rex-claude 6.1.0 → 6.2.0

package/dist/index.js

@@ -638,7 +638,7 @@ ${COLORS.bold}${projects.length} projects found${COLORS.reset}
       break;
     }
     case "preload": {
-      const { preload } = await import("./preload-I3MYBVNU.js");
+      const { preload } = await import("./preload-OJJO66IG.js");
       const cwd = process.argv[3] || process.cwd();
       const context = await preload(cwd);
       if (context) console.log(context);

package/dist/{preload-I3MYBVNU.js → preload-OJJO66IG.js}

@@ -14,9 +14,50 @@ import "./chunk-PDX44BCA.js";
 // src/preload.ts
 import Database from "better-sqlite3";
 import * as sqliteVec from "sqlite-vec";
-import { existsSync } from "fs";
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
 var log = createLogger("preload");
-var MAX_TOKENS = 200;
+var MAX_TOKENS = 300;
+var SKILL_RULES = [
+  // Frontend frameworks → UI/UX skills
+  { deps: ["next", "react", "vue", "nuxt", "@angular/core"], skills: ["ux-flow", "ui-craft", "ui-review"] },
+  // API layers → API design
+  { deps: ["express", "fastify", "hono", "koa", "@hapi/hapi"], skills: ["api-design", "error-handling"] },
+  // Database ORMs → DB design
+  { deps: ["drizzle-orm", "prisma", "typeorm", "mongoose", "sequelize", "knex"], skills: ["db-design"] },
+  // Auth libraries → auth patterns
+  { deps: ["next-auth", "lucia", "passport", "jose", "jsonwebtoken", "@auth/core"], skills: ["auth-patterns"] },
+  // i18n
+  { deps: ["next-intl", "i18next", "react-i18next", "vue-i18n"], skills: ["i18n"] },
+  // Testing
+  { deps: ["vitest", "jest", "@testing-library/react", "playwright", "cypress"], skills: ["test-strategy"] },
+  // Next.js specifically → SEO worth mentioning
+  { deps: ["next"], skills: ["seo", "perf"] },
+  // Any project → performance
+  { deps: ["react", "vue", "angular"], skills: ["perf"] }
+];
+function detectRelevantSkills(projectRoot) {
+  const pkgPath = join(projectRoot, "package.json");
+  if (!existsSync(pkgPath)) return [];
+  let pkg = {};
+  try {
+    pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+  } catch {
+    return [];
+  }
+  const allDeps = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
+  const suggested = /* @__PURE__ */ new Set();
+  for (const rule of SKILL_RULES) {
+    if (rule.deps && rule.deps.some((d) => allDeps.includes(d))) {
+      rule.skills.forEach((s) => suggested.add(s));
+    }
+    if (rule.files) {
+      const matched = rule.files.some((f) => existsSync(join(projectRoot, f)));
+      if (matched) rule.skills.forEach((s) => suggested.add(s));
+    }
+  }
+  return [...suggested];
+}
 async function preload(cwd) {
   if (!existsSync(MEMORY_DB_PATH)) {
     log.debug("No memory DB found, skipping preload");
@@ -66,6 +107,12 @@ async function preload(cwd) {
   } finally {
     db.close();
   }
+  if (project?.path) {
+    const skills = detectRelevantSkills(project.path);
+    if (skills.length > 0) {
+      sections.push(`Skills: ${skills.join(", ")}`);
+    }
+  }
   const output = sections.join("\n");
   log.info(`Preloaded ${sections.length} sections for ${project?.name || cwd} (${output.length} chars)`);
   if (output.length > MAX_TOKENS * 4) {

