tribunal-kit 1.0.0

package/.agent/workflows/tribunal-backend.md

@@ -0,0 +1,69 @@
+---
+description: Backend-specific Tribunal. Runs Logic + Security + Dependency + Types. Use for API routes, server logic, and auth code.
+---
+
+# /tribunal-backend — Server-Side Audit
+
+$ARGUMENTS
+
+---
+
+Focused audit for backend and API code. Paste server-side code and these four reviewers analyze it simultaneously.
+
+---
+
+## Active Reviewers
+
+```
+logic-reviewer          → Invented stdlib methods, impossible conditional branches
+security-auditor        → Auth bypass, SQL injection, secrets in code, rate limiting gaps
+dependency-reviewer     → Any import not found in your package.json
+type-safety-reviewer    → Implicit any, unguarded optional access, missing return types
+```
+
+---
+
+## What Gets Flagged
+
+| Reviewer | Common Backend Catches |
+|---|---|
+| logic | Calling `req.user` after a check that could pass with null |
+| security | `jwt.verify()` without `algorithms` option — allows `alg:none` attack |
+| dependency | `import { z } from 'zod'` but zod not in package.json |
+| type-safety | `async function handler(req, res)` — no types on req or res |
+
+---
+
+## Report Format
+
+```
+━━━ Backend Audit ━━━━━━━━━━━━━━━━━━━━━━━
+
+  logic-reviewer:        ✅ APPROVED
+  security-auditor:      ❌ REJECTED
+  dependency-reviewer:   ✅ APPROVED
+  type-safety-reviewer:  ⚠️  WARNING
+
+━━━ Issues ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+security-auditor:
+  ❌ Critical — Line 44
+     JWT algorithm not enforced: jwt.verify(token, secret)
+     Fix: jwt.verify(token, secret, { algorithms: ['HS256'] })
+
+type-safety-reviewer:
+  ⚠️ Medium — Line 10
+     Request body typed as any — add Zod schema parse at boundary
+
+━━━ Verdict: NEEDS FIXES ━━━━━━━━━━━━━━━━
+```
+
+---
+
+## Usage
+
+```
+/tribunal-backend [paste API route code]
+/tribunal-backend [paste auth middleware]
+/tribunal-backend src/routes/user.ts
+```

package/.agent/workflows/tribunal-database.md

@@ -0,0 +1,88 @@
+---
+description: Database-specific Tribunal. Runs Logic + Security + SQL reviewers. Use for queries, migrations, and ORM code.
+---
+
+# /tribunal-database — Data Layer Audit
+
+$ARGUMENTS
+
+---
+
+Focused audit for SQL queries, ORM code, schema changes, and migrations. Provide your schema alongside the code for the most accurate analysis.
+
+---
+
+## Active Reviewers
+
+```
+logic-reviewer      → ORM methods that don't exist, impossible WHERE conditions
+security-auditor    → Injection surfaces, sensitive data exposed without masking
+sql-reviewer        → String interpolation in queries, N+1 patterns,
+                      references to tables/columns not in the schema
+```
+
+---
+
+## Important: Provide Your Schema
+
+The `sql-reviewer` can only validate column/table names if it has the schema:
+
+```
+/tribunal-database
+
+Schema:
+  CREATE TABLE users (id UUID, email TEXT, created_at TIMESTAMPTZ);
+  CREATE TABLE posts (id UUID, user_id UUID REFERENCES users(id), title TEXT);
+
+Code to audit:
+  [paste query or ORM code here]
+```
+
+Without the schema, the reviewer flags all table/column references as `[VERIFY — schema not provided]`.
+
+---
+
+## What Gets Flagged
+
+| Reviewer | Common Database Catches |
+|---|---|
+| logic | `prisma.user.findFirstOrCreate()` — not a real Prisma method |
+| security | `db.query(\`SELECT * WHERE id = ${req.params.id}\`)` — injection |
+| sql | `SELECT * FROM payments` when `payments` table not in schema |
+| sql | A loop with a `SELECT` inside — N+1 query pattern |
+
+---
+
+## Report Format
+
+```
+━━━ Database Audit ━━━━━━━━━━━━━━━━━━━━━━
+
+  logic-reviewer:    ✅ APPROVED
+  security-auditor:  ❌ REJECTED
+  sql-reviewer:      ❌ REJECTED
+
+━━━ Issues ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+security-auditor:
+  ❌ Critical — Line 6
+     SQL injection: string interpolation in query
+     Fix: Use $1 parameterized placeholder
+
+sql-reviewer:
+  ❌ High — Line 19
+     N+1 detected: SELECT inside for-loop
+     Fix: Batch with WHERE id = ANY($1) or use JOIN
+
+━━━ Verdict: NEEDS FIXES ━━━━━━━━━━━━━━━━
+```
+
+---
+
+## Usage
+
+```
+/tribunal-database [paste query with schema]
+/tribunal-database src/repositories/userRepo.ts
+/tribunal-database [paste Prisma query]
+```

