rebar-mcp 2.0.0

package/src/services/claudemd-generator.ts

@@ -0,0 +1,481 @@
+/**
+ * Intelligent CLAUDE.md generator.
+ *
+ * Unlike a dumb template fill, this reads the actual project analysis
+ * and generates a CLAUDE.md that reflects the real project — with real
+ * build commands, real dependencies, real architecture rules.
+ *
+ * The output should feel like a senior engineer sat down and wrote it
+ * by hand after spending 30 minutes understanding the project.
+ */
+import type { ProjectAnalysis } from "./project-analyzer.js";
+
+/**
+ * Generates a production-quality CLAUDE.md from project analysis.
+ */
+export function generateClaudeMD(analysis: ProjectAnalysis, compliance: string[] = []): string {
+  const sections: string[] = [];
+
+  // ── Header ────────────────────────────────────────────────────
+  sections.push(`# ${analysis.name}\n`);
+  if (analysis.description) {
+    sections.push(`${analysis.description}\n`);
+  }
+
+  // ── Tech Stack ────────────────────────────────────────────────
+  sections.push(generateTechStackSection(analysis));
+
+  // ── Architecture Rules ────────────────────────────────────────
+  sections.push(generateArchitectureRules(analysis));
+
+  // ── Build & Test ──────────────────────────────────────────────
+  sections.push(generateBuildSection(analysis));
+
+  // ── File Structure ────────────────────────────────────────────
+  if (analysis.sourceDirs.length > 0) {
+    sections.push(generateFileStructure(analysis));
+  }
+
+  // ── Code Conventions ──────────────────────────────────────────
+  sections.push(generateCodeConventions(analysis));
+
+  // ── Database ──────────────────────────────────────────────────
+  if (analysis.database) {
+    sections.push(generateDatabaseSection(analysis));
+  }
+
+  // ── Environment ───────────────────────────────────────────────
+  if (analysis.envVarNames.length > 0) {
+    sections.push(generateEnvSection(analysis));
+  }
+
+  // ── Compliance ────────────────────────────────────────────────
+  if (compliance.length > 0) {
+    sections.push(generateComplianceSection(compliance));
+  }
+
+  return sections.join("\n");
+}
+
+function generateTechStackSection(a: ProjectAnalysis): string {
+  const lines = ["## Tech Stack"];
+
+  // Primary language and version
+  if (a.language === "typescript") {
+    lines.push("- TypeScript (strict mode)");
+  } else if (a.language === "javascript") {
+    lines.push("- JavaScript (ES2022+)");
+  } else if (a.language === "python") {
+    lines.push("- Python 3.11+");
+  } else if (a.language === "go") {
+    lines.push("- Go 1.21+");
+  } else if (a.language === "rust") {
+    lines.push("- Rust (latest stable)");
+  } else if (a.language === "java") {
+    lines.push("- Java 17+ / Spring Boot 3.x");
+  }
+
+  if (a.nodeVersion) {
+    lines.push(`- Node.js ${a.nodeVersion}`);
+  }
+
+  // Frameworks
+  for (const dep of a.keyDependencies.filter((d) => d.category === "framework")) {
+    lines.push(`- ${dep.name} — ${dep.description}`);
+  }
+
+  // Database/ORM
+  for (const dep of a.keyDependencies.filter((d) => d.category === "orm")) {
+    lines.push(`- ${dep.name} — ${dep.description}`);
+  }
+
+  // Styling
+  if (a.cssFramework) {
+    lines.push(`- ${a.cssFramework} for styling`);
+  }
+
+  // Testing
+  if (a.testFramework) {
+    lines.push(`- ${a.testFramework} for testing`);
+  }
+
+  // Linting
+  if (a.linter && a.formatter && a.linter === a.formatter) {
+    lines.push(`- ${a.linter} for linting and formatting`);
+  } else {
+    if (a.linter) lines.push(`- ${a.linter} for linting`);
+    if (a.formatter) lines.push(`- ${a.formatter} for formatting`);
+  }
+
+  // State management, auth, API
+  for (const dep of a.keyDependencies.filter((d) => ["state", "auth", "api"].includes(d.category))) {
+    lines.push(`- ${dep.name} — ${dep.description}`);
+  }
+
+  // Deploy
+  if (a.deployTarget) {
+    lines.push(`- Deployed to ${a.deployTarget}`);
+  }
+
+  // Monitoring
+  for (const dep of a.keyDependencies.filter((d) => d.category === "monitoring")) {
+    lines.push(`- ${dep.name} — ${dep.description}`);
+  }
+
+  // Monorepo
+  if (a.isMonorepo && a.monorepoTool) {
+    lines.push(`- Monorepo managed with ${a.monorepoTool}`);
+  }
+
+  return lines.join("\n") + "\n";