package/dist/skills/api-design/SKILL.md

@@ -0,0 +1,134 @@
+---
+name: api-design
+description: REST API design. Enforces consistent endpoints, response envelopes, pagination, error codes, and versioning. Use before building any new endpoint or reviewing an existing API surface.
+user-invocable: true
+---
+
+# API Design
+
+Consistency is the only thing that matters in an API. One inconsistent endpoint breaks trust in all of them.
+
+## URL conventions
+
+```
+GET    /api/v1/users           # list (always paginated)
+GET    /api/v1/users/:id       # single resource
+POST   /api/v1/users           # create
+PATCH  /api/v1/users/:id       # partial update
+DELETE /api/v1/users/:id       # delete
+
+# Nested resources (max 2 levels deep)
+GET    /api/v1/users/:id/orders
+POST   /api/v1/users/:id/orders
+
+# Actions (when REST doesn't fit)
+POST   /api/v1/users/:id/activate
+POST   /api/v1/invoices/:id/send
+```
+
+- Always plural nouns, never verbs in URL
+- kebab-case for multi-word: `/order-items` not `/orderItems`
+- Version prefix: `/api/v1/` — bump to v2 only for breaking changes
+
+## Response envelope
+
+**Every response** uses this shape:
+
+```typescript
+// Success
+{
+  "data": { ... } | [...],
+  "meta": {
+    "total": 150,    // always on lists
+    "limit": 20,
+    "offset": 0
+  }
+}
+
+// Error
+{
+  "data": null,
+  "error": {
+    "code": "VALIDATION_ERROR",    // machine-readable, SCREAMING_SNAKE
+    "message": "Email is required", // human-readable, end-user safe
+    "field": "email"               // optional, for field-level errors
+  }
+}
+```
+
+Never return raw arrays at the top level. Never return different shapes for the same endpoint.
+
+## Pagination (mandatory on all lists)
+
+```
+GET /api/v1/orders?limit=20&offset=0
+GET /api/v1/orders?limit=20&offset=20
+
+// Response
+{
+  "data": [...],
+  "meta": { "total": 847, "limit": 20, "offset": 0 }
+}
+```
+
+- Default limit: 20. Max limit: 100 (enforce server-side).
+- Never return unbounded lists. Always paginate.
+- Frontend shows `total` from meta, not `data.length`.
+
+## HTTP status codes
+
+| Code | When |
+|------|------|
+| 200 | Success (GET, PATCH) |
+| 201 | Created (POST) — include `Location` header |
+| 204 | Deleted (DELETE) — no body |
+| 400 | Bad request (malformed JSON, invalid params) |
+| 401 | Not authenticated (missing/expired token) |
+| 403 | Authenticated but not authorized |
+| 404 | Resource not found |
+| 409 | Conflict (duplicate email, concurrent update) |
+| 422 | Validation error (valid JSON but business rule violated) |
+| 429 | Rate limited — include `Retry-After` header |
+| 500 | Server error — log internally, never expose stack trace |
+
+## Error codes
+
+Use machine-readable `code` values the frontend can switch on:
+
+```
+VALIDATION_ERROR     — field validation failed
+NOT_FOUND            — resource doesn't exist
+UNAUTHORIZED         — not logged in
+FORBIDDEN            — logged in but no permission
+DUPLICATE            — unique constraint violation
+RATE_LIMITED         — too many requests
+INTERNAL_ERROR       — catch-all for 500s
+```
+
+## Validation
+
+- Validate at the boundary — never trust client data inside business logic
+- Return ALL validation errors at once, not one by one
+- Use `422` + `field` in error for form validation, `400` for structural issues
+
+## Rate limiting headers
+
+Always include on authenticated endpoints:
+
+```
+X-RateLimit-Limit: 100
+X-RateLimit-Remaining: 42
+X-RateLimit-Reset: 1735689600   # Unix timestamp
+Retry-After: 30                  # seconds, on 429
+```
+
+## Checklist before shipping an endpoint
+
+- [ ] URL follows conventions (plural, kebab, versioned)
+- [ ] Response uses the standard envelope
+- [ ] List endpoint is paginated (limit+offset+total)
+- [ ] All error cases return correct status + error code
+- [ ] Validation errors return field-level details
+- [ ] No secrets or internal paths in responses
+- [ ] Auth required where needed (don't forget!)
+- [ ] Rate limiting on sensitive endpoints (auth, email send)

package/dist/skills/auth-patterns/SKILL.md

@@ -0,0 +1,145 @@
+---
+name: auth-patterns
+description: Authentication and authorization patterns. JWT, sessions, OAuth, RBAC, route protection. Use when implementing login, protected routes, or permission systems.
+user-invocable: true
+---
+
+# Auth Patterns
+
+Auth bugs are security bugs. Every decision here has a security consequence.
+
+## Token storage
+
+| Method | XSS safe | CSRF safe | Use for |
+|--------|----------|-----------|---------|
+| `httpOnly` cookie | ✅ | ❌ (need CSRF token) | Sessions, refresh tokens |
+| Memory (React state) | ✅ | ✅ | Access tokens (short-lived) |
+| `localStorage` | ❌ | ✅ | Never for auth tokens |
+| `sessionStorage` | ❌ | ✅ | Never for auth tokens |
+
+**Rule:** Access token in memory. Refresh token in `httpOnly` `Secure` `SameSite=Strict` cookie.
+
+## JWT structure
+
+```ts
+// Access token: short-lived, stateless
+const accessToken = jwt.sign(
+  { sub: user.id, role: user.role, email: user.email },
+  ACCESS_TOKEN_SECRET,
+  { expiresIn: '15m' }   // never more than 1h
+)
+
+// Refresh token: long-lived, stored in DB for revocation
+const refreshToken = jwt.sign(
+  { sub: user.id, jti: crypto.randomUUID() },  // jti = unique ID for revocation
+  REFRESH_TOKEN_SECRET,
+  { expiresIn: '30d' }
+)
+// Store hashed refresh token in DB
+await db.refreshTokens.insert({ userId: user.id, tokenHash: hash(refreshToken) })
+```
+
+**Never:** embed sensitive data in JWT (passwords, full profile, card numbers).
+**Always:** verify on every request, don't trust payload without signature check.
+
+## Route protection (Next.js App Router)
+
+```ts
+// middleware.ts — runs on every request before page render
+import { NextResponse } from 'next/server'
+import { verifyToken } from '@/lib/auth'
+
+export async function middleware(request: NextRequest) {
+  const token = request.cookies.get('access_token')?.value
+
+  if (!token) {
+    return NextResponse.redirect(new URL('/login', request.url))
+  }
+
+  const payload = await verifyToken(token)
+  if (!payload) {
+    return NextResponse.redirect(new URL('/login', request.url))
+  }
+
+  return NextResponse.next()
+}
+
+export const config = {
+  matcher: ['/dashboard/:path*', '/settings/:path*', '/api/v1/:path*'],
+}
+```
+
+**Never** protect routes only client-side — always enforce on server/middleware.
+
+## RBAC (Role-Based Access Control)
+
+```ts
+// Define roles and permissions clearly
+const PERMISSIONS = {
+  'admin':   ['read', 'write', 'delete', 'manage_users'],
+  'editor':  ['read', 'write'],
+  'viewer':  ['read'],
+} as const
+
+// Check permission, not role (more flexible)
+function can(user: User, action: string): boolean {
+  return PERMISSIONS[user.role]?.includes(action) ?? false
+}
+
+// Usage
+if (!can(user, 'delete')) {
+  return res.status(403).json({ error: { code: 'FORBIDDEN', message: 'Insufficient permissions' } })
+}
+```
+
+**Never:** check `user.role === 'admin'` inline everywhere. Centralize permission logic.
+
+## Password handling
+
+```ts
+import bcrypt from 'bcrypt'  // or argon2
+
+// Hash on registration (never store plain text)
+const hash = await bcrypt.hash(password, 12)  // cost factor 12
+
+// Verify on login
+const valid = await bcrypt.compare(password, user.passwordHash)
+
+// Timing-safe comparison for tokens
+import { timingSafeEqual } from 'node:crypto'
+const match = timingSafeEqual(Buffer.from(token), Buffer.from(expectedToken))
+```
+
+## OAuth (social login)
+
+```ts
+// Always use a library — don't implement OAuth yourself
+// next-auth / auth.js for Next.js
+// passport.js for Express
+
+// Validate state parameter to prevent CSRF
+// Validate redirect_uri server-side
+// Store minimal profile data (don't keep what you don't need)
+```
+
+## Rate limiting on auth endpoints
+
+```ts
+// Login: 5 attempts per 15min per IP
+// Password reset: 3 per hour per email
+// Token refresh: 10 per minute per token
+// Registration: 3 per hour per IP
+```
+
+## Checklist
+
+- [ ] Access tokens expire in ≤1h
+- [ ] Refresh tokens stored as hash in DB (revocable)
+- [ ] Tokens in `httpOnly` cookies, never `localStorage`
+- [ ] Passwords hashed with bcrypt/argon2 (cost ≥12)
+- [ ] CSRF protection on all cookie-based state changes
+- [ ] Rate limiting on login, register, reset endpoints
+- [ ] All protected routes verified server-side (not just client guard)
+- [ ] `HTTPS` only in production (`Secure` cookie flag)
+- [ ] Logout invalidates refresh token in DB
+- [ ] No sensitive data in JWT payload

