start-vibing 1.1.1

package/template/.claude/config/security-rules.json

@@ -0,0 +1,45 @@
+{
+  "$comment": "Security rules. Used by security-auditor agent.",
+
+  "authentication": {
+    "framework": "session-based",
+    "userIdSource": "ctx.user._id",
+    "protectedProcedure": "protectedProcedure",
+    "sessionStore": "mongodb"
+  },
+
+  "validation": {
+    "library": "zod",
+    "requireOnAllRoutes": true
+  },
+
+  "sensitivePatterns": {
+    "forbidden": [
+      "input.userId",
+      "input.user_id",
+      "req.body.userId",
+      "passwordHash",
+      "password:"
+    ],
+    "files": ["auth/", "api/", "server/", "routers/"]
+  },
+
+  "cryptography": {
+    "passwordHashing": "bcrypt",
+    "minSaltRounds": 10,
+    "tokenGeneration": "crypto.randomBytes"
+  },
+
+  "cookies": {
+    "httpOnly": true,
+    "secure": true,
+    "sameSite": "strict"
+  },
+
+  "owaspChecks": {
+    "a01_brokenAccessControl": true,
+    "a02_cryptographicFailures": true,
+    "a03_injection": true,
+    "a07_authenticationFailures": true
+  }
+}

package/template/.claude/config/testing-config.json

@@ -0,0 +1,168 @@
+{
+  "$comment": "Testing configuration. Used by tester agent.",
+
+  "framework": {
+    "unit": "vitest",
+    "e2e": "playwright",
+    "version": "1.40+"
+  },
+
+  "paths": {
+    "unitTests": "tests/unit/*.test.ts",
+    "e2eTests": "tests/e2e/**/*.spec.ts",
+    "fixtures": "tests/e2e/fixtures/",
+    "pages": "tests/e2e/pages/",
+    "flows": "tests/e2e/flows/",
+    "api": "tests/e2e/api/",
+    "authState": "tests/e2e/.auth/"
+  },
+
+  "viewports": {
+    "desktop": {
+      "device": "Desktop Chrome",
+      "width": 1280,
+      "height": 800,
+      "required": true
+    },
+    "tablet": {
+      "device": "iPad",
+      "width": 768,
+      "height": 1024,
+      "required": true
+    },
+    "mobile": {
+      "device": "iPhone SE",
+      "width": 375,
+      "height": 667,
+      "required": true
+    },
+    "mobileLarge": {
+      "device": "iPhone 14",
+      "width": 390,
+      "height": 844,
+      "required": false
+    }
+  },
+
+  "auth": {
+    "storageStatePath": "tests/e2e/.auth/user.json",
+    "loginPage": "/auth/login",
+    "registerPage": "/auth/register",
+    "protectedPrefix": "/app",
+    "setupProject": "setup",
+    "reuseSession": true
+  },
+
+  "database": {
+    "type": "mongodb",
+    "testConnectionEnv": "MONGODB_URI",
+    "cleanupStrategy": "fixture-tracking",
+    "verifyAfterActions": true
+  },
+
+  "cleanup": {
+    "strategy": "fixture-based",
+    "trackCreatedIds": true,
