nextjs-hackathon-stack 0.1.40 → 0.1.41

package/template/.opencode/skills/discover-feature/SKILL.md

@@ -0,0 +1,194 @@
+---
+name: discover-feature
+description: Run the two-role requirements discovery process for a new feature. The Business Analyst asks structured questions, then collaborates with the Technical Lead to assess complexity and produce a complete plan with functional and technical task lists. Writes the plan to .requirements/<feature-name>-<timestamp>.md. Use this in Conversation 1, then start a new conversation and run /build-feature. Triggers: 'new feature', 'define requirements', 'discover feature', 'I want to build'. NOT for: already-defined features (use /build-feature directly).
+compatibility: opencode
+---
+
+# Discover Feature Skill
+
+> **Invoke as:** `/discover-feature <feature-description>`
+> After this skill completes, **start a new conversation** before running `/build-feature`.
+
+## IMPORTANT: Token Budget
+
+This conversation is for requirements and planning only. Do NOT start implementation here. When done, start a fresh conversation to keep the implementation context clean.
+
+---
+
+## Process
+
+### Step 1 — BA: Load Existing Features via MCP Memory
+
+1. Read `package.json` to get the project name (`<project-name>`)
+2. Call `search_memory` with `tags: ["project:<project-name>", "domain:features"]` — understand existing features and relationships
+3. **Fallback**: if memory service is unavailable, read `.opencode/memory/architecture-snapshot.md` → "Existing Features" section
+
+### Step 2 — BA: Discovery Questions
+
+Ask ALL of the following before writing anything. Cover at minimum questions 1–3 + any relevant ones from 4–8.
+
+1. **Problem & audience** — "What problem does this solve? Who experiences it?"
+2. **User flows** — "Walk me through the happy path. What happens on error?"
+3. **Edge cases & constraints** — "What are the limits? What should NOT happen?"
+4. **Field constraints** — "What are the length limits, allowed formats, required vs optional fields?"
+5. **Volume & scale** — "How many records are expected? Do you need search or pagination?"
+6. **File/upload specifics** — (if applicable) "What file types and size limits are allowed?"
+7. **Privacy & access** — "Who can see this data? Is it per-user or shared?"
+8. **Relationship to existing features** — (informed by MCP memory) "Does this link to `<existing feature>`?"
+9. **Confirm understanding** — Restate what you heard and ask for approval before writing
+
+If the user says "just do it" without answering, document all assumptions explicitly in an `## Assumptions` section.
+
+Only after the user confirms your understanding should you proceed to Step 3.
+
+### Step 3 — BA: Draft Functional Spec
+
+Write a draft functional spec (not yet the final plan):
+
+```markdown
+### User Story
+As a [user type], I want [goal] so that [reason].
+
+### Acceptance Criteria
+- [ ] AC1: When [user does X], they see [Y]
+- [ ] AC2: When [error condition], user sees [message/state]
+- [ ] AC3: [Edge case]: [expected outcome]
+
+### Functional Test Cases
+- [ ] TC1 (AC1): User does X → sees Y (happy path)
+- [ ] TC2 (AC2): User triggers error → sees error message
+- [ ] TC3 (AC3): Edge case behavior visible to user
+```
+
+### Step 4 — Tech Lead: Codebase Complexity Assessment
+
+Hand the draft spec to `@technical-lead` with this request:
+> "Here is the draft functional spec for [feature]. Please: (1) read the relevant codebase areas, (2) save your findings to MCP memory, (3) report: complexity assessment, affected files, risks not in the spec, recommended technical task breakdown grouped for parallel execution."
+
+The Tech Lead will:
+1. Read relevant source files (actions, queries, schema, components)
+2. Store findings in MCP memory with appropriate tags
+3. Return a complexity report with a technical task breakdown
+
+### Step 5 — BA + Tech Lead: Produce Combined Plan
+
+Merge the functional spec (BA) and technical breakdown (Tech Lead) into the final plan:
+
+```markdown
