prizmkit 1.1.79 → 1.1.81

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (110) hide show
  1. package/bundled/VERSION.json +3 -3
  2. package/bundled/dev-pipeline/scripts/init-pipeline.py +2 -0
  3. package/bundled/dev-pipeline-windows/scripts/init-pipeline.py +2 -0
  4. package/bundled/skills/_metadata.json +1 -1
  5. package/bundled/skills/app-planner/SKILL.md +12 -356
  6. package/bundled/skills/app-planner/references/infrastructure-convention-discovery.md +108 -0
  7. package/bundled/skills/app-planner/references/project-conventions-discovery.md +59 -0
  8. package/bundled/skills/app-planner/references/project-state-detection.md +88 -0
  9. package/bundled/skills/app-planner/references/rules/backend/derivation-rules.md +10 -0
  10. package/bundled/skills/app-planner/references/rules/database/derivation-rules.md +9 -0
  11. package/bundled/skills/app-planner/references/rules/frontend/derivation-rules.md +10 -0
  12. package/bundled/skills/app-planner/references/rules/frontend/question-bank.md +17 -0
  13. package/bundled/skills/app-planner/references/rules/frontend/template.md +19 -0
  14. package/bundled/skills/app-planner/references/rules/mobile/derivation-rules.md +10 -0
  15. package/bundled/skills/app-planner/references/rules-configuration.md +46 -0
  16. package/bundled/skills/bug-fix-workflow/SKILL.md +18 -54
  17. package/bundled/skills/bug-fix-workflow/references/bug-diagnosis.md +41 -0
  18. package/bundled/skills/bug-planner/SKILL.md +20 -12
  19. package/bundled/skills/bugfix-pipeline-launcher/SKILL.md +9 -108
  20. package/bundled/skills/bugfix-pipeline-launcher/references/configuration.md +98 -0
  21. package/bundled/skills/feature-pipeline-launcher/SKILL.md +20 -103
  22. package/bundled/skills/feature-pipeline-launcher/references/configuration.md +81 -0
  23. package/bundled/skills/feature-planner/SKILL.md +5 -9
  24. package/bundled/skills/feature-workflow/SKILL.md +27 -184
  25. package/bundled/skills/feature-workflow/references/brainstorm-guide.md +137 -0
  26. package/bundled/skills/prizm-kit/SKILL.md +14 -2
  27. package/bundled/skills/prizmkit-code-review/SKILL.md +67 -136
  28. package/bundled/skills/prizmkit-code-review/references/dev-agent-prompt.md +30 -0
  29. package/bundled/skills/prizmkit-code-review/references/review-report-template.md +31 -0
  30. package/bundled/skills/prizmkit-code-review/references/reviewer-agent-prompt.md +62 -0
  31. package/bundled/skills/prizmkit-code-review/scripts/check_loop.py +186 -0
  32. package/bundled/skills/prizmkit-committer/SKILL.md +8 -0
  33. package/bundled/skills/prizmkit-deploy/SKILL.md +49 -73
  34. package/bundled/skills/prizmkit-deploy/references/data-safety-examples.md +120 -0
  35. package/bundled/skills/prizmkit-deploy/references/ssh-bootstrap-flow.md +49 -0
  36. package/bundled/skills/prizmkit-deploy/references/ssh-execution-flow.md +41 -0
  37. package/bundled/skills/prizmkit-deploy/references/ssh-takeover.md +20 -0
  38. package/bundled/skills/prizmkit-implement/SKILL.md +7 -1
  39. package/bundled/skills/prizmkit-plan/SKILL.md +1 -83
  40. package/bundled/skills/prizmkit-plan/references/examples.md +85 -0
  41. package/bundled/skills/prizmkit-prizm-docs/SKILL.md +14 -0
  42. package/bundled/skills/prizmkit-retrospective/SKILL.md +1 -1
  43. package/bundled/skills/prizmkit-test/SKILL.md +3 -151
  44. package/bundled/skills/prizmkit-test/references/examples.md +70 -0
  45. package/bundled/skills/prizmkit-test/references/test-generation-steps.md +49 -0
  46. package/bundled/skills/prizmkit-test/references/test-report-template.md +42 -0
  47. package/bundled/skills/recovery-workflow/SKILL.md +24 -103
  48. package/bundled/skills/recovery-workflow/references/detection.md +58 -0
  49. package/bundled/skills/refactor-pipeline-launcher/SKILL.md +9 -96
  50. package/bundled/skills/refactor-pipeline-launcher/references/configuration.md +88 -0
  51. package/bundled/skills/refactor-planner/SKILL.md +15 -157
  52. package/bundled/skills/refactor-planner/references/fast-path.md +59 -0
  53. package/bundled/skills/refactor-planner/references/planning-phases.md +135 -0
  54. package/bundled/skills/refactor-workflow/SKILL.md +18 -178
  55. package/bundled/skills/refactor-workflow/references/brainstorm-guide.md +116 -0
  56. package/bundled/skills-windows/app-planner/SKILL.md +12 -358
  57. package/bundled/skills-windows/app-planner/references/infrastructure-convention-discovery.md +108 -0
  58. package/bundled/skills-windows/app-planner/references/project-conventions-discovery.md +59 -0
  59. package/bundled/skills-windows/app-planner/references/project-state-detection.md +90 -0
  60. package/bundled/skills-windows/app-planner/references/rules/backend/derivation-rules.md +10 -0
  61. package/bundled/skills-windows/app-planner/references/rules/database/derivation-rules.md +9 -0
  62. package/bundled/skills-windows/app-planner/references/rules/frontend/derivation-rules.md +10 -0
  63. package/bundled/skills-windows/app-planner/references/rules/frontend/question-bank.md +17 -0
  64. package/bundled/skills-windows/app-planner/references/rules/frontend/template.md +19 -0
  65. package/bundled/skills-windows/app-planner/references/rules/mobile/derivation-rules.md +10 -0