+    "deleteOnlyTracked": true,
+    "cleanupOnFailure": true,
+    "collections": ["users", "items", "sessions"]
+  },
+
+  "dataTestIds": {
+    "form": {
+      "nameInput": "name-input",
+      "emailInput": "email-input",
+      "passwordInput": "password-input",
+      "confirmPasswordInput": "confirm-password-input",
+      "submitButton": "submit-button"
+    },
+    "feedback": {
+      "errorMessage": "error-message",
+      "successMessage": "success-message",
+      "loadingSpinner": "loading-spinner"
+    },
+    "navigation": {
+      "sidebar": "sidebar",
+      "hamburgerMenu": "hamburger-menu",
+      "mobileNav": "mobile-nav",
+      "logoutButton": "logout-button"
+    },
+    "actions": {
+      "deleteButton": "delete-button",
+      "editButton": "edit-button",
+      "confirmDelete": "confirm-delete",
+      "cancelButton": "cancel-button"
+    }
+  },
+
+  "api": {
+    "rest": {
+      "baseUrl": "/api",
+      "authEndpoint": "/api/auth/login",
+      "validateInput": true,
+      "requireAuth": true
+    },
+    "trpc": {
+      "baseUrl": "/api/trpc",
+      "batchEnabled": true,
+      "validateInput": true
+    }
+  },
+
+  "security": {
+    "testForbiddenRequests": true,
+    "testRateLimiting": true,
+    "testCrossUserAccess": true,
+    "testUnauthenticated": true,
+    "expectedForbiddenStatus": 403,
+    "expectedUnauthorizedStatus": 401,
+    "expectedRateLimitStatus": 429
+  },
+
+  "flows": {
+    "required": [
+      "registration",
+      "login",
+      "logout",
+      "crud-create",
+      "crud-read",
+      "crud-update",
+      "crud-delete",
+      "permissions"
+    ],
+    "optional": [
+      "password-reset",
+      "email-verification",
+      "profile-update"
+    ]
+  },
+
+  "commands": {
+    "install": "bun add -D @playwright/test && bunx playwright install",
+    "run": "bunx playwright test",
+    "runUi": "bunx playwright test --ui",
+    "runHeaded": "bunx playwright test --headed",
+    "runMobile": "bunx playwright test --project='iPhone SE'",
+    "debug": "bunx playwright test --debug",
+    "report": "bunx playwright show-report",
+    "codegen": "bunx playwright codegen"
+  },
+
+  "rules": {
+    "noSkip": true,
+    "noMockAuth": true,
+    "requireCleanup": true,
+    "requireDbValidation": true,
+    "requireViewportTests": true,
+    "requireDataTestId": true,
+    "uniqueTestData": true,
+    "timestampEmails": true
+  },
+
+  "reporting": {
+    "trace": "on-first-retry",
+    "screenshot": "only-on-failure",
+    "video": "retain-on-failure",
+    "outputFolder": "test-results"
+  }
+}

