tribunal-kit 3.0.0 → 4.0.0

package/.agent/workflows/tribunal-database.md

@@ -1,115 +1,95 @@
----
-description: Database-specific Tribunal. Runs Logic + Security + SQL reviewers. Use for Prisma queries, raw SQL, schema migrations, ORM operations, and database transaction code.
----
-
-# /tribunal-database — Database Code Audit
-
-$ARGUMENTS
-
----
-
-## When to Use /tribunal-database
-
-| Use `/tribunal-database` when... | Use something else when... |
-|:---|:---|
-| Prisma queries and schema | Frontend queries → `/tribunal-frontend` |
-| Raw SQL with pg/mysql2/better-sqlite3 | API routes calling DB → `/tribunal-backend` |
-| Database migrations | Full audit → `/tribunal-full` |
-| ORM schema changes | |
-| Transaction boundaries | |
-
----
-
-## 3 Active Reviewers (All Run Simultaneously)
-
-### logic-reviewer
-- Prisma methods that don't exist (`findOne` was removed — use `findUnique`)
-- Transaction that should be `$transaction` but isn't
-- Pagination query missing total count (returns wrong metadata)
-- `.findMany()` with no `take` limit (unbounded query)
-
-### security-auditor
-- SQL injection via `$queryRaw` with template literals and user input
-- Row-level security bypass (no WHERE clause on user-scoped query)
-- Mass assignment via `prisma.user.update({ data: req.body })` (unrestricted)
-- Prisma `$executeRaw` with string interpolation
-
-### sql-reviewer
-- N+1 pattern (loop with prisma query inside)
-- Foreign key columns without `@@index`
-- No index on ORDER BY column for large tables
-- Unscoped UPDATE/DELETE without WHERE clause
-- Missing rollback in raw SQL catch block
-- Expand vs contract migration not followed
-
----
-
-## Verdict System
-
-```
-If ANY reviewer → ❌ REJECTED: fix before Human Gate
-If any reviewer → ⚠️ WARNING:  proceed with flagged items
-If all reviewers → ✅ APPROVED: Human Gate
-```
-
----
-
-## Output Format
-
-```
-━━━ Tribunal Database ━━━━━━━━━━━━━━━━━━━━
-
-logic-reviewer:   ✅ APPROVED
-security-auditor: ❌ REJECTED
-sql-reviewer:     ⚠️ WARNING
-
-━━━ VERDICT: ❌ REJECTED ━━━━━━━━━━━━━━━━━
-
-Blockers:
-- security-auditor: [CRITICAL] SQL injection via $queryRaw at src/lib/db.ts:34
-  Code: await prisma.$queryRaw`SELECT * WHERE email = '${email}'`
-  Fix:  await prisma.$queryRaw`SELECT * WHERE email = ${email}` (Prisma auto-parameterizes)
-
-Warnings:
-- sql-reviewer: [MEDIUM] N+1 detected — posts fetched inside user loop at src/lib/feed.ts:56
-  Fix: Use include: { posts: true } in findMany() instead of for-loop fetches
-```
-
----
-
-## Database-Specific Hallucination Traps (Common LLM Mistakes)
-
-```typescript
-// ❌ Prisma: findOne was REMOVED — doesn't exist in any version
-const user = await prisma.user.findOne({ where: { id } });
-// ✅ Correct
-const user = await prisma.user.findUnique({ where: { id } });
-
-// ❌ Prisma: upsertMany doesn't exist
-await prisma.product.upsertMany({ data: products });         // Doesn't exist
-// ✅ Use createMany or transaction with multiple upserts
-await prisma.$transaction(products.map(p => prisma.product.upsert({ ... })));
-
-// ❌ Migration fails silently: adding NOT NULL column to populated table
-ALTER TABLE users ADD COLUMN phone VARCHAR(20) NOT NULL; // Error on existing rows
-// ✅ Always add nullable first, backfill, then add constraint
-
-// ❌ Missing rollback in raw SQL
-try {
-  await db.query('BEGIN');
-  await db.query('UPDATE ...');
-} catch (e) {
-  // Missing: await db.query('ROLLBACK');
-}
-```
-
----
-
-## Usage Examples
-
-```
-/tribunal-database the createOrder function with Stripe idempotency
-/tribunal-database the user registration with email uniqueness check
-/tribunal-database the migration file adding phoneNumber to users
-/tribunal-database the paginated product query with category filter
-```
+---
+description: Database-specific Tribunal. Runs Logic + Security + SQL reviewers. Use for Prisma queries, raw SQL, schema migrations, ORM operations, and database transaction code.
+---
+
+# /tribunal-database — Database Code Audit
+
+$ARGUMENTS
+
+---
+
+## When to Use /tribunal-database
+
+|Use `/tribunal-database` when...|Use something else when...|
+|:---|:---|
+|Prisma queries and schema|Frontend queries → `/tribunal-frontend`|
+|Raw SQL with pg/mysql2/better-sqlite3|API routes calling DB → `/tribunal-backend`|
+|Database migrations|Full audit → `/tribunal-full`|
+|ORM schema changes||
+|Transaction boundaries||
+
+---
+
+## 3 Active Reviewers (All Run Simultaneously)
+
+### precedence-reviewer    → Checks local repo Case Law for past rejections
+logic-reviewer
+- Prisma methods that don't exist (`findOne` was removed — use `findUnique`)
+- Transaction that should be `$transaction` but isn't
+- Pagination query missing total count (returns wrong metadata)
+- `.findMany()` with no `take` limit (unbounded query)
+
+### security-auditor
+- SQL injection via `$queryRaw` with template literals and user input
+- Row-level security bypass (no WHERE clause on user-scoped query)
+- Mass assignment via `prisma.user.update({ data: req.body })` (unrestricted)
+- Prisma `$executeRaw` with string interpolation
+
+### sql-reviewer
+- N+1 pattern (loop with prisma query inside)
+- Foreign key columns without `@@index`
+- No index on ORDER BY column for large tables
+- Unscoped UPDATE/DELETE without WHERE clause
+- Missing rollback in raw SQL catch block
+- Expand vs contract migration not followed
+
+---
+
+## Verdict System
+
+```
+If ANY reviewer → ❌ REJECTED: fix before Human Gate
+If any reviewer → ⚠️ WARNING:  proceed with flagged items
+If all reviewers → ✅ APPROVED: Human Gate
+```
+
+---
+
+---
+
+## Database-Specific Hallucination Traps (Common LLM Mistakes)
+
+```typescript
+// ❌ Prisma: findOne was REMOVED — doesn't exist in any version
+const user = await prisma.user.findOne({ where: { id } });
+// ✅ Correct
+const user = await prisma.user.findUnique({ where: { id } });
+
+// ❌ Prisma: upsertMany doesn't exist
+await prisma.product.upsertMany({ data: products });         // Doesn't exist
+// ✅ Use createMany or transaction with multiple upserts
+await prisma.$transaction(products.map(p => prisma.product.upsert({ ... })));
+
+// ❌ Migration fails silently: adding NOT NULL column to populated table
+ALTER TABLE users ADD COLUMN phone VARCHAR(20) NOT NULL; // Error on existing rows
+// ✅ Always add nullable first, backfill, then add constraint
+
+// ❌ Missing rollback in raw SQL
+try {
+  await db.query('BEGIN');
+  await db.query('UPDATE ...');
+} catch (e) {
+  // Missing: await db.query('ROLLBACK');
+}
+```
+
+---
+
+## Usage Examples
+
+```
+/tribunal-database the createOrder function with Stripe idempotency
+/tribunal-database the user registration with email uniqueness check
+/tribunal-database the migration file adding phoneNumber to users
+/tribunal-database the paginated product query with category filter
+```

package/.agent/workflows/tribunal-frontend.md

@@ -1,118 +1,96 @@
----
-description: Frontend and React specific Tribunal. Runs Logic + Security + Frontend + Type Safety reviewers. Use for React components, hooks, UI code, Next.js pages, Server Components, and Client Components.
----
-
-# /tribunal-frontend — Frontend Code Audit
-
-$ARGUMENTS
-
----
-
-## When to Use /tribunal-frontend
-
-| Use `/tribunal-frontend` when... | Use something else when... |
-|:---|:---|
-| React components (Server or Client) | Backend routes → `/tribunal-backend` |
-| Custom hooks | Database queries → `/tribunal-database` |
-| Next.js pages and layouts | Mobile (React Native) → `/tribunal-mobile` |
-| UI state management | Maximum coverage → `/tribunal-full` |
-| Form handling with Server Actions | |
-
----
-
-## 4 Active Reviewers (All Run Simultaneously)
-
-### logic-reviewer
-- Hallucinated React 19 hooks (non-existent hook names)
-- useFormState called instead of useActionState (React 19 rename)
-- useEffect missing dependencies (stale closure)
-- Multiple setStates that should be batched (React 19 auto-batches in most cases)
-
-### security-auditor
-- `dangerouslySetInnerHTML` with user-controlled content (XSS)
-- eval/Function() calls in component code
-- Exposing sensitive data in client-rendered output
-
-### frontend-reviewer
-- useState/useReducer in Server Components (no client runtime!)
-- 'use client' directive missing on components using hooks
-- Missing 'use server' on Server Actions
-- cookies()/headers()/params not awaited in Next.js 15
-- useEffect not cleaned up (subscription leaks)
-- Keys not unique in list rendering (using index as key)
-- Direct DOM mutations (document.querySelector inside React)
-
-### type-safety-reviewer  
-- Props typed as `any`
-- Event handlers typed as `any` (use `React.MouseEvent<HTMLButtonElement>`)
-- Server Component async props typed without Promise<> (Next.js 15 params)
-- No explicit return type on custom hooks
-
----
-
-## Verdict System
-
-```
-If ANY reviewer → ❌ REJECTED: fix before Human Gate
-If any reviewer → ⚠️ WARNING:  proceed with flagged items
-If all reviewers → ✅ APPROVED: Human Gate
-```
-
----
-
-## Output Format
-
-```
-━━━ Tribunal Frontend ━━━━━━━━━━━━━━━━━━━━━
-
-logic-reviewer:      ✅ APPROVED
-security-auditor:    ✅ APPROVED
-frontend-reviewer:   ❌ REJECTED
-type-safety-reviewer: ⚠️ WARNING
-
-━━━ VERDICT: ❌ REJECTED ━━━━━━━━━━━━━━━━━
-
-Blockers:
-- frontend-reviewer: [HIGH] useState() in Server Component at src/app/dashboard/page.tsx:12
-  Fix: Move state to a Client Component ('use client')
-- frontend-reviewer: [HIGH] cookies() not awaited at src/app/api/auth/route.ts:8
-  Fix: const cookieStore = await cookies();
-
-Warnings:
-- type-safety-reviewer: [MEDIUM] onClick handler typed as 'any' at line 34
-  Fix: onClick: (e: React.MouseEvent<HTMLButtonElement>) => void
-```
-
----
-
-## Frontend-Specific Hallucination Traps (Common LLM Mistakes)
-
-```typescript
-// ❌ React 19: useFormState renamed to useActionState
-import { useFormState } from 'react';      // useFormState no longer exists in React 19
-import { useActionState } from 'react';    // Correct React 19 name
-
-// ❌ Next.js 15: params and searchParams must be awaited
-const { id } = params;                    // WRONG — params is a Promise in Next.js 15
-const { id } = await params;             // CORRECT
-
-// ❌ Hook not valid in Server Component
-export default async function Page() {
-  const [count, setCount] = useState(0); // Server Components cannot use hooks
-}
-
-// ❌ Server Action missing 'use server'
-async function saveData(formData: FormData) {  // Without 'use server' — not a Server Action
-  'use server';                                // Must be FIRST line
-```
-
----
-
-## Usage Examples
-
-```
-/tribunal-frontend the ProductCard component with server-fetched data
-/tribunal-frontend the useAuth custom hook implementation
-/tribunal-frontend the checkout page with Server Action form
-/tribunal-frontend the DashboardLayout with Suspense and loading states
-```
+---
+description: Frontend and React specific Tribunal. Runs Logic + Security + Frontend + Type Safety reviewers. Use for React components, hooks, UI code, Next.js pages, Server Components, and Client Components.
+---
+
+# /tribunal-frontend — Frontend Code Audit
+
+$ARGUMENTS
+
+---
+
+## When to Use /tribunal-frontend
+
+|Use `/tribunal-frontend` when...|Use something else when...|
+|:---|:---|
+|React components (Server or Client)|Backend routes → `/tribunal-backend`|
+|Custom hooks|Database queries → `/tribunal-database`|
+|Next.js pages and layouts|Mobile (React Native) → `/tribunal-mobile`|
+|UI state management|Maximum coverage → `/tribunal-full`|
+|Form handling with Server Actions||
+
+---
+
+## 4 Active Reviewers (All Run Simultaneously)
+
+### precedence-reviewer    → Checks local repo Case Law for past rejections
+logic-reviewer
+- Hallucinated React 19 hooks (non-existent hook names)
+- useFormState called instead of useActionState (React 19 rename)
+- useEffect missing dependencies (stale closure)
+- Multiple setStates that should be batched (React 19 auto-batches in most cases)
+
+### security-auditor
+- `dangerouslySetInnerHTML` with user-controlled content (XSS)
+- eval/Function() calls in component code
+- Exposing sensitive data in client-rendered output
+
+### frontend-reviewer
+- useState/useReducer in Server Components (no client runtime!)
+- 'use client' directive missing on components using hooks
+- Missing 'use server' on Server Actions
+- cookies()/headers()/params not awaited in Next.js 15
+- useEffect not cleaned up (subscription leaks)
+- Keys not unique in list rendering (using index as key)
+- Direct DOM mutations (document.querySelector inside React)
+
+### type-safety-reviewer  
+- Props typed as `any`
+- Event handlers typed as `any` (use `React.MouseEvent<HTMLButtonElement>`)
+- Server Component async props typed without Promise<> (Next.js 15 params)
+- No explicit return type on custom hooks
+
+---
+
+## Verdict System
+
+```
+If ANY reviewer → ❌ REJECTED: fix before Human Gate
+If any reviewer → ⚠️ WARNING:  proceed with flagged items
+If all reviewers → ✅ APPROVED: Human Gate
+```
+
+---
+
+---
+
+## Frontend-Specific Hallucination Traps (Common LLM Mistakes)
+
+```typescript
+// ❌ React 19: useFormState renamed to useActionState
+import { useFormState } from 'react';      // useFormState no longer exists in React 19
+import { useActionState } from 'react';    // Correct React 19 name
+
+// ❌ Next.js 15: params and searchParams must be awaited
+const { id } = params;                    // WRONG — params is a Promise in Next.js 15
+const { id } = await params;             // CORRECT
+
+// ❌ Hook not valid in Server Component
+export default async function Page() {
+  const [count, setCount] = useState(0); // Server Components cannot use hooks
+}
+
+// ❌ Server Action missing 'use server'
+async function saveData(formData: FormData) {  // Without 'use server' — not a Server Action
+  'use server';                                // Must be FIRST line
+```
+
+---
+
+## Usage Examples
+
+```
+/tribunal-frontend the ProductCard component with server-fetched data
+/tribunal-frontend the useAuth custom hook implementation
+/tribunal-frontend the checkout page with Server Action form
+/tribunal-frontend the DashboardLayout with Suspense and loading states
+```