  66. package/bundled/skills-windows/app-planner/references/rules-configuration.md +46 -0
  67. package/bundled/skills-windows/bug-fix-workflow/SKILL.md +18 -54
  68. package/bundled/skills-windows/bug-fix-workflow/references/bug-diagnosis.md +41 -0
  69. package/bundled/skills-windows/bug-planner/SKILL.md +20 -12
  70. package/bundled/skills-windows/bugfix-pipeline-launcher/SKILL.md +6 -91
  71. package/bundled/skills-windows/bugfix-pipeline-launcher/references/configuration.md +94 -0
  72. package/bundled/skills-windows/feature-pipeline-launcher/SKILL.md +19 -88
  73. package/bundled/skills-windows/feature-pipeline-launcher/references/configuration.md +77 -0
  74. package/bundled/skills-windows/feature-planner/SKILL.md +5 -9
  75. package/bundled/skills-windows/feature-workflow/SKILL.md +27 -184
  76. package/bundled/skills-windows/feature-workflow/references/brainstorm-guide.md +137 -0
  77. package/bundled/skills-windows/prizm-kit/SKILL.md +14 -2
  78. package/bundled/skills-windows/prizmkit-code-review/SKILL.md +67 -136
  79. package/bundled/skills-windows/prizmkit-code-review/references/dev-agent-prompt.md +30 -0
  80. package/bundled/skills-windows/prizmkit-code-review/references/review-report-template.md +31 -0
  81. package/bundled/skills-windows/prizmkit-code-review/references/reviewer-agent-prompt.md +62 -0
  82. package/bundled/skills-windows/prizmkit-code-review/scripts/check_loop.py +186 -0
  83. package/bundled/skills-windows/prizmkit-committer/SKILL.md +8 -0
  84. package/bundled/skills-windows/prizmkit-deploy/SKILL.md +50 -74
  85. package/bundled/skills-windows/prizmkit-deploy/references/data-safety-examples.md +120 -0
  86. package/bundled/skills-windows/prizmkit-deploy/references/direct-upload.md +3 -3
  87. package/bundled/skills-windows/prizmkit-deploy/references/ssh-bootstrap-flow.md +49 -0
  88. package/bundled/skills-windows/prizmkit-deploy/references/ssh-execution-flow.md +41 -0
  89. package/bundled/skills-windows/prizmkit-deploy/references/ssh-takeover.md +20 -0
  90. package/bundled/skills-windows/prizmkit-deploy/references/ssl-setup.md +2 -2
  91. package/bundled/skills-windows/prizmkit-implement/SKILL.md +7 -1
  92. package/bundled/skills-windows/prizmkit-plan/SKILL.md +1 -83
  93. package/bundled/skills-windows/prizmkit-plan/references/examples.md +85 -0
  94. package/bundled/skills-windows/prizmkit-prizm-docs/SKILL.md +14 -0
  95. package/bundled/skills-windows/prizmkit-retrospective/SKILL.md +1 -1
  96. package/bundled/skills-windows/prizmkit-retrospective/references/structural-sync-steps.md +1 -1
  97. package/bundled/skills-windows/prizmkit-test/SKILL.md +3 -151
  98. package/bundled/skills-windows/prizmkit-test/references/examples.md +70 -0
  99. package/bundled/skills-windows/prizmkit-test/references/test-generation-steps.md +49 -0
  100. package/bundled/skills-windows/prizmkit-test/references/test-report-template.md +42 -0
  101. package/bundled/skills-windows/recovery-workflow/SKILL.md +24 -125
  102. package/bundled/skills-windows/recovery-workflow/references/detection.md +58 -0
  103. package/bundled/skills-windows/refactor-pipeline-launcher/SKILL.md +8 -77
  104. package/bundled/skills-windows/refactor-pipeline-launcher/references/configuration.md +82 -0
  105. package/bundled/skills-windows/refactor-planner/SKILL.md +15 -157
  106. package/bundled/skills-windows/refactor-planner/references/fast-path.md +59 -0
  107. package/bundled/skills-windows/refactor-planner/references/planning-phases.md +135 -0
  108. package/bundled/skills-windows/refactor-workflow/SKILL.md +18 -178
  109. package/bundled/skills-windows/refactor-workflow/references/brainstorm-guide.md +116 -0
  110. package/package.json +1 -1
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: "prizmkit-deploy"
3
- description: "Universal deployment gateway for any PrizmKit project. Discovers project type and target (SSH server, Vercel, Docker, etc.), then routes: full automation for SSH Linux with PM2 + Nginx + blue/green switching, guided setup for cloud platforms, or safe documentation fallback for unsupported targets. Also operates existing deployments: status, logs, restart, rollback, health checks, history, validate. Use this skill whenever the user asks about deployment, hosting, going live, or server operations. Triggers on: 'deploy', 'ship it', 'take this live', 'deploy to Vercel', 'deploy to my server', 'check deploy status', 'view logs', 'restart app', 'rollback', 'how do I deploy this', any deployment or hosting question."
3
+ description: "Universal deployment gateway for any PrizmKit project. Discovers project type and target (SSH server, Vercel, Docker, etc.), then routes: full automation for SSH Linux with PM2 + Nginx + blue/green switching, guided setup for cloud platforms, or safe documentation fallback for unsupported targets. Also operates existing deployments: status, logs, restart, rollback, health checks, history, validate. Use this skill whenever the user asks about deployment, hosting, going live, or server operations. Triggers on: 'deploy', 'ship it', 'take this live', 'deploy to Vercel', 'deploy to my server', 'check deploy status', 'view logs', 'restart app', 'rollback', 'how do I deploy this', any deployment or hosting question. (project)"
4
4
  ---
5
5
 
