oh-my-customcode 0.9.4 → 0.10.1

package/README.md

@@ -5,6 +5,7 @@
 [![npm version](https://img.shields.io/npm/v/oh-my-customcode.svg)](https://www.npmjs.com/package/oh-my-customcode)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![CI](https://github.com/baekenough/oh-my-customcode/actions/workflows/ci.yml/badge.svg)](https://github.com/baekenough/oh-my-customcode/actions/workflows/ci.yml)
+[![Security Audit](https://github.com/baekenough/oh-my-customcode/actions/workflows/security-audit.yml/badge.svg)](https://github.com/baekenough/oh-my-customcode/actions/workflows/security-audit.yml)
 
 **[한국어 문서 (Korean)](./README_ko.md)**
 
@@ -16,7 +17,7 @@ Like oh-my-zsh transformed shell customization, oh-my-customcode makes personali
 
 | Feature | Description |
 |---------|-------------|
-| **Batteries Included** | 42 agents, 52 skills, 22 guides, 18 rules, 1 hook, 1 context - ready to use out of the box |
+| **Batteries Included** | 42 agents, 51 skills, 22 guides, 18 rules, 1 hook, 4 contexts - ready to use out of the box |
 | **Sub-Agent Model** | Supports hierarchical agent orchestration with specialized roles |
 | **Dead Simple Customization** | Create a folder + markdown file = new agent or skill |
 | **Mix and Match** | Use built-in components, create your own, or combine both |
@@ -121,7 +122,7 @@ Claude Code selects the appropriate model and parallelizes independent tasks (up
 | **QA** | 3 | qa-planner, qa-writer, qa-engineer |
 | **Total** | **42** | |
 
-### Skills (52)
+### Skills (51)
 
 Includes slash commands and capabilities:
 
@@ -157,9 +158,9 @@ Comprehensive reference documentation covering:
 
 Event-driven automation for Claude Code lifecycle events (PreToolUse, PostToolUse, etc.).
 
-### Contexts (1)
+### Contexts (4)
 
-Shared context file for cross-agent knowledge and mode configurations.
+Shared context files for cross-agent knowledge and mode configurations.
 
