opscale-setup 1.0.0

package/src/templates/hooks/dep-audit.js

@@ -0,0 +1,66 @@
+#!/usr/bin/env node
+/**
+ * PreToolUse / Bash — intercepts npm/pip/cargo install commands and runs
+ * a lightweight audit before allowing the install to proceed.
+ *
+ * For npm: checks `npm audit` after hypothetical install.
+ * For pip: warns if package is not on a known allowlist (informational only).
+ */
+import { readFileSync } from 'fs';
+import { execSync } from 'child_process';
+
+let input;
+try {
+  input = JSON.parse(readFileSync('/dev/stdin', 'utf8'));
+} catch {
+  process.exit(0);
+}
+
+const command = (input?.tool_input?.command ?? '').trim();
+
+// Only handle install commands
+if (!/^(npm\s+install|npm\s+i|pip\s+install|cargo\s+add|yarn\s+add|pnpm\s+add)/.test(command)) {
+  process.exit(0);
+}
+
+// Extract package names (simple heuristic — flags start with -)
+const tokens = command.split(/\s+/).filter(t => !t.startsWith('-') && !/^(npm|pip|cargo|yarn|pnpm|install|add|i)$/.test(t));
+
+if (tokens.length === 0) process.exit(0);
+
+// Flag known typosquat-prone names
+const SUSPICIOUS = [
+  /^cros$/, /^reqeusts$/, /^lodahs$/, /^expres$/, /^djano$/,
+];
+for (const pkg of tokens) {
+  for (const pattern of SUSPICIOUS) {
+    if (pattern.test(pkg)) {
+      console.error(
+        `[dep-audit] BLOCKED: package name "${pkg}" looks like a typosquat.\n` +
+        `  Did you mean a different package?`
+      );
+      process.exit(1);
+    }
+  }
+}
+
+// For npm, run audit after install (informational)
+if (/^(npm|yarn|pnpm)/.test(command)) {
+  try {
+    execSync('npm audit --audit-level=critical --json', { stdio: 'pipe' });
+  } catch (err) {
+    try {
+      const report = JSON.parse(err.stdout?.toString() ?? '{}');
+      const critical = report?.metadata?.vulnerabilities?.critical ?? 0;
+      if (critical > 0) {
+        console.error(
+          `[dep-audit] WARNING: npm audit found ${critical} critical vulnerabilities.\n` +
+          `  Run \`npm audit fix\` after install.`
+        );
+        // Warn only — don't block
+      }
+    } catch { /* ignore parse errors */ }
+  }
+}
+
+process.exit(0);

package/src/templates/hooks/deploy-check.js

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+/**
+ * PreToolUse / Bash — intercepts deploy commands and enforces a pre-flight
+ * checklist: tests must pass, no uncommitted changes, branch must be correct.
+ */
+import { readFileSync } from 'fs';
+import { execSync } from 'child_process';
+
+const DEPLOY_PATTERNS = [
+  /\bdeploy\b/,
+  /\bserverless\s+deploy\b/,
+  /\beb\s+deploy\b/,
+  /\bkubectl\s+apply\b/,
+  /\bhelm\s+upgrade\b/,
+  /\bdocker\s+push\b/,
+  /\bvercel\b/,
+  /\bflyctl\s+deploy\b/,
+];
+
+let input;
+try {
+  input = JSON.parse(readFileSync('/dev/stdin', 'utf8'));
+} catch {
+  process.exit(0);
+}
+
+const command = input?.tool_input?.command ?? '';
+
+if (!DEPLOY_PATTERNS.some(p => p.test(command))) process.exit(0);
+
+const errors = [];
+
+// Uncommitted changes check
+try {
+  const status = execSync('git status --porcelain', { stdio: ['pipe', 'pipe', 'pipe'] }).toString().trim();
+  if (status.length > 0) {
+    errors.push('There are uncommitted changes. Commit or stash before deploying.');
+  }
+} catch { /* not a git repo — skip */ }
+
+// Check tests exist and pass (node projects)
+const testScript = (() => {
+  try {
+    const pkg = JSON.parse(readFileSync('package.json', 'utf8'));
+    return pkg?.scripts?.test;
+  } catch { return null; }
+})();
+
+if (testScript && testScript !== 'echo \\"Error: no test specified\\" && exit 1') {
+  try {
+    execSync('npm test --if-present', { stdio: 'pipe', timeout: 120_000 });
+  } catch {
+    errors.push('Test suite failed. Fix all tests before deploying.');
+  }
+}
+
+if (errors.length > 0) {
+  console.error('[deploy-check] BLOCKED — pre-flight checklist failed:\n' +
+    errors.map(e => `  • ${e}`).join('\n')
+  );
+  process.exit(1);
+}
+
+console.error('[deploy-check] Pre-flight checks passed.');
+process.exit(0);