+## Feature: [Feature Name]
+**Timestamp**: [ISO timestamp — e.g. 2026-04-11T14:30:00Z]
+
+---
+
+### Context
+[One paragraph: what problem this solves, who benefits, key constraints]
+
+---
+
+### User Story
+As a [user type], I want [goal] so that [reason].
+
+### Acceptance Criteria
+- [ ] AC1: When [user does X], they see [Y]
+- [ ] AC2: When [error condition], user sees [message/state]
+- [ ] AC3: [Edge case]: [expected outcome]
+
+### Functional Test Cases
+- [ ] TC1 (AC1): User does X → sees Y (happy path)
+- [ ] TC2 (AC2): User triggers error → sees error message
+- [ ] TC3 (AC3): Edge case behavior visible to user
+
+---
+
+### Functional Task List (BA-owned)
+Ordered by user value. Each task is independently testable.
+
+- [ ] FT1: [Functional capability — user-visible description]
+- [ ] FT2: [Functional capability]
+- [ ] FT3: [Edge case or constraint handling]
+
+---
+
+### Technical Task List (Tech Lead-owned)
+Derived from functional tasks. Scoped per agent. Parallel groups marked.
+
+**Group A — Backend (runs in parallel with Group B)**
+- [ ] TT1: [Schema/migration/RLS task]
+- [ ] TT2: [Server Action/query task]
+
+**Group B — Frontend (runs in parallel with Group A)**
+- [ ] TT3: [Component/page task]
+- [ ] TT4: [Form/hook task]
+
+**Group C — Sequential gates (after A + B complete)**
+- [ ] TT5: Test RED phase — @test-qa writes failing tests
+- [ ] TT6: Test GREEN phase — @backend + @frontend in parallel
+- [ ] TT7: Review gate — @code-reviewer + @security-researcher in parallel
+
+---
+
+### Technical Notes (from Tech Lead)
+[Complexity, affected files with paths, patterns to reuse, risks]
+
+---
+
+### Assumptions
+[If user skipped any discovery questions, list assumptions here]
+```
+
+**Rules:**
+- Acceptance criteria use plain functional language — no code, no implementation details
+- Test cases describe what the **user sees**, not system internals
+- Every acceptance criterion maps to at least one test case
+- No mention of database tables, API calls, or file paths in the functional section
+- Technical tasks are grouped for parallel execution where possible
+- Write requirements in the user's language; IDs (`AC1`, `FT1`, `TT1`) and technical terms stay in English
+
+### Step 6 — Write Plan to File
+
+Save the combined plan to `.requirements/<feature-name>-<timestamp>.md`.
+
+Use the feature name in kebab-case and ISO timestamp (e.g., `user-notifications-2026-04-11T1430.md`).
+
+### Step 7 — Store in MCP Memory
+
+```
+store_memory({
+  content: "Requirement: <feature-name> — <one-line summary of what the feature does and key acceptance criteria>",
+  metadata: {
+    type: "architecture",
+    tags: ["project:<project-name>", "domain:features", "category:requirement", "feature:<feature-name>", "status:pending-snapshot"]
+  }
+})
+```
+
+### Step 8 — Hand Off
+
+Tell the user:
+
+> Requirements and technical plan written to `.requirements/<feature-name>-<timestamp>.md`.
+>
+> **Next step**: Start a new conversation and run:
+> ```
+> /build-feature @.requirements/<feature-name>-<timestamp>.md
+> ```
+
+---
+
+## Common Issues
+
+| Problem | Cause | Fix |
+|---------|-------|-----|
+| User says "just do it" without answering | Wants to skip discovery | Document all assumptions in `## Assumptions` |
+| MCP memory unavailable | Service not running | Fall back to reading `.opencode/memory/architecture-snapshot.md` |
+| Feature overlaps with existing one | Missed relationship check in Step 1 | Re-query MCP with `domain:features`, clarify scope with user |
+| Tech Lead finds major technical blocker | Spec doesn't account for constraint | Update acceptance criteria before finalizing plan |
+
+---
+
+## Guardrails
+- BA always asks questions before writing — never assume requirements
+- Tech Lead always saves codebase findings to MCP memory
+- Do NOT start any implementation in this conversation
+- Document all assumptions explicitly if the user skips questions
+- Hand off to `/build-feature` in a fresh conversation — never chain them in the same conversation