package/.agent/workflows/tribunal-frontend.md

@@ -0,0 +1,69 @@
+---
+description: Frontend + React specific Tribunal. Runs Logic + Security + Frontend + Types. Use for React components, hooks, and UI code.
+---
+
+# /tribunal-frontend — UI & React Audit
+
+$ARGUMENTS
+
+---
+
+Focused audit for React, Next.js, and frontend code. Four reviewers analyze it simultaneously for framework-specific issues that generic reviews miss.
+
+---
+
+## Active Reviewers
+
+```
+logic-reviewer          → Non-existent React APIs, impossible render conditions
+security-auditor        → XSS via dangerouslySetInnerHTML, exposed tokens in state
+frontend-reviewer       → Hooks violations, missing dep arrays, direct state mutation
+type-safety-reviewer    → Untyped props, any in hooks, unsafe DOM ref usage
+```
+
+---
+
+## What Gets Flagged
+
+| Reviewer | Common Frontend Catches |
+|---|---|
+| logic | `useState.useAsync()` — not a real React API |
+| security | `dangerouslySetInnerHTML={{ __html: userInput }}` — XSS |
+| frontend | `useEffect(() => {...}, [])` with a prop used inside — stale closure |
+| type-safety | `function Card(props: any)` — no defined prop interface |
+
+---
+
+## Report Format
+
+```
+━━━ Frontend Audit ━━━━━━━━━━━━━━━━━━━━━━
+
+  logic-reviewer:     ✅ APPROVED
+  security-auditor:   ✅ APPROVED
+  frontend-reviewer:  ❌ REJECTED
+  type-safety:        ⚠️  WARNING
+
+━━━ Issues ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+frontend-reviewer:
+  ❌ High — Line 18
+     Missing dep: userId used in useEffect but not in dep array
+     Fix: }, [userId])
+
+type-safety-reviewer:
+  ⚠️ Medium — Line 3
+     props: any — define a typed interface for this component
+
+━━━ Verdict: NEEDS FIXES ━━━━━━━━━━━━━━━━
+```
+
+---
+
+## Usage
+
+```
+/tribunal-frontend [paste component code]
+/tribunal-frontend [paste custom hook]
+/tribunal-frontend src/components/UserCard.tsx
+```