+}
+
+function generateArchitectureRules(a: ProjectAnalysis): string {
+  const rules: string[] = ["## Architecture Rules"];
+
+  // ── Framework-specific rules ──────────────────────────────────
+
+  if (a.stacks.includes("nextjs")) {
+    const appRouter = a.patterns.some((p) => p.name === "app-router");
+    if (appRouter) {
+      rules.push("- Use App Router conventions: `page.tsx`, `layout.tsx`, `loading.tsx`, `error.tsx`");
+      rules.push("- Server Components by default; add `\"use client\"` only when client interactivity is needed");
+      rules.push("- All data fetching in Server Components or Route Handlers — never use `getServerSideProps`");
+      rules.push("- Use `next/image` for images, `next/link` for navigation, `next/font` for fonts");
+    } else {
+      rules.push("- Follow Pages Router conventions: `pages/`, `getStaticProps`, `getServerSideProps`");
+      rules.push("- Use `next/image` for images, `next/link` for navigation");
+    }
+    rules.push("- Environment variables: `NEXT_PUBLIC_` prefix for client-side only");
+  }
+
+  if (a.stacks.includes("react") && !a.stacks.includes("nextjs")) {
+    rules.push("- Functional components only — no class components");
+    rules.push("- Custom hooks for reusable logic (`useXxx` naming convention)");
+    rules.push("- Use `React.lazy()` for code splitting at route level");
+    rules.push("- Colocate related files: component, styles, tests, types in same directory");
+  }
+
+  if (a.stacks.includes("express")) {
+    rules.push("- Controllers handle HTTP concerns only — business logic goes in services/");
+    rules.push("- Use middleware for cross-cutting concerns (auth, logging, validation)");
+    rules.push("- All route handlers must have error handling (try/catch or error middleware)");
+  }
+
+  if (a.stacks.includes("fastapi")) {
+    rules.push("- Use dependency injection via `Depends()` for shared logic");
+    rules.push("- All endpoints return Pydantic models — never return raw dicts");
+    rules.push("- Use `async/await` for all I/O operations");
+    rules.push("- Keep route handlers thin; business logic in `services/`");
+    rules.push("- Use `HTTPException` for error responses with proper status codes");
+  }
+
+  if (a.stacks.includes("django")) {
+    rules.push("- Follow Django conventions: models → views → serializers → urls");
+    rules.push("- Use Django ORM for all database operations — no raw SQL unless performance-critical");
+    rules.push("- Class-based views for CRUD, function-based for custom logic");
+    rules.push("- All settings via `django.conf.settings` — never `os.environ` directly");
+  }
+
+  if (a.stacks.includes("springboot")) {
+    rules.push("- Follow layered architecture: Controller → Service → Repository");
+    rules.push("- Use constructor injection — never field injection with `@Autowired`");
+    rules.push("- All REST controllers return `ResponseEntity<T>`");
+    rules.push("- Use `@Valid` and Jakarta Bean Validation for input validation");
+    rules.push("- Use DTOs for API boundaries — never expose JPA entities directly");
+    rules.push("- `@Transactional` at service layer, not controller layer");
+  }
+
+  if (a.stacks.includes("go")) {
+    rules.push("- Follow standard Go project layout: `cmd/`, `internal/`, `pkg/`");
+    rules.push("- Errors are values — always check and propagate errors, never ignore");
+    rules.push("- Use `context.Context` as first parameter for cancellation and deadlines");
+    rules.push("- Interfaces should be small (1-3 methods) and defined at point of use");
+    rules.push("- Use `go vet`, `staticcheck`, and `golangci-lint` before committing");
+  }
+
+  if (a.stacks.includes("rust")) {
+    rules.push("- Use `Result<T, E>` for fallible operations — avoid `.unwrap()` in production code");
+    rules.push("- Prefer `&str` over `String` in function parameters where ownership isn't needed");
+    rules.push("- Use `thiserror` for library errors, `anyhow` for application errors");
+    rules.push("- Run `cargo clippy` and `cargo fmt` before committing");
+  }
+
+  // ── API-specific rules ────────────────────────────────────────
+
+  if (a.apiStyle === "trpc") {
+    rules.push("- Define all API routes as tRPC procedures with full input/output validation");
