start-vibing 1.1.1

package/template/.claude/skills/research-cache/SKILL.md

@@ -0,0 +1,207 @@
+---
+name: research-cache
+description: Caches research findings to avoid redundant web searches. Stores best practices by topic with sources and dates. Use before researching to check existing knowledge.
+allowed-tools: Read, Write, Glob, Grep
+---
+
+# Research Cache - Best Practices Storage
+
+## Purpose
+
+This skill caches research findings to avoid redundant web searches and maintain institutional knowledge about best practices.
+
+---
+
+## Structure
+
+```
+.claude/skills/research-cache/
+├── SKILL.md          # This file
+├── TEMPLATE.md       # Template for research findings
+└── cache/            # Cached research by topic
+    ├── react-server-components.md
+    ├── typescript-strict.md
+    └── [topic].md
+```
+
+---
+
+## How It Works
+
+### Before Research
+
+1. **Check cache first** - Look for existing research on the topic
+2. **Verify freshness** - Research older than 6 months may need updating
+3. **Reuse findings** - If recent research exists, use it directly
+
+### After Research
+
+1. **Create cache file** - Document findings in `cache/[topic].md`
+2. **Follow template** - Use consistent structure
+3. **Include sources** - Always cite URLs and dates
+4. **Tag relevance** - Mark which parts of stack it applies to
+
+---
+
+## Cache File Template
+
+```markdown
+# Research: [Topic Name]
+
+## Metadata
+- **Date:** YYYY-MM-DD
+- **Researcher:** [agent/session]
+- **Freshness:** [fresh|stale|outdated]
+- **Stack:** [bun|typescript|mongodb|react|all]
+
+## Problem Statement
+[What problem were we trying to solve?]
+
+## Search Queries
+1. "[query 1]"
+2. "[query 2]"
+3. "[query 3]"
+
+## Key Findings
+
+### Finding 1: [Title]
+**Source:** [URL]
+**Date:** [publication date]
+**Relevance:** [high|medium|low]
+
+[Summary of finding]
+
+**Code Example:**
+```[language]
+[code]
+```
+
+**Applies When:**
+- [condition 1]
+- [condition 2]
+
+### Finding 2: [Title]
+...
+
+## Recommendations
+
+### DO
+1. [Best practice 1]
+2. [Best practice 2]
+
+### AVOID
+1. [Anti-pattern 1]
+2. [Anti-pattern 2]
+
+### CONSIDER
+1. [Alternative approach 1]
+2. [Alternative approach 2]
+
+## Implementation Notes
+
+### For This Project
+- [Specific note for your project]
+- [Integration point]
+
+### Gotchas
+- [Warning 1]
+- [Warning 2]
+
+## Sources
+
+| Title | URL | Date | Relevance |
+|-------|-----|------|-----------|
+| [Source 1] | [url] | [date] | [high/med/low] |
+| [Source 2] | [url] | [date] | [high/med/low] |
+
+## Related Topics
+- [[related-topic-1]]
+- [[related-topic-2]]
+```
+
+---
+
+## Usage Patterns
+
+### Quick Lookup
+
+```bash
+# Check if research exists
+ls .claude/skills/research-cache/cache/
+
+# Read specific research
+cat .claude/skills/research-cache/cache/[topic].md
+```
+
+### Search Cached Research
+
+```bash
+# Find all research mentioning a term
+grep -r "websocket" .claude/skills/research-cache/cache/
+```
+
+### Check Freshness
+
+```bash
+# Find research older than 6 months
+find .claude/skills/research-cache/cache/ -mtime +180
+```
+
+---
+
+## Integration with Research Agent
+
+The **research agent** uses this skill to:
+
+1. **Check existing research** before web searching
+2. **Store new findings** after web research
+3. **Update stale research** when patterns change
+4. **Cross-reference** findings across topics
+
+---
+
+## Freshness Guidelines
+
+| Age | Status | Action |
+|-----|--------|--------|
+| < 3 months | Fresh | Use directly |
+| 3-6 months | Aging | Verify still valid |
+| 6-12 months | Stale | Update recommended |
+| > 12 months | Outdated | Full re-research needed |
+
+---
+
+## Topic Naming Convention
+
+Use kebab-case descriptive names:
+
+```
+react-server-components.md # Technology + feature
+typescript-strict-mode.md  # Language + specific setting
+mongodb-indexes.md         # Database + concept
+bun-docker-deploy.md       # Runtime + deployment context
+error-handling-patterns.md # Generic pattern
+```
+
+---
+
+## Rules
+
+### MANDATORY
+
+1. **Always check cache first** - Don't duplicate research
+2. **Always include sources** - No unsourced recommendations
+3. **Always date entries** - Freshness matters
+4. **Always follow template** - Consistency helps retrieval
+
+### FORBIDDEN
+
+1. **Cache without sources** - All findings need citations
+2. **Ignore freshness** - Old research may be wrong
+3. **Duplicate topics** - One file per topic, update existing
+
+---
+
+## Version
+
+- **v1.0.0** - Initial implementation

