start-vibing 1.1.3 → 1.1.4

package/template/.claude/skills/research-cache/SKILL.md

@@ -1,73 +1,207 @@
 ---
 name: research-cache
-description: Stores and retrieves research findings about best practices. Activates before web searching to check existing knowledge, or after researching to cache new findings. Use when user asks about patterns, best practices, or how to implement something.
+description: Caches research findings to avoid redundant web searches. Stores best practices by topic with sources and dates. Use before researching to check existing knowledge.
 allowed-tools: Read, Write, Glob, Grep
 ---
 
-# Research Cache
+# Research Cache - Best Practices Storage
 
-## When to Use
+## Purpose
 
-- Before web searching: check if research exists
-- After web searching: cache findings
-- When implementing: apply cached patterns
+This skill caches research findings to avoid redundant web searches and maintain institutional knowledge about best practices.
+
+---
 
 ## Structure
 
 ```
-.claude/skills/research-cache/cache/
-└── [topic-name].md
+.claude/skills/research-cache/
+├── SKILL.md          # This file
+├── TEMPLATE.md       # Template for research findings
+└── cache/            # Cached research by topic
+    ├── solana-websockets.md
+    ├── typescript-strict.md
+    └── [topic].md
 ```
 
-## Workflow
+---
 
-### Check Cache First
+## How It Works
 
-```bash
-ls .claude/skills/research-cache/cache/
-grep -r "keyword" .claude/skills/research-cache/cache/
-```
+### Before Research
+
+1. **Check cache first** - Look for existing research on the topic
+2. **Verify freshness** - Research older than 6 months may need updating
+3. **Reuse findings** - If recent research exists, use it directly
 
 ### After Research
 
-Create `cache/[topic].md`:
+1. **Create cache file** - Document findings in `cache/[topic].md`
+2. **Follow template** - Use consistent structure
+3. **Include sources** - Always cite URLs and dates
+4. **Tag relevance** - Mark which parts of stack it applies to
+
+---
+
+## Cache File Template
 
 ```markdown
-# Research: [Topic]
+# Research: [Topic Name]
 
 ## Metadata
 - **Date:** YYYY-MM-DD
-- **Freshness:** fresh|stale|outdated
+- **Researcher:** [agent/session]
+- **Freshness:** [fresh|stale|outdated]
+- **Stack:** [bun|typescript|mongodb|solana|all]
+
+## Problem Statement
+[What problem were we trying to solve?]
+
+## Search Queries
+1. "[query 1]"
+2. "[query 2]"
+3. "[query 3]"
 
 ## Key Findings
 
-### Finding 1
+### Finding 1: [Title]
 **Source:** [URL]
-[Summary and code example]
+**Date:** [publication date]
+**Relevance:** [high|medium|low]
+
+[Summary of finding]
+
+**Code Example:**
+```[language]
+[code]
+```
+
+**Applies When:**
+- [condition 1]
+- [condition 2]
+
+### Finding 2: [Title]
+...
 
 ## Recommendations
 
 ### DO
-- [Best practice]
+1. [Best practice 1]
+2. [Best practice 2]
 
 ### AVOID
-- [Anti-pattern]
+1. [Anti-pattern 1]
+2. [Anti-pattern 2]
+
+### CONSIDER
+1. [Alternative approach 1]
+2. [Alternative approach 2]
+
+## Implementation Notes
+
+### For This Project
+- [Specific note for solana-listeners]
+- [Integration point]
+
+### Gotchas
+- [Warning 1]
+- [Warning 2]
 
 ## Sources
-| Title | URL | Date |
-|-------|-----|------|
+
+| Title | URL | Date | Relevance |
+|-------|-----|------|-----------|
+| [Source 1] | [url] | [date] | [high/med/low] |
+| [Source 2] | [url] | [date] | [high/med/low] |
+
+## Related Topics
+- [[related-topic-1]]
+- [[related-topic-2]]
+```
+
+---
+
+## Usage Patterns
+
+### Quick Lookup
+
+```bash
+# Check if research exists
+ls .claude/skills/research-cache/cache/
+
+# Read specific research
+cat .claude/skills/research-cache/cache/[topic].md
 ```
 