 ---
 
@@ -194,13 +195,13 @@ your-project/
 └── .claude/               # (or .codex/)
     ├── rules/             # Behavior rules (18 total)
     ├── hooks/             # Event hooks (1 total)
-    ├── contexts/          # Context files (1 total)
+    ├── contexts/          # Context files (4 total)
     ├── agents/            # Agent definitions (42 flat .md files)
     │   ├── lang-golang-expert.md
     │   ├── be-fastapi-expert.md
     │   ├── mgr-creator.md
     │   └── ...
-    ├── skills/            # Skill modules (52 directories, each with SKILL.md)
+    ├── skills/            # Skill modules (51 directories, each with SKILL.md)
     │   ├── go-best-practices/
     │   ├── react-best-practices/
     │   ├── secretary-routing/
@@ -219,6 +220,17 @@ bun test             # Run tests
 bun run build        # Build for production
 ```
 
+### Quality Gates
+
+| Gate | Tool | Threshold |
+|------|------|-----------|
+| Lint | Biome | Zero errors (complexity enforced) |
+| Test Coverage | Bun test | 95% (pre-commit), 97% (CI) |
+| Security Audit | bun pm audit | No high/critical vulnerabilities |
+| Dependabot | GitHub | Weekly scans, auto-PR for updates |
+
+Pre-commit hooks automatically enforce lint, test, and coverage gates before each commit.
+
 ### Requirements
 
 - Node.js >= 18.0.0

package/dist/cli/index.js

@@ -11725,6 +11725,7 @@ var en_default = {
       skipped: "Update skipped",
       dryRunOption: "Show what would be updated without making changes",
       forceOption: "Force update even if already at latest version",
+      forceOverwriteAllOption: "Bypass all file preservation (manifest and config)",
       backupOption: "Create backup before updating",
       agentsOption: "Update only agents",
       skillsOption: "Update only skills",
@@ -12008,6 +12009,7 @@ var ko_default = {
       skipped: "업데이트 건너뜀",
       dryRunOption: "변경 없이 업데이트할 내용 표시",
       forceOption: "이미 최신 버전이어도 강제 업데이트",
+      forceOverwriteAllOption: "모든 파일 보존 무시 (manifest 및 config)",
       backupOption: "업데이트 전 백업 생성",
       agentsOption: "에이전트만 업데이트",
       skillsOption: "스킬만 업데이트",
@@ -12299,8 +12301,38 @@ var $visitAsync = visit.visitAsync;
 import { join as join2 } from "node:path";
 
 // src/utils/fs.ts
-import { dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
+import { dirname, isAbsolute, join, normalize, relative, resolve, sep } from "node:path";
 import { fileURLToPath } from "node:url";
+function validatePreserveFilePath(filePath, projectRoot) {
+  if (!filePath || filePath.trim() === "") {
+    return {
+      valid: false,
+      reason: "Path cannot be empty"
+    };
+  }
+  if (isAbsolute(filePath)) {
+    return {
+      valid: false,
+      reason: "Absolute paths are not allowed"
+    };
+  }
+  const normalizedPath = normalize(filePath);
+  if (normalizedPath.startsWith("..")) {
+    return {
+      valid: false,
+      reason: "Path cannot traverse outside project root"
+    };
+  }
+  const resolvedPath = resolve(projectRoot, normalizedPath);
+  const relativePath = relative(projectRoot, resolvedPath);
+  if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+    return {
+      valid: false,
+      reason: "Resolved path escapes project root"
+    };
+  }
+  return { valid: true };
+}
 async function fileExists(path) {
   const fs = await import("node:fs/promises");
   try {
@@ -12689,7 +12721,7 @@ async function loadConfig(targetDir) {
   if (await fileExists(configPath)) {
     try {
       const config = await readJsonFile(configPath);
-      const merged = mergeConfig(getDefaultConfig(), config);
+      const merged = mergeConfig(getDefaultConfig(), config, targetDir);
       if (merged.configVersion < CURRENT_CONFIG_VERSION) {
         const migrated = migrateConfig(merged);
         await saveConfig(targetDir, migrated);
@@ -12718,7 +12750,30 @@ function deduplicateCustomComponents(components) {
   }
   return [...seen.values()];
 }
-function mergeConfig(defaults, overrides) {
+function mergeConfig(defaults, overrides, targetDir) {
+  let mergedPreserveFiles;
+  if (overrides.preserveFiles) {
+    const allFiles = [...new Set([...defaults.preserveFiles || [], ...overrides.preserveFiles])];
+    if (targetDir) {
+      const validatedFiles = [];
+      for (const filePath of allFiles) {
+        const validation = validatePreserveFilePath(filePath, targetDir);
+        if (validation.valid) {
+          validatedFiles.push(filePath);
+        } else {
+          warn("config.invalid_preserve_path", {
+            path: filePath,
+            reason: validation.reason ?? "Invalid path"
+          });
+        }
+      }
+      mergedPreserveFiles = validatedFiles;
+    } else {
+      mergedPreserveFiles = allFiles;
+    }
+  } else {
+    mergedPreserveFiles = defaults.preserveFiles;
+  }
   return {
     ...defaults,
     ...overrides,
@@ -12732,7 +12787,7 @@ function mergeConfig(defaults, overrides) {
       ...defaults.agents,
       ...overrides.agents
     },
-    preserveFiles: overrides.preserveFiles ? [...new Set([...defaults.preserveFiles || [], ...overrides.preserveFiles])] : defaults.preserveFiles,
+    preserveFiles: mergedPreserveFiles,
     customComponents: overrides.customComponents ? deduplicateCustomComponents([
       ...defaults.customComponents || [],
       ...overrides.customComponents
@@ -13908,13 +13963,13 @@ async function tryExtractMarkdownDescription(mdPath, options = {}) {
     return;
   }
 }
-async function getAgents(targetDir, rootDir = ".claude") {
+async function getAgents(targetDir, rootDir = ".claude", config) {
   const agentsDir = join6(targetDir, rootDir, "agents");
   if (!await fileExists(agentsDir))
     return [];
   try {
-    const config = await loadConfig(targetDir);
-    const customComponents = config.customComponents || [];
+    const resolvedConfig = config ?? await loadConfig(targetDir);
+    const customComponents = resolvedConfig.customComponents || [];
     const customAgentPaths = new Set(customComponents.filter((c) => c.type === "agent").map((c) => c.path));
     const agentMdFiles = await listFiles(agentsDir, { recursive: false, pattern: "*.md" });
     const agents = await Promise.all(agentMdFiles.map(async (agentMdPath) => {
@@ -13936,13 +13991,13 @@ async function getAgents(targetDir, rootDir = ".claude") {
     return [];
   }
 }
-async function getSkills(targetDir, rootDir = ".claude") {
+async function getSkills(targetDir, rootDir = ".claude", config) {
   const skillsDir = join6(targetDir, rootDir, "skills");
   if (!await fileExists(skillsDir))
     return [];
   try {
-    const config = await loadConfig(targetDir);
-    const customComponents = config.customComponents || [];
+    const resolvedConfig = config ?? await loadConfig(targetDir);
+    const customComponents = resolvedConfig.customComponents || [];
     const customSkillPaths = new Set(customComponents.filter((c) => c.type === "skill").map((c) => c.path));
     const skillMdFiles = await listFiles(skillsDir, { recursive: true, pattern: "SKILL.md" });
     const skills = await Promise.all(skillMdFiles.map(async (skillMdPath) => {
@@ -13965,13 +14020,13 @@ async function getSkills(targetDir, rootDir = ".claude") {
     return [];
   }
 }
-async function getGuides(targetDir) {
+async function getGuides(targetDir, config) {
   const guidesDir = join6(targetDir, "guides");
   if (!await fileExists(guidesDir))
     return [];
   try {
-    const config = await loadConfig(targetDir);
-    const customComponents = config.customComponents || [];
+    const resolvedConfig = config ?? await loadConfig(targetDir);
+    const customComponents = resolvedConfig.customComponents || [];
     const customGuidePaths = new Set(customComponents.filter((c) => c.type === "guide").map((c) => c.path));
     const guideMdFiles = await listFiles(guidesDir, { recursive: true, pattern: "*.md" });
     const guides = await Promise.all(guideMdFiles.map(async (guideMdPath) => {
@@ -13992,13 +14047,13 @@ async function getGuides(targetDir) {