+    rules.push("- Share types between client and server via the tRPC router type");
+  }
+
+  if (a.apiStyle === "graphql") {
+    rules.push("- All GraphQL resolvers must handle errors gracefully (never throw unhandled)");
+    rules.push("- Use DataLoader pattern to prevent N+1 query issues");
+  }
+
+  // ── General rules ─────────────────────────────────────────────
+
+  if (a.usesTypeScript) {
+    rules.push("- No use of `any` type — use `unknown` with type narrowing or proper generics");
+    rules.push("- Prefer `interface` for object shapes, `type` for unions and intersections");
+  }
+
+  rules.push("- Never store secrets in code, config files, or version control");
+  rules.push("- All external data (user input, API responses, env vars) must be validated before use");
+
+  if (a.isMonorepo) {
+    rules.push("- Each package has its own `package.json`, `tsconfig.json`, and tests");
+    rules.push("- Shared code goes in a `packages/shared` or `packages/common` package");
+    rules.push("- Apps depend on packages; packages NEVER depend on apps");
+  }
+
+  return rules.join("\n") + "\n";
+}
+
+function generateBuildSection(a: ProjectAnalysis): string {
+  const lines = ["## Build & Test"];
+  const pm = a.packageManager;
+  const run = pm === "yarn" ? "yarn" : pm === "pnpm" ? "pnpm" : pm === "bun" ? "bun" : "npm run";
+
+  // Build commands — prefer real detected commands
+  if (Object.keys(a.buildCommands).length > 0) {
+    for (const [key, value] of Object.entries(a.buildCommands)) {
+      if (key === "build") {
+        lines.push(`- Build: \`${run} build\` (runs: \`${value}\`)`);
+      } else if (key === "dev") {
+        lines.push(`- Dev: \`${run} dev\` (runs: \`${value}\`)`);
+      } else {
+        lines.push(`- ${key}: \`${run} ${key}\``);
+      }
+    }
+  } else {
+    // Fallback to language-specific defaults
+    if (a.language === "typescript" || a.language === "javascript") {
+      lines.push(`- Build: \`${run} build\``);
+      lines.push(`- Dev: \`${run} dev\``);
+    }
+  }
+
+  // Test commands
+  if (Object.keys(a.testCommands).length > 0) {
+    for (const [key, value] of Object.entries(a.testCommands)) {
+      if (key === "test") {
+        lines.push(`- Test: \`${run} test\` (runs: \`${value}\`)`);
+      } else {
+        lines.push(`- ${key}: \`${run} ${key}\``);
+      }
+    }
+  } else if (a.testFramework) {
+    if (a.language === "python") {
+      lines.push("- Test: `pytest`");
+    } else {
+      lines.push(`- Test: \`${run} test\``);
+    }
+  }
+
+  // Lint/format
+  if (a.linter) {
+    if (a.language === "typescript" || a.language === "javascript") {
+      lines.push(`- Lint: \`${run} lint\``);
+      lines.push("- Type check: `npx tsc --noEmit`");
+    } else if (a.language === "python") {
+      if (a.linter === "Ruff") {
+        lines.push("- Lint: `ruff check .`");
+        lines.push("- Format: `ruff format .`");
+      }
+      lines.push("- Type check: `mypy .`");
+    } else if (a.language === "go") {
+      lines.push("- Lint: `golangci-lint run`");
+      lines.push("- Format: `gofmt -w .`");
+    } else if (a.language === "rust") {
+      lines.push("- Lint: `cargo clippy`");
+      lines.push("- Format: `cargo fmt`");
+    }
+  }
+
+  return lines.join("\n") + "\n";
+}
+
+function generateFileStructure(a: ProjectAnalysis): string {
+  const lines = ["## File Structure"];
+
+  // Use detected source dirs to build an accurate picture
+  const dirDescriptions: Record<string, string> = {
+    src: "Source code",
+    app: a.stacks.includes("nextjs") ? "Pages and API routes (App Router)" : "Application code",
+    lib: "Shared libraries and utilities",
+    pages: "Page components / routes",
+    components: "Reusable UI components",
+    api: "API routes and handlers",
+    server: "Server-side code",
+    client: "Client-side code",
+    packages: "Monorepo packages",
+    apps: "Monorepo applications",
+    tests: "Test files",
+    test: "Test files",
+    __tests__: "Test files",
+    spec: "Test specifications",
+    services: "Business logic services",
+    models: "Data models",
+    hooks: "Custom React hooks",
+    utils: "Utility functions",
+    types: "TypeScript type definitions",
+    config: "Configuration files",
