skillstore-cli 1.0.0

package/README.md

@@ -0,0 +1,95 @@
+# SkillStore CLI
+
+Install and manage skill packages for [Claude Code](https://claude.ai/claude-code).
+
+## Install
+
+```bash
+npm install -g skillstore-cli
+```
+
+## Quick Start
+
+```bash
+# Browse available packages
+skillstore list
+
+# Install free skills (no license needed)
+skillstore install devflow-presale --free-only
+
+# Activate a license
+skillstore activate <license-key>
+
+# Install full package (requires license)
+skillstore install devflow-presale
+
+# Install as template (includes agents + workflows)
+skillstore install devflow-agile --as-template
+
+# Install all packages at once
+skillstore install-bundle devflow-complete
+```
+
+## Packages
+
+| Package | Skills | Price | Free Preview |
+|---------|--------|-------|-------------|
+| **DevFlow Presale** | 6 | $29 | requirement-analysis |
+| **DevFlow Agile** | 10 | $49 | developer |
+| **DevFlow Post-Project** | 4 | $19 | retrospective |
+| **DevFlow Docs** | 4 | $19 | pdf-processor |
+| **DevFlow Bootstrap** | 4 | $19 | project-scaffold |
+| **DevFlow Complete** (bundle) | 28 | $99 | — |
+
+## Free Framework Skills
+
+These 8 skills are always free — no license required:
+
+- `frontend-development` — React, Vue, Angular patterns
+- `backend-development` — API design, Node.js, Python, Java
+- `databases` — SQL/NoSQL, migrations, query optimization
+- `mobile-development` — React Native, Flutter
+- `ui-generation` — Generate UI components from descriptions
+- `debugging-investigation` — Systematic debugging methodology
+- `codebase-analysis` — Architecture analysis, tech debt assessment
+- `security-audit` — OWASP checklist, vulnerability remediation
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `skillstore list` | Show all packages with pricing |
+| `skillstore search <query>` | Search packages and skills |
+| `skillstore install <package>` | Install a package |
+| `skillstore install-bundle <name>` | Install a bundle |
+| `skillstore activate <key>` | Activate a license key |
+| `skillstore status` | Show license tier and installed packages |
+| `skillstore update` | Update installed packages |
+
+## Installation Modes
+
+**Plugin** (default) — copies skills and commands to `.claude/`:
+```bash
+skillstore install devflow-presale
+```
+
+**Template** — also copies agents, workflows, and framework config:
+```bash
+skillstore install devflow-presale --as-template
+```
+
+## How It Works
+
+1. Free skills and framework are bundled with the CLI — works offline
+2. Paid skills are downloaded from a secure server after license verification
+3. Downloaded packages are cached locally for offline use
+4. All skills follow the [Agent Skills Spec](https://docs.claude.ai/claude-code/skills) — SKILL.md + references + assets
+
+## Requirements
+
+- Node.js 18+
+- Claude Code
+
+## License
+
+MIT

package/data/bundles/devflow-complete.json

@@ -0,0 +1,19 @@
+{
+  "name": "devflow-complete",
+  "displayName": "DevFlow Complete",
+  "description": "All 28 DevFlow skills — presale, agile, post-project, docs, and bootstrap in one bundle",
+  "packages": [
+    "@skillstore/devflow-presale",
+    "@skillstore/devflow-agile",
+    "@skillstore/devflow-postproject",
+    "@skillstore/devflow-docs",
+    "@skillstore/devflow-bootstrap"
+  ],
+  "price": {
+    "bundle": 99,
+    "individual": 135,
+    "savings": 36,
+    "currency": "USD"
+  },
+  "version": "1.2.0"
+}

package/data/free-skills/devflow-agile/manifest.json

@@ -0,0 +1,19 @@
+{
+  "name": "@skillstore/devflow-agile",
+  "version": "1.0.0",
+  "skills": [
+    "project-manager",
+    "scrum-master",
+    "business-analyst",
+    "solution-architect",
+    "tech-lead",
+    "team-lead",
+    "developer",
+    "qa-tester",
+    "ui-ux-designer",
+    "devops-engineer"
+  ],
+  "freeSkills": ["developer"],
+  "commands": ["agile", "agile/sprint", "agile/standup", "agile/review", "agile/retro"],
+  "modes": ["plugin", "template"]
+}