   }
 }
 var RULE_PRIORITY_ORDER = { MUST: 0, SHOULD: 1, MAY: 2 };
-async function getRules(targetDir, rootDir = ".claude") {
+async function getRules(targetDir, rootDir = ".claude", config) {
   const rulesDir = join6(targetDir, rootDir, "rules");
   if (!await fileExists(rulesDir))
     return [];
   try {
-    const config = await loadConfig(targetDir);
-    const customComponents = config.customComponents || [];
+    const resolvedConfig = config ?? await loadConfig(targetDir);
+    const customComponents = resolvedConfig.customComponents || [];
     const customRulePaths = new Set(customComponents.filter((c) => c.type === "rule").map((c) => c.path));
     const ruleMdFiles = await listFiles(rulesDir, { recursive: false, pattern: "*.md" });
     const rules = await Promise.all(ruleMdFiles.map(async (ruleMdPath) => {
@@ -14108,7 +14163,7 @@ async function getContexts(targetDir, rootDir = ".claude") {
 var COMPONENT_GETTERS = {
   agents: getAgents,
   skills: getSkills,
-  guides: async (dir2) => getGuides(dir2),
+  guides: async (dir2, _rootDir, config) => getGuides(dir2, config),
   rules: getRules,
   hooks: getHooks,
   contexts: getContexts
@@ -14122,12 +14177,12 @@ function displayComponents(components, type, format) {
     formatAsTable(components, type);
   }
 }
-async function handleListAll(targetDir, rootDir, format) {
+async function handleListAll(targetDir, rootDir, format, config) {
   const [agents, skills, guides, rules, hooks, contexts] = await Promise.all([
-    getAgents(targetDir, rootDir),
-    getSkills(targetDir, rootDir),
-    getGuides(targetDir),
-    getRules(targetDir, rootDir),
+    getAgents(targetDir, rootDir, config),
+    getSkills(targetDir, rootDir, config),
+    getGuides(targetDir, config),
+    getRules(targetDir, rootDir, config),
     getHooks(targetDir, rootDir),
     getContexts(targetDir, rootDir)
   ]);
@@ -14152,7 +14207,8 @@ async function listCommand(type = "all", options = {}) {
       preferProject: true
     });
     const layout = getProviderLayout(detection.provider);
-    const components = type === "all" ? await handleListAll(targetDir, layout.rootDir, format) : await COMPONENT_GETTERS[type](targetDir, layout.rootDir);
+    const config = await loadConfig(targetDir);
+    const components = type === "all" ? await handleListAll(targetDir, layout.rootDir, format, config) : await COMPONENT_GETTERS[type](targetDir, layout.rootDir, config);
     if (type === "all" && format === "json") {
       formatAsJson(components);
     } else if (type !== "all") {
@@ -14172,34 +14228,60 @@ import { join as join7 } from "node:path";
 // src/core/entry-merger.ts
 var MANAGED_START = "<!-- omcustom:start -->";
 var MANAGED_END = "<!-- omcustom:end -->";
+function isCodeBlockDelimiter(line) {
+  const trimmed = line.trim();
+  return trimmed.startsWith("```") || trimmed.startsWith("~~~");
+}
+function handleManagedStart(currentLines, sections) {
+  if (currentLines.length > 0) {
+    sections.push({
+      type: "custom",
+      content: currentLines.join(`
+`)
+    });
+  }
+  return {
+    currentSection: { type: "managed", content: "" },
+    currentLines: []
+  };
+}
+function handleManagedEnd(currentSection, currentLines, sections) {
+  if (currentSection && currentSection.type === "managed") {
+    currentSection.content = currentLines.join(`
+`);
+    sections.push(currentSection);
+    return {
+      currentSection: null,
+      currentLines: []
+    };
+  }
+  return { currentSection, currentLines };
+}
 function parseEntryDoc(content) {
   const sections = [];
   const lines = content.split(`
 `);
   let currentSection = null;
   let currentLines = [];
+  let insideCodeBlock = false;
   for (const line of lines) {
-    if (line.trim() === MANAGED_START) {
-      if (currentLines.length > 0) {
-        sections.push({
-          type: "custom",
-          content: currentLines.join(`
-`)
-        });
-        currentLines = [];
+    if (isCodeBlockDelimiter(line)) {
+      insideCodeBlock = !insideCodeBlock;
+    }
+    if (!insideCodeBlock) {
+      const trimmed = line.trim();
+      if (trimmed === MANAGED_START) {
+        const result = handleManagedStart(currentLines, sections);
+        currentSection = result.currentSection;
+        currentLines = result.currentLines;
+        continue;
       }
-      currentSection = { type: "managed", content: "" };
-      continue;
-    }
-    if (line.trim() === MANAGED_END) {
-      if (currentSection && currentSection.type === "managed") {
-        currentSection.content = currentLines.join(`
-`);
-        sections.push(currentSection);
-        currentSection = null;
-        currentLines = [];
+      if (trimmed === MANAGED_END) {
+        const result = handleManagedEnd(currentSection, currentLines, sections);
+        currentSection = result.currentSection;
+        currentLines = result.currentLines;
+        continue;
       }
-      continue;
     }
     currentLines.push(line);
   }
@@ -14280,7 +14362,7 @@ async function handleBackupIfRequested(targetDir, provider, backup, result) {
   result.backedUpPaths.push(backupPath);
   info("update.backup_created", { path: backupPath });
 }
-async function processComponentUpdate(targetDir, provider, component, updateCheck, customizations, options, result) {
+async function processComponentUpdate(targetDir, provider, component, updateCheck, customizations, options, result, config) {
   const componentUpdate = updateCheck.updatableComponents.find((c) => c.name === component);
   if (!componentUpdate && !options.force) {
     result.skippedComponents.push(component);
@@ -14292,7 +14374,7 @@ async function processComponentUpdate(targetDir, provider, component, updateChec
     return;
   }
   try {
-    const preserved = await updateComponent(targetDir, provider, component, customizations, options);
+    const preserved = await updateComponent(targetDir, provider, component, customizations, options, config);
     result.updatedComponents.push(component);
     result.preservedFiles.push(...preserved);
   } catch (err) {
@@ -14301,9 +14383,9 @@ async function processComponentUpdate(targetDir, provider, component, updateChec
     result.skippedComponents.push(component);
   }
 }
-async function updateAllComponents(targetDir, provider, components, updateCheck, customizations, options, result) {
+async function updateAllComponents(targetDir, provider, components, updateCheck, customizations, options, result, config) {
   for (const component of components) {
-    await processComponentUpdate(targetDir, provider, component, updateCheck, customizations, options, result);
+    await processComponentUpdate(targetDir, provider, component, updateCheck, customizations, options, result, config);
   }
 }
 function getEntryTemplateName2(provider, language) {
@@ -14320,25 +14402,76 @@ async function backupFile(filePath) {
     debug("update.file_backed_up", { path: filePath, backup: backupPath });
   }
 }
-function resolveCustomizations(customizations, configPreserveFiles) {
-  if (!customizations && configPreserveFiles.length === 0) {
+async function resolveManifestCustomizations(options, targetDir) {
+  if (options.forceOverwriteAll) {
     return null;
   }
-  if (customizations && configPreserveFiles.length > 0) {
-    customizations.preserveFiles = [
-      ...new Set([...customizations.preserveFiles, ...configPreserveFiles])
-    ];
-    return customizations;
+  if (options.preserveCustomizations === false) {
+    return null;
+  }
+  return loadCustomizationManifest(targetDir);
+}
+function resolveConfigPreserveFiles(options, config) {
+  if (options.forceOverwriteAll) {
+    return [];
+  }
+  const preserveFiles = config.preserveFiles || [];
+  const validatedPaths = [];
+  for (const filePath of preserveFiles) {
+    const validation = validatePreserveFilePath(filePath, options.targetDir);
+    if (validation.valid) {
+      validatedPaths.push(filePath);
+    } else {
+      warn("preserve_files.invalid_path", {