package/template/.opencode/skills/memory/SKILL.md

@@ -0,0 +1,199 @@
+---
+name: memory
+description: Sync architecture-snapshot.md with MCP memory service and recall project knowledge semantically. Use when starting a new session, after completing a feature, or to search project context efficiently. Triggers: 'memory sync', 'memory recall', 'memory update', 'sync architecture', 'search project knowledge', 'what components are installed'.
+compatibility: opencode
+---
+
+# Memory Skill
+
+> **Invoke as:** `/memory sync`, `/memory recall "query"`, `/memory update`
+
+## Preflight Check
+
+Before running any subcommand, verify the memory service is running:
+
+```
+retrieve_memory({ query: "test", n_results: 1 })
+```
+
+If this fails, tell the user: "Memory service is unavailable. Run `pipx install mcp-memory-service` and ensure the `memory` binary is in PATH (check `opencode.json`)."
+
+---
+
+## `/memory sync` — Snapshot → MCP
+
+Parses `architecture-snapshot.md` into individual entries and stores each in MCP memory. Run this after scaffolding a new project or after `/memory update`.
+
+### Steps
+
+1. Read `package.json` — get `name` field as `<project-name>`
+2. Read `.opencode/memory/architecture-snapshot.md`
+3. For each section, parse into individual entries and call `store_memory`:
+
+**Installed shadcn/ui Components** (one memory for the full list):
+```
+store_memory({
+  content: "Installed shadcn/ui components: button, card, input, label, spinner",
+  metadata: {
+    type: "architecture",
+    tags: ["project:<project-name>", "domain:ui", "category:components"]
+  }
+})
+```
+
+**DB Schema** (one memory per table row):
+```
+store_memory({
+  content: "DB table: profiles — columns: id (uuid PK), email (text unique), createdAt, updatedAt",
+  metadata: {
+    type: "architecture",
+    tags: ["project:<project-name>", "domain:database", "category:schema", "table:profiles"]
+  }
+})
+```
+
+**Existing Features** (one memory per feature row):
+```
+store_memory({
+  content: "Feature: auth — path: src/features/auth/ — Login/logout, cookie-based sessions via Supabase",
+  metadata: {
+    type: "architecture",
+    tags: ["project:<project-name>", "domain:features", "category:feature", "feature:auth"]
+  }
+})
+```
+
+**Canonical Pattern References** (one memory per pattern row):
+```
+store_memory({
+  content: "Canonical pattern: Server Action — file: src/features/todos/actions/todos.action.ts",
+  metadata: {
+    type: "architecture",
+    tags: ["project:<project-name>", "domain:patterns", "category:pattern", "pattern:server-action"]
+  }
+})
+```
+
+**Key Rules** (one memory per bullet):
+```
+store_memory({
+  content: "Rule: Runtime queries use Supabase client only — Drizzle is schema/migrations only",
+  metadata: {
+    type: "architecture",
+    tags: ["project:<project-name>", "domain:rules", "category:rule"]
+  }
+})
+```
+
+**Shared Utilities** (one memory per utility row):
+```
+store_memory({
+  content: "Utility: formFieldText(formData, key) — location: src/shared/lib/form-utils.ts — Safe FormData text extraction, avoids no-base-to-string lint error",
+  metadata: {
+    type: "architecture",
+    tags: ["project:<project-name>", "domain:shared", "category:utility"]
+  }
+})
+```
+
+**Strict Rules Reference** (one memory per sub-heading group):
+```
+store_memory({
+  content: "TypeScript strict rules: noUncheckedIndexedAccess (guard arr[i]), exactOptionalPropertyTypes (omit key instead of undefined), noImplicitReturns (explicit return in all branches), noUnusedLocals/noUnusedParameters (prefix unused with _), useUnknownInCatchVariables (narrow with instanceof Error)",