package/data/free-skills/devflow-agile/plugin/commands/agile/retro.md

@@ -0,0 +1,23 @@
+---
+description: Sprint retrospective facilitation
+argument-hint: [sprint number or context]
+---
+
+## Your Mission
+
+<sprint>
+$ARGUMENTS
+</sprint>
+
+## Process
+
+1. Activate `scrum-master` skill for retrospective techniques
+2. Select appropriate retro format based on team context
+3. Facilitate discussion areas:
+   - What went well
+   - What didn't go well
+   - What to improve
+4. Produce:
+   - Categorized findings
+   - Action items with owners and deadlines
+   - Follow-up from previous retro actions

package/data/free-skills/devflow-agile/plugin/commands/agile/review.md

@@ -0,0 +1,21 @@
+---
+description: Sprint review preparation and facilitation
+argument-hint: [sprint number or context]
+---
+
+## Your Mission
+
+<sprint>
+$ARGUMENTS
+</sprint>
+
+## Process
+
+1. Activate `scrum-master` skill for review structure
+2. Activate `project-manager` skill for progress metrics
+3. Compile:
+   - Completed stories with demo notes
+   - Incomplete stories with reasons
+   - Sprint metrics (velocity, goal achievement)
+   - Stakeholder feedback items
+4. Produce sprint review presentation outline

package/data/free-skills/devflow-agile/plugin/commands/agile/sprint.md

@@ -0,0 +1,30 @@
+---
+description: Sprint management — planning, execution tracking, or closure
+argument-hint: [plan|track|close] [sprint details]
+---
+
+## Your Mission
+
+<task>
+$ARGUMENTS
+</task>
+
+## Process
+
+Based on the action:
+
+### Sprint Planning
+1. Activate `scrum-master` skill for ceremony facilitation
+2. Activate `project-manager` skill for capacity planning
+3. Activate `business-analyst` skill for story refinement
+4. Produce sprint goal, committed stories, and capacity allocation
+
+### Sprint Tracking
+1. Activate `scrum-master` skill for metrics
+2. Activate `project-manager` skill for status reporting
+3. Identify blockers, risks, and velocity trends
+
+### Sprint Closure
+1. Activate `scrum-master` skill for review/retro facilitation
+2. Activate `qa-tester` skill for test completion verification
+3. Produce sprint summary, velocity, and improvement actions

package/data/free-skills/devflow-agile/plugin/commands/agile/standup.md

@@ -0,0 +1,20 @@
+---
+description: Generate or facilitate daily standup
+argument-hint: [team or context]
+---
+
+## Your Mission
+
+<context>
+$ARGUMENTS
+</context>
+
+## Process
+
+1. Activate `scrum-master` skill
+2. For each team member / work area:
+   - What was completed yesterday
+   - What is planned for today
+   - Any blockers or dependencies
+3. Flag items needing escalation
+4. Produce concise standup summary

package/data/free-skills/devflow-agile/plugin/commands/agile.md

@@ -0,0 +1,35 @@
+---
+description: Agile project workflow orchestrator — manage sprints, ceremonies, and team coordination
+argument-hint: [task or ceremony name]
+---
+
+## Your Mission
+
+<task>
+$ARGUMENTS
+</task>
+
+## Workflow
+
+Analyze the task and route to the appropriate role skill:
+
+1. **Understand the request** — What Agile activity is needed?
+2. **Route to skill** — Based on the task:
+   - Project planning/tracking → Activate `project-manager` skill
+   - Sprint ceremonies → Activate `scrum-master` skill
+   - Requirements/stories → Activate `business-analyst` skill
+   - Architecture/design → Activate `solution-architect` skill
+   - Code standards/review → Activate `tech-lead` skill
+   - Team coordination → Activate `team-lead` skill
+   - Implementation → Activate `developer` skill
+   - Testing → Activate `qa-tester` skill
+   - UI/UX review → Activate `ui-ux-designer` skill
+   - CI/CD/infra → Activate `devops-engineer` skill
+3. **Multi-role if needed** — Complex tasks may require multiple roles
+
+## Sub-commands
+
+- `/agile:sprint [action]` — Sprint planning, execution, or closure
+- `/agile:standup [team]` — Generate standup report format
+- `/agile:review [sprint]` — Sprint review preparation
+- `/agile:retro [sprint]` — Sprint retrospective facilitation