package/src/templates/hooks/lint-check.js

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+/**
+ * PostToolUse / Write — runs the project linter on the file Claude just wrote.
+ * Supports ESLint, Biome, Ruff (Python), and gofmt. Advisory only — never blocks.
+ */
+import { readFileSync, existsSync } from 'fs';
+import { execSync } from 'child_process';
+import path from 'path';
+
+let input;
+try {
+  input = JSON.parse(readFileSync('/dev/stdin', 'utf8'));
+} catch {
+  process.exit(0);
+}
+
+const filePath = input?.tool_input?.file_path ?? '';
+if (!filePath || !existsSync(filePath)) process.exit(0);
+
+const ext = path.extname(filePath);
+
+function run(cmd) {
+  try {
+    execSync(cmd, { stdio: 'pipe', timeout: 30_000 });
+    console.error(`[lint-check] Lint passed: ${path.basename(filePath)}`);
+  } catch (err) {
+    console.error(
+      `[lint-check] Lint issues in ${path.basename(filePath)}:\n` +
+      (err.stdout?.toString() ?? '') +
+      (err.stderr?.toString() ?? '')
+    );
+  }
+}
+
+if (['.js', '.ts', '.jsx', '.tsx', '.mjs', '.cjs'].includes(ext)) {
+  if (existsSync('biome.json') || existsSync('biome.jsonc')) {
+    run(`npx biome check --no-errors-on-unmatched ${filePath}`);
+  } else if (existsSync('.eslintrc.js') || existsSync('.eslintrc.json') || existsSync('eslint.config.js') || existsSync('eslint.config.mjs')) {
+    run(`npx eslint --max-warnings=0 ${filePath}`);
+  }
+} else if (ext === '.py') {
+  if (existsSync('ruff.toml') || existsSync('pyproject.toml')) {
+    run(`ruff check ${filePath}`);
+  }
+} else if (ext === '.go') {
+  run(`gofmt -l ${filePath}`);
+} else if (ext === '.rs') {
+  run(`cargo clippy --quiet 2>&1`);
+}
+
+process.exit(0);

package/src/templates/hooks/secret-guard.js

@@ -0,0 +1,46 @@
+#!/usr/bin/env node
+/**
+ * PreToolUse / Bash + Write — scans command strings and file content for
+ * patterns that look like secrets, API keys, or credentials before they
+ * are written to disk or executed.
+ */
+import { readFileSync } from 'fs';
+
+const SECRET_PATTERNS = [
+  { name: 'AWS Access Key',        re: /AKIA[0-9A-Z]{16}/ },
+  { name: 'AWS Secret Key',        re: /aws_secret_access_key\s*=\s*\S{40}/i },
+  { name: 'GitHub Token',          re: /ghp_[a-zA-Z0-9]{36}/ },
+  { name: 'GitHub Fine-grained',   re: /github_pat_[a-zA-Z0-9_]{82}/ },
+  { name: 'Stripe Secret Key',     re: /sk_live_[a-zA-Z0-9]{24,}/ },
+  { name: 'SendGrid Key',          re: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/ },
+  { name: 'Anthropic API Key',     re: /sk-ant-[a-zA-Z0-9\-_]{90,}/ },
+  { name: 'OpenAI API Key',        re: /sk-[a-zA-Z0-9]{48}/ },
+  { name: 'Slack Token',           re: /xox[baprs]-[a-zA-Z0-9\-]+/ },
+  { name: 'Private key block',     re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
+  { name: 'Hardcoded password',    re: /password\s*=\s*['"][^'"]{8,}['"]/i },
+];
+
+let input;
+try {
+  input = JSON.parse(readFileSync('/dev/stdin', 'utf8'));
+} catch {
+  process.exit(0);
+}
+
+const haystack = [
+  input?.tool_input?.command,
+  input?.tool_input?.content,
+  input?.tool_input?.new_string,
+].filter(Boolean).join('\n');
+
+for (const { name, re } of SECRET_PATTERNS) {
+  if (re.test(haystack)) {
+    console.error(
+      `[secret-guard] BLOCKED: possible ${name} detected in tool input.\n` +
+      `  If this is intentional, move the value to an environment variable.`
+    );
+    process.exit(1);
+  }
+}
+
+process.exit(0);