6
6
  # PrizmKit Deploy — Universal Deployment Gateway
@@ -14,6 +14,51 @@ Three possible outcomes depending on what's supported:
14
14
 
15
15
  When invited, behave as a deployment engineer. Ask until you understand what is being deployed, where it runs, how it is built, how it starts, what secrets it needs, how traffic reaches it, and how health is checked.
16
16
 
17
+ ### When to Use
18
+ - User says "deploy", "ship it", "take this live", "deploy to Vercel", "deploy to my server"
19
+ - User wants to check deploy status, view logs, restart app, rollback
20
+ - First-time deployment configuration or repair
21
+ - Any deployment, hosting, or server operation question
22
+
23
+ ### When NOT to Use
24
+ - Project has no code to deploy (empty/scaffold project)
25
+ - Local dev environment startup — use the project's dev scripts instead
26
+ - Purely CI/CD pipeline debugging unrelated to deployment
27
+ - User wants to edit application code — use /prizmkit-plan and /prizmkit-implement
28
+
29
+ ## Data Safety Gate
30
+
31
+ Before executing any command that could **irreversibly destroy, overwrite, or modify data**, pause and get explicit user confirmation. This is a hard gate — the cost of a false negative (losing real data) is catastrophic, while asking one extra question costs nothing.
32
+
33
+ ### Detection
34
+
35
+ Before running any shell command, scan it for these patterns:
36
+
37
+ | Category | Dangerous patterns | What's at risk |
38
+ |----------|-------------------|----------------|
39
+ | Database schema | `prisma db push --force-reset`, `prisma db push --accept-data-loss`, `prisma migrate reset`, `prisma migrate dev --create-only` | All existing data dropped, schema reset |
40
+ | Database data | `DROP TABLE`, `DROP DATABASE`, `TRUNCATE`, `DELETE FROM` without `WHERE`, `UPDATE` without `WHERE` | Data deletion or corruption |
41
+ | File system | `rm -rf`, `> /etc/`, overwriting existing configs without backup | Config loss, system breakage |
42
+ | Cloud resources | `terraform destroy`, `kubectl delete`, cloud resource deletion, S3 bucket removal | Infrastructure/service loss |
43
+
44
+ ### Confirmation Flow
45
+
46
+ When a dangerous pattern is detected:
47
+
48
+ 1. **Stop.** Do not execute. Do not ask "should I proceed?" while already running the command.
49
+ 2. **Explain** what the command will do and what data will be lost, in plain language.
50
+ 3. **Ask** an explicit yes/no question. Accept only a clear "yes" or equivalent — ambiguous responses ("sure, I guess", "ok go ahead") count as "no" when the consequence is data loss.
51
+ 4. **Only proceed** on unambiguous consent. If the user says anything other than a clear affirmative, abort.
52
+ 5. **Record** the confirmation decision and the command that was run in deploy history.
53
+
54
+ ### Headless Mode
55
+
56
+ If a destructive data operation is detected in headless mode, **refuse and exit** with `DATA_SAFETY_DENIED`. Data destruction must never happen without human oversight — an unattended pipeline that runs `--force-reset` could wipe a production database with no one watching.
57
+
58
+ ### Examples
59
+
60
+ Read `${SKILL_DIR}/references/data-safety-examples.md` for concrete few-shot examples of dangerous commands caught by this gate, including the correct and incorrect ways to handle them.
61
+
17
62
  ## Deployment Discovery
18
63
 
19
64
  Before doing anything else, discover what you're deploying and where. This phase routes the request to the right adapter or fallback. It runs regardless of mode (interactive or headless), but interactive mode may ask questions; headless mode reads from existing config and exits with `NEEDS_INPUT` if critical details are missing.
@@ -245,39 +290,7 @@ Write `deploy.config.json` with all collected values and `validated: {}` stubs f
245
290
 
246
291
  Before first deployment, bootstrap the server. Present a plan showing every privileged action before executing anything.
247
292
 
248
- **Always-run preflight:**
249
- ```
250
- locale-gen en_US.UTF-8 # fix locale warnings on bare Ubuntu
251
- apt-get update -qq # refresh package list
252
- ```
253
-
254
- **Check-and-install (idempotent):** Node.js, npm, PM2, Nginx, Git. Use v22 LTS if v25 not available.
255
-
256
- **Detect port conflicts:** `ss -tlnp | grep :80 || true`. If port 80/443 is occupied, report and ask how to resolve.
257
-
258
- **User and directory setup:**
259
- ```
260
- useradd -m -s /bin/bash <runtimeUser> # if not exists
261
- mkdir -p /var/www/<project>/{releases,shared,deploy-logs}
262
- chown -R <runtimeUser>:<runtimeUser> /var/www/<project>
263
- ```
264
-
265
- **PM2 startup:**
266
- ```
267
- env PATH=$PATH:/usr/bin pm2 startup systemd -u <runtimeUser> --hp /home/<runtimeUser>
268
- ```
269
-
270
- **Deploy key (Pull mode only):**
271
- ```
272
- sudo -u <runtimeUser> ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
273
- sudo -u <runtimeUser> ssh-keyscan -H github.com >> ~/.ssh/known_hosts
274
- ```
275
-
276
- **Security baseline (firewall):** After core tools are installed, ask whether to configure ufw. If user agrees, read `references/firewall-setup.md` for the full interactive flow and rule templates.
277
-
278
- **Database setup:** If Discovery detected database drivers, ask whether to install the database on the server. If user agrees, read `references/database-setup.md` for platform-specific setup commands and security notes.
279
-
280
- After each bootstrap step, record the result. Bootstrap operations must be idempotent. Back up any existing config files before modifying them.
293
+ Read `${SKILL_DIR}/references/ssh-bootstrap-flow.md` for the full bootstrap procedure (preflight, check-and-install, user/dir setup, PM2 startup, deploy key). When the bootstrap reaches firewall or database steps, it routes to `references/firewall-setup.md` and `references/database-setup.md`. Key rules: bootstrap operations must be idempotent, existing config files must be backed up before modification, and each step's result must be recorded.
281
294
 