package/data/free-skills/devflow-agile/plugin/commands/devflow.md

@@ -0,0 +1,42 @@
+---
+description: DevFlow smart router — automatically routes tasks to the right agile role skill
+argument-hint: [task description]
+---
+
+## Your Mission
+
+<task>
+$ARGUMENTS
+</task>
+
+## Smart Routing
+
+Analyze the task and determine which role skill to activate:
+
+### Route Detection
+| Keywords/Patterns | Route To |
+|-------------------|----------|
+| plan, schedule, timeline, milestone, status, budget | `project-manager` skill |
+| sprint, ceremony, standup, velocity, burndown, impediment | `scrum-master` skill |
+| story, requirement, acceptance criteria, UAT, process flow | `business-analyst` skill |
+| architecture, design, ADR, NFR, system design, integration | `solution-architect` skill |
+| code review, standards, PR, tech debt, conventions | `tech-lead` skill |
+| assign, mentor, performance, team, coordination | `team-lead` skill |
+| implement, code, debug, feature, fix, build | `developer` skill |
+| test, QA, bug, coverage, automation, regression | `qa-tester` skill |
+| UI, UX, design, wireframe, accessibility, WCAG | `ui-ux-designer` skill |
+| deploy, CI/CD, pipeline, monitoring, infrastructure | `devops-engineer` skill |
+
+### Multi-Role Tasks
+If task requires multiple roles:
+1. Identify primary role (who owns the outcome)
+2. Identify supporting roles (who provides input)
+3. Primary role leads, supporting roles activated as needed
+
+### Ambiguity Handling
+If unclear which role: ask ONE clarifying question.
+Example: "This could be a tech-lead (code review) or developer (implementation) task. Which do you need?"
+
+## References
+- Load `rules/development-rules.md` for quality standards
+- Follow `protocols/error-recovery.md` for failure handling

package/data/free-skills/devflow-agile/plugin/skills/developer/SKILL.md

@@ -0,0 +1,93 @@
+---
+name: developer
+description: Clean code practices, design patterns, debugging methodology, and development best practices for ITO delivery teams
+---
+
+# Developer
+
+Write clean, maintainable code, apply appropriate design patterns, debug systematically, and follow development best practices. Calibrated for developers working in outsourcing teams where code readability and handover-friendliness are critical.
+
+## Triggers
+
+Activate this skill when:
+- Implementing a **new feature** and need to plan the approach
+- Fixing a **bug** and need a systematic debugging strategy
+- Improving **code quality** in existing modules (refactoring)
+- Choosing the right **design pattern** for a problem
+- Writing or improving **tests** for business-critical logic
+- Optimizing **performance** of a slow endpoint, query, or UI component
+- Preparing code for **handover** or knowledge transfer
+
+## Inputs
+
+Gather before starting:
+1. **Ticket/story details** — acceptance criteria, priority, linked design/specs
+2. **Codebase context** — relevant modules, existing patterns, tech stack
+3. **Test requirements** — coverage expectations, existing test suite, CI gates
+4. **Performance targets** (if applicable) — response time SLAs, throughput requirements
+5. **Dependencies** — APIs, libraries, other team members' work in progress
+
+## Process
+
+### Step 1: Understand Before Coding
+- Read the full ticket including comments and linked documents
+- Identify acceptance criteria — these become your test cases
+- Check existing code for **similar implementations** to follow established patterns
+- Ask clarifying questions BEFORE writing code, not after
+
+### Step 2: Plan the Implementation
+- Break the task into **small, testable increments** (each could be a commit)
+- Identify which files need changes and what the impact radius is
+- Design the data flow: input → processing → output → error handling
+- Consider edge cases: null/empty inputs, concurrent access, large datasets
+- See `assets/sample-output.md` for a feature implementation plan example
+
+### Step 3: Write Clean Code
+- Apply **SOLID principles** — especially Single Responsibility and Dependency Inversion
+- Follow **DRY** (Don't Repeat Yourself) but avoid premature abstraction
+- Keep functions **short and focused** — one level of abstraction per function
+- Use **meaningful names** that reveal intent (not `data`, `temp`, `result`)
+- Handle errors explicitly — no silent catches, no swallowed exceptions
+- Reference: `references/clean-code-guide.md` for principles and patterns
+
+### Step 4: Test Your Code
+- Write unit tests for **business logic** — not just happy path
+- Write integration tests for **API endpoints** and **database operations**
+- Test edge cases: boundary values, empty collections, permission errors
+- Aim for meaningful coverage — 80%+ on business logic, less on boilerplate
+
+### Step 5: Debug Systematically
+- **Reproduce** the bug reliably before attempting a fix
+- **Isolate** — narrow down to the smallest failing unit
+- Form a **hypothesis**, test it, iterate
+- Fix the **root cause**, not the symptom
+- Add a **regression test** for every bug fix
+- Reference: `references/debugging-methodology.md` for techniques by scenario
+
+### Step 6: Submit for Review
+- Self-review your diff before creating a PR
+- Write a clear PR description: what changed, why, how to test
+- Keep PRs **small and focused** — under 400 lines of diff when possible
+- Link the ticket and tag relevant reviewers
+
+## Core Areas
+
+| Area | Focus | Deliverables |
+|------|-------|-------------|
+| Clean code | Readable, maintainable, intention-revealing | Well-structured code, clear naming |
+| Design patterns | Right pattern for the problem | Documented pattern choices in code/PR |
+| Debugging | Systematic root cause resolution | Bug fix + regression test |
+| Testing | Meaningful coverage of critical paths | Unit tests, integration tests |
+| Performance | Meet SLAs, avoid waste | Profiling results, optimization PRs |
+| Documentation | Code that explains itself + context docs | Inline comments, API docs, runbooks |
+
+## Key Rules
+
+- **Never copy-paste** code without understanding it — especially from Stack Overflow or AI suggestions
+- Write code as if the person maintaining it is a **junior developer who joined next month**
+- Every bug fix must include a **test that fails without the fix** and passes with it
+- **Commit early, commit often** — small commits with clear messages are easier to review and revert
+- In ITO projects, **code readability beats cleverness** — your successor needs to understand it
+- If a function needs a comment to explain what it does, **rename the function** instead
+- Log **context, not noise** — include request IDs, user context, and error details in logs
+- When stuck for more than **30 minutes**, ask for help — pairing is not a sign of weakness