+        path: filePath,
+        reason: validation.reason ?? "Invalid path"
+      });
+    }
+  }
+  return validatedPaths;
+}
+function resolveCustomizations(customizations, configPreserveFiles, targetDir) {
+  const validatedManifestFiles = [];
+  if (customizations && customizations.preserveFiles.length > 0) {
+    for (const filePath of customizations.preserveFiles) {
+      const validation = validatePreserveFilePath(filePath, targetDir);
+      if (validation.valid) {
+        validatedManifestFiles.push(filePath);
+      } else {
+        warn("preserve_files.invalid_path", {
+          path: filePath,
+          reason: validation.reason ?? "Invalid path",
+          source: "manifest"
+        });
+      }
+    }
+  }
+  if (validatedManifestFiles.length === 0 && configPreserveFiles.length === 0) {
+    return customizations && customizations.modifiedFiles.length > 0 ? customizations : null;
+  }
+  if (validatedManifestFiles.length > 0 && configPreserveFiles.length > 0) {
+    const merged = customizations || {
+      modifiedFiles: [],
+      preserveFiles: [],
+      customComponents: [],
+      lastUpdated: new Date().toISOString()
+    };
+    merged.preserveFiles = [...new Set([...validatedManifestFiles, ...configPreserveFiles])];
+    return merged;
   }
   if (configPreserveFiles.length > 0) {
     return {
-      modifiedFiles: [],
+      modifiedFiles: customizations?.modifiedFiles || [],
       preserveFiles: configPreserveFiles,
-      customComponents: [],
+      customComponents: customizations?.customComponents || [],
       lastUpdated: new Date().toISOString()
     };
   }
-  return customizations;
+  if (customizations) {
+    customizations.preserveFiles = validatedManifestFiles;
+    return customizations;
+  }
+  return null;
 }
 async function updateEntryDoc(targetDir, provider, config, options) {
   const layout = getProviderLayout(provider);
@@ -14391,11 +14524,11 @@ async function update(options) {
       return result;
     }
     await handleBackupIfRequested(options.targetDir, provider, !!options.backup, result);
-    const manifestCustomizations = options.preserveCustomizations !== false ? await loadCustomizationManifest(options.targetDir) : null;
-    const configPreserveFiles = config.preserveFiles || [];
-    const customizations = resolveCustomizations(manifestCustomizations, configPreserveFiles);
+    const manifestCustomizations = await resolveManifestCustomizations(options, options.targetDir);
+    const configPreserveFiles = resolveConfigPreserveFiles(options, config);
+    const customizations = resolveCustomizations(manifestCustomizations, configPreserveFiles, options.targetDir);
     const components = options.components || getAllUpdateComponents();
-    await updateAllComponents(options.targetDir, provider, components, updateCheck, customizations, options, result);
+    await updateAllComponents(options.targetDir, provider, components, updateCheck, customizations, options, result, config);
     if (!options.components || options.components.length === 0) {
       await updateEntryDoc(options.targetDir, provider, config, options);
     }
@@ -14454,15 +14587,14 @@ async function componentHasUpdate(_targetDir, provider, component, config) {
   const latestVersion = await getLatestVersion(provider);
   return installedVersion !== latestVersion;
 }
-async function updateComponent(targetDir, provider, component, customizations, options) {
+async function updateComponent(targetDir, provider, component, customizations, options, config) {
   const preservedFiles = [];
   const componentPath = getComponentPath2(provider, component);
   const srcPath = resolveTemplatePath(componentPath);
   const destPath = join7(targetDir, componentPath);
-  const config = await loadConfig(targetDir);
   const customComponents = config.customComponents || [];
   const skipPaths = [];
-  if (customizations && options.preserveCustomizations !== false) {
+  if (customizations && !options.forceOverwriteAll) {
     const toPreserve = customizations.preserveFiles.filter((f) => f.startsWith(componentPath));
     preservedFiles.push(...toPreserve);
     skipPaths.push(...toPreserve);
@@ -14538,6 +14670,7 @@ async function updateCommand(options = {}) {
       components,
       force: options.force,
       preserveCustomizations: true,
+      forceOverwriteAll: options.forceOverwriteAll,
       dryRun: options.dryRun,
       backup: options.backup
     };
@@ -14611,7 +14744,7 @@ function createProgram() {
   program2.command("init").description(i18n.t("cli.init.description")).option("-l, --lang <language>", i18n.t("cli.init.langOption"), "en").option("-p, --provider <provider>", i18n.t("cli.init.providerOption"), "auto").action(async (options) => {
     await initCommand(options);
   });
-  program2.command("update").description(i18n.t("cli.update.description")).option("--dry-run", i18n.t("cli.update.dryRunOption")).option("--force", i18n.t("cli.update.forceOption")).option("--backup", i18n.t("cli.update.backupOption")).option("--agents", i18n.t("cli.update.agentsOption")).option("--skills", i18n.t("cli.update.skillsOption")).option("--rules", i18n.t("cli.update.rulesOption")).option("--guides", i18n.t("cli.update.guidesOption")).option("--hooks", i18n.t("cli.update.hooksOption")).option("--contexts", i18n.t("cli.update.contextsOption")).option("-p, --provider <provider>", i18n.t("cli.update.providerOption"), "auto").action(async (options) => {
+  program2.command("update").description(i18n.t("cli.update.description")).option("--dry-run", i18n.t("cli.update.dryRunOption")).option("--force", i18n.t("cli.update.forceOption")).option("--force-overwrite-all", i18n.t("cli.update.forceOverwriteAllOption")).option("--backup", i18n.t("cli.update.backupOption")).option("--agents", i18n.t("cli.update.agentsOption")).option("--skills", i18n.t("cli.update.skillsOption")).option("--rules", i18n.t("cli.update.rulesOption")).option("--guides", i18n.t("cli.update.guidesOption")).option("--hooks", i18n.t("cli.update.hooksOption")).option("--contexts", i18n.t("cli.update.contextsOption")).option("-p, --provider <provider>", i18n.t("cli.update.providerOption"), "auto").action(async (options) => {
     await updateCommand(options);
   });
   program2.command("list").description(i18n.t("cli.list.description")).argument("[type]", i18n.t("cli.list.typeArgument"), "all").option("-f, --format <format>", "Output format: table, json, or simple", "table").option("--verbose", "Show detailed information").option("-p, --provider <provider>", i18n.t("cli.list.providerOption"), "auto").action(async (type, options) => {

package/dist/index.js

@@ -1,28 +1,42 @@
 import { createRequire } from "node:module";
-var __create = Object.create;
-var __getProtoOf = Object.getPrototypeOf;
-var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __toESM = (mod, isNodeMode, target) => {
-  target = mod != null ? __create(__getProtoOf(mod)) : {};
-  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
-  for (let key of __getOwnPropNames(mod))
-    if (!__hasOwnProp.call(to, key))
-      __defProp(to, key, {
-        get: () => mod[key],
-        enumerable: true
-      });
-  return to;
-};
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // src/core/config.ts
 import { join as join2 } from "node:path";
 
 // src/utils/fs.ts
-import { dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
+import { dirname, isAbsolute, join, normalize, relative, resolve, sep } from "node:path";
 import { fileURLToPath } from "node:url";
+function validatePreserveFilePath(filePath, projectRoot) {
+  if (!filePath || filePath.trim() === "") {
+    return {
+      valid: false,
+      reason: "Path cannot be empty"
+    };
+  }
+  if (isAbsolute(filePath)) {
+    return {
+      valid: false,
+      reason: "Absolute paths are not allowed"
+    };
+  }
+  const normalizedPath = normalize(filePath);
+  if (normalizedPath.startsWith("..")) {
+    return {
+      valid: false,