+  metadata: {
+    type: "architecture",
+    tags: ["project:<project-name>", "domain:rules", "category:lint-rule", "subcategory:typescript"]
+  }
+})
+```
+
+4. After all entries are stored, call:
+```
+trigger_consolidation({ time_horizon: "daily", immediate: true })
+```
+
+5. Report: "Stored N memories for project `<project-name>`. Consolidation triggered."
+
+---
+
+## `/memory recall "query"` — Semantic Search
+
+Use to find project context without reading the full snapshot.
+
+### Steps
+
+1. Read `package.json` — get `<project-name>`
+2. Call broad semantic search:
+```
+retrieve_memory({ query: "<user-query>", n_results: 10 })
+```
+3. If results are too broad, narrow with tags:
+```
+search_memory({
+  query: "<user-query>",
+  tags: ["project:<project-name>"],
+  limit: 5,
+  min_score: 0.6
+})
+```
+4. Present results as a summary. If no results found, tell the user to run `/memory sync` first.
+
+---
+
+## `/memory update` — MCP → Snapshot
+
+Merges new entries (tagged `status:pending-snapshot`) back into `architecture-snapshot.md`. Run after agents store new knowledge via `store_memory`.
+
+### Steps
+
+1. Read `package.json` — get `<project-name>`
+2. Search for pending entries:
+```
+search_memory({
+  query: "new pending architecture update",
+  tags: ["project:<project-name>", "status:pending-snapshot"],
+  limit: 50
+})
+```
+3. For each result, determine the target section from the `domain` and `category` tags:
+   - `domain:ui` → "Installed shadcn/ui Components"
+   - `domain:database` → "DB Schema"
+   - `domain:features` → "Existing Features"
+   - `domain:patterns` → "Canonical Pattern References"
+   - `domain:rules` + `category:rule` → "Key Rules"
+   - `domain:shared` → "Shared Utilities"
+4. Read `.opencode/memory/architecture-snapshot.md` and merge new entries into the correct sections
+5. Write the updated snapshot
+6. Re-store each processed memory WITHOUT the `status:pending-snapshot` tag
+7. Call `trigger_consolidation({ time_horizon: "daily", immediate: true })`
+8. Report: "Merged N entries into architecture-snapshot.md."
+
+---
+
+## Tag Schema Reference
+
+All memories must include `type: "architecture"` and `project:<project-name>`. Use lowercase with hyphens for multi-word values.
+
+| Snapshot Section | Required Tags | Optional Tags |
+|---|---|---|
+| shadcn Components | `domain:ui`, `category:components` | — |
+| DB Schema | `domain:database`, `category:schema` | `table:<name>` |
+| Existing Features | `domain:features`, `category:feature` | `feature:<name>` |
+| Canonical Patterns | `domain:patterns`, `category:pattern` | `pattern:<type>` |
+| Key Rules | `domain:rules`, `category:rule` | — |
+| Shared Utilities | `domain:shared`, `category:utility` | — |
+| Strict Rules (TS) | `domain:rules`, `category:lint-rule` | `subcategory:typescript` |
+| Strict Rules (ESLint) | `domain:rules`, `category:lint-rule` | `subcategory:eslint` |
+
+When storing **new** architecture knowledge (e.g., after `/build-feature`), add `status:pending-snapshot` so `/memory update` can sync it back.
+
+---
+
+## Guardrails
+
+- NEVER store secrets, API keys, `.env` values, or credentials in memory
+- ALWAYS scope memories with `project:<project-name>` to prevent cross-project pollution
+- ALWAYS use `type: "architecture"` for snapshot-derived memories
+- Keep individual memory content under 300 words for effective semantic retrieval
+- The snapshot file (`.opencode/memory/architecture-snapshot.md`) is the source of truth — MCP memory is a search index
+- If the memory service is unavailable, agents fall back to reading the snapshot file directly

