opencode-metis 0.1.0

package/opencode/skill/coding-conventions/checklists/accessibility-checklist.md

@@ -0,0 +1,176 @@
+# Accessibility Checklist
+
+WCAG 2.1 Level AA compliance checklist for inclusive design.
+
+## Perceivable
+
+### Text Alternatives (1.1)
+
+- [ ] All images have meaningful alt text describing content or function
+- [ ] Decorative images have empty alt (`alt=""`) or are CSS backgrounds
+- [ ] Complex images (charts, diagrams) have extended descriptions
+- [ ] Icons used as controls have accessible labels
+- [ ] CAPTCHAs provide alternative methods
+
+### Time-Based Media (1.2)
+
+- [ ] Videos have captions
+- [ ] Videos have audio descriptions for visual-only content
+- [ ] Live audio content has captions
+- [ ] Pre-recorded audio has transcripts
+
+### Adaptable (1.3)
+
+- [ ] Content structure uses semantic HTML (headings, lists, tables)
+- [ ] Heading hierarchy is logical (h1 -> h2 -> h3)
+- [ ] Tables have proper headers (`<th>` with scope)
+- [ ] Form inputs have associated labels
+- [ ] Reading order is logical when CSS is disabled
+- [ ] Instructions do not rely solely on sensory characteristics (color, shape)
+
+### Distinguishable (1.4)
+
+- [ ] Color is not the only means of conveying information
+- [ ] Text color contrast ratio is at least 4.5:1 (3:1 for large text)
+- [ ] UI component contrast ratio is at least 3:1
+- [ ] Text can be resized to 200% without loss of content
+- [ ] Text is not in images (except logos)
+- [ ] Content reflows at 320px width without horizontal scrolling
+- [ ] Line height is at least 1.5, paragraph spacing at least 2x font size
+- [ ] No content is lost when user overrides text spacing
+
+## Operable
+
+### Keyboard Accessible (2.1)
+
+- [ ] All functionality is available via keyboard
+- [ ] No keyboard traps (user can navigate away from all components)
+- [ ] Keyboard shortcuts can be turned off or remapped
+- [ ] Focus order is logical and intuitive
+- [ ] Custom components have appropriate keyboard interactions
+
+### Enough Time (2.2)
+
+- [ ] Time limits can be turned off, adjusted, or extended
+- [ ] Auto-updating content can be paused, stopped, or hidden
+- [ ] No timing-dependent interactions unless essential
+- [ ] Session timeouts warn users and allow extension
+
+### Seizures and Physical Reactions (2.3)
+
+- [ ] No content flashes more than 3 times per second
+- [ ] Motion animations can be disabled (respect prefers-reduced-motion)
+
+### Navigable (2.4)
+
+- [ ] Skip link allows bypassing repetitive content
+- [ ] Pages have descriptive titles
+- [ ] Focus order matches visual order
+- [ ] Link purpose is clear from link text (not "click here")
+- [ ] Multiple ways to find pages (navigation, search, sitemap)
+- [ ] Headings and labels describe content
+- [ ] Focus indicator is visible
+
+### Input Modalities (2.5)
+
+- [ ] Touch targets are at least 44x44 CSS pixels
+- [ ] Functionality requiring multi-point gestures has alternatives
+- [ ] Functionality requiring motion has alternatives
+- [ ] Dragging operations have single-pointer alternatives
+
+## Understandable
+
+### Readable (3.1)
+
+- [ ] Page language is set (`<html lang="en">`)
+- [ ] Language changes within content are marked
+- [ ] Unusual words or jargon are defined
+- [ ] Abbreviations are expanded on first use
+
+### Predictable (3.2)
+
+- [ ] Focus does not trigger unexpected context changes
+- [ ] Input does not automatically trigger context changes
+- [ ] Navigation is consistent across pages
+- [ ] Components with same function are identified consistently
+
+### Input Assistance (3.3)
+
+- [ ] Error messages identify the field and describe the error
+- [ ] Form fields have labels and instructions
+- [ ] Error suggestions are provided when known
+- [ ] Users can review, correct, and confirm submissions
+- [ ] Help is available for complex inputs
+
+## Robust
+
+### Compatible (4.1)