282
295
  ### SSH: Direct Upload Deployment
283
296
 
@@ -310,37 +323,7 @@ Full procedure in `references/ssl-setup.md`.
310
323
 
311
324
  ### SSH: Deployment Execution Flow
312
325
 
313
- Pipeline runs in strict order. Each group must complete before the next begins. If any step before traffic switch fails, STOP — do not touch the live version.
314
-
315
- **Pre-flight — Change Summary:** Show what will be deployed using `git log --oneline <last-deployed-commit>..HEAD`. If first deployment, show last 5 commits. If no new commits, warn "没有新的代码变更。确定要重新部署吗?"
316
-
317
- **Group 1 — Pre-flight & Prepare:**
318
- - Verify SSH, runtime user, tools, deploy key, port availability.
319
- - Generate `releaseId`: `YYYYMMDD-<short-commit-sha>`. Create `releases/<releaseId>`.
320
- - Determine target color: read `activeColor` from `shared/deploy-metadata.json` and use the opposite. If first deploy (no metadata, no `current` symlink), default to blue (port 3101).
321
-
322
- **Group 2 — Fetch & Build:**
323
-
324
- - **CI/CD Pull mode** (server-side build): git clone → install → copy `.env.production` before build (NEXT_PUBLIC_* vars are baked at build time) → build. If build fails: STOP.
325
- - **CI/CD Push mode** (runner-side build): extract tarball, skip install/build.
326
- - **Direct-upload mode**: build was already done locally and SCP'd. Skip this group.
327
-
328
- **Group 3 — Stage & Health Check:**
329
- - Start new version on inactive port via PM2: `pm2 start npm --name <project>-<app>-<color> -- run start -- -p <inactivePort>`.
330
- - PM2 process naming: `<project>-<app>-<color>` (e.g., `prizm-ideas-web-green`).
331
- - Wait 3-5 seconds, run health checks against new port. If any fails: STOP, do NOT switch traffic.
332
-
333
- **Group 4 — Switch & Verify:**
334
- - Update Nginx upstream to new port. Run `nginx -t` — abort on failure.
335
- - `systemctl reload nginx`. Update `current` symlink to new release.
336
- - Write `shared/deploy-metadata.json` with new `activeColor`, `activePort`, `lastReleaseId`.
337
- - Run health checks against public endpoint. If any fails: rollback immediately.
338
-
339
- **Group 5 — Cleanup & Record:**
340
- - Stop old PM2 process. Remove oldest releases beyond `releaseRetention` count. `pm2 save`.
341
- - Write deploy-history JSON. Update `deploy.config.json` validation status.
342
-
343
- **Post-deploy — Completion Summary:** Output a summary (project, URL, version, duration, health status) and append to deploy.md. If `deployStrategy` is `"direct-upload"`, offer CI/CD upgrade (see §SSH: Post-Deploy CI/CD Upgrade).
326
+ Read `${SKILL_DIR}/references/ssh-execution-flow.md` for the full 5-group pipeline: pre-flight, fetch & build, stage & health check, switch & verify, cleanup & record. Key invariant: if any step before traffic switch fails, STOP — do not touch the live version.
344
327
 
345
328
  ### SSH: Blue/Green PM2 + Nginx Strategy
346
329
 
@@ -405,14 +388,7 @@ Deploy history records secret presence metadata only (e.g., `{"SUPABASE_SERVICE_
405
388
 
406
389
  ### SSH: Existing Deployment Takeover
407
390
 
408
- When deploying to a server that already has deployment assets:
409
-
410
- 1. Detect: existing `/var/www/<project>` directory, existing PM2 processes with similar names, Nginx config referencing the same domain/IP, port conflicts.
411
- 2. Report findings and ask for takeover decision:
412
- - **Take over and backup**: Back up existing config, then proceed.
413
- - **Coexist**: Use different directory/ports/process names.
414
- - **Manual resolve**: Stop and let the user handle it.
415
- 3. Record takeover decision and validation results in config and history.
391
+ When deploying to a server that already has deployment assets, read `${SKILL_DIR}/references/ssh-takeover.md` for the detection procedure and takeover decision flow. Record takeover decision and validation results in config and history.
416
392
 