+### Search Cached Research
+
+```bash
+# Find all research mentioning a term
+grep -r "websocket" .claude/skills/research-cache/cache/
+```
+
+### Check Freshness
+
+```bash
+# Find research older than 6 months
+find .claude/skills/research-cache/cache/ -mtime +180
+```
+
+---
+
+## Integration with Research Agent
+
+The **research agent** uses this skill to:
+
+1. **Check existing research** before web searching
+2. **Store new findings** after web research
+3. **Update stale research** when patterns change
+4. **Cross-reference** findings across topics
+
+---
+
 ## Freshness Guidelines
 
 | Age | Status | Action |
 |-----|--------|--------|
 | < 3 months | Fresh | Use directly |
-| 3-6 months | Stale | Verify still valid |
-| > 6 months | Outdated | Re-research |
+| 3-6 months | Aging | Verify still valid |
+| 6-12 months | Stale | Update recommended |
+| > 12 months | Outdated | Full re-research needed |
+
+---
+
+## Topic Naming Convention
+
+Use kebab-case descriptive names:
+
+```
+solana-websockets.md       # Technology + feature
+typescript-strict-mode.md  # Language + specific setting
+mongodb-indexes.md         # Database + concept
+bun-docker-deploy.md       # Runtime + deployment context
+error-handling-patterns.md # Generic pattern
+```
+
+---
 
 ## Rules
 
-1. **Check cache first** - don't duplicate research
-2. **Include sources** - all findings need citations
-3. **Date entries** - freshness matters
+### MANDATORY
+
+1. **Always check cache first** - Don't duplicate research
+2. **Always include sources** - No unsourced recommendations
+3. **Always date entries** - Freshness matters
+4. **Always follow template** - Consistency helps retrieval
+
+### FORBIDDEN
+
+1. **Cache without sources** - All findings need citations
+2. **Ignore freshness** - Old research may be wrong
+3. **Duplicate topics** - One file per topic, update existing
+
+---
+
+## Version
+
+- **v1.0.0** - Initial implementation

package/template/.claude/skills/security-scan/SKILL.md

@@ -1,75 +1,206 @@
 ---
 name: security-scan
-description: Audits code for security vulnerabilities. HAS VETO POWER. Activates when code touches authentication, passwords, tokens, API routes, database queries, user data, sessions, or cookies. Blocks insecure code from being committed.
+description: Audits code security against OWASP Top 10. Validates user ID from session, detects sensitive data leaks, verifies Zod validation. HAS VETO POWER - blocks insecure code.
 allowed-tools: Read, Grep, Glob, Bash
 ---
 
-# Security Scan
+# Security Scan - Security Audit System
 
 ## VETO POWER
 
-This skill CAN and MUST block insecure code.
+> **WARNING:** This skill HAS VETO POWER.
+> If critical vulnerability detected, MUST:
+>
+> 1. STOP implementation
+> 2. REPORT vulnerability
+> 3. REQUIRE fix before proceeding
 
-## When to Use
+---
+
+## Purpose
 
-- When code touches: auth, session, user data, API, database
-- Before committing security-sensitive changes
-- When user mentions: password, token, authentication, permissions
+This skill audits code security:
 
-## Critical Rules (VETO if violated)
+- **Validates** user ID comes from session (NEVER from request)
+- **Detects** sensitive data being sent to frontend
+- **Verifies** Zod validation on all routes
+- **Audits** against OWASP Top 10
+- **Blocks** commits with critical vulnerabilities
+
+---
 
-### 1. User ID ALWAYS from Session
+## Critical Security Rules
+
+### 1. USER ID ALWAYS FROM SESSION
+
+> **NEVER** trust user ID from frontend.
+> **ALWAYS** extract from `ctx.session.userId` or `ctx.user._id`.
 
 ```typescript
-// WRONG (VETO)
-async function getData({ userId }: { userId: string }) { ... }
+// WRONG - VULNERABLE (IMMEDIATE VETO)
+async function getData({ userId }: { userId: string }) {
+	return db.find({ userId }); // userId can be manipulated!
+}
 
 // CORRECT
 async function getData({ ctx }: { ctx: Context }) {
-  const userId = ctx.user._id;  // From session
+	const userId = ctx.user._id; // Always from session
+	return db.find({ userId });
 }
 ```
 
-### 2. No Sensitive Data to Frontend
+### 2. SENSITIVE DATA NEVER TO FRONTEND
 
-Never send: passwords (even hashed), API tokens, secret keys, stack traces
+> **NEVER** send to frontend:
+>
+> - Passwords (even hashed)
+> - API tokens
+> - Secret keys
+> - Other users' data
+> - Stack traces in production
 
 ```typescript
-// WRONG (VETO)
-return { user: await UserModel.findById(id) };  // Has passwordHash!
+// WRONG - DATA LEAK (IMMEDIATE VETO)
+return {
+	user: await UserModel.findById(id), // Includes passwordHash!
+};
 
 // CORRECT
-return { user: user.toPublic() };
+return {
+	user: user.toPublic(), // Sanitization method
+};
 ```
 