package/template/.opencode/skills/review-branch/SKILL.md

@@ -0,0 +1,43 @@
+---
+name: review-branch
+description: Review current branch changes against develop — runs full code quality, testing, architecture, and security checklist. Triggers: 'review branch', 'review my changes', 'check branch quality', 'review PR'.
+compatibility: opencode
+---
+
+# Review Branch Skill
+
+## Process
+
+### 1. Get Changes
+```bash
+git diff develop...HEAD
+```
+Or for a specific branch:
+```bash
+git diff develop...<branch-name>
+```
+
+### 2. Check Each Changed File
+Apply the full checklist from `references/review-checklist.md` — covers code quality, tests, architecture, security, performance, and accessibility.
+
+**You MUST check every changed file individually. Do not summarize or skip files. Show your analysis for each file before moving to the next.**
+
+### 3. Generate Report
+```
+## Branch Review: <branch-name>
+
+### Changed Files
+- [list each file]
+
+### Issues Found
+- [file:line]: [issue] → [fix]
+
+### Verdict: PASS / FAIL
+```
+
+### 4. Run Automated Checks
+```bash
+pnpm lint
+pnpm typecheck
+pnpm test:coverage
+```

package/template/.opencode/skills/security-audit/SKILL.md

@@ -0,0 +1,40 @@
+---
+name: security-audit
+description: Run a full security audit on the codebase — checks OWASP Top 10, RLS policies, hardcoded secrets, auth coverage, input validation, XSS vectors, and security headers. Triggers: 'security audit', 'audit security', 'check vulnerabilities', 'scan for secrets', 'check RLS'.
+compatibility: opencode
+---
+
+# Security Audit Skill
+
+## Process
+
+**You MUST execute every step below. Do not skip or summarize steps. Show your findings for each step before moving to the next.**
+
+Execute all 7 audit steps from `references/audit-steps.md`:
+1. Dependency audit (`pnpm audit`)
+2. Secret scan (hardcoded keys)
+3. RLS verification (all tables)
+4. Auth coverage (routes + actions)
+5. Input validation (Zod at boundaries)
+6. XSS check (`dangerouslySetInnerHTML`)
+7. Security headers (`next.config.ts`)
+
+## Output Format
+```
+## Security Audit Report
+
+### Critical 🔴
+[findings]
+
+### High 🟠
+[findings]
+
+### Medium 🟡
+[findings]
+
+### Low 🟢
+[findings]
+
+### Passed ✅
+[clean checks]
+```