package/template/.claude/hooks/SETUP.md

@@ -0,0 +1,181 @@
+# Workflow Enforcement Hooks - Setup Guide
+
+## Overview
+
+This system enforces the agent workflow by:
+
+1. **Blocking file modifications** until workflow is started and files are approved
+2. **Tracking all changes** automatically
+3. **Preventing incomplete workflow** from stopping
+4. **Blocking commits** that don't follow the workflow
+
+## Requirements
+
+- Python 3.8+
+- Git
+- Husky (for pre-commit hooks)
+
+## Files
+
+| File                  | Purpose                                          |
+| --------------------- | ------------------------------------------------ |
+| `pre-tool-use.py`     | Blocks Edit/Write unless file is approved        |
+| `post-tool-use.py`    | Auto-tracks modifications to workflow-state.json |
+| `stop-validation.py`  | Blocks stopping if workflow incomplete           |
+| `validate-commit.py`  | Husky pre-commit validation                      |
+| `workflow-manager.py` | CLI for agents to update workflow state          |
+
+## Husky Integration
+
+### 1. Install Husky
+
+```bash
+bun add husky --dev
+bunx husky init
+```
+
+### 2. Create Pre-Commit Hook
+
+```bash
+# Create .husky/pre-commit
+echo '#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+python .claude/hooks/validate-commit.py
+' > .husky/pre-commit
+
+chmod +x .husky/pre-commit
+```
+
+### 3. Add to package.json
+
+```json
+{
+	"scripts": {
+		"prepare": "husky"
+	}
+}
+```
+
+## Claude Code Configuration
+
+The hooks are configured in `.claude/settings.json`:
+
+```json
+{
+	"hooks": {
+		"PreToolUse": [
+			{
+				"matcher": "Edit|Write|NotebookEdit",
+				"hooks": [
+					{
+						"type": "command",
+						"command": "python \"$CLAUDE_PROJECT_DIR/.claude/hooks/pre-tool-use.py\"",
+						"timeout": 30
+					}
+				]
+			}
+		],
+		"PostToolUse": [
+			{
+				"matcher": "Edit|Write|NotebookEdit",
+				"hooks": [
+					{
+						"type": "command",
+						"command": "python \"$CLAUDE_PROJECT_DIR/.claude/hooks/post-tool-use.py\"",
+						"timeout": 30
+					}
+				]
+			}
+		],
+		"Stop": [
+			{
+				"matcher": "",
+				"hooks": [
+					{
+						"type": "command",
+						"command": "python \"$CLAUDE_PROJECT_DIR/.claude/hooks/stop-validation.py\"",
+						"timeout": 30
+					}
+				]
+			}
+		]
+	}
+}
+```
+
+**IMPORTANT:** Use `$CLAUDE_PROJECT_DIR` to ensure hooks work from any directory.
+
+## Workflow Manager CLI
+
+```bash
+# Start a task (REQUIRED FIRST)
+python .claude/hooks/workflow-manager.py start-task --type feature --description "Add user auth"
+
+# Approve files for modification
+python .claude/hooks/workflow-manager.py approve-files --files "src/auth.ts" "app/login/*"
+
+# Mark agent as executed
+python .claude/hooks/workflow-manager.py agent-executed --agent analyzer --result approved
+
+# Record quality gate result
+python .claude/hooks/workflow-manager.py quality-gate --gate typecheck --passed true
+
+# Record security audit
+python .claude/hooks/workflow-manager.py security-audit --result approved
+
+# Final validation
+python .claude/hooks/workflow-manager.py final-validation --result approved --ready-to-commit true
+
+# Complete task after commit
+python .claude/hooks/workflow-manager.py complete-task --commit-hash abc123def
+
+# Check current status
+python .claude/hooks/workflow-manager.py status
+```
+
+## Error Messages
+
+### "BLOCKED: No active task"
+
+Run `workflow-manager.py start-task` first.
+
+### "BLOCKED: Analyzer agent has not executed"
+
+Run the analyzer agent and call `workflow-manager.py agent-executed --agent analyzer --result approved`.
+
+### "BLOCKED: File not in approved list"
+
+Add the file to approved list via `workflow-manager.py approve-files --files "path/to/file"`.
+
+### "WORKFLOW INCOMPLETE - Cannot stop yet"
+
+Execute all required agents before stopping the session.
+
+### "COMMIT BLOCKED - Workflow validation failed"
+
+Ensure all agents executed, tests created, and final validation approved.
+
+## Environment Variables
+
+| Variable             | Default       | Description            |
+| -------------------- | ------------- | ---------------------- |
+| `CLAUDE_PROJECT_DIR` | `os.getcwd()` | Project root directory |
+
+## Troubleshooting
+
+### Hooks not executing
+
+1. Verify Python is in PATH
+2. Check `.claude/settings.json` hooks configuration
+3. Ensure hook files have execute permissions
+
+### Workflow state corrupted
+
+Delete `.claude/workflow-state.json` and start fresh.
+
+### Husky not running
+
+1. Run `bun run prepare`
+2. Check `.husky/pre-commit` has execute permissions
+3. Verify Git hooks are enabled: `git config core.hooksPath`