417
393
  ### SSH: Nginx Management
418
394
 
@@ -0,0 +1,120 @@
1
+ # Data Safety Examples
2
+
3
+ Few-shot examples for the Data Safety Gate in `/prizmkit-deploy`. Read this file when a dangerous command pattern is detected — it shows the correct confirmation flow and illustrates what happens when the gate is skipped.
4
+
5
+ ## Example 1: Prisma Force Reset (the incident)
6
+
7
+ **Context:** User runs `/prizmkit-deploy` to deploy a Next.js + Prisma project. During database setup, the model needs to sync the Prisma schema with the database.
8
+
9
+ **Wrong — skipping the gate:**
10
+ ```
11
+ Model: I'll sync your database schema now.
12
+ $ prisma db push --force-reset --accept-schema
13
+ → All tables dropped. All production data lost. No backup. No confirmation.
14
+ ```
15
+ This happened in production. `--force-reset` drops and recreates every table. `--accept-schema` bypasses Prisma's own confirmation prompt. The model ran both flags without asking the user whether existing data should be preserved.
16
+
17
+ **Correct — with the safety gate:**
18
+ ```
19
+ Model: I detected that your database needs a schema sync. However, before I do anything:
20
+
21
+ WARNING: The Prisma schema has changes that could affect existing data.
22
+ - New tables to create: 0
23
+ - Tables that may be modified: 2 (users, orders)
24
+ - If I run `prisma db push --force-reset`, ALL existing data will be DESTROYED.
25
+
26
+ Options:
27
+ 1. prisma db push (safe — only adds missing tables/columns, no data loss)
28
+ 2. prisma db push --force-reset (DANGEROUS — drops and recreates all tables, all data lost)
29
+ 3. prisma migrate dev (creates a migration file you can review first)
30
+
31
+ Which approach do you want? (1/2/3)
32
+ ```
33
+
34
+ The `--accept-schema` flag should never be used — it suppresses Prisma's own built-in safety prompts that protect the user.
35
+
36
+ ## Example 2: Prisma Migrate Reset
37
+
38
+ **Context:** User wants to reset their dev database to a clean state for testing.
39
+
40
+ **Correct detection and confirmation:**
41
+ ```
42
+ Model: `prisma migrate reset` will:
43
+ - Drop the entire database
44
+ - Recreate it from scratch
45
+ - Run all migrations
46
+
47
+ This is a DESTRUCTIVE operation. All data in the database will be permanently lost.
48
+
49
+ Are you sure this is a dev/test database with no important data? (yes/no)
50
+ ```
51
+
52
+ In production or any environment with real data: refuse immediately. This command should only run in dev with explicit user confirmation.
53
+
54
+ ## Example 3: Raw SQL Data Modification
55
+
56
+ **Context:** During deployment, the model considers running a SQL command to fix a data issue.
57
+
58
+ **Correct detection and confirmation:**
59
+ ```
60
+ Model: To fix the duplicate user records, I would run:
61
+ ```sql
62
+ DELETE FROM users WHERE email IS NULL AND created_at < '2025-01-01';
63
+ ```
64
+
65
+ This would delete approximately 340 user records. BEFORE I run this:
66
+
67
+ 1. Would you like me to run a SELECT first to show you exactly which rows would be deleted?
68
+ 2. Do you want to back up the users table before deletion?
69
+ 3. Confirm: Delete these 340 records? (yes/no)
70
+
71
+ I will not proceed without your explicit confirmation.
72
+ ```
73
+
74
+ ## Example 4: Overwriting Production Configuration
75
+
76
+ **Context:** During bootstrap, the model needs to write an Nginx config, but one already exists at the target path.
77
+
78
+ **Correct detection and confirmation:**
79
+ ```
80
+ Model: Found existing Nginx config at /etc/nginx/sites-enabled/myapp.
81
+
82
+ This file is NOT managed by PrizmKit (no `# PrizmKit Managed:` marker).
83
+ Overwriting it could break existing site configuration.
84
+
85
+ Options:
86
+ 1. Back up the existing config to /etc/nginx/sites-enabled/myapp.bak, then write new config
87
+ 2. Create new config alongside existing one with a different name
88
+ 3. Skip — keep the existing config as-is
89
+
90
+ Which approach? (1/2/3)
91
+ ```
92
+
93
+ ## Example 5: Confirmation Dialogue Template
94
+
95
+ When the gate triggers, use this dialogue structure:
96
+
97
+ ```
98
+ ============================================================
99
+ DATA SAFETY GATE — DESTRUCTIVE OPERATION DETECTED
100
+ ============================================================
101
+
102
+ Command: <the dangerous command>
103
+ Risk level: HIGH / CRITICAL
104
+ What will be lost: <plain-language description of affected data>
105
+
106
+ Current state:
107
+ - Database: <name>, <size>, <table count>
108
+ - Affected tables: <list>
109
+ - Last backup: <date if known, or "unknown — backup recommended">
110
+
111
+ Recommended safe approach:
112
+ <alternative if one exists>
113
+
114
+ Do you want to proceed with this destructive operation?
115
+ Type "yes, I understand the data will be lost" to confirm.
116
+ Any other response will abort.
117
+ ============================================================
118
+ ```
119
+
120
+ This format forces the user to read and acknowledge the risk before proceeding.
@@ -0,0 +1,49 @@
1
+ # SSH Bootstrap Flow
2
+
3
+ Bootstraps the server before first deployment. Present a plan showing every privileged action before executing anything.
4
+
5
+ ## Always-Run Preflight
6
+
7
+ ```
8
+ locale-gen en_US.UTF-8 # fix locale warnings on bare Ubuntu
9
+ apt-get update -qq # refresh package list
10
+ ```
11
+
12
+ ## Check-and-Install (idempotent)
13
+
14
+ Node.js, npm, PM2, Nginx, Git. Use v22 LTS if v25 not available.
15
+
16
+ ## Detect Port Conflicts
17
+
18
+ `ss -tlnp | grep :80 || true`. If port 80/443 is occupied, report and ask how to resolve.
19
+
20
+ ## User and Directory Setup
21
+
22
+ ```
23
+ useradd -m -s /bin/bash <runtimeUser> # if not exists
24
+ mkdir -p /var/www/<project>/{releases,shared,deploy-logs}
25
+ chown -R <runtimeUser>:<runtimeUser> /var/www/<project>
26
+ ```
27
+
28
+ ## PM2 Startup
29
+
30
+ ```
31
+ env PATH=$PATH:/usr/bin pm2 startup systemd -u <runtimeUser> --hp /home/<runtimeUser>
32
+ ```
33
+
34
+ ## Deploy Key (Pull mode only)
35
+
36
+ ```
37
+ sudo -u <runtimeUser> ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
38
+ sudo -u <runtimeUser> ssh-keyscan -H github.com >> ~/.ssh/known_hosts
39
+ ```
40
+
41
+ ## Security Baseline (Firewall)
42
+
43
+ After core tools are installed, ask whether to configure ufw. If user agrees, read `references/firewall-setup.md` for the full interactive flow and rule templates.
44
+
45
+ ## Database Setup
46
+
47
+ If Discovery detected database drivers, ask whether to install the database on the server. If user agrees, read `references/database-setup.md` for platform-specific setup commands and security notes.
48
+
49
+ After each bootstrap step, record the result. Bootstrap operations must be idempotent. Back up any existing config files before modifying them.
@@ -0,0 +1,41 @@
1
+ # SSH: Deployment Execution Flow
2
+
3
+ Pipeline runs in strict order. Each group must complete before the next begins. If any step before traffic switch fails, STOP — do not touch the live version.
4
+
5
+ ## Pre-flight — Change Summary
6
+
7
+ Show what will be deployed using `git log --oneline <last-deployed-commit>..HEAD`. If first deployment, show last 5 commits. If no new commits, warn "没有新的代码变更。确定要重新部署吗?"
8
+
9
+ ## Group 1 — Pre-flight & Prepare
10
+
11
+ - Verify SSH, runtime user, tools, deploy key, port availability.
12
+ - Generate `releaseId`: `YYYYMMDD-<short-commit-sha>`. Create `releases/<releaseId>`.
13
+ - Determine target color: read `activeColor` from `shared/deploy-metadata.json` and use the opposite. If first deploy (no metadata, no `current` symlink), default to blue (port 3101).
14
+
15
+ ## Group 2 — Fetch & Build
16
+
17
+ - **CI/CD Pull mode** (server-side build): git clone → install → copy `.env.production` before build (NEXT_PUBLIC_* vars are baked at build time) → build. If build fails: STOP.
18
+ - **CI/CD Push mode** (runner-side build): extract tarball, skip install/build.
19
+ - **Direct-upload mode**: build was already done locally and SCP'd. Skip this group.
20
+
21
+ ## Group 3 — Stage & Health Check
22
+
23
+ - Start new version on inactive port via PM2: `pm2 start npm --name <project>-<app>-<color> -- run start -- -p <inactivePort>`.
24
+ - PM2 process naming: `<project>-<app>-<color>` (e.g., `prizm-ideas-web-green`).
25
+ - Wait 3-5 seconds, run health checks against new port. If any fails: STOP, do NOT switch traffic.
26
+
27
+ ## Group 4 — Switch & Verify
28
+
29
+ - Update Nginx upstream to new port. Run `nginx -t` — abort on failure.
30
+ - `systemctl reload nginx`. Update `current` symlink to new release.
31
+ - Write `shared/deploy-metadata.json` with new `activeColor`, `activePort`, `lastReleaseId`.
32
+ - Run health checks against public endpoint. If any fails: rollback immediately.
33
+
34
+ ## Group 5 — Cleanup & Record
35
+
36
+ - Stop old PM2 process. Remove oldest releases beyond `releaseRetention` count. `pm2 save`.
37
+ - Write deploy-history JSON. Update `deploy.config.json` validation status.
38
+
39
+ ## Post-deploy — Completion Summary
40
+
41
+ Output a summary (project, URL, version, duration, health status) and append to deploy.md. If `deployStrategy` is `"direct-upload"`, offer CI/CD upgrade (see §SSH: Post-Deploy CI/CD Upgrade).
@@ -0,0 +1,20 @@
1
+ # SSH: Existing Deployment Takeover
2
+
3
+ When deploying to a server that already has deployment assets.
4
+
5
+ ## Detection
6
+
7
+ 1. Check for existing `/var/www/<project>` directory
8
+ 2. Check for existing PM2 processes with similar names
9
+ 3. Check Nginx config referencing the same domain/IP
10
+ 4. Check for port conflicts
11
+
12
+ ## Decision Flow
13
+
14
+ Report findings and ask for takeover decision:
15
+
16
+ - **Take over and backup**: Back up existing config, then proceed.
17
+ - **Coexist**: Use different directory/ports/process names.
18
+ - **Manual resolve**: Stop and let the user handle it.
19
+
20
+ Record takeover decision and validation results in config and history.
@@ -10,6 +10,12 @@ description: "Execute plan.md tasks with TDD approach. Respects task ordering an
10
10
  - User says "implement", "build", "code it", "start coding", "develop"
11
11
  - For fast-path: user describes a simple change directly (fast-path skips specify, but still requires a simplified plan.md with Tasks section)
12
12
 
