recall-os 0.1.0 → 0.2.0

package/examples/generated-laravel-vue/docs/adrs/proposed/ADR-PROPOSED-laravel-vue-validation-authorization.md

@@ -0,0 +1,30 @@
+# Proposed ADR: Validate with Form Requests and authorize with Policies
+
+## Status
+
+Proposed
+
+## Context
+
+Input validation and authorization must be consistent and centralized, not scattered across
+controllers.
+
+## Decision
+
+Consider Form Requests for validation (and request-level authorization) plus Policies and Gates for
+per-model and per-action permission checks, awaiting human acceptance.
+
+## Alternatives Considered
+
+- Inline validation and authorization in controllers.
+- A third-party permissions package layered on top.
+
+## Consequences
+
+- Controllers stay thin; validation and authorization are testable in isolation.
+- Every state-changing action must have an explicit authorization path.
+
+## Related Documents
+
+- `docs/ai/presets/laravel-vue-guidance.md` — the proposed Laravel stack guidance.
+- `docs/10-architecture/ARCHITECTURE.md` — record the accepted architecture here once promoted.

package/examples/generated-laravel-vue/docs/ai/AI_AGENTS_SKILLS_MCP_STRATEGY.md

@@ -0,0 +1,7 @@
+# AI Agents, Skills, And MCP Strategy
+
+Root agent files are entry points, not guarantees.
+
+Durable memory lives in `docs/`.
+
+MCP is optional external context and does not override accepted repository memory.

package/examples/generated-laravel-vue/docs/ai/MCP_STRATEGY.md

@@ -0,0 +1,6 @@
+# MCP Strategy
+
+MCP is not required for this repository.
+
+If MCP is introduced later, document trusted servers, data accessed, permissions, risks, and
+source-of-truth rules.

package/examples/generated-laravel-vue/docs/ai/RECALL_COMMANDS.md

@@ -0,0 +1,133 @@
+# Recall OS Commands
+
+This document records the Recall OS commands available to humans and AI agents.
+
+## Completion Gate
+
+Before claiming implementation work is complete, run:
+
+```txt
+pnpm test:run
+pnpm typecheck
+recall doctor
+```
+
+If `recall doctor` reports errors, fix them or report why they cannot be fixed. If it reports
+warnings, address them or record why they are acceptable.
+
+Package binary behavior is covered by binary integration tests.
+
+## Commands
+
+### `recall init`
+
+Initialize neutral repository memory.
+
+Options:
+
+- `--preset <id>`: apply optional preset guidance and proposed decisions.
+- `--dry-run`: show planned writes without writing files.
+- `--force`: overwrite existing files explicitly.
+- `--reinit`: required with `--force` to overwrite an existing Recall OS installation (a directory
+  that already has `.recall/config.json`). Without it, `--force` refuses, protecting existing
+  repository memory.
+
+Init also generates a tracked pre-commit hook at `.recall/hooks/pre-commit` that runs
+`recall doctor` plus any `preCommitGates` in `.recall/config.json`. Init proposes, but does not run,
+the activation command `git config core.hooksPath .recall/hooks`.
+
+### `recall adopt`
+
+Inspect an existing repository through read-only manifest and marker files, then write a proposed
+adoption report and proposed framework ADRs for human review. Adopt never executes repository code
+and never produces accepted memory.
+
+Options:
+
+- `--dry-run`: show planned writes without writing files.
+- `--force`: overwrite existing files explicitly.
+
+### `recall skill create <name>`
+
+Generate a portable AI agent skill as `SKILL.md` for both Claude Code (`.claude/skills/`) and the
+portable Agent Skills target (`.agents/skills/`). Known names use the built-in catalog; unknown
+names produce a valid skeleton. Generated skills contain no scripts.
+
+Options:
+
+- `--dry-run`: show planned writes without writing files.
+- `--force`: overwrite existing files explicitly.
+
+### `recall skill list`
+
+List the built-in catalog skills.
+
+### `recall mcp add <server>`
+
+Generate offline, proposed memory for an MCP server (for example `figma`) as
+`docs/ai/mcp/<server>.md` plus a proposed adoption ADR. Recall OS never connects to the MCP server
+or makes network calls; the agent records durable MCP-derived context into the generated memory for
+human review. It also installs a `capture-mcp-context` agent skill that prompts the agent to record
+that context.
+
+Options:
+
+- `--dry-run`: show planned writes without writing files.
+- `--force`: overwrite existing files explicitly.
+
+### `recall preset list`
+
+List built-in presets.
+
+### `recall feature create <name>`
+
+Create feature memory docs under the configured features directory.
+
+Options:
+
+- `--dry-run`: show planned writes without writing files.
+- `--force`: overwrite existing files explicitly.
+
+### `recall adr create <title>`
+
+Create a proposed ADR under the configured ADR directory.
+
+Options:
+
+- `--dry-run`: show planned writes without writing files.
+- `--force`: overwrite existing files explicitly.
+
+### `recall adr accept <name>`
+
+Promote a proposed ADR to accepted repository memory. A proposal under
+`docs/adrs/proposed/ADR-PROPOSED-<slug>.md` becomes a numbered, accepted `ADR-####-<slug>.md` and
+the proposal is removed; an existing numbered Proposed ADR is accepted in place.
+
+Options:
+
+- `--dry-run`: show planned writes without writing files.
+- `--force`: overwrite existing files explicitly.
+
+### `recall module create <name>`
+
+Create module memory docs under the configured modules directory.
+
+Options:
+
+- `--dry-run`: show planned writes without writing files.
+- `--force`: overwrite existing files explicitly.
+
+### `recall doctor`
+
+Check whether repository memory is structurally healthy enough for AI-assisted work, whether basic
+engineering evidence is present, and whether memory references decisions that exist and are
+accepted.
+
+Doctor also runs deterministic drift checks: feature or module memory that references a missing ADR
+is an error, and memory that references a not-yet-accepted ADR is a warning.
+
+Exit codes:
+
+- `0`: healthy
+- `1`: warnings only
+- `2`: errors

package/examples/generated-laravel-vue/docs/ai/presets/laravel-vue-guidance.md

@@ -0,0 +1,64 @@
+# Laravel Preset Guidance (Vue via Inertia)
+
+This is proposed guidance, not accepted. Convert any architecture choice into a proposed ADR, then
+an accepted ADR, before treating it as repository truth. Repository rules override model preference.
+
+## The stack (proposed)
+
+- Laravel 12 on PHP 8.3+, using the official conventions and directory layout.
+- Frontend: Inertia 2 + Vue 3 (script setup) + TypeScript + Tailwind, built with Vite (the official
+  Vue starter kit).
+- Database: PostgreSQL (MySQL is the alternative) through Eloquent and migrations.
+- Auth: Laravel Sanctum for first-party SPA and mobile clients (Passport only if you need
+  third-party OAuth2).
+- Background work: queues, with Redis and Laravel Horizon when throughput grows.
+- Tests: Pest, with database factories and feature tests over real routes.
+
+The app is a server-driven SPA: Laravel controllers return Inertia responses with typed props; there
+is no separate REST client for first-party screens.
+
+## Decision forks this stack forces
+
+- Frontend delivery: Inertia (server-driven SPA) vs a decoupled API + separate SPA vs Blade +
+  Livewire.
+- Auth: Sanctum (first-party SPA and mobile) vs Passport (third-party OAuth2) vs a managed identity
+  provider.
+- Database: PostgreSQL vs MySQL, and where read scaling and queues live (Redis vs database driver).
+- Authorization: Policies and Gates vs ad-hoc checks; validation via Form Requests vs inline.
+- Business logic: thin controllers with Action/Service classes vs fat controllers and models.
+- Testing: Pest vs PHPUnit.
+
+## Recommended structure (proposed)
+
+- Keep controllers thin: they validate, authorize, delegate, and return a response — nothing more.
+- Put request validation **and** authorization in Form Requests (`authorize()` + `rules()`).
+- Put per-model and per-action permission logic in Policies and Gates, not in controllers.
+- Put business logic in single-purpose Action or Service classes, not in controllers or models.
+- Shape every outbound payload with API Resources (or typed Inertia props), never raw models.
+- Declare `$fillable` (or `$guarded`) explicitly on every Eloquent model to stop mass assignment.
+
+## Data and performance (proposed)
+
+- Eager-load relationships (`with(...)`) to avoid N+1 queries; enable `Model::preventLazyLoading()`
+  in local and CI.
+- Wrap multi-write operations in database transactions.
+- Paginate list endpoints; never return unbounded collections.
+- Move email, exports, third-party calls, and other slow work into queued jobs.
+- Cache expensive reads deliberately, with explicit invalidation.
+
+## Testing (proposed)
+
+- Write Pest feature tests that exercise real routes end to end, using `RefreshDatabase`.
+- Build state with model factories, not hand-rolled fixtures.
+- Test authorization explicitly: a forbidden action must assert a 403, not just a happy path.
+- Cover validation failures, not only the success case.
+
+## Security considerations (proposed)
+
+- Validate every inbound request through Form Requests; persist only validated data.
+- Authorize every state-changing action through a Policy or Gate.
+- Keep secrets in `.env`; never commit `.env` or hardcode credentials.
+- Apply rate limiting to auth and write endpoints.
+- Keep mass assignment locked down and never trust client-supplied IDs without an ownership check.
+- Inertia uses Laravel's session and CSRF protection; keep auth and authorization on the server,
+  never the client.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "recall-os",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Architecture-neutral repository memory for AI-assisted software teams.",
   "packageManager": "pnpm@10.12.3",
   "type": "module",