omegon 0.6.0

package/skills/python/SKILL.md

@@ -0,0 +1,189 @@
+---
+name: python
+description: Python development guidance. Covers project setup (pyproject.toml, src/ layout), testing (pytest), linting (ruff), type checking (mypy), packaging, venv management, and CI/CD patterns. Use when creating, modifying, or debugging Python code.
+guardrails:
+  - name: typecheck
+    cmd: mypy src/
+    timeout: 60
+    condition: file_exists(pyproject.toml)
+  - name: lint
+    cmd: ruff check .
+    timeout: 30
+    condition: file_exists(pyproject.toml)
+---
+
+# Python Development Skill
+
+Conventions, tooling, and patterns for Python development.
+
+## Core Conventions
+
+- **Python 3.11+** minimum
+- **src/ layout** (PEP 517) for all packages
+- **pyproject.toml** is the single config file — no `.cfg`, `.ini`, or separate `.toml`
+- **venv + pip** for environment management — no poetry, no conda
+- **Makefile** (or justfile) wraps all dev commands
+- **Editable install**: `pip install -e ".[dev]"` for development
+
+## Project Scaffold
+
+```
+<project>/
+├── pyproject.toml          # All config: build, deps, ruff, mypy, pytest
+├── Makefile                # Dev workflow: test, lint, format, typecheck, validate
+├── src/<package>/          # Source code (src/ layout)
+│   ├── __init__.py         # __version__ = "0.1.0"
+│   └── ...
+├── tests/
+│   ├── conftest.py         # Shared fixtures
+│   └── test_*.py
+└── .github/workflows/ci.yml
+```
+
+**Build backend choice:**
+| Project Type | Backend |
+|-------------|---------|
+| Library / CLI tool | hatchling |
+| Daemon / application | setuptools |
+
+## Tooling Quick Reference
+
+### Ruff (Linting + Formatting)
+
+```toml
+[tool.ruff]
+line-length = 100
+target-version = "py311"
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP", "B", "SIM", "RUF"]
+ignore = ["E501"]
+
+[tool.ruff.lint.per-file-ignores]
+"__init__.py" = ["F401"]
+
+[tool.ruff.lint.isort]
+known-first-party = ["<package>"]
+```
+
+```bash
+ruff check .              # Lint
+ruff check --fix .        # Lint + auto-fix
+ruff format .             # Format (replaces black)
+ruff format --check .     # Format check (CI)
+```
+
+### Mypy (Type Checking)
+
+**New projects** — use `strict = true`.
+**Projects with untyped deps** — use `ignore_missing_imports = true`, `disallow_untyped_defs = false`.
+
+```toml
+[tool.mypy]
+python_version = "3.11"
+strict = true
+warn_return_any = true
+warn_unused_ignores = true
+```
+
+### Pytest
+
+```toml
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+addopts = "-v --strict-markers"
+asyncio_mode = "auto"
+markers = [
+    "slow: marks tests as slow",
+    "smoke: quick validation tests",
+    "integration: requires external services",
+]
+```
+
+**Key commands:**
+```bash
+pytest                          # All tests
+pytest -m smoke                 # Quick validation only
+pytest -m "not slow"            # Skip slow tests
+pytest -x                       # Stop on first failure
+pytest --lf                     # Rerun last failures
+pytest -k "test_connect"        # Name pattern
+pytest --cov=src --cov-report=term-missing  # Coverage
+```
+
+## Virtual Environment
+
+```bash
+python3 -m venv .venv
+source .venv/bin/activate
+pip install --upgrade pip
+pip install -e ".[dev]"
+```
+
+## Testing Patterns
+
+### Async Tests
+
+With `asyncio_mode = "auto"`, async tests work without decorators:
+
+```python
+async def test_connection():
+    client = await connect()
+    assert client.is_connected
+```
+
+## Python Idioms
+
+| Pattern | Convention |
+|---------|-----------|
+| Paths | `pathlib.Path`, never `os.path` |
+| Data models | `dataclasses` for internal, Pydantic at validation boundaries |
+| Imports | stdlib / third-party / local (ruff `I` rule enforces) |
+| Async | `asyncio.gather` for concurrency, `asyncio.wait_for` for timeouts |
+| Logging | `logging.getLogger(__name__)` |
+| Entry points | `def main() -> int:` registered via `[project.scripts]` |
+| Version | Single source in `__init__.py`, read by build backend |
+
+## Packaging
+
+```bash
+python -m build       # Produces dist/*.whl + dist/*.tar.gz
+twine upload dist/*   # Publish to PyPI
+```
+
+Use trusted publishing (OIDC) via `pypa/gh-action-pypi-publish` in CI.