+      reason: "Path cannot traverse outside project root"
+    };
+  }
+  const resolvedPath = resolve(projectRoot, normalizedPath);
+  const relativePath = relative(projectRoot, resolvedPath);
+  if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+    return {
+      valid: false,
+      reason: "Resolved path escapes project root"
+    };
+  }
+  return { valid: true };
+}
 async function fileExists(path) {
   const fs = await import("node:fs/promises");
   try {
@@ -402,7 +416,7 @@ async function loadConfig(targetDir) {
   if (await fileExists(configPath)) {
     try {
       const config = await readJsonFile(configPath);
-      const merged = mergeConfig(getDefaultConfig(), config);
+      const merged = mergeConfig(getDefaultConfig(), config, targetDir);
       if (merged.configVersion < CURRENT_CONFIG_VERSION) {
         const migrated = migrateConfig(merged);
         await saveConfig(targetDir, migrated);
@@ -431,7 +445,30 @@ function deduplicateCustomComponents(components) {
   }
   return [...seen.values()];
 }
-function mergeConfig(defaults, overrides) {
+function mergeConfig(defaults, overrides, targetDir) {
+  let mergedPreserveFiles;
+  if (overrides.preserveFiles) {
+    const allFiles = [...new Set([...defaults.preserveFiles || [], ...overrides.preserveFiles])];
+    if (targetDir) {
+      const validatedFiles = [];
+      for (const filePath of allFiles) {
+        const validation = validatePreserveFilePath(filePath, targetDir);
+        if (validation.valid) {
+          validatedFiles.push(filePath);
+        } else {
+          warn("config.invalid_preserve_path", {
+            path: filePath,
+            reason: validation.reason ?? "Invalid path"
+          });
+        }
+      }
+      mergedPreserveFiles = validatedFiles;
+    } else {
+      mergedPreserveFiles = allFiles;
+    }
+  } else {
+    mergedPreserveFiles = defaults.preserveFiles;
+  }
   return {
     ...defaults,
     ...overrides,
@@ -445,7 +482,7 @@ function mergeConfig(defaults, overrides) {
       ...defaults.agents,
       ...overrides.agents
     },
-    preserveFiles: overrides.preserveFiles ? [...new Set([...defaults.preserveFiles || [], ...overrides.preserveFiles])] : defaults.preserveFiles,
+    preserveFiles: mergedPreserveFiles,
     customComponents: overrides.customComponents ? deduplicateCustomComponents([
       ...defaults.customComponents || [],
       ...overrides.customComponents
@@ -904,34 +941,60 @@ import { join as join5 } from "node:path";
 // src/core/entry-merger.ts
 var MANAGED_START = "<!-- omcustom:start -->";
 var MANAGED_END = "<!-- omcustom:end -->";
+function isCodeBlockDelimiter(line) {
+  const trimmed = line.trim();
+  return trimmed.startsWith("```") || trimmed.startsWith("~~~");
+}
+function handleManagedStart(currentLines, sections) {
+  if (currentLines.length > 0) {
+    sections.push({
+      type: "custom",
+      content: currentLines.join(`
+`)
+    });
+  }
+  return {
+    currentSection: { type: "managed", content: "" },
+    currentLines: []
+  };
+}
+function handleManagedEnd(currentSection, currentLines, sections) {
+  if (currentSection && currentSection.type === "managed") {
+    currentSection.content = currentLines.join(`
+`);
+    sections.push(currentSection);
+    return {
+      currentSection: null,
+      currentLines: []
+    };
+  }
+  return { currentSection, currentLines };
+}
 function parseEntryDoc(content) {
   const sections = [];
   const lines = content.split(`
 `);
   let currentSection = null;
   let currentLines = [];
+  let insideCodeBlock = false;
   for (const line of lines) {
-    if (line.trim() === MANAGED_START) {
-      if (currentLines.length > 0) {
-        sections.push({
-          type: "custom",
-          content: currentLines.join(`
-`)
-        });
-        currentLines = [];
-      }
-      currentSection = { type: "managed", content: "" };
-      continue;
+    if (isCodeBlockDelimiter(line)) {
+      insideCodeBlock = !insideCodeBlock;
     }
-    if (line.trim() === MANAGED_END) {
-      if (currentSection && currentSection.type === "managed") {
-        currentSection.content = currentLines.join(`
-`);
-        sections.push(currentSection);
-        currentSection = null;
-        currentLines = [];
+    if (!insideCodeBlock) {
+      const trimmed = line.trim();
+      if (trimmed === MANAGED_START) {
+        const result = handleManagedStart(currentLines, sections);
+        currentSection = result.currentSection;
+        currentLines = result.currentLines;
+        continue;
+      }
+      if (trimmed === MANAGED_END) {
+        const result = handleManagedEnd(currentSection, currentLines, sections);
+        currentSection = result.currentSection;
+        currentLines = result.currentLines;
+        continue;
       }
-      continue;
     }
     currentLines.push(line);
   }
@@ -1012,7 +1075,7 @@ async function handleBackupIfRequested(targetDir, provider, backup, result) {
   result.backedUpPaths.push(backupPath);
   info("update.backup_created", { path: backupPath });
 }
-async function processComponentUpdate(targetDir, provider, component, updateCheck, customizations, options, result) {
+async function processComponentUpdate(targetDir, provider, component, updateCheck, customizations, options, result, config) {
   const componentUpdate = updateCheck.updatableComponents.find((c) => c.name === component);
   if (!componentUpdate && !options.force) {
     result.skippedComponents.push(component);
@@ -1024,7 +1087,7 @@ async function processComponentUpdate(targetDir, provider, component, updateChec
     return;
   }
   try {
-    const preserved = await updateComponent(targetDir, provider, component, customizations, options);
+    const preserved = await updateComponent(targetDir, provider, component, customizations, options, config);
     result.updatedComponents.push(component);
     result.preservedFiles.push(...preserved);
   } catch (err) {
@@ -1033,9 +1096,9 @@ async function processComponentUpdate(targetDir, provider, component, updateChec
     result.skippedComponents.push(component);
   }
 }
-async function updateAllComponents(targetDir, provider, components, updateCheck, customizations, options, result) {
+async function updateAllComponents(targetDir, provider, components, updateCheck, customizations, options, result, config) {
   for (const component of components) {
-    await processComponentUpdate(targetDir, provider, component, updateCheck, customizations, options, result);
+    await processComponentUpdate(targetDir, provider, component, updateCheck, customizations, options, result, config);
   }
 }
 function getEntryTemplateName2(provider, language) {
@@ -1052,25 +1115,76 @@ async function backupFile(filePath) {
     debug("update.file_backed_up", { path: filePath, backup: backupPath });
   }
 }
-function resolveCustomizations(customizations, configPreserveFiles) {
-  if (!customizations && configPreserveFiles.length === 0) {
+async function resolveManifestCustomizations(options, targetDir) {
+  if (options.forceOverwriteAll) {
     return null;
   }
-  if (customizations && configPreserveFiles.length > 0) {
-    customizations.preserveFiles = [
-      ...new Set([...customizations.preserveFiles, ...configPreserveFiles])
-    ];
-    return customizations;
+  if (options.preserveCustomizations === false) {
+    return null;
+  }
+  return loadCustomizationManifest(targetDir);
+}
+function resolveConfigPreserveFiles(options, config) {
+  if (options.forceOverwriteAll) {
+    return [];
+  }
+  const preserveFiles = config.preserveFiles || [];
+  const validatedPaths = [];
+  for (const filePath of preserveFiles) {
+    const validation = validatePreserveFilePath(filePath, options.targetDir);
+    if (validation.valid) {
+      validatedPaths.push(filePath);
+    } else {
+      warn("preserve_files.invalid_path", {
+        path: filePath,
+        reason: validation.reason ?? "Invalid path"
+      });
+    }
+  }
+  return validatedPaths;
+}