package/dist/skills/db-design/SKILL.md

@@ -0,0 +1,139 @@
+---
+name: db-design
+description: Database schema design, indexing strategy, and migration patterns. Prevents N+1, missing indexes, unsafe migrations, and schema drift. Use when designing tables, adding columns, or writing complex queries.
+user-invocable: true
+---
+
+# DB Design
+
+Bad schema is the most expensive technical debt. You can refactor code in hours; migrating 10M rows takes days.
+
+## Schema design principles
+
+### Naming
+- Tables: `snake_case`, plural (`users`, `order_items`, `refresh_tokens`)
+- Columns: `snake_case` (`created_at`, `user_id`, `is_active`)
+- Foreign keys: `{table_singular}_id` (`user_id`, `order_id`)
+- Booleans: prefix `is_` or `has_` (`is_active`, `has_verified_email`)
+- Timestamps: always `created_at` + `updated_at` on every table
+
+### Standard columns every table needs
+```sql
+id         BIGINT PRIMARY KEY GENERATED ALWAYS AS IDENTITY  -- or UUID
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+```
+
+### Soft delete pattern (prefer over hard delete)
+```sql
+deleted_at TIMESTAMPTZ  -- NULL = active, non-NULL = deleted
+-- Query: WHERE deleted_at IS NULL
+```
+
+## Indexing strategy
+
+**Index everything you filter, sort, or join on.**
+
+```sql
+-- Always index foreign keys
+CREATE INDEX idx_orders_user_id ON orders(user_id);
+
+-- Composite index for common query patterns (leftmost prefix rule)
+CREATE INDEX idx_orders_user_status ON orders(user_id, status);
+-- This covers: WHERE user_id = ?
+-- And:         WHERE user_id = ? AND status = ?
+-- But NOT:     WHERE status = ?  alone
+
+-- Partial index for filtered queries
+CREATE INDEX idx_orders_pending ON orders(created_at)
+  WHERE status = 'pending';
+
+-- Text search
+CREATE INDEX idx_products_name_search ON products USING gin(to_tsvector('english', name));
+```
+
+**Check for missing indexes:**
+```sql
+EXPLAIN ANALYZE SELECT ... -- look for "Seq Scan" on large tables
+-- Seq Scan on 1000 rows = fine. On 1M rows = add an index.
+```
+
+**Over-indexing costs:** Every index slows down INSERT/UPDATE/DELETE. Don't index columns you never filter on.
+
+## N+1 pattern (the most common DB bug)
+
+```ts
+// BAD — N+1: 1 query for orders + N queries for each user
+const orders = await db.orders.findMany()
+for (const order of orders) {
+  order.user = await db.users.findById(order.userId)  // N queries!
+}
+
+// GOOD — 1 query with join or eager load
+const orders = await db.orders.findMany({
+  include: { user: true }  // Prisma
+})
+
+// Or raw SQL with JOIN
+SELECT o.*, u.name, u.email
+FROM orders o
+JOIN users u ON u.id = o.user_id
+WHERE o.status = 'pending'
+```
+
+## Safe migration patterns
+
+```sql
+-- SAFE: adding nullable column (instant, no lock)
+ALTER TABLE users ADD COLUMN avatar_url TEXT;
+
+-- SAFE: adding column with default (Postgres 11+, instant)
+ALTER TABLE users ADD COLUMN is_verified BOOLEAN NOT NULL DEFAULT false;
+
+-- DANGEROUS: adding NOT NULL without default (locks table, blocks writes)
+-- Do it in 3 steps:
+-- 1. Add nullable
+ALTER TABLE users ADD COLUMN phone TEXT;
+-- 2. Backfill
+UPDATE users SET phone = '' WHERE phone IS NULL;
+-- 3. Add constraint
+ALTER TABLE users ALTER COLUMN phone SET NOT NULL;
+
+-- DANGEROUS: dropping column (data loss, code must be deployed first)
+-- 1. Deploy code that no longer uses the column
+-- 2. Then drop in next migration
+ALTER TABLE users DROP COLUMN legacy_field;
+
+-- DANGEROUS: renaming column/table (breaks existing queries)
+-- Use a 2-phase rename: add new column, migrate data, remove old
+```
+
+## Transaction patterns
+
+```ts
+// Always use transactions for multi-step operations
+await db.transaction(async (tx) => {
+  const order = await tx.orders.create({ data: { userId, total } })
+  await tx.inventory.decrement({ productId, quantity })
+  await tx.payments.create({ data: { orderId: order.id, amount: total } })
+  // If any step fails, all are rolled back
+})
+```
+
+## Query hygiene
+
+- Never `SELECT *` in production — select only what you need
+- Parameterized queries always (no string interpolation)
+- `LIMIT` on all queries that could return unbounded results
+- Avoid `OFFSET` for large pagination → use cursor-based (`WHERE id > lastId`)
+
+## Checklist
+
+- [ ] Every table has `id`, `created_at`, `updated_at`
+- [ ] All foreign keys have indexes
+- [ ] Columns filtered/sorted in queries have indexes
+- [ ] `EXPLAIN ANALYZE` run on queries touching >10k rows
+- [ ] Migrations are reversible (or have a rollback plan)
+- [ ] No `ALTER TABLE` without reviewing lock implications
+- [ ] Multi-step operations wrapped in transactions
+- [ ] No `SELECT *`, no string-interpolated queries