+    public: "Static assets",
+    prisma: "Prisma schema and migrations",
+    migrations: "Database migrations",
+    middleware: "Middleware functions",
+    styles: "Stylesheets",
+  };
+
+  for (const dir of a.sourceDirs) {
+    const desc = dirDescriptions[dir] || dir;
+    lines.push(`- \`${dir}/\` — ${desc}`);
+  }
+
+  return lines.join("\n") + "\n";
+}
+
+function generateCodeConventions(a: ProjectAnalysis): string {
+  const rules: string[] = ["## Code Conventions"];
+
+  if (a.usesTypeScript) {
+    rules.push("- TypeScript strict mode with no `any` types");
+    rules.push("- Prefer named exports over default exports");
+    rules.push("- Interface names: `PascalCase` (no `I` prefix)");
+    rules.push("- Constants: `UPPER_SNAKE_CASE`");
+    rules.push("- Zod schemas for runtime validation of external data");
+  }
+
+  if (a.language === "python") {
+    rules.push("- Type hints on all function signatures");
+    rules.push("- Docstrings on all public functions (Google style)");
+    rules.push("- Use `from __future__ import annotations` for modern type syntax");
+    rules.push("- Pydantic models for all external data validation");
+  }
+
+  if (a.language === "go") {
+    rules.push("- Export only what's needed — keep interfaces small");
+    rules.push("- Comments on all exported functions (godoc format)");
+    rules.push("- Table-driven tests as default test pattern");
+    rules.push("- No package-level `init()` unless absolutely necessary");
+  }
+
+  if (a.language === "rust") {
+    rules.push("- Use `clippy::pedantic` lint level for new code");
+    rules.push("- Document all public items with `///` doc comments");
+    rules.push("- Prefer `impl Trait` over `dyn Trait` where possible");
+    rules.push("- Use `#[must_use]` on functions returning important values");
+  }
+
+  if (a.language === "java") {
+    rules.push("- Use records for DTOs where applicable (Java 16+)");
+    rules.push("- Use `Optional<T>` return types for nullable queries");
+    rules.push("- Log with SLF4J (`@Slf4j` annotation)");
+    rules.push("- Never catch generic `Exception` — catch specific types");
+  }
+
+  if (a.testFramework) {
+    rules.push(`- Test files colocated with source or in dedicated test directories`);
+    rules.push("- Test names describe the scenario and expected outcome");
+    rules.push("- Arrange-Act-Assert pattern for all unit tests");
+    rules.push("- Mock external dependencies — never make real API calls in unit tests");
+  }
+
+  if (a.cssFramework === "Tailwind CSS") {
+    rules.push("- Use Tailwind utility classes — no custom CSS unless absolutely necessary");
+    rules.push("- Extract repeated class combinations into components, not `@apply`");
+  }
+
+  return rules.join("\n") + "\n";
+}
+
+function generateDatabaseSection(a: ProjectAnalysis): string {
+  const lines = ["## Database"];
+
+  if (a.database === "Prisma") {
+    lines.push("- Schema defined in `prisma/schema.prisma`");
+    lines.push("- Run `npx prisma generate` after schema changes");
+    lines.push("- Run `npx prisma db push` for dev, `npx prisma migrate deploy` for production");
+    lines.push("- Never commit `.env` files containing `DATABASE_URL`");
+    lines.push("- Use Prisma Client for all database operations — no raw SQL unless performance-critical");
+  } else if (a.database === "Drizzle") {
+    lines.push("- Schema defined in `src/db/schema.ts`");
+    lines.push("- Run `npx drizzle-kit generate` for migrations");
+    lines.push("- Run `npx drizzle-kit push` to sync schema");
+  } else if (a.database === "SQLAlchemy") {
+    lines.push("- Models defined in `app/models/`");
+    lines.push("- Use Alembic for all schema migrations: `alembic revision --autogenerate`");
+    lines.push("- Always use async session for database operations");
+    lines.push("- Never commit database credentials");
+  } else if (a.database === "Spring Data JPA") {
+    lines.push("- JPA entities in `src/main/java/.../model/`");
+    lines.push("- Use Spring Data repositories — no manual query implementations unless needed");
+    lines.push("- Flyway migrations in `src/main/resources/db/migration/`");
+    lines.push("- Use `@Transactional` at service layer");
+  } else if (a.database) {