package/data/free-skills/devflow-agile/plugin/skills/developer/assets/sample-output.md

@@ -0,0 +1,182 @@
+# Sample Implementation Plan: Password Reset Feature
+
+## Ticket: AUTH-156 — User Password Reset via Email
+
+### Requirements
+- User requests password reset by entering their email address
+- System sends an email with a secure reset link
+- Link expires after 24 hours
+- User clicks link, enters new password (with confirmation)
+- Old sessions are invalidated after password change
+- Rate limit: max 3 reset requests per email per hour
+
+---
+
+## Implementation Approach
+
+### Data Flow
+```
+User enters email → POST /api/v1/auth/password-reset/request
+  → Validate email exists (return success even if not found — prevent enumeration)
+  → Generate secure token (crypto.randomBytes, 32 bytes, hex encoded)
+  → Store token hash (SHA-256) + userId + expiresAt in password_reset_tokens table
+  → Send email with reset link containing the raw token
+  → Return 200 OK
+
+User clicks link → GET /app/reset-password?token=abc123
+  → Frontend shows new password form
+
+User submits new password → POST /api/v1/auth/password-reset/confirm
+  → Hash the provided token, look up in DB
+  → Verify: token exists, not expired, not already used
+  → Hash new password (bcrypt, 12 rounds)
+  → Update user password
+  → Mark token as used
+  → Invalidate all existing sessions for this user
+  → Return 200 OK
+```
+
+### Why This Design
+- **Store token hash, not raw token**: If the database is compromised, attacker cannot use stored tokens
+- **Return success even if email not found**: Prevents user enumeration attacks
+- **Mark token as used (not delete)**: Audit trail — know when token was used
+- **Invalidate sessions**: If someone else had access, changing password should lock them out
+
+---
+
+## Implementation Steps
+
+### Step 1: Database Migration
+**File**: `src/migrations/20260320_create_password_reset_tokens.ts`
+
+```sql
+CREATE TABLE password_reset_tokens (
+  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id     UUID NOT NULL REFERENCES users(id),
+  token_hash  VARCHAR(64) NOT NULL UNIQUE,
+  expires_at  TIMESTAMP WITH TIME ZONE NOT NULL,
+  used_at     TIMESTAMP WITH TIME ZONE,
+  created_at  TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+);
+
+CREATE INDEX idx_reset_tokens_hash ON password_reset_tokens(token_hash);
+CREATE INDEX idx_reset_tokens_user_expires ON password_reset_tokens(user_id, created_at);
+```
+
+**Commit after**: migration runs successfully on local DB.
+
+### Step 2: Token Service
+**File**: `src/services/password-reset.service.ts`
+
+Responsibilities:
+- `requestReset(email: string)`: Generate token, store hash, send email
+- `confirmReset(token: string, newPassword: string)`: Validate token, update password, invalidate sessions
+- `checkRateLimit(email: string)`: Count requests in last hour, enforce limit
+
+Design decisions:
+- Token generation: `crypto.randomBytes(32).toString('hex')` — 256-bit entropy
+- Token hashing: SHA-256 (fast enough for one-time tokens, bcrypt is overkill here)
+- Password hashing: bcrypt with 12 rounds (same as registration flow)
+- Rate limiting: Query `COUNT(*)` from `password_reset_tokens WHERE user_id = X AND created_at > NOW() - INTERVAL '1 hour'`
+
+**Commit after**: service with unit tests passes.
+
+### Step 3: API Endpoints
+**File**: `src/routes/auth.routes.ts`
+
+| Method | Path | Auth | Request Body | Response |
+|--------|------|------|-------------|---------|
+| POST | `/api/v1/auth/password-reset/request` | None | `{ email: string }` | `{ message: "If the email exists, a reset link has been sent" }` |
+| POST | `/api/v1/auth/password-reset/confirm` | None | `{ token: string, password: string, passwordConfirm: string }` | `{ message: "Password has been reset successfully" }` |
+
+Input validation:
+- `email`: valid email format, trimmed, lowercased
+- `password`: min 8 chars, max 128 chars, must contain uppercase + lowercase + number