package/dist/skills/error-handling/SKILL.md

@@ -0,0 +1,196 @@
+---
+name: error-handling
+description: Error handling strategy. Error boundaries, logging patterns, user-facing messages, monitoring setup, and async error flows. Use when building any feature that can fail, or auditing error handling in existing code.
+user-invocable: true
+---
+
+# Error Handling
+
+Every error falls into two buckets: expected (handle gracefully) and unexpected (log, alert, recover).
+Never show users a stack trace. Never silently swallow an error.
+
+## Error hierarchy
+
+```
+Expected errors (handle in code)
+├── Validation errors → show to user, guide to fix
+├── Not found → 404, redirect or empty state
+├── Auth errors → redirect to login
+├── Business rule violations → explain and offer alternative
+└── External API failures → retry or fallback
+
+Unexpected errors (log + alert + recover)
+├── Unhandled promise rejections
+├── Database connection failures
+├── Third-party SDK crashes
+└── Memory/timeout errors
+```
+
+## Frontend: React Error Boundaries
+
+```tsx
+// components/ErrorBoundary.tsx
+'use client'
+import { Component, ReactNode } from 'react'
+
+interface Props { children: ReactNode; fallback?: ReactNode }
+interface State { hasError: boolean; error?: Error }
+
+export class ErrorBoundary extends Component<Props, State> {
+  state: State = { hasError: false }
+
+  static getDerivedStateFromError(error: Error): State {
+    return { hasError: true, error }
+  }
+
+  componentDidCatch(error: Error, info: { componentStack: string }) {
+    // Log to your monitoring service
+    console.error('[ErrorBoundary]', error, info)
+    reportError(error, { context: info.componentStack })
+  }
+
+  render() {
+    if (this.state.hasError) {
+      return this.props.fallback ?? <DefaultErrorFallback error={this.state.error} />
+    }
+    return this.props.children
+  }
+}
+
+// Wrap at route level and around risky components
+<ErrorBoundary fallback={<ErrorPage />}>
+  <Dashboard />
+</ErrorBoundary>
+```
+
+## Frontend: async error patterns
+
+```tsx
+// NEVER: unhandled promise
+useEffect(() => {
+  fetchData()  // if this throws, silent failure
+}, [])
+
+// GOOD: handle errors explicitly
+const [error, setError] = useState<string | null>(null)
+
+useEffect(() => {
+  fetchData()
+    .catch(err => {
+      setError(getErrorMessage(err))
+      reportError(err)
+    })
+}, [])
+
+// GOOD: React Query handles this automatically
+const { data, error, isError } = useQuery({ queryKey: ['users'], queryFn: fetchUsers })
+if (isError) return <ErrorState message={getErrorMessage(error)} />
+```
+
+## Next.js App Router error files
+
+```tsx
+// app/error.tsx — catches runtime errors in route segment
+'use client'
+export default function Error({ error, reset }: { error: Error; reset: () => void }) {
+  useEffect(() => { reportError(error) }, [error])
+
+  return (
+    <div>
+      <h2>Something went wrong</h2>
+      <button onClick={reset}>Try again</button>
+    </div>
+  )
+}
+
+// app/not-found.tsx — 404 handler
+export default function NotFound() {
+  return <div>Page not found</div>
+}
+
+// app/global-error.tsx — catches errors in root layout
+'use client'
+export default function GlobalError({ error, reset }) { ... }
+```
+
+## Backend: error response pattern
+
+```ts
+// Never expose internal errors to clients
+class AppError extends Error {
+  constructor(
+    public code: string,       // machine-readable
+    public message: string,    // end-user safe
+    public status: number,     // HTTP status
+    public details?: unknown   // optional context (logged, not returned)
+  ) { super(message) }
+}
+
+// Express global error handler
+app.use((err: Error, req, res, next) => {
+  if (err instanceof AppError) {
+    return res.status(err.status).json({
+      data: null,
+      error: { code: err.code, message: err.message }
+    })
+  }
+
+  // Unexpected error — log full details, return generic message
+  logger.error({ err, req: { method: req.method, url: req.url } })
+  reportError(err)
+
+  res.status(500).json({
+    data: null,
+    error: { code: 'INTERNAL_ERROR', message: 'An unexpected error occurred' }
+  })
+})
+```
+
+## Logging levels
+
+| Level | When | Example |
+|-------|------|---------|
+| `error` | Unexpected failures, alerts needed | DB crash, unhandled exception |
+| `warn` | Expected failures worth monitoring | Retry attempts, rate limit hit |
+| `info` | Key business events | User registered, payment processed |
+| `debug` | Dev only, never in production | Query params, response body |
+
+```ts
+// Always log with context, not just the message
+logger.error({ err, userId: req.user?.id, endpoint: req.url }, 'Payment failed')
+// Not: logger.error('Payment failed')
+```
+
+## Async error rules
+
+- Every `async` function must have a `try/catch` or be called with `.catch()`
+- Never `await` inside `forEach` — use `Promise.all` or `for...of`
+- Unhandled promise rejections crash Node.js 15+ — always handle
+
+```ts
+// GOOD
+const results = await Promise.all(items.map(item => processItem(item)))
+
+// BAD (forEach ignores returned promise)
+items.forEach(async (item) => await processItem(item))
+
+// For sequential with error isolation:
+for (const item of items) {
+  try {
+    await processItem(item)
+  } catch (err) {
+    logger.warn({ err, itemId: item.id }, 'Failed to process item, continuing')
+  }
+}
+```
+
+## Checklist
+
+- [ ] Error boundaries around route segments and risky components
+- [ ] Every `fetch`/`async` call has error handling
+- [ ] User sees human-readable message, never stack trace or raw error
+- [ ] Unexpected errors logged with full context (user, endpoint, stack)
+- [ ] `app/error.tsx` and `app/not-found.tsx` exist and are styled
+- [ ] Global error handler in API (Express/Hono/Next route handler)
+- [ ] `AppError` class for expected errors with machine-readable codes
+- [ ] Error monitoring service wired up (see monitoring patterns)