package/template/.opencode/skills/supabase/SKILL.md

@@ -0,0 +1,105 @@
+---
+name: supabase
+description: "Use when doing ANY task involving Supabase. Triggers: Supabase products (Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, Queues); client libraries and SSR integrations (supabase-js, @supabase/ssr) in Next.js, React, SvelteKit, Astro, Remix; auth issues (login, logout, sessions, JWT, cookies, getSession, getUser, getClaims, RLS); Supabase CLI or MCP server; schema changes, migrations, security audits, Postgres extensions (pg_graphql, pg_cron, pg_vector)."
+compatibility: opencode
+metadata:
+  author: supabase
+  version: "0.1.0"
+---
+
+# Supabase
+
+## Core Principles
+
+**1. Supabase changes frequently — verify against current docs before implementing.**
+Do not rely on training data for Supabase features. Function signatures, config.toml settings, and API conventions change between versions. Before implementing, look up the relevant topic using the documentation access methods below.
+
+**2. Verify your work.**
+After implementing any fix, run a test query to confirm the change works. A fix without verification is incomplete.
+
+**3. Recover from errors, don't loop.**
+If an approach fails after 2-3 attempts, stop and reconsider. Try a different method, check documentation, inspect the error more carefully, and review relevant logs when available. Supabase issues are not always solved by retrying the same command, and the answer is not always in the logs, but logs are often worth checking before proceeding.
+
+**4. RLS by default in exposed schemas.**
+Enable RLS on every table in any exposed schema, especially `public`. This is critical in Supabase because tables in exposed schemas can be reachable through the Data API. For private schemas, prefer RLS as defense in depth. After enabling RLS, create policies that match the actual access model rather than defaulting every table to the same `auth.uid()` pattern.
+
+**5. Security checklist.**
+When working on any Supabase task that touches auth, RLS, views, storage, or user data, run through this checklist. These are Supabase-specific security traps that silently create vulnerabilities:
+
+- **Auth and session security**
+   - **Never use `user_metadata` claims in JWT-based authorization decisions.** In Supabase, `raw_user_meta_data` is user-editable and can appear in `auth.jwt()`, so it is unsafe for RLS policies or any other authorization logic. Store authorization data in `raw_app_meta_data` / `app_metadata` instead.
+   - **Deleting a user does not invalidate existing access tokens.** Sign out or revoke sessions first, keep JWT expiry short for sensitive apps, and for strict guarantees validate `session_id` against `auth.sessions` on sensitive operations.
+   - **If you use `app_metadata` or `auth.jwt()` for authorization, remember JWT claims are not always fresh until the user's token is refreshed.**
+
+- **API key and client exposure**
+   - **Never expose the `service_role` or secret key in public clients.** Prefer publishable keys for frontend code. Legacy `anon` keys are only for compatibility. In Next.js, any `NEXT_PUBLIC_` env var is sent to the browser.
+
+- **RLS, views, and privileged database code**
+   - **Views bypass RLS by default.** In Postgres 15 and above, use `CREATE VIEW ... WITH (security_invoker = true)`. In older versions of Postgres, protect your views by revoking access from the `anon` and `authenticated` roles, or by putting them in an unexposed schema.
+   - **UPDATE requires a SELECT policy.** In Postgres RLS, an UPDATE needs to first SELECT the row. Without a SELECT policy, updates silently return 0 rows — no error, just no change.
+   - **Do not put `security definer` functions in an exposed schema.** Keep them in a private or otherwise unexposed schema.
+
+
+- **Storage access control**
+   - **Storage upsert requires INSERT + SELECT + UPDATE.** Granting only INSERT allows new uploads but file replacement (upsert) silently fails. You need all three.
+
+For any security concern not covered above, fetch the Supabase product security index: `https://supabase.com/docs/guides/security/product-security.md`
+
+## Supabase CLI
+
+Always discover commands via `--help` — never guess. The CLI structure changes between versions.
+
+```bash
+supabase --help                    # All top-level commands
+supabase <group> --help            # Subcommands (e.g., supabase db --help)
+supabase <group> <command> --help  # Flags for a specific command
+```
+
+**Supabase CLI Known gotchas:**
+- `supabase db query` requires **CLI v2.79.0+** → use MCP `execute_sql` or `psql` as fallback
+- `supabase db advisors` requires **CLI v2.81.3+** → use MCP `get_advisors` as fallback
+- When you need a new migration SQL file, **always** create it with `supabase migration new <name>` first. Never invent a migration filename or rely on memory for the expected format.
+
+**Version check and upgrade:** Run `supabase --version` to check. For CLI changelogs and version-specific features, consult the [CLI documentation](https://supabase.com/docs/reference/cli/introduction) or [GitHub releases](https://github.com/supabase/cli/releases).
+
+## Supabase MCP Server
+
+For setup instructions, server URL, and configuration, see the [MCP setup guide](https://supabase.com/docs/guides/getting-started/mcp).
+
+**Troubleshooting connection issues** — follow these steps in order:
+
+1. **Check if the server is reachable:**
+   `curl -so /dev/null -w "%{http_code}" https://mcp.supabase.com/mcp`
+   A `401` is expected (no token) and means the server is up. Timeout or "connection refused" means it may be down.
+
+2. **Check `opencode.json` configuration:**
+   Verify the project root has a valid `opencode.json` with the correct server URL. If missing, create one pointing to `https://mcp.supabase.com/mcp`.
+
+3. **Authenticate the MCP server:**
+   If the server is reachable and the config is correct but tools aren't visible, the user needs to authenticate. The Supabase MCP server uses OAuth 2.1 — tell the user to trigger the auth flow in their agent, complete it in the browser, and reload the session.
+
+## Supabase Documentation
+
+Before implementing any Supabase feature, find the relevant documentation. Use these methods in priority order:
+
+1. **MCP `search_docs` tool** (preferred — returns relevant snippets directly)
+2. **Fetch docs pages as markdown** — any docs page can be fetched by appending `.md` to the URL path.
+3. **Web search** for Supabase-specific topics when you don't know which page to look at.
+
+## Making and Committing Schema Changes
+
+**To make schema changes, use `execute_sql` (MCP) or `supabase db query` (CLI).** These run SQL directly on the database without creating migration history entries, so you can iterate freely and generate a clean migration when ready.
+
+Do NOT use `apply_migration` to change a local database schema — it writes a migration history entry on every call, which means you can't iterate, and `supabase db diff` / `supabase db pull` will produce empty or conflicting diffs. If you use it, you'll be stuck with whatever SQL you passed on the first try.
+
+**When ready to commit** your changes to a migration file:
+
+1. **Run advisors** → `supabase db advisors` (CLI v2.81.3+) or MCP `get_advisors`. Fix any issues.
+2. **Review the Security Checklist above** if your changes involve views, functions, triggers, or storage.
+3. **Generate the migration** → `supabase db pull <descriptive-name> --local --yes`
+4. **Verify** → `supabase migration list --local`
+
+## Reference Guides
+
+- **Skill Feedback** → [references/skill-feedback.md](references/skill-feedback.md)
+  **MUST read when** the user reports that this skill gave incorrect guidance or is missing information.