+
+- [ ] HTML is valid and well-formed
+- [ ] Custom components have proper ARIA roles, states, and properties
+- [ ] Status messages are announced by screen readers (aria-live)
+- [ ] Name, role, and value are programmatically determinable
+
+## Component-Specific Checks
+
+### Forms
+
+- [ ] All inputs have visible labels
+- [ ] Required fields are indicated (not by color alone)
+- [ ] Error messages are associated with inputs
+- [ ] Form validation errors are announced
+- [ ] Autocomplete attributes are used appropriately
+
+### Modals and Dialogs
+
+- [ ] Focus moves to modal when opened
+- [ ] Focus is trapped within modal while open
+- [ ] Focus returns to trigger element when closed
+- [ ] Modal can be closed with Escape key
+- [ ] Background content is hidden from screen readers (aria-hidden)
+
+### Navigation Menus
+
+- [ ] Current page/section is indicated
+- [ ] Dropdowns are keyboard accessible
+- [ ] Expanded/collapsed state is announced (aria-expanded)
+- [ ] Mobile menu is accessible
+
+### Data Tables
+
+- [ ] Headers are properly associated with cells
+- [ ] Complex tables use id/headers attributes
+- [ ] Sortable columns indicate sort state
+- [ ] Tables are not used for layout
+
+### Carousels and Sliders
+
+- [ ] Pause control is available for auto-advancing
+- [ ] Navigation controls are keyboard accessible
+- [ ] Current slide is announced to screen readers
+- [ ] Slide content is accessible when visible
+
+## Testing Methods
+
+### Automated Testing
+
+- [ ] axe-core or similar tool runs in CI
+- [ ] Lighthouse accessibility audit passes
+- [ ] HTML validation passes
+
+### Manual Testing
+
+- [ ] Navigate entire interface with keyboard only
+- [ ] Test with screen reader (VoiceOver, NVDA)
+- [ ] Test with browser zoom at 200%
+- [ ] Test with high contrast mode
+- [ ] Test with prefers-reduced-motion enabled
+
+## Usage Notes
+
+1. Accessibility is a legal requirement in many jurisdictions
+2. Not every item applies to every component - use judgment
+3. Automated tools catch only ~30% of issues - manual testing is essential
+4. Include users with disabilities in usability testing when possible
+5. Document exceptions with rationale and remediation plan
+6. Accessibility should be part of the definition of done

package/opencode/skill/coding-conventions/checklists/performance-checklist.md

@@ -0,0 +1,154 @@
+# Performance Checklist
+
+Actionable performance optimization checks for frontend, backend, and database operations.
+
+## Frontend Performance
+
+### Initial Load
+
+- [ ] Critical CSS is inlined or loaded first
+- [ ] JavaScript is deferred or loaded async where possible
+- [ ] Images are lazy-loaded below the fold
+- [ ] Web fonts use `font-display: swap` to prevent blocking
+- [ ] Bundle size is monitored and kept under budget
+- [ ] Code splitting is used for route-based chunks
+- [ ] Tree shaking removes unused code
+
+### Runtime Performance
+
+- [ ] Long lists use virtualization (render only visible items)
+- [ ] Expensive calculations are memoized
+- [ ] React/Vue components avoid unnecessary re-renders
+- [ ] Event handlers are debounced or throttled where appropriate
+- [ ] Animations use CSS transforms, not layout-triggering properties
+- [ ] Large data processing uses Web Workers
+
+### Assets
+
+- [ ] Images are properly sized (not scaling down large images)
+- [ ] Modern image formats used (WebP, AVIF with fallbacks)
+- [ ] Images are compressed without quality loss
+- [ ] SVGs are optimized and used for icons
+- [ ] Fonts are subsetted to include only needed characters
+- [ ] Assets are served from CDN
+
+### Caching
+
+- [ ] Static assets have cache-control headers with long max-age
+- [ ] Asset filenames include content hash for cache busting
+- [ ] Service worker caches critical resources
+- [ ] API responses include appropriate cache headers
+
+## Backend Performance