+    lines.push(`- Using ${a.database} for data access`);
+    lines.push("- Never commit database credentials or connection strings");
+  }
+
+  return lines.join("\n") + "\n";
+}
+
+function generateEnvSection(a: ProjectAnalysis): string {
+  const lines = ["## Environment Variables"];
+  lines.push(`Required environment variables (see \`.env.example\`):`);
+  for (const name of a.envVarNames) {
+    lines.push(`- \`${name}\``);
+  }
+  lines.push("");
+  lines.push("Never commit `.env` files. Use `.env.example` as a template.");
+  return lines.join("\n") + "\n";
+}
+
+function generateComplianceSection(standards: string[]): string {
+  const lines = ["## Compliance Requirements"];
+
+  for (const standard of standards) {
+    switch (standard) {
+      case "hipaa":
+        lines.push("");
+        lines.push("### HIPAA");
+        lines.push("- All PHI must be encrypted at rest (AES-256) and in transit (TLS 1.2+)");
+        lines.push("- Never log PHI in application logs, console output, or error messages");
+        lines.push("- Access to PHI requires authentication and authorization checks");
+        lines.push("- All PHI access must be logged for audit purposes");
+        lines.push("- Use de-identified data for development and testing");
+        lines.push("- Data classification: PHI includes patient names, SSN, medical records, insurance IDs, dates of service");
+        break;
+      case "soc2":
+        lines.push("");
+        lines.push("### SOC2");
+        lines.push("- All changes require code review before merge");
+        lines.push("- Access follows principle of least privilege");
+        lines.push("- Audit logging enabled for all state-changing operations");
+        lines.push("- Encryption required for all sensitive data");
+        lines.push("- Regular dependency vulnerability scanning required");
+        lines.push("- Incident response procedures documented and tested");
+        break;
+      case "pci-dss":
+        lines.push("");
+        lines.push("### PCI-DSS");
+        lines.push("- Never store full card numbers in code, logs, or comments");
+        lines.push("- Use tokenization for all payment card data references");
+        lines.push("- All cardholder data must be encrypted in transit and at rest");
+        lines.push("- Follow OWASP secure coding guidelines");
+        lines.push("- Quarterly vulnerability scans required");
+        break;
+      case "sox":
+        lines.push("");
+        lines.push("### SOX");
+        lines.push("- All changes to financial calculations require dual review");
+        lines.push("- Complete audit trail for all data modifications");
+        lines.push("- Separation of duties in deployment pipeline");
+        lines.push("- Change management documentation required for all releases");
+        break;
+    }
+  }
+
+  return lines.join("\n") + "\n";
+}

package/src/services/codex-generator.ts

@@ -0,0 +1,44 @@
+/**
+ * Codex CLI configuration generator.
+ *
+ * OpenAI's Codex CLI uses an AGENTS.md file at the project root,
+ * which is functionally equivalent to CLAUDE.md.
+ *
+ * Codex does NOT support skills, agents, or hooks - just AGENTS.md.
+ */
+import * as path from "node:path";
+import { atomicWrite } from "./file-ops.js";
+import type { GeneratedFile } from "../types.js";
+
+/**
+ * Generates Codex CLI configuration (AGENTS.md) from CLAUDE.md content.
+ */
+export async function generateCodexConfig(
+  projectPath: string,
+  projectName: string,
+  claudeMdContent: string
+): Promise<GeneratedFile[]> {
+  const files: GeneratedFile[] = [];
+
+  // Codex uses AGENTS.md with a specific header format
+  const header = `# ${projectName} — Agent Instructions
+
+> Generated by Rebar (https://github.com/RCOLKITT/rebar-mcp)
+> These rules apply to all AI coding agents working in this repository.
+
+---
+
+`;
+
+  const agentsMdContent = header + claudeMdContent;
+  const agentsMdPath = path.join(projectPath, "AGENTS.md");
+  await atomicWrite(agentsMdPath, agentsMdContent);
+
+  files.push({
+    path: "AGENTS.md",
+    content: agentsMdContent,
+    description: "Codex CLI agent instructions",
+  });
+
+  return files;
+}

package/src/services/cursor-generator.ts

@@ -0,0 +1,153 @@
+/**
+ * Cursor configuration generator.