+
+## CI/CD Template
+
+```yaml
+name: CI
+on: [push, pull_request]
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - run: pip install -e ".[dev]"
+      - run: ruff format --check .
+      - run: ruff check .
+      - run: mypy src/
+      - run: pytest --cov=src --cov-report=term-missing
+```
+
+## Common Gotchas
+
+| Issue | Fix |
+|-------|-----|
+| Import from src/ fails | `pip install -e ".[dev]"` |
+| `ModuleNotFoundError` in tests | Check `testpaths`, verify conftest.py exists |
+| Async test hangs | Missing `await`, or add `asyncio.wait_for` timeout |
+| Type stubs missing | Add `types-<pkg>` to dev deps, or `ignore_missing_imports` |
+| Version mismatch | Single source: `__version__` in `__init__.py`, read by build backend |
+</content>
+</invoke>

package/skills/rust/SKILL.md

@@ -0,0 +1,268 @@
+---
+name: rust
+description: Rust development guidance including Zellij WASM plugin development. Covers project setup (Cargo.toml), testing, clippy, rustfmt, CI/CD patterns, and the zellij-tile plugin API. Use when creating, modifying, or debugging Rust code or Zellij plugins.
+guardrails:
+  - name: clippy
+    cmd: cargo clippy -- -D warnings
+    timeout: 120
+    condition: file_exists(Cargo.toml)
+  - name: test
+    cmd: cargo test
+    timeout: 120
+    condition: file_exists(Cargo.toml)
+---
+
+# Rust Development Skill
+
+Conventions for Rust development, with a dedicated section for Zellij WASM plugin development.
+
+## Core Conventions
+
+- **Rust stable** toolchain (`rustup default stable`)
+- **Cargo** for build, test, lint, format — no external build tools needed
+- **clippy** for linting, **rustfmt** for formatting
+- **Edition 2021** minimum
+- Workspace layout for multi-crate projects, single `Cargo.toml` otherwise
+
+## Project Scaffold
+
+```
+<project>/
+├── Cargo.toml              # Package metadata, deps, lint config
+├── rustfmt.toml            # max_width = 100
+├── src/
+│   ├── lib.rs              # Library root (or main.rs for binary)
+│   └── ...