package/src/templates/hooks/test-runner.js

@@ -0,0 +1,67 @@
+#!/usr/bin/env node
+/**
+ * PostToolUse / Write — when Claude writes a source file, auto-discovers and
+ * runs the related test file if one exists. Exits 0 always (advisory only),
+ * but prints test output so Claude sees failures and can fix them.
+ */
+import { readFileSync, existsSync } from 'fs';
+import { execSync } from 'child_process';
+import path from 'path';
+
+const TEST_CANDIDATES = (file) => {
+  const { dir, name, ext } = path.parse(file);
+  return [
+    path.join(dir, `${name}.test${ext}`),
+    path.join(dir, `${name}.spec${ext}`),
+    path.join(dir, '__tests__', `${name}.test${ext}`),
+    path.join('tests', `${name}.test${ext}`),
+    path.join('test', `${name}_test${ext}`),
+    // Python
+    path.join(dir, `test_${name}${ext}`),
+    path.join('tests', `test_${name}.py`),
+  ];
+};
+
+let input;
+try {
+  input = JSON.parse(readFileSync('/dev/stdin', 'utf8'));
+} catch {
+  process.exit(0);
+}
+
+const filePath = input?.tool_input?.file_path ?? input?.tool_response?.file_path ?? '';
+if (!filePath) process.exit(0);
+
+// Don't run tests when the test file itself was written
+if (/\.(test|spec)\.(js|ts|jsx|tsx|py|go|rs)$/.test(filePath) || /test_.*\.py$/.test(filePath)) {
+  process.exit(0);
+}
+
+const testFile = TEST_CANDIDATES(filePath).find(f => existsSync(f));
+if (!testFile) process.exit(0);
+
+const ext = path.extname(testFile);
+
+let cmd;
+if (['.js', '.ts', '.jsx', '.tsx', '.mjs'].includes(ext)) {
+  cmd = `node --test ${testFile}`;
+} else if (ext === '.py') {
+  cmd = `python -m pytest ${testFile} -q`;
+} else if (ext === '.go') {
+  cmd = `go test ./${path.dirname(testFile)}/...`;
+} else {
+  process.exit(0);
+}
+
+try {
+  const out = execSync(cmd, { stdio: 'pipe', timeout: 60_000 }).toString();
+  console.error(`[test-runner] Tests passed for ${path.basename(filePath)}:\n${out}`);
+} catch (err) {
+  console.error(
+    `[test-runner] Tests FAILED for ${path.basename(filePath)}:\n` +
+    (err.stdout?.toString() ?? '') +
+    (err.stderr?.toString() ?? '')
+  );
+}
+
+process.exit(0);

package/src/templates/settings.js

@@ -0,0 +1,128 @@
+export function renderSettings({ projectType, teamSize, deployTarget }) {
+  const hooksBase = '.claude/hooks';
+
+  // Larger teams get stricter guardrails
+  const strictMode = teamSize === 'medium' || teamSize === 'large';
+
+  const dangerousPatterns = [
+    'rm -rf',
+    'DROP TABLE',
+    'DROP DATABASE',
+    'DELETE FROM',
+    'truncate',
+    '--force-with-lease',
+    'git push --force',
+    'chmod 777',
+    'curl.*sh.*bash',
+    'wget.*sh.*bash',
+  ];
+
+  if (deployTarget === 'aws' || deployTarget === 'gcp' || deployTarget === 'azure') {
+    dangerousPatterns.push('aws.*delete', 'gcloud.*delete', 'az.*delete');
+  }
+
+  return {
+    version: 1,
+    permissions: {
+      allow: [
+        'Bash(git:*)',
+        'Bash(npm:*)',
+        'Bash(node:*)',
+        ...(projectType === 'python' ? ['Bash(python:*)', 'Bash(pip:*)', 'Bash(pytest:*)'] : []),
+        ...(projectType === 'go' ? ['Bash(go:*)'] : []),
+        ...(projectType === 'rust' ? ['Bash(cargo:*)'] : []),
+        'Bash(ls:*)',
+        'Bash(cat:*)',
+        'Bash(echo:*)',
+        'Bash(find:*)',
+        'Bash(grep:*)',
+      ],
+      deny: [
+        'Bash(rm -rf /*)',
+        'Bash(curl * | bash:*)',
+        'Bash(wget * | bash:*)',
+      ],
+    },
+    env: {
+      OPSCALE_PROJECT_TYPE: projectType,
+      OPSCALE_TEAM_SIZE: teamSize,
+      OPSCALE_DEPLOY_TARGET: deployTarget,
+    },
+    hooks: {
+      PreToolUse: [
+        {
+          matcher: 'Bash',
+          hooks: [
+            {
+              type: 'command',
+              command: `node ${hooksBase}/block-dangerous.js`,
+            },
+            {
+              type: 'command',
+              command: `node ${hooksBase}/secret-guard.js`,
+            },
+            {
+              type: 'command',
+              command: `node ${hooksBase}/branch-guard.js`,
+            },
+            {
+              type: 'command',
+              command: `node ${hooksBase}/dep-audit.js`,
+            },
+            {
+              type: 'command',
+              command: `node ${hooksBase}/deploy-check.js`,
+            },
+          ],
+        },
+        {
+          matcher: 'Write',
+          hooks: [
+            {
+              type: 'command',
+              command: `node ${hooksBase}/secret-guard.js`,
+            },
+          ],
+        },
+      ],
+      PostToolUse: [
+        {
+          matcher: 'Write',
+          hooks: [
+            {
+              type: 'command',
+              command: `node ${hooksBase}/test-runner.js`,
+            },
+            {
+              type: 'command',
+              command: `node ${hooksBase}/lint-check.js`,
+            },
+            {
+              type: 'command',
+              command: `node ${hooksBase}/build-validator.js`,
+            },
+          ],
+        },
+        {
+          matcher: 'Bash',
+          hooks: [
+            {
+              type: 'command',
+              command: `node ${hooksBase}/auto-commit-msg.js`,
+            },
+          ],
+        },
+      ],
+      Stop: [
+        {
+          hooks: [
+            {
+              type: 'command',
+              command: `node ${hooksBase}/cost-tracker.js`,
+            },
+          ],
+        },
+      ],
+    },
+  };
+}