+ *
+ * Cursor uses .cursor/rules/*.md files that are functionally equivalent
+ * to Claude Code's skills. The format is different:
+ * - Uses YAML frontmatter with 'description' and 'globs' fields
+ * - Uses 'alwaysApply: true' for project-wide rules
+ */
+import * as path from "node:path";
+import { ensureDir, atomicWrite } from "./file-ops.js";
+import type { GeneratedFile } from "../types.js";
+
+export interface CursorRuleTemplate {
+  name: string;
+  description: string;
+  content: string;
+}
+
+/**
+ * Converts CLAUDE.md content to Cursor project-rules.md format.
+ */
+function convertToProjectRules(claudeMdContent: string, projectName: string): string {
+  // Cursor rules use a different frontmatter format
+  const frontmatter = `---
+description: Project rules and coding standards for ${projectName}
+globs:
+alwaysApply: true
+---
+
+> Note: Cursor does not support enforcement hooks. The guardrails below rely on
+> you following these rules. For automated enforcement, use Rebar with Claude Code
+> or run \`npx rebar-mcp audit\` in your CI pipeline.
+
+`;
+  return frontmatter + claudeMdContent;
+}
+
+/**
+ * Converts a Claude Code skill to Cursor rule format.
+ */
+function convertSkillToCursorRule(skill: CursorRuleTemplate): string {
+  const frontmatter = `---
+description: ${skill.description}
+globs:
+alwaysApply: false
+---
+
+`;
+  return frontmatter + skill.content;
+}
+
+/**
+ * Generates Cursor configuration files from CLAUDE.md and skills.
+ */
+export async function generateCursorConfig(
+  projectPath: string,
+  projectName: string,
+  claudeMdContent: string,
+  skills: CursorRuleTemplate[]
+): Promise<GeneratedFile[]> {
+  const files: GeneratedFile[] = [];
+  const rulesDir = path.join(projectPath, ".cursor", "rules");
+
+  await ensureDir(rulesDir);
+
+  // Generate project-rules.md from CLAUDE.md
+  const projectRulesContent = convertToProjectRules(claudeMdContent, projectName);
+  const projectRulesPath = path.join(rulesDir, "project-rules.md");
+  await atomicWrite(projectRulesPath, projectRulesContent);
+  files.push({
+    path: ".cursor/rules/project-rules.md",
+    content: projectRulesContent,
+    description: "Main project rules (from CLAUDE.md)",
+  });
+
+  // Convert skills to Cursor rules
+  for (const skill of skills) {
+    const ruleContent = convertSkillToCursorRule(skill);
+    const rulePath = path.join(rulesDir, `${skill.name}.md`);
+    await atomicWrite(rulePath, ruleContent);
+    files.push({
+      path: `.cursor/rules/${skill.name}.md`,
+      content: ruleContent,
+      description: `${skill.name} rule`,
+    });
+  }
+
+  return files;
+}
+
+/**
+ * Default skills to convert to Cursor rules.
+ */
+export function getDefaultCursorSkills(): CursorRuleTemplate[] {
+  return [
+    {
+      name: "code-review",
+      description: "Code review guidelines for quality and security",
+      content: `# Code Review
+
+When reviewing code changes:
+
+1. **Security First**: Check for injection vulnerabilities, auth issues, data exposure
+2. **Error Handling**: Ensure errors are properly caught and handled
+3. **Type Safety**: Verify types are correct and 'any' is avoided
+4. **Performance**: Watch for N+1 queries, memory leaks, unnecessary re-renders
+5. **Tests**: Ensure tests exist and pass for changed code
+`,
+    },
+    {
+      name: "test-writer",
+      description: "Test writing guidelines",
+      content: `# Test Writing
+
+When writing tests:
+
+1. Test behavior, not implementation
+2. Use descriptive test names
+3. Follow the Arrange-Act-Assert pattern
+4. Mock external dependencies
+5. Aim for edge cases, not just happy paths
+`,
+    },
+    {
+      name: "security-scan",
+      description: "Security scanning guidelines",
+      content: `# Security Scan
+
+Check for:
+
+1. Hardcoded secrets (API keys, passwords)
+2. SQL injection vulnerabilities
+3. XSS in rendered HTML
+4. Insecure direct object references
+5. Missing authentication/authorization
+`,
+    },
+    {
+      name: "documentation",
+      description: "Documentation guidelines",
+      content: `# Documentation
+
+When documenting:
+
+1. Document the WHY, not the WHAT
+2. Keep documentation close to code
+3. Update docs when changing code
+4. Use examples liberally
+5. Document public APIs thoroughly
+`,
+    },
+  ];
+}