+
+### Request Handling
+
+- [ ] Endpoints respond within acceptable latency targets
+- [ ] Heavy operations are processed asynchronously
+- [ ] Request payload size limits are enforced
+- [ ] Response payloads include only necessary data
+- [ ] Pagination is used for list endpoints
+- [ ] Compression (gzip, brotli) is enabled
+
+### Computation
+
+- [ ] CPU-intensive tasks are offloaded to worker processes
+- [ ] Algorithms have acceptable time complexity for data size
+- [ ] Loops avoid unnecessary iterations
+- [ ] String concatenation in loops uses efficient methods
+- [ ] Regular expressions are optimized and avoid catastrophic backtracking
+
+### Caching
+
+- [ ] Frequently accessed data is cached in memory (Redis, Memcached)
+- [ ] Cache invalidation strategy is defined
+- [ ] Cache hit rates are monitored
+- [ ] Cache keys are designed to avoid collisions
+- [ ] TTLs are set appropriately for data freshness requirements
+
+### External Services
+
+- [ ] API calls are batched where possible
+- [ ] Circuit breakers prevent cascading failures
+- [ ] Timeouts are set on all external calls
+- [ ] Retries use exponential backoff
+- [ ] Connection pools are sized appropriately
+
+## Database Performance
+
+### Query Optimization
+
+- [ ] Queries retrieve only needed columns (no SELECT *)
+- [ ] Indexes exist for frequently queried columns
+- [ ] Composite indexes match query patterns
+- [ ] N+1 query problems are eliminated (use JOINs or batch loading)
+- [ ] Query execution plans are reviewed for slow queries
+- [ ] LIMIT is used for large result sets
+
+### Schema Design
+
+- [ ] Tables are normalized appropriately (avoid over-normalization)
+- [ ] Data types are sized correctly (not oversized)
+- [ ] Foreign keys have indexes
+- [ ] Frequently accessed fields are not in separate tables requiring JOINs
+
+### Connection Management
+
+- [ ] Connection pooling is configured
+- [ ] Pool size matches expected concurrency
+- [ ] Connections are released promptly after use
+- [ ] Long-running transactions are avoided
+- [ ] Read replicas are used for read-heavy workloads
+
+### Data Lifecycle
+
+- [ ] Old data is archived or deleted according to policy
+- [ ] Large tables have partitioning strategy
+- [ ] Bulk operations are batched to avoid lock contention
+- [ ] Indexes are rebuilt periodically if needed
+
+## API Performance
+
+### Design
+
+- [ ] Endpoints support field selection (sparse fieldsets)
+- [ ] Batch endpoints available for multiple-item operations
+- [ ] GraphQL queries have depth/complexity limits
+- [ ] Large responses support streaming or pagination
+
+### Network
+
+- [ ] HTTP/2 or HTTP/3 is enabled
+- [ ] Keep-alive connections are used
+- [ ] Response compression is enabled
+- [ ] CDN caching is used for cacheable responses
+
+## Monitoring and Measurement
+
+### Metrics
+
+- [ ] Response time percentiles are tracked (p50, p95, p99)
+- [ ] Error rates are monitored
+- [ ] Resource utilization is tracked (CPU, memory, connections)
+- [ ] Throughput is measured under load
+
+### Alerting
+
+- [ ] Latency degradation triggers alerts
+- [ ] Resource exhaustion triggers alerts
+- [ ] Error rate spikes trigger alerts
+
+### Profiling
+
+- [ ] Production profiling tools are available
+- [ ] Slow query logging is enabled
+- [ ] Application performance monitoring (APM) is configured
+
+## Usage Notes
+
+1. Measure before optimizing - identify actual bottlenecks
+2. Set performance budgets and enforce them in CI
+3. Not every optimization applies to every system
+4. Document performance-critical paths
+5. Load test under realistic conditions
+6. Performance regression tests should be part of CI/CD

package/opencode/skill/coding-conventions/checklists/security-checklist.md

@@ -0,0 +1,127 @@
+# Security Checklist
+
+OWASP Top 10 aligned security checks for code review and implementation validation.