+function resolveCustomizations(customizations, configPreserveFiles, targetDir) {
+  const validatedManifestFiles = [];
+  if (customizations && customizations.preserveFiles.length > 0) {
+    for (const filePath of customizations.preserveFiles) {
+      const validation = validatePreserveFilePath(filePath, targetDir);
+      if (validation.valid) {
+        validatedManifestFiles.push(filePath);
+      } else {
+        warn("preserve_files.invalid_path", {
+          path: filePath,
+          reason: validation.reason ?? "Invalid path",
+          source: "manifest"
+        });
+      }
+    }
+  }
+  if (validatedManifestFiles.length === 0 && configPreserveFiles.length === 0) {
+    return customizations && customizations.modifiedFiles.length > 0 ? customizations : null;
+  }
+  if (validatedManifestFiles.length > 0 && configPreserveFiles.length > 0) {
+    const merged = customizations || {
+      modifiedFiles: [],
+      preserveFiles: [],
+      customComponents: [],
+      lastUpdated: new Date().toISOString()
+    };
+    merged.preserveFiles = [...new Set([...validatedManifestFiles, ...configPreserveFiles])];
+    return merged;
   }
   if (configPreserveFiles.length > 0) {
     return {
-      modifiedFiles: [],
+      modifiedFiles: customizations?.modifiedFiles || [],
       preserveFiles: configPreserveFiles,
-      customComponents: [],
+      customComponents: customizations?.customComponents || [],
       lastUpdated: new Date().toISOString()
     };
   }
-  return customizations;
+  if (customizations) {
+    customizations.preserveFiles = validatedManifestFiles;
+    return customizations;
+  }
+  return null;
 }
 async function updateEntryDoc(targetDir, provider, config, options) {
   const layout = getProviderLayout(provider);
@@ -1123,11 +1237,11 @@ async function update(options) {
       return result;
     }
     await handleBackupIfRequested(options.targetDir, provider, !!options.backup, result);
-    const manifestCustomizations = options.preserveCustomizations !== false ? await loadCustomizationManifest(options.targetDir) : null;
-    const configPreserveFiles = config.preserveFiles || [];
-    const customizations = resolveCustomizations(manifestCustomizations, configPreserveFiles);
+    const manifestCustomizations = await resolveManifestCustomizations(options, options.targetDir);
+    const configPreserveFiles = resolveConfigPreserveFiles(options, config);
+    const customizations = resolveCustomizations(manifestCustomizations, configPreserveFiles, options.targetDir);
     const components = options.components || getAllUpdateComponents();
-    await updateAllComponents(options.targetDir, provider, components, updateCheck, customizations, options, result);
+    await updateAllComponents(options.targetDir, provider, components, updateCheck, customizations, options, result, config);
     if (!options.components || options.components.length === 0) {
       await updateEntryDoc(options.targetDir, provider, config, options);
     }
@@ -1207,15 +1321,14 @@ async function componentHasUpdate(_targetDir, provider, component, config) {
   const latestVersion = await getLatestVersion(provider);
   return installedVersion !== latestVersion;
 }
-async function updateComponent(targetDir, provider, component, customizations, options) {
+async function updateComponent(targetDir, provider, component, customizations, options, config) {
   const preservedFiles = [];
   const componentPath = getComponentPath2(provider, component);
   const srcPath = resolveTemplatePath(componentPath);
   const destPath = join5(targetDir, componentPath);
-  const config = await loadConfig(targetDir);
   const customComponents = config.customComponents || [];
   const skipPaths = [];
-  if (customizations && options.preserveCustomizations !== false) {
+  if (customizations && !options.forceOverwriteAll) {
     const toPreserve = customizations.preserveFiles.filter((f) => f.startsWith(componentPath));
     preservedFiles.push(...toPreserve);
     skipPaths.push(...toPreserve);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-customcode",
-  "version": "0.9.4",
+  "version": "0.10.1",
   "description": "Batteries-included agent harness for Claude Code",
   "type": "module",
   "bin": {

package/templates/.claude/skills/springboot-best-practices/SKILL.md

@@ -25,104 +25,22 @@ public class UserService {
 ### 3. REST API Design
 @RestController + @RequestMapping. Use @Validated for input, ResponseEntity for responses, proper HTTP status codes.
 
-```java
-@RestController
-@RequestMapping("/api/v1/users")
-@RequiredArgsConstructor
-public class UserController {
-    private final UserService userService;
-
-    @GetMapping("/{id}")
-    public ResponseEntity<UserResponse> getUser(@PathVariable Long id) {
-        return ResponseEntity.ok(userService.findById(id));
-    }
-
-    @PostMapping
-    @ResponseStatus(HttpStatus.CREATED)
-    public UserResponse createUser(@Valid @RequestBody UserRequest request) {
-        return userService.create(request);
-    }
-}
-```
+See `examples/controller-example.java` for reference implementation.
 
 ### 4. Service Layer
 Business logic in services. @Transactional boundaries at service level. Interface + implementation pattern.
 
-```java
-@Service
-@Transactional(readOnly = true)
-@RequiredArgsConstructor
-public class UserServiceImpl implements UserService {
-    private final UserRepository userRepository;
-
-    @Override
-    public UserResponse findById(Long id) {
-        User user = userRepository.findById(id)
-            .orElseThrow(() -> new UserNotFoundException(id));
-        return userMapper.toResponse(user);
-    }
-
-    @Override
-    @Transactional
-    public UserResponse create(UserRequest request) {
-        User user = userMapper.toEntity(request);
-        return userMapper.toResponse(userRepository.save(user));
-    }
-}
-```
+See `examples/service-example.java` for reference implementation.
 
 ### 5. Data Access
 Spring Data JPA. @Query or method naming for custom queries. @Entity with proper JPA annotations.
 
-```java
-public interface UserRepository extends JpaRepository<User, Long> {
-    Optional<User> findByEmail(String email);
-
-    @Query("SELECT u FROM User u WHERE u.status = :status")
-    List<User> findByStatus(@Param("status") UserStatus status);
-}
-
-@Entity
-@Table(name = "users")
-@Getter
-@NoArgsConstructor(access = AccessLevel.PROTECTED)
-public class User {
-    @Id
-    @GeneratedValue(strategy = GenerationType.IDENTITY)
-    private Long id;
-
-    @Column(nullable = false, unique = true)
-    private String email;
-
-    @Enumerated(EnumType.STRING)
-    private UserStatus status;
-}
-```
+See `examples/repository-example.java` and `examples/entity-example.java` for reference implementations.
 
 ### 6. Exception Handling
 @RestControllerAdvice for global handling. Domain-specific exceptions with proper HTTP status mapping.
 
-```java
-@RestControllerAdvice
-public class GlobalExceptionHandler {
-    @ExceptionHandler(UserNotFoundException.class)
-    @ResponseStatus(HttpStatus.NOT_FOUND)
-    public ErrorResponse handleUserNotFound(UserNotFoundException ex) {
-        return new ErrorResponse("USER_NOT_FOUND", ex.getMessage());
-    }
-
-    @ExceptionHandler(MethodArgumentNotValidException.class)
-    @ResponseStatus(HttpStatus.BAD_REQUEST)
-    public ErrorResponse handleValidation(MethodArgumentNotValidException ex) {
-        List<String> errors = ex.getBindingResult()
-            .getFieldErrors()
-            .stream()
-            .map(e -> e.getField() + ": " + e.getDefaultMessage())
-            .toList();
-        return new ErrorResponse("VALIDATION_ERROR", errors);
-    }
-}
-```
+See `examples/exception-handler-example.java` for reference implementation.
 
 ### 7. Configuration
 Profile-based: application-{profile}.yml. @ConfigurationProperties for type-safe config. Externalize sensitive values.
@@ -138,80 +56,17 @@ spring:
     password: ${DATABASE_PASSWORD}
 ```
 