+├── tests/
+│   └── integration_test.rs
+└── .github/workflows/ci.yml
+```
+
+## Tooling Quick Reference
+
+### Clippy (Linting)
+
+```bash
+cargo clippy                        # Lint
+cargo clippy -- -D warnings         # Warnings as errors (CI)
+cargo clippy --all-targets           # Include tests/benches
+cargo clippy --fix                   # Auto-fix
+```
+
+Project config in `Cargo.toml`:
+```toml
+[lints.clippy]
+pedantic = { level = "warn", priority = -1 }
+unwrap_used = "warn"
+```
+
+### Rustfmt (Formatting)
+
+```bash
+cargo fmt                           # Format
+cargo fmt -- --check                # Check only (CI)
+```
+
+### Build & Test
+
+```bash
+cargo build                         # Debug build
+cargo build --release               # Release build
+cargo test                          # All tests
+cargo test -- --nocapture            # Show println output
+cargo test test_name                 # Specific test
+cargo test --lib                     # Unit tests only
+cargo test --test integration_test   # Specific integration test
+```
+
+### Other Useful Commands
+
+```bash
+cargo doc --open                    # Generate and browse docs
+cargo audit                         # Security vulnerability check
+cargo tree                          # Dependency tree
+cargo expand                        # Macro expansion
+```
+
+## Testing Patterns
+
+### Unit Tests (in-module)
+
+```rust
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_valid() {
+        let result = parse("input");
+        assert_eq!(result, expected);
+    }
+}
+```
+
+### Async Tests (tokio)
+
+```rust
+#[tokio::test]
+async fn test_async_op() {
+    let result = fetch_data().await;
+    assert!(result.is_ok());
+}
+```
+
+## Error Handling
+
+| Context | Pattern |
+|---------|---------|
+| Libraries | `thiserror::Error` derive for custom error types |
+| Applications | `anyhow::Result` for ergonomic error propagation |
+| Unwrap | Never in library code; `expect("reason")` in main/tests only |
+
+## Common Dependencies
+
+| Crate | Purpose |
+|-------|---------|
+| `serde` + `serde_json` | Serialization |
+| `tokio` | Async runtime |
+| `anyhow` / `thiserror` | Error handling |
+| `clap` | CLI parsing |
+| `tracing` | Structured logging |
+
+## CI/CD
+
+```yaml
+name: CI
+on: [push, pull_request]
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo fmt -- --check
+      - run: cargo clippy -- -D warnings
+      - run: cargo test
+```
+
+---
+
+## Zellij WASM Plugin Development
+
+Zellij plugins are Rust crates compiled to `wasm32-wasip1`, loaded by the Zellij multiplexer. The `zellij-tile` crate provides the plugin API.
+
+### Setup
+
+```bash
+rustup target add wasm32-wasip1
+cargo build --release --target wasm32-wasip1
+# Output: target/wasm32-wasip1/release/<name>.wasm
+```
+
+### Plugin Cargo.toml
+
+```toml
+[dependencies]
+zellij-tile = "0.41"        # Match your Zellij version
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+
+[profile.release]
+opt-level = "s"             # Optimize for WASM size
+lto = true
+strip = true
+```
+
+### Plugin Lifecycle
+
+```rust
+use zellij_tile::prelude::*;
+
+#[derive(Default)]
+struct MyPlugin { /* state */ }
+
+impl ZellijPlugin for MyPlugin {
+    fn load(&mut self, config: BTreeMap<String, String>) {
+        subscribe(&[EventType::Timer, EventType::Key]);
+        request_permission(&[PermissionType::ReadApplicationState]);
+        set_timeout(10.0);
+    }
+
+    fn update(&mut self, event: Event) -> bool {
+        match event {
+            Event::Timer(_) => { set_timeout(10.0); true }
+            _ => false,
+        }
+    }
+
+    fn render(&mut self, rows: usize, cols: usize) {
+        print!("status: ok");
+    }
+
+    fn pipe(&mut self, pipe_message: PipeMessage) -> bool {
+        false
+    }
+}
+
+register_plugin!(MyPlugin);
+```
+
+### Permissions
+
+| Permission | Allows |
+|-----------|--------|
+| `ReadApplicationState` | Query panes, tabs, session info |
+| `ChangeApplicationState` | Create/close panes/tabs, switch focus |
+| `RunCommands` | Execute commands in panes |
+| `OpenFiles` | Open files in editor panes |
+| `WriteToStdin` | Write to pane stdin |
+| `ReadCliPipes` | Receive `zellij pipe` messages |
+
+### External Communication via Pipes
+
+```bash
+echo '{"status":"ok"}' | zellij pipe --plugin "file:plugin.wasm" --name "update"
+```
+
+Plugin handles in `fn pipe()`. Primary pattern for bridging external events into WASM plugins (WASM can't open sockets directly).