package/src/templates/skills/code-review.md

@@ -0,0 +1,61 @@
+# code-review
+
+Review the current diff (or a specified file/PR) for correctness bugs, security
+issues, and efficiency problems. Return actionable findings only — no praise,
+no summaries of what the code does.
+
+## How to use
+
+```
+/code-review                    # review staged + unstaged changes
+/code-review src/auth.ts        # review a specific file
+/code-review --fix              # apply safe fixes automatically
+/code-review --security         # focus only on security issues
+```
+
+## Review checklist
+
+### Correctness
+- Off-by-one errors in loops and slices
+- Null / undefined dereferences before safety checks
+- Race conditions in async code (missing `await`, shared mutable state)
+- Incorrect error handling (swallowed errors, wrong error types)
+- Logic inversions (`!` in wrong place, wrong comparison operator)
+
+### Security (OWASP Top 10 + extras)
+- SQL / NoSQL injection via string interpolation
+- Command injection via `exec`/`spawn` with user input
+- XSS — unescaped user content rendered as HTML
+- Insecure direct object reference (IDOR)
+- Missing authentication or authorization checks
+- Secrets hardcoded or logged
+- Unsafe deserialization
+- Path traversal (`../` in user-supplied filenames)
+- SSRF — user-controlled URLs fetched server-side
+
+### Performance
+- N+1 query patterns
+- Missing database indexes implied by query patterns
+- Unnecessary re-renders or re-computations in hot paths
+- Large payloads sent over the wire without pagination
+
+### Maintainability
+- Functions doing more than one thing (flag for refactor, don't refactor)
+- Magic numbers / strings that should be named constants
+- Dead code paths
+- Inconsistent error handling patterns vs. rest of codebase
+
+## Output format
+
+For each finding:
+
+```
+[SEVERITY] file.ts:42 — Short description
+  Why: <why this is a problem>
+  Fix: <concrete fix, code snippet if helpful>
+```
+
+Severity levels: CRITICAL · HIGH · MEDIUM · LOW · INFO
+
+Only report findings you are confident about. If uncertain, say so.
+Prefer fewer high-confidence findings over many speculative ones.