13
+ ### When NOT to Use
14
+ - No plan.md exists — run /prizmkit-plan first
15
+ - All tasks in plan.md are already checked off — nothing to implement
16
+ - Trivial one-line changes (typo, config tweak) — edit directly without the full workflow
17
+ - Design/planning phase — use /prizmkit-plan to produce spec and plan first
18
+
13
19
  **PRECONDITION:**
14
20
 
15
21
  | Required Artifact | Check | If Missing |
@@ -17,7 +23,7 @@ description: "Execute plan.md tasks with TDD approach. Respects task ordering an
17
23
  | `plan.md` with Tasks section | File exists + unchecked tasks | Run `/prizmkit-plan` |
18
24
  | `spec.md` | File exists in same directory as plan.md | Run `/prizmkit-plan` |
19
25
 
20
- **Artifact directory**: Accept `artifact_dir` from caller. If not provided, scan `.prizmkit/` subdirectories for the most recently modified `plan.md` with unchecked tasks.
26
+ **Artifact directory**: Accept `artifact_dir` from caller. If not provided, scan `.prizmkit/` subdirectories for the most recently modified `plan.md` with unchecked tasks. When invoked as a handoff step in a skill chain, reuse the `artifact_dir` from the previous skill rather than re-detecting — re-detection can resolve to a different feature's directory in a multi-task workspace.
21
27
 