-```java
-@Configuration
-@ConfigurationProperties(prefix = "app")
-@Validated
-public class AppProperties {
-    @NotBlank
-    private String name;
-
-    @Min(1)
-    private int maxConnections;
-}
-```
+See `examples/config-properties-example.java` for type-safe configuration properties.
 
 ### 8. Security
 Spring Security with SecurityFilterChain. Externalize secrets. Proper authentication/authorization patterns.
 
-```java
-@Configuration
-@EnableWebSecurity
-@RequiredArgsConstructor
-public class SecurityConfig {
-    @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        return http
-            .csrf(csrf -> csrf.disable())
-            .sessionManagement(session ->
-                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-            .authorizeHttpRequests(auth -> auth
-                .requestMatchers("/api/v1/auth/**").permitAll()
-                .requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
-                .anyRequest().authenticated())
-            .build();
-    }
-}
-```
+See `examples/security-config-example.java` for reference implementation.
 
 ### 9. Testing
 @WebMvcTest (controller), @DataJpaTest (repository), @SpringBootTest (integration), @MockBean for mocking.
 
-```java
-// Controller test
-@WebMvcTest(UserController.class)
-class UserControllerTest {
-    @Autowired
-    private MockMvc mockMvc;
-
-    @MockBean
-    private UserService userService;
-
-    @Test
-    void getUser_shouldReturnUser() throws Exception {
-        given(userService.findById(1L))
-            .willReturn(new UserResponse(1L, "test@example.com"));
-
-        mockMvc.perform(get("/api/v1/users/1"))
-            .andExpect(status().isOk())
-            .andExpect(jsonPath("$.email").value("test@example.com"));
-    }
-}
-
-// Repository test
-@DataJpaTest
-class UserRepositoryTest {
-    @Autowired
-    private UserRepository userRepository;
-
-    @Test
-    void findByEmail_shouldReturnUser() {
-        User user = userRepository.save(new User("test@example.com"));
-        Optional<User> found = userRepository.findByEmail("test@example.com");
-        assertThat(found).isPresent();
-    }
-}
-```
+See `examples/controller-test-example.java` and `examples/repository-test-example.java` for reference implementations.
 
