rex-claude 6.0.0 → 6.2.0

package/dist/index.js

@@ -638,7 +638,7 @@ ${COLORS.bold}${projects.length} projects found${COLORS.reset}
       break;
     }
     case "preload": {
-      const { preload } = await import("./preload-I3MYBVNU.js");
+      const { preload } = await import("./preload-OJJO66IG.js");
       const cwd = process.argv[3] || process.cwd();
       const context = await preload(cwd);
       if (context) console.log(context);

package/dist/{preload-I3MYBVNU.js → preload-OJJO66IG.js}

@@ -14,9 +14,50 @@ import "./chunk-PDX44BCA.js";
 // src/preload.ts
 import Database from "better-sqlite3";
 import * as sqliteVec from "sqlite-vec";
-import { existsSync } from "fs";
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
 var log = createLogger("preload");
-var MAX_TOKENS = 200;
+var MAX_TOKENS = 300;
+var SKILL_RULES = [
+  // Frontend frameworks → UI/UX skills
+  { deps: ["next", "react", "vue", "nuxt", "@angular/core"], skills: ["ux-flow", "ui-craft", "ui-review"] },
+  // API layers → API design
+  { deps: ["express", "fastify", "hono", "koa", "@hapi/hapi"], skills: ["api-design", "error-handling"] },
+  // Database ORMs → DB design
+  { deps: ["drizzle-orm", "prisma", "typeorm", "mongoose", "sequelize", "knex"], skills: ["db-design"] },
+  // Auth libraries → auth patterns
+  { deps: ["next-auth", "lucia", "passport", "jose", "jsonwebtoken", "@auth/core"], skills: ["auth-patterns"] },
+  // i18n
+  { deps: ["next-intl", "i18next", "react-i18next", "vue-i18n"], skills: ["i18n"] },
+  // Testing
+  { deps: ["vitest", "jest", "@testing-library/react", "playwright", "cypress"], skills: ["test-strategy"] },
+  // Next.js specifically → SEO worth mentioning
+  { deps: ["next"], skills: ["seo", "perf"] },
+  // Any project → performance
+  { deps: ["react", "vue", "angular"], skills: ["perf"] }
+];
+function detectRelevantSkills(projectRoot) {
+  const pkgPath = join(projectRoot, "package.json");
+  if (!existsSync(pkgPath)) return [];
+  let pkg = {};
+  try {
+    pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+  } catch {
+    return [];
+  }
+  const allDeps = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
+  const suggested = /* @__PURE__ */ new Set();
+  for (const rule of SKILL_RULES) {
+    if (rule.deps && rule.deps.some((d) => allDeps.includes(d))) {
+      rule.skills.forEach((s) => suggested.add(s));
+    }
+    if (rule.files) {
+      const matched = rule.files.some((f) => existsSync(join(projectRoot, f)));
+      if (matched) rule.skills.forEach((s) => suggested.add(s));
+    }
+  }
+  return [...suggested];
+}
 async function preload(cwd) {
   if (!existsSync(MEMORY_DB_PATH)) {
     log.debug("No memory DB found, skipping preload");
@@ -66,6 +107,12 @@ async function preload(cwd) {
   } finally {
     db.close();
   }
+  if (project?.path) {
+    const skills = detectRelevantSkills(project.path);
+    if (skills.length > 0) {
+      sections.push(`Skills: ${skills.join(", ")}`);
+    }
+  }
   const output = sections.join("\n");
   log.info(`Preloaded ${sections.length} sections for ${project?.name || cwd} (${output.length} chars)`);
   if (output.length > MAX_TOKENS * 4) {

package/dist/skills/api-design/SKILL.md

@@ -0,0 +1,134 @@
+---
+name: api-design
+description: REST API design. Enforces consistent endpoints, response envelopes, pagination, error codes, and versioning. Use before building any new endpoint or reviewing an existing API surface.
+user-invocable: true
+---
+
+# API Design
+
+Consistency is the only thing that matters in an API. One inconsistent endpoint breaks trust in all of them.
+
+## URL conventions
+
+```
+GET    /api/v1/users           # list (always paginated)
+GET    /api/v1/users/:id       # single resource
+POST   /api/v1/users           # create
+PATCH  /api/v1/users/:id       # partial update
+DELETE /api/v1/users/:id       # delete
+
+# Nested resources (max 2 levels deep)
+GET    /api/v1/users/:id/orders
+POST   /api/v1/users/:id/orders
+
+# Actions (when REST doesn't fit)
+POST   /api/v1/users/:id/activate
+POST   /api/v1/invoices/:id/send
+```
+
+- Always plural nouns, never verbs in URL
+- kebab-case for multi-word: `/order-items` not `/orderItems`
+- Version prefix: `/api/v1/` — bump to v2 only for breaking changes
+
+## Response envelope
+
+**Every response** uses this shape:
+
+```typescript
+// Success
+{
+  "data": { ... } | [...],
+  "meta": {
+    "total": 150,    // always on lists
+    "limit": 20,
+    "offset": 0
+  }
+}
+
+// Error
+{
+  "data": null,
+  "error": {
+    "code": "VALIDATION_ERROR",    // machine-readable, SCREAMING_SNAKE
+    "message": "Email is required", // human-readable, end-user safe
+    "field": "email"               // optional, for field-level errors
+  }
+}
+```
+
+Never return raw arrays at the top level. Never return different shapes for the same endpoint.
+
+## Pagination (mandatory on all lists)
+
+```
+GET /api/v1/orders?limit=20&offset=0
+GET /api/v1/orders?limit=20&offset=20
+
+// Response
+{
+  "data": [...],
+  "meta": { "total": 847, "limit": 20, "offset": 0 }
+}
+```
+
+- Default limit: 20. Max limit: 100 (enforce server-side).
+- Never return unbounded lists. Always paginate.
+- Frontend shows `total` from meta, not `data.length`.
+
+## HTTP status codes
+
+| Code | When |
+|------|------|
+| 200 | Success (GET, PATCH) |
+| 201 | Created (POST) — include `Location` header |
+| 204 | Deleted (DELETE) — no body |
+| 400 | Bad request (malformed JSON, invalid params) |
+| 401 | Not authenticated (missing/expired token) |
+| 403 | Authenticated but not authorized |
+| 404 | Resource not found |
+| 409 | Conflict (duplicate email, concurrent update) |
+| 422 | Validation error (valid JSON but business rule violated) |
+| 429 | Rate limited — include `Retry-After` header |
+| 500 | Server error — log internally, never expose stack trace |
+
+## Error codes
+
+Use machine-readable `code` values the frontend can switch on:
+
+```
+VALIDATION_ERROR     — field validation failed
+NOT_FOUND            — resource doesn't exist
+UNAUTHORIZED         — not logged in
+FORBIDDEN            — logged in but no permission
+DUPLICATE            — unique constraint violation
+RATE_LIMITED         — too many requests
+INTERNAL_ERROR       — catch-all for 500s
+```
+
+## Validation
+
+- Validate at the boundary — never trust client data inside business logic
+- Return ALL validation errors at once, not one by one
+- Use `422` + `field` in error for form validation, `400` for structural issues
+
+## Rate limiting headers
+
+Always include on authenticated endpoints:
+
+```
+X-RateLimit-Limit: 100
+X-RateLimit-Remaining: 42
+X-RateLimit-Reset: 1735689600   # Unix timestamp
+Retry-After: 30                  # seconds, on 429
+```
+
+## Checklist before shipping an endpoint
+
+- [ ] URL follows conventions (plural, kebab, versioned)
+- [ ] Response uses the standard envelope
+- [ ] List endpoint is paginated (limit+offset+total)
+- [ ] All error cases return correct status + error code
+- [ ] Validation errors return field-level details
+- [ ] No secrets or internal paths in responses
+- [ ] Auth required where needed (don't forget!)
+- [ ] Rate limiting on sensitive endpoints (auth, email send)

package/dist/skills/auth-patterns/SKILL.md

@@ -0,0 +1,145 @@
+---
+name: auth-patterns
+description: Authentication and authorization patterns. JWT, sessions, OAuth, RBAC, route protection. Use when implementing login, protected routes, or permission systems.
+user-invocable: true
+---
+
+# Auth Patterns
+
+Auth bugs are security bugs. Every decision here has a security consequence.
+
+## Token storage
+
+| Method | XSS safe | CSRF safe | Use for |
+|--------|----------|-----------|---------|
+| `httpOnly` cookie | ✅ | ❌ (need CSRF token) | Sessions, refresh tokens |
+| Memory (React state) | ✅ | ✅ | Access tokens (short-lived) |
+| `localStorage` | ❌ | ✅ | Never for auth tokens |
+| `sessionStorage` | ❌ | ✅ | Never for auth tokens |
+
+**Rule:** Access token in memory. Refresh token in `httpOnly` `Secure` `SameSite=Strict` cookie.
+
+## JWT structure
+
+```ts
+// Access token: short-lived, stateless
+const accessToken = jwt.sign(
+  { sub: user.id, role: user.role, email: user.email },
+  ACCESS_TOKEN_SECRET,
+  { expiresIn: '15m' }   // never more than 1h
+)
+
+// Refresh token: long-lived, stored in DB for revocation
+const refreshToken = jwt.sign(
+  { sub: user.id, jti: crypto.randomUUID() },  // jti = unique ID for revocation
+  REFRESH_TOKEN_SECRET,
+  { expiresIn: '30d' }
+)
+// Store hashed refresh token in DB
+await db.refreshTokens.insert({ userId: user.id, tokenHash: hash(refreshToken) })
+```
+
+**Never:** embed sensitive data in JWT (passwords, full profile, card numbers).
+**Always:** verify on every request, don't trust payload without signature check.
+
+## Route protection (Next.js App Router)
+
+```ts
+// middleware.ts — runs on every request before page render
+import { NextResponse } from 'next/server'
+import { verifyToken } from '@/lib/auth'
+
+export async function middleware(request: NextRequest) {
+  const token = request.cookies.get('access_token')?.value
+
+  if (!token) {
+    return NextResponse.redirect(new URL('/login', request.url))
+  }
+
+  const payload = await verifyToken(token)
+  if (!payload) {
+    return NextResponse.redirect(new URL('/login', request.url))
+  }
+
+  return NextResponse.next()
+}
+
+export const config = {
+  matcher: ['/dashboard/:path*', '/settings/:path*', '/api/v1/:path*'],
+}
+```
+
+**Never** protect routes only client-side — always enforce on server/middleware.
+
+## RBAC (Role-Based Access Control)
+
+```ts
+// Define roles and permissions clearly
+const PERMISSIONS = {
+  'admin':   ['read', 'write', 'delete', 'manage_users'],
+  'editor':  ['read', 'write'],
+  'viewer':  ['read'],
+} as const
+
+// Check permission, not role (more flexible)
+function can(user: User, action: string): boolean {
+  return PERMISSIONS[user.role]?.includes(action) ?? false
+}
+
+// Usage
+if (!can(user, 'delete')) {
+  return res.status(403).json({ error: { code: 'FORBIDDEN', message: 'Insufficient permissions' } })
+}
+```
+
+**Never:** check `user.role === 'admin'` inline everywhere. Centralize permission logic.
+
+## Password handling
+
+```ts
+import bcrypt from 'bcrypt'  // or argon2
+
+// Hash on registration (never store plain text)
+const hash = await bcrypt.hash(password, 12)  // cost factor 12
+
+// Verify on login
+const valid = await bcrypt.compare(password, user.passwordHash)
+
+// Timing-safe comparison for tokens
+import { timingSafeEqual } from 'node:crypto'
+const match = timingSafeEqual(Buffer.from(token), Buffer.from(expectedToken))
+```
+
+## OAuth (social login)
+
+```ts
+// Always use a library — don't implement OAuth yourself
+// next-auth / auth.js for Next.js
+// passport.js for Express
+
+// Validate state parameter to prevent CSRF
+// Validate redirect_uri server-side
+// Store minimal profile data (don't keep what you don't need)
+```
+
+## Rate limiting on auth endpoints
+
+```ts
+// Login: 5 attempts per 15min per IP
+// Password reset: 3 per hour per email
+// Token refresh: 10 per minute per token
+// Registration: 3 per hour per IP
+```
+
+## Checklist
+
+- [ ] Access tokens expire in ≤1h
+- [ ] Refresh tokens stored as hash in DB (revocable)
+- [ ] Tokens in `httpOnly` cookies, never `localStorage`
+- [ ] Passwords hashed with bcrypt/argon2 (cost ≥12)
+- [ ] CSRF protection on all cookie-based state changes
+- [ ] Rate limiting on login, register, reset endpoints
+- [ ] All protected routes verified server-side (not just client guard)
+- [ ] `HTTPS` only in production (`Secure` cookie flag)
+- [ ] Logout invalidates refresh token in DB
+- [ ] No sensitive data in JWT payload

package/dist/skills/db-design/SKILL.md

@@ -0,0 +1,139 @@
+---
+name: db-design
+description: Database schema design, indexing strategy, and migration patterns. Prevents N+1, missing indexes, unsafe migrations, and schema drift. Use when designing tables, adding columns, or writing complex queries.
+user-invocable: true
+---
+
+# DB Design
+
+Bad schema is the most expensive technical debt. You can refactor code in hours; migrating 10M rows takes days.
+
+## Schema design principles
+
+### Naming
+- Tables: `snake_case`, plural (`users`, `order_items`, `refresh_tokens`)
+- Columns: `snake_case` (`created_at`, `user_id`, `is_active`)
+- Foreign keys: `{table_singular}_id` (`user_id`, `order_id`)
+- Booleans: prefix `is_` or `has_` (`is_active`, `has_verified_email`)
+- Timestamps: always `created_at` + `updated_at` on every table
+
+### Standard columns every table needs
+```sql
+id         BIGINT PRIMARY KEY GENERATED ALWAYS AS IDENTITY  -- or UUID
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+```
+
+### Soft delete pattern (prefer over hard delete)
+```sql
+deleted_at TIMESTAMPTZ  -- NULL = active, non-NULL = deleted
+-- Query: WHERE deleted_at IS NULL
+```
+
+## Indexing strategy
+
+**Index everything you filter, sort, or join on.**
+
+```sql
+-- Always index foreign keys
+CREATE INDEX idx_orders_user_id ON orders(user_id);
+
+-- Composite index for common query patterns (leftmost prefix rule)
+CREATE INDEX idx_orders_user_status ON orders(user_id, status);
+-- This covers: WHERE user_id = ?
+-- And:         WHERE user_id = ? AND status = ?
+-- But NOT:     WHERE status = ?  alone
+
+-- Partial index for filtered queries
+CREATE INDEX idx_orders_pending ON orders(created_at)
+  WHERE status = 'pending';
+
+-- Text search
+CREATE INDEX idx_products_name_search ON products USING gin(to_tsvector('english', name));
+```
+
+**Check for missing indexes:**
+```sql
+EXPLAIN ANALYZE SELECT ... -- look for "Seq Scan" on large tables
+-- Seq Scan on 1000 rows = fine. On 1M rows = add an index.
+```
+
+**Over-indexing costs:** Every index slows down INSERT/UPDATE/DELETE. Don't index columns you never filter on.
+
+## N+1 pattern (the most common DB bug)
+
+```ts
+// BAD — N+1: 1 query for orders + N queries for each user
+const orders = await db.orders.findMany()
+for (const order of orders) {
+  order.user = await db.users.findById(order.userId)  // N queries!
+}
+
+// GOOD — 1 query with join or eager load
+const orders = await db.orders.findMany({
+  include: { user: true }  // Prisma
+})
+
+// Or raw SQL with JOIN
+SELECT o.*, u.name, u.email
+FROM orders o
+JOIN users u ON u.id = o.user_id
+WHERE o.status = 'pending'
+```
+
+## Safe migration patterns
+
+```sql
+-- SAFE: adding nullable column (instant, no lock)
+ALTER TABLE users ADD COLUMN avatar_url TEXT;
+
+-- SAFE: adding column with default (Postgres 11+, instant)
+ALTER TABLE users ADD COLUMN is_verified BOOLEAN NOT NULL DEFAULT false;
+
+-- DANGEROUS: adding NOT NULL without default (locks table, blocks writes)
+-- Do it in 3 steps:
+-- 1. Add nullable
+ALTER TABLE users ADD COLUMN phone TEXT;
+-- 2. Backfill
+UPDATE users SET phone = '' WHERE phone IS NULL;
+-- 3. Add constraint
+ALTER TABLE users ALTER COLUMN phone SET NOT NULL;
+
+-- DANGEROUS: dropping column (data loss, code must be deployed first)
+-- 1. Deploy code that no longer uses the column
+-- 2. Then drop in next migration
+ALTER TABLE users DROP COLUMN legacy_field;
+
+-- DANGEROUS: renaming column/table (breaks existing queries)
+-- Use a 2-phase rename: add new column, migrate data, remove old
+```
+
+## Transaction patterns
+
+```ts
+// Always use transactions for multi-step operations
+await db.transaction(async (tx) => {
+  const order = await tx.orders.create({ data: { userId, total } })
+  await tx.inventory.decrement({ productId, quantity })
+  await tx.payments.create({ data: { orderId: order.id, amount: total } })
+  // If any step fails, all are rolled back
+})
+```
+
+## Query hygiene
+
+- Never `SELECT *` in production — select only what you need
+- Parameterized queries always (no string interpolation)
+- `LIMIT` on all queries that could return unbounded results
+- Avoid `OFFSET` for large pagination → use cursor-based (`WHERE id > lastId`)
+
+## Checklist
+
+- [ ] Every table has `id`, `created_at`, `updated_at`
+- [ ] All foreign keys have indexes
+- [ ] Columns filtered/sorted in queries have indexes
+- [ ] `EXPLAIN ANALYZE` run on queries touching >10k rows
+- [ ] Migrations are reversible (or have a rollback plan)
+- [ ] No `ALTER TABLE` without reviewing lock implications
+- [ ] Multi-step operations wrapped in transactions
+- [ ] No `SELECT *`, no string-interpolated queries

package/dist/skills/error-handling/SKILL.md

@@ -0,0 +1,196 @@
+---
+name: error-handling
+description: Error handling strategy. Error boundaries, logging patterns, user-facing messages, monitoring setup, and async error flows. Use when building any feature that can fail, or auditing error handling in existing code.
+user-invocable: true
+---
+
+# Error Handling
+
+Every error falls into two buckets: expected (handle gracefully) and unexpected (log, alert, recover).
+Never show users a stack trace. Never silently swallow an error.
+
+## Error hierarchy
+
+```
+Expected errors (handle in code)
+├── Validation errors → show to user, guide to fix
+├── Not found → 404, redirect or empty state
+├── Auth errors → redirect to login
+├── Business rule violations → explain and offer alternative
+└── External API failures → retry or fallback
+
+Unexpected errors (log + alert + recover)
+├── Unhandled promise rejections
+├── Database connection failures
+├── Third-party SDK crashes
+└── Memory/timeout errors
+```
+
+## Frontend: React Error Boundaries
+
+```tsx
+// components/ErrorBoundary.tsx
+'use client'
+import { Component, ReactNode } from 'react'
+
+interface Props { children: ReactNode; fallback?: ReactNode }
+interface State { hasError: boolean; error?: Error }
+
+export class ErrorBoundary extends Component<Props, State> {
+  state: State = { hasError: false }
+
+  static getDerivedStateFromError(error: Error): State {
+    return { hasError: true, error }
+  }
+
+  componentDidCatch(error: Error, info: { componentStack: string }) {
+    // Log to your monitoring service
+    console.error('[ErrorBoundary]', error, info)
+    reportError(error, { context: info.componentStack })
+  }
+
+  render() {
+    if (this.state.hasError) {
+      return this.props.fallback ?? <DefaultErrorFallback error={this.state.error} />
+    }
+    return this.props.children
+  }
+}
+
+// Wrap at route level and around risky components
+<ErrorBoundary fallback={<ErrorPage />}>
+  <Dashboard />
+</ErrorBoundary>
+```
+
+## Frontend: async error patterns
+
+```tsx
+// NEVER: unhandled promise
+useEffect(() => {
+  fetchData()  // if this throws, silent failure
+}, [])
+
+// GOOD: handle errors explicitly
+const [error, setError] = useState<string | null>(null)
+
+useEffect(() => {
+  fetchData()
+    .catch(err => {
+      setError(getErrorMessage(err))
+      reportError(err)
+    })
+}, [])
+
+// GOOD: React Query handles this automatically
+const { data, error, isError } = useQuery({ queryKey: ['users'], queryFn: fetchUsers })
+if (isError) return <ErrorState message={getErrorMessage(error)} />
+```
+
+## Next.js App Router error files
+
+```tsx
+// app/error.tsx — catches runtime errors in route segment
+'use client'
+export default function Error({ error, reset }: { error: Error; reset: () => void }) {
+  useEffect(() => { reportError(error) }, [error])
+
+  return (
+    <div>
+      <h2>Something went wrong</h2>
+      <button onClick={reset}>Try again</button>
+    </div>
+  )
+}
+
+// app/not-found.tsx — 404 handler
+export default function NotFound() {
+  return <div>Page not found</div>
+}
+
+// app/global-error.tsx — catches errors in root layout
+'use client'
+export default function GlobalError({ error, reset }) { ... }
+```
+
+## Backend: error response pattern
+
+```ts
+// Never expose internal errors to clients
+class AppError extends Error {
+  constructor(
+    public code: string,       // machine-readable
+    public message: string,    // end-user safe
+    public status: number,     // HTTP status
+    public details?: unknown   // optional context (logged, not returned)
+  ) { super(message) }
+}
+
+// Express global error handler
+app.use((err: Error, req, res, next) => {
+  if (err instanceof AppError) {
+    return res.status(err.status).json({
+      data: null,
+      error: { code: err.code, message: err.message }
+    })
+  }
+
+  // Unexpected error — log full details, return generic message
+  logger.error({ err, req: { method: req.method, url: req.url } })
+  reportError(err)
+
+  res.status(500).json({
+    data: null,
+    error: { code: 'INTERNAL_ERROR', message: 'An unexpected error occurred' }
+  })
+})
+```
+
+## Logging levels
+
+| Level | When | Example |
+|-------|------|---------|
+| `error` | Unexpected failures, alerts needed | DB crash, unhandled exception |
+| `warn` | Expected failures worth monitoring | Retry attempts, rate limit hit |
+| `info` | Key business events | User registered, payment processed |
+| `debug` | Dev only, never in production | Query params, response body |
+
+```ts
+// Always log with context, not just the message
+logger.error({ err, userId: req.user?.id, endpoint: req.url }, 'Payment failed')
+// Not: logger.error('Payment failed')
+```
+
+## Async error rules
+
+- Every `async` function must have a `try/catch` or be called with `.catch()`
+- Never `await` inside `forEach` — use `Promise.all` or `for...of`
+- Unhandled promise rejections crash Node.js 15+ — always handle
+
+```ts
+// GOOD
+const results = await Promise.all(items.map(item => processItem(item)))
+
+// BAD (forEach ignores returned promise)
+items.forEach(async (item) => await processItem(item))
+
+// For sequential with error isolation:
+for (const item of items) {
+  try {
+    await processItem(item)
+  } catch (err) {
+    logger.warn({ err, itemId: item.id }, 'Failed to process item, continuing')
+  }
+}
+```
+
+## Checklist
+
+- [ ] Error boundaries around route segments and risky components
+- [ ] Every `fetch`/`async` call has error handling
+- [ ] User sees human-readable message, never stack trace or raw error
+- [ ] Unexpected errors logged with full context (user, endpoint, stack)
+- [ ] `app/error.tsx` and `app/not-found.tsx` exist and are styled
+- [ ] Global error handler in API (Express/Hono/Next route handler)
+- [ ] `AppError` class for expected errors with machine-readable codes
+- [ ] Error monitoring service wired up (see monitoring patterns)