package/dist/skills/i18n/SKILL.md

@@ -0,0 +1,159 @@
+---
+name: i18n
+description: Internationalization patterns for Next.js. next-intl setup, message extraction, locale routing, date/number formatting, and pluralization. Use when adding multi-language support or auditing an existing i18n setup.
+user-invocable: true
+---
+
+# i18n (Next.js + next-intl)
+
+i18n added after launch is painful. i18n from day one is just a folder structure.
+
+## Setup (next-intl)
+
+```bash
+npm install next-intl
+```
+
+```
+messages/
+├── en.json
+├── fr.json
+└── es.json
+
+app/
+├── [locale]/
+│   ├── layout.tsx
+│   └── page.tsx
+├── i18n/
+│   ├── routing.ts
+│   └── request.ts
+└── middleware.ts
+```
+
+```ts
+// i18n/routing.ts
+import { defineRouting } from 'next-intl/routing'
+
+export const routing = defineRouting({
+  locales: ['en', 'fr', 'es'],
+  defaultLocale: 'en',
+})
+
+// middleware.ts
+import createMiddleware from 'next-intl/middleware'
+import { routing } from './i18n/routing'
+
+export default createMiddleware(routing)
+
+export const config = {
+  matcher: ['/((?!api|_next|_vercel|.*\\..*).*)'],
+}
+```
+
+## Message files
+
+```json
+// messages/en.json
+{
+  "nav": {
+    "home": "Home",
+    "pricing": "Pricing",
+    "signin": "Sign in"
+  },
+  "dashboard": {
+    "welcome": "Welcome back, {name}!",
+    "items": "{count, plural, =0 {No items} one {# item} other {# items}}",
+    "lastSeen": "Last seen {date, relativetime}"
+  },
+  "errors": {
+    "required": "{field} is required",
+    "notFound": "Page not found"
+  }
+}
+```
+
+## Usage in components
+
+```tsx
+// Server component
+import { getTranslations } from 'next-intl/server'
+
+export default async function Page() {
+  const t = await getTranslations('dashboard')
+  return <h1>{t('welcome', { name: 'Kevin' })}</h1>
+}
+
+// Client component
+'use client'
+import { useTranslations } from 'next-intl'
+
+export function NavBar() {
+  const t = useTranslations('nav')
+  return <nav><a>{t('home')}</a></nav>
+}
+
+// Pluralization
+t('items', { count: 0 })   // "No items"
+t('items', { count: 1 })   // "1 item"
+t('items', { count: 42 })  // "42 items"
+```
+
+## Date, number, and currency formatting
+
+```tsx
+import { useFormatter } from 'next-intl'
+
+export function PricingCard({ price, date }: { price: number; date: Date }) {
+  const format = useFormatter()
+
+  return (
+    <div>
+      {/* Currency — auto-formats per locale */}
+      <p>{format.number(price, { style: 'currency', currency: 'EUR' })}</p>
+      {/* fr: 29,99 €  en: €29.99 */}
+
+      {/* Relative time */}
+      <time>{format.relativeTime(date)}</time>
+      {/* "3 hours ago" / "il y a 3 heures" */}
+
+      {/* Absolute date */}
+      <span>{format.dateTime(date, { dateStyle: 'long' })}</span>
+      {/* "March 7, 2026" / "7 mars 2026" */}
+    </div>
+  )
+}
+```
+
+## Locale-aware routing
+
+```tsx
+import { Link } from '@/i18n/routing'  // next-intl's Link (adds locale prefix)
+
+// /en/dashboard → /fr/dashboard automatically
+<Link href="/dashboard">Dashboard</Link>
+
+// Redirect to locale-specific path
+import { redirect } from 'next-intl/navigation'
+redirect({ href: '/login', locale: 'fr' })
+```
+
+## Common mistakes to avoid
+
+| Don't | Do instead |
+|-------|-----------|
+| Hardcode strings in JSX | Extract to message files from day 1 |
+| Use `new Date().toLocaleDateString()` | Use `format.dateTime()` |
+| Build plural strings manually (`${count} item(s)`) | Use ICU plural syntax in messages |
+| Store locale in state | Use URL-based routing (SEO + shareable) |
+| Forget RTL support | Add `dir={locale === 'ar' ? 'rtl' : 'ltr'}` to `<html>` |
+
+## Checklist
+
+- [ ] Locale detected from URL, not browser/cookie (SEO friendly)
+- [ ] All user-facing strings in message files (grep for hardcoded text)
+- [ ] Dates formatted with `format.dateTime()`, numbers with `format.number()`
+- [ ] Plurals use ICU syntax, not manual string building
+- [ ] `<Link>` from next-intl (not next/link) for locale-aware navigation
+- [ ] `<html lang={locale}>` set in root layout
+- [ ] Fallback to `defaultLocale` when translation missing
+- [ ] OG metadata localized per language

