opencode-skills-collection 3.0.32 → 3.0.33

package/bundled-skills/varlock/SKILL.md

@@ -88,9 +88,11 @@ curl -H "Authorization: Bearer $API_KEY" https://api.example.com
 
 ```bash
 # Install Varlock CLI
-curl -sSfL https://varlock.dev/install.sh -o /tmp/varlock-install.sh
-sed -n '1,160p' /tmp/varlock-install.sh
-sh /tmp/varlock-install.sh --force-no-brew
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "$tmpdir"' EXIT
+curl -sSfL https://varlock.dev/install.sh -o "$tmpdir/varlock-install.sh"
+sed -n '1,160p' "$tmpdir/varlock-install.sh"
+sh "$tmpdir/varlock-install.sh" --force-no-brew
 
 # Add to PATH (add to ~/.zshrc or ~/.bashrc)
 export PATH="$HOME/.varlock/bin:$PATH"
@@ -245,9 +247,11 @@ varlock load
 
 ```dockerfile
 # Install Varlock in container
-RUN curl -sSfL https://varlock.dev/install.sh -o /tmp/varlock-install.sh \
-    && sed -n '1,160p' /tmp/varlock-install.sh \
-    && sh /tmp/varlock-install.sh --force-no-brew \
+RUN tmpdir="$(mktemp -d)" \
+    && curl -sSfL https://varlock.dev/install.sh -o "$tmpdir/varlock-install.sh" \
+    && sed -n '1,160p' "$tmpdir/varlock-install.sh" \
+    && sh "$tmpdir/varlock-install.sh" --force-no-brew \
+    && rm -rf "$tmpdir" \
     && ln -s /root/.varlock/bin/varlock /usr/local/bin/varlock
 