package/template/.claude/hooks/post-tool-use.py

@@ -0,0 +1,155 @@
+#!/usr/bin/env python3
+"""
+PostToolUse Hook - Track File Modifications
+
+This hook records all file modifications to workflow-state.json
+for later validation by Husky pre-commit hook.
+
+Exit codes:
+- 0: Always (tracking is non-blocking)
+"""
+
+import json
+import sys
+import os
+from datetime import datetime
+from pathlib import Path
+
+# Get project directory
+PROJECT_DIR = os.environ.get('CLAUDE_PROJECT_DIR', os.getcwd())
+WORKFLOW_STATE_PATH = Path(PROJECT_DIR) / '.claude' / 'workflow-state.json'
+
+# Tools that modify files
+FILE_MODIFY_TOOLS = {'Edit', 'Write', 'NotebookEdit'}
+FILE_DELETE_TOOLS = {'Bash'}  # rm commands
+
+# Test file patterns
+TEST_PATTERNS = ['test', 'spec', '.test.', '.spec.', '__tests__']
+
+# Doc file patterns
+DOC_PATTERNS = ['docs/', 'README', 'CHANGELOG', '.md', 'domains/']
+
+
+def load_workflow_state():
+    """Load current workflow state"""
+    if not WORKFLOW_STATE_PATH.exists():
+        return {"version": "1.0.0", "currentTask": None, "sessions": []}
+    try:
+        with open(WORKFLOW_STATE_PATH) as f:
+            return json.load(f)
+    except (json.JSONDecodeError, IOError):
+        return {"version": "1.0.0", "currentTask": None, "sessions": []}
+
+
+def save_workflow_state(state: dict):
+    """Save workflow state"""
+    WORKFLOW_STATE_PATH.parent.mkdir(parents=True, exist_ok=True)
+    with open(WORKFLOW_STATE_PATH, 'w') as f:
+        json.dump(state, f, indent=2)
+
+
+def is_test_file(path: str) -> bool:
+    """Check if file is a test file"""
+    return any(p in path.lower() for p in TEST_PATTERNS)
+
+
+def is_doc_file(path: str) -> bool:
+    """Check if file is a documentation file"""
+    return any(p in path.lower() for p in DOC_PATTERNS)
+
+
+def main():
+    # Read hook input from stdin
+    try:
+        hook_input = json.load(sys.stdin)
+    except json.JSONDecodeError:
+        sys.exit(0)
+
+    tool_name = hook_input.get('tool_name', '')
+    tool_input = hook_input.get('tool_input', {})
+    tool_result = hook_input.get('tool_result', {})
+
+    # Only track file modification tools
+    if tool_name not in FILE_MODIFY_TOOLS:
+        sys.exit(0)
+
+    # Get file path
+    file_path = tool_input.get('file_path', tool_input.get('notebook_path', ''))
+
+    if not file_path:
+        sys.exit(0)
+
+    # Skip workflow state file itself
+    if 'workflow-state.json' in file_path:
+        sys.exit(0)
+
+    # Load state
+    state = load_workflow_state()
+
+    # If no current task, just exit (pre-tool-use should have blocked)
+    if not state.get('currentTask'):
+        sys.exit(0)
+
+    task = state['currentTask']
+
+    # Determine action type
+    # For Write tool, check if file existed
+    action = 'modified'
+    if tool_name == 'Write':
+        # Assume created if not in modified list
+        existing = [m['path'] for m in task.get('modifiedFiles', [])]
+        if file_path not in existing:
+            action = 'created'
+
+    # Normalize path
+    file_path = file_path.replace('\\', '/')
+
+    # Check if file was approved
+    approved_files = task.get('approvedFiles', [])
+    was_approved = any(
+        file_path.endswith(af) or file_path == af or
+        (af.endswith('*') and file_path.startswith(af[:-1]))
+        for af in approved_files
+    )
+
+    # Record modification
+    modification = {
+        'path': file_path,
+        'action': action,
+        'timestamp': datetime.now().isoformat(),
+        'approved': was_approved
+    }
+
+    if 'modifiedFiles' not in task:
+        task['modifiedFiles'] = []
+
+    # Update or add
+    existing_paths = [m['path'] for m in task['modifiedFiles']]
+    if file_path in existing_paths:
+        idx = existing_paths.index(file_path)
+        task['modifiedFiles'][idx] = modification
+    else:
+        task['modifiedFiles'].append(modification)
+
+    # Track test files
+    if is_test_file(file_path):
+        if 'testsCreated' not in task:
+            task['testsCreated'] = []
+        if file_path not in task['testsCreated']:
+            task['testsCreated'].append(file_path)
+
+    # Track doc files
+    if is_doc_file(file_path):
+        if 'docsUpdated' not in task:
+            task['docsUpdated'] = []
+        if file_path not in task['docsUpdated']:
+            task['docsUpdated'].append(file_path)
+
+    # Save state
+    save_workflow_state(state)
+
+    sys.exit(0)
+
+
+if __name__ == '__main__':
+    main()