package/.agent/workflows/tribunal-full.md

@@ -0,0 +1,77 @@
+---
+description: Run ALL 8 Tribunal reviewer agents simultaneously. Maximum hallucination coverage. Use before merging any AI-generated code.
+---
+
+# /tribunal-full — Full Panel Review
+
+$ARGUMENTS
+
+---
+
+Paste code. All 8 reviewers analyze it simultaneously. Maximum coverage, no domain gaps.
+
+Use this before merging any AI-generated code, or when you're not sure which domain a piece of code sits in.
+
+---
+
+## Who Runs
+
+```
+logic-reviewer          → Hallucinated methods, impossible logic, undefined refs
+security-auditor        → OWASP Top 10, injection, secrets, auth bypass
+dependency-reviewer     → Imports not found in package.json
+type-safety-reviewer    → any, unsafe casts, unguarded access
+sql-reviewer            → Injection via interpolation, N+1, invented schema
+frontend-reviewer       → Hooks violations, missing dep arrays, state mutation
+performance-reviewer    → O(n²), blocking I/O, memory allocation anti-patterns
+test-coverage-reviewer  → Tautology tests, no-assertion specs, over-mocking
+```
+
+All 8 run in parallel. You wait for all verdicts before seeing the result.
+
+---
+
+## Report Format
+
+```
+━━━ Full Tribunal Audit ━━━━━━━━━━━━━━━━━━━━━
+
+  logic-reviewer:          ✅ APPROVED
+  security-auditor:        ❌ REJECTED
+  dependency-reviewer:     ✅ APPROVED
+  type-safety-reviewer:    ⚠️  WARNING
+  sql-reviewer:            ✅ APPROVED
+  frontend-reviewer:       ✅ APPROVED
+  performance-reviewer:    ✅ APPROVED
+  test-coverage-reviewer:  ❌ REJECTED
+
+━━━ Issues ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+security-auditor:
+  ❌ Critical — Line 12
+     SQL injection: db.query(`WHERE id = ${id}`)
+     Fix: db.query('WHERE id = $1', [id])
+
+test-coverage-reviewer:
+  ❌ High — Line 45-60
+     Tautology test: expect(fn(x)).toBe(fn(x)) — always passes
+
+type-safety-reviewer:
+  ⚠️ Medium — Line 7
+     Implicit any in parameter: function (data) — add explicit type
+
+━━━ Verdict ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  2 REJECTED. Fix all issues before this code reaches your codebase.
+  1 WARNING — review before approving.
+```
+
+---
+
+## When to Use This
+
+```
+/tribunal-full [paste any code]
+/tribunal-full before merging
+/tribunal-full when you're unsure which domain applies
+```