 # Validate at container start

package/bundled-skills/vibe-code-cleanup/SKILL.md

@@ -0,0 +1,231 @@
+---
+name: vibe-code-cleanup
+description: "Safe production cleanup and hardening for vibe-coded fullstack apps (Next.js, React, Node.js, etc.). Removes dead imports, unused files, broken references, and standardizes helpers without breaking routes or APIs."
+category: fullstack
+risk: safe
+source: self
+source_type: self
+date_added: "2026-05-31"
+author: Whoisabhishekadhikari
+tags: [cleanup, refactor, nextjs, production, vibe-code, fullstack, nodejs]
+tools: [claude, cursor, gemini, claude-code]
+version: 1.0.0
+---
+
+# Vibe-Code Cleanup — Production Refactor Skill
+
+A safe, incremental cleanup workflow for AI-generated / vibe-coded fullstack apps.
+The goal is to make the codebase production-ready **without** breaking anything that already works.
+
+## When to Use
+
+- Use when a rapidly built app works but has broken imports, duplicated logic, dead code, unclear environment variables, or fragile release hygiene.
+- Use before launch or handoff to convert exploratory code into a maintainable production baseline.
+- Use when cleanup must preserve existing behavior and avoid broad rewrites of routes, APIs, auth, data models, or integrations.
+
+## Core Philosophy
+
+> **Surgery, not demolition.** Remove only what is provably dead. Preserve everything else.
+
+Never:
+- Rewrite working systems for cosmetic reasons
+- Rename routes, slugs, or API endpoints that may be indexed or cached
+- Change tool inputs/outputs, API contracts, DB schema, or auth flow
+- Delete files you haven't verified are unused
+- Make broad sweeping changes in a single commit
+
+Always:
+- Make small, targeted, reversible changes
+- Validate after every meaningful batch of changes
+- Prefer shared helpers over copy-pasted blocks
+- Keep backward compatibility
+
+---
+
+## Step 1 — Reconnaissance (read before touching)
+
+Before changing anything, map the codebase:
+
+```bash
+# List all pages/routes
+find . -path "*/app/**/page.{js,jsx,ts,tsx}" | sort
+find . -path "*/pages/**/*.{js,jsx,ts,tsx}" | grep -v "_" | sort
+
+# Find broken imports (TS projects)
+npx tsc --noEmit 2>&1 | head -80
+
+# Find unused exports (optional, for larger projects)
+npx ts-prune 2>/dev/null | head -40
+
+# Check for console.log / debug leftovers
+grep -r "console\.log\|debugger\|TODO\|FIXME\|HACK" --include="*.{js,ts,jsx,tsx}" -l
+```
+
+Document what you find. Do NOT change yet.
+
+---
+
+## Step 2 — Fix Broken Imports First
+
+Broken imports cause build failures and should be fixed before anything else.
+
+```bash
+# TypeScript: list all errors
+npx tsc --noEmit 2>&1
+
+# Common patterns to fix:
+# - Missing file (file was deleted or renamed)
+# - Wrong relative path (../lib vs ../../lib)
+# - Named export that doesn't exist
+```
+
+**Fix rule:** Fix the import reference. Do NOT delete the referenced file unless you've confirmed it's unused everywhere.
+
+---
+
+## Step 3 — Identify Dead Code (verify before removing)
+
+A file/export is safe to remove **only if**:
+1. No other file imports it (grep-confirmed)
+2. It's not referenced in config, sitemap, or route manifest
+3. It's not a public-facing URL (page.js, route.js)
+
+```bash
+# Check if a file is imported anywhere
+grep -r "from.*my-file\|require.*my-file" --include="*.{js,ts,jsx,tsx}" .
+
+# Check if a component is used anywhere  
+grep -r "MyComponent" --include="*.{js,ts,jsx,tsx}" .
+```
+
+---
+
+## Step 4 — Consolidate Repeated Logic into Helpers
+
+Look for repeated patterns (metadata blocks, API fetch wrappers, error handlers) that appear in 3+ places.