package/dist/skills/perf/SKILL.md

@@ -0,0 +1,108 @@
+---
+name: perf
+description: Performance audit. Identifies bottlenecks in frontend (Core Web Vitals, bundle, rendering), backend (slow queries, N+1, missing indexes), and infrastructure (caching, CDN). Reports with file:line and concrete fixes. Use when the app feels slow or before a launch.
+user-invocable: true
+---
+
+# Performance
+
+Measure first. Never guess where the bottleneck is.
+
+## Frontend
+
+### Core Web Vitals targets
+| Metric | Good | Needs work |
+|--------|------|-----------|
+| LCP (largest content) | <2.5s | >4s |
+| INP (interaction) | <200ms | >500ms |
+| CLS (layout shift) | <0.1 | >0.25 |
+
+### Bundle audit
+```bash
+# Next.js
+ANALYZE=true next build   # needs @next/bundle-analyzer
+
+# Check for duplicate deps
+npx depcheck
+npx bundlephobia <package>   # before adding anything
+```
+
+**Red flags:**
+- `moment.js` (replace with `date-fns` or `dayjs`)
+- Full `lodash` import (use `lodash-es` + tree-shaking)
+- Unoptimized images (no `next/image`, missing `width`/`height`)
+- No code splitting (all JS in one chunk)
+- `useEffect` on every render with no dep array
+
+### Rendering bottlenecks
+
+```tsx
+// BAD: expensive filter on every render
+const filtered = items.filter(...)
+
+// GOOD: memoized
+const filtered = useMemo(() => items.filter(...), [items, query])
+
+// BAD: new function reference breaks child memo
+<Child onClick={() => doSomething()} />
+
+// GOOD
+const handleClick = useCallback(() => doSomething(), [])
+<Child onClick={handleClick} />
+```
+
+**Check:**
+- [ ] Lists with 100+ items: use virtualization (`react-window` or `@tanstack/virtual`)
+- [ ] Heavy components: lazy load with `dynamic(() => import(...), { ssr: false })`
+- [ ] Images: `next/image` with `priority` on above-the-fold, lazy below
+- [ ] Fonts: `next/font` only, never `<link>` to Google Fonts
+
+## Backend / API
+
+### Query audit
+
+```sql
+-- Spot slow queries (Postgres)
+SELECT query, mean_exec_time, calls
+FROM pg_stat_statements
+ORDER BY mean_exec_time DESC LIMIT 20;
+
+-- Missing indexes
+EXPLAIN ANALYZE SELECT ...;   -- look for "Seq Scan" on large tables
+```
+
+**Red flags:**
+- `SELECT *` on wide tables
+- Missing indexes on foreign keys and filtered columns
+- N+1: loop calling DB inside `.map()` — batch with `WHERE id IN (...)` instead
+- No pagination on list endpoints
+- Sorting on non-indexed column
+
+### Caching strategy
+
+| Layer | Tool | TTL |
+|-------|------|-----|
+| Static data | CDN edge cache | 1h–24h |
+| API responses | Redis / Cloudflare KV | 1min–1h |
+| DB queries | In-memory LRU | 30s |
+| Images | `Cache-Control: public, max-age=31536000` | 1 year |
+
+## Audit output format
+
+```
+## Perf Audit — [app/page]
+
+### Critical (>1s impact)
+- [file:line] Description + fix
+
+### High (100ms–1s)
+- ...
+
+### Quick wins (<1h to fix)
+- ...
+
+### Metrics baseline
+- Bundle: Xkb (main), Ykb (page)
+- TTFB: Xms
+- LCP: Xs
+```