package/.agent/workflows/ui-ux-pro-max.md

@@ -0,0 +1,153 @@
+---
+description: Plan and implement UI
+---
+
+# /ui-ux-pro-max — Advanced UI/UX Design Mode
+
+$ARGUMENTS
+
+---
+
+This command activates the highest-fidelity UI/UX workflow. It combines deep design thinking, component architecture, and real-time feedback — not just "generate a pretty layout."
+
+> This is not a shortcut. It's a full design session.
+
+---
+
+## What Makes This Different From `/create`
+
+`/create` builds features. `/ui-ux-pro-max` obsesses over the craft:
+
+- Color decisions backed by contrast ratios and optical principles — not "looks nice"
+- Typography choices based on reading distance, weight hierarchy, and scale
+- Layout that solves the actual user flow, not the common template
+- Interaction states for every element (hover, focus, active, loading, error, empty)
+- Accessibility by default — not retrofitted
+
+---
+
+## Design Rules (Always Active in This Mode)
+
+### Color
+- No purple/violet as primary color — most overused AI design choice
+- All text must pass WCAG AA contrast (4.5:1 minimum)
+- Color palette derived from a single base hue with rotational logic — not random picks
+- No pure black backgrounds (`#000`) — use `#090909` to `#121212` for perceived depth
+
+### Typography
+- Google Fonts only if you have the `<link>` to prove it exists — no invented font names
+- Minimum 16px body text on mobile
+- Line height between 1.4–1.6 for body, 1.1–1.2 for headings
+- No more than 3 font weights in one component
+
+### Layout
+- No standard hero (left text / right illustration) without a compelling reason
+- Section max-width: 1200px for content, 720px for text-heavy content
+- 8px spacing grid — all padding and margin values are multiples of 8
+
+### Interaction
+- Every interactive element has: default, hover, focus, active, and disabled states
+- Focus rings must be visible — never `outline: none` without a styled alternative
+- Loading states for anything async — no silent spinners
+- Error states with actionable copy — not just "Error occurred"
+
+---
+
+## The Design Session Protocol
+
+### Step 1 — Problem Before Pixels
+
+Answer these before designing anything:
+
+```
+Who is the user?              (not "general users" — a specific persona)
+What is the one thing this UI must make easy?
+What is the emotional tone?   (serious, playful, professional, urgent)
+What does the user do after this screen?
+```
+
+### Step 2 — Layout Skeleton (No Colors yet)
+
+Define the structure:
+- What regions exist? (nav, hero, content, sidebar, footer)
+- What is the visual hierarchy? (#1 most important thing → #2 → #3)
+- What flows from top to bottom when the user scrolls?
+
+### Step 3 — Color + Typography System
+
+Pick once, use consistently:
+
+```
+Base hue:         [HSL value]
+Primary:          [hue, full saturation]
+Background:       [hue, 2–5% saturation, 6–12% lightness for dark]
+Surface:          [background + 4–6% lightness]
+Text primary:     [96–98% lightness on dark]
+Text secondary:   [65–70% lightness on dark]
+Accent:           [complementary hue, high saturation]
+```
+
+### Step 4 — Component Build (Tribunal: logic + frontend)
+
+Every component built goes through `/tribunal-frontend` before being shown.
+
+### Step 5 — Interaction Layer
+
+Define CSS transitions for every state change:
+```css
+transition: all 0.15s ease;   /* for micro-interactions */
+transition: all 0.25s ease;   /* for layout transitions */
+```
+
+### Step 6 — Accessibility Audit
+
+```
+✅ All images have alt attributes
+✅ Focus order follows visual order
+✅ Color is not the only indicator of state (add icon or text)
+✅ Touch targets minimum 44px × 44px on mobile
+✅ ARIA roles on custom interactive elements
+```
+
+---
+
+## 🏛️ Anti-Hallucination Rules for UI
+
+- **No invented Google Fonts** — verify every font name at fonts.google.com before using it
+- **No invented CSS properties** — `backdrop-filter` needs vendor prefix in some browsers; write `// VERIFY: check browser support`
+- **Contrast ratios must be real** — don't claim AA compliance without checking the actual ratio
+- **No placeholder images** — generate real images or use a placeholder service with documented URL format
+
+---
+
+## Output Format
+
+Each step produces:
+
+```
+📐 Layout skeleton: [description or ASCII diagram]
+
+🎨 Color system:
+   Background:   #[hex]
+   Surface:      #[hex]
+   Primary text: #[hex]
+   Accent:       #[hex]
+   Contrast:     [ratio]:1 → AA [pass|fail]
+
+🧱 Component: [name]
+   Tribunal: [verdict]
+
+♿ Accessibility:
+   [checklist result]
+```
+
+---
+
+## Usage
+
+```
+/ui-ux-pro-max design a SaaS dashboard homepage
+/ui-ux-pro-max build a pricing page that converts
+/ui-ux-pro-max create a mobile-first landing page for a productivity app
+/ui-ux-pro-max redesign the login and registration flow
+```