+
+**Good consolidation targets:**
+- Page-level SEO metadata (Open Graph, Twitter cards, canonical)
+- Fetch wrappers with error handling
+- Repeated utility functions (slugify, formatDate, truncate)
+
+**Bad consolidation targets (leave alone):**
+- One-off business logic
+- Route handlers with different contracts
+- Anything touching DB schema or auth
+
+**Pattern for shared metadata helper (Next.js):**
+```js
+// lib/socialMetadata.js
+export function buildPageMetadata({ title, description, path, image }) {
+  const baseUrl = process.env.NEXT_PUBLIC_BASE_URL || 'https://yourdomain.com';
+  const imageUrl = image?.startsWith('http') ? image : `${baseUrl}${image}`;
+  
+  return {
+    title,
+    description,
+    openGraph: {
+      title,
+      description,
+      url: `${baseUrl}${path}`,
+      images: [{ url: imageUrl, width: 1200, height: 630, alt: title }],
+    },
+    twitter: {
+      card: 'summary_large_image',
+      title,
+      description,
+      images: [imageUrl],
+    },
+    alternates: {
+      canonical: `${baseUrl}${path}`,
+    },
+  };
+}
+```
+
+---
+
+## Step 5 — Environment Variable Audit
+
+```bash
+# List all env vars used in code
+grep -r "process\.env\." --include="*.{js,ts,jsx,tsx}" . | grep -oP 'process\.env\.\w+' | sort -u
+
+# Compare against .env.example or .env.local
+cat .env.example 2>/dev/null || cat .env.local 2>/dev/null
+```
+
+Flag any env vars used in code but missing from `.env.example`. Never add secrets to version control.
+
+---
+
+## Step 6 — Validate After Every Batch
+
+Run this after every meaningful batch of cleanup changes:
+
+```bash
+# TypeScript check
+npx tsc --noEmit
+
+# Lint
+npx eslint . --ext .js,.jsx,.ts,.tsx --max-warnings 0
+
+# Build (catches runtime issues TypeScript misses)
+npm run build
+
+# Tests (if present)
+npm test -- --runInBand --passWithNoTests
+```
+
+If build or typecheck breaks → **revert the last batch** before continuing.
+
+---
+
+## Step 7 — Commit Strategy
+
+Each commit should be a single logical unit:
+
+```
+fix: remove broken import in app/blog/page.js
+refactor: consolidate social metadata into lib/socialMetadata.js  
+chore: remove verified-unused utils/oldHelper.js
+fix: standardize env var references to NEXT_PUBLIC_BASE_URL
+```
+
+Never bundle UI changes + logic changes + file deletions in one commit. Smaller commits = easier rollback.
+
+---
+
+## What NOT to Clean Up
+
+Treat these as off-limits unless there's a verified bug:
+
+| Area | Why |
+|------|-----|
+| Route slugs / page paths | May be indexed by Google |
+| API route contracts | Callers depend on exact shape |
+| DB schema / Prisma models | Migration required |
+| Auth flow logic | Security-sensitive |
+| Third-party integration configs | Keys/webhooks are environment-specific |
+| Working tool pages | User-facing functionality |
+
+---
+
+## Cleanup Checklist
+
+- [ ] TypeScript errors fixed
+- [ ] No broken imports
+- [ ] Dead code removed (grep-verified)
+- [ ] Shared helpers created for repeated patterns (3+ uses)
+- [ ] No hardcoded secrets or local-only URLs
+- [ ] All env vars documented in `.env.example`
+- [ ] Build passes
+- [ ] Tests pass (or no tests exist)
+- [ ] Lint passes
+- [ ] Each commit is scoped and explainable
+
+## Limitations
+
+- Does not infer product intent from code alone; confirm behavior before deleting routes, components, API contracts, or data models.
+- Cleanup should be applied in small reviewed batches because broad refactors can hide regressions.
+- Avoid changing auth, billing, persistence, or third-party integration behavior without explicit requirements and tests.