22
28
  ## Input
23
29
 
@@ -86,89 +86,7 @@ A universal spec + plan generator. Takes a natural-language description of ANY d
86
86
 
87
87
  ## Examples
88
88
 
89
- ### Example 1: New Feature
90
-
91
- **Input:** "I want users to upload avatars"
92
-
93
- **Phase 0 output:** `.prizmkit/specs/003-user-avatar/spec.md`
94
- ```markdown
95
- # User Avatar Upload
96
- ## Overview
97
- Allow registered users to upload and manage profile pictures.
98
- ## Goals
99
- ### G-1: Upload Avatar
100
- As a registered user, I want to upload a profile picture,
101
- so that other users can visually identify me.
102
- **Acceptance Criteria:**
103
- - Given I am on my profile page
104
- - When I select an image file and click upload
105
- - Then my avatar is updated and visible across the platform
106
- ## Scope
107
- - **In scope:** Upload, display, remove avatar; image format validation
108
- - **Out of scope:** Image cropping/editing, avatar history
109
- ```
110
-
111
- **Phase 1-2 output:** `plan.md` excerpt:
112
- ```markdown
113
- ## Tasks
114
- ### Phase: Foundation (T-010~T-019)
115
- - [ ] [T-010] [G-1] Add avatar_url field to User model — file: src/models/user.ts
116
- - [ ] [T-011] [G-1] Create S3 upload utility — file: src/lib/s3.ts
117
- ### Phase: Core [P] (T-100~T-109)
118
- - [ ] [T-100] [P] [G-1] POST /api/avatar upload endpoint — file: src/routes/avatar.ts
119
- ```
120
-
121
- ### Example 2: Refactoring
122
-
123
- **Input:** "Extract shared auth middleware from the API routes"
124
-
125
- **Phase 0 output:** `.prizmkit/specs/004-extract-auth-middleware/spec.md`
126
- ```markdown
127
- # Extract Auth Middleware
128
- ## Overview
129
- Consolidate duplicated authentication logic scattered across route files into a single shared middleware.
130
- ## Goals
131
- ### G-1: Extract Shared Authentication Logic
132
- Consolidate duplicated auth checks from 5 route files into a single middleware module.
133
- **Acceptance Criteria:**
134
- - All existing auth-related tests pass without modification
135
- - Auth logic exists in exactly one file (src/middleware/auth.ts)
136
- - No route file contains inline token verification
137
- ## Scope
138
- - **In scope:** src/routes/users.ts, orders.ts, admin.ts, payments.ts, profile.ts
139
- - **Out of scope:** Authorization (role-based access), rate limiting
140
- ## Behavior Preservation
141
- - All 23 existing API tests must pass unchanged
142
- - Response formats and HTTP status codes must not change
143
- - Error message strings must remain identical
144
- ```
145
-
146
- ### Example 3: Bug Fix
147
-
148
- **Input:** "Login page crashes when API returns 401"
149
-
150
- **Phase 0 output:** `.prizmkit/specs/005-login-401-crash/spec.md`
151
- ```markdown
152
- # Fix: Login Crash on 401 Response
153
- ## Overview
154
- Login page throws unhandled exception when auth API returns 401, causing a white screen.
155
- ## Goals
156
- ### G-1: Handle 401 Response Gracefully
157
- When the auth API returns 401, display an error message instead of crashing.
158
- **Acceptance Criteria:**
159
- - Given user submits invalid credentials, When API returns 401, Then error message "Invalid credentials" is displayed
160
- - Given user submits invalid credentials, When API returns 401, Then no unhandled exception is thrown
161
- ## Root Cause
162
- - Error classification: Runtime
163
- - Root cause: `AuthService.handleLogin()` at src/services/auth.ts:42 does not handle null token
164
- - Affected files: src/services/auth.ts (L42), src/pages/login.tsx (L28)
165
- ## Scope
166
- - **In scope:** Null handling in auth service, error display in login page
167
- - **Out of scope:** Other HTTP error codes (403, 500), auth flow redesign
168
- ## Behavior Preservation
169
- - All existing login success tests must pass unchanged
170
- - Auth token flow for valid credentials must not change
171
- ```
89
+ Read `${SKILL_DIR}/references/examples.md` for worked examples of feature, refactoring, and bug fix planning.
172
90
 