+- `passwordConfirm`: must match `password`
+- `token`: 64-char hex string (validates format before DB lookup)
+
+**Commit after**: endpoints work via Postman/curl, integration test passes.
+
+### Step 4: Email Template
+**File**: `src/templates/email/password-reset.hbs`
+
+Content:
+- Subject: "Reset your password — [AppName]"
+- Body: Greeting, explanation, prominent CTA button with reset link, expiration notice (24h), "If you didn't request this" disclaimer
+- Link format: `{APP_URL}/reset-password?token={rawToken}`
+
+**Commit after**: email sends correctly in local/staging environment.
+
+### Step 5: Frontend — Request Form
+**File**: `src/pages/ForgotPassword.tsx`
+
+- Simple form: email input + submit button
+- On submit: call POST `/request`, show success message regardless of result
+- Disable submit button for 60 seconds after submission (prevent spam clicks)
+- Link back to login page
+
+### Step 6: Frontend — Reset Form
+**File**: `src/pages/ResetPassword.tsx`
+
+- Read `token` from URL query parameter
+- Form: new password + confirm password
+- Client-side validation: password strength, match confirmation
+- On submit: call POST `/confirm`
+- On success: redirect to login page with "Password reset successful" message
+- On error (expired/invalid token): show error with link to request a new reset
+
+**Commit after**: full flow works end-to-end locally.
+
+### Step 7: Tests
+
+| Test Type | File | Cases |
+|-----------|------|-------|
+| Unit | `password-reset.service.test.ts` | Token generation, hash verification, expiration check, rate limiting, used token rejection |
+| Integration | `password-reset.api.test.ts` | Full request→confirm flow, expired token, invalid token format, rate limit exceeded, non-existent email (should still return 200) |
+| E2E | `password-reset.e2e.test.ts` | Happy path through UI (intercept email in test, extract token, complete reset, verify login with new password) |
+
+---
+
+## Edge Cases & Error Handling
+
+| Scenario | Expected Behavior |
+|----------|------------------|
+| Email not in system | Return 200 OK (do not reveal if email exists) |
+| Token expired (>24h) | Return 400 with "Reset link has expired. Please request a new one" |
+| Token already used | Return 400 with "This reset link has already been used" |
+| Same email, 4th request within 1 hour | Return 429 with "Too many requests. Please try again later" |
+| Malformed token (not 64 hex chars) | Return 400 with "Invalid reset link" (do not query DB) |
+| Password too weak | Return 400 with specific validation errors |
+| User account disabled/locked | Still send the email but fail at confirm step with generic error |
+
+---
+
+## Security Checklist
+
+- [x] Token is cryptographically random (256-bit)
+- [x] Only token hash is stored in DB
+- [x] Token expires after 24 hours
+- [x] Token is single-use (marked as used after confirmation)
+- [x] Rate limited to prevent abuse
+- [x] Email response does not reveal if account exists
+- [x] New password is validated for strength
+- [x] All existing sessions invalidated after reset
+- [x] Reset link uses HTTPS (enforced by APP_URL config)
+- [x] No token in server logs (log only token_hash prefix for debugging)
+
+---
+
+## Files Changed Summary
+
+| File | Action | Description |
+|------|--------|-------------|
+| `src/migrations/20260320_create_password_reset_tokens.ts` | New | DB migration for tokens table |
+| `src/services/password-reset.service.ts` | New | Core reset logic (request, confirm, rate limit) |
+| `src/routes/auth.routes.ts` | Modified | Add 2 new endpoints |
+| `src/templates/email/password-reset.hbs` | New | Email template |
+| `src/pages/ForgotPassword.tsx` | New | Request reset form |
+| `src/pages/ResetPassword.tsx` | New | Set new password form |
+| `src/services/__tests__/password-reset.service.test.ts` | New | Unit tests |
+| `src/routes/__tests__/password-reset.api.test.ts` | New | Integration tests |
+
+**Estimated effort**: 3 story points (~2 days for a mid-level developer)