package/template/.claude/hooks/pre-tool-use.py

@@ -0,0 +1,159 @@
+#!/usr/bin/env python3
+"""
+PreToolUse Hook - File Modification Enforcement
+
+This hook blocks file modifications unless:
+1. The analyzer agent has approved the file
+2. The file is in the approvedFiles list in workflow-state.json
+
+Exit codes:
+- 0: Allow the operation
+- 2: Block the operation (shows stderr to Claude)
+"""
+
+import json
+import sys
+import os
+from datetime import datetime
+from pathlib import Path
+
+# Get project directory
+PROJECT_DIR = os.environ.get('CLAUDE_PROJECT_DIR', os.getcwd())
+WORKFLOW_STATE_PATH = Path(PROJECT_DIR) / '.claude' / 'workflow-state.json'
+
+# Tools that modify files
+FILE_MODIFY_TOOLS = {'Edit', 'Write', 'NotebookEdit'}
+
+# Files always allowed (config, etc)
+ALWAYS_ALLOWED = {
+    '.claude/workflow-state.json',
+    '.claude/hooks/',
+    'package-lock.json',
+    'node_modules/',
+}
+
+# Files always blocked
+ALWAYS_BLOCKED = {
+    '.env',
+    '.env.local',
+    '.env.production',
+    'credentials.json',
+    'secrets/',
+}
+
+
+def load_workflow_state():
+    """Load current workflow state"""
+    if not WORKFLOW_STATE_PATH.exists():
+        return None
+    try:
+        with open(WORKFLOW_STATE_PATH) as f:
+            return json.load(f)
+    except (json.JSONDecodeError, IOError):
+        return None
+
+
+def is_file_approved(file_path: str, state: dict) -> tuple[bool, str]:
+    """Check if file is approved for modification"""
+
+    # Normalize path
+    file_path = file_path.replace('\\', '/')
+
+    # Always blocked files
+    for blocked in ALWAYS_BLOCKED:
+        if blocked in file_path:
+            return False, f"BLOCKED: {file_path} is in the always-blocked list (sensitive file)"
+
+    # Always allowed files
+    for allowed in ALWAYS_ALLOWED:
+        if allowed in file_path:
+            return True, "Allowed (system file)"
+
+    # No active task - block all modifications
+    if not state or not state.get('currentTask'):
+        return False, f"""BLOCKED: No active task in workflow-state.json
+
+To modify files, you must first:
+1. Start a task via orchestrator agent
+2. Run analyzer agent to approve files for modification
+3. The file '{file_path}' must be in the approvedFiles list
+
+Current state: No task active. Start with orchestrator first."""
+
+    task = state['currentTask']
+    approved_files = task.get('approvedFiles', [])
+
+    # Check if analyzer has run
+    agents = task.get('agents', {})
+    analyzer = agents.get('analyzer', {})
+
+    if not analyzer.get('executed'):
+        return False, f"""BLOCKED: Analyzer agent has not executed yet
+
+To modify '{file_path}', you must:
+1. Run the analyzer agent first
+2. Analyzer will determine which files can be modified
+3. Add approved files to workflow-state.json
+
+Current task: {task.get('description', 'Unknown')}
+Analyzer status: Not executed"""
+
+    # Check if file is in approved list
+    for approved in approved_files:
+        # Support glob patterns
+        if approved.endswith('*'):
+            if file_path.startswith(approved[:-1]):
+                return True, f"Approved (matches pattern: {approved})"
+        elif approved == file_path or file_path.endswith(approved):
+            return True, f"Approved by analyzer"
+
+    return False, f"""BLOCKED: File not in approved list
+
+File: {file_path}
+Task: {task.get('description', 'Unknown')}
+
+Approved files for this task:
+{chr(10).join(f'  - {f}' for f in approved_files) if approved_files else '  (none)'}
+
+To modify this file, run analyzer again and add it to approvedFiles."""
+
+
+def main():
+    # Read hook input from stdin
+    try:
+        hook_input = json.load(sys.stdin)
+    except json.JSONDecodeError:
+        # Can't parse input, allow by default
+        sys.exit(0)
+
+    tool_name = hook_input.get('tool_name', '')
+    tool_input = hook_input.get('tool_input', {})
+
+    # Only check file modification tools
+    if tool_name not in FILE_MODIFY_TOOLS:
+        sys.exit(0)
+
+    # Get file path from tool input
+    file_path = tool_input.get('file_path', tool_input.get('notebook_path', ''))
+
+    if not file_path:
+        sys.exit(0)
+
+    # Load workflow state
+    state = load_workflow_state()
+
+    # Check if file is approved
+    approved, message = is_file_approved(file_path, state)
+
+    if approved:
+        # Log the approval (optional verbose output)
+        # print(f"✓ {message}", file=sys.stderr)
+        sys.exit(0)
+    else:
+        # Block with error message
+        print(message, file=sys.stderr)
+        sys.exit(2)
+
+
+if __name__ == '__main__':
+    main()