+
+## A01: Broken Access Control
+
+- [ ] All endpoints verify user authentication before processing
+- [ ] Authorization checks occur on every request, not just UI hiding
+- [ ] Users cannot access resources belonging to other users by modifying IDs
+- [ ] Directory traversal attacks are prevented (no `../` in file paths)
+- [ ] CORS is configured to allow only trusted origins
+- [ ] Default deny: access requires explicit grant, not explicit denial
+
+## A02: Cryptographic Failures
+
+- [ ] Sensitive data is encrypted at rest (database, file storage)
+- [ ] TLS 1.2+ is enforced for all data in transit
+- [ ] Passwords use strong hashing (bcrypt, argon2) with appropriate cost
+- [ ] No hardcoded secrets, API keys, or credentials in code
+- [ ] Secrets are stored in environment variables or secret managers
+- [ ] Cryptographic keys are rotated on a schedule
+- [ ] No deprecated algorithms (MD5, SHA1 for security, DES, RC4)
+
+## A03: Injection
+
+- [ ] SQL queries use parameterized statements, never string concatenation
+- [ ] NoSQL queries are properly escaped or use ODM/ORM
+- [ ] OS commands are avoided; if necessary, inputs are validated against allowlist
+- [ ] LDAP queries use proper escaping
+- [ ] XML parsers disable external entity processing (XXE prevention)
+- [ ] Template engines use auto-escaping by default
+
+## A04: Insecure Design
+
+- [ ] Threat modeling performed for new features
+- [ ] Rate limiting implemented on authentication and sensitive endpoints
+- [ ] Business logic includes abuse prevention (e.g., quantity limits)
+- [ ] Fail securely: errors default to denied access
+- [ ] Security requirements documented and testable
+- [ ] Separation of tenants in multi-tenant systems
+
+## A05: Security Misconfiguration
+
+- [ ] Default credentials changed on all systems
+- [ ] Unnecessary features and frameworks disabled
+- [ ] Error messages do not expose stack traces or system details
+- [ ] Security headers configured (CSP, X-Frame-Options, etc.)
+- [ ] Cloud storage buckets are not publicly accessible by default
+- [ ] Development/debug features disabled in production
+
+## A06: Vulnerable Components
+
+- [ ] Dependencies are tracked and regularly updated
+- [ ] Known vulnerabilities are checked (npm audit, Snyk, Dependabot)
+- [ ] Components are obtained from official sources
+- [ ] Unused dependencies are removed
+- [ ] Component versions are pinned (not floating)
+- [ ] License compliance is verified
+
+## A07: Identification and Authentication Failures
+
+- [ ] Multi-factor authentication available for sensitive operations
+- [ ] Password requirements meet current standards (length over complexity)
+- [ ] Brute force protection: lockout or increasing delays
+- [ ] Session tokens are regenerated after login
+- [ ] Session tokens are invalidated on logout
+- [ ] Sessions have appropriate timeouts
+- [ ] Password reset tokens are single-use and time-limited
+
+## A08: Software and Data Integrity Failures
+
+- [ ] CI/CD pipelines verify integrity of dependencies
+- [ ] Signed commits or verified sources for code
+- [ ] Deserialization of untrusted data is avoided
+- [ ] If deserialization is necessary, integrity checks are in place
+- [ ] Update mechanisms verify signatures
+- [ ] Code review required before deployment
+
+## A09: Security Logging and Monitoring Failures
+
+- [ ] Authentication events are logged (success and failure)
+- [ ] Authorization failures are logged
+- [ ] Input validation failures are logged
+- [ ] Logs include sufficient context (timestamp, user, action, outcome)
+- [ ] Logs do not contain sensitive data (passwords, tokens, PII)
+- [ ] Alerting is configured for suspicious patterns
+- [ ] Logs are stored securely and cannot be tampered with
+
+## A10: Server-Side Request Forgery (SSRF)
+
+- [ ] URLs from user input are validated against allowlist
+- [ ] Internal network addresses are blocked (127.0.0.1, 10.x, 192.168.x)
+- [ ] URL schemes are restricted (http/https only)
+- [ ] Responses from external requests are not directly returned to users
+- [ ] Network segmentation limits impact of SSRF
+
+## Additional Checks
+
+### Input Validation
+
+- [ ] All user input is validated on the server side
+- [ ] Validation uses allowlists, not blocklists
+- [ ] File uploads validate type, size, and content
+- [ ] JSON/XML payloads are validated against schema
+
+### Output Encoding
+
+- [ ] HTML output is encoded to prevent XSS
+- [ ] JSON responses use proper content-type headers
+- [ ] URLs are encoded when constructed dynamically
+- [ ] Context-appropriate encoding (HTML, JavaScript, CSS, URL)
+
+### API Security
+
+- [ ] Authentication required for all non-public endpoints
+- [ ] API keys are treated as secrets
+- [ ] Rate limiting prevents abuse
+- [ ] Response data is filtered to authorized fields only
+- [ ] HTTP methods are restricted appropriately
+
+## Usage Notes
+
+1. Apply this checklist during code review
+2. Use automated tools (SAST, DAST) to complement manual review
+3. Not all items apply to every change - use judgment
+4. Document any exceptions with rationale
+5. Security testing should be part of the CI/CD pipeline