tribunal-kit 2.4.6 → 3.1.0

package/.agent/skills/seo-fundamentals/SKILL.md

@@ -1,181 +1,120 @@
 ---
 name: seo-fundamentals
-description: SEO fundamentals, E-E-A-T, Core Web Vitals, and Google algorithm principles.
+description: Search Engine Optimization (SEO) mastery. Metadata implementation, Open Graph (OG) social card rendering, semantic HTML5 structuring, canonicalization, Core Web Vitals performance mapping, Sitemap/Robots configurations, structured data (JSON-LD), and Next.js SSR SEO implementations. Use when auditing site visibility or building consumer-facing web architectures.
 allowed-tools: Read, Write, Edit, Glob, Grep
-version: 1.0.0
-last-updated: 2026-03-12
+version: 2.0.0
+last-updated: 2026-04-02
 applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
 ---
 
-# SEO Fundamentals
-
-> SEO is not a trick. It is the practice of making content genuinely useful
-> for the people searching for it, and technically accessible to the crawlers that index it.
-
----
-
-## What Search Engines Actually Rank
-
-Google's stated ranking factors, simplified:
-
-1. **Relevance** — does the content match the search intent?
-2. **Quality** — is it accurate, original, and valuable?
-3. **Authority** — do other credible sources link to it?
-4. **Experience** — is the page fast and easy to use?
-
-The manipulation era is over. Keyword stuffing gets pages penalized. Thin AI-generated content is actively filtered. The only reliable long-term SEO is making something worth ranking.
+# SEO Fundamentals — Visibility & Discoverability Mastery
 
 ---
 
-## E-E-A-T Framework
-
-Google evaluates content on Experience, Expertise, Authoritativeness, and Trustworthiness.
-
-| Signal | What It Means | How to Demonstrate |
-|---|---|---|
-| Experience | First-hand use of the topic | Case studies, screenshots, real examples |
-| Expertise | Deep knowledge of the domain | Accurate detail, citations, author credentials |
-| Authoritativeness | Recognized by others in the field | External links, mentions, speaking/publishing |
-| Trustworthiness | Safe and reliable site | HTTPS, privacy policy, correct contact info |
-
-E-E-A-T matters most for YMYL content (health, finance, legal, safety).
+## 1. Core Meta Architecture (The Next.js 15 Standard)
+
+Do not use legacy `next/head` tags scattered across components. Use the built-in Metadata API explicitly.
+
+```typescript
+// app/blog/[slug]/page.tsx
+import { Metadata } from 'next';
+
+export async function generateMetadata({ params }): Promise<Metadata> {
+  const post = await fetchPost(params.slug);
+
+  return {
+    title: `${post.title} | MyBrand`,
+    description: post.excerpt,
+    keywords: post.tags,
+    alternates: {
+      canonical: `https://www.example.com/blog/${params.slug}`
+    },
+    openGraph: {
+      title: post.title,
+      description: post.excerpt,
+      type: 'article',
+      url: `https://example.com/blog/${params.slug}`,
+      images: [{ url: post.coverImageUrl, width: 1200, height: 630 }],
+    },
+    twitter: {
+      card: 'summary_large_image', // Critical for big Twitter link previews
+    }
+  };
+}
+```
 
 ---
 
-## Technical SEO Checklist
-
-### Page-Level Requirements
-
-```html
-<!-- Title: 50–60 chars, includes primary keyword -->
-<title>Tribunal Agent Kit — Anti-Hallucination AI Tools</title>
-
-<!-- Description: 120–160 chars, actionable, includes keyword -->
-<meta name="description" content="Install the Tribunal Kit with npx tribunal-kit init. 
-27 specialist agents and 17 slash commands for Cursor, Windsurf, and Antigravity.">
+## 2. Semantic HTML & Heading Hierarchy
 
-<!-- One H1 per page — matches the title intent -->
-<h1>Anti-Hallucination Agent Kit for AI IDEs</h1>
+Google establishes context by parsing the DOM outline. A massive application constructed purely of `<div className="text-xl font-bold">` tags will be heavily penalized.
 
-<!-- Canonical — prevent duplicate content -->
-<link rel="canonical" href="https://yoursite.com/page">
-
-<!-- Open Graph (social sharing) -->
-<meta property="og:title" content="...">
-<meta property="og:description" content="...">
-<meta property="og:image" content="https://yoursite.com/og-image.jpg">
-```
+1. **The H1 Law:** Exactly ONE `<h1>` per page. This is the primary subject.
+2. **Hierarchy Integrity:** Never skip heading levels. An `<h2>` MUST precede an `<h3>`. Do not use heading tags for visual sizing; use them purely for document structure.
+3. **Semantic Tags:** Wrap headers in `<header>`, menus in `<nav>`, main content in `<main>`, and sidebars in `<aside>`.
 
-### Core Web Vitals (2025 Targets)
-
-| Metric | Good | Needs Work | Poor |
-|---|---|---|---|
-| LCP (Largest Contentful Paint) | < 2.5s | 2.5–4s | > 4s |
-| INP (Interaction to Next Paint) | < 200ms | 200–500ms | > 500ms |
-| CLS (Cumulative Layout Shift) | < 0.1 | 0.1–0.25 | > 0.25 |
-
-**Most common LCP fix:** The hero image or heading is the LCP element. Preload it:
 ```html
-<link rel="preload" href="/hero.webp" as="image" fetchpriority="high">
-```
-
-**Most common CLS fix:** Images without explicit width/height cause layout shifts:
-```html
-<img src="..." width="800" height="450" alt="...">
+<!-- ✅ GOOD: Perfect SEO Document Outline -->
+<main>
+  <article>
+    <h1>The Future of AI Agents</h1>
+    <p>Introduction...</p>
+
+    <h2>Architectural Patterns</h2>
+    <section>
+       <h3>The Supervisor Pattern</h3>
+       <p>Content regarding supervisors...</p>
+    </section>
+  </article>
+</main>
 ```
 
 ---
 
-## Content Structure
-
-```
-Page structure that works:
-  H1: Primary topic (one per page)
-  H2: Major sections
-  H3: Subsections
-  
-Content patterns that help:
-  - Answer the question in the first paragraph
-  - Use tables and lists for comparative or step-by-step info
-  - Add FAQ sections for long-tail queries
-  - Internal links to related content
-  - External links to authoritative sources
+## 3. Structured Data (JSON-LD)
+
+Help search engines understand exact data graphs (Products, Reviews, Articles, Jobs) bypassingly standard text crawling. Inject standard `Schema.org` JSON-LD.
+
+```typescript
+// Injecting JSON-LD structurally into a React/Next component
+export default function ProductPage({ product }) {
+  const jsonLd = {
+    '@context': 'https://schema.org',
+    '@type': 'Product',
+    name: product.name,
+    image: product.image,
+    description: product.description,
+    offers: {
+      '@type': 'Offer',
+      price: product.price,
+      priceCurrency: 'USD',
+      availability: product.inStock ? 'https://schema.org/InStock' : 'https://schema.org/OutOfStock',
+    },
+  };
+
+  return (
+    <section>
+      {/* Script injected cleanly into DOM */}
+      <script
+        type="application/ld+json"
+        dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLd) }}
+      />
+      
+      <h1>{product.name}</h1>
+      {/* ... rest of UI ... */}
+    </section>
+  );
+}
 ```
 
 ---
 
-## What Not to Do
-
-- **Keyword stuffing** — unreadable text written for bots; penalized
-- **Thin content** — pages with nothing to say; filtered
-- **Duplicate content** — same content on multiple URLs without canonical; splits authority
-- **Hidden text** — same color as background, `display:none` with keywords; penalized
-- **Link schemes** — buying links; can result in manual penalty
+## 4. Robots & Sitemaps
 
----
+If a page shouldn't be indexed (e.g., dynamic search result matrices, user profiles), you must explicitly block it, otherwise Googlebot wastes "Crawl Budget" on infinite URLs.
 
-## Scripts
-
-| Script | Purpose | Run With |
-|---|---|---|
-| `scripts/seo_checker.py` | Audits page-level technical SEO | `python scripts/seo_checker.py <url>` |
+- **`robots.txt`**: Denies crawling of specific directories.
+- **`<meta name="robots" content="noindex, nofollow">`**: Denies indexing of a specific page instance.
+- **`sitemap.xml`**: A programmatic manifest mapped to root guiding crawlers mathematically through all valid indexable paths.
 
 ---
-
-## Output Format
-
-When this skill produces a recommendation or design decision, structure your output as:
-
-```
-━━━ Seo Fundamentals Recommendation ━━━━━━━━━━━━━━━━
-Decision:    [what was chosen / proposed]
-Rationale:   [why — one concise line]
-Trade-offs:  [what is consciously accepted]
-Next action: [concrete next step for the user]
-─────────────────────────────────────────────────
-Pre-Flight:  ✅ All checks passed
-             or ❌ [blocking item that must be resolved first]
-```
-
-
-
----
-
-## 🤖 LLM-Specific Traps
-
-AI coding assistants often fall into specific bad habits when dealing with this domain. These are strictly forbidden:
-
-1. **Over-engineering:** Proposing complex abstractions or distributed systems when a simpler approach suffices.
-2. **Hallucinated Libraries/Methods:** Using non-existent methods or packages. Always `// VERIFY` or check `package.json` / `requirements.txt`.
-3. **Skipping Edge Cases:** Writing the "happy path" and ignoring error handling, timeouts, or data validation.
-4. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
-5. **Silent Degradation:** Catching and suppressing errors without logging or re-raising.
-
----
-
-## 🏛️ Tribunal Integration (Anti-Hallucination)
-
-**Slash command: `/review` or `/tribunal-full`**
-**Active reviewers: `logic-reviewer` · `security-auditor`**
-
-### ❌ Forbidden AI Tropes
-
-1. **Blind Assumptions:** Never make an assumption without documenting it clearly with `// VERIFY: [reason]`.
-2. **Silent Degradation:** Catching and suppressing errors without logging or handling.
-3. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
-
-### ✅ Pre-Flight Self-Audit
-
-Review these questions before confirming output:
-```
-✅ Did I rely ONLY on real, verified tools and methods?
-✅ Is this solution appropriately scoped to the user's constraints?
-✅ Did I handle potential failure modes and edge cases?
-✅ Have I avoided generic boilerplate that doesn't add value?
-```
-
-### 🛑 Verification-Before-Completion (VBC) Protocol
-
-**CRITICAL:** You must follow a strict "evidence-based closeout" state machine.
-- ❌ **Forbidden:** Declaring a task complete because the output "looks correct."
-- ✅ **Required:** You are explicitly forbidden from finalizing any task without providing **concrete evidence** (terminal output, passing tests, compile success, or equivalent proof) that your output works as intended.

package/.agent/skills/server-management/SKILL.md

@@ -1,212 +1,156 @@
 ---
 name: server-management
-description: Server management principles and decision-making. Process management, monitoring strategy, and scaling decisions. Teaches thinking, not commands.
+description: Production Linux server administration mastery. Systemd services, Nginx reverse proxy architecture, UFW firewalls, SSH key security, cron scheduling, log rotation, and server hardening. Use when configuring bare-metal, VPS instances, or reviewing deployment architecture.
 allowed-tools: Read, Write, Edit, Glob, Grep
-version: 1.0.0
-last-updated: 2026-03-12
+version: 2.0.0
+last-updated: 2026-04-02
 applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
 ---
 
-# Server Management Principles
-
-> A server you can't observe is a server you can't operate.
-> Monitoring is not optional — it is how you find out about problems before your users do.
+# Server Management — Production Linux Mastery
 
 ---
 
-## Process Management
-
-Never run Node.js or Python processes directly in production with `node app.js`. Use a process manager.
+## 1. Systemd Service Architecture (Process Guard)
 
-| Tool | Best For | Why |
-|---|---|---|
-| PM2 | Single-server Node.js | Auto-restart, log rotation, cluster mode |
-| systemd | Linux servers, any language | Native to most Linux distros, reliable |
-| Supervisor | Python, Ruby, any language | Simple config, battle-tested |
-| Docker (+restart policy) | Containerized apps | Portable, consistent across environments |
+Do not use `pm2`, `forever`, or custom `screen` sessions attached to SSH panels for server orchestration. Linux provides an enterprise-grade init system natively: systemd.
 
-**Core requirement:** If the process crashes, it restarts automatically. If it can't restart, you are alerted.
+```ini
+# /etc/systemd/system/myapp.service
 
-```bash
-# PM2 example — stays running, auto-restarts, survives reboots
-pm2 start app.js --name "api" --instances max
-pm2 save
-pm2 startup  # generates the command to run at boot
-```
+[Unit]
+Description=My Application Node.js Server
+Documentation=https://example.com/docs
+After=network.target postgresql.service # Ensure DB and Network start first
 
----
+[Service]
+Type=simple
+User=appuser     # NEVER run as root
+Group=appuser
+WorkingDirectory=/var/www/myapp
 
-## What to Monitor
+# Explicitly declare environment limits and variables
+Environment=NODE_ENV=production
+Environment=PORT=3000
+EnvironmentFile=/var/www/myapp/.env
 
-The minimum viable monitoring stack:
+# The execution target
+ExecStart=/usr/bin/node /var/www/myapp/build/index.js
 
-| Signal | What To Alert On |
-|---|---|
-| Process health | Process is not running |
-| Response time | P95 latency > SLA threshold |
-| Error rate | Error rate > 2x baseline |
-| Disk usage | > 80% full |
-| Memory | Growing without bound (memory leak) |
-| CPU | Sustained > 80% for more than 5 minutes |
+# Immortal behavior: Restart strictly on failure
+Restart=on-failure
+RestartSec=5
 
-**Alert on symptoms, not just causes.** "Error rate spiked" is a better alert than "CPU is high" — users don't feel CPU, they feel slow responses and errors.
+# Security Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 
----
-
-## Log Management
-
-Logs are useless without structure. Structured logs can be queried and aggregated.
-
-```ts
-// ❌ Unstructured — hard to query
-console.log(`User ${userId} failed to login at ${new Date()}`);
-
-// ✅ Structured — can be filtered, aggregated, alerted on
-logger.warn('login_failed', {
-  userId,
-  ip: req.ip,
-  reason: 'invalid_password',
-  timestamp: new Date().toISOString(),
-});
+[Install]
+WantedBy=multi-user.target
 ```
 
-**Log levels, used correctly:**
-- `ERROR` — something failed that requires attention
-- `WARN` — something unexpected but non-fatal happened
-- `INFO` — key business events (user registered, payment processed)
-- `DEBUG` — useful for troubleshooting, never on in production by default
-
-**Never log:**
-- Passwords, tokens, or full credit card numbers
-- PII without a documented retention policy
-- Full request bodies on auth endpoints
+**Commands:**
+`sudo systemctl daemon-reload`
+`sudo systemctl enable myapp`
+`sudo systemctl start myapp`
+`journalctl -u myapp -f` (Follow logs seamlessly)
 
 ---
 
-## Scaling Decision Framework
+## 2. Nginx Reverse Proxy Architecture
 
-Before scaling, answer:
-
-**Is the bottleneck identified?**
-- Profile first. Is it CPU, memory, database, or network?
-- Scaling horizontally when the bottleneck is a single database query helps nothing.
-
-| Bottleneck | Scaling Approach |
-|---|---|
-| CPU-bound app logic | Horizontal scale (more instances) |
-| Memory limit | Vertical scale (more RAM per instance) |
-| I/O-bound (DB, external calls) | Connection pooling, caching, async patterns |
-| Database reads | Read replicas, query optimization, caching |
-| Database writes | Sharding, write queuing, schema redesign |
-
-**Cached responses don't need scaling.** Add caching before adding instances.
-
----
-
-## Nginx Configuration Essentials
+You must shield your internal application framework (Node/Python/Ruby) behind Nginx. Nginx handles SSL termination, static file caching, and DDOS mitigation.
 
 ```nginx
+# /etc/nginx/sites-available/myapp.com
+
 server {
-  listen 80;
-  server_name example.com;
-  
-  # Redirect HTTP → HTTPS
-  return 301 https://$host$request_uri;
+    listen 80;
+    server_name api.myapp.com;
+    
+    # Force SSL Redirect
+    return 301 https://$host$request_uri;
 }
 
 server {
-  listen 443 ssl;
-  server_name example.com;
-
-  # Security headers
-  add_header X-Frame-Options DENY;
-  add_header X-Content-Type-Options nosniff;
-  add_header Strict-Transport-Security "max-age=31536000" always;
-
-  # Proxy to Node.js app
-  location / {
-    proxy_pass http://127.0.0.1:3000;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-Proto https;
-  }
-
-  # Serve static files directly (don't proxy to Node)
-  location /static/ {
-    root /var/www/myapp;
-    expires 1y;
-    add_header Cache-Control "public, immutable";
-  }
+    listen 443 ssl http2;
+    server_name api.myapp.com;
+
+    # SSL Certs (Let's Encrypt / Certbot)
+    ssl_certificate /etc/letsencrypt/live/api.myapp.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/api.myapp.com/privkey.pem;
+
+    # Modern Security Headers
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+
+    # GZIP Compression
+    gzip on;
+    gzip_types text/plain application/json;
+
+    location / {
+        # Proxy traffic to internal local process
+        proxy_pass http://127.0.0.1:3000;
+        
+        # Forward original IP and Protocol for rate limiters
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket support (Required for GraphQL subscriptions, TRPC, Socket.io)
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
 }
 ```
 
 ---
 
-## Backup Strategy
-
-The 3-2-1 rule:
-- **3** copies of data
-- **2** on different storage media
-- **1** offsite (different data center, cloud region)
+## 3. Server Hardening Fundamentals
 
-Test restores on a schedule — a backup you've never restored is a backup you don't know works.
-
----
-
-## Output Format
-
-When this skill produces a recommendation or design decision, structure your output as:
-
-```
-━━━ Server Management Recommendation ━━━━━━━━━━━━━━━━
-Decision:    [what was chosen / proposed]
-Rationale:   [why — one concise line]
-Trade-offs:  [what is consciously accepted]
-Next action: [concrete next step for the user]
-─────────────────────────────────────────────────
-Pre-Flight:  ✅ All checks passed
-             or ❌ [blocking item that must be resolved first]
+### SSH Security (`/etc/ssh/sshd_config`)
+```bash
+PermitRootLogin no           # Kill direct root login attacks immediately
+PasswordAuthentication no    # Enforce SSH key-based login ONLY
+Port 2022                    # (Optional) Obscurity defense against automated script-kiddie scanners
 ```
 
+### Uncomplicated Firewall (UFW)
+A naked server with all ports open is a honeypot.
+```bash
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+sudo ufw allow 22/tcp      # Allow SSH
+sudo ufw allow 80/tcp      # Allow HTTP
+sudo ufw allow 443/tcp     # Allow HTTPS
+sudo ufw enable
+```
 
+### Fail2Ban
+Automatically bans IPs attempting brute force credential filling after 5 bad attempts.
 
 ---
 
-## 🤖 LLM-Specific Traps
-
-AI coding assistants often fall into specific bad habits when dealing with this domain. These are strictly forbidden:
-
-1. **Over-engineering:** Proposing complex abstractions or distributed systems when a simpler approach suffices.
-2. **Hallucinated Libraries/Methods:** Using non-existent methods or packages. Always `// VERIFY` or check `package.json` / `requirements.txt`.
-3. **Skipping Edge Cases:** Writing the "happy path" and ignoring error handling, timeouts, or data validation.
-4. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
-5. **Silent Degradation:** Catching and suppressing errors without logging or re-raising.
-
----
-
-## 🏛️ Tribunal Integration (Anti-Hallucination)
-
-**Slash command: `/review` or `/tribunal-full`**
-**Active reviewers: `logic-reviewer` · `security-auditor`**
-
-### ❌ Forbidden AI Tropes
-
-1. **Blind Assumptions:** Never make an assumption without documenting it clearly with `// VERIFY: [reason]`.
-2. **Silent Degradation:** Catching and suppressing errors without logging or handling.
-3. **Context Amnesia:** Forgetting the user's constraints and offering generic advice instead of tailored solutions.
+## 4. Log Rotation (Prevent Disk Full Outages)
 
-### ✅ Pre-Flight Self-Audit
+A server will inevitably crash when `/var/log` consumes 100% of the disk.
 
-Review these questions before confirming output:
-```
-✅ Did I rely ONLY on real, verified tools and methods?
-✅ Is this solution appropriately scoped to the user's constraints?
-✅ Did I handle potential failure modes and edge cases?
-✅ Have I avoided generic boilerplate that doesn't add value?
+```bash
+# /etc/logrotate.d/myapp
+
+/var/www/myapp/logs/*.log {
+    daily                # Rotate every day
+    missingok            # Ignore if file is missing
+    rotate 14            # Keep 14 days of history
+    compress             # Gzip old logs
+    delaycompress        # Don't compress the one created yesterday
+    notifempty           # Do nothing if log is empty
+    copytruncate         # Copy then clear (avoids disrupting Node's open file handles)
+}
 ```
 
-### 🛑 Verification-Before-Completion (VBC) Protocol
-
-**CRITICAL:** You must follow a strict "evidence-based closeout" state machine.
-- ❌ **Forbidden:** Declaring a task complete because the output "looks correct."
-- ✅ **Required:** You are explicitly forbidden from finalizing any task without providing **concrete evidence** (terminal output, passing tests, compile success, or equivalent proof) that your output works as intended.
+---