package/template/.claude/skills/security-scan/SKILL.md

@@ -0,0 +1,206 @@
+---
+name: security-scan
+description: Audits code security against OWASP Top 10. Validates user ID from session, detects sensitive data leaks, verifies Zod validation. HAS VETO POWER - blocks insecure code.
+allowed-tools: Read, Grep, Glob, Bash
+---
+
+# Security Scan - Security Audit System
+
+## VETO POWER
+
+> **WARNING:** This skill HAS VETO POWER.
+> If critical vulnerability detected, MUST:
+>
+> 1. STOP implementation
+> 2. REPORT vulnerability
+> 3. REQUIRE fix before proceeding
+
+---
+
+## Purpose
+
+This skill audits code security:
+
+- **Validates** user ID comes from session (NEVER from request)
+- **Detects** sensitive data being sent to frontend
+- **Verifies** Zod validation on all routes
+- **Audits** against OWASP Top 10
+- **Blocks** commits with critical vulnerabilities
+
+---
+
+## Critical Security Rules
+
+### 1. USER ID ALWAYS FROM SESSION
+
+> **NEVER** trust user ID from frontend.
+> **ALWAYS** extract from `ctx.session.userId` or `ctx.user._id`.
+
+```typescript
+// WRONG - VULNERABLE (IMMEDIATE VETO)
+async function getData({ userId }: { userId: string }) {
+	return db.find({ userId }); // userId can be manipulated!
+}
+
+// CORRECT
+async function getData({ ctx }: { ctx: Context }) {
+	const userId = ctx.user._id; // Always from session
+	return db.find({ userId });
+}
+```
+
+### 2. SENSITIVE DATA NEVER TO FRONTEND
+
+> **NEVER** send to frontend:
+>
+> - Passwords (even hashed)
+> - API tokens
+> - Secret keys
+> - Other users' data
+> - Stack traces in production
+
+```typescript
+// WRONG - DATA LEAK (IMMEDIATE VETO)
+return {
+	user: await UserModel.findById(id), // Includes passwordHash!
+};
+
+// CORRECT
+return {
+	user: user.toPublic(), // Sanitization method
+};
+```
+
+### 3. ZOD VALIDATION REQUIRED
+
+> **EVERY** tRPC route MUST have `.input(z.object({...}))`.
+> Unvalidated inputs are attack vectors.
+
+```typescript
+// WRONG - NO VALIDATION (IMMEDIATE VETO)
+.mutation(async ({ input }) => {
+  await db.create(input); // input can have anything!
+})
+
+// CORRECT
+.input(createSchema) // Zod schema
+.mutation(async ({ input }) => {
+  await db.create(input); // input is validated
+})
+```
+
+---
+
+## OWASP Top 10 Checklist
+
+### A01: Broken Access Control
+
+- [ ] All protected routes use `protectedProcedure`?
+- [ ] User ID from session, not input?
+- [ ] Resources filtered by user/tenant?
+
+### A02: Cryptographic Failures
+
+- [ ] Passwords hashed with bcrypt (salt >= 10)?
+- [ ] Tokens generated with crypto.randomBytes?
+- [ ] Cookies with HttpOnly, Secure, SameSite?
+- [ ] No secrets in code (use env vars)?
+
+### A03: Injection
+
+- [ ] Queries use Mongoose (prevents NoSQL injection)?
+- [ ] Inputs validated with Zod?
+- [ ] No string concatenation in queries?
+
+### A07: Authentication Failures
+
+- [ ] Passwords with minimum requirements?
+- [ ] Brute force protection?
+- [ ] Sessions invalidated on logout?
+- [ ] Tokens with expiration?
+
+---
+
+## Detection Patterns
+
+### Detect User ID from Input (VETO)
+
+```bash
+grep -r "input\.userId\|input\.user_id\|{ userId }" server/ --include="*.ts"
+```
+
+### Detect Password Return (VETO)
+
+```bash
+grep -r "passwordHash\|password:" server/ --include="*.ts"
+```
+
+### Detect Route Without Validation (VETO)
+
+```bash
+grep -A5 "Procedure\." server/ --include="*.ts" | grep -v ".input("
+```
+
+---
+
+## Output Format
+
+### Approved
+
+```markdown
+## SECURITY SCAN - APPROVED
+
+### Scope
+
+- **Files:** X
+- **Routes:** Y
+
+### Checks
+
+- [x] User ID always from session
+- [x] No sensitive data in response
+- [x] All routes with Zod validation
+- [x] OWASP Top 10 OK
+
+**STATUS: APPROVED**
+```
+
+### Vetoed
+
+```markdown
+## SECURITY SCAN - VETOED
+
+### CRITICAL VULNERABILITY
+
+**Type:** User ID from Input
+**File:** `server/routers/example.ts:45`
+**Risk:** Any user can access other users' data
+
+**Fix:** Use `ctx.user._id` instead of `input.userId`
+
+**STATUS: VETOED** - Fix before proceeding
+```
+
+---
+
+## VETO Rules
+
+### IMMEDIATE VETO
+
+1. User ID from input/request body
+2. Password returned in response
+3. API tokens exposed
+4. Protected route without `protectedProcedure`
+5. Query without user/tenant filter
+
+### VETO BEFORE MERGE
+
+1. Route without Zod validation
+2. Unsanitized sensitive data
+3. bun audit (or npm audit) with critical vulnerabilities
+
+---
+
+## Version
+
+- **v2.0.0** - Generic template