package/src/templates/skills/debugging.md

@@ -0,0 +1,61 @@
+# debugging
+
+Systematically diagnose and fix a bug. Works for runtime errors, wrong output,
+performance regressions, and flaky tests.
+
+## How to use
+
+```
+/debugging "TypeError: Cannot read properties of undefined"
+/debugging "checkout is 3x slower after the last deploy"
+/debugging "test suite fails intermittently on CI"
+```
+
+## Debugging protocol
+
+Follow these steps in order. Do not skip ahead.
+
+### 1. Reproduce
+- Find or write the minimal command / test that reliably triggers the bug.
+- If flaky: run it 10 times and record the failure rate.
+- State the reproduction case explicitly before proceeding.
+
+### 2. Isolate
+- Narrow scope: which module, function, or line is responsible?
+- Use `git bisect` if the bug is a regression: `git bisect start HEAD <last-good-sha>`.
+- Add temporary `console.error` / `print` / `fmt.Println` at key points — remove after.
+- Read the stack trace from bottom (the root call) to top (where it blew up).
+
+### 3. Hypothesize
+- State 2-3 hypotheses for the root cause, ranked by likelihood.
+- Design one test per hypothesis that would confirm or rule it out.
+- Test hypotheses cheapest-first.
+
+### 4. Fix
+- Fix the root cause, not a symptom.
+- If fixing requires a workaround (e.g., third-party bug), document why in a comment.
+- Remove all debug logging added in step 2.
+- Confirm reproduction case now passes.
+
+### 5. Prevent
+- Write a regression test that would have caught this bug.
+- Check if the same pattern exists elsewhere: `grep -r "pattern" src/`.
+- If the bug was caused by a missing validation, add validation at the boundary.
+
+## Common root causes by symptom
+
+| Symptom | Check first |
+|---------|-------------|
+| `undefined` / `null` dereference | Async timing, missing await, API response shape change |
+| Wrong calculation | Unit mismatch, integer overflow, floating-point precision |
+| Only fails in production | Missing env var, different data shape, caching layer |
+| Only fails on CI | Time-dependent test, missing seed data, parallelism |
+| Memory leak | Event listeners not removed, circular references, unbounded cache |
+| Slow after deploy | N+1 query introduced, missing index, cache invalidated |
+
+## Rules
+
+- Never blame the framework or library until you have ruled out your own code.
+- "It works on my machine" means the environments differ — find the difference.
+- A bug that cannot be reproduced reliably cannot be safely fixed.
+- Fix one thing at a time; revert and try again if it doesn't help.

package/src/templates/skills/deployment.md

@@ -0,0 +1,89 @@
+# deployment
+
+Run a deployment checklist, generate deployment commands, or assist with
+rollback procedures for any cloud target.
+
+## How to use
+
+```
+/deployment                     # run full pre-deploy checklist
+/deployment --rollback          # generate rollback commands for last deploy
+/deployment --diff              # show what will change vs. production
+/deployment --status            # check current deployment status
+```
+
+## Pre-deployment checklist
+
+Work through each item before running the deploy command.
+
+### Code quality
+- [ ] All tests pass locally (`npm test` / `pytest` / `go test ./...`)
+- [ ] No linting errors (`npm run lint` / `ruff check .`)
+- [ ] TypeScript compiles without errors (`tsc --noEmit`)
+- [ ] No `console.log` / `print` debug statements left in code
+- [ ] Feature branch merged to main via PR, not committed directly
+
+### Configuration
+- [ ] Environment variables verified in target environment
+- [ ] `.env.example` updated if new vars were added
+- [ ] Secrets rotated if they were accidentally committed (even briefly)
+- [ ] Feature flags set correctly for target environment
+
+### Database
+- [ ] Migration is backwards-compatible (can run with old code)
+- [ ] Migration tested on a copy of production data
+- [ ] Rollback SQL prepared for schema changes
+- [ ] No long-lock migrations (adding NOT NULL without default on large tables)
+
+### Infrastructure
+- [ ] Resource limits (CPU, memory) checked for new workloads
+- [ ] Auto-scaling configured if expected traffic increase
+- [ ] Health check endpoint responds correctly
+- [ ] Deployment target (cluster/region) confirmed
+
+### Observability
+- [ ] New code paths have log statements at appropriate levels
+- [ ] Metrics / dashboards updated for new features
+- [ ] Alerts configured for new failure modes
+- [ ] On-call team notified if risky deploy
+
+## Deploy command templates
+
+### Vercel
+```bash
+vercel --prod
+```
+
+### AWS ECS
+```bash
+aws ecs update-service --cluster <cluster> --service <service> --force-new-deployment
+```
+
+### Kubernetes
+```bash
+kubectl set image deployment/<name> <container>=<image>:<tag>
+kubectl rollout status deployment/<name>
+```
+
+### Docker Compose
+```bash
+docker compose pull && docker compose up -d --remove-orphans
+```
+
+## Rollback procedure
+
+1. Identify the last stable image/commit: `git log --oneline -10`
+2. Revert the deployment (do NOT delete data):
+   - Kubernetes: `kubectl rollout undo deployment/<name>`
+   - ECS: redeploy previous task definition revision
+   - Vercel: `vercel rollback`
+3. Verify health check returns 200.
+4. Roll back the database migration **only if** it is backwards-incompatible.
+5. File an incident report within 24 hours.
+
+## Rules
+
+- Never deploy on a Friday afternoon or before a holiday without explicit sign-off.
+- Always have a rollback plan before deploying schema changes.
+- Deploy to staging first; wait 10 minutes; then promote to production.
+- One deploy at a time — wait for the previous deploy to stabilize.