package/template/.opencode/skills/supabase/assets/feedback-issue-template.md

@@ -0,0 +1,17 @@
+## What happened
+
+**Task:** <!-- e.g., "Set up MFA on patient records" -->
+
+**Skill said:** <!-- e.g., "Use auth.jwt()->>'app_metadata' in the RLS policy" -->
+
+**Expected:** <!-- e.g., "The function also needs SECURITY DEFINER + grant to supabase_auth_admin" -->
+
+## Source
+
+**File:** <!-- e.g., references/security-model.md -->
+
+**Section:** <!-- e.g., "Trust Boundaries > user_metadata vs app_metadata" -->
+
+## Fix suggestion
+
+<!-- Leave blank if unsure -->

package/template/.opencode/skills/supabase/references/skill-feedback.md

@@ -0,0 +1,17 @@
+# Skill Feedback
+
+Use this when the user reports that the skill gave incorrect guidance, is missing information, or could be improved. This is about the skill (agent instructions), not about Supabase the product.
+
+## Steps
+
+1. **Ask permission** — Ask the user if they'd like to submit feedback to the skill maintainers. If they decline, move on.
+
+2. **Draft the issue** — Use the template at [assets/feedback-issue-template.md](../assets/feedback-issue-template.md) to structure the feedback. Fill in the fields based on the conversation. Always identify which specific reference file and section caused the problem.
+
+3. **Submit** — Create a GitHub Issue on the `supabase/agent-skills` repository using the draft as the issue body. The title must follow this format: `user-feedback: <summary of the problem>`.
+
+4. **Share the result** — Share the issue URL with the user after submission. If submission fails, give the user this link to create the issue manually:
+
+```
+https://github.com/supabase/agent-skills/issues/new
+```