package/bundled-skills/vibecode-production-qa-validator/SKILL.md

@@ -0,0 +1,237 @@
+---
+name: vibecode-production-qa-validator
+description: "End-to-end production QA, build verification, and launch-readiness checklist for fullstack Next.js apps before going live or shipping a major update. Covers TypeScript, linting, tests, build, SEO tags, route regression, and sitemap validation."
+category: devops
+risk: safe
+source: self
+source_type: self
+date_added: "2026-05-31"
+author: Whoisabhishekadhikari
+tags: [qa, testing, nextjs, production, build-validation, deployment, seo]
+tools: [claude, cursor, gemini, claude-code]
+version: 1.0.0
+---
+
+# Production QA Validator Skill
+
+The end-to-end launch checklist for fullstack Next.js apps. Run this before every production deployment or after any major change.
+
+---
+
+## When to Use
+
+- Use before deploying a vibe-coded or fast-built app to production.
+- Use when validating build output, SEO tags, sitemap routes, API routes, git diff cleanliness, and post-deploy smoke checks.
+- Use when you need a concrete definition of done for release readiness across code, runtime behavior, and public URLs.
+
+---
+
+## The Full Validation Command Sequence
+
+Run in order — stop and fix on any failure before continuing:
+
+```bash
+# 1. TypeScript — catches type errors and broken imports
+npx tsc --noEmit
+
+# 2. Custom validation scripts (if present)
+npm run validate 2>/dev/null || echo "No validate script"
+
+# 3. Canonical/SEO linting (if present)
+npm run lint:canon 2>/dev/null || echo "No canon lint"
+npm run lint:anchors 2>/dev/null || echo "No anchor lint"  
+npm run lint:links 2>/dev/null || echo "No link lint"
+
+# 4. ESLint
+npx eslint . --ext .js,.jsx,.ts,.tsx --max-warnings 0
+
+# 5. Tests
+npm test -- --runInBand --passWithNoTests
+
+# 6. Production build — the final arbiter
+npm run build
+```
+
+All 6 must pass before committing.
+
+---
+
+## Reading the Build Output
+
+```bash
+npm run build 2>&1 | tee build.log
+
+# Check for errors
+grep -i "error\|failed\|cannot" build.log | grep -v "no errors"
+
+# Check static page count
+grep "Static pages\|○\|●" build.log | tail -5
+```
+
+### Route symbols explained
+| Symbol | Meaning | Expected? |
+|--------|---------|-----------|
+| `○` | Static (rendered at build time) | ✓ Good for most pages |
+| `●` | SSG (generated from `generateStaticParams`) | ✓ Good for dynamic pages |
+| `λ` | Serverless (dynamic, rendered on request) | ✓ APIs and truly dynamic pages only |
+| `⊕` | Partial prerender | ✓ Fine |
+
+If an important SEO page shows `λ` and should be static, add `generateStaticParams` or use `export const dynamic = 'force-static'`.
+
+---
+
+## SEO Tags in Raw HTML Verification
+
+Crawlers don't run JavaScript. Metadata must be in the raw HTML response.
+
+```bash
+# Check a page's metadata
+curl -s https://www.yourdomain.com/blog/my-post | grep -i \
+  "og:title\|og:description\|og:image\|twitter:card\|canonical\|description"
+
+# Expected output should include all of these:
+# <meta property="og:title" content="..." />
+# <meta property="og:description" content="..." />
+# <meta property="og:image" content="https://..." />
+# <meta name="twitter:card" content="summary_large_image" />
+# <link rel="canonical" href="https://..." />
+# <meta name="description" content="..." />
+```
+
+If tags are missing from raw HTML: they're added by client-side JavaScript. Fix: move to `export const metadata` or `generateMetadata`.
+
+---
+
+## Route Regression Testing
+
+After any major change, verify all critical route types still return 200:
+
+```bash
+BASE="https://www.yourdomain.com"
+
+# Core pages
+for path in "/" "/about" "/contact" "/privacy" "/terms" "/faq"; do
+  STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$BASE$path")
+  echo "$STATUS $BASE$path"
+done
+
+# Sitemaps
+for path in "/sitemap.xml" "/robots.txt"; do
+  STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$BASE$path")
+  echo "$STATUS $BASE$path"
+done
+
+# Sample dynamic routes (test a few real slugs)
+for path in "/tools/keyword-density-checker" "/blog/my-post-slug"; do
+  STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$BASE$path")
+  echo "$STATUS $BASE$path"
+done
+```
+
+All should return `200`. Investigate anything returning `404`, `500`, or `301`/`302` when a direct URL was expected.
+
+---
+
+## Sitemap Validation
+
+```bash
+# Fetch and validate sitemap XML
+curl -s https://www.yourdomain.com/sitemap.xml | python3 -c "
+import sys, xml.etree.ElementTree as ET
+try:
+    ET.parse(sys.stdin)
+    print('✓ Valid XML')
+except Exception as e:
+    print(f'✗ Invalid XML: {e}')
+"
+
+# Count URLs in sitemap
+curl -s https://www.yourdomain.com/sitemap.xml | grep -c "<loc>"
+```
+
+---
+
+## API Route Testing
+
+```bash
+# Test API endpoints return expected content-type and status
+for path in "/api/health" "/api/tools"; do
+  RESULT=$(curl -s -o /dev/null -w "%{http_code} %{content_type}" "$BASE$path")
+  echo "$RESULT $path"
+done
+```
+
+---
+
+## Pre-Commit Git Checklist
+
+Before committing:
+
+```bash
+# Review what's changed
+git diff --stat HEAD
+
+# Ensure no secrets or local-only files
+git diff HEAD | grep -i "password\|secret\|api_key\|localhost:3000" | grep "^+"
+
+# Confirm no build artifacts are staged
+git status | grep -E "\.next|node_modules"
+```
+
+Good commit message format:
+```
+type(scope): brief description
+
+fix(seo): add canonical tags to all blog pages
+feat(tools): add keyword density checker page
+refactor(metadata): consolidate OG/Twitter tags into shared helper
+chore(cleanup): remove unused utils/oldHelper.js
+```
+
+---
+
+## Post-Deployment Smoke Test
+
+Run 5–10 minutes after deployment:
+
+```bash
+PROD="https://www.yourdomain.com"
+
+# Homepage loads
+curl -sI "$PROD" | grep -i "http\|status"
+
+# Key page loads
+curl -sI "$PROD/tools/keyword-density-checker" | grep "200\|301\|404"
+
+# No JS errors (requires manual browser check)
+# Open browser → Console → look for red errors
+
+# OG image loads
+curl -sI "$PROD/images/og/home.jpg" | grep -i "200\|content-type"
+```
+
+---
+
+## Definition of Done
+
+A change is **production-ready** only when ALL of the following are true:
+
+- [ ] `npx tsc --noEmit` passes
+- [ ] `npm run validate` passes (or no script)
+- [ ] `npm run lint:canon` passes (or no script)
+- [ ] `npx eslint .` passes with 0 warnings
+- [ ] `npm test` passes or no tests exist
+- [ ] `npm run build` completes successfully
+- [ ] Important pages show `○` or `●` in build output (not `λ`)
+- [ ] SEO tags visible in `curl` output for key pages
+- [ ] All sitemap routes return valid XML
+- [ ] No new 404s on previously working routes
+- [ ] No secrets in git diff
+- [ ] Commit message is scoped and descriptive
+- [ ] Social preview platforms show correct card after cache refresh
+
+## Limitations
+
+- Passing this checklist reduces release risk but does not prove the absence of production bugs.
+- Some checks depend on project-specific scripts, deployment topology, and external services that may not exist in every app.
+- Manual exploratory testing is still required for critical user journeys, payments, auth, and data mutation flows.