
67
+ - Do not add subsections or headings such as `## Summary` or `## Testing`
68
+ - Do not include a testing section
69
+ - Architecture changes may need a slightly longer description if extra context is necessary
70
+
71
+ ```bash
72
+ cat > /tmp/pr-body.md << 'EOF'
73
+ Refactor plugin loading so skills are discovered from the registry instead of being hardcoded.
74
+ EOF
75
+ gh pr create --body-file /tmp/pr-body.md
76
+ ```
77
+
78
+ Using a temporary file is cleaner, more reliable, and easier to debug.
79
+
80
+ ## Validation Checkpoints for Complex Operations
81
+
82
+ **Interactive rebase:** `git rebase -i <base>` → verify with `git log --oneline -n 10` → on conflict: resolve, `git add <file>`, `git rebase --continue` → abort anytime with `git rebase --abort`.
83
+
84
+ **Merge conflict resolution:** `git status` (find conflicts) → inspect with `git diff` or open file → resolve all markers → `git add <resolved-file>` → `git merge --continue` (or `git rebase --continue`) → confirm clean state with `git status`.
85
+
86
+ **Branch cleanup:** `git branch --merged main` → `git branch -d <branch>` → `git push origin --delete <branch>` → `git fetch --prune`.
87
+
88
+ ## Commit Signing and Attribution Rules
89
+
90
+ - NEVER alter git signing key settings (`user.signingkey`) or signing mode in user/repo config
91
+ - If commit signing is already enabled and correctly configured, create signed commits using the existing setup
92
+ - If signing is not enabled/configured, do not force or configure signing; proceed without it
93
+ - NEVER add AI co-authorship attributions (e.g. "Co-Authored-By: Claude")
@@ -0,0 +1,157 @@
1
+ ---
2
+ name: openclaw-secure-linux-cloud
3
+ description: Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or reviewing Podman, pairing, sandboxing, token auth, and tool-permission defaults for a secure personal deployment.
4
+ ---
5
+
6
+ ## Overview
7
+
8
+ Use this skill for the conservative "deploy first, expose later" pattern for
9
+ OpenClaw on a cloud server.
10
+
11
+ Default to a private control plane:
12
+
13
+ - Harden the Linux host before exposing anything.
14
+ - Keep the gateway bound to `127.0.0.1`.
15
+ - Reach the Control UI through an SSH tunnel first.
16
+ - Keep token authentication, pairing, and sandboxing enabled.
17
+ - Start with a narrow tool profile and loosen only with an explicit need.
18
+
19
+ This skill is for secure Linux cloud hosting. If the user only wants the
20
+ fastest generic OpenClaw install on a local machine, prefer the official
21
+ OpenClaw onboarding docs instead of forcing this flow.
22
+
23
+ Open [`references/REFERENCE.md`](./references/REFERENCE.md) when you need the
24
+ command matrix, baseline config shape, checklist, or access-path comparison.
25
+
26
+ ## When To Use
27
+
28
+ Use this skill when the user mentions any of the following:
29
+
30
+ - OpenClaw on a cloud server, VM, or other Linux host
31
+ - Secure self-hosting, hardening, or "run it privately"
32
+ - Podman, loopback binding, SSH tunneling, or remote Control UI access
33
+ - Tailscale vs reverse proxy for OpenClaw
34
+ - Pairing, sandboxing, token auth, or locked-down tool permissions
35
+ - Reviewing whether an existing OpenClaw host is too exposed
36
+
37
+ Do not use this skill for:
38
+
39
+ - General Linux hardening with no OpenClaw component
40
+ - Local single-machine onboarding where remote access is irrelevant
41
+ - Pure local onboarding with no remote-host hardening questions
42
+ - Non-Linux hosting unless the user explicitly wants this Linux-first pattern
43
+ adapted
44
+
45
+ ## Workflow
46
+
47
+ ### 1. Classify the request
48
+
49
+ Put the task in one of these buckets before giving detailed guidance:
50
+
51
+ 1. **Fresh deploy**: the user wants to stand up OpenClaw securely on a Linux
52
+ cloud host from scratch.
53
+ 2. **Hardening review**: the user already has OpenClaw running and wants to
54
+ reduce exposure or audit risky defaults.