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Tribunal Anti-Hallucination Agent Kit
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,136 @@
+# Tribunal Anti-Hallucination Agent Kit
+
+> Plug-in `.agent/` folder that gives your AI IDE (Cursor, Windsurf, Antigravity) a full
+> anti-hallucination system with 27 specialist agents, 17 slash commands, and 8 parallel Tribunal reviewers.
+
+---
+
+## Quick Install
+
+```bash
+npx tribunal-kit init
+```
+
+Or install globally and use anywhere:
+
+```bash
+npm install -g tribunal-kit
+tribunal-kit init
+```
+
+This installs the `.agent/` folder containing all agents, workflows, skills, and scripts into your project.
+
+---
+
+> ⚠️ **Important — `.gitignore` Note**
+>
+> If you use AI-powered editors like Cursor or Windsurf, adding `.agent/` to your `.gitignore`
+> may prevent the IDE from indexing the workflows. Slash commands like `/generate` or `/review`
+> won't appear in the chat suggestion dropdown.
+>
+> **Recommended:** Keep `.agent/` out of `.gitignore`. If you want it local-only:
+> ```
+> # Add this to .git/info/exclude (not .gitignore)
+> .agent/
+> ```
+
+---
+
+## What's Included
+
+| Component | Count | Description |
+|---|---|---|
+| Agents | 27 | Specialist AI personas (backend, frontend, security, Tribunal reviewers, etc.) |
+| Workflows | 17 | Slash command procedures |
+| Skills | 37 | Domain-specific knowledge modules |
+| Scripts | 4 | Python utility scripts (checklist, verify, preview, session) |
+
+---
+
+## How It Works
+
+### Auto-Agent Routing
+
+No need to mention agents explicitly. The system automatically detects the right specialist:
+
+```
+You: "Add JWT authentication"
+AI:  🤖 Applying @security-auditor + @backend-specialist...
+
+You: "Fix the dark mode button"
+AI:  🤖 Applying @frontend-specialist...
+
+You: "Login returns 500 error"
+AI:  🤖 Applying @debugger for systematic analysis...
+```
+
+### The Tribunal Pipeline
+
+Every generated code goes through parallel reviewers before you see it:
+
+```
+You type /generate →
+  Maker generates at low temperature →
+  Reviewers audit in parallel (logic, security, types, ...) →
+  Human Gate: you approve the diff before it writes to disk
+```
+
+---
+
+## Slash Commands
+
+| Command | Description |
+|---|---|
+| `/generate` | Full Tribunal pipeline: generate → review → approve |
+| `/review` | Audit existing code — no generation |
+| `/tribunal-full` | All 8 reviewers simultaneously |
+| `/tribunal-backend` | Logic + Security + Dependency + Types |
+| `/tribunal-frontend` | Logic + Security + Frontend + Types |
+| `/tribunal-database` | Logic + Security + SQL |
+| `/brainstorm` | Explore options before implementation |
+| `/create` | Build new features or apps |
+| `/debug` | Systematic root-cause investigation |
+| `/plan` | Create structured plan file only |
+| `/enhance` | Improve existing code safely |
+| `/orchestrate` | Multi-agent coordination |
+| `/test` | Generate or audit tests |
+| `/deploy` | 3-gate production deployment |
+| `/preview` | Local dev server control |
+| `/status` | Tribunal session dashboard |
+| `/ui-ux-pro-max` | Advanced UI/UX design workflow |
+
+---
+
+## CLI Reference
+
+```bash
+tribunal-kit init                        # Install into current directory
+tribunal-kit init --force                # Overwrite existing .agent/ folder
+tribunal-kit init --path ./my-app        # Install in specific directory
+tribunal-kit init --quiet                # Suppress output (for CI/CD)
+tribunal-kit init --dry-run              # Preview without writing files
+tribunal-kit update                      # Re-install to get latest version
+tribunal-kit status                      # Check installation status
+```
+
+---
+
+## Utility Scripts (after install)
+
+```bash
+python .agent/scripts/checklist.py .         # Pre-commit audit
+python .agent/scripts/verify_all.py          # Pre-deploy full suite
+python .agent/scripts/auto_preview.py start  # Start dev server
+python .agent/scripts/session_manager.py save "note"  # Save session
+```
+
+---
+
+## Compatible IDEs
+
+| IDE | Support |
+|---|---|
+| Cursor | ✅ Reads `.agent/` automatically |
+| Windsurf | ✅ Reads `.agent/` automatically |
+| Antigravity | ✅ Native `.agent/` support |
+| GitHub Copilot (Agent Mode) | ✅ Copy `GEMINI.md` → `.github/copilot-instructions.md` |