 ## Application
 

package/templates/.claude/skills/springboot-best-practices/examples/config-properties-example.java

@@ -0,0 +1,22 @@
+package com.example.demo.config;
+
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.NotBlank;
+import lombok.Getter;
+import lombok.Setter;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.validation.annotation.Validated;
+
+@Configuration
+@ConfigurationProperties(prefix = "app")
+@Validated
+@Getter
+@Setter
+public class AppProperties {
+    @NotBlank
+    private String name;
+
+    @Min(1)
+    private int maxConnections;
+}

package/templates/.claude/skills/springboot-best-practices/examples/controller-example.java

@@ -0,0 +1,28 @@
+package com.example.demo.controller;
+
+import com.example.demo.dto.UserRequest;
+import com.example.demo.dto.UserResponse;
+import com.example.demo.service.UserService;
+import jakarta.validation.Valid;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/api/v1/users")
+@RequiredArgsConstructor
+public class UserController {
+    private final UserService userService;
+
+    @GetMapping("/{id}")
+    public ResponseEntity<UserResponse> getUser(@PathVariable Long id) {
+        return ResponseEntity.ok(userService.findById(id));
+    }
+
+    @PostMapping
+    @ResponseStatus(HttpStatus.CREATED)
+    public UserResponse createUser(@Valid @RequestBody UserRequest request) {
+        return userService.create(request);
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/controller-test-example.java

@@ -0,0 +1,33 @@
+package com.example.demo.controller;
+
+import com.example.demo.dto.UserResponse;
+import com.example.demo.service.UserService;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.mockito.BDDMockito.given;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@WebMvcTest(UserController.class)
+class UserControllerTest {
+    @Autowired
+    private MockMvc mockMvc;
+
+    @MockBean
+    private UserService userService;
+
+    @Test
+    void getUser_shouldReturnUser() throws Exception {
+        given(userService.findById(1L))
+            .willReturn(new UserResponse(1L, "test@example.com"));
+
+        mockMvc.perform(get("/api/v1/users/1"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$.email").value("test@example.com"));
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/entity-example.java

@@ -0,0 +1,22 @@
+package com.example.demo.entity;
+
+import jakarta.persistence.*;
+import lombok.AccessLevel;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+
+@Entity
+@Table(name = "users")
+@Getter
+@NoArgsConstructor(access = AccessLevel.PROTECTED)
+public class User {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(nullable = false, unique = true)
+    private String email;
+
+    @Enumerated(EnumType.STRING)
+    private UserStatus status;
+}

package/templates/.claude/skills/springboot-best-practices/examples/exception-handler-example.java

@@ -0,0 +1,30 @@
+package com.example.demo.exception;
+
+import com.example.demo.dto.ErrorResponse;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.MethodArgumentNotValidException;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+
+import java.util.List;
+
+@RestControllerAdvice
+public class GlobalExceptionHandler {
+    @ExceptionHandler(UserNotFoundException.class)
+    @ResponseStatus(HttpStatus.NOT_FOUND)
+    public ErrorResponse handleUserNotFound(UserNotFoundException ex) {
+        return new ErrorResponse("USER_NOT_FOUND", ex.getMessage());
+    }
+
+    @ExceptionHandler(MethodArgumentNotValidException.class)
+    @ResponseStatus(HttpStatus.BAD_REQUEST)
+    public ErrorResponse handleValidation(MethodArgumentNotValidException ex) {
+        List<String> errors = ex.getBindingResult()
+            .getFieldErrors()
+            .stream()
+            .map(e -> e.getField() + ": " + e.getDefaultMessage())
+            .toList();
+        return new ErrorResponse("VALIDATION_ERROR", errors);
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/repository-example.java

@@ -0,0 +1,17 @@
+package com.example.demo.repository;
+
+import com.example.demo.entity.User;
+import com.example.demo.entity.UserStatus;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+
+import java.util.List;
+import java.util.Optional;
+
+public interface UserRepository extends JpaRepository<User, Long> {
+    Optional<User> findByEmail(String email);
+
+    @Query("SELECT u FROM User u WHERE u.status = :status")
+    List<User> findByStatus(@Param("status") UserStatus status);
+}

package/templates/.claude/skills/springboot-best-practices/examples/repository-test-example.java

@@ -0,0 +1,23 @@
+package com.example.demo.repository;
+
+import com.example.demo.entity.User;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
+
+import java.util.Optional;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@DataJpaTest
+class UserRepositoryTest {
+    @Autowired
+    private UserRepository userRepository;
+
+    @Test
+    void findByEmail_shouldReturnUser() {
+        User user = userRepository.save(new User("test@example.com"));
+        Optional<User> found = userRepository.findByEmail("test@example.com");
+        assertThat(found).isPresent();
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/security-config-example.java

@@ -0,0 +1,27 @@
+package com.example.demo.config;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+@RequiredArgsConstructor
+public class SecurityConfig {
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        return http
+            .csrf(csrf -> csrf.disable())
+            .sessionManagement(session ->
+                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+            .authorizeHttpRequests(auth -> auth
+                .requestMatchers("/api/v1/auth/**").permitAll()
+                .requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
+                .anyRequest().authenticated())
+            .build();
+    }
+}

package/templates/.claude/skills/springboot-best-practices/examples/service-example.java

@@ -0,0 +1,33 @@
+package com.example.demo.service;
+
+import com.example.demo.dto.UserRequest;
+import com.example.demo.dto.UserResponse;
+import com.example.demo.entity.User;
+import com.example.demo.exception.UserNotFoundException;
+import com.example.demo.mapper.UserMapper;
+import com.example.demo.repository.UserRepository;
+import lombok.RequiredArgsConstructor;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+@Service
+@Transactional(readOnly = true)
+@RequiredArgsConstructor
+public class UserServiceImpl implements UserService {
+    private final UserRepository userRepository;
+    private final UserMapper userMapper;
+
+    @Override
+    public UserResponse findById(Long id) {
+        User user = userRepository.findById(id)
+            .orElseThrow(() -> new UserNotFoundException(id));
+        return userMapper.toResponse(user);
+    }
+
+    @Override
+    @Transactional
+    public UserResponse create(UserRequest request) {
+        User user = userMapper.toEntity(request);
+        return userMapper.toResponse(userRepository.save(user));
+    }
+}