173
91
  ## References
174
92
 
@@ -0,0 +1,85 @@
1
+ # Plan Examples
2
+
3
+ ## Example 1: New Feature
4
+
5
+ **Input:** "I want users to upload avatars"
6
+
7
+ **Phase 0 output:** `.prizmkit/specs/003-user-avatar/spec.md`
8
+ ```markdown
9
+ # User Avatar Upload
10
+ ## Overview
11
+ Allow registered users to upload and manage profile pictures.
12
+ ## Goals
13
+ ### G-1: Upload Avatar
14
+ As a registered user, I want to upload a profile picture,
15
+ so that other users can visually identify me.
16
+ **Acceptance Criteria:**
17
+ - Given I am on my profile page
18
+ - When I select an image file and click upload
19
+ - Then my avatar is updated and visible across the platform
20
+ ## Scope
21
+ - **In scope:** Upload, display, remove avatar; image format validation
22
+ - **Out of scope:** Image cropping/editing, avatar history
23
+ ```
24
+
25
+ **Phase 1-2 output:** `plan.md` excerpt:
26
+ ```markdown
27
+ ## Tasks
28
+ ### Phase: Foundation (T-010~T-019)
29
+ - [ ] [T-010] [G-1] Add avatar_url field to User model — file: src/models/user.ts
30
+ - [ ] [T-011] [G-1] Create S3 upload utility — file: src/lib/s3.ts
31
+ ### Phase: Core [P] (T-100~T-109)
32
+ - [ ] [T-100] [P] [G-1] POST /api/avatar upload endpoint — file: src/routes/avatar.ts
33
+ ```
34
+
35
+ ## Example 2: Refactoring
36
+
37
+ **Input:** "Extract shared auth middleware from the API routes"
38
+
39
+ **Phase 0 output:** `.prizmkit/specs/004-extract-auth-middleware/spec.md`
40
+ ```markdown
41
+ # Extract Auth Middleware
42
+ ## Overview
43
+ Consolidate duplicated authentication logic scattered across route files into a single shared middleware.
44
+ ## Goals
45
+ ### G-1: Extract Shared Authentication Logic
46
+ Consolidate duplicated auth checks from 5 route files into a single middleware module.
47
+ **Acceptance Criteria:**
48
+ - All existing auth-related tests pass without modification
49
+ - Auth logic exists in exactly one file (src/middleware/auth.ts)
50
+ - No route file contains inline token verification
51
+ ## Scope
52
+ - **In scope:** src/routes/users.ts, orders.ts, admin.ts, payments.ts, profile.ts
53
+ - **Out of scope:** Authorization (role-based access), rate limiting
54
+ ## Behavior Preservation
55
+ - All 23 existing API tests must pass unchanged
56
+ - Response formats and HTTP status codes must not change
57
+ - Error message strings must remain identical
58
+ ```
59
+
60
+ ## Example 3: Bug Fix
61
+
62
+ **Input:** "Login page crashes when API returns 401"
63
+
64
+ **Phase 0 output:** `.prizmkit/specs/005-login-401-crash/spec.md`
65
+ ```markdown
66
+ # Fix: Login Crash on 401 Response
67
+ ## Overview
68
+ Login page throws unhandled exception when auth API returns 401, causing a white screen.
69
+ ## Goals
70
+ ### G-1: Handle 401 Response Gracefully
71
+ When the auth API returns 401, display an error message instead of crashing.
72
+ **Acceptance Criteria:**
73
+ - Given user submits invalid credentials, When API returns 401, Then error message "Invalid credentials" is displayed
74
+ - Given user submits invalid credentials, When API returns 401, Then no unhandled exception is thrown
75
+ ## Root Cause
76
+ - Error classification: Runtime
77
+ - Root cause: `AuthService.handleLogin()` at src/services/auth.ts:42 does not handle null token
78
+ - Affected files: src/services/auth.ts (L42), src/pages/login.tsx (L28)
79
+ ## Scope
80
+ - **In scope:** Null handling in auth service, error display in login page
81
+ - **Out of scope:** Other HTTP error codes (403, 500), auth flow redesign
82
+ ## Behavior Preservation
83
+ - All existing login success tests must pass unchanged
84
+ - Auth token flow for valid credentials must not change
85
+ ```
@@ -36,6 +36,19 @@ This skill handles 6 operations. When invoked, determine the user's intent and e
36
36
 
37
37
  **Key principle**: `/prizmkit-prizm-docs` defines WHAT the docs should look like and bootstraps them. `/prizmkit-retrospective` is the SOLE WRITER that keeps docs in sync with code during ongoing development.
38
38
 
39
+ ### When to Use
40
+ - First-time project documentation setup (init)
41
+ - Checking if docs are up to date (status)
42
+ - Rebuilding stale module docs after major changes (rebuild)
43
+ - Validating doc format compliance (validate)
44
+ - Migrating existing docs to Prizm format (migrate)
45
+ - User says "initialize docs", "check doc status", "rebuild docs", "validate docs"
46
+
47
+ ### When NOT to Use
48
+ - Incremental doc updates after code changes → use /prizmkit-retrospective (the sole writer during development)
49
+ - Project has no .prizmkit/prizm-docs/ and user doesn't want to initialize
50
+ - User wants to edit code → use /prizmkit-plan and /prizmkit-implement
51
+
39
52
  ## Operation: Init
40
53
 
41
54
  Bootstrap .prizmkit/prizm-docs/ for the current project.
@@ -46,6 +59,7 @@ PRECONDITION: No .prizmkit/prizm-docs/ directory exists, or user confirms overwr
46
59
 
47
60
  Update .prizmkit/prizm-docs/ to reflect recent code changes.
48
61
  PRECONDITION: .prizmkit/prizm-docs/ exists with root.prizm.
62
+ **Scope guard**: Use Update only for out-of-band resync — when docs drifted from code after manual edits, merges, branch switches, or other changes made outside the dev loop. During the normal feature/bugfix/refactor loop, do NOT use Update: `/prizmkit-retrospective` is the sole writer and keeps docs in sync per task. Running both is redundant and risks conflicting edits.
49
63
  → Read `${SKILL_DIR}/references/op-update.md` for detailed steps.
50
64
 
51
65
  ## Operation: Status
@@ -27,7 +27,7 @@ For initial doc setup, validation, or migration, use `/prizmkit-prizm-docs` inst
27
27
 
28
28
  | Parameter | Required | Description |
29
29
  |-----------|----------|-------------|
30
- | `artifact_dir` | No | Directory containing spec.md, plan.md, review-report.md. If omitted, scan `.prizmkit/` subdirectories for the most recently modified directory with a `plan.md`. If no artifact directory found, run in standalone mode (structural sync only from `git diff`). |
30
+ | `artifact_dir` | No | Directory containing spec.md, plan.md, review-report.md. If omitted, scan `.prizmkit/` subdirectories for the most recently modified directory with a `plan.md`. When invoked as a handoff step, reuse the caller's `artifact_dir` rather than re-detecting. If no artifact directory found, run in standalone mode (structural sync only from `git diff`). |
31
31
 
32
32
  ## When NOT to Use
33
33