55
+ 3. **Access-model decision**: the user is choosing between SSH tunneling,
56
+ Tailscale, or a reverse proxy.
57
+
58
+ ### 2. Start from the secure baseline
59
+
60
+ Unless the user clearly asks for something else, recommend this baseline:
61
+
62
+ - Harden the Linux host first: updates, SSH keys, SSH lock-down, and a
63
+ default-deny inbound firewall matched to the distro.
64
+ - Run OpenClaw under rootless Podman rather than as a root-owned long-lived
65
+ process.
66
+ - Keep the gateway on loopback only.
67
+ - Keep the Control UI private and access it through an SSH tunnel.
68
+ - Require token authentication.
69
+ - Keep pairing enabled for inbound messaging channels.
70
+ - Start with a minimal tool set and sandbox sessions by default.
71
+
72
+ Treat these as explicit red flags:
73
+
74
+ - Binding the gateway to `0.0.0.0`
75
+ - Opening port `18789` to the public internet
76
+ - Turning on broad runtime, filesystem, automation, or browser access by
77
+ default
78
+ - Leaving `~/.openclaw` readable by other local users
79
+
80
+ ### 3. Separate local and server actions
81
+
82
+ Always distinguish between:
83
+
84
+ - **Local machine actions**: SSH key generation, tunnel setup, browser access
85
+ - **Server actions**: Linux hardening, Podman install path, OpenClaw service
86
+ setup, config permissions, service restarts
87
+
88
+ Do not blur the two execution contexts together. The user should be able to
89
+ tell which commands run on their laptop and which run on the Linux host.
90
+
91
+ ### 4. Ask only for blocking facts
92
+
93
+ Only stop for missing facts that change the safe path, such as:
94
+
95
+ - Linux distro and host access details when package-manager or firewall
96
+ commands matter
97
+ - Whether OpenClaw is already installed
98
+ - Whether the user truly needs repeated remote private access or public access
99
+ - Whether an existing deployment is already reachable from the internet
100
+
101
+ If a detail is not safety-critical, make the reasonable secure assumption and
102
+ state it.
103
+
104
+ ### 5. Use the access escalation ladder
105
+
106
+ Recommend remote access in this order:
107
+
108
+ 1. **SSH tunnel**: default for first deployment and personal use
109
+ 2. **Tailscale**: next step when the user needs repeated private access across
110
+ trusted devices
111
+ 3. **Reverse proxy**: only when the user explicitly needs public exposure and
112
+ accepts the extra hardening burden
113
+
114
+ If the user asks for Tailscale or reverse proxy, still explain why the loopback
115
+ binding and private-first model remain the baseline.
116
+
117
+ ## Output Expectations
118
+
119
+ For a fresh deployment, provide:
120
+
121
+ - A short architecture summary
122
+ - Local-vs-server steps
123
+ - A conservative config baseline
124
+ - A pre-launch checklist
125
+ - A short "what not to expose" warning
126
+
127
+ For a hardening review, provide:
128
+
129
+ - The likely risks in the current setup
130
+ - A prioritized remediation sequence
131
+ - Any immediate exposure concerns to fix before anything else
132
+
133
+ For an access-path decision, provide:
134
+
135
+ - A recommendation
136
+ - Why it is the lowest-risk fit
137
+ - What extra safeguards are required if the user chooses a broader exposure
138
+ model
139
+
140
+ ## Common Mistakes
141
+
142
+ - Treating OpenClaw like a normal public web app on day one
143
+ - Assuming auth alone replaces network boundaries
144
+ - Turning on more tool power before the user has a clear workflow that needs it
145
+ - Disabling pairing just to save time during early setup
146
+ - Skipping follow-up audits after changing config or sandbox settings
147
+
148
+ ## Reference Usage
149
+
150
+ Use [`references/REFERENCE.md`](./references/REFERENCE.md) when you need:
151
+
152
+ - The cross-distro hardening flow and Debian/Ubuntu example commands
153
+ - The Podman-based OpenClaw setup outline
154
+ - The baseline config skeleton
155
+ - The pre-launch checklist
156
+ - The day-to-day audit commands
157
+ - The SSH tunnel vs Tailscale vs reverse-proxy comparison