-### 3. Zod Validation Required
+### 3. ZOD VALIDATION REQUIRED
+
+> **EVERY** tRPC route MUST have `.input(z.object({...}))`.
+> Unvalidated inputs are attack vectors.
 
 ```typescript
-// WRONG (VETO)
-.mutation(async ({ input }) => { await db.create(input); })
+// WRONG - NO VALIDATION (IMMEDIATE VETO)
+.mutation(async ({ input }) => {
+  await db.create(input); // input can have anything!
+})
 
 // CORRECT
-.input(createSchema).mutation(async ({ input }) => { ... })
+.input(createSchema) // Zod schema
+.mutation(async ({ input }) => {
+  await db.create(input); // input is validated
+})
+```
+
+---
+
+## OWASP Top 10 Checklist
+
+### A01: Broken Access Control
+
+- [ ] All protected routes use `protectedProcedure`?
+- [ ] User ID from session, not input?
+- [ ] Resources filtered by user/tenant?
+
+### A02: Cryptographic Failures
+
+- [ ] Passwords hashed with bcrypt (salt >= 10)?
+- [ ] Tokens generated with crypto.randomBytes?
+- [ ] Cookies with HttpOnly, Secure, SameSite?
+- [ ] No secrets in code (use env vars)?
+
+### A03: Injection
+
+- [ ] Queries use Mongoose (prevents NoSQL injection)?
+- [ ] Inputs validated with Zod?
+- [ ] No string concatenation in queries?
+
+### A07: Authentication Failures
+
+- [ ] Passwords with minimum requirements?
+- [ ] Brute force protection?
+- [ ] Sessions invalidated on logout?
+- [ ] Tokens with expiration?
+
+---
+
+## Detection Patterns
+
+### Detect User ID from Input (VETO)
+
+```bash
+grep -r "input\.userId\|input\.user_id\|{ userId }" server/ --include="*.ts"
+```
+
+### Detect Password Return (VETO)
+
+```bash
+grep -r "passwordHash\|password:" server/ --include="*.ts"
 ```
 
-## Detection Commands
+### Detect Route Without Validation (VETO)
 
 ```bash
-# User ID from input
-grep -r "input\.userId\|input\.user_id" server/
+grep -A5 "Procedure\." server/ --include="*.ts" | grep -v ".input("
+```
+
+---
+
+## Output Format
 
-# Password in response
-grep -r "passwordHash\|password:" server/
+### Approved
+
+```markdown
+## SECURITY SCAN - APPROVED
+
+### Scope
+
+- **Files:** X
+- **Routes:** Y
+
+### Checks
+
+- [x] User ID always from session
+- [x] No sensitive data in response
+- [x] All routes with Zod validation
+- [x] OWASP Top 10 OK
+
+**STATUS: APPROVED**
 ```
 
-## OWASP Checklist
+### Vetoed
+
+```markdown
+## SECURITY SCAN - VETOED
 
-- [ ] A01: User ID from session, not input?
-- [ ] A02: Passwords hashed (bcrypt, salt >= 10)?
-- [ ] A03: Queries use ORM (no string concat)?
-- [ ] A07: Sessions invalidated on logout?
+### CRITICAL VULNERABILITY
+
+**Type:** User ID from Input
+**File:** `server/routers/example.ts:45`
+**Risk:** Any user can access other users' data
+
+**Fix:** Use `ctx.user._id` instead of `input.userId`
+
+**STATUS: VETOED** - Fix before proceeding
+```
+
+---
+
+## VETO Rules
+
+### IMMEDIATE VETO
+
+1. User ID from input/request body
+2. Password returned in response
+3. API tokens exposed
+4. Protected route without `protectedProcedure`
+5. Query without user/tenant filter
+
+### VETO BEFORE MERGE
+
+1. Route without Zod validation
+2. Unsanitized sensitive data
+3. bun audit (or npm audit) with critical vulnerabilities
+
+---
 
-## Output
+## Version
 
-**APPROVED:** No vulnerabilities found
-**VETOED:** Critical vulnerability - must fix before commit
+- **v2.0.0** - Generic template