package/dist/skills/seo/SKILL.md

@@ -0,0 +1,158 @@
+---
+name: seo
+description: SEO implementation for Next.js. Metadata, OG tags, sitemap, robots.txt, structured data, and Core Web Vitals. Use when building landing pages, blog, or any public-facing page.
+user-invocable: true
+---
+
+# SEO (Next.js App Router)
+
+SEO is plumbing. Do it right once and forget it. Do it wrong and it's invisible for 6 months.
+
+## Metadata API (App Router)
+
+```tsx
+// app/layout.tsx — site-wide defaults
+export const metadata: Metadata = {
+  metadataBase: new URL('https://yourdomain.com'),
+  title: {
+    default: 'Your App Name',
+    template: '%s | Your App Name',   // page title → "Page | Your App Name"
+  },
+  description: 'Clear, 150-char max description of what the app does.',
+  openGraph: {
+    type: 'website',
+    locale: 'en_US',
+    url: 'https://yourdomain.com',
+    siteName: 'Your App Name',
+    images: [{ url: '/og-default.png', width: 1200, height: 630 }],
+  },
+  twitter: {
+    card: 'summary_large_image',
+    creator: '@yourhandle',
+  },
+  robots: { index: true, follow: true },
+}
+
+// app/blog/[slug]/page.tsx — dynamic per-page metadata
+export async function generateMetadata({ params }): Promise<Metadata> {
+  const post = await getPost(params.slug)
+  return {
+    title: post.title,
+    description: post.excerpt,
+    openGraph: {
+      type: 'article',
+      publishedTime: post.publishedAt,
+      images: [{ url: post.ogImage, width: 1200, height: 630 }],
+    },
+  }
+}
+```
+
+## OG Image generation
+
+```tsx
+// app/og/route.tsx — dynamic OG images (Vercel OG)
+import { ImageResponse } from 'next/og'
+
+export async function GET(request: Request) {
+  const { searchParams } = new URL(request.url)
+  const title = searchParams.get('title') || 'Default Title'
+
+  return new ImageResponse(
+    <div style={{ display: 'flex', width: '100%', height: '100%', background: '#000' }}>
+      <h1 style={{ color: '#fff', fontSize: 60 }}>{title}</h1>
+    </div>,
+    { width: 1200, height: 630 }
+  )
+}
+
+// Use in metadata:
+// images: [{ url: `/og?title=${encodeURIComponent(post.title)}` }]
+```
+
+## Sitemap
+
+```tsx
+// app/sitemap.ts
+import { MetadataRoute } from 'next'
+
+export default async function sitemap(): Promise<MetadataRoute.Sitemap> {
+  const posts = await getAllPosts()
+
+  return [
+    { url: 'https://yourdomain.com', lastModified: new Date(), changeFrequency: 'weekly', priority: 1 },
+    { url: 'https://yourdomain.com/pricing', lastModified: new Date(), changeFrequency: 'monthly', priority: 0.8 },
+    ...posts.map(post => ({
+      url: `https://yourdomain.com/blog/${post.slug}`,
+      lastModified: post.updatedAt,
+      changeFrequency: 'monthly' as const,
+      priority: 0.6,
+    })),
+  ]
+}
+```
+
+## Robots.txt
+
+```tsx
+// app/robots.ts
+import { MetadataRoute } from 'next'
+
+export default function robots(): MetadataRoute.Robots {
+  return {
+    rules: [
+      { userAgent: '*', allow: '/', disallow: ['/api/', '/dashboard/', '/admin/'] },
+    ],
+    sitemap: 'https://yourdomain.com/sitemap.xml',
+  }
+}
+```
+
+## Structured data (JSON-LD)
+
+```tsx
+// app/blog/[slug]/page.tsx
+export default function BlogPost({ post }) {
+  const jsonLd = {
+    '@context': 'https://schema.org',
+    '@type': 'Article',
+    headline: post.title,
+    datePublished: post.publishedAt,
+    dateModified: post.updatedAt,
+    author: { '@type': 'Person', name: post.author },
+    description: post.excerpt,
+  }
+
+  return (
+    <>
+      <script type="application/ld+json" dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLd) }} />
+      {/* page content */}
+    </>
+  )
+}
+```
+
+Common schemas: `Article`, `Product`, `Organization`, `BreadcrumbList`, `FAQPage`, `LocalBusiness`
+
+## Technical SEO checklist
+
+- [ ] `metadataBase` set in root layout (required for absolute OG URLs)
+- [ ] `title.template` set for consistent page titles
+- [ ] Description 50–160 chars on every page
+- [ ] OG image 1200×630px on every page (static or generated)
+- [ ] `sitemap.ts` includes all public pages
+- [ ] `robots.ts` blocks `/api/`, `/dashboard/`, `/admin/`
+- [ ] Canonical URL set on duplicate content pages
+- [ ] Structured data on blog posts, products, FAQ
+- [ ] No `noindex` accidentally on important pages
+- [ ] Images have descriptive `alt` text
+- [ ] Headings hierarchy: one `h1` per page, logical `h2`/`h3` structure
+- [ ] Core Web Vitals passing (LCP <2.5s, CLS <0.1, INP <200ms)
+
+## Quick wins (do these first)
+
+1. Add `metadataBase` + default `title.template` (20 min)
+2. Add OG image to every public page (1h)
+3. Generate sitemap (30 min)
+4. Add `robots.ts` (15 min)
+5. Add JSON-LD to blog/product pages (1h)