+
+### Loading in KDL Layouts
+
+```kdl
+pane size=1 borderless=true {
+    plugin location="file:/path/to/plugin.wasm"
+}
+```
+
+### WASM Constraints
+
+| Limitation | Workaround |
+|-----------|------------|
+| No sockets | `zellij pipe` bridge from external script |
+| No threads | `ZellijWorker` for background work |
+| No system clock | `set_timeout()` for time-based logic |
+| Binary size | `opt-level = "s"`, LTO, strip |
+
+## Debugging
+
+```bash
+cargo test -- --nocapture           # Show test output
+RUST_BACKTRACE=1 cargo test         # Full backtraces
+RUST_LOG=debug cargo run            # With tracing/env_logger
+
+# WASM plugins
+tail -f /tmp/zellij-*/zellij-log/zellij.log
+```
+
+## Common Gotchas
+
+| Issue | Fix |
+|-------|-----|
+| `wasm32-wasip1` not found | `rustup target add wasm32-wasip1` |
+| Plugin won't load | Check Zellij version matches `zellij-tile` crate version |
+| Clippy too noisy | Tune via `[lints.clippy]` in Cargo.toml |
+| WASM binary too large | `opt-level = "s"`, `lto = true`, `strip = true` |
+| Can't open sockets in WASM | Use `zellij pipe` bridge pattern |
+| Plugin doesn't re-render | Return `true` from `update()` or `pipe()` |
+</content>
+</invoke>

package/skills/security/SKILL.md

@@ -0,0 +1,206 @@
+---
+name: security
+description: Security checklist for code review and implementation. Covers input escaping, injection prevention, path traversal, process safety, dependency integrity, and secrets management. Load when working on user-facing code, template rendering, or process spawning.
+---
+
+# Security Skill
+
+Defensive coding practices. Apply these checks during implementation and review.
+
+## Input Escaping
+
+### Never interpolate user input into templates, scripts, or SQL
+
+```rust
+// ❌ XSS: user-controlled value injected into JS string
+let js = format!("var id = '{}';", user_input);
+
+// ✅ Escape special characters before interpolation
+fn escape_js_string(s: &str) -> String {
+    s.replace('\\', "\\\\")
+     .replace('\'', "\\'")
+     .replace('"', "\\\"")
+     .replace('<', "\\x3c")
+     .replace('>', "\\x3e")
+     .replace('\n', "\\n")
+     .replace('\r', "\\r")
+}
+let js = format!("var id = '{}';", escape_js_string(user_input));
+```
+
+```typescript
+// ❌ Template injection
+const html = `<div>${userInput}</div>`;
+
+// ✅ Escape HTML entities
+function escapeHtml(s: string): string {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
+          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+const html = `<div>${escapeHtml(userInput)}</div>`;
+```
+
+### Context matters — escape for the target language
+
+| Context | Escape | Characters |
+|---------|--------|------------|
+| HTML body | HTML entities | `& < > "` |
+| HTML attribute | HTML entities + quote | `& < > " '` |
+| JavaScript string | JS escapes | `\ ' " < > \n \r` |
+| URL parameter | `encodeURIComponent` | All non-unreserved |
+| SQL | Parameterized queries | Never interpolate |
+| Shell command | Avoid if possible | Use `spawn(cmd, [args])` not `exec(string)` |
+
+## Path Traversal
+
+### Validate that resolved paths stay within the expected root
+
+```typescript
+// ❌ User can escape with ../../etc/passwd
+const filePath = join(rootDir, userInput);
+
+// ✅ Resolve and verify containment
+const resolved = resolve(rootDir, userInput);
+if (!resolved.startsWith(resolve(rootDir) + sep) && resolved !== resolve(rootDir)) {
+  throw new Error("Path traversal attempt");
+}
+```
+
+```rust
+// ❌ No validation
+let path = root.join(&user_path);
+
+// ✅ Canonicalize and check prefix
+let canonical = path.canonicalize()?;
+if !canonical.starts_with(&root.canonicalize()?) {
+    return Err("Path traversal".into());
+}
+```
+
+### Reject suspicious path components
+
+- `..` segments
+- Null bytes (`%00`, `\0`)
+- Absolute paths when relative expected
+- Symlinks that escape the root (use `canonicalize`/`realpath`)
+
+## Process Spawning
+
+### Use `spawn` with argument arrays, never shell interpolation
+
+```typescript
+// ❌ Shell injection via userInput
+execSync(`grep ${userInput} file.txt`);
+
+// ✅ Arguments are not shell-interpreted
+spawn("grep", [userInput, "file.txt"], { stdio: "pipe" });
+```
+
+### Never use `stdio: "inherit"` in TUI applications
+
+Inherited stdio corrupts the terminal UI. Always use `"pipe"` or `"ignore"`.
+
+```typescript
+// ❌ Corrupts TUI
+spawn("some-tool", [], { stdio: "inherit" });
+
+// ✅ Capture or discard
+spawn("some-tool", [], { stdio: "pipe" });
+spawn("some-tool", [], { stdio: "ignore" }); // fire-and-forget
+```
+
+### Limit `pkill`/`killall` scope
+
+```typescript
+// ❌ Matches any process with "serve" in its command line
+execSync("pkill -f 'ollama serve'");
+
+// ✅ Track the PID you spawned and kill that specifically
+if (child) { child.kill("SIGTERM"); child = null; }
+```
+
+### Set timeouts on child processes
+
+```typescript
+const child = spawn("cmd", args);
+const timer = setTimeout(() => {
+  child.kill("SIGTERM");
+}, 300_000); // 5 min timeout
+
+child.on("exit", () => clearTimeout(timer));
+```
+
+## Dependency Integrity
+
+### Pin CDN resources with Subresource Integrity (SRI)
+
+```html
+<!-- ❌ No integrity check — CDN compromise = XSS -->
+<script src="https://cdn.example.com/lib.js"></script>
+
+<!-- ✅ SRI hash — browser rejects tampered content -->
+<script src="https://cdn.example.com/lib.js"
+        integrity="sha384-abc123..."
+        crossorigin="anonymous"></script>
+```
+
+### Prefer bundling over CDN for offline-first tools
+
+```rust
+// ✅ Bundle at compile time — no network dependency
+const JS: &str = include_str!("../static/lib.min.js");
+```
+
+```typescript
+// ✅ Import from node_modules, bundler handles it
+import { force } from "force-graph";
+```
+
+## Secrets Management
+
+- **Never hardcode secrets** — use environment variables or secret managers.
+- **Never log secrets** — mask or omit sensitive values from log output.
+- **Never commit secrets** — use `.gitignore` and pre-commit hooks.
+- **Rotate on exposure** — if a secret appears in a commit, rotate immediately.
+
+```typescript
+// ❌ Hardcoded
+const apiKey = "sk-abc123";
+
+// ✅ Environment variable
+const apiKey = process.env.API_KEY;
+if (!apiKey) throw new Error("API_KEY not set");
+```
+
+## TOCTOU (Time-of-Check to Time-of-Use)
+
+When you check a condition and then act on it, the condition may change between check and action.
+
+```typescript
+// ❌ TOCTOU: file may be deleted between check and read
+if (existsSync(path)) {
+  const data = readFileSync(path); // may throw ENOENT
+}
+
+// ✅ Just try the operation and handle the error
+try {
+  const data = readFileSync(path);
+} catch (err) {
+  if ((err as NodeJS.ErrnoException).code === "ENOENT") {
+    // file doesn't exist — handle gracefully
+  } else throw err;
+}
+```
+
+## Checklist
+
+Before submitting code that handles external input:
+
+- [ ] All user/external input is escaped for its target context
+- [ ] File paths are validated against a root directory
+- [ ] Child processes use argument arrays, not shell strings
+- [ ] No `stdio: "inherit"` in TUI-hosted code
+- [ ] CDN resources have SRI hashes or are bundled locally
+- [ ] No secrets in source code or logs
+- [ ] Error messages don't leak internal paths or stack traces to end users
+- [ ] Timeouts set on all network requests and child processes