package/dist/skills/test-strategy/SKILL.md

@@ -0,0 +1,135 @@
+---
+name: test-strategy
+description: Testing strategy. Defines what to test, at what level, and how to mock. Prevents over-testing, under-testing, and tests that slow down development. Use before writing tests for a new feature or when a test suite grows painful.
+user-invocable: true
+---
+
+# Test Strategy
+
+Test the behavior, not the implementation. A test that breaks when you rename a variable is worthless.
+
+## The pyramid
+
+```
+         /‾‾‾‾‾‾\
+        / E2E (5%) \       — Happy paths only. Slow, brittle, expensive.
+       /────────────\
+      / Integration  \     — API endpoints, DB queries, service boundaries.
+     /   (25–35%)    \
+    /──────────────────\
+   /   Unit (60–70%)   \   — Business logic, transformations, edge cases.
+  /──────────────────────\
+```
+
+If your pyramid is inverted (more E2E than unit), your tests are slow and fragile.
+
+## What to test at each level
+
+### Unit tests
+Test pure functions, business logic, edge cases:
+- Calculations, transformations, validations
+- Error conditions and boundary values
+- Utility functions
+- State machines
+
+```ts
+// GOOD — tests behavior
+test('calculates discount correctly', () => {
+  expect(applyDiscount(100, 0.2)).toBe(80)
+  expect(applyDiscount(100, 0)).toBe(100)
+  expect(applyDiscount(0, 0.5)).toBe(0)
+})
+
+// BAD — tests implementation, breaks on refactor
+test('calls Math.floor once', () => { ... })
+```
+
+### Integration tests
+Test your API endpoints end-to-end (request → response, with real DB in test mode):
+
+```ts
+test('POST /api/v1/users creates user', async () => {
+  const res = await request(app)
+    .post('/api/v1/users')
+    .send({ email: 'test@example.com', name: 'Test' })
+
+  expect(res.status).toBe(201)
+  expect(res.body.data.email).toBe('test@example.com')
+  // verify it's actually in the DB
+  const user = await db.users.findByEmail('test@example.com')
+  expect(user).toBeTruthy()
+})
+```
+
+### E2E tests
+Reserve for critical user paths only:
+- Authentication (login, logout, forgot password)
+- Checkout / payment flow
+- Core value action of the product (publish, send, submit)
+
+Never E2E test: form validation, UI states, error messages, edge cases.
+
+## Mocking rules
+
+| Mock this | Don't mock this |
+|-----------|----------------|
+| External APIs (Stripe, SendGrid, S3) | Internal business logic |
+| Email/SMS sending | Database in unit tests (use in-memory or test DB) |
+| Time (`Date.now()`, `new Date()`) | Your own service layer |
+| Random values (`Math.random()`) | Framework code |
+| File system in unit tests | |
+
+```ts
+// GOOD — mock external, test logic
+jest.mock('./email-service')
+test('sends welcome email on registration', async () => {
+  await registerUser({ email: 'test@example.com' })
+  expect(sendWelcomeEmail).toHaveBeenCalledWith('test@example.com')
+})
+
+// BAD — mocking what you're testing
+jest.mock('./user-service')
+test('user service creates user', () => { ... })  // what are we even testing?
+```
+
+## Coverage as a signal, not a goal
+
+- 80% coverage is fine. 100% is usually waste.
+- Coverage doesn't measure quality — a test that does `expect(true).toBe(true)` counts.
+- Focus on: critical paths, error branches, edge cases.
+- Skip: trivial getters/setters, framework boilerplate, generated code.
+
+## Red flags in test suites
+
+- Tests that test implementation details (internals, private methods)
+- `setTimeout` or `sleep` in tests (use fake timers or conditions)
+- Tests that depend on execution order (each test must be independent)
+- Snapshots for everything (become maintenance burden — use for UI components only)
+- Mocking your own database service (test against a real test DB instead)
+
+## Before writing tests
+
+1. Identify the **behavior** you're testing (not the code)
+2. Write the test name as a sentence: `"should return 404 when user doesn't exist"`
+3. Arrange → Act → Assert — three clear sections, no more
+4. One assertion per test (or one logical group)
+5. Make the test fail first — if it passes without code, it's testing nothing
+
+## Stack conventions
+
+```ts
+// Vitest (preferred for Vite/Next projects)
+import { describe, test, expect, vi } from 'vitest'
+
+// Jest (legacy, Node projects)
+import { describe, test, expect, jest } from '@jest/globals'
+
+// React Testing Library — test from user perspective
+import { render, screen, userEvent } from '@testing-library/react'
+test('shows error when email invalid', async () => {
+  render(<LoginForm />)
+  await userEvent.type(screen.getByLabelText('Email'), 'not-an-email')
+  await userEvent.click(screen.getByRole('button', { name: 'Login' }))
+  expect(screen.getByText('Invalid email')).toBeInTheDocument()
+})
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rex-claude",
-  "version": "6.1.0",
+  "version": "6.2.0",
   "description": "REX — dev assistant with Telegram gateway, memory RAG, guards, model switching, and macOS native app",